fix(sniproxy): outside/inside of infra, the ingress IPs are different
In my infrastructure, the source node is 99::1, outside of my infra, it's ::1. All of this machinery was never really meant to be used on this scale, so oopsie. We should build our own sniproxy at some point. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This commit is contained in:
parent
1b22c1f0ae
commit
c969625b0f
|
@ -1,9 +1,10 @@
|
|||
# This enables an IPv6-only server which is proxied by kurisu.lahfa.xyz to have proper IPv4 logs via PROXY protocol.
|
||||
{ config, lib, ... }:
|
||||
let
|
||||
inherit (lib) mkEnableOption mkIf;
|
||||
inherit (lib) mkEnableOption mkIf concatStringsSep;
|
||||
cfg = config.bagel.raito.v6-proxy-awareness;
|
||||
allowedUpstream = "2001:bc8:38ee:99::1/128";
|
||||
# outside of raito infra inside of raito infra
|
||||
allowedUpstreams = [ "2001:bc8:38ee::1/128" "2001:bc8:38ee:99::1/128" ];
|
||||
in
|
||||
{
|
||||
options.bagel.raito.v6-proxy-awareness.enable = mkEnableOption "the kurisu.lahfa.xyz's sniproxy awareness for NGINX";
|
||||
|
@ -20,8 +21,8 @@ in
|
|||
];
|
||||
|
||||
appendHttpConfig = ''
|
||||
# Kurisu node
|
||||
set_real_ip_from ${allowedUpstream};
|
||||
# Kurisu nodes
|
||||
${concatStringsSep "\n" (map (up: "set_real_ip_from ${up};") allowedUpstreams)}
|
||||
real_ip_header proxy_protocol;
|
||||
'';
|
||||
};
|
||||
|
@ -29,7 +30,7 @@ in
|
|||
# Move to nftables if firewall is enabled.
|
||||
networking.nftables.enable = true;
|
||||
networking.firewall.extraInputRules = ''
|
||||
ip6 saddr ${allowedUpstream} tcp dport 444 accept
|
||||
${concatStringsSep "\n" (map (up: "ip6 saddr ${up} tcp dport 444 accept") allowedUpstreams)}
|
||||
'';
|
||||
};
|
||||
}
|
||||
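Review bot: The `allowedUpstreams` list is now the single trust anchor for two separate security decisions — which peers may assert the client address through PROXY protocol (`set_real_ip_from` in the second hunk) and which peers may reach port 444 at all (the nftables rule in the third hunk) — but the comment above it only maps the two entries to inside/outside, so a reader cannot tell that adding an entry both opens the firewall and lets that host put any client IP into the logs. I'd replace the positional comment with one that states the contract, e.g. `# Hosts trusted to send PROXY protocol headers (they can set any client IP) and allowed through the firewall on 444; keep this list minimal.`, and comment each element individually rather than relying on column alignment that is lost outside the editor. Separately, the two `concatStringsSep "\n" (map ...)` expressions repeat the same join; `lib.concatMapStringsSep` expresses it directly, `${concatMapStringsSep "\n" (up: "set_real_ip_from ${up};") allowedUpstreams}`, with `concatMapStringsSep` inherited on the `inherit (lib)` line in place of `concatStringsSep`. The attribute sets enclosing the second and third hunks begin outside those hunks.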