
proxy: thin layer on top of enough-nginx

keep-around/d49101982f08526b40a5f41683a53ca2274729bc
Loïc Dachary 3 months ago
parent
commit
d49101982f
Signed by: dachary GPG Key ID: 992D23B392F9E4F2
  1. 6
      docs/release-notes.rst
  2. 25
      docs/services/website.rst
  3. 8
      inventory/group_vars/proxy-service-group.yml
  4. 8
      inventory/services.yml
  5. 2
      playbooks/enough-nginx/roles/enough-nginx/tasks/enough-nginx.yml
  6. 2
      playbooks/website/conftest.py
  7. 28
      playbooks/website/inventory/ca.crt
  8. 2
      playbooks/website/inventory/host_vars/proxy-host/ca.yml
  9. 4
      playbooks/website/inventory/services.yml
  10. 8
      playbooks/website/inventory/test-hosts.yml
  11. 2
      playbooks/website/playbook.yml
  12. 34
      playbooks/website/proxy-playbook.yml
  13. 10
      playbooks/website/proxy-test-playbook.yml
  14. 27
      playbooks/website/roles/proxy/defaults/main.yml
  15. 2
      playbooks/website/roles/proxy/tasks/main.yml
  16. 35
      playbooks/website/roles/proxy/tasks/proxy.yml
  17. 3
      playbooks/website/tests/test_icinga.py

6
docs/release-notes.rst

@ -1,6 +1,12 @@
Release Notes
=============
2.1.28
------
* Add the `proxy` role to the `website` playbook to help define reverse proxies
linking OpenStack and libvirt services.
2.1.27
------

25
docs/services/website.rst

@ -1,7 +1,7 @@
Hugo
====
Website
=======
`Hugo <https://gohugo.io/>`__ is available at `www.example.com` and is documented in `this file
A `Hugo <https://gohugo.io/>`__ static website is available at `www.example.com` and is documented in `this file
<https://lab.enough.community/main/infrastructure/blob/master/playbooks/website/roles/website/defaults/main.yml>`__
and can be modified in the
`~/.enough/example.com/inventory/group_vars/website-service-group.yml`
@ -12,3 +12,22 @@ The service is created on the host specified by the `--host` argument:
.. code::
$ enough --domain example.com service create --host website-host website
Reverse proxy
-------------
The nginx based website can be configured as a reverse proxy with a
playbook like the following:
.. code::
- name: reverse proxy for website
hosts: proxy-service-group
become: true
roles:
- role: proxy
vars:
website_proxy_name: "public.example.com"
website_proxy_backend: "behind.proxy.other.com"
website_proxy_monitor_string: "Behind"

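--- /dev/null
+++ b/inventory/group_vars/proxy-service-group.yml
@@ -0,0 +1,8 @@
+---
+#
+######################################################
+#
+# Path to the CA that must be installed for the proxy
+# to be able to access the backend server securely.
+#
+website_proxy_ca: "{{ certificate_local_directory }}/lan.crt"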

8
inventory/services.yml

@ -119,6 +119,14 @@ website-service-hosts:
website-service-group:
essential-service-group:
proxy-service-group:
hosts: {}
proxy-service-hosts:
children:
proxy-service-group:
essential-service-group:
api-service-group:
hosts: {}

2
playbooks/enough-nginx/roles/enough-nginx/tasks/enough-nginx.yml

@ -15,7 +15,7 @@
echo -n {{ enough_nginx_reverse_proxy }}
else
set $(echo {{ enough_nginx_reverse_proxy }} | sed -e 's/:/ /')
if getent hosts $1 ; then
if getent hosts $1 > /dev/null ; then
echo -n {{ enough_nginx_reverse_proxy }}
else
docker inspect -f {{ '"{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}"' }} $1 | tr -d '\n'
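Review bot: `$1` is still unquoted in the changed `getent hosts $1 > /dev/null` line; it comes from `{{ enough_nginx_reverse_proxy }}` being split on `:` by the `set $(echo ... | sed ...)` line just above, so a value containing whitespace or glob characters would be word-split and globbed a second time here. `if getent hosts "$1" > /dev/null ; then` is the safe form and costs nothing. The shell snippet this line belongs to starts and ends outside the hunk, so whether its output is captured straight into the nginx configuration cannot be checked from here.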

2
playbooks/website/conftest.py

@ -3,7 +3,7 @@ def pytest_addoption(parser):
"--enough-hosts",
action="store",
default="bind-host,website-host",
default="bind-host,website-host,proxy-host",
help="list of hosts"
)
parser.addoption(

28
playbooks/website/inventory/ca.crt

@ -0,0 +1,28 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

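--- /dev/null
+++ b/playbooks/website/inventory/host_vars/proxy-host/ca.yml
@@ -0,0 +1,2 @@
+---
+website_proxy_ca: inventory/ca.crt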

4
playbooks/website/inventory/services.yml

@ -6,3 +6,7 @@ icinga-service-group:
website-service-group:
hosts:
website-host:
proxy-service-group:
hosts:
proxy-host:

8
playbooks/website/inventory/test-hosts.yml

@ -0,0 +1,8 @@
---
all-hosts:
hosts:
proxy-host:
firewall_web_server_group:
hosts:
proxy-host:

2
playbooks/website/playbook.yml

@ -7,3 +7,5 @@
- import_playbook: ../bind/bind-client-playbook.yml
- import_playbook: ../icinga/icinga-playbook.yml
- import_playbook: website-playbook.yml
- import_playbook: proxy-playbook.yml
- import_playbook: proxy-test-playbook.yml

34
playbooks/website/proxy-playbook.yml

@ -0,0 +1,34 @@
---
- name: firewall for web
hosts: localhost
gather_facts: false
tasks:
- include_role:
name: firewall
vars:
firewall_server: "{{ item }}"
firewall_clients: [ 0.0.0.0/0 ]
firewall_protocols: [ tcp ]
firewall_ports: [ 80, 443 ]
when: hostvars[item].ansible_host is defined
with_items: "{{ groups['proxy-service-group'] | default([]) }}"
- name: install proxy root CA
hosts: proxy-service-group
become: true
pre_tasks:
- name: mkdir -p /usr/local/share/ca-certificates/infrastructure
file:
path: /usr/local/share/ca-certificates/infrastructure
state: directory
- name: install proxy CA
copy:
src: "{{ website_proxy_ca }}"
dest: /usr/local/share/ca-certificates/infrastructure/proxy-ca.crt
- name: update-ca-certificates
command: update-ca-certificates --fresh
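Review bot: The `install proxy CA` task drops the backend CA into the system trust store, so every TLS client on the proxy host (apt, curl, Python, Ansible itself) will trust that private CA, not only nginx's upstream connection; if the CA is only meant for the proxy hop, scoping it with nginx's `proxy_ssl_trusted_certificate` (together with `proxy_ssl_verify on;` and `proxy_ssl_name`) in the enough-nginx role keeps the blast radius to that vhost. Note also that nginx does not verify upstream certificates unless `proxy_ssl_verify on` is set, so unless the enough-nginx role enables it (not visible in this commit) the installed CA does not actually authenticate the backend. Separately, `update-ca-certificates --fresh` runs on every play; register the copy task and add `when: proxy_ca.changed` (or move the command to a handler) so the play is idempotent. A comment above the copy task would make the trade-off explicit: `# Trusted system-wide: affects every TLS client on this host, not just nginx`.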

10
playbooks/website/proxy-test-playbook.yml

@ -0,0 +1,10 @@
- name: reverse proxy for website
hosts: proxy-service-group
become: true
roles:
- role: proxy
vars:
website_proxy_name: "theproxy"
website_proxy_backend: "{{ domain }}"
website_proxy_monitor_string: "nginx"

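--- /dev/null
+++ b/playbooks/website/roles/proxy/defaults/main.yml
@@ -0,0 +1,27 @@
+---
+#
+######################################################
+#
+# Public name that will be reverse proxy
+# as {{ website_proxy_name }}.{{ domain }}
+#
+#website_proxy_name:
+#
+######################################################
+#
+# FQDN of the backend to reverse proxy {{ website_proxy_name }}
+#
+#website_proxy_backend:
+#
+######################################################
+#
+# CA necessary to interact with {{ website_proxy_backend }}
+#
+#website_proxy_ca:
+#
+######################################################
+#
+# String found in the backend website that should be monitored
+# in the public website to verify the proxy actually works.
+#
+#website_proxy_monitor_string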
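Review bot: The last placeholder is written `#website_proxy_monitor_string` without the trailing colon the other three carry (`#website_proxy_ca:`), so the file's own convention breaks on the one variable the role actually reads in `proxy.yml`; use `#website_proxy_monitor_string:`. Since all four entries are commented out, none of them has a default and `proxy.yml` fails with an undefined-variable error unless the caller sets `website_proxy_name`, `website_proxy_backend` and `website_proxy_monitor_string`; a header line such as `# The variables below have no default and must be set by the caller.` would make that explicit. Also worth noting in the `website_proxy_ca` comment that it is consumed by `proxy-playbook.yml`, not by the role's tasks, so readers do not look for it in `proxy.yml`.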

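--- /dev/null
+++ b/playbooks/website/roles/proxy/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+- import_tasks: proxy.yml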

35
playbooks/website/roles/proxy/tasks/proxy.yml

@ -0,0 +1,35 @@
---
- name: set CNAME
nsupdate:
server: "127.0.0.1"
zone: "{{ domain }}"
record: "{{ website_proxy_name }}.{{ domain }}."
ttl: 1800
type: CNAME
value: "{{ groups['proxy-service-group'][0] }}.{{ domain }}."
delegate_to: "{{ item }}"
loop: "{{groups['bind-service-group']}}"
- name: setup the reverse proxy
import_role:
name: enough-nginx
vars:
enough_nginx_reverse_proxy: "{{ website_proxy_backend }}"
enough_nginx_fqdn: "{{ website_proxy_name }}.{{ domain }}"
- name: setup the certificate
import_role:
name: certificate
vars:
certificate_fqdn: "{{ website_proxy_name }}.{{ domain }}"
certificate_installer: nginx
- name: monitor the public website
import_role:
name: monitor_http_vhost
vars:
http_vhost_https: true
http_vhost_name: "Proxy {{ website_proxy_name }}"
http_vhost_fqdn: "{{ website_proxy_name }}.{{ domain }}"
http_vhost_uri: "/"
http_vhost_string: "{{ website_proxy_monitor_string }}"
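Review bot: The `set CNAME` task points `{{ website_proxy_name }}.{{ domain }}` at `groups['proxy-service-group'][0]` while the play runs on every host of that group, so if a second proxy host is ever added the name never resolves to it, yet the `certificate` role imported below still requests a certificate for that name from the second host, which fails validation and leaves that host half-configured. Either guard the CNAME and certificate steps with `run_once: true`, or add an `assert` that `groups['proxy-service-group'] | length == 1` until multi-host proxies are supported. Also `enough_nginx_reverse_proxy` receives the bare `website_proxy_backend` FQDN with no scheme; whether the upstream hop is plaintext or TLS is decided inside the enough-nginx role and is not visible here, so a one-line comment, `# NOTE: the scheme of the upstream hop is chosen by enough-nginx, not here`, would stop readers assuming the CA installed by proxy-playbook.yml implies HTTPS.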

3
playbooks/website/tests/test_icinga.py

@ -16,3 +16,6 @@ class TestChecks(IcingaHelper):
website.update(testinfra.get_host('ansible://website-host',
ansible_inventory=self.inventory))
assert self.is_service_ok('website-host!Website')
def test_proxy_host(self):
assert 'proxy-host' in self.get_hosts(host='proxy-host')
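Review bot: `test_proxy_host` only checks that the host is registered in Icinga, not that the `monitor_http_vhost` check added by the proxy role is actually green, unlike `test_website_host` just above which asserts `website-host!Website` is OK. The test playbook sets `website_proxy_name: "theproxy"` and the role names the vhost check `Proxy {{ website_proxy_name }}`, so, assuming the monitor role registers the service under `http_vhost_name` the same way the website role does, the test should also `assert self.is_service_ok('proxy-host!Proxy theproxy')`. Without that assertion a proxy that resolves but serves the wrong backend still passes the suite. `test_website_host` begins outside the hunk.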