Web proxy: Add host01.

ba92a6a1 · nimrod · e245c8e1 · ba92a6a1 · ba92a6a1 · ba92a6a1
Commit ba92a6a1 authored 2 years ago by nimrod
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -63,14 +63,14 @@ web-proxy ns4 build:
  tags: ["ns4.shore.co.il"]
  variables:
    WORKDIR: Compose/web-proxy/ns4
-  # rules: *compose-rules
+  rules: *compose-rules
 web-proxy ns4 pull:
  extends: .compose-pull
  tags: ["ns4.shore.co.il"]
  variables:
    WORKDIR: Compose/web-proxy/ns4
-  # rules: *compose-rules
+  rules: *compose-rules
 web-proxy ns4 run:
  extends: .compose-run
@@ -78,4 +78,26 @@ web-proxy ns4 run:
  variables:
    WORKDIR: Compose/web-proxy/ns4
  when: manual
+  rules: *compose-rules
+web-proxy host01 build:
+  extends: .compose-build
+  tags: ["host01.shore.co.il"]
+  variables:
+    WORKDIR: Compose/web-proxy/host01
+  # rules: *compose-rules
+web-proxy host01 pull:
+  extends: .compose-pull
+  tags: ["host01.shore.co.il"]
+  variables:
+    WORKDIR: Compose/web-proxy/host01
+  # rules: *compose-rules
+web-proxy host01 run:
+  extends: .compose-run
+  tags: ["host01.shore.co.il"]
+  variables:
+    WORKDIR: Compose/web-proxy/host01
+  when: manual
  # rules: *compose-rules
--- a/Compose/web-proxy/host01/.dockerignore
+++ b/Compose/web-proxy/host01/.dockerignore
+*
+!conf.d/
+!www/
+!snippets/
--- a/Compose/web-proxy/host01/.env
+++ b/Compose/web-proxy/host01/.env
+COMPOSE_PROJECT_NAME=web-proxy
--- a/Compose/web-proxy/host01/Dockerfile
+++ b/Compose/web-proxy/host01/Dockerfile
+# hadolint ignore=DL3006
+FROM registry.shore.co.il/nginx
+USER root
+RUN cp --archive /var/ssl/site.key /var/ssl/mail.key && \
+    cp --archive /var/ssl/site.crt /var/ssl/mail.crt
+USER nginx
+COPY --chown=root:root www/ /var/www/
+COPY --chown=root:root conf.d/ /etc/nginx/conf.d/
+COPY --chown=root:root snippets/ /etc/nginx/snippets/
+RUN nginx -t
--- a/Compose/web-proxy/host01/conf.d/auth.shore.co.il.conf
+++ b/Compose/web-proxy/host01/conf.d/auth.shore.co.il.conf
+# vim: ft=nginx
+map $host $auth { default auth; }
+limit_req_zone $binary_remote_addr zone=ldap_auth:2m rate=2r/s;
+limit_req_status 429;
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name auth.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name auth.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-modern.conf;
+    location / {
+        proxy_pass              http://$auth:8080$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        include                 snippets/allow-shore-ips.conf;
+        limit_req               zone=ldap_auth burst=10 delay=2;
+    }
+}
--- a/Compose/web-proxy/host01/conf.d/code.shore.co.il.conf
+++ b/Compose/web-proxy/host01/conf.d/code.shore.co.il.conf
+# vim: ft=nginx
+map $host $code { default code; }
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name code.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name code.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-modern.conf;
+    # The following was copied (and modified) from
+    # https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html#reverse-proxy-with-nginx-webserver.
+    # static files
+    location ^~ /browser {
+        proxy_pass              http://$code:9980$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        proxy_hide_header       X-Frame-Options;
+    }
+    # WOPI discovery URL
+    location ^~ /hosting/discovery {
+        proxy_pass              http://$code:9980$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+    }
+    # Capabilities
+    location ^~ /hosting/capabilities {
+        proxy_pass              http://$code:9980$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+    }
+    # main websocket
+    location ~ ^/cool/(.*)/ws$ {
+        proxy_pass              http://$code:9980$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        include                 snippets/websockets.conf;
+    }
+    # download, presentation and image upload
+    location ~ ^/(c|l)ool {
+        proxy_pass              http://$code:9980$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+    }
+    # Admin Console websocket
+    location ^~ /cool/adminws {
+        proxy_pass              http://$code:9980$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        include                 snippets/websockets.conf;
+    }
+}
--- a/Compose/web-proxy/host01/conf.d/git.shore.co.il.conf
+++ b/Compose/web-proxy/host01/conf.d/git.shore.co.il.conf
+# vim: ft=nginx
+map $host $git { default gitlab; }
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name git.shore.co.il;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name git.shore.co.il;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-modern.conf;
+    location / {
+        proxy_pass              http://$git$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        proxy_set_header        X-Forwarded-Ssl on;
+        client_max_body_size    512m;
+    }
+}
--- a/Compose/web-proxy/host01/conf.d/lam.shore.co.il.conf
+++ b/Compose/web-proxy/host01/conf.d/lam.shore.co.il.conf
+# vim: ft=nginx
+map $host $lam { default ldap-account-manager; }
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name lam.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name lam.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-modern.conf;
+    location / {
+        proxy_pass              http://$lam$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        proxy_hide_header       X-Frame-Options;
+        include                 snippets/allow-private-ips.conf;
+    }
+}
--- a/Compose/web-proxy/host01/conf.d/mail.shore.co.il.conf
+++ b/Compose/web-proxy/host01/conf.d/mail.shore.co.il.conf
+# vim: ft=nginx
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name imap.shore.co.il smtp.shore.co.il mta-sts.shore.co.il mta-sts.nehe.sr;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+}
+server {
+    listen                      443 ssl http2;
+    listen                      [::]:443 ssl http2;
+    server_name                 mta-sts.shore.co.il mta-sts.nehe.sr;
+    root                        /var/www/mail.shore.co.il/;
+    include                     snippets/robots-disallow-all.conf;
+    include                     snippets/ads-txt.conf;
+    include                     snippets/security-txt.conf;
+    # Copied from snippetes/ssl.conf.
+    add_header                  Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+    add_header                  Expect-CT "max-age=86400, enforce, report-uri=\"https://www.shore.co.il/about\"";
+    include                     snippets/common-headers.conf;
+    ssl_certificate             /var/ssl/mail.crt;
+    ssl_certificate_key         /var/ssl/mail.key;
+    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_ciphers                 !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1;
+    ssl_prefer_server_ciphers   on;
+    ssl_session_cache           shared:SSL:50m;
+    ssl_session_timeout         5m;
+    ssl_stapling                on;
+    ssl_stapling_verify         on;
+    ssl_trusted_certificate     /etc/ssl/ocsp.pem;
+}
--- a/Compose/web-proxy/host01/conf.d/nextcloud.shore.co.il.conf
+++ b/Compose/web-proxy/host01/conf.d/nextcloud.shore.co.il.conf
+# vim: ft=nginx
+map $host $nextcloud { default nextcloud; }
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name nextcloud.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name nextcloud.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-modern.conf;
+    include     snippets/nextcloud-well-known.conf;
+    location / {
+        proxy_pass              http://$nextcloud$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        proxy_hide_header       X-Frame-Options;
+        client_max_body_size    512m;
+    }
+}
--- a/Compose/web-proxy/host01/conf.d/notify.shore.co.il.conf
+++ b/Compose/web-proxy/host01/conf.d/notify.shore.co.il.conf
+# vim: ft=nginx
+map $host $notify { default notifier; }
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name notify.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name notify.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-legacy.conf;
+    location / {
+        proxy_pass              http://$notify:8080$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+    }
+}
--- a/Compose/web-proxy/host01/conf.d/sogo.shore.co.il.conf
+++ b/Compose/web-proxy/host01/conf.d/sogo.shore.co.il.conf
+# vim: ft=nginx
+map $host $sogo { default sogo; }
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name sogo.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name sogo.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-modern.conf;
+    location    /       { return 301 https://$host/SOGo/; }
+    location    /SOGo   { return 301 https://$host/SOGo/; }
+    location /SOGo/ {
+        proxy_pass              http://$sogo:20000$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        proxy_hide_header       X-Frame-Options;
+        include                 snippets/allow-private-ips.conf;
+        # Copied from http://wiki.sogo.nu/nginxSettings
+        proxy_set_header        x-webobjects-server-protocol HTTP/1.1;
+        proxy_set_header        x-webobjects-remote-host $sogo;
+        proxy_set_header        x-webobjects-server-name $server_name;
+        proxy_set_header        x-webobjects-server-url $scheme://$host;
+        proxy_set_header        x-webobjects-server-port $server_port;
+    }
+}
--- a/Compose/web-proxy/host01/conf.d/vouch.shore.co.il.conf
+++ b/Compose/web-proxy/host01/conf.d/vouch.shore.co.il.conf
+# vim: ft=nginx
+# The $vouch variable is defined in global.conf, it's needed by other servers
+# and deployments.
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name vouch.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name vouch.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-modern.conf;
+    location / {
+        proxy_pass              http://$vouch:9090;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+    }
+}
--- a/Compose/web-proxy/host01/conf.d/zpush.shore.co.il.conf
+++ b/Compose/web-proxy/host01/conf.d/zpush.shore.co.il.conf
+# vim: ft=nginx
+map $host $zpush { default z-push; }
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name zpush.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name zpush.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-legacy.conf;
+    location / {
+        proxy_pass              http://$zpush;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+    }
+}
--- a/Compose/web-proxy/host01/docker-compose.yml
+++ b/Compose/web-proxy/host01/docker-compose.yml
+---
+version: '3.5'
+services:
+  proxy:
+    build:
+      context: ./
+    # command: ["nginx", "-g", "daemon off;"]
+    hostname: &hostname nextcloud.shore.co.il
+    networks:
+      default:
+        aliases:
+          - *hostname
+          - code.shore.co.il
+          - elasticsearch.shore.co.il
+          - git.shore.co.il
+          - kibana.shore.co.il
+          - lam.shore.co.il
+          - mta-sts.shore.co.il
+          - sogo.shore.co.il
+          - vouch.shore.co.il
+          - zpush.shore.co.il
+    ports:
+      - '80:80'
+      - '443:443'
+    restart: always
+    volumes:
+      - '/var/www/www.shore.co.il/.well-known/acme-challenge:/var/www/www.shore.co.il/.well-known/acme-challenge:ro'
+      - '/var/ssl/site.key:/var/ssl/site.key:ro'
+      - '/var/ssl/site.crt:/var/ssl/site.crt:ro'
+      - '/var/ssl/mail.key:/var/ssl/mail.key:ro'
+      - '/var/ssl/mail.crt:/var/ssl/mail.crt:ro'
+      - '/var/ssl/dhparams:/var/ssl/dhparams:ro'
+  vouch:
+    environment:
+      OAUTH_AUTH_URL: https://nextcloud.shore.co.il/apps/oauth2/authorize
+      OAUTH_CALLBACK_URLS: https://vouch.shore.co.il/auth
+      OAUTH_CLIENT_ID: "${VOUCH_OAUTH_CLIENT_ID}"
+      # yamllint disable-line rule:line-length
+      OAUTH_CLIENT_SECRET: "${VOUCH_OAUTH_CLIENT_SECRET}"  # pragma: allowlist secret
+      OAUTH_PROVIDER: nextcloud
+      OAUTH_SCOPES: 'openid,email.profile'
+      OAUTH_TOKEN_URL: https://nextcloud.shore.co.il/apps/oauth2/api/v1/token
+      # yamllint disable-line rule:line-length
+      OAUTH_USER_INFO_URL: https://nextcloud.shore.co.il/ocs/v2.php/cloud/user?format=json
+      VOUCH_DOMAINS: shore.co.il
+      VOUCH_JWT_MAXAGE: 10080  # 1 week.
+      VOUCH_JWT_SECRET: "${VOUCH_JWT_SECRET}"  # pragma: allowlist secret
+    image: quay.io/vouch/vouch-proxy:alpine-0.36.0
+    restart: always
+networks:
+  default:
+    name: shore
--- a/Compose/web-proxy/host01/snippets/nextcloud-well-known.conf
+++ b/Compose/web-proxy/host01/snippets/nextcloud-well-known.conf
+location /.well-known/caldav {
+    return  301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+location /.well-known/carddav {
+    return  301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+location /.well-known/webfinger {
+    return  301 https://nextcloud.shore.co.il/public.php?service=webfinger;
+}
--- a/Compose/web-proxy/host01/www/mail.shore.co.il/.well-known/mta-sts.txt
+++ b/Compose/web-proxy/host01/www/mail.shore.co.il/.well-known/mta-sts.txt
+version: STSv1
+mode: testing
+mx: smtp.shore.co.il
+max_age: 86400