diff options
author | Johannes Stoelp <johannes.stoelp@gmail.com> | 2023-01-03 14:35:21 +0100 |
---|---|---|
committer | Johannes Stoelp <johannes.stoelp@gmail.com> | 2023-01-03 14:35:21 +0100 |
commit | fc5551b90f4317ccdf2d8c6b6a331647d676e138 (patch) | |
tree | f7e7ca66df93062658580c8b2e1e243175c9d7e1 /roles/webserver | |
parent | 80636776f6e811f4f1f5e4fe552661cd00ef23ca (diff) | |
download | ansible-memzero-fc5551b90f4317ccdf2d8c6b6a331647d676e138.tar.gz ansible-memzero-fc5551b90f4317ccdf2d8c6b6a331647d676e138.zip |
firewall: move from iptables to firewalld (nftables)
Diffstat (limited to 'roles/webserver')
-rw-r--r-- | roles/webserver/tasks/main.yml | 20 |
1 files changed, 5 insertions, 15 deletions
diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml index e2624c4..7838896 100644 --- a/roles/webserver/tasks/main.yml +++ b/roles/webserver/tasks/main.yml @@ -29,22 +29,12 @@ # Use 'z' to shared-ly relable selinux contexts. - "{{ DATA_ROOT }}/nginx/www:/www:ro,z" -# All services run in rootless-podman and nginx is the only entry point from -# the outside acting as webserver and reverse proxy. -# Since we dont want to lower the *unprivileged* port start (1024) we install -# two forwarding routes from -# 80 -> 8080 -# 443 -> 8443 - name: Forward port 80/443 to 8080/8443 - ansible.builtin.iptables: - table: nat - chain: PREROUTING - protocol: tcp - match: tcp - destination_port: "{{ item.from }}" - jump: REDIRECT - to_ports: "{{ item.to }}" - comment: "Redirect web traffic {{ item.from }} -> {{ item.to }}" + ansible.posix.firewalld: + rich_rule: "rule family=ipv4 forward-port port={{ item.from }} protocol=tcp to-port={{ item.to }}" + permanent: yes + immediate: yes + state: enabled become: true loop: - { from: 80 , to: 8080 } |