Add Reverse Proxies with SWAG and Ansible
2 min read

Add Reverse Proxies with SWAG and Ansible

I've created an ansible role to allow me to build reverse proxy configurations and just deploy them.
Add Reverse Proxies with SWAG and Ansible

My previous post described a simple SWAG role with Ansible. While I have a static site to the main page, I also have a number of applications, which I use internally (like Photoprism and Paperless). I prefer to access these via names (like and respectively), rather than ip_address:port.

I've used the available resources and sample config files in SWAG to write my own reverse proxy configs for these applications, and that was all good until I noticed that I have quite a few apps - and config files created over time. I could just leave them like they are and back them up, but I love a bit of over-engineering and configuration as code. I've decided to create a complement to the SWAG ansible role to allow me to build reverse proxy configurations and just deploy them. Hence, my new swag_reverse_proxy role.


The role is a template-based role, which makes it quite flexible in the sense that you can create your templates with whatever variables you'd like.

You can start from a base configuration found online or from a template provided with SWAG. I've used a mix. For example my UniFi controller configuration is based on a gist and uses the SWAG's include /config/nginx/ssl.conf; line. It looks like this:

server {
  listen 80;
  listen [::]:80;
  server_name {{ site_name }};

  return 301 https://$server_name$request_uri;
server {
  listen 443 ssl;
  listen [::]:443 ssl;

  include /config/nginx/ssl.conf;

  server_name {{ site_name }};

  location / {
    proxy_set_header    Host $http_host;
    proxy_set_header    X-Forwarded-Host $host;
    proxy_set_header    X-Forwarded-Server $host;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    X-Real-IP $remote_addr;
    proxy_set_header    X-Scheme $scheme;
    proxy_set_header    Referer "";
    proxy_set_header    Upgrade $http_upgrade;
    proxy_set_header    Connection "upgrade";
    proxy_pass          {{ site_internal_url }};

The role configuration is also simple:

  - src:
      protocol: https
      host: services
      port: '8443'
    template_name: unifi.config.j2
    alias: unifi-controller
    domain: ''

Now, when I hit, I get the web interface of the UniFi controller.

What now?

The description above gives you a glimpse of the role's capabilities. It has more stuff (like figuring out the IP address from the site's name). I strongly suggest you read its documentation to see how you can work with it. There you'll find the most up-to-date information.