From b63e8f0445a81243e0ca77c70f8ab872089720a0 Mon Sep 17 00:00:00 2001 From: Karl Goetz Date: Sat, 9 May 2020 11:30:23 +1000 Subject: [PATCH 1/3] WIP: Add a reverse proxy template After asking in #11 I decided to just publish my config to help others easily deploy a reverse proxy. --- README.md | 3 ++ .../nginx/sites-available/reverse-proxy.j2 | 46 +++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 templates/etc/nginx/sites-available/reverse-proxy.j2 diff --git a/README.md b/README.md index 3c6c90c..51bd730 100644 --- a/README.md +++ b/README.md @@ -75,6 +75,9 @@ Here is a list of all the default variables for this role, which are also availa # name: foo # file: foo # append: '' +# proxy_pass: +# - target: 127.0.0.1 +# - target_port: 8000 # # dependencies packages to install package diff --git a/templates/etc/nginx/sites-available/reverse-proxy.j2 b/templates/etc/nginx/sites-available/reverse-proxy.j2 new file mode 100644 index 0000000..3f49cfd --- /dev/null +++ b/templates/etc/nginx/sites-available/reverse-proxy.j2 
@@ -0,0 +1,46 @@
+# {{ ansible_managed }}
+
+# HTTPS terminating proxy sitting in front of webapp.
+
+# TODO: Check: Some of this file can probably be removed with no loss in functionality.
+
+# default_server on listen is required to work around bug https://github.com/certbot/certbot/issues/5817#issuecomment-391051737
+server {
+ server_name {{ item.name }}{% for value in item.aliases|default([]) %} {{ value }}{% endfor %};
+
+ return 301 https://$host$request_uri;
+
+ listen 80 ;
+ return 404;
+}
+
+server {
+ server_name {{ item.name }}{% for value in item.aliases|default([]) %} {{ value }}{% endfor %};
+
+ charset utf-8;
+ keepalive_timeout {{ nginx_keepalive_timeout }};
+ client_max_body_size 128M;
+ gzip_types text/css application/javascript text/javascript text/plain text/xml application/xml;
+ gzip_vary on;
+
+ root {{ item.webroot }};
+
+ # Letsencrypt
+ location /.well-known {
+ alias {{ item.wellknown }}/.well-known;
+ }
+
+ location / {
+ proxy_pass http://{{ item.proxy_pass.target }}:{{ item.proxy_pass.target_port }}/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ listen 443 ssl;
+ ssl_certificate {{ item.ssl.cert_path |default(openssl_certs_path) }}/{{ item.ssl.cert_name|default('server.crt') }};
+ ssl_certificate_key {{ item.ssl.cert_path |default(openssl_keys_path) }}/{{ item.ssl.key_name|default('server.key') }};
+
+}
+
From 2deaecfe0bd0ed00ef40d7785edcc6c32728ef53 Mon Sep 17 00:00:00 2001 From: Karl Goetz Date: Mon, 11 May 2020 20:54:45 +1000 Subject: [PATCH 2/3] Continue development of proxies support Somewhat based on feedback in PR, a number of changes. --- README.md | 20 ++++++++++++- tasks/main.yml | 9 ++++++ tasks/proxies.yml | 30 +++++++++++++++++++ .../nginx/sites-available/reverse-proxy.j2 | 10 +++++-- 4 files changed, 65 insertions(+), 4 deletions(-) create mode 100644 tasks/proxies.yml
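Review bot: The HTTP server block's `listen 80 ;` does not carry the `default_server` that the comment two lines above says is required for the certbot workaround, and the `return 404;` after `return 301 https://$host$request_uri;` can never execute because the first return ends processing; either drop the 404 line or write `listen 80 default_server;` so the comment and the config agree. Patch 2 rewrites this line as `listen {{ item.ip|default('*') }}:{{item.port|default(80)}};` and patch 3 keeps that form, so the missing `default_server` survives the whole series. Separately, `ssl_certificate_key` builds its directory from `item.ssl.cert_path` with `openssl_keys_path` only as the fallback, so as soon as a `cert_path` is set the private key is looked up in the certificate directory; a distinct `{{ item.ssl.key_path|default(openssl_keys_path) }}` would keep the two locations independent, which is also what the README added in patch 2 documents with its separate `key_path` key.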
diff --git a/README.md b/README.md index 51bd730..cf62479 100644 --- a/README.md +++ b/README.md @@ -75,10 +75,28 @@ Here is a list of all the default variables for this role, which are also availa # name: foo # file: foo # append: '' +# + +# nginx_proxies: +# - id: foo (required) +# name: foo.com (required) +# aliases: [] +# ip: '*' +# port: 80 +# state: present +# template: path/to/template.j2 +# wellknown: folder which .well-known sits within (required) +# ssl: +# upgrade: yes +# key_name: mykey.key +# key_path: path/to/key +# cert_name: mycert.crt +# cert_path: path/to/cert # proxy_pass: # - target: 127.0.0.1 # - target_port: 8000 -# +# extra_headers: [] + # dependencies packages to install package nginx_dependencies: diff --git a/tasks/main.yml b/tasks/main.yml index 015886a..0dfee05 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -22,6 +22,15 @@ - manage - nginx-manage +- import_tasks: proxies.yml + when: nginx_proxies | length + tags: + - web + - nginx + - manage + - nginx-manage + - proxies + - import_tasks: service.yml tags: - web diff --git a/tasks/proxies.yml b/tasks/proxies.yml new file mode 100644 index 0000000..e684771 --- /dev/null +++ b/tasks/proxies.yml 
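Review bot: `when: nginx_proxies | length` makes the role abort with an undefined-variable error for every host that does not set `nginx_proxies`, unless `defaults/main.yml` (not touched anywhere in this series) already defines it; the README only shows the key commented out, which suggests it is not defaulted. Patch 3 changes the line to `when: nginx_proxies`, which has the same problem. Either add `nginx_proxies: []` to the role defaults or write the condition as `when: nginx_proxies | default([]) | length > 0`.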
@@ -0,0 +1,30 @@ +--- + +- name: Configuring proxies + template: + src: "{{ item.template|default('etc/nginx/sites-available/reverse-proxy.j2') }}" + dest: "/etc/nginx/sites-available/{{ item.id }}" + owner: root + group: root + mode: "0644" + with_items: "{{ nginx_proxies }}" + notify: reload nginx + +- name: Enabling proxies + file: + src: "/etc/nginx/sites-available/{{ item.id }}" + dest: "/etc/nginx/sites-enabled/{{ item.id }}" + state: link + when: item.state is not defined or item.state == 'present' + with_items: "{{ nginx_proxies }}" + notify: reload nginx + +- name: Disabling proxies + file: + src: "/etc/nginx/sites-available/{{ item.id }}" + dest: "/etc/nginx/sites-enabled/{{ item.id }}" + state: absent + when: item.state is defined and item.state == 'absent' + with_items: "{{ nginx_proxies }}" + notify: restart nginx + diff --git a/templates/etc/nginx/sites-available/reverse-proxy.j2 b/templates/etc/nginx/sites-available/reverse-proxy.j2 index 3f49cfd..2429220 100644 --- a/templates/etc/nginx/sites-available/reverse-proxy.j2 +++ b/templates/etc/nginx/sites-available/reverse-proxy.j2 @@ -5,14 +5,17 @@ # TODO: Check: Some of this file can probably be removed with no loss in functionality. # default_server on listen is required to work around bug https://github.com/certbot/certbot/issues/5817#issuecomment-391051737 +# TODO: make this if work +{% if item.ssl.upgrade is defined and item.ssl.upgrade is not false %} server { server_name {{ item.name }}{% for value in item.aliases|default([]) %} {{ value }}{% endfor %}; return 301 https://$host$request_uri; - listen 80 ; + listen {{ item.ip|default('*') }}:{{item.port|default(80)}}; return 404; } +{% endif %} server { server_name {{ item.name }}{% for value in item.aliases|default([]) %} {{ value }}{% endfor %}; 
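Review bot: `item.id` goes straight into `dest: "/etc/nginx/sites-available/{{ item.id }}"` and into the two `sites-enabled` paths below with no check on its shape, so an id containing `/` or `..`, or an empty id, yields a path outside the intended directory or a collision with the directory itself. A short assert task at the top of the file rejects anything that is not a plain file name before any file is written. Also note that `Configuring proxies` renders the vhost for every entry regardless of `state`, so an `absent` entry still gets a fresh file in sites-available, and `Disabling proxies` notifies `restart nginx` while the other two tasks use `reload nginx`; removing a symlink only needs the reload.
```yaml
- name: Validate proxy ids
  assert:
    that:
      - item.id is defined
      - item.id is match('^[A-Za-z0-9._-]+$')
    fail_msg: "nginx_proxies entries need an id that is safe to use as a file name"
  with_items: "{{ nginx_proxies }}"

# … unchanged: Configuring / Enabling / Disabling proxies tasks …
```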
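Review bot: The guard `{% if item.ssl.upgrade is defined and item.ssl.upgrade is not false %}` is marked TODO by the commit itself, and patch 3's replacement `{% if item.ssl.upgrade is defined() %}` (first hunk of the patch 3 template) keys only on whether the flag exists, so the `upgrade: no` case the README's `upgrade: yes` example implies still emits the redirect server. `{% if item.ssl.upgrade | default(false) %}` states the intended boolean directly. If entries are allowed to omit `ssl` entirely, prefix it with `item.ssl is defined and`, since a chained lookup through an undefined mapping may raise depending on the Ansible version in use.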
@@ -23,8 +26,6 @@ server { gzip_types text/css application/javascript text/javascript text/plain text/xml application/xml; gzip_vary on; - root {{ item.webroot }}; - # Letsencrypt location /.well-known { alias {{ item.wellknown }}/.well-known; @@ -36,6 +37,9 @@ server { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; + {% for value in item.rules %} + proxy_set_header {{ value }} + {% endfor %} } listen 443 ssl; From e19ed4af7e250fd68ce91012d96507e9e8434222 Mon Sep 17 00:00:00 2001 From: Karl Goetz Date: Mon, 18 May 2020 07:51:46 +1000 Subject: [PATCH 3/3] Changes to role following testing This has been used to deploy a site now; the following changes were made as part of that process. --- README.md | 4 ++-- tasks/main.yml | 2 +- .../nginx/sites-available/reverse-proxy.j2 | 19 ++++++++++++------- 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index cf62479..d8afb1e 100644 --- a/README.md +++ b/README.md @@ -93,8 +93,8 @@ Here is a list of all the default variables for this role, which are also availa # cert_name: mycert.crt # cert_path: path/to/cert # proxy_pass: -# - target: 127.0.0.1 -# - target_port: 8000 +# target: 127.0.0.1 +# target_port: 8000 # extra_headers: [] diff --git a/tasks/main.yml b/tasks/main.yml index 0dfee05..187acfb 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -23,7 +23,7 @@ - nginx-manage - import_tasks: proxies.yml - when: nginx_proxies | length + when: nginx_proxies tags: - web - nginx diff --git a/templates/etc/nginx/sites-available/reverse-proxy.j2 b/templates/etc/nginx/sites-available/reverse-proxy.j2 index 2429220..7637327 100644 --- a/templates/etc/nginx/sites-available/reverse-proxy.j2 +++ b/templates/etc/nginx/sites-available/reverse-proxy.j2 
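Review bot: The added loop emits `proxy_set_header {{ value }}` with no terminating `;`, so unless every entry happens to end in a semicolon nginx fails its config check on the first rendered header, and the loop reads `item.rules` while the README in this same commit documents the key as `extra_headers`. Patch 3 renames the key but keeps the unterminated directive (second hunk of the patch 3 template). Write `proxy_set_header {{ value }};` here and in patch 3. The enclosing `location /` block starts outside the hunk.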
@@ -2,17 +2,17 @@ # HTTPS terminating proxy sitting in front of webapp. -# TODO: Check: Some of this file can probably be removed with no loss in functionality. - # default_server on listen is required to work around bug https://github.com/certbot/certbot/issues/5817#issuecomment-391051737 -# TODO: make this if work -{% if item.ssl.upgrade is defined and item.ssl.upgrade is not false %} +{% if item.ssl.upgrade is defined() %} server { server_name {{ item.name }}{% for value in item.aliases|default([]) %} {{ value }}{% endfor %}; return 301 https://$host$request_uri; listen {{ item.ip|default('*') }}:{{item.port|default(80)}}; + + access_log /var/log/nginx/{{ item.id }}-access-http.log; + error_log /var/log/nginx/{{ item.id }}-error-http.log; return 404; } {% endif %} @@ -37,14 +37,19 @@ server { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - {% for value in item.rules %} - proxy_set_header {{ value }} - {% endfor %} + {% if item.extra_headers is defined() %} + {% for value in item.extra_headers %} + proxy_set_header {{ value }} + {% endfor %} + {% endif %} } listen 443 ssl; ssl_certificate {{ item.ssl.cert_path |default(openssl_certs_path) }}/{{ item.ssl.cert_name|default('server.crt') }}; ssl_certificate_key {{ item.ssl.cert_path |default(openssl_keys_path) }}/{{ item.ssl.key_name|default('server.key') }}; + access_log /var/log/nginx/{{ item.id }}-access-https.log; + error_log /var/log/nginx/{{ item.id }}-error-https.log; + }
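Review bot: `{% if item.extra_headers is defined() %}` calls the `defined` test with an empty argument list, which Jinja accepts but which reads as a function call rather than the documented `is defined` form; the same spelling appears in this file's first hunk on `item.ssl.upgrade`. The guard plus loop collapses to a single `{% for value in item.extra_headers | default([]) %}`, which drops the `if`/`endif` pair and matches how `item.aliases|default([])` is already handled on the `server_name` line. The enclosing `location /` block starts outside the hunk.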