diff --git a/fe-common/overlay/etc/hiera/data/group.yaml b/fe-common/overlay/etc/hiera/data/group.yaml
index fea30149..708621c1 100644
--- a/fe-common/overlay/etc/hiera/data/group.yaml
+++ b/fe-common/overlay/etc/hiera/data/group.yaml
@@ -92,6 +92,32 @@ sunet_frontend:
 letsencrypt_server: 'acme-c.sunet.se'
 haproxy_imagetag: 'staging'
+ 'proxy':
+ site_name: 'proxy.eidas.swedenconnect.se'
+ frontends:
+ 'fe-fre-3.komreg.net':
+ ips: ['94.176.226.18', '2001:6b0:65:1::18']
+ 'fe-tug-3.komreg.net':
+ ips: ['94.176.226.19', '2001:6b0:65:1::19']
+ backends:
+ default:
+ 'eidas-proxy-1.sveidas.se':
+ ips: ['94.176.224.140']
+ server_args: 'ssl check verify none cookie p1'
+ 'eidas-proxy-2.sveidas.se':
+ ips: ['94.176.224.12']
+ server_args: 'ssl check verify none cookie p2'
+ 'eidas-proxy-3.sveidas.se':
+ ips: ['94.176.224.141']
+ server_args: 'ssl check verify none cookie p3'
+ 'eidas-proxy-4.sveidas.se':
+ ips: ['94.176.224.13']
+ server_args: 'ssl check verify none cookie p4'
+ allow_ports:
+ - 443
+ letsencrypt_server: 'acme-c.sunet.se'
+ haproxy_imagetag: 'staging'
+
 'md':
 site_name: 'md.swedenconnect.se'
 frontends:
diff --git a/fe-common/overlay/opt/frontend/config/proxy/haproxy.j2 b/fe-common/overlay/opt/frontend/config/proxy/haproxy.j2
new file mode 100644
index 00000000..f3c3826a
--- /dev/null
+++ b/fe-common/overlay/opt/frontend/config/proxy/haproxy.j2
@@ -0,0 +1,22 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{% block frontend %}
+frontend {{ site_name }}
+ {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}
+
+ stats enable
+ timeout http-request 10s
+ timeout http-keep-alive 4s
+ option forwardfor
+ http-request set-header X-Forwarded-Proto https
+
+ {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff']) }}
+
+ {{ acme_challenge(letsencrypt_server) }}
+
+ use_backend {{ site_name }}__default
+
+{% endblock frontend %}
+
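Review bot: All four `server_args` values in the new `default` backend carry `verify none`, so the frontend re-encrypts to the eidas-proxy backends but never validates their certificates, and anything on the path to the 94.176.224.x hosts could present an arbitrary certificate and be accepted. Unless that hop is protected by some control not visible here, verify the backend certificates against a pinned CA, e.g. `server_args: 'ssl check verify required ca-file <BACKEND_CA_FILE> cookie p1'` (likewise for p2–p4), with the CA bundle shipped next to the haproxy config. The collapsed rendering of this hunk has lost the YAML indentation, so the nesting of `'proxy'` under `sunet_frontend` is inferred from the neighbouring `'md'` entry rather than read from the lines. The entry also pins `haproxy_imagetag: 'staging'` for a production-looking swedenconnect.se hostname; the sibling entries in the context lines do the same, so this looks deliberate, but a short comment saying why would save the next reader the question.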
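Review bot: `stats enable` is placed in a frontend bound on the public 443 address, which exposes the HAProxy statistics page (default path `/haproxy?stats`) to anyone who can reach the site unless the inherited `common/haproxy_base.j2` defaults already add `stats auth` or an ACL, which this hunk does not show. That page discloses backend hostnames, server health and connection counts, so either drop `stats enable` from this frontend or restrict it, e.g. `stats auth <STATS_USER>:<STATS_PASSWORD>` plus `stats uri <STATS_PATH>` with the credentials fed from a secret-bearing variable rather than a literal in the template. Related, `option forwardfor` adds an X-Forwarded-For header without removing a client-supplied one, so the eidas-proxy backends should trust only the last hop, or the template should precede it with `http-request del-header X-Forwarded-For`. Minor: `csp` is imported from the macros but never used in the block.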