{"id":24863671,"url":"https://github.com/stuvusit/reverse_proxy","last_synced_at":"2025-09-09T04:33:22.147Z","repository":{"id":17276475,"uuid":"81590179","full_name":"stuvusIT/reverse_proxy","owner":"stuvusIT","description":"Configure a nginx reverse proxy with Ansible","archived":false,"fork":false,"pushed_at":"2024-12-03T14:09:19.000Z","size":134,"stargazers_count":5,"open_issues_count":6,"forks_count":3,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-12-03T15:23:21.148Z","etag":null,"topics":["ansible-galaxy","ansible-role","nginx","nginx-proxy","reverse-proxy"],"latest_commit_sha":null,"homepage":"","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc-by-sa-4.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stuvusIT.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-02-10T17:41:25.000Z","updated_at":"2024-12-03T14:10:46.000Z","dependencies_parsed_at":"2024-12-03T15:20:58.339Z","dependency_job_id":"bb156212-dedd-4318-a5e6-92059f440644","html_url":"https://github.com/stuvusIT/reverse_proxy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stuvusIT%2Freverse_proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stuvusIT%2Freverse_proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stuvusIT%2Freverse_proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stuvusIT%2Freverse_proxy/manifests","owner_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/owners/stuvusIT","download_url":"https://codeload.github.com/stuvusIT/reverse_proxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":236600148,"owners_count":19175167,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible-galaxy","ansible-role","nginx","nginx-proxy","reverse-proxy"],"created_at":"2025-01-31T23:32:48.717Z","updated_at":"2025-01-31T23:32:49.336Z","avatar_url":"https://github.com/stuvusIT.png","language":"Jinja","readme":"# Reverse proxy\n\nInstalls and configures nginx as a reverse proxy. All HTTP requests are redirected to HTTPS; certificates are issued automatically by [Let's Encrypt](https://letsencrypt.org).\n\nCertificates are obtained or renewed as necessary every time ansible-playbook is executed.\nUnix PAM authentication is supported by setting `auth` to true on a target server.\nTarget domains can be restricted to given IP ranges and addresses.\nObtained certificates can optionally be copied to target servers when they request them.\n\nWhen multiple names are given for a `served_domain`, only the first name is proxied, while the other names redirect to the first name.\n\n## Requirements\n\nA Debian-based distribution with certbot available in the current apt sources. 
Correctly configured DNS server.\n\n## Role Variables\n\n### Primary\n| Option                                      | Type            | Default                                          | Description                                                                                                            |         Required          |\n| :------------------------------------------ | :-------------- | :----------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------- | :-----------------------: |\n| proxy_domains                               | list of dicts   |                                                  | List of all target servers                                                                                             |             Y             |\n| default_url                                 | string          | `https://github.com/stuvusIT/reverse_proxy`      | Url to redirect to if no target with requested domain is configured                                                    |             N             |\n| letsencrypt_email                           | string          |                                                  | E-Mail address to use to request certificates                                                                          |             Y             |\n| default_cert_mode                           | string          | `0400`                                           | Default file access mode on certificates at target servers                                                             |             N             |\n| default_cert_group                          | string          | `root`                                           | Default owner group for certificates at target servers                                                                 |             N             |\n| default_cert_owner                          | string       
   | `root`                                           | Default owner user for certificates at target servers                                                                  |             N             |\n| default_crypto                              | boolean         | `True`                                           | Use https by default to forward traffic                                                                                |             N             |\n| reverse_proxy_default_proxy_ssl_verify      | boolean         | `False`                                          | Whether the SSL certificate of the proxied host should be verified by default                                          |             N             |\n| domain_suffixes                             | list of strings | `['']`                                           | Domain suffixes to append to every not fully qualified domain name                                                     |             N             |\n| domain_prefixes                             | list of strings | `['']`                                           | Domain prefixes to prepend to every not fully qualified domain name                                                    |             N             |\n| letsencrypt_staging                         | boolean         | `False`                                          | Use letsencrypt staging servers                                                                                        |             N             |\n| client_max_body_size                        | string          | `1m`                                             | Set the maximum upload size at the http context                                                                        |             N             |\n| hsts_max_age                                | integer         | `300`                                            | Strict Transport Security (HSTS) lifetime (`max-age`)                      
                                            | N ___(but recommended)___ |\n| reverse_proxy_use_dhparam                   | bool            | `True`                                           | Use and generate Diffie-Hellman parameters                                                                             |             N             |\n| reverse_proxy_dhparam_size                  | integer         | `2048`                                           | Size of Diffie-Hellman parameter                                                                                       |             N             |\n| reverse_proxy_dhparam_path                  | string          | `/etc/ssl/dhparam.pem`                           | Path to store the Diffie-Hellman parameters                                                                            |             N             |\n| reverse_proxy_ssl_session_timeout           | string          | `1d`                                             | nginx `ssl_session_timeout` option                                                                                     |             N             |\n| reverse_proxy_ssl_session_cache             | string          | `shared:SSL:50m`                                 | nginx `ssl_session_cache` option                                                                                       |             N             |\n| reverse_proxy_ssl_session_tickets           | boolean         | `False`                                          | nginx `ssl_session_tickets` option                                                                                     |             N             |\n| reverse_proxy_ssl_protocols                 | list of strings | `TLSv1 TLSv1.1 TLSv1.2`                          | nginx `ssl_protocols` option                                                                                           |             N             |\n| reverse_proxy_ssl_ciphers                   | list of 
strings | ___see [defaults/main.yml](defaults/main.yml)___ | nginx `ssl_ciphers` option                                                                                             |             N             |\n| reverse_proxy_ssl_prefer_server_ciphers     | boolean         | `True`                                           | nginx `ssl_prefer_server_ciphers` option                                                                               |             N             |\n| reverse_proxy_ssl_stapling                  | boolean         | `True`                                           | Enable OCSP Stapling                                                                                                   |             N             |\n| reverse_proxy_ssl_trusted_certificate       | string          |                                                  | nginx `ssl_trusted_certificate` option, path to the intermediate certificate of your CA                                |             N             |\n| reverse_proxy_redirect_to_first_domain      | boolean         | `True`                                           | Redirect to first domain from every `served_domains[].domains` list by default                                         |             N             |\n| reverse_proxy_redirect_to_first_domain_code | integer         | `302`                                            | Specify default HTTP redirect code for redirects to first(default) domain                                              |             N             |\n| reverse_proxy_https_redirect_code           | integer         | `302`                                            | HTTP status code used to direct users to the https version of a page                                                   |             N             |\n| reverse_proxy_error_log                     | string          | `/var/log/nginx/error.log`                       | Location of the error log                                             
                                                 |             N             |\n| reverse_proxy_redirect_code                 | integer         | `302`                                            | Default HTTP status code used for custom domain redirects                                                              |             N             |\n| reverse_proxy_upstreams                     | dict of strings | `{}`                                             | Name-Content dict of upstreams to add to nginx.conf                                                                    |             N             |\n| reverse_proxy_cache_paths                   | dict of strings | `{}`                                             | Path-Options dict of cache paths to add to nginx.conf (see example below)                                              |             N             |\n| reverse_proxy_additional_http_locations     | dict of strings | `{}`                                             | Match-Content dict of additional `location` blocks to add to the server on port 80                                     |             N             |\n| reverse_proxy_keep_until_expiring           | boolean         | `True`                                           | If the requested certificate matches an existing certificate, always keep the existing one until it is due for renewal |             N             |\n| reverse_proxy_force_renew                   | boolean         | `False`                                          | Force certificate renew, regardless of whether it is near expiry                                                       |             N             |\n| reverse_proxy_additional_config             | string          |                                                  | Additional config to be written into the nginx http section once.                                                      
|             N             |\n\n\n### proxy_domains\n| Option              | Type          | Default | Description                                                                                                            | Required |\n| :------------------ | :------------ | :------ | :--------------------------------------------------------------------------------------------------------------------- | :------: |\n| target_description  | string        |         | A short description of the target server                                                                               |    Y     |\n| target_host         | string        |         | Ansible host name (will be used to copy requested certificates)                                                        |    Y     |\n| target_ip           | string        |         | IP address of target server (will be used as target address to redirect to)                                            |    Y     |\n| keep_until_expiring | boolean       |         | If the requested certificate matches an existing certificate, always keep the existing one until it is due for renewal |    N     |\n| force_renew         | boolean       |         | Force certificate renew, regardless of whether it is near expiry                                                       |    N     |\n| served_domains      | list of dicts |         | List of all domain lists served by this target server                                                                  |    Y     |\n\n### served_domains\n\n| Option                        | Type                    | Default                                                         | Description                                                                                                            | Required |\n| :---------------------------- | :---------------------- | :-------------------------------------------------------------- | 
:--------------------------------------------------------------------------------------------------------------------- | :------: |\n| no_proxy                      | boolean                 | `false`                                                         | Don't actually configure anything target-related (use extra_* variables from below)                                    |    N     |\n| port                          | integer                 |                                                                 | Target port to redirect to                                                                                             |    N     |\n| crypto                        | boolean                 | [`{{ default_crypto }}`](#primary)                              | Use https to forward traffic                                                                                           |    N     |\n| auth                          | boolean                 | `false`                                                         | restrict access to system users                                                                                        |    N     |\n| reverse_proxy_ssl_verify      | boolean                 | [`{{ reverse_proxy_default_proxy_ssl_verify }}`](#primary)      | Whether the SSL certificate of the proxied host should be verified                                                     |    N     |\n| domains                       | list of strings         |                                                                 | A list of domains to proxy [(see below for more information)¹](#served_domains__1)                                     |    Y     |\n| redirect_to_first_domain      | boolean                 | [`{{ reverse_proxy_redirect_to_first_domain }}`](#primary)      | Redirect to first domain from every `served_domains[].domains` list                                                    |    N     |\n| redirect_to_first_domain_code | integer             
    | [`{{ reverse_proxy_redirect_to_first_domain_code }}`](#primary) | Specify HTTP redirect code for redirects to first (default) domain                                                     |    N     |\n| access_control                | list of dicts           |                                                                 | A list of dicts to restrict access to a given set of IP ranges                                                         |    N     |\n| fullchain_path                | string                  |                                                                 | [Destination path²](#served_domains__2) for fullchain.pem at _target_host_                                             |    N     |\n| cert_path                     | string                  |                                                                 | [Destination path²](#served_domains__2) for cert.pem at _target_host_                                                  |    N     |\n| chain_path                    | string                  |                                                                 | [Destination path²](#served_domains__2) for chain.pem at _target_host_                                                 |    N     |\n| privkey_path                  | string                  |                                                                 | [Destination path²](#served_domains__2) for privkey.pem at _target_host_                                               |    N     |\n| fullchain_mode                | string                  | [`{{ default_cert_mode }}`](#primary)                           | File access mode for fullchain.pem at _target_host_                                                                    |    N     |\n| cert_mode                     | string                  | [`{{ default_cert_mode }}`](#primary)                           | File access mode for cert.pem at _target_host_                                                                     
    |    N     |\n| chain_mode                    | string                  | [`{{ default_cert_mode }}`](#primary)                           | File access mode for chain.pem at _target_host_                                                                        |    N     |\n| privkey_mode                  | string                  | [`{{ default_cert_mode }}`](#primary)                           | File access mode for privkey.pem at _target_host_                                                                      |    N     |\n| fullchain_group               | string                  | [`{{ default_cert_group }}`](#primary)                          | Owner group of fullchain.pem at _target_host_                                                                          |    N     |\n| cert_group                    | string                  | [`{{ default_cert_group }}`](#primary)                          | Owner group of cert.pem at _target_host_                                                                               |    N     |\n| chain_group                   | string                  | [`{{ default_cert_group }}`](#primary)                          | Owner group of chain.pem at _target_host_                                                                              |    N     |\n| privkey_group                 | string                  | [`{{ default_cert_group }}`](#primary)                          | Owner group of privkey.pem at _target_host_                                                                            |    N     |\n| fullchain_owner               | string                  | [`{{ default_cert_owner }}`](#primary)                          | Owner of fullchain.pem at _target_host_                                                                                |    N     |\n| cert_owner                    | string                  | [`{{ default_cert_owner }}`](#primary)                          | Owner of cert.pem at _target_host_         
                                                                            |    N     |\n| chain_owner                   | string                  | [`{{ default_cert_owner }}`](#primary)                          | Owner of chain.pem at _target_host_                                                                                    |    N     |\n| privkey_owner                 | string                  | [`{{ default_cert_owner }}`](#primary)                          | Owner of privkey.pem at _target_host_                                                                                  |    N     |\n| client_max_body_size          | string                  |                                                                 | Set the maximum upload size at server context                                                                          |    N     |\n| extra_server_config           | string                  |                                                                 | Additional configuration items to add to the server block before location blocks                                       |    N     |\n| extra_location_config         | string                  |                                                                 | Additional configuration items to add to the default location block (location /)                                       |    N     |\n| extra_locations               | list of key value dicts | []                                                              | Add custom locations to this server block; the key should be a location string and the value defines the location body |    N     |\n| redirect                      | string                  |                                                                 | Instead of proxying the request, redirect to this URL. The request URI is automatically appended.                      
|    N     |\n| redirect_code                 | integer                 | [`{{ reverse_proxy_redirect_code }}`](#primary)                 | HTTP status code used to redirect the user to the URL specified by `redirect`                                          |    N     |\n| enable_http2_proxy            | boolean                 | `true`                                                          | Enable http2 for this host                                                                                             |    N     |\n| use_keepalive                 | boolean                 | `false`                                                         | Enable keepalive for this host                                                                                         |    N     |\n| proxy_keepalive               | integer                 | `1024`                                                          | Number of keepalive connections between the proxy and the host                                                         |    N     |\n| keep_until_expiring           | boolean                 |                                                                 | If the requested certificate matches an existing certificate, always keep the existing one until it is due for renewal |    N     |\n| force_renew                   | boolean                 |                                                                 | Force certificate renew, regardless of whether it is near expiry                                                       |    N     |\n\n\n\u003ca id=\"served_domains__1\"\u003e¹\u003c/a\u003e Can be either a fully qualified domain name (with a trailing dot, e.g. `www.example.com.`) or a short internal domain (which will be expanded by `domain_suffixes` and `domain_prefixes`, e.g. `wiki` or `static.media`)\n\n\u003ca id=\"served_domains__2\"\u003e²\u003c/a\u003e Path must point to a file in an already existing directory. 
The file will be either overwritten or created.\n\n### access_control\n| Option | Type   | Default | Description                   | Required |\n|:-------|:-------|:--------|:------------------------------|:--------:|\n| allow  | string |         | IP address or subnet to allow |    N     |\n| deny   | string |         | IP address or subnet to deny  |    N     |\n\nThese dicts are evaluated in the given order, so a complete subnet can be allowed with the exception of a given IP; see the [nginx documentation](http://nginx.org/en/docs/http/ngx_http_access_module.html#allow) for further information.\n\n## Example Playbook\n### Vars:\n```yml\nletsencrypt_email: hostmaster@example.com\ndefault_url: https://stuvus.uni-stuttgart.de\ndomain_suffixes:\n  - \"example.com\"\nreverse_proxy_cache_paths:\n  /var/mycache:\n    - keys_zone=my_cache:50m\n    - max_size=500g\nproxy_domains:\n  - target_description: music player\n    target_host: mpd01\n    target_ip: 172.27.10.66\n    served_domains:\n    - access_control:\n      - allow: 172.27.0.0/16\n      - deny: all\n      port: 6680\n      https: false\n      domains:\n      - mpd\n  - target_description: DokuWiki\n    target_host: validator\n    target_ip: 172.27.10.101\n    served_domains:\n    - auth: true\n      domains:\n      - wiki\n      - www.wiki\n      - wiki.wiki.de.\n```\n### Result:\nThis example playbook proxies as follows:\n\n| Domain               | Proxies to               | Redirects to             | Restrictions                         |\n|:---------------------|:-------------------------|:-------------------------|:-------------------------------------|\n| mpd.example.com      | http://172.27.10.66:6680 | -                        | allow: 172.27.0.0/16, deny all other |\n| wiki.example.com     | https://172.27.10.101    | -                        | only system users                    |\n| www.wiki.example.com | https://172.27.10.101    | https://wiki.example.com | only system users                    |\n| wiki.wiki.de    
     | https://172.27.10.101    | https://wiki.example.com | only system users                    |\n\n## License\n\n\u003ca rel=\"license\" href=\"http://creativecommons.org/licenses/by-sa/4.0/\"\u003e\u003cimg alt=\"Creative Commons License\" style=\"border-width:0\" src=\"https://i.creativecommons.org/l/by-sa/4.0/80x15.png\" /\u003e\u003c/a\u003e\u003cbr /\u003eThis work is licensed under a \u003ca rel=\"license\" href=\"http://creativecommons.org/licenses/by-sa/4.0/\"\u003eCreative Commons Attribution-ShareAlike 4.0 International License\u003c/a\u003e.\n\n## Author Information\n- [Markus Mroch (Mr. Pi)](https://github.com/Mr-Pi) _markus.mroch@stuvus.uni-stuttgart.de_\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstuvusit%2Freverse_proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstuvusit%2Freverse_proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstuvusit%2Freverse_proxy/lists"}