#!/usr/bin/env python
# -*- mode: python; coding: utf-8 -*-

""" Variables de config pour les proxy """


#### nginx configuration for the proxies that are managed by hand

# Host names listed here are presumably left out of the automatic site
# generation because their nginx configuration is written by hand --
# TODO confirm against the generator that consumes this set.
non_sites_auto = {
    u"diplome.crans.org",
    u"imprimante.crans.org",
    u"webirc.crans.org",
}

# Largest request body accepted for each proxied host, written as an nginx
# size string ("10M", "10G", ...).
# NOTE(review): presumably rendered into the %(max_body_size)s slot of
# site_template; the limit applied to hosts missing from this table is
# decided outside this file -- confirm before relying on it as an upload cap.
max_upload = {
    u"intranet.crans.org": "160M",
    u"owncloud.crans.org": "10G",
    u"roundcube.crans.org": "10M",
    u"perso.crans.org": "20M",
    u"webmail.crans.org": "10M",
    u"sogo.crans.org": "10M",
    u"horde.crans.org": "10M",
    u"wiki.crans.org": "15M",
    u"re2o.crans.org": "160M",
}

# Every target below is an absolute https:// URL.
# NOTE(review): presumably each pair is rendered through
# site_redirect_template, which appends $request_uri to the target -- confirm
# against the generator. The entry order is kept as-is because the consumer's
# dependence on iteration order is not visible from this file.
#: Redirects, written as "host": "url"
sites_redirect = {
    "impression.crans.org": "https://wiki.crans.org/VieCrans/ImpressionReseau",
    "factures.crans.org": "https://intranet.crans.org/factures",
    "accounts.crans.org": "https://intranet.crans.org/compte",
    "intranet2.crans.org": "https://intranet.crans.org",
    "autostatus.crans.org": "https://status.crans.org",
    "wikipedia.crans.org": "https://wiki.crans.org",
    "crans.org": "https://www.crans.org",
    "install-party.ens-cachan.fr": "https://install-party.crans.org",
    "www.install-party.ens-cachan.fr": "https://install-party.crans.org",
    "adopteunpingouin.crans.org": "https://install-party.crans.org",
    "i-p.crans.org": "https://install-party.crans.org",
    # These two hosts are also the certificate names returned by
    # server_name_to_cert_name() for the crans.org domain.
    "hostnames-a-m.crans.org": "https://proxy.crans.org",
    "hostnames-n-z.crans.org": "https://proxy.crans.org",
    "task.crans.org": "https://phabricator.crans.org",
    "crans.ens-cachan.fr": "https://www.crans.org",
}


def server_name_to_cert_name(serveur):
    """Map a server name to the name of the certificate that covers it.

    Every name under ens-cachan.fr shares the "crans.ens-cachan.fr"
    certificate. Names under crans.org, crans.fr and crans.eu are split
    between two certificates per domain, "hostnames-a-m.<domain>" and
    "hostnames-n-z.<domain>", according to the first character of the name.

    A domain matches only when the name equals it or ends with "." followed
    by it, so a look-alike such as "notcrans.org" is not treated as part of
    crans.org.

    The split compares the raw first character with 'm': digits, '-' and
    uppercase letters therefore fall in the a-m half.
    NOTE(review): callers presumably pass lowercase names -- confirm.

    Returns None when the name belongs to none of the known domains.
    """
    # All ENS Cachan names are covered by one certificate.
    if serveur == "ens-cachan.fr" or serveur.endswith(".ens-cachan.fr"):
        return "crans.ens-cachan.fr"

    for domaine in ("crans.org", "crans.fr", "crans.eu"):
        if serveur != domaine and not serveur.endswith("." + domaine):
            continue
        seconde_moitie = "hostnames-n-z." + domaine
        # "hostnames-n-z.<domain>" starts with 'h' but has to resolve to
        # itself, hence the explicit exception to the first-letter rule.
        if serveur[0] > 'm' or serveur == seconde_moitie:
            return seconde_moitie
        return "hostnames-a-m." + domaine

    return None


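# nginx configuration generated for one proxied site.
#
# Placeholders (%-style named substitution):
#   serveur        public host name, used as server_name and as the Host
#                  header sent to the backend
#   cert_name      directory under /etc/letsencrypt/live/ holding the
#                  certificate files
#   max_body_size  a complete nginx directive, or an empty string
#                  (presumably built from max_upload -- confirm)
#   proxy_pass     backend address; it is reached over plain http://
#
# The first server block answers 302 to https://$host$request_uri, the second
# one proxies to the backend. Both serve the ACME challenge directory from
# the shared webroot.
#
# Values are inserted verbatim: a value containing ';', '{' or '}' would
# change the structure of the generated configuration, so only trusted,
# validated configuration data should be substituted here.
#
# Client address headers: nginx forwards request headers it is not told to
# override, and the proxied location used to set "P-Real-IP" (kept below for
# compatibility) but not X-Real-IP, so an X-Real-IP header chosen by the
# client reached the backend unchanged. X-Real-IP is now set explicitly, like
# X-Forwarded-For, which is overwritten with $remote_addr rather than
# appended to.
# NOTE(review): "P-Real-IP" looks like a typo for X-Real-IP -- confirm that
# no backend reads it before dropping that line.
site_template = """server {
    server_name %(serveur)s;
    include "snippets/proxy-common.conf";

    location / {
        return 302 https://$host$request_uri;
    }

    # On redirige tout ce qui concerne le challenge letsencrypt vers le meme dossier
    # pour pouvoir utiliser le plugin webroot de letsencrypt
    location /.well-known/acme-challenge {
            alias /usr/share/nginx/html/.well-known/acme-challenge;
    }
}

server {
    include "snippets/proxy-common-ssl.conf";
    server_name %(serveur)s;

    ssl_certificate /etc/letsencrypt/live/%(cert_name)s/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/%(cert_name)s/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/%(cert_name)s/chain.pem;
    %(max_body_size)s
    location / {
        proxy_redirect off;
        proxy_pass http://%(proxy_pass)s;
        proxy_set_header Host %(serveur)s;
        proxy_set_header P-Real-IP $remote_addr;
        # Overwrite any X-Real-IP value supplied by the client
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;

        # Indique au target que l'on est en HTTPS (fix wordpress)
        proxy_set_header X-Forwarded-Proto https;
    }

    # On redirige tout ce qui concerne le challenge letsencrypt vers le meme dossier
    # pour pouvoir utiliser le plugin webroot de letsencrypt
    location /.well-known/acme-challenge {
            alias /usr/share/nginx/html/.well-known/acme-challenge;
    }

}
"""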

site_redirect_template = """server {
    server_name %(serveur)s;
    include "snippets/proxy-common.conf";
117

118 119 120 121 122 123 124 125 126
    # On redirige tout ce qui concerne le challenge letsencrypt vers le meme dossier
    # pour pouvoir utiliser le plugin webroot de letsencrypt
    location /.well-known/acme-challenge {
            alias /usr/share/nginx/html/.well-known/acme-challenge;
    }

    location / {
        return 302 %(redirect)s$request_uri;
    }
127 128 129 130 131 132 133 134 135 136
}

server {
    include "snippets/proxy-common-ssl.conf";
    server_name %(serveur)s;

    ssl_certificate /etc/letsencrypt/live/%(cert_name)s/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/%(cert_name)s/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/%(cert_name)s/chain.pem;

137 138 139 140 141 142 143 144 145
    # On redirige tout ce qui concerne le challenge letsencrypt vers le meme dossier
    # pour pouvoir utiliser le plugin webroot de letsencrypt
    location /.well-known/acme-challenge {
            alias /usr/share/nginx/html/.well-known/acme-challenge;
    }

    location / {
        return 302 %(redirect)s$request_uri;
    }
146 147
}
"""