feat: forward tcp traffic easily

This commit is contained in:
Clément Désiles
2025-12-15 22:14:46 +01:00
parent bd2e806aa1
commit ebeb6d5c6b
8 changed files with 287 additions and 2 deletions
+39 -1
@@ -9,6 +9,8 @@ Installs and configures Nginx as a reverse proxy for web applications with modul
- Configurable logging backend (journald or traditional files)
- Automatic logrotate for file-based logging
- SSL/TLS configuration
- **Native ACME/Let's Encrypt support** (Nginx 1.25.0+)
- **Transparent proxy forwarding** (HTTP/HTTPS to other hosts)
## Service Integration Pattern
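Review bot: the new feature bullet says "Transparent proxy forwarding (HTTP/HTTPS to other hosts)", but the section this commit adds below describes a layer-4 stream proxy that does no HTTP handling at all; wording it as "Transparent TCP forwarding (ports 80/443 to other hosts)" would stop readers expecting HTTP-level features such as header rewriting or access logs from this option.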
@@ -32,6 +34,33 @@ Each service role should deploy its own vhost config:
notify: Reload nginx
```
## Transparent Proxy Forwarding
Forward TCP traffic from this Nginx instance to services on other hosts using the `stream` module (layer 4 proxy).
**Configuration:**
```yaml
nginx_forwarder:
"blog.hello.com":
forward_to: "my.host.lan"
http: true # Forward port 80 (default: true)
https: true # Forward port 443 (default: true)
```
**How it works:**
- **Stream-based TCP proxy** (layer 4, not HTTP layer 7)
- No protocol inspection - just forwards raw TCP packets
- **HTTPS passes through encrypted** - backend host handles TLS termination
- HTTP also uses stream (simpler, but no HTTP features like headers/logging)
**Use case:** Omega (gateway) forwards all traffic to Andromeda (internal server) that handles its own TLS certificates.
**Important notes:**
- Stream configs deployed to `/etc/nginx/streams.d/`
- No HTTP logging (stream doesn't understand HTTP protocol)
- No X-Forwarded-For headers (transparent TCP forwarding)
- Only ONE domain can use port 443 forwarding (TCP port limitation)
## Logging Backends
**journald (default):**
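Review bot: the "Important notes" list presents "Only ONE domain can use port 443 forwarding" as a TCP port limitation, but it is a limitation of this configuration rather than of TCP: the stream module can dispatch by SNI with `ssl_preread on;` and a `map $ssl_preread_server_name` block, which would also give the `"blog.hello.com"` key a purpose (as written nothing inspects the hostname, so the key is only a label, and the docs should say so). If per-domain routing is out of scope, state that explicitly and also document that a forwarder in `/etc/nginx/streams.d/` and an HTTP vhost in `/etc/nginx/conf.d/` cannot both bind ports 80/443 on the same host. The note on missing X-Forwarded-For could mention that the client address can still reach the backend via PROXY protocol (`proxy_protocol on;` in the stream server) when the backend supports it.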
@@ -64,10 +93,19 @@ tail -f /var/log/nginx/error.log
# List loaded vhosts
ls -la /etc/nginx/conf.d/
# List stream forwarders
ls -la /etc/nginx/streams.d/
```
## Configuration Variables
See [defaults/main.yml](defaults/main.yml) for all available variables.
## References
- [Nginx Documentation](https://nginx.org/en/docs/)
- [Nginx ACME Support](https://blog.nginx.org/blog/native-support-for-acme-protocol)
- [Nginx Stream Module](https://nginx.org/en/docs/stream/ngx_stream_core_module.html)
- [Nginx Logging](https://nginx.org/en/docs/syslog.html)
- [Nginx SSL/TLS](https://nginx.org/en/docs/http/configuring_https_servers.html)
- [Nginx SSL/TLS](https://nginx.org/en/docs/http/configuring_https_servers.html)
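Review bot: the References list ends with the "[Nginx SSL/TLS]" entry twice; unless the second line is only the diff rendering a newline-at-end-of-file change, drop the duplicate. The troubleshooting block now lists `/etc/nginx/streams.d/` but gives no way to confirm a forwarder is actually bound, which is the first check when debugging a forward; adding `ss -ltnp | grep nginx` (are 80/443 held by nginx) and `nginx -T | grep -A5 'stream {'` (is the stream block loaded at all) next to the existing `ls` would be worthwhile.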