Add custom error pages and Nginx configuration for proxy module

- Introduced custom HTML error pages for various HTTP status codes (400, 401, 403, 404, 408, 429, 500, 502, 503, 504) in the proxy module.
- Created a .gitignore file to exclude non-HTML files in the error resources directory.
- Updated Nginx configuration to serve custom error pages for upstream errors.
- Added new Nginx configuration templates for handling HTTP and stream protocols.
- Implemented Wireguard configuration templates and associated variables for secure connections.
- Established Kubernetes resources for Stunnel and Wireguard, including deployment, service accounts, and config maps.
- Defined variables for the Stunnel and Wireguard modules to facilitate configuration.
- Created a new Wol Proxy module with Kubernetes resources for deployment and service management.
This commit is contained in:
2025-10-02 00:19:01 +02:00
parent 4d00986273
commit e6a3f3affd
62 changed files with 1517 additions and 99 deletions
+74
View File
@@ -0,0 +1,74 @@
locals {
wireguard_version = "1.0.20210914-r4-ls54"
wireguard_config = try(templatefile("${path.module}/resources/wireguard/wireguard.conf.tpl", {
wireguard_private_key = var.wireguard_config.private_key
wireguard_public_key = var.wireguard_config.public_key
wireguard_pre_shared_key = var.wireguard_config.pre_shared_key
wireguard_address = var.wireguard_config.address
wireguard_dns = var.wireguard_config.dns
wireguard_allowed_ips = join(", ", var.wireguard_config.allowed_ips)
wireguard_endpoint = "${var.wireguard_config.endpoint}:${var.wireguard_config.endpoint_port}"
}), "null")
wireguard_config_checksum = nonsensitive(sha256(local.wireguard_config))
default_headers = {
"Host" : "$host",
"X-Real-IP" : "$remote_addr",
"X-Forwarded-For" : "$proxy_add_x_forwarded_for",
"X-Forwarded-Proto" : "$scheme",
"X-Forwarded-Host" : "$host",
"X-Forwarded-Port" : "$server_port",
}
nginx_config = file("${path.module}/resources/nginx/nginx.conf")
nginx_config_checksum = sha256(local.nginx_config)
services_config = {
for k, v in var.services : "${k}.conf" => coalesce(v.config, templatefile("${path.module}/resources/nginx/conf.d/default.conf.tpl", {
errors = local.error_codes
http_port = v.http_port
https_port = v.https_port
upstream = v.upstream
resolver = v.resolver
ingress = v.ingress
service_http_port = v.service_http_port
service_https_port = v.service_https_port
tls = v.tls
fqdn = length(v.fqdn) > 0 ? join(" ", v.fqdn) : k
auth = length([for l in v.locations : true if l.private]) > 0
locations = [for l in v.locations : {
path = l.path
headers = merge(l.headers, coalesce(v.default_headers, local.default_headers))
private = l.private
upstream = l.upstream
resolver = l.resolver
rewrite = l.rewrite
}]
custom_snippet = v.custom_snippet
}))
}
services_config_checksum = sha256(jsonencode(local.services_config))
streams_config = {
for k, v in var.streams : "${k}.conf" => templatefile("${path.module}/resources/nginx/streams.d/stream.conf.tpl", {
name = k
port = v.port
upstream = v.upstream
custom_snippet = v.custom_snippet
upstream_port = coalesce(v.upstream_port, v.port)
resolver = v.resolver
protocol = upper(v.protocol)
})
}
streams_config_checksum = sha256(jsonencode(local.streams_config))
auth_script = file("${path.module}/resources/auth/auth_server.py")
auth_script_checksum = sha256(local.auth_script)
error_codes = [for f in fileset("${path.module}/resources/errors", "*.html") : split(".", f)[0]]
errors_pages = {
for f in local.error_codes :
"${f}.html" => file("${path.module}/resources/errors/${f}.html")
}
errors_pages_checksum = sha256(jsonencode(local.errors_pages))
}
+557
View File
@@ -0,0 +1,557 @@
resource "kubernetes_namespace" "proxy" {
metadata {
annotations = {
name = "proxy"
}
labels = {
name = "proxy"
}
name = "proxy"
}
}
resource "kubernetes_service_account" "service_account" {
metadata {
name = "proxy-app-sa"
namespace = kubernetes_namespace.proxy.metadata[0].name
}
automount_service_account_token = false
}
resource "kubernetes_service" "services" {
for_each = var.services
metadata {
name = format("%s", replace(each.key, ".", "-"))
namespace = kubernetes_namespace.proxy.metadata[0].name
}
spec {
port {
name = "http"
port = each.value.service_http_port
target_port = substr(format("http-%s", replace(each.key, ".", "-")), 0, 15)
}
dynamic "port" {
for_each = each.value.tls ? [1] : []
content {
name = "https"
port = each.value.service_https_port
target_port = substr(format("https-%s", replace(each.key, ".", "-")), 0, 15)
}
}
selector = {
app = "proxy"
}
type = "ClusterIP"
}
}
resource "kubernetes_service" "streams" {
for_each = var.streams
metadata {
name = substr(format("stream-%s", replace(each.key, ".", "-")), 0, 15)
namespace = kubernetes_namespace.proxy.metadata[0].name
}
spec {
port {
name = substr(format("stream-%s", replace(each.key, ".", "-")), 0, 15)
port = each.value.port
target_port = substr(format("stream-%s", replace(each.key, ".", "-")), 0, 15)
}
selector = {
app = "proxy"
}
type = "ClusterIP"
}
}
resource "kubernetes_manifest" "internal_cert" {
manifest = {
apiVersion = "cert-manager.io/v1"
kind = "Certificate"
metadata = {
name = "internal-cert"
namespace = kubernetes_namespace.proxy.metadata[0].name
}
spec = {
secretName = "internal-cert"
issuerRef = {
name = var.issuer_name
kind = "ClusterIssuer"
}
commonName = "proxy.internal"
dnsNames = flatten([for _, v in var.services : v.fqdn if v.tls == true])
}
}
}
resource "kubernetes_config_map" "wireguard_config" {
count = local.wireguard_config != "null" ? 1 : 0
metadata {
name = "wireguard-config"
namespace = kubernetes_namespace.proxy.metadata[0].name
}
data = {
"wireguard.conf" = local.wireguard_config
}
}
resource "kubernetes_config_map" "nginx_config" {
metadata {
name = "nginx-config"
namespace = kubernetes_namespace.proxy.metadata[0].name
}
data = {
"nginx.conf" = local.nginx_config
}
}
resource "kubernetes_config_map" "nginx_default_config" {
metadata {
name = "nginx-default-config"
namespace = kubernetes_namespace.proxy.metadata[0].name
}
data = local.services_config
}
resource "kubernetes_config_map" "nginx_streams_config" {
metadata {
name = "nginx-streams-config"
namespace = kubernetes_namespace.proxy.metadata[0].name
}
data = local.streams_config
}
resource "kubernetes_config_map" "nginx_custom_50x_page" {
metadata {
name = "nginx-errors"
namespace = kubernetes_namespace.proxy.metadata[0].name
}
data = {
for k, v in local.errors_pages : k => v
}
}
resource "kubernetes_config_map" "auth_script" {
metadata {
name = "auth-script"
namespace = kubernetes_namespace.proxy.metadata[0].name
}
data = {
"auth_server.py" = local.auth_script
}
}
resource "kubernetes_ingress_v1" "ingress" {
for_each = { for k, v in var.services : k => v if lookup(v, "ingress", true) && length(v.fqdn) > 0 }
metadata {
name = format("%s", replace(each.key, ".", "-"))
namespace = kubernetes_namespace.proxy.metadata[0].name
annotations = merge({
"kubernetes.io/ingress.class" = "public"
"cert-manager.io/cluster-issuer" = "letsencrypt-prod"
},
each.value.custom_ingress_annotations,
each.value.tls ? {
"nginx.org/ssl-services" = format("%s", replace(each.key, ".", "-"))
"nginx.org/ssl-redirect" = "true"
"nginx.org/redirect-to-https" = "true"
"nginx.ingress.kubernetes.io/backend-protocol" = "HTTPS"
} : {}
)
}
spec {
tls {
hosts = each.value.fqdn
secret_name = format("proxy-%s-tls", replace(each.key, ".", "-"))
}
dynamic "rule" {
for_each = each.value.fqdn
content {
host = rule.value
http {
path {
backend {
service {
name = format("%s", replace(each.key, ".", "-"))
port {
name = each.value.tls ? "https" : "http"
}
}
}
}
}
}
}
}
}
resource "kubernetes_secret" "auth_token" {
count = var.auth_token != "" ? 1 : 0
metadata {
name = "auth-token-secret"
namespace = kubernetes_namespace.proxy.metadata[0].name
}
data = {
token = var.auth_token
}
type = "Opaque"
}
resource "kubernetes_deployment" "proxy" {
metadata {
name = "proxy"
namespace = kubernetes_namespace.proxy.metadata[0].name
annotations = {
"security.alpha.kubernetes.io/unsafe-sysctls" = "net.ipv4.conf.all.src_valid_mark=1"
}
}
spec {
replicas = 1
selector {
match_labels = {
app = "proxy"
}
}
strategy {
type = "Recreate"
}
template {
metadata {
labels = {
app = "proxy"
}
annotations = {
"checksum/nginx" = local.nginx_config_checksum
"checksum/services" = local.services_config_checksum
"checksum/wireguard" = local.wireguard_config_checksum
"checksum/auth_server" = local.auth_script_checksum
"checksum/custom_50x" = local.errors_pages_checksum
"checksum/streams" = local.streams_config_checksum
}
}
spec {
dynamic "container" {
for_each = nonsensitive(local.wireguard_config) != "null" ? [1] : []
content {
name = "wireguard"
image = "linuxserver/wireguard:${local.wireguard_version}"
resources {
requests = {
memory = "64Mi"
}
}
liveness_probe {
exec {
command = [
"/bin/sh",
"-c",
"wg show | grep -q transfer"
]
}
initial_delay_seconds = 90
period_seconds = 90
}
security_context {
privileged = true
capabilities {
add = ["NET_ADMIN"]
}
read_only_root_filesystem = true
}
env {
name = "PUID"
value = "1000"
}
env {
name = "PGID"
value = "1000"
}
env {
name = "TZ"
value = "Europe/Berlin"
}
volume_mount {
name = "wireguard-config"
mount_path = "/config/wg_confs"
read_only = true
}
volume_mount {
name = "lib-modules"
mount_path = "/lib/modules"
read_only = true
}
volume_mount {
name = "wireguard-run"
mount_path = "/run"
}
}
}
dynamic "container" {
for_each = nonsensitive(var.auth_token) != "" ? [1] : []
content {
name = "auth-sidecar"
image = "python:3.11-slim"
command = ["python", "/app/auth_server.py"]
env {
name = "AUTH_TOKEN"
value_from {
secret_key_ref {
name = kubernetes_secret.auth_token[0].metadata[0].name
key = "token"
}
}
}
volume_mount {
name = "auth-script"
mount_path = "/app"
read_only = true
}
port {
container_port = 5000
name = "auth"
}
security_context {
read_only_root_filesystem = true
run_as_group = 1000
run_as_user = 1000
allow_privilege_escalation = false
run_as_non_root = true
}
}
}
container {
name = "proxy"
image = "nginx:${var.tag}"
image_pull_policy = "Always"
resources {
requests = {
memory = "100Mi"
}
}
security_context {
allow_privilege_escalation = false
read_only_root_filesystem = true
}
readiness_probe {
http_get {
path = "/health"
port = 8888
}
initial_delay_seconds = 5
period_seconds = 10
}
liveness_probe {
http_get {
path = "/health"
port = 8888
}
initial_delay_seconds = 5
period_seconds = 10
failure_threshold = 10
timeout_seconds = 5
success_threshold = 1
}
dynamic "port" {
for_each = { for k, v in var.services : k => v.http_port }
content {
container_port = port.value
name = substr(format("http-%s", replace(port.key, ".", "-")), 0, 15)
}
}
dynamic "port" {
for_each = { for k, v in var.services : k => v.https_port if v.tls }
content {
container_port = port.value
name = substr(format("https-%s", replace(port.key, ".", "-")), 0, 15)
}
}
dynamic "port" {
for_each = var.streams
content {
container_port = port.value.port
name = substr(format("stream-%s", replace(port.key, ".", "-")), 0, 15)
host_port = port.value.host_port
protocol = upper(port.value.protocol)
}
}
volume_mount {
name = "nginx"
mount_path = "/etc/nginx/nginx.conf"
sub_path = "nginx.conf"
read_only = true
}
volume_mount {
name = "services"
mount_path = "/etc/nginx/conf.d/"
read_only = true
}
volume_mount {
name = "streams"
mount_path = "/etc/nginx/streams.d/"
read_only = true
}
volume_mount {
name = "nginx-errors"
mount_path = "/usr/share/nginx/html/errors"
read_only = true
}
volume_mount {
name = "nginx-tmp"
mount_path = "/tmp"
}
dynamic "volume_mount" {
for_each = length([for v in var.services : v.tls if v.tls == true]) > 0 ? [1] : []
content {
name = "tls"
mount_path = "/etc/ssl/certs/private"
read_only = true
}
}
}
dynamic "volume" {
for_each = nonsensitive(local.wireguard_config) != "null" ? [1] : []
content {
name = "wireguard-config"
config_map {
name = nonsensitive(kubernetes_config_map.wireguard_config[0].metadata[0].name)
}
}
}
dynamic "volume" {
for_each = nonsensitive(local.wireguard_config) != "null" ? [1] : []
content {
name = "lib-modules"
host_path {
path = "/lib/modules"
}
}
}
dynamic "volume" {
for_each = nonsensitive(local.wireguard_config) != "null" ? [1] : []
content {
name = "wireguard-run"
empty_dir {
medium = "Memory"
}
}
}
volume {
name = "auth-script"
config_map {
name = kubernetes_config_map.auth_script.metadata[0].name
}
}
volume {
name = "nginx"
config_map {
name = kubernetes_config_map.nginx_config.metadata[0].name
}
}
volume {
name = "services"
config_map {
name = kubernetes_config_map.nginx_default_config.metadata[0].name
}
}
volume {
name = "streams"
config_map {
name = kubernetes_config_map.nginx_streams_config.metadata[0].name
}
}
volume {
name = "nginx-errors"
config_map {
name = kubernetes_config_map.nginx_custom_50x_page.metadata[0].name
}
}
volume {
name = "nginx-tmp"
empty_dir {
}
}
dynamic "volume" {
for_each = length([for v in var.services : v.tls if v.tls == true]) > 0 ? [1] : []
content {
name = "tls"
secret {
secret_name = kubernetes_manifest.internal_cert.manifest["metadata"]["name"]
items {
key = "tls.crt"
path = "tls.crt"
}
items {
key = "tls.key"
path = "tls.key"
}
}
}
}
}
}
}
lifecycle {
ignore_changes = [spec[0].template[0].metadata[0].annotations["kubectl.kubernetes.io/restartedAt"]]
}
}
+13
View File
@@ -0,0 +1,13 @@
terraform {
required_version = "~>1.8"
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "2.36.0"
}
scaleway = {
source = "scaleway/scaleway"
version = "~>2.13"
}
}
}
@@ -0,0 +1,40 @@
import os
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer
# Configure logging
logging.basicConfig(
level=logging.INFO,
format="%(asctime)s [%(levelname)s] %(message)s"
)
EXPECTED_TOKEN = os.getenv("AUTH_TOKEN", "")
class AuthHandler(BaseHTTPRequestHandler):
def do_GET(self):
auth = self.headers.get('Authorization')
# Log request info
client_ip = self.client_address[0]
logging.info(f"Auth request from {client_ip}")
if auth == f"Bearer {EXPECTED_TOKEN}":
logging.info("Authentication successful")
self.send_response(200)
else:
logging.warning("Authentication failed")
self.send_response(401)
self.end_headers()
def log_message(self, format, *args):
# Suppress default BaseHTTPRequestHandler logging
return
if __name__ == '__main__':
if not EXPECTED_TOKEN:
logging.error("AUTH_TOKEN environment variable not set. Exiting.")
exit(1)
server = HTTPServer(('', 5000), AuthHandler)
logging.info("Auth server running on port 5000...")
server.serve_forever()
@@ -0,0 +1 @@
!*.html
@@ -0,0 +1,40 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>400 - Bad Request</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon"></div>
<h1>400 - Bad Request</h1>
<p>Oops! The server couldn't understand your request.</p>
</div>
</body>
</html>
@@ -0,0 +1,40 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>401 - Unauthorized</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon">🔒</div>
<h1>401 - Unauthorized</h1>
<p>You need to log in to access this resource.</p>
</div>
</body>
</html>
@@ -0,0 +1,40 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>403 - Forbidden</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon">🚫</div>
<h1>403 - Forbidden</h1>
<p>You don't have permission to view this page.</p>
</div>
</body>
</html>
@@ -0,0 +1,40 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>404 - Page Not Found</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon">🔍</div>
<h1>404 - Page Not Found</h1>
<p>We couldn't find the page you're looking for.</p>
</div>
</body>
</html>
@@ -0,0 +1,40 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>408 - Request Timeout</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon"></div>
<h1>408 - Request Timeout</h1>
<p>The server took too long to respond. Try again later.</p>
</div>
</body>
</html>
@@ -0,0 +1,40 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>429 - Too Many Requests</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon">🚦</div>
<h1>429 - Too Many Requests</h1>
<p>You're making too many requests. Please slow down.</p>
</div>
</body>
</html>
@@ -0,0 +1,40 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>500 - Internal Server Error</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon">⚠️</div>
<h1>500 - Internal Server Error</h1>
<p>Something went wrong on our end. We're working on it.</p>
</div>
</body>
</html>
@@ -0,0 +1,40 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>502 - Bad Gateway</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon">🔌</div>
<h1>502 - Bad Gateway</h1>
<p>The server received an invalid response from upstream.</p>
</div>
</body>
</html>
@@ -0,0 +1,40 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>503 - Service Unavailable</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon">🛠️</div>
<h1>503 - Service Unavailable</h1>
<p>We're doing some maintenance. Please check back soon.</p>
</div>
</body>
</html>
@@ -0,0 +1,40 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>504 - Gateway Timeout</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon">📡</div>
<h1>504 - Gateway Timeout</h1>
<p>The upstream server didn't respond in time.</p>
</div>
</body>
</html>
@@ -0,0 +1,54 @@
server {
listen ${http_port};
%{ if tls ~}
listen ${https_port} ssl;
ssl_certificate /etc/ssl/certs/private/tls.crt;
ssl_certificate_key /etc/ssl/certs/private/tls.key;
ssl_protocols TLSv1.2 TLSv1.3;
%{ endif ~}
server_name ${fqdn};
# Custom error page for upstream errors
%{ for e in errors ~}
error_page ${e} /errors/${e}.html;
location = /errors/${e}.html {
root /usr/share/nginx/html;
internal;
}
%{ endfor ~}
%{ if custom_snippet != "" ~}
${custom_snippet}
%{ endif ~}
%{ if auth ~}
location = /auth {
internal;
proxy_pass http://localhost:5000/;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header Authorization $http_authorization;
}
%{ endif }
%{ for l in locations ~}
location ${l.path} {
%{ if l.resolver == "" ~}
%{ if resolver != "" ~}
resolver ${resolver};
%{ endif ~}
%{ else ~}
resolver ${l.resolver};
%{ endif ~}
%{ if l.private ~}
auth_request /auth<;
%{ endif ~}
set $upstream "%{ if l.upstream != "" ~}${l.upstream}%{ else ~}${upstream}%{ endif ~}";
%{ if l.rewrite != "" ~}
rewrite ${l.rewrite};
%{ endif ~}
proxy_pass $upstream;
proxy_http_version 1.1;
%{ for k,v in l.headers ~}
proxy_set_header ${k} ${v};
%{ endfor ~}
proxy_intercept_errors on;
}
%{ endfor ~}
}
@@ -0,0 +1,48 @@
worker_processes auto;
error_log /dev/stderr warn;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
proxy_temp_path /tmp/proxy_temp;
client_body_temp_path /tmp/client_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
client_max_body_size 10M;
proxy_buffering off;
proxy_request_buffering off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /dev/stdout main;
sendfile on;
keepalive_timeout 65;
server {
listen 8888;
server_name _;
location /health {
access_log off;
return 200 "OK";
}
}
include /etc/nginx/conf.d/*.conf;
}
stream {
include /etc/nginx/streams.d/*.conf;
}
@@ -0,0 +1,13 @@
upstream ${name} {
%{ if resolver != "" ~}
resolver ${resolver};
%{ endif ~}
server ${upstream}:${upstream_port};
}
server {
listen %{ if protocol == "UDP" ~}${port} udp;%{ else ~}${port};%{ endif }
%{ if custom_snippet != "" ~}
${custom_snippet}
%{ endif ~}
proxy_pass ${name};
}
@@ -0,0 +1,10 @@
[Interface]
PrivateKey = ${wireguard_private_key}
Address = ${wireguard_address}
[Peer]
PublicKey = ${wireguard_public_key}
PresharedKey = ${wireguard_pre_shared_key}
AllowedIPs = ${wireguard_allowed_ips}
Endpoint = ${wireguard_endpoint}
PersistentKeepalive = 25
@@ -0,0 +1,76 @@
variable "tag" {
description = "The version of the nginx server to install"
type = string
default = "stable-alpine"
}
variable "wireguard_config" {
description = "The Wireguard configuration file"
type = object({
private_key = string
public_key = string
pre_shared_key = string
endpoint = string
endpoint_port = number
address = string
dns = string
allowed_ips = list(string)
})
default = null
sensitive = true
}
variable "issuer_name" {
description = "The name of the issuer to use for TLS certificates, internal certificates"
type = string
default = "internal-ca"
}
variable "services" {
description = "A list of services to be deployed"
type = map(object({
fqdn = optional(list(string), [])
custom_ingress_annotations = optional(map(string), {})
annotations = optional(map(string), {})
upstream = optional(string, "")
resolver = optional(string, "")
default_headers = optional(map(string), {}),
http_port = optional(number, 80)
https_port = optional(number, 443)
tls = optional(bool, false)
ingress = optional(bool, true)
service_http_port = optional(number, 80)
service_https_port = optional(number, 443)
locations = optional(list(object({
path = string,
headers = optional(map(string), {}),
private = optional(bool, false),
upstream = optional(string, ""),
resolver = optional(string, "")
rewrite = optional(string, "")
})), [])
custom_snippet = optional(string, "")
config = optional(string, "")
}))
}
variable "auth_token" {
description = "The authentication token to use for the reverse proxy"
type = string
sensitive = true
default = ""
}
variable "streams" {
description = "A list of streams to be deployed"
type = map(object({
port = number
upstream = string
custom_snippet = optional(string, "")
resolver = optional(string, "")
upstream_port = optional(number, null)
protocol = optional(string, "TCP")
host_port = optional(number, null)
}))
default = {}
}