feat: move listen 443 to strem to enable true ssl passthrough

2025-12-06 05:41:35 +01:00 · 2024-02-21 12:20:51 +00:00
parent 860bd22f7a
commit ba86d5c482
4 changed files with 44 additions and 2 deletions
--- a/nginx.py
+++ b/nginx.py
@@ -26,6 +26,26 @@ def dump_config(vmList, masterAddress):
            [ f.write(c) for c in vmo.dumpIptables(remove=True)]

    with open("/etc/nginx/stream_include.conf", "w") as f:
+        
+        # ssl passthrough/no-terminate #
+        ssl_passthrough_map = []
+        for vmo in vmList:
+            relevant_subdomains = filter(lambda x: x.get("no-terminate-ssl"), vmo.subdomains)
+            for s in relevant_subdomains:
+                print(s)
+                # build the map contents #
+                if s.get("include-subdomains"):
+                    match = "~.*{}".format(s.get("name"))
+                else:
+                    match = s.get("name")
+
+                ssl_passthrough_map.append("{} {}:443;".format(match, vmo.ip))
+
+        environment = jinja2.Environment(loader=jinja2.FileSystemLoader(searchpath="./templates"))
+        template = environment.get_template("nginx_stream_ssl_map.conf.j2")
+        f.write(template.render(ssl_passthrough_map=ssl_passthrough_map))
+
+
        for vmo in vmList:
            [ f.write(c) for c in vmo.dumpStreamComponents()]
        for vmo in set(vmList):
--- a/templates/nginx_server_block.conf.j2
+++ b/templates/nginx_server_block.conf.j2
@@ -2,8 +2,8 @@ server{

    # {{ comment }}
    
-    listen 443 ssl;
-    listen [::]:443 ssl;
+    listen 10443 ssl;
+    listen [::]:10443 ssl;

    {% if servernames %}server_name{% for s in servernames %} {{ s }}{% endfor %};{% endif %}

--- a/templates/nginx_stream_ssl_map.conf.j2
+++ b/templates/nginx_stream_ssl_map.conf.j2
@@ -0,0 +1,18 @@
+map $ssl_preread_server_name $proxy_name {
+    default 127.0.0.1:10443;
+    {% for line in ssl_passthrough_map %}
+    {{ line }}
+    {% endfor %}
+}
+
+server {
+
+    listen 443 ;
+    listen [::]:443 ;
+
+    proxy_timeout 5m;
+    proxy_responses 1;
+    ssl_preread on;
+    proxy_pass $proxy_name;
+    
+}
--- a/vm.py
+++ b/vm.py
@@ -129,6 +129,10 @@ class VM:

        for subdomain in self.subdomains:

+            if subdomain.get("no-terminate-ssl"):
+                print("Not terminating TLS for: {}".format(subdomain))
+                continue
+
            if type(subdomain) != dict:
                raise ValueError("Subdomain must be object containing 'name' ")