feat: clean proxy protocol everywhere

2025-03-23 20:30:52 +01:00 · 2024-12-07 01:03:20 +01:00 · 2024-12-07 01:03:20 +01:00 · bff13e5ba9
commit bff13e5ba9
parent dd454001d1
6 changed files with 93 additions and 5 deletions
--- a/machines/core-security/default.nix
+++ b/machines/core-security/default.nix
@ -20,6 +20,7 @@
    profiles = with profiles; [
      vm-simple-network
      server
+      behind-sniproxy
    ];
    ips = {
      public.ipv4 = "82.67.34.230";
--- a/machines/gustave/pages.nix
+++ b/machines/gustave/pages.nix
@ -4,6 +4,9 @@
  config,
  ...
 }:
+let
+  allowedUpstream = "2a01:e0a:de4:a0e1:4bb5:9275:6010:e9b5/128";
+in
 {
  age.secrets."pages-settings-file".file = ../../secrets/pages-settings-file.age;

@ -39,42 +42,62 @@
    settingsFile = config.age.secrets."pages-settings-file".path;
  };

+  networking.nftables.enable = true;
+
+  # Only requests from the router must be accepted by proxy protocol listeners
+  # in order to prevent ip spoofing.
+  networking.firewall.extraInputRules = ''
+    ip6 saddr ${allowedUpstream} tcp dport 444 accept
+    ip6 saddr ${allowedUpstream} tcp dport 8110 accept
+  '';
  networking.firewall.allowedTCPPorts = [
-    444
    8010
  ];

  luj.nginx.enable = true;
  services.nginx = {
    appendHttpConfig = ''
-      set_real_ip_from 127.0.0.1;
+      set_real_ip_from ${allowedUpstream};
      real_ip_header proxy_protocol;
    '';

    defaultListen = [
+      # proxy protocol listener with ipv6, which is what is used by the sniproxy
      {
        addr = "[::]";
        port = 444;
        ssl = true;
        proxyProtocol = true;
      }
+      # used for certificate requests with let's encrypt
      {
        addr = "[::]";
        port = 80;
        ssl = false;
      }
+      # listener for ipv6 clients in private infra
+      {
+        addr = "[${config.machine.meta.ips.vpn.ipv6}]";
+        port = 443;
+        ssl = true;
+      }
+      # listener for ipv4 client in private infra
      {
        addr = config.machine.meta.ips.vpn.ipv4;
        port = 443;
        ssl = true;
      }
+      # used for certificate request with internal CA
      {
-        addr = config.machine.meta.ips.vpn.ipv4;
+        addr = "[${config.machine.meta.ips.vpn.ipv6}]";
        port = 80;
        ssl = false;
      }
    ];

+    # Listen to ipv6 packets coming from the internet, check the SNI
+    # If they are one of the declared virtualHosts, forward them to the proxy protocol listener 
+    # for that virtualHost, else forward them to the page server
    streamConfig = ''
      map $ssl_preread_server_name $sni_upstream {
        hostnames;
@ -85,7 +108,7 @@
      }

      server {
-        listen [::]:443;
+        listen [${config.machine.meta.ips.public.ipv6}]:443;
        ssl_preread on;
        proxy_pass $sni_upstream;
        proxy_protocol on;
--- a/machines/nuage/default.nix
+++ b/machines/nuage/default.nix
@ -19,6 +19,7 @@
    profiles = with profiles; [
      vm-simple-network
      server
+      behind-sniproxy
    ];
    ips = {
      public.ipv4 = "82.67.34.230";
--- a/machines/tower/default.nix
+++ b/machines/tower/default.nix
@ -19,6 +19,7 @@
    profiles = with profiles; [
      vm-simple-network
      server
+      behind-sniproxy
    ];
    ips = {
      public.ipv4 = "82.67.34.230";
--- a/modules/irc/default.nix
+++ b/modules/irc/default.nix
@ -2,7 +2,7 @@
 with lib;
 let
  cfg = config.luj.irc;
-  port = 9000;
+  port = 8349;
 in
 {

@ -19,6 +19,7 @@ in
  config = mkIf cfg.enable (mkMerge [
    {
      services.thelounge = {
+        inherit port;
        enable = true;
        public = false;
        extraConfig.fileUpload.enable = true;
--- a/profiles/behind-sniproxy.nix
+++ b/profiles/behind-sniproxy.nix
@ -0,0 +1,61 @@
+{ config, ... }:
+
+let
+  allowedUpstream = "2a01:e0a:de4:a0e1:4bb5:9275:6010:e9b5/128";
+in
+{
+  services.nginx = {
+    appendHttpConfig = ''
+      set_real_ip_from ${allowedUpstream};
+      real_ip_header proxy_protocol;
+    '';
+
+    defaultListen = [
+      # proxy protocol listener with ipv6, which is what is used by the sniproxy
+      {
+        addr = "[::]";
+        port = 444;
+        ssl = true;
+        proxyProtocol = true;
+      }
+      # regular listener with ipv6, for ipv6 clients
+      {
+        addr = "[::]";
+        port = 443;
+        ssl = true;
+      }
+      # used for certificate requests with let's encrypt
+      {
+        addr = "[::]";
+        port = 80;
+        ssl = false;
+      }
+      # listener for ipv6 clients in private infra
+      {
+        addr = "[${config.machine.meta.ips.vpn.ipv6}]";
+        port = 443;
+        ssl = true;
+      }
+      # listener for ipv4 client in private infra
+      {
+        addr = config.machine.meta.ips.vpn.ipv4;
+        port = 443;
+        ssl = true;
+      }
+      # used for certificate request with internal CA
+      {
+        addr = "[${config.machine.meta.ips.vpn.ipv6}]";
+        port = 80;
+        ssl = false;
+      }
+    ];
+  };
+
+  networking.nftables.enable = true;
+  # Only requests from the router must be accepted by proxy protocol listeners
+  # in order to prevent ip spoofing.
+  networking.firewall.extraInputRules = ''
+    ip6 saddr ${allowedUpstream} tcp dport 444 accept
+  '';
+
+}