From cf33f2a5868fb7c27195274e208300bf754f53d3 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 1 Feb 2017 17:12:54 +0100
Subject: [PATCH] library/roles/nginx: Add tasks that configure the basic authentication. Fix the generic virtualhost template.
---
nginx/defaults/main.yml | 3 +++
nginx/tasks/basic-auth.yml | 12 +++++++++
nginx/tasks/main.yml | 1 +
nginx/templates/nginx-virthost.j2 | 41 ++++++++++++++++++++-----------
4 files changed, 43 insertions(+), 14 deletions(-)
create mode 100644 nginx/tasks/basic-auth.yml
diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml
index eb6438a..20f867e 100644
--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
@@ -66,6 +66,9 @@ nginx_use_ldap_pam_auth: False
nginx_pam_svc_name: nginx
nginx_ldap_uri: "ldap://ldap.example.org"
nginx_ldap_base_dn: "dc=example,dc=org"
+nginx_basic_auth: False
+nginx_basic_auth_users:
+ - { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' }
# nginx_ldap_login_attribute: uid
# nginx_ldap_pam_groupdn:
nginx_letsencrypt_managed: True
diff --git a/nginx/tasks/basic-auth.yml b/nginx/tasks/basic-auth.yml
new file mode 100644
index 0000000..cdf35c6
--- /dev/null
+++ b/nginx/tasks/basic-auth.yml
@@ -0,0 +1,12 @@
+---
+- block:
+ - name: Install the python passlib library
+ apt: pkg=python-passlib state=present update_cache=yes cache_valid_time=3600
+
+ - name: Create the htpasswd file needed by the basic auth
+ htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }}
+ with_items: '{{ nginx_basic_auth_users }}'
+
+ when: nginx_basic_auth
+ tags: nginx
+
diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml
index eb0db36..2d2c8ca 100644
--- a/nginx/tasks/main.yml
+++ b/nginx/tasks/main.yml
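Review bot: Flipping `nginx_basic_auth: True` without overriding `nginx_basic_auth_users` creates a real account named `test` with the password `hide inside a vault file` in `/etc/nginx/htpasswd`, because the placeholder on the new list line is a working default credential rather than an example. Ship an empty default, `nginx_basic_auth_users: []`, and describe the entry shape in a comment above it, e.g. `# list of {name, pwd, file (default /etc/nginx/htpasswd), state, crypt} - keep pwd in a vault file`. The alternative is to leave the example but comment it out, which is what this file already does for the `nginx_ldap_*` examples just below.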
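Review bot: The htpasswd task on the new `+ htpasswd:` line has no `no_log`, so every `item` (including `pwd`) is echoed in the task result and lands in the play output and whatever log collects it, which defeats keeping the password in a vault. The file is also created with the module's default permissions, so any local account can read the hashes; set an explicit owner, group and mode (the nginx worker group is `www-data` on the Debian/Ubuntu hosts the `apt` task targets — confirm for this role). While here, the `key=value` argument string breaks on a password containing a space, `=` or a quote; block-style arguments avoid that. Nothing in this commit adds `auth_basic`/`auth_basic_user_file` to the virtualhost template, so presumably the file is wired in through `other_opts` or `extra_parameters`; a comment saying so above the task would save the next reader the search.
```yaml
# … unchanged: apt task installing python-passlib …

    - name: Create the htpasswd file needed by the basic auth
      htpasswd:
        path: "{{ item.file | default('/etc/nginx/htpasswd') }}"
        name: "{{ item.name }}"
        password: "{{ item.pwd }}"
        state: "{{ item.state | default('present') }}"
        crypt_scheme: "{{ item.crypt | default('sha256_crypt') }}"
        owner: root
        group: www-data
        mode: '0640'
      with_items: '{{ nginx_basic_auth_users }}'
      no_log: true
```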
@@ -5,6 +5,7 @@ when: nginx_use_common_virthost
- include: nginx-letsencrypt.yml
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
+- include: basic-auth.yml
- include: pam-ldap.yml
- name: Ensure that the webserver is running and enabled at boot time
diff --git a/nginx/templates/nginx-virthost.j2 b/nginx/templates/nginx-virthost.j2
index ffc54e0..d10134d 100644
--- a/nginx/templates/nginx-virthost.j2
+++ b/nginx/templates/nginx-virthost.j2
@@ -1,5 +1,5 @@
server {
- listen {{ item.http_port }};
+ listen {{ item.http_port | default (80) }};
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
{% if letsencrypt_acme_install %}
include /etc/nginx/snippets/letsencrypt-proxy.conf;
@@ -17,7 +17,7 @@ server {
server_tokens {{ item.server_tokens | default('off') }};
{% if item.ssl_enabled and item.ssl_only %}
location / {
- return 301 https://{{ ansible_fqdn }}$request_uri;
+ return 301 https://{{ item.server_name }}$request_uri;
}
{% else %}
# This is the default for nginx on Ubuntu 14.04
@@ -27,7 +27,6 @@ server {
location = /50x.html {
root /usr/share/nginx/html;
}
- {% endif %}
location = /favicon.ico {
log_not_found off;
access_log off;
@@ -54,7 +53,6 @@ server {
{% else %}
client_body_timeout {{ nginx_client_body_timeout }};
{% endif %}
- server_tokens {{ item.server_tokens | default('off') }};
{% if item.websockets is defined and item.websockets %}
proxy_set_header Upgrade $http_upgrade;
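Review bot: The new `return 301 https://{{ item.server_name }}$request_uri;` always sends clients to the default HTTPS port, while the HTTPS server later in this template listens on `https_port | default(443)`; when `https_port` is overridden the redirect points at a port nothing listens on. Append the port only when it is non-default, e.g. `return 301 https://{{ item.server_name }}{% if https_port is defined and https_port != 443 %}:{{ https_port }}{% endif %}$request_uri;`. Moving from `ansible_fqdn` to the configured `server_name` is the right call from a security standpoint: the redirect target stays independent of anything taken from the request (`$host`), so a client cannot be bounced to a host of its choosing, and that reasoning deserves a one-line comment above the `return`. The enclosing server block starts and ends outside this hunk.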
@@ -68,23 +66,31 @@ server {
{{ popt }}
{% endfor %}
{% endif %}
- {% if item.proxies is defined %}
- {% for proxy in item.proxies %}
- location {{ proxy.location }} {
- proxy_pass {{ proxy.target }};
+ {% if item.locations is defined %}
+ {% for location in item.locations %}
+ location {{ location.location }} {
+ {% if location.target is defined %}
+ proxy_pass {{ location.target }};
+ {% endif %}
+ {% if location.other_opts is defined %}
+ {% for opt in location.other_opts %}
+ {{ opt }};
+ {% endfor %}
+ {% endif %}
}
{% endfor %}
{% endif %}
{% endif %}
{% if item.extra_parameters is defined %}
{{ item.extra_parameters }}
+ {% endif %}
{% endif %}
}
{% if item.ssl_enabled and item.ssl_only %}
server {
- listen {{ https_port }} ssl;
+ listen {{ https_port | default(443) }} ssl;
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
{% if item.access_log is defined %}
access_log {{ item.access_log }};
@@ -102,7 +108,6 @@ server {
location = /50x.html {
root /usr/share/nginx/html;
}
- {% endif %}
location = /favicon.ico {
log_not_found off;
access_log off;
@@ -145,16 +150,24 @@ server {
{{ popt }}
{% endfor %}
{% endif %}
- {% if item.proxies is defined %}
- {% for proxy in item.proxies %}
- location {{ proxy.location }} {
- proxy_pass {{ proxy.target }};
+ {% if item.locations is defined %}
+ {% for location in item.locations %}
+ location {{ location.location }} {
+ {% if location.target is defined %}
+ proxy_pass {{ location.target }};
+ {% endif %}
+ {% if location.other_opts is defined %}
+ {% for opt in location.other_opts %}
+ {{ opt }};
+ {% endfor %}
+ {% endif %}
}
{% endfor %}
{% endif %}
{% endif %}
{% if item.extra_parameters is defined %}
{{ item.extra_parameters }}
+ {% endif %}
}
{% endif %}
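Review bot: `listen {{ https_port | default(443) }} ssl;` reads a play-level `https_port`, while the plain-HTTP listener at the top of this template now uses the per-virtualhost `item.http_port | default (80)`; two virtualhosts rendered from the same list therefore cannot have different TLS ports, and a stray global silently moves all of them. Mirror the HTTP side and keep the global as the fallback, `listen {{ item.https_port | default(https_port | default(443)) }} ssl;`. The added `+ {% endif %}` after `{{ item.extra_parameters }}` is what now pairs with the `{% else %}` of the `ssl_only` test after the earlier hunk dropped the `{% endif %}` at the 50x location, so in ssl_only mode the HTTP server presumably emits only the redirect and none of the proxied locations; that is the desired outcome, but with the control flow spread over three hunks it deserves `{# closes the non-ssl_only branch opened after the 301 redirect #}` next to the new tag. The first server block begins outside this hunk.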
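Review bot: The new `{{ opt }};` line adds its own semicolon, so an `other_opts` entry written with a trailing `;` renders as `;;` (which nginx's parser rejects) and a brace-delimited entry such as an `if (...) { ... }` block cannot be expressed at all; neither constraint is documented where the structure is introduced. Add a Jinja comment above `{% for location in item.locations %}`, e.g. `{# locations: list of {location, target (optional proxy_pass URL), other_opts (optional list of single directives, no trailing ';')} #}`. Note also that an entry with neither `target` nor `other_opts` yields an empty `location` block, which presumably falls back to serving static files from the inherited `root` for that prefix — worth either guarding or mentioning in the same comment. The HTTPS server block this sits in starts outside the hunk.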