Add nginx proxy for BTCPay

2020-12-29 15:56:53 +01:00 · 2020-12-29 15:56:53 +01:00 · 61accc05c2
commit 61accc05c2
parent 5892e3c0ab
5 changed files with 108 additions and 1 deletions
--- a/nodes/bitcoin-2.json
+++ b/nodes/bitcoin-2.json
@ -41,7 +41,18 @@
      "kosmos-bitcoin::firewall",
      "git::default",
      "git::package",
-      "golang::default"
+      "golang::default",
+      "kosmos-nginx::default",
+      "nginx::default",
+      "nginx::package",
+      "nginx::ohai_plugin",
+      "nginx::repo",
+      "nginx::commons",
+      "nginx::commons_dir",
+      "nginx::commons_script",
+      "nginx::commons_conf",
+      "kosmos-nginx::firewall",
+      "kosmos-base::letsencrypt"
    ],
    "platform": "ubuntu",
    "platform_version": "20.04",
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@ -53,6 +53,7 @@ node.default['btcpay']['source_dir'] = '/opt/btcpay'
 node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
 node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"
 node.default['btcpay']['port'] = '23001'
+node.default["btcpay"]["domain"] = 'btcpay.kosmos.org'
 node.default['btcpay']['postgres']['port'] = 5432
 node.default['btcpay']['postgres']['database'] = 'btcpayserver'
 node.default['btcpay']['postgres']['user'] = 'satoshi'
--- a/site-cookbooks/kosmos-bitcoin/metadata.rb
+++ b/site-cookbooks/kosmos-bitcoin/metadata.rb
@ -22,3 +22,4 @@ chef_version '>= 14.0'
 depends 'ark'
 depends 'git'
 depends 'golang'
+depends 'kosmos-nginx'
--- a/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
@ -87,3 +87,27 @@ systemd_unit 'btcpayserver.service' do
  triggers_reload true
  action [:create, :enable, :start]
 end
+
+#
+# HTTPS Reverse Proxy
+#
+
+include_recipe "kosmos-nginx"
+server_name = node["btcpay"]["domain"]
+
+template "#{node["nginx"]["dir"]}/sites-available/#{server_name}" do
+  source "nginx_conf_btcpayserver.erb"
+  owner node["nginx"]["user"]
+  mode 0640
+  variables btcpay_port: node["btcpay"]["port"],
+            server_name: server_name,
+            ssl_cert:    "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
+            ssl_key:     "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+  notifies :reload, "service[nginx]", :delayed
+end
+
+nginx_site server_name do
+  action :enable
+end
+
+nginx_certbot_site server_name
--- a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb
@ -0,0 +1,70 @@
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+upstream _btcpayserver {
+  server localhost:<%= @btcpay_port %>;
+}
+
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+  default $http_x_forwarded_proto;
+  ''      $scheme;
+}
+
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+  default $http_x_forwarded_port;
+  ''      $server_port;
+}
+
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+  default upgrade;
+  '' close;
+}
+
+# Set appropriate X-Forwarded-Ssl header
+map $scheme $proxy_x_forwarded_ssl {
+  default off;
+  https on;
+}
+
+# HTTP 1.1 support
+proxy_http_version 1.1;
+proxy_buffering off;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+
+# Mitigate httpoxy attack
+proxy_set_header Proxy "";
+
+server {
+  client_max_body_size 100M;
+  server_name <%= @server_name %>;
+  listen 443 ssl http2;
+
+  access_log <%= node[:nginx][:log_dir] %>/btcpayserver.access.log json;
+  error_log <%= node[:nginx][:log_dir] %>/btcpayserver.error.log warn;
+
+  ssl_prefer_server_ciphers on;
+  ssl_session_timeout 5m;
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_tickets off;
+
+  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  add_header Strict-Transport-Security "max-age=15768000";
+
+  location / {
+    proxy_pass http://_btcpayserver;
+  }
+}
+<% end -%>