updated for FreeBSD 12.2

2021-02-13 11:38:38 -08:00
parent bd3cffc61a
commit 5cee123a3c
121 changed files with 7315 additions and 624 deletions
--- a/jails/config/proxy/haproxy.conf
+++ b/jails/config/proxy/haproxy.conf
@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -48,35 +48,31 @@ frontend stats

 frontend ft
  bind :::80 v4v6
-  bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/dithaproxy.pem crt /mnt/certs/xflowhaproxy.pem
+  bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/xflowhaproxy.pem crt /mnt/certs/dvpchaproxy.pem crt /mnt/certs/mdvpchaproxy.pem 

  redirect scheme https if !{ ssl_fc }

  log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ ssl_version:%sslv\ ssl_cipher:%sslc
  # passing on that browser is using https
-  reqadd X-Forwarded-Proto:\ https
+  ## http-request add-header Forwarded: proto=https  
+  #enabling this breaks things, needs investigation
+
+  http-request set-header X-Forwarded-Proto https if { ssl_fc }
+  http-request set-header X-Forwarded-Ssl on if { ssl_fc }

  # for Clickjacking - added to individual backends
-  # rspadd X-Frame-Options:\ SAMEORIGIN
+  # http-response add-header X-Frame-Options: SAMEORIGIN

  # prevent browser from using non-secure
-  rspadd Strict-Transport-Security:\ max-age=15768000
+  http-response add-header Strict-Transport-Security: max-age=15768000

  acl network_allowed src 192.168.0.0/24 192.168.100.0/24 2603:3024:3f6:e1::/64
  acl restricted_page path -i -m sub /wp-admin
  acl restricted_page path -i -m sub /wp-login
-  block if restricted_page !network_allowed
+  http-request deny if restricted_page !network_allowed

  use_backend bk_ahlawat if { ssl_fc_sni ahlawat.com }
  use_backend bk_ahlawat if { ssl_fc_sni www.ahlawat.com }
-  use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
-  use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
-  use_backend bk_diyit if { ssl_fc_sni diyit.org }
-  use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
-  use_backend bk_diyit if { ssl_fc_sni xflow.org }
-  use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
-  use_backend bk_diyit if { ssl_fc_sni diyit.space }
-  use_backend bk_diyit if { ssl_fc_sni www.diyit.space }

  use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com }
  use_backend bk_ahlawat-rachna if { ssl_fc_sni rachna.ahlawat.com }
@ -96,53 +92,67 @@ frontend ft
  use_backend bk_ahlawat-matrix if { ssl_fc_sni matrix.ahlawat.com }
  use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com }
  use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com }
+  use_backend bk_ahlawat-jump if { ssl_fc_sni jump.ahlawat.com }

+  use_backend bk_diyit if { ssl_fc_sni diyit.org }
+  use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
+  use_backend bk_diyit if { ssl_fc_sni xflow.org }
+  use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
  use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org }
  use_backend bk_diyit-prometheus if { ssl_fc_sni prometheus.diyit.org }
  use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org }
  use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org }

+  use_backend bk_dvpc if { ssl_fc_sni datavpc.com }
+  use_backend bk_dvpc if { ssl_fc_sni www.datavpc.com }
+  use_backend bk_dvpc if { ssl_fc_sni mydatavpc.com }
+  use_backend bk_dvpc if { ssl_fc_sni www.mydatavpc.com }
+
+  use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
+  use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
  use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
  use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
  use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
-  use_backend bk_beyondbell-gs if { ssl_fc_sni gs.beyondbell.com }
+  use_backend bk_beyondbell-web-moonglade if { ssl_fc_sni moonglade.beyondbell.com }
+  use_backend bk_beyondbell-web-moonglade-private if { ssl_fc_sni moonglade-private.beyondbell.com }
+  use_backend bk_beyondbell-r-windows if { ssl_fc_sni moonglade-server.beyondbell.com }
+  use_backend bk_beyondbell-windows if { ssl_fc_sni gs.beyondbell.com }

  default_backend bk_ahlawat

+  acl is_websocket hdr(Upgrade) -i WebSocket
+  acl is_websocket hdr_beg(Host) -i ws
+  use_backend bk_ahlawat if is_websocket
+
+
 backend bk_ahlawat
  server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
-
-backend bk_beyondbell
-  server srv1 192.168.0.77:8000
-  rspadd X-Frame-Options:\ SAMEORIGIN
-
-backend bk_diyit
-  server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_ahlawat-sharad
  balance roundrobin
  server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
+#  http-response set-header Content-Security-Policy "default-src 'self' *.ahlawat.com"

 backend bk_ahlawat-rachna
  server srv1 rachnax.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_ahlawat-nivi
  server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_ahlawat-rishabh
  server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+

 #backend bk_ahlawat-book
 #  server srv1 bookx.ahlawat.com:443 check ssl verify none
@ -150,102 +160,143 @@ backend bk_ahlawat-rishabh
 backend bk_ahlawat-book-443
 #  server srv1 2603:3024:3f6:e1::57:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv1 bookx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_ahlawat-book-444
 #  server srv1 2603:3024:3f6:e1::57:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv1 bookx.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_ahlawat-book-445
 #  server srv1 2603:3024:3f6:e1::57:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv1 bookx.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_ahlawat-cam
  server srv1 192.168.0.54:8765 check
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_ahlawat-ci
+#  http-request set-header Host cix.ahlawat.com:8080
+  http-request replace-header Host ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*)  \1\ http://cix.ahlawat.com:8080/\2
+  http-response replace-header Host ^([^\ \t:]*:)\ http://cix.ahlawat.com:8080/(.*)  \1\ https://ci.ahlawat.com/\2
+  server srv1 cix.ahlawat.com:8080 check
+  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_ahlawat-cloud
  server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_ahlawat-git
  server srv1 gitx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspidel X-Frame-Options:*
-#  http-request set-var(txn.src) src
-#  acl mynet var(txn.src) -m sub 192.168.0
-#  acl mynet var(txn.src) -m sub 2603:3024:3f6:e1
-#  rspidel X-Frame-Options:* if mynet
-#  rspadd X-Frame-Options:\ SAMEORIGIN unless mynet
-# The gitea server add this header be default
+  http-response set-header X-Frame-Options "ALLOW-FROM *.diyit.org"
+#  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_ahlawat-hub
  server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_ahlawat-matrix
  server srv1 matrix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_ahlawat-meet
  server srv1 meet.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_ahlawat-monitor
  server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+#  http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_ahlawat-jump
+  server srv1 jumpx.ahlawat.com:8080 check
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+
+
+backend bk_diyit
+  server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_diyit-grafana
  server srv1 monitorx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+#  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_diyit-prometheus
  server srv1 monitorx.ahlawat.com:9090 check
 # ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_diyit-kibana
-  server srv1 monitorx.ahlawat.com:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+  server srv1 elk.diyit.org:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+#  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_diyit-maps
-  server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+  server srv1 mapsx.diyit.org:443 ssl ca-file /mnt/certs/cacert.pem alpn h2
+#  server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+#  server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+#  server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+#  http-response add-header X-Frame-Options: SAMEORIGIN

-backend bk_ahlawat-ci
-#  http-request  set-header Host cix.ahlawat.com:8180
-  reqirep  ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*) \1\ http://cix.ahlawat.com:8180/\2
-  rspirep  ^([^\ \t:]*:)\ http://cix.ahlawat.com:8180/(.*) \1\ https://ci.ahlawat.com/\2
-  server srv1 cix.ahlawat.com:8180 check
-  rspadd X-Frame-Options:\ SAMEORIGIN
+
+
+backend bk_dvpc
+  server srv1 web.datavpc.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+
+
+backend bk_beyondbell
+  server srv1 192.168.0.77:8000
+#  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_beyondbell-ci
+#  http-request set-header Host cix.beyondbell.com:8111
+  http-request replace-header Host ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://192.168.0.73:8111/\2
+  http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.73:8111/(.*) \1\ https://ci.beyondbell.com/\2
+  server srv1 192.168.0.73:8111
+  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_beyondbell-git
  server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
-
-backend bk_beyondbell-ci
-  http-request  set-header Host cix.beyondbell.com:8111
-  reqirep  ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://cix.beyondbell.com:8111/\2
-  rspirep  ^([^\ \t:]*:)\ http://cix.beyondbell.com:8111/(.*) \1\ https://ci.beyondbell.com/\2
-  server srv1 cix.beyondbell.com:8111
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN

 backend bk_beyondbell-repo
-#  http-request  set-header Host 192.168.0.75:8080
-  reqirep  ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8080/\2
-  rspirep  ^([^\ \t:]*:)\ http://192.168.0.75:8080/(.*) \1\ https://repo.beyondbell.com/\2
-  server srv1 192.168.0.75:8080
-  rspadd X-Frame-Options:\ SAMEORIGIN
+#  http-request set-header Host 192.168.0.75:8081
+#  http-request replace-header Host ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8081/\2
+#  http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.75:8081/(.*) \1\ https://repo.beyondbell.com/\2

-backend bk_beyondbell-gs
+  server srv1 192.168.0.75:8081
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+#  http-response del-header Strict-Transport-Security
+#  http-response add-header Content-Security-Policy: upgrade-insecure-requests
+
+backend bk_beyondbell-web-moonglade
+  server srv1 192.168.0.74:8000
+#  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_beyondbell-web-moonglade-private
+  server srv1 192.168.0.74:4000
+#  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_beyondbell-r-windows
+  server srv1 192.168.0.85:4000
+#  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_beyondbell-windows
  server srv1 192.168.0.81:26900 check
  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
--- a/jails/config/proxy/pkgp.conf
+++ b/jails/config/proxy/pkgp.conf
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
    priority: 10
 }

-pkgp121: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+pkgp122: {
+    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/certs/poudriere.cert",
--- a/jails/config/proxy/port-fwd.sh
+++ b/jails/config/proxy/port-fwd.sh
@ -0,0 +1 @@
+ipfw add 10000 fwd 192.168.0.4,55820 udp from me to 192.168.0.55 dst-port 55820
				`@ -0,0 +1 @@`
				`ipfw add 10000 fwd 192.168.0.4,55820 udp from me to 192.168.0.55 dst-port 55820`