diff --git a/MY/hosts.yaml b/MY/hosts.yaml
index ab58a39..7026c6d 100644
--- a/MY/hosts.yaml
+++ b/MY/hosts.yaml
@@ -12,7 +12,8 @@ all_servers:
 hip:
 hosts:
 #france# 83.171.226.120
- 93.177.116.129
+ 93.177.116.129:
+ ansible_port: 35130
 vars:
 ansible_user: pycm1k
 docker_overlay_net_subnet: 11.101.0.0/24
diff --git a/MY/nginx/nginx.conf b/MY/nginx/nginx.conf
new file mode 100644
index 0000000..531ad5c
--- /dev/null
+++ b/MY/nginx/nginx.conf
@@ -0,0 +1,68 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
+
+
+stream {
+ include /etc/nginx/stream-enabled/*.conf;
+
+
+}
+
+
diff --git a/MY/nginx/sites-enabled/moamo.duckdns.org b/MY/nginx/sites-enabled/moamo.duckdns.org
new file mode 100644
index 0000000..39fd171
--- /dev/null
+++ b/MY/nginx/sites-enabled/moamo.duckdns.org
@@ -0,0 +1,11 @@
+server {
+ server_name moamo.duckdns.org;
+ listen moamo.duckdns.org:80;
+
+ include acme;
+
+ location / {
+ return 404;
+ }
+}
+
diff --git a/MY/nginx/sites-enabled/tormob.duckdns.org b/MY/nginx/sites-enabled/tormob.duckdns.org
new file mode 100644
index 0000000..a45366e
--- /dev/null
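Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` in the http block re-enables TLS 1.0 and 1.1, and since no vhost in this commit overrides it, the `listen 7443 ssl` server for tormob.duckdns.org inherits them; change it to `ssl_protocols TLSv1.2 TLSv1.3;` and pair `ssl_prefer_server_ciphers on` with an explicit `ssl_ciphers` list, otherwise the preference only applies to nginx's built-in default cipher set. `# server_tokens off;` is left commented out, so the Server header and error pages disclose the nginx version — uncomment it. The trailing `stream { include /etc/nginx/stream-enabled/*.conf; }` also collides with nginx_install.yaml in this commit, which appends a second `stream {}` block (including `/etc/nginx/stream-conf.d/*.conf`) to /etc/nginx/nginx.conf; if this file is the one shipped to the host, nginx will refuse to load because the `stream` directive is duplicate, so one of the two include paths should be dropped.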
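Review bot: `listen moamo.duckdns.org:80;` makes nginx resolve a dynamic-DNS name at every config load and bind only to the address it returns, so a resolver failure or an IP change at DuckDNS becomes a failing `nginx -t` or a vhost bound to the wrong address; `listen 80;` together with the existing `server_name` gives the same routing without the startup dependency. `include acme;` refers to a snippet that is not part of this commit — if /etc/nginx/acme is not already on the host, the whole config fails to load. The templated `default` vhost added in this same commit already answers `/.well-known/acme-challenge/` from /var/www/html, so unless `acme` does something different this server is likely redundant; either way a one-line comment stating why a separate ACME-only vhost exists for moamo.duckdns.org would help the next reader.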
+++ b/MY/nginx/sites-enabled/tormob.duckdns.org
@@ -0,0 +1,45 @@
+server {
+ server_name tormob.duckdns.org;
+
+ index index.html;
+ include acme;
+ location / {
+# proxy_pass http://11.101.0.3:8090/;
+ proxy_pass http://11.200.0.2:8090/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ client_max_body_size 0;
+
+ }
+
+ location /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ location /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+# listen [::]:443 ssl http2; # managed by Certbot
+ listen 7443 ssl;
+ #http2 on; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/pycm1k/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/pycm1k/privkey.pem; # managed by Certbot
+ ssl_trusted_certificate /etc/letsencrypt/live/pycm1k/chain.pem;
+}
+
+server {
+ if ($host = tormob.duckdns.org) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ listen 80;
+# listen [::]:80;
+
+ server_name tormob.duckdns.org;
+ return 404; # managed by Certbot
+}
diff --git a/MY/nginx/stream-enabled/proxy.conf b/MY/nginx/stream-enabled/proxy.conf
new file mode 100644
index 0000000..a7eaf63
--- /dev/null
+++ b/MY/nginx/stream-enabled/proxy.conf
@@ -0,0 +1,34 @@
+map $ssl_preread_server_name $sni_name {
+ hostnames;
+ www.vk.com xray;
+ vk.com xray;
+ www.eh.vk.com xray;
+ eh.vk.com xray;
+ tshk.duckdns.org openconnect;
+ duckdns.org www;
+ *.duckdns.org www;
+ default vk;
+}
+
+upstream xray {
+ server 11.101.0.254:6443;
+}
+
+upstream www {
+ server 127.0.0.1:7443;
+}
+
+upstream vk {
+ server 87.240.137.164:443;
+}
+
+upstream openconnect {
+ server 127.0.0.1:5443;
+}
+
+server {
+ listen 443;
+ proxy_pass $sni_name;
+ ssl_preread on;
+}
+
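Review bot: Every connection that reaches this vhost comes through the stream proxy's `upstream www { server 127.0.0.1:7443; }`, so `$remote_addr` is 127.0.0.1 and the `X-Real-IP`/`X-Forwarded-For` headers set in `location /` tell the backend at 11.200.0.2:8090 that all clients are localhost — its logging, rate limiting and any brute-force protection lose the real client address. The fix is PROXY protocol end to end: `proxy_protocol on;` in the stream server, then here `listen 127.0.0.1:7443 ssl proxy_protocol;`, `set_real_ip_from 127.0.0.1;` and `real_ip_header proxy_protocol;`; because `proxy_protocol` is per stream server, the other upstreams behind the same `listen 443` (openconnect, xray, the vk fallback) would also have to accept the PROXY header, which this commit does not show. Independently, `listen 7443 ssl` binds every interface, so the vhost is reachable directly on port 7443 bypassing the SNI front unless a firewall blocks it; `listen 127.0.0.1:7443 ssl;` closes that. `include acme;` and the `/etc/letsencrypt/live/pycm1k/*` paths are not part of this commit and must already exist on the host, or nginx will not load the config.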
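Review bot: `default vk;` forwards every connection whose SNI is absent or not listed — scanners and any abuse aimed at this public IP included — straight to 87.240.137.164:443, so the host acts as an unconditional TLS relay to a third party and that traffic is attributable to its operator; if the fronting is intentional (it looks like camouflage for the `xray` route) it should say so in a comment above the map, and the unmatched-SNI case should at least be logged, which this file cannot do since it has no `access_log` (the j2 template in this commit does). The same routing table exists in templates/nginx/nginx-stream.conf.j2 with different content — regex instead of `hostnames;`/`*.duckdns.org`, an extra `moamo.duckdns.org telemt` route, timeouts — so the two copies have already diverged; keep one source of truth and delete the other. As written this server also has no `proxy_connect_timeout`, so a dead upstream holds each client for nginx's 60s default.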
diff --git a/MY/nginx_install.yaml b/MY/nginx_install.yaml
new file mode 100644
index 0000000..fa247b4
--- /dev/null
+++ b/MY/nginx_install.yaml
@@ -0,0 +1,69 @@
+---
+- name: Install and configure nginx with stream module
+ hosts: hip
+ become: yes
+ gather_facts: yes
+
+ tasks:
+ - name: Update apt cache
+ apt:
+ update_cache: yes
+ cache_valid_time: 3600
+ when: ansible_os_family == "Debian"
+
+ - name: Install nginx with stream module
+ apt:
+ name:
+ - nginx
+ - libnginx-mod-stream
+ state: present
+ when: ansible_os_family == "Debian"
+
+ - name: Create stream log directory
+ file:
+ path: /var/log/nginx/stream
+ state: directory
+ owner: www-data
+ group: adm
+ mode: '0755'
+
+ - name: Create stream config directory
+ file:
+ path: /etc/nginx/stream-conf.d
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+
+ - name: Deploy stream configuration
+ template:
+ src: templates/nginx/nginx-stream.conf.j2
+ dest: /etc/nginx/stream-conf.d/default.conf
+ owner: root
+ group: root
+ mode: '0644'
+ notify: restart nginx
+
+ - name: Configure main stream block in nginx.conf
+ blockinfile:
+ path: /etc/nginx/nginx.conf
+ insertafter: EOF
+ block: |
+ stream {
+ include /etc/nginx/stream-conf.d/*.conf;
+ }
+ marker: "### {mark} ANSIBLE MANAGED STREAM BLOCK ###"
+ notify: restart nginx
+
+ - name: Enable nginx service
+ systemd:
+ name: nginx
+ enabled: yes
+ state: started
+
+ handlers:
+ - name: restart nginx
+ systemd:
+ name: nginx
+ state: restarted
+ daemon_reload: yes
diff --git a/MY/nginx_sites.yaml b/MY/nginx_sites.yaml
new file mode 100644
index 0000000..548f2a5
--- /dev/null
+++ b/MY/nginx_sites.yaml
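Review bot: The `Create stream log directory` task makes /var/log/nginx/stream owned by `www-data`, but nginx's master process opens log files as root and the www-data workers only write to the already-open descriptors; a worker-writable log directory lets a compromised worker replace a log file with a symlink that root then follows on the next log reopen, which is why the packaged /var/log/nginx is root:adm — use `owner: root` here, matching the config-directory task. The `blockinfile` task rewrites /etc/nginx/nginx.conf and its handler *restarts* nginx, so a bad edit takes the site down instead of failing the play: add `validate: nginx -t -c %s` to that task and prefer `state: reloaded` in the handler, since a reload keeps the running config when the new one fails the test. Booleans are spelled `yes` throughout (`become`, `gather_facts`, `update_cache`, `enabled`, `daemon_reload`); `true`/`false` is the unambiguous YAML form. If MY/nginx/nginx.conf from this commit is also deployed to the host, its own `stream {}` block plus the one appended here would be a duplicate `stream` directive that nginx refuses to load.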
@@ -0,0 +1,22 @@
+---
+- name: Deploy Nginx site configurations
+ hosts: hip
+ become: yes
+ vars:
+ nginx_sites_enabled_path: /etc/nginx/sites-enabled
+
+ tasks:
+ - name: Copy all configs from templates to sites-enabled
+ copy:
+ src: "templates/nginx/sites-enabled/"
+ dest: "{{ nginx_sites_enabled_path }}/"
+ owner: root
+ group: root
+ mode: '0644'
+ notify: reload nginx
+
+ handlers:
+ - name: reload nginx
+ service:
+ name: nginx
+ state: reloaded
diff --git a/MY/templates/nginx/nginx-stream.conf.j2 b/MY/templates/nginx/nginx-stream.conf.j2
new file mode 100644
index 0000000..c594a71
--- /dev/null
+++ b/MY/templates/nginx/nginx-stream.conf.j2
@@ -0,0 +1,46 @@
+log_format stream_log '$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received '
+ '$session_time "$ssl_preread_server_name" "$upstream_addr" '
+ '$upstream_bytes_sent $upstream_bytes_received';
+
+access_log /var/log/nginx/stream/access.log stream_log;
+error_log /var/log/nginx/stream/error.log;
+
+map $ssl_preread_server_name $sni_name {
+ www.vk.com xray;
+ vk.com xray;
+ www.eh.vk.com xray;
+ eh.vk.com xray;
+ tshk.duckdns.org openconnect;
+ moamo.duckdns.org telemt;
+ duckdns.org www;
+ ~^[^.]+\.duckdns\.org$ www;
+ default vk;
+}
+
+upstream xray {
+ server 11.101.0.254:6443;
+}
+
+upstream www {
+ server 127.0.0.1:7443;
+}
+
+upstream vk {
+ server 87.240.137.164:443;
+}
+
+upstream openconnect {
+ server 127.0.0.1:5443;
+}
+
+upstream telemt {
+ server 11.101.0.254:9443;
+}
+
+server {
+ listen 443;
+ proxy_pass $sni_name;
+ ssl_preread on;
+ proxy_connect_timeout 5s;
+ proxy_timeout 24h;
+}
diff --git a/MY/templates/nginx/sites-enabled/default b/MY/templates/nginx/sites-enabled/default
new file mode 100644
index 0000000..d8c614a
--- /dev/null
+++ b/MY/templates/nginx/sites-enabled/default
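Review bot: The copied vhosts depend on files this play never checks for — `tormob.duckdns.org` has `include acme;` and `/etc/letsencrypt/live/pycm1k/*` certificate paths — and the handler reloads without a config test, so on a fresh host the reload fails only after the broken config is already in sites-enabled; add a task between the copy and the handler such as `- name: Validate nginx config` / `command: nginx -t` / `changed_when: false` so the play stops before touching the service. A directory `copy` also never removes vhosts that were deleted from templates/, so stale files keep being served; use `synchronize` with `delete: true` or list the managed files explicitly. On Debian, sites-enabled/default is a symlink into sites-available, and with the module's default `follow: false` copying `default` should replace that symlink with a regular file — acceptable, but worth stating in the task name or a comment. `become: yes` should be `become: true`.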
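Review bot: The `map` mixes case-insensitive exact entries with a case-sensitive regex: `~^[^.]+\.duckdns\.org$` does not match an SNI like `TORMOB.DUCKDNS.ORG`, and such a client falls through to `default vk` and is relayed to 87.240.137.164 instead of the local vhost; use `~*^[^.]+\.duckdns\.org$ www;`. `default vk;` itself forwards every connection without a recognised SNI (including no SNI at all) to a third-party address, which makes this host a transparent relay whose traffic is attributable to the operator — if that is deliberate, say so in a comment above the map and consider `limit_conn` or `allow`/`deny` on the stream server. Despite the `.j2` extension nothing here is templated: `11.101.0.254`, `87.240.137.164` and the `127.0.0.1:7443`/`5443` ports are hard-coded while hosts.yaml already carries `docker_overlay_net_subnet`, so these should become inventory variables (e.g. `{{ xray_upstream }}`) to keep the template host-independent.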
@@ -0,0 +1,15 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+
+ # Дефолтная локация Certbot'а работает "из коробки"
+ location /.well-known/acme-challenge/ {
+ root /var/www/html;
+ }
+
+ # Всё остальное — молчок
+ location / {
+ return 444;
+ }
+}
diff --git a/MY/templates/nginx/sites-enabled/tormob.duckdns.org b/MY/templates/nginx/sites-enabled/tormob.duckdns.org
new file mode 100644
index 0000000..a45366e
--- /dev/null
+++ b/MY/templates/nginx/sites-enabled/tormob.duckdns.org
@@ -0,0 +1,45 @@
+server {
+ server_name tormob.duckdns.org;
+
+ index index.html;
+ include acme;
+ location / {
+# proxy_pass http://11.101.0.3:8090/;
+ proxy_pass http://11.200.0.2:8090/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ client_max_body_size 0;
+
+ }
+
+ location /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ location /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+# listen [::]:443 ssl http2; # managed by Certbot
+ listen 7443 ssl;
+ #http2 on; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/pycm1k/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/pycm1k/privkey.pem; # managed by Certbot
+ ssl_trusted_certificate /etc/letsencrypt/live/pycm1k/chain.pem;
+}
+
+server {
+ if ($host = tormob.duckdns.org) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ listen 80;
+# listen [::]:80;
+
+ server_name tormob.duckdns.org;
+ return 404; # managed by Certbot
+}
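Review bot: This catch-all covers only port 80; there is no default_server on the TLS side, so every SNI the stream map routes to `www` (its `duckdns.org`/`*.duckdns.org` entries match any DuckDNS name a client chooses) lands on the single `listen 7443 ssl` server for tormob.duckdns.org, is answered with its certificate and proxied to the backend. Add a matching TLS catch-all, e.g. `listen 127.0.0.1:7443 ssl default_server;` with `server_name _;`, `ssl_reject_handshake on;` (nginx ≥ 1.19.4) and `return 444;`, so unknown names are dropped before they reach the proxy. The `/.well-known/acme-challenge/` location assumes Certbot runs in webroot mode against /var/www/html while the other vhosts in this commit use `include acme;`; pick one mechanism and state it in an English comment in place of the Russian ones, e.g. `# Certbot webroot plugin (-w /var/www/html) answers HTTP-01 challenges here`.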
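Review bot: This file is the same blob (a45366e) as MY/nginx/sites-enabled/tormob.duckdns.org added earlier in the commit, and as far as this commit shows only the templates/ copy is deployed (by nginx_sites.yaml); the other copy will drift — the two stream configs in this commit already have — so one of them should go. Within the vhost, `add_header Strict-Transport-Security ...` sits only inside `location /` and lacks `always`, so HSTS is not sent on the carddav/caldav redirects or on error responses from the backend; move it to server level as `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;`. The server sets no `ssl_protocols`, so it inherits `TLSv1 TLSv1.1 TLSv1.2 TLSv1.3` from the http block, and `client_max_body_size 0;` removes the request-size limit entirely for a backend reachable by anyone who can reach port 443 — set the explicit ceiling the backend actually needs.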