pve loadbalancer created in front of each proxmox node, and ssl added

pve DNS is now served out publicly, so that port 80 and 443 webservers
can respond as a vhost, enabling certbot letsencrypt signing.  Then
these redirect onto port 8006, which only works inside the network
from mgmt hosts

Author: spacelama

files/etc/apache2.webserver.ext/ports.conf

@@ -6,8 +6,10 @@ Listen 80
 
 <IfModule ssl_module>
 	Listen 443
+	Listen 8006
 </IfModule>
 
 <IfModule mod_gnutls.c>
 	Listen 443
+	Listen 8006
 </IfModule>

files/etc/apache2.webserver.ext/sites-enabled/2-pve.conf

@@ -0,0 +1,149 @@
+<VirtualHost *:80>
+    # The ServerName directive sets the request scheme, hostname and port that
+    # the server uses to identify itself. This is used when creating
+    # redirection URLs. In the context of virtual hosts, the ServerName
+    # specifies what hostname must appear in the request's Host: header to
+    # match this virtual host. For the default virtual host (this file) this
+    # value is not decisive as it is used as a last resort host regardless.
+    # However, you must set it for any further virtual host explicitly.
+    #ServerName www.example.com
+
+    #   ServerAdmin webmaster@localhost
+    ServerAdmin [email protected]
+    # will redirect from local and remote onto pve load balancer only accessible on the inside:
+    ServerName pve.rather.puzzling.org
+    ServerAlias pve
+
+    RewriteEngine on
+    RewriteCond %{SERVER_NAME} =pve.rather.puzzling.org [OR]
+    RewriteCond %{SERVER_NAME} =pve
+    RewriteRule ^ https://pve.rather.puzzling.org:8006%{REQUEST_URI} [END,NE,R=permanent]
+</VirtualHost>
+
+<VirtualHost *:443>
+    # The ServerName directive sets the request scheme, hostname and port that
+    # the server uses to identify itself. This is used when creating
+    # redirection URLs. In the context of virtual hosts, the ServerName
+    # specifies what hostname must appear in the request's Host: header to
+    # match this virtual host. For the default virtual host (this file) this
+    # value is not decisive as it is used as a last resort host regardless.
+    # However, you must set it for any further virtual host explicitly.
+    #ServerName www.example.com
+
+    #   ServerAdmin webmaster@localhost
+    ServerAdmin [email protected]
+    # will redirect from local and remote onto pve load balancer only accessible on the inside:
+    ServerName pve.rather.puzzling.org
+
+    RewriteEngine on
+    RewriteCond %{SERVER_NAME} =pve.rather.puzzling.org [OR]
+    RewriteCond %{SERVER_NAME} =pve
+    RewriteRule ^ https://pve.rather.puzzling.org:8006%{REQUEST_URI} [END,NE,R=permanent]
+
+    Include /etc/letsencrypt/options-ssl-apache.conf
+    SSLCertificateFile /etc/letsencrypt/live/pve.rather.puzzling.org/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/pve.rather.puzzling.org/privkey.pem
+</VirtualHost>
+
+<VirtualHost *:8006>
+    #   ServerAdmin webmaster@localhost
+    ServerAdmin [email protected]
+    # will redirect from local and remote onto pve load balancer only accessible on the inside:
+    ServerName pve.rather.puzzling.org
+
+    <Location /*>
+
+        Order allow,deny
+        Allow from 192.168.0.0/16
+
+    </Location>
+
+    <IfModule mod_proxy_balancer.c>
+
+        ProxyPass "/" "balancer://pvecluster/" stickysession=JSESSIONID|jsessionid nofailover=On
+        <Proxy "balancer://pvecluster">
+            BalancerMember "https://pve1:8006"
+            BalancerMember "https://pve2:8006" loadfactor=2
+            BalancerMember "https://pve3:8006" loadfactor=5
+        </Proxy>
+
+    </IfModule>
+
+    <IfModule mod_proxy.c>
+
+        ProxyPreserveHost On
+        ProxyRequests Off
+        ProxyErrorOverride On
+
+        SSLProxyEngine On
+
+        SetEnv force-proxy-request-1.0 1
+        SetEnv proxy-nokeepalive 1
+
+        SSLProxyVerify none
+        SSLProxyCheckPeerCN off
+        SSLProxyCheckPeerName off
+        SSLProxyCheckPeerExpire off
+
+        ProxyPass "/" "balancer://proxmox/"
+        ProxyPassReverse "/" "balancer://proxmox/"
+
+    </IfModule>
+
+    Include /etc/letsencrypt/options-ssl-apache.conf
+    SSLCertificateFile /etc/letsencrypt/live/pve.rather.puzzling.org/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/pve.rather.puzzling.org/privkey.pem
+
+#<Proxy "balancer://hotcluster">
+#    BalancerMember "http://www2.example.com:8080" loadfactor=1
+#    BalancerMember "http://www3.example.com:8080" loadfactor=2
+#    ProxySet lbmethod=bytraffic
+
+#</Proxy>
+
+#<Proxy "http://backend">
+#    ProxySet keepalive=On
+#</Proxy>
+#ProxySet "balancer://foo" lbmethod=bytraffic timeout=15
+#ProxySet "ajp://backend:7001" timeout=15
+
+#    ProxyPreserveHost On
+
+#    ProxyPass / http://127.0.0.1:8080/
+#    ProxyPassReverse / http://127.0.0.1:8080/
+
+    #   SSL Protocol Adjustments:
+    #   The safe and default but still SSL/TLS standard compliant shutdown
+    #   approach is that mod_ssl sends the close notify alert but doesn't wait for
+    #   the close notify alert from client. When you need a different shutdown
+    #   approach you can use one of the following variables:
+    #   o ssl-unclean-shutdown:
+    #	 This forces an unclean shutdown when the connection is closed, i.e. no
+    #	 SSL close notify alert is send or allowed to received.  This violates
+    #	 the SSL/TLS standard but is needed for some brain-dead browsers. Use
+    #	 this when you receive I/O errors because of the standard approach where
+    #	 mod_ssl sends the close notify alert.
+    #   o ssl-accurate-shutdown:
+    #	 This forces an accurate shutdown when the connection is closed, i.e. a
+    #	 SSL close notify alert is send and mod_ssl waits for the close notify
+    #	 alert of the client. This is 100% SSL/TLS standard compliant, but in
+    #	 practice often causes hanging connections with brain-dead browsers. Use
+    #	 this only for browsers where you know that their SSL implementation
+    #	 works correctly.
+    #   Notice: Most problems of broken clients are also related to the HTTP
+    #   keep-alive facility, so you usually additionally want to disable
+    #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+    #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+    #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+    #   "force-response-1.0" for this.
+    # BrowserMatch "MSIE [2-6]" \
+    #		nokeepalive ssl-unclean-shutdown \
+    #		downgrade-1.0 force-response-1.0
+
+    #automatically inserted by `certbot --apache`: (also, generate www.$domain alias with: certbot certonly --expand -d rather.puzzling.org,www.rather.puzzling.org
+#    Include /etc/letsencrypt/options-ssl-apache.conf
+#    SSLCertificateFile /etc/letsencrypt/live/pve.rather.puzzling.org/fullchain.pem
+#    SSLCertificateKeyFile /etc/letsencrypt/live/pve.rather.puzzling.org/privkey.pem
+</VirtualHost>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

hosts.yml

@@ -35,6 +35,7 @@ all:
           host_has_backports: true
           host_has_radeon: true
           host_is_small: true
+          host_is_mgmt: true  # needs to be able to access management hosts when everything else is broken
           XKBMODEL: "inspiron"
         dirac-laptop:
           host_is_desktop: true
@@ -76,6 +77,7 @@ all:
           munin_plugin_links:
             - { src: 'ssl_rather.puzzling.org', dest: 'ssl_' }
             - { src: 'ssl_angelahughes.org', dest: 'ssl_' }
+            - { src: 'ssl_pve.rather.puzzling.org', dest: 'ssl_' }
         zm:
           debian_codename: buster
           host_is_container: true

roles/openwrt/templates/dnsmasq.hosts.j2

@@ -12,14 +12,20 @@
 192.168.1.245 ap1
 192.168.1.244 ap2
 {#
-  First pve entry is to ensure reverse DNS is correct (even though
+  pve entries are to ensure reverse DNS is correct (even though
   that IP is already defined in DHCP reservations, for the sake of
-  DHCP MAC mappings), and second entry is for the multiple records in
-  A record pretending to be a proxmox HA cluster address.  FIXME: need
-  to share SSL certs, or maybe have pve point to a HA LXC container
-  that forwards onto pve1,pve2,pve3.  See also:
+  DHCP MAC mappings; since these hosts don't request DHCP, they don't
+  show up in DNS reverse mappings)
+#}
+192.168.1.6 pve2
+192.168.1.7 pve3
+192.168.1.8 pve1
+
+{#
+  And our pve loadbalancer on webserver that forwards onto
+  pve1,pve2,pve3.  We could have also just done it here by assining
+  all three nodes to DNS and sharing SSL certs, but that would be
+  suboptimal when there's an outage. See also:
   https://github.com/lae/ansible-role-proxmox/blob/develop/tasks/ssl_config.yml
 #}
-192.168.1.6 pve2 pve
-192.168.1.7 pve3 pve
-192.168.1.8 pve1 pve
+192.168.1.18 pve

roles/webserver/tasks/external_website.yml

@@ -55,6 +55,9 @@
     - proxy
     - proxy_http
     - proxy_wstunnel
+    # proxy_balancer and lbmethod_byrequests for pve load balancer
+    - proxy_balancer
+    - lbmethod_byrequests
     - rewrite
     - ssl
   become: true

vars/main.yml

@@ -344,7 +344,7 @@
     - { name: /etc/updatedb.conf, source: etc/updatedb.conf.default, when: "{{ (inventory_hostname != 'dirac') and (inventory_hostname != 'fs') }}" }
 
     - { source: etc/apache2/mods-available/userdir.conf.int, name: /etc/apache2/mods-available/userdir.conf, notify: "restart apache2", when: '{{ ( host_is_user_web_server | default(false) ) and ( deb_release == "bookworm" ) }}' }
-    - { name: /etc/apache2/,         source: etc/apache2.webserver.ext/, notify: "restart apache2", when: '{{ host_is_ext_web_server | default(false) }}' }
+    - { name: /etc/apache2/,         source: etc/apache2.webserver.ext/, notify: "restart apache2",                         when: '{{ host_is_ext_web_server | default(false) }}' }
     - { name: /etc/apache2/secrets/, source: etc/apache2.webserver.secrets, owner: www-data, group: www-data, mode: "0640", when: '{{ host_is_ext_web_server | default(false) }}' }
 
     - { name: /etc/rkhunter.conf,  source: etc/rkhunter.conf.j2 }  # kept separate to the tree because we want to store the various distribution versions for easier comparison