Merge pull request #1 from CoffeeITWorks/ssl_nginx_servers

Ssl nginx servers

README.md

@@ -121,6 +121,65 @@ nginx_reverse_proxy_proxies:
 
 ```
 
+Example adding ssl reverse proxy support
+----------------------------------------
+
+First add a task in your playbook to extract the ssl files
+
+```yaml
+- name: Apply tasks for docker nginx servers
+  hosts: docker_nginx_servers
+  become: yes
+  environment: "{{ proxy_env }}"
+  tasks:
+    - name: Install Unzip required for unarchive
+      package:
+        name: ["unzip","tar"]
+        state: present
+    - name: install docker ansible dependencies
+      pip:
+        name: docker-py
+        state: present
+    - name: Download SSL Certificate bundle
+      environment: 
+        http_proxy: ''
+        https_proxy: ''
+      # Example getting the file from gitlab api
+      # you can also use unarchive or get_url module
+      shell: "wget --header='PRIVATE-TOKEN: {{ VAULT_DOCKER_NGINX_SERVERS_VAULT_FILES_TOKEN }}' 'http://exampledomain.com/api/v4/projects/50/repository/files/ssl-certificate.tar.gz/raw?ref=master' -O /tmp/ssl-certificate.tar.gz"
+      changed_when: False
+      no_log: True
+    - name: Unarchive SSL Certificate to ssl folder
+      unarchive:
+        src: /tmp/ssl-certificate.tar.gz
+        dest: /etc/ssl
+        remote_src: yes        
+```
+
+```yaml
+# Remmember also to modify nginx_exposed_volumes to allow access to the files
+nginx_reverse_proxy_proxies_ssl:
+  - config_name: app2proxy
+    backend_name: my-backend-2
+    backends:
+      - localhost:1882
+      - localhost:1883 backup  # will act as backup, and nginx only passes traffic when primary is unavailable.
+    domains:
+      - app2.192.168.88.10.xip.io
+    balancer_config: least_conn; # Important to add semicolon at the end ; if not the config will break
+
+nginx_reverse_proxy_ssl_crt:  '/etc/ssl/exampledomain_com.crt'
+nginx_reverse_proxy_ssl_key:  '/etc/ssl/exampledomain_com.key'
+
+nginx_exposed_volumes:
+  - "{{ nginx_base_directory }}/nginx.conf:/etc/nginx/nginx.conf:ro"
+  - "{{ nginx_base_directory }}/defaults:/usr/share/nginx/html:ro"
+  - "{{ nginx_reverse_proxy_config_directory }}:/etc/nginx/conf.d:ro"
+  - "/etc/ssl/exampledomain_com.crt:/etc/ssl/exampledomain_com.crt:ro"
+  - "/etc/ssl/exampledomain_com.key:/etc/ssl/exampledomain_com.key:ro"
+
+```
+
 License
 -------
 

defaults/main.yml

@@ -7,13 +7,20 @@ nginx_static_html_directory: 'defaults'
 
 nginx_reverse_proxy_proxies: []
 
+# Remmember also to modify nginx_exposed_volumes to allow access to the files
+nginx_reverse_proxy_proxies_ssl: []
+nginx_reverse_proxy_ssl_crt:  '/etc/ssl/exampledomain_com.crt'
+nginx_reverse_proxy_ssl_key:  '/etc/ssl/exampledomain_com.key'
+
 nginx_custom_conf: []
 
 nginx_exposed_ports:
   - '80'
+  - '443'
 
 nginx_published_ports:
   - '80:80'
+  - '443:443'
 
 nginx_exposed_volumes:
   - "{{ nginx_base_directory }}/nginx.conf:/etc/nginx/nginx.conf:ro"

tasks/main.yml

@@ -51,6 +51,13 @@
   with_items: "{{ nginx_reverse_proxy_proxies }}"
   notify: 'restart-docker-nginx'
 
+- name: deploy reverse proxy configurations ssl
+  template:
+    src: reverse-proxy-ssl.conf.j2
+    dest: "{{ nginx_reverse_proxy_config_directory }}/{{ item.config_name }}.conf"
+  with_items: "{{ nginx_reverse_proxy_proxies_ssl }}"
+  notify: 'restart-docker-nginx'
+
 - name: deploy custom conf files
   template:
     src: custom-config.conf.j2

templates/reverse-proxy-ssl.conf.j2

@@ -0,0 +1,72 @@
+# {{ ansible_managed }}
+
+upstream {{ item.backend_name }} {
+    {% if item.balancer_config is defined %}
+    {{ item.balancer_config }}
+    {% endif %}
+    {% for backend in item.backends %}
+    server {{ backend }};
+    {% endfor %}
+}
+
+access_log /var/log/nginx/nginx.vhost.access.log;
+error_log /var/log/nginx/nginx.vhost.error.log;
+
+server {
+    listen 80;
+    server_name {{ item.domains|join(' ') }};
+    return 301 https://$host$request_uri;
+
+}
+
+server {
+    listen 443 ssl;
+    server_name {{ item.domains|join(' ') }};
+    ssl_certificate {{ nginx_reverse_proxy_ssl_crt }};
+    ssl_certificate_key {{ nginx_reverse_proxy_ssl_key }};
+    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+    ssl_prefer_server_ciphers on;
+    proxy_next_upstream error timeout http_404 http_500 http_502 http_503;
+
+    access_log /var/log/nginx/nginx.vhost.access.log;
+    error_log /var/log/nginx/nginx.vhost.error.log;
+
+{% if item.root_redirect_location is defined %}
+    location / {
+        include       /etc/nginx/mime.types;
+        return 301 https://$host{{ item.root_redirect_location }};
+    }
+{% else %}
+    location / {
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   Host      $http_host;
+        proxy_set_header   X-Forwarded-Host   $http_host;
+        proxy_set_header   X-Forwarded-Proto  $scheme;
+        proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_pass         http://{{ item.backend_name }}$request_uri;
+
+        include       /etc/nginx/mime.types;
+    }
+{% endif %}
+
+{% if item.locations is defined %}
+{% for location in item.locations %}
+    # refs: https://superuser.com/questions/689885/make-nginx-reverse-proxy-302-redirect-to-a-uri-sub-folder-instead-of-root
+    location ^~ {{ location }} {
+      proxy_pass         http://{{ item.backend_name }}{{ location }};
+      proxy_redirect    default;
+
+      proxy_set_header          Host               $http_host;
+      proxy_set_header          X-Real-IP          $remote_addr;
+      proxy_set_header          X-Forwarded-Host   $http_host;
+      proxy_set_header          X-Forwarded-For    $proxy_add_x_forwarded_for;
+      proxy_set_header          X-Forwarded-Proto  $scheme;
+      proxy_buffer_size         128k;
+      proxy_buffers             8 128k;
+      proxy_busy_buffers_size   256k;
+    }
+{% endfor %}
+{% endif %}
+
+}