Install Nginx for use as a front-end proxy.
Requires the nginx role (automatically included).
nginx_proxy_worker_processes: Number of worker processes, default 1nginx_proxy_worker_connections: Number of worker connections, default 1024nginx_proxy_buffers: Number and size of proxy buffers (optional)nginx_dynamic_proxy_resolvers: If the proxied servers are referred to by hostname instead of IP addresses you must provide at least one DNS server
nginx_proxy_server_name: The server name, default$hostname. Set this if you are configuring a virtualhost.nginx_proxy_listen_http: Listen on this port, default80.nginx_proxy_cachebuster_port: An alternative port which can be used to force a cache refresh, disabled by default. You should ensure this is firewalled. You must also setnginx_proxy_cachebuster_enabledto enable this for individual sites.nginx_proxy_404: The URI to show for 404 errors, default ''.nginx_proxy_log_format_custom: Additional Nginx log format, will be namedcustom. This only adds the format, to use it as the default log format you should setnginx_proxy_log_format: custom.
SSL variables:
nginx_proxy_ssl: IfTrueenable SSL on port443, defaultFalsenginx_proxy_hsts_age: The max-age in seconds for a HSTS (HTTP Strict Transport Security) header, default is to omit this headernginx_proxy_http2: IfTrueenable HTTP2, defaultFalsenginx_proxy_force_ssl: IfTruepermanently redirect allhttprequests tohttps, defaultFalse
If SSL is enabled you should install the certificates on the server and set the following two variables:
nginx_proxy_ssl_certificate: Server path to SSL certificatenginx_proxy_ssl_certificate_key: Server path to SSL certificate key
Optionally this role can handle the certificate installation for you, if you specify the local source paths (default empty, you must handle the installation yourself):
nginx_proxy_ssl_certificate_source_path: Local path to SSL certificatenginx_proxy_ssl_certificate_key_source_path: Local path to SSL certificate key
Backend servers:
-
nginx_proxy_backends: List of dictionaries of backend servers with fieldsname: A variable name for proxies using dynamic IP (ignored for static IPs)location: The URL locationlimit_methods: Limit to these HTTP methods only, default allserver: The backend server including schemedynamic: IfTruelookup IP on every request, defaultFalse(only lookup at startup).cache_validity: The time that an object should be cached for, if omitted caching is disabled for this backendwebsockets: IfTrueenable proxying of websockets, defaultFalsewebsocketsonly: IfTrueandwebsockets: Trueonly allow websocket requests, otherwise return HTTP status 400, defaultFalseread_timeout: The proxy read timeout, optionalhost_header: Optionally set the Host header, you shouldn't need to set this unless you're trying to work around bugs in applicationsmaintenance_flag: Name of an optional local flag file used to indicate the backend is undergoing maintenance, if this file existsmaintenance_uriwill be returned for this location with a503errormaintenance_uri: URI to a maintenance page that will be returned if themaintenance_flagfile exists
-
nginx_proxy_upstream_servers: List of dictionaries of backend servers used for load-balancing with fields:name: The name of the load-balancing group (can be referenced innginx_proxy_backends.[].server)balance: Load balancing algorithmservers: List of backend servers to be load-balancedadditional: List of additional directives
-
nginx_proxy_streams: List of dictionaries of backend streaming serversname: A variable name used for grouping multiple upstream serversport: The port Nginx should listen onservers: A list of backend servers, each item may include server specific parameterstimeout: Timeout between successive reads/writesconnect_timeout: Backend connection timeout
Warning: Using non-standard http ports in nginx_proxy_streams may lead to SELinux failures. This role will attempt to configure SELinux but may fail.
Redirection:
-
nginx_proxy_redirect_map: List of dictionaries of URL redirects with fields:match: The request uri to match (operators such as ~ are allowed, matching can include query arguments)dest: The new uri
-
nginx_proxy_redirect_map_locations: List of dictionaries of locations to be mapped usingnginx_proxy_redirect_maplocation: An nginx location to be mappedcode: Optional HTTP redirect status code, default302(use301for a permanent redirect)
-
nginx_proxy_direct_locations: List of dictionaries of locations to be handled directly with the following fields.locationis required, along with at least one of the other fields:location: An nginx location to be mapped (required)redirect301: The new uri to redirect to with code 301redirect302: The new uri to redirect to with code 302index: Nginx index locationsroot: Root directory for requestsalias: Alias this directory to locationcustom: List of additional configuration directives
-
nginx_proxy_block_locations: List of locations which should be blocked (404)
Use nginx_proxy_direct_locations with redirect* if you need to redirect based on Nginx location only, use nginx_proxy_redirect_map with nginx_proxy_redirect_map_locations if you also want to redirect based on query arguments.
Websockets:
nginx_proxy_websockets_enable: This must beTrueif any proxies require proxying of websockets, defaultFalse
Caching:
-
nginx_proxy_cache_parent_path: The parent directory for the nginx caches (optional) -
nginx_proxy_caches: List of dictionaries of cache specifications with fields:name: Name of the cachekeysize: Amount of shared memory to use for storing cache keysmaxsize: Upper limit of the size of the cacheinactive: Time that items should be cached formatch: List of patterns to be stored in this cache, you probably want one item with the valuedefaultsomewhere
-
nginx_proxy_cache_skip_uri: List of URI patterns that shouldn't be cached (default: everything that doesn't matchnginx_proxy_cache_match_uri) -
nginx_proxy_cache_match_uri: List of URI patterns that should be cached -
nginx_proxy_cache_skip_arg: List of query patterns that shouldn't be cached (default for this is always the result ofnginx_proxy_cache_*_url) -
nginx_proxy_cache_match_arg: List of query patterns that should be cached (default for this is always the result ofnginx_proxy_cache_*_url) -
nginx_proxy_set_header_host: Override the hostname seen by the backend proxy, default is to use the Nginx$hostvariable (recommended for most cases) -
nginx_proxy_forward_scheme_header: A header to be set containing the scheme (e.g.http,https) that will be passed to the backend -
nginx_proxy_debug_cache_headers: IfTrueadd extra headers for debugging (not for production), defaultFalse -
nginx_proxy_cache_ignore_headers: Headers to be ignored, e.g.'"Set-Cookie" "Vary" "Expires"' -
nginx_proxy_cache_hide_headers: Headers to be hidden from clients in cached responses, must be a list e.g.[Set-Cookie] -
nginx_proxy_cache_key: Override the default Nginx cache key, for example"$host$request_uri"to ignore session cookies -
nginx_proxy_cache_key_map: Optionally mapnginx_proxy_cache_keyto the desired cache key, for instance if you want to ignore part of the url. This should be a list of dictionaries with fields:match: Match in nginx_proxy_cache_keykey: The cache keynginx_proxy_cache_keyis always included as the default.
-
nginx_proxy_cache_use_stale: Situations in which stale cache results should be returned, seedefaults/main.ymlfor default, if enabled this will also turn on background updates. -
nginx_proxy_cache_lock_time: Prevent multiple backend requests to the same object (subsequent requests will wait for the first to either return or time-out), default 1 minute -
nginx_proxy_cachebuster_enabled: Set toTrueto enable cache-busting on portnginx_proxy_cachebuster_port
Warning: for convenience, put nginx_proxy_cache_parent_path on a separate partition (calculate size of the partition based on max_size set on disk caches).
Warning: If SELinux is enabled you may need to update your policy yourself to allow Nginx to bind to a non-standard port (typically 80, 81, 443, 488, 8008, 8009, 8443, 9000 are allowed).
Additional custom configuration:
nginx_proxy_conf_http: Additional directives to be added to top-levelhttpcontextnginx_proxy_additional_maps: List of custom Nginx maps for use in other custom configurationnginx_proxy_additional_directives: List of additional directives to be added to the proxyservercontextnginx_proxy_systemd_setup: Start/restart nginx using systemd, defaulttrue, if you want to manage Nginx yourself set this tofalse
nginx_proxy_sites: Additional sites can be configured by creating an array of dictionaries overriding the above "Main site" parameters. The default:nginx_proxy_sites: { nginx_proxy_is_default: True }mean a single site will be created using the parameters defined above. Most parameters are supported in site specific configurations with the exception of those namednginx_proxy_*cache*, andnginx_proxy_redirect_map. One site-specific additional parameter is supported:nginx_proxy_is_default: IfTruethis is the default Nginx site, defaultFalse.
Proxy:
- http://localhost/ to http://a.internal/ statically, make a single DNS request for
a.internalat the start - http://localhost/b to http://b.internal/subdir dynamically, making a DNS request for
b.internalon every request
- hosts: localhost
roles:
- role: ome.nginx_proxy
nginx_proxy_backends:
- location: /
server: http://a.internal
- name: testb
location: /b
server: http://b.internal/subdir
dynamic: TrueAdvanced configuration: force https, use HSTS, enable HTTP2
- hosts: localhost
roles:
- role: ome.nginx_proxy
nginx_proxy_backends:
- location: /
server: http://a.internal
cache_validity: 1h
nginx_proxy_worker_processes: 4
nginx_proxy_404: '/404.html'
nginx_proxy_ssl: True
nginx_proxy_ssl_certificate: /etc/nginx/ssl/website.crt
nginx_proxy_ssl_certificate_key: /etc/nginx/ssl/website.key
nginx_proxy_http2: True
nginx_proxy_force_ssl: True
nginx_proxy_hsts_age: 31536000
nginx_proxy_conf_http:
- "client_max_body_size 500m"
- "server_tokens off"