
reverse_proxy: use PROXY PROTOCOL

The original client IP is correctly passed to upstream nginx
instances (nginx role or gitlab).

Affected roles:

- reverse_proxy:
    Pass PROXY PROTOCOL by default to all upstream servers. May cause
    problems with upstream servers unable to understand PROXY
    PROTOCOL. We should put an nginx proxy in front in that case.
- nginx:
    Expect PROXY PROTOCOL for all incoming TLS connections on nginx
    clients.
    *Warning:* now you can access the local server only by passing
    through the firewall reverse proxy, not directly.
- gitlab:
    Built-in nginx instance configured to expect PROXY PROTOCOL for
    TLS incoming connections.
python3
Zolfa, 4 years ago
commit c99cb8a9d5
Signed by: zolfa, GPG Key ID: E1A43B038C4D6616
3 changed files with 12 additions and 4 deletions
  1. roles/gitlab/templates/gitlab.rb.j2 (+6, -2)
  2. roles/nginx/templates/base.j2 (+5, -2)
  3. roles/reverse_proxy/tasks/main.yaml (+1, -0)

roles/gitlab/templates/gitlab.rb.j2 (+6, -2)

@ -1168,7 +1168,11 @@ external_url 'http://{{ server_fqdn }}'
##! **Override only if you use a reverse proxy**
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port
{% if enable_https %}
nginx['listen_port'] = "443 proxy_protocol"
{% else %}
# nginx['listen_port'] = nil
{% endif %}
##! **Override only if your reverse proxy internally communicates over HTTP**
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl
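Review bot: the `{% else %}` branch leaves `nginx['listen_port']` at its commented default, so the plain-HTTP listener is not configured for PROXY PROTOCOL even though the commit message says the reverse proxy now sends it to all upstreams by default; either add a template comment stating that only the TLS path (stream 443) is fronted by the proxy, or handle the HTTP case the same way. Also, `listen_port` is documented as a port number, and `"443 proxy_protocol"` only works because the value ends up inserted verbatim into the generated `listen` directive; a one-line comment next to `nginx['listen_port'] = "443 proxy_protocol"` explaining that dependency would save the next maintainer from "fixing" it back to an integer.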
@ -1190,8 +1194,8 @@ external_url 'http://{{ server_fqdn }}'
# nginx['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
# nginx['proxy_cache'] = 'gitlab'
# nginx['http2_enabled'] = true
# nginx['real_ip_trusted_addresses'] = []
# nginx['real_ip_header'] = nil
nginx['real_ip_trusted_addresses'] = [ '{{ hostvars | ip_from_inventory('vm_gateway') }}' ]
nginx['real_ip_header'] = "proxy_protocol"
# nginx['real_ip_recursive'] = nil
# nginx['custom_error_pages'] = {
# '404' => {
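Review bot: `nginx['real_ip_trusted_addresses']` trusts exactly one address resolved from inventory for `vm_gateway`; if the gateway connects to GitLab over IPv6 or from a second interface, the PROXY header is parsed but not honoured and `$remote_addr` stays the gateway's address, so list every source address the gateway actually uses. Keeping the trust list to the gateway rather than a broad range is the right call: any other host able to speak PROXY PROTOCOL to this port could otherwise forge the client IP that GitLab records and keys decisions on. Minor: the two live settings sit directly below their commented-out defaults (`# nginx['real_ip_trusted_addresses'] = []` and `# nginx['real_ip_header'] = nil`); drop the stale comments so the effective value is unambiguous.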


roles/nginx/templates/base.j2 (+5, -2)

@ -1,6 +1,9 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen 443 ssl http2 proxy_protocol;
listen [::]:443 ssl http2 proxy_protocol;
set_real_ip_from {{ hostvars | ip_from_inventory('vm_gateway') }};
real_ip_header proxy_protocol;
ssl_certificate /etc/letsencrypt/live/{{ server_fqdn }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ server_fqdn }}/privkey.pem;
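Review bot: `set_real_ip_from` receives a single inventory address while the server also listens on `[::]:443`; if `vm_gateway` reaches this host over IPv6 the PROXY header is not trusted and `$remote_addr` remains the gateway, so add the gateway's IPv6 address too, or drop the `[::]:443 ... proxy_protocol` listener if the gateway only forwards over IPv4. With `proxy_protocol` on both listen lines, a TLS client connecting directly now fails before the handshake, which is exactly the behaviour the commit message warns about; a comment in the template to that effect would stop the hard failure being misdiagnosed as a certificate problem.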


roles/reverse_proxy/tasks/main.yaml (+1, -0)

@ -19,6 +19,7 @@
ssl_preread on;
proxy_pass $name;
# Pass original Client IP with PROXY PROTOCOL
proxy_protocol on;
access_log /var/log/nginx/stream_443.log stream_routing;
}
}
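Review bot: `proxy_protocol on;` applies to every backend chosen through `proxy_pass $name`, and the directive takes only on/off, so there is no per-backend toggle in this server block; an upstream that does not expect the PROXY header will receive it where it expects the TLS ClientHello and fail the handshake, as the commit message anticipates. Give non-PROXY-aware backends their own `server` block (or the intermediate nginx the message mentions), and record in the role which backends must be configured to accept PROXY PROTOCOL. Since this stream proxy is now the only hop that sees the client's real socket address directly, it is worth checking that the `stream_routing` log format includes `$remote_addr` so the edge log remains a usable audit trail.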

