vhost: Allow setting proxy headers

roles/vhost/defaults/main.yaml

@@ -14,7 +14,9 @@ vhost_basicauth_users: {}
 vhost_proxy_target_netproto: tcp
 vhost_proxy_target_protocol: http
 vhost_proxy_target_host: localhost
+vhost_proxy_headers: {}
 vhost_proxy_delete_headers: []
+vhost_proxy_pass_host_header: true
 
 vhost_redirect_type: temporary
 vhost_redirect_preserve_path: false

roles/vhost/meta/argument_specs.yaml

@@ -103,12 +103,22 @@ argument_specs:
           - Only applicable if vhost_type is reverse_proxy and vhost_proxy_target_netproto is unix.
         type: str
         required: false
+      vhost_proxy_headers:
+        description: Dict of request headers and their values to set for proxied requests
+        type: dict
+        required: false
+        default: {}
       vhost_proxy_delete_headers:
         description: List of headers to delete from proxied requests
         type: list
         elements: str
         required: false
         default: []
+      vhost_proxy_pass_host_header:
+        description: Whether to pass the host header unchanged (true) or change it to the proxy target host (false)
+        trpe: bool
+        required: false
+        default: true
 
       vhost_redirect_target:
         description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
@@ -224,12 +234,22 @@ argument_specs:
             type: str
             required: false
             default: "{{ vhost_proxy_target_socket if vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'unix' else '' }}"
+          proxy_headers:
+            description: Dict of request headers and their values to set for proxied requests
+            type: dict
+            required: false
+            default: "{{ vhost_proxy_headers }}"
           proxy_delete_headers:
             description: List of request headers to delete from proxied requests
             type: list
             elements: str
             required: false
             default: "{{ vhost_proxy_delete_headers }}"
+          proxy_pass_host_header:
+            description: Whether to pass the host header unchanged (true) or change it to the proxy target host (false)
+            trpe: bool
+            required: false
+            default: "{{ vhost_proxy_pass_host_header }}"
 
           redirect_target:
             description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"

roles/vhost/tasks/caddy.yaml

@@ -3,56 +3,7 @@
   ansible.builtin.blockinfile:
     path: /etc/caddy/Caddyfile
     marker: "# {mark} ANSIBLE MANAGED BLOCK {{ vhost_id }}"
-    # yamllint disable rule:line-length
+    block: "{{ lookup('ansible.builtin.template', 'Caddyfile_block.j2') }}"
-    block: |
-      {{ vhost_domains | join(' ') }} {
-        {% for location in _vhost_locations_complete %}
-        handle {{ location.path }} {
-          {% for header in location.delete_headers %}
-          header -{{ header }}
-          {% endfor %}
-          {% for header in location.headers | dict2items %}
-          header {{ header.key }} `{{ header.value }}`
-          {% endfor %}
-          {% if location.basicauth %}
-          basicauth {
-            {% for user in location.basicauth_users | dict2items %}
-            {{ user.key }} {{ user.value }}
-            {% endfor %}
-          }
-          {% endif %}
-          {% if location.type == 'reverse_proxy' %}
-          reverse_proxy  {
-            {% if location.proxy_target_netproto == 'tcp' %}
-            to tcp/{{ location.proxy_target_host }}:{{ location.proxy_target_port }}
-            {% else %}
-            to unix/{{ location.proxy_target_socket }}
-            {% endif %}
-            {% if location.proxy_target_protocol == 'https' %}
-            transport http {
-              tls
-              {% if location.proxy_target_host == 'localhost' %}
-              tls_insecure_skip_verify
-              {% endif %}
-            }
-            {% endif %}
-          }
-          {% for header in location.proxy_delete_headers %}
-          request_header -{{ header }}
-          {% endfor %}
-          {% elif location.type == 'redirect' %}
-          redir * {{ location.redirect_target }}{{ '{path}' if location.redirect_preserve_path }}{{ '?{query}' if location.redirect_preserve_query }} {{ location.redirect_type }}
-          {% elif location.type == 'respond' %}
-            {% if location.respond_content_type == 'json' %}
-            respond `{{ location.respond_content | to_json }}`
-            {% else %}
-            respond `{{ location.respond_content }}`
-            {% endif %}
-          {% endif %}
-        }
-        {% endfor %}
-      }
-    # yamllint enable rule:line-length
     validate: 'caddy validate --config %s --adapter caddyfile'
     backup: true
     state: "{{ vhost_state }}"

roles/vhost/templates/Caddyfile_block.j2

@@ -0,0 +1,54 @@
+#jinja2: lstrip_blocks: True
+{{ vhost_domains | join(' ') }} {
+  {% for location in _vhost_locations_complete %}
+    handle {{ location.path }} {
+      {% for header in location.delete_headers %}
+        header -{{ header }}
+      {% endfor %}
+      {% for header in location.headers | dict2items %}
+        header {{ header.key }} `{{ header.value }}`
+      {% endfor %}
+      {% if location.basicauth %}
+        basicauth {
+          {% for user in location.basicauth_users | dict2items %}
+            {{ user.key }} {{ user.value }}
+          {% endfor %}
+        }
+      {% endif %}
+      {% if location.type == 'reverse_proxy' %}
+        reverse_proxy {
+          {% if location.proxy_target_netproto == 'tcp' %}
+            to tcp/{{ location.proxy_target_host }}:{{ location.proxy_target_port }}
+          {% else %}
+            to unix/{{ location.proxy_target_socket }}
+          {% endif %}
+          {% if location.proxy_target_protocol == 'https' %}
+            transport http {
+                tls
+              {% if location.proxy_target_host == 'localhost' %}
+                tls_insecure_skip_verify
+              {% endif %}
+            }
+          {% endif %}
+          {% for header in location.proxy_delete_headers %}
+            header_up -{{ header }}
+          {% endfor %}
+          {% for header in location.proxy_headers | dict2items %}
+            header_up {{ header.key }} `{{ header.value }}`
+          {% endfor %}
+          {% if (not location.proxy_pass_host_header) and ('host' not in location.proxy_headers | map('lower')) %}
+            header_up Host {upstream_hostport}
+          {% endif %}
+        }
+      {% elif location.type == 'redirect' %}
+        redir * {{ location.redirect_target }}{{ '{path}' if location.redirect_preserve_path }}{{ '?{query}' if location.redirect_preserve_query }} {{ location.redirect_type }}
+      {% elif location.type == 'respond' %}
+       {% if location.respond_content_type == 'json' %}
+        respond `{{ location.respond_content | to_json }}`
+       {% else %}
+        respond `{{ location.respond_content }}`
+       {% endif %}
+      {% endif %}
+    }
+  {% endfor %}
+}

roles/vhost/vars/main.yaml

@@ -14,7 +14,9 @@ _vhost_location_defaults:
     vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'tcp' else '' }}"
   proxy_target_socket: "{{ vhost_proxy_target_socket if
     vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'unix' else '' }}"
+  proxy_headers: "{{ vhost_proxy_headers }}"
   proxy_delete_headers: "{{ vhost_proxy_delete_headers }}"
+  proxy_pass_host_header: "{{ vhost_proxy_pass_host_header }}"
 
   redirect_target: "{{ vhost_redirect_target if vhost_type == 'redirect' else '' }}"
   redirect_preserve_path: "{{ vhost_redirect_preserve_path }}"