deploy webservers behind reverse proxy (added poc for headscale)

This commit is contained in:
Elizabeth Hunt 2024-01-03 14:21:07 -05:00
parent 562df598d0
commit 4fd1ae556e
9 changed files with 169 additions and 67 deletions

View File

@ -1,19 +1,2 @@
headscale_version: '0.22.3'
headscale_arch: 'amd64'
headscale_user_name: 'headscale'
headscale_user_group: '{{ headscale_user_name }}'
headscale_user_uid: '800'
headscale_user_gid: '{{ headscale_user_uid }}'
headscale_binary_path: '/usr/local/bin/headscale'
headscale_config_dir: '/etc/headscale'
headscale_var_data_dir: '/var/lib/headscale'
headscale_pid_dir: '/var/run/headscale'
headscale_directories:
- '{{ headscale_config_dir }}'
- '{{ headscale_var_data_dir }}'
- '{{ headscale_pid_dir }}'
---
headscale_users: ['simponic']
headscale_enable_routes: []
headscale_exit_nodes: []

View File

@ -0,0 +1,2 @@
---
letsencrypt_email: 'elizabeth.hunt@simponic.xyz'

View File

@ -31,6 +31,12 @@
group: root
mode: 0700
- name: ensure headscale users
shell: |
docker exec headscale headscale user create "{{ item }}"
with_items:
- "{{ headscale_users }}"
- name: daemon-reload and enable headscale
ansible.builtin.systemd_service:
state: restarted

View File

View File

@ -0,0 +1,26 @@
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

View File

@ -1,48 +0,0 @@
server {
server_name headscale.simponic.xyz;
location /web {
proxy_pass https://127.0.0.1:9443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $server_name;
proxy_redirect http:// https://;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
}
location / {
proxy_pass https://127.0.0.1:27896;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $server_name;
proxy_redirect http:// https://;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/headscale.simponic.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/headscale.simponic.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
keepalive_timeout 70;
}
server {
if ($host = headscale.simponic.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name headscale.simponic.xyz;
listen 80;
return 404; # managed by Certbot
}

View File

@ -0,0 +1,15 @@
server_tokens off;
server {
listen 80 default_server;
server_name headscale.simponic.xyz;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
try_files $uri $uri/ =404;
}
location / {
rewrite ^ https://headscale.simponic.xyz$request_uri? permanent;
}
}

View File

@ -0,0 +1,46 @@
server {
listen 443 ssl;
server_name headscale.simponic.xyz;
ssl_certificate /etc/letsencrypt/live/headscale.simponic.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/headscale.simponic.xyz/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/headscale.simponic.xyz/fullchain.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_prefer_server_ciphers on;
location /web {
proxy_pass https://127.0.0.1:9443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $server_name;
proxy_redirect http:// https://;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
}
location / {
proxy_pass http://127.0.0.1:27896;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $server_name;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
}
}

View File

@ -15,4 +15,76 @@
service: name=ufw state=restarted enabled=yes
- name: install nginx
apt: name=nginx status=latest
apt: name=nginx state=latest
- name: install letsencrypt
apt: name=letsencrypt state=latest
- name: create letsencrypt directory
file: name=/var/www/letsencrypt state=directory
- name: remove default nginx
file: name=/etc/nginx/sites-enabled/default state=absent
- name: generate dhparams
shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
args:
creates: /etc/nginx/dhparams.pem
- name: add system nginx config
template:
src: ../files/nginx.conf
dest: /etc/nginx/nginx.conf
- name: copy http nginx configuration for each domain
copy:
src: "{{ item }}"
dest: "/etc/nginx/sites-enabled/"
with_fileglob:
- "files/{{ inventory_hostname }}/http.*.conf"
- name: restart nginx to get letsencrypt certificate
service: name=nginx state=restarted enabled=yes
- name: find deployed domains
ansible.builtin.find:
paths: "/etc/nginx/sites-enabled/"
patterns: "http.*.conf"
register: nginx_conf_files
delegate_to: "{{ inventory_hostname }}"
- name: extract domains from deployed nginx configurations
shell: |
grep -oP 'server_name\s+\K[^;]+' "{{ item.path }}"
loop: "{{ nginx_conf_files.files }}"
register: extracted_domains
- name: request letsencrypt certificate
shell: >
letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} \
--agree-tos -d {{ item.stdout }}
args:
creates: "/etc/letsencrypt/live/{{ item.stdout }}"
loop: "{{ extracted_domains.results }}"
when: item.stdout != ""
- name: copy https nginx configuration for each domain
copy:
src: "{{ item }}"
dest: "/etc/nginx/sites-enabled/"
with_fileglob:
- "files/{{ inventory_hostname }}/https.*.conf"
- name: reload nginx to activate sites
service: name=nginx state=restarted
- name: add monthly letsencrypt cronjob for cert renewal based on hash of domain name to prevent hitting LE rate limits
cron:
name: "letsencrypt_renewal_{{ item.stdout }}"
day: "{{ '%02d' | format(1 + (item.stdout | hash('md5') | int(0, 16) % 27)) }}"
hour: "{{ (item.stdout | hash('md5') | int(0, 16) % 24 ) }}"
minute: "{{ (item.stdout | hash('md5') | int(0, 16) % 60 ) }}"
job: "letsencrypt renew --cert-name {{ item.stdout }} -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos && service nginx reload"
loop: "{{ extracted_domains.results }}"
when: item.stdout != ""