Import the old role.

This commit is contained in:
Andrea Dell'Amico 2020-06-02 14:52:24 +02:00
parent 2e36eb0cb8
commit 3421e2d944
24 changed files with 1013 additions and 68 deletions


@ -1,31 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
A role that installs and configures the nginx web server and proxy
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
There are a lot of variables. See the **defaults/main.yml** file for a complete list. Here an example of how to setup a virtualhost:
``` yaml
nginx_virthosts:
- virthost_name: '{{ ansible_fqdn }}'
listen: '{{ http_port }}'
server_name: '{{ ansible_fqdn }}'
server_aliases: ''
index: index.html
error_page: /path_to_error_page.html
ssl_enabled: False
ssl_only: False
ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
root: {{ nginx_webroot }}
server_tokens: 'off'
proxy_standard_setup: True
proxy_additional_options:
- 'proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;'
locations:
- location: /
target: http://localhost:{{ local_http_port }}
```
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
If basic ldap authentication is required: <git+https@gitea-s2i2s.isti.cnr.it:ISTI-ansible-roles/ansible-role-ldap-client-config.git>
License
-------
@ -35,4 +42,4 @@ EUPL-1.2
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>


@ -1,2 +1,125 @@
---
# defaults file for ansible-role-template
nginx_enabled: True
nginx_use_ppa: False
nginx_ppa_repo: ppa:nginx/stable
nginx_package_state: present
# See https://mozilla.github.io/server-side-tls/ssl-config-generator/
nginx_ssl_level: intermediate
nginx_snippets_dir: /etc/nginx/snippets
nginx_conf_snippets:
- nginx-compression.conf
- nginx-websockets.conf
- nginx-browser-cache.conf
- letsencrypt-proxy.conf
- nginx-proxy-params.conf
- nginx-server-ssl.conf
- nginx-cors.conf
nginx_old_snippets:
- compression.conf
nginx_workers: 4
nginx_worker_connections: 1024
nginx_multi_accept: 'off'
nginx_worker_rlimit_nofile: 2048
nginx_server_tokens: 'off'
nginx_large_client_header_buffers: 4 8k
nginx_enable_compression: True
nginx_gzip_vary: "on"
nginx_gzip_proxied: any
nginx_gzip_comp_level: 6
nginx_gzip_buffers: 16 8k
nginx_gzip_http_version: 1.1
nginx_gzip_types: "text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript"
nginx_enable_browser_cache: True
nginx_cache_control: public
nginx_html_cache_expire: -1
nginx_feed_cache_expire_enabled: False
nginx_feed_cache_expire: 1h
nginx_media_cache_expire: 1M
nginx_css_js_cache_expire: -1
nginx_reverse_proxy: False
nginx_define_x_real_ip: False
nginx_set_original_uri: True
nginx_proxy_buffering: "on"
nginx_proxy_redirect: "off"
nginx_proxy_buffer_size: 128k
nginx_proxy_buffers: '4 {{ nginx_proxy_buffer_size }}'
nginx_proxy_busy_buffers_size: 256k
nginx_proxy_connect_timeout: 30s
nginx_proxy_read_timeout: 480s
nginx_proxy_send_timeout: 120s
nginx_proxy_temp_file_write_size: '{{ nginx_proxy_buffer_size }}'
nginx_client_max_body_size: 100M
nginx_client_body_timeout: 240s
nginx_cors_enabled: False
nginx_cors_global: True
nginx_cors_limit_origin: True
nginx_cors_extended_rules: False
nginx_cors_acl_origin: 'http?://(localhost)'
# Possible methods:
# CONNECT, DEBUG, DELETE, DONE, GET, HEAD, HTTP, HTTP/0.9, HTTP/1.0, HTTP/1.1, HTTP/2, OPTIONS, ORIGIN, ORIGINS, PATCH, POST, PUT, QUIC, REST, SESSION, SHOULD, SPDY, TRACE, TRACK
nginx_cors_allowed_methods: 'GET, POST, OPTIONS'
# Possible headers:
# 'Accept, Accept-CH, Accept-Charset, Accept-Datetime, Accept-Encoding, Accept-Ext, Accept-Features, Accept-Language, Accept-Params, Accept-Ranges, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Max-Age, Access-Control-Request-Headers, Access-Control-Request-Method, Age, Allow, Alternates, Authentication-Info, Authorization, C-Ext, C-Man, C-Opt, C-PEP, C-PEP-Info, CONNECT, Cache-Control, Compliance, Connection, Content-Base, Content-Disposition, Content-Encoding, Content-ID, Content-Language, Content-Length, Content-Location, Content-MD5, Content-Range, Content-Script-Type, Content-Security-Policy, Content-Style-Type, Content-Transfer-Encoding, Content-Type, Content-Version, Cookie, Cost, DAV, DELETE, DNT, DPR, Date, Default-Style, Delta-Base, Depth, Derived-From, Destination, Differential-ID, Digest, ETag, Expect, Expires, Ext, From, GET, GetProfile, HEAD, HTTP-date, Host, IM, If, If-Match, If-Modified-Since, If-None-Match, If-Range, If-Unmodified-Since, Keep-Alive, Label, Last-Event-ID, Last-Modified, Link, Location, Lock-Token, MIME-Version, Man, Max-Forwards, Media-Range, Message-ID, Meter, Negotiate, Non-Compliance, OPTION, OPTIONS, OWS, Opt, Optional, Ordering-Type, Origin, Overwrite, P3P, PEP, PICS-Label, POST, PUT, Pep-Info, Permanent, Position, Pragma, ProfileObject, Protocol, Protocol-Query, Protocol-Request, Proxy-Authenticate, Proxy-Authentication-Info, Proxy-Authorization, Proxy-Features, Proxy-Instruction, Public, RWS, Range, Referer, Refresh, Resolution-Hint, Resolver-Location, Retry-After, Safe, Sec-Websocket-Extensions, Sec-Websocket-Key, Sec-Websocket-Origin, Sec-Websocket-Protocol, Sec-Websocket-Version, Security-Scheme, Server, Set-Cookie, Set-Cookie2, SetProfile, SoapAction, Status, Status-URI, Strict-Transport-Security, SubOK, Subst, Surrogate-Capability, Surrogate-Control, TCN, TE, TRACE, Timeout, Title, Trailer, 
Transfer-Encoding, UA-Color, UA-Media, UA-Pixels, UA-Resolution, UA-Windowpixels, URI, Upgrade, User-Agent, Variant-Vary, Vary, Version, Via, Viewport-Width, WWW-Authenticate, Want-Digest, Warning, Width, X-Content-Duration, X-Content-Security-Policy, X-Content-Type-Options, X-CustomHeader, X-DNSPrefetch-Control, X-Forwarded-For, X-Forwarded-Port, X-Forwarded-Proto, X-Frame-Options, X-Modified, X-OTHER, X-PING, X-PINGOTHER, X-Powered-By, X-Requested-With, Observe'
nginx_cors_allowed_headers: 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With,Accept-Language,X-CustomHeader,Content-Range,Range,Observe'
# Find a set of acceptable defaults for the cache setup
nginx_cache_enabled: False
nginx_use_ldap_pam_auth: False
nginx_pam_svc_name: nginx
nginx_ldap_uri: "ldap://ldap.example.org"
nginx_ldap_base_dn: "dc=example,dc=org"
nginx_basic_auth: False
nginx_basic_auth_users:
- { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' }
# nginx_ldap_login_attribute: uid
# nginx_ldap_pam_groupdn:
nginx_webroot: /usr/share/nginx/html
nginx_letsencrypt_managed: True
nginx_websockets_support: False
nginx_use_common_virthost: False
# Set it to 'ssl http2' if the nginx version supports it
nginx_ssl_type: ssl
# When we do not use letsencrypt:
# nginx_ssl_cert_file: '{{ pki_dir }}/certs/nginx.crt'
# nginx_ssl_cert_key: '{{ pki_dir }}/keys/nginx.key'
nginx_block_dotfiles: True
# Virtualhost example
# nginx_virthosts:
# - virthost_name: '{{ ansible_fqdn }}'
# listen: '{{ http_port }}'
# server_name: '{{ ansible_fqdn }}'
# server_aliases: ''
# index: index.html
# error_page: /path_to_error_page.html
# ssl_enabled: False
# ssl_only: False
# ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
# root: {{ nginx_webroot }}
# server_tokens: 'off'
# proxy_standard_setup: True
# proxy_additional_options:
# - 'proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;'
# locations:
# - location: /
# target: http://localhost:{{ local_http_port }}
#
# extra_parameters: |
# location ~ \.php$ {
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass unix:/var/run/php5-fpm.sock;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# include fastcgi_params;
# }
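Review bot: `nginx_cors_acl_origin: 'http?://(localhost)'` reads like a regular expression, but templates/nginx-cors.conf.j2 writes the variable verbatim into `add_header 'Access-Control-Allow-Origin'`, so this default produces a literal, invalid origin value in the response. Either document the variable as a single literal origin (`nginx_cors_acl_origin: 'http://localhost'`) or keep the pattern form and match it with a `map $http_origin` block in the template rather than emitting it directly. A comment above `nginx_ldap_uri` noting that a plain `ldap://` URI carries PAM-authenticated credentials unencrypted unless the LDAP client enforces STARTTLS would also help, because nothing in these defaults turns that on. Booleans are written `True`/`False` throughout; `true`/`false` is the usual Ansible spelling and what yamllint's `truthy` rule expects.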


@ -0,0 +1,25 @@
#!/bin/bash
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
LE_LOG_DIR=/var/log/letsencrypt
DATE=$( date )
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
echo "$DATE" >> $LE_LOG_DIR/nginx.log
if [ -f /etc/default/letsencrypt ] ; then
. /etc/default/letsencrypt
else
echo "No letsencrypt default file" >> $LE_LOG_DIR/nginx.log
fi
echo "Reload the nginx service" >> $LE_LOG_DIR/nginx.log
if [ -x /bin/systemctl ] ; then
systemctl reload nginx >> $LE_LOG_DIR/nginx.log 2>&1
else
service nginx reload >> $LE_LOG_DIR/nginx.log 2>&1
fi
echo "Done." >> $LE_LOG_DIR/nginx.log
exit 0
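Review bot: `LE_SERVICES_SCRIPT_DIR` is assigned on the second line and never read, and the sourced `/etc/default/letsencrypt` contributes no variable that the reload path below uses, so both look like leftovers from the role this was copied from. `[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR` is unquoted and races with any other hook creating the same directory; `mkdir -p "$LE_LOG_DIR"` is the idempotent form and removes the test. Quoting `"$LE_LOG_DIR"` in the redirections too keeps the script correct if the path is ever changed.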

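--- a/files/nginx.pam
+++ b/files/nginx.pam
+#
+auth [success=2 default=ignore] pam_unix.so nullok_secure
+auth [success=1 default=ignore] pam_ldap.so
+auth requisite pam_deny.so
+auth required pam_permit.so
+#
+account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
+account [success=1 default=ignore] pam_ldap.so
+account requisite pam_deny.so
+account required pam_permit.so
+#
+password [success=1 default=ignore] pam_unix.so obscure sha512
+password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
+password requisite pam_deny.so
+password required pam_permit.so
+#
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session optional pam_umask.so
+session required pam_unix.so
+session optional pam_ldap.so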
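Review bot: In the `password` stack, `[success=1 default=ignore] pam_unix.so` skips exactly one module, which is `pam_ldap.so`, so a successful local password change lands on `pam_deny.so`; the Debian pam-auth-update layout this mirrors uses `success=2` there so that success jumps to `pam_permit.so`. nginx's PAM module only exercises the `auth` and `account` stacks, so this is latent for the web server, but the file should not carry a broken stack. `nullok_secure` on the `auth` line exists for console logins (it keys off `PAM_TTY` and `/etc/securetty`); for a service that authenticates HTTP clients it is safer to drop the option so an empty local password can never be accepted, whatever the tty state of the calling process turns out to be.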


@ -1,2 +1,7 @@
---
# handlers file for ansible-role-template
- name: Reload nginx
service: name=nginx state=reloaded
- name: Restart nginx
service: name=nginx state=restarted
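Review bot: Both handlers use the `key=value` free-form argument style (`service: name=nginx state=reloaded`); the block form `service:` / `name: nginx` / `state: reloaded` is what ansible-lint flags for and what the rest of the repository will be checked against. The same style is used in every task file of this commit (tasks/basic-auth.yml, tasks/main.yml, tasks/nginx-config.yml, tasks/nginx-deb.yml, tasks/nginx-letsencrypt.yml, tasks/nginx-rh.yml, tasks/nginx-virtualhosts.yml, tasks/pam-ldap.yml), so converting once across the role is cheaper than doing it file by file later.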


@ -1,61 +1,29 @@
galaxy_info:
author: your name
description: your description
author: Andrea Dell'Amico
description: Systems Architect
company: ISTI-CNR
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: EUPL-1.2
license: EUPL 1.2+
min_ansible_version: 2.8
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
platforms:
- name: Ubuntu
versions:
- bionic
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
galaxy_tags:
- users
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
dependencies:
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-ldap-client-config.git
version: master
name: ldap-client-config
state: latest
when: nginx_use_ldap_pam_auth
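Review bot: The `ldap-client-config` dependency is fetched from a git URL at `version: master` with `state: latest`, so every run pulls whatever is at the branch head; pinning `version:` to a tag or commit keeps the role reproducible and makes an unexpected upstream change visible in review instead of landing silently on hosts. `license: EUPL 1.2+` here differs from `EUPL-1.2` in the README hunk; pick one spelling. `galaxy_tags: - users` does not describe an nginx role — `web` or `nginx` would index it correctly on Galaxy.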

tasks/basic-auth.yml Normal file

@ -0,0 +1,17 @@
---
- block:
- name: Install the python passlib library on deb based distributions
apt: pkg=python-passlib state=present cache_valid_time=3600
when: ansible_distribution_file_variety == "Debian"
- name: Install the python passlib library on RH based distributions
yum: pkg=python-passlib state=present
when: ansible_distribution_file_variety == "RedHat"
- name: Create the htpasswd file needed by the basic auth
htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }}
with_items: '{{ nginx_basic_auth_users }}'
when: nginx_basic_auth
tags: nginx
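Review bot: The `htpasswd` task passes `password={{ item.pwd }}` and loops over `nginx_basic_auth_users`, so each user's plaintext password is printed in the task output and in any logged play; add `no_log: true` to that task. The htpasswd file is created with the module's default ownership and mode, which leaves the hashes world-readable; `owner=root group=www-data mode=0640` (or the distribution's nginx group) restricts it to the worker process. `python-passlib` is the Python 2 package name on both apt and yum; hosts running the Ansible interpreter under Python 3 may need `python3-passlib` instead, so the package name may have to follow the interpreter.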


@ -1,2 +1,24 @@
---
# tasks file for ansible-role-template
- import_tasks: nginx-deb.yml
when: ansible_distribution_file_variety == "Debian"
- import_tasks: nginx-rh.yml
when: ansible_distribution_file_variety == "RedHat"
- import_tasks: nginx-config.yml
- import_tasks: nginx-virtualhosts.yml
when: nginx_use_common_virthost | bool
- import_tasks: nginx-letsencrypt.yml
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
- import_tasks: basic-auth.yml
- import_tasks: pam-ldap.yml
- name: Ensure that the webserver is running and enabled at boot time
service: name=nginx state=started enabled=yes
when: nginx_enabled
ignore_errors: True
tags: nginx
- name: Ensure that the webserver is stopped and disabled
service: name=nginx state=stopped enabled=no
when: not nginx_enabled
ignore_errors: True
tags: nginx
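Review bot: `ignore_errors: True` on the two `service` tasks means a configuration that stops nginx from starting is reported as a success, which defeats the handlers that reload it; drop `ignore_errors` or replace it with an explicit `failed_when` for the cases you actually intend to tolerate. The conditionals mix `nginx_use_common_virthost | bool` with bare `when: nginx_enabled`; applying `| bool` consistently avoids string-truthiness surprises when a flag arrives from the inventory or `-e`. `basic-auth.yml` and `pam-ldap.yml` are imported unconditionally while their own blocks carry the `when`, which works, but a short comment such as `# gated inside by nginx_basic_auth / nginx_use_ldap_pam_auth` would save the next reader a lookup.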

tasks/nginx-config.yml Normal file

@ -0,0 +1,45 @@
---
- block:
- name: Create the snippets directory
file: dest={{ nginx_snippets_dir }} state=directory
- name: Create the pki directory
file: dest={{ pki_dir }}/nginx state=directory
- name: Create the client body tmp directory, if needed
file: dest={{ nginx_client_body_temp_dir }}/nginx state=directory owner=www-data group=www-data mode=0700
when: nginx_client_body_temp_dir is defined
- name: Create a dhparams file 2048 bits long
shell: openssl dhparam -out {{ pki_dir }}/nginx/dhparams.pem 2048
args:
creates: '{{ pki_dir }}/nginx/dhparams.pem'
when: nginx_ssl_level == 'intermediate'
notify: Reload nginx
- name: Install the supported configuration snippets
template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444
with_items: '{{ nginx_conf_snippets }}'
notify: Reload nginx
- name: Install the main nginx.conf
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=444
notify: Reload nginx
- name: Remove the old configuration snippets
file: dest=/etc/nginx/conf.d/{{ item }} state=absent
with_items: '{{ nginx_old_snippets }}'
notify: Reload nginx
when: nginx_enabled | bool
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
- block:
- name: remove nginx default virtualhost
file: dest=/etc/nginx/sites-enabled/default state=absent
notify: Reload nginx
when:
- nginx_enabled | bool
- ansible_distribution_file_variety == "Debian"
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
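Review bot: The dhparams file is generated only `when: nginx_ssl_level == 'intermediate'`, but templates/nginx-server-ssl.conf.j2 emits `ssl_dhparam {{ pki_dir }}/nginx/dhparams.pem;` unconditionally, so a host set to `old` or `modern` with any SSL virtualhost fails `nginx -t` on a missing file. Dropping the `when` on the openssl task is the smallest fix; the `creates:` guard already keeps it idempotent. `mode=444` on the nginx.conf template differs from the `mode=0444` used two tasks earlier; keep the leading zero so the octal intent is explicit. `owner=www-data group=www-data` for the client body temp directory is the Debian worker account, while this file also runs on RH hosts where the package typically runs nginx as `nginx`; parameterising the owner or conditioning the task avoids a failing chown there.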

tasks/nginx-deb.yml Normal file

@ -0,0 +1,27 @@
---
- block:
- name: Install the Ubuntu PPA for nginx
apt_repository: repo='{{ nginx_ppa_repo }}' update_cache=yes
when:
- nginx_use_ppa
- "'{{ ansible_distribution }}' == 'Ubuntu'"
tags: [ 'nginx', 'nginx_ppa' ]
- name: Install the nginx web server
apt: pkg=nginx-full state={{ nginx_package_state }} cache_valid_time=1800
when:
- not nginx_use_ldap_pam_auth
- ansible_distribution_major_version <= '14'
- name: Install the nginx web server if we need ldap auth via pam
apt: pkg=nginx-extras state={{ nginx_package_state }} cache_valid_time=1800
when:
- nginx_use_ldap_pam_auth
- ansible_distribution_major_version <= '14'
- name: Install the nginx web server on Ubuntu >= 16.04
apt: pkg=nginx state={{ nginx_package_state }} cache_valid_time=1800
when: ansible_distribution_major_version >= '16'
when: ansible_distribution_file_variety == "Debian"
tags: nginx
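Review bot: The `nginx_use_ldap_pam_auth` branch is only evaluated for `ansible_distribution_major_version <= '14'`, so on Ubuntu 16.04 and later the last task installs plain `nginx`, not the `nginx-extras` package that the `<= 14` branch uses to provide the PAM module; tasks/pam-ldap.yml then drops a PAM service file for a module that is not there. The version checks compare strings (`'9' <= '14'` is false while `'9' >= '16'` is true), so a Debian 9 host silently takes the Ubuntu >= 16 branch; `ansible_distribution_major_version | int` gives numeric ordering. `- "'{{ ansible_distribution }}' == 'Ubuntu'"` embeds Jinja inside a `when`, which Ansible warns about; `ansible_distribution == 'Ubuntu'` is the intended form. The last task split the same way as the first two would look like this:

```yaml
# … unchanged: PPA task and the two "<= 14" install tasks …
- name: Install the nginx web server on Ubuntu >= 16.04
  apt: pkg=nginx state={{ nginx_package_state }} cache_valid_time=1800
  when:
    - not nginx_use_ldap_pam_auth
    - ansible_distribution_major_version | int >= 16
- name: Install the nginx web server with the pam module on Ubuntu >= 16.04
  apt: pkg=nginx-extras state={{ nginx_package_state }} cache_valid_time=1800
  when:
    - nginx_use_ldap_pam_auth
    - ansible_distribution_major_version | int >= 16
```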


@ -0,0 +1,20 @@
---
- block:
- name: Create the acme hooks directory if it does not yet exist
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
- name: Install a letsencrypt hook for nginx
copy: src=nginx-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/nginx owner=root group=root mode=4555
when:
- letsencrypt_acme_install is defined and letsencrypt_acme_install
- nginx_letsencrypt_managed
tags: [ 'nginx', 'letsencrypt' ]
- block:
- name: Remove the letsencrypt hook for nginx
file: path={{ letsencrypt_acme_services_scripts_dir }}/nginx state=absent
when: not nginx_letsencrypt_managed
tags: [ 'nginx', 'letsencrypt' ]
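Review bot: The hook is copied with `mode=4555`, which sets the setuid bit on a root-owned shell script; Linux ignores setuid on interpreted scripts, so the bit buys nothing for the hook and only trips file-permission audits, while leaving a root setuid file around that any later change to how it is invoked could turn into a real exposure. `mode=0555` (or `0755`) is the right mode for a hook that the ACME client presumably already runs as root. The hooks directory is created without a `mode`, so it inherits the umask of the connection; an explicit `mode=0755` keeps the layout deterministic across hosts.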

tasks/nginx-rh.yml Normal file

@ -0,0 +1,7 @@
---
- block:
- name: Install the nginx web server
yum: pkg=nginx state={{ nginx_package_state }}
when: ansible_distribution_file_variety == "RedHat"
tags: nginx
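Review bot: On RH hosts the role installs plain `nginx` regardless of `nginx_use_ldap_pam_auth`, while tasks/pam-ldap.yml still installs a PAM service file for it; a comment here stating that PAM/LDAP auth is Debian/Ubuntu-only, or an `assert:` that fails when the flag is set on a RedHat family host, would prevent a half-configured server. `yum: pkg=nginx` uses the `pkg` alias; `name` is the documented parameter and matches the intent of the other task files.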


@ -0,0 +1,32 @@
---
- block:
- name: Create the nginx webroot if different from the default
file: dest={{ nginx_webroot }} state=directory mode=0755
when: nginx_webroot != '/usr/share/nginx/html'
tags: [ 'nginx', 'virtualhost' ]
- name: Install and enable the nginx virtualhost files on Deb based systems
block:
- name: Install the nginx virtualhost files
template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
- name: Enable the nginx virtualhosts
file: src=/etc/nginx/sites-available/{{ item.virthost_name }} dest=/etc/nginx/sites-enabled/{{ item.virthost_name }} state=link
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
when: ansible_distribution_file_variety == "Debian"
tags: [ 'nginx', 'virtualhost' ]
- name: Install and enable the nginx virtualhost files on RH based systems
block:
- name: Install the nginx virtualhost files
template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
when: ansible_distribution_file_variety == "RedHat"
tags: [ 'nginx', 'virtualhost' ]
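Review bot: `with_items: '{{ nginx_virthosts | default(omit) }}'` does not skip the loop when the variable is unset: `omit` is a placeholder meant for module parameters, so the loop runs once with that placeholder string as `item` and `item.virthost_name` fails on it. `default([])` is what yields an empty loop; the same expression appears three times in this file. The webroot task creates the directory with `mode=0755` but no `owner`/`group`, so it is owned by whichever account Ansible connected as; `owner=root group=root` is the normal expectation for a document root and keeps the result independent of the connection user.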

tasks/pam-ldap.yml Normal file

@ -0,0 +1,7 @@
---
- name: Install pam service for nginx
copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }}
notify: Reload nginx
when: nginx_use_ldap_pam_auth
tags: nginx
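Review bot: The copied service file references `pam_ldap.so`, but nothing in this role installs the PAM LDAP module or its client configuration; the only provider is the `ldap-client-config` dependency in meta/main.yml, gated on the same `nginx_use_ldap_pam_auth` flag, and that coupling deserves a comment above the task, e.g. `# pam_ldap.so and /etc/ldap.conf come from the ldap-client-config role dependency`. templates/ldap.conf.j2 is added in this commit but no task in the visible hunks renders it, so it appears to be dead next to this one. The file is copied without `owner`/`mode`; `owner=root group=root mode=0644` makes the PAM service definition's ownership explicit rather than inherited from the connection.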

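--- a/templates/ldap.conf.j2
+++ b/templates/ldap.conf.j2
+# The distinguished name of the search base.
+base {{ nginx_ldap_base_dn }}
+# Another way to specify your LDAP server is to provide an
+uri {{ nginx_ldap_uri }}
+if {% nginx_ldap_login_attribute is defined %}
+pam_login_attribute {{ nginx_ldap_login_attribute }}
+{% endif %}
+if {% nginx_ldap_pam_groupdn is defined %}
+pam_groupdn
+{% endif %}
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+ldap_version 3
+nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data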
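Review bot: `if {% nginx_ldap_login_attribute is defined %}` and `if {% nginx_ldap_pam_groupdn is defined %}` are not valid Jinja — the `if` keyword sits outside the tag, so the template module raises a syntax error as soon as this file is rendered; the lines should read `{% if nginx_ldap_login_attribute is defined %}` and `{% if nginx_ldap_pam_groupdn is defined %}`. The `pam_groupdn` directive inside the second block has no value and needs `pam_groupdn {{ nginx_ldap_pam_groupdn }}`. The comment above `uri` is cut off mid-sentence, and there is no `ssl start_tls` or `tls_*` setting, so a reader cannot tell whether the bind is meant to be encrypted; either state that it is left to the LDAP client role or add the option here.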


@ -0,0 +1,9 @@
# Include this one inside a "server" directive listening on port 80, this way:
# include /etc/nginx/snippets/letsencrypt-proxy.conf;
location ^~ /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:{{ letsencrypt_acme_standalone_port | default('4402') }}/.well-known/acme-challenge;
access_log /var/log/nginx/letsencrypt_acmetool_access.log;
error_log /var/log/nginx/letsencrypt_acmetool_error.log;
}


@ -0,0 +1,27 @@
# include inside a 'server' directive
#
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
expires {{ nginx_html_cache_expire }};
}
{% if nginx_feed_cache_expire_enabled %}
#
location ~* \.(?:rss|atom)$ {
expires {{ nginx_feed_cache_expire }};
add_header Cache-Control "{{ nginx_cache_control }}";
}
{% endif %}
#
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires {{ nginx_media_cache_expire }};
access_log off;
add_header Cache-Control "{{ nginx_cache_control }}";
}
#
location ~* \.(?:css|js)$ {
expires {{ nginx_css_js_cache_expire }};
access_log off;
add_header Cache-Control "{{ nginx_cache_control }}";
}
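Review bot: Each `location` here carries its own `add_header Cache-Control`, and nginx's `add_header` is inherited from the enclosing level only when the current level defines none, so any header set at `server` level — notably `Strict-Transport-Security` from nginx-server-ssl.conf.j2 and the CORS headers when `nginx_cors_global` is true — is silently dropped on these static-asset responses. Repeating the server-level headers in each block, or moving them into a snippet that every `location` includes, restores them. A one-line comment at the top of the snippet, `# add_header here replaces, not extends, the server-level headers`, would stop the next person from being surprised by it.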


@ -0,0 +1,6 @@
gzip_vary {{ nginx_gzip_vary }};
gzip_proxied {{ nginx_gzip_proxied }};
gzip_comp_level {{ nginx_gzip_comp_level }};
gzip_buffers {{ nginx_gzip_buffers }};
gzip_http_version {{ nginx_gzip_http_version }};
gzip_types {{ nginx_gzip_types }};


@ -0,0 +1,58 @@
{% if nginx_cors_extended_rules %}
if ($request_method = 'OPTIONS') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
#
# Custom headers and headers various browsers *should* be OK with but aren't
#
add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
#
# Tell client that this pre-flight info is valid for 20 days
#
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'POST') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}';
}
if ($request_method = 'GET') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}';
}
{% else %}
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
if ($request_method = OPTIONS ) {
return 204;
}
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}';
{% endif %}
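Review bot: Every branch sends `Access-Control-Allow-Credentials 'true'`, and when `nginx_cors_limit_origin` is true the origin header is `{{ nginx_cors_acl_origin | default("$http_origin") }}`: with the variable unset or empty this reflects whatever `Origin` the client sent, which combined with credentials lets any site make authenticated cross-origin requests to the virtualhost. Validate the origin against an allow-list instead — a `map $http_origin $cors_origin` in the `http` context that yields the origin only on a match, then `add_header 'Access-Control-Allow-Origin' $cors_origin` — and drop the credentials header in the `*` branch, since browsers refuse credentials together with a wildcard origin anyway. The role default `'http?://(localhost)'` is written into the header as literal text by this template, so the variable's meaning (pattern or literal origin) has to be settled as part of that change. `'text/plain charset=UTF-8'` is also missing the `;` between media type and parameter.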


@ -0,0 +1,29 @@
# Proxy stuff
# include /etc/nginx/snippets/nginx-proxy-params.conf;
proxy_http_version 1.1;
proxy_set_header Connection "";
{% if haproxy_ips is defined %}
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $remote_addr;
proxy_set_header X-Forwarded-Server $host;
{% else %}
proxy_set_header Host $host;
{% if nginx_define_x_real_ip %}
proxy_set_header X-Real-IP $remote_addr;
{% endif %}
{% endif %}
{% if nginx_set_original_uri %}
proxy_set_header nginx-request-uri $request_uri;
{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering {{ nginx_proxy_buffering }};
proxy_buffer_size {{ nginx_proxy_buffer_size }};
proxy_buffers {{ nginx_proxy_buffers }};
proxy_busy_buffers_size {{ nginx_proxy_busy_buffers_size }};
proxy_temp_file_write_size {{ nginx_proxy_temp_file_write_size }};
proxy_redirect {{ nginx_proxy_redirect }};
proxy_connect_timeout {{ nginx_proxy_connect_timeout }};
proxy_read_timeout {{ nginx_proxy_read_timeout }};
proxy_send_timeout {{ nginx_proxy_send_timeout }};
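Review bot: `proxy_set_header X-Forwarded-Host $remote_addr;` in the `haproxy_ips` branch puts the client IP into a header whose consumers expect the original `Host` value; `$http_host`, matching the `Host` line just above it, is what the upstream will want to read. In that same branch `X-Forwarded-Proto $scheme` reports the scheme between nginx and haproxy, so behind a TLS-terminating haproxy the upstream is told `http`; passing through the incoming `$http_x_forwarded_proto` with a fallback to `$scheme` is usually what is wanted — confirm against the haproxy role's header settings. `proxy_set_header Connection "";` here and the `$connection_upgrade` set by the websocket snippet target the same header, and which one wins depends on include order, so a comment naming the intended order would help.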


@ -0,0 +1,49 @@
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
ssl_certificate {{ letsencrypt_acme_certs_dir }}/fullchain;
ssl_certificate_key {{ letsencrypt_acme_certs_dir }}/privkey;
{% else %}
ssl_certificate {{ nginx_ssl_cert_file | default('/etc/nginx/ssl/server.crt') }};
ssl_certificate_key {{ nginx_ssl_cert_key | default ('/etc/nginx/ssl/server.key') }};
{% endif %}
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_dhparam {{ pki_dir }}/nginx/dhparams.pem;
{% if nginx_ssl_level == 'old' %}
{% if ansible_distribution_version is version_compare('18.04', '>=') %}
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
{% else %}
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
{% endif %}
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
{% endif %}
{% if nginx_ssl_level == 'intermediate' %}
{% if ansible_distribution_version is version_compare('18.04', '>=') %}
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
{% else %}
ssl_protocols TLSv1.1 TLSv1.2;
{% endif %}
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
ssl_prefer_server_ciphers off;
{% endif %}
{% if nginx_ssl_level == 'modern' %}
ssl_session_tickets off;
# modern configuration. tweak to your needs.
{% if ansible_distribution_version is version_compare('18.04', '>=') %}
ssl_protocols TLSv1.2 TLSv1.3;
{% else %}
ssl_protocols TLSv1.2;
{% endif %}
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
{% endif %}
{% if ansible_distribution_version is version_compare('14.04', '>=') %}
ssl_stapling on;
ssl_stapling_verify on;
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
ssl_trusted_certificate {{ letsencrypt_acme_certs_dir }}/fullchain;
{% else %}
ssl_trusted_certificate {{ nginx_ssl_fullchain_file | default('/etc/nginx/ssl/cacert.crt') }};
{% endif %}
add_header Strict-Transport-Security max-age=15768000;
{% endif %}
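Review bot: The `intermediate` block still enables `TLSv1.1` and ends its cipher list with `DES-CBC3-SHA`, while the Mozilla generator the defaults file points to has since moved its intermediate profile to TLS 1.2+ without 3DES; either refresh the list or record the generator revision these strings came from so the label is not misleading. `add_header Strict-Transport-Security max-age=15768000;` lacks `always`, so the header is not sent on error responses, and it is also dropped in any `location` that defines its own `add_header` (the browser-cache and CORS snippets do). The `version_compare('18.04', '>=')` checks apply Ubuntu release numbers to `ansible_distribution_version` unconditionally, so a Debian 10 host (`'10'`) never gets `TLSv1.3` even though its nginx build supports it — presumably the role targets Ubuntu only, as meta/main.yml states, in which case a comment saying so here would suffice.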

templates/nginx-virthost.j2 Normal file

@ -0,0 +1,353 @@
{% if nginx_websockets_support is defined and nginx_websockets_support %}
include /etc/nginx/snippets/nginx-websockets.conf;
{% else %}
{% if item.websockets is defined and item.websockets %}
include /etc/nginx/snippets/nginx-websockets.conf;
{% endif %}
{% endif %}
server {
listen {{ item.http_port | default ('80') }};
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
{% if nginx_block_dotfiles %}
location ~ /\.(?!well-known).* {
deny all;
access_log off;
log_not_found off;
return 404;
}
{% endif %}
{% if letsencrypt_acme_install %}
include /etc/nginx/snippets/letsencrypt-proxy.conf;
{% endif %}
{% if item.access_log is defined %}
access_log {{ item.access_log }};
{% else %}
access_log /var/log/nginx/{{ item.server_name }}_access.log;
{% endif %}
{% if item.error_log is defined %}
error_log {{ item.error_log }};
{% else %}
error_log /var/log/nginx/{{ item.server_name }}_error.log;
{% endif %}
server_tokens {{ item.server_tokens | default('off') }};
{% if item.ssl_enabled and item.ssl_only %}
location / {
return 301 https://{{ item.server_name }}$request_uri;
}
{% else %}
root {{ item.root | default('/usr/share/nginx/html/') }};
index {{ item.index | default('index.html index.htm') }};
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
location = /50x.html {
root {{ item.error_path | default('/usr/share/nginx/html') }};
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
{% if nginx_block_dotfiles %}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
return 404;
}
{% endif %}
{% if haproxy_ips is defined %}
# We are behind haproxy
{% for ip in haproxy_ips %}
set_real_ip_from {{ ip }};
{% endfor %}
real_ip_header X-Forwarded-For;
{% endif %}
{% if item.max_body is defined %}
client_max_body_size {{ item.max_body }};
{% else %}
client_max_body_size {{ nginx_client_max_body_size }};
{% endif %}
{% if item.body_timeout is defined %}
client_body_timeout {{ item.body_timeout }};
{% else %}
client_body_timeout {{ nginx_client_body_timeout }};
{% endif %}
{% if nginx_cors_enabled %}
{% if nginx_cors_global %}
include /etc/nginx/snippets/nginx-cors.conf;
{% endif %}
{% endif %}
{% if item.additional_options is defined %}
{% for add_opt in item.additional_options %}
{{ add_opt }};
{% endfor %}
{% endif %}
{% if item.http_acls is defined %}
{% for acl in item.http_acls %}
{{ acl }};
{% endfor %}
{% endif %}
{% if nginx_websockets_support is defined and nginx_websockets_support %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% else %}
{% if item.websockets is defined and item.websockets %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% endif %}
{% endif %}
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
# Proxy stuff
{% if item.include_global_proxy_conf is defined and not item.include_global_proxy_conf %}
{% else %}
include /etc/nginx/snippets/nginx-proxy-params.conf;
{% endif %}
{% if item.proxy_additional_options is defined %}
{% for popt in item.proxy_additional_options %}
{{ popt }};
{% endfor %}
{% endif %}
{% if item.locations is defined %}
{% for location in item.locations -%}
location {{ location.location }} {
{% if nginx_cors_enabled %}
{% if not nginx_cors_global %}
{% if location.cors is defined and location.cors %}
include /etc/nginx/snippets/nginx-cors.conf;
{% endif %}
{% endif %}
{% endif %}
{% if location.target is defined %}
proxy_pass {{ location.target }};
{% elif location.php_target is defined %}
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass {{ location.php_target }};
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
#fastcgi_param REMOTE_ADDR $remote_addr;
include fastcgi_params;
{% endif %}
{% if location.websockets is defined and location.websockets %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
{% endif %}
{% if location.extra_conf is defined %}
{{ location.extra_conf }}
{% endif %}
{% if location.acls is defined %}
{% for acl in location.acls %}
{{ acl }};
{% endfor %}
{% endif %}
{% if location.other_opts is defined %}
{% for opt in location.other_opts %}
{{ opt }};
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
{% endif %}
{% if item.extra_parameters is defined %}
{{ item.extra_parameters }}
{% endif %}
{% endif %}
}
{% if item.ssl_enabled %}
server {
{% if item.https_port is defined %}
listen {{ item.https_port }} {{ nginx_ssl_type }};
{% else %}
listen {{ https_port | default('443') }} {{ nginx_ssl_type }};
{% endif %}
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
{% if item.access_log is defined %}
access_log {{ item.access_log }};
{% else %}
access_log /var/log/nginx/{{ item.server_name }}_ssl_access.log;
{% endif %}
{% if item.error_log is defined %}
error_log {{ item.error_log }};
{% else %}
error_log /var/log/nginx/{{ item.server_name }}_ssl_error.log;
{% endif %}
root {{ item.root | default('/usr/share/nginx/html/') }};
index {{ item.index | default('index.html index.htm') }};
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
location = /50x.html {
root {{ item.error_path | default('/usr/share/nginx/html') }};
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
{% if nginx_block_dotfiles %}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
return 404;
}
{% endif %}
{% if haproxy_ips is defined %}
# We are behind haproxy
{% for ip in haproxy_ips %}
set_real_ip_from {{ ip }};
{% endfor %}
real_ip_header X-Forwarded-For;
{% endif %}
{% if item.max_body is defined %}
client_max_body_size {{ item.max_body }};
{% else %}
client_max_body_size {{ nginx_client_max_body_size }};
{% endif %}
{% if item.body_timeout is defined %}
client_body_timeout {{ item.body_timeout }};
{% else %}
client_body_timeout {{ nginx_client_body_timeout }};
{% endif %}
include /etc/nginx/snippets/nginx-server-ssl.conf;
server_tokens {{ item.server_tokens | default('off') }};
{% if nginx_cors_enabled %}
{% if nginx_cors_global %}
include /etc/nginx/snippets/nginx-cors.conf;
{% endif %}
{% endif %}
{% if nginx_websockets_support is defined and nginx_websockets_support %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% else %}
{% if item.websockets is defined and item.websockets %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% endif %}
{% endif %}
{% if item.additional_options is defined %}
{% for add_opt in item.additional_options %}
{{ add_opt }};
{% endfor %}
{% endif %}
{% if item.https_acls is defined %}
{% for acl in item.https_acls %}
{{ acl }};
{% endfor %}
{% endif %}
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
# Proxy stuff
{% if item.include_global_proxy_conf is defined and not item.include_global_proxy_conf %}
{% else %}
include /etc/nginx/snippets/nginx-proxy-params.conf;
{% endif %}
{% if item.proxy_additional_options is defined %}
{% for popt in item.proxy_additional_options %}
{{ popt }}
{% endfor %}
{% endif %}
{% if item.locations is defined %}
{% for location in item.locations -%}
location {{ location.location }} {
{% if nginx_cors_enabled %}
{% if not nginx_cors_global %}
{% if location.cors is defined and location.cors %}
include /etc/nginx/snippets/nginx-cors.conf;
{% endif %}
{% endif %}
{% endif %}
{% if location.target is defined %}
proxy_pass {{ location.target }};
{% elif location.php_target is defined %}
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass {{ location.php_target }};
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
#fastcgi_param REMOTE_ADDR $remote_addr;
include fastcgi_params;
{% endif %}
{% if location.websockets is defined and location.websockets %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
{% endif %}
{% if location.extra_conf is defined %}
{{ location.extra_conf }}
{% endif %}
{% if location.acls is defined %}
{% for acl in location.acls %}
{{ acl }};
{% endfor %}
{% endif %}
{% if location.other_opts is defined %}
{% for opt in location.other_opts %}
{{ opt }};
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
{% endif %}
{% if item.extra_parameters is defined %}
{{ item.extra_parameters }}
{% endif %}
}
{% endif %}


@ -0,0 +1,4 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

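--- /dev/null
+++ b/templates/nginx.conf.j2
@@ -0,0 +1,63 @@
+pid /run/nginx.pid;
+{% if ansible_distribution_file_variety == "Debian" %}
+user www-data;
+{% if nginx_use_ppa or ansible_distribution_major_version >= '16' %}
+worker_processes auto;
+include /etc/nginx/modules-enabled/*.conf;
+{% else %}
+worker_processes {{ nginx_workers }};
+{% endif %}
+{% endif %}
+{% if ansible_distribution_file_variety == "RedHat" %}
+user nginx;
+worker_processes auto;
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+{% endif %}
+events {
+worker_connections {{ nginx_worker_connections }};
+multi_accept {{ nginx_multi_accept }};
+}
+worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
+http {
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 2048;
+server_tokens {{ nginx_server_tokens }};
+# server_names_hash_bucket_size 64;
+# server_name_in_redirect off;
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+large_client_header_buffers {{ nginx_large_client_header_buffers }};
+##
+# Logging Settings
+##
+access_log /var/log/nginx/access.log;
+error_log /var/log/nginx/error.log;
+{% if nginx_enable_compression %}
+include /etc/nginx/snippets/nginx-compression.conf;
+{% endif %}
+{% if nginx_websockets_support %}
+include /etc/nginx/snippets/nginx-websockets.conf;
+{% endif %}
+include /etc/nginx/conf.d/*.conf;
+{% if ansible_distribution_file_variety == "RedHat" %}
+# Load configuration files for the default server block.
+include /etc/nginx/default.d/*.conf;
+{% endif %}
+{% if ansible_distribution_file_variety == "Debian" %}
+include /etc/nginx/sites-enabled/*;
+{% endif %}
+}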
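Review bot: The guard in front of `worker_processes auto;` compares `ansible_distribution_major_version` with `'16'` as strings, so the test is lexicographic rather than numeric — `'9' >= '16'` is true but `'10' >= '16'` is false — which sends a Debian 10 host down the static `worker_processes {{ nginx_workers }};` branch and skips `include /etc/nginx/modules-enabled/*.conf;`. Ansible's version test gives the intended numeric comparison: `{% if nginx_use_ppa or ansible_distribution_major_version is version('16', '>=') %}`. Separately, the `main` log_format declared at the top of the http block is never referenced: `access_log /var/log/nginx/access.log;` falls back to nginx's built-in `combined` format, so `$http_x_forwarded_for` is not written to the access log and the original client address is lost on hosts that sit behind the haproxy_ips proxies handled elsewhere in this commit; `access_log /var/log/nginx/access.log main;` applies the declared format. The hunk header declares 63 lines but fewer are shown, so blank lines were presumably dropped by the rendering and the file may continue past the closing `}` seen here.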