Feb 25, 2020

2020-02-25 11:28:31 -08:00
commit f26cf87f5a
436 changed files with 67904 additions and 0 deletions
--- a/jails/config/proxy/haproxy.conf
+++ b/jails/config/proxy/haproxy.conf
@ -0,0 +1,230 @@
+# Copyright (c) 2018-2020, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+global
+  daemon
+  maxconn 4096
+  tune.ssl.default-dh-param 2048
+  ssl-default-bind-ciphers  ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+  ssl-default-bind-options  no-sslv3 no-tlsv10
+  # no-tlsv11
+  log 127.0.0.1 local0
+
+defaults
+  log global
+  mode http
+  option http-use-htx
+  option forwardfor
+  option redispatch
+  option http-keep-alive
+  option http-server-close
+  option httplog
+  option dontlognull
+  retries 3
+  timeout http-request 10s
+  timeout http-keep-alive 10s
+  timeout queue 1m
+  timeout connect 5s
+  timeout client 90s
+  timeout server 90s
+  timeout check 10s
+  timeout tunnel 3600s
+  timeout tarpit 60s
+
+#listen stats
+#  bind :::1936 v4v6
+#  stats uri /
+#  stats enable
+#  stats refresh 10s
+#  stats show-node
+#  stats realm Haproxy\ Statistics
+#  stats auth infra:infra
+
+frontend stats
+   bind :::8404 v4v6
+   http-request use-service prometheus-exporter if { path /metrics }
+   stats enable
+   stats uri /stats
+   stats refresh 10s
+   stats show-node
+   stats realm Haproxy\ Statistics
+   stats auth infra:infra
+
+frontend ft
+  bind :::80 v4v6
+  bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/dithaproxy.pem crt /mnt/certs/xflowhaproxy.pem
+
+  redirect scheme https if !{ ssl_fc }
+
+  log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ ssl_version:%sslv\ ssl_cipher:%sslc
+  # passing on that browser is using https
+  reqadd X-Forwarded-Proto:\ https
+
+  # for Clickjacking - added to individual backends
+  # rspadd X-Frame-Options:\ SAMEORIGIN
+
+  # prevent browser from using non-secure
+  rspadd Strict-Transport-Security:\ max-age=15768000
+
+  acl network_allowed src 192.168.0.0/24 192.168.100.0/24 2603:3024:3f6:e1::/64
+  acl restricted_page path -i -m sub /wp-admin
+  acl restricted_page path -i -m sub /wp-login
+  block if restricted_page !network_allowed
+
+  use_backend bk_ahlawat if { ssl_fc_sni ahlawat.com }
+  use_backend bk_ahlawat if { ssl_fc_sni www.ahlawat.com }
+  use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
+  use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
+  use_backend bk_diyit if { ssl_fc_sni diyit.org }
+  use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
+  use_backend bk_diyit if { ssl_fc_sni xflow.org }
+  use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
+  use_backend bk_diyit if { ssl_fc_sni diyit.space }
+  use_backend bk_diyit if { ssl_fc_sni www.diyit.space }
+
+  use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com }
+  use_backend bk_ahlawat-nivi if { ssl_fc_sni nivi.ahlawat.com }
+  use_backend bk_ahlawat-nivi if { ssl_fc_sni nivedita.ahlawat.com }
+  use_backend bk_ahlawat-rishabh if { ssl_fc_sni rishabh.ahlawat.com }
+
+#  use_backend bk_ahlawat-book if { ssl_fc_sni book.ahlawat.com }
+  use_backend bk_ahlawat-book-443 if { ssl_fc_sni book.ahlawat.com }
+  use_backend bk_ahlawat-book-444 if { ssl_fc_sni book1.ahlawat.com }
+  use_backend bk_ahlawat-book-445 if { ssl_fc_sni book2.ahlawat.com }
+  use_backend bk_ahlawat-cam if { ssl_fc_sni cam.ahlawat.com }
+  use_backend bk_ahlawat-ci if { ssl_fc_sni ci.ahlawat.com }
+  use_backend bk_ahlawat-cloud if { ssl_fc_sni cloud.ahlawat.com }
+  use_backend bk_ahlawat-git if { ssl_fc_sni git.ahlawat.com }
+  use_backend bk_ahlawat-hub if { ssl_fc_sni hub.ahlawat.com }
+  use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com }
+
+  use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org }
+  use_backend bk_diyit-prometheus if { ssl_fc_sni prometheus.diyit.org }
+  use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org }
+  use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org }
+
+  use_backend bk_beyondbell-api if { ssl_fc_sni api.beyondbell.com }
+  use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
+  use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
+  use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
+
+  default_backend bk_ahlawat
+
+backend bk_ahlawat
+  server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_beyondbell
+  server srv1 192.168.0.74:8000
+  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_diyit
+  server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_ahlawat-sharad
+  server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_ahlawat-nivi
+  server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_ahlawat-rishabh
+  server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  rspadd X-Frame-Options:\ SAMEORIGIN
+
+#backend bk_ahlawat-book
+#  server srv1 bookx.ahlawat.com:443 check ssl verify none
+
+backend bk_ahlawat-book-443
+#  server srv1 2603:3024:3f6:e1::57:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  server srv1 bookx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_ahlawat-book-444
+#  server srv1 2603:3024:3f6:e1::57:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  server srv1 bookx.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_ahlawat-book-445
+#  server srv1 2603:3024:3f6:e1::57:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  server srv1 bookx.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_ahlawat-cam
+  server srv1 192.168.0.54:8765 check
+  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_ahlawat-cloud
+  server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+#  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_ahlawat-git
+  server srv1 gitx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  rspidel X-Frame-Options:*
+#  http-request set-var(txn.src) src
+#  acl mynet var(txn.src) -m sub 192.168.0
+#  acl mynet var(txn.src) -m sub 2603:3024:3f6:e1
+#  rspidel X-Frame-Options:* if mynet
+#  rspadd X-Frame-Options:\ SAMEORIGIN unless mynet
+# The gitea server add this header be default
+
+backend bk_ahlawat-hub
+  server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_ahlawat-monitor
+  server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+#  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_diyit-grafana
+  server srv1 monitorx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+#  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_diyit-prometheus
+  server srv1 monitorx.ahlawat.com:9090 check
+# ssl ca-file /mnt/certs/cacert.pem alpn h2
+  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_diyit-kibana
+  server srv1 monitorx.ahlawat.com:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+#  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_diyit-maps
+  server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+#  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_ahlawat-ci
+#  http-request  set-header Host cix.ahlawat.com:8180
+  reqirep  ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*) \1\ http://cix.ahlawat.com:8180/\2
+  rspirep  ^([^\ \t:]*:)\ http://cix.ahlawat.com:8180/(.*) \1\ https://ci.ahlawat.com/\2
+  server srv1 cix.ahlawat.com:8180 check
+  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_beyondbell-api
+  server srv1 192.168.0.77:8000
+  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_beyondbell-git
+  server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_beyondbell-ci
+  http-request  set-header Host cix.beyondbell.com:8111
+  reqirep  ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://cix.beyondbell.com:8111/\2
+  rspirep  ^([^\ \t:]*:)\ http://cix.beyondbell.com:8111/(.*) \1\ https://ci.beyondbell.com/\2
+  server srv1 cix.beyondbell.com:8111 check
+  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_beyondbell-repo
+#  http-request  set-header Host 192.168.0.75:8080
+  reqirep  ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8080/\2
+  rspirep  ^([^\ \t:]*:)\ http://192.168.0.75:8080/(.*) \1\ https://repo.beyondbell.com/\2
+  server srv1 192.168.0.75:8080 check
+  rspadd X-Frame-Options:\ SAMEORIGIN
--- a/jails/config/proxy/pkgp.conf
+++ b/jails/config/proxy/pkgp.conf
@ -0,0 +1,20 @@
+FreeBSD: {
+    url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
+    enabled: no
+}
+
+pkgp-freebsd-pkg: {
+    url: "http://pkgp-freebsd-pkg.ahlawat.com/${ABI}/latest",
+    mirror_type: "http",
+    enabled: yes,
+    priority: 10
+}
+
+pkgp121: {
+    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+    mirror_type: "http",
+    signature_type: "pubkey",
+    pubkey: "/mnt/certs/poudriere.cert",
+    enabled: yes,
+    priority: 100
+}