From 21bcc2d83df67c87e033f4e712e887270f740b48 Mon Sep 17 00:00:00 2001
From: shenlan
Date: Tue, 5 Aug 2025 16:56:48 +0800
Subject: [PATCH] refactor: rename global homepage proxy role
---
 .../vhosts/nginx-proxy/defaults/main.yml | 4 ++
 .../vhosts/nginx-proxy/handlers/main.yml | 4 ++
 .../roles/vhosts/nginx-proxy/tasks/main.yml | 28 ++++++++++++
 .../nginx-proxy/templates/nginx-proxy.conf.j2 | 45 +++++++++++++++++++
 4 files changed, 81 insertions(+)
 create mode 100644 playbooks/roles/vhosts/nginx-proxy/defaults/main.yml
 create mode 100644 playbooks/roles/vhosts/nginx-proxy/handlers/main.yml
 create mode 100644 playbooks/roles/vhosts/nginx-proxy/tasks/main.yml
 create mode 100644 playbooks/roles/vhosts/nginx-proxy/templates/nginx-proxy.conf.j2
diff --git a/playbooks/roles/vhosts/nginx-proxy/defaults/main.yml b/playbooks/roles/vhosts/nginx-proxy/defaults/main.yml
new file mode 100644
index 0000000..43fc08a
--- /dev/null
+++ b/playbooks/roles/vhosts/nginx-proxy/defaults/main.yml
@@ -0,0 +1,4 @@
+vhosts_nginx_proxy_domain: global-homepage.svc.plus
+vhosts_nginx_proxy_upstream_host: global-homepage.onwalk.net
+vhosts_nginx_proxy_ssl_certificate: /etc/ssl/svc.plus.pem
+vhosts_nginx_proxy_ssl_certificate_key: /etc/ssl/svc.plus.rsa.key
diff --git a/playbooks/roles/vhosts/nginx-proxy/handlers/main.yml b/playbooks/roles/vhosts/nginx-proxy/handlers/main.yml
new file mode 100644
index 0000000..c10ab50
--- /dev/null
+++ b/playbooks/roles/vhosts/nginx-proxy/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: Reload nginx
+ ansible.builtin.service:
+ name: nginx
+ state: reloaded
diff --git a/playbooks/roles/vhosts/nginx-proxy/tasks/main.yml b/playbooks/roles/vhosts/nginx-proxy/tasks/main.yml
new file mode 100644
index 0000000..778b753
--- /dev/null
+++ b/playbooks/roles/vhosts/nginx-proxy/tasks/main.yml
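Review bot: The four defaults carry no comment saying which ones a caller is expected to override and which are shared site-wide, and the file has no `---` document start. A one-line comment per variable would make the role's contract readable from the defaults alone, e.g. `# Public hostname this vhost answers for; override per deployment` above `vhosts_nginx_proxy_domain` and `# Origin that requests are forwarded to over TLS; must present a certificate valid for this name` above `vhosts_nginx_proxy_upstream_host`. The certificate and key paths look like a shared wildcard pair for the parent domain, which is worth stating if it is intended.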
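Review bot: `Reload nginx` goes straight to `state: reloaded` without checking the configuration first, so a rendered `nginx-proxy.conf` with a bad certificate path or a typo fails at the handler with nginx still serving the old config and an error that does not point at the real cause. Running `nginx -t` in a handler that listens on the same topic and is declared before the reload turns that into a clear early failure. The file also lacks a `---` document start, as does the tasks file in this same commit.
```yaml
- name: Validate nginx configuration
  ansible.builtin.command: nginx -t
  changed_when: false
  listen: Reload nginx

- name: Reload nginx
  ansible.builtin.service:
    name: nginx
    state: reloaded
```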
@@ -0,0 +1,28 @@
+- name: Install nginx
+ ansible.builtin.apt:
+ name: nginx
+ state: present
+ update_cache: true
+ when:
+ - ansible_facts['distribution'] == 'Ubuntu'
+ - ansible_facts['distribution_version'] is version('22.04', '>=')
+
+- name: Deploy nginx proxy configuration
+ ansible.builtin.template:
+ src: nginx-proxy.conf.j2
+ dest: /etc/nginx/sites-available/nginx-proxy.conf
+ mode: '0644'
+ notify: Reload nginx
+
+- name: Enable nginx proxy site
+ ansible.builtin.file:
+ src: /etc/nginx/sites-available/nginx-proxy.conf
+ dest: /etc/nginx/sites-enabled/nginx-proxy.conf
+ state: link
+ notify: Reload nginx
+
+- name: Ensure nginx is running
+ ansible.builtin.service:
+ name: nginx
+ state: started
+ enabled: true
diff --git a/playbooks/roles/vhosts/nginx-proxy/templates/nginx-proxy.conf.j2 b/playbooks/roles/vhosts/nginx-proxy/templates/nginx-proxy.conf.j2
new file mode 100644
index 0000000..c504c68
--- /dev/null
+++ b/playbooks/roles/vhosts/nginx-proxy/templates/nginx-proxy.conf.j2
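Review bot: Only `Install nginx` is gated on Ubuntu 22.04+; the three tasks after it write into `/etc/nginx/sites-available` and `sites-enabled` unconditionally, so on any other host the role skips the install and then fails on the template task (or creates a dangling symlink) with an error that never names the unsupported platform. Asserting the platform once at the top of the file makes that contract explicit and lets the `when:` on the apt task go away. The `Enable nginx proxy site` task should also say in a comment that the distro's default site stays enabled, since the port-80 server in the template is not `default_server` and requests for other names will land on it.
```yaml
- name: Assert a supported platform (the sites-available layout below is Debian-specific)
  ansible.builtin.assert:
    that:
      - ansible_facts['distribution'] == 'Ubuntu'
      - ansible_facts['distribution_version'] is version('22.04', '>=')
    fail_msg: "vhosts/nginx-proxy expects Ubuntu 22.04 or newer"

- name: Install nginx
  ansible.builtin.apt:
    name: nginx
    state: present
    update_cache: true

# … unchanged: Deploy nginx proxy configuration, Enable nginx proxy site, Ensure nginx is running …
```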
@@ -0,0 +1,45 @@
+# HTTP redirect to HTTPS
+server {
+ listen 80;
+ server_name {{ vhosts_nginx_proxy_domain }};
+ return 301 https://{{ vhosts_nginx_proxy_domain }}$request_uri;
+}
+
+# HTTPS entrypoint
+server {
+ listen 443 ssl http2;
+ server_name {{ vhosts_nginx_proxy_domain }};
+
+ ssl_certificate {{ vhosts_nginx_proxy_ssl_certificate }};
+ ssl_certificate_key {{ vhosts_nginx_proxy_ssl_certificate_key }};
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ location / {
+ proxy_pass https://{{ vhosts_nginx_proxy_upstream_host }};
+
+ # Enable TLS SNI
+ proxy_ssl_server_name on;
+
+ # Spoof browser headers to avoid Cloudflare challenge
+ proxy_set_header Host {{ vhosts_nginx_proxy_upstream_host }};
+ proxy_set_header User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36";
+ proxy_set_header Accept "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
+ proxy_set_header Referer "https://{{ vhosts_nginx_proxy_upstream_host }}/";
+
+ # Preserve client IP
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # HTTP/1.1 and clear connection upgrade headers
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+
+ # Optional timeout controls
+ proxy_connect_timeout 30s;
+ proxy_send_timeout 30s;
+ proxy_read_timeout 30s;
+ }
+}
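Review bot: `proxy_pass https://{{ vhosts_nginx_proxy_upstream_host }}` sends SNI via `proxy_ssl_server_name on` but never verifies the origin's certificate, because nginx's `proxy_ssl_verify` defaults to off; the hop to the upstream over the public internet therefore accepts any certificate presented on the path, which defeats the point of using HTTPS upstream. Add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` next to `proxy_ssl_server_name on;` (that bundle path is the ca-certificates default on Ubuntu, which the role's install task already assumes), and `proxy_ssl_name` can stay implicit since it follows the `proxy_pass` host. The `# Spoof browser headers` block also discards the real client's `User-Agent`, `Accept` and `Referer` for every request, so the origin's logs and rate limiting see a single synthetic client; the comment should state that this is deliberate and what the origin loses, e.g. `# Fixed UA/Accept/Referer: the origin sees this proxy, not the end client`. The HTTPS server sets no HSTS header, so `add_header Strict-Transport-Security "max-age=31536000" always;` would complete the redirect-to-HTTPS intent of the first server block.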