ai-workspace-infra/gitops
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: geolocate svc.plus redirects

Browse Source
This commit is contained in:
shenlan 2025-08-18 15:07:35 +08:00
parent 5a6c2b3d14
commit 0807ac1a34
4 changed files with 120 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
playbooks/deploy_exporters_vhosts.yml
View File

@ -3,6 +3,11 @@
become: true
vars:
group: cn-homepage.svc.plus
domains:
- cn-homepage.svc.plus
- cn-artifact.svc.plus
- www.svc.plus
- artifact.svc.plus
roles:
- roles/vhosts/common/
- roles/vhosts/node_exporter/
@ -12,6 +17,11 @@
become: true
vars:
group: global-homepage.svc.plus
domains:
- global-homepage.svc.plus
- global-artifact.svc.plus
- www.svc.plus
- artifact.svc.plus
roles:
- roles/vhosts/common/
- roles/vhosts/node_exporter/

24
playbooks/deploy_openresty_vhosts.yml
View File

@ -9,6 +9,18 @@
- name: cn-artifact.svc.plus
ssl_certificate: /etc/ssl/svc.plus.pem
ssl_certificate_key: /etc/ssl/svc.plus.rsa.key
- name: www.svc.plus
template: geo_redirect.conf.j2
cn_target: cn-homepage.svc.plus
global_target: global-homepage.svc.plus
ssl_certificate: /etc/ssl/svc.plus.pem
ssl_certificate_key: /etc/ssl/svc.plus.rsa.key
- name: artifact.svc.plus
template: geo_redirect.conf.j2
cn_target: cn-artifact.svc.plus
global_target: global-artifact.svc.plus
ssl_certificate: /etc/ssl/svc.plus.pem
ssl_certificate_key: /etc/ssl/svc.plus.rsa.key
roles:
- roles/vhosts/common/
- roles/vhosts/OpenResty/
@ -23,6 +35,18 @@
- name: global-artifact.svc.plus
ssl_certificate: /etc/ssl/svc.plus.pem
ssl_certificate_key: /etc/ssl/svc.plus.rsa.key
- name: www.svc.plus
template: geo_redirect.conf.j2
cn_target: cn-homepage.svc.plus
global_target: global-homepage.svc.plus
ssl_certificate: /etc/ssl/svc.plus.pem
ssl_certificate_key: /etc/ssl/svc.plus.rsa.key
- name: artifact.svc.plus
template: geo_redirect.conf.j2
cn_target: cn-artifact.svc.plus
global_target: global-artifact.svc.plus
ssl_certificate: /etc/ssl/svc.plus.pem
ssl_certificate_key: /etc/ssl/svc.plus.rsa.key
roles:
- roles/vhosts/common/
- roles/vhosts/OpenResty/

47
playbooks/roles/vhosts/OpenResty/tasks/main.yml
View File

@ -5,25 +5,59 @@
- gnupg
- apt-transport-https
state: present
update_cache: yes
update_cache: true
- name: Import OpenResty GPG key
command: >-
bash -c 'curl -fsSL https://openresty.org/package/pubkey.gpg | gpg --dearmor -o /usr/share/keyrings/openresty.gpg'
shell: |
curl -fsSL https://openresty.org/package/pubkey.gpg | \
gpg --dearmor -o /usr/share/keyrings/openresty.gpg
args:
creates: /usr/share/keyrings/openresty.gpg
# yamllint disable rule:line-length
- name: Add OpenResty apt repository
apt_repository:
repo: "deb [signed-by=/usr/share/keyrings/openresty.gpg] http://openresty.org/package/ubuntu jammy main"
filename: openresty
state: present
# yamllint enable rule:line-length
- name: Install OpenResty
apt:
name: openresty
state: present
update_cache: yes
update_cache: true
- name: Install GeoIP dependencies
apt:
name: luarocks
state: present
update_cache: true
- name: Install lua-resty-maxminddb
command: "luarocks install lua-resty-maxminddb"
args:
creates: /usr/local/openresty/site/lualib/resty/maxminddb.lua
- name: Ensure GeoIP database directory exists
file:
path: /usr/share/GeoIP
state: directory
mode: "0755"
# yamllint disable rule:line-length
- name: Download GeoLite2 Country database
get_url:
url: https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb.gz
dest: /usr/share/GeoIP/GeoLite2-Country.mmdb.gz
# yamllint enable rule:line-length
- name: Decompress GeoLite2 Country database
unarchive:
src: /usr/share/GeoIP/GeoLite2-Country.mmdb.gz
dest: /usr/share/GeoIP/
remote_src: true
creates: /usr/share/GeoIP/GeoLite2-Country.mmdb
- name: Ensure sites-available directory exists
file:
@ -38,7 +72,8 @@
- name: Deploy vhost configurations
template:
# Use item.template if provided; otherwise default to the unified site template
# Use item.template if provided;
# otherwise default to the unified site template
src: "{{ item.template | default('site.conf.j2') }}"
dest: "/usr/local/openresty/nginx/conf/sites-available/{{ item.name }}.conf"
loop: "{{ domain | default([]) }}"
@ -47,7 +82,7 @@
- name: Enable and start OpenResty
systemd:
name: openresty
enabled: yes
enabled: true
state: started
- name: Verify OpenResty core API

45
playbooks/roles/vhosts/OpenResty/templates/geo_redirect.conf.j2 Normal file
View File

@ -0,0 +1,45 @@
lua_package_path "/usr/local/openresty/lualib/?.lua;;";
server {
listen 443 ssl http2;
server_name {{ item.name }};
ssl_certificate {{ item.ssl_certificate }};
ssl_certificate_key {{ item.ssl_certificate_key }};
location / {
access_by_lua_block {
local region = ngx.var.cookie_region
if region == "CN" then
return ngx.redirect("https://{{ item.cn_target }}" .. ngx.var.request_uri, 302)
elseif region == "GLOBAL" then
return ngx.redirect("https://{{ item.global_target }}" .. ngx.var.request_uri, 302)
end
local geoip = require("resty.maxminddb")
local reader, err = geoip.new("/usr/share/GeoIP/GeoLite2-Country.mmdb")
if not reader then
ngx.log(ngx.ERR, "failed to open MaxMind DB: ", err)
ngx.header["Set-Cookie"] = "region=GLOBAL; Path=/; Max-Age=3600"
return ngx.redirect("https://{{ item.global_target }}" .. ngx.var.request_uri, 302)
end
local res, err = reader:lookup(ngx.var.remote_addr)
if err then
ngx.log(ngx.ERR, "failed to lookup IP: ", err)
ngx.header["Set-Cookie"] = "region=GLOBAL; Path=/; Max-Age=3600"
return ngx.redirect("https://{{ item.global_target }}" .. ngx.var.request_uri, 302)
end
local country = res and res.country and res.country.iso_code or "XX"
if country == "CN" then
ngx.header["Set-Cookie"] = "region=CN; Path=/; Max-Age=3600"
return ngx.redirect("https://{{ item.cn_target }}" .. ngx.var.request_uri, 302)
else
ngx.header["Set-Cookie"] = "region=GLOBAL; Path=/; Max-Age=3600"
return ngx.redirect("https://{{ item.global_target }}" .. ngx.var.request_uri, 302)
end
}
}
}