-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
containers_web: switch to apache proxy
* replaces nginx container * gitea uses http/1.1 only, due to go-gitea/gitea#19265 * vaultwarden admin uses oidc sso
- Loading branch information
Showing
18 changed files
with
148 additions
and
210 deletions.
There are no files selected for viewing
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
RemoteIPHeader X-Forwarded-For | ||
RemoteIPTrustedProxy 10.88.0.0/24 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
<VirtualHost *:443> | ||
ServerName gitea.chrisx.xyz | ||
SSLEngine on | ||
SSLCertificateFile /etc/ssl/chrisx.xyz/fullchain.pem | ||
SSLCertificateKeyFile /etc/ssl/chrisx.xyz/privkey.pem | ||
|
||
Header always set Referrer-Policy "no-referrer" | ||
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" | ||
Header always set X-Content-Type-Options "nosniff" | ||
Header always set X-Robots-Tag "none" | ||
Header always set X-XSS-Protection "1; mode=block" | ||
|
||
AllowEncodedSlashes NoDecode | ||
|
||
ProxyPass /robots.txt ! | ||
ProxyPass / http://127.0.0.1:53000/ | ||
ProxyPassReverse / http://127.0.0.1:53000/ | ||
ProxyPreserveHost On | ||
ProxyRequests off | ||
RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME} | ||
|
||
ErrorLog /var/log/httpd/gitea_error_log | ||
CustomLog /var/log/httpd/gitea_access_log combined | ||
</VirtualHost> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
<VirtualHost *:443> | ||
ServerName sso.chrisx.xyz | ||
SSLEngine on | ||
SSLCertificateFile /etc/ssl/chrisx.xyz/fullchain.pem | ||
SSLCertificateKeyFile /etc/ssl/chrisx.xyz/privkey.pem | ||
Protocols h2 http/1.1 | ||
|
||
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" | ||
|
||
AliasMatch "^/resources/.+/login/keycloak/img/favicon.ico$" /var/www/html/favicon.ico | ||
RedirectMatch 404 "^/$" | ||
|
||
ProxyPassMatch "^/$" ! | ||
ProxyPassMatch "^/resources/.+/login/keycloak/img/favicon.ico$" ! | ||
ProxyPass / http://127.0.0.1:58080/ | ||
ProxyPassReverse / http://127.0.0.1:58080/ | ||
ProxyPreserveHost On | ||
RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME} | ||
|
||
ErrorLog /var/log/httpd/sso_error_log | ||
CustomLog /var/log/httpd/sso_access_log combined | ||
</VirtualHost> |
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
- name: Copy favicon | ||
ansible.builtin.copy: | ||
src: favicon.ico | ||
dest: /var/www/html | ||
mode: 0644 | ||
|
||
- name: Generate new OIDC crypto password | ||
ansible.builtin.set_fact: | ||
oidc_crypto: "{{ lookup('password', '/dev/null length=64') }}" | ||
- name: Copy vaultwarden site config | ||
ansible.builtin.template: | ||
src: vaultwarden.conf.j2 | ||
dest: /etc/httpd/conf.d/vaultwarden.conf | ||
mode: 0640 | ||
- name: Copy Apache site config | ||
ansible.builtin.copy: | ||
src: httpd/conf.d | ||
dest: /etc/httpd | ||
mode: 0640 | ||
|
||
- name: Copy chrisx ssl certs | ||
ansible.builtin.import_role: | ||
name: sslcert | ||
tasks_from: chrisx.yml | ||
|
||
- name: Configure SELinux httpd_can_network_connect | ||
ansible.posix.seboolean: | ||
name: httpd_can_network_connect | ||
persistent: true | ||
state: true | ||
|
||
- name: Restart httpd | ||
ansible.builtin.systemd: | ||
name: httpd | ||
state: restarted |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
<VirtualHost *:443> | ||
ServerName vaultwarden.chrisx.xyz | ||
SSLEngine on | ||
SSLCertificateFile /etc/ssl/chrisx.xyz/fullchain.pem | ||
SSLCertificateKeyFile /etc/ssl/chrisx.xyz/privkey.pem | ||
Protocols h2 http/1.1 | ||
|
||
Header unset Referrer-Policy | ||
Header unset X-XSS-Protection | ||
Header always set Referrer-Policy "no-referrer" | ||
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" | ||
Header always set X-Robots-Tag "none" | ||
Header always set X-XSS-Protection "1 mode=block" | ||
|
||
ProxyPass /admin/logout ! | ||
ProxyPass /robots.txt ! | ||
ProxyPass / http://127.0.0.1:58288/ | ||
ProxyPassReverse / http://127.0.0.1:58288/ | ||
ProxyPreserveHost On | ||
RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME} | ||
|
||
RewriteEngine on | ||
RewriteCond %{HTTP:Upgrade} =websocket [NC] | ||
RewriteRule /notifications/hub(.*) ws://127.0.0.1:53012/$1 [P,L] | ||
Redirect 302 /admin/logout /admin/openid-connect?logout= | ||
|
||
ErrorLog /var/log/httpd/vaultwarden_error_log | ||
CustomLog /var/log/httpd/vaultwarden_access_log combined | ||
|
||
OIDCClientID vaultwarden.chrisx.xyz | ||
OIDCClientSecret {{ vaultwarden_client_secret }} | ||
OIDCPassClaimsAs none | ||
OIDCProviderMetadataURL https://sso.chrisx.xyz/realms/chrisx/.well-known/openid-configuration | ||
OIDCRedirectURI https://vaultwarden.chrisx.xyz/admin/openid-connect | ||
OIDCScope openid | ||
OIDCSessionInactivityTimeout 3600 | ||
OIDCStateMaxNumberOfCookies 2 true | ||
OIDCCryptoPassphrase {{ oidc_crypto }} | ||
|
||
<Location "/admin/openid-connect"> | ||
AuthType openid-connect | ||
Require valid-user | ||
</Location> | ||
|
||
<Location "/admin"> | ||
AuthType openid-connect | ||
Require claim roles:admin | ||
</Location> | ||
</VirtualHost> |
Oops, something went wrong.