Update firewalls
This commit is contained in:
parent
b3bf50bf88
commit
79e2f05ebb
2 changed files with 26 additions and 29 deletions
|
@ -1,4 +1,4 @@
|
||||||
{ ... }: {
|
{ pkgs, ... }: {
|
||||||
networking = {
|
networking = {
|
||||||
firewall = {
|
firewall = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -50,6 +50,8 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
environment.systemPackages = [ pkgs.cacert ];
|
||||||
|
|
||||||
services.haproxy = {
|
services.haproxy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
config = ''
|
config = ''
|
||||||
|
@ -57,23 +59,30 @@
|
||||||
timeout connect 10s
|
timeout connect 10s
|
||||||
timeout client 30s
|
timeout client 30s
|
||||||
timeout server 30s
|
timeout server 30s
|
||||||
maxconn 30000
|
maxconn 3000
|
||||||
log global
|
log global
|
||||||
|
|
||||||
frontend http
|
frontend http
|
||||||
mode http
|
mode http
|
||||||
bind :80
|
bind :80
|
||||||
option forwardfor
|
bind :443 ssl crt /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem
|
||||||
|
http-request redirect scheme https unless { ssl_fc }
|
||||||
default_backend backend_http
|
default_backend backend_http
|
||||||
|
backend backend_http
|
||||||
|
mode http
|
||||||
|
option forwardfor
|
||||||
|
option forwarded
|
||||||
|
server warsaw-ovh-01 10.100.0.2:443 ssl verify required ca-file ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt sni req.hdr(Host)
|
||||||
|
|
||||||
frontend tcp
|
frontend tcp
|
||||||
mode tcp
|
mode tcp
|
||||||
bind :42420
|
bind :42420
|
||||||
bind :25565
|
bind :25565
|
||||||
bind :4443
|
bind :4443
|
||||||
bind :443
|
default_backend backend_tcp
|
||||||
option forwardfor
|
backend backend_tcp
|
||||||
default_backend backend_tcp
|
mode tcp
|
||||||
|
server warsaw-ovh-01 10.100.0.2
|
||||||
|
|
||||||
frontend mail
|
frontend mail
|
||||||
mode tcp
|
mode tcp
|
||||||
|
@ -84,24 +93,9 @@
|
||||||
bind :993
|
bind :993
|
||||||
bind :4190
|
bind :4190
|
||||||
default_backend backend_mail
|
default_backend backend_mail
|
||||||
|
|
||||||
backend backend_mail
|
backend backend_mail
|
||||||
mode tcp
|
mode tcp
|
||||||
option forwarded
|
|
||||||
option forwardfor if-none
|
|
||||||
server mailserver-wg 10.100.1.3
|
server mailserver-wg 10.100.1.3
|
||||||
|
|
||||||
backend backend_tcp
|
|
||||||
mode tcp
|
|
||||||
option forwarded
|
|
||||||
option forwardfor if-none
|
|
||||||
server warsaw-ovh-01 10.100.0.2
|
|
||||||
|
|
||||||
backend backend_http
|
|
||||||
mode http
|
|
||||||
option forwarded
|
|
||||||
option forwardfor if-none
|
|
||||||
server warsaw-ovh-01 10.100.0.2
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ ... }: {
|
{ pkgs, ... }: {
|
||||||
networking = {
|
networking = {
|
||||||
firewall = {
|
firewall = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -50,6 +50,8 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
environment.systemPackages = [ pkgs.cacert ];
|
||||||
|
|
||||||
services.haproxy = {
|
services.haproxy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
config = ''
|
config = ''
|
||||||
|
@ -65,11 +67,12 @@
|
||||||
bind :80
|
bind :80
|
||||||
bind :443 ssl crt /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem
|
bind :443 ssl crt /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem
|
||||||
http-request redirect scheme https unless { ssl_fc }
|
http-request redirect scheme https unless { ssl_fc }
|
||||||
option forwardfor
|
|
||||||
default_backend backend_http
|
default_backend backend_http
|
||||||
backend backend_http
|
backend backend_http
|
||||||
mode http
|
mode http
|
||||||
server framework-server 10.100.0.2:443 ssl verify required ca-file @system-ca
|
option forwardfor
|
||||||
|
option forwarded
|
||||||
|
server framework-server 10.100.0.2:443 ssl verify required ca-file ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt sni req.hdr(Host)
|
||||||
|
|
||||||
frontend tcp
|
frontend tcp
|
||||||
mode tcp
|
mode tcp
|
||||||
|
|
Loading…
Reference in a new issue