From 888b4c0adb756c1513249ccf3f75d2e8cbbb2ea6 Mon Sep 17 00:00:00 2001
From: Jean-Marie Mineau
Date: Wed, 3 Aug 2022 22:29:59 +0200
Subject: [PATCH] add http proxy config to allow ACME challenges
---
 tasks/main.yml | 12 +++++++++---
 templates/http_proxy_acme.j2 | 17 +++++++++++++++++
 2 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 templates/http_proxy_acme.j2
diff --git a/tasks/main.yml b/tasks/main.yml
index e33aa35..b9c8f31 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -63,10 +63,8 @@
 dest: /etc/nginx/nginx.conf
 notify: Reload nginx
-# TODO: << Manage SSL stream reverse proxy >>
-
 # Manage each http site
-- name: Copy Http Servers
+- name: Copy HTTP Servers
 template:
 src: http_server.j2
 dest: "/etc/nginx/sites-available/{{ item.key }}"
@@ -97,3 +95,11 @@
 force: yes
 loop: "{{ http_sites | dict2items}}"
 notify: Reload nginx
+
+# Add HTTP proxy to allow ACME challenges between LE and the SSL endpoints of proxy streams
+- name: Copy HTTP Servers allowing ACME challenges with proxy stream
+ template:
+ src: http_proxy_acme.j2
+ dest: "/etc/nginx/sites-available/acme_http_proxy_{{ item.key }}"
+ loop: "{{ ssl_reverse_proxy_upstream | dict2items}}"
+ notify: Reload nginx
diff --git a/templates/http_proxy_acme.j2 b/templates/http_proxy_acme.j2
new file mode 100644
index 0000000..947e8b7
--- /dev/null
+++ b/templates/http_proxy_acme.j2
@@ -0,0 +1,17 @@
+i{{ ansible_managed | comment }}
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ item.value.sni_server_name }};
+
+ location /.well-known/acme-challenge {
+ proxy_pass http://{{ item.value.to }}:80;
+ proxy_set_header Host $host;
+ }
+
+ # Redirect to https
+ location / {
+ return 302 https://$host$request_uri;
+ }
+}
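Review bot: The new task renders `acme_http_proxy_{{ item.key }}` into sites-available, but nothing in this hunk links it into sites-enabled; the context lines just above (`force: yes` / `loop: "{{ http_sites | dict2items}}"`) look like the link step that pairs with the existing HTTP-server task, so unless an equivalent link task looping over `ssl_reverse_proxy_upstream` exists elsewhere in the role the ACME server blocks are never loaded and HTTP-01 validation fails. The loop also aborts with an undefined-variable error on hosts that define no stream proxies; `loop: "{{ ssl_reverse_proxy_upstream | default({}) | dict2items }}"` keeps the task a harmless no-op there. As a point of style, the explanatory comment runs well past 80 columns and the new filter copies the missing space before `}}` from the existing task instead of fixing it.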
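Review bot: The first added line of the template starts with a stray `i` before `{{ ansible_managed | comment }}`, so the rendered file begins with `i#…` instead of a comment and nginx rejects the configuration on the next reload; the line should read `{{ ansible_managed | comment }}`. The catch-all redirect reflects the client-supplied Host header via `$host`; because the block carries an exact `server_name` this is bounded, but `return 301 https://{{ item.value.sni_server_name }}$request_uri;` avoids echoing client input at all (keep 302 only if a non-cacheable redirect is intended during rollout). It is also worth confirming that `item.value.to` is reachable on port 80 from the nginx host, since the challenge is forwarded to the upstream over plain HTTP rather than through the stream proxy.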