From 684c79456624430d25f549c39796dff88051fde8 Mon Sep 17 00:00:00 2001 From: Emilien Mantel Date: Tue, 3 Jan 2017 11:16:28 +0100 Subject: [PATCH] Manage proxy protocol --- README.md | 1 + doc/vhost.md | 2 ++ templates/etc/nginx/sites-available/_base.j2 | 10 ++++++---- tests/test.yml | 8 ++++++-- 4 files changed, 15 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 9bd334e..acd1e63 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ Features: - Auto-configure HTTP2 on SSL/TLS vhosts - Manage dynamic modules (install and loading) - Deploy custom facts.d with sites config +- Can listen with proxy protocol Requirements ------------ diff --git a/doc/vhost.md b/doc/vhost.md index 97830f7..c2dde84 100644 --- a/doc/vhost.md +++ b/doc/vhost.md @@ -28,6 +28,8 @@ Common - `ssl_name`: (D) name of the key used when using TLS/SSL. Optional when `proto` contains "https". If you don't set this value, it will search by `name`. - `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false". - `php_version` (O) Sepecify PHP version (5 or 7) +- `http_proxy_protocol` (O) Enable proxy protocol on http listen (default: false) +- `https_proxy_protocol` (O) Enable proxy protocol on https listen (default: false) (O): Optional (M): Mandatory diff --git a/templates/etc/nginx/sites-available/_base.j2 b/templates/etc/nginx/sites-available/_base.j2 index ccb251d..e4accae 100644 --- a/templates/etc/nginx/sites-available/_base.j2 +++ b/templates/etc/nginx/sites-available/_base.j2 
@@ -2,6 +2,8 @@ {% set __main_name = item.filename | default(item.name if item.name is string else item.name[0]) %} {% set __listen = item.listen | default(['80']) %} {% set __listen_ssl = item.listen_ssl | default(['443']) %} +{% set __http_proxy_protocol = item.http_proxy_protocol | default(false) %} +{% set __https_proxy_protocol = item.https_proxy_protocol | default(false) %} {% set __location = item.location | default({}) %} {% set __headers = item.headers | default({'X-Frame-Options': 'DENY always', 'X-Content-Type-Options': 'nosniff always' }) %} {% set __ssl_name = item.ssl_name | default(item.name if item.name is string else item.name[0]) %} @@ -28,12 +30,12 @@ server { {% if 'http' in __proto %} {% for port in __listen %} - listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %}; + listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %}{% if __http_proxy_protocol %} proxy_protocol{% endif %}; {% endfor %} {% endif %} {% if 'https' in __proto %} {% for port in __listen_ssl %} - listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %}; + listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %}{% if __https_proxy_protocol %} proxy_protocol{% endif %}; {% endfor %} {{ ssl(__ssl_name) }} {% if item.ssl_template is not defined or item.ssl_template != false %} 
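Review bot: The new `listen … proxy_protocol` lines make nginx accept a PROXY header from any peer that reaches that port, but nothing in the hunk restricts who may send one or feeds the proxied address into `$remote_addr`, so logs and any `allow`/`deny` rules will see the upstream proxy's IP — or, if the port is reachable directly, whatever address a client chooses to claim. Unless the template sets `set_real_ip_from <proxy CIDR>; real_ip_header proxy_protocol;` somewhere outside this hunk, consider adding those directives (gated on the same `__http_proxy_protocol`/`__https_proxy_protocol` flags, with the trusted proxy range as a vhost option) and a template comment such as `{# proxy_protocol trusts the PROXY header: expose this port only to the proxy #}`. The enclosing `server {` block starts before and continues past this hunk.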
@@ -140,7 +142,7 @@ server { # server { {% for port in __listen %} - listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %}; + listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %}{% if __http_proxy_protocol %} proxy_protocol{% endif %}; {% endfor %} server_name {% if item.name is string %}{{ item.name }}{% else %}{{ "\n\t\t" }}{{ item.name | join("\n\t\t") }}{% endif %}; return 301 https://{{ __main_name }}{% if '443' not in __listen_ssl %}:{{ __listen_ssl[0] }}{% endif %}$request_uri; @@ -154,7 +156,7 @@ server { # server { {% for port in __listen %} - listen {{ port }}; + listen {{ port }}{% if __http_proxy_protocol %} proxy_protocol{% endif %}; {% endfor %} server_name {% if item.redirect_from is string %}{{ item.redirect_from }}{% else %}{{ "\n\t\t" }}{{ item.redirect_from | join("\n\t\t") }}{% endif %}; return 301 $scheme://{{ __main_name }}$request_uri; diff --git a/tests/test.yml b/tests/test.yml index 29f7977..1a9c262 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -210,8 +210,12 @@ template: '_base' ssl_name: 'test-ssl.local' redirect_https: true -# - name: 'owncloud.local' -# template: '_owncloud' + - name: 'test-ssl-proxy-protocol.local' + proto: ['http', 'https'] + http_proxy_protocol: true + https_proxy_protocol: true + template: '_base' + ssl_name: 'test-ssl.local' nginx_dh_length: 2048 roles: - ../../
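Review bot: The http→https redirect `server` block gets `proxy_protocol` from the same `__http_proxy_protocol` flag as the main vhost, which is the right choice, but the reason is not obvious to a reader: nginx appears to apply `proxy_protocol` per listening address:port rather than per server block, so a redirect block without it on a port the main vhost listens on with it would be misconfigured. A one-line comment above the `{% for port in __listen %}` loop would preserve that intent, e.g. `{# must match the main vhost's listen on this port: proxy_protocol is an address:port property in nginx #}`. The `server {` block continues past the end of this hunk.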
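Review bot: The new `test-ssl-proxy-protocol.local` vhost keeps the default `listen`/`listen_ssl` ports, so it shares 80 and 443 with the other test vhosts in this play (the visible `test-ssl.local` entry above it has no proxy-protocol flags), and nginx does not appear to let one address:port be PROXY-enabled for one server block and plain for another — the test will either be rejected or silently take whichever setting nginx binds first. Giving the new vhost its own ports, e.g. `listen: ['8080']` and `listen_ssl: ['8443']`, would make the test actually exercise the feature in isolation. It would also be worth asserting in the test that a plain (non-PROXY) request to those ports is refused, since that is the behaviour operators rely on.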