Commit 8592f2b5dd90570c38710df67760751d48e636b7

Authored by Sergio Oliveira
2 parents 279ab334 211bc5d3

Merge branch 'reverseproxy-port-forward'

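--- a/cookbooks/gitlab/templates/gitlab-shell.yml.erb
+++ b/cookbooks/gitlab/templates/gitlab-shell.yml.erb
@@ -8,7 +8,7 @@ http_settings:
 # ca_path: /etc/pki/tls/certs
 self_signed_cert: false
 
-repos_path: "/var/lib/gitlab/repositories/"
+repos_path: "/var/lib/gitlab-shell/repositories/"
 auth_file: "/var/lib/gitlab-shell/.ssh/authorized_keys"
 
 redis: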
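Review bot: `repos_path` is now hard-coded in two templates, here and in `cookbooks/gitlab/templates/gitlab.yml.erb`, and the two values have to stay identical for gitlab-shell and GitLab to agree on where repositories live; rendering both from a single node attribute would stop them drifting apart. Nothing visible in this commit creates `/var/lib/gitlab-shell/repositories/` or moves existing repositories out of the old path, so it is worth confirming that happens elsewhere. The new directory should also end up owned by the GitLab user and not readable by other local accounts.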
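--- a/cookbooks/gitlab/templates/gitlab.yml.erb
+++ b/cookbooks/gitlab/templates/gitlab.yml.erb
@@ -29,7 +29,7 @@ production: &base
 path: /var/lib/gitlab/backups
 gitlab_shell:
 path: /usr/lib/gitlab-shell
- repos_path: /var/lib/gitlab/repositories/
+ repos_path: /var/lib/gitlab-shell/repositories/
 hooks_path: /usr/lib/gitlab-shell/hooks/
 # Git over HTTP
 upload_pack: true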
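--- /dev/null
+++ b/cookbooks/reverse_proxy/files/ip_forward.conf
@@ -0,0 +1 @@
+net.ipv4.ip_forward = 1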
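--- a/cookbooks/reverse_proxy/recipes/default.rb
+++ b/cookbooks/reverse_proxy/recipes/default.rb
@@ -1,3 +1,17 @@
+package 'iptables-services'
+
+service 'iptables' do
+ action :enable
+ supports :restart => true
+end
+
+template '/etc/sysconfig/iptables' do
+ owner 'root'
+ group 'root'
+ mode 0644
+ notifies :restart, 'service[iptables]'
+end
+
 cookbook_file "/etc/nginx/#{node['config']['external_hostname']}.crt" do
 owner 'root'
 group 'root'
@@ -5,6 +19,14 @@ cookbook_file "/etc/nginx/#{node['config']['external_hostname']}.crt" do
 notifies :restart, 'service[nginx]'
 end
 
+cookbook_file "/etc/sysctl.d/ip_forward.conf" do
+ owner 'root'
+ group 'root'
+ mode 0644
+end
+
+execute 'sysctl -w net.ipv4.ip_forward=1'
+
 cookbook_file "/etc/nginx/#{node['config']['external_hostname']}.key" do
 owner 'root'
 group 'root'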
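Review bot: The `template '/etc/sysconfig/iptables'` resource sets `mode 0644`, which lets every local account read the firewall ruleset and the peer addresses rendered into it; iptables-services normally keeps this file at 0600, and `mode '0600'` would preserve that. The `service 'iptables'` resource only enables the unit, so on a converge where the template is unchanged nothing starts it; `action [:enable, :start]` covers that case. `execute 'sysctl -w net.ipv4.ip_forward=1'` runs on every converge, so consider giving it `action :nothing` and triggering it with a `notifies :run` from the `cookbook_file` for `/etc/sysctl.d/ip_forward.conf`.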
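--- /dev/null
+++ b/cookbooks/reverse_proxy/templates/iptables.erb
@@ -0,0 +1,7 @@
+*nat
+
+# Forward reverseproxy:22 to integration:22. Required to enable git pushes over SSH
+-A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22
+-A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %>
+
+COMMIT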
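Review bot: The ruleset defines only the `*nat` table, so with `net.ipv4.ip_forward = 1` enabled by this same commit the FORWARD chain keeps whatever policy the host already has, typically ACCEPT, and the host will route any packet sent through it, not just the SSH flow. Because the template replaces `/etc/sysconfig/iptables` wholesale, any filter rules previously in that file are also gone after the next restart. A `*filter` section that sets FORWARD to DROP and admits only the DNATed port 22 traffic, as sketched below, would limit forwarding to what the comment describes; INPUT rules are left out of the sketch. The SNAT rule also makes every git-over-SSH session reach the integration host from the reverse proxy's address, so sshd logs and any per-client rate limiting there lose the real client IP.

```erb
# … unchanged: *nat table with the PREROUTING/POSTROUTING rules and its COMMIT …

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Only the DNATed SSH flow to the integration host may be forwarded
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
```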
@@ -13,13 +13,14 @@ fi @@ -13,13 +13,14 @@ fi
13 sudo -v 13 sudo -v
14 sudo redir --lport 80 --cport 80 --caddr $reverseproxy & 14 sudo redir --lport 80 --cport 80 --caddr $reverseproxy &
15 sudo redir --lport 443 --cport 443 --caddr $reverseproxy & 15 sudo redir --lport 443 --cport 443 --caddr $reverseproxy &
  16 +sudo redir --lport 22 --cport 22 --caddr $reverseproxy &
16 17
17 cleanup() { 18 cleanup() {
18 sudo -v 19 sudo -v
19 sudo pkill -9 redir 20 sudo pkill -9 redir
20 } 21 }
21 22
22 -echo "Forwarding ports 80 and 443" 23 +echo "Forwarding ports 22, 80 and 443"
23 echo "Hit ctrl-c to stop" 24 echo "Hit ctrl-c to stop"
24 echo "Browse to: https://softwarepublico.dev/" 25 echo "Browse to: https://softwarepublico.dev/"
25 echo "Browse to: https://listas.softwarepublico.dev/" 26 echo "Browse to: https://listas.softwarepublico.dev/"
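Review bot: The added `sudo redir --lport 22 --cport 22 --caddr $reverseproxy &` line listens on all interfaces by default, which exposes the VM's SSH port to the workstation's local network for as long as the script runs. If the `.dev` names resolve to loopback, `sudo redir --laddr 127.0.0.1 --lport 22 --cport 22 --caddr "$reverseproxy" &` keeps the listener local and also quotes the variable. The bind will fail when a local sshd already holds port 22, and because the command is backgrounded the script still prints "Forwarding ports 22, 80 and 443"; a check or a warning before that echo would avoid the misleading message. The file header for this hunk is not visible on the page.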