[nginx-reverseproxy] Initial role

2020-05-02 10:18:10 +02:00 · 2020-05-02 10:18:10 +02:00 · 37406ff774
parent bcba080057
commit 37406ff774
8 changed files with 372 additions and 0 deletions
--- a/network.yml
+++ b/network.yml
@ -60,8 +60,80 @@
      domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
    bind:
      masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
+    nginx:
+      ssl:
+        cert: /etc/letsencrypt/live/crans.org/fullchain.pem
+        cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
+        trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
+ 
+      redirect_dnames:
+        - crans.eu
+        - crans.fr
+
+      reverseproxy_sites:
+        # Services web Crans
+        - {from: lutim.crans.org, to: 10.231.136.69}
+        - {from: zero.crans.org, to: 10.231.136.76}
+        - {from: pad.crans.org, to: 10.231.136.76}
+        - {from: ethercalc.crans.org, to: 10.231.136.203}
+        - {from: mediadrop.crans.org, to: 10.231.136.106}
+        - {from: videos.crans.org, to: 10.231.136.106}
+        - {from: video.crans.org, to: 10.231.136.106}
+        - {from: roundcube.crans.org, to: 10.231.136.105}
+        - {from: phabricator.crans.org, to: 10.231.136.123}
+        - {from: trackerusercontent.crans.org, to: 10.231.136.123}
+        - {from: cas.crans.org, to: 10.231.136.18}
+        - {from: auth.crans.org, to: 10.231.136.18}
+        - {from: login.crans.org, to: 10.231.136.18}
+        - {from: webmail.crans.org, to: 10.231.136.107}
+        - {from: horde.crans.org, to: 10.231.136.107}
+        - {from: owncloud.crans.org, to: 10.231.136.26}
+        - {from: ftps.crans.org, to: 10.231.136.98}
+        - {from: wiki.crans.org, to: 10.231.136.204}
+        - {from: www.crans.org, to: 10.231.136.46}
+        - {from: doc.crans.org, to: 10.231.136.46}
+        - {from: limesurvey.crans.org, to: 10.231.136.253}
+        - {from: lutim.crans.org, to: 10.231.136.69}
+        - {from: perso.crans.org, to: 10.231.136.1}
+        - {from: webnews.crans.org, to: 10.231.136.63}
+        - {from: re2o.crans.org, to: 10.231.136.9}
+        - {from: intranet.crans.org, to: 10.231.136.9}
+        - {from: autoconfig.crans.org, to: 10.231.136.46}
+        - {from: grafana.crans.org, to: 10.231.136.102}
+        - {from: webirc.crans.org, to: "10.231.136.1:9000"}
+
+        # Zamok
+        - {from: install-party.crans.org, to: 10.231.136.1}
+        - {from: med.crans.org, to: 10.231.136.1}
+        - {from: med-cartons.crans.org, to: 10.231.136.1}
+        - {from: amap.crans.org, to: 10.231.136.1}
+        - {from: pot-vieux.crans.org, to: 10.231.136.1}
+        - {from: bonvivens.crans.org, to: 10.231.136.1}
+
+      redirect_sites:
+        - {from: crans.org, to: www.crans.org}
+
+        # Aliases or legacy support
+        - {from: factures.crans.org, to: intranet.crans.org}
+        - {from: accounts.crans.org, to: intranet.crans.org}
+        - {from: intranet2.crans.org, to: intranet.crans.org}
+        - {from: clubs.crans.org, to: perso.crans.org}
+        - {from: task.crans.org, to: phabricator.crans.org}
+        - {from: adopteunpingouin.crans.org, to: install-party.crans.org}
+        - {from: i-p.crans.org, to: install-party.crans.org}
+
+        # To the wiki
+        - {from: wikipedia.crans.org, to: wiki.crans.org}
+        - {from: wifi.crans.org, to: wiki.crans.org/CransD%C3%A9marrage}
+        - {from: television.crans.org, to: wiki.crans.org/CransTv}
+        - {from: tv.crans.org, to: wiki.crans.org/CransTv}
+
+        # ENS Cachan
+        - {from: crans.ens-cachan.fr, to: www.crans.org}
+        - {from: install-party.ens-cachan.fr, to: install-party.crans.org}
  roles:
    - certbot
+    - nginx-reverseproxy

 - hosts: gitzly.adm.crans.org
  vars:
--- a/roles/nginx-reverseproxy/handlers/main.yml
+++ b/roles/nginx-reverseproxy/handlers/main.yml
@ -0,0 +1,5 @@
+---
+- name: Reload nginx
+  systemd:
+    name: nginx
+    state: reloaded
--- a/roles/nginx-reverseproxy/tasks/main.yml
+++ b/roles/nginx-reverseproxy/tasks/main.yml
@ -0,0 +1,40 @@
+---
+- name: Install NGINX
+  apt:
+    update_cache: true
+    name: nginx
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Copy reverse proxy sites
+  template:
+    src: "nginx/{{ item }}.j2"
+    dest: "/etc/nginx/sites-available/{{ item }}"
+  loop:
+    - reverseproxy
+    - reverseproxy_redirect_dname
+    - redirect
+  notify: Reload nginx
+
+- name: Activate sites
+  file:
+    src: "/etc/nginx/sites-available/{{ item }}"
+    dest: "/etc/nginx/sites-enabled/{{ item }}"
+    state: link
+  loop:
+    - reverseproxy
+    - reverseproxy_redirect_dname
+    - redirect
+  notify: Reload nginx
+
+- name: Copy 50x error page
+  template:
+    src: www/html/50x.html.j2
+    dest: /var/www/html/50x.html
+
+- name: Indicate role in motd
+  template:
+    src: update-motd.d/05-service.j2
+    dest: /etc/update-motd.d/05-nginx
+    mode: 0755
--- a/roles/nginx-reverseproxy/templates/nginx/redirect.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/redirect.j2
@ -0,0 +1,83 @@
+{{ ansible_header | comment }}
+
+{% for site in nginx.redirect_sites %}
+# Redirect http://{{ site.from }} to http://{{ site.to }}
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ site.from }};
+
+    location / {
+        return 302 http://{{ site.to }}$request_uri;
+    }
+}
+
+# Redirect https://{{ site.from }} to https://{{ site.to }}
+server {
+    listen 443;
+    listen [::]:443;
+
+    server_name {{ site.from }};
+
+    ssl on;
+    ssl_certificate {{ nginx.ssl.cert }};
+    ssl_certificate_key {{ nginx.ssl.cert_key }};
+
+    # SSL ciphers updated by Debian
+    include "/etc/letsencrypt/options-ssl-nginx.conf";
+
+    # Enable OCSP Stapling, point to certificate chain
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
+    location / {
+        return 302 https://{{ site.to }}$request_uri;
+    }
+}
+
+{% endfor %}
+
+{# Also redirect for DNAMEs #}
+{% for dname in nginx.redirect_dnames %}
+{% for site in nginx.redirect_sites %}
+{% set from = site.from | regex_replace('crans.org', dname) %}
+# Redirect http://{{ from }} to http://{{ site.to }}
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ from }};
+
+    location / {
+        return 302 http://{{ site.to }}$request_uri;
+    }
+}
+
+# Redirect https://{{ from }} to https://{{ site.to }}
+server {
+    listen 443;
+    listen [::]:443;
+
+    server_name {{ from }};
+
+    ssl on;
+    ssl_certificate {{ nginx.ssl.cert }};
+    ssl_certificate_key {{ nginx.ssl.cert_key }};
+
+    # SSL ciphers updated by Debian
+    include "/etc/letsencrypt/options-ssl-nginx.conf";
+
+    # Enable OCSP Stapling, point to certificate chain
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
+    location / {
+        return 302 https://{{ site.to }}$request_uri;
+    }
+}
+
+{% endfor %}
+{% endfor %}
--- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2
@ -0,0 +1,62 @@
+{{ ansible_header | comment }}
+
+{% for site in nginx.reverseproxy_sites %}
+# Redirect http://{{ site.from }} to https://{{ site.from }}
+server {
+    listen 80;
+    listen [::]:80
+
+    server_name {{ site.from }};
+
+    location / {
+        return 302 https://$host$request_uri;
+    }
+}
+
+# Reverse proxify https://{{ site.from }} to http://{{ site.to }}
+server {
+    listen 443;
+    listen [::]:443;
+
+    server_name {{ site.from }};
+
+    ssl on;
+    ssl_certificate {{ nginx.ssl.cert }};
+    ssl_certificate_key {{ nginx.ssl.cert_key }};
+
+    # SSL ciphers updated by Debian
+    include "/etc/letsencrypt/options-ssl-nginx.conf";
+
+    # Enable OCSP Stapling, point to certificate chain
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
+    # Log into separate log files
+    access_log      /var/log/nginx/{{ site.from }}.log;
+    error_log       /var/log/nginx/{{ site.from }}_error.log;
+
+    # Keep the TCP connection open a bit for faster browsing
+    keepalive_timeout 70;
+ 
+    # Custom error page
+    error_page  500 502 503 504  /50x.html;
+    location = /50x.html {
+        root /var/www/html;
+    }
+
+    set_real_ip_from 10.231.136.0/24;
+    set_real_ip_from 2a0c:700:0:2::/64;
+    real_ip_header P-Real-Ip;
+
+    location / {
+        proxy_set_header Host {{ site.from }};
+        proxy_set_header P-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_redirect off;
+        proxy_pass http://{{ site.to }};
+    }
+}
+
+{% endfor %}
--- a/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2
@ -0,0 +1,44 @@
+{{ ansible_header | comment }}
+
+{% for dname in nginx.redirect_dnames %}
+{% for site in nginx.reverseproxy_sites %}
+{% set from = site.from | regex_replace('crans.org', dname) %}
+{% set to = site.from %}
+# Redirect http://{{ from }} to http://{{ to }}
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ from }};
+
+    location / {
+        return 302 http://{{ to }}$request_uri;
+    }
+}
+
+# Redirect https://{{ from }} to https://{{ to }}
+server {
+    listen 443;
+    listen [::]:443;
+
+    server_name {{ from }};
+
+    ssl on;
+    ssl_certificate {{ nginx.ssl.cert }};
+    ssl_certificate_key {{ nginx.ssl.cert_key }};
+
+    # SSL ciphers updated by Debian
+    include "/etc/letsencrypt/options-ssl-nginx.conf";
+
+    # Enable OCSP Stapling, point to certificate chain
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+
+    location / {
+        return 302 https://{{ to }}$request_uri;
+    }
+}
+
+{% endfor %}
+{% endfor %}
--- a/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2
+++ b/roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2
@ -0,0 +1,3 @@
+#!/usr/bin/tail +14
+{{ ansible_header | comment }}
+[0m> [38;5;82mNGINX[0m a été déployé sur cette machine. Voir [38;5;6m/etc/nginx/[0m.
--- a/roles/nginx-reverseproxy/templates/www/html/50x.html.j2
+++ b/roles/nginx-reverseproxy/templates/www/html/50x.html.j2
@ -0,0 +1,63 @@
+<!doctype html>
+<html lang="fr">
+<head>
+    <meta charset="utf-8">
+    <title>502</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <style>
+        * {
+            line-height: 1.2;
+            margin: 0;
+        }
+
+        html {
+            color: #888;
+            display: table;
+            font-family: sans-serif;
+            height: 100%;
+            text-align: center;
+            width: 100%;
+        }
+
+        body {
+            display: table-cell;
+            vertical-align: middle;
+            margin: 2em auto;
+        }
+
+	a {
+	    color: #888;
+            text-decoration: underline dotted;
+	}
+
+        h1 {
+            color: #555;
+            font-size: 2em;
+            font-weight: 400;
+        }
+
+        p {
+            margin: 1em auto;
+            max-width: 480px;
+        }
+
+        @media only screen and (max-width: 280px) {
+            body, p {
+                width: 95%;
+            }
+
+            h1 {
+                font-size: 1.5em;
+                margin: 0 0 0.3em;
+            }
+        }
+    </style>
+</head>
+<body>
+    <h1>502</h1>
+    <p>Whoops, le service prend trop de temps à répondre…</p>
+    <p>Essayez de rafraîchir la page. Si le problème persiste, pensez
+    à contacter <a href="mailto:contact@crans.org">l'équipe technique du Cr@ns</a>.</p>
+</body>
+</html>
+