dustin
/
configpolicy
1
1
Fork 0
Code Issues Releases Activity

r/dch-proxy: Define sites declaratively 

I've already made a couple of mistakes keeping the HTTP and HTTPS rules
in sync.  Let's define the sites declaratively and derive the HAProxy
rules from the data, rather then manually type the rules.
frigate-exporter
Dustin 2024-08-24 11:45:03 -05:00
parent 2a110d7aba
commit 85da487cb8
2 changed files with 124 additions and 81 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
group_vars/dch-proxy.yml
View File

@ -11,3 +11,106 @@ dch_proxy_blocklist:
- 172.30.0.224/29 - 172.30.0.224/29
- 172.30.0.232/29 - 172.30.0.232/29
- 172.30.0.240/28 - 172.30.0.240/28
dch_proxy_sites:
- backend: gitea
match: git.pyrocufflink
matcher: dom
- backend: bitwarden
match: bitwarden.pyrocufflink
matcher: dom
- backend: nextcloud
match: nextcloud.pyrocufflink.net
- backend: kubernetes
match: billing.hatchlearningcenter.org
- backend: web
match: chmod777.sh
matcher: end
- backend: web
match: dustinandtabitha.com
matcher: end
- backend: web
match: dustin.hatch.name
- backend: web
match: dustin.hatch.is
- backend: web
match: ebonfire.com
matcher: end
- backend: web
match: hatchlearningcenter hlckc hlcks
matcher: dom
- backend: web
match: nratonpass.com
matcher: end
- backend: web
match: pyrocufflink.net
- backend: web
match: tabitha.biz
matcher: end
- backend: kubernetes
match: ntfy.pyrocufflink.net
- backend: kubernetes
match: darkchestofwonders.us
dch_proxy_backends:
bitwarden:
servers:
- name: bitwarden
host: 'bitwarden.pyrocufflink.blue:80'
options: check
bitwarden-tls:
mode: tcp
servers:
- name: bitwarden
host: 'bitwarden.pyrocufflink.blue:443'
options: check
gitea:
servers:
- name: gitea
host: 'git0.pyrocufflink.blue:80'
options: check
gitea-tls:
mode: tcp
servers:
- name: gitea
host: 'git0.pyrocufflink.blue:443'
options: check
kubernetes:
servers:
- name: k8s
host: 'k8s-ingress.pyrocufflink.blue:80'
options: check
kubernetes-tls:
mode: tcp
servers:
- name: k8s
host: 'k8s-ingress.pyrocufflink.blue:443'
options: check
nextcloud:
servers:
- name: nextcloud
host: 'cloud0.pyrocufflink.blue:80'
options: check
nextcloud-tls:
mode: tcp
servers:
- name: nextcloud
# NOTE: NOT the default HTTPS port, but a different virtual host that
# accepts the PROXY protocol
host: 'cloud0.pyrocufflink.blue:8443'
options: check send-proxy-v2
web:
servers:
- name: web0
host: 'web0.pyrocufflink.blue:80'
options: check
web-tls:
mode: tcp
servers:
- name: web0
host: 'web0.pyrocufflink.blue:443'
options: check

96
roles/dch-proxy/templates/haproxy.cfg.j2
View File

@ -1,4 +1,4 @@
{% macro acls() +%} {% macro acls() %}
acl internal_net src {{ dch_proxy_internal_networks|join(' ') }} acl internal_net src {{ dch_proxy_internal_networks|join(' ') }}
acl allowlist src {{ dch_proxy_allowlist|join(' ') }} acl allowlist src {{ dch_proxy_allowlist|join(' ') }}
acl blocklist src {{ dch_proxy_blocklist|join(' ') }} acl blocklist src {{ dch_proxy_blocklist|join(' ') }}
@ -7,96 +7,36 @@
frontend main frontend main
bind :::80 bind :::80
{{ acls() }} {{ acls() | indent(4) }}
tcp-request connection reject if blocklist !allowlist tcp-request connection reject if blocklist !allowlist
use_backend gitea if { hdr(host) -i git.pyrocufflink.blue } {% for site in dch_proxy_sites %}
use_backend gitea if { hdr(host) -i git.pyrocufflink.net } use_backend {{ site.backend }} if { hdr(host) -i {% if site.matcher|d %}-m {{ site.matcher }} {% endif %}{{ site.match }} }
use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.blue } {% endfor %}
use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.net }
use_backend nextcloud if { hdr(host) -i nextcloud.pyrocufflink.net }
use_backend web if { hdr(host) -i -m end chmod777.sh }
use_backend web if { hdr(host) -i -m end dustinandtabitha.com }
use_backend web if { hdr(host) -i dustin.hatch.name }
use_backend web if { hdr(host) -i dustin.hatch.is }
use_backend web if { hdr(host) -i -m end ebonfire.com }
use_backend web if { hdr(host) -i -m dom hatchlearningcenter }
use_backend web if { hdr(host) -i -m dom hlckc }
use_backend web if { hdr(host) -i -m dom hlcks }
use_backend web if { hdr(host) -i -m end nratonpass.com }
use_backend web if { hdr(host) -i pyrocufflink.net }
use_backend web if { hdr(host) -i -m end tabitha.biz }
use_backend kubernetes if { hdr(host) -i ntfy.pyrocufflink.net }
use_backend kubernetes if { hdr(host) -i darkchestofwonders.us }
use_backend kubernetes if internal_net use_backend kubernetes if internal_net
frontend main-tls frontend main-tls
bind :::443 bind :::443
mode tcp mode tcp
option tcplog option tcplog
{{ acls() }} {{ acls() | indent(4) }}
tcp-request connection reject if blocklist !allowlist tcp-request connection reject if blocklist !allowlist
tcp-request inspect-delay 5s tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 } tcp-request content accept if { req.ssl_hello_type 1 }
use_backend gitea-tls if { req.ssl_sni -i git.pyrocufflink.blue } {% for site in dch_proxy_sites %}
use_backend gitea-tls if { req.ssl_sni -i git.pyrocufflink.net } use_backend {{ site.backend }}-tls if { req.ssl_sni -i {% if site.matcher|d %}-m {{ site.matcher }} {% endif %}{{ site.match }} }
use_backend bitwarden-tls if { req.ssl_sni -i bitwarden.pyrocufflink.blue } {% endfor %}
use_backend bitwarden-tls if { req.ssl_sni -i bitwarden.pyrocufflink.net }
use_backend nextcloud-tls if { req.ssl_sni -i nextcloud.pyrocufflink.net }
use_backend web-tls if { req.ssl_sni -i -m end chmod777.sh }
use_backend web-tls if { req.ssl_sni -i dustin.hatch.name }
use_backend web-tls if { req.ssl_sni -i dustin.hatch.is }
use_backend web-tls if { req.ssl_sni -i -m end ebonfire.com }
use_backend web-tls if { req.ssl_sni -i -m dom hatchlearningcenter }
use_backend web-tls if { req.ssl_sni -i -m dom hlckc }
use_backend web-tls if { req.ssl_sni -i -m dom hlcks }
use_backend web-tls if { req.ssl_sni -i pyrocufflink.net }
use_backend web-tls if { req.ssl_sni -i -m end tabitha.biz }
use_backend kubernetes-tls if { req.ssl_sni -i ntfy.pyrocufflink.net }
use_backend kubernetes-tls if { req.ssl_sni -i darkchestofwonders.us }
use_backend kubernetes-tls if internal_net use_backend kubernetes-tls if internal_net
{% for name, backend in dch_proxy_backends.items() %}
backend bitwarden backend {{ name }}
server bitwarden bitwarden.pyrocufflink.blue:80 check {% if backend.mode|d %}
mode {{ backend.mode }}
backend bitwarden-tls {% endif %}
mode tcp {% for server in backend.servers %}
server bitwarden bitwarden.pyrocufflink.blue:443 check server {{ server.name }} {{ server.host }} {{ server.options }}
{% endfor %}
{% endfor %}
backend gitea
server gitea git0.pyrocufflink.blue:80 check
backend gitea-tls
mode tcp
server gitea git0.pyrocufflink.blue:443 check
backend kubernetes
server k8s k8s-ingress.pyrocufflink.blue:80 check
backend kubernetes-tls
mode tcp
server k8s k8s-ingress.pyrocufflink.blue:443 check
backend nextcloud
server nextcloud cloud0.pyrocufflink.blue:80 check
backend nextcloud-tls
mode tcp
server nextcloud cloud0.pyrocufflink.blue:8443 check send-proxy-v2
backend web
server web0 web0.pyrocufflink.blue:80 check
backend web-tls
mode tcp
server web web0.pyrocufflink.blue:443 check