From 0410643732195626e8be8bc1b2c6fbc23b3b3cc3 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Thu, 13 May 2021 04:20:44 +0200 Subject: make nginx vhost templates more generic --- roles/apps/jitsi/meet/tasks/main.yml | 7 +++- roles/apps/keycloak/tasks/main.yml | 7 +++- roles/apps/nextcloud/tasks/main.yml | 17 +++++---- roles/apps/onlyoffice/tasks/main.yml | 7 +++- roles/elevate/liquidtruth/tasks/main.yml | 4 +- roles/monitoring/grafana/tasks/main.yml | 7 +++- roles/nginx/vhost/defaults/main.yml | 24 +++++++----- .../generic-proxy-no-buffering-with-acme.conf.j2 | 44 ++++++++++++---------- .../templates/generic-proxy-no-buffering.conf.j2 | 32 +++++++++------- 9 files changed, 92 insertions(+), 57 deletions(-) (limited to 'roles') diff --git a/roles/apps/jitsi/meet/tasks/main.yml b/roles/apps/jitsi/meet/tasks/main.yml index f85fd572..8fcef577 100644 --- a/roles/apps/jitsi/meet/tasks/main.yml +++ b/roles/apps/jitsi/meet/tasks/main.yml @@ -40,7 +40,10 @@ acme: true hostnames: - "{{ jitsi_meet_hostname }}" - client_max_body_size: "0" - proxy_pass: "http://127.0.0.1:{{ jitsi_meet_http_port }}" + locations: + '/': + proxy_pass: "http://127.0.0.1:{{ jitsi_meet_http_port }}" + extra_directives: |- + client_max_body_size 0; include_role: name: nginx/vhost diff --git a/roles/apps/keycloak/tasks/main.yml b/roles/apps/keycloak/tasks/main.yml index b5a756d0..3df78018 100644 --- a/roles/apps/keycloak/tasks/main.yml +++ b/roles/apps/keycloak/tasks/main.yml @@ -99,7 +99,10 @@ acme: true hostnames: - "{{ item.value.hostname }}" - client_max_body_size: "0" - proxy_pass: "http://127.0.0.1:{{ item.value.port }}/auth/" + locations: + '/': + proxy_pass: "http://127.0.0.1:{{ item.value.port }}/auth/" + extra_directives: |- + client_max_body_size 0; include_role: name: nginx/vhost diff --git a/roles/apps/nextcloud/tasks/main.yml b/roles/apps/nextcloud/tasks/main.yml index 474d0d88..8d930b9a 100644 --- a/roles/apps/nextcloud/tasks/main.yml +++ b/roles/apps/nextcloud/tasks/main.yml 
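Review bot: The keycloak location carries `client_max_body_size 0;` into the new free-form `extra_directives` block, which switches off nginx's request-body limit for everything proxied to Keycloak, and nothing in the hunk says why an identity provider needs unbounded POST bodies. If this is deliberate (realm/user imports through the admin console, presumably), a YAML comment above `extra_directives:` such as `# no nginx body limit: realm imports via the admin console are large` would stop the next maintainer from tightening it by accident; if it is just inherited from the old `client_max_body_size: "0"` key, a concrete limit is the safer default. The jitsi hunk above has the same directive and the same open question.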
@@ -162,13 +162,16 @@ template: generic-proxy-no-buffering-with-acme acme: true hostnames: "{{ item.value.hostnames }}" - client_max_body_size: "0" - proxy_pass: "http://127.0.0.1:{{ item.value.port }}" - proxy_redirect: - - redirect: "http://$host/" - replacement: "https://$host/" - - redirect: "http://$host:8080/" - replacement: "https://$host/" + locations: + '/': + proxy_pass: "http://127.0.0.1:{{ item.value.port }}" + proxy_redirect: + - redirect: "http://$host/" + replacement: "https://$host/" + - redirect: "http://$host:8080/" + replacement: "https://$host/" + extra_directives: |- + client_max_body_size 0; include_role: name: nginx/vhost diff --git a/roles/apps/onlyoffice/tasks/main.yml b/roles/apps/onlyoffice/tasks/main.yml index da253a77..bde60e5b 100644 --- a/roles/apps/onlyoffice/tasks/main.yml +++ b/roles/apps/onlyoffice/tasks/main.yml @@ -143,7 +143,10 @@ acme: true hostnames: - "{{ item.value.hostname }}" - client_max_body_size: "0" - proxy_pass: "http://127.0.0.1:{{ item.value.port }}" + locations: + '/': + proxy_pass: "http://127.0.0.1:{{ item.value.port }}" + extra_directives: |- + client_max_body_size 0; include_role: name: nginx/vhost diff --git a/roles/elevate/liquidtruth/tasks/main.yml b/roles/elevate/liquidtruth/tasks/main.yml index 6bb00821..2c61f372 100644 --- a/roles/elevate/liquidtruth/tasks/main.yml +++ b/roles/elevate/liquidtruth/tasks/main.yml @@ -20,7 +20,9 @@ template: generic-proxy-no-buffering-with-acme acme: true hostnames: "{{ liquidtruth_hostnames }}" - proxy_pass: "http://127.0.0.1:8080" + locations: + '/': + proxy_pass: "http://127.0.0.1:8080" - name: create app user user: diff --git a/roles/monitoring/grafana/tasks/main.yml b/roles/monitoring/grafana/tasks/main.yml index 87f16bd0..2e7594ec 100644 --- a/roles/monitoring/grafana/tasks/main.yml +++ b/roles/monitoring/grafana/tasks/main.yml 
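Review bot: The second `proxy_redirect` entry in the nextcloud location still hard-codes `http://$host:8080/` while `proxy_pass` on the line above uses `{{ item.value.port }}`, so for any instance whose port is not 8080 a backend-generated absolute redirect to its own port (presumably what this rule is for) passes through unrewritten and exposes the plain-HTTP upstream address. Since the lines are rewritten here anyway, tie the two together: `- redirect: "http://$host:{{ item.value.port }}/"`. The problem predates this commit, but the move under `locations` is the right moment to fix it.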
@@ -65,7 +65,10 @@ template: generic-proxy-no-buffering hostnames: - "_" - client_max_body_size: "0" - proxy_pass: "http://127.0.0.1:{{ grafana_config_server.http_port | default(3000) }}" + locations: + '/': + proxy_pass: "http://127.0.0.1:{{ grafana_config_server.http_port | default(3000) }}" + extra_directives: |- + client_max_body_size 0; include_role: name: nginx/vhost diff --git a/roles/nginx/vhost/defaults/main.yml b/roles/nginx/vhost/defaults/main.yml index b5de1fad..233015be 100644 --- a/roles/nginx/vhost/defaults/main.yml +++ b/roles/nginx/vhost/defaults/main.yml @@ -7,15 +7,21 @@ # hostnames: # - example.com # - www.example.com -# proxy_pass: http://127.0.0.1:8080 -# proxy_redirect: -# - redirect: "http://$host/" -# replacement: "https://$host/" -# - redirect: "http://$host:8080/" -# replacement: "https://$host/" -# proxy_ssl: -# verify: on -# trusted_certificate: /path/to/ca.pem +# extra_directives: |- +# add_header X-Example-Header "foo"; +# locations: +# '/': +# proxy_pass: http://127.0.0.1:8080 +# proxy_redirect: +# - redirect: "http://$host/" +# replacement: "https://$host/" +# - redirect: "http://$host:8080/" +# replacement: "https://$host/" +# extra_directives: |- +# add_header X-Example-Header "foo"; +# proxy_ssl: +# verify: on +# trusted_certificate: /path/to/ca.pem # nginx_vhost: # name: other-example diff --git a/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2 b/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2 index f74f920b..fe6cb70b 100644 --- a/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2 +++ b/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2 
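Review bot: Grafana is published with `hostnames: - "_"`, a name that never matches a real Host header and therefore only serves traffic when the block is nginx's default server, yet the hunk leaves the vhost relying on being the implicit (first-defined) server on :80 even though both templates in this commit now honour a `default` flag. Make the intent explicit by adding `default: true` next to `hostnames:` so that a second vhost on the same host cannot silently take over the catch-all. If another vhost on this host is already marked `default_server`, nginx will refuse the config at reload, which is the failure mode you want.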
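Review bot: The commented example in `roles/nginx/vhost/defaults/main.yml` omits the new `default` key that both templates now read to emit `default_server`, and it does not say that `extra_directives` is spliced into the generated config verbatim. Add a line such as `# default: false   # true adds default_server to every listen directive` and, above both `extra_directives` examples, `# raw nginx directives, rendered verbatim into server/location context - trusted input only`. Because a typo in those strings is only caught by nginx itself, it is also worth confirming that the role's template task validates with `nginx -t` before the reload handler fires; that task is outside this diff.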
@@ -1,6 +1,6 @@ server { - listen 80; - listen [::]:80; + listen 80{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; + listen [::]:80{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; server_name {{ nginx_vhost.hostnames | join(' ') }}; include snippets/acmetool.conf; @@ -11,8 +11,8 @@ server { } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl http2{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; + listen [::]:443 ssl http2{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; server_name {{ nginx_vhost.hostnames | join(' ') }}; include snippets/acmetool.conf; @@ -21,12 +21,13 @@ server { ssl_certificate_key /var/lib/acme/live/{{ nginx_vhost.hostnames[0] }}/privkey; include snippets/hsts.conf; - location / { - include snippets/proxy-nobuff.conf; -{% if 'client_max_body_size' in nginx_vhost %} - client_max_body_size {{ nginx_vhost.client_max_body_size }}; -{% endif %} +{% if 'extra_directives' in nginx_vhost %} + {{ nginx_vhost.extra_directives | indent(4) }} +{% endif %} +{% for path, location in nginx_vhost.locations.items() %} + location {{ path }} { + include snippets/proxy-nobuff.conf; proxy_set_header Host $host; include snippets/proxy-forward-headers.conf; 
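Review bot: The test `'default' in nginx_vhost and nginx_vhost.default` is repeated verbatim on all four `listen` lines of this template (and again in the plain-HTTP one), and because Jinja treats any non-empty string as true, a caller that writes `default: "false"` or `"no"` still gets `default_server`. Compute it once at the top of the template, `{% set default_server = (nginx_vhost.default | default(false) | bool) %}`, and use `{% if default_server %} default_server{% endif %}` on each listen line. Whether the project prefers the `bool` filter or a strict `is sameas true` test is not visible in this diff.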
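Review bot: `location {{ path }}` blocks are now emitted in `nginx_vhost.locations.items()` order, and for regex locations (`~`, `~*`) nginx takes the first match in file order, so the mapping's order has become part of the vhost contract. Python 3.7+ dicts keep YAML insertion order, so this works in practice, but anything that rebuilds the mapping (a `combine`, a sorted loop) would reorder it; a comment on the loop, `{# locations render in the order given; regex locations depend on it #}`, makes that explicit. Note also that `nginx_vhost.locations` is now mandatory, so a caller still passing the old top-level `proxy_pass` fails at render time instead of serving nothing; that is the right behaviour but deserves a line in the defaults example. The server block continues past this hunk.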
@@ -34,16 +35,21 @@ server { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; - proxy_pass {{ nginx_vhost.proxy_pass }}; -{% if 'proxy_redirect' in nginx_vhost %} -{% for entry in nginx_vhost.proxy_redirect %} + proxy_pass {{ location.proxy_pass }}; +{% if 'proxy_redirect' in location %} +{% for entry in location.proxy_redirect %} proxy_redirect {{ entry.redirect }} {{ entry.replacement }}; -{% endfor %} -{% endif %} -{% if 'proxy_ssl' in nginx_vhost %} -{% for prop in (nginx_vhost.proxy_ssl | list | sort) %} - proxy_ssl_{{ prop }} {{ nginx_vhost.proxy_ssl[prop] }}; -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} +{% if 'proxy_ssl' in location %} +{% for prop in (location.proxy_ssl | list | sort) %} + proxy_ssl_{{ prop }} {{ location.proxy_ssl[prop] }}; +{% endfor %} +{% endif %} +{% if 'extra_directives' in location %} + + {{ location.extra_directives | indent(8) }} +{% endif %} } +{% endfor %} } diff --git a/roles/nginx/vhost/templates/generic-proxy-no-buffering.conf.j2 b/roles/nginx/vhost/templates/generic-proxy-no-buffering.conf.j2 index 10697441..2a74697e 100644 --- a/roles/nginx/vhost/templates/generic-proxy-no-buffering.conf.j2 +++ b/roles/nginx/vhost/templates/generic-proxy-no-buffering.conf.j2 
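Review bot: A location-level `extra_directives` that contains `add_header` — the exact example the defaults file gives — stops nginx from inheriting the server-level headers into that location, because `add_header` is only inherited when the current level defines none; if `snippets/hsts.conf` sets `Strict-Transport-Security` with `add_header` (the usual way, but the snippet is not in this diff), such a location silently loses HSTS. At minimum document it where the value is rendered, `{# add_header here replaces ALL server-level add_header directives, including HSTS #}`, or re-include the HSTS snippet inside the location whenever `location.extra_directives` is set. The `indent(8)` rendering itself lines up because the template supplies the first line's indentation and Jinja's `indent` leaves the first line alone.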
@@ -1,14 +1,15 @@ server { - listen 80; - listen [::]:80; + listen 80{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; + listen [::]:80{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; server_name {{ nginx_vhost.hostnames | join(' ') }}; - location / { - include snippets/proxy-nobuff.conf; -{% if 'client_max_body_size' in nginx_vhost %} - client_max_body_size {{ nginx_vhost.client_max_body_size }}; -{% endif %} +{% if 'extra_directives' in nginx_vhost %} + {{ nginx_vhost.extra_directives | indent(4) }} +{% endif %} +{% for path, location in nginx_vhost.locations.items() %} + location {{ path }} { + include snippets/proxy-nobuff.conf; proxy_set_header Host $host; include snippets/proxy-forward-headers.conf; @@ -16,16 +17,21 @@ server { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; - proxy_pass {{ nginx_vhost.proxy_pass }}; -{% if 'proxy_redirect' in nginx_vhost %} -{% for entry in nginx_vhost.proxy_redirect %} + proxy_pass {{ location.proxy_pass }}; +{% if 'proxy_redirect' in location %} +{% for entry in location.proxy_redirect %} proxy_redirect {{ entry.redirect }} {{ entry.replacement }}; {% endfor %} {% endif %} -{% if 'proxy_ssl' in nginx_vhost %} -{% for prop in (nginx_vhost.proxy_ssl | list | sort) %} - proxy_ssl_{{ prop }} {{ nginx_vhost.proxy_ssl[prop] }}; +{% if 'proxy_ssl' in location %} +{% for prop in (location.proxy_ssl | list | sort) %} + proxy_ssl_{{ prop }} {{ location.proxy_ssl[prop] }}; {% endfor %} +{% endif %} +{% if 'extra_directives' in location %} + + {{ location.extra_directives | indent(8) }} {% endif %} } +{% endfor %} } -- cgit v1.2.3
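Review bot: Marking a vhost `default_server` in this plain-HTTP template means every request whose Host matches no `server_name` on :80 lands here and is proxied with `proxy_set_header Host $host`, so the backend receives an attacker-chosen Host header. For an application that derives absolute URLs or redirects from Host (which callers of this template may well be; none is visible here) that is the classic host-header poisoning setup, so the safer use of the flag is a dedicated catch-all vhost that only does `return 444;`, not an application vhost. A sentence to that effect next to the `default` key in the defaults example would steer callers the right way. The same consideration applies to the TLS template.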