From 6eaf509ff3a06b47983fe4ad04e56655d8d32701 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sun, 3 May 2020 15:19:29 +0200
Subject: [PATCH] [nginx] Reverse WebSocket
---
 network.yml | 2 +-
 roles/nginx-reverseproxy/tasks/main.yml | 7 +++++--
 .../nginx/sites-available/reverseproxy.j2 | 13 ++++++++-----
 .../nginx/snippets/options-proxypass.conf.j2 | 17 +++++++++++++++++
 4 files changed, 31 insertions(+), 8 deletions(-)
 create mode 100644 roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
diff --git a/network.yml b/network.yml
index 8f70b911..23160615 100755
--- a/network.yml
+++ b/network.yml
@@ -74,7 +74,7 @@
 # Services web Crans
 - {from: lutim.crans.org, to: 10.231.136.69}
 - {from: zero.crans.org, to: 10.231.136.76}
- - {from: pad.crans.org, to: 10.231.136.76}
+ - {from: pad.crans.org, to: "10.231.136.76:9001"}
 - {from: ethercalc.crans.org, to: 10.231.136.203}
 - {from: mediadrop.crans.org, to: 10.231.136.106}
 - {from: videos.crans.org, to: 10.231.136.106}
diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml
index 55af7c18..5a0e298f 100644
--- a/roles/nginx-reverseproxy/tasks/main.yml
+++ b/roles/nginx-reverseproxy/tasks/main.yml
@@ -11,8 +11,11 @@
 - name: Copy snippets
 template:
- src: nginx/snippets/options-ssl.conf.j2
- dest: /etc/nginx/snippets/options-ssl.conf
+ src: "nginx/snippets/{{ item }}.j2"
+ dest: "/etc/nginx/snippets/{{ item }}"
+ loop:
+ - options-ssl.conf
+ - options-proxypass.conf
 - name: Copy dhparam
 template:
diff --git a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
index 50ef7b2e..52a278bf 100644
--- a/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
+++ b/roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2
@@ -1,5 +1,12 @@
 {{ ansible_header | comment }}
+# Automatic Connection header for WebSocket support
+# See http://nginx.org/en/docs/http/websocket.html
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
 {% for site in nginx.reverseproxy_sites %}
 # Redirect http://{{ site.from }} to https://{{ site.from }}
 server {
@@ -41,12 +48,8 @@ server {
 real_ip_header P-Real-Ip;
 location / {
- proxy_set_header Host {{ site.from }};
- proxy_set_header P-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https;
- proxy_redirect off;
 proxy_pass http://{{ site.to }};
+ include "/etc/nginx/snippets/options-proxypass.conf";
 }
 }
diff --git a/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
new file mode 100644
index 00000000..a14f3b7f
--- /dev/null
+++ b/roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
@@ -0,0 +1,17 @@
+{{ ansible_header | comment }}
+
+proxy_redirect off;
+proxy_set_header Host $host;
+
+# Pass the real client IP
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+# Tell proxified server that we are HTTPS, fix Wordpress
+proxy_set_header X-Forwarded-Proto https;
+
+# WebSocket support
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+
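Review bot: In the `@@ -41,12 +48,8 @@` hunk of reverseproxy.j2, the removed `proxy_set_header P-Real-IP $remote_addr;` gets no replacement: the included snippet sets `X-Real-IP`, while the context line `real_ip_header P-Real-Ip;` shows the role still reads the old name. nginx passes through request headers it is not told to override, so a `P-Real-IP` value supplied by a client now reaches the backend unchanged, and a backend that still trusts that header from the proxy (not visible in this diff) would record a forgeable address. Keep `proxy_set_header P-Real-IP $remote_addr;` in options-proxypass.conf until every backend reads `X-Real-IP`, or clear it there with `proxy_set_header P-Real-IP "";`. The server block starts before this hunk.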
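Review bot: In the new options-proxypass.conf.j2, `proxy_set_header Host $host;` replaces the fixed `Host {{ site.from }}` that reverseproxy.j2 sent before, so the upstream Host now follows the request instead of the configured site name. Whether that value is client-influenced depends on the `server_name` and default-server setup, which are outside this diff; if any of these blocks can answer for another name, the backend will build links and redirects from it. Because the shared snippet cannot see `site.from`, I would drop the Host line from the snippet and keep `proxy_set_header Host {{ site.from }};` beside the `include` in the `location /` block.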