sheppy/athq-vm-management
1
0
Fork 0
mirror of https://github.com/FAUSheppy/athq-vm-management synced 2025-12-06 05:41:35 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat: move listen 443 to strem to enable true ssl passthrough

Browse Source
This commit is contained in:
Johnathen Sheppard
2024-02-21 12:20:51 +00:00
parent 860bd22f7a
commit ba86d5c482
4 changed files with 44 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
nginx.py
View File

@@ -26,6 +26,26 @@ def dump_config(vmList, masterAddress):
[ f.write(c) for c in vmo.dumpIptables(remove=True)] [ f.write(c) for c in vmo.dumpIptables(remove=True)]
with open("/etc/nginx/stream_include.conf", "w") as f: with open("/etc/nginx/stream_include.conf", "w") as f:
# ssl passthrough/no-terminate #
ssl_passthrough_map = []
for vmo in vmList:
relevant_subdomains = filter(lambda x: x.get("no-terminate-ssl"), vmo.subdomains)
for s in relevant_subdomains:
print(s)
# build the map contents #
if s.get("include-subdomains"):
match = "~.*{}".format(s.get("name"))
else:
match = s.get("name")
ssl_passthrough_map.append("{} {}:443;".format(match, vmo.ip))
environment = jinja2.Environment(loader=jinja2.FileSystemLoader(searchpath="./templates"))
template = environment.get_template("nginx_stream_ssl_map.conf.j2")
f.write(template.render(ssl_passthrough_map=ssl_passthrough_map))
for vmo in vmList: for vmo in vmList:
[ f.write(c) for c in vmo.dumpStreamComponents()] [ f.write(c) for c in vmo.dumpStreamComponents()]
for vmo in set(vmList): for vmo in set(vmList):

4
templates/nginx_server_block.conf.j2
View File

@@ -2,8 +2,8 @@ server{
# {{ comment }} # {{ comment }}
listen 443 ssl; listen 10443 ssl;
listen [::]:443 ssl; listen [::]:10443 ssl;
{% if servernames %}server_name{% for s in servernames %} {{ s }}{% endfor %};{% endif %} {% if servernames %}server_name{% for s in servernames %} {{ s }}{% endfor %};{% endif %}

18
templates/nginx_stream_ssl_map.conf.j2 Normal file
View File

@@ -0,0 +1,18 @@
map $ssl_preread_server_name $proxy_name {
default 127.0.0.1:10443;
{% for line in ssl_passthrough_map %}
{{ line }}
{% endfor %}
}
server {
listen 443 ;
listen [::]:443 ;
proxy_timeout 5m;
proxy_responses 1;
ssl_preread on;
proxy_pass $proxy_name;
}

4
vm.py
View File

@@ -129,6 +129,10 @@ class VM:
for subdomain in self.subdomains: for subdomain in self.subdomains:
if subdomain.get("no-terminate-ssl"):
print("Not terminating TLS for: {}".format(subdomain))
continue
if type(subdomain) != dict: if type(subdomain) != dict:
raise ValueError("Subdomain must be object containing 'name' ") raise ValueError("Subdomain must be object containing 'name' ")