From 7a2079e3ef7fcd4dffbd44fbf77718004a7f77f1 Mon Sep 17 00:00:00 2001
From: Terekhin Alexandr
Date: Sat, 14 Dec 2024 23:34:27 +0300
Subject: [PATCH] Nginx frontend in stream mode, client cert based auth to connect sstp server
---
 accel-ppp.conf | 2 +-
 compose.yaml | 45 ++++++++++++++++++++++++++++---
 nginx-stream/Dockerfile | 10 +++++++
 nginx-stream/nginx.conf | 12 +++++++
 nginx-stream/stream.conf.template | 37 +++++++++++++++++++++++++
 proxy/00-default.conf | 7 +++++
 proxy/Dockerfile | 3 +++
 7 files changed, 111 insertions(+), 5 deletions(-)
 create mode 100644 nginx-stream/Dockerfile
 create mode 100644 nginx-stream/nginx.conf
 create mode 100644 nginx-stream/stream.conf.template
 create mode 100644 proxy/00-default.conf
 create mode 100644 proxy/Dockerfile
diff --git a/accel-ppp.conf b/accel-ppp.conf
index e13408b..c267073 100644
--- a/accel-ppp.conf
+++ b/accel-ppp.conf
@@ -41,7 +41,7 @@ lcp-echo-timeout=5
 [sstp]
 port=443
 verbose=5
-#accept=proxy,ssl
+accept=proxy,ssl
 accept=ssl
 ssl-pemfile=/etc/cert.pem
 ssl-keyfile=/etc/privkey.pem
diff --git a/compose.yaml b/compose.yaml
index e36f4dc..b489900 100644
--- a/compose.yaml
+++ b/compose.yaml
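Review bot: Uncommenting `accept=proxy,ssl` leaves the pre-existing `accept=ssl` on the very next line in place, so the [sstp] section now carries two `accept=` directives; which one takes effect depends on how accel-ppp resolves duplicate keys, which I cannot confirm from here, and if `accept=ssl` wins the PROXY header that the new stream frontend sends (`proxy_protocol on;` in stream.conf.template) would presumably be read as TLS data and the handshake would fail. Remove or comment out the second line so the intent is unambiguous, e.g. `accept=proxy,ssl` followed by `#accept=ssl`. Note also that with `accept=proxy` accel-ppp takes the client address from whatever peer sends the PROXY header, so only the stream container should be able to reach this port.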
@@ -11,10 +11,47 @@ services:
 - ./ca.pem:/etc/ca.pem:ro
 expose:
 - "443/tcp"
- ports:
- - "443:443/tcp"
 devices:
 - "/dev/ppp:/dev/ppp:rwm"
-
+ environment:
+ VIRTUAL_HOST: "api.bearns.me"
+ VIRTUAL_PROTO: "https"
+ VIRTUAL_PORT: 443
 cap_add:
- - NET_ADMIN
\ No newline at end of file
+ - NET_ADMIN
+ networks:
+ - proxy-tier
+
+ stream:
+ build: ./nginx-stream
+ volumes:
+ - ./ca.pem:/etc/nginx/certs/ca.pem:ro
+ - ./cert.pem:/etc/nginx/certs/cert.pem:ro
+ - ./privkey.pem:/etc/nginx/certs/privkey.pem:ro
+ expose:
+ - "443/tcp"
+ ports:
+ - "443:443/tcp"
+ environment:
+ - ENABLE_IPV6=true
+ - TRUST_DOWNSTREAM_PROXY=true
+ networks:
+ - proxy-tier
+
+ proxy:
+ build: ./proxy
+ volumes:
+ - ./cert.pem:/etc/nginx/certs/cert.pem:ro
+ - ./privkey.pem:/etc/nginx/certs/privkey.pem:ro
+ expose:
+ - "443/tcp"
+ networks:
+ - proxy-tier
+
+networks:
+ proxy-tier:
+
+volumes:
+ certs:
+ vhost.d:
+ html:
diff --git a/nginx-stream/Dockerfile b/nginx-stream/Dockerfile
new file mode 100644
index 0000000..3bed434
--- /dev/null
+++ b/nginx-stream/Dockerfile
@@ -0,0 +1,10 @@
+FROM nginx:alpine
+
+ENV HTTPS_UPSTREAM="proxy"
+ENV SSTP_UPSTREAM="sstp"
+ENV CA_CERT="ca.pem"
+
+COPY nginx.conf /etc/nginx/
+COPY stream.conf.template /etc/nginx/templates/
+
+RUN rm -f /etc/nginx/conf.d/default.conf
\ No newline at end of file
diff --git a/nginx-stream/nginx.conf b/nginx-stream/nginx.conf
new file mode 100644
index 0000000..49c3662
--- /dev/null
+++ b/nginx-stream/nginx.conf
@@ -0,0 +1,12 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+include /etc/nginx/conf.d/*.conf;
diff --git a/nginx-stream/stream.conf.template b/nginx-stream/stream.conf.template
new file mode 100644
index 0000000..74f1ff6
--- /dev/null
+++ b/nginx-stream/stream.conf.template
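Review bot: The `sstp` service is no longer published on the host but still exposes 443/tcp on the shared `proxy-tier` network, and since accel-ppp now accepts the PROXY protocol, any container on that network — not only `stream` — can open a connection and supply an arbitrary client address in the PROXY header. Placing `sstp` and `stream` on a second network that `proxy` does not join would narrow who can reach it. Separately, the top-level `volumes:` block (`certs`, `vhost.d`, `html`) is not referenced by any service, and `VIRTUAL_HOST`/`VIRTUAL_PROTO`/`VIRTUAL_PORT` on `sstp` plus `ENABLE_IPV6`/`TRUST_DOWNSTREAM_PROXY` on `stream` look like nginx-proxy settings that nothing in the two added images reads; if they are leftovers they should be dropped, otherwise a comment should say what consumes them.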
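Review bot: `RUN rm -f /etc/nginx/conf.d/default.conf` is load-bearing rather than cleanup: the stock default.conf is an http-level `server {}` and the accompanying nginx.conf has no `http {}` block, so leaving it in place would presumably make nginx refuse to start once `include /etc/nginx/conf.d/*.conf;` picks it up. A comment above the line would save the next reader from deleting it, e.g. `# stock default.conf is an http-level server block; nginx.conf here has no http {} so it must not be included`. The three `ENV` defaults are only meaningful because the image's template step renders stream.conf.template into conf.d; a one-line comment saying so would help since nothing in this file mentions that mechanism.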
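Review bot: nginx.conf deliberately has no `http {}` block and relies on `include /etc/nginx/conf.d/*.conf;` to pull in a top-level `stream {}` from the rendered template; that departure from the stock image config deserves a comment above the include, e.g. `# No http {} block: this image only serves the stream {} rendered from templates/stream.conf.template`. Note also that `error_log` is set here to `/var/log/nginx/error.log notice` and again to `/dev/stderr` in the included file, both at main level, so presumably both destinations receive logs; if only stderr is intended, drop one of them.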
@@ -0,0 +1,37 @@
+error_log /dev/stderr;
+
+stream {
+ map $ssl_client_verify $name {
+ SUCCESS sstp;
+ default https;
+ }
+
+ upstream https {
+ server ${HTTPS_UPSTREAM}:443;
+ }
+
+ upstream sstp {
+ server ${SSTP_UPSTREAM}:443;
+ }
+
+ server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ ssl_certificate /etc/nginx/certs/cert.pem;
+ ssl_certificate_key /etc/nginx/certs/privkey.pem;
+
+ ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};
+ ssl_verify_client optional;
+
+ proxy_half_close on;
+
+ # Doesn't work without it
+ proxy_ssl on;
+ proxy_ssl_session_reuse off;
+
+ proxy_pass $name;
+ ssl_preread on;
+ proxy_protocol on;
+ }
+}
\ No newline at end of file
diff --git a/proxy/00-default.conf b/proxy/00-default.conf
new file mode 100644
index 0000000..76b721c
--- /dev/null
+++ b/proxy/00-default.conf
@@ -0,0 +1,7 @@
+server {
+ listen 443 ssl;
+ server_name _;
+ ssl_certificate /etc/nginx/certs/cert.pem;
+ ssl_certificate_key /etc/nginx/certs/privkey.pem;
+ return 404;
+}
\ No newline at end of file
diff --git a/proxy/Dockerfile b/proxy/Dockerfile
new file mode 100644
index 0000000..13747d3
--- /dev/null
+++ b/proxy/Dockerfile
@@ -0,0 +1,3 @@
+FROM nginx:alpine
+
+COPY 00-default.conf /etc/nginx/conf.d/
\ No newline at end of file
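Review bot: `proxy_ssl on;` re-encrypts towards the upstreams but nothing authenticates what answers — `proxy_ssl_verify` defaults to off — so the hop from the stream container to `proxy` and `sstp` over the docker network is not verified, and the `# Doesn't work without it` comment does not explain why TLS is needed there at all. Replace the comment with the actual reason (both upstreams terminate TLS themselves: accel-ppp with `accept=proxy,ssl`, the proxy image with `listen 443 ssl`, so the client TLS terminated here has to be re-established) and consider `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` pointing at the CA that issued cert.pem and a matching `proxy_ssl_name`; I cannot fill those in because the certificate subject and issuer are not in the diff. `ssl_preread on;` also appears to do nothing in this server, since the listener terminates TLS (`listen 443 ssl`) and routing keys off `$ssl_client_verify` rather than any `$ssl_preread_*` variable, so either drop it or comment what it is for.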
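Review bot: The stream frontend sends a PROXY protocol header to every upstream (`proxy_protocol on;` is set at server level in stream.conf.template), but this server listens with `listen 443 ssl;` and no `proxy_protocol` parameter, so the first bytes it receives are a `PROXY ...` line rather than a ClientHello and the https path will presumably fail the TLS handshake. Change it to `listen 443 ssl proxy_protocol;` and, if the original client address should appear in logs, add `set_real_ip_from` for the stream container's network together with `real_ip_header proxy_protocol;`. If the https branch is intentionally a dead end for now (it only returns 404), a comment saying so would stop the next reader from debugging it.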