changeset 284:9431aec4d998

Switch to using IPv6 prefix and IP per site. This is because the proxy seems to break SNI, so we need an IP per SSL cert. We're not short of IPv6 addresses, though! Also corrected to "4to6" naming, because we're letting IPv4 access an IPv6 site.
author IBBoard <dev@ibboard.co.uk>
date Sun, 16 Feb 2020 12:07:35 +0000
parents d29f477c51d4
children c0e989d32b5c
files manifests/nodes.pp manifests/templates.pp modules/website/manifests/https.pp modules/website/manifests/https/multitld.pp modules/website/manifests/https/redir.pp modules/website/manifests/init.pp
diffstat 6 files changed, 76 insertions(+), 34 deletions(-) [+]
--- a/manifests/nodes.pp	Sat Feb 15 20:11:23 2020 +0000
+++ b/manifests/nodes.pp	Sun Feb 16 12:07:35 2020 +0000
@@ -18,7 +18,7 @@
 node 'ibbvps.vs.mythic-beasts.com' {
 	class { 'ibboardvpsnode':
 		primary_ip => '2a00:1098:82:52::1',
-		proxy_6to4_ip => '2a00:1098:82:52::01d4', # ::old4 for IPv4!
+		proxy_4to6_ip_prefix => '2a00:1098:82:52::01d4', # ::old4 for IPv4!
 		proxy_upstream => ['proxy.mythic-beasts.com'],
 		mailserver => 'mail.ibboard.co.uk',
 		imapserver => 'imap.ibboard.co.uk',
--- a/manifests/templates.pp	Sat Feb 15 20:11:23 2020 +0000
+++ b/manifests/templates.pp	Sun Feb 16 12:07:35 2020 +0000
@@ -27,7 +27,7 @@
 
 class basevpsnode (
 	$primary_ip,
-	$proxy_6to4_ip = undef,
+	$proxy_4to6_ip_prefix = undef,
 	$proxy_upstream = undef,
 	$mailserver,
 	$imapserver,
@@ -56,7 +56,7 @@
 	include vcs::client
 	class { 'webserver':
 		primary_ip => $primary_ip,
-		proxy_6to4_ip => $proxy_6to4_ip,
+		proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix,
 		proxy_upstream => $proxy_upstream,
 	}
 	include cronjobs
@@ -410,14 +410,24 @@
 #Our web server with our configs, not just a stock one
 class webserver (
 	$primary_ip,
-	$proxy_6to4_ip = undef,
+	$proxy_4to6_ip_prefix = undef,
 	$proxy_upstream = undef,
 	) {
+
+	if $proxy_4to6_ip_prefix == undef {
+		$ipv6_addresses = []
+	}
+	else {
+		$ipv6_addresses = [1, 2, 3, 4, 5, 6, 7, 8, 9].map |$octet| { "$proxy_4to6_ip_prefix:$octet" }
+	}
+
 	#Setup base website parameters
 	class { 'website':
 		base_dir => '/srv/sites',
 		primary_ip => $primary_ip,
-		proxy_6to4_ip => $proxy_6to4_ip,
+		proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix,
+		proxy_4to6_mask => 124,
+		proxy_4to6_addresses => $ipv6_addresses,
 		proxy_upstream => $proxy_upstream,
 		default_owner => $defaultusers::default_user,
 		default_group => $defaultusers::default_user,
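Review bot: The `/124` on the `proxy_4to6_mask` line and the `[1, 2, 3, 4, 5, 6, 7, 8, 9]` list on the `map` line state one fact twice — which host suffixes are in use — and nothing ties them together, so growing the list past `:f` would silently produce addresses outside the range that init.pp firewalls from the same mask. The loop variable is also named `$octet` although it is a trailing hextet, and the strings it yields (`prefix:1`) are spelt differently from the `prefix:01` values the site classes pass, which the kernel and Apache treat as the same address but which makes grepping configs confusing. I'd record the relationship and brace the interpolation: `# Host suffixes :1..:9 must stay inside the /124 passed as proxy_4to6_mask below (it covers :0-:f)` and `$ipv6_addresses = [1, 2, 3, 4, 5, 6, 7, 8, 9].map |$suffix| { "${proxy_4to6_ip_prefix}:${suffix}" }`.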
@@ -517,7 +527,7 @@
 
 class ibboardvpsnode (
 	$primary_ip,
-	$proxy_6to4_ip = undef,
+	$proxy_4to6_ip_prefix = undef,
 	$proxy_upstream = undef,
 	$mailserver,
 	$imapserver,
@@ -525,7 +535,7 @@
 	){
 	class { 'basevpsnode':
 		primary_ip => $primary_ip,
-		proxy_6to4_ip => $proxy_6to4_ip,
+		proxy_4to6_ip_prefix => $proxy_4to6_ip_prefix,
 		proxy_upstream => $proxy_upstream,
 		mailserver => $mailserver,
 		imapserver => $imapserver,
@@ -555,8 +565,14 @@
 	}
 
 	#Configure our sites, using templates for the custom fragments where the extra content is too long
-	include adminsite
+	class { "devsite":
+		proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:01", default => undef }
+	}
+	class { "adminsite":
+		proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:02", default => undef }
+	}
 	website::https::multitld { 'www.ibboard':
+		proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:03", default => undef },
 		custom_fragment => template("privat/apache/ibboard.fragment"),
 		letsencrypt_name => 'ibboard.co.uk',
 		csp_override => {
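Review bot: The `:01` to `:09` suffixes on the `proxy_4to6_ip` lines of this hunk and the next one (the block ending at `admin.ibboard`) are numbered by hand across nine call sites, with the `$proxy_4to6_ip_prefix != undef ? { ... }` selector copied verbatim each time, so a duplicated suffix would put two certificates on one listening address and reintroduce the SNI problem this commit works around; nothing in the manifest would catch it. A comment above the first `class { "devsite":` naming the contract would help the next editor: `# Each site gets a distinct host suffix :01..:09 under the /124 prefix; two sites on one address defeats the per-cert IP the proxy needs, and any suffix above :09 must also be added to webserver's address list`. I am assuming these `:0N` strings must stay in step with the list webserver builds in templates.pp; confirm that is the intent.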
@@ -570,20 +586,33 @@
 			"connect-src" => "'self'",
 		}
 	}
-	include hiveworldterrasite
-	include bdstrikesite
-	include devsite
+	class { "hiveworldterrasite":
+		proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:04", default => undef }
+	}
+	class { "bdstrikesite":
+		proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:05", default => undef }
+	}
 	website::https::multitld { 'www.abiknight':
+		proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:06", default => undef },
 		custom_fragment => "$website::htmlphpfragment
 	ErrorDocument 404 /error.php",
 		letsencrypt_name => 'abiknight.co.uk',
 	}
-	include webmailpimsite
+	website::https::multitld { 'www.warfoundry':
+		proxy_4to6_ip => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:07", default => undef },
+		letsencrypt_name => 'warfoundry.co.uk',
+		custom_fragment => template("privat/apache/warfoundry.fragment"),
+	}
+	class { "webmailpimsite":
+		proxy_4to6_ip_pim => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:08", default => undef },
+		proxy_4to6_ip_webmail => $proxy_4to6_ip_prefix != undef ? { true => "$proxy_4to6_ip_prefix:09", default => undef },
+	}
 }
 
-class adminsite{
+class adminsite ($proxy_4to6_ip) {
 	apache::mod { 'info':; 'status':; 'cgi':; }
 	website::https::multitld { 'admin.ibboard':
+		proxy_4to6_ip => $proxy_4to6_ip,
 		force_no_index => false,
 		ssl_ca_chain => '',
 		custom_fragment => template("privat/apache/admin.fragment"),
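Review bot: `class adminsite ($proxy_4to6_ip) {` declares the parameter without a default, yet its only caller passes `default => undef` whenever no prefix is configured; as far as I recall Puppet treats an explicit `undef` argument as "not supplied", so a node without `proxy_4to6_ip_prefix` would fail compilation with "expects a value for parameter" instead of falling back to the primary-IP vhost. The `hiveworldterrasite`, `bdstrikesite`, `devsite` and `webmailpimsite` headers in the later hunks of this file follow the same pattern. Giving each a typed default restores the optional behaviour the `if ($proxy_4to6_ip != undef)` guards in https.pp are written for: `class adminsite (Optional[Stdlib::IP::Address::V6] $proxy_4to6_ip = undef) {`.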
@@ -601,29 +630,34 @@
 	}
 }
 
-class hiveworldterrasite {
+class hiveworldterrasite ($proxy_4to6_ip) {
 	website::https::multitld { 'www.hiveworldterra':
+		proxy_4to6_ip => $proxy_4to6_ip,
 		force_no_www => false,
 		letsencrypt_name => 'hiveworldterra.co.uk',
 		custom_fragment => template("privat/apache/hwt.fragment"),
 	}
 	website::https::multitld { 'forums.hiveworldterra': 
+		proxy_4to6_ip => $proxy_4to6_ip,
 		letsencrypt_name => 'hiveworldterra.co.uk',
 		custom_fragment => template("privat/apache/forums.fragment"),
 	}
 	website::https::multitld { 'skins.hiveworldterra':
+		proxy_4to6_ip => $proxy_4to6_ip,
 		letsencrypt_name => 'hiveworldterra.co.uk',
 		custom_fragment => template("privat/apache/skins.fragment"),
 	}
 	website::https::redir { 'hiveworldterra.ibboard.co.uk':
+		proxy_4to6_ip => $proxy_4to6_ip,
 		redir => 'https://www.hiveworldterra.co.uk/',
 		docroot => "${website::basedir}/hiveworldterra",
 		letsencrypt_name => 'hiveworldterra.co.uk',
 		separate_log => true,
 	}
 }
-class bdstrikesite {
+class bdstrikesite ($proxy_4to6_ip) {
 	website::https::multitld { 'www.bdstrike': 
+		proxy_4to6_ip => $proxy_4to6_ip,
 		docroot_owner => $defaultusers::secondary_user,
 		docroot_group => 'editors',
 		letsencrypt_name => 'bdstrike.co.uk',
@@ -641,6 +675,7 @@
 		'www.strikecreations.com' ]
 
 	website::https::redir { 'www.strikecreations.co.uk':
+		proxy_4to6_ip => $proxy_4to6_ip,
 		redir => 'https://bdstrike.co.uk/',
 		serveraliases => $aliases,
 		docroot => "${website::basedir}/bdstrike",
@@ -657,7 +692,7 @@
 		minute => '*/15',
 	}
 }
-class devsite {
+class devsite ($proxy_4to6_ip) {
 	if versioncmp($operatingsystemrelease, '8') >= 0 {
 		# Apache::Mod doesn't map this correctly for CentOS 8 yet
 		$mod_wsgi_lib = 'mod_wsgi_python3.so'
@@ -693,11 +728,8 @@
 		ensure => installed,
 	}
 
-	website::https::multitld { 'www.warfoundry':
-		letsencrypt_name => 'warfoundry.co.uk',
-		custom_fragment => template("privat/apache/warfoundry.fragment"),
-	}
 	website::https::multitld { 'dev.ibboard':
+		proxy_4to6_ip => $proxy_4to6_ip,
 		#Make sure we're the first one hit for the tiny fraction of "no support" cases we care about (potentially Python for Mercurial!)
 		# http://en.wikipedia.org/wiki/Server_Name_Indication#No_support
 		priority => 1,
@@ -708,14 +740,16 @@
 	}
 }
 
-class webmailpimsite {
+class webmailpimsite ($proxy_4to6_ip_pim, $proxy_4to6_ip_webmail) {
 	# Webmail and Personal Information Management (PIM) sites
 	website::https { 'webmail.ibboard.co.uk':
+		proxy_4to6_ip => $proxy_4to6_ip_webmail,
 		force_no_index => false,
 		ssl_ca_chain => '',
 		custom_fragment => template("privat/apache/webmail.fragment"),
 	}
 	website::https { 'pim.ibboard.co.uk':
+		proxy_4to6_ip => $proxy_4to6_ip_pim,
 		docroot_owner => 'apache',
 		docroot_group => 'editors',
 		force_no_index => false,
--- a/modules/website/manifests/https.pp	Sat Feb 15 20:11:23 2020 +0000
+++ b/modules/website/manifests/https.pp	Sun Feb 16 12:07:35 2020 +0000
@@ -3,6 +3,7 @@
 define website::https(
     $docroot            = undef,
     $ip                 = $website::primary_ip,
+    $proxy_4to6_ip      = undef,
     $ssl_cert           = undef,
     $ssl_key            = undef,
     $ssl_ca_chain       = undef,
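Review bot: `$proxy_4to6_ip = undef` on the added line is accepted untyped and unchecked, and the `-PROXY` vhosts later in this define bind to whatever it holds, while the rules that confine PROXY-protocol traffic to the upstream proxy (init.pp, `100 limit ...` and `101 block ...`) are written against `proxy_4to6_ip_prefix:0000/proxy_4to6_mask`. An address handed in from outside that range would therefore get a PROXY vhost that is reachable from any source, so any client could present its own PROXY header to what I take to be the remoteip-trusting listener. A membership check against `$website::proxy_4to6_addresses` would be the mechanical fix, but the spellings differ (`:1` there, `:01` from the callers), so at minimum document the contract on this line: `# Must lie inside website::proxy_4to6_ip_prefix/proxy_4to6_mask: only that range is firewalled to the upstream proxy`. The same parameter is added to redir.pp in the hunk beginning `define website::https::redir(` and needs the same note.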
@@ -174,10 +175,10 @@
     error_log_file  => "error_${logpart}_nossl.log",
   }
 
-  if ($website::proxy_6to4_ip != undef) {
+  if ($proxy_4to6_ip != undef) {
     apache::vhost { "$name-PROXY":
       servername      => $name,
-      ip              => $website::proxy_6to4_ip,
+      ip              => $proxy_4to6_ip,
       port            => '443',
       priority        => $priority,
       docroot         => $siteroot,
@@ -201,7 +202,7 @@
 
     apache::vhost { "${name}-80-PROXY":
       servername => $name,
-      ip => $website::proxy_6to4_ip,
+      ip => $proxy_4to6_ip,
       port => 80,
       docroot => $siteroot,
       redirect_status => 'permanent',
--- a/modules/website/manifests/https/multitld.pp	Sat Feb 15 20:11:23 2020 +0000
+++ b/modules/website/manifests/https/multitld.pp	Sun Feb 16 12:07:35 2020 +0000
@@ -1,6 +1,7 @@
 define website::https::multitld (
   Optional[String] $docroot = undef,
-  String $ip              = $website::primary_ip,
+  Stdlib::IP::Address $ip = $website::primary_ip,
+  Stdlib::IP::Address::V6 $proxy_4to6_ip = undef,
   Optional[Integer] $priority       = undef,
   String $base            = $name,
   Pattern[/^[a-z]+(\.[a-z]+)?$/] $main_tld = $website::tld,
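Review bot: `Stdlib::IP::Address::V6 $proxy_4to6_ip = undef` on the added line does not admit `undef`, but every caller in templates.pp passes `default => undef` when no prefix is configured, and Puppet type-checks the resolved value, so a node without a proxy prefix should fail with a type mismatch rather than get the primary-IP-only vhost. The widening of `$ip` to `Stdlib::IP::Address` in the same hunk looks fine. The fix is one line: `Optional[Stdlib::IP::Address::V6] $proxy_4to6_ip = undef,`.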
@@ -37,6 +38,7 @@
   website::https { $main_domain:
     priority        => $priority,
     ip              => $ip,
+    proxy_4to6_ip   => $proxy_4to6_ip,
     serveraliases   => $aliases,
     docroot         => $docroot,
     docroot_owner   => $docroot_owner,
--- a/modules/website/manifests/https/redir.pp	Sat Feb 15 20:11:23 2020 +0000
+++ b/modules/website/manifests/https/redir.pp	Sun Feb 16 12:07:35 2020 +0000
@@ -3,6 +3,7 @@
 define website::https::redir(
     $docroot            = undef,
     $ip                 = $website::primary_ip,
+    $proxy_4to6_ip      = undef,
     $redir,
     $ssl_cert           = undef,
     $ssl_key            = undef,
@@ -141,9 +142,9 @@
   }
 
 
-  if ($website::proxy_6to4_ip != undef) {
+  if ($proxy_4to6_ip != undef) {
     apache::vhost { "$name-PROXY":
-      ip              => $website::proxy_6to4_ip,
+      ip              => $proxy_4to6_ip,
       port            => '443',
       docroot         => $siteroot,
       docroot_owner   => $owner,
@@ -167,7 +168,7 @@
 
     apache::vhost { "${name}-80-PROXY":
       servername => $name,
-      ip => $website::proxy_6to4_ip,
+      ip => $proxy_4to6_ip,
       port => 80,
       docroot => $siteroot,
       docroot_owner   => $owner,
--- a/modules/website/manifests/init.pp	Sat Feb 15 20:11:23 2020 +0000
+++ b/modules/website/manifests/init.pp	Sun Feb 16 12:07:35 2020 +0000
@@ -2,8 +2,10 @@
   Pattern[/^(\/[^\/]+)*$/] $base_dir,
   Pattern[/^(\/[^\/]+)*$/] $cert_dir           = '/etc/pki/custom',
   Stdlib::IP::Address $primary_ip,
-  Stdlib::IP::Address::V6 $proxy_6to4_ip = undef,
-  Array[Stdlib::IP::Address::V6]  $proxy_upstream = undef,
+  Stdlib::IP::Address::V6 $proxy_4to6_ip_prefix = undef,
+  Optional[Integer] $proxy_4to6_mask = undef,
+  Array[Stdlib::IP::Address::V6] $proxy_4to6_addresses = [],
+  Array $proxy_upstream = undef,
   String $default_owner,
   String $default_group,
   String $default_tld        = 'com',
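Review bot: `Array $proxy_upstream = undef` drops the element type the old `Array[Stdlib::IP::Address::V6]` enforced, and these values become firewall `source` entries, so a typo now passes compilation and reaches the rule. It was presumably loosened because nodes.pp passes the hostname `proxy.mythic-beasts.com`; `Array[Variant[Stdlib::IP::Address, Stdlib::Fqdn]] $proxy_upstream = []` keeps that working while rejecting junk (the `undef` default does not match `Array` either, hence `[]`). Separately, `$proxy_4to6_ip_prefix` is typed as a complete V6 address but the class appends `:0000` to it, so a value with eight explicit groups and no `::` would produce a nine-group string; a comment on that line, `# Must contain a '::' run so a trailing hextet can be appended (prefix:0000/mask is built below)`, would save the next person a confusing error. Hostnames in the allow rule are also resolved when the rule is inserted rather than per packet, as far as I know of the firewall module, which is worth a comment if the upstream name can change.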
@@ -125,25 +127,27 @@
     proto => tcp,
     action => accept,
   }
-  if ($proxy_6to4_ip != undef) and ($proxy_upstream != undef) {
+  if ($proxy_4to6_ip_prefix != undef) and ($proxy_upstream != undef) {
+    $ipv6_secondaries = join($proxy_4to6_addresses, " ")
     augeas {'/etc/sysconfig/network-scripts/ifcfg-eth0':
       context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0",
-      changes => "set IPV6ADDR_SECONDARIES $proxy_6to4_ip",
+      changes => "set IPV6ADDR_SECONDARIES '$ipv6_secondaries'",
     }
 
     apache::mod { "remoteip": }
+    $proxy_4to6_ip = "$proxy_4to6_ip_prefix:0000/$proxy_4to6_mask"
 
     $proxy_upstream.each |String $upstream_addr| {
       firewall { "100 limit PROXY protocol to upstream $upstream_addr":
         source => $upstream_addr,
-        destination => $proxy_6to4_ip,
+        destination => $proxy_4to6_ip,
         dport => [80, 443],
         proto => tcp,
         action => accept,
       }
     }
     firewall { "101 block all other PROXY protocol access":
-      destination => $proxy_6to4_ip,
+      destination => $proxy_4to6_ip,
       dport => [80, 443],
       proto => tcp,
       action => reject,
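Review bot: `$proxy_4to6_ip = "$proxy_4to6_ip_prefix:0000/$proxy_4to6_mask"` is built whenever a prefix and an upstream are set, but `proxy_4to6_mask` defaults to `undef`, which interpolates as an empty string and yields `...:0000/` as the destination of rules 100 and 101; if those rules fail to apply for that reason the PROXY vhosts are left reachable from any source, which is the wrong way to fail. Fail early instead, before the assignment: `if $proxy_4to6_mask == undef { fail('website: proxy_4to6_mask is required when proxy_4to6_ip_prefix is set') }`. Likewise `$proxy_4to6_addresses` defaults to `[]`, so `IPV6ADDR_SECONDARIES` would be set to an empty quoted string while the per-site vhosts still try to bind to addresses that were never configured; the same guard could require a non-empty list. I'd also write the interpolation as `"${proxy_4to6_ip_prefix}:0000/${proxy_4to6_mask}"` so the `:0000` is unambiguously outside the variable name.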