From 272c0eea0da28aff185a142cbb4b1d2428267927 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 27 Sep 2016 19:33:52 +0200
Subject: [PATCH] library/roles/nginx: Manage the main configuration file. library/roles/nginx: Provide parts of embeddable optional configurations inside /etc/nginx/snippets.
---
 nginx/defaults/main.yml | 24 +++++++++++++
 nginx/tasks/main.yml | 1 +
 nginx/tasks/nginx-config.yml | 19 +++++++++++
 nginx/tasks/nginx.yml | 17 ----------
 nginx/templates/letsencrypt-proxy.conf.j2 | 5 ++-
 nginx/templates/nginx-browser-cache.conf.j2 | 27 +++++++++++++++
 nginx/templates/nginx-proxy-params.conf.j2 | 16 +++++++++
 nginx/templates/nginx.conf.j2 | 37 +++++++++++++++++++++
 8 files changed, 126 insertions(+), 20 deletions(-)
 create mode 100644 nginx/tasks/nginx-config.yml
 create mode 100644 nginx/templates/nginx-browser-cache.conf.j2
 create mode 100644 nginx/templates/nginx-proxy-params.conf.j2
 create mode 100644 nginx/templates/nginx.conf.j2
diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml
index 4a89cd6..8c70ac4 100644
--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
@@ -6,6 +6,21 @@ nginx_package_state: installed
 #nginx_virthosts: []
+nginx_snippets_dir: /etc/nginx/snippets
+
+nginx_conf_snippets:
+ - nginx-compression.conf
+ - nginx-websockets.conf
+ - nginx-browser-cache.conf
+ - letsencrypt-proxy.conf
+ - nginx-proxy-params.conf
+
+nginx_workers: 4
+nginx_worker_connections: 1024
+nginx_multi_accept: 'off'
+nginx_worker_rlimit_nofile: 2048
+nginx_server_tokens: 'off'
+
 nginx_enable_compression: True
 nginx_gzip_vary: "on"
 nginx_gzip_proxied: any
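Review bot: The entries of `nginx_conf_snippets` are coupled by name to hard-coded references elsewhere in the patch (the `src={{ item }}.j2` lookup in nginx-config.yml and the literal `include /etc/nginx/snippets/nginx-compression.conf;` / websockets includes in nginx.conf.j2), and nothing in this hunk documents that. Removing `nginx-compression.conf` from the list while `nginx_enable_compression` stays True leaves nginx.conf including a file that is never installed, which breaks the reload; entries dropped from the list are also never removed from the host. Suggest a comment above the list: `# names must match templates/<name>.j2 and the includes in templates/nginx.conf.j2; removing an entry does not delete it from the host`.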
@@ -14,6 +29,15 @@ nginx_gzip_buffers: 16 8k
 nginx_gzip_http_version: 1.1
 nginx_gzip_types: "text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript"
+nginx_enable_browser_cache: True
+nginx_cache_control: public
+nginx_html_cache_expire: -1
+nginx_feed_cache_expire_enabled: False
+nginx_feed_cache_expire: 1h
+nginx_media_cache_expire: 24h
+nginx_css_js_cache_expire: -1
+
+nginx_reverse_proxy: False
 nginx_proxy_buffering: "on"
 nginx_proxy_redirect: "off"
 nginx_proxy_buffer_size: 128k
diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml
index 001b4d1..faf000e 100644
--- a/nginx/tasks/main.yml
+++ b/nginx/tasks/main.yml
@@ -1,5 +1,6 @@
 ---
 - include: nginx.yml
+- include: nginx-config.yml
 #- include: nginx-virtualhosts.yml
 # when: nginx_virthosts|length > 0
 - include: nginx-letsencrypt.yml
diff --git a/nginx/tasks/nginx-config.yml b/nginx/tasks/nginx-config.yml
new file mode 100644
index 0000000..06ea36f
--- /dev/null
+++ b/nginx/tasks/nginx-config.yml
@@ -0,0 +1,19 @@
+---
+- block:
+ - name: Create the snippets directory
+ file: dest={{ nginx_snippets_dir }} state=directory
+
+ - name: remove nginx default virtualhost
+ file: dest=/etc/nginx/sites-enabled/default state=absent
+ notify: Reload nginx
+
+ - name: Install the supported configuration snippets
+ template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444
+ with_items: '{{ nginx_conf_snippets }}'
+
+ - name: Install the main nginx.conf
+ template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=444
+ notify: Reload nginx
+
+ when: nginx_enabled
+ tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
diff --git a/nginx/tasks/nginx.yml b/nginx/tasks/nginx.yml
index ffb30e1..d11dad8 100644
--- a/nginx/tasks/nginx.yml
+++ b/nginx/tasks/nginx.yml
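Review bot: `nginx_enable_browser_cache` and `nginx_reverse_proxy` are defined here but nothing in the patch reads them: nginx-config.yml installs every entry of `nginx_conf_snippets` without a `when:`, and neither nginx-browser-cache.conf.j2 nor nginx-proxy-params.conf.j2 tests the flags, so setting them to False changes nothing. Either guard the snippet installation or the includes on them, or document them as not yet wired, e.g. `# informational for now: the snippets are always installed and only take effect where a server block includes them`. `nginx_cache_control: public` is the value every `add_header Cache-Control` in the browser-cache snippet emits; a site serving authenticated content under those file extensions would need `private`, which is worth a comment on the key.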
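Review bot: The snippet task writes to the literal path `dest=/etc/nginx/snippets/{{ item }}` while the directory is created from `{{ nginx_snippets_dir }}`, so overriding the variable yields an empty directory and the files still land in /etc/nginx/snippets (nginx.conf.j2 also includes the literal path, so the variable is currently cosmetic). The same task has no `notify: Reload nginx`, so changing a snippet variable re-templates the file but the running nginx keeps the old values until some other handler fires. Proposed: `template: src={{ item }}.j2 dest={{ nginx_snippets_dir }}/{{ item }} owner=root group=root mode=0444` and `notify: Reload nginx` after the `with_items`. The nginx.conf task uses `mode=444` where the snippets use `mode=0444` and omits `owner=root group=root`; both forms are accepted, but one should be used consistently.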
@@ -20,20 +20,3 @@
 when: nginx_use_ldap_pam_auth
 tags: nginx
-- name: remove nginx default config
- file: dest=/etc/nginx/sites-enabled/default state=absent
- notify: Reload nginx
- tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
-
-- name: Install the gzip compression configuration if enabled
- template: src=nginx-compression.conf.j2 dest=/etc/nginx/conf.d/compression.conf owner=root group=root mode=0444
- when: nginx_enable_compression
- notify: Reload nginx
- tags: [ 'nginx', 'nginx_conf' ]
-
-- name: Install websockets configuration if enabled
- template: src=nginx-websockets.conf.j2 dest=/etc/nginx/conf.d/websockets.conf owner=root group=root mode=0444
- when: nginx_websockets_support
- notify: Reload nginx
- tags: [ 'nginx', 'nginx_conf' ]
-
diff --git a/nginx/templates/letsencrypt-proxy.conf.j2 b/nginx/templates/letsencrypt-proxy.conf.j2
index 4c3978b..8cd468a 100644
--- a/nginx/templates/letsencrypt-proxy.conf.j2
+++ b/nginx/templates/letsencrypt-proxy.conf.j2
@@ -1,10 +1,9 @@
-server {
- listen 80 default_server;
+# Include this one inside a "server" directive listening on port 80, this way:
+# include /etc/nginx/snippets/letsencrypt-proxy.conf
 location ^~ /.well-known/acme-challenge {
 proxy_pass http://127.0.0.1:{{ letsencrypt_acme_standalone_port}}/.well-known/acme-challenge;
 access_log /var/log/nginx/letsencrypt_acmetool_access.log;
 error_log /var/log/nginx/letsencrypt_acmetool_error.log;
 }
-}
diff --git a/nginx/templates/nginx-browser-cache.conf.j2 b/nginx/templates/nginx-browser-cache.conf.j2
new file mode 100644
index 0000000..ade0132
--- /dev/null
+++ b/nginx/templates/nginx-browser-cache.conf.j2
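Review bot: With the `server { listen 80 default_server; ... }` wrapper removed, this snippet no longer answers `/.well-known/acme-challenge` by itself, and nothing in the patch includes it: nginx.conf.j2 only includes conf.d/*.conf and sites-enabled/*, nginx-config.yml removes `sites-enabled/default`, and the virtualhosts include in tasks/main.yml stays commented out. Unless a site already present in sites-enabled includes the snippet, HTTP-01 validation on port 80 stops working after this change and renewals driven by the letsencrypt tasks would presumably fail. Suggest either shipping a minimal port-80 catch-all server that includes the snippet or stating the requirement in the role's README; the header comment could also name the consequence: `# Without this include in a port-80 server, ACME HTTP-01 challenges are not answered and renewals fail.`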
@@ -0,0 +1,27 @@
+# include inside a 'server' directive
+#
+location ~* \.(?:manifest|appcache|html?|xml|json)$ {
+ expires {{ nginx_html_cache_expire }};
+}
+
+{% if nginx_feed_cache_expire_enabled %}
+#
+location ~* \.(?:rss|atom)$ {
+ expires {{ nginx_feed_cache_expire }};
+ add_header Cache-Control "{{ nginx_cache_control }}";
+}
+{% endif %}
+
+#
+location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
+ expires {{ nginx_media_cache_expire }};
+ access_log off;
+ add_header Cache-Control "{{ nginx_cache_control }}";
+}
+
+#
+location ~* \.(?:css|js)$ {
+ expires {{ nginx_css_js_cache_expire }};
+ access_log off;
+ add_header Cache-Control "{{ nginx_cache_control }}";
+}
diff --git a/nginx/templates/nginx-proxy-params.conf.j2 b/nginx/templates/nginx-proxy-params.conf.j2
new file mode 100644
index 0000000..860aa03
--- /dev/null
+++ b/nginx/templates/nginx-proxy-params.conf.j2
@@ -0,0 +1,16 @@
+# Proxy stuff
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_buffer_size {{ nginx_proxy_buffer_size }};
+proxy_buffers {{ nginx_proxy_buffers }};
+proxy_busy_buffers_size {{ nginx_proxy_busy_buffers_size }};
+proxy_set_header X-Forwarded-Host $remote_addr;
+proxy_set_header X-Forwarded-Server $host;
+proxy_http_version 1.1;
+proxy_redirect {{ nginx_proxy_redirect }};
+proxy_buffering {{ nginx_proxy_buffering }};
+proxy_connect_timeout {{ nginx_proxy_connect_timeout }};
+proxy_read_timeout {{ nginx_proxy_read_timeout }};
+proxy_send_timeout {{ nginx_proxy_send_timeout }};
diff --git a/nginx/templates/nginx.conf.j2 b/nginx/templates/nginx.conf.j2
new file mode 100644
index 0000000..ae69f9b
--- /dev/null
+++ b/nginx/templates/nginx.conf.j2
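Review bot: The `add_header Cache-Control` lines in the rss/atom, media and css/js locations replace, rather than extend, any `add_header` configured at the `server` or `http` level, because nginx inherits add_header from the enclosing level only when the current level defines none; headers such as Strict-Transport-Security or X-Frame-Options set on the including server block are therefore silently absent from every response matched by these regex locations. Suggest stating this in the header comment: `# add_header below replaces inherited add_header directives: repeat any server-level security headers here or in the including server block`. The html/xml/json location sets `expires -1` with no Cache-Control, which is fine, but the default `nginx_cache_control: public` on the other three lets shared caches store the responses; a server that serves authenticated content under those extensions should override it to `private`, which is worth noting in the same comment.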
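Review bot: `proxy_set_header X-Forwarded-Host $remote_addr;` puts the client's IP address into a header whose conventional content is the original Host, so a backend that builds absolute URLs or validates the requested host from X-Forwarded-Host sees an IP instead of the site name; the expected value is `$host` or `$http_host` (the latter already used for Host above): `proxy_set_header X-Forwarded-Host $host;`. X-Forwarded-Server conventionally carries the proxy's own name, for which nginx provides `$hostname`; presumably `$host` was meant for X-Forwarded-Host and the two values were transposed, worth confirming against the backends. A short comment at the top would also help, since the file only says `# Proxy stuff`: `# include next to a proxy_pass; X-Forwarded-For is appended to the client-supplied value, so backends must trust only the last hop`.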
@@ -0,0 +1,37 @@
+user www-data;
+worker_processes {{ nginx_workers }};
+pid /run/nginx.pid;
+
+events {
+ worker_connections {{ nginx_worker_connections }};
+ multi_accept {{ nginx_multi_accept }};
+}
+worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens {{ nginx_server_tokens }};
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ ##
+ # Logging Settings
+ ##
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ include /etc/nginx/conf.d/*.conf;
+{% if nginx_enable_compression %}
+ include /etc/nginx/snippets/nginx-compression.conf;
+{% endif %}
+{% if nginx_websockets_support %}
+ include /etc/nginx/snippets/nginx-websockets.conf;
+{% endif %}
+ include /etc/nginx/sites-enabled/*;
+}
+
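Review bot: `error_log` is declared only inside `http {}`, so errors raised while parsing the main context and `events {}` (a wrong `user`, a bad `worker_rlimit_nofile`) go to the compiled-in default log rather than to /var/log/nginx/error.log; add `error_log /var/log/nginx/error.log;` in the main context next to `pid`. `user www-data;` and `pid /run/nginx.pid;` are Debian-layout literals, consistent with the sites-enabled convention used elsewhere in the role, but worth a comment if other distributions are targeted. Since this template now replaces the distribution's nginx.conf outright, a first line `# {{ ansible_managed }}` would tell an operator not to hand-edit the file.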