diff --git a/terraform/modules/lb/cloud-init/lb.yaml b/terraform/modules/lb/cloud-init/lb.yaml
index 1006052..217b9e8 100644
--- a/terraform/modules/lb/cloud-init/lb.yaml
+++ b/terraform/modules/lb/cloud-init/lb.yaml
@@ -1,7 +1,7 @@
 users:
 - name: bs
 uid: 2000
-
+
 write_files:
 - path: /home/bs/default.conf
 permissions: 0644
@@ -11,7 +11,7 @@ write_files:
 '"$request" $status $body_bytes_sent '
 '"$http_referer" "$http_user_agent" '
 'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
-
+
 server {
 access_log /var/log/nginx/access.log withtime;
 error_log /var/log/nginx/error.log;
@@ -21,11 +21,11 @@ write_files:
 listen 80;
 server_tokens off;
 proxy_set_header X-Forwarded-For 0.0.0.0;
-
+
 location / {
 rewrite ^ https://$http_host$request_uri? permanent;
 }
-
+
 location /.well-known {
 auth_basic off;
 allow all; # Allow all to see content
@@ -45,7 +45,7 @@ write_files:
 '"$request" $status $body_bytes_sent '
 '"$http_referer" "$http_user_agent" '
 'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
-
+
 server {
 index index.php index.html index.htm index.nginx-debian.html;
@@ -58,25 +58,25 @@ write_files:
 ssl_certificate_key /etc/nginx/certs/live/${host}/privkey.pem;
 ssl_prefer_server_ciphers on;
 ssl_dhparam /etc/nginx/certs/certs/dhparam.pem;
-
+
 ssl_client_certificate /etc/nginx/certs/ca.cert;
 ssl_verify_client optional;
 root /usr/share/nginx/html/;
 server_tokens off;
 proxy_set_header X-Forwarded-For 0.0.0.0;
-
+
 location = / {
 rewrite ^ /index.html break;
 }
-
+
 # Client cert authenticated endpoints
 location /order/tx/ {
 # Allow base stations only
- allow 202.161.136.2;
+ allow 202.161.136.2;
 allow 66.203.141.162;
 deny all;
-
+
 if ($ssl_client_verify != SUCCESS) {
 return 403;
 }
@@ -85,23 +85,23 @@ write_files:
 location /order/rx/ {
 # Allow base stations only
- allow 202.161.136.2;
+ allow 202.161.136.2;
 allow 66.203.141.162;
- deny all;
-
+ deny all;
+
 if ($ssl_client_verify != SUCCESS) {
 return 403;
 }
 proxy_pass http://${mainnet_ip}:9292/order/rx/;
 }
-
+
 # Proxy to mainnet Satellite API
 location / {
 add_header 'Access-Control-Allow-Origin' '*' always;
 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE' always;
 add_header 'Access-Control-Allow-Headers' 'X-Auth-Token,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
 add_header 'X-XSS-Protection' '1; mode=block' always;
-
+
 if ($request_uri ~* "^/$") {
 return 301 https://$host;
@@ -111,7 +111,7 @@ write_files:
 {
 return 200;
 }
-
+
 proxy_pass http://${mainnet_ip}:9292/;
 }
@@ -125,7 +125,7 @@ write_files:
 proxy_pass http://${mainnet_ip}:4500/stream?channels=;
 }
-
+
 # Proxy to testnet Satellite API
 location /testnet/ {
 add_header 'Access-Control-Allow-Origin' '*' always;
@@ -156,8 +156,8 @@ write_files:
 proxy_pass http://${testnet_ip}:4500/stream?channels=;
 }
-
- # Proxy to Gossip
+
+ # Proxy to Gossip
 location /gossip/ {
 add_header 'Access-Control-Allow-Origin' '*' always;
 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE' always;
@@ -187,14 +187,14 @@ write_files:
 proxy_pass http://${gossip_ip}:4500/stream?channels=;
 }
-
+
 # Client cert authenticated gossip endpoints
- location ~ ^/gossip/(order/.*)$ {
+ location ~ ^/gossip/(order/?.*)$ {
 # Allow base stations only
- allow 202.161.136.2;
+ allow 202.161.136.2;
 allow 66.203.141.162;
 deny all;
-
+
 if ($ssl_client_verify != SUCCESS) {
 return 403;
 }
@@ -344,7 +344,7 @@ write_files:
 -e EMAIL=${letsencrypt_email} \
 "${certbot_docker}" renew
 ExecStartPost=-/usr/bin/systemctl restart nginx-tls
-
+
 - path: /etc/systemd/system/node-exporter.service
 permissions: 0644
 owner: root
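Review bot: The new pattern `^/gossip/(order/?.*)$` in the `@@ -187,14` hunk matches more than the `order` subtree: with the slash optional and `.*` following it directly, `/gossip/orders`, `/gossip/order-history` or any other path beginning with `order` now also lands in the allow-list plus client-cert block. That direction is fail-closed, so it is not an exposure, but if only `/gossip/order` and `/gossip/order/...` are meant, `location ~ ^/gossip/(order(?:/.*)?)$ {` keeps the capture group while leaving unrelated `order*` paths on the open `/gossip/` proxy. The same no-trailing-slash gap this hunk closes for gossip still appears to exist for the prefix locations `/order/tx/` and `/order/rx/` in the earlier hunks: a request for `/order/tx` matches neither prefix and falls through to the unauthenticated `location /` proxy, which matters only if the upstream serves that path without the slash, so worth confirming. The location block continues outside the hunk, so whether the capture group is consumed by its proxy_pass is not visible here.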