From 247a2486a24854a075a165a6c1559a095de6cfe8 Mon Sep 17 00:00:00 2001
From: Matthieu Saulnier
Date: Sat, 20 Oct 2018 23:33:33 +0200
Subject: Initial reverseproxy role

---
 .gitignore | 1 +
 reverseproxy.yml | 5 +
 .../reverseproxy/files/caddy-reverse-proxy.service | 15 +++
 roles/reverseproxy/files/containercleaning.sh | 3 +
 roles/reverseproxy/files/index.html | 132 +++++++++++++++++++++
 roles/reverseproxy/handlers/main.yml | 1 +
 roles/reverseproxy/handlers/systemd.yml | 2 +
 roles/reverseproxy/tasks/config.yml | 26 ++++
 roles/reverseproxy/tasks/dirs.yml | 23 ++++
 roles/reverseproxy/tasks/fw.yml | 10 ++
 roles/reverseproxy/tasks/main.yml | 3 +
 roles/reverseproxy/templates/Caddyfile.j2 | 81 +++++++++++++
 roles/reverseproxy/vars/main.yml | 45 +++++++
 site.yml | 1 +
 14 files changed, 348 insertions(+)
 create mode 100644 reverseproxy.yml
 create mode 100644 roles/reverseproxy/files/caddy-reverse-proxy.service
 create mode 100644 roles/reverseproxy/files/containercleaning.sh
 create mode 100644 roles/reverseproxy/files/index.html
 create mode 100644 roles/reverseproxy/handlers/main.yml
 create mode 100644 roles/reverseproxy/handlers/systemd.yml
 create mode 100644 roles/reverseproxy/tasks/config.yml
 create mode 100644 roles/reverseproxy/tasks/dirs.yml
 create mode 100644 roles/reverseproxy/tasks/fw.yml
 create mode 100644 roles/reverseproxy/tasks/main.yml
 create mode 100644 roles/reverseproxy/templates/Caddyfile.j2
 create mode 100644 roles/reverseproxy/vars/main.yml
diff --git a/.gitignore b/.gitignore
index 4c2957f..0e19a9e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,5 @@ roles/dnsserver/templates/keys.j2
 roles/torrelay/templates/keys.j2
 roles/mtaserver/files/virtual
 roles/mtaserver/files/credentials
+roles/reverseproxy/vars/email.yml
 .jabbersecrets
diff --git a/reverseproxy.yml b/reverseproxy.yml
new file mode 100644
index 0000000..effbb51
--- /dev/null
+++ b/reverseproxy.yml
@@ -0,0 +1,5 @@
+- hosts: reverseproxy
+ remote_user: root
+ any_errors_fatal: true
+ roles:
+ - reverseproxy
diff --git a/roles/reverseproxy/files/caddy-reverse-proxy.service b/roles/reverseproxy/files/caddy-reverse-proxy.service
new file mode 100644
index 0000000..244aad2
--- /dev/null
+++ b/roles/reverseproxy/files/caddy-reverse-proxy.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Caddy Reverse Proxy web
+After=docker.service
+
+[Service]
+Restart=always
+ExecStart=/usr/bin/docker run -i --dns 208.67.222.222 -p 80:80 -p 443:443 \
+ -v /contener/%p/root/.caddy:/root/.caddy:Z \
+ -v /contener/%p/etc/Caddyfile:/etc/Caddyfile:Z \
+ -v /contener/%p/srv:/srv:Z \
+ docker.io/abiosoft/caddy:latest
+ExecReload=/usr/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/reverseproxy/files/containercleaning.sh b/roles/reverseproxy/files/containercleaning.sh
new file mode 100644
index 0000000..b81486e
--- /dev/null
+++ b/roles/reverseproxy/files/containercleaning.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/bash
+
+docker rm $(docker ps -a | awk '{ print $1 }')
diff --git a/roles/reverseproxy/files/index.html b/roles/reverseproxy/files/index.html
new file mode 100644
index 0000000..1b7ea03
--- /dev/null
+++ b/roles/reverseproxy/files/index.html
@@ -0,0 +1,132 @@ + + + + + Test Page for the Apache HTTP Server on Fedora + + + + + 
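Review bot: `ExecStart` pulls `docker.io/abiosoft/caddy:latest` by floating tag, so under `Restart=always` any restart may silently run a different image than the one that was reviewed; pin it, e.g. `docker.io/abiosoft/caddy:<PINNED_TAG>@sha256:<DIGEST>` (placeholder values), so the deployed proxy is reproducible and auditable. The run line also lacks `--rm` and `--name %p`, so every restart leaves a dead container behind — which is what containercleaning.sh in this same commit exists to clean up; `docker run -i --rm --name %p ...` removes the need for that script. `After=docker.service` alone only orders the unit; adding `Requires=docker.service` next to it ensures it is not started while the daemon is down. The hard-coded `--dns 208.67.222.222` bypasses the host resolver and deserves a one-line comment in the unit saying why.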
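Review bot: `docker ps -a | awk '{ print $1 }'` includes the header row, so `docker rm` is always handed the literal word `CONTAINER` and errors, and it also attempts to remove running containers (the proxy itself included), which fails noisily; use `docker ps -aq --filter status=exited | xargs -r docker rm` so only stopped containers are targeted and an empty result is a no-op. The script has no `set -eu`, so a failure is not surfaced to whatever schedules it. It also removes every exited container on the host, not only this role's — if that is intended, a comment saying so would spare the next reader a surprise.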

Fedora Test Page

+ +
+
+

This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page, it means that the web server installed at this site is working properly, but has not yet been configured.

+
+
+ +
+
+

If you are a member of the general public:

+ +

The fact that you are seeing this page indicates that the website you just visited is either experiencing problems, or is undergoing routine maintenance.

+ +

If you would like to let the administrators of this website know that you've seen this page instead of the page you expected, you should send them e-mail. In general, mail sent to the name "webmaster" and directed to the website's domain should reach the appropriate person.

+ +

For example, if you experienced problems while visiting www.example.com, you should send e-mail to "webmaster@example.com".

+ +

Fedora is a distribution of Linux, a popular computer operating system. It is commonly used by hosting companies because it is free, and includes free web server software. Many times, they do not set up their web server correctly, and it displays this "test page" instead of the expected website.

+ +

Accordingly, please keep these facts in mind:

+
    +
  • Neither the Fedora Project or Red Hat has any affiliation with any website or content hosted from this server (unless otherwise explicitly stated).
  • +
  • Neither the Fedora Project or Red Hat has "hacked" this webserver, this test page is an included component of Apache's httpd webserver software.
  • +
+ +

For more information about Fedora, please visit the Fedora Project website.

+
+
+ +
+

If you are the website administrator:

+ +

You may now add content to the directory /var/www/html/. Note that until you do so, people visiting your website will see this page, and not your content. To prevent this page from ever being used, follow the instructions in the file /etc/httpd/conf.d/welcome.conf.

+ +
+

You are free to use the images below on Apache and Fedora powered HTTP servers. Thanks for using Apache and Fedora!

+ +

[ Powered by Apache ] [ Powered by Fedora ]

+
+
+
+
+ + + 
diff --git a/roles/reverseproxy/handlers/main.yml b/roles/reverseproxy/handlers/main.yml
new file mode 100644
index 0000000..8db0dde
--- /dev/null
+++ b/roles/reverseproxy/handlers/main.yml
@@ -0,0 +1 @@
+- import_tasks: systemd.yml
diff --git a/roles/reverseproxy/handlers/systemd.yml b/roles/reverseproxy/handlers/systemd.yml
new file mode 100644
index 0000000..d81fdba
--- /dev/null
+++ b/roles/reverseproxy/handlers/systemd.yml
@@ -0,0 +1,2 @@
+- name: reload systemd
+ command: /usr/bin/systemctl --system daemon-reload
diff --git a/roles/reverseproxy/tasks/config.yml b/roles/reverseproxy/tasks/config.yml
new file mode 100644
index 0000000..a6ecfec
--- /dev/null
+++ b/roles/reverseproxy/tasks/config.yml
@@ -0,0 +1,26 @@
+- name: Installation des unités systemd
+ copy:
+ src: caddy-reverse-proxy.service
+ dest: /etc/systemd/system/
+ mode: 0644
+ notify: reload systemd
+
+- name: Installation de la page web statique
+ copy:
+ src: index.html
+ dest: /contener/caddy-reverse-proxy/srv
+ mode: 0644
+
+- name: Installation du script de nettoyage des containers inactifs
+ copy:
+ src: containercleaning.sh
+ dest: /usr/local/bin/containercleaning
+ mode: 0755
+
+- name: Configuration du reverse proxy
+ template:
+ src: Caddyfile.j2
+ dest: /contener/caddy-reverse-proxy/etc/Caddyfile
+ owner: root
+ group: root
+ mode: 0644
diff --git a/roles/reverseproxy/tasks/dirs.yml b/roles/reverseproxy/tasks/dirs.yml
new file mode 100644
index 0000000..39f4789
--- /dev/null
+++ b/roles/reverseproxy/tasks/dirs.yml
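Review bot: Nothing in this hunk (or elsewhere in the role) enables or starts `caddy-reverse-proxy`, and the Caddyfile template task notifies nothing, so a changed unit or Caddyfile is written to disk but never applied; add `notify: restart caddy-reverse-proxy` to the template task with a matching handler, and a final task using the `systemd` module with `name: caddy-reverse-proxy`, `enabled: true`, `state: started` and `daemon_reload: true` (the last of which would also replace the `command:` shell-out in handlers/systemd.yml). The `mode: 0644` / `mode: 0755` values are unquoted octal literals; they happen to parse correctly, but ansible-lint flags them and `mode: "0644"` is the unambiguous spelling — the same applies to the four `mode:` lines in tasks/dirs.yml.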
@@ -0,0 +1,23 @@
+- name: Création du répertoire racine
+ file:
+ path: /contener/caddy-reverse-proxy
+ state: directory
+ mode: 0700
+
+- name: Création du répertoire etc
+ file:
+ path: /contener/caddy-reverse-proxy/etc
+ state: directory
+ mode: 0755
+
+- name: Création du répertoire root
+ file:
+ path: /contener/caddy-reverse-proxy/root
+ state: directory
+ mode: 0755
+
+- name: Création du répertoire srv
+ file:
+ path: /contener/caddy-reverse-proxy/srv
+ state: directory
+ mode: 0755
diff --git a/roles/reverseproxy/tasks/fw.yml b/roles/reverseproxy/tasks/fw.yml
new file mode 100644
index 0000000..0636c9f
--- /dev/null
+++ b/roles/reverseproxy/tasks/fw.yml
@@ -0,0 +1,10 @@
+- name: Ouverture des ports Firewalld
+ firewalld:
+ service: {{ item }}
+ permanent: yes
+ immediate: yes
+ state: enabled
+ with_items:
+ - http
+ - https
+ when: ansible_distribution == "Fedora"
diff --git a/roles/reverseproxy/tasks/main.yml b/roles/reverseproxy/tasks/main.yml
new file mode 100644
index 0000000..dd880d6
--- /dev/null
+++ b/roles/reverseproxy/tasks/main.yml
@@ -0,0 +1,3 @@
+- import_tasks: dirs.yml
+- import_tasks: config.yml
+- import_tasks: fw.yml
diff --git a/roles/reverseproxy/templates/Caddyfile.j2 b/roles/reverseproxy/templates/Caddyfile.j2
new file mode 100644
index 0000000..86ce98c
--- /dev/null
+++ b/roles/reverseproxy/templates/Caddyfile.j2
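Review bot: `service: {{ item }}` in tasks/fw.yml is an unquoted Jinja expression at the start of a value, which the YAML parser reads as a flow mapping before Ansible ever templates it, so the task fails to load; write `service: "{{ item }}"`. `permanent: yes` and `immediate: yes` are YAML 1.1 truthy words — `true` is the portable spelling and what ansible-lint expects. Because of the `when: ansible_distribution == "Fedora"` guard, a non-Fedora host gets no firewall opening and silently stays unreachable on 80/443; a comment stating that Fedora is the only supported target (or a fallback task) would make that intent explicit.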
@@ -0,0 +1,81 @@
+{% for item in {{ ansible_hostname }}.static %}
+"{{ item }}" {
+ tls "{{ email }}"
+ gzip
+ log "{{ item }}_access.log" {
+ rotate_size 1
+ rotate_keep 10
+ }
+ errors "{{ item }}_error.log" {
+ rotate_size 1
+ rotate_keep 10
+ }
+}
+{% endfor %}
+{% for item in {{ ansible_hostname }}.redir %}
+"{{ item.1 }}" {
+ tls "{{ email }}"
+ gzip
+ log "{{ item.1 }}_access.log" {
+ rotate_size 1
+ rotate_keep 10
+ }
+ errors "{{ item.1 }}_error.log" {
+ rotate_size 1
+ rotate_keep 10
+ }
+ redir https://"{{ item.2 }}"{uri}
+}
+
+{% if outdoor is defined %}
+{% for item in public.static %}
+"{{ item }}" {
+ tls "{{ email }}"
+ gzip
+ log "{{ item }}_access.log" {
+ rotate_size 1
+ rotate_keep 10
+ }
+ errors "{{ item }}_error.log" {
+ rotate_size 1
+ rotate_keep 10
+ }
+}
+{% endfor %}
+
+{% for item in public.redir %}
+"{{ item.1 }}" {
+ tls "{{ email }}"
+ gzip
+ log "{{ item.1 }}_access.log" {
+ rotate_size 1
+ rotate_keep 10
+ }
+ errors "{{ item.1 }}_error.log" {
+ rotate_size 1
+ rotate_keep 10
+ }
+ redir https://"{{ item.2 }}"{uri}
+}
+{% endfor %}
+
+{% for item in public.reverse %}
+"{{ item }}" {
+ tls "{{ email }}"
+ gzip
+ log "{{ item }}_access.log" {
+ rotate_size 1
+ rotate_keep 10
+ }
+ errors "{{ item }}_error.log" {
+ rotate_size 1
+ rotate_keep 10
+ }
+ proxy / https://"{{ backendhost }}":"{{ backendport }}" {
+ transparent
+ insecure_skip_verify
+ max_fails 60
+ }
+}
+{% endfor %}
+{% endif %}
diff --git a/roles/reverseproxy/vars/main.yml b/roles/reverseproxy/vars/main.yml
new file mode 100644
index 0000000..88da4fe
--- /dev/null
+++ b/roles/reverseproxy/vars/main.yml
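Review bot: The template cannot render as written: `{% for item in {{ ansible_hostname }}.static %}` nests `{{ }}` inside a statement tag, which is a Jinja syntax error, and the second loop (`... .redir %}`) is never closed with `{% endfor %}` before `{% if outdoor is defined %}`. The intent appears to be a lookup of the variable named after the host, which is `{% for item in vars[ansible_hostname].static %}` (likewise `.redir`), and that only works if each host block in vars/main.yml is a mapping with `static`/`redir`/`reverse` keys rather than the list of single-key mappings this commit defines there. Jinja sequences are zero-indexed, so `item.1`/`item.2` on the two-element redir pairs use the target as the site name and leave the redirect target undefined (empty); the pairs are `item.0`/`item.1`. The quotes inside `redir https://"{{ item.2 }}"{uri}` and `proxy / https://"{{ backendhost }}":"{{ backendport }}"` appear to be emitted literally into the URL token, so they should be dropped. `insecure_skip_verify` turns off certificate verification toward the backend, so the proxy will trust any host answering on `backendhost:backendport`; if the backend presents a self-signed certificate, say so in a comment next to the directive, otherwise remove it.
```jinja
{% for item in vars[ansible_hostname].static %}
{# … unchanged: static site stanza … #}
{% endfor %}
{% for item in vars[ansible_hostname].redir %}
"{{ item.0 }}" {
  tls "{{ email }}"
  gzip
  log "{{ item.0 }}_access.log" {
    rotate_size 1
    rotate_keep 10
  }
  errors "{{ item.0 }}_error.log" {
    rotate_size 1
    rotate_keep 10
  }
  redir https://{{ item.1 }}{uri}
}
{% endfor %}
{# … unchanged: the public.static / public.redir loops, with the same item.0/item.1 and quoting fixes … #}
  proxy / https://{{ backendhost }}:{{ backendport }} {
```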
@@ -0,0 +1,45 @@
+- include_vars: email.yml
+
+backendhost: 82.247.103.117
+backendport: 4433
+
+public:
+ - static:
+ - "{{ ansible_hostname }}.casperlefantom.net"
+ - jaysfoodventure.com
+ - redir:
+ - [ 'www.casperlefantom.net', 'casperlefantom.net' ]
+ - [ 'blog.casperlefantom.net', 'casperlefantom.net' ]
+ - reverse:
+ - casperlefantom.net
+ - search.casperlefantom.net
+ - dl.casperlefantom.net
+ - cirrus.casperlefantom.net
+
+manchester:
+ - static:
+ - admin.casperlefantom.net
+ - nsa.casperlefantom.net
+ - ns1.casperlefantom.net
+ - ntp1.casperlefantom.net
+ - imap.casperlefantom.net
+ - ssl.casperlefantom.net
+ - mail.casperlefantom.net
+ - smtp.casperlefantom.net
+ - voip.casperlefantom.net
+ - jabber.casperlefantom.net
+ - conference.casperlefantom.net
+ - manchester.admin.casperlefantom.net
+ - redir:
+ - [ 'mirror.casperlefantom.net', 'mirror.casperlefantom.net:4433' ]
+ - [ 'nsa.admin.casperlefantom.net', 'nsa.admin.casperlefantom.net:4433' ]
+ - [ 'bt1.admin.casperlefantom.net', 'bt1.admin.casperlefantom.net:4433' ]
+
+sd-129211:
+ - static:
+ - ns4.casperlefantom.net
+ - nsd.casperlefantom.net
+ - ntp4.casperlefantom.net
+ - redir:
+ - [ 'nsd.admin.casperlefantom.net', 'nsd.admin.casperlefantom.net:4433' ]
+ - [ 'bt2.admin.casperlefantom.net', 'bt2.admin.casperlefantom.net:4433' ]
diff --git a/site.yml b/site.yml
index 5d09768..912c584 100644
--- a/site.yml
+++ b/site.yml
@@ -11,5 +11,6 @@
 - import_playbook: dnsserver.yml
 - import_playbook: torrelay.yml
 - import_playbook: bittorrent.yml
+- import_playbook: reverseproxy.yml
 # modules at and jabber not working
 #- import_playbook: update.yml
-- cgit
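Review bot: `- include_vars: email.yml` is a task, not a variable, and placing a sequence item ahead of the `backendhost:` mapping key makes vars/main.yml invalid YAML, so none of the role's vars load; drop the line here and add `- include_vars: email.yml` to tasks/main.yml instead (email.yml is gitignored in this commit, so a comment in the role should state which keys it must define — `email` is the one the template reads). `public`, `manchester` and `sd-129211` are written as lists of single-key mappings, while the template accesses `.static`/`.redir`/`.reverse` attributes on them, so each host block should be a mapping as shown below for `public`; the other two take the same shape. `sd-129211` is not a valid identifier, so it is only reachable via `vars['sd-129211']`, which is fine for a hostname-keyed lookup but deserves a comment stating that the top-level keys must equal `ansible_hostname`.
```yaml
public:
  static:
    - "{{ ansible_hostname }}.casperlefantom.net"
    - jaysfoodventure.com
  redir:
    - ['www.casperlefantom.net', 'casperlefantom.net']
    - ['blog.casperlefantom.net', 'casperlefantom.net']
  reverse:
    - casperlefantom.net
    - search.casperlefantom.net
    - dl.casperlefantom.net
    - cirrus.casperlefantom.net
# … unchanged: manchester and sd-129211, rewritten to the same mapping shape …
```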