ingress-blowhole expose internal services using DNS

Signed-off-by: Magic_RB <magic_rb@redalder.org>
Magic_RB 2023-04-23 23:03:20 +02:00
parent dafbab9495
commit 44eabdf302
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
2 changed files with 208 additions and 61 deletions


@ -14,26 +14,34 @@ upstream syncthing {
server {{ env "NOMAD_UPSTREAM_ADDR_syncthing" }}; server {{ env "NOMAD_UPSTREAM_ADDR_syncthing" }};
} }
upstream baikal { upstream influx {
server {{ env "NOMAD_UPSTREAM_ADDR_baikal" }}; server {{ env "NOMAD_UPSTREAM_ADDR_influx" }};
}
upstream grafana {
server {{ env "NOMAD_UPSTREAM_ADDR_grafana" }};
}
upstream mainsail {
server {{ env "NOMAD_UPSTREAM_ADDR_mainsail" }};
} }
server { server {
listen 8096; listen 80;
server_name _; server_name jellyfin.in.redalder.org;
include /local/security.conf; include /local/security.conf;
client_max_body_size 100M; client_max_body_size 100M;
location /jellyfin/ { location / {
# Proxy main Jellyfin traffic # Proxy main Jellyfin traffic
# The / at the end is significant. # The / at the end is significant.
# https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/ # https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/
proxy_pass http://jellyfin/jellyfin/; proxy_pass http://jellyfin/;
proxy_pass_request_headers on; proxy_pass_request_headers on;
@ -50,57 +58,115 @@ server {
# Disable buffering when the nginx proxy gets very resource heavy upon streaming # Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off; proxy_buffering off;
} }
}
location /syncthing/ { server {
listen 80;
server_name syncthing.in.redalder.org;
include /local/security.conf;
location / {
include /local/headers.conf; include /local/headers.conf;
proxy_pass http://syncthing/; proxy_pass http://syncthing/;
} }
}
location ~ "^/(static/icons/|static/fonts/|static/translations/|static/images/|static/panels/|static/polyfills|api/|auth/|frontend_latest/|frontend_es5/|local/|lovelace|map|config|developer-tools|history|logbook|profile|states|hassio|onboarding.html|service_worker.js|authorize.html|manifest.json)" { server {
listen 80;
server_name hass.in.redalder.org;
include /local/security.conf;
location / {
include /local/headers.conf; include /local/headers.conf;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
proxy_pass http://home-assistant; proxy_pass http://home-assistant/;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
} }
location /home-assistant { server {
listen 80;
server_name zigbee2mqtt.in.redalder.org;
include /local/security.conf;
location / {
include /local/headers.conf; include /local/headers.conf;
rewrite /home-assistant/(.*) /$1 break;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://home-assistant;
}
location /zigbee2mqtt/ {
include /local/headers.conf;
# rewrite /zigbee2mqtt/(.*) /$1 break;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
proxy_pass http://zigbee2mqtt/; proxy_pass http://zigbee2mqtt/;
} }
}
location /baikal/ { server {
listen 80;
server_name grafana.in.redalder.org;
# Grafana really doesn't like that CSP policy
# include /local/security.conf;
location / {
include /local/headers.conf; include /local/headers.conf;
# rewrite /baikal/(.*) /$1 break;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
proxy_pass http://baikal/; proxy_pass http://grafana/;
}
}
server {
listen 80;
server_name influx.in.redalder.org;
# Influx doesn't like it either
# include /local/security.conf;
location / {
include /local/headers.conf;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://influx/;
}
}
server {
listen 80;
server_name mainsail.in.redalder.org;
# Influx doesn't like it either
# include /local/security.conf;
location / {
include /local/headers.conf;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://mainsail/;
} }
} }
@ -108,32 +174,21 @@ server {
listen 80; listen 80;
server_name _; server_name _;
include /local/security.conf; include /local/security.conf;
client_max_body_size 100M; location / {
return 404;
location /jellyfin/ {
# Proxy main Jellyfin traffic
# The / at the end is significant.
# https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/
proxy_pass http://jellyfin/jellyfin/;
proxy_pass_request_headers on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
} }
} }
# server {
# listen 443;
# server_name _;
# include /local/security.conf;
# location / {
# return 404;
# }
# }
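Review bot: The catch-all block in the last hunk (`listen 80;` / `server_name _;` / `return 404;`) is not actually the default: without `default_server` on the listen directive nginx sends requests whose Host matches no server_name to the first server for that port, which in this file is now the jellyfin vhost, so IP-only or unknown-Host requests still land on jellyfin instead of being rejected; change it to `listen 80 default_server;`. Separately, the grafana, influx and mainsail blocks in the second hunk comment out `include /local/security.conf;` wholesale, which drops every header that file sets rather than only the CSP those apps object to; if security.conf carries more than the CSP (cannot tell from here), splitting the CSP into its own include so it can be omitted per vhost keeps the remaining headers, remembering that any `add_header` at a child level replaces all inherited ones. The comment over the mainsail block, `# Influx doesn't like it either`, is copied from the influx block and should name mainsail.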


@ -25,21 +25,19 @@ job "ingress" {
network { network {
mode = "bridge" mode = "bridge"
port "http" { port "http" {
static = 8080 host_network = "mesh"
static = 80
to = 80 to = 80
} }
port "https" { port "https" {
host_network = "mesh"
static = 443 static = 443
to = 443 to = 443
} }
port "jellyfin" {
static = 8096
to = 8096
}
port "imap" { port "imap" {
host_network = "mesh"
static = 143 static = 143
to = 143 to = 143
} }
@ -49,6 +47,90 @@ job "ingress" {
name = "ingress-blowhole" name = "ingress-blowhole"
port = "80" port = "80"
check {
type = "http"
path = "/health"
name = "jellyfin"
port = "http"
interval = "5s"
timeout = "5s"
header {
Host = [ "jellyfin.in.redalder.org" ]
}
}
check {
type = "http"
path = "/"
name = "zigbee2mqtt"
port = "http"
interval = "5s"
timeout = "5s"
header {
Host = [ "zigbee2mqtt.in.redalder.org" ]
}
}
check {
type = "http"
path = "/"
name = "home-assistant"
port = "http"
interval = "5s"
timeout = "5s"
header {
Host = [ "hass.in.redalder.org" ]
}
}
# check {
# type = "http"
# path = "/"
# name = "syncthing"
# port = "http"
# interval = "5s"
# timeout = "5s"
# header {
# Host = [ "syncthing.in.redalder.org" ]
# }
# }
check {
type = "http"
path = "/api/health"
name = "grafana"
port = "http"
interval = "5s"
timeout = "5s"
header {
Host = [ "grafana.in.redalder.org" ]
}
}
check {
type = "http"
path = "/health"
name = "influx"
port = "http"
interval = "5s"
timeout = "5s"
header {
Host = [ "influx.in.redalder.org" ]
}
}
check {
type = "http"
path = "/"
name = "mainsail"
port = "http"
interval = "5s"
timeout = "5s"
header {
Host = [ "mainsail.in.redalder.org" ]
}
}
connect { connect {
sidecar_service { sidecar_service {
proxy { proxy {
@ -78,9 +160,19 @@ job "ingress" {
} }
upstreams { upstreams {
destination_name = "baikal" destination_name = "grafana"
local_bind_port = 8006 local_bind_port = 8006
} }
upstreams {
destination_name = "influx"
local_bind_port = 8007
}
upstreams {
destination_name = "mainsail"
local_bind_port = 8008
}
} }
} }
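Review bot: Every per-backend `check` added in the second hunk is attached to the single `ingress-blowhole` service, so one failing upstream (a timeout on mainsail's `/`, say) turns the whole ingress service critical in Consul and can pull every other vhost out of resolution with it. If that coupling is not intended, keep one check that probes nginx itself and move the per-backend probes onto those backends' own service definitions; the commented-out syncthing check suggests this failure mode has already been hit, though that is inferred. With `timeout = "5s"` equal to `interval = "5s"` there is also no slack between probes on a slow backend; a shorter timeout such as `timeout = "2s"` is the usual choice.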