From b63e8f0445a81243e0ca77c70f8ab872089720a0 Mon Sep 17 00:00:00 2001
From: Karl Goetz
Date: Sat, 9 May 2020 11:30:23 +1000
Subject: [PATCH] WIP: Add a reverse proxy template

After asking in #11 I decided to just publish my config to help others easily deploy a reverse proxy.
---
 README.md | 3 ++
 .../nginx/sites-available/reverse-proxy.j2 | 46 +++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 templates/etc/nginx/sites-available/reverse-proxy.j2

diff --git a/README.md b/README.md
index 3c6c90c..51bd730 100644
--- a/README.md
+++ b/README.md
@@ -75,6 +75,9 @@ Here is a list of all the default variables for this role, which are also availa
 # name: foo
 # file: foo
 # append: ''
+# proxy_pass:
+# - target: 127.0.0.1
+# - target_port: 8000
 #
 # dependencies packages to install package
diff --git a/templates/etc/nginx/sites-available/reverse-proxy.j2 b/templates/etc/nginx/sites-available/reverse-proxy.j2
new file mode 100644
index 0000000..3f49cfd
--- /dev/null
+++ b/templates/etc/nginx/sites-available/reverse-proxy.j2
@@ -0,0 +1,46 @@
+# {{ ansible_managed }}
+
+# HTTPS terminating proxy sitting in front of webapp.
+
+# TODO: Check: Some of this file can probably be removed with no loss in functionality.
+
+# default_server on listen is required to work around bug https://github.com/certbot/certbot/issues/5817#issuecomment-391051737
+server {
+ server_name {{ item.name }}{% for value in item.aliases|default([]) %} {{ value }}{% endfor %};
+
+ return 301 https://$host$request_uri;
+
+ listen 80 ;
+ return 404;
+}
+
+server {
+ server_name {{ item.name }}{% for value in item.aliases|default([]) %} {{ value }}{% endfor %};
+
+ charset utf-8;
+ keepalive_timeout {{ nginx_keepalive_timeout }};
+ client_max_body_size 128M;
+ gzip_types text/css application/javascript text/javascript text/plain text/xml application/xml;
+ gzip_vary on;
+
+ root {{ item.webroot }};
+
+ # Letsencrypt
+ location /.well-known {
+ alias {{ item.wellknown }}/.well-known;
+ }
+
+ location / {
+ proxy_pass http://{{ item.proxy_pass.target }}:{{ item.proxy_pass.target_port }}/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ listen 443 ssl;
+ ssl_certificate {{ item.ssl.cert_path |default(openssl_certs_path) }}/{{ item.ssl.cert_name|default('server.crt') }};
+ ssl_certificate_key {{ item.ssl.cert_path |default(openssl_keys_path) }}/{{ item.ssl.key_name|default('server.key') }};
+
+}
+
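Review bot: The `location /` block reads `item.proxy_pass.target` and `item.proxy_pass.target_port` as keys of a mapping, but the README example added in this same patch writes `proxy_pass:` as a YAML list of two single-key items, so a user who copies the example gets an undefined-attribute error at render time; the README entry should be the mapping `# proxy_pass:` / `#   target: 127.0.0.1` / `#   target_port: 8000`. In the port-80 server the `return 404;` after `listen 80 ;` is unreachable because the earlier `return 301` always wins, and the header comment says `default_server` is required for the certbot workaround yet neither `listen 80` nor `listen 443 ssl` sets it, so either the comment or the directives should change. On the forwarding side, `$proxy_add_x_forwarded_for` appends `$remote_addr` to whatever `X-Forwarded-For` the client already sent, so the backend must take the client address from the last entry (or from `X-Real-IP`) rather than the first; a comment to that effect next to the header would save the next reader a mistake. The `listen 443 ssl` server sets no `ssl_protocols` or `ssl_ciphers`, leaving protocol and cipher selection to whatever the installed nginx build defaults to, which on older distributions may include protocol versions the role probably does not intend to offer.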