diff --git a/ansible/group_vars/all/haproxy.yml b/ansible/group_vars/all/haproxy.yml deleted file mode 100644 index c7d1a4a..0000000 --- a/ansible/group_vars/all/haproxy.yml +++ /dev/null @@ -1,15 +0,0 @@ -haproxy: - exposed_ports: - - 8448 - - 4242 - stats_pass: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 61356632383432353833616431393962613037646634656133316135363465313962663061633830 - 6564343466343965363233623138383961653733343834340a653563393039333764613131653735 - 30636333633137636664396566623831653831646562323232656233366563656464326333336339 - 3266363638356436370a323566326637356366373063643163613833636531373032313532336663 - 61633261633665626364343763313361656661393466373932363165306263303937306136303937 - 36626534393139353135383035383934633136363730643132333037393839373337396430333535 - 39386139353935663635346561616332356534373532643765646366373563323035306466626266 - 37303535663465363637653237343365333434663230356534316530376164306132613466303738 - 37666163616666626334363538343933313466313433353033613766653634646239 diff --git a/ansible/roles/gateway/files/haproxy-fail2ban-filter.conf b/ansible/roles/gateway/files/haproxy-fail2ban-filter.conf deleted file mode 100644 index 615b2b0..0000000 --- a/ansible/roles/gateway/files/haproxy-fail2ban-filter.conf +++ /dev/null @@ -1,4 +0,0 @@ -[Definition] - -failregex = ^.*haproxy\[[0-9]+\]: :.*$ -ignoreregex = diff --git a/ansible/roles/gateway/files/haproxy.cfg b/ansible/roles/gateway/files/haproxy.cfg deleted file mode 100644 index d423533..0000000 --- a/ansible/roles/gateway/files/haproxy.cfg +++ /dev/null @@ -1,41 +0,0 @@ -global - log /dev/log local0 - log /dev/log local1 notice - pidfile /run/haproxy.pid - stats timeout 30s - user haproxy - group haproxy - daemon - maxconn 10000 - -defaults - log global - mode http - option httplog - option dontlognull - -listen https - bind *:443 - mode tcp - timeout http-request 10m - timeout connect 10m - timeout client 10m - timeout server 10m - server default {{ wireguard.clients.ingress.ip }}:8443 send-proxy-v2 - -listen http - bind *:80 - stats enable - stats show-node - stats uri /haproxy - stats auth stats:{{ haproxy.stats_pass }} - timeout http-request 10m - timeout connect 10m - timeout client 10m - timeout server 10m - server default {{ wireguard.clients.ingress.ip }}:880 send-proxy-v2 - -listen matrix - bind *:8448 - mode tcp - server default {{ wireguard.clients.ingress.ip }}:8443 send-proxy-v2 diff --git a/ansible/roles/gateway/files/nginx-fail2ban-filter.conf b/ansible/roles/gateway/files/nginx-fail2ban-filter.conf new file mode 100644 index 0000000..64ab636 --- /dev/null +++ b/ansible/roles/gateway/files/nginx-fail2ban-filter.conf @@ -0,0 +1,4 @@ +[Definition] + +failregex = ^ .*$ +ignoreregex = diff --git a/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf b/ansible/roles/gateway/files/nginx-fail2ban-jail.conf similarity index 70% rename from ansible/roles/gateway/files/haproxy-fail2ban-jail.conf rename to ansible/roles/gateway/files/nginx-fail2ban-jail.conf index aece157..57ae5a4 100644 --- a/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf +++ b/ansible/roles/gateway/files/nginx-fail2ban-jail.conf @@ -1,16 +1,14 @@ -[haproxy] +[nginx] enabled = true bantime = 600 findtime = 10 maxretry = 100 -filter = haproxy-basic -backend = systemd -journalmatch = _COMM=haproxy +filter = nginx-tcp +logpath = /var/log/nginx/ips.log port = http,https,8448 ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }} [traefik] enabled = true -filter = haproxy-basic # Not actually used port = http,https,8448 ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }} diff --git a/ansible/roles/gateway/files/nginx.conf b/ansible/roles/gateway/files/nginx.conf new file mode 100644 index 0000000..051f170 --- /dev/null +++ b/ansible/roles/gateway/files/nginx.conf @@ -0,0 +1,57 @@ +worker_processes {{ ansible_processor_nproc }}; + +events { + worker_connections 1024; +} + + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + # '$status $body_bytes_sent "$http_referer" ' + # '"$http_user_agent" "$http_x_forwarded_for"'; + + #access_log logs/access.log main; + + sendfile on; + #tcp_nopush on; + + #keepalive_timeout 0; + keepalive_timeout 65; + + #gzip on; + +} + +stream { + + log_format access '$remote_addr [$time_local] ' + '$protocol $status $bytes_sent $bytes_received ' + '$session_time "$upstream_addr" ' + '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"'; + + log_format ips '$remote_addr [$time_local] $upstream_addr'; + + + access_log /var/log/nginx/access.log access; + access_log /var/log/nginx/ips.log ips; + + server { + listen 80; + proxy_pass {{ wireguard.clients.ingress.ip }}:880; + proxy_protocol on; + } + server { + listen 443; + proxy_pass {{ wireguard.clients.ingress.ip }}:8443; + proxy_protocol on; + } + + server { + listen 8448; + proxy_protocol on; + proxy_pass {{ wireguard.clients.ingress.ip }}:8443; + } +} diff --git a/ansible/roles/gateway/tasks/fail2ban.yml b/ansible/roles/gateway/tasks/fail2ban.yml index e9b1246..aab8702 100644 --- a/ansible/roles/gateway/tasks/fail2ban.yml +++ b/ansible/roles/gateway/tasks/fail2ban.yml @@ -1,15 +1,15 @@ - name: fail2ban filter template: - src: files/haproxy-fail2ban-filter.conf - dest: /etc/fail2ban/filter.d/haproxy-basic.conf + src: files/nginx-fail2ban-filter.conf + dest: /etc/fail2ban/filter.d/nginx-tcp.conf mode: "0600" become: true register: fail2ban_filter - name: fail2ban jail template: - src: files/haproxy-fail2ban-jail.conf - dest: /etc/fail2ban/jail.d/haproxy.conf + src: files/nginx-fail2ban-jail.conf + dest: /etc/fail2ban/jail.d/nginx.conf mode: "0600" become: true register: fail2ban_jail diff --git a/ansible/roles/gateway/tasks/haproxy.yml b/ansible/roles/gateway/tasks/haproxy.yml deleted file mode 100644 index 20035dc..0000000 --- a/ansible/roles/gateway/tasks/haproxy.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: Install Haproxy - package: - name: haproxy - become: true - -- name: Haproxy config - template: - src: files/haproxy.cfg - dest: /etc/haproxy/haproxy.cfg - validate: /usr/sbin/haproxy -c -- %s - mode: "0644" - backup: yes - become: true - register: haproxy_config - -- name: Enable Haproxy - service: - name: haproxy - enabled: true - become: true - -- name: Restart Haproxy - service: - name: haproxy - state: restarted - become: true - when: haproxy_config.changed diff --git a/ansible/roles/gateway/tasks/main.yml b/ansible/roles/gateway/tasks/main.yml index aa8f8f9..2231577 100644 --- a/ansible/roles/gateway/tasks/main.yml +++ b/ansible/roles/gateway/tasks/main.yml @@ -1,5 +1,5 @@ -- name: Configure HAproxy - include: haproxy.yml +- name: Configure Nginx + include: nginx.yml - name: Configure wireguard include: wireguard.yml diff --git a/ansible/roles/gateway/tasks/nginx.yml b/ansible/roles/gateway/tasks/nginx.yml new file mode 100644 index 0000000..a6711a6 --- /dev/null +++ b/ansible/roles/gateway/tasks/nginx.yml @@ -0,0 +1,26 @@ +- name: Install nginx + package: + name: nginx + become: true + +- name: Nginx config + template: + src: files/nginx.conf + dest: /etc/nginx/nginx.conf + validate: nginx -t -c %s + mode: "0644" + become: true + register: nginx_config + +- name: Enable Nginx + service: + name: nginx + enabled: true + become: true + +- name: Restart Nginx + service: + name: nginx + state: restarted + become: true + when: nginx_config.changed