Example of ssl termination with nginx reverse proxy #7
Comments
You can take the examples and expand them with the dict objects taken from the templates defaults: https://github.com/nginxinc/ansible-role-nginx/blob/master/defaults/main/template.yml Something like this:
I left out ssl ciphers, dhparam, proxy_set_header etc. since I set them in the main config, but you can just take them from the examples or defaults. Same for using upstreams.
@xTrekStorex is totally right. At some stage I would also like to have working examples for most use cases covered in Molecule playbooks, including SSL (using self-signed certs) if possible.
I am trying to generate this config below with no luck. I wonder if it's supported. location /app1/ {
Should definitely work. Are you using the latest release or main? If on main, check https://github.com/nginxinc/ansible-role-nginx-config/blob/main/molecule/default/converge.yml#L153-L290 -- you'll see there are two location blocks with
I am also unable to configure a simple reverse proxy. In the example above I don't recognize the reverse_proxy: section. When I try to use proxy_pass instead of root on a server that I have defined I get
A working example would be appreciated.
The
Example:
This results in
Right. Try to update to the latest version of Jinja2. The templates require Jinja2
Thank you. Does it exist as a package for Ubuntu 20.04? Otherwise what is the recommended update method?
Jinja2 is a Python package. You can try running
Hello, having the same issue on Python 2.7 and Ansible 2.9.6:
On Python 3.6 and Ansible 2.9.6 everything works fine.
Variables:

```yaml
nginx_config_http_template_enable: true
nginx_config_http_template:
  - template_file: http/default.conf.j2
    conf_file_name: 50_example.com.conf
    conf_file_location: /etc/nginx/conf.d/
    servers:
      - listen:
          - ip: 0.0.0.0
            port: 80
          - ip: 0.0.0.0
            port: 443
            ssl: true
        ssl:
          cert: /etc/pki/tls/certs/example.com.crt
          key: /etc/pki/tls/private/example.com.key
        server_name: example.com
        error_page: /usr/share/nginx/html
        autoindex: false
        http_demo_conf: false
        access_log:
          - name: json
            location: /var/log/nginx/example.com-access.json.log
        error_log:
          level: warn
          location: /var/log/nginx/example.com-error.log
        locations:
          - location: /
            proxy_pass: http://127.0.0.1
            proxy:
              bind: false
              set_header:
                - field: Host
                  value: $host
                - field: X-Forwarded-For
                  value: $proxy_add_x_forwarded_for
                - field: X-Real-IP
                  value: $remote_addr
                - field: REMOTE_ADDR
                  value: $remote_addr
```
Results to: +#
+# Ansible managed
+#
+
+
+
+
+server {
+ listen 0.0.0.0:80;
+ listen 0.0.0.0:443 ssl;
+ server_name example.com;
+ ssl_certificate /etc/pki/tls/certs/example.com.crt;
+ ssl_certificate_key /etc/pki/tls/private/example.com.key;
+ location / {
+ proxy_bind off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header REMOTE_ADDR $remote_addr;
+
+ proxy_pass http://127.0.0.1;
+
+ }
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ access_log /var/log/nginx/example.com-access.json.log json;
+ error_log /var/log/nginx/example.com-error.log warn;
+}
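Review bot: the rendered server block terminates TLS on `listen 0.0.0.0:443 ssl;` but the same proxied `location /` is also served on `listen 0.0.0.0:80;` with no redirect, so the backend stays reachable over plaintext; it also sets no `ssl_protocols` or `ssl_ciphers`, so nginx's compiled-in defaults apply. If TLS-only access is the intent, move port 80 into its own server that only returns a 301 to https, and pin `protocols`/`ciphers` under the `ssl:` dict as the longer example later in this thread does.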
Try updating Jinja2. You are not using the latest release (v2.11).
@alessfg Thanks! There was no red output, so I didn't notice that I'm actually having troubles updating Jinja2 locally:
In a clean virtualenv with Python 2.7 and Jinja2 2.11.3 everything works fine:
Just for anyone looking for a currently working example:

```yaml
- template_file: http/default.conf.j2
  deployment_location: /etc/nginx/conf.d/name.conf
  config:
    upstreams:
      - name: name_example_com
        least_conn: true
        servers:
          - address: '172.16.20.55:80'
            weight: 5
    servers:
      - core:
          listen:
            - port: 80
          server_name:
            - name.example.com
        locations:
          - location: '/robots.txt'
            log_not_found: false # won't get set
            access:
              allow: 'all'
            log:
              access: false
          - location: '/'
            rewrite:
              return:
                code: 301
                url: 'https://$server_name:443$request_uri'
      - core:
          listen:
            - port: 443
              ssl: true
              http2: true
          server_name:
            - name.example.com
        ssl:
          certificate:
            - /etc/pki/tls/certs/name.example.com-rsa/name.example.com-rsa-fullchain.pem
            - /etc/pki/tls/certs/name.example.com-p-384/name.example.com-p-384-fullchain.pem
          certificate_key:
            - /etc/pki/tls/private/name.example.com-rsa/name.example.com-rsa.key
            - /etc/pki/tls/private/name.example.com-p-384/name.example.com-p-384.key
          trusted_certificate: '/etc/pki/tls/certs/name.example.com-p-384/name.example.com-p-384-chain.pem'
          dhparam: '/etc/pki/tls/misc/dhparam.crt'
          protocols:
            - TLSv1.2
            - TLSv1.3
          ciphers:
            - ECDHE-ECDSA-AES128-GCM-SHA256
            - ECDHE-RSA-AES128-GCM-SHA256
            - ECDHE-ECDSA-AES256-GCM-SHA384
            - ECDHE-RSA-AES256-GCM-SHA384
            - ECDHE-ECDSA-CHACHA20-POLY1305
            - ECDHE-RSA-CHACHA20-POLY1305
            - DHE-RSA-AES128-GCM-SHA256
            - DHE-RSA-AES256-GCM-SHA384
          ecdh_curve:
            - secp521r1
            - secp384r1
          prefer_server_ciphers: false
          # stapling: true
          # stapling_verify: true
          session_cache:
            shared:
              name: 'SSL'
              size: '10m'
          session_tickets: true
          session_timeout: '1d'
        access:
          allow:
            - 172.16.0.0/12
            - 10.255.255.0/24
          deny: 'all'
        headers:
          add_headers:
            - name: 'Strict-Transport-Security'
              value: '"max-age=63072000"'
              always: true
            - name: 'X-Frame-Options'
              value: '"SAMEORIGIN"'
              always: false
          add_trailers:
            - name: 'Strict-Transport-Security'
              value: '"max-age=63072000"'
              always: true
            - name: 'X-Frame-Options'
              value: '"SAMEORIGIN"'
              always: false
        log:
          access:
            - path: '/var/log/nginx/name_access.log'
              format: 'main'
          error:
            - /var/log/nginx/name_error.log
        locations:
          - location: '/'
            proxy:
              pass: 'http://name_example_com'
              connect_timeout: '1s'
              bind: false
              set_header:
                - field: 'Host'
                  value: '$host'
                - field: 'X-Forwarded-For'
                  value: '$proxy_add_x_forwarded_for'
                - field: 'X-Real-IP'
                  value: '$remote_addr'
                - field: 'REMOTE_ADDR'
                  value: '$remote_addr'
```
But how do I get a nested location block like this:
The role in its current iteration does not allow for nested location blocks. You can probably achieve what you want with a little bit of code duplication by creating two different location blocks. Alternatively, and given that you are also using an
Thanks for that reply. I already utilize But I didn't come up with the idea to use them for the entire This did the trick!
That's pretty useful! I feel there's truly a need to have a simple sample configuration here. I tried the above and it just did zlit here. I have the following playbook:

```yaml
---
- name: Prometheus installation
  hosts: prometheus
  tasks:
    - name: Install NGINX
      ansible.builtin.include_role:
        name: nginxinc.nginx
      vars:
        nginx_manage_repo: false
        nginx_install_from: "os_repository"
    - name: Configure NGINX
      ansible.builtin.include_role:
        name: nginxinc.nginx_core.nginx_config
      vars:
        nginx_config_debug_output: false
        nginx_config_cleanup: false
        nginx_config_http_template_enable: true
        nginx_config_http_template:
          - template_file: http/default.conf.j2
            conf_file_name: prometheus.debian.net.conf
            conf_file_location: /etc/nginx/conf.d/
            backup: true
            servers:
              - core:
                  listen:
                    - port: 80
                    - port: 443
                      ssl: true
                  server_name:
                    - prometheus.debian.net
                ssl:
                  certificate:
                    - /etc/letsencrypt/live/prometheus.debian.net/fullchain.pem
                  certificate_key:
                    - /etc/letsencrypt/live/prometheus.debian.net/privkey.pem
                server_name: prometheus.debian.net
                error_page: /usr/share/nginx/html
                autoindex: false
                http_demo_conf: false
                log:
                  access:
                    - path: /var/log/nginx/prometheus.debian.net_access.log
                      format: combined
                  error:
                    - /var/log/nginx/prometheus.debian.net_error.log
                locations:
                  - location: /
                    proxy:
                      pass: http://localhost:9090
```

This doesn't even create a
So could we please have an up-to-date, minimalist configuration people could derive from? It's really nice to have the full details of all the possible configuration items, but we get totally lost in that YAML file there...
Actually, this works now:

```yaml
---
- name: Prometheus installation
  hosts: prometheus
  tasks:
    - name: Install NGINX
      ansible.builtin.include_role:
        name: nginxinc.nginx
      vars:
        nginx_manage_repo: false
        nginx_install_from: "os_repository"
    - name: Configure NGINX
      ansible.builtin.include_role:
        name: nginxinc.nginx_core.nginx_config
      vars:
        nginx_config_http_template_enable: true
        nginx_config_http_template:
          - template_file: http/default.conf.j2
            deployment_location: /etc/nginx/conf.d/prometheus.debian.net.conf
            config:
              servers:
                - core:
                    listen:
                      - port: 80
                      - port: 443
                        ssl: true
                    server_name:
                      - prometheus.debian.net
                  ssl:
                    certificate:
                      - /etc/letsencrypt/live/prometheus.debian.net/fullchain.pem
                    certificate_key:
                      - /etc/letsencrypt/live/prometheus.debian.net/privkey.pem
                  server_name: prometheus.debian.net
                  log:
                    access:
                      - path: /var/log/nginx/prometheus.debian.net_access.log
                        format: combined
                    error:
                      - /var/log/nginx/prometheus.debian.net_error.log
                  locations:
                    - location: /
                      proxy:
                        pass: http://localhost:9090
```

That's as minimal as it gets, and I think that something like this should be an example directly linked from the readme, if not directly in the readme file...
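Once the role has rendered a server block, the question a practitioner wants answered is whether the result actually terminates TLS safely. The script below is an added example, not code from the ansible-role-nginx-config project or from anyone in this thread: it parses an nginx server block and flags the hygiene gaps that the minimal "works now" config above leaves open (a plaintext port 80 that still serves the app, unpinned `ssl_protocols`, no HSTS, no `Host`/`X-Forwarded-Proto` headers toward the backend). Both sample configs are constructed by hand to resemble what the thread's YAML would render to; they are not the role's real template output, and the finding codes are this example's own.

```python
"""Audit a rendered nginx server block for SSL-termination + reverse-proxy hygiene.

Added example, not code from the ansible-role-nginx-config project. The two
sample configs are constructed by hand to resemble what the thread's YAML
renders to; they are not the role's actual template output.
"""

# Constructed sample: roughly the "as minimal as it gets" YAML from the thread
# (one server, listen 80 and 443 ssl, proxy_pass to a local backend).
MINIMAL_CONF = """
server {
    listen 80;
    listen 443 ssl;
    server_name prometheus.debian.net;
    ssl_certificate /etc/letsencrypt/live/prometheus.debian.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/prometheus.debian.net/privkey.pem;
    location / {
        proxy_pass http://localhost:9090;
    }
    access_log /var/log/nginx/prometheus.debian.net_access.log combined;
    error_log /var/log/nginx/prometheus.debian.net_error.log;
}
"""

# Constructed sample: same setup with the hardening the longer example in the
# thread applies (redirect-only port 80, pinned protocols, HSTS, proxy headers).
HARDENED_CONF = """
server {
    listen 80;
    server_name prometheus.debian.net;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name prometheus.debian.net;
    ssl_certificate /etc/letsencrypt/live/prometheus.debian.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/prometheus.debian.net/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=63072000" always;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:9090;
    }
}
"""


def parse(conf):
    """Line-oriented nginx config parser: one directive or one brace per line.
    Returns a tree of {"directives": [(name, args)], "blocks": [(name, args, node)]}."""
    root = {"directives": [], "blocks": []}
    stack = [root]
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            head = line[:-1].split()
            node = {"directives": [], "blocks": []}
            stack[-1]["blocks"].append((head[0], head[1:], node))
            stack.append(node)
        elif line.endswith(";"):
            parts = line[:-1].split()
            stack[-1]["directives"].append((parts[0], parts[1:]))
    return root


def all_directives(node):
    """Yield every (name, args) in a block, descending into nested blocks."""
    yield from node["directives"]
    for _, _, sub in node["blocks"]:
        yield from all_directives(sub)


def audit(conf):
    """Return sorted finding codes (this example's own names) for every server{} block."""
    findings = set()
    for name, _, server in parse(conf)["blocks"]:
        if name != "server":
            continue
        directives = list(all_directives(server))
        names = {n for n, _ in directives}
        listens = [a for n, a in server["directives"] if n == "listen"]
        tls = any("ssl" in a for a in listens)
        plain = any("ssl" not in a for a in listens)
        redirects = any(n == "return" and a and a[0] in ("301", "308")
                        for n, a in directives)
        # A plaintext listener that serves the app instead of redirecting
        # means the TLS termination can be bypassed entirely.
        if plain and not redirects:
            findings.add("PLAINTEXT_LISTENER")
        if tls:
            if "ssl_protocols" not in names:
                findings.add("SSL_PROTOCOLS_UNPINNED")  # nginx default applies
            if not any(n == "add_header" and a and a[0].lower() == "strict-transport-security"
                       for n, a in directives):
                findings.add("NO_HSTS")
        if "proxy_pass" in names:
            hdrs = {a[0].lower() for n, a in directives if n == "proxy_set_header" and a}
            if "host" not in hdrs:
                findings.add("NO_HOST_HEADER")        # backend sees $proxy_host instead
            if "x-forwarded-proto" not in hdrs:
                findings.add("NO_X_FORWARDED_PROTO")  # backend cannot tell it was TLS
    return sorted(findings)


if __name__ == "__main__":
    for label, conf in (("minimal", MINIMAL_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "clean")
```

Run it against the file the role writes (for the minimal playbook, `/etc/nginx/conf.d/prometheus.debian.net.conf`) after `nginx -t` passes; the parser assumes the one-directive-per-line layout the role's templates emit and is not a general nginx parser.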
I agree! Working on/improving how some use cases are documented is one of the next items in my bucket list (I want to adapt the model used in the core nginx role). I can't promise an exact date but hopefully it'll be within the next month 😁
Is your feature request related to a problem? Please describe.
Kind of. I wish to terminate ssl with nginx, and simultaneously apply it as a reverse proxy. I do not see an example of this in the docs, even though I think it is a pretty common scenario.
Describe the solution you'd like
Just an example configuration on how to terminate ssl with reverse proxy
Describe alternatives you've considered
I've considered applying nginx reverse proxy with ssl termination without this role. Like just manually configuring nginx, if it is too hard with this.