Original Client IP is correctly passed to upstream nginx
instances (nginx role or gitlab).
Affected roles:
- reverse_proxy:
Pass PROXY PROTOCOL by default to all upstream servers. May cause
problems with upstream servers unable to understand PROXY
PROTOCOL. We should put an nginx proxy in front in that case.
- nginx:
Expect PROXY PROTOCOL for all incoming TLS connections on nginx
clients.
*Warning:* now you can access the local server only by passing through
the firewall reverse proxy, not directly.
- gitlab:
Built-in nginx instance configured to expect PROXY PROTOCOL for
tls incoming connections.
- Coherent quotation style
Single quotes for text variable (even if implicit), no quotes for
variable and conditional statements, if not required.
- Some useful tags added:
* ssh_certs
renewal of server SSH certificates and configuration of authorized
CA.
* tls_pub
renewal of public TLS certificates (let's encrypt) and certbot
configuration.
* tls_int
renewal of internal TLS certificates (service authorizations) and
configuration of authorized internal CA.
*(ToDo: deployment of Certificate Revocation Lists)*
* lxc
deployment of new containers (deployment of configuration files
excluded; for instance, changes in IP address are always applied and
trigger a container restart even if you skip this tag).
* packages
installation and upgrade of software packages (apt, opkg or
tarballs)
* service_password
create new random password for services-only password, for routine
rotation. Not meant to be skipped (some roles need to know the
service password, so they do a rotation).
- prepare_host
- ssh_server
- lxc_guest
- ldap
- gitlab
- x509_subject_prefix
- x509_ldap_suffix
*Replaces:* x509_suffix in ldap.yaml
- letsencrypt_email
Used in roles/certbot and roles/gitlab
- root_ca_cert
*Replaces:* ssl_ca_cert and files/lilik_x1.crt
New defaults:
- ldap_domain | default: `${domain}`
- server_fqdn | default: `${hostname}.dmz.${domain}`
*Replaces:* fqdn_domain
Removed:
- fqdn_domain
- x509_suffix
*Replaced by:* x509_ldap_suffix in common
New defaults:
- server_fqdn | default: `${hostname}.${domain}`
*Replaces*: fqdn
- ldap_domain | default: `${domain}`
- ldap_server | default: `ldap1.dmz.${domain}`
- ldap_basedn | default: `dn(${ldap_domain})`
- enable_https | default: `true`
New defaults:
- server_fqdn | default: `${hostname}.${domain}`
Because we are using openwrt and we would like to maintain LUCI running
on its interface, we can't bind on 0.0.0.0 or 127.0.0.1, hence we must
listen on a specific IP. This will set the public IP from the group
vars to be the one where we listen.
This role splits the reverse proxy configuration into three files per
host. Every file belongs to a different directory that is created on
the reverse proxy we use (nginx).
We decided to split the reverse proxy configuration from one file to
three different files. One is the http configuration and the remaining
are the https configuration.