From 44eabdf302848717f44c7e2d918ccf94ed052488 Mon Sep 17 00:00:00 2001
From: Magic_RB
Date: Sun, 23 Apr 2023 23:03:20 +0200
Subject: [PATCH] ingress-blowhole expose internal services using DNS

Signed-off-by: Magic_RB
---
 .../regions/homelab-1/ingress-upstreams.conf | 163 ++++++++++++------
 nomad/regions/homelab-1/job/ingress.hcl | 106 +++++++++++-
 2 files changed, 208 insertions(+), 61 deletions(-)

diff --git a/nomad/regions/homelab-1/ingress-upstreams.conf b/nomad/regions/homelab-1/ingress-upstreams.conf
index 840a260..f0b04ce 100644
--- a/nomad/regions/homelab-1/ingress-upstreams.conf
+++ b/nomad/regions/homelab-1/ingress-upstreams.conf
@@ -14,26 +14,34 @@ upstream syncthing {
 server {{ env "NOMAD_UPSTREAM_ADDR_syncthing" }};
 }
 
-upstream baikal {
- server {{ env "NOMAD_UPSTREAM_ADDR_baikal" }};
+upstream influx {
+ server {{ env "NOMAD_UPSTREAM_ADDR_influx" }};
+}
+
+upstream grafana {
+ server {{ env "NOMAD_UPSTREAM_ADDR_grafana" }};
+}
+
+upstream mainsail {
+ server {{ env "NOMAD_UPSTREAM_ADDR_mainsail" }};
 }
 
 server {
- listen 8096;
+ listen 80;
 
- server_name _;
+ server_name jellyfin.in.redalder.org;
 
 include /local/security.conf;
 
 client_max_body_size 100M;
 
- location /jellyfin/ {
+ location / {
 # Proxy main Jellyfin traffic
 
 # The / at the end is significant.
 # https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/
 
- proxy_pass http://jellyfin/jellyfin/;
+ proxy_pass http://jellyfin/;
 
 proxy_pass_request_headers on;
 
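Review bot: The jellyfin block now takes `listen 80;` with a specific `server_name`, but no server in this patch carries the `default_server` flag, so a request whose Host header matches none of the new `*.in.redalder.org` names (a client using the bare address, a scanner, a stale DNS name) is routed by nginx to the first port-80 server it sees, which as far as this file shows is Jellyfin rather than the `server_name _` catch-all that the third hunk reduces to `return 404`. The catch-all should claim the default explicitly, `listen 80 default_server;`, so unmatched hosts end at the 404 instead of at a backend; the same applies to the commented-out 443 block if it is ever enabled. The jellyfin `server` block continues past the end of this hunk.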
@@ -50,57 +58,115 @@ server { # Disable buffering when the nginx proxy gets very resource heavy upon streaming proxy_buffering off; } +} - location /syncthing/ { +server { + listen 80; + + server_name syncthing.in.redalder.org; + + include /local/security.conf; + + location / { include /local/headers.conf; proxy_pass http://syncthing/; } +} - location ~ "^/(static/icons/|static/fonts/|static/translations/|static/images/|static/panels/|static/polyfills|api/|auth/|frontend_latest/|frontend_es5/|local/|lovelace|map|config|developer-tools|history|logbook|profile|states|hassio|onboarding.html|service_worker.js|authorize.html|manifest.json)" { +server { + listen 80; + + server_name hass.in.redalder.org; + + include /local/security.conf; + + location / { include /local/headers.conf; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; - proxy_pass http://home-assistant; + proxy_pass http://home-assistant/; + + # Disable buffering when the nginx proxy gets very resource heavy upon streaming + proxy_buffering off; } +} - location /home-assistant { +server { + listen 80; + + server_name zigbee2mqtt.in.redalder.org; + + include /local/security.conf; + + location / { include /local/headers.conf; - rewrite /home-assistant/(.*) /$1 break; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - proxy_pass http://home-assistant; - } - - location /zigbee2mqtt/ { - include /local/headers.conf; - -# rewrite /zigbee2mqtt/(.*) /$1 break; - proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_pass http://zigbee2mqtt/; } +} - location /baikal/ { +server { + listen 80; + + server_name grafana.in.redalder.org; + + # Grafana really doesn't like that CSP policy + # include /local/security.conf; + + location / { include /local/headers.conf; -# rewrite /baikal/(.*) /$1 break; - proxy_http_version 1.1; proxy_set_header Upgrade 
$http_upgrade; proxy_set_header Connection "upgrade"; - proxy_pass http://baikal/; + proxy_pass http://grafana/; + } +} + +server { + listen 80; + + server_name influx.in.redalder.org; + + # Influx doesn't like it either + # include /local/security.conf; + + location / { + include /local/headers.conf; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + proxy_pass http://influx/; + } +} + +server { + listen 80; + + server_name mainsail.in.redalder.org; + + # Influx doesn't like it either + # include /local/security.conf; + + location / { + include /local/headers.conf; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + proxy_pass http://mainsail/; } } @@ -108,32 +174,21 @@ server { listen 80; server_name _; - include /local/security.conf; - client_max_body_size 100M; - - location /jellyfin/ { - # Proxy main Jellyfin traffic - - # The / at the end is significant. - # https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/ - - proxy_pass http://jellyfin/jellyfin/; - - proxy_pass_request_headers on; - - proxy_set_header Host $host; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $http_connection; - - # Disable buffering when the nginx proxy gets very resource heavy upon streaming - proxy_buffering off; + location / { + return 404; } -} \ No newline at end of file +} + +# server { +# listen 443; + +# server_name _; + +# include /local/security.conf; + +# location / { +# return 404; +# } +# } \ No newline at end of file diff --git a/nomad/regions/homelab-1/job/ingress.hcl b/nomad/regions/homelab-1/job/ingress.hcl index 9fb010d..145adb5 100644 --- a/nomad/regions/homelab-1/job/ingress.hcl 
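Review bot: The grafana, influx and mainsail vhosts comment out `include /local/security.conf;` wholesale, so whatever that file sets besides the CSP the comment names (if it also carries framing or content-type hardening headers — not visible here) is gone for these three hosts as well. Rather than dropping the include, the CSP directive could be moved into its own file so the rest keeps applying, e.g. `include /local/security-nocsp.conf;` (constructed name) in these three blocks, with the reason kept as a comment. The mainsail block also repeats the influx comment verbatim; it should read `# Mainsail doesn't like the CSP policy either`. This hunk opens by closing the jellyfin `location`/`server` pair that begins in the previous hunk.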
+++ b/nomad/regions/homelab-1/job/ingress.hcl
@@ -25,21 +25,19 @@ job "ingress" {
 network {
 mode = "bridge"
 port "http" {
- static = 8080
+ host_network = "mesh"
+ static = 80
 to = 80
 }
 
 port "https" {
+ host_network = "mesh"
 static = 443
 to = 443
 }
 
- port "jellyfin" {
- static = 8096
- to = 8096
- }
-
 port "imap" {
+ host_network = "mesh"
 static = 143
 to = 143
 }
@@ -49,6 +47,90 @@ job "ingress" {
 name = "ingress-blowhole"
 port = "80"
 
+ check {
+ type = "http"
+ path = "/health"
+ name = "jellyfin"
+ port = "http"
+ interval = "5s"
+ timeout = "5s"
+ header {
+ Host = [ "jellyfin.in.redalder.org" ]
+ }
+ }
+
+ check {
+ type = "http"
+ path = "/"
+ name = "zigbee2mqtt"
+ port = "http"
+ interval = "5s"
+ timeout = "5s"
+ header {
+ Host = [ "zigbee2mqtt.in.redalder.org" ]
+ }
+ }
+
+ check {
+ type = "http"
+ path = "/"
+ name = "home-assistant"
+ port = "http"
+ interval = "5s"
+ timeout = "5s"
+ header {
+ Host = [ "hass.in.redalder.org" ]
+ }
+ }
+
+ # check {
+ # type = "http"
+ # path = "/"
+ # name = "syncthing"
+ # port = "http"
+ # interval = "5s"
+ # timeout = "5s"
+ # header {
+ # Host = [ "syncthing.in.redalder.org" ]
+ # }
+ # }
+
+ check {
+ type = "http"
+ path = "/api/health"
+ name = "grafana"
+ port = "http"
+ interval = "5s"
+ timeout = "5s"
+ header {
+ Host = [ "grafana.in.redalder.org" ]
+ }
+ }
+
+ check {
+ type = "http"
+ path = "/health"
+ name = "influx"
+ port = "http"
+ interval = "5s"
+ timeout = "5s"
+ header {
+ Host = [ "influx.in.redalder.org" ]
+ }
+ }
+
+ check {
+ type = "http"
+ path = "/"
+ name = "mainsail"
+ port = "http"
+ interval = "5s"
+ timeout = "5s"
+ header {
+ Host = [ "mainsail.in.redalder.org" ]
+ }
+ }
+
 connect {
 sidecar_service {
 proxy {
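Review bot: The `https` port is now pinned to 443 on `host_network = "mesh"`, yet the only 443 listener in the nginx file of this patch is the commented-out block at its end, so the job advertises a port nothing answers on; either drop the port until a TLS listener exists or say so next to it, `# https: reserved on mesh, no listener yet (443 server block in ingress-upstreams.conf is commented out)`. Every vhost this patch creates is plain HTTP on 80, which is only acceptable if the `mesh` host network is a private overlay — this file does not show that, so the assumption deserves a one-line comment beside `port "http"`. The `network` and `job` blocks begin and end outside this hunk.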
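Review bot: All six backend probes are attached to the single `ingress-blowhole` service, so one unreachable backend turns the whole service critical and, if Consul DNS filtering is what the subject line relies on, removes the ingress from DNS for every other vhost at the same time; this is inferred from the check placement and should be confirmed against how the names are resolved. If that coupling is not intended, give this service one check that exercises nginx itself and move the per-backend probes into each backend's own service stanza. The disabled syncthing check should state why it is off, e.g. `# check disabled: <reason>`, instead of being left as an eleven-line comment. The `service` block starts before this hunk and the `connect` block runs past it.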
@@ -78,9 +160,19 @@ job "ingress" { } upstreams { - destination_name = "baikal" + destination_name = "grafana" local_bind_port = 8006 } + + upstreams { + destination_name = "influx" + local_bind_port = 8007 + } + + upstreams { + destination_name = "mainsail" + local_bind_port = 8008 + } } }