- (Icinga2) Preseed correctly all the debconf variables to have IDO db created
and populated by `icinga2-ido-pgsql` deb installation script.
- (IcingaWeb2) Use a different user, `www-data`, with lower
privileges, to access the IDO db in read-only mode.
- Use everywhere socket (local ident) authentication to PostgreSQL to
avoid local service password.
(IcingaWeb2) Configuration issues fixed:
- Missing `php-fpm` requirement.
- Migrating php7.0 -> php 7.3 in nginx config location config file.
- Fixed `rewrite` rule in nginx configuration:
When usign `/icingaweb2` as rewrite target nginx automatically
expand the redirect 302 response as
`$scheme://$remote_host:$remote_port/icingaweb2`, causing
connection to fail when behind a *reverse proxy*, because
remote_post and remote_host are incorrect.
- Remove hardcoded `status.lilik.it` in `meta/main.yaml`,
`server_fqdn` is already defined in `defaults/main.yaml` as
`{{ ansible_hostname }}.{{ domain }}`.
(IcingaWeb2) LDAP:
- procedure to automatically issue service credetinals to authenticate
with the ldap server.
- starttls secured ldap connection with service account.
- use of the variable `base_dn` instead of hard-coded values in config
files.
(IcingaWeb2) CONFIGURATION:
- fixed rsync parameters.
- resource renaming.
When using multiples server names in `server_name`, the NGINX variable
`$server_name` will always point only to the first entry. `$host`
variable, instead, point to the selected host from the user (HTTP
request or Host: header).
Do not apply tag `packages` to role `service`. Tags are already
applied inside the role. If we apply the tag `package` at the role
level handlers defined inside the role (restart, reload) are not
available in the play!
Fix an error when `ssh_server` last task, the one that checks if the
server has actually started to listen on port 22.
This error occurred while using the `ssh_server` role on a physical
host, not while running on lxc_guests.
Role to configure port forwarding in a OpenWRT firewall.
Import this role in any host playbook to open a redirect to the
current host from the host labelled as firewall.
Example:
- set_fact:
firewall: 'inventory_name_of_firewall'
- import_role: name=port_forwarding
vars:
name: 'stun'
proto: 'tcp'
port: 3478
This is beacause nginx will do canonization of URIs before
proxy-passing if you add anything after the port host:port.
For example, with:
location /anything {
proxy_pass http://127.0.0.1:8008/anything;
}
NGINX will perform canonization, but with:
location /anything {
proxy_pass http://127.0.0.1:8008
# With NO Trailing slash
}
NGINX will pass the unaltered original request, included /anything, to
the upstream server.
Canonization leads to problem when federating to other matrix-synapse
instances. The observed bug was:
- User A on our server (@A:our.server) invites User B on external
server (@B:matrix.org).
- User B correctly receive the invite.
- User B try to join the room but the request timeout.
- On our.sever logs we see "signature tampered" errors related to
incoming connection from the external server (matrix.org).
This commit fix the issue.