Using the PROXY protocol allows the publicly-facing reverse proxy to pass through the original source address of the client, without doing TLS termination. Clients on the internal network will not go through the proxy, though, so we have to disable the PROXY protocol for those addresses. Unfortunately, the syntax for this is kind of cumbersome, because Apache only has a deny list, not an allow list, so we have to enumerate all of the possible internal addresses _except_ the proxy.
# Variables for the reverse-proxy role (the `dch_proxy_` prefix). The
# `options: check send-proxy` values below look like HAProxy server options
# and `mode: tcp` like an HAProxy backend mode; presumably these feed an
# Ansible template that renders the proxy configuration — confirm against
# the role's templates.
#
# Networks whose clients reach the backends directly, bypassing the proxy.
# Per the commit description, the PROXY protocol must be disabled for these
# source addresses on the backends, because only the proxy sends it.
dch_proxy_internal_networks:
  - 172.30.0.0/16
  - 172.31.1.0/24
  # IPv6 prefix currently left out; clients from it would be treated as
  # external until this is enabled.
  # - 'fd68:c2d2:500e:3e00::/56'

# Single host (/32); presumably the reverse proxy itself, i.e. the one
# address that IS required to send the PROXY protocol — verify.
dch_proxy_allowlist:
  - 172.30.0.211/32

# Ranges exempted from the PROXY-protocol requirement. Together they cover
# 172.30.0.208 through 172.30.0.255 (the two /29s are adjacent and equal
# 172.30.0.224/28).
# NOTE(review): 172.30.0.208/28 spans .208–.223 and therefore contains the
# allowlisted 172.30.0.211. The commit description says every internal
# address EXCEPT the proxy must be listed, so confirm the allowlist takes
# precedence in the rendered configuration; otherwise the proxy's own
# address is exempted and client source addresses would not be passed
# through for connections via the proxy.
dch_proxy_blocklist:
  - 172.30.0.208/28
  - 172.30.0.224/29
  - 172.30.0.232/29
  - 172.30.0.240/28

# Routing table: each entry maps a host-name pattern to a key of
# `dch_proxy_backends`. Every `backend` value used here (gitea, kubernetes,
# nextcloud, web, jellyfin) is defined below; the `bitwarden` backend is
# defined but not referenced by name — bitwarden.pyrocufflink is routed to
# the `kubernetes` backend instead.
#
#   backend  - name of the backend to forward to
#   match    - host name, suffix, or domain to match; one entry holds
#              several space-separated values, presumably split by the
#              template — confirm
#   matcher  - `dom` or `end`; omitted on several entries, so the template
#              must apply a default (likely HAProxy's `dom`/`end` header
#              match methods — confirm)
dch_proxy_sites:
  - backend: gitea
    match: git.pyrocufflink
    matcher: dom
  - backend: kubernetes
    match: bitwarden.pyrocufflink
    matcher: dom
  - backend: nextcloud
    match: nextcloud.pyrocufflink.net
  - backend: kubernetes
    match: billing.hatchlearningcenter.org
  - backend: web
    match: chmod777.sh
    matcher: end
  - backend: web
    match: dustinandtabitha.com
    matcher: end
  - backend: web
    match: dustin.hatch.name
  - backend: web
    match: dustin.hatch.is
  - backend: web
    match: ebonfire.com
    matcher: end
  - backend: web
    match: apps.du5t1n.xyz
  - backend: web
    # several patterns in one scalar; see note on `match` above
    match: hatchlearningcenter hlckc hlcks
    matcher: dom
  - backend: web
    match: nratonpass.com
    matcher: end
  - backend: web
    match: pyrocufflink.net
  - backend: web
    match: tabitha.biz
    matcher: end
  - backend: jellyfin
    match: jellyfin.pyrocufflink
    matcher: dom
  - backend: kubernetes
    match: ntfy.pyrocufflink.net
  - backend: web
    match: darkchestofwonders.us
  - backend: kubernetes
    match: invoiceninja.pyrocufflink.net
  - backend: kubernetes
    match: dynk8s-provisioner.pyrocufflink.net
  - backend: kubernetes
    match: metrics.pyrocufflink.blue
  - backend: kubernetes
    match: auth.pyrocufflink
    matcher: dom

# Backend definitions. Each backend comes in two flavours:
#   <name>      - plain HTTP to port 80 on the origin
#   <name>-tls  - `mode: tcp`, i.e. the TLS stream is passed through rather
#                 than terminated here (consistent with the commit
#                 description); `send-proxy` on a server conveys the
#                 client's source address to the origin via the PROXY
#                 protocol, which the origin must then expect on that port
# `host` values are quoted because the embedded `:` would otherwise be
# mis-parsed as a mapping.
dch_proxy_backends:
  bitwarden:
    servers:
      - name: bitwarden
        host: 'bitwarden.pyrocufflink.blue:80'
        options: check
  bitwarden-tls:
    mode: tcp
    servers:
      - name: bitwarden
        host: 'bitwarden.pyrocufflink.blue:443'
        # NOTE(review): no `send-proxy` here, unlike the other *-tls
        # backends, so this origin sees the proxy's address rather than the
        # client's for TLS connections — confirm this is intended (it
        # affects source-address logging and any IP-based controls there).
        options: check

  gitea:
    servers:
      - name: gitea
        host: 'git0.pyrocufflink.blue:80'
        options: check
  gitea-tls:
    mode: tcp
    servers:
      - name: gitea
        host: 'git0.pyrocufflink.blue:443'
        options: check send-proxy

  jellyfin:
    servers:
      - name: jellyfin
        host: 'jellyfin.pyrocufflink.blue:80'
        options: check
  jellyfin-tls:
    mode: tcp
    servers:
      - name: jellyfin-tls
        # Port 8443 rather than 443; presumably a separate listener that
        # accepts the PROXY protocol, as documented for nextcloud-tls
        # below — confirm.
        host: 'jellyfin.pyrocufflink.blue:8443'
        options: check send-proxy

  kubernetes:
    servers:
      - name: k8s
        host: 'k8s-ingress.pyrocufflink.blue:80'
        options: check
  kubernetes-tls:
    mode: tcp
    servers:
      - name: k8s
        host: 'k8s-ingress.pyrocufflink.blue:443'
        # NOTE(review): no `send-proxy` here either (see bitwarden-tls);
        # the ingress will not receive the original client address over
        # TLS unless it is conveyed some other way — confirm.
        options: check

  nextcloud:
    servers:
      - name: nextcloud
        host: 'cloud0.pyrocufflink.blue:80'
        options: check
  nextcloud-tls:
    mode: tcp
    servers:
      - name: nextcloud
        # NOTE: NOT the default HTTPS port, but a different virtual host that
        # accepts the PROXY protocol. Direct (internal) clients keep using
        # 443, which is why the PROXY protocol can be required on 8443.
        host: 'cloud0.pyrocufflink.blue:8443'
        options: check send-proxy

  web:
    servers:
      - name: web0
        host: 'web0.pyrocufflink.blue:80'
        options: check
  web-tls:
    mode: tcp
    servers:
      - name: web0
        # Same port (443) as direct clients use; this is the case the
        # commit description addresses: the origin must accept PROXY from
        # the proxy but not require it from the internal networks.
        host: 'web0.pyrocufflink.blue:443'
        options: check send-proxy