remove http-related nginx config (#866)

* remove http-related nginx config

* Add more details about Nginx and reverse proxies to upgrade notes

Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com>
Gabi
2022-07-29 15:50:31 -03:00
committed by GitHub
parent 30876da922
commit b2e292d4fd
7 changed files with 31 additions and 16 deletions

@@ -26,6 +26,7 @@ GEM
PLATFORMS
arm64-darwin-21
x86_64-linux
DEPENDENCIES
rubocop
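Review bot: the Gemfile.lock PLATFORMS addition is unrelated to the nginx configuration removal that the commit message describes; consider landing the lockfile change separately so a behaviour change and a dependency-platform bump are not bundled in one commit.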

@@ -22,6 +22,33 @@ issue](https://github.com/firezone/firezone/issues/new/choose).
## Upgrading from < 0.5.0 to >= 0.5.0
0.5.0 introduces a few breaking changes and configuration updates that will need
to be addressed. Read more below.
### Bundled Nginx non_ssl_port (HTTP) requests removed
0.5.0 and above removes the `force_ssl` and `non_ssl_port` settings for
Nginx. SSL is required for Firezone to function; if you're using (or would like
to use) your own reverse proxy, we recommend disabling the bundle Nginx service
by setting `default['firezone']['nginx']['enabled'] = false` and pointing your
reverse proxy directly to the Phoenix app on port 13000 (by default).
Read more about setting up a custom reverse proxy
[here](../deploy/reverse-proxies).
### ACME protocol support
0.5.0 introduces ACME protocol support for automatically renewing SSL
certificates with the bundled Nginx service. To enable,
- Make sure `default['firezone']['external_url']` contains a valid FQDN that
resolves to your server's public IP address.
- Ensure port `80/tcp` is reachable
- Enable ACME protocol support with
`default['firezone']['ssl']['acme']['enabled'] = true` in your config file.
### Overlapping egress rule destinations
Firezone 0.5.0 removes the ability to add rules with overlapping destinations.
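Review bot: typo in the "Bundled Nginx non_ssl_port" section: "disabling the bundle Nginx service" should read "disabling the bundled Nginx service". The ACME checklist in the same section also omits the `default['firezone']['ssl']['email_address']` prerequisite that the attributes file comment lists as item 3 (used for renewal notices); add it as a bullet so the upgrade notes and the attributes comment agree. Minor: "Ensure port `80/tcp` is reachable" should end with a period like the neighbouring bullets.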

@@ -34,7 +34,6 @@ Shown below is a complete listing of the configuration options available in
| `default['firezone']['authentication']['disable_vpn_on_oidc_error']` | Disable a user's VPN if an error is detected trying to refresh their OIDC token. | `false` |
| `default['firezone']['authentication']['oidc']` | OpenID Connect config, in the format of `{"provider" => [config...]}` - See [OpenIDConnect documentation](https://hexdocs.pm/openid_connect/readme.html) for config examples. | `{}` |
| `default['firezone']['nginx']['enabled']` | Enable or disable the bundled nginx server. | `true` |
| `default['firezone']['nginx']['non_ssl_port']` | HTTP listen port. | `80` |
| `default['firezone']['nginx']['ssl_port']` | HTTPS listen port. | `443` |
| `default['firezone']['nginx']['directory']` | Directory to store Firezone-related nginx virtual host configuration. | `"#{node['firezone']['var_directory']}/nginx/etc"` |
| `default['firezone']['nginx']['log_directory']` | Directory to store Firezone-related nginx log files. | `"#{node['firezone']['log_directory']}/nginx"` |
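Review bot: dropping the `non_ssl_port` row leaves the table with no statement that the bundled nginx now listens on a fixed port 80 for HTTP (the redirect.conf template in this commit hard-codes `listen 80 default_server;`). Suggest folding that into the `default['firezone']['nginx']['enabled']` description, e.g. "Enable or disable the bundled nginx server (listens on port 80 for ACME validation and on `ssl_port` for HTTPS).", so readers do not go looking for a removed setting.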

@@ -164,7 +164,6 @@ default['firezone']['phoenix']['private_clients'] = []
# These attributes control Firezone-specific portions of the Nginx
# configuration and the virtual host for the Firezone Phoenix app.
default['firezone']['nginx']['enabled'] = true
default['firezone']['nginx']['non_ssl_port'] = 80
default['firezone']['nginx']['ssl_port'] = 443
default['firezone']['nginx']['directory'] = "#{node['firezone']['var_directory']}/nginx/etc"
default['firezone']['nginx']['log_directory'] = "#{node['firezone']['log_directory']}/nginx"
@@ -419,7 +418,6 @@ default['firezone']['ssl']['email_address'] = nil
# 1. default['firezone']['external_url'] includes a valid FQDN
# 2. Port 80/tcp is accessible; this is used for domain validation.
# 3. default['firezone']['ssl']['email_address'] is set properly. This will be used for renewal notices.
# 4. default['firezone']['nginx']['non_ssl_port'] is set to 80
default['firezone']['ssl']['acme']['enabled'] = false
# Set the ACME server directory for ACME protocol SSL certificate issuance
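Review bot: removing prerequisite 4 is consistent with the port now being hard-coded, but prerequisite 2 still reads as a deployment choice ("Port 80/tcp is accessible") when it is now a fixed property of the bundled nginx. Suggest rewording it to say that the bundled nginx always binds port 80 for HTTP-01 domain validation and that this port must be reachable from the internet, and renumbering the remaining items 1 to 3.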

@@ -63,7 +63,6 @@ template 'redirect.conf' do
variables(
server_name: URI.parse(node['firezone']['external_url']).host,
acme_www_root: "#{node['firezone']['var_directory']}/nginx/acme_root",
non_ssl_port: node['firezone']['nginx']['non_ssl_port'],
rate_limiting_zone_name: node['firezone']['nginx']['rate_limiting_zone_name'],
ipv6: node['firezone']['nginx']['ipv6']
)
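Review bot: `rate_limiting_zone_name` is still passed to `redirect.conf` even though this commit removes the only `limit_req zone=<%= @rate_limiting_zone_name %>` reference from that template, so the variable is now dead. Either drop it here alongside `non_ssl_port`, or keep a rate-limited `location /` in the template (see the redirect.conf hunk) and leave the variable in place.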

@@ -45,7 +45,7 @@ server {
}
if ($redirect_to_canonical = H) {
return 301 http<%= @ssl['enabled'] ? 's' : '' %>://<%= @fqdn %>$request_uri;
return 301 https://<%= @fqdn %>$request_uri;
}
<% end -%>
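Review bot: hard-coding `https://` in the canonical-host redirect matches the "SSL is required" stance in the upgrade notes. Check whether `@ssl` is still referenced anywhere else in this template; if this was its last use, the recipe variable that supplies it can be removed too so the template does not carry an unused binding.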

@@ -1,7 +1,7 @@
server {
listen <%= @non_ssl_port %> default_server;
listen 80 default_server;
<% if @ipv6 -%>
listen [::]:<%= @non_ssl_port %> default_server;
listen [::]:80 default_server;
<% end -%>
server_name <%= @server_name %>;
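Review bot: a one-line template comment explaining why 80 is fixed (the ACME HTTP-01 challenge served from `/.well-known/acme-challenge/` below requires it) would stop the next reader from re-adding a configurable port; the attributes file comment already states that port 80/tcp is used for domain validation, so the same sentence can be reused here.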
@@ -9,13 +9,4 @@ server {
location /.well-known/acme-challenge/ {
alias <%= @acme_www_root %>/.well-known/acme-challenge/;
}
location / {
<% if @enable_rate_limiting -%>
limit_req zone=<%= @rate_limiting_zone_name %>;
<% end -%>
if ($http_x_forwarded_proto != 'https') {
return 301 https://$server_name$request_uri;
}
}
}
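Review bot: removing the whole `location /` block also removes the HTTP-to-HTTPS redirect from this server. After this change only `/.well-known/acme-challenge/` is handled, so a plain-HTTP request for any other path falls through to nginx's default handling for the block (the default document root or a 404) instead of being sent to HTTPS. If the intent is to keep redirecting, retain a minimal `location / { return 301 https://$server_name$request_uri; }`; the `$http_x_forwarded_proto` test can go, since this server only receives plain HTTP and the header is client-supplied in any case. Note also that the `limit_req` protection on this listener disappears together with the block.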