add real-ip config for running behind upstream proxy

ansibleguy · Jun 2, 2024 · e07f4ab · e07f4ab
1 parent 89d3583
commit e07f4ab
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/defaults/main/1_main.yml b/defaults/main/1_main.yml
@@ -12,6 +12,7 @@ defaults_nginx:
   state: 'present'
 
   ipv6: true
+  log_forwarded_for: true  # if request is received from internal IPs - log X-forwarded-for header if exists
 
   status_page:
     state: 'present'

diff --git a/tasks/debian/main.yml b/tasks/debian/main.yml
@@ -35,6 +35,20 @@
   notify: [Validate-nginx-config, Restart-nginx]
   loop: "{{ NGINX_HC.main_config }}"
 
+- name: Nginx | Setting base config
+  ansible.builtin.copy:
+    content: |
+      # ansible_managed
+      set_real_ip_from  10.0.0.0/8;
+      set_real_ip_from  172.16.0.0/12;
+      set_real_ip_from  192.168.0.0/16;
+      real_ip_header    X-Forwarded-For;
+
+    dest: '/etc/nginx/conf.d/real-ip.conf'
+    mode: 0644
+  notify: [Validate-nginx-config, Reload-nginx]
+  when: NGINX_CONFIG.log_forwarded_for | bool
+
 # todo: implement GeoIP
 #   https://fedingo.com/how-to-block-ip-by-country-in-nginx/