r/dch-proxy: Update and clean up

The *dch-proxy* role has not been used for quite some time. The web server has been handling the reerse proxy functionality, in addition to hosting websites. The drawback to using Apache as the reverse proxy, though, is that it operates in TLS-terminating mode, so it needs to have the correct certificate for every site and application it proxies for. This is becoming cumbersome, especially now that there are several sites that do not use the _pyrocufflink.net_ wildcard certificate. Notably, Tabitha's _hatchlearningcenter.org_ is problematic because although the main site are hosted by the web server, the Invoice Ninja client portal is hosted in Kubernetes. Switching back to HAProxy to provide the reverse proxy functionality will eliminate the need to have the server certificate both on the backend and on the reverse proxy, as it can operate in TLS-passthrough mode. The main reason I stopped using HAProxy in the first place was because when using TLS-passthrough mode, the original source IP address is lost. Fortunately, HAProxy and Apache can both be configured to use the PROXY protocol, which provides a mechanism for communicating the original IP address while still passing through the TLS connection unmodified. This is particularly important for Nextcloud because of its built-in intrusion prevention; without knowing the actual source IP address, it blocks _everyone_, since all connections appear to come from the reverse proxy's IP address. Combining TLS-passthrough mode with the PROXY protocol resolves both the certificate management issue and the source IP address issue. I've cleaned up the _dch-proxy_ role quite a bit in this commit. Notably, I consolidated all the backend and frontend definitions into a single file; it didn't really make sense to have them all separate, since they were managed by the same role and referred to each other. Of course, I had to update the backends to match the currently-deployed applications as well.
2024-08-23 20:10:32 -05:00 · 2024-08-23 20:10:32 -05:00 · 2fa28dfa5f
parent cd1d472b74
commit 2fa28dfa5f
11 changed files with 137 additions and 111 deletions
--- a/dch-proxy.yml
+++ b/dch-proxy.yml
@ -4,5 +4,18 @@
  tasks:
  - name: ensure haproxy is running
    service:
-      name=haproxy
-      state=started
+      name: haproxy
+      state: started
+    tags:
+    - service
+  - name: ensure firewall is configured for haproxy
+    firewalld:
+      service: '{{ item }}'
+      immediate: true
+      permanent: true
+      state: enabled
+    loop:
+    - http
+    - https
+    tags:
+    - firewalld
--- a/group_vars/dch-proxy.yml
+++ b/group_vars/dch-proxy.yml
@ -0,0 +1,13 @@
+dch_proxy_internal_networks:
+- 172.30.0.0/16
+- 172.31.1.0/24
+# - 'fd68:c2d2:500e:3e00::/56'
+
+dch_proxy_allowlist:
+- 172.30.0.211/32
+
+dch_proxy_blocklist:
+- 172.30.0.208/28
+- 172.30.0.224/29
+- 172.30.0.232/29
+- 172.30.0.240/28
--- a/roles/dch-proxy/tasks/main.yml
+++ b/roles/dch-proxy/tasks/main.yml
@ -1,41 +1,9 @@
- name: ensure main haproxy frontend is configured
+- name: ensure haproxy is configured
  template:
-    src=frontend-main.haproxy.cfg.j2
-    dest=/etc/haproxy/50-frontend-main.cfg
-    mode=0644
-  notify: reload haproxy
-
- name: ensure gitea haproxy backend is configured
-  template:
-    src=backend-gitea.haproxy.cfg.j2
-    dest=/etc/haproxy/70-backend-gitea.cfg
-    mode=0644
-  notify: reload haproxy
-
- name: ensure jenkins haproxy backend is configured
-  template:
-    src=backend-jenkins.haproxy.cfg.j2
-    dest=/etc/haproxy/70-backend-jenkins.cfg
-    mode=0644
-  notify: reload haproxy
-
- name: ensure bitwarden haproxy backend is configured
-  template:
-    src=backend-bitwarden.haproxy.cfg.j2
-    dest=/etc/haproxy/70-backend-bitwarden.cfg
-    mode=0644
-  notify: reload haproxy
-
- name: ensure openvpn haproxy backend is configured
-  template:
-    src=backend-openvpn.haproxy.cfg.j2
-    dest=/etc/haproxy/70-backend-openvpn.cfg
-    mode=0644
-  notify: reload haproxy
-
- name: ensure websites haproxy backend is configured
-  template:
-    src=backend-websites.haproxy.cfg.j2
-    dest=/etc/haproxy/70-backend-websites.cfg
-    mode=0644
+    src: haproxy.cfg.j2
+    dest: /etc/haproxy/conf.d/50-main.cfg
+    mode: u=rw,go=r
+  tags:
+  - config
+  - haproxy-config
  notify: reload haproxy
--- a/roles/dch-proxy/templates/backend-bitwarden.haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/backend-bitwarden.haproxy.cfg.j2
@ -1,7 +0,0 @@
-backend bitwarden
-	server bitwarden bitwarden.pyrocufflink.blue:80 check
-
-
-backend bitwarden-tls
-	mode tcp
-	server bitwarden bitwarden.pyrocufflink.blue:443 check
--- a/roles/dch-proxy/templates/backend-gitea.haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/backend-gitea.haproxy.cfg.j2
@ -1,7 +0,0 @@
-backend gitea
-    server gitea git0.pyrocufflink.blue:80 check
-
-
-backend gitea-tls
-    mode tcp
-    server gitea git0.pyrocufflink.blue:443 check
--- a/roles/dch-proxy/templates/backend-jenkins.haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/backend-jenkins.haproxy.cfg.j2
@ -1,7 +0,0 @@
-backend jenkins
-	server jenkins jenkins.pyrocufflink.blue:80 check
-
-
-backend jenkins-tls
-	mode tcp
-	server jenkins jenkins.pyrocufflink.blue:443 check
--- a/roles/dch-proxy/templates/backend-nextcloud.haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/backend-nextcloud.haproxy.cfg.j2
@ -1,7 +0,0 @@
-backend nextcloud
-	server nextcloud cloud0.pyrocufflink.blue:80 check
-
-
-backend nextcloud-tls
-	mode tcp
-	server nextcloud cloud0.pyrocufflink.blue:443 check
--- a/roles/dch-proxy/templates/backend-openvpn.haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/backend-openvpn.haproxy.cfg.j2
@ -1,3 +0,0 @@
-backend openvpn
-	mode tcp
-	server openvpn 172.30.0.2:9876 check
--- a/roles/dch-proxy/templates/backend-websites.haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/backend-websites.haproxy.cfg.j2
@ -1,7 +0,0 @@
-backend web
-	server web0 web0.pyrocufflink.blue:80 check
-
-
-backend web-tls
-	mode tcp
-	server web web0.pyrocufflink.blue:443 check
--- a/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
@ -1,32 +0,0 @@
-frontend main
-    bind :::80
-
-    use_backend gitea if { hdr(host) -i git.pyrocufflink.blue }
-    use_backend gitea if { hdr(host) -i git.pyrocufflink.net }
-    use_backend jenkins if { hdr(host) -i jenkins.pyrocufflink.blue }
-    use_backend jenkins if { hdr(host) -i jenkins.pyrocufflink.net }
-    use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.blue }
-    use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.net }
-    use_backend nextcloud if { hdr(host) -i nextcloud.pyrocufflink.net }
-    default_backend web
-
-
-frontend main-tls
-    bind :::443
-    mode tcp
-    option tcplog
-
-    tcp-request inspect-delay 5s
-    tcp-request content accept if { req_ssl_hello_type 1 }
-
-    use_backend gitea-tls if { req_ssl_sni -i git.pyrocufflink.blue }
-    use_backend gitea-tls if { req_ssl_sni -i git.pyrocufflink.net }
-    use_backend jenkins-tls if { req_ssl_sni -i jenkins.pyrocufflink.blue }
-    use_backend jenkins-tls if { req_ssl_sni -i jenkins.pyrocufflink.net }
-    use_backend bitwarden-tls if { req_ssl_sni -i bitwarden.pyrocufflink.blue }
-    use_backend bitwarden-tls if { req_ssl_sni -i bitwarden.pyrocufflink.net }
-    use_backend nextcloud-tls if { req_ssl_sni -i nextcloud.pyrocufflink.net }
-    use_backend web-tls if { req_ssl_sni -i darkchestofwonders.us }
-    use_backend web-tls if { req_ssl_sni -i pyrocufflink.net }
-    use_backend web-tls if { req_ssl_sni -i -m end chmod777.sh }
-    default_backend openvpn
--- a/roles/dch-proxy/templates/haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/haproxy.cfg.j2
@ -0,0 +1,102 @@
+{% macro acls() +%}
+    acl internal_net src {{ dch_proxy_internal_networks|join(' ') }}
+    acl allowlist src {{ dch_proxy_allowlist|join(' ') }}
+    acl blocklist src {{ dch_proxy_blocklist|join(' ') }}
+{% endmacro %}
+
+frontend main
+    bind :::80
+
+    {{ acls() }}
+
+    tcp-request connection reject if blocklist !allowlist
+
+    use_backend gitea if { hdr(host) -i git.pyrocufflink.blue }
+    use_backend gitea if { hdr(host) -i git.pyrocufflink.net }
+    use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.blue }
+    use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.net }
+    use_backend nextcloud if { hdr(host) -i nextcloud.pyrocufflink.net }
+    use_backend web if { hdr(host) -i -m end chmod777.sh }
+    use_backend web if { hdr(host) -i -m end dustinandtabitha.com }
+    use_backend web if { hdr(host) -i dustin.hatch.name }
+    use_backend web if { hdr(host) -i dustin.hatch.is }
+    use_backend web if { hdr(host) -i -m end ebonfire.com }
+    use_backend web if { hdr(host) -i -m dom hatchlearningcenter }
+    use_backend web if { hdr(host) -i -m dom hlckc }
+    use_backend web if { hdr(host) -i -m dom hlcks }
+    use_backend web if { hdr(host) -i -m end nratonpass.com }
+    use_backend web if { hdr(host) -i pyrocufflink.net }
+    use_backend web if { hdr(host) -i -m end tabitha.biz }
+    use_backend kubernetes if { hdr(host) -i ntfy.pyrocufflink.net }
+    use_backend kubernetes if { hdr(host) -i darkchestofwonders.us }
+    use_backend kubernetes if internal_net
+
+
+frontend main-tls
+    bind :::443
+    mode tcp
+    option tcplog
+
+    {{ acls() }}
+
+    tcp-request connection reject if blocklist !allowlist
+    tcp-request inspect-delay 5s
+    tcp-request content accept if { req.ssl_hello_type 1 }
+
+    use_backend gitea-tls if { req.ssl_sni -i git.pyrocufflink.blue }
+    use_backend gitea-tls if { req.ssl_sni -i git.pyrocufflink.net }
+    use_backend bitwarden-tls if { req.ssl_sni -i bitwarden.pyrocufflink.blue }
+    use_backend bitwarden-tls if { req.ssl_sni -i bitwarden.pyrocufflink.net }
+    use_backend nextcloud-tls if { req.ssl_sni -i nextcloud.pyrocufflink.net }
+    use_backend web-tls if { req.ssl_sni -i -m end chmod777.sh }
+    use_backend web-tls if { req.ssl_sni -i dustin.hatch.name }
+    use_backend web-tls if { req.ssl_sni -i dustin.hatch.is }
+    use_backend web-tls if { req.ssl_sni -i -m end ebonfire.com }
+    use_backend web-tls if { req.ssl_sni -i -m dom hatchlearningcenter }
+    use_backend web-tls if { req.ssl_sni -i -m dom hlckc }
+    use_backend web-tls if { req.ssl_sni -i -m dom hlcks }
+    use_backend web-tls if { req.ssl_sni -i pyrocufflink.net }
+    use_backend web-tls if { req.ssl_sni -i -m end tabitha.biz }
+    use_backend kubernetes-tls if { req.ssl_sni -i ntfy.pyrocufflink.net }
+    use_backend kubernetes-tls if { req.ssl_sni -i darkchestofwonders.us }
+    use_backend kubernetes-tls if internal_net
+
+
+backend bitwarden
+    server bitwarden bitwarden.pyrocufflink.blue:80 check
+
+backend bitwarden-tls
+    mode tcp
+    server bitwarden bitwarden.pyrocufflink.blue:443 check
+
+
+backend gitea
+    server gitea git0.pyrocufflink.blue:80 check
+
+backend gitea-tls
+    mode tcp
+    server gitea git0.pyrocufflink.blue:443 check
+
+
+backend kubernetes
+    server k8s k8s-ingress.pyrocufflink.blue:80 check
+
+backend kubernetes-tls
+    mode tcp
+    server k8s k8s-ingress.pyrocufflink.blue:443 check
+
+
+backend nextcloud
+    server nextcloud cloud0.pyrocufflink.blue:80 check
+
+backend nextcloud-tls
+    mode tcp
+    server nextcloud cloud0.pyrocufflink.blue:8443 check send-proxy-v2
+
+
+backend web
+    server web0 web0.pyrocufflink.blue:80 check
+
+backend web-tls
+    mode tcp
+    server web web0.pyrocufflink.blue:443 check