Http auth req additions - issue 120 (#121)

* added http_auth_req

* removed existing set-headers

* is defined for proxy_pass_request_body

README.md

@@ -313,6 +313,7 @@ nginx_main_template:
     keyval: false
   stream_enable: false
   http_global_autoindex: false
+  #auth_request_http: /auth
 
 # Enable creating dynamic templated NGINX HTTP configuration files.
 # Defaults will not produce a valid configuration. Instead they are meant to showcase
@@ -329,6 +330,7 @@ nginx_http_template:
     root: /usr/share/nginx/html
     https_redirect: false
     autoindex: false
+    #auth_request: /auth
     ssl:
       cert: /etc/ssl/certs/default.crt
       key: /etc/ssl/private/default.key
@@ -345,6 +347,11 @@ nginx_http_template:
           autoindex: false
           auth_basic: null
           auth_basic_file: null
+          #auth_req: /auth
+          #returns:
+            #return302:
+              #code: 302
+              #url: https://sso.somehost.local/?url=https://$http_host$request_uri
       http_demo_conf: false
     reverse_proxy:
       proxy_cache_path:
@@ -371,6 +378,32 @@ nginx_http_template:
           location: /
           proxy_connect_timeout: null
           proxy_pass: http://backend
+          #proxy_pass_request_body: off
+          proxy_set_header:
+            header_host:
+              name: Host
+              value: $host
+            header_x_real_ip:
+              name: X-Real-IP
+              value: $remote_addr
+            header_x_forwarded_for:
+              name: X-Forwarded-For
+              value: $proxy_add_x_forwarded_for
+            header_x_forwarded_proto:
+              name: X-Forwarded-Proto
+              value: $scheme
+            #header_upgrade:
+              #name: Upgrade
+              #value: $http_upgrade
+            #header_connection:
+              #name: Connection
+              #value: "Upgrade"
+            #header_random:
+              #name: RandomName
+              #value: RandomValue
+          #internal: false
+          #proxy_store: off
+          #proxy_store_acccess: user:rw
           proxy_read_timeout: null
           proxy_ssl:
             cert: /etc/ssl/certs/proxy_default.crt
@@ -400,6 +433,11 @@ nginx_http_template:
           websocket: false
           auth_basic: null
           auth_basic_file: null
+          #auth_req: /auth
+          #returns:
+            #return302:
+              #code: 302
+              #url: https://sso.somehost.local/?url=https://$http_host$request_uri
       health_check_plus: false
     proxy_cache:
       proxy_cache_path:

defaults/main.yml

@@ -155,6 +155,7 @@ nginx_main_template:
     keyval: false
   stream_enable: false
   http_global_autoindex: false
+  #auth_request_http: /auth
 
 # Enable creating dynamic templated NGINX HTTP configuration files.
 # Defaults will not produce a valid configuration. Instead they are meant to showcase
@@ -172,6 +173,7 @@ nginx_http_template:
     https_redirect: false
     autoindex: false
     try_files: $uri $uri/index.html $uri.html =404
+    #auth_request: /auth
     ssl:
       cert: /etc/ssl/certs/default.crt
       key: /etc/ssl/private/default.key
@@ -190,6 +192,11 @@ nginx_http_template:
           auth_basic: null
           auth_basic_file: null
           try_files: $uri $uri/index.html $uri.html =404
+          #auth_request: /auth
+          #returns:
+            #return302:
+              #code: 302
+              #url: https://sso.somehost.local/?url=https://$http_host$request_uri
       http_demo_conf: false
     reverse_proxy:
       proxy_cache_path:
@@ -216,6 +223,32 @@ nginx_http_template:
           location: /
           proxy_connect_timeout: null
           proxy_pass: http://backend
+          #proxy_pass_request_body: off
+          proxy_set_header:
+            header_host:
+              name: Host
+              value: $host
+            header_x_real_ip:
+              name: X-Real-IP
+              value: $remote_addr
+            header_x_forwarded_for:
+              name: X-Forwarded-For
+              value: $proxy_add_x_forwarded_for
+            header_x_forwarded_proto:
+              name: X-Forwarded-Proto
+              value: $scheme
+            #header_upgrade:
+              #name: Upgrade
+              #value: $http_upgrade
+            #header_connection:
+              #name: Connection
+              #value: "Upgrade"
+            #header_random:
+              #name: RandomName
+              #value: RandomValue
+          #internal: false
+          #proxy_store: off
+          #proxy_store_acccess: user:rw
           proxy_read_timeout: null
           proxy_ssl:
             cert: /etc/ssl/certs/proxy_default.crt
@@ -242,6 +275,11 @@ nginx_http_template:
           auth_basic: null
           auth_basic_file: null
           try_files: $uri $uri/index.html $uri.html =404
+          #auth_req: /auth
+          #returns:
+            #return302:
+              #code: 302
+              #url: https://sso.somehost.local/?url=https://$http_host$request_uri
       health_check_plus: false
     proxy_cache:
       proxy_cache_path:

templates/http/default.conf.j2

@@ -46,6 +46,9 @@ proxy_temp_path {{ item.value.reverse_proxy.proxy_temp_path.path }} {{ item.valu
 {% endif %}
 {% endif %}
 {% endif %}
+{% if item.value.auth_request_http is defined %}
+auth_request {{ item.value.auth_request_http }};
+{% endif %}
 
 server {
 {% if item.value.ssl is defined %}
@@ -83,15 +86,34 @@ server {
 {% if item.value.try_files is defined %}
     try_files {{ item.value.try_files }};
 {% endif %}
+{% if item.value.auth_request is defined %}
+    auth_request {{ item.value.auth_request }};
+{% endif %}
+
 {% if item.value.reverse_proxy is defined %}
 {% for location in item.value.reverse_proxy.locations %}
     location {{ item.value.reverse_proxy.locations[location].location }} {
+{% if item.value.reverse_proxy.locations[location].internal is sameas true %}
+        internal;
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].auth_request is defined %}
+        auth_request {{ item.value.reverse_proxy.locations[location].auth_request }};
+{% endif %}
 {% if item.value.reverse_proxy.locations[location].auth_basic is defined and item.value.reverse_proxy.locations[location].auth_basic %}
         auth_basic "{{ item.value.reverse_proxy.locations[location].auth_basic }}";
 {% endif %}
 {% if item.value.reverse_proxy.locations[location].auth_basic_file is defined and item.value.reverse_proxy.locations[location].auth_basic_file %}
         auth_basic_user_file {{ item.value.reverse_proxy.locations[location].auth_basic_file }};
 {% endif %}
+{% if item.value.reverse_proxy.locations[location].returns is defined %}
+{% for code in item.value.reverse_proxy.locations[location].returns %}
+{% if item.value.reverse_proxy.locations[location].returns[code] is defined %}
+        return {{ item.value.reverse_proxy.locations[location].returns[code].code }} {{ item.value.reverse_proxy.locations[location].returns[code].url }};
+{% else %}
+        return {{ item.value.reverse_proxy.locations[location].returns[code].url }};
+{% endif %}
+{% endfor %}
+{% endif %}
 {% if item.value.reverse_proxy.locations[location].proxy_connect_timeout is defined and item.value.reverse_proxy.locations[location].proxy_connect_timeout %}
         proxy_connect_timeout {{ item.value.reverse_proxy.locations[location].proxy_connect_timeout }};
 {% endif %}
@@ -99,6 +121,20 @@ server {
 {% if item.value.reverse_proxy.locations[location].proxy_read_timeout is defined and item.value.reverse_proxy.locations[location].proxy_read_timeout %}
         proxy_read_timeout {{ item.value.reverse_proxy.locations[location].proxy_read_timeout }};
 {% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_pass_request_body is defined %}
+        proxy_pass_request_body {{ item.value.reverse_proxy.locations[location].proxy_pass_request_body }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_store is defined %}
+        proxy_store {{ item.value.reverse_proxy.locations[location].proxy_store | ternary("on", "off") }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_store_access is defined %}
+        proxy_store_access {{ item.value.reverse_proxy.locations[location].proxy_store_access }};
+{% endif %}
+{% if item.value.reverse_proxy.locations[location].proxy_set_header is defined %}
+{% for header in item.value.reverse_proxy.locations[location].proxy_set_header %}
+        proxy_set_header {{ item.value.reverse_proxy.locations[location].proxy_set_header[header].name }} {{ item.value.reverse_proxy.locations[location].proxy_set_header[header].value }};
+{% endfor %}
+{% endif %}
 {% if item.value.reverse_proxy.locations[location].try_files is defined %}
         try_files {{ item.value.reverse_proxy.locations[location].try_files }};
 {% endif %}
@@ -166,14 +202,6 @@ server {
         health_check;
 {% endif %}
 
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-{% if item.value.reverse_proxy.locations[location].websocket is defined and item.value.reverse_proxy.locations[location].websocket %}
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "Upgrade";
-{% endif %}
     }
 {% endfor %}
 {% endif %}
@@ -189,11 +217,23 @@ server {
 {% if item.value.web_server.locations[location].try_files is defined %}
         try_files {{ item.value.web_server.locations[location].try_files }};
 {% endif %}
+{% if item.value.web_server.locations[location].returns is defined %}
+{% for code in item.value.web_server.locations[location].returns %}
+{% if item.value.web_server.locations[location].returns[code] is defined %}
+        return {{ item.value.web_server.locations[location].returns[code].code }} {{ item.value.web_server.locations[location].returns[code].url }};
+{% else %}
+        return {{ item.value.web_server.locations[location].returns[code].url }};
+{% endif %}
+{% endfor %}
+{% endif %}
 {% if item.value.web_server.locations[location].auth_basic is defined and item.value.web_server.locations[location].auth_basic %}
         auth_basic "{{ item.value.web_server.locations[location].auth_basic }}";
 {% endif %}
 {% if item.value.web_server.locations[location].auth_basic_file is defined and item.value.web_server.locations[location].auth_basic_file %}
         auth_basic_user_file {{ item.value.web_server.locations[location].auth_basic_file }};
+{% endif %}
+{% if item.value.web_server.locations[location].auth_request is defined %}
+        auth_request {{ item.value.web_server.locations[location].auth_request }};
 {% endif %}
     }
 {% endfor %}

tests/playbooks/nginx-http-template.yml

@@ -60,6 +60,19 @@
                 - Vary
                 - Cache-Control
               proxy_redirect: false
+              proxy_set_header:
+                header_host:
+                  name: Host
+                  value: $host
+                header_x_real_ip:
+                  name: X-Real-IP
+                  value: $remote_addr
+                header_x_forwarded_for:
+                  name: X-Forwarded-For
+                  value: $proxy_add_x_forwarded_for
+                header_x_forwarded_proto:
+                  name: X-Forwarded-Proto
+                  value: $scheme
             backend:
               location: /backend
               proxy_pass: http://backend_servers/
@@ -74,6 +87,19 @@
                 - http_502
                 - http_503
               proxy_redirect: default
+              proxy_set_header:
+                header_host:
+                  name: Host
+                  value: $host
+                header_x_real_ip:
+                  name: X-Real-IP
+                  value: $remote_addr
+                header_x_forwarded_for:
+                  name: X-Forwarded-For
+                  value: $proxy_add_x_forwarded_for
+                header_x_forwarded_proto:
+                  name: X-Forwarded-Proto
+                  value: $scheme
         upstreams:
           frontend_upstream:
             name: frontend_servers