add support for listen ips

nd 2021-07-11 04:08:39 +02:00
parent 75e21a2e2e
commit 13d7194e4f
No known key found for this signature in database
GPG key ID: 21B5CD4DEE3670E9
4 changed files with 68 additions and 22 deletions


@ -69,6 +69,12 @@ listen:
ssl_port: 443 ssl_port: 443
nossl: False nossl: False
nossl_port: 80 nossl_port: 80
v4: True
v4_ip:
- 0.0.0.0
v6: True
v6_ip:
- '[::]'
# example: "https://upstream". If set to None no reverse proxy will be set up. # example: "https://upstream". If set to None no reverse proxy will be set up.
backend: None backend: None


@ -14,6 +14,36 @@ nginx:
- 8.8.8.8 - 8.8.8.8
- 8.8.4.4 - 8.8.4.4
nginx_vhosts_defaults:
listen:
nossl: False
nossl_port: 80
ssl: True
ssl_port: 443
v4: True
v4_ip:
- '0.0.0.0'
v6: True
v6_ip:
- '[::]'
custom: []
servername: []
default_server: False
locations: []
includes: []
add_headers: []
letsencrypt: False
crt: ~
key: ~
auth:
enable: False
path: ~
satisfy: 'all'
host: '$host'
add_proxy_headers: {}
hide_proxy_headers: {}
backend: ~
nginx_forcessl_vhost: nginx_forcessl_vhost:
"https-redirect": "https-redirect":
listen: listen:
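Review bot: The defaults added under `nginx_vhosts_defaults.listen` keep `v6: True` with `v6_ip: ['[::]']` independently of `v4_ip`, so a vhost that narrows only `v4_ip` (for instance to a loopback or internal address) would still get a wildcard IPv6 listener once the template merges these defaults in. Nothing in the block says that the two address families are configured separately. I would add a comment above `v4:` such as `# v4_ip and v6_ip are independent; to restrict a vhost to specific addresses set both lists, or set the unused family to False`. The same comment could state that the `0.0.0.0` and `[::]` defaults make every vhost listen on all interfaces unless overridden.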


@ -1 +0,0 @@
servers=[('http', '127.0.0.1', 5234)]


@ -1,23 +1,34 @@
#jinja2:lstrip_blocks: True #jinja2:lstrip_blocks: True
{% set vhost = item.value %} {% set vhost = {}|combine(nginx_vhosts_defaults, item.value, recursive=True) %}
{% set vhost_name = item.key %} {% set vhost_name = item.key %}
{% set vhost_listen = vhost.listen|default({}) %} {% set vhost_headers = {}|combine(nginx.add_headers, vhost.add_headers) %}
{% set vhost_headers = nginx.add_headers|default({})|combine(vhost.add_headers|default({})) %}
{% macro nginx_listen(ips, port, options) %}
{% for ip in ips %}
listen {{ ip }}:{{ port }} {{ options|join(' ') }}{% if vhost.default_server %} default_server{% endif %};
{% endfor %}
{% endmacro %}
server { server {
{% if vhost.servername|default([])|length > 0 %} {% if vhost.servername|length > 0 %}
server_name {{ vhost.servername|join(' ') }}; server_name {{ vhost.servername|join(' ') }};
{% endif %} {% endif %}
{% if vhost_listen.ssl|default(True) %} {% if vhost.listen.ssl %}
listen {{ vhost_listen.ssl_port|default(443) }} ssl http2 {% if vhost.default_server|default(False) %}default_server{% endif %}; {% if vhost.listen.v4 %}{{ nginx_listen(vhost.listen.v4_ip, vhost.listen.ssl_port, ["ssl", "http2"]) }}{% endif %}
listen [::]:{{ vhost_listen.ssl_port|default(443) }} ssl http2 {% if vhost.default_server|default(False) %}default_server{% endif %}; {% if vhost.listen.v6 %}{{ nginx_listen(vhost.listen.v6_ip, vhost.listen.ssl_port, ["ssl", "http2"]) }}{% endif %}
{% endif %} {% endif %}
{% if vhost_listen.nossl|default(False) %}
listen {{ vhost_listen.nossl_port|default(80) }} {% if vhost.default_server|default(False) %}default_server{% endif %}; {% if vhost.listen.nossl %}
listen [::]:{{ vhost_listen.nossl_port|default(80) }} {% if vhost.default_server|default(False) %}default_server{% endif %}; {% if vhost.listen.v4 %}{{ nginx_listen(vhost.listen.v4_ip, vhost.listen.nossl_port, []) }}{% endif %}
{% if vhost.listen.v6 %}{{ nginx_listen(vhost.listen.v6_ip, vhost.listen.nossl_port, []) }}{% endif %}
{% endif %} {% endif %}
{% for i in vhost.listen.custom %}
listen {{ i }};
{% endfor %}
{% for header in vhost_headers if header %} {% for header in vhost_headers if header %}
add_header {{ header }} "{{ vhost_headers[header] }}"; add_header {{ header }} "{{ vhost_headers[header] }}";
{% endfor %} {% endfor %}
@ -27,12 +38,12 @@ server {
{% endfor %} {% endfor %}
{% if vhost.backend|default(False) %} {% if vhost.backend %}
location / { location / {
proxy_pass {{ vhost.backend }}; proxy_pass {{ vhost.backend }};
# add proxy headers # add proxy headers
proxy_set_header Host {% if 'host' in vhost %}"{{ vhost.host }}"{% else %}$host{% endif %}; proxy_set_header Host {{ vhost.host }};
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
@ -40,7 +51,7 @@ server {
proxy_set_header X-Url-Scheme $scheme; proxy_set_header X-Url-Scheme $scheme;
# add custom proxy headers # add custom proxy headers
{% for header in vhost.add_proxy_headers|d({}) if header %} {% for header in vhost.add_proxy_headers if header %}
proxy_set_header {{ header }} "{{ vhost.add_proxy_headers[header] }}"; proxy_set_header {{ header }} "{{ vhost.add_proxy_headers[header] }}";
{% endfor %} {% endfor %}
@ -50,7 +61,7 @@ server {
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
# remove custom proxy headers # remove custom proxy headers
{% for header in vhost.hide_proxy_headers|d({}) if header %} {% for header in vhost.hide_proxy_headers if header %}
proxy_hide_header {{ header }}; proxy_hide_header {{ header }};
{% endfor %} {% endfor %}
# hide downstream headers for security reasons # hide downstream headers for security reasons
@ -64,7 +75,7 @@ server {
} }
{% endif %} {% endif %}
{% for location in vhost.locations|default([]) %} {% for location in vhost.locations %}
location {{ location.match }} { location {{ location.match }} {
{% if "alias" in location %} {% if "alias" in location %}
alias {{ location.alias }}; alias {{ location.alias }};
@ -75,21 +86,21 @@ server {
} }
{% endfor %} {% endfor %}
{% if vhost.auth.enable|default(False) %} {% if vhost.auth.enable %}
auth_basic "restricted area"; auth_basic "restricted area";
auth_basic_user_file {{ vhost.auth.path }}; auth_basic_user_file {{ vhost.auth.path }};
satisfy {{ vhost.auth.satisfy|d('all') }}; satisfy {{ vhost.auth.satisfy }};
{% endif %} {% endif %}
{% for include in vhost.includes|default([]) %} {% for include in vhost.includes %}
include {{ include }}; include {{ include }};
{% endfor %} {% endfor %}
{% if vhost.letsencrypt|d(False) %} {% if vhost.letsencrypt %}
ssl_certificate /etc/ssl/nginx_{{ vhost_name }}.chain.crt; ssl_certificate /etc/ssl/nginx_{{ vhost_name }}.chain.crt;
ssl_certificate_key /etc/ssl/private/nginx_{{ vhost_name }}.key; ssl_certificate_key /etc/ssl/private/nginx_{{ vhost_name }}.key;
{% elif vhost.crt|d(None) and vhost.key|d(None) %} {% elif vhost.crt and vhost.key %}
ssl_certificate {{ vhost.crt }}; ssl_certificate {{ vhost.crt }};
ssl_certificate_key {{ vhost.key }}; ssl_certificate_key {{ vhost.key }};
{% endif %} {% endif %}
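Review bot: In the first hunk every `listen` line is now conditional on `vhost.listen.ssl`/`nossl`, `vhost.listen.v4`/`v6` and `vhost.listen.custom`, so a vhost that switches all of them off, or passes empty `v4_ip`/`v6_ip` lists, renders a `server` block with no `listen` directive at all. nginx does not treat that as listening nowhere: it falls back to its built-in default of `*:80` (`*:8000` when not started as root), so the vhost ends up served over plain HTTP on all IPv4 addresses. A template comment above the `server {` line, such as `{# a server block without any listen line makes nginx listen on *:80 #}`, would document this. A check before rendering, for example an `ansible.builtin.assert` task in the role (outside this file), could fail the play when a vhost resolves to zero listeners. The `server` block continues past this hunk into the later ones.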