diff --git a/roles/reverse-proxy/README.md b/roles/reverse-proxy/README.md
new file mode 100644
index 0000000..ab83b7a
--- /dev/null
+++ b/roles/reverse-proxy/README.md
@@ -0,0 +1,5 @@
+Set up a basic nginx reverse proxy.
+
+NetBox config context should contain a proxy_pass property with the server address.
+
+Custom error page can be placed in /srv/http/error/index.html.
diff --git a/roles/reverse-proxy/tasks/main.yml b/roles/reverse-proxy/tasks/main.yml
new file mode 100644
index 0000000..8cbf5ce
--- /dev/null
+++ b/roles/reverse-proxy/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Set up nginx site
+  template:
+    dest: '/etc/nginx/http.d/{{ inventory_hostname }}.conf'
+    src: 'nginx.conf.j2'
+  notify: reload nginx
diff --git a/roles/reverse-proxy/templates/nginx.conf.j2 b/roles/reverse-proxy/templates/nginx.conf.j2
new file mode 100644
index 0000000..94c6276
--- /dev/null
+++ b/roles/reverse-proxy/templates/nginx.conf.j2
@@ -0,0 +1,28 @@
+server {
+    server_name {{ ([dns_name] + tls_domains|default([])) | join(" ") }};
+
+    listen [::]:443 ssl ipv6only=off;
+    ssl_certificate /etc/letsencrypt/live/{{ dns_name }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ dns_name }}/privkey.pem;
+
+    error_page 500 501 502 503 504 505 506 507 508 510 511 /error/;
+
+    location / {
+        proxy_pass {{ proxy_pass }};
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+
+        proxy_connect_timeout 30s;
+        proxy_max_temp_file_size 0;
+
+        # TODO maybe
+        #proxy_ssl_verify on;
+        #proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+    }
+
+    location /error/ {
+        root /srv/http;
+        try_files $uri $uri/index.html =503;
+    }
+}
diff --git a/setup.yml b/setup.yml
index cb68863..15efc69 100644
--- a/setup.yml
+++ b/setup.yml
@@ -66,3 +66,9 @@
     roles:
     - proxmox-backup
     - frr
+
+- hosts: web-front
+  roles:
+  - alpine
+  - nginx
+  - reverse-proxy
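Review bot: The template task renders `proxy_pass` from NetBox config context straight into an nginx directive without checking its shape, so a malformed or unexpected value (anything other than a single `http://`/`https://` URL) lands verbatim in `/etc/nginx/http.d/{{ inventory_hostname }}.conf` and can break or alter the site config. A guard task before the template, e.g. `- name: Validate proxy_pass` / `ansible.builtin.assert: { that: ["proxy_pass is match('^https?://[^;{} ]+$')"] }`, fails the play early with a clear message instead of a reload failure. The template task also sets no `mode:`; adding `mode: '0644'` makes the rendered file's permissions explicit rather than umask-dependent. The `reload nginx` handler it notifies is not defined in this role, so it presumably relies on the nginx role being in the same play — worth stating in the README or via `meta/main.yml` dependencies.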
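Review bot: The `location /` block leaves upstream certificate verification as a `# TODO maybe`, so when `proxy_pass` is an `https://` URL nginx accepts any certificate from the backend and the hop is effectively unauthenticated. Since the template already knows the scheme, the verification directives can be enabled conditionally; `proxy_ssl_verify on` also needs `proxy_ssl_server_name on` so SNI and the name check match the URL's host. The block also forwards `Host`, `X-Forwarded-For` and `X-Real-IP` but not the scheme, so the backend cannot tell the request arrived over TLS; `proxy_set_header X-Forwarded-Proto $scheme;` closes that gap. `X-Forwarded-For` uses `$proxy_add_x_forwarded_for`, which appends to any client-supplied header, so the backend should only trust the last entry. TLS protocol and cipher settings are not set here; if they are not in the global nginx config from the nginx role, they are missing entirely.
```nginx
    location / {
        proxy_pass {{ proxy_pass }};
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        # … unchanged: proxy_connect_timeout / proxy_max_temp_file_size …

{% if proxy_pass.startswith('https://') %}
        # verify the backend certificate when proxying over TLS
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_server_name on;
{% endif %}
    }
```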
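Review bot: The new `web-front` play lists `nginx` before `reverse-proxy`, and that order is load-bearing: the reverse-proxy role writes into `/etc/nginx/http.d/` and notifies a `reload nginx` handler that this commit does not define, so it presumably comes from the nginx role. A one-line comment above the play, `# reverse-proxy writes into /etc/nginx/http.d and needs the nginx role's handlers; keep nginx first`, records that so a later reorder does not silently break the role. If the nginx role is meant to be required, declaring it under `dependencies:` in the role's `meta/main.yml` would enforce it instead of relying on list order.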