From 233e2c655cc64627a021c6baabe25e0ab7a4e134 Mon Sep 17 00:00:00 2001 From: mia Date: Sat, 23 Nov 2024 18:52:51 -0800 Subject: terminate tls on asylum for secure local connections --- nginx/nginx.conf | 44 +++++++++++++++++++++++++++++++++----------- nginx/sync.py | 22 +++++++++++++++++++++- nginx/terminate.conf | 22 ++++++++++++++++++++++ 3 files changed, 76 insertions(+), 12 deletions(-) create mode 100644 nginx/terminate.conf (limited to 'nginx') diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 7ce4846..d04b581 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -13,6 +13,7 @@ http { tcp_nopush on; tcp_nodelay on; server_tokens off; + http2 on; access_log /var/log/nginx/access.log; include mime.types; @@ -25,6 +26,8 @@ http { gzip_comp_level 6; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=pcache:32m max_size=20g; + map $http_upgrade $connection_upgrade { default upgrade; '' close; @@ -39,6 +42,20 @@ http { absolute_redirect off; + # mozilla ssl settings via https://ssl-config.mozilla.org/ + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; + + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + ssl_stapling on; + ssl_stapling_verify on; + resolver 127.0.0.53; + + # static sites server { listen 80 default_server; listen [::]:80 default_server; @@ -48,6 +65,19 @@ http { index index.html; } + # https dummy server + server { + listen 443 quic reuseport default_server; + listen [::]:443 quic reuseport default_server; + listen 443 ssl reuseport default_server; + listen [::]:443 ssl reuseport default_server; + server_name _; + ssl_certificate /etc/tls/mia.jetzt.crt; + ssl_certificate_key /etc/tls/mia.jetzt.key; + } + + %TERMINATE% + # dissociate server { listen 80; 
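Review bot: `ssl_stapling_verify on;` in the `@@ -39,6 +42,20 @@` hunk has no chain to verify against: nginx only validates OCSP responses when the issuer and intermediate certificates are supplied through `ssl_trusted_certificate`, and neither that directive nor the HSTS header that the cited Mozilla generator emits next to these lines appears in the diff. Without it nginx is expected to log a stapling error and send no OCSP staple, so the two stapling directives are inert rather than harmful. Add `ssl_trusted_certificate /etc/tls/<issuer-chain-placeholder>.pem;` (per server block if the certificates under /etc/tls come from different issuers) and consider `add_header Strict-Transport-Security "max-age=63072000" always;` once every name served on 443 is ready for it.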
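Review bot: The `# https dummy server` block in the `@@ -48,6 +65,19 @@` hunk hands the mia.jetzt certificate to every TLS and QUIC client whose SNI matches no `%TERMINATE%` server, and to clients that send no SNI, so any probe of port 443 learns that name and an unrelated hostname can complete a handshake against it. Because `http2 on` and the `quic` listeners already require a release far newer than the one that introduced `ssl_reject_handshake`, the catch-all can refuse those handshakes instead: replace the two `ssl_certificate*` lines with `ssl_reject_handshake on;`. Confirm on the deployed build that the directive is honoured on the `quic` listeners as well as the `ssl` ones before dropping the certificate lines.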
@@ -56,7 +86,7 @@ http {
 location / {
 proxy_pass http://localhost:8001;
- proxy_http_version 1.1;
+ %PROXY%
 }
 }
@@ -138,11 +168,7 @@ http {
 location / {
 proxy_pass http://localhost:6502;
- proxy_http_version 1.1;
- proxy_redirect off;
- proxy_set_header Host $http_host;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
+ %PROXY%
 }
 }
@@ -180,11 +206,7 @@ http {
 location / {
 proxy_pass http://localhost:6503;
- proxy_http_version 1.1;
- proxy_redirect off;
- proxy_set_header Host $http_host;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
+ %PROXY%
 }
 }
 }
diff --git a/nginx/sync.py b/nginx/sync.py
index 9d81a39..2b36c2c 100644
--- a/nginx/sync.py
+++ b/nginx/sync.py
@@ -1,9 +1,11 @@
 import re
+from commia.bearer import get_key, keys
 from commia.prelude import *
 from commia.ssh import scp, ssh_args, ssh_prewarm
 from commia.util import with_written
+ssh_prewarm("asylum", "secrets@bearer")
 spacing_pattern = re.compile(r"([;,{}])$")
 handoff = Path("nginx/handoff.html").read_text().splitlines()
@@ -39,14 +41,32 @@ auth_locations = (
 }"""
 )
+proxy = (
+ """proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_set_header Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;"""
+)
+
+domains = get_key(keys.domains).splitlines()
+terminate_tmpl = Path("nginx/terminate.conf").read_text()
+terminate = []
+for domain in domains:
+ terminate.append(terminate_tmpl.replace("%HOST%", domain))
+terminate_indented = "\n".join(
+ map(lambda line: f"\t{line}", "\n".join(terminate).splitlines())
+).strip()
+
 nginx_conf = (
 Path("nginx/nginx.conf")
 .read_text()
 .replace("%AUTH_CHECK%", auth_check)
 .replace("%AUTH_LOCATIONS%", auth_locations)
+ .replace("%PROXY%", proxy)
+ .replace("%TERMINATE%", terminate_indented)
 )
-ssh_prewarm("asylum", "secrets@bearer")
 with_written(
 nginx_conf,
 lambda path: scp(path, "asylum:/etc/nginx/nginx.conf"),
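Review bot: Substituting `%PROXY%` into the `proxy_pass http://localhost:8001;` location in the `@@ -56,7 +86,7 @@` hunk is not a pure refactor: that location previously set only `proxy_http_version 1.1;`, and after sync.py's substitution it also receives `proxy_redirect off`, the `Host $http_host` rewrite and the Upgrade/Connection pass-through that the 6502 and 6503 locations (`@@ -138,11 +168,7 @@`, `@@ -180,11 +206,7 @@`) already carried, so the 8001 backend now sees a rewritten Host header and websocket upgrades. If that is intended it deserves a line in the commit message; if not, the first location should keep its single directive. Separately, with `%PROXY%`, `%TERMINATE%` and the existing `%AUTH_*%` markers the checked-in file no longer passes `nginx -t` on its own, so a header comment such as `# template: %...% placeholders are filled in by nginx/sync.py before upload` would save the next reader a failed syntax check.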
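Review bot: `ssh_prewarm("asylum", "secrets@bearer")` in the `@@ -1,9 +1,11 @@` hunk now runs as a side effect of importing the module, ahead of every definition, and nothing says why it had to move up from its old place just before `with_written`. Presumably `get_key(keys.domains)` further down needs the bearer session to exist first; if so, a comment on the call would spare the next reader the archaeology, e.g. `# must precede get_key(): keys.domains is read through the bearer host`. If the ordering is not actually required, the call belongs back next to the upload it warms up.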
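Review bot: `domains = get_key(keys.domains).splitlines()` in the `@@ -39,14 +41,32 @@` hunk splices each line of the secret into `server_name` and into the `/etc/tls/%HOST%.crt` paths unchecked, so a trailing newline or stray whitespace in the stored value yields `server_name  *.;` and `/etc/tls/.crt`, and the broken nginx.conf is only rejected on asylum after `with_written` (whose argument list continues past the hunk) has already copied it over. Filtering and validating before templating keeps that failure local: `domains = [d.strip() for d in get_key(keys.domains).splitlines() if d.strip()]`, then `bad = [d for d in domains if not re.fullmatch(r"[a-z0-9.-]+", d)]` and `if bad: raise ValueError(f"keys.domains: unexpected entries {bad}")` (`re` is already imported at the top of this file). As a point of style, the `terminate = []` / `for` / `append` triple reads more directly as `terminate = [terminate_tmpl.replace("%HOST%", d) for d in domains]`, and `map(lambda line: f"\t{line}", ...)` as the generator expression `(f"\t{line}" for line in "\n".join(terminate).splitlines())`.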
diff --git a/nginx/terminate.conf b/nginx/terminate.conf
new file mode 100644
index 0000000..731feb2
--- /dev/null
+++ b/nginx/terminate.conf
@@ -0,0 +1,22 @@
+# %HOST% internal
+server {
+ listen 443 quic;
+ listen [::]:443 quic;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name %HOST% *.%HOST%;
+ add_header alt-svc 'h3=":443"; ma=86400';
+ ssl_certificate /etc/tls/%HOST%.crt;
+ ssl_certificate_key /etc/tls/%HOST%.key;
+ location / {
+ proxy_pass http://127.0.0.1:80;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
-- 
cgit 1.4.1
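Review bot: `proxy_set_header X-Forwarded-Proto https;` and `proxy_set_header X-Real-IP $remote_addr;` are only trustworthy downstream if port 80 is reachable solely through this block, yet the servers behind `proxy_pass http://127.0.0.1:80;` bind with plain `listen 80 default_server;` and `listen 80;` in the nginx.conf hunks above, i.e. on every interface. A client that reaches port 80 directly can supply its own X-Forwarded-Proto, X-Real-IP and X-Forwarded-For, and since nginx passes request headers it does not override through unchanged, those values arrive at the 8001/6502/6503 backends indistinguishable from the ones set here. Unless a host firewall already confines port 80, bind the plain-HTTP servers to `127.0.0.1:80` and `[::1]:80` so that only this TLS hop's values survive. A one-line comment above `server_name %HOST% *.%HOST%;` such as `# cert at /etc/tls/%HOST%.crt must carry *.%HOST% as a SAN` would also document the wildcard assumption the template makes.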