Reverse proxy support #11

Closed
goetzk opened this issue May 9, 2020 · 1 comment

goetzk commented May 9, 2020

Hi,

I'm using this role with the following configuration and template to give myself a reverse proxy configuration.
I'm wondering if you are interested in having built-in support for reverse proxies like this and, if yes, which bits you'd like to see made configurable.
Things I'm guessing you'd like to see configurable are listed below but do you have any others?

  • listen directives
  • client_max_body_size?
  • keepalive_timeout?
  • proxy_pass target host+port

If you're interested I'll put together a PR for a more detailed review.

```yaml
nginx_sites:
  - id: credentials
    name: "example.com"
    ip: x.x.x.x
    state: present
    add_webroot: no
    aliases:
      - "alias.example.com"
    template: templates-shared/nginx-with-https-upgrade.tmpl
    webroot: "/srv/x/webroot"
    # Where the .well-known folder sits in
    wellknown: "/srv/x/letsencrypt"
    redirects:
      - "{{ another.example.com }}"
      - "{{ something.example.com }}.au"
    ssl:
      cert_path: /etc/letsencrypt/live/{{ x }}
      cert_name: fullchain.pem
      key_name: privkey.pem
    rules: []
    append: ''
```
cat reverse-proxy.j2

```jinja
# {{ ansible_managed }}
# HTTPS terminating proxy sitting in front of webapp.
# TODO: Check: Some of this file can probably be removed with no loss in functionality.

# default_server on listen is required to work around bug https://github.com/certbot/certbot/issues/5817#issuecomment-391051737
server {
    server_name {{ item.name }}{% for value in item.aliases|default([]) %} {{ value }}{% endfor %};

    return 301 https://$host$request_uri;

    listen 80;
    return 404;
}

server {
    server_name {{ item.name }}{% for value in item.aliases|default([]) %} {{ value }}{% endfor %};

    charset utf-8;
    keepalive_timeout 65;
    client_max_body_size 128M;
    gzip_types text/css application/javascript text/javascript text/plain text/xml application/xml;
    gzip_vary on;

    root {{ item.webroot }};

    # Letsencrypt
    location /.well-known {
        alias {{ item.wellknown }}/.well-known;
    }

    location / {
        proxy_pass http://127.0.0.1:8000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl;
    ssl_certificate {{ item.ssl.cert_path |default(openssl_certs_path) }}/{{ item.ssl.cert_name|default('server.crt') }};
    ssl_certificate_key {{ item.ssl.cert_path |default(openssl_keys_path) }}/{{ item.ssl.key_name|default('server.key') }};

}
```
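
The configurable items listed in the issue (listen directives, `client_max_body_size`, `keepalive_timeout`, and the `proxy_pass` target host and port), applied to the template above. This is an added example, not part of the original issue or the role's code; the `item.proxy.*` keys are hypothetical names chosen for illustration, and each default is the value hard-coded in the issue's template.

```jinja
# {{ ansible_managed }}
{# Added example. The item.proxy.* keys are hypothetical, not variables defined by the role. #}
{% set proxy = item.proxy | default({}) %}

# Plain-HTTP listener: redirect every request to HTTPS.
server {
    listen {{ proxy.listen_http | default('80') }};
    server_name {{ item.name }}{% for value in item.aliases|default([]) %} {{ value }}{% endfor %};

    return 301 https://$host$request_uri;
}

# HTTPS-terminating proxy in front of the web application.
server {
    listen {{ proxy.listen_https | default('443 ssl') }};
    server_name {{ item.name }}{% for value in item.aliases|default([]) %} {{ value }}{% endfor %};

    charset utf-8;
    keepalive_timeout {{ proxy.keepalive_timeout | default(65) }};
    client_max_body_size {{ proxy.client_max_body_size | default('128M') }};
    gzip_types text/css application/javascript text/javascript text/plain text/xml application/xml;
    gzip_vary on;

    ssl_certificate {{ item.ssl.cert_path |default(openssl_certs_path) }}/{{ item.ssl.cert_name|default('server.crt') }};
    ssl_certificate_key {{ item.ssl.cert_path |default(openssl_keys_path) }}/{{ item.ssl.key_name|default('server.key') }};

    root {{ item.webroot }};

    # Let's Encrypt challenge files
    location /.well-known {
        alias {{ item.wellknown }}/.well-known;
    }

    location / {
        # Backend target, loopback by default so the app is reachable only through this proxy.
        proxy_pass http://{{ proxy.upstream_host | default('127.0.0.1') }}:{{ proxy.upstream_port | default(8000) }}/;
        proxy_set_header Host $host;
        # X-Real-IP carries the directly connected peer address.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to any X-Forwarded-For the
        # client sent, so the backend should trust only the last entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With no `proxy` key set on the site entry, this renders the same listeners, limits and backend target as the template posted in the issue.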
goetzk added a commit to goetzk/ansible-nginx that referenced this issue May 9, 2020
After asking in weareinteractive#11 I decided to just publish my config to help others easily
deploy a reverse proxy.

goetzk commented May 9, 2020

Writing that up I decided to go for the PR anyway and I've opened #12.

goetzk closed this as completed May 9, 2020