author | Elizabeth Hunt <me@liz.coffee> | 2025-05-01 23:07:54 -0700 |
---|---|---|
committer | Elizabeth Hunt <me@liz.coffee> | 2025-05-01 23:07:54 -0700 |
commit | e5bca60eb98d76b32388a98418ab6fa3e0eff357 (patch) | |
tree | 72c7bbb4f8eadb5a8885c2f23acebafca77eb8f7 /playbooks | |
parent | 83aef76c5a74269a2d15ff80722adc90b002acc1 (diff) | |
Fix real ip's from upstream proxies
Diffstat (limited to 'playbooks')
10 files changed, 40 insertions, 11 deletions
diff --git a/playbooks/roles/nginx-proxy/templates/docker-compose.yml b/playbooks/roles/nginx-proxy/templates/docker-compose.yml
index 77eda61..33b3243 100644
--- a/playbooks/roles/nginx-proxy/templates/docker-compose.yml
+++ b/playbooks/roles/nginx-proxy/templates/docker-compose.yml
@@ -25,6 +25,9 @@ services:
     environment:
       - TZ={{ timezone }}
       - DEPLOYMENT_TIME={{ deployment_time }}
+      - NO_COLOR=1
+      - LOG_JSON=true
+      - TRUST_DOWNSTREAM_PROXY=false
     networks:
       - proxy
     labels:
diff --git a/playbooks/roles/nginx-proxy/templates/toplevel.conf.d/stream.conf b/playbooks/roles/nginx-proxy/templates/toplevel.conf.d/stream.conf
index fdf1a88..3e7c125 100644
--- a/playbooks/roles/nginx-proxy/templates/toplevel.conf.d/stream.conf
+++ b/playbooks/roles/nginx-proxy/templates/toplevel.conf.d/stream.conf
@@ -1,9 +1,6 @@
 {% if not homelab_build %}
 stream {
 
-    log_format basic '$proxy_protocol_addr - [$time_local] '
-                     '$protocol $status $bytes_sent $bytes_received '
-                     '$session_time';
     upstream imaps {
         server {{ vpn_proxy_filter_container_name }}:993;
     }
diff --git a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/bin.conf b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/bin.conf
index 3c5682d..db2f957 100644
--- a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/bin.conf
+++ b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/bin.conf
@@ -3,6 +3,10 @@ server {
     server_name bin.liz.coffee;
     client_max_body_size 200M;
 
+    real_ip_header X-Forwarded-For;
+    real_ip_recursive on;
+    set_real_ip_from {{ docker_network }};
+
     location / {
         proxy_pass https://{{ loadbalancer_ip }};
         proxy_ssl_verify off;
@@ -10,7 +14,6 @@ server {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
     }
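Review bot: `TRUST_DOWNSTREAM_PROXY=false` is the security-relevant line of this hunk and should carry a comment so nobody flips it back to the image default of `true`; I would put above it `# internet-facing hop: ignore client-supplied X-Forwarded-* headers (nginx-proxy defaults to trusting them)`. That this container really is the first hop is inferred from the outbound role's changes in the same commit rather than visible here, so if a PROXY-protocol or CDN hop sits in front, say so in the comment — in that topology `false` would discard the only source of real client addresses. `NO_COLOR=1` and `LOG_JSON=true` are logging cosmetics and need no note.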
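Review bot: `set_real_ip_from {{ docker_network }}` trusts a whole CIDR for `X-Forwarded-For`, so any container on that Docker network can rewrite `$remote_addr` for this vhost; if only one upstream hop legitimately sends the header, narrow it to that container's address. The same three directives are pasted into six `conf.d` files — `real_ip_header`, `real_ip_recursive` and `set_real_ip_from` are all valid in the `http` context, so one shared snippet outside any `server {}` (e.g. `conf.d/00-real-ip.conf`, assuming `conf.d` is included at `http` level as in the stock image) would govern every vhost and cannot drift. Direct internet clients hitting this `listen 80` block are outside the trusted range and keep their own `$remote_addr`, which is the intended outcome.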
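Review bot: Dropping `proxy_set_header X-Forwarded-Proto $scheme;` does not keep the header away from the upstream — nginx forwards request headers it does not itself set, so a client-supplied `X-Forwarded-Proto` (and `X-Forwarded-Host`/`X-Forwarded-Port`) now passes through verbatim, and if this hop's address is inside `homelab_network` the traefik hunk in this commit makes traefik trust exactly those headers. Pin it instead: `proxy_set_header X-Forwarded-Proto https;` if TLS for this hostname terminates in front of this `listen 80` block (not visible here), otherwise restore `$scheme`. Likewise `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` the client sent, so a backend that reads the leftmost entry sees an attacker-chosen address; since the new real-ip directives already resolve the client into `$remote_addr`, `proxy_set_header X-Forwarded-For $remote_addr;` loses nothing and closes that gap.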
diff --git a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/idm.conf b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/idm.conf
index c85ebcf..95477b0 100644
--- a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/idm.conf
+++ b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/idm.conf
@@ -2,12 +2,15 @@ server {
     listen 80;
     server_name idm.liz.coffee;
 
+    real_ip_header X-Forwarded-For;
+    real_ip_recursive on;
+    set_real_ip_from {{ docker_network }};
+
     location / {
         proxy_pass https://{{ loadbalancer_ip }};
         proxy_ssl_verify off;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
     }
 }
diff --git a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/kanban.conf b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/kanban.conf
index b668310..e8c9458 100644
--- a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/kanban.conf
+++ b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/kanban.conf
@@ -2,12 +2,15 @@ server {
     listen 80;
     server_name kanban.liz.coffee;
 
+    real_ip_header X-Forwarded-For;
+    real_ip_recursive on;
+    set_real_ip_from {{ docker_network }};
+
     location / {
         proxy_pass https://{{ loadbalancer_ip }};
         proxy_ssl_verify off;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
     }
 }
diff --git a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/mail.conf b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/mail.conf
index c810f5a..11e2145 100644
--- a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/mail.conf
+++ b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/mail.conf
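Review bot: For the identity endpoint the forwarded-address handling carries the most weight: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to any `X-Forwarded-For` the client sent, so if the IdM upstream takes the first entry for lockout, rate-limit or audit purposes, that address is attacker-chosen even though the new `real_ip_*` directives correctly ignore the client's header for this hop's own `$remote_addr`. Because `$remote_addr` is already the resolved client after `real_ip_header`, `proxy_set_header X-Forwarded-For $remote_addr;` loses nothing and removes the forgeable prefix. Whether the IdM honours `X-Forwarded-For` at all, and whether traefik's new `trustedIPs` range covers this proxy, are not visible from this hunk — worth confirming before relying on the real-IP chain for auth throttling.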
@@ -1,6 +1,11 @@
 server {
     listen 80;
     server_name mail.liz.coffee;
+
+    real_ip_header X-Forwarded-For;
+    real_ip_recursive on;
+    set_real_ip_from {{ docker_network }};
+
     location / {
         proxy_pass https://{{ loadbalancer_ip }};
         proxy_ssl_verify off;
@@ -8,7 +13,6 @@ server {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
     }
diff --git a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/notes.conf b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/notes.conf
index f7937dd..c38b948 100644
--- a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/notes.conf
+++ b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/notes.conf
@@ -2,12 +2,15 @@ server {
     listen 80;
     server_name notes.liz.coffee;
 
+    real_ip_header X-Forwarded-For;
+    real_ip_recursive on;
+    set_real_ip_from {{ docker_network }};
+
     location / {
         proxy_pass https://{{ loadbalancer_ip }};
         proxy_ssl_verify off;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
     }
 }
diff --git a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/src.conf b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/src.conf
index ad24e23..b786eac 100644
--- a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/src.conf
+++ b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/src.conf
@@ -1,6 +1,11 @@
 server {
     listen 80;
     server_name src.liz.coffee;
+
+    real_ip_header X-Forwarded-For;
+    real_ip_recursive on;
+    set_real_ip_from {{ docker_network }};
+
     location / {
         proxy_pass https://{{ loadbalancer_ip }};
         proxy_ssl_verify off;
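Review bot: A webmail backend typically decides cookie `Secure` flags and redirect targets from `X-Forwarded-Proto`, and after this hunk that header is whatever the client chose to send, since nginx passes through request headers it does not set and the vhost no longer overrides it. On a `listen 80` block `$scheme` was always `http` while the upstream is `https://{{ loadbalancer_ip }}`, which is presumably why it was dropped, but the fix is to pin rather than omit: `proxy_set_header X-Forwarded-Proto https;` if TLS terminates ahead of this block, `$scheme` otherwise. The same applies to the `@@ -8,7 +13,6 @@` hunk of this file and to the other five vhosts in this commit.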
@@ -8,7 +13,6 @@ server {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
     }
diff --git a/playbooks/roles/src/templates/stacks/docker-compose.yml b/playbooks/roles/src/templates/stacks/docker-compose.yml
index 4ffd1ef..344dfc5 100644
--- a/playbooks/roles/src/templates/stacks/docker-compose.yml
+++ b/playbooks/roles/src/templates/stacks/docker-compose.yml
@@ -7,11 +7,16 @@ services:
       - "2222:2222"
     environment:
       - TZ={{ timezone }}
-      - DEPLOYMENT_TIME={{ now() }}
+      - DEPLOYMENT_TIME={{ deployment_time }}
       - SOFT_SERVE_NAME={{ src_domain }}
+      - SOFT_SERVE_SSH_LISTEN_ADDR=:2222
+      - SOFT_SERVE_HTTP_LISTEN_ADDR=:8000
+      - SOFT_SERVE_STATS_LISTEN_ADDR=:8001
       - SOFT_SERVE_HTTP_PUBLIC_URL=https://{{ src_domain }}
       - SOFT_SERVE_SSH_PUBLIC_URL=ssh://{{ src_domain }}:2222
       - SOFT_SERVE_INITIAL_ADMIN_KEYS={{ src_admin_keys }}
+      - SOFT_SERVE_GIT_MAX_CONNECTIONS=20
+      - SOFT_SERVE_LOG_FORMAT=json
     networks:
       - proxy
     healthcheck:
@@ -36,7 +41,7 @@ services:
       - traefik.http.routers.src.tls.certResolver=letsencrypt
      - traefik.http.routers.src.rule=Host(`{{ src_domain }}`)
      - traefik.http.routers.src.entrypoints=websecure
-      - traefik.http.services.src.loadbalancer.server.port=23232
+      - traefik.http.services.src.loadbalancer.server.port=8000
 
 networks:
   proxy:
diff --git a/playbooks/roles/traefik/templates/stacks/traefik.yml b/playbooks/roles/traefik/templates/stacks/traefik.yml
index ceeb0cb..98c333e 100644
--- a/playbooks/roles/traefik/templates/stacks/traefik.yml
+++ b/playbooks/roles/traefik/templates/stacks/traefik.yml
@@ -16,6 +16,10 @@ entryPoints:
           scheme: https
   websecure:
     address: ":443"
+    forwardedHeaders:
+      trustedIPs:
+        - "{{ homelab_network }}"
+
 serversTransport:
   insecureSkipVerify: true
 providers:
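Review bot: `SOFT_SERVE_STATS_LISTEN_ADDR=:8001` binds the stats endpoint on every interface of the container, and the service is attached to the shared `proxy` network, so any other container on that network can read it; unless something is meant to scrape it, bind it to loopback with `SOFT_SERVE_STATS_LISTEN_ADDR=127.0.0.1:8001`. The `port=8000` label in the second hunk agrees with `SOFT_SERVE_HTTP_LISTEN_ADDR=:8000`, and `"2222:2222"` stays the only host-published port, which is the right shape. A one-line comment on the three `*_LISTEN_ADDR` entries saying they are reachable only on the Docker network (HTTP via traefik, SSH via the published port) would save the next reader from checking.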
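Review bot: `trustedIPs: - "{{ homelab_network }}"` trusts `X-Forwarded-*` from the entire homelab range, so any host on that network — not just the outbound proxy — can forge the client address and scheme that every service behind `websecure` sees. Narrow it to the address of the hop that actually fronts the internet (e.g. the outbound proxy's VPN address as a `/32`), keeping it in a variable next to `homelab_network` so it is revisited when the topology changes; which address that is cannot be determined from this hunk. `forwardedHeaders` here applies only to `websecure`, so the `web` entrypoint, which from the context lines only redirects to `https`, keeps the default untrusted handling — that is the safer direction and needs no change.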