Update firewalls

This commit is contained in:
albert 2024-08-12 09:06:47 +09:00
parent b3bf50bf88
commit 79e2f05ebb
Signed by: albert
GPG key ID: 3895DD267CA11BA9
2 changed files with 26 additions and 29 deletions


@ -1,4 +1,4 @@
{ ... }: { { pkgs, ... }: {
networking = { networking = {
firewall = { firewall = {
enable = true; enable = true;
@ -50,6 +50,8 @@
}; };
}; };
environment.systemPackages = [ pkgs.cacert ];
services.haproxy = { services.haproxy = {
enable = true; enable = true;
config = '' config = ''
@ -57,23 +59,30 @@
timeout connect 10s timeout connect 10s
timeout client 30s timeout client 30s
timeout server 30s timeout server 30s
maxconn 30000 maxconn 3000
log global log global
frontend http frontend http
mode http mode http
bind :80 bind :80
option forwardfor bind :443 ssl crt /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem
http-request redirect scheme https unless { ssl_fc }
default_backend backend_http default_backend backend_http
backend backend_http
mode http
option forwardfor
option forwarded
server warsaw-ovh-01 10.100.0.2:443 ssl verify required ca-file ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt sni req.hdr(Host)
frontend tcp frontend tcp
mode tcp mode tcp
bind :42420 bind :42420
bind :25565 bind :25565
bind :4443 bind :4443
bind :443 default_backend backend_tcp
option forwardfor backend backend_tcp
default_backend backend_tcp mode tcp
server warsaw-ovh-01 10.100.0.2
frontend mail frontend mail
mode tcp mode tcp
@ -84,24 +93,9 @@
bind :993 bind :993
bind :4190 bind :4190
default_backend backend_mail default_backend backend_mail
backend backend_mail backend backend_mail
mode tcp mode tcp
option forwarded
option forwardfor if-none
server mailserver-wg 10.100.1.3 server mailserver-wg 10.100.1.3
backend backend_tcp
mode tcp
option forwarded
option forwardfor if-none
server warsaw-ovh-01 10.100.0.2
backend backend_http
mode http
option forwarded
option forwardfor if-none
server warsaw-ovh-01 10.100.0.2
''; '';
}; };
} }
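Review bot: The new `server warsaw-ovh-01 10.100.0.2:443 ssl verify required ... sni req.hdr(Host)` line in backend_http feeds the client-controlled Host header to the upstream TLS handshake unmodified, and because no `verifyhost` is set HAProxy checks the upstream certificate against that SNI value, so any request with an unexpected Host (a probe for another name, or a `host:port` form, which is sent as SNI verbatim) makes the re-encrypt handshake fail and the frontend return a 503 instead of being rejected cleanly. Normalize the value and restrict it to the names the upstream certificate actually covers, e.g. `http-request deny unless { req.hdr(Host),field(1,:),lower -m end .sysctl.io }` in frontend http and `sni req.hdr(Host),field(1,:),lower` on the server line, or pin the check with `verifyhost` to the upstream's real certificate name instead of trusting whatever the client sends. Note also that `verify required` with the full `ca-bundle.crt` trusts every public CA for the 10.100.0.2 hop; if the upstream certificate is the same Let's Encrypt wildcard this is fine, but a narrower `ca-file` would tighten it. The `environment.systemPackages = [ pkgs.cacert ]` addition appears redundant, since interpolating `${pkgs.cacert}` into the config already pulls the package into the closure. The edited haproxy `config = ''...''` string spans several hunks of this file section, so the frontend/backend pairing above is inferred from the visible lines only.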


@ -1,4 +1,4 @@
{ ... }: { { pkgs, ... }: {
networking = { networking = {
firewall = { firewall = {
enable = true; enable = true;
@ -50,6 +50,8 @@
}; };
}; };
environment.systemPackages = [ pkgs.cacert ];
services.haproxy = { services.haproxy = {
enable = true; enable = true;
config = '' config = ''
@ -65,11 +67,12 @@
bind :80 bind :80
bind :443 ssl crt /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem bind :443 ssl crt /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem
http-request redirect scheme https unless { ssl_fc } http-request redirect scheme https unless { ssl_fc }
option forwardfor
default_backend backend_http default_backend backend_http
backend backend_http backend backend_http
mode http mode http
server framework-server 10.100.0.2:443 ssl verify required ca-file @system-ca option forwardfor
option forwarded
server framework-server 10.100.0.2:443 ssl verify required ca-file ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt sni req.hdr(Host)
frontend tcp frontend tcp
mode tcp mode tcp