bundles/nginx: support disabling ssl for each vhost individually

This commit is contained in:
Franzi 2021-02-20 14:25:27 +01:00
parent 228786f6aa
commit 74d81eb7ba
Signed by: kunsi
GPG key ID: 12E3D2136B818350
5 changed files with 27 additions and 13 deletions


@ -7,7 +7,7 @@ server {
root ${webroot if webroot else '/var/www/{}/'.format(vhost)}; root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
index ${' '.join(index)}; index ${' '.join(index)};
% if node.metadata['nginx']['use_ssl_for_all_connections']: % if ssl:
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
@ -52,7 +52,7 @@ server {
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
% endif % endif
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
% if node.metadata['nginx']['use_ssl_for_all_connections']: % if ssl:
proxy_set_header X-Forwarded-Proto HTTPS; proxy_set_header X-Forwarded-Proto HTTPS;
% endif % endif
proxy_set_header X-Forwarded-Host ${domain}; proxy_set_header X-Forwarded-Host ${domain};
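Review bot: In the second hunk `X-Forwarded-Proto` is only set inside the `% if ssl:` branch, so for a vhost with ssl disabled this proxy sends no scheme header of its own and, given nginx's default of passing request headers through unchanged, the upstream would see whatever value the client supplied. Keeping the header under the proxy's control in both cases is a two-line change: `% else:` followed by `proxy_set_header X-Forwarded-Proto http;` before the `% endif`. The `ssl` template variable is not defined in these hunks; it is presumably passed in from the bundle's items file, which should be confirmed. The enclosing `server` block starts and ends outside the hunks shown.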


@ -47,12 +47,15 @@ svc_systemd = {
}, },
} }
if node.metadata['nginx']['use_ssl_for_all_connections']: # Always redirect all traffic to HTTPS, except if there is only one
# TODO rework this to support specifying a certificate instead of # vhost and this vhost has ssl disabled.
# relying on letsencrypt for the specific domain (for example to install_port80_redirect = True
# support wildcard certificates if len(node.metadata.get('nginx/vhosts', {})) == 1:
assert node.has_bundle('letsencrypt'), 'nginx needs letsencrypt' vhost_name = list(node.metadata['nginx']['vhosts'].keys())[0]
if node.metadata.get('nginx/vhosts/{}/ssl'.format(vhost_name), 'letsencrypt') == False:
install_port80_redirect = False
if install_port80_redirect:
files['/etc/nginx/sites/000-port80.conf'] = { files['/etc/nginx/sites/000-port80.conf'] = {
'source': 'port80.conf', 'source': 'port80.conf',
'triggers': { 'triggers': {
@ -88,5 +91,5 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
directories['/var/www/{}'.format(vhost)].update(config.get('webroot_config', {})) directories['/var/www/{}'.format(vhost)].update(config.get('webroot_config', {}))
if node.metadata['nginx']['use_ssl_for_all_connections']: if config.get('ssl', 'letsencrypt') == 'letsencrypt':
files['/etc/nginx/sites/{}'.format(vhost)]['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain'])) files['/etc/nginx/sites/{}'.format(vhost)]['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain']))
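Review bot: The `needs` entry added under `if config.get('ssl', 'letsencrypt') == 'letsencrypt':` in the second hunk references `action:letsencrypt_ensure-some-certificate_...`, but the commit drops the `assert node.has_bundle('letsencrypt')` that previously guaranteed that action exists; a node without the letsencrypt bundle whose vhost leaves `ssl` at its default now ends up with a dangling dependency instead of the explicit 'nginx needs letsencrypt' message. Restoring the check inside that branch keeps the failure readable: `assert node.has_bundle('letsencrypt'), 'vhost {} needs letsencrypt'.format(vhost)`. In the first hunk, `== False` on the `nginx/vhosts/{}/ssl` lookup should be `is False`, matching how the node files spell the value. The port-80 redirect is still installed whenever there is more than one vhost even if one of them has ssl disabled; whether that vhost stays reachable on port 80 then depends on how port80.conf (not shown) matches server names, which is worth stating in the comment above `install_port80_redirect = True`.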


@ -30,7 +30,6 @@ defaults = {
}, },
'nginx': { 'nginx': {
'worker_connections': 768, 'worker_connections': 768,
'use_ssl_for_all_connections': True,
}, },
} }
@ -49,16 +48,21 @@ def worker_processes(metadata):
@metadata_reactor.provides( @metadata_reactor.provides(
'letsencrypt/domains', 'letsencrypt/domains',
'letsencrypt/reload_after', 'letsencrypt/reload_after',
'nginx/vhosts',
) )
def letsencrypt(metadata): def letsencrypt(metadata):
if not node.has_bundle('letsencrypt'): if not node.has_bundle('letsencrypt'):
raise DoNotRunAgain raise DoNotRunAgain
domains = {} domains = {}
vhosts = {}
for vhost, config in metadata.get('nginx/vhosts', {}).items(): for vhost, config in metadata.get('nginx/vhosts', {}).items():
domain = config.get('domain', vhost) domain = config.get('domain', vhost)
domains[domain] = config.get('domain_aliases', set()) domains[domain] = config.get('domain_aliases', set())
vhosts[vhost] = {
'ssl': 'letsencrypt',
}
return { return {
'letsencrypt': { 'letsencrypt': {
@ -67,6 +71,9 @@ def letsencrypt(metadata):
'nginx', 'nginx',
}, },
}, },
'nginx': {
'vhosts': vhosts,
},
} }
@ -105,7 +112,7 @@ def monitoring(metadata):
for vname, vconfig in metadata.get('nginx/vhosts', {}).items(): for vname, vconfig in metadata.get('nginx/vhosts', {}).items():
domain = vconfig.get('domain', vname) domain = vconfig.get('domain', vname)
if metadata.get('nginx/use_ssl_for_all_connections'): if vconfig['ssl']:
scheme = 'https' scheme = 'https'
else: else:
scheme = 'http' scheme = 'http'
@ -118,7 +125,7 @@ def monitoring(metadata):
'vars.notification.sms': True, 'vars.notification.sms': True,
} }
if vconfig.get('check_ssl', metadata.get('nginx/use_ssl_for_all_connections')): if vconfig.get('check_ssl', vconfig['ssl']):
services['NGINX VHOST {} CERTIFICATE'.format(vname)] = { services['NGINX VHOST {} CERTIFICATE'.format(vname)] = {
'check_command': 'check_https_cert_at_url', 'check_command': 'check_https_cert_at_url',
'vars.domain': domain, 'vars.domain': domain,
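Review bot: `vconfig['ssl']` in the two `monitoring` hunks assumes every vhost carries an `ssl` key, but that key is only filled in by the `letsencrypt` reactor, which returns early via `raise DoNotRunAgain` when the node has no letsencrypt bundle; on such a node any vhost without an explicit `ssl` entry raises KeyError inside `monitoring`. Either read it with the same default the items file uses, `if vconfig.get('ssl', 'letsencrypt'):` and `if vconfig.get('check_ssl', vconfig.get('ssl', 'letsencrypt')):`, or move the `'ssl': 'letsencrypt'` default into a reactor that does not depend on the letsencrypt bundle. In the `letsencrypt` reactor, `domains[domain] = config.get('domain_aliases', set())` is still populated for every vhost, so a vhost set to `'ssl': False` presumably still has a certificate requested for its domain via `letsencrypt/domains`; guarding that line with `if config.get('ssl', 'letsencrypt') == 'letsencrypt':` would limit issuance to vhosts that use it. The body of `monitoring` starts outside the hunks shown.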


@ -22,12 +22,12 @@ nodes['home.octoprint-vielschichtigkeit'] = {
'server': '172.19.138.20:22', 'server': '172.19.138.20:22',
}, },
'nginx': { 'nginx': {
'use_ssl_for_all_connections': False,
'vhosts': { 'vhosts': {
'octoprint': { 'octoprint': {
'domain': 'vielschichtigkeit.franzi-home.kunbox.net', 'domain': 'vielschichtigkeit.franzi-home.kunbox.net',
'do_not_set_content_security_headers': True, 'do_not_set_content_security_headers': True,
'extras': True, 'extras': True,
'ssl': False,
'proxy': { 'proxy': {
'/': { '/': {
'target': 'http://[::1]:22030/', 'target': 'http://[::1]:22030/',


@ -105,10 +105,14 @@ nodes['home.router'] = {
}, },
}, },
'nginx': { 'nginx': {
'use_ssl_for_all_connections': False,
'restrict-to': { 'restrict-to': {
'172.19.136.0/22', '172.19.136.0/22',
}, },
'vhosts': {
'vnstat': {
'ssl': False,
},
},
}, },
'openvpn-client': { 'openvpn-client': {
'configs': { 'configs': {