Issue #83: Add Nginx HTTPS Proxy example and test.

Author: geerlingguy

.travis.yml

@@ -32,6 +32,9 @@ env:
   - playbook: https-self-signed.yml
     distro: ubuntu1604
 
+  - playbook: https-nginx-proxy.yml
+    distro: debian10
+
   - playbook: includes.yml
     distro: ubuntu1604
 

https-nginx-proxy/README.md

@@ -0,0 +1,36 @@
+# HTTPS Nginx Proxy demo VM
+
+This project spins up a VM and demonstrates Nginx proxying HTTPS traffic to an HTTP-only backend application.
+
+## Quick Start Guide
+
+### 1 - Install dependencies (VirtualBox, Vagrant, Ansible)
+
+  1. Download and install [VirtualBox](https://www.virtualbox.org/wiki/Downloads).
+  2. Download and install [Vagrant](http://www.vagrantup.com/downloads.html).
+  3. [Mac/Linux only] Install [Ansible](http://docs.ansible.com/intro_installation.html).
+
+Note for Windows users: *This guide assumes you're on a Mac or Linux host. Windows hosts are unsupported at this time.*
+
+### 2 - Build the Virtual Machine
+
+  1. Download this project and put it wherever you want.
+  2. Open Terminal, cd to this 'provisioning' directory.
+  3. Run `ansible-galaxy install -r requirements.yml` to install required Ansible roles.
+  4. cd up one level to this directory (with the README and Vagrantfile).
+  4. Type in `vagrant up`, and let Vagrant do its magic.
+
+Note: *If there are any errors during the course of running `vagrant up`, and it drops you back to your command prompt, just run `vagrant provision` to continue building the VM from where you left off. If there are still errors after doing this a few times, post an issue to this project's issue queue on GitHub with the error.*
+
+### 3 - Configure your host machine to access the VM.
+
+  1. [Edit your hosts file](http://www.rackspace.com/knowledge_center/article/how-do-i-modify-my-hosts-file), adding the line `192.168.46.84  https-proxy.test` so you can connect to the VM.
+  2. Open your browser and access [http://https.test](http://https.test), and you should be redirected to the `https://` version of the URL.
+
+## Notes
+
+  - To shut down the virtual machine, enter `vagrant halt` in the Terminal in the same folder that has the `Vagrantfile`. To destroy it completely (if you want to save a little disk space, or want to rebuild it from scratch with `vagrant up` again), type in `vagrant destroy`.
+
+## About the Author
+
+This project was created by [Jeff Geerling](https://www.jeffgeerling.com/) as an example for [Ansible for DevOps](https://www.ansiblefordevops.com/).

https-nginx-proxy/Vagrantfile

@@ -0,0 +1,24 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+VAGRANTFILE_API_VERSION = "2"
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+  config.vm.box = "geerlingguy/debian10"
+  config.vm.hostname = "https-proxy.test"
+  config.vm.network :private_network, ip: "192.168.46.84"
+  config.ssh.insert_key = false
+
+  config.vm.provider :virtualbox do |v|
+    v.memory = 512
+  end
+
+  # Ansible provisioning.
+  config.vm.provision "ansible" do |ansible|
+    ansible.playbook = "provisioning/main.yml"
+    ansible.become = true
+    ansible.extra_vars = {
+      ansible_python_interpreter: "/usr/bin/python3",
+    }
+  end
+end

https-nginx-proxy/provisioning/ansible.cfg

@@ -0,0 +1,8 @@
+[defaults]
+host_key_checking = False
+roles_path = ./roles
+nocows = 1
+
+[ssh_connection]
+control_path = %(directory)s/%%h-%%p-%%r
+pipelining = True

https-nginx-proxy/provisioning/files/index.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>HTTPS Nginx Proxy Test</title>
+  <style>* { font-family: Helvetica, Arial, sans-serif }</style>
+</head>
+<body>
+  <h1>HTTPS Nginx Proxy Test</h1>
+    <p>If you can see this message, it worked!</p>
+</body>
+</html>

https-nginx-proxy/provisioning/main.yml

@@ -0,0 +1,45 @@
+---
+- hosts: all
+
+  vars_files:
+    - vars/main.yml
+
+  pre_tasks:
+    - name: Ensure apt cache is updated.
+      apt: update_cache=true cache_valid_time=600
+
+    - name: Install dependency for pyopenssl.
+      apt: name=libssl-dev state=present
+
+  roles:
+    - geerlingguy.firewall
+    - geerlingguy.pip
+    - geerlingguy.nginx
+
+  tasks:
+    - import_tasks: tasks/self-signed-cert.yml
+
+    - name: Ensure docroot exists.
+      file:
+        path: "{{ nginx_docroot }}"
+        state: directory
+
+    - name: Copy example index.html file in place.
+      copy:
+        src: files/index.html
+        dest: "{{ nginx_docroot }}/index.html"
+        mode: 0755
+
+    - name: Start simple python webserver on port 8080.
+      shell: >
+        python3 -m http.server 8080 --directory {{ nginx_docroot }} &
+      changed_when: false
+      async: 45
+      poll: 0
+
+    - name: Copy Nginx server configuration in place.
+      template:
+        src: templates/https.test.conf.j2
+        dest: /etc/nginx/sites-enabled/https.test.conf
+        mode: 0644
+      notify: restart nginx

https-nginx-proxy/provisioning/requirements.yml

@@ -0,0 +1,4 @@
+---
+- src: geerlingguy.firewall
+- src: geerlingguy.pip
+- src: geerlingguy.nginx

https-nginx-proxy/provisioning/tasks/self-signed-cert.yml

@@ -0,0 +1,22 @@
+---
+- name: Ensure directory exists for local self-signed TLS certs.
+  file:
+    path: "{{ certificate_dir }}/{{ server_hostname }}"
+    state: directory
+
+- name: Generate an OpenSSL private key.
+  openssl_privatekey:
+    path: "{{ certificate_dir }}/{{ server_hostname }}/privkey.pem"
+
+- name: Generate an OpenSSL CSR.
+  openssl_csr:
+    path: "{{ certificate_dir }}/{{ server_hostname }}.csr"
+    privatekey_path: "{{ certificate_dir }}/{{ server_hostname }}/privkey.pem"
+    common_name: "{{ server_hostname }}"
+
+- name: Generate a Self Signed OpenSSL certificate.
+  openssl_certificate:
+    path: "{{ certificate_dir }}/{{ server_hostname }}/fullchain.pem"
+    privatekey_path: "{{ certificate_dir }}/{{ server_hostname }}/privkey.pem"
+    csr_path: "{{ certificate_dir }}/{{ server_hostname }}.csr"
+    provider: selfsigned

https-nginx-proxy/provisioning/templates/https.test.conf.j2

@@ -0,0 +1,25 @@
+# HTTPS Test server configuration.
+
+# Redirect HTTP traffic to HTTPS.
+server {
+    listen 80 default_server;
+    server_name _;
+    index index.html;
+    return 301 https://$host$request_uri;
+}
+
+# Proxy HTTPS traffic using the self-signed certificate created by Ansible.
+server {
+    listen 443 ssl default_server;
+    server_name {{ server_hostname }};
+
+    location / {
+        include /etc/nginx/proxy_params;
+        proxy_pass          http://localhost:8080;
+        proxy_read_timeout  90s;
+        proxy_redirect      http://localhost:8080 {{ server_hostname }};
+    }
+
+    ssl_certificate {{ certificate_dir }}/{{ server_hostname }}/fullchain.pem;
+    ssl_certificate_key {{ certificate_dir }}/{{ server_hostname }}/privkey.pem;
+}

https-nginx-proxy/provisioning/vars/main.yml

@@ -0,0 +1,21 @@
+---
+# Firewall settings.
+firewall_allowed_tcp_ports:
+  - "22"
+  - "80"
+  - "443"
+
+# Python settings.
+pip_package: python3-pip
+pip_install_packages: ['pyopenssl']
+
+# Nginx settings.
+nginx_vhosts: []
+nginx_remove_default_vhost: True
+nginx_ppa_use: True
+nginx_ppa_version: stable
+nginx_docroot: /var/www/html
+
+# Self-signed certificate settings.
+certificate_dir: /etc/ssl/private
+server_hostname: https-proxy.test