commit 0a5babd692afa4e332357f90041542746a3be4ca
parent 8d2e009dab7b6a88ffd915b0090bca4fb388571f
Author: Leah (ctucx) <leah@ctu.cx>
Date: Mon, 16 Nov 2020 20:19:48 +0100
parent 8d2e009dab7b6a88ffd915b0090bca4fb388571f
Author: Leah (ctucx) <leah@ctu.cx>
Date: Mon, 16 Nov 2020 20:19:48 +0100
add frps
7 files changed, 72 insertions(+), 25 deletions(-)
diff --git a/config-files/awall/custom-services.json b/config-files/awall/custom-services.json
@@ -2,6 +2,9 @@
   "service": {
     "submissions": [
       { "proto": "tcp", "port": 465 }
+    ],
+    "frps": [
+      { "proto": "tcp", "port": 5050 }
     ]
   }
 }
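Review bot: The new `frps` service entry pins the control port to 5050/tcp, while the daemon's listening port is now taken from the `frps.port` variable in roles/frps/templates/frps.confd, so any change to that variable silently leaves awall accepting the wrong port (the removed confd in this commit used 9000, so the value has already drifted once). If the two diverge, frps is unreachable from WAN while an unused port stays open. Since strict JSON has no comments, record the coupling next to wherever `frps.port` is defined, e.g. `# must match the frps service in config-files/awall/custom-services.json`, or template this file from the same variable.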
diff --git a/config-files/awall/frps.json b/config-files/awall/frps.json
@@ -0,0 +1,13 @@
+{
+  "description": "Allow FRPS on WAN",
+  "import": [ "base" ],
+
+  "filter": [
+    {
+      "in": "WAN",
+      "out": "_fw",
+      "service": "frps",
+      "action": "accept"
+    }
+  ]
+}
diff --git a/config-files/frps/confd b/config-files/frps/confd
@@ -1,3 +0,0 @@
-# Configuration for /etc/init.d/chartsrv
-
-frps_opts="--token=foobar123 --bind_port=9000 --subdomain_host=frp.ctu.cx --vhost_http_port=8088"
diff --git a/roles/frps/tasks/main.yml b/roles/frps/tasks/main.yml
@@ -6,9 +6,21 @@
     state: present
     update_cache: yes
 
-- copy:
-    src: config-files/frps/confd
+- name: Copy http(s) firewall-rule to destination host
+  copy:
+    src: config-files/awall/frps.json
+    dest: /etc/awall/optional/frps.json
+    validate: jq '.' %s
+
+- awall:
+    name: frps
+    state: enabled
+    activate: yes
+
+- template:
+    src: frps.confd
     dest: /etc/conf.d/frps
+    mode: 0644
 
 - service:
     name: frps
@@ -18,11 +30,17 @@
 - name: copy nginx-vhost for frps to destination host
   template:
     src: frps-vhost.conf.j2
-    dest: /etc/nginx/conf.d/oeffisearch.conf
+    dest: /etc/nginx/conf.d/frps.conf
     mode: 0644
     owner: nginx
     group: nginx
 
+- name: restart frps
+  service:
+    name: frps
+    state: restarted
+    enabled: yes
+
 - name: restart nginx
   service:
     name: nginx
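Review bot: The templated `/etc/conf.d/frps` carries `--token={{frps.token}}` (see roles/frps/templates/frps.confd in this commit) but is written with `mode: 0644`, so the shared secret that authenticates frpc clients is readable by every local account on the host. The init script that sources conf.d files presumably runs as root, so `mode: 0600`, `owner: root`, `group: root` on the `template` task is sufficient for the file; note that because the options are passed as command-line flags the token is still visible in `/proc/*/cmdline`, so a config file passed with `-c` would be the fuller fix. The task list continues outside the hunk.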
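Review bot: The added `restart frps` task runs unconditionally, so every play restarts the daemon and drops all established frpc tunnels even when neither the conf.d file nor the firewall rule changed, and the earlier `service: name: frps` task in the first hunk already manages the same service. Convert it to a handler and add `notify: restart frps` to the `template` task (and to the `awall` task if a rule change should also bounce it), so the restart only happens when something it depends on actually changed. The surrounding task list extends past the hunk.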
diff --git a/roles/frps/templates/frps-vhost.conf.j2 b/roles/frps/templates/frps-vhost.conf.j2
@@ -0,0 +1,33 @@
+
+{% for vhost in frps.vhosts %}
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    ssl_certificate "{{frps.sslDir}}/{{vhost}}.{{frps.vhost_domain}}/{{frps.sslCertFile}}";
+    ssl_certificate_key "{{frps.sslDir}}/{{vhost}}.{{frps.vhost_domain}}/{{frps.sslPrivkeyFile}}";
+    include /etc/nginx/ssl.conf;
+
+    server_name {{vhost}}.{{frps.vhost_domain}};
+
+    location / {
+        proxy_pass http://127.0.0.1:{{frps.vhost_port}}/;
+
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        proxy_redirect off;
+        proxy_connect_timeout 90;
+        proxy_send_timeout 90;
+        proxy_read_timeout 90;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+    }
+}
+
+{% endfor %}
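Review bot: `proxy_set_header Connection "upgrade";` is sent on every proxied request, not only on WebSocket handshakes, so ordinary HTTP requests reach frps with a hop-by-hop `Connection: upgrade` and no matching `Upgrade` header. The usual idiom is a map at http level, placed above the `server` blocks outside the `{% for %}` loop (or in nginx.conf): `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` and then `proxy_set_header Connection $connection_upgrade;` in the location. The leading blank line before `{% for %}` is harmless but untidy.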
diff --git a/roles/frps/templates/frps.confd b/roles/frps/templates/frps.confd
@@ -0,0 +1,2 @@
+# Configuration for /etc/init.d/chartsrv
+frps_opts="--token={{frps.token}} --bind_port={{frps.port}} --subdomain_host={{frps.vhost_domain}} --vhost_http_port={{frps.vhost_port}}"
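Review bot: The token is interpolated into `frps_opts` and thus handed to frps as a command-line flag, where any local user can read it via `ps` or `/proc/<pid>/cmdline`; the removed config-files/frps/confd in this same commit also shows the previous literal token `foobar123`, which now lives in git history and should be rotated, and `frps.token` should be sourced from an encrypted variable store rather than plain vars. Consider templating a frps configuration file with restrictive permissions and passing `-c` instead of flags, though how the init script consumes `frps_opts` is not visible here. The header comment is also a copy-paste leftover naming the wrong service; it should read `# Configuration for /etc/init.d/frps`.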
diff --git a/roles/frps/templates/oeffisearch-vhost.conf.j2 b/roles/frps/templates/oeffisearch-vhost.conf.j2
@@ -1,19 +0,0 @@
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-
-    ssl_certificate "{{oeffisearch.ssl_cert}}";
-    ssl_certificate_key "{{oeffisearch.ssl_privkey}}";
-    include /etc/nginx/ssl.conf;
-
-    server_name {{oeffisearch.domain}};
-
-    location / {
-        try_files $uri $uri/ @api;
-        root /usr/share/oeffisearch;
-    }
-
-    location @api {
-        proxy_pass http://127.0.0.1:8081;
-    }
-}