From 80aa7b3785aa2e964d9a3f5ea47def5c7dda1712 Mon Sep 17 00:00:00 2001
From: Chloe Gerhardson
Date: Mon, 29 Jan 2024 13:43:33 -0500
Subject: [PATCH 1/3] Add realip.conf for nginx config

This commit ensures the presence of realip.conf to enable realip module
---
 salt/base/salt.sls | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/salt/base/salt.sls b/salt/base/salt.sls
index c5dc6970..d9a7a8c9 100644
--- a/salt/base/salt.sls
+++ b/salt/base/salt.sls
@@ -126,6 +126,15 @@ salt-master:
 - group: root
 - mode: "0644"

+/etc/nginx/sites.d/realip.conf:
+ file.managed:
+ - source: salt://base/config/realip-nginx.conf
+ - user: root
+ - group: root
+ - mode: "0644"
+ - require:
+ - file: /etc/nginx/sites.d/
+
 /etc/nginx/sites.d/publish-files.conf:
 file.managed:
 - source: salt://base/config/publish-files-nginx.conf
From 1d7d35e7b1cf725e2a9791228e3e95dfbf134971 Mon Sep 17 00:00:00 2001
From: Chloe Gerhardson
Date: Mon, 29 Jan 2024 14:05:27 -0500
Subject: [PATCH 2/3] Restructure realip.conf

This commit restructures realip.conf to be managed by jinja templating
---
 salt/base/salt.sls | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/base/salt.sls b/salt/base/salt.sls
index d9a7a8c9..b65be307 100644
--- a/salt/base/salt.sls
+++ b/salt/base/salt.sls
@@ -128,7 +128,8 @@ salt-master:

 /etc/nginx/sites.d/realip.conf:
 file.managed:
- - source: salt://base/config/realip-nginx.conf
+ - source: salt://base/config/realip-nginx.jinja.conf
+ - template: jinja
 - user: root
 - group: root
 - mode: "0644"
From 58bada554d00deaaa7a4b8d8fc548155a828c481 Mon Sep 17 00:00:00 2001
From: Chloe Gerhardson
Date: Mon, 29 Jan 2024 14:07:41 -0500
Subject: [PATCH 3/3] Configure realip

This commit utilizes the nginx realip module to configure X-Forwarded-For headers
---
 salt/base/config/realip-nginx.jinja.conf | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 salt/base/config/realip-nginx.jinja.conf
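Review bot: The `/etc/nginx/sites.d/realip.conf` state added in the first patch's hunk carries only a `require` on the directory, and nothing visible there reloads nginx when the managed file changes, so the real-IP settings could sit on disk unapplied until an unrelated restart. If the nginx service state elsewhere in `salt.sls` does not already watch this directory, this state should add a `watch_in` on that service; the service's state id is outside the hunk, so the exact line cannot be quoted here. The neighbouring `publish-files.conf` state is cut off at the hunk edge, so whether it already follows such a pattern is not visible.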
diff --git a/salt/base/config/realip-nginx.jinja.conf b/salt/base/config/realip-nginx.jinja.conf
new file mode 100644
index 00000000..39e86227
--- /dev/null
+++ b/salt/base/config/realip-nginx.jinja.conf
@@ -0,0 +1,18 @@
+server {
+ listen 9001 ssl;
+
+ ssl_certificate /etc/ssl/private/salt.psf.io.pem;
+ ssl_certificate_key /etc/ssl/private/salt.psf.io.pem;
+
+ server_name salt-public.psf.io;
+
+ # Real IP Configuration
+ set_real_ip_from {{ pillar["psf_internal_network"] }};
+ set_real_ip_from 127.0.0.1;
+ real_ip_header X-Forwarded-For;
+
+ location / {
+ root /srv/public;
+ try_files $uri =404;
+ }
+}
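Review bot: `set_real_ip_from {{ pillar["psf_internal_network"] }};` trusts every host in the internal range to supply `X-Forwarded-For`, so any machine there, not only the proxy in front of port 9001, decides the client address nginx logs and exposes as `$remote_addr`. If only the load balancer forwards to this server, the trusted list should hold its addresses alone, with a comment above the directives such as `# Trust X-Forwarded-For only from the proxies that terminate client connections`. With `real_ip_recursive` left at its default of off, nginx takes the last address in the header, which is right for a single trusted hop; if requests cross more than one internal proxy this needs `real_ip_recursive on;`. The template also assumes the pillar value renders as a single address or CIDR; a list would produce an invalid directive, which cannot be checked from this hunk.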