Luj/snowfield
1
0
Fork 0
mirror of https://github.com/JulienMalka/snowfield.git synced 2025-03-25 21:30:52 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: clean proxy protocol everywhere

Browse source
This commit is contained in:
Julien Malka 2024-12-07 01:03:20 +01:00
parent dd454001d1
commit bff13e5ba9
Signed by: Luj
GPG key ID: 6FC74C847011FD83
6 changed files with 93 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
machines/core-security/default.nix
View file

@ -20,6 +20,7 @@
profiles = with profiles; [ profiles = with profiles; [
vm-simple-network vm-simple-network
server server
behind-sniproxy
]; ];
ips = { ips = {
public.ipv4 = "82.67.34.230"; public.ipv4 = "82.67.34.230";

31
machines/gustave/pages.nix
View file

@ -4,6 +4,9 @@
config, config,
... ...
}: }:
let
allowedUpstream = "2a01:e0a:de4:a0e1:4bb5:9275:6010:e9b5/128";
in
{ {
age.secrets."pages-settings-file".file = ../../secrets/pages-settings-file.age; age.secrets."pages-settings-file".file = ../../secrets/pages-settings-file.age;
@ -39,42 +42,62 @@
settingsFile = config.age.secrets."pages-settings-file".path; settingsFile = config.age.secrets."pages-settings-file".path;
}; };
networking.nftables.enable = true;
# Only requests from the router must be accepted by proxy protocol listeners
# in order to prevent ip spoofing.
networking.firewall.extraInputRules = ''
ip6 saddr ${allowedUpstream} tcp dport 444 accept
ip6 saddr ${allowedUpstream} tcp dport 8110 accept
'';
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
444
8010 8010
]; ];
luj.nginx.enable = true; luj.nginx.enable = true;
services.nginx = { services.nginx = {
appendHttpConfig = '' appendHttpConfig = ''
set_real_ip_from 127.0.0.1; set_real_ip_from ${allowedUpstream};
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
defaultListen = [ defaultListen = [
# proxy protocol listener with ipv6, which is what is used by the sniproxy
{ {
addr = "[::]"; addr = "[::]";
port = 444; port = 444;
ssl = true; ssl = true;
proxyProtocol = true; proxyProtocol = true;
} }
# used for certificate requests with let's encrypt
{ {
addr = "[::]"; addr = "[::]";
port = 80; port = 80;
ssl = false; ssl = false;
} }
# listener for ipv6 clients in private infra
{
addr = "[${config.machine.meta.ips.vpn.ipv6}]";
port = 443;
ssl = true;
}
# listener for ipv4 client in private infra
{ {
addr = config.machine.meta.ips.vpn.ipv4; addr = config.machine.meta.ips.vpn.ipv4;
port = 443; port = 443;
ssl = true; ssl = true;
} }
# used for certificate request with internal CA
{ {
addr = config.machine.meta.ips.vpn.ipv4; addr = "[${config.machine.meta.ips.vpn.ipv6}]";
port = 80; port = 80;
ssl = false; ssl = false;
} }
]; ];
# Listen to ipv6 packets coming from the internet, check the SNI
# If they are one of the declared virtualHosts, forward them to the proxy protocol listener
# for that virtualHost, else forward them to the page server
streamConfig = '' streamConfig = ''
map $ssl_preread_server_name $sni_upstream { map $ssl_preread_server_name $sni_upstream {
hostnames; hostnames;
@ -85,7 +108,7 @@
} }
server { server {
listen [::]:443; listen [${config.machine.meta.ips.public.ipv6}]:443;
ssl_preread on; ssl_preread on;
proxy_pass $sni_upstream; proxy_pass $sni_upstream;
proxy_protocol on; proxy_protocol on;

1
machines/nuage/default.nix
View file

@ -19,6 +19,7 @@
profiles = with profiles; [ profiles = with profiles; [
vm-simple-network vm-simple-network
server server
behind-sniproxy
]; ];
ips = { ips = {
public.ipv4 = "82.67.34.230"; public.ipv4 = "82.67.34.230";

1
machines/tower/default.nix
View file

@ -19,6 +19,7 @@
profiles = with profiles; [ profiles = with profiles; [
vm-simple-network vm-simple-network
server server
behind-sniproxy
]; ];
ips = { ips = {
public.ipv4 = "82.67.34.230"; public.ipv4 = "82.67.34.230";

3
modules/irc/default.nix
View file

@ -2,7 +2,7 @@
with lib; with lib;
let let
cfg = config.luj.irc; cfg = config.luj.irc;
port = 9000; port = 8349;
in in
{ {
@ -19,6 +19,7 @@ in
config = mkIf cfg.enable (mkMerge [ config = mkIf cfg.enable (mkMerge [
{ {
services.thelounge = { services.thelounge = {
inherit port;
enable = true; enable = true;
public = false; public = false;
extraConfig.fileUpload.enable = true; extraConfig.fileUpload.enable = true;

61
profiles/behind-sniproxy.nix Normal file
View file

@ -0,0 +1,61 @@
{ config, ... }:
let
allowedUpstream = "2a01:e0a:de4:a0e1:4bb5:9275:6010:e9b5/128";
in
{
services.nginx = {
appendHttpConfig = ''
set_real_ip_from ${allowedUpstream};
real_ip_header proxy_protocol;
'';
defaultListen = [
# proxy protocol listener with ipv6, which is what is used by the sniproxy
{
addr = "[::]";
port = 444;
ssl = true;
proxyProtocol = true;
}
# regular listener with ipv6, for ipv6 clients
{
addr = "[::]";
port = 443;
ssl = true;
}
# used for certificate requests with let's encrypt
{
addr = "[::]";
port = 80;
ssl = false;
}
# listener for ipv6 clients in private infra
{
addr = "[${config.machine.meta.ips.vpn.ipv6}]";
port = 443;
ssl = true;
}
# listener for ipv4 client in private infra
{
addr = config.machine.meta.ips.vpn.ipv4;
port = 443;
ssl = true;
}
# used for certificate request with internal CA
{
addr = "[${config.machine.meta.ips.vpn.ipv6}]";
port = 80;
ssl = false;
}
];
};
networking.nftables.enable = true;
# Only requests from the router must be accepted by proxy protocol listeners
# in order to prevent ip spoofing.
networking.firewall.extraInputRules = ''
ip6 saddr ${allowedUpstream} tcp dport 444 accept
'';
}