feat: nginx handle mTLS in global configuration or in specific location
M0NsTeRRR committed Feb 20, 2024
1 parent 8757de1 commit b382eef
Showing 5 changed files with 28 additions and 2 deletions.
2 changes: 2 additions & 0 deletions ansible/group_vars/all/all.yml
Expand Up @@ -12,6 +12,8 @@ node_exporter_ca_filename: "ca.crt"
node_exporter_cert_filename: "{{ inventory_hostname }}-fullchain.crt"
node_exporter_key_filename: "{{ inventory_hostname }}.key"

nginx_local_path_ca_certificate: "{{ ca_certificates_local_path_ca_certificate }}"

kubernetes_localhost_kubeconfig_path: "{{ lookup('env', 'HOME') }}/.kube/homelab"
kubernetes_vip_url: "kubernetes.unicornafk.fr"
kubernetes_homelab_ca_config_map: "homelab-ca"
4 changes: 4 additions & 0 deletions ansible/group_vars/dns/all.yml
Expand Up @@ -246,6 +246,7 @@ powerdns_authoritative_records:

nginx_configuration:
- server_name: "{{ hostvars[inventory_hostname].hostname[:-1] }}"
ssl_verify_client: optional
additional_server_name:
- "{{ ansible_default_ipv4.address }}"
- "{{ ansible_default_ipv6.address }}"
Expand All @@ -254,10 +255,13 @@ nginx_configuration:
proxy_pass: http://127.0.0.1:8081/api
- location: /auth/metrics
proxy_pass: http://127.0.0.1:8081/metrics
ssl_client_verify: true
- location: /rec/metrics
proxy_pass: http://127.0.0.1:8082/metrics
ssl_client_verify: true
- location: /dnsdist/metrics
proxy_pass: http://127.0.0.1:8083/metrics
ssl_client_verify: true
enable_content_security: true
http_redirection: false
ssl_port: 9443
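Review bot: The location-level key `ssl_client_verify` used on the `/auth/metrics`, `/rec/metrics` and `/dnsdist/metrics` entries and the server-level key `ssl_verify_client` differ only by word order, and the template only acts on a location key spelled exactly `ssl_client_verify`, so a transposed spelling on a metrics location is silently ignored and that endpoint is served with no client-certificate check at all. That is a fail-open typo; a distinct name for the location key, such as `require_client_cert: true`, would make the two settings hard to confuse. The location guard also only has effect when the server sets `ssl_verify_client: optional` (or `on`), because with nginx's default `off` the `$ssl_client_verify` variable never becomes SUCCESS and every guarded location returns 403; that coupling is worth a comment next to `ssl_verify_client: optional`.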
3 changes: 3 additions & 0 deletions ansible/roles/nginx/defaults/main.yml
Expand Up @@ -3,6 +3,7 @@
nginx_package_state: latest
# nginx_cryptography_version:
nginx_cryptography_package_state: latest
nginx_local_path_ca_certificate: /tmp/nginx
nginx_venv: "/tmp/venv_nginx"
nginx_acme_local_folder: ""
nginx_configuration: []
Expand All @@ -12,9 +13,11 @@ nginx_auth_basic: {}
# nginx_configuration:
# - server_name: "{{ inventory_hostname }}"
# # optional
# ssl_verify_client: optional
# additional_server_name:
# - "192.168.0.1"
# - location: /
# ssl_client_verify: true
# proxy_pass: "http://127.0.0.1:8080"
# proxy_headers:
# X-Server-URL: https://$server_name/
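Review bot: The `# optional` comment above `ssl_verify_client: optional` in the example block does not say what the key does or which values it accepts, and the location-level `ssl_client_verify: true` in the same example is not explained at all. I would replace the comment with `# ssl_verify_client: value of the nginx directive (on | off | optional | optional_no_ca); with "optional" individual locations can require a verified client certificate via ssl_client_verify: true, which returns 403 otherwise` and add `# ssl_client_verify: require a verified client certificate for this location (needs ssl_verify_client above)` to the location. In the first hunk the new default `nginx_local_path_ca_certificate: /tmp/nginx` reads as a directory, while the tasks file uses it as the controller-side source file copied to `ca.crt`; a value such as `""` with the task skipped when empty, or at least a comment stating it must point at a PEM CA file, would avoid a misleading default.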
9 changes: 9 additions & 0 deletions ansible/roles/nginx/tasks/main.yml
Expand Up @@ -64,6 +64,15 @@
- /var/www/html
notify: Restart nginx

- name: Add CA cert
ansible.builtin.copy:
src: "{{ nginx_local_path_ca_certificate }}"
dest: "/etc/nginx/ssl/ca.crt"
owner: nginx
group: nginx
mode: "0640"
notify: Restart nginx

- name: Configure default nginx configuration
ansible.builtin.copy:
src: nginx.conf
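Review bot: The `Add CA cert` task runs unconditionally, so every host applying the role needs a readable CA file at `nginx_local_path_ca_certificate` on the controller even when no server enables client verification, and with the role default of `/tmp/nginx` `ansible.builtin.copy` will likely fail or, if that path happens to be a directory, copy its contents under `/etc/nginx/ssl/ca.crt` instead of installing a file. Guarding it with `when: nginx_local_path_ca_certificate | length > 0` (and an empty-string default), or with a condition on any `nginx_configuration` entry defining `ssl_verify_client`, keeps the role usable for hosts without mTLS. A malformed file currently only surfaces when the notified restart fails, so adding `validate: "openssl x509 -in %s -noout"` to the copy (where openssl is available on the target) rejects it before the handler runs. Whether `/etc/nginx/ssl` is created earlier in the task list is outside the hunk.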
12 changes: 10 additions & 2 deletions ansible/roles/nginx/templates/site.conf.j2
Expand Up @@ -5,14 +5,20 @@ server {

server_name {{ item.server_name }}{% if item.additional_server_name is defined %}, {% for additional_server_name in item.additional_server_name %}{{ additional_server_name }}{% if not loop.last %}, {% endif %}{% endfor %}{% endif %};

ssl_client_certificate /etc/nginx/ssl/ca.crt;
ssl_certificate /etc/nginx/ssl/{{ item.server_name }}-fullchain.crt;
ssl_certificate_key /etc/nginx/ssl/{{ item.server_name }}.key;
{% if item.ssl_verify_client %}
ssl_verify_client {{ item.ssl_verify_client }};
{% endif %}

add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
{% if item.enable_content_security %}add_header Content-Security-Policy "default-src 'self'" always;{% endif %}
{% if item.enable_content_security %}
add_header Content-Security-Policy "default-src 'self'" always;
{% endif %}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()";
add_header X-Permitted-Cross-Domain-Policies "none" always;
Expand All @@ -21,12 +27,14 @@ server {
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Set-Cookie "Path=/; HttpOnly; Secure";


access_log /var/log/nginx/{{ item.server_name }}.access.log;
error_log /var/log/nginx/{{ item.server_name }}.error.log warn;

{% for location in item.locations %}
location {{ location.location }} {
{% if location.ssl_client_verify is defined and location.ssl_client_verify %}
if ($ssl_client_verify != "SUCCESS") { return 403; }
{% endif %}
{% if location.proxy_pass is defined %}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
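Review bot: `{% if item.ssl_verify_client %}` in the server block tests the key's truthiness without an `is defined` check, unlike the `item.additional_server_name is defined` test above it and the `location.ssl_client_verify is defined and ...` test in the location loop; under Ansible's undefined-variable handling an `nginx_configuration` entry that omits `ssl_verify_client` is likely to abort templating with an undefined-attribute error rather than skip the directive. Change it to `{% if item.ssl_verify_client is defined %}`. `ssl_client_certificate /etc/nginx/ssl/ca.crt;` is now emitted for every server, so the file must be present on every host even when verification is off. The `if ($ssl_client_verify != "SUCCESS") { return 403; }` guard is the safe form of nginx `if` (a bare `return`) and fails closed when the server leaves `ssl_verify_client` unset, which is worth a one-line comment in the template. The `server {` block starts before the hunk.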