
roles/reverse_proxy: better handling of multi names

python3
Zolfa 4 years ago
parent
commit
9cf3c87b0d
Signed by: zolfa GPG Key ID: E1A43B038C4D6616
6 changed files with 29 additions and 26 deletions
  1. +1
    -1
      matrix.yaml
  2. +1
    -1
      projects.yaml
  3. +2
    -3
      roles/reverse_proxy/defaults/main.yaml
  4. +4
    -2
      roles/reverse_proxy/handlers/main.yaml
  5. +8
    -9
      roles/reverse_proxy/tasks/main.yaml
  6. +13
    -10
      roles/reverse_proxy/templates/http.conf.j2

+ 1
- 1
matrix.yaml View File

@ -8,7 +8,7 @@
roles:
- role: 'dns_record'
- role: 'reverse_proxy'
reverse_proxy_site_fqdns:
reverse_proxy_site_fqdn:
- 'matrix.{{ domain }}'
- 'riot.{{ domain }}'
- role: 'coturn'


+ 1
- 1
projects.yaml View File

@ -8,7 +8,7 @@
roles:
- role: 'dns_record'
- role: 'reverse_proxy'
reverse_proxy_site_fqdns:
reverse_proxy_site_fqdn:
- 'projects.{{ domain }}'
- 'mattermost.{{ domain }}'
- role: 'gitlab'


+ 2
- 3
roles/reverse_proxy/defaults/main.yaml View File

@ -1,6 +1,5 @@
---
reverse_proxy_site_fqdns:
- '{{ ansible_hostname }}.{{ domain }}'
- 'www.{{ ansible_hostname }}.{{ domain }}'
reverse_proxy_site_fqdn: '{{ ansible_hostname }}.{{ domain }}'
reverse_proxy_proxy_protocol: true
reverse_proxy_www_redir: false
...
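Review bot: The new default `reverse_proxy_site_fqdn` is a plain string, while the callers changed in this commit (matrix.yaml, projects.yaml) pass a list under the same key; the role's tasks and template reconcile the two with `[reverse_proxy_site_fqdn] | flatten(levels=1)`, but nothing in defaults tells a reader that both forms are accepted. A comment above the key would close that gap: `# Single FQDN or list of FQDNs; role templates wrap the value in a list and flatten it.` The old default also served `www.{{ ansible_hostname }}.{{ domain }}` unconditionally, whereas the www name now only exists when `reverse_proxy_www_redir` is true, which defaults to false; a one-line comment above that key, `# when true, also answer for www.<fqdn> on port 80 and redirect it to https://<fqdn>`, would warn callers that relied on the previous default.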

+ 4
- 2
roles/reverse_proxy/handlers/main.yaml View File

@ -1,3 +1,5 @@
- name: reload nginx
---
- name: 'reload reverse proxy'
command: '/usr/sbin/nginx -s reload'
delegate_to: reverse_proxy
delegate_to: 'reverse_proxy'
...
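Review bot: The renamed handler still shells out to `command: '/usr/sbin/nginx -s reload'` with no configuration check in front of it, so a broken generated fragment under `/etc/nginx/http.conf.d` or `map.conf.d` is only discovered once the running master re-reads the config, and as far as the visible tasks show nothing surfaces that to the play. A preceding check, `command: '/usr/sbin/nginx -t'` run on `reverse_proxy` before the reload (or a `service`/`systemd` handler with `state: reloaded` where the init system offers one), makes the failure visible at deploy time. The rename from 'reload nginx' to 'reload reverse proxy' is applied consistently in this role's tasks, but any other role that notified the old name would now fail with an unknown handler; only this role is visible here, so that is worth confirming across the repository.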

+ 8
- 9
roles/reverse_proxy/tasks/main.yaml View File

@ -35,9 +35,8 @@
proxy_protocol {{ 'on' if reverse_proxy_proxy_protocol else 'off' }};
}
}
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
notify: 'reload reverse proxy'
- name: 'configure nginx http 80 forwarder'
lineinfile:
@ -45,14 +44,14 @@
insertafter: '^http {'
line: 'include /etc/nginx/http.conf.d/*.conf;'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
notify: 'reload reverse proxy'
- name: 'create configuration directories for sites'
file:
state: 'directory'
dest: '/etc/nginx/{{ item }}'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
notify: 'reload reverse proxy'
loop:
- 'http.conf.d'
- 'map.conf.d'
@ -63,7 +62,7 @@
src: 'http.conf.j2'
dest: '/etc/nginx/http.conf.d/{{ ansible_hostname }}.conf'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
notify: 'reload reverse proxy'
- name: 'configure upstream server spec'
copy:
@ -75,18 +74,18 @@
}
dest: '/etc/nginx/upstream.conf.d/{{ ansible_hostname }}.conf'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
notify: 'reload reverse proxy'
- name: 'configure sni-upstream mapping'
copy:
content: |
{% for site_fqdn in reverse_proxy_site_fqdns %}
{% for site_fqdn in [reverse_proxy_site_fqdn] | flatten(levels=1) %}
{{ site_fqdn }} {{ ansible_hostname }}_https;
{% endfor %}
dest: '/etc/nginx/map.conf.d/{{ ansible_hostname }}.conf'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
notify: 'reload reverse proxy'
- meta: 'flush_handlers'
- meta: 'flush_handlers'
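Review bot: The `{% for site_fqdn in [reverse_proxy_site_fqdn] | flatten(levels=1) %}` line in the 'configure sni-upstream mapping' task is the construct that lets a single string or a list be passed under the same variable, and the same idiom appears in templates/http.conf.j2, but neither place explains it. A comment on the task, `# reverse_proxy_site_fqdn may be a string or a list; wrapping and flattening normalises both to a list`, keeps the next maintainer from "simplifying" it back to a bare loop that would iterate over the characters of a string. The mapping content also writes each FQDN straight into an nginx directive; the values come from inventory and playbook variables as far as this hunk shows, so no filtering is proposed, but the comment should say the role trusts them as given.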

+ 13
- 10
roles/reverse_proxy/templates/http.conf.j2 View File

@ -1,22 +1,25 @@
{% for server_name in [reverse_proxy_site_fqdn] | flatten(levels=1) %}
server {
listen {{ public_ip }}:80;
server_name {{ reverse_proxy_site_fqdns | join(" ") }};
server_name
{{ server_name }}{% if reverse_proxy_www_redir %} www.{{ server_name }}{% endif %};
# Redirect ACME Challenges to the upstream server port 80
location /.well-known/acme-challenge/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://{{ hostvars | ip_from_inventory(ansible_hostname) }};
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://{{ hostvars | ip_from_inventory(ansible_hostname) }};
}
# Redirect to HTTPS all non-ACME requests
location / {
if ($request_method = POST) {
return 307 https://$host$request_uri;
}
return 301 https://$host$request_uri;
if ($request_method = POST) {
return 307 https://$server_name$request_uri;
}
return 301 https://$server_name$request_uri;
}
}
{% endfor %}
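Review bot: The `return 307` and `return 301` lines now build the HTTPS target from `$server_name` rather than the old `$host`, and nginx sets `$server_name` to the first name in the `server_name` directive, so when `reverse_proxy_www_redir` is on a request for `www.<fqdn>` lands on `https://<fqdn>/…`; that appears to be the intended www-to-apex redirect, and it also means the redirect target no longer reflects the client-supplied Host header, but neither property is stated in the template. A comment above `location /` would make both explicit: `# Redirect using $server_name (first name in server_name) rather than $host: www.<fqdn> lands on the bare fqdn and the target never comes from the client's Host header.` Note that the ACME location a few lines up still forwards `Host $host` to the upstream, which is what the challenge needs, so the two locations deliberately differ; saying so in the same comment avoids a later "consistency" edit. Each FQDN in `reverse_proxy_site_fqdn` becomes its own `server {}` block with the same `listen {{ public_ip }}:80;`, which nginx accepts as long as the names differ, so a duplicate name in the list would surface only as a config warning at reload.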
