Setup nginx reverse proxy

2022-05-22 00:19:56 -04:00
parent cd11567164
commit acd2cefb1e
9 changed files with 159 additions and 1 deletions
--- a/roles/proxy/handlers/main.yml
+++ b/roles/proxy/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: Reload nginx
+  service:
+    name: nginx
+    state: reloaded
+  listen: reload_nginx
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -0,0 +1,35 @@
+- name: Install nginx
+  apt:
+    name: nginx
+    state: present
+    update_cache: true
+
+- name: Install nginx base configuration
+  template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+    mode: '0644'
+  notify: reload_nginx
+
+- name: Install nginx sites configuration
+  template:
+    src: server-nginx.conf.j2
+    dest: "/etc/nginx/conf.d/{{ item.name }}.conf"
+    mode: '0644'
+  loop: "{{ proxy }}"
+  notify: reload_nginx
+
+- name: Generate self-signed certificate
+  shell: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
+          -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
+          -keyout /etc/ssl/private/nginx-selfsigned.key \
+          -out    /etc/ssl/certs/nginx-selfsigned.crt'
+  args:
+    creates: /etc/ssl/certs/nginx-selfsigned.crt
+  notify: reload_nginx
+
+- name: Start nginx and enable on boot
+  service:
+    name: nginx
+    state: started
+    enabled: true
--- a/roles/proxy/templates/nginx.conf.j2
+++ b/roles/proxy/templates/nginx.conf.j2
@@ -0,0 +1,25 @@
+user www-data;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  include           /etc/nginx/mime.types;
+  default_type      application/octet-stream;
+  log_format        main '$remote_addr - $remote_user [$time_local]  $status '
+                         '"$request" $body_bytes_sent "$http_referer" '
+                         '"$http_user_agent" "$http_x_forwarded_for"';
+  access_log        /var/log/nginx/access.log  main;
+  server_tokens     off;
+  sendfile          on;
+  tcp_nopush        on;
+  keepalive_timeout 65;
+  server_names_hash_bucket_size 128;
+
+  include           /etc/nginx/conf.d/*.conf;
+}
--- a/roles/proxy/templates/server-nginx.conf.j2
+++ b/roles/proxy/templates/server-nginx.conf.j2
@@ -0,0 +1,14 @@
+server {
+  listen              443 ssl;
+  server_name         {{ item.domain }};
+  access_log          /var/log/nginx/{{ item.domain }}.log main;
+{% if not item.production %}
+  ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
+  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+{% endif %}
+  location / {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_pass {{ item.proxy_pass }};
+  }
+}