feat(nginx): Use proxy_protocol for sni redirection
WARNING: This alone does not work; we need to set the real IP based on http://nginx.org/en/docs/stream/ngx_stream_realip_module.html, which is not feasible right now without causing an infinite loop during eval.
parent
407f99ca95
commit
e4cc002f6f
1 changed files with 18 additions and 4 deletions
|
@ -69,19 +69,33 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
|
defaultListen = [
|
||||||
|
{
|
||||||
|
addr = "127.0.0.1";
|
||||||
|
port = 8446;
|
||||||
|
ssl = true;
|
||||||
|
proxyProtocol = true;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
addr = "0.0.0.0";
|
||||||
|
ssl = false;
|
||||||
|
}
|
||||||
|
];
|
||||||
streamConfig = ''
|
streamConfig = ''
|
||||||
map $ssl_preread_server_name $sni_upstream {
|
map $ssl_preread_server_name $sni_upstream {
|
||||||
hostnames;
|
|
||||||
default 127.0.0.1:8010;
|
default 127.0.0.1:8010;
|
||||||
${lib.concatMapStringsSep "\n" (vhost: " ${vhost} 127.0.0.1:8446;") (
|
${
|
||||||
|
lib.concatMapStringsSep "\n " (vhost: "${vhost} 127.0.0.1:8446;") (
|
||||||
lib.attrNames config.services.nginx.virtualHosts
|
lib.attrNames config.services.nginx.virtualHosts
|
||||||
)}
|
)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443;
|
listen 443;
|
||||||
ssl_preread on;
|
ssl_preread on;
|
||||||
proxy_pass $sni_upstream;
|
proxy_pass $sni_upstream;
|
||||||
|
proxy_protocol on;
|
||||||
}
|
}
|
||||||
|
|
||||||
'';
|
'';
|
||||||
|
|
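Review bot: `proxy_protocol on;` in the stream `server` block applies to every value of `$sni_upstream`, so the `default 127.0.0.1:8010` target also receives a PROXY header ahead of the TLS ClientHello. Only the new `127.0.0.1:8446` listener is shown opting in with `proxyProtocol = true`. Whatever listens on 8010 is not visible in this hunk; unless it accepts the PROXY protocol, connections for names that are not in `virtualHosts` will fail at the handshake, so either enable it there or add a second stream `server` without `proxy_protocol` for the default. Separately, requests arriving on 8446 will carry `$remote_addr` 127.0.0.1, so any vhost `allow`/`deny` rule or rate limit keyed on the client address should be checked before this is deployed.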