1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
# @summary Revproxy for concourse
#
# Rev-proxy, which also gathers all web nodes in a cluster, into a
# single web endpoint
#
# This also manages the TLS certificate for the load balancer.
#
# @param server_name
# Name of the nginx server, will also be used for rev-proxy routing.
# @param cluster
# Name of the concourse cluster.
# @param upstream_members
# Members of this cluster. If puppetdb is available then these are
# collected automatically from each instance of `concourse::web`.
# But if that is not an option then they can be specified manually.
# @param ensure
define concourse::proxy::nginx (
String $server_name = $name,
String $cluster = $concourse::default_cluster,
Optional[Nginx::UpstreamMembers] $upstream_members = undef,
Enum['absent', 'present'] $ensure = 'present',
) {
include concourse
include letsencrypt
nginx::resource::upstream { "concourse_${cluster}":
ensure => $ensure,
members => $upstream_members,
}
letsencrypt::cert { $server_name:
include_self => true,
authenticator => 'nginx',
config => {
'post-hook' => 'nginx -s reload',
},
}
nginx::resource::server { $server_name:
ipv6_enable => true,
ipv6_listen_options => '',
use_default_location => false,
* => letsencrypt::conf::nginx($server_name),
}
# TODO the connection from nginx to each web instance is unencrypted.
# Concourse's documentation only mentions TLS through letsencrypt,
# which works less than ideal with internal nodes.
# Running unencrypted is however a bad idea, since web nodes are
# assumed to be on different machines. Either figure out how to use
# a custom certificate internally, or configure a segregated network.
# TODO proxy to upstream
nginx::resource::streamhost { "${server_name}-stream":
listen_port => 2222,
ipv6_enable => true,
ipv6_listen_options => '',
proxy => $server_name,
}
nginx::resource::location { "${server_name} - /":
server => $server_name,
location => '/',
proxy => "http://concourse_${cluster}",
* => letsencrypt::conf::nginx::location($server_name),
}
nginx::resource::location { "${server_name} - ~ /hijack$":
server => $server_name,
location => '~ /hijack$',
proxy => "http://concourse_${cluster}",
proxy_set_header => [
'Host $host',
'X-Real-IP $remote_addr',
'X-Forwarded-For $proxy_add_x_forwarded_for',
'X-Forwarded-Host $host',
'X-Forwarded-Proto $scheme',
'Proxy ""',
'Upgrade $http_upgrade',
'Connection "upgrade"',
],
* => letsencrypt::conf::nginx::location($server_name),
}
}
|