From 13d7194e4fe987b618b4f9c50b8191993d692697 Mon Sep 17 00:00:00 2001
From: nd
Date: Sun, 11 Jul 2021 04:08:39 +0200
Subject: [PATCH] add support for listen ips

---
 README.md | 6 +++++
 defaults/main.yml | 30 +++++++++++++++++++++++
 files/monitoring.cfg | 1 -
 templates/vhost.conf.j2 | 53 +++++++++++++++++++++++++----------------
 4 files changed, 68 insertions(+), 22 deletions(-)
 delete mode 100644 files/monitoring.cfg

diff --git a/README.md b/README.md
index 4b54767..4fa9738 100644
--- a/README.md
+++ b/README.md
@@ -69,6 +69,12 @@ listen:
 ssl_port: 443
 nossl: False
 nossl_port: 80
+ v4: True
+ v4_ip:
+ - 0.0.0.0
+ v6: True
+ v6_ip:
+ - '[::]'
 
 # example: "https://upstream". If set to None no reverse proxy will be set up.
 backend: None
diff --git a/defaults/main.yml b/defaults/main.yml
index bfff1c4..d4cbf07 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -14,6 +14,36 @@ nginx:
 - 8.8.8.8
 - 8.8.4.4
 
+nginx_vhosts_defaults:
+ listen:
+ nossl: False
+ nossl_port: 80
+ ssl: True
+ ssl_port: 443
+ v4: True
+ v4_ip:
+ - '0.0.0.0'
+ v6: True
+ v6_ip:
+ - '[::]'
+ custom: []
+ servername: []
+ default_server: False
+ locations: []
+ includes: []
+ add_headers: []
+ letsencrypt: False
+ crt: ~
+ key: ~
+ auth:
+ enable: False
+ path: ~
+ satisfy: 'all'
+ host: '$host'
+ add_proxy_headers: {}
+ hide_proxy_headers: {}
+ backend: ~
+
 nginx_forcessl_vhost:
 "https-redirect":
 listen:
diff --git a/files/monitoring.cfg b/files/monitoring.cfg
deleted file mode 100644
index efb480d..0000000
--- a/files/monitoring.cfg
+++ /dev/null
@@ -1 +0,0 @@
-servers=[('http', '127.0.0.1', 5234)]
diff --git a/templates/vhost.conf.j2 b/templates/vhost.conf.j2
index 5a3f16c..ee4e200 100644
--- a/templates/vhost.conf.j2
+++ b/templates/vhost.conf.j2
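Review bot: `add_headers: []` in the new `nginx_vhosts_defaults` is a list, but the first vhost.conf.j2 hunk now passes it straight into `{}|combine(nginx.add_headers, vhost.add_headers)` and later indexes `vhost_headers[header]`, so any vhost that does not override `add_headers` makes the combine filter fail on a non-dict argument where the old template was guarded by `|default({})`. The default should read `add_headers: {}`, matching `add_proxy_headers: {}` and `hide_proxy_headers: {}` a few lines below. The new `nginx_vhosts_defaults` variable is also not described in the README hunk, which only adds the `v4`/`v6` keys to the example; a short paragraph stating that each per-vhost mapping is merged over these defaults with `combine(..., recursive=True)`, so every key may be omitted, would tell users what they are allowed to leave out.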
@@ -1,23 +1,34 @@ #jinja2:lstrip_blocks: True -{% set vhost = item.value %} +{% set vhost = {}|combine(nginx_vhosts_defaults, item.value, recursive=True) %} {% set vhost_name = item.key %} -{% set vhost_listen = vhost.listen|default({}) %} -{% set vhost_headers = nginx.add_headers|default({})|combine(vhost.add_headers|default({})) %} +{% set vhost_headers = {}|combine(nginx.add_headers, vhost.add_headers) %} + +{% macro nginx_listen(ips, port, options) %} + {% for ip in ips %} + listen {{ ip }}:{{ port }} {{ options|join(' ') }}{% if vhost.default_server %} default_server{% endif %}; + {% endfor %} +{% endmacro %} server { - {% if vhost.servername|default([])|length > 0 %} + {% if vhost.servername|length > 0 %} server_name {{ vhost.servername|join(' ') }}; {% endif %} - {% if vhost_listen.ssl|default(True) %} - listen {{ vhost_listen.ssl_port|default(443) }} ssl http2 {% if vhost.default_server|default(False) %}default_server{% endif %}; - listen [::]:{{ vhost_listen.ssl_port|default(443) }} ssl http2 {% if vhost.default_server|default(False) %}default_server{% endif %}; + {% if vhost.listen.ssl %} + {% if vhost.listen.v4 %}{{ nginx_listen(vhost.listen.v4_ip, vhost.listen.ssl_port, ["ssl", "http2"]) }}{% endif %} + {% if vhost.listen.v6 %}{{ nginx_listen(vhost.listen.v6_ip, vhost.listen.ssl_port, ["ssl", "http2"]) }}{% endif %} + {% endif %} - {% if vhost_listen.nossl|default(False) %} - listen {{ vhost_listen.nossl_port|default(80) }} {% if vhost.default_server|default(False) %}default_server{% endif %}; - listen [::]:{{ vhost_listen.nossl_port|default(80) }} {% if vhost.default_server|default(False) %}default_server{% endif %}; + + {% if vhost.listen.nossl %} + {% if vhost.listen.v4 %}{{ nginx_listen(vhost.listen.v4_ip, vhost.listen.nossl_port, []) }}{% endif %} + {% if vhost.listen.v6 %}{{ nginx_listen(vhost.listen.v6_ip, vhost.listen.nossl_port, []) }}{% endif %} {% endif %} + {% for i in vhost.listen.custom %} + listen {{ i }}; + {% endfor %} + {% for header 
in vhost_headers if header %} add_header {{ header }} "{{ vhost_headers[header] }}"; {% endfor %} @@ -27,12 +38,12 @@ server { {% endfor %} - {% if vhost.backend|default(False) %} + {% if vhost.backend %} location / { proxy_pass {{ vhost.backend }}; # add proxy headers - proxy_set_header Host {% if 'host' in vhost %}"{{ vhost.host }}"{% else %}$host{% endif %}; + proxy_set_header Host {{ vhost.host }}; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; @@ -40,9 +51,9 @@ server { proxy_set_header X-Url-Scheme $scheme; # add custom proxy headers -{% for header in vhost.add_proxy_headers|d({}) if header %} + {% for header in vhost.add_proxy_headers if header %} proxy_set_header {{ header }} "{{ vhost.add_proxy_headers[header] }}"; -{% endfor %} + {% endfor %} # Websockets proxy_http_version 1.1; @@ -50,7 +61,7 @@ server { proxy_set_header Connection "upgrade"; # remove custom proxy headers -{% for header in vhost.hide_proxy_headers|d({}) if header %} +{% for header in vhost.hide_proxy_headers if header %} proxy_hide_header {{ header }}; {% endfor %} # hide downstream headers for security reasons @@ -64,7 +75,7 @@ server { } {% endif %} - {% for location in vhost.locations|default([]) %} + {% for location in vhost.locations %} location {{ location.match }} { {% if "alias" in location %} alias {{ location.alias }}; 
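Review bot: The `nginx_listen` macro joins `{{ ip }}:{{ port }}` verbatim, so an IPv6 entry in `v6_ip` only yields a valid directive when the inventory already wraps it in brackets (the defaults use `'[::]'`); a bare `::1` would render as `listen ::1:443`, which nginx cannot parse. Either state that in the macro, e.g. `{# v6 addresses must be written with brackets ('[::]'); the macro does not add them #}`, or have the macro bracket any `ip` that contains ':' and does not start with '['. The same hunk drops `|default({})` from `nginx.add_headers`; the `nginx:` context in the defaults hunk shows only resolvers, so whether that key is always defined is not visible here, and if it is not the template now fails instead of rendering no headers. The `server {` block opened in this hunk continues past its end.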
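Review bot: `proxy_set_header Host {{ vhost.host }};` drops the quotes the old line placed around a user-supplied `host`, so a value containing whitespace or `;` now alters the directive instead of staying one string; the default `'$host'` renders the same either way. Keeping `proxy_set_header Host "{{ vhost.host }}";` preserves the old output for every value. The `location /` block this line sits in continues outside the hunk.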
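Review bot: The `add_proxy_headers` loop tags are re-indented to match the surrounding directives in this hunk, while the `hide_proxy_headers` loop in the next hunk (`@@ -50,7 +61,7 @@`) gets the same `|d({})` removal but stays at column 0. With `lstrip_blocks: True` the rendered file is identical, so this is purely a consistency point, but the two loops now read as if written by different people. Indent `{% for header in vhost.hide_proxy_headers if header %}` and its `{% endfor %}` the same way as the add loop.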
@@ -75,21 +86,21 @@ server { } {% endfor %} - {% if vhost.auth.enable|default(False) %} + {% if vhost.auth.enable %} auth_basic "restricted area"; auth_basic_user_file {{ vhost.auth.path }}; - satisfy {{ vhost.auth.satisfy|d('all') }}; + satisfy {{ vhost.auth.satisfy }}; {% endif %} - {% for include in vhost.includes|default([]) %} + {% for include in vhost.includes %} include {{ include }}; {% endfor %} - {% if vhost.letsencrypt|d(False) %} + {% if vhost.letsencrypt %} ssl_certificate /etc/ssl/nginx_{{ vhost_name }}.chain.crt; ssl_certificate_key /etc/ssl/private/nginx_{{ vhost_name }}.key; - {% elif vhost.crt|d(None) and vhost.key|d(None) %} + {% elif vhost.crt and vhost.key %} ssl_certificate {{ vhost.crt }}; ssl_certificate_key {{ vhost.key }}; {% endif %}
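Review bot: With the new defaults every vhost has `listen.ssl: True`, `letsencrypt: False`, `crt: ~` and `key: ~`, so a vhost that sets none of them gets `listen ...:443 ssl http2` lines from the first hunk but matches neither `{% if vhost.letsencrypt %}` nor `{% elif vhost.crt and vhost.key %}` here and emits no `ssl_certificate`; nginx then refuses the whole configuration on reload, and its error points at the listen directive rather than at the missing vhost keys. A comment on the `{% elif %}` such as `{# an ssl vhost must set letsencrypt or both crt and key; otherwise nginx will not load this file #}` makes the expectation explicit, and an `assert` task before templating would turn it into a clear playbook failure. In the same hunk `auth_basic_user_file {{ vhost.auth.path }};` presumably renders the default `~` as `None` when only `auth.enable` is set, which fails closed but just as obscurely. The enclosing `server {` block starts before this hunk.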