optionally disable forwarded for headers
gionn committed Oct 9, 2023
1 parent 529a351 commit ad661cf
Showing 5 changed files with 34 additions and 71 deletions.
3 changes: 3 additions & 0 deletions roles/nginx/defaults/main.yml
Expand Up @@ -8,3 +8,6 @@ nginx_vhosts:
# role arguments defaults
setup_service: true
setup_vhosts: true

# Disable when nginx node is behind another reverse proxy (e.g. AWS ELB)
nginx_include_additional_forwarded_headers: true
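Review bot: The comment above `nginx_include_additional_forwarded_headers` says when to disable the flag but not what disabling it means for the backends, which is the security-relevant part: with the flag false nginx no longer sets X-Real-IP / X-Forwarded-* itself, so the backends receive whatever those headers were in the incoming request, which is only safe when the proxy in front of nginx is trusted to overwrite them. The variable name and commit title say "forwarded for", but the template on this page also gates X-Real-IP, X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port on the same flag, so the comment should say so. Suggested replacement for the comment: `# Set to false only when a trusted reverse proxy in front of nginx (e.g. AWS ELB)` / `# already sets X-Real-IP and X-Forwarded-*; nginx then passes the request's own` / `# values through unchanged instead of overwriting them.`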
4 changes: 2 additions & 2 deletions roles/nginx/tasks/main.yml
Expand Up @@ -15,13 +15,13 @@
gpgkey: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}
when: ansible_distribution in [ 'RedHat', 'CentOS' ] and ansible_distribution_major_version == '7'

- name: Ensure nginx is installed.
- name: Ensure nginx is installed
ansible.builtin.package:
name: "{{ nginx_package_name }}"
state: present
notify: Enable-nginx

- name: Copy nginx configuration in place.
- name: Copy nginx configuration in place
ansible.builtin.template:
src: "{{ nginx_conf_template }}"
dest: "{{ nginx_conf_file_path }}"
15 changes: 9 additions & 6 deletions roles/nginx/tasks/vhosts.yml
Expand Up @@ -3,13 +3,13 @@
become: true
notify: Reload-nginx
block:
- name: Remove default nginx vhost config file (if configured).
- name: Remove default nginx vhost config file (if configured)
ansible.builtin.file:
path: "{{ nginx_default_vhost_path }}"
state: absent
when: nginx_remove_default_vhost | bool

- name: Ensure nginx_vhost_path exists.
- name: Ensure nginx_vhost_path exists
ansible.builtin.file:
path: "{{ nginx_vhost_path }}"
state: directory
Expand Down Expand Up @@ -39,7 +39,7 @@
with_items: "{{ nginx_vhosts }}"
when: item.listen == '443'

- name: Add managed vhost config files.
- name: Add managed vhost config files
ansible.builtin.template:
src: "{{ item.template | default(nginx_vhost_template) }}"
dest: "{{ nginx_vhost_path }}/{{ item.filename }}"
Expand All @@ -52,13 +52,16 @@

- name: Add required proxy config
ansible.builtin.template:
src: alfresco_proxy.j2
dest: "{{ nginx_vhost_path }}/alfresco_proxy.include"
src: "{{ item }}.j2"
dest: "{{ nginx_vhost_path }}/{{ item }}"
owner: root
group: root
mode: "0644"
loop:
- alfresco_proxy.include
- alfresco_proxy_headers.include

- name: Remove legacy vhosts.conf file.
- name: Remove legacy vhosts.conf file
ansible.builtin.file:
path: "{{ nginx_vhost_path }}/vhosts.conf"
state: absent
72 changes: 9 additions & 63 deletions roles/nginx/templates/alfresco_proxy.include.j2
Expand Up @@ -10,13 +10,7 @@
return 403;
}
proxy_pass http://tracker_lb;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_header Set-Cookie;
include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
}
location ~ ^/.*/wcs(ervice)?/api/solr/.*$ { return 403; }
location ~ ^/.*/proxy/.*/api/solr/.*$ { return 403; }
Expand All @@ -27,93 +21,45 @@

location / {
proxy_pass http://repo_lb;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_header Set-Cookie;
include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
}

# External settings, do not remove
#ENV_ACCESS_LOG

location /share/ {
proxy_pass http://share_lb;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_header Set-Cookie;
include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
}

location /alfresco/ {
proxy_pass http://repo_lb;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_header Set-Cookie;
include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
}

location /api-explorer/ {
proxy_pass http://repo_lb;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_header Set-Cookie;
include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
}

location /auth/ {
proxy_pass http://{{ identity_host }}:{{ ports_cfg.identity.http }}/;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_header Set-Cookie;
include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
}

{% if acs.edition == "Enterprise" %}
location /syncservice/ {
proxy_pass http://{{ sync_host }}:{{ ports_cfg.sync.http }}/alfresco/;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_header Set-Cookie;
include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
}

location /workspace/ {
proxy_pass http://{{ adw_host }}:8880/;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_header Set-Cookie;
include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
}

location /control-center/ {
proxy_pass http://{{ acc_host }}:8881/;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_header Set-Cookie;
include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
}
{% endif %}
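Review bot: Replacing each header block with `include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;` carries a change the commit title does not mention: every removed line sent `proxy_set_header Host $host:$server_port;`, while the new shared include (alfresco_proxy_headers.include.j2 on this page) sends `proxy_set_header Host $host;`, so the port is no longer passed to the backends in the Host header. If any backend builds absolute URLs or redirects from Host, this will presumably change behaviour when nginx listens on a non-default port; either call this out in the commit description or keep `$host:$server_port` in the shared include. The `location` block at the start of the first hunk opens outside the hunk.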
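--- a/roles/nginx/templates/alfresco_proxy_headers.include.j2
+++ b/roles/nginx/templates/alfresco_proxy_headers.include.j2
@@ -0,0 +1,11 @@
+proxy_redirect off;
+proxy_buffering off;
+proxy_set_header Host $host;
+{% if nginx_include_additional_forwarded_headers %}
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Port $server_port;
+{% endif %}
+proxy_pass_header Set-Cookie;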
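Review bot: `{% if nginx_include_additional_forwarded_headers %}` tests plain Jinja truthiness, so a value that arrives as a string (for example an extra-var passed on the command line as `false`) is non-empty and keeps the headers enabled; write it as `{% if nginx_include_additional_forwarded_headers | bool %}`, which is how the role tests its other flags (`nginx_remove_default_vhost | bool` in tasks/vhosts.yml). When the flag is false nothing in this file sets or clears X-Real-IP / X-Forwarded-*, so the values the backends see are whatever the request already carried; a one-line comment above the `{% if %}` stating that this branch is only safe behind a proxy that overwrites those headers would help the next reader. The new X-Forwarded-Host / X-Forwarded-Port headers were not sent by the blocks this include replaces, so this is a (presumably intended) addition worth a mention in the description.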