From 41841311e6e468faffd971f3dbe8d8974dd267c1 Mon Sep 17 00:00:00 2001 From: nd Date: Sat, 4 Sep 2021 22:44:41 +0200 Subject: [PATCH 1/3] add support for generic streams --- defaults/main.yml | 8 ++++++++ files/config/nginx.conf | 6 ++++++ tasks/main.yml | 12 ++++++++++++ templates/stream.conf.j2 | 22 ++++++++++++++++++++++ 4 files changed, 48 insertions(+) create mode 100644 templates/stream.conf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 4479272..5d94416 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -9,6 +9,7 @@ nginx: snakeoil_default: false upstreams: {} vhosts: {} + streams: {} maps: {} resolver: - 8.8.8.8 @@ -44,6 +45,13 @@ nginx_vhosts_defaults: hide_proxy_headers: {} backend: ~ +nginx_streams_defaults: + listen: + custom: [] + includes: [] + proxy_pass: ~ + proxy_protocol: "off" + nginx_forcessl_vhost: "https-redirect": listen: diff --git a/files/config/nginx.conf b/files/config/nginx.conf index 889052d..b8780cf 100644 --- a/files/config/nginx.conf +++ b/files/config/nginx.conf @@ -3,6 +3,7 @@ worker_processes auto; pid /run/nginx.pid; load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so; +load_module /usr/lib/nginx/modules/ngx_stream_module.so; events { use epoll; @@ -36,3 +37,8 @@ http { ## include /etc/nginx/sites-enabled/*; } + +stream { + include /etc/nginx/conf.d/upstreams.conf; + include /etc/nginx/streams/*; +} diff --git a/tasks/main.yml b/tasks/main.yml index 2191a57..5a05673 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -22,6 +22,7 @@ pkg: - nginx - libnginx-mod-http-headers-more-filter + - libnginx-mod-stream - goaccess notify: - delete nginx index.nginx-debian.html 
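Review bot: The new `stream { }` block in files/config/nginx.conf carries no `access_log`, so every connection proxied through a stream server goes unlogged; the http-level `log_format`/`access_log` do not apply in the stream context and nginx's stream access log is off by default. Add a stream-level format and log ahead of the includes, e.g. `log_format stream_basic '$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time "$upstream_addr"';` followed by `access_log /var/log/nginx/stream-access.log stream_basic;`. Including `/etc/nginx/conf.d/upstreams.conf` into the stream context as well means any http-only directive in an upstream defined there (`keepalive`, `ip_hash`) will now stop nginx from starting; if that file is still included from `http {}` too, which this patch does not show, rendering a separate stream upstreams file would be safer than sharing one.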
@@ -83,6 +84,17 @@ notify: - restart nginx +- name: create and enable nginx streams + template: + src: stream.conf.j2 + dest: "/etc/nginx/streams/{{ item.key }}" + owner: root + group: root + mode: 0644 + with_dict: "{{ {}|combine(nginx.streams, recursive=True) }}" + notify: + - restart nginx + - name: delete nginx default config file: path=/etc/nginx/sites-enabled/default state=absent diff --git a/templates/stream.conf.j2 b/templates/stream.conf.j2 new file mode 100644 index 0000000..f5cb28c --- /dev/null +++ b/templates/stream.conf.j2 @@ -0,0 +1,22 @@ +#jinja2:lstrip_blocks: True +{% set stream = {}|combine(nginx_streams_defaults, item.value, recursive=True) %} +{% set stream_name = item.key %} + +server { + + {% for i in stream.listen.custom %} + listen {{ i }}; + {% endfor %} + + proxy_pass {{ stream.proxy_pass }}; + proxy_protocol {{ stream.proxy_protocol }}; + + {% for c in stream.custom|default([]) %} + {{ c }}; + {% endfor %} + + {% for include in stream.includes %} + include {{ include }}; + {% endfor %} + +} From 1b81731a4b2e9951e4794e25895e79b426f1e380 Mon Sep 17 00:00:00 2001 From: nd Date: Sat, 4 Sep 2021 23:54:05 +0200 Subject: [PATCH 2/3] add config option for real-ip header --- defaults/main.yml | 1 + templates/proxy.conf.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2dba269..33f2141 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,6 @@ nginx: add_headers: [] + real_ip_header: "X-Forwarded-For" real_ip_from: "127.0.0.1": {} "::1": {} diff --git a/templates/proxy.conf.j2 b/templates/proxy.conf.j2 index 0103e1a..4d3095e 100644 --- a/templates/proxy.conf.j2 +++ b/templates/proxy.conf.j2 @@ -1,5 +1,5 @@ {% for ip in nginx.real_ip_from %} set_real_ip_from {{ ip }}; {% endfor %} -real_ip_header X-Forwarded-For; +real_ip_header {{ nginx.real_ip_header }}; real_ip_recursive on; From f5b437785d81f340ca62032c3ea5ed6423ceef93 Mon Sep 17 00:00:00 2001 
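Review bot: The new template task writes to `/etc/nginx/streams/{{ item.key }}`, but nothing in the patch creates `/etc/nginx/streams`, and the `template` module does not create missing parent directories, so the first run on a fresh host fails before the `restart nginx` handler is ever reached. The task also happily renders a stream whose `proxy_pass` is left at the `~` default, which reaches nginx as `proxy_pass None;` and breaks the restart for every vhost on the host; a validation task in front of the loop gives a readable error instead. A stream removed from `nginx.streams` keeps its rendered file, which `include /etc/nginx/streams/*;` keeps loading, so a cleanup step would make the variable authoritative; `item.key` is also used unsanitised as a filename, acceptable for operator-controlled inventory but worth a comment saying so.
```yaml
- name: create nginx streams directory
  file:
    path: /etc/nginx/streams
    state: directory
    owner: root
    group: root
    mode: 0755

- name: validate nginx streams
  assert:
    that:
      - item.value.proxy_pass is defined
      - item.value.proxy_pass is not none
      - (item.value.listen | d({})).custom | d([]) | length > 0
    fail_msg: "stream {{ item.key }} needs proxy_pass and at least one listen.custom entry"
  with_dict: "{{ nginx.streams }}"

# … unchanged: create and enable nginx streams …
```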
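Review bot: `proxy_pass {{ stream.proxy_pass }};` and the `listen` loop in templates/stream.conf.j2 render invalid nginx config for a stream that omits `proxy_pass` or `listen.custom`: the `~` default comes out as `proxy_pass None;` and an empty list yields a `server {}` with no `listen`, and either one fails `nginx -t` for the whole host, so both keys should be treated as required and checked before rendering rather than silently defaulted. `stream.custom` is read via `|default([])` but is missing from `nginx_streams_defaults`, unlike `listen.custom` and `includes`; add `custom: []` there so the defaults file documents the full schema, and either drop the unused `{% set stream_name = item.key %}` or use it, e.g. `# stream {{ stream_name }} - managed by ansible, do not edit`. `proxy_protocol {{ stream.proxy_protocol }};` depends on the default staying the quoted string `"off"`; a comment beside it in defaults/main.yml (`# keep quoted: bare off/on is parsed as a YAML boolean and renders as False`) would stop the next editor from unquoting it.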
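Review bot: `real_ip_header {{ nginx.real_ip_header }};` in templates/proxy.conf.j2 is rendered unvalidated and the new variable in defaults/main.yml has no comment, so the trust boundary is easy to get wrong: whichever header is chosen is honoured only from `set_real_ip_from` sources, and with `real_ip_recursive on` the client address becomes the last entry of that header not in the trusted list, so widening `real_ip_from` beyond the local proxy hands control of `$remote_addr` (and any IP-based allow/deny or rate limit) to the client. I would document this at the variable, `# header to take the client IP from (X-Forwarded-For, X-Real-IP or proxy_protocol); only honoured from real_ip_from`, and note that `proxy_protocol` additionally requires `proxy_protocol` on the vhost's `listen`, which this patch does not wire up.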
From: nd Date: Thu, 7 Oct 2021 23:52:59 +0200 Subject: [PATCH 3/3] disable proxy buffering and add larger header buffer --- files/config/nginx.conf | 1 + templates/vhost.conf.j2 | 2 ++ 2 files changed, 3 insertions(+) diff --git a/files/config/nginx.conf b/files/config/nginx.conf index b8780cf..59f8e3f 100644 --- a/files/config/nginx.conf +++ b/files/config/nginx.conf @@ -23,6 +23,7 @@ http { types_hash_max_size 2048; server_tokens off; reset_timedout_connection on; + large_client_header_buffers 4 32k; server_names_hash_bucket_size 64; map_hash_bucket_size 64; diff --git a/templates/vhost.conf.j2 b/templates/vhost.conf.j2 index 7cb386a..3d8fbb4 100644 --- a/templates/vhost.conf.j2 +++ b/templates/vhost.conf.j2 @@ -47,6 +47,8 @@ server { {% if location.backend|d(False) %} proxy_pass {{ location.backend }}; + proxy_buffering off; + # add proxy headers proxy_set_header Host {{ vhost.host }}; proxy_set_header X-Real-IP $remote_addr;
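Review bot: `large_client_header_buffers 4 32k;` is added globally in `http {}` with no comment on what needs it; the default is `4 8k`, so an unauthenticated client can now tie up 128 KiB of header buffers per connection before nginx answers 400/414, a fourfold increase in what a connection flood costs in memory. If a single backend needs oversized cookies or bearer tokens, the directive is also valid in `server {}`, so scoping it to that vhost and recording the reason is preferable, e.g. `large_client_header_buffers 4 32k;  # <backend> sends >8k cookie headers`, with the placeholder filled in. Provided `client_header_buffer_size` is not raised elsewhere, the large buffers are only allocated once a request outgrows the small one, which at least limits the cost to hostile or genuinely large requests.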
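Review bot: `proxy_buffering off;` is now emitted unconditionally for every location with a `backend` in templates/vhost.conf.j2, although the commit message gives no reason and the role otherwise drives per-location behaviour from `nginx_vhosts_defaults`. With buffering off nginx relays the upstream response synchronously, so a slow or stalled client holds the upstream connection for the whole response, and a handful of deliberately slow readers can exhaust backend workers that buffering would have shielded. Make it overridable instead: add `proxy_buffering: "off"` to the location defaults and render `proxy_buffering {{ location.proxy_buffering|d('off') }};`, with a comment beside the default naming what needs streaming (SSE or long-polling, presumably — confirm). The `{% if location.backend|d(False) %}` block this sits in continues past the end of the hunk.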