Giuseppe Lavagetto has submitted this change and it was merged.
Change subject: Add a simple TLS-terminating reverse proxy class
......................................................................
Add a simple TLS-terminating reverse proxy class
This is a simple reverse proxy with nginx to localhost that can be used
for TLS termination whenever a service needs it. This is supposed to be
used for very simple cases where a simple passthru can be used.
Change-Id: I3c2c67224d85a3f343a7464b86518f419e85828c
---
A manifests/simple_tlsproxy.pp
A templates/simple_tlsproxy.erb
2 files changed, 52 insertions(+), 0 deletions(-)
Approvals:
Gehel: Looks good to me, approved
jenkins-bot: Verified
diff --git a/manifests/simple_tlsproxy.pp b/manifests/simple_tlsproxy.pp
new file mode 100644
index 0000000..d386d7f
--- /dev/null
+++ b/manifests/simple_tlsproxy.pp
@@ -0,0 +1,28 @@
+# Class nginx::simple_tlsproxy
+#
+# An nginx class to set up a reverse proxy with TLS termination for a local
+# service.
+#
+# This is useful whenever the underlying service either has no TLS capabilities
+# or it has bad TLS performance/features.
+#
+class nginx::simple_tlsproxy( $backend_port, $site_name, $port=443,) {
+ validate_string($site_name)
+ include ::nginx
+ include ::nginx::ssl
+
+ diamond::collector::nginx{ $site_name:
+ port => 10080,
+ }
+
+ ::base::expose_puppet_certs { '/etc/nginx':
+ ensure => present,
+ provide_private => true,
+ require => Class['nginx'],
+ }
+
+ ::nginx::site { "${site_name}_tls_termination":
+ ensure => present,
+ content => template('nginx/simple_tlsproxy.erb')
+ }
+}
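Review bot: `$backend_port` and `$port` are never validated, and `$site_name` is only checked to be a string, although all three are interpolated into the nginx configuration by the template (the site name also ends up in the log file paths and the `nginx::site` title). A value containing a slash, whitespace or `;` would yield an unexpected path or extra directives in the rendered server block. I would constrain them at the top of the class, e.g. `validate_re($site_name, '^[A-Za-z0-9_.-]+$')` and `validate_integer($backend_port, 65535, 1)` (likewise for `$port`), assuming the stdlib version in use provides `validate_integer`. A comment on `provide_private => true` would also help, since it appears to place the Puppet agent's private key under `/etc/nginx` for use as this listener's TLS key.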
diff --git a/templates/simple_tlsproxy.erb b/templates/simple_tlsproxy.erb
new file mode 100644
index 0000000..0608588
--- /dev/null
+++ b/templates/simple_tlsproxy.erb
@@ -0,0 +1,24 @@
+# This file is managed by puppet. Do not edit
+server {
+
+ listen <%= @port %> ssl default_server;
+ listen [::]:<%= @port %> ssl default_server ipv6only=on;
+
+ ssl_certificate /etc/nginx/ssl/cert.pem;
+ ssl_certificate_key /etc/nginx/ssl/server.key;
+
+ access_log /var/log/nginx/<%= @site_name %>_access.log;
+ error_log /var/log/nginx/<%= @site_name %>_error.log;
+
+ root /dev/null;
+
+ client_max_body_size 100M;
+
+ location / {
+ proxy_pass http://localhost:<%= @backend_port %>/;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+}
+
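Review bot: The `location /` block sets `X-Forwarded-For` from `$proxy_add_x_forwarded_for`, which appends to whatever value the client sent, so a backend that reads the first entry can be handed an arbitrary address. Backends behind this proxy should rely on `X-Real-IP` (set here from `$remote_addr`) or on the last entry only, and a comment in the template saying so would help. The block also leaves `Host` at nginx's default of the `proxy_pass` target and gives the backend no indication that the request arrived over TLS; consider adding `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;`. No `ssl_protocols` or `ssl_ciphers` appear in this server block, so they presumably come from `nginx::ssl`, which is not visible in this change.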
--
To view, visit https://gerrit.wikimedia.org/r/303998
Gerrit-MessageType: merged
Gerrit-Change-Id: I3c2c67224d85a3f343a7464b86518f419e85828c
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet/nginx
Gerrit-Branch: master
Gerrit-Owner: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: Gehel <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: jenkins-bot <>