From 2b1df931cbfab06234993686865f9b75664e7618 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Wed, 13 Mar 2024 09:38:35 -0700
Subject: [PATCH] feat(idp): ssl pre-read
---
 nixos/access/freeipa.nix | 104 +++++++++++++++++++++++++++---------
 nixos/access/freepbx.nix | 6 +--
 nixos/access/kitchencam.nix | 4 +-
 systems/hakurei/nixos.nix | 1 +
 tf/cloudflare_records.tf | 1 +
 5 files changed, 86 insertions(+), 30 deletions(-)
diff --git a/nixos/access/freeipa.nix b/nixos/access/freeipa.nix
index 69f18c74..0f38927c 100644
--- a/nixos/access/freeipa.nix
+++ b/nixos/access/freeipa.nix
@@ -6,12 +6,13 @@
 }:
 let
 inherit (lib.options) mkOption mkEnableOption;
- inherit (lib.modules) mkBefore mkIf mkDefault;
+ inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
 inherit (lib.strings) optionalString concatStringsSep;
 inherit (config.services) tailscale;
- inherit (config.services.nginx) virtualHosts;
- access = config.services.nginx.access.freeipa;
- inherit (config.services.nginx.access) ldap;
+ inherit (config.services) nginx;
+ inherit (nginx) virtualHosts;
+ access = nginx.access.freeipa;
+ inherit (nginx.access) ldap;
 extraConfig = ''
 ssl_verify_client optional_no_ca;
 '';
@@ -28,6 +29,16 @@ let
 proxy_set_header X-Forwarded-Server $host;
 proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
 proxy_redirect https://${domain}/ $scheme://$host/;
+
+ set $x_referer $http_referer;
+ if ($x_referer ~ "^https://([^/]*)/(.*)$") {
+ set $x_referer_host $1;
+ set $x_referer_path $2;
+ }
+ if ($x_referer_host = $host) {
+ set $x_referer "https://${domain}/$x_referer_path";
+ }
+ proxy_set_header Referer $x_referer;
 '';
 };
 };
@@ -44,6 +55,15 @@ in {
 host = mkOption {
 type = str;
 };
+ preread = {
+ enable = mkEnableOption "ssl preread" // {
+ default = true;
+ };
+ port = mkOption {
+ type = port;
+ default = 444;
+ };
+ };
 kerberos = {
 enable = mkEnableOption "proxy kerberos" // {
 default = true;
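Review bot: In the added Referer rewrite, `$x_referer_host` and `$x_referer_path` are assigned only inside the first `if`, so any request whose Referer does not match `^https://([^/]*)/(.*)$` (no Referer at all, a bare `https://host` with no trailing slash) reaches `if ($x_referer_host = $host)` with an uninitialized variable; nginx treats it as empty but emits an "using uninitialized variable" warning for each such request. Initialise both before the match, `set $x_referer_host ""; set $x_referer_path "";`. The host capture `[^/]*` also keeps a `:port` suffix while `$host` never carries one, so a Referer with an explicit port silently skips the rewrite; a one-line comment saying why the Referer is rewritten to `https://${domain}/…` (presumably the upstream compares it against its own name) would help the next reader. The enclosing `locations` attribute starts outside the hunk.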
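Review bot: The new `preread.enable` and `preread.port` options carry no `description`, and the label "ssl preread" does not tell a reader that enabling it moves the HTTP server's TLS listener off :443 (a later hunk in this file sets `defaultSSLListenPort` to `preread.port` and lets a stream server take :443). Suggested wording for `enable`: "route :443 by SNI in the stream module, passing FreeIPA's own names straight to the backend and everything else to the local HTTP server"; for `port`: "local port the HTTP server's TLS listener moves to while preread owns :443". The enclosing options set starts outside the hunk.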
@@ -77,6 +97,10 @@ in {
 type = str;
 default = "idp-ca.${config.networking.domain}";
 };
+ globalDomain = mkOption {
+ type = str;
+ default = "freeipa.${config.networking.domain}";
+ };
 localDomain = mkOption {
 type = str;
 default = "freeipa.local.${config.networking.domain}";
@@ -106,31 +130,61 @@ in {
 port = mkDefault access.ldapPort;
 useACMEHost = mkDefault access.useACMEHost;
 };
- streamConfig = mkIf access.kerberos.enable ''
- server {
- listen 0.0.0.0:${toString access.kerberos.ports.ticket};
- listen [::]:${toString access.kerberos.ports.ticket};
- listen 0.0.0.0:${toString access.kerberos.ports.ticket} udp;
- listen [::]:${toString access.kerberos.ports.ticket} udp;
- proxy_pass ${access.host}:${toString access.kerberos.ports.ticket};
- }
- server {
- listen 0.0.0.0:${toString access.kerberos.ports.ticket4} udp;
- listen [::]:${toString access.kerberos.ports.ticket4} udp;
- proxy_pass ${access.host}:${toString access.kerberos.ports.ticket4};
- }
- server {
- listen 0.0.0.0:${toString access.kerberos.ports.kpasswd};
- listen [::]:${toString access.kerberos.ports.kpasswd};
- listen 0.0.0.0:${toString access.kerberos.ports.kpasswd} udp;
- listen [::]:${toString access.kerberos.ports.kpasswd} udp;
- proxy_pass ${access.host}:${toString access.kerberos.ports.kpasswd};
- }
- '';
+ resolver.addresses = mkIf access.preread.enable [ "[::1]" "127.0.0.1:5353" ];
+ defaultSSLListenPort = mkIf access.preread.enable access.preread.port;
+ streamConfig = let
+ preread = ''
+ upstream freeipa {
+ server ${access.host}:${toString access.port};
+ }
+ upstream nginx {
+ server localhost:${toString nginx.defaultSSLListenPort};
+ }
+ map $ssl_preread_server_name $ssl_name {
+ hostnames;
+ ${access.domain} freeipa;
+ ${access.caDomain} freeipa;
+ default nginx;
+ }
+ server {
+ listen 0.0.0.0:443;
+ listen [::]:443;
+ ssl_preread on;
+ proxy_pass $ssl_name;
+ }
+ '';
+ kerberos = ''
+ server {
+ listen 0.0.0.0:${toString access.kerberos.ports.ticket};
+ listen [::]:${toString access.kerberos.ports.ticket};
+ listen 0.0.0.0:${toString access.kerberos.ports.ticket} udp;
+ listen [::]:${toString access.kerberos.ports.ticket} udp;
+ proxy_pass ${access.host}:${toString access.kerberos.ports.ticket};
+ }
+ server {
+ listen 0.0.0.0:${toString access.kerberos.ports.ticket4} udp;
+ listen [::]:${toString access.kerberos.ports.ticket4} udp;
+ proxy_pass ${access.host}:${toString access.kerberos.ports.ticket4};
+ }
+ server {
+ listen 0.0.0.0:${toString access.kerberos.ports.kpasswd};
+ listen [::]:${toString access.kerberos.ports.kpasswd};
+ listen 0.0.0.0:${toString access.kerberos.ports.kpasswd} udp;
+ listen [::]:${toString access.kerberos.ports.kpasswd} udp;
+ proxy_pass ${access.host}:${toString access.kerberos.ports.kpasswd};
+ }
+ '';
+ in mkMerge [
+ (mkIf access.preread.enable preread)
+ (mkIf access.kerberos.enable kerberos)
+ ];
 virtualHosts = {
 ${access.domain} = {
 inherit locations extraConfig;
 };
+ ${access.globalDomain} = {
+ inherit locations extraConfig;
+ };
 ${access.caDomain} = {
 locations = caLocations;
 inherit extraConfig;
diff --git a/nixos/access/freepbx.nix b/nixos/access/freepbx.nix
index aaccd059..692ce09a 100644
--- a/nixos/access/freepbx.nix
+++ b/nixos/access/freepbx.nix
@@ -4,7 +4,7 @@
 ...
 }: let
 inherit (lib.options) mkOption mkEnableOption;
- inherit (lib.modules) mkIf mkMerge mkDefault;
+ inherit (lib.modules) mkIf mkDefault;
 inherit (lib.lists) head optional concatMap;
 inherit (lib.strings) splitString;
 inherit (config.services) nginx tailscale;
@@ -119,7 +119,7 @@ in {
 listen = concatMap (addr: [
 {
 inherit addr;
- port = 80;
+ port = nginx.defaultHTTPListenPort;
 }
 {
 inherit addr;
@@ -127,7 +127,7 @@ in {
 }
 (mkIf (access.useACMEHost != null) {
 inherit addr;
- port = 443;
+ port = nginx.defaultSSLListenPort;
 ssl = true;
 })
 (mkIf (access.useACMEHost != null) {
diff --git a/nixos/access/kitchencam.nix b/nixos/access/kitchencam.nix
index a3d36e5e..5360f9a3 100644
--- a/nixos/access/kitchencam.nix
+++ b/nixos/access/kitchencam.nix
@@ -68,12 +68,12 @@ in {
 listen = concatMap (addr: [
 (mkIf config.addSSL {
 inherit addr;
- port = 443;
+ port = nginx.defaultSSLListenPort;
 ssl = true;
 })
 {
 inherit addr;
- port = 80;
+ port = nginx.defaultHTTPListenPort;
 }
 {
 inherit addr;
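Review bot: Once the stream server on :443 hands connections to the `nginx` upstream at `localhost:${toString nginx.defaultSSLListenPort}`, every HTTP virtual host on this machine sees `127.0.0.1`/`::1` as the client address, so access logs, any `$remote_addr`-based controls and the `X-Forwarded-*` headers those hosts send onward all lose the real source IP; on the SNI-matched path the `freeipa` upstream now receives the raw TLS stream, so the `X-Forwarded-Server`/`X-SSL-CERT` headers and the `ssl_verify_client optional_no_ca` client-certificate handling in this file no longer apply to `access.domain`/`access.caDomain` at all, only to `globalDomain`. If that trade-off is intended it deserves a comment next to `preread`; otherwise the `nginx` leg needs `proxy_protocol on;` from a dedicated stream server plus `proxy_protocol` on the HTTP listeners with `set_real_ip_from`/`real_ip_header proxy_protocol`, which the single `proxy_pass $ssl_name` server cannot express per upstream. The stream server also hard-codes `listen 0.0.0.0:443;`/`listen [::]:443;` while the HTTP side moves to `access.preread.port`, so a comment (or an option) naming 443 as the public port would make the pair easier to follow. `resolver.addresses` is set alongside, but both `$ssl_name` values are upstream group names and nothing in this hunk appears to need runtime name resolution, so a comment stating what it is for would help. The enclosing module body starts and ends outside the hunk.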
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 452130e9..d79ac051 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -101,6 +101,7 @@ in {
 [
 access.freeipa.localDomain
 access.freeipa.caDomain
+ access.freeipa.globalDomain
 access.ldap.domain
 access.ldap.localDomain
 ]
diff --git a/tf/cloudflare_records.tf b/tf/cloudflare_records.tf
index 6cc06ca2..6c1ba60e 100644
--- a/tf/cloudflare_records.tf
+++ b/tf/cloudflare_records.tf
@@ -30,6 +30,7 @@ module "hakurei_system_records" {
 global_subdomains = [
 "plex",
 "idp",
+ "freeipa",
 "ldap",
 "pbx",
 "smb",