Bind proxy_protocol on port

README.md

@@ -14,6 +14,8 @@ Features:
 - Preconfigured vhost templates (should work on many app)
 - Auto-configure HTTP2 on SSL/TLS vhosts
 - Manage dynamic modules (install and loading)
+- Deploy custom facts.d with sites config
+- Can listen with proxy protocol
 
 Requirements
 ------------

doc/vhost.md

@@ -28,6 +28,8 @@ Common
 - `ssl_name`: (D) name of the key used when using TLS/SSL. Optional when `proto` contains "https". If you don't set this value, it will search by `name`.
 - `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false".
 - `php_version` (O) Sepecify PHP version (5 or 7)
+- `http_proxy_protocol_port` (O) Enable proxy protocol on http port.
+- `https_proxy_protocol_port` (O) Enable proxy protocol on https port.
 
 (O): Optional
 (M): Mandatory

tasks/install_Debian.yml

@@ -4,6 +4,7 @@
   apt: >
     update_cache=yes
     cache_valid_time=3600
+  changed_when: false
 
 - name: APT | Force OpenSSL from backports (fix dependency break)
   apt: >
@@ -20,4 +21,3 @@
 
 - name: APT | Install python-passlib
   apt: pkg=python-passlib state=present
-

tasks/prepare.yml

@@ -19,6 +19,8 @@
     nginx_modules: "{{ shell_modules.stdout_lines }}"
 
 - name: FILE | Create folders
-  file: dest={{ item }} owner=root mode=0755 state=directory
+  file: dest="{{ item.dir }}" owner="{{ item.owner }}" mode="{{ item.mode }}" state=directory
   with_items: "{{ nginx_dirs }}"
 
+- name: FILE | Create ansible facts dir
+  file: path=/etc/ansible/facts.d state=directory

tasks/ssl.yml

@@ -6,6 +6,8 @@
     creates: "{{ nginx_dh_path }}"
   when: nginx_dh is not string
   notify: reload nginx
+  async: 1000
+  register: dh
 
 - name: COPY | Deploy DH file from vars
   copy: >
@@ -20,11 +22,13 @@
     state=directory
   with_items: "{{ nginx_ssl_pairs }}"
   when: item.dest_key is not defined or item.dest_cert is not defined
+  no_log: true
 
 - name: COPY | Deploy SSL keys
   copy: >
     content="{{ item.key }}"
     dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.key' if item.dest_key is not defined else item.dest_key }}"
+    mode=0640
   with_items: "{{ nginx_ssl_pairs }}"
   when: item.key is defined
   notify: reload nginx
@@ -34,7 +38,15 @@
   copy: >
     content="{{ item.cert }}"
     dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.crt' if item.dest_cert is not defined else item.dest_cert }}"
+    mode=0644
   with_items: "{{ nginx_ssl_pairs }}"
   when: item.cert is defined
   notify: reload nginx
+  no_log: true
 
+- name: Check DH command status
+  async_status: jid={{ dh.ansible_job_id }}
+  register: job_result
+  until: job_result.finished
+  retries: 30
+  when: nginx_dh is not string

tasks/vhost.yml

@@ -61,7 +61,7 @@
   file: path={{ nginx_etc_dir}}/sites-enabled/{{ item.filename | default(item.name if item.name is string else item.name[0]) }} state=absent
   with_items: "{{ nginx_vhosts }}"
   notify: ['reload nginx', 'restart nginx freebsd']
-  when: item.state is defined and item.state == 'disabled' 
+  when: item.state is defined and item.state == 'disabled'
 
 - name: FILE | Delete default vhost when explicitely defined
   file: >
@@ -77,3 +77,14 @@
     state=link
   notify: ['reload nginx', 'restart nginx freebsd']
   when: nginx_default_vhost is none
+
+- name: TEMPLATE | Deploy facts
+  template:
+    src=etc/ansible/facts.d/nginx.fact.j2
+    dest=/etc/ansible/facts.d/nginx.fact
+    mode=0644
+  register: fact
+
+- name: SETUP
+  action: setup
+  when: fact.changed

templates/etc/ansible/facts.d/nginx.fact.j2

@@ -0,0 +1,4 @@
+{
+       "fact_nginx_vhosts":
+       {{ nginx_vhosts | to_nice_json(indent=8) }}
+}

templates/etc/nginx/sites-available/_base.j2

@@ -1,7 +1,9 @@
 {% set __proto = item.proto | default(['http']) %}
 {% set __main_name =  item.filename | default(item.name if item.name is string else item.name[0]) %}
-{% set __listen = item.listen | default(['80']) %}
+{% set __listen = item.listen | default([80]) %}
-{% set __listen_ssl = item.listen_ssl | default(['443']) %}
+{% set __listen_ssl = item.listen_ssl | default([443]) %}
+{% set __http_proxy_protocol_port = item.http_proxy_protocol_port | default([]) %}
+{% set __https_proxy_protocol_port = item.https_proxy_protocol_port | default([]) %}
 {% set __location = item.location | default({}) %}
 {% set __headers = item.headers | default({'X-Frame-Options': 'DENY always', 'X-Content-Type-Options': 'nosniff always' }) %}
 {% set __ssl_name = item.ssl_name | default(item.name if item.name is string else item.name[0]) %}
@@ -28,12 +30,12 @@
 server {
 {% if 'http' in __proto %}
 {% for port in __listen %}
-	listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %};
+	listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %};
 {% endfor %}
 {% endif %}
 {% if 'https' in __proto %}
 {% for port in __listen_ssl %}
-	listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %};
+	listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %}{% if port | int in __https_proxy_protocol_port %} proxy_protocol{% endif %};
 {% endfor %}
 {{ ssl(__ssl_name) }}
 {% if item.ssl_template is not defined or item.ssl_template != false %}
@@ -140,7 +142,7 @@ server {
 #
 server {
 {% for port in __listen %}
-	listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %};
+	listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %};
 {% endfor %}
 	server_name {% if item.name is string %}{{ item.name }}{% else %}{{ "\n\t\t" }}{{ item.name | join("\n\t\t") }}{% endif %};
 	return 301 https://{{ __main_name }}{% if '443' not in __listen_ssl %}:{{ __listen_ssl[0] }}{% endif %}$request_uri;
@@ -154,7 +156,7 @@ server {
 #
 server {
 {% for port in __listen %}
-	listen {{ port }};
+	listen {{ port }}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %};
 {% endfor %}
 	server_name {% if item.redirect_from is string %}{{ item.redirect_from }}{% else %}{{ "\n\t\t" }}{{ item.redirect_from | join("\n\t\t") }}{% endif %};
 	return 301 $scheme://{{ __main_name }}$request_uri;

tests/test.yml

@@ -147,6 +147,7 @@
         location:
           '/hello':
             - htpasswd: 'hello'
+        use_error_log: true
       - name: 'test-htpasswd-all.local'
         template: '_base'
         htpasswd: 'hello'
@@ -185,7 +186,7 @@
         headers:
           'X-proxyfied': '1'
       - name: 'deleted.local'
-        state: 'absent' 
+        state: 'absent'
       - name: 'redirect-to.local'
         redirect_to: 'http://test.local'
       - name: 'backuppc.local'
@@ -209,9 +210,15 @@
         template: '_base'
         ssl_name: 'test-ssl.local'
         redirect_https: true
-#      - name: 'owncloud.local'
+      - name: 'test-ssl-proxy-protocol.local'
-#        template: '_owncloud'
+        proto: ['http', 'https']
-    nginx_dh_length: 1024
+        listen: [80, 20080]
+        listen_ssl: [443, 20443]
+        http_proxy_protocol_port: [20080]
+        https_proxy_protocol_port: [20443]
+        template: '_base'
+        ssl_name: 'test-ssl.local'
+    nginx_dh_length: 2048
   roles:
     - ../../
   post_tasks:
@@ -228,12 +235,18 @@
       with_items: ['test-php.local', 'test-php-index.local']
     - name: -- Add HTML file --
       copy: dest="{{ item }}/index.html" content="Index HTML test OK\n"
-      with_items: ['{{ nginx_root }}/first-test/public', '/var/tmp', '{{ nginx_root }}/test-htpasswd-all.local/public', '{{ nginx_root }}/test-ssl.local/public', '{{ nginx_root }}/test-ssl-predeployed.local/public']
+      with_items: ['{{ nginx_root }}/first-test/public', '/var/tmp', '{{ nginx_root }}/test-htpasswd-all.local/public', '{{ nginx_root }}/test-ssl.local/public', '{{ nginx_root }}/test-ssl-predeployed.local/public', '{{ nginx_root }}/test-ssl-proxy-protocol.local/public']
     - name: -- Create directory --
       file: path={{ nginx_root }}/test-htpasswd.local/public/hello state=directory
     - name: -- Add HTML file hello --
       copy: dest="{{ nginx_root }}/test-htpasswd.local/public/hello/index.html" content="hello\n"
 # --------------------------------
+# Test custom facts
+# --------------------------------
+    - name: -- CHECK FACTS --
+      assert:
+        that: "'{{ ansible_local.nginx.fact_nginx_vhosts[0].name[0] }}' == 'test.local'"
+# --------------------------------
 # Simple vhosts tests
 # --------------------------------
     - name: -- VERIFY VHOSTS --

vars/main.yml

@@ -23,9 +23,15 @@ nginx_upstream_server_params:
 #    min_version: '1.5.12'
 
 nginx_dirs:
-  - "{{ nginx_htpasswd_dir }}"
+  - dir: "{{ nginx_htpasswd_dir }}"
-  - "{{ nginx_ssl_dir }}"
+    mode: "0750"
-  - "{{ nginx_helper_dir }}"
+    owner: "{{ nginx_user }}"
+  - dir: "{{ nginx_ssl_dir }}"
+    mode: "0750"
+    owner: "root"
+  - dir: "{{ nginx_helper_dir }}"
+    mode: "0755"
+    owner: "root"
 
 nginx_templates_no_dir:
   - '_backuppc'