From 96be4c5f9ae28860bada0057a8bd17793c5c4856 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Wed, 18 Oct 2023 16:41:39 +0200 Subject: [PATCH 1/2] Fix nginx redirect when behind ELB via argument --- roles/nginx/defaults/main.yml | 1 + roles/nginx/meta/argument_specs.yml | 8 ++++++++ roles/nginx/templates/alfresco_proxy.include.j2 | 2 ++ roles/nginx/templates/alfresco_redirect.conf.j2 | 6 +++--- 4 files changed, 14 insertions(+), 3 deletions(-) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index fec654824..18a103c38 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -11,3 +11,4 @@ setup_vhosts: true # Disable when nginx node is behind another reverse proxy (e.g. AWS ELB) nginx_set_proxy_headers: true +nginx_absolute_redirect: true diff --git a/roles/nginx/meta/argument_specs.yml b/roles/nginx/meta/argument_specs.yml index 33bb94d3a..fe1fd65d2 100644 --- a/roles/nginx/meta/argument_specs.yml +++ b/roles/nginx/meta/argument_specs.yml @@ -10,3 +10,11 @@ argument_specs: description: If the nginx reverse proxy vhosts should be enabled type: bool default: true + nginx_set_proxy_headers: + description: Useful to disable when nginx node is behind another reverse proxy (e.g. AWS ELB) + type: bool + default: true + nginx_absolute_redirect: + description: Useful to disable when nginx node is behind another reverse proxy (e.g. AWS ELB) + type: bool + default: true diff --git a/roles/nginx/templates/alfresco_proxy.include.j2 b/roles/nginx/templates/alfresco_proxy.include.j2 index 815e584ec..c5ff1a52a 100644 --- a/roles/nginx/templates/alfresco_proxy.include.j2 +++ b/roles/nginx/templates/alfresco_proxy.include.j2 @@ -1,5 +1,7 @@ client_max_body_size 0; + absolute_redirect {{ 'on' if nginx_absolute_redirect else 'off' }}; + set $allowOriginSite *; proxy_pass_request_headers on; proxy_pass_header Set-Cookie; 
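Review bot: `nginx_absolute_redirect` is added to roles/nginx/defaults/main.yml without a comment of its own, so it reads as if the `# Disable when nginx node is behind another reverse proxy` line written for `nginx_set_proxy_headers` covered it. I would add above it `# Set to false so nginx issues relative redirects (Location without scheme/host), e.g. when TLS is terminated on an AWS ELB`. The same gap is in the argument_specs.yml hunk of this patch and in its reworded version in PATCH 2/2, where both options share one description; each should say what its option controls. Because the default stays `true`, deployments behind an ELB keep absolute redirects until they opt out, which the description should state.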
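Review bot: The new `absolute_redirect` line in alfresco_proxy.include.j2 tests `nginx_absolute_redirect` with plain Jinja truthiness, so a non-empty string such as `"false"` (for example from `-e nginx_absolute_redirect=false` or an INI inventory) renders `on`. Coercing the value first avoids that: `absolute_redirect {{ 'on' if nginx_absolute_redirect | bool else 'off' }};`. The `type: bool` entry in argument_specs.yml validates the value but, as far as I know, does not convert the variable the template sees, so the filter is still needed. An unintended `on` would presumably leave nginx building absolute Location URLs from its own view of scheme and host instead of the load balancer's, which is the behaviour this patch sets out to fix.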
diff --git a/roles/nginx/templates/alfresco_redirect.conf.j2 b/roles/nginx/templates/alfresco_redirect.conf.j2
index 2e84ce07b..6ff96410d 100644
--- a/roles/nginx/templates/alfresco_redirect.conf.j2
+++ b/roles/nginx/templates/alfresco_redirect.conf.j2
@@ -1,7 +1,7 @@
 map $remote_addr $rogue_repo_clients {
- default 1;
- ::1 0;
- 127.0.0.1 0;
+ default 1;
+ ::1 0;
+ 127.0.0.1 0;
 {% for trusted_repo_client in (repo_hosts | map(attribute='local_addr') + [ solr_host, sync_host ]) | unique | reject('equalto', '127.0.0.1') %}
 {{ trusted_repo_client }} 0;
 {% endfor %}
From 5b216747dbab611f0303b97ca45a4b2f788d3ce8 Mon Sep 17 00:00:00 2001
From: Giovanni Toraldo <71768+gionn@users.noreply.github.com>
Date: Thu, 19 Oct 2023 14:40:37 +0200
Subject: [PATCH 2/2] Apply suggestions from code review
Co-authored-by: Alex Chapellon
---
 roles/nginx/meta/argument_specs.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/nginx/meta/argument_specs.yml b/roles/nginx/meta/argument_specs.yml
index fe1fd65d2..cb605237c 100644
--- a/roles/nginx/meta/argument_specs.yml
+++ b/roles/nginx/meta/argument_specs.yml
@@ -11,10 +11,10 @@ argument_specs:
 type: bool
 default: true
 nginx_set_proxy_headers:
- description: Useful to disable when nginx node is behind another reverse proxy (e.g. AWS ELB)
+ description: Useful when nginx node is behind another reverse proxy (e.g. should be disabled when behind an AWS ELB)
 type: bool
 default: true
 nginx_absolute_redirect:
- description: Useful to disable when nginx node is behind another reverse proxy (e.g. AWS ELB)
+ description: Useful when nginx node is behind another reverse proxy (e.g. should be disabled when behind an AWS ELB)
 type: bool
 default: true