Replace edge proxy with nginx

The config makes more sense, and it has more of the features I need, which will come later.
This commit is contained in:
Jake Howard 2021-08-22 22:34:27 +01:00
parent 23fc7bbb12
commit a54d373526
Signed by: jake
GPG Key ID: 57AFB45680EDD477
10 changed files with 96 additions and 98 deletions

View File

@ -1,15 +0,0 @@
haproxy:
exposed_ports:
- 8448
- 4242
stats_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
61356632383432353833616431393962613037646634656133316135363465313962663061633830
6564343466343965363233623138383961653733343834340a653563393039333764613131653735
30636333633137636664396566623831653831646562323232656233366563656464326333336339
3266363638356436370a323566326637356366373063643163613833636531373032313532336663
61633261633665626364343763313361656661393466373932363165306263303937306136303937
36626534393139353135383035383934633136363730643132333037393839373337396430333535
39386139353935663635346561616332356534373532643765646366373563323035306466626266
37303535663465363637653237343365333434663230356534316530376164306132613466303738
37666163616666626334363538343933313466313433353033613766653634646239

View File

@ -1,4 +0,0 @@
[Definition]
failregex = ^.*haproxy\[[0-9]+\]: <HOST>:.*$
ignoreregex =

View File

@ -1,41 +0,0 @@
global
log /dev/log local0
log /dev/log local1 notice
pidfile /run/haproxy.pid
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 10000
defaults
log global
mode http
option httplog
option dontlognull
listen https
bind *:443
mode tcp
timeout http-request 10m
timeout connect 10m
timeout client 10m
timeout server 10m
server default {{ wireguard.clients.ingress.ip }}:8443 send-proxy-v2
listen http
bind *:80
stats enable
stats show-node
stats uri /haproxy
stats auth stats:{{ haproxy.stats_pass }}
timeout http-request 10m
timeout connect 10m
timeout client 10m
timeout server 10m
server default {{ wireguard.clients.ingress.ip }}:880 send-proxy-v2
listen matrix
bind *:8448
mode tcp
server default {{ wireguard.clients.ingress.ip }}:8443 send-proxy-v2

View File

@ -0,0 +1,4 @@
[Definition]
failregex = ^<HOST> .*$
ignoreregex =

View File

@ -1,16 +1,14 @@
[haproxy]
[nginx]
enabled = true
bantime = 600
findtime = 10
maxretry = 100
filter = haproxy-basic
backend = systemd
journalmatch = _COMM=haproxy
filter = nginx-tcp
logpath = /var/log/nginx/ips.log
port = http,https,8448
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}
[traefik]
enabled = true
filter = haproxy-basic # Not actually used
port = http,https,8448
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}

View File

@ -0,0 +1,57 @@
worker_processes {{ ansible_processor_nproc }};
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
}
stream {
log_format access '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
log_format ips '$remote_addr [$time_local] $upstream_addr';
access_log /var/log/nginx/access.log access;
access_log /var/log/nginx/ips.log ips;
server {
listen 80;
proxy_pass {{ wireguard.clients.ingress.ip }}:880;
proxy_protocol on;
}
server {
listen 443;
proxy_pass {{ wireguard.clients.ingress.ip }}:8443;
proxy_protocol on;
}
server {
listen 8448;
proxy_protocol on;
proxy_pass {{ wireguard.clients.ingress.ip }}:8443;
}
}

View File

@ -1,15 +1,15 @@
- name: fail2ban filter
template:
src: files/haproxy-fail2ban-filter.conf
dest: /etc/fail2ban/filter.d/haproxy-basic.conf
src: files/nginx-fail2ban-filter.conf
dest: /etc/fail2ban/filter.d/nginx-tcp.conf
mode: "0600"
become: true
register: fail2ban_filter
- name: fail2ban jail
template:
src: files/haproxy-fail2ban-jail.conf
dest: /etc/fail2ban/jail.d/haproxy.conf
src: files/nginx-fail2ban-jail.conf
dest: /etc/fail2ban/jail.d/nginx.conf
mode: "0600"
become: true
register: fail2ban_jail

View File

@ -1,27 +0,0 @@
- name: Install Haproxy
package:
name: haproxy
become: true
- name: Haproxy config
template:
src: files/haproxy.cfg
dest: /etc/haproxy/haproxy.cfg
validate: /usr/sbin/haproxy -c -- %s
mode: "0644"
backup: yes
become: true
register: haproxy_config
- name: Enable Haproxy
service:
name: haproxy
enabled: true
become: true
- name: Restart Haproxy
service:
name: haproxy
state: restarted
become: true
when: haproxy_config.changed

View File

@ -1,5 +1,5 @@
- name: Configure HAproxy
include: haproxy.yml
- name: Configure Nginx
include: nginx.yml
- name: Configure wireguard
include: wireguard.yml

View File

@ -0,0 +1,26 @@
- name: Install nginx
package:
name: nginx
become: true
- name: Nginx config
template:
src: files/nginx.conf
dest: /etc/nginx/nginx.conf
validate: nginx -t -c %s
mode: "0644"
become: true
register: nginx_config
- name: Enable Nginx
service:
name: nginx
enabled: true
become: true
- name: Restart Nginx
service:
name: nginx
state: restarted
become: true
when: nginx_config.changed