HAProxy as an ingress proxy

6 months ago · c4b180a7f0
parent ef430a5ccf
commit c4b180a7f0
3 changed files with 83 additions and 1 deletions
--- a/flake.nix
+++ b/flake.nix
@ -49,6 +49,7 @@

          ./hosts/nyx/include/acme.nix
          ./hosts/nyx/include/nginx.nix
+          ./hosts/nyx/include/haproxy.nix
          ./hosts/nyx/include/services.nix
          ./hosts/nyx/include/proxy.nix
          ./hosts/nyx/include/seance.nix
--- a/hosts/nyx/include/haproxy.nix
+++ b/hosts/nyx/include/haproxy.nix
@ -0,0 +1,70 @@
+{ config, pkgs, ...}: {
+  services.haproxy.enable = true;
+
+  services.haproxy.config = ''
+    global
+      log 127.0.0.1 local0 info
+      maxconn 2000
+
+      stats socket /run/haproxy/stats.sock mode 666 level user
+      stats timeout 30s
+
+      # from https://ssl-config.mozilla.org
+      ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+      ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+      ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+      ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+      ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+      ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+      ssl-dh-param-file /etc/dhparam
+
+    defaults
+      log global
+      mode http
+      option dontlognull
+      retries 3
+      option redispatch
+      timeout connect 50000000
+      timeout client 10000000
+      timeout server 10000000
+      option http-keep-alive
+      balance roundrobin
+
+    frontend tls-in
+      bind 104.168.211.198:443 interface ens3
+      mode tcp
+
+      tcp-request inspect-delay 5s
+      tcp-request content accept if { req.ssl_hello_type 1 }
+
+      acl sni_irc req.ssl_sni -i -m end .irc.tempest.dev
+      use_backend calico if sni_irc
+
+      default_backend http-pass
+
+    backend calico
+      mode tcp
+      server calico 127.0.0.1:6697
+
+    backend http-pass
+      mode tcp
+      server local-http 127.0.0.1:443 send-proxy-v2
+  '';
+
+  environment.etc = {
+    dhparam = {
+      text = ''
+        -----BEGIN DH PARAMETERS-----
+        MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+        +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+        87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+        YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+        7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+        ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+        -----END DH PARAMETERS-----
+      '';
+      mode = "0400";
+      user = "haproxy";
+    };
+  };
+}
--- a/hosts/nyx/include/nginx.nix
+++ b/hosts/nyx/include/nginx.nix
@ -1,8 +1,19 @@
 { config, pkgs, ...}: {
  services.nginx.enable = true;
-  services.nginx.defaultListenAddresses = [ "104.168.211.198" ];
+  services.nginx.defaultListen = [{
+    addr = "127.0.0.1";
+    port = 443;
+    ssl = true;
+    proxyProtocol = true;
+  }{
+    addr = "0.0.0.0";
+    port = 80;
+    ssl = false;
+  }];
  services.nginx.recommendedProxySettings = true;
  services.nginx.appendHttpConfig = ''
+    set_real_ip_from 127.0.0.1;
+    real_ip_header proxy_protocol;
    types {
      text/plain wat;
      text/plain glsl;