Merge branch 'master' of ssh://git-ssh.notandy.de:2222/ansible/roles/nginx

defaults/main.yml

@@ -1,5 +1,6 @@
 nginx:
   add_headers: []
+  real_ip_header: "X-Forwarded-For"
   real_ip_from:
     "127.0.0.1": {}
     "::1": {}
@@ -9,6 +10,7 @@ nginx:
   snakeoil_default: false
   upstreams: {}
   vhosts: {}
+  streams: {}
   maps: {}
   resolver:
     - 8.8.8.8
@@ -44,6 +46,13 @@ nginx_vhosts_defaults:
   hide_proxy_headers: {}
   backend: ~
 
+nginx_streams_defaults:
+  listen:
+    custom: []
+  includes: []
+  proxy_pass: ~
+  proxy_protocol: "off"
+
 nginx_forcessl_vhost:
   "https-redirect":
     listen:

files/config/nginx.conf

@@ -3,6 +3,7 @@ worker_processes auto;
 pid /run/nginx.pid;
 
 load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
+load_module /usr/lib/nginx/modules/ngx_stream_module.so;
 
 events {
 	use epoll;
@@ -22,6 +23,7 @@ http {
 	types_hash_max_size 2048;
 	server_tokens off;
 	reset_timedout_connection on;
+	large_client_header_buffers 4 32k;
 
 	server_names_hash_bucket_size 64;
 	map_hash_bucket_size 64;
@@ -36,3 +38,8 @@ http {
 	##
 	include /etc/nginx/sites-enabled/*;
 }
+
+stream {
+	include /etc/nginx/conf.d/upstreams.conf;
+	include /etc/nginx/streams/*;
+}

tasks/main.yml

@@ -22,6 +22,7 @@
     pkg:
       - nginx
       - libnginx-mod-http-headers-more-filter
+      - libnginx-mod-stream
       - goaccess
   notify:
   - delete nginx index.nginx-debian.html
@@ -83,6 +84,17 @@
   notify:
   - restart nginx
 
+- name: create and enable nginx streams
+  template:
+    src: stream.conf.j2
+    dest: "/etc/nginx/streams/{{ item.key }}"
+    owner: root
+    group: root
+    mode: 0644
+  with_dict: "{{ {}|combine(nginx.streams, recursive=True) }}"
+  notify:
+  - restart nginx
+
 - name: delete nginx default config
   file: path=/etc/nginx/sites-enabled/default state=absent
 

templates/proxy.conf.j2

@@ -1,5 +1,5 @@
 {% for ip in nginx.real_ip_from %}
 set_real_ip_from	{{ ip }};
 {% endfor %}
-real_ip_header		X-Forwarded-For;
+real_ip_header		{{ nginx.real_ip_header }};
 real_ip_recursive	on;

templates/stream.conf.j2

@@ -0,0 +1,22 @@
+#jinja2:lstrip_blocks: True
+{% set stream = {}|combine(nginx_streams_defaults, item.value, recursive=True) %}
+{% set stream_name = item.key %}
+
+server {
+
+	{% for i in stream.listen.custom %}
+	listen {{ i }};
+	{% endfor %}
+
+	proxy_pass {{ stream.proxy_pass }};
+	proxy_protocol {{ stream.proxy_protocol }};
+
+	{% for c in stream.custom|default([]) %}
+	{{ c }};
+	{% endfor %}
+
+	{% for include in stream.includes %}
+	include {{ include }};
+	{% endfor %}
+
+}

templates/vhost.conf.j2

@@ -47,6 +47,8 @@ server {
 		{% if location.backend|d(False) %}
 		proxy_pass {{ location.backend }};
 
+		proxy_buffering off;
+
 		# add proxy headers
 		proxy_set_header Host			{{ vhost.host }};
 		proxy_set_header X-Real-IP		$remote_addr;