fix(nginx): cloudflared remote_addr

arcnmx 2024-06-24 10:39:01 -07:00
parent 0bcfd82a60
commit b5c1b9de84
4 changed files with 89 additions and 18 deletions


@ -75,21 +75,23 @@ in {
stages = [ stages = [
{ {
regex.expression = concatStringsSep " " [ regex.expression = concatStringsSep " " [
''(?P<remote_addr>.*?)'' ''(?P<remote_addr>.*?)(@-|@(?P<request_scheme>.*?)|)''
''(?P<remote_log_name>.*?)'' ''(-|(?P<remote_log_name>.*?))(@-|@(?P<request_id>.*?)|)''
''(?P<userid>.*?)(@(?P<virtual_host>.*?))?'' ''(-|(?P<userid>.*?))(@(?P<virtual_host>.*?))?''
''\[(?P<timestamp>.*?)\]'' ''\[(?P<timestamp>.*?)\]''
''\"(?P<request_method>.*?) (?P<path>.*?)( (?P<request_version>HTTP/.*))?\"'' ''\"(?P<request_method>.*?) (?P<path>.*?)( (?P<request_version>HTTP/.*))?\"''
''(?P<status>.*?)'' ''(?P<status>.*?)''
''(?P<length>.*?)'' ''(?P<length>.*?)''
''\"(?P<referrer>.*?)\"'' ''\"(-|(?P<referrer>.*?))\"''
''\"(?P<user_agent>.*?)\"'' ''\"(-|(?P<user_agent>.*?))\"''
]; ];
} }
{ {
labels = { labels = {
remote_addr = null; remote_addr = null;
remote_log_name = null; remote_log_name = null;
request_scheme = null;
request_id = null;
userid = null; userid = null;
virtual_host = null; virtual_host = null;
request_method = null; request_method = null;
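Review bot: `request_id = null;` in the labels stage promotes a per-request identifier to a stream label: the new `(@-|@(?P<request_id>.*?)|)` group captures what follows the second field's `@`, which in the new `combined_cloudflared` format is `cloudflared@$http_cf_ray`, so every log line would carry a unique label value and (if this is Promtail's `labels` stage feeding Loki) create one stream per request. Keep `request_id` as an extracted field — it stays available for `line_format`/`output` stages or a `| regexp` at query time — and drop it from `labels`; `remote_addr` has the same cardinality problem, though that label predates this commit. A comment on the block would make the intent durable, e.g. `# request_id/remote_addr are extracted but deliberately not labels: per-request values would explode stream cardinality`. The `labels` attrset continues past the end of this hunk.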


@ -1,4 +1,12 @@
let let
xCloudflared = {virtualHost}: let
host = if virtualHost.proxied.cloudflared.host == virtualHost.serverName
then "$server_name"
else "'${virtualHost.proxied.cloudflared.host}'";
in ''
set $proxied_cf on;
set $proxied_host_cf ${host};
'';
xHeadersProxied = {xvars}: '' xHeadersProxied = {xvars}: ''
${xvars.init "forwarded_for" "$proxy_add_x_forwarded_for"} ${xvars.init "forwarded_for" "$proxy_add_x_forwarded_for"}
if ($http_x_forwarded_proto) { if ($http_x_forwarded_proto) {
@ -11,6 +19,9 @@ let
if ($http_x_real_ip) { if ($http_x_real_ip) {
${xvars.init "remote_addr" "$http_x_real_ip"} ${xvars.init "remote_addr" "$http_x_real_ip"}
} }
if ($http_cf_connecting_ip) {
${xvars.init "remote_addr" "$http_cf_connecting_ip"}
}
if ($http_x_forwarded_host) { if ($http_x_forwarded_host) {
${xvars.init "host" "$http_x_forwarded_host"} ${xvars.init "host" "$http_x_forwarded_host"}
} }
@ -66,6 +77,9 @@ let
}; };
xvars.enable = mkIf cfg.enabled true; xvars.enable = mkIf cfg.enabled true;
extraConfig = mkMerge [ extraConfig = mkMerge [
(mkIf (cfg.enable == "cloudflared" && virtualHost.proxied.enable != "cloudflared") (
mkJustBefore (xCloudflared {inherit virtualHost;})
))
(mkIf emitVars ( (mkIf emitVars (
mkJustBefore (xHeadersProxied {inherit xvars;}) mkJustBefore (xHeadersProxied {inherit xvars;})
)) ))
@ -97,6 +111,10 @@ let
default = cfg.enable != false; default = cfg.enable != false;
}; };
cloudflared = { cloudflared = {
host = mkOption {
type = str;
default = config.serverName;
};
ingressSettings = mkOption { ingressSettings = mkOption {
type = unmerged.types.attrs; type = unmerged.types.attrs;
}; };
@ -127,12 +145,19 @@ let
mkIf (cfg.enable == "cloudflared") { mkIf (cfg.enable == "cloudflared") {
ingressSettings.${config.serverName} = { ingressSettings.${config.serverName} = {
service = "${scheme}://localhost:${toString listen.port}"; service = "${scheme}://localhost:${toString listen.port}";
originRequest.${ originRequest = let
noTLSVerify =
if scheme == "https" if scheme == "https"
then "noTLSVerify" then "noTLSVerify"
else null else null;
} = httpHostHeader =
true; if cfg.cloudflared.host != config.serverName
then "httpHostHeader"
else null;
in {
${noTLSVerify} = true;
${httpHostHeader} = cfg.cloudflared.host;
};
}; };
getIngress = {}: unmerged.mergeAttrs cfg.cloudflared.ingressSettings; getIngress = {}: unmerged.mergeAttrs cfg.cloudflared.ingressSettings;
}; };
@ -146,9 +171,16 @@ let
}; };
}; };
accessLog = mkIf cfg.enabled { accessLog = mkIf cfg.enabled {
format = mkDefault "combined_proxied"; format = mkDefault (
if cfg.enable == "cloudflared"
then "combined_cloudflared"
else "combined_proxied"
);
}; };
extraConfig = mkMerge [ extraConfig = mkMerge [
(mkIf (cfg.enable == "cloudflared") (
mkOrder orderJustBefore (xCloudflared {virtualHost = config;})
))
(mkIf (cfg.enabled && config.xvars.enable) ( (mkIf (cfg.enabled && config.xvars.enable) (
mkOrder (orderJustBefore + 25) (xHeadersProxied {inherit xvars;}) mkOrder (orderJustBefore + 25) (xHeadersProxied {inherit xvars;})
)) ))
@ -218,10 +250,46 @@ in
}; };
}; };
commonHttpConfig = mkIf cfg.enable '' commonHttpConfig = mkIf cfg.enable ''
log_format combined_proxied '$x_remote_addr proxied $remote_user@$x_host [$time_local] ' map "$http_cf_connecting_ip" $proxied_remote_addr_cf {
'"$request" $status $body_bytes_sent ' "" $remote_addr;
'"$http_referer" "$http_user_agent"'; default $http_cf_connecting_ip;
}
map "$http_x_real_ip" $proxied_remote_addr_x {
"" $remote_addr;
default $http_x_real_ip;
}
map "$http_x_forwarded_host" $proxied_host_x {
"" $host;
default $http_x_forwarded_host;
}
map "$http_x_forwarded_server" $proxied_forwarded_server_x {
"" $proxied_host_x;
default $http_x_forwarded_server;
}
map "$http_x_forwarded_proto" $proxied_scheme {
"" $scheme;
default $http_x_forwarded_proto;
}
map "$proxied_scheme" $proxied_https {
"https" on;
default "";
}
map "$proxied_cf" $proxied_remote_addr {
"on" $proxied_remote_addr_cf;
default $proxied_remote_addr_x;
}
map "$proxied_cf" $proxied_host {
"on" $proxied_host_cf;
default $proxied_host_x;
}
log_format combined_proxied '$proxied_remote_addr@$proxied_scheme proxied $remote_user@$proxied_host [$time_local]'
' "$request" $status $body_bytes_sent'
' "$http_referer" "$http_user_agent"';
log_format combined_cloudflared '$proxied_remote_addr_cf@$proxied_scheme cloudflared@$http_cf_ray $remote_user@$proxied_host_cf [$time_local]'
' "$request" $status $body_bytes_sent'
' "$http_referer" "$http_user_agent"';
''; '';
}; };
networking.firewall.interfaces.lan = mkIf nginx.enable { networking.firewall.interfaces.lan = mkIf nginx.enable {
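Review bot: The new `if ($http_cf_connecting_ip)` block in xHeadersProxied (hunk `@ -11,6 +19,9`) honours CF-Connecting-IP on every proxied vhost unconditionally, whereas the `$proxied_remote_addr` map added in commonHttpConfig only consults `$proxied_remote_addr_cf` when `$proxied_cf` is `on`; the two paths now disagree about when that header is authoritative, and a client that reaches nginx without passing through Cloudflare (the `lan` firewall rule on the following line suggests the listener is reachable directly) can supply the header itself and have it recorded as, and forwarded upstream as, its address. The smaller fix is to take the value from the map that already does the gating, `${xvars.init "remote_addr" "$proxied_remote_addr"}`, in place of both the X-Real-IP and CF-Connecting-IP blocks — assuming xvars.init only assigns when the variable is still unset, which this hunk does not show. The robust fix is to let ngx_http_realip_module decide from the peer address, `set_real_ip_from <cloudflare ranges>;` with `real_ip_header CF-Connecting-IP;`, since `$proxied_cf` is set per vhost by xCloudflared and is not a per-connection check, so the `"" $remote_addr; default $http_cf_connecting_ip;` map has the same weakness. Either way a comment above the map, `# CF-Connecting-IP is only trustworthy on connections that originate from Cloudflare`, would record the assumption. xHeadersProxied begins before this hunk.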


@ -160,6 +160,7 @@ let
then xvars.get.proxy_hostport then xvars.get.proxy_hostport
else cfg.host; else cfg.host;
Referer = xvars.get.referer; Referer = xvars.get.referer;
CF-Connecting-IP = xvars.get.remote_addr;
X-Real-IP = xvars.get.remote_addr; X-Real-IP = xvars.get.remote_addr;
X-Forwarded-For = xvars.get.forwarded_for; X-Forwarded-For = xvars.get.forwarded_for;
X-Forwarded-Proto = xvars.get.scheme; X-Forwarded-Proto = xvars.get.scheme;
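Review bot: `CF-Connecting-IP = xvars.get.remote_addr;` makes nginx emit that header to the upstream on every proxied request, including ones that never passed through Cloudflare, because the value is nginx's own computed remote_addr rather than a verbatim pass-through; an upstream that treats the presence of CF-Connecting-IP as evidence of Cloudflare origin, or prefers it over X-Real-IP, can no longer tell the cases apart. If the intent is only to hand the upstream the client address, the `X-Real-IP` entry on the next line already carries the same value; otherwise gate this entry on the vhost's cloudflared mode, or annotate it with `# derived from our remote_addr, not forwarded verbatim; upstreams must not read it as Cloudflare-authenticated`. The header attrset this line belongs to starts before the hunk.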


@ -38,9 +38,9 @@ in {
map $scheme $hsts_header { map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload"; https "max-age=31536000; includeSubdomains; preload";
} }
log_format combined_host '$remote_addr - $remote_user@$host [$time_local] ' log_format combined_host '$remote_addr@$scheme - $remote_user@$host [$time_local]'
'"$request" $status $body_bytes_sent ' ' "$request" $status $body_bytes_sent'
'"$http_referer" "$http_user_agent"'; ' "$http_referer" "$http_user_agent"';
''; '';
clientMaxBodySize = mkDefault "512m"; clientMaxBodySize = mkDefault "512m";
virtualHosts.fallback = { virtualHosts.fallback = {
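Review bot: Changing `combined_host`'s first field from `$remote_addr` to `$remote_addr@$scheme` (and moving the separating space to the head of each continuation string) alters the on-disk access-log format for every non-proxied vhost, so any consumer other than the regex pipeline updated in this commit — fail2ban-style filters, log analysers, ad-hoc scripts — will stop parsing the first field. That is a deliberate contract change worth a comment above the `log_format`, e.g. `# field 1 is remote_addr@scheme; keep the access-log regex in <log pipeline file> in sync`, so the coupling between the three `log_format` definitions and the parser survives the next edit.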