From 3421e2d944f0f9e3819656f750cf19e5c9dba376 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Tue, 2 Jun 2020 14:52:24 +0200 Subject: [PATCH] Import the old role. --- README.md | 43 ++-- defaults/main.yml | 125 ++++++++- files/nginx-letsencrypt-acme.sh | 25 ++ files/nginx.pam | 26 ++ handlers/main.yml | 7 +- meta/main.yml | 62 ++--- tasks/basic-auth.yml | 17 ++ tasks/main.yml | 24 +- tasks/nginx-config.yml | 45 ++++ tasks/nginx-deb.yml | 27 ++ tasks/nginx-letsencrypt.yml | 20 ++ tasks/nginx-rh.yml | 7 + tasks/nginx-virtualhosts.yml | 32 +++ tasks/pam-ldap.yml | 7 + templates/ldap.conf.j2 | 16 ++ templates/letsencrypt-proxy.conf.j2 | 9 + templates/nginx-browser-cache.conf.j2 | 27 ++ templates/nginx-compression.conf.j2 | 6 + templates/nginx-cors.conf.j2 | 58 +++++ templates/nginx-proxy-params.conf.j2 | 29 +++ templates/nginx-server-ssl.conf.j2 | 49 ++++ templates/nginx-virthost.j2 | 353 ++++++++++++++++++++++++++ templates/nginx-websockets.conf.j2 | 4 + templates/nginx.conf.j2 | 63 +++++ 24 files changed, 1013 insertions(+), 68 deletions(-) create mode 100644 files/nginx-letsencrypt-acme.sh create mode 100644 files/nginx.pam create mode 100644 tasks/basic-auth.yml create mode 100644 tasks/nginx-config.yml create mode 100644 tasks/nginx-deb.yml create mode 100644 tasks/nginx-letsencrypt.yml create mode 100644 tasks/nginx-rh.yml create mode 100644 tasks/nginx-virtualhosts.yml create mode 100644 tasks/pam-ldap.yml create mode 100644 templates/ldap.conf.j2 create mode 100644 templates/letsencrypt-proxy.conf.j2 create mode 100644 templates/nginx-browser-cache.conf.j2 create mode 100644 templates/nginx-compression.conf.j2 create mode 100644 templates/nginx-cors.conf.j2 create mode 100644 templates/nginx-proxy-params.conf.j2 create mode 100644 templates/nginx-server-ssl.conf.j2 create mode 100644 templates/nginx-virthost.j2 create mode 100644 templates/nginx-websockets.conf.j2 create mode 100644 templates/nginx.conf.j2 
diff --git a/README.md b/README.md
index 3637db8..aaa1d76 100644
--- a/README.md
+++ b/README.md
@@ -1,31 +1,38 @@ Role Name ========= -A brief description of the role goes here. - -Requirements ------------- - -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +A role that installs and configures the nginx web server and proxy Role Variables -------------- -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +There are a lot of variables. See the **defaults/main.yml** file for a complete list. Here an example of how to setup a virtualhost: + +``` yaml +nginx_virthosts: + - virthost_name: '{{ ansible_fqdn }}' + listen: '{{ http_port }}' + server_name: '{{ ansible_fqdn }}' + server_aliases: '' + index: index.html + error_page: /path_to_error_page.html + ssl_enabled: False + ssl_only: False + ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}' + root: {{ nginx_webroot }} + server_tokens: 'off' + proxy_standard_setup: True + proxy_additional_options: + - 'proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;' + locations: + - location: / + target: http://localhost:{{ local_http_port }} +``` Dependencies ------------ -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 
- -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } +If basic ldap authentication is required: License ------- @@ -35,4 +42,4 @@ EUPL-1.2 Author Information ------------------ -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +Andrea Dell'Amico, diff --git a/defaults/main.yml b/defaults/main.yml index 95d3c70..cf21aa9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,2 +1,125 @@ --- -# defaults file for ansible-role-template \ No newline at end of file +nginx_enabled: True +nginx_use_ppa: False +nginx_ppa_repo: ppa:nginx/stable +nginx_package_state: present +# See https://mozilla.github.io/server-side-tls/ssl-config-generator/ +nginx_ssl_level: intermediate + +nginx_snippets_dir: /etc/nginx/snippets + +nginx_conf_snippets: + - nginx-compression.conf + - nginx-websockets.conf + - nginx-browser-cache.conf + - letsencrypt-proxy.conf + - nginx-proxy-params.conf + - nginx-server-ssl.conf + - nginx-cors.conf + +nginx_old_snippets: + - compression.conf + +nginx_workers: 4 +nginx_worker_connections: 1024 +nginx_multi_accept: 'off' +nginx_worker_rlimit_nofile: 2048 +nginx_server_tokens: 'off' + +nginx_large_client_header_buffers: 4 8k + +nginx_enable_compression: True +nginx_gzip_vary: "on" +nginx_gzip_proxied: any +nginx_gzip_comp_level: 6 +nginx_gzip_buffers: 16 8k +nginx_gzip_http_version: 1.1 +nginx_gzip_types: "text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript" + +nginx_enable_browser_cache: True +nginx_cache_control: public +nginx_html_cache_expire: -1 +nginx_feed_cache_expire_enabled: False +nginx_feed_cache_expire: 1h +nginx_media_cache_expire: 1M +nginx_css_js_cache_expire: -1 + +nginx_reverse_proxy: False +nginx_define_x_real_ip: False +nginx_set_original_uri: True +nginx_proxy_buffering: "on" +nginx_proxy_redirect: "off" +nginx_proxy_buffer_size: 128k +nginx_proxy_buffers: '4 {{ nginx_proxy_buffer_size }}' +nginx_proxy_busy_buffers_size: 256k +nginx_proxy_connect_timeout: 30s +nginx_proxy_read_timeout: 480s +nginx_proxy_send_timeout: 120s +nginx_proxy_temp_file_write_size: '{{ nginx_proxy_buffer_size }}' +nginx_client_max_body_size: 100M +nginx_client_body_timeout: 240s + +nginx_cors_enabled: False +nginx_cors_global: True +nginx_cors_limit_origin: True +nginx_cors_extended_rules: False +nginx_cors_acl_origin: 
'http?://(localhost)' +# Possible methods: +# CONNECT, DEBUG, DELETE, DONE, GET, HEAD, HTTP, HTTP/0.9, HTTP/1.0, HTTP/1.1, HTTP/2, OPTIONS, ORIGIN, ORIGINS, PATCH, POST, PUT, QUIC, REST, SESSION, SHOULD, SPDY, TRACE, TRACK +nginx_cors_allowed_methods: 'GET, POST, OPTIONS' +# Possible headers: +# 'Accept, Accept-CH, Accept-Charset, Accept-Datetime, Accept-Encoding, Accept-Ext, Accept-Features, Accept-Language, Accept-Params, Accept-Ranges, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Max-Age, Access-Control-Request-Headers, Access-Control-Request-Method, Age, Allow, Alternates, Authentication-Info, Authorization, C-Ext, C-Man, C-Opt, C-PEP, C-PEP-Info, CONNECT, Cache-Control, Compliance, Connection, Content-Base, Content-Disposition, Content-Encoding, Content-ID, Content-Language, Content-Length, Content-Location, Content-MD5, Content-Range, Content-Script-Type, Content-Security-Policy, Content-Style-Type, Content-Transfer-Encoding, Content-Type, Content-Version, Cookie, Cost, DAV, DELETE, DNT, DPR, Date, Default-Style, Delta-Base, Depth, Derived-From, Destination, Differential-ID, Digest, ETag, Expect, Expires, Ext, From, GET, GetProfile, HEAD, HTTP-date, Host, IM, If, If-Match, If-Modified-Since, If-None-Match, If-Range, If-Unmodified-Since, Keep-Alive, Label, Last-Event-ID, Last-Modified, Link, Location, Lock-Token, MIME-Version, Man, Max-Forwards, Media-Range, Message-ID, Meter, Negotiate, Non-Compliance, OPTION, OPTIONS, OWS, Opt, Optional, Ordering-Type, Origin, Overwrite, P3P, PEP, PICS-Label, POST, PUT, Pep-Info, Permanent, Position, Pragma, ProfileObject, Protocol, Protocol-Query, Protocol-Request, Proxy-Authenticate, Proxy-Authentication-Info, Proxy-Authorization, Proxy-Features, Proxy-Instruction, Public, RWS, Range, Referer, Refresh, Resolution-Hint, Resolver-Location, Retry-After, Safe, Sec-Websocket-Extensions, Sec-Websocket-Key, 
Sec-Websocket-Origin, Sec-Websocket-Protocol, Sec-Websocket-Version, Security-Scheme, Server, Set-Cookie, Set-Cookie2, SetProfile, SoapAction, Status, Status-URI, Strict-Transport-Security, SubOK, Subst, Surrogate-Capability, Surrogate-Control, TCN, TE, TRACE, Timeout, Title, Trailer, Transfer-Encoding, UA-Color, UA-Media, UA-Pixels, UA-Resolution, UA-Windowpixels, URI, Upgrade, User-Agent, Variant-Vary, Vary, Version, Via, Viewport-Width, WWW-Authenticate, Want-Digest, Warning, Width, X-Content-Duration, X-Content-Security-Policy, X-Content-Type-Options, X-CustomHeader, X-DNSPrefetch-Control, X-Forwarded-For, X-Forwarded-Port, X-Forwarded-Proto, X-Frame-Options, X-Modified, X-OTHER, X-PING, X-PINGOTHER, X-Powered-By, X-Requested-With, Observe' +nginx_cors_allowed_headers: 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With,Accept-Language,X-CustomHeader,Content-Range,Range,Observe' + +# Find a set of acceptable defaults for the cache setup +nginx_cache_enabled: False + +nginx_use_ldap_pam_auth: False +nginx_pam_svc_name: nginx +nginx_ldap_uri: "ldap://ldap.example.org" +nginx_ldap_base_dn: "dc=example,dc=org" +nginx_basic_auth: False +nginx_basic_auth_users: + - { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' } +# nginx_ldap_login_attribute: uid +# nginx_ldap_pam_groupdn: +nginx_webroot: /usr/share/nginx/html +nginx_letsencrypt_managed: True +nginx_websockets_support: False +nginx_use_common_virthost: False +# Set it to 'ssl http2' if the nginx version supports it +nginx_ssl_type: ssl +# When we do not use letsencrypt: +# nginx_ssl_cert_file: '{{ pki_dir }}/certs/nginx.crt' +# nginx_ssl_cert_key: '{{ pki_dir }}/keys/nginx.key' +nginx_block_dotfiles: True + +# Virtualhost example +# nginx_virthosts: +# - virthost_name: '{{ ansible_fqdn }}' +# listen: '{{ http_port }}' +# server_name: '{{ ansible_fqdn }}' +# server_aliases: '' +# index: index.html +# 
error_page: /path_to_error_page.html +# ssl_enabled: False +# ssl_only: False +# ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}' +# root: {{ nginx_webroot }} +# server_tokens: 'off' +# proxy_standard_setup: True +# proxy_additional_options: +# - 'proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;' +# locations: +# - location: / +# target: http://localhost:{{ local_http_port }} +# +# extra_parameters: | +# location ~ \.php$ { +# fastcgi_split_path_info ^(.+\.php)(/.+)$; +# fastcgi_pass unix:/var/run/php5-fpm.sock; +# fastcgi_index index.php; +# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +# include fastcgi_params; +# } + diff --git a/files/nginx-letsencrypt-acme.sh b/files/nginx-letsencrypt-acme.sh new file mode 100644 index 0000000..d18314b --- /dev/null +++ b/files/nginx-letsencrypt-acme.sh @@ -0,0 +1,25 @@ +#!/bin/bash + +LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks +LE_LOG_DIR=/var/log/letsencrypt +DATE=$( date ) + +[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR +echo "$DATE" >> $LE_LOG_DIR/nginx.log + +if [ -f /etc/default/letsencrypt ] ; then + . /etc/default/letsencrypt +else + echo "No letsencrypt default file" >> $LE_LOG_DIR/nginx.log +fi + +echo "Reload the nginx service" >> $LE_LOG_DIR/nginx.log +if [ -x /bin/systemctl ] ; then + systemctl reload nginx >> $LE_LOG_DIR/nginx.log 2>&1 +else + service nginx reload >> $LE_LOG_DIR/nginx.log 2>&1 +fi + +echo "Done." >> $LE_LOG_DIR/nginx.log + +exit 0 diff --git a/files/nginx.pam b/files/nginx.pam new file mode 100644 index 0000000..f94005a --- /dev/null +++ b/files/nginx.pam 
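Review bot: `nginx_basic_auth_users` ships a real entry (`name: 'test'`, a literal `pwd`, `/etc/nginx/htpasswd`) as the role default, so a play that sets `nginx_basic_auth: True` without overriding the list creates a `test` account with a known password in the htpasswd file. Make the default an empty list, `nginx_basic_auth_users: []`, and keep the example as a comment next to the commented virtualhost example below it. The default `nginx_cors_acl_origin: 'http?://(localhost)'` looks like a regular expression that presumably wants `https?`; a comment stating whether the value is a pattern or a literal origin would remove the ambiguity.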
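Review bot: The script always ends with `exit 0`, so a failed `systemctl reload nginx` (for example after a renewal that left the configuration unloadable) is reported to the acme hook runner as success and only shows up in the log file. Capture the status of whichever reload branch ran (`rc=$?` directly after each reload line) and finish with `exit $rc`. The sourced /etc/default/letsencrypt is not referenced by anything that follows; if it sets variables the hook relies on, a comment naming them would help, otherwise the `.` line can go.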
@@ -0,0 +1,26 @@ + +# +auth [success=2 default=ignore] pam_unix.so nullok_secure +auth [success=1 default=ignore] pam_ldap.so +auth requisite pam_deny.so +auth required pam_permit.so + +# +account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so +account [success=1 default=ignore] pam_ldap.so +account requisite pam_deny.so +account required pam_permit.so + +# +password [success=1 default=ignore] pam_unix.so obscure sha512 +password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass +password requisite pam_deny.so +password required pam_permit.so + +# +session [default=1] pam_permit.so +session requisite pam_deny.so +session required pam_permit.so +session optional pam_umask.so +session required pam_unix.so +session optional pam_ldap.so diff --git a/handlers/main.yml b/handlers/main.yml index 27474e0..04c7fb2 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,2 +1,7 @@ --- -# handlers file for ansible-role-template \ No newline at end of file +- name: Reload nginx + service: name=nginx state=reloaded + +- name: Restart nginx + service: name=nginx state=restarted + diff --git a/meta/main.yml b/meta/main.yml index 1126a5e..4410ceb 100644 --- a/meta/main.yml +++ b/meta/main.yml 
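Review bot: The `auth` stack begins with `pam_unix.so nullok_secure`, which permits empty passwords depending on PAM_TTY and /etc/securetty; an HTTP authentication service never sets a tty, so the effective behaviour is hard to predict and the safe form is `auth [success=2 default=ignore] pam_unix.so` with no `nullok` option. The `password` and `session` stacks are presumably never reached through nginx's PAM authentication (only auth and account are consulted), so they could be reduced to a single `required pam_deny.so` line each to keep the service minimal. The bare `#` separators would read better as the section they introduce, e.g. `# auth`, `# account`.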
@@ -1,61 +1,29 @@ galaxy_info: - author: your name - description: your description + author: Andrea Dell'Amico + description: Systems Architect company: ISTI-CNR - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning - # Some suggested licenses: - # - BSD (default) - # - MIT - # - GPLv2 - # - GPLv3 - # - Apache - # - CC-BY - license: EUPL-1.2 + license: EUPL 1.2+ min_ansible_version: 2.8 - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - # Optionally specify the branch Galaxy will use when accessing the GitHub - # repo for this role. During role install, if no tags are available, - # Galaxy will use this branch. During import Galaxy will access files on - # this branch. If Travis integration is configured, only notifications for this - # branch will be accepted. Otherwise, in all cases, the repo's default branch - # (usually master) will be used. - #github_branch: - - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. # To view available platforms and versions (or releases), visit: # https://galaxy.ansible.com/api/v1/platforms/ # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 + platforms: + - name: Ubuntu + versions: + - bionic - galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. 
+ galaxy_tags: + - users -dependencies: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. +dependencies: + - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-ldap-client-config.git + version: master + name: ldap-client-config + state: latest + when: nginx_use_ldap_pam_auth diff --git a/tasks/basic-auth.yml b/tasks/basic-auth.yml new file mode 100644 index 0000000..1357909 --- /dev/null +++ b/tasks/basic-auth.yml @@ -0,0 +1,17 @@ +--- +- block: + - name: Install the python passlib library on deb based distributions + apt: pkg=python-passlib state=present cache_valid_time=3600 + when: ansible_distribution_file_variety == "Debian" + + - name: Install the python passlib library on RH based distributions + yum: pkg=python-passlib state=present + when: ansible_distribution_file_variety == "RedHat" + + - name: Create the htpasswd file needed by the basic auth + htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }} + with_items: '{{ nginx_basic_auth_users }}' + + when: nginx_basic_auth + tags: nginx + diff --git a/tasks/main.yml b/tasks/main.yml index 53c6cae..b0ed614 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
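Review bot: The `ldap-client-config` dependency is fetched from a git URL at `version: master` with `state: latest`, so every role install pulls whatever that branch currently holds and this role's behaviour can change without any change here. Pin it to a tag or commit, e.g. `version: <tag-or-commit placeholder>`, and drop `state: latest` so installs are reproducible. `license: EUPL 1.2+` here and `EUPL-1.2` in README.md should agree, and `galaxy_tags: - users` looks inherited from another role.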
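Review bot: The `htpasswd:` task passes `password={{ item.pwd }}` in the `key=value` short form without `no_log`, so the cleartext password is printed in task output and in any `-v` or `log_path` log; it also appears that a value containing spaces (the default example is one) would be split into separate tokens by the short form. Rewrite the task in dictionary form with `no_log: true`, and give the file an explicit owner and mode so the hashes are not world-readable under the default umask.
```yaml
  - name: Create the htpasswd file needed by the basic auth
    htpasswd:
      path: "{{ item.file | default('/etc/nginx/htpasswd') }}"
      name: "{{ item.name }}"
      password: "{{ item.pwd }}"
      state: "{{ item.state | default('present') }}"
      crypt_scheme: "{{ item.crypt | default('sha256_crypt') }}"
      owner: root
      group: <nginx-worker-group placeholder>   # www-data on Debian; confirm for RH
      mode: "0640"
    with_items: '{{ nginx_basic_auth_users }}'
    no_log: true
```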
@@ -1,2 +1,24 @@ --- -# tasks file for ansible-role-template \ No newline at end of file +- import_tasks: nginx-deb.yml + when: ansible_distribution_file_variety == "Debian" +- import_tasks: nginx-rh.yml + when: ansible_distribution_file_variety == "RedHat" +- import_tasks: nginx-config.yml +- import_tasks: nginx-virtualhosts.yml + when: nginx_use_common_virthost | bool +- import_tasks: nginx-letsencrypt.yml + when: letsencrypt_acme_install is defined and letsencrypt_acme_install +- import_tasks: basic-auth.yml +- import_tasks: pam-ldap.yml + +- name: Ensure that the webserver is running and enabled at boot time + service: name=nginx state=started enabled=yes + when: nginx_enabled + ignore_errors: True + tags: nginx + +- name: Ensure that the webserver is stopped and disabled + service: name=nginx state=stopped enabled=no + when: not nginx_enabled + ignore_errors: True + tags: nginx diff --git a/tasks/nginx-config.yml b/tasks/nginx-config.yml new file mode 100644 index 0000000..1f3b45e --- /dev/null +++ b/tasks/nginx-config.yml 
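Review bot: `ignore_errors: True` on both service tasks means a failure to start nginx (most likely an unloadable templated configuration) is reported as a successful play; drop it from the start task so a broken deployment fails visibly. The conditions also mix `nginx_enabled` and `nginx_enabled | bool` (tasks/nginx-config.yml uses the latter); `when: nginx_enabled | bool` and `when: not nginx_enabled | bool` keep a string value from group_vars from being truthy.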
@@ -0,0 +1,45 @@ +--- +- block: + - name: Create the snippets directory + file: dest={{ nginx_snippets_dir }} state=directory + + - name: Create the pki directory + file: dest={{ pki_dir }}/nginx state=directory + + - name: Create the client body tmp directory, if needed + file: dest={{ nginx_client_body_temp_dir }}/nginx state=directory owner=www-data group=www-data mode=0700 + when: nginx_client_body_temp_dir is defined + + - name: Create a dhparams file 2048 bits long + shell: openssl dhparam -out {{ pki_dir }}/nginx/dhparams.pem 2048 + args: + creates: '{{ pki_dir }}/nginx/dhparams.pem' + when: nginx_ssl_level == 'intermediate' + notify: Reload nginx + + - name: Install the supported configuration snippets + template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444 + with_items: '{{ nginx_conf_snippets }}' + notify: Reload nginx + + - name: Install the main nginx.conf + template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=444 + notify: Reload nginx + + - name: Remove the old configuration snippets + file: dest=/etc/nginx/conf.d/{{ item }} state=absent + with_items: '{{ nginx_old_snippets }}' + notify: Reload nginx + + when: nginx_enabled | bool + tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ] + +- block: + - name: remove nginx default virtualhost + file: dest=/etc/nginx/sites-enabled/default state=absent + notify: Reload nginx + + when: + - nginx_enabled | bool + - ansible_distribution_file_variety == "Debian" + tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ] diff --git a/tasks/nginx-deb.yml b/tasks/nginx-deb.yml new file mode 100644 index 0000000..5ddc9b7 --- /dev/null +++ b/tasks/nginx-deb.yml 
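Review bot: The dhparams file is only generated `when: nginx_ssl_level == 'intermediate'`, but templates/nginx-server-ssl.conf.j2 emits `ssl_dhparam {{ pki_dir }}/nginx/dhparams.pem` for every level, so with `old` or `modern` nginx fails its configuration test on a missing file; drop the `when:` (the `creates:` already makes the task idempotent). The snippets task writes to a hard-coded `/etc/nginx/snippets/` while the directory task uses `{{ nginx_snippets_dir }}`; use the variable in both. The client body temp directory is created with `owner=www-data group=www-data`, which does not match the `nginx` user on RH installs.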
@@ -0,0 +1,27 @@ +--- +- block: + - name: Install the Ubuntu PPA for nginx + apt_repository: repo='{{ nginx_ppa_repo }}' update_cache=yes + when: + - nginx_use_ppa + - "'{{ ansible_distribution }}' == 'Ubuntu'" + tags: [ 'nginx', 'nginx_ppa' ] + + - name: Install the nginx web server + apt: pkg=nginx-full state={{ nginx_package_state }} cache_valid_time=1800 + when: + - not nginx_use_ldap_pam_auth + - ansible_distribution_major_version <= '14' + + - name: Install the nginx web server if we need ldap auth via pam + apt: pkg=nginx-extras state={{ nginx_package_state }} cache_valid_time=1800 + when: + - nginx_use_ldap_pam_auth + - ansible_distribution_major_version <= '14' + + - name: Install the nginx web server on Ubuntu >= 16.04 + apt: pkg=nginx state={{ nginx_package_state }} cache_valid_time=1800 + when: ansible_distribution_major_version >= '16' + + when: ansible_distribution_file_variety == "Debian" + tags: nginx \ No newline at end of file diff --git a/tasks/nginx-letsencrypt.yml b/tasks/nginx-letsencrypt.yml new file mode 100644 index 0000000..2c57d94 --- /dev/null +++ b/tasks/nginx-letsencrypt.yml @@ -0,0 +1,20 @@ +--- +- block: + - name: Create the acme hooks directory if it does not yet exist + file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root + + - name: Install a letsencrypt hook for nginx + copy: src=nginx-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/nginx owner=root group=root mode=4555 + + when: + - letsencrypt_acme_install is defined and letsencrypt_acme_install + - nginx_letsencrypt_managed + tags: [ 'nginx', 'letsencrypt' ] + +- block: + - name: Remove the letsencrypt hook for nginx + file: path={{ letsencrypt_acme_services_scripts_dir }}/nginx state=absent + + when: not nginx_letsencrypt_managed + tags: [ 'nginx', 'letsencrypt' ] + diff --git a/tasks/nginx-rh.yml b/tasks/nginx-rh.yml new file mode 100644 index 0000000..57211c2 --- /dev/null +++ b/tasks/nginx-rh.yml 
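Review bot: The install tasks compare `ansible_distribution_major_version` as strings (`<= '14'`, `>= '16'`), which is lexicographic: a host reporting `'9'` satisfies `>= '16'` while `'10'` satisfies `<= '14'`, so the package chosen depends on digit count rather than release. Cast before comparing, `- ansible_distribution_major_version | int <= 14`, or use the `version` test. The PPA task's `"'{{ ansible_distribution }}' == 'Ubuntu'"` templates inside `when`; plain `ansible_distribution == 'Ubuntu'` is the supported form.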
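Review bot: The hook script is installed with `mode=4555`, which sets the setuid bit on a root-owned shell script; Linux ignores setuid on interpreted scripts, so the bit grants nothing here but will be flagged by any setuid audit and suggests an intent the file cannot have. Use `mode=0755`. The removal block runs `when: not nginx_letsencrypt_managed` without the `letsencrypt_acme_services_scripts_dir`-related guard the install block uses, so it fails on hosts where that variable is undefined.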
@@ -0,0 +1,7 @@
+---
+- block:
+ - name: Install the nginx web server
+ yum: pkg=nginx state={{ nginx_package_state }}
+
+ when: ansible_distribution_file_variety == "RedHat"
+ tags: nginx
diff --git a/tasks/nginx-virtualhosts.yml b/tasks/nginx-virtualhosts.yml
new file mode 100644
index 0000000..1615c60
--- /dev/null
+++ b/tasks/nginx-virtualhosts.yml
@@ -0,0 +1,32 @@
+---
+- block:
+ - name: Create the nginx webroot if different from the default
+ file: dest={{ nginx_webroot }} state=directory mode=0755
+ when: nginx_webroot != '/usr/share/nginx/html'
+
+ tags: [ 'nginx', 'virtualhost' ]
+
+- name: Install and enable the nginx virtualhost files on Deb based systems
+ block:
+ - name: Install the nginx virtualhost files
+ template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444
+ with_items: '{{ nginx_virthosts | default(omit) }}'
+ notify: Reload nginx
+
+ - name: Enable the nginx virtualhosts
+ file: src=/etc/nginx/sites-available/{{ item.virthost_name }} dest=/etc/nginx/sites-enabled/{{ item.virthost_name }} state=link
+ with_items: '{{ nginx_virthosts | default(omit) }}'
+ notify: Reload nginx
+
+ when: ansible_distribution_file_variety == "Debian"
+ tags: [ 'nginx', 'virtualhost' ]
+
+- name: Install and enable the nginx virtualhost files on RH based systems
+ block:
+ - name: Install the nginx virtualhost files
+ template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444
+ with_items: '{{ nginx_virthosts | default(omit) }}'
+ notify: Reload nginx
+
+ when: ansible_distribution_file_variety == "RedHat"
+ tags: [ 'nginx', 'virtualhost' ]
diff --git a/tasks/pam-ldap.yml b/tasks/pam-ldap.yml
new file mode 100644
index 0000000..ae25351
--- /dev/null
+++ b/tasks/pam-ldap.yml
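Review bot: `with_items: '{{ nginx_virthosts | default(omit) }}'` does not skip the loop when the variable is undefined; `omit` is a placeholder for module arguments, and as a loop value the task appears to iterate once over a string, on which `item.virthost_name` then fails. Use `default([])` in all three loops. Nothing disables a virtualhost that was removed from the list, so stale links stay in sites-enabled; a `state=absent` counterpart driven by a removal list would close that gap.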
@@ -0,0 +1,7 @@
+---
+- name: Install pam service for nginx
+ copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }}
+ notify: Reload nginx
+ when: nginx_use_ldap_pam_auth
+ tags: nginx
+
diff --git a/templates/ldap.conf.j2 b/templates/ldap.conf.j2
new file mode 100644
index 0000000..b748f41
--- /dev/null
+++ b/templates/ldap.conf.j2
@@ -0,0 +1,16 @@
+# The distinguished name of the search base.
+base {{ nginx_ldap_base_dn }}
+
+# Another way to specify your LDAP server is to provide an
+uri {{ nginx_ldap_uri }}
+if {% nginx_ldap_login_attribute is defined %}
+pam_login_attribute {{ nginx_ldap_login_attribute }}
+{% endif %}
+if {% nginx_ldap_pam_groupdn is defined %}
+pam_groupdn
+{% endif %}
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+ldap_version 3
+
+nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data
diff --git a/templates/letsencrypt-proxy.conf.j2 b/templates/letsencrypt-proxy.conf.j2
new file mode 100644
index 0000000..d385cf1
--- /dev/null
+++ b/templates/letsencrypt-proxy.conf.j2
@@ -0,0 +1,9 @@
+# Include this one inside a "server" directive listening on port 80, this way:
+# include /etc/nginx/snippets/letsencrypt-proxy.conf;
+ location ^~ /.well-known/acme-challenge {
+ proxy_pass http://127.0.0.1:{{ letsencrypt_acme_standalone_port | default('4402') }}/.well-known/acme-challenge;
+ access_log /var/log/nginx/letsencrypt_acmetool_access.log;
+ error_log /var/log/nginx/letsencrypt_acmetool_error.log;
+ }
+
+
diff --git a/templates/nginx-browser-cache.conf.j2 b/templates/nginx-browser-cache.conf.j2
new file mode 100644
index 0000000..ade0132
--- /dev/null
+++ b/templates/nginx-browser-cache.conf.j2
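Review bot: The PAM service file is installed when `nginx_use_ldap_pam_auth` is true but never removed when it is later set to false, unlike the letsencrypt hook in tasks/nginx-letsencrypt.yml which has a matching `state=absent` task; add a removal task with `when: not nginx_use_ldap_pam_auth` so the file under /etc/pam.d does not outlive the feature. The `copy:` also relies on the default mode; `owner=root group=root mode=0644` makes the intent explicit.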
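Review bot: Both conditionals are malformed Jinja: `if {% nginx_ldap_login_attribute is defined %}` places `if` outside the tag, so rendering fails on an unknown `nginx_ldap_login_attribute` tag (or at best emits a literal `if`). They should read `{% if nginx_ldap_login_attribute is defined %}` and `{% if nginx_ldap_pam_groupdn is defined %}`, and the second branch emits `pam_groupdn` with no value, presumably `pam_groupdn {{ nginx_ldap_pam_groupdn }}`. I could not find a task in this patch that installs this template, so the error would only surface once one is added; the truncated comment above `uri` should also be completed.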
@@ -0,0 +1,27 @@ +# include inside a 'server' directive +# +location ~* \.(?:manifest|appcache|html?|xml|json)$ { + expires {{ nginx_html_cache_expire }}; +} + +{% if nginx_feed_cache_expire_enabled %} +# +location ~* \.(?:rss|atom)$ { + expires {{ nginx_feed_cache_expire }}; + add_header Cache-Control "{{ nginx_cache_control }}"; +} +{% endif %} + +# +location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ { + expires {{ nginx_media_cache_expire }}; + access_log off; + add_header Cache-Control "{{ nginx_cache_control }}"; +} + +# +location ~* \.(?:css|js)$ { + expires {{ nginx_css_js_cache_expire }}; + access_log off; + add_header Cache-Control "{{ nginx_cache_control }}"; +} diff --git a/templates/nginx-compression.conf.j2 b/templates/nginx-compression.conf.j2 new file mode 100644 index 0000000..4a06955 --- /dev/null +++ b/templates/nginx-compression.conf.j2 @@ -0,0 +1,6 @@ +gzip_vary {{ nginx_gzip_vary }}; +gzip_proxied {{ nginx_gzip_proxied }}; +gzip_comp_level {{ nginx_gzip_comp_level }}; +gzip_buffers {{ nginx_gzip_buffers }}; +gzip_http_version {{ nginx_gzip_http_version }}; +gzip_types {{ nginx_gzip_types }}; diff --git a/templates/nginx-cors.conf.j2 b/templates/nginx-cors.conf.j2 new file mode 100644 index 0000000..1f3af86 --- /dev/null +++ b/templates/nginx-cors.conf.j2 
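Review bot: Each `location` here carries its own `add_header Cache-Control`, and nginx only inherits `add_header` from the enclosing level when the location defines none, so a server block that includes this snippet together with nginx-server-ssl.conf loses `Strict-Transport-Security` (and any other server-level header) on media, css and js responses. Either repeat the security headers in these locations or move every `add_header` into one shared snippet included from both places; a comment such as `# add_header here replaces, not extends, server-level headers` would warn the next editor. The html/json location is the only one without `Cache-Control`, which may be intended but deserves a comment.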
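Review bot: The snippet sets gzip parameters but no `gzip on;`, so it depends on that directive living in nginx.conf.j2 (not visible in this chunk); a comment, `# gzip on/off is set in nginx.conf`, would make the dependency explicit. `gzip_types` covers dynamic types (json, xml, javascript), and compressing responses that embed per-user secrets over TLS is the precondition for compression side-channel attacks, so a note that applications serving such content should narrow `nginx_gzip_types` is worth adding.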
@@ -0,0 +1,58 @@ +{% if nginx_cors_extended_rules %} +if ($request_method = 'OPTIONS') { +{% if nginx_cors_limit_origin %} + add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}'; +{% else %} + add_header 'Access-Control-Allow-Origin' '*'; +{% endif %} + add_header 'Access-Control-Allow-Credentials' 'true'; + add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}'; + # + # Custom headers and headers various browsers *should* be OK with but aren't + # + add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}'; + # + # Tell client that this pre-flight info is valid for 20 days + # + add_header 'Access-Control-Max-Age' 1728000; + add_header 'Content-Type' 'text/plain charset=UTF-8'; + add_header 'Content-Length' 0; + return 204; +} +if ($request_method = 'POST') { +{% if nginx_cors_limit_origin %} + add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}'; +{% else %} + add_header 'Access-Control-Allow-Origin' '*'; +{% endif %} + add_header 'Access-Control-Allow-Credentials' 'true'; + add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}'; + add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}'; + add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}'; +} +if ($request_method = 'GET') { +{% if nginx_cors_limit_origin %} + add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}'; +{% else %} + add_header 'Access-Control-Allow-Origin' '*'; +{% endif %} + add_header 'Access-Control-Allow-Credentials' 'true'; + add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}'; + add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}'; + add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}'; +} +{% else %} +{% if nginx_cors_limit_origin %} +add_header 'Access-Control-Allow-Origin' '{{ 
nginx_cors_acl_origin | default("$http_origin") }}'; +{% else %} +add_header 'Access-Control-Allow-Origin' '*'; +{% endif %} +if ($request_method = OPTIONS ) { + return 204; +} +add_header 'Access-Control-Allow-Credentials' 'true'; +add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}'; +add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}'; +add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}'; +{% endif %} + diff --git a/templates/nginx-proxy-params.conf.j2 b/templates/nginx-proxy-params.conf.j2 new file mode 100644 index 0000000..2d834a4 --- /dev/null +++ b/templates/nginx-proxy-params.conf.j2 @@ -0,0 +1,29 @@ +# Proxy stuff +# include /etc/nginx/snippets/nginx-proxy-params.conf; +proxy_http_version 1.1; +proxy_set_header Connection ""; +{% if haproxy_ips is defined %} +proxy_set_header Host $http_host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-Host $remote_addr; +proxy_set_header X-Forwarded-Server $host; +{% else %} +proxy_set_header Host $host; +{% if nginx_define_x_real_ip %} +proxy_set_header X-Real-IP $remote_addr; +{% endif %} +{% endif %} +{% if nginx_set_original_uri %} +proxy_set_header nginx-request-uri $request_uri; +{% endif %} +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; +proxy_buffering {{ nginx_proxy_buffering }}; +proxy_buffer_size {{ nginx_proxy_buffer_size }}; +proxy_buffers {{ nginx_proxy_buffers }}; +proxy_busy_buffers_size {{ nginx_proxy_busy_buffers_size }}; +proxy_temp_file_write_size {{ nginx_proxy_temp_file_write_size }}; +proxy_redirect {{ nginx_proxy_redirect }}; +proxy_connect_timeout {{ nginx_proxy_connect_timeout }}; +proxy_read_timeout {{ nginx_proxy_read_timeout }}; +proxy_send_timeout {{ nginx_proxy_send_timeout }}; diff --git a/templates/nginx-server-ssl.conf.j2 b/templates/nginx-server-ssl.conf.j2 new file mode 100644 index 0000000..f09f52e --- /dev/null 
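Review bot: `add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}'` inserts the variable as a literal header value, so with the default `'http?://(localhost)'` the browser receives a pattern string rather than an origin and no cross-origin request succeeds, while the `$http_origin` fallback (unreachable, since defaults/main.yml defines the variable) would reflect any caller's origin next to `Allow-Credentials 'true'`. Validate the origin with a `map` in the http context and emit the mapped value, which is what makes `nginx_cors_limit_origin` meaningful; the same line appears in all four branches of this hunk. Note also that `Allow-Origin '*'` combined with `Allow-Credentials 'true'` is rejected by browsers.
```nginx
# In the http context (nginx.conf), not in this snippet:
map $http_origin $cors_origin {
    default "";
    "~^{{ nginx_cors_acl_origin }}$" $http_origin;
}
# … unchanged: OPTIONS / POST / GET blocks and the non-extended branch …
add_header 'Access-Control-Allow-Origin' $cors_origin;
```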
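Review bot: In the `haproxy_ips` branch, `proxy_set_header X-Forwarded-Host $remote_addr;` sends the client address in a header that backends read as the original Host; `proxy_set_header X-Forwarded-Host $http_host;`, matching the `Host` line above it, is what the name promises. `X-Forwarded-For $proxy_add_x_forwarded_for` appends to whatever the client already sent, so a backend must take the last entry and trust only this hop; `# backends: trust only the last X-Forwarded-For entry` next to it would be a useful reminder.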
+++ b/templates/nginx-server-ssl.conf.j2 
@@ -0,0 +1,49 @@ +{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %} +ssl_certificate {{ letsencrypt_acme_certs_dir }}/fullchain; +ssl_certificate_key {{ letsencrypt_acme_certs_dir }}/privkey; +{% else %} +ssl_certificate {{ nginx_ssl_cert_file | default('/etc/nginx/ssl/server.crt') }}; +ssl_certificate_key {{ nginx_ssl_cert_key | default ('/etc/nginx/ssl/server.key') }}; +{% endif %} +ssl_session_cache shared:SSL:10m; +ssl_session_timeout 1d; +ssl_dhparam {{ pki_dir }}/nginx/dhparams.pem; +{% if nginx_ssl_level == 'old' %} +{% if ansible_distribution_version is version_compare('18.04', '>=') %} +ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; +{% else %} +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +{% endif %} +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; +ssl_prefer_server_ciphers on; +{% endif %} +{% if nginx_ssl_level == 'intermediate' %} +{% if ansible_distribution_version is version_compare('18.04', '>=') %} +ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; +{% else %} +ssl_protocols TLSv1.1 TLSv1.2; +{% endif %} +ssl_ciphers 
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; +ssl_prefer_server_ciphers off; +{% endif %} +{% if nginx_ssl_level == 'modern' %} +ssl_session_tickets off; +# modern configuration. tweak to your needs. +{% if ansible_distribution_version is version_compare('18.04', '>=') %} +ssl_protocols TLSv1.2 TLSv1.3; +{% else %} +ssl_protocols TLSv1.2; +{% endif %} +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; +ssl_prefer_server_ciphers off; +{% endif %} +{% if ansible_distribution_version is version_compare('14.04', '>=') %} +ssl_stapling on; +ssl_stapling_verify on; +{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %} +ssl_trusted_certificate {{ letsencrypt_acme_certs_dir }}/fullchain; +{% else %} +ssl_trusted_certificate {{ nginx_ssl_fullchain_file | default('/etc/nginx/ssl/cacert.crt') }}; +{% endif %} +add_header Strict-Transport-Security max-age=15768000; +{% endif %} diff --git a/templates/nginx-virthost.j2 b/templates/nginx-virthost.j2 new file mode 100644 index 0000000..d5f52b9 --- /dev/null +++ b/templates/nginx-virthost.j2 
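Review bot: The `intermediate` profile (the role default) still offers TLSv1.1 and `DES-CBC3-SHA`, and `old` offers TLSv1; the Mozilla generator referenced in defaults/main.yml no longer includes either in its intermediate profile, so `ssl_protocols TLSv1.2 TLSv1.3;` on 18.04+ and removing `:DES-CBC3-SHA` from the intermediate list would match the reference. `ssl_stapling_verify on` with `ssl_trusted_certificate` pointing at the Let's Encrypt `fullchain` file presumably lacks the root certificate nginx needs to verify the OCSP response; confirm against the acme role's output or point it at a chain file that includes the root. `add_header Strict-Transport-Security` is also subject to the `add_header` override rule, so any location that sets its own headers drops it.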
@@ -0,0 +1,353 @@ +{% if nginx_websockets_support is defined and nginx_websockets_support %} +include /etc/nginx/snippets/nginx-websockets.conf; +{% else %} +{% if item.websockets is defined and item.websockets %} +include /etc/nginx/snippets/nginx-websockets.conf; +{% endif %} +{% endif %} + +server { + listen {{ item.http_port | default ('80') }}; + server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %}; +{% if nginx_block_dotfiles %} + location ~ /\.(?!well-known).* { + deny all; + access_log off; + log_not_found off; + return 404; + } +{% endif %} + +{% if letsencrypt_acme_install %} + include /etc/nginx/snippets/letsencrypt-proxy.conf; +{% endif %} + + {% if item.access_log is defined %} + access_log {{ item.access_log }}; + {% else %} + access_log /var/log/nginx/{{ item.server_name }}_access.log; + {% endif %} + + {% if item.error_log is defined %} + error_log {{ item.error_log }}; + {% else %} + error_log /var/log/nginx/{{ item.server_name }}_error.log; + {% endif %} + + server_tokens {{ item.server_tokens | default('off') }}; + +{% if item.ssl_enabled and item.ssl_only %} + location / { + return 301 https://{{ item.server_name }}$request_uri; + } +{% else %} + root {{ item.root | default('/usr/share/nginx/html/') }}; + index {{ item.index | default('index.html index.htm') }}; + error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }}; + location = /50x.html { + root {{ item.error_path | default('/usr/share/nginx/html') }}; + } + location = /favicon.ico { + log_not_found off; + access_log off; + } + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } +{% if nginx_block_dotfiles %} + location ~ /\. 
{ + deny all; + access_log off; + log_not_found off; + return 404; + } +{% endif %} + {% if haproxy_ips is defined %} + # We are behind haproxy + {% for ip in haproxy_ips %} + set_real_ip_from {{ ip }}; + {% endfor %} + real_ip_header X-Forwarded-For; + {% endif %} + + {% if item.max_body is defined %} + client_max_body_size {{ item.max_body }}; + {% else %} + client_max_body_size {{ nginx_client_max_body_size }}; + {% endif %} + + {% if item.body_timeout is defined %} + client_body_timeout {{ item.body_timeout }}; + {% else %} + client_body_timeout {{ nginx_client_body_timeout }}; + {% endif %} + + {% if nginx_cors_enabled %} + {% if nginx_cors_global %} + include /etc/nginx/snippets/nginx-cors.conf; + {% endif %} + {% endif %} + + {% if item.additional_options is defined %} + {% for add_opt in item.additional_options %} + {{ add_opt }}; + {% endfor %} + {% endif %} + + {% if item.http_acls is defined %} + {% for acl in item.http_acls %} + {{ acl }}; + {% endfor %} + {% endif %} + + {% if nginx_websockets_support is defined and nginx_websockets_support %} + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + {% else %} + {% if item.websockets is defined and item.websockets %} + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + {% endif %} + {% endif %} + + {% if item.proxy_standard_setup is defined and item.proxy_standard_setup %} + + # Proxy stuff + {% if item.include_global_proxy_conf is defined and not item.include_global_proxy_conf %} + {% else %} + include /etc/nginx/snippets/nginx-proxy-params.conf; + {% endif %} + + {% if item.proxy_additional_options is defined %} + {% for popt in item.proxy_additional_options %} + {{ popt }}; + {% endfor %} + {% endif %} + + {% if item.locations is defined %} + {% for location in item.locations -%} + + location {{ location.location }} { + + {% if nginx_cors_enabled %} + {% if not nginx_cors_global %} + {% if location.cors is defined and 
location.cors %} + include /etc/nginx/snippets/nginx-cors.conf; + {% endif %} + {% endif %} + {% endif %} + + {% if location.target is defined %} + proxy_pass {{ location.target }}; + {% elif location.php_target is defined %} + try_files $uri =404; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass {{ location.php_target }}; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param REMOTE_ADDR $http_x_forwarded_for; + #fastcgi_param REMOTE_ADDR $remote_addr; + include fastcgi_params; + {% endif %} + + {% if location.websockets is defined and location.websockets %} + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + {% endif %} + + {% if location.extra_conf is defined %} + {{ location.extra_conf }} + {% endif %} + + {% if location.acls is defined %} + {% for acl in location.acls %} + {{ acl }}; + {% endfor %} + {% endif %} + + {% if location.other_opts is defined %} + {% for opt in location.other_opts %} + {{ opt }}; + {% endfor %} + {% endif %} + } + {% endfor %} + {% endif %} + {% endif %} + + {% if item.extra_parameters is defined %} + {{ item.extra_parameters }} + {% endif %} + +{% endif %} + +} + +{% if item.ssl_enabled %} +server { + {% if item.https_port is defined %} + listen {{ item.https_port }} {{ nginx_ssl_type }}; + {% else %} + listen {{ https_port | default('443') }} {{ nginx_ssl_type }}; + {% endif %} + server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %}; + + {% if item.access_log is defined %} + access_log {{ item.access_log }}; + {% else %} + access_log /var/log/nginx/{{ item.server_name }}_ssl_access.log; + {% endif %} + + {% if item.error_log is defined %} + error_log {{ item.error_log }}; + {% else %} + error_log /var/log/nginx/{{ item.server_name }}_ssl_error.log; + {% endif %} + + root {{ item.root | default('/usr/share/nginx/html/') }}; + index {{ item.index | default('index.html index.htm') 
}}; + error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }}; + location = /50x.html { + root {{ item.error_path | default('/usr/share/nginx/html') }}; + } + location = /favicon.ico { + log_not_found off; + access_log off; + } + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } +{% if nginx_block_dotfiles %} + location ~ /\. { + deny all; + access_log off; + log_not_found off; + return 404; + } +{% endif %} + + {% if haproxy_ips is defined %} + # We are behind haproxy + {% for ip in haproxy_ips %} + set_real_ip_from {{ ip }}; + {% endfor %} + real_ip_header X-Forwarded-For; + {% endif %} + + {% if item.max_body is defined %} + client_max_body_size {{ item.max_body }}; + {% else %} + client_max_body_size {{ nginx_client_max_body_size }}; + {% endif %} + {% if item.body_timeout is defined %} + client_body_timeout {{ item.body_timeout }}; + {% else %} + client_body_timeout {{ nginx_client_body_timeout }}; + {% endif %} + + include /etc/nginx/snippets/nginx-server-ssl.conf; + + server_tokens {{ item.server_tokens | default('off') }}; + + {% if nginx_cors_enabled %} + {% if nginx_cors_global %} + include /etc/nginx/snippets/nginx-cors.conf; + {% endif %} + {% endif %} + + {% if nginx_websockets_support is defined and nginx_websockets_support %} + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + {% else %} + {% if item.websockets is defined and item.websockets %} + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + {% endif %} + {% endif %} + + {% if item.additional_options is defined %} + {% for add_opt in item.additional_options %} + {{ add_opt }}; + {% endfor %} + {% endif %} + + {% if item.https_acls is defined %} + {% for acl in item.https_acls %} + {{ acl }}; + {% endfor %} + {% endif %} + + {% if item.proxy_standard_setup is defined and item.proxy_standard_setup %} + + # Proxy stuff + {% if item.include_global_proxy_conf is defined 
and not item.include_global_proxy_conf %} + {% else %} + include /etc/nginx/snippets/nginx-proxy-params.conf; + {% endif %} + + {% if item.proxy_additional_options is defined %} + {% for popt in item.proxy_additional_options %} + {{ popt }} + {% endfor %} + {% endif %} + + {% if item.locations is defined %} + {% for location in item.locations -%} + location {{ location.location }} { + + {% if nginx_cors_enabled %} + {% if not nginx_cors_global %} + {% if location.cors is defined and location.cors %} + include /etc/nginx/snippets/nginx-cors.conf; + {% endif %} + {% endif %} + {% endif %} + + {% if location.target is defined %} + proxy_pass {{ location.target }}; + {% elif location.php_target is defined %} + try_files $uri =404; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass {{ location.php_target }}; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param REMOTE_ADDR $http_x_forwarded_for; + #fastcgi_param REMOTE_ADDR $remote_addr; + include fastcgi_params; + {% endif %} + + {% if location.websockets is defined and location.websockets %} + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + {% endif %} + + {% if location.extra_conf is defined %} + {{ location.extra_conf }} + {% endif %} + + {% if location.acls is defined %} + {% for acl in location.acls %} + {{ acl }}; + {% endfor %} + {% endif %} + + {% if location.other_opts is defined %} + {% for opt in location.other_opts %} + {{ opt }}; + {% endfor %} + {% endif %} + } + {% endfor %} + {% endif %} + {% endif %} + + {% if item.extra_parameters is defined %} + {{ item.extra_parameters }} + {% endif %} +} + +{% endif %} diff --git a/templates/nginx-websockets.conf.j2 b/templates/nginx-websockets.conf.j2 new file mode 100644 index 0000000..32af4c3 --- /dev/null +++ b/templates/nginx-websockets.conf.j2 @@ -0,0 +1,4 @@ +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} 
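Review bot: Both the HTTP and the HTTPS server blocks pass `fastcgi_param REMOTE_ADDR $http_x_forwarded_for;` to the PHP backend, so REMOTE_ADDR is whatever the client wrote into its own X-Forwarded-For header — when `haproxy_ips` is not defined no `set_real_ip_from` is emitted and nothing validates the header, and even behind haproxy it may carry a comma-separated list rather than one address. Any IP-based allow-list, rate limit or audit trail in the application behind this role can therefore be spoofed with a single request header. When `haproxy_ips` is set the template already emits `set_real_ip_from`/`real_ip_header X-Forwarded-For`, which (with the realip module) rewrites `$remote_addr` to the trusted client address, so the commented-out line is the right one in both `php_target` branches: `fastcgi_param REMOTE_ADDR $remote_addr;`. Separately, when `nginx_websockets_support` is true the `map $http_upgrade $connection_upgrade` snippet is included both from nginx.conf.j2 and at the top of every virtualhost file; that is redundant at best and, depending on the nginx version, may be reported as a conflicting variable, so the virtualhost-level include should only fire for the per-host `item.websockets` case.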
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
new file mode 100644
index 0000000..9dc5392
--- /dev/null
+++ b/templates/nginx.conf.j2
@@ -0,0 +1,63 @@
+pid /run/nginx.pid;
+{% if ansible_distribution_file_variety == "Debian" %}
+user www-data;
+{% if nginx_use_ppa or ansible_distribution_major_version >= '16' %}
+worker_processes auto;
+include /etc/nginx/modules-enabled/*.conf;
+
+{% else %}
+worker_processes {{ nginx_workers }};
+{% endif %}
+{% endif %}
+
+{% if ansible_distribution_file_variety == "RedHat" %}
+user nginx;
+worker_processes auto;
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+{% endif %}
+
+events {
+ worker_connections {{ nginx_worker_connections }};
+ multi_accept {{ nginx_multi_accept }};
+}
+worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
+
+http {
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens {{ nginx_server_tokens }};
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ large_client_header_buffers {{ nginx_large_client_header_buffers }};
+ ##
+ # Logging Settings
+ ##
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+{% if nginx_enable_compression %}
+ include /etc/nginx/snippets/nginx-compression.conf;
+{% endif %}
+{% if nginx_websockets_support %}
+ include /etc/nginx/snippets/nginx-websockets.conf;
+{% endif %}
+ include /etc/nginx/conf.d/*.conf;
+
+{% if ansible_distribution_file_variety == "RedHat" %}
+ # Load configuration files for the default server block.
+ include /etc/nginx/default.d/*.conf;
+{% endif %}
+
+{% if ansible_distribution_file_variety == "Debian" %}
+ include /etc/nginx/sites-enabled/*;
+{% endif %}
+}
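Review bot: `ansible_distribution_major_version >= '16'` compares two strings, so Jinja evaluates it lexicographically: on Debian 9 `'9' >= '16'` is true, while on Debian 10/11 `'10' >= '16'` and `'11' >= '16'` are false, so those hosts (without `nginx_use_ppa`) silently lose `include /etc/nginx/modules-enabled/*.conf;` and every module the distro packages load from there — a config that then uses one of those modules' directives fails at `nginx -t`. Use `{% if nginx_use_ppa or ansible_distribution_major_version | int >= 16 %}` or a `version_compare` test, and if Debian is a supported target branch on `ansible_distribution` rather than on a bare Ubuntu release number. The `http` block also carries no `resolver` directive, which the `ssl_stapling on` emitted by nginx-server-ssl.conf.j2 needs to reach the OCSP responder; a `resolver` pointing at a trusted local resolver, with the address as a role variable, belongs here. Finally, `log_format main` is defined but `access_log /var/log/nginx/access.log;` falls back to the default `combined` format, so `$http_x_forwarded_for` is never written for proxied hosts; `access_log /var/log/nginx/access.log main;` makes the forwarded client address available for incident review.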