websites/proxy: Add reverse proxy configuration

For some time, I have been trying to design a new configuration for the reverse proxy on port 443 to correctly handle all the types of traffic on that port. In the original implementation, all traffic on port 443 was forwarded by the gateway to HAProxy. HAproxy then used TLS SNI to route connections to the correct backend server based the requested host name. This allowed both HTTPS and OpenVPN-over-TLS to use the same port, however it was not without issues. A layer 4 (TCP) proxy like this "hides" the real source address of clients connecting to the backend, which makes IP-based security (e.g. rate limiting, blacklists, etc.) impossible at the application level. In particular, Nextcloud, which implements rate limiting was constantly imposing login delays on all users, because legitimate traffic was indistinguishable from Internet background noise. To alleviate these issues, I needed to change the proxy to operate in layer 7 (HTTP) mode, so that headers like *X-Forwarded-For* and *X-Forwarded-Host* could be added. Unfortunately, this was not easy, because of the simultaneous requirement to forward OpenVPN traffic. HAProxy can only do SNI inspection in TCP mode. So, I began looking for an alternate way to proxy both HTTP and non-HTTP traffic on the same port. The HTTP protocol defines the `CONNECT` method, which is used by forward proxies to tunnel HTTPS over plain HTTP. OpenVPN clients support tunneling OpenVPN over HTTP using this method as well. HAProxy has limited support for the CONNECT method (i.e. it doesn't do DNS resolution, and I could find no way of restricting the destination) with the `http_proxy` option, so I looked for alternate proxy servers that had more complete support. Unsurprisingly, Apache HTTPD has the most complete implementation of the `CONNECT` method (Nginx doesn't support it at all). Using a name-based virtual host on port 443, Apache will accept requests for *vpn.pyrocufflink.net* (using TLS SNI) and allow the clients to use the `CONNECT` method to create a tunnel to the OpenVPN server. This requires OpenVPN clients to a) use *stunnel* to wrap plain HTTP proxy connections in TLS and b) configure OpenVPN to use the TLS-wrapped HTTP proxy. With Apache accepting all incoming connections, it was trivial to also configure it as a layer 7 forward proxy for Bitwarden, Gitea, Jenkins, and Nextcloud. Unfortunately, proxying for the other websites (darkchestofwonders.us, chmod777.sh, dustin.hatch.name) was not quite as straightforward. These websites would need to have an internal name that differed from their external name, and thus a certificate valid for that name. Rather than reconfigure all of these sites and set all of that up, I decided to just move the responsibility for handling direct connections from outside to the *web0* and eliminate the dedicated reverse proxy. This was not possible before, because Apache could not forward the OpenVPN traffic directly, but now with the forward proxy configuration, there is no reason to have a separate server for these connections. Overall, I am pleased with how this turned out. It makes the OpenVPN configuration simpler (*stunnel* no longer needs to run on the OpenVPN server itself, since Apache is handling TLS termination), eliminates a network hop for the websites, makes the reverse proxy configuration for the other web applications much easier to understand, and resolves the original issue of losing client connection information.
2020-03-15 17:23:06 -05:00 · 2020-03-15 17:23:06 -05:00 · e4ecd5d58a
parent 1de8e9fa90
commit e4ecd5d58a
11 changed files with 127 additions and 0 deletions
--- a/roles/websites/proxy-bitwarden/tasks/main.yml
+++ b/roles/websites/proxy-bitwarden/tasks/main.yml
@ -0,0 +1,6 @@
+- name: ensure apache is configured to proxy for bitwarden
+  template:
+    src: bitwarden.httpd.conf.j2
+    dest: /etc/httpd/conf.d/bitwarden.conf
+    mode: '0644'
+  notify: reload httpd
--- a/roles/websites/proxy-bitwarden/templates/bitwarden.httpd.conf.j2
+++ b/roles/websites/proxy-bitwarden/templates/bitwarden.httpd.conf.j2
@ -0,0 +1,13 @@
+<VirtualHost *:443>
+ServerName bitwarden.pyrocufflink.blue
+ServerAlias bitwarden.pyrocufflink.net
+
+Include conf.d/ssl.include
+SSLCertificateFile /etc/pki/tls/certs/pyrocufflink.net.cer
+SSLCertificateKeyFile /etc/pki/tls/private/pyrocufflink.net.key
+
+SSLProxyEngine On
+ProxyRequests Off
+ProxyPass / https://bitwarden.pyrocufflink.blue/
+ProxyPassReverse / https://bitwarden.pyrocufflink.blue/
+</VirtualHost>
--- a/roles/websites/proxy-gitea/tasks/main.yml
+++ b/roles/websites/proxy-gitea/tasks/main.yml
@ -0,0 +1,6 @@
+- name: ensure apache is configured to proxy for gitea
+  template:
+    src: gitea.httpd.conf.j2
+    dest: /etc/httpd/conf.d/gitea.conf
+    mode: '0644'
+  notify: reload httpd
--- a/roles/websites/proxy-gitea/templates/gitea.httpd.conf.j2
+++ b/roles/websites/proxy-gitea/templates/gitea.httpd.conf.j2
@ -0,0 +1,13 @@
+<VirtualHost *:443>
+ServerName git.pyrocufflink.blue
+ServerAlias git.pyrocufflink.net
+
+Include conf.d/ssl.include
+SSLCertificateFile /etc/pki/tls/certs/pyrocufflink.net.cer
+SSLCertificateKeyFile /etc/pki/tls/private/pyrocufflink.net.key
+
+SSLProxyEngine On
+ProxyRequests Off
+ProxyPass / https://git.pyrocufflink.blue/
+ProxyPassReverse / https://git.pyrocufflink.blue/
+</VirtualHost>
--- a/roles/websites/proxy-jenkins/tasks/main.yml
+++ b/roles/websites/proxy-jenkins/tasks/main.yml
@ -0,0 +1,6 @@
+- name: ensure apache is configured to proxy for jenkins
+  template:
+    src: jenkins.httpd.conf.j2
+    dest: /etc/httpd/conf.d/jenkins.conf
+    mode: '0644'
+  notify: reload httpd
--- a/roles/websites/proxy-jenkins/templates/jenkins.httpd.conf.j2
+++ b/roles/websites/proxy-jenkins/templates/jenkins.httpd.conf.j2
@ -0,0 +1,13 @@
+<VirtualHost *:443>
+ServerName jenkins.pyrocufflink.blue
+ServerAlias jenkins.pyrocufflink.net
+
+Include conf.d/ssl.include
+SSLCertificateFile /etc/pki/tls/certs/pyrocufflink.net.cer
+SSLCertificateKeyFile /etc/pki/tls/private/pyrocufflink.net.key
+
+SSLProxyEngine On
+ProxyRequests Off
+ProxyPass / https://jenkins.pyrocufflink.blue/
+ProxyPassReverse / https://jenkins.pyrocufflink.blue/
+</VirtualHost>
--- a/roles/websites/proxy-nextcloud/tasks/main.yml
+++ b/roles/websites/proxy-nextcloud/tasks/main.yml
@ -0,0 +1,6 @@
+- name: ensure apache is configured to proxy for nextcloud
+  template:
+    src: nextcloud.httpd.conf.j2
+    dest: /etc/httpd/conf.d/nextcloud.conf
+    mode: '0644'
+  notify: reload httpd
--- a/roles/websites/proxy-nextcloud/templates/nextcloud.httpd.conf.j2
+++ b/roles/websites/proxy-nextcloud/templates/nextcloud.httpd.conf.j2
@ -0,0 +1,13 @@
+<VirtualHost *:443>
+ServerName nextcloud.pyrocufflink.blue
+ServerAlias nextcloud.pyrocufflink.net
+
+Include conf.d/ssl.include
+SSLCertificateFile /etc/pki/tls/certs/pyrocufflink.net.cer
+SSLCertificateKeyFile /etc/pki/tls/private/pyrocufflink.net.key
+
+SSLProxyEngine On
+ProxyRequests Off
+ProxyPass / https://cloud0.pyrocufflink.blue/
+ProxyPassReverse / https://cloud0.pyrocufflink.blue/
+</VirtualHost>
--- a/roles/websites/proxy-openvpn/tasks/main.yml
+++ b/roles/websites/proxy-openvpn/tasks/main.yml
@ -0,0 +1,6 @@
+- name: ensure apache is configured to proxy for openvpn
+  template:
+    src: openvpn.httpd.conf.j2
+    dest: /etc/httpd/conf.d/openvpn.conf
+    mode: '0644'
+  notify: reload httpd
--- a/roles/websites/proxy-openvpn/templates/openvpn.httpd.conf.j2
+++ b/roles/websites/proxy-openvpn/templates/openvpn.httpd.conf.j2
@ -0,0 +1,19 @@
+<VirtualHost *:443>
+ServerName vpn.pyrocufflink.net
+
+Include conf.d/ssl.include
+SSLCertificateKeyFile /etc/pki/tls/private/pyrocufflink.net.key
+SSLCertificateFile /etc/pki/tls/certs/pyrocufflink.net.cer
+
+<Location />
+    Require all denied
+</Location>
+ProxyRequests On
+AllowCONNECT 1194
+<Proxy "*">
+    Require all denied
+</Proxy>
+<Proxy "vpn.pyrocufflink.net:1194">
+    Require ip 74.122.204.67
+</Proxy>
+</VirtualHost>
--- a/websites.yml
+++ b/websites.yml
@ -11,6 +11,12 @@
      cert_key_dest: /etc/pki/tls/private/pyrocufflink.net.key
    tags:
    - websites/pyrocufflink.net
+    - websites/proxy
+    - websites/proxy-bitwarden
+    - websites/proxy-gitea
+    - websites/proxy-jenkins
+    - websites/proxy-nextcloud
+    - websites/proxy-openvpn
  - role: websites/pyrocufflink.net
    tags: websites/pyrocufflink.net
  - role: websites/dustin.hatch.name
@ -29,6 +35,26 @@
    tags: websites/chmod777.sh
  - role: websites/chmod777.sh
    tags: websites/chmod777.sh
+  - role: websites/proxy-bitwarden
+    tags:
+    - websites/proxy
+    - websites/proxy-bitwarden
+  - role: websites/proxy-gitea
+    tags:
+    - websites/proxy
+    - websites/proxy-gitea
+  - role: websites/proxy-jenkins
+    tags:
+    - websites/proxy
+    - websites/proxy-jenkins
+  - role: websites/proxy-nextcloud
+    tags:
+    - websites/proxy
+    - websites/proxy-nextcloud
+  - role: websites/proxy-openvpn
+    tags:
+    - websites/proxy
+    - websites/proxy-openvpn
  tasks:
  - name: ensure httpd service is running
    service: