♻️: refactor allowlist

VC
2024-11-04 17:48:43 +01:00
parent 92cbac9568
commit 95f38ef6f7
19 changed files with 95 additions and 70 deletions


@@ -1,10 +1,21 @@
listen *:443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/x509/{{ item }}/fullchain.cer;
ssl_certificate_key /etc/x509/{{ item }}/{{ item }}.key;
server_name {{ item }};
access_log /var/log/nginx/{{ item }}.access.log combined;
ssl_certificate /etc/x509/{{ item.host }}/fullchain.cer;
ssl_certificate_key /etc/x509/{{ item.host }}/{{ item.host }}.key;
server_name {{ item.host }};
access_log /var/log/nginx/{{ item.host }}.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/{{ item }}.error.log;
error_log /var/log/nginx/{{ item.host }}.error.log;
error_log syslog:server=unix:/dev/log;
{% if item.allowlistv4 is defined %}
allow {{ hostvars['haproxy.dmz.mateu.be'].ansible_default_ipv4.address }};
{% endif %}
{% if item.allowlistv6 is defined %}
{% for addrv6 in item.allowlistv6 %}
allow {{ addrv6 }};
{% endfor %}
{% endif %}
{% if item.allowlistv4 is defined or item.allowlistv6 is defined %}
deny all;
{% endif %}
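Review bot: The new `{% if item.allowlistv4 is defined %}` branch never reads the entries of `item.allowlistv4`; it emits one `allow` for the haproxy host's `ansible_default_ipv4.address`, so as soon as an IPv4 list is defined every IPv4 client that reaches nginx through that proxy is admitted and the list itself is enforced nowhere in this template, whereas the IPv6 branch loops over `item.allowlistv6`. The hardcoded list deleted from the fancyindex site in the second file carried two IPv4 ranges (`10.233.212.2/32`, `10.233.212.64/27`) that this template cannot express, so that site loses its IPv4 restriction unless haproxy applies it. If haproxy is meant to enforce the IPv4 list, state that where the address is emitted, e.g. `{# IPv4 arrives via haproxy, so nginx only sees its address; allowlistv4 has to be enforced on the proxy #}`; otherwise forward the client address (proxy protocol with `set_real_ip_from` / `real_ip_header`) and loop over `item.allowlistv4` the way the IPv6 branch does. Note also that `deny all` is emitted when only `allowlistv6` is defined, which then rejects every IPv4 client, including those coming through haproxy — confirm that is intended. The hunk header reports 21 new lines but 20 are shown here, so one line of this block may be missing from the rendering.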


@@ -1,4 +1,3 @@
{% set allowed_ips=['10.233.212.2/32','10.233.212.64/27', '2a01:e0a:9bd:2811::/64', '2a01:e0a:9bd:2810::/64', '2a01:e0a:fc:ebc0::/64', '2a01:cb00:8a0a:b700::/64', '2a01:e0a:d19:ef90::/64', '2001:910:13c8::/48', '2a01:e0a:bde:d350::/64', '2a01:cb00:f55:2d00::/64'] -%}
server {
{% include './templates/header.conf.j2' %}
@@ -6,10 +5,6 @@ server {
root /net/;
fancyindex on;
fancyindex_exact_size off;
{% for allowed_ip in allowed_ips -%}
allow {{ allowed_ip }};
{% endfor -%}
deny all;
}
}


@@ -2,7 +2,7 @@ server {
{% include './templates/header.conf.j2' %}
location / {
proxy_pass http://s3_backend_{{ item.split('.')|join('_') }};
proxy_pass http://s3_backend_{{ item.host.split('.')|join('_') }};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
# Disable buffering to a temporary file.
@@ -10,7 +10,7 @@ server {
}
}
upstream s3_backend_{{ item.split('.')|join('_') }} {
upstream s3_backend_{{ item.host.split('.')|join('_') }} {
# If you have a garage instance locally.
server [::1]:3900;
}


@@ -2,13 +2,13 @@ server {
{% include './templates/header.conf.j2' %}
location / {
proxy_pass http://web_backend_{{ item.split('.')|join('_') }};
proxy_pass http://web_backend_{{ item.host.split('.')|join('_') }};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
}
}
upstream web_backend_{{ item.split('.')|join('_') }} {
upstream web_backend_{{ item.host.split('.')|join('_') }} {
# If you have a garage instance locally.
server [::1]:3902;
}