diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index d5378926c..df07f161a 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -8,3 +8,6 @@ nginx_vhosts:
 # role arguments defaults
 setup_service: true
 setup_vhosts: true
+
+# Disable when nginx node is behind another reverse proxy (e.g. AWS ELB)
+nginx_include_additional_forwarded_headers: true
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 84c8c3df8..551a18d69 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -15,13 +15,13 @@
 gpgkey: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}
 when: ansible_distribution in [ 'RedHat', 'CentOS' ] and ansible_distribution_major_version == '7'
- - name: Ensure nginx is installed.
+ - name: Ensure nginx is installed
 ansible.builtin.package:
 name: "{{ nginx_package_name }}"
 state: present
 notify: Enable-nginx
- - name: Copy nginx configuration in place.
+ - name: Copy nginx configuration in place
 ansible.builtin.template:
 src: "{{ nginx_conf_template }}"
 dest: "{{ nginx_conf_file_path }}"
diff --git a/roles/nginx/tasks/vhosts.yml b/roles/nginx/tasks/vhosts.yml
index c0f05a542..92a4fc9eb 100644
--- a/roles/nginx/tasks/vhosts.yml
+++ b/roles/nginx/tasks/vhosts.yml
@@ -3,13 +3,13 @@
 become: true
 notify: Reload-nginx
 block:
- - name: Remove default nginx vhost config file (if configured).
+ - name: Remove default nginx vhost config file (if configured)
 ansible.builtin.file:
 path: "{{ nginx_default_vhost_path }}"
 state: absent
 when: nginx_remove_default_vhost | bool
- - name: Ensure nginx_vhost_path exists.
+ - name: Ensure nginx_vhost_path exists
 ansible.builtin.file:
 path: "{{ nginx_vhost_path }}"
 state: directory
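Review bot: The comment on `nginx_include_additional_forwarded_headers` says when to disable it but not what disabling trades away: with the flag false, the new headers include sets none of X-Real-IP/X-Forwarded-*, so those headers reach the upstream as received from the client (nginx passes request headers through by default), and the upstream's view of client IP and scheme is then only as trustworthy as the proxy in front of nginx. Suggest widening the comment to `# Set to false only when nginx is reachable exclusively through a trusted reverse proxy (e.g. AWS ELB) that sets X-Forwarded-* itself; when false, client-supplied X-Forwarded-*/X-Real-IP headers are forwarded to the upstream untouched.` The rendering that makes this so is in the new alfresco_proxy_headers.include.j2 hunk further down.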
@@ -39,7 +39,7 @@
 with_items: "{{ nginx_vhosts }}"
 when: item.listen == '443'
- - name: Add managed vhost config files.
+ - name: Add managed vhost config files
 ansible.builtin.template:
 src: "{{ item.template | default(nginx_vhost_template) }}"
 dest: "{{ nginx_vhost_path }}/{{ item.filename }}"
@@ -52,13 +52,16 @@
 - name: Add required proxy config
 ansible.builtin.template:
- src: alfresco_proxy.j2
- dest: "{{ nginx_vhost_path }}/alfresco_proxy.include"
+ src: "{{ item }}.j2"
+ dest: "{{ nginx_vhost_path }}/{{ item }}"
 owner: root
 group: root
 mode: "0644"
+ loop:
+ - alfresco_proxy.include
+ - alfresco_proxy_headers.include
- - name: Remove legacy vhosts.conf file.
+ - name: Remove legacy vhosts.conf file
 ansible.builtin.file:
 path: "{{ nginx_vhost_path }}/vhosts.conf"
 state: absent
diff --git a/roles/nginx/templates/alfresco_proxy.include.j2 b/roles/nginx/templates/alfresco_proxy.include.j2
index ca559a112..815e584ec 100644
--- a/roles/nginx/templates/alfresco_proxy.include.j2
+++ b/roles/nginx/templates/alfresco_proxy.include.j2
@@ -10,13 +10,7 @@
 return 403;
 }
 proxy_pass http://tracker_lb;
- proxy_redirect off;
- proxy_buffering off;
- proxy_set_header Host $host:$server_port;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass_header Set-Cookie;
+ include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
 }
 location ~ ^/.*/wcs(ervice)?/api/solr/.*$ { return 403; }
 location ~ ^/.*/proxy/.*/api/solr/.*$ { return 403; }
@@ -27,13 +21,7 @@
 location / {
 proxy_pass http://repo_lb;
- proxy_redirect off;
- proxy_buffering off;
- proxy_set_header Host $host:$server_port;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass_header Set-Cookie;
+ include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
 }
 # External settings, do not remove
@@ -41,79 +29,37 @@
 location /share/ {
 proxy_pass http://share_lb;
- proxy_redirect off;
- proxy_buffering off;
- proxy_set_header Host $host:$server_port;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass_header Set-Cookie;
+ include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
 }
 location /alfresco/ {
 proxy_pass http://repo_lb;
- proxy_redirect off;
- proxy_buffering off;
- proxy_set_header Host $host:$server_port;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass_header Set-Cookie;
+ include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
 }
 location /api-explorer/ {
 proxy_pass http://repo_lb;
- proxy_redirect off;
- proxy_buffering off;
- proxy_set_header Host $host:$server_port;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass_header Set-Cookie;
+ include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
 }
 location /auth/ {
 proxy_pass http://{{ identity_host }}:{{ ports_cfg.identity.http }}/;
- proxy_redirect off;
- proxy_buffering off;
- proxy_set_header Host $host:$server_port;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass_header Set-Cookie;
+ include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
 }
 {% if acs.edition == "Enterprise" %}
 location /syncservice/ {
 proxy_pass http://{{ sync_host }}:{{ ports_cfg.sync.http }}/alfresco/;
- proxy_redirect off;
- proxy_buffering off;
- proxy_set_header Host $host:$server_port;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass_header Set-Cookie;
+ include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
 }
 location /workspace/ {
 proxy_pass http://{{ adw_host }}:8880/;
- proxy_redirect off;
- proxy_buffering off;
- proxy_set_header Host $host:$server_port;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass_header Set-Cookie;
+ include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
 }
 location /control-center/ {
 proxy_pass http://{{ acc_host }}:8881/;
- proxy_redirect off;
- proxy_buffering off;
- proxy_set_header Host $host:$server_port;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass_header Set-Cookie;
+ include {{ nginx_vhost_path }}/alfresco_proxy_headers.include;
 }
 {% endif %}
diff --git a/roles/nginx/templates/alfresco_proxy_headers.include.j2 b/roles/nginx/templates/alfresco_proxy_headers.include.j2
new file mode 100644
index 000000000..0e95bd41a
--- /dev/null
+++ b/roles/nginx/templates/alfresco_proxy_headers.include.j2
@@ -0,0 +1,11 @@
+proxy_redirect off;
+proxy_buffering off;
+proxy_set_header Host $host;
+{% if nginx_include_additional_forwarded_headers %}
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Port $server_port;
+{% endif %}
+proxy_pass_header Set-Cookie;
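Review bot: `{% if nginx_include_additional_forwarded_headers %}` tests raw Jinja truthiness, so a value supplied as the string `"false"` (for example via `-e` on the command line) would still render the forwarded headers; vhosts.yml already filters the comparable flag with `nginx_remove_default_vhost | bool`, so for consistency and to make the off switch reliable this should read `{% if nginx_include_additional_forwarded_headers | bool %}`. Separately, `proxy_set_header Host $host;` drops the port unconditionally where the removed lines sent `$host:$server_port`, while the replacement `X-Forwarded-Port $server_port` is emitted only when the flag is true; an upstream that builds redirects or absolute URLs from Host would have to honor X-Forwarded-Port for this to be behaviour-neutral, which is worth confirming against each proxied service before merge. Because this include replaces the inline headers in every location of alfresco_proxy.include.j2 (the three hunks above), the Host change applies to all of them at once.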