crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

[nginx] Define proper set_realip_from 

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
certbot_on_virtu
Yohann D'ANELLO 2021-02-22 18:55:10 +01:00 committed by ynerant
parent 3b79c0177c
commit 82119c746e
5 changed files with 61 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
group_vars/nginx.yml
View File

@ -26,4 +26,7 @@ glob_nginx:
default_server: default_server:
default_ssl_server: default_ssl_server:
default_ssl_domain: crans.org default_ssl_domain: crans.org
real_ip_from:
- "172.16.0.0/16"
- "2a0c:700:0:2::/64"
deploy_robots_file: false deploy_robots_file: false

20
roles/nginx/templates/nginx/sites-available/redirect.j2
View File

@ -8,6 +8,11 @@ server {
server_name {{ site.from }}; server_name {{ site.from }};
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / { location / {
return 302 http://{{ site.to }}$request_uri; return 302 http://{{ site.to }}$request_uri;
} }
@ -23,6 +28,11 @@ server {
# SSL common conf # SSL common conf
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf"; include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / { location / {
return 302 https://{{ site.to }}$request_uri; return 302 https://{{ site.to }}$request_uri;
} }
@ -42,6 +52,11 @@ server {
server_name {{ from }}; server_name {{ from }};
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / { location / {
return 302 http://{{ site.to }}$request_uri; return 302 http://{{ site.to }}$request_uri;
} }
@ -57,6 +72,11 @@ server {
# SSL common conf # SSL common conf
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf"; include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / { location / {
return 302 https://{{ site.to }}$request_uri; return 302 https://{{ site.to }}$request_uri;
} }

10
roles/nginx/templates/nginx/sites-available/reverseproxy.j2
View File

@ -15,6 +15,11 @@ server {
server_name {{ site.from }}; server_name {{ site.from }};
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / { location / {
return 302 https://$host$request_uri; return 302 https://$host$request_uri;
} }
@ -43,8 +48,9 @@ server {
root /var/www/html; root /var/www/html;
} }
set_real_ip_from 10.231.136.0/24; {% for realip in nginx.real_ip_from %}
set_real_ip_from 2a0c:700:0:2::/64; set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip; real_ip_header P-Real-Ip;
location / { location / {

10
roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
View File

@ -12,6 +12,11 @@ server {
server_name {{ from }}; server_name {{ from }};
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / { location / {
return 302 http://{{ to }}$request_uri; return 302 http://{{ to }}$request_uri;
} }
@ -27,6 +32,11 @@ server {
# SSL common conf # SSL common conf
include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf"; include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / { location / {
return 302 https://{{ to }}$request_uri; return 302 https://{{ to }}$request_uri;
} }

20
roles/nginx/templates/nginx/sites-available/service.j2
View File

@ -27,6 +27,11 @@ server {
# Hide Nginx version # Hide Nginx version
server_tokens off; server_tokens off;
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / { location / {
return 302 https://{{ nginx.default_ssl_server }}$request_uri; return 302 https://{{ nginx.default_ssl_server }}$request_uri;
} }
@ -45,6 +50,11 @@ server {
# Hide Nginx version # Hide Nginx version
server_tokens off; server_tokens off;
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / { location / {
return 302 http://{{ nginx.default_server }}$request_uri; return 302 http://{{ nginx.default_server }}$request_uri;
} }
@ -64,6 +74,11 @@ server {
# Hide Nginx version # Hide Nginx version
server_tokens off; server_tokens off;
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
location / { location / {
return 302 https://$host$request_uri; return 302 https://$host$request_uri;
} }
@ -86,6 +101,11 @@ server {
# Hide Nginx version # Hide Nginx version
server_tokens off; server_tokens off;
{% for realip in nginx.real_ip_from %}
set_real_ip_from {{ realip }};
{% endfor %}
real_ip_header P-Real-Ip;
{% if server.root is defined %}root {{ server.root }};{% endif %} {% if server.root is defined %}root {{ server.root }};{% endif %}
{% if server.index is defined %}index {{ server.index|join(" ") }};{% endif %} {% if server.index is defined %}index {{ server.index|join(" ") }};{% endif %}