
roles/reverse_proxy: proxy_protocol and random fix

python3
Zolfa 5 years ago
parent
commit
1b3f7b8592
Signed by: zolfa GPG Key ID: E1A43B038C4D6616
5 changed files with 56 additions and 40 deletions
  1. +6
    -1
      roles/reverse_proxy/defaults/main.yaml
  2. +47
    -33
      roles/reverse_proxy/tasks/main.yaml
  3. +3
    -1
      roles/reverse_proxy/templates/http.conf.j2
  4. +0
    -2
      roles/reverse_proxy/templates/map.j2
  5. +0
    -3
      roles/reverse_proxy/templates/upstream.j2

+ 6
- 1
roles/reverse_proxy/defaults/main.yaml View File

@ -1 +1,6 @@
hostname: "{{ ansible_hostname }}"
---
server_fqdns:
- '{{ ansible_hostname }}.{{ domain }}'
- 'www.{{ ansible_hostname }}.{{ domain }}'
proxy_protocol: true
...
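Review bot: `proxy_protocol: true` opts every host into PROXY protocol by default, and the tasks in this commit make that a hard contract: the stream forwarder sends PROXY headers to the upstream and the upstream is addressed on port 10443 instead of 443, so a backend that is not listening for PROXY protocol on 10443 stops receiving traffic as soon as the role runs with defaults. The task comment already warns about this, but the defaults file is where a reader looks first, so I would document the contract here, e.g. `# true: the 443 stream forwarder speaks PROXY protocol to this host's upstream on port 10443 (the backend must accept it there); false: plain TCP to port 443`. Since the backend will take the client address from that header, it is also worth noting that the backend should only trust PROXY headers that arrive from the reverse proxy's address. The trailing `...` document-end marker is optional and can be dropped for consistency with the other role files, though it is harmless.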

+ 47
- 33
roles/reverse_proxy/tasks/main.yaml View File

@ -1,12 +1,15 @@
--- ---
- name: 'add https configs to nginx'
- name: 'configure nginx tcp 443 forwarder'
blockinfile: blockinfile:
dest: '/etc/nginx/nginx.conf' dest: '/etc/nginx/nginx.conf'
block: | block: |
stream { stream {
# Get upstream $name rom TLS SNI Header
map $ssl_preread_server_name $name { map $ssl_preread_server_name $name {
include /etc/nginx/map.conf.d/*.conf; include /etc/nginx/map.conf.d/*.conf;
} }
# Include upstream definitions
include /etc/nginx/upstream.conf.d/*.conf; include /etc/nginx/upstream.conf.d/*.conf;
log_format stream_routing '$remote_addr [$time_local] ' log_format stream_routing '$remote_addr [$time_local] '
@ -14,19 +17,29 @@
'proxying to "$name" ' 'proxying to "$name" '
'$protocol $status $bytes_sent $bytes_received ' '$protocol $status $bytes_sent $bytes_received '
'$session_time'; '$session_time';
server { server {
listen {{ public_ip }}:443; listen {{ public_ip }}:443;
ssl_preread on;
proxy_pass $name;
# Pass original Client IP with PROXY PROTOCOL
proxy_protocol on;
access_log /var/log/nginx/stream_443.log stream_routing;
# Inspect TLS Headers
ssl_preread on;
# Proxy connection to upstream $name
proxy_pass $name;
# Log connection
access_log /var/log/nginx/stream_443.log stream_routing;
# If on send PROXY Protocol headers to EVERY upstream
# servers. WARNING: It will break connection to upstreams
# not configured to accept PROXY Protocol!
proxy_protocol {{ 'on' if proxy_protocol else 'off' }};
} }
} }
delegate_to: 'reverse_proxy' delegate_to: 'reverse_proxy'
notify: reload nginx
notify: 'reload nginx'
- name: 'add http configs to nginx'
- name: 'configure nginx http 80 forwarder'
lineinfile: lineinfile:
dest: '/etc/nginx/nginx.conf' dest: '/etc/nginx/nginx.conf'
insertafter: '^http {' insertafter: '^http {'
@ -34,44 +47,45 @@
delegate_to: 'reverse_proxy' delegate_to: 'reverse_proxy'
notify: 'reload nginx' notify: 'reload nginx'
- name: 'create the http.conf.d directory for nginx'
- name: 'create configuration directories for sites'
file: file:
state: 'directory' state: 'directory'
dest: '/etc/nginx/http.conf.d'
dest: '/etc/nginx/{{ item }}'
delegate_to: 'reverse_proxy' delegate_to: 'reverse_proxy'
notify: 'reload nginx' notify: 'reload nginx'
loop:
- 'http.conf.d'
- 'map.conf.d'
- 'upstream.conf.d'
- name: 'upload http to reverse proxy'
- name: 'configure http proxy for https redirect and acme challenge'
template: template:
src: 'http.j2'
dest: '/etc/nginx/http.conf.d/http_{{ hostname }}.conf'
src: 'http.conf.j2'
dest: '/etc/nginx/http.conf.d/{{ ansible_hostname }}.conf'
delegate_to: 'reverse_proxy' delegate_to: 'reverse_proxy'
notify: 'reload nginx' notify: 'reload nginx'
- name: 'create the map.conf directory for nginx'
file:
state: 'directory'
dest: '/etc/nginx/map.conf.d'
- name: 'configure upstream server spec'
copy:
content: |
upstream {{ ansible_hostname }}_https {
server {{ hostvars|ip_from_inventory(ansible_hostname) }}:{{
"10443" if proxy_protocol else "443"
}};
}
dest: '/etc/nginx/upstream.conf.d/{{ ansible_hostname }}.conf'
delegate_to: 'reverse_proxy' delegate_to: 'reverse_proxy'
notify: 'reload nginx' notify: 'reload nginx'
- name: 'create the upstream.conf directory for nginx'
file:
state: 'directory'
dest: '/etc/nginx/upstream.conf.d'
- name: 'configure sni-upstream mapping'
copy:
content: |
{% for server_fqdn in server_fqdns %}
{{ server_fqdn }} {{ ansible_hostname }}_https;
{% endfor %}
dest: '/etc/nginx/map.conf.d/{{ ansible_hostname }}.conf'
delegate_to: 'reverse_proxy' delegate_to: 'reverse_proxy'
notify: 'reload nginx' notify: 'reload nginx'
- name: 'upload mappings to reverse proxy'
template:
src: 'map.j2'
dest: '/etc/nginx/map.conf.d/map_{{ hostname }}.conf'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
- name: 'upload upstream to reverse proxy'
template:
src: 'upstream.j2'
dest: '/etc/nginx/upstream.conf.d/upstream_{{ hostname }}.conf'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
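Review bot: The `proxy_protocol {{ 'on' if proxy_protocol else 'off' }};` line in the nginx.conf blockinfile stream server is rendered from the per-host `proxy_protocol` variable, but the block lives in the single nginx.conf on the delegated `reverse_proxy` host and applies to every upstream, so when hosts disagree on the value the last host to run decides for all of them (and blockinfile rewrites the block and re-triggers the reload on each run), while the `"10443" if proxy_protocol else "443"` choice in the 'configure upstream server spec' task stays per host; a mismatch would send PROXY headers to a plain 443 backend or plain TCP to a 10443 PROXY listener. I would either source this value from a reverse-proxy-level variable rather than the per-host default, or at least state the constraint next to the existing warning: `# proxy_protocol must be set to the same value for every host sharing this reverse proxy`. Separately, the new comment `# Get upstream $name rom TLS SNI Header` should read `from`.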

roles/reverse_proxy/templates/http.j2 → roles/reverse_proxy/templates/http.conf.j2 View File


+ 0
- 2
roles/reverse_proxy/templates/map.j2 View File

@ -1,2 +0,0 @@
{{ hostname }}.{{ domain }} {{ hostname }}_https;
www.{{ hostname }}.{{ domain }} {{ hostname }}_https;

+ 0
- 3
roles/reverse_proxy/templates/upstream.j2 View File

@ -1,3 +0,0 @@
upstream {{ hostname }}_https {
server {{ hostvars | ip_from_inventory(ansible_hostname) }}:443;
}
