Ansible-role-nginx-config: Example of ssl termination with nginx reverse proxy
Is your feature request related to a problem? Please describe.
Kind of. I wish to terminate ssl with nginx, and simultaneously apply it as reverse proxy. I do not see an example of this in the docs, even I think it is pretty common scenario.
Describe the solution you'd like
Just an example configuration on how to terminate ssl with reverse proxy
Describe alternatives you've considered
I've considered applying nginx reverse proxy with ssl termination without this role. Like just manually configuring nginx, if it is too hard with this.
VilleMiekkoja
All 13 comments
You can take the examples and expand them with the dict objects taken from the templates defaults: https://github.com/nginxinc/ansible-role-nginx/blob/master/defaults/main/template.yml
Something like this:
nginx_http_template_enable: true
nginx_http_template:
jira_mydomain_net:
conf_file_name: jira_mydomain_net.conf
servers:
first:
listen:
listen_public:
ip: 0.0.0.0
port: 443
ssl: true
server_name: jira.mydomain.net
ssl:
cert: /etc/ssl/certs/jira.mydomain.net.crt
key: /etc/ssl/private/jira.mydomain.net.key
access_log:
- name: combined
location: /var/log/nginx/jira.mydomain.net_access.log
error_log:
location: /var/log/nginx/jira.mydomain.net_error.log
level: warn
reverse_proxy:
locations:
default:
location: /
proxy_pass: http://jira01.local.mydomain.net:8080
I left out ssl ciphers, dhparam, proxy_set_header etc since I set them in the main config, but you can just take them from the examples or defaults. Same for using upstreams.
xTrekStorex
on 24 May 2020
@xTrekStorex is totally right. At some stage I would also like to have working examples for most use cases covered in Molecule playbooks, including SSL (using self-signed certs) if possible.
alessfg
on 25 May 2020
I am trying to generate this config below with no luck. I wonder if its supported.
location /app1/ {
proxy_pass http://localhost:6000;
}
location /app2/ {
proxy_pass http://localhost:5000;
}
vietcgi
on 4 Mar 2021
Should definitely work. Are you using the latest release or main? If on main, check https://github.com/nginxinc/ansible-role-nginx-config/blob/main/molecule/default/converge.yml#L153-L290 -- you'll see there's two location blocks with proxy_pass. You can delete all the other variables that are being tested and set the values you mentioned for location and proxy_pass. (Side note: might want to create a new issue, your question is not related to ssl as far as I can tell.)
alessfg
on 5 Mar 2021
I am also unable to configure a simple reverse proxy. In the example above I don't recognize the
reverse_proxy:
section.
When I try to use proxy_pass instead of root on a server that I have defined I get
TemplateAssertionError: no test named 'boolean'
A working example would be appreciated.
ghomem
on 23 Mar 2021
The reverse_proxy section no longer exists. It got refactored into the proxy dictionaries you can now find on main (and 0.4.0). Did you check the molecule examples in the previous comment? In addition, proxy_pass is not allowed within a server context. It always has to be inside a location https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass.
alessfg
on 23 Mar 2021
Example:
nginx_config_http_template_enable: true
nginx_config_http_template:
- template_file : http/default.conf.j2
conf_file_name : '{{ my_server_name }}.conf'
conf_file_location: /etc/nginx/conf.d/
servers:
- listen:
- port: 443
ssl : true
opts: []
server_name: '{{ my_server_name }}'
ssl:
cert : '/etc/ssl/certs/{{ my_ssl_prefix }}.nginx.bundle.crt'
key : '/etc/ssl/private/{{ my_ssl_prefix }}.key'
protocols : '{{ NGINX_PROTOCOLS }}'
prefer_server_ciphers: true
ciphers : '{{ NGINX_CIPHERS }}'
stapling : true
stapling_verify : true
autoindex : false
locations :
- location: /
root : '{{ my_root_folder }}'
- location: /backend
proxy_pass: http://127.0.0.1:8080/
proxy:
set_header:
- field: Host
value: $host
- field: X-Real-IP
value: $remote_addr
- field: X-Forwarded-For
value: $proxy_add_x_forwarded_for
- field: X-Forwarded-Proto
value: $scheme
This results in
failed: [testing-snap05.MYDOMAIN.TLD] (item={'template_file': 'http/default.conf.j2', 'conf_file_name': 'testing-snap05.staging.MYDOMAIN.TLD.conf', 'conf_file_location': '/etc/nginx/conf.d/', 'servers': [{'listen': [{'port': 443, 'ssl': True, 'opts': []}], 'server_name': 'testing-snap05.staging.MYDOMAIN.TLD', 'ssl': {'cert': '/etc/ssl/certs/star.staging.MYDOMAIN.TLD.nginx.bundle.crt', 'key': '/etc/ssl/private/star.staging.MYDOMAIN.TLD.key', 'protocols': 'TLSv1.3', 'prefer_server_ciphers': True, 'ciphers': 'HIGH:!aNULL:!MD5', 'stapling': True, 'stapling_verify': True}, 'autoindex': False, 'locations': [{'location': '/', 'root': '/usr/share/nginx/html'}, {'location': '/backend', 'proxy_pass': 'http://127.0.0.1:8080/', 'proxy': {'set_header': [{'field': 'Host', 'value': '$host'}, {'field': 'X-Real-IP', 'value': '$remote_addr'}, {'field': 'X-Forwarded-For', 'value': '$proxy_add_x_forwarded_for'}, {'field': 'X-Forwarded-Proto', 'value': '$scheme'}]}}]}]}) => {"ansible_loop_var": "item", "changed": false, "item": {"conf_file_location": "/etc/nginx/conf.d/", "conf_file_name": "testing-snap05.staging.MYDOMAIN.TLD.conf", "servers": [{"autoindex": false, "listen": [{"opts": [], "port": 443, "ssl": true}], "locations": [{"location": "/", "root": "/usr/share/nginx/html"}, {"location": "/backend", "proxy": {"set_header": [{"field": "Host", "value": "$host"}, {"field": "X-Real-IP", "value": "$remote_addr"}, {"field": "X-Forwarded-For", "value": "$proxy_add_x_forwarded_for"}, {"field": "X-Forwarded-Proto", "value": "$scheme"}]}, "proxy_pass": "http://127.0.0.1:8080/"}], "server_name": "testing-snap05.staging.MYDOMAIN.TLD", "ssl": {"cert": "/etc/ssl/certs/star.staging.MYDOMAIN.TLD.nginx.bundle.crt", "ciphers": "HIGH:!aNULL:!MD5", "key": "/etc/ssl/private/star.staging.MYDOMAIN.TLD.key", "prefer_server_ciphers": true, "protocols": "TLSv1.3", "stapling": true, "stapling_verify": true}}], "template_file": "http/default.conf.j2"}, "msg": "TemplateAssertionError: no test named 'boolean'"}
Right. Try to update to the latest version of Jinja2. The templates require Jinja2 2.11.x to properly work. This is most likely related to the errors you were finding on https://github.com/nginxinc/ansible-role-nginx-config/issues/94.
alessfg
on 24 Mar 2021
Thank you. Does it exist as a package for Ubuntu 20.04? Otherwise what is the recommended update method?
ghomem
on 24 Mar 2021
Jinja2 is a Python package. You can try running pip install -U Jinja2. You can read more here https://jinja.palletsprojects.com/en/2.11.x/intro/#installation
alessfg
on 24 Mar 2021
Hello,
Having the same issue on python 2.7 and ansible 2.9.6:
"TemplateAssertionError: no test named 'boolean'"
On python 3.6 and ansible 2.9.6 everything works fine.
Variables:
nginx_config_http_template_enable: true
nginx_config_http_template:
- template_file: http/default.conf.j2
conf_file_name: 50_example.com.conf
conf_file_location: /etc/nginx/conf.d/
servers:
- listen:
- ip: 0.0.0.0
port: 80
- ip: 0.0.0.0
port: 443
ssl: true
ssl:
cert: /etc/pki/tls/certs/example.com.crt
key: /etc/pki/tls/private/example.com.key
server_name: example.com
error_page: /usr/share/nginx/html
autoindex: false
http_demo_conf: false
access_log:
- name: json
location: /var/log/nginx/example.com-access.json.log
error_log:
level: warn
location: /var/log/nginx/example.com-error.log
locations:
- location: /
proxy_pass: http://127.0.0.1
proxy:
bind: false
set_header:
- field: Host
value: $host
- field: X-Forwarded-For
value: $proxy_add_x_forwarded_for
- field: X-Real-IP
value: $remote_addr
- field: REMOTE_ADDR
value: $remote_addr
Results to:
+#
+# Ansible managed
+#
+
+
+
+
+server {
+ listen 0.0.0.0:80;
+ listen 0.0.0.0:443 ssl;
+ server_name example.com;
+ ssl_certificate /etc/pki/tls/certs/example.com.crt;
+ ssl_certificate_key /etc/pki/tls/private/example.com.key;
+ location / {
+ proxy_bind off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header REMOTE_ADDR $remote_addr;
+
+ proxy_pass http://127.0.0.1;
+
+ }
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ access_log /var/log/nginx/example.com-access.json.log json;
+ error_log /var/log/nginx/example.com-error.log warn;
+}
pavelkim
on 15 Apr 2021
Try updating Jinja2. You are not using the latest release (v2.11).
alessfg
on 15 Apr 2021
@alessfg Thanks!
There was no red output, so I didn't notice that I'm actually having troubles updating Jinja2 locally:
bash-3.2$ pip install -U Jinja2
Collecting Jinja2
Using cached https://files.pythonhosted.org/packages/7e/c2/1eece8c95ddbc9b1aeb64f5783a9e07a286de42191b7204d67b7496ddf35/Jinja2-2.11.3-py2.py3-none-any.whl
Requirement not upgraded as not directly required: MarkupSafe>=0.23 in /opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages (from Jinja2) (0.23)
Installing collected packages: Jinja2
Found existing installation: Jinja2 2.10.1
Uninstalling Jinja2-2.10.1:
Successfully uninstalled Jinja2-2.10.1
Rolling back uninstall of Jinja2
You are using pip version 10.0.0, however version 20.3.4 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
In a clean virtualenv with Python 2.7 and Jinja2 2.11.3 everything works fine:
(py27) bash-3.2$ pip freeze
ansible==2.9.6
cffi==1.14.5
cryptography==3.3.2
enum34==1.1.10
ipaddress==1.0.23
Jinja2==2.11.3
MarkupSafe==1.1.1
pycparser==2.20
PyYAML==5.4.1
six==1.15.0
Related issues
alexsegura
·
15Comments
luminouw
·
4Comments
asabhaney
·
5Comments
rolandjitsu
·
8Comments
ghomem
·
10Comments
Most helpful comment
You can take the examples and expand them with the dict objects taken from the templates defaults: https://github.com/nginxinc/ansible-role-nginx/blob/master/defaults/main/template.yml
Something like this:
I left out ssl ciphers, dhparam, proxy_set_header etc since I set them in the main config, but you can just take them from the examples or defaults. Same for using upstreams.