From e61be47f2e2ea7b269a2bb0099a706a7560f2f04 Mon Sep 17 00:00:00 2001
From: Theo Chatzimichos
Date: Jan 24 2018 19:32:43 +0000
Subject: remove duplicate values from various nginx configs, add location support
---
diff --git a/pillar/role/common/nginx.sls b/pillar/role/common/nginx.sls
index df753de..0e4e9f0 100644
--- a/pillar/role/common/nginx.sls
+++ b/pillar/role/common/nginx.sls
@@ -1,3 +1,5 @@
+{% set country = salt['grains.get']('country') %}
+
 nginx:
 ng:
 lookup:
@@ -14,7 +16,22 @@ nginx:
 - mime.types
 - conf.d/*.conf
 - vhosts.d/*.conf
- set_real_ip_from: 192.168.47.4
+ set_real_ip_from:
+ {% if country == 'de' %}
+ # HA proxies
+ - 192.168.47.4
+ - 192.168.47.101
+ - 192.168.47.102
+ # login proxies
+ - 192.168.47.16
+ - 192.168.47.21
+ - 192.168.47.22
+ - 172.16.42.3
+ {% elif country == 'us' %}
+ - 192.168.67.1
+ - 192.168.67.2
+ - 192.168.67.3
+ {% endif %}
 real_ip_header: X-Forwarded-For
 real_ip_recursive: 'on'
 worker_processes: 1
diff --git a/pillar/role/web_gitlab.sls b/pillar/role/web_gitlab.sls
index 1b1ba35..c784033 100644
--- a/pillar/role/web_gitlab.sls
+++ b/pillar/role/web_gitlab.sls
@@ -128,10 +128,6 @@ nginx:
 - ssl_dhparam: /etc/nginx/ssl/gitlab.infra.opensuse.org.dhparams
 ## [Optional] Enable HTTP Strict Transport Security
 - add_header: Strict-Transport-Security "max-age=31536000; includeSubDomains"
- ## Real IP Module Config
- ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
- - real_ip_header: X-Forwarded-For
- - real_ip_recursive: 'off'
 - access_log:
 - /var/log/nginx/gitlab_access.log
 - gitlab_ssl_access
diff --git a/pillar/role/web_keyserver.sls b/pillar/role/web_keyserver.sls
index beb71ba..d0e6600 100644
--- a/pillar/role/web_keyserver.sls
+++ b/pillar/role/web_keyserver.sls
@@ -1,3 +1,4 @@
+{% set host = salt['grains.get']('host') %}
 {% set ip4_private = salt['grains.get']('ipv4_interfaces:private[0]') %}
 include:
 
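Review bot: The new `set_real_ip_from:` list in pillar/role/common/nginx.sls is produced by an `{% if %}`/`{% elif %}` with no `{% else %}`, so on a minion whose `country` grain is unset or is neither `de` nor `us` the key is left without a value and the pillar parses it as null rather than a list; whether the formula then skips the directive or emits a bare `set_real_ip_from` that fails `nginx -t` depends on the formula's template, which is not visible here. Moving the key inside each branch (`{% if country == 'de' %}` / `set_real_ip_from:` / `- 192.168.47.4` …) leaves it absent on other minions, which is the safer default for a trust setting. Note also that the `de` list is broader than any of the per-site lists removed in web_gitlab.sls, web_keyserver.sls, web_mirrors.sls and web_progress.sls: 192.168.47.16 and 172.16.42.3 were previously trusted only by web_progress.sls, and 192.168.47.21 and 192.168.47.22 appear in none of the removed lines, so every vhost now accepts X-Forwarded-For from addresses it did not trust before and it is worth confirming each listed host really fronts every site. Finally, web_gitlab.sls drops `real_ip_recursive: 'off'` and will now inherit the `'on'` visible in this hunk's context, which changes which X-Forwarded-For hop nginx reports as the client address; that is a conflicting value rather than a duplicate and deserves a comment at the common setting, e.g. `# recursive: walk the whole X-Forwarded-For chain past trusted proxies (gitlab previously used 'off')`.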
@@ -35,15 +36,11 @@ nginx:
 - {{ ip4_private }}:11371
 - default_server
 - server_name: keyserver.opensuse.org
- - server_name: keyserver1.opensuse.org
+ - server_name: {{ host }}.opensuse.org
 - server_name: '*.sks-keyservers.net'
 - server_name: '*.pool.sks-keyservers.net'
 - server_name: pgp.mit.edu
 - server_name: keys.gnupg.net
- - set_real_ip_from: 192.168.47.4
- - set_real_ip_from: 192.168.47.101
- - set_real_ip_from: 192.168.47.102
- - real_ip_header: X-Forwarded-For
 - root: /srv/www/htdocs
 - rewrite: ^/stats /pks/lookup?op=stats
 - rewrite: ^/s/(.*) /pks/lookup?search=$1
@@ -68,7 +65,7 @@ nginx:
 - location /pks:
 - proxy_pass: http://127.0.0.1:11371
 - proxy_pass_header: Server
- - add_header: Via "1.1 keyserver1.opensuse.org:11371"
+ - add_header: Via "1.1 {{ host }}.opensuse.org:11371"
 - proxy_ignore_client_abort: 'on'
 - client_max_body_size: 8m
 - error_page: 500 502 503 504 /50x.html
diff --git a/pillar/role/web_mirrors.sls b/pillar/role/web_mirrors.sls
index 5f5d4e9..3bcd330 100644
--- a/pillar/role/web_mirrors.sls
+++ b/pillar/role/web_mirrors.sls
@@ -14,9 +14,6 @@ nginx:
 config:
 - server:
 - listen: {{ ip4_private }}:80
- - set_real_ip_from: 192.168.47.101
- - set_real_ip_from: 192.168.47.102
- - real_ip_header: X-Forwarded-For
 - location /:
 - root: /srv/www/vhosts/mirrors.opensuse.org
 - index:
diff --git a/pillar/role/web_progress.sls b/pillar/role/web_progress.sls
index 8d2f3b4..e59d1fd 100644
--- a/pillar/role/web_progress.sls
+++ b/pillar/role/web_progress.sls
@@ -14,12 +14,6 @@ nginx:
 - server:
 - listen: 80
 - server_tokens: 'off'
- - set_real_ip_from: 192.168.47.4
- - set_real_ip_from: 192.168.47.101
- - set_real_ip_from: 192.168.47.102
- - set_real_ip_from: 192.168.47.16
- - set_real_ip_from: 172.16.42.3
- - real_ip_header: X-Forwarded-For
 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 - add_header: Strict-Transport-Security max-age=15768000
 - location /:
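Review bot: `server_name: {{ host }}.opensuse.org` in web_keyserver.sls ties the public server name (and the `Via` header in the following hunk) to the minion's `host` grain, where the removed line pinned `keyserver1`; the vhost now follows whatever short hostname the minion reports, which is presumably intended for a pool of keyserverN nodes but is stated nowhere in the file. A comment above the line would make that contract explicit, e.g. `# per-node name from the host grain (keyserver1, ...), next to the shared keyserver.opensuse.org name`. The removed `set_real_ip_from`/`real_ip_header` entries are now expected to come from pillar/role/common/nginx.sls; if that common block renders at http level the server-level entries were indeed redundant, but that cannot be confirmed from this hunk. The enclosing server block starts before line 35, outside the hunk.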
diff --git a/pillar/role/web_static.sls b/pillar/role/web_static.sls
index 498995d..a7e99fb 100644
--- a/pillar/role/web_static.sls
+++ b/pillar/role/web_static.sls
@@ -25,7 +25,6 @@ nginx:
 - default_server
 {% endif %}
 - root: /srv/www/vhosts/{{ website }}.opensuse.org
- - gzip: 'on'
 - gzip_vary: 'on'
 - gzip_min_length: 1000
 - gzip_comp_level: 5