unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity
d79a5de17b
puppet-prod/hieradata/roles/apps/media.yaml
Ben Vincent 991c8a3029 feat: haproxy updates 
- add acls for all backends
- harden security of backends
- update http-check for all backends
2024-07-07 16:51:36 +10:00

102 lines
3.3 KiB
YAML
Raw Blame History

---
hiera_include:
- profiles::nginx::simpleproxy
profiles::yum::global::repos:
ceph-reef:
name: ceph-reef
descr: ceph reef repository
target: /etc/yum.repos.d/ceph-reef.repo
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
gpgcheck: 0,
mirrorlist: absent
profiles::ceph::client::keyrings:
media:
key: "%{hiera('ceph::key::media')}"
profiles::base::groups::local:
media:
ensure: present
gid: 20000
allowdupe: false
forcelocal: true
ldap_host: 'ldap.service.consul'
ldap_basedn: 'dc=main,dc=unkin,dc=net'
profiles::nginx::simpleproxy::locations:
# authentication proxy
authproxy:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
internal: true
location: '= /auth-proxy'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888"
proxy_set_header:
- 'Content-Length ""'
- "X-Ldap-URL ldap://%{lookup('ldap_host')}"
- 'X-Ldap-Starttls "false"'
- "X-Ldap-BaseDN %{lookup('ldap_basedn')}"
- "X-Ldap-BindDN %{lookup('ldap_binddn')}"
- "X-Ldap-BindPass %{lookup('ldap_bindpass')}"
- 'X-CookieName "nginxauth"'
- 'Cookie nginxauth=$cookie_nginxauth'
- "X-Ldap-Template %{lookup('ldap_template')}"
- 'X-Ldap-Realm "Restricted"'
proxy_cache: 'cache'
proxy_cache_valid: '200 10m'
proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
location_cfg_append:
proxy_pass_request_body: 'off'
# health checks by consul/haproxy
arrstack_web_healthcheck:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '/consul/health'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
proxy_set_header:
- 'Host $host'
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
- 'X-Forwarded-Host $host'
- 'X-Forwarded-Proto $scheme'
- 'Upgrade $http_upgrade'
- 'Connection $http_connection'
proxy_redirect: 'off'
proxy_http_version: '1.1'
location_allow:
- 127.0.0.1
- "%{facts.networking.ip}"
- 198.18.13.25
- 198.18.13.26
location_deny:
- all
# authorised access from external
arrstack_web_external:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '/'
auth_request: '/auth-proxy'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
proxy_set_header:
- 'Host $host'
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
- 'X-Forwarded-Host $host'
- 'X-Forwarded-Proto $scheme'
- 'Upgrade $http_upgrade'
- 'Connection $http_connection'
proxy_redirect: 'off'
proxy_http_version: '1.1'
# location for api, which should be accessible without authentication
arrstack_api:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '~ /api'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
location_cfg_append:
client_max_body_size: '20m'
Reference in New Issue View Git Blame Copy Permalink