infra/ansible-role-nginx
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add support for listen ips

Browse source
This commit is contained in:
nd 2021-07-11 04:08:39 +02:00
parent 75e21a2e2e
commit 13d7194e4f
No known key found for this signature in database
GPG key ID: 21B5CD4DEE3670E9
4 changed files with 68 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -69,6 +69,12 @@ listen:
ssl_port: 443
nossl: False
nossl_port: 80
v4: True
v4_ip:
- 0.0.0.0
v6: True
v6_ip:
- '[::]'
# example: "https://upstream". If set to None no reverse proxy will be set up.
backend: None

30
defaults/main.yml
View file

@ -14,6 +14,36 @@ nginx:
- 8.8.8.8
- 8.8.4.4
nginx_vhosts_defaults:
listen:
nossl: False
nossl_port: 80
ssl: True
ssl_port: 443
v4: True
v4_ip:
- '0.0.0.0'
v6: True
v6_ip:
- '[::]'
custom: []
servername: []
default_server: False
locations: []
includes: []
add_headers: []
letsencrypt: False
crt: ~
key: ~
auth:
enable: False
path: ~
satisfy: 'all'
host: '$host'
add_proxy_headers: {}
hide_proxy_headers: {}
backend: ~
nginx_forcessl_vhost:
"https-redirect":
listen:

1
files/monitoring.cfg
View file

@ -1 +0,0 @@
servers=[('http', '127.0.0.1', 5234)]

53
templates/vhost.conf.j2
View file

@ -1,23 +1,34 @@
#jinja2:lstrip_blocks: True
{% set vhost = item.value %}
{% set vhost = {}|combine(nginx_vhosts_defaults, item.value, recursive=True) %}
{% set vhost_name = item.key %}
{% set vhost_listen = vhost.listen|default({}) %}
{% set vhost_headers = nginx.add_headers|default({})|combine(vhost.add_headers|default({})) %}
{% set vhost_headers = {}|combine(nginx.add_headers, vhost.add_headers) %}
{% macro nginx_listen(ips, port, options) %}
{% for ip in ips %}
listen {{ ip }}:{{ port }} {{ options|join(' ') }}{% if vhost.default_server %} default_server{% endif %};
{% endfor %}
{% endmacro %}
server {
{% if vhost.servername|default([])|length > 0 %}
{% if vhost.servername|length > 0 %}
server_name {{ vhost.servername|join(' ') }};
{% endif %}
{% if vhost_listen.ssl|default(True) %}
listen {{ vhost_listen.ssl_port|default(443) }} ssl http2 {% if vhost.default_server|default(False) %}default_server{% endif %};
listen [::]:{{ vhost_listen.ssl_port|default(443) }} ssl http2 {% if vhost.default_server|default(False) %}default_server{% endif %};
{% if vhost.listen.ssl %}
{% if vhost.listen.v4 %}{{ nginx_listen(vhost.listen.v4_ip, vhost.listen.ssl_port, ["ssl", "http2"]) }}{% endif %}
{% if vhost.listen.v6 %}{{ nginx_listen(vhost.listen.v6_ip, vhost.listen.ssl_port, ["ssl", "http2"]) }}{% endif %}
{% endif %}
{% if vhost_listen.nossl|default(False) %}
listen {{ vhost_listen.nossl_port|default(80) }} {% if vhost.default_server|default(False) %}default_server{% endif %};
listen [::]:{{ vhost_listen.nossl_port|default(80) }} {% if vhost.default_server|default(False) %}default_server{% endif %};
{% if vhost.listen.nossl %}
{% if vhost.listen.v4 %}{{ nginx_listen(vhost.listen.v4_ip, vhost.listen.nossl_port, []) }}{% endif %}
{% if vhost.listen.v6 %}{{ nginx_listen(vhost.listen.v6_ip, vhost.listen.nossl_port, []) }}{% endif %}
{% endif %}
{% for i in vhost.listen.custom %}
listen {{ i }};
{% endfor %}
{% for header in vhost_headers if header %}
add_header {{ header }} "{{ vhost_headers[header] }}";
{% endfor %}
@ -27,12 +38,12 @@ server {
{% endfor %}
{% if vhost.backend|default(False) %}
{% if vhost.backend %}
location / {
proxy_pass {{ vhost.backend }};
# add proxy headers
proxy_set_header Host {% if 'host' in vhost %}"{{ vhost.host }}"{% else %}$host{% endif %};
proxy_set_header Host {{ vhost.host }};
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
@ -40,9 +51,9 @@ server {
proxy_set_header X-Url-Scheme $scheme;
# add custom proxy headers
{% for header in vhost.add_proxy_headers|d({}) if header %}
{% for header in vhost.add_proxy_headers if header %}
proxy_set_header {{ header }} "{{ vhost.add_proxy_headers[header] }}";
{% endfor %}
{% endfor %}
# Websockets
proxy_http_version 1.1;
@ -50,7 +61,7 @@ server {
proxy_set_header Connection "upgrade";
# remove custom proxy headers
{% for header in vhost.hide_proxy_headers|d({}) if header %}
{% for header in vhost.hide_proxy_headers if header %}
proxy_hide_header {{ header }};
{% endfor %}
# hide downstream headers for security reasons
@ -64,7 +75,7 @@ server {
}
{% endif %}
{% for location in vhost.locations|default([]) %}
{% for location in vhost.locations %}
location {{ location.match }} {
{% if "alias" in location %}
alias {{ location.alias }};
@ -75,21 +86,21 @@ server {
}
{% endfor %}
{% if vhost.auth.enable|default(False) %}
{% if vhost.auth.enable %}
auth_basic "restricted area";
auth_basic_user_file {{ vhost.auth.path }};
satisfy {{ vhost.auth.satisfy|d('all') }};
satisfy {{ vhost.auth.satisfy }};
{% endif %}
{% for include in vhost.includes|default([]) %}
{% for include in vhost.includes %}
include {{ include }};
{% endfor %}
{% if vhost.letsencrypt|d(False) %}
{% if vhost.letsencrypt %}
ssl_certificate /etc/ssl/nginx_{{ vhost_name }}.chain.crt;
ssl_certificate_key /etc/ssl/private/nginx_{{ vhost_name }}.key;
{% elif vhost.crt|d(None) and vhost.key|d(None) %}
{% elif vhost.crt and vhost.key %}
ssl_certificate {{ vhost.crt }};
ssl_certificate_key {{ vhost.key }};
{% endif %}