Manage proxy protocol

pull/2/merge
Emilien Mantel 2017-01-03 11:16:28 +01:00
parent f2cfae31b1
commit 684c794566
4 changed files with 15 additions and 6 deletions

View File

@ -15,6 +15,7 @@ Features:
- Auto-configure HTTP2 on SSL/TLS vhosts - Auto-configure HTTP2 on SSL/TLS vhosts
- Manage dynamic modules (install and loading) - Manage dynamic modules (install and loading)
- Deploy custom facts.d with sites config - Deploy custom facts.d with sites config
- Can listen with proxy protocol
Requirements Requirements
------------ ------------

View File

@ -28,6 +28,8 @@ Common
- `ssl_name`: (D) name of the key used when using TLS/SSL. Optional when `proto` contains "https". If you don't set this value, it will search by `name`. - `ssl_name`: (D) name of the key used when using TLS/SSL. Optional when `proto` contains "https". If you don't set this value, it will search by `name`.
- `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false". - `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false".
- `php_version` (O) Sepecify PHP version (5 or 7) - `php_version` (O) Sepecify PHP version (5 or 7)
- `http_proxy_protocol` (O) Enable proxy protocol on http listen (default: false)
- `https_proxy_protocol` (O) Enable proxy protocol on https listen (default: false)
(O): Optional (O): Optional
(M): Mandatory (M): Mandatory

View File

@ -2,6 +2,8 @@
{% set __main_name = item.filename | default(item.name if item.name is string else item.name[0]) %} {% set __main_name = item.filename | default(item.name if item.name is string else item.name[0]) %}
{% set __listen = item.listen | default(['80']) %} {% set __listen = item.listen | default(['80']) %}
{% set __listen_ssl = item.listen_ssl | default(['443']) %} {% set __listen_ssl = item.listen_ssl | default(['443']) %}
{% set __http_proxy_protocol = item.http_proxy_protocol | default(false) %}
{% set __https_proxy_protocol = item.https_proxy_protocol | default(false) %}
{% set __location = item.location | default({}) %} {% set __location = item.location | default({}) %}
{% set __headers = item.headers | default({'X-Frame-Options': 'DENY always', 'X-Content-Type-Options': 'nosniff always' }) %} {% set __headers = item.headers | default({'X-Frame-Options': 'DENY always', 'X-Content-Type-Options': 'nosniff always' }) %}
{% set __ssl_name = item.ssl_name | default(item.name if item.name is string else item.name[0]) %} {% set __ssl_name = item.ssl_name | default(item.name if item.name is string else item.name[0]) %}
@ -28,12 +30,12 @@
server { server {
{% if 'http' in __proto %} {% if 'http' in __proto %}
{% for port in __listen %} {% for port in __listen %}
listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %}; listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %}{% if __http_proxy_protocol %} proxy_protocol{% endif %};
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if 'https' in __proto %} {% if 'https' in __proto %}
{% for port in __listen_ssl %} {% for port in __listen_ssl %}
listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %}; listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %}{% if __https_proxy_protocol %} proxy_protocol{% endif %};
{% endfor %} {% endfor %}
{{ ssl(__ssl_name) }} {{ ssl(__ssl_name) }}
{% if item.ssl_template is not defined or item.ssl_template != false %} {% if item.ssl_template is not defined or item.ssl_template != false %}
@ -140,7 +142,7 @@ server {
# #
server { server {
{% for port in __listen %} {% for port in __listen %}
listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %}; listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %}{% if __http_proxy_protocol %} proxy_protocol{% endif %};
{% endfor %} {% endfor %}
server_name {% if item.name is string %}{{ item.name }}{% else %}{{ "\n\t\t" }}{{ item.name | join("\n\t\t") }}{% endif %}; server_name {% if item.name is string %}{{ item.name }}{% else %}{{ "\n\t\t" }}{{ item.name | join("\n\t\t") }}{% endif %};
return 301 https://{{ __main_name }}{% if '443' not in __listen_ssl %}:{{ __listen_ssl[0] }}{% endif %}$request_uri; return 301 https://{{ __main_name }}{% if '443' not in __listen_ssl %}:{{ __listen_ssl[0] }}{% endif %}$request_uri;
@ -154,7 +156,7 @@ server {
# #
server { server {
{% for port in __listen %} {% for port in __listen %}
listen {{ port }}; listen {{ port }}{% if __http_proxy_protocol %} proxy_protocol{% endif %};
{% endfor %} {% endfor %}
server_name {% if item.redirect_from is string %}{{ item.redirect_from }}{% else %}{{ "\n\t\t" }}{{ item.redirect_from | join("\n\t\t") }}{% endif %}; server_name {% if item.redirect_from is string %}{{ item.redirect_from }}{% else %}{{ "\n\t\t" }}{{ item.redirect_from | join("\n\t\t") }}{% endif %};
return 301 $scheme://{{ __main_name }}$request_uri; return 301 $scheme://{{ __main_name }}$request_uri;

View File

@ -210,8 +210,12 @@
template: '_base' template: '_base'
ssl_name: 'test-ssl.local' ssl_name: 'test-ssl.local'
redirect_https: true redirect_https: true
# - name: 'owncloud.local' - name: 'test-ssl-proxy-protocol.local'
# template: '_owncloud' proto: ['http', 'https']
http_proxy_protocol: true
https_proxy_protocol: true
template: '_base'
ssl_name: 'test-ssl.local'
nginx_dh_length: 2048 nginx_dh_length: 2048
roles: roles:
- ../../ - ../../