diff --git a/ansible/playbooks/app/site.yaml b/ansible/playbooks/app/site.yaml
index 3df2a37..9586cf7 100644
--- a/ansible/playbooks/app/site.yaml
+++ b/ansible/playbooks/app/site.yaml
@@ -153,6 +153,14 @@
 tags: ["site", "kopia"]
 tags: ["site", "kopia"]
+ - name: Set caddy
+ ansible.builtin.include_role:
+ name: "common"
+ tasks_from: "services/set_caddy"
+ apply:
+ tags: ["site", "caddy"]
+ tags: ["site", "caddy"]
+
 - name: Flush handlers right now
 ansible.builtin.meta: "flush_handlers"
diff --git a/config/node/app/nftables.conf.j2 b/config/node/app/nftables.conf.j2
index 6a33d3d..856970a 100644
--- a/config/node/app/nftables.conf.j2
+++ b/config/node/app/nftables.conf.j2
@@ -5,17 +5,27 @@ define NET4_SERVER = {{ hostvars['fw']['network4']['subnet']['server'] }}
 define NET6_SERVER = {{ hostvars['fw']['network6']['subnet']['server'] }}
 define HOSTS4_CONSOLE = { {{ hostvars['fw']['network4']['console'].values() | join(', ') }} }
 define HOSTS6_CONSOLE = { {{ hostvars['fw']['network6']['console'].values() | join(', ') }} }
+define HOSTS4_AUTH = {{ hostvars['fw']['network4']['auth']['server'] }}
+define HOSTS6_AUTH = {{ hostvars['fw']['network6']['auth']['server'] }}
 define PORTS_SSH = 22
+define PORTS_HTTP = 80
+define PORTS_HTTP_FORWARD = 2080
+define PORTS_HTTPS = 443
+define PORTS_HTTPS_FORWARD = 2443
 table inet nat {
 chain prerouting {
 type nat hook prerouting priority dstnat; policy accept;
+ tcp dport $PORTS_HTTP dnat to :$PORTS_HTTP_FORWARD comment "dnat http ports to $PORTS_HTTP_FORWARD"
+ tcp dport $PORTS_HTTPS dnat to :$PORTS_HTTPS_FORWARD comment "dnat https ports to $PORTS_HTTPS_FORWARD"
 }
 chain postrouting { }
 chain output {
 type nat hook output priority dstnat; policy accept;
+ oifname "lo" tcp dport $PORTS_HTTP dnat to :$PORTS_HTTP_FORWARD comment "dnat http ports to $PORTS_HTTP_FORWARD out of LOCALHOST"
+ oifname "lo" tcp dport $PORTS_HTTPS dnat to :$PORTS_HTTPS_FORWARD comment "dnat https ports to $PORTS_HTTPS_FORWARD out of LOCALHOST"
 }
 }
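Review bot: The `oifname "lo"` DNAT rules added to the output chain redirect locally originated connections on 80/443 to 2080/2443, but the only accept rules for those forward ports that this commit adds (in the later input-chain hunk) match `ip saddr { $HOSTS4_CONSOLE, $HOSTS4_AUTH }` / `ip6 saddr { ... }`, and a loopback-routed packet presumably carries the host's own address, so unless the input chain already holds an `iifname "lo" accept` rule outside these hunks the redirected local traffic is dropped. Confirm such a rule exists, or add one ahead of the saddr rules, e.g. `iifname "lo" accept comment "allow loopback"`. The prerouting DNAT rewrites every inbound packet on 80/443 regardless of source, which is only safe because the input chain later checks `ct original proto-dst`; a comment on the DNAT lines recording that dependency, e.g. `# rewritten ports are only accepted in inet filter input when ct original proto-dst matches`, keeps the two halves from drifting apart. `HOSTS4_AUTH`/`HOSTS6_AUTH` each hold one address while the `HOSTS*_CONSOLE` defines are sets; a singular name or a `{ }` set would make the naming consistent.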
@@ -28,6 +38,10 @@ table inet filter {
 meta l4proto { icmp, icmpv6 } accept comment "allow icmp connection"
 ip saddr $HOSTS4_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv4 ssh connection: CONSOLE > APP"
 ip6 saddr $HOSTS6_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv6 ssh connection: CONSOLE > APP"
+ ip saddr { $HOSTS4_CONSOLE, $HOSTS4_AUTH } tcp dport $PORTS_HTTP_FORWARD ct original proto-dst $PORTS_HTTP accept comment "allow ipv4 http connection: CONSOLE, AUTH > APP"
+ ip6 saddr { $HOSTS6_CONSOLE, $HOSTS6_AUTH } tcp dport $PORTS_HTTP_FORWARD ct original proto-dst $PORTS_HTTP accept comment "allow ipv6 http connection: CONSOLE, AUTH > APP"
+ ip saddr { $HOSTS4_CONSOLE, $HOSTS4_AUTH } tcp dport $PORTS_HTTPS_FORWARD ct original proto-dst $PORTS_HTTPS accept comment "allow ipv4 https connection: CONSOLE, AUTH > APP"
+ ip6 saddr { $HOSTS6_CONSOLE, $HOSTS6_AUTH } tcp dport $PORTS_HTTPS_FORWARD ct original proto-dst $PORTS_HTTPS accept comment "allow ipv6 https connection: CONSOLE, AUTH > APP"
 }
 chain forward {
 type filter hook forward priority 0; policy drop;
diff --git a/config/services/containers/common/caddy/etc/app/Caddyfile.j2 b/config/services/containers/common/caddy/etc/app/Caddyfile.j2
new file mode 100644
index 0000000..5d90279
--- /dev/null
+++ b/config/services/containers/common/caddy/etc/app/Caddyfile.j2
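Review bot: The four new accept rules rely on `ct original proto-dst $PORTS_HTTP` / `$PORTS_HTTPS` without saying why, and that clause is the security-relevant part: it admits 2080/2443 only for connections that were rewritten by the 80/443 DNAT in the nat chains, so a client that connects to 2080 or 2443 directly still hits the drop policy. A comment above the block would preserve that intent for the next editor, e.g. `# forward ports are only accepted for connections that arrived via the 80/443 DNAT in inet nat; direct connections to 2080/2443 stay dropped`. The inline `comment` strings name the peers but not this property, so a reader of `nft list ruleset` cannot tell the clause is load-bearing. The enclosing input chain starts outside the hunk.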
@@ -0,0 +1,30 @@
+{
+ servers {
+ # Only accept packets from auth main caddy
+ trusted_proxies static {{ hostvars['fw']['network4']['auth']['server'] }} {{ hostvars['fw']['network6']['auth']['server'] }}
+ }
+}
+# Private TLS ACME with DNS-01-challenge
+(private_tls) {
+ tls {
+ issuer acme {
+ dir https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}/acme/acme@ilnmors.internal/directory
+ dns rfc2136 {
+ server {{ infra_uri['bind']['domain'] }}:{{ infra_uri['bind']['ports']['dns'] }}
+ key_name acme-key
+ key_alg hmac-sha256
+ key "{file./run/secrets/CADDY_ACME_KEY}"
+ }
+ }
+ }
+}
+
+app.ilnmors.internal {
+ import private_tls
+ metrics
+}
+test.app.ilnmors.internal {
+ import private_tls
+ root * /usr/share/caddy
+ file_server
+}
diff --git a/config/services/containers/common/caddy/etc/auth/Caddyfile.j2 b/config/services/containers/common/caddy/etc/auth/Caddyfile.j2
index a140f9a..cef72bb 100644
--- a/config/services/containers/common/caddy/etc/auth/Caddyfile.j2
+++ b/config/services/containers/common/caddy/etc/auth/Caddyfile.j2
@@ -54,6 +54,15 @@ test.ilnmors.com {
 file_server
 }
 }
+test.app.ilnmors.com {
+ import crowdsec_log
+ route {
+ crowdsec
+ reverse_proxy https://test.app.ilnmors.internal {
+ header_up Host {http.reverse_proxy.upstream.host}
+ }
+ }
+}
 # Internal domain
 auth.ilnmors.internal {
diff --git a/config/services/containers/infra/ca/config/ca.json.j2 b/config/services/containers/infra/ca/config/ca.json.j2
index ce14d1a..47b839f 100644
--- a/config/services/containers/infra/ca/config/ca.json.j2
+++ b/config/services/containers/infra/ca/config/ca.json.j2
@@ -22,7 +22,8 @@
 "allow": {
 "dns": [
 "ilnmors.internal",
- "*.ilnmors.internal"
+ "*.ilnmors.internal",
+ "*.app.ilnmors.internal"
 ]
 },
 "allowWildcardNames": true
diff --git a/docs/services/common/caddy.md b/docs/services/common/caddy.md
index b945f22..16028ef 100644
--- a/docs/services/common/caddy.md
+++ b/docs/services/common/caddy.md
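Review bot: The comment `# Only accept packets from auth main caddy` above `trusted_proxies static …` overstates what the directive does: `trusted_proxies` only decides whose `X-Forwarded-*` headers Caddy believes, it does not reject requests from other sources, and the real source restriction for this host lives in the nftables input rules in the same commit. Reword it to something like `# Trust X-Forwarded-* headers only from the auth caddy; source filtering is enforced by nftables, not here`. Separately, `app.ilnmors.internal` declares `metrics` with no matcher, so every path on that host is answered by the Prometheus metrics handler — fine if the vhost is metrics-only, otherwise scope it with `metrics /metrics`. Reading the TSIG key through `{file./run/secrets/CADDY_ACME_KEY}` instead of inlining it is the right choice and is worth a one-line comment so nobody "simplifies" it later.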
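Review bot: `reverse_proxy https://test.app.ilnmors.internal` makes Caddy verify the upstream certificate, and that certificate is issued by the private ACME CA configured in the new app Caddyfile, so the handshake fails unless the auth container trusts that CA root — nothing in this diff shows that it does. If the root is not already in the container's trust store, pin it on the transport inside the `reverse_proxy` block, e.g. `transport http { tls_trust_pool file <path-to-ca-root.pem> }` (placeholder path), rather than falling back to `tls_insecure_skip_verify`. `header_up Host {http.reverse_proxy.upstream.host}` pairs with the app side reading `X-Forwarded-Host`, but that contract is implicit; a comment such as `# Host must be the upstream name for its TLS cert/vhost; the original host is passed in X-Forwarded-Host` would make it visible. The enclosing file continues past the hunk.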
@@ -28,17 +28,23 @@ test.ilnmors.com
 import crowdsec_log
 route {
 crowdsec
- reverse_proxy https://test.app.ilnmors.internal
+ reverse_proxy https://test.app.ilnmors.internal {
+ header_up Host {http.reverse_proxy.upstream.host}
+ }
 }
 }
 # App server
+{
+ servers {
+ trusted_proxies static {{ hostvars['fw']['network4']['auth']['server'] }} {{ hostvars['fw']['network6']['auth']['server'] }}
+ }
+}
 test.app.ilnmors.internal {
 import internal_tls
- trusted_proxies {{ hostvars['fw']['network4']['auth']['server'] }} {{ hostvars['fw']['network6']['auth']['server'] }}
 route {
 reverse_proxy host.containers.internal:3000 {
- header_up Host {header.X-Forwarded-Host} {Host}
+ header_up Host {http.request.header.X-Forwarded-Host}
 }
 }
 }