LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
355 Commits
12 Branches
967 KiB
 
 
 
 
Tree: 43291bb572
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '43291bb572'
${ noResults }
lilik_playbook/roles/reverse_proxy/tasks/main.yaml

91 lines
2.7 KiB
Raw Blame History

---
- name: 'configure nginx tcp 443 forwarder'
blockinfile:
dest: '/etc/nginx/nginx.conf'
block: |
stream {
# Get upstream $name rom TLS SNI Header
map $ssl_preread_server_name $name {
include /etc/nginx/map.conf.d/*.conf;
}
# Include upstream definitions
include /etc/nginx/upstream.conf.d/*.conf;
log_format stream_routing '$remote_addr [$time_local] '
'with SNI name "$ssl_preread_server_name" '
'proxying to "$name" '
'$protocol $status $bytes_sent $bytes_received '
'$session_time';
server {
listen {{ public_ip }}:443;
# Inspect TLS Headers
ssl_preread on;
# Proxy connection to upstream $name
proxy_pass $name;
# Log connection
access_log /var/log/nginx/stream_443.log stream_routing;
# If on send PROXY Protocol headers to EVERY upstream
# servers. WARNING: It will break connection to upstreams
# not configured to accept PROXY Protocol!
proxy_protocol {{ 'on' if proxy_protocol else 'off' }};
}
}
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
- name: 'configure nginx http 80 forwarder'
lineinfile:
dest: '/etc/nginx/nginx.conf'
insertafter: '^http {'
line: 'include /etc/nginx/http.conf.d/*.conf;'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
- name: 'create configuration directories for sites'
file:
state: 'directory'
dest: '/etc/nginx/{{ item }}'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
loop:
- 'http.conf.d'
- 'map.conf.d'
- 'upstream.conf.d'
- name: 'configure http proxy for https redirect and acme challenge'
template:
src: 'http.conf.j2'
dest: '/etc/nginx/http.conf.d/{{ ansible_hostname }}.conf'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
- name: 'configure upstream server spec'
copy:
content: |
upstream {{ ansible_hostname }}_https {
server {{ hostvars|ip_from_inventory(ansible_hostname) }}:{{
"10443" if proxy_protocol else "443"
}};
}
dest: '/etc/nginx/upstream.conf.d/{{ ansible_hostname }}.conf'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'
- name: 'configure sni-upstream mapping'
copy:
content: |
{% for server_fqdn in server_fqdns %}
{{ server_fqdn }} {{ ansible_hostname }}_https;
{% endfor %}
dest: '/etc/nginx/map.conf.d/{{ ansible_hostname }}.conf'
delegate_to: 'reverse_proxy'
notify: 'reload nginx'