Merge pull request 'separate internal and external certificates from the reverse proxy' (#1) from gnunux/dataset:issue/reverseproxy_internal into main
Reviewed-on: https://cloud.silique.fr/gitea/risotto/dataset/pulls/1
This commit is contained in:
commit
bd964455ea
16 changed files with 19 additions and 45 deletions
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
|
@ -0,0 +1 @@
|
|||
__pycache__
|
|
@ -24,7 +24,7 @@
|
|||
<constraints>
|
||||
<fill name="get_chain">
|
||||
<param name="authority_cn" type="variable">revprox_client_server_domainname</param>
|
||||
<param name="authority_name">ReverseProxy</param>
|
||||
<param name="authority_name">InternalReverseProxy</param>
|
||||
<target>server_ca</target>
|
||||
</fill>
|
||||
</constraints>
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="ReverseProxy")
|
||||
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy")
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="ReverseProxy")
|
||||
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy")
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
<override/>
|
||||
</service>
|
||||
<service name="dovecot" target="multi-user">
|
||||
<file file_type="variable" source="ca_ReverseProxy.crt">revprox_ca_file</file>
|
||||
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
|
||||
<file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
|
||||
<file engine="none" source="tmpfile-dovecot.conf">/tmpfiles.d/0dovecot.conf</file>
|
||||
<file engine='none'>/etc/dovecot/conf.d/10-logging.conf</file>
|
||||
|
@ -99,7 +99,7 @@
|
|||
</check>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">tls_ca_directory</param>
|
||||
<param>ca_ReverseProxy.crt</param>
|
||||
<param>ca_InternalReverseProxy.crt</param>
|
||||
<param name="join">/</param>
|
||||
<target>revprox_ca_file</target>
|
||||
</fill>
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
%%get_chain(%%revprox_server_domainname, authority_name='InternalReverseProxy')
|
|
@ -1 +0,0 @@
|
|||
%%get_chain(%%revprox_server_domainname, authority_name='ReverseProxy')
|
|
@ -5,8 +5,7 @@
|
|||
<override engine="creole"/>
|
||||
<file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
|
||||
<file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
|
||||
<file source="ca.crt" file_type="variable" mode="600">nginx_chain_filename</file>
|
||||
<file>/etc/pki/ca-trust/source/anchors/ca_ReverseProxy.crt</file>
|
||||
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
|
||||
<file source="certificate.crt" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_certificate_filename</file>
|
||||
<file source="private.key" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_private_key_filename</file>
|
||||
</service>
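Review bot: The `<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>` line installs the internal CA into the host-wide trust store, while the only consumer visible in this PR is nginx's `proxy_ssl_trusted_certificate` (the hunk at `@ -44,7 +37,7 @@`). If that anchors directory is processed into the system bundle, every TLS client on the host will accept certificates issued by InternalReverseProxy, which is broader than the "internal backends only" role the authority is being given here; the previous ReverseProxy anchor had the same issue, so this is not new, but the split is the moment to narrow it. A narrower form is to ship the CA under an nginx-owned path, e.g. `<file mode="600">/etc/nginx/ca_InternalReverseProxy.crt</file>`, and point `proxy_ssl_trusted_certificate` at that path. The `<service name="nginx">` element starts outside the hunk.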
|
||||
|
@ -26,8 +25,6 @@
|
|||
<variable name="revprox_domainnames_all" type="domainname" description="Tous les noms de domaines" multi="True" hidden="True"/>
|
||||
<variable name='nginx_private_key_filename' type="filename" description="Private key filename" hidden='True' multi='True'/>
|
||||
<variable name='nginx_certificate_filename' type="filename" description="Certificate filename" hidden='True' multi='True'/>
|
||||
<variable name='nginx_chain_filename' type="filename" description="Chain filename" hidden='True' multi='True'/>
|
||||
<variable name='nginx_chain' type="string" description="Certificate" hidden='True' multi='True'/>
|
||||
<variable name='internal_nginx_chain' type="string" description="Certificate" hidden='True'/>
|
||||
</family>
|
||||
</variables>
|
||||
|
@ -53,22 +50,9 @@
|
|||
<param name="multi" type="boolean">True</param>
|
||||
<target>nginx_private_key_filename</target>
|
||||
</fill>
|
||||
<fill name="calc_value">
|
||||
<param>/etc/nginx/</param>
|
||||
<param type="variable">revprox_domainnames_all</param>
|
||||
<param>.ca</param>
|
||||
<param name="join"></param>
|
||||
<param name="multi" type="boolean">True</param>
|
||||
<target>nginx_chain_filename</target>
|
||||
</fill>
|
||||
<fill name="get_chain">
|
||||
<param name="authority_cn" type="variable">revprox_domainnames_all</param>
|
||||
<param name="authority_name">ReverseProxy</param>
|
||||
<target>nginx_chain</target>
|
||||
</fill>
|
||||
<fill name="get_chain">
|
||||
<param name="authority_cn" type="variable">domain_name_eth0</param>
|
||||
<param name="authority_name">ReverseProxy</param>
|
||||
<param name="authority_name">InternalReverseProxy</param>
|
||||
<target>internal_nginx_chain</target>
|
||||
</fill>
|
||||
</constraints>
|
||||
|
|
|
@ -1,5 +1 @@
|
|||
%set %%extra_domainnames = []
|
||||
%for %%idx in %%range(1, %%number_of_interfaces)
|
||||
%%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
|
||||
%end for
|
||||
%%get_certificate(%%domain_name_eth0, 'ReverseProxy', extra_domainnames=%%extra_domainnames)
|
||||
%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='ReverseProxy')
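Review bot: The new external certificate request `%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='ReverseProxy')` passes no `type`, whereas the server-certificate template changed in this same PR (`@ -1,2 +1,2 @@`, `revprox.crt`) passes `type="server"` explicitly. I cannot see `get_certificate`'s default, so this is a consistency question rather than a confirmed defect: if the default is not a server certificate, the per-domain files that end up in `nginx_certificate_filename` would carry the wrong usage. If a server type is intended, align the two calls: `%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='ReverseProxy', type='server')`. Dropping the `extra_domainnames` loop also means each domain now gets its own certificate rather than one certificate with SANs; a one-line comment in the template saying the file is rendered once per `revprox_domainnames_all` entry would make that intent clear to the next reader.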
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_private_key(%%domain_name_eth0, 'ReverseProxy')
|
||||
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='ReverseProxy')
|
||||
|
|
|
@ -6,13 +6,7 @@
|
|||
server {
|
||||
listen 80;
|
||||
server_name %%domainname;
|
||||
error_page 403 404 502 503 504 /error.html;
|
||||
|
||||
location / {
|
||||
rewrite ^(.*) https://$host$1 permanent;
|
||||
break;
|
||||
}
|
||||
# FIXME return 301 https://www.domain.com$request_uri; => https://www.nginx.com/blog/creating-nginx-rewrite-rules/
|
||||
return 301 https://www.domain.com$request_uri;
|
||||
}
|
||||
|
||||
# Configuration HTTPS %%domainname
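Review bot: The HTTP-to-HTTPS redirect now sends every request to the literal host `www.domain.com` (`return 301 https://www.domain.com$request_uri;`), which appears to have been copied verbatim from the FIXME placeholder rather than adapted; the `rewrite ^(.*) https://$host$1 permanent;` block it replaces preserved the requested host. Since this server block is rendered once per `%%domainname`, all plain-HTTP visitors of every proxied site are redirected off-site. The intended line is `return 301 https://$host$request_uri;`. This reading assumes the `return` line is on the new side and the `location /` block on the old side, which is what the hunk counts (13 old, 7 new) suggest.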
|
||||
|
@ -20,7 +14,6 @@ server {
|
|||
listen 443 ssl http2;
|
||||
ssl_certificate %%nginx_certificate_filename[%%idx];
|
||||
ssl_certificate_key %%nginx_private_key_filename[%%idx];
|
||||
ssl_client_certificate %%nginx_chain_filename[%%idx];
|
||||
server_name %%domainname;
|
||||
error_page 403 404 502 503 504 /error.html;
|
||||
location = /error.html{
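Review bot: Removing `ssl_client_certificate %%nginx_chain_filename[%%idx];` from the HTTPS server block leaves it with no client-CA reference, and whether that is safe depends on `ssl_verify_client`, which is not visible in this hunk. If `ssl_verify_client` is enabled elsewhere in this template, nginx will refuse to load the rendered configuration; if it is not, the directive was inert and the removal only drops an unused ReverseProxy chain from the external listener. Worth stating in the commit message which of the two holds, or adding `# no client-certificate verification on the public listener; backends are verified via proxy_ssl_* below` above `server_name` so the absence reads as intentional. The `server {` block begins and ends outside the hunk.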
|
||||
|
@ -44,7 +37,7 @@ server {
|
|||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Destination $dest;
|
||||
%end if
|
||||
proxy_ssl_trusted_certificate /etc/pki/ca-trust/source/anchors/ca_ReverseProxy.crt;
|
||||
proxy_ssl_trusted_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
|
||||
proxy_ssl_verify on;
|
||||
proxy_ssl_verify_depth 2;
|
||||
proxy_ssl_session_reuse on;
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
<rougail version="0.10">
|
||||
<services>
|
||||
<service name="nginx" manage="False">
|
||||
<file file_type="variable" source="ca_ReverseProxy.crt">revprox_ca_file</file>
|
||||
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
|
||||
<file file_type="variable" source="revprox.crt">revprox_cert_file</file>
|
||||
<file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_key_file</file>
|
||||
</service>
|
||||
|
@ -45,7 +45,7 @@
|
|||
</fill>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">tls_ca_directory</param>
|
||||
<param>ca_ReverseProxy.crt</param>
|
||||
<param>ca_InternalReverseProxy.crt</param>
|
||||
<param name="join">/</param>
|
||||
<target>revprox_ca_file</target>
|
||||
</fill>
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_chain(%%revprox_client_server_domainname, authority_name='ReverseProxy')
|
||||
%%get_chain(%%revprox_client_server_domainname, authority_name='InternalReverseProxy')
|
|
@ -1,2 +1,2 @@
|
|||
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='ReverseProxy', type="server")
|
||||
%%get_chain(%%revprox_client_server_domainname, 'ReverseProxy')
|
||||
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server")
|
||||
%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy')
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='ReverseProxy', type='server')
|
||||
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type='server')
|
||||
|
|