From c969625b0f028fbb8e12c0d4efbac3b7d9d85c34 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Fri, 30 Aug 2024 19:01:44 +0200
Subject: [PATCH] fix(sniproxy): outside/inside of infra, the ingress IPs are different

In my infrastructure, the source node is 99::1, outside of my infra, it's ::1. All of this machinery was never really meant to be used on this scale, so oopsie. We should build our own sniproxy at some point.

Signed-off-by: Raito Bezarius
---
 common/raito-proxy-aware-nginx.nix | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/common/raito-proxy-aware-nginx.nix b/common/raito-proxy-aware-nginx.nix
index 59fb332..beedfef 100644
--- a/common/raito-proxy-aware-nginx.nix
+++ b/common/raito-proxy-aware-nginx.nix
@@ -1,9 +1,10 @@
 # This enables an IPv6-only server which is proxied by kurisu.lahfa.xyz to have proper IPv4 logs via PROXY protocol.
 { config, lib, ... }:
 let
-  inherit (lib) mkEnableOption mkIf;
+  inherit (lib) mkEnableOption mkIf concatStringsSep;
   cfg = config.bagel.raito.v6-proxy-awareness;
-  allowedUpstream = "2001:bc8:38ee:99::1/128";
+  # outside of raito infra inside of raito infra
+  allowedUpstreams = [ "2001:bc8:38ee::1/128" "2001:bc8:38ee:99::1/128" ];
 in
 {
   options.bagel.raito.v6-proxy-awareness.enable = mkEnableOption "the kurisu.lahfa.xyz's sniproxy awareness for NGINX";
@@ -20,8 +21,8 @@ in
       ];
       appendHttpConfig = ''
-        # Kurisu node
-        set_real_ip_from ${allowedUpstream};
+        # Kurisu nodes
+        ${concatStringsSep "\n" (map (up: "set_real_ip_from ${up};") allowedUpstreams)}
         real_ip_header proxy_protocol;
       '';
     };
@@ -29,7 +30,7 @@ in
     # Move to nftables if firewall is enabled.
     networking.nftables.enable = true;
     networking.firewall.extraInputRules = ''
-      ip6 saddr ${allowedUpstream} tcp dport 444 accept
+      ${concatStringsSep "\n" (map (up: "ip6 saddr ${up} tcp dport 444 accept") allowedUpstreams)}
     '';
   };
 }
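Review bot: The new comment `# outside of raito infra inside of raito infra` above `allowedUpstreams` only makes sense when its words happen to line up with the two list elements on the next line, and that alignment is lost as soon as the list is reformatted or a third entry is added. Since these two prefixes are the trust anchor for both the `set_real_ip_from` directives and the nftables accept rule, each entry deserves an explicit label, e.g. `# 2001:bc8:38ee::1 — sniproxy source address as seen from outside raito infra` and `# 2001:bc8:38ee:99::1 — sniproxy source address as seen from inside raito infra`, one comment per element. It would also help to state in that comment that any address added here will be allowed to assert arbitrary client IPs via PROXY protocol, so additions must be deliberate.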
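Review bot: In the `appendHttpConfig` hunk, `concatStringsSep "\n"` is interpolated inside an indented `''` string, so only the first generated `set_real_ip_from` line inherits the string's indentation while the following ones land at column 0 of the rendered nginx config; nginx parses this fine, but the output reads oddly and the same shape recurs in the `extraInputRules` hunk. A small style improvement is to generate the lines with their indentation included and let Nix's `''` stripping handle the rest, e.g. `${concatStringsSep "\n        " (map (up: "set_real_ip_from ${up};") allowedUpstreams)}`, with the matching separator in the nftables hunk. Note also that `real_ip_header proxy_protocol` in the http context applies to every server block, so the address list, not the listener, is what bounds which peers may rewrite the client address; a comment on the `# Kurisu nodes` line saying `# only these sources may set the client address via PROXY protocol; keep in sync with the nftables rule below` would make that coupling explicit.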