uumas/ansible-general
1
0
Fork 0
Code Issues 5 Pull Requests Projects Releases Wiki Activity

vhost: Support proxy forward auth

Browse Source
This commit is contained in:
uumas
2025-07-13 19:03:02 +03:00
parent 83569c59ee
commit c0753aeaa2
4 changed files with 81 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
roles/vhost/defaults/main.yaml
View File

@@ -17,6 +17,9 @@ vhost_proxy_target_host: localhost
vhost_proxy_headers: {} vhost_proxy_headers: {}
vhost_proxy_delete_headers: [] vhost_proxy_delete_headers: []
vhost_proxy_pass_host_header: true vhost_proxy_pass_host_header: true
vhost_proxy_auth_socket: ""
vhost_proxy_auth_uri: ""
vhost_proxy_auth_unauthorized_redir: ""
vhost_redirect_type: temporary vhost_redirect_type: temporary
vhost_redirect_preserve_path: false vhost_redirect_preserve_path: false

63
roles/vhost/meta/argument_specs.yaml
View File

@@ -119,6 +119,27 @@ argument_specs:
type: bool type: bool
required: false required: false
default: true default: true
vhost_proxy_auth_socket:
description: >-
Unix socket path to forward requests to for auhtentication, before
proxying them
type: str
required: false
default: ""
vhost_proxy_auth_uri:
description: >-
The authentication endpoint of the auth host. Required if
proxy_auth_socket is defined. Does nothing otherwise.
type: str
required: false
default: ""
vhost_proxy_auth_unauthorized_redir:
description: >-
Where to redirect requests if authentication service returns 401
unathorized. If not set, returns responses as is.
type: str
required: false
default: ""
vhost_redirect_target: vhost_redirect_target:
description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location" description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
@@ -282,6 +303,27 @@ argument_specs:
type: bool type: bool
required: false required: false
default: "{{ vhost_proxy_pass_host_header }}" default: "{{ vhost_proxy_pass_host_header }}"
proxy_auth_socket:
description: >-
Unix socket path to forward requests to for auhtentication, before
proxying them
type: str
required: false
default: "{{ vhost_proxy_auth_socket }}"
proxy_auth_uri:
description: >-
The authentication endpoint of the auth host. Required if
proxy_auth_socket is defined. Does nothing otherwise.
type: str
required: false
default: "{{ vhost_proxy_auth_uri }}"
proxy_auth_unauthorized_redir:
description: >-
Where to redirect requests if authentication service returns 401
unathorized. If not set, returns responses as is.
type: str
required: false
default: "{{ vhost_proxy_auth_unauthorized_redir }}"
redirect_target: redirect_target:
description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location" description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
@@ -422,6 +464,27 @@ argument_specs:
type: bool type: bool
required: false required: false
default: "{{ vhost_proxy_pass_host_header }}" default: "{{ vhost_proxy_pass_host_header }}"
proxy_auth_socket:
description: >-
Unix socket path to forward requests to for auhtentication, before
proxying them
type: str
required: false
default: "{{ vhost_proxy_auth_socket }}"
proxy_auth_uri:
description: >-
The authentication endpoint of the auth host. Required if
proxy_auth_socket is defined. Does nothing otherwise.
type: str
required: false
default: "{{ vhost_proxy_auth_uri }}"
proxy_auth_unauthorized_redir:
description: >-
Where to redirect requests if authentication service returns 401
unathorized. If not set, returns responses as is.
type: str
required: false
default: "{{ vhost_proxy_auth_unauthorized_redir }}"
redirect_target: redirect_target:
description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location" description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"

12
roles/vhost/templates/Caddyfile_block.j2
View File

@@ -28,6 +28,18 @@
} }
{% endif %} {% endif %}
{% if matcher.type == 'reverse_proxy' %} {% if matcher.type == 'reverse_proxy' %}
{% if matcher.proxy_auth_socket | length > 0 %}
forward_auth {
to unix//{{ matcher.proxy_auth_socket }}
uri {{ matcher.proxy_auth_uri }}
{% if matcher.proxy_auth_unauthorized_redir | length > 0 %}
@unauthorized status 401
handle_response @unauthorized {
redir * {{ matcher.proxy_auth_unauthorized_redir }}
}
{% endif %}
}
{% endif %}
reverse_proxy { reverse_proxy {
{% if matcher.proxy_target_netproto == 'tcp' %} {% if matcher.proxy_target_netproto == 'tcp' %}
to tcp/{{ matcher.proxy_target_host }}:{{ matcher.proxy_target_port }} to tcp/{{ matcher.proxy_target_host }}:{{ matcher.proxy_target_port }}

3
roles/vhost/vars/main.yaml
View File

@@ -28,6 +28,9 @@ _vhost_location_defaults:
proxy_headers: "{{ vhost_proxy_headers }}" proxy_headers: "{{ vhost_proxy_headers }}"
proxy_delete_headers: "{{ vhost_proxy_delete_headers }}" proxy_delete_headers: "{{ vhost_proxy_delete_headers }}"
proxy_pass_host_header: "{{ vhost_proxy_pass_host_header }}" proxy_pass_host_header: "{{ vhost_proxy_pass_host_header }}"
proxy_auth_socket: "{{ vhost_proxy_auth_socket }}"
proxy_auth_uri: "{{ vhost_proxy_auth_uri }}"
proxy_auth_unauthorized_redir: "{{ vhost_proxy_auth_unauthorized_redir }}"
redirect_target: "{{ vhost_redirect_target if vhost_type == 'redirect' else '' }}" redirect_target: "{{ vhost_redirect_target if vhost_type == 'redirect' else '' }}"
redirect_preserve_path: "{{ vhost_redirect_preserve_path }}" redirect_preserve_path: "{{ vhost_redirect_preserve_path }}"