FEATURES:
- Add validation tasks to check the Ansible version, the Jinja2 version, and whether the required Ansible collections for this role are installed.
- Bump the Ansible
community.general
collection to9.2.0
,community.crypto
collection to2.21.1
andcommunity.docker
collection to3.11.0
.
BUG FIXES:
- Fix the default path for the stream template deployment location.
- Fix incompatibility when using the
listen
directive and setting both thequic
andso_keepalive
parameters. - Correct cleanup error when
nginx_config_cleanup_paths
is not defined. - Disable check_mode for validation task
jinja2_version
.
TESTS:
- Add Molecule tests covering common NGINX use cases (web server, reverse proxy), enabling the NGINX stub status metrics, and NGINX Plus API and live metrics dashboard.
- Update the platforms used in the various Molecule scenarios.
- Use the local role name (
ansible-role-nginx-config
) instead of the fully qualified role name (nginxinc.nginx_config
) in Molecule to ensure tests always work as intended in environments where the role has been already installed beforehand. - Update RHEL UBI images to UBI 9.4.
- Update Molecule NGINX Plus tests to work with R33 by introducing the new license JWT.
DOCUMENTATION:
- Update community docs per the latest NGINX template repository guidelines.
- Update and tweak the README. In order to make the installation instructions easier, some file names used by the various GitHub Actions workflows have been renamed.
CI/CD:
- Bump the minimum version of Ansible supported on Ansible Galaxy to
2.16
. - Update GitHub Actions to Ubuntu 24.04.
- Switch GitHub Actions from using tags to release hashes.
- Remove platform metadata from the Ansible Galaxy role metadata since platforms are no longer supported in Ansible Galaxy NG.
- Implement OSSF Scorecard.
- Implement Renovate and replace Dependabot.
- Automatically add milestone and project data to Renovate Bot PRs.
MAINTENANCE:
- Remove CentOS 7 related artifacts, tests, and metadata since RHEL 7 related distributions are no longer tested nor supported.
- Tweak Release Drafter to work better with conventional commits.
ENHANCEMENTS:
- Implement directives for the
http_v3
module.
BUG FIXES:
- Add handler to reload NGINX when SSL cert or key is changed.
CI/CD:
- Uncomment the
ansible-compat
version from the CI/CD pipeline. - Implement F5 CLA.
BREAKING CHANGES:
- Two parameters have been removed from the
listen
dictionary:-
spdy
-> This parameter is no longer supported. -
http2
-> This parameter has been replaced by thehttp2
directive. To enable HTTP2, use theenable
parameter in the newly implementedhttp2
module/dictionary:http2: enable: true
-
ENHANCEMENTS:
- Initial pass at implementing directives for the
http2
(officially namedhttp_v2
) module. - Bump the Ansible
community.general
collection to7.1.0
,ansible.posix
collection to1.5.4
,community.crypto
collection to2.14.0
, andcommunity.docker
collection to3.4.7
.
BUG FIXES:
- The default template now has a proper example value and comment for the
map.mappings
directive.
CI/CD:
- Split Ansible Lint into its own GitHub Actions job since Molecule no longer runs linters natively.
- Remove the "stable" part of the
stable_push
Molecule scenario since installing the NGINX stable branch is already tested by the core NGINX Ansible role. - Replace
molecule[docker]
withmolecule
andmolecule-plugins[docker]
. - Explicitly set the
ansible-compat
version (commented out for the time being whilst waiting for a new release of Molecule). - Add pre-releases to Release Drafter.
ENHANCEMENTS:
- Standardize code from dot to array notation to keep in with the standards set by the other roles in the Ansible NGINX core collection.
- Bump the minimum version of Ansible core required to run the role to
2.12
(2.11
is no longer supported by Ansible). - Support the
include
directive in the main NGINX context. - Bump the Ansible
community.general
collection to6.2.0
andcommunity.docker
collection to3.4.0
.
BUG FIXES:
- GitHub Actions should now correctly skip *plus* scenarios only when the NGINX Plus license secrets are not present.
- The
ignore-tags
GitHub Actions key does not exist. Replace it with the correct key,tags-ignore
.
TESTS:
- Update GitHub Actions to run on Ubuntu 22.04 (and thus support
cgroups
v2). - Explicitly specify
amd64
as the platform used in NGINX Plus Molecule tests. This will ensure that tests involving NGINX App Protect will work as expected when run on different host architectures (e.g. newer Macbooks witharm
processors). - Update the versions of the Ansible NGINX and NGINX App Protect roles used by Molecule.
ENHANCEMENTS:
- Bump the Ansible
community.general
collection to5.5.0
,ansible.posix
collection to1.4.0
andcommunity.docker
collection to3.1.0
. - Add support for the latest NGINX Plus R26 directives:
auth_jwt_require
now allows you to optionally set theerror
code you wish to return.health_check
now lets you set akeepalive_time
.
- Add support for the latest NGINX App Protect DoS directives (
app_protect_dos_arb_fqdn
,app_protect_dos_api
, andapp_protect_dos_accelerated_mitigation
).
BUG FIXES:
Improve the NGINX main config defaults to bring them closer to the standard NGINX defaults on a fresh NGINX install.
TESTS:
- Update GitHub Actions to only skip *plus* scenarios when the NGINX Plus license secrets are not present (it used to only run the NGINX Plus test scenarios during internal PRs).
- Remove Yamllint (Ansible Lint now incorporates Yamllint).
- Skip Ansible Lint line length rules. Slightly refactor code to incorporate changes added to Ansible Lint 6.7.0.
FEATURES:
Rename all modules to use the fully qualified collection name (FQCN) per Ansible guidelines.
ENHANCEMENTS:
- Bump the Ansible
community.general
collection to4.7.0
andcommunity.docker
collection to2.3.0
. - Add labels to loops in
tasks/config/template-config.yml
to reduce amount of output data. - Implement
gunzip
,map
,mirror
,realip
andsplit_clients
modules intohttp
templates. - Streamline configuring SELinux.
- Update Dependabot to trigger updates at the same time across all NGINX core roles at the same time and to avoid triggering release drafter on GitHub Actions dependency updates.
BUG FIXES:
Ansible check mode runs will no longer fail if NGINX has not yet been installed.
BREAKING CHANGES:
- Remove parameters deprecated in release
0.4.0
. To recap, these arenginx_config_main_upload_*
,nginx_config_upload_html_*
, andnginx_config_stream_upload_*
. Usenginx_config_upload
instead. - Refactor all the
stream
Jinja2 templates!:-
Each NGINX module is now contained within its own templating file. Macros are then used, in turn, to import each respective module template into a top level template file.
-
This avoids confusing and unnecessary code duplication, as well as hard to maintain code.
-
You will notice that the overall structure of your NGINX config now follows a very simple dictionary structure where each top level key corresponds to an NGINX module. Top level lists are used when dealing with
servers
:core: root: /usr/share/nginx/html proxy: set_header: [] servers: - core: {} proxy: {}
-
Check
defaults/main/template.yml
andmolecule/default/converge.yml
for examples! -
These changes follow in the footsteps of the
http
Jinja2 refactor introduced in the0.4.0
release. If you want more information on how to port yourstream
configurations, the release notes/changelog for0.4.0
are a good place to start.
-
- Replace
conf_file_name
andconf_file_location
withdeployment_location
insidenginx_config_stream_template
. - Replace
html_file_name
andhtml_file_location
withdeployment_location
insidenginx_config_html_demo_template
.
FEATURES:
- Add
backup
variable to template and upload parameters. Set tofalse
if you don't want to keep backups of your previous NGINX config files. - Automatically create a NGINX
client_body_temp_path
directory if your NGINX config uses the directive.
ENHANCEMENTS:
Bump the Ansible community.general
collection to 4.4.0
and community.docker
collection to 2.1.1
.
BUG FIXES:
- Fix a bug when using a single
custom_directives
entry and the http template. - Fix check mode issue when running with SELinux enabled. Role no longer reports a change in check mode when setting the host to permissive mode.
- Fix typo in the REST API template.
- Fix incorrect REST API and status log variable names in
defaults/main/template.yml
. - Fix bugged conditional check in the
http/ssl.j2
Jinja2 template.
BUG FIXES:
- Dictionaries are a sequence per Jinja2 contrary to Python's defaults (dictionaries are not a sequence in Python). The template conditionals assumed the latter.
- NAP DoS monitor directive would fail if some variables were commented out.
- NGINX listen
so_keepalive
parameter was not working as intended when setting specific values. - Make sure all template objects are properly transformed into strings before doing Jinja2 operations.
- Remove unnecessary parentheses.
BUG FIXES:
- Fix issue where your
deployment_location
directory would not be properly created due to an outdated variable. - Remove duplicated brace in
http/auth.j2
.
This is a very big release which fundamentally refactors the whole NGINX configuration templating engine. Almost all of the templates have undergone some breaking changes. Please take extra caution when upgrading your environment to this release and make sure you test any required changes before using the role in any potential production environments.
Efforts have been made to thoroughly test all these changes and make sure they work as intended, but due to the magnitude of the refactoring work, there will be some bugs that have escaped our tests. If you find any, please open an issue or PR through the usual channels.
DEPRECATION WARNINGS:
The nginx_config_main_upload_*
, nginx_config_upload_html_*
, and nginx_config_stream_upload_*
parameters have been deprecated in favor of a newly introduced parameter, nginx_config_upload
(previously nginx_config_snippet_upload_*
). The new parameter provides greater flexibility in configuring your upload settings in addition to simplifying the upload Ansible tasks. The deprecated parameters will be removed in the next major release (0.5.0), due December 2021.
BREAKING CHANGES:
General updates:
- Rename upload related variables:
- Rename the
nginx_config_snippet_upload_*
parameters tonginx_config_upload_*
(checkdefaults/main/upload.yml
for an example). - Rename the
nginx_config_html_upload_*
parameters tonginx_config_upload_html_*
. - Rename the
nginx_config_ssl_upload_*
parameters tonginx_config_upload_ssl_*
.
- Rename the
- Tweak the
nginx_config_html_upload
andnginx_config_ssl_upload
parameters to use a list instead of a singlesrc
anddest
value (checkdefaults/main/upload.yml
for an example).
Template engine updates:
-
Refactor all the
http
Jinja2 templates!:-
Each NGINX module is now contained within its own templating file. Macros are then used, in turn, to import each respective module template into a top level template file.
-
This avoids confusing and unnecessary code duplication, as well as hard to maintain code.
-
You will notice that the overall structure of your NGINX config now follows a very simple dictionary structure where each top level key corresponds to an NGINX module. Top level lists are used when dealing with
servers
andlocations
:core: root: /usr/share/nginx/html proxy: set_header: [] servers: - core: {} proxy: {} locations: - core: {} proxy: {}
-
Check
defaults/main/template.yml
andmolecule/default/converge.yml
for examples!
-
-
Refactor the base config templates to simplify the creation of templates as well as development and maintenance moving forward:
- Modify
servers
,servers.listen
,server.locations
,upstream
andupstream.servers
from nested dictionaries in thehttp
andstream
configuration templates to lists. - Remove/merge the
web_server
andreverse_proxy
nested dictionary keys from the HTTP templates. These often lead to confusing and unnecessary code duplication and hard to maintain code. To update your templates, remove both keys and adjust your spacing accordingly. - Replaced
conf_file_name
andconf_file_location
with a single variable,deployment_location
. - All config related parameters now live under the
config
key in both the core/main and HTTP templates. - Modify the
nginx_config_html_demo_template
variable from a nested dictionary to a list.
- Modify
-
Refactor the
nginx_config_main_template
to now include all the respectivecore
andevents
directives. The following variables have changed:http_enable
no longer exists, neither doeshttp_settings
. You can still usehttp.include
to include files within thehttp
context.stream_enable
no longer exists, neither doesstream_settings
. You can still usestream.include
to include files within thestream
context.
-
Refactor the
upstream
HTTP config template into its own separate file. All theupstream
module directives are now included. The following variables have changed:port
is no longer supported. Instead, include the port as part of youraddress
.lb_method
is no longer supported. Instead, you will have to specifically set the method you want to use.zone_name
andzone_size
have been modified into a dictionary.sticky_cookie
is no longer supported as is. You will now have to configure the respectivesticky_cookie
values.- The
health_check
parameter within theserver
dictionary is no longer supported. Instead, manually setmax_fails
andfail_timeout
.
-
Refactor various individual variables into the
core
HTTP config template. All thecore
module directives are now included. The following variables are now included in thecore
dictionary:alias
,client_max_body_size
,error_log
,error_page
,include
,index
,keepalive_timeout
,listen
,root
,send_file
,server_name
,server_names_hash_bucket_size
,server_names_hash_max_size
,server_tokens
,tcp_nodelay
,tcp_nopush
,try_files
listen.port
is nowlisten.address
, andlisten.opts
no longer exists (there are now individual keys for eachlisten
parameter).
-
Refactor the
ssl
HTTP config template into its own separate file. All thessl
module directives are now included. Almost all variables have changed:- All
ssl
variables still live within anssl
dictionary, but the names have changed to reflect the official NGINX directive names. ssl
configs are now supported within both thehttp
andserver
contexts.
- All
-
Refactor both the
app_protect_waf
andapp_protect_dos
modules into a single file:- The
app_protect
dictionary now has theapp_protect_waf
key. app_protect_global
directives are now found inside theapp_protect_waf
dictionary too.
- The
-
Refactor the
proxy
HTTP config template into its own separate file. All theproxy
module directives are now included. All variables have changed:-
All
proxy_*
related variables now live under theproxy
dictionary key. You can specify theproxy
dictionary key inside thehttp
,server
, andlocation
contexts. -
Removed the
nginx_config_main_template.http_settings.cache
dictionary variable. Usenginx_config_http_template.*.proxy.cache_path
instead. -
Removed the
location.websocket
variable. Uselocation.proxy.set_header
instead:proxy: set_header: - field: Upgrade value: $http_upgrade - field: Connection value: Upgrade
-
-
Combine the
grpc_global
directives with thegrpc
directives. -
Refactor the
auth
HTTP config template into its own separateauth
modules file. All the variousauth
related module directives including allauth_jwt
directives are now available. All variables have changed:- All the various
auth
variables now live within their respectiveauth
dictionaries. auth
configs are now supported within thehttp
,server
, andlocation
contexts.
- All the various
-
Refactor the
autoindex
HTTP config template into its own separate filemodules
file and added missingautoindex
module directives. All variables have changed:- The
autoindex
directives now live within theautoindex
dictionary. - The
autoindex
dictionary now lives in the HTTP template config instead of the Main template config.
- The
-
Refactor the
add_headers
dictionary into aheaders
dictionary that now includes all theheaders
HTTP config directives:- The
add_headers
directive now lives within theheaders
dictionary.
- The
-
Refactor the
keyval
directives into its own template config that now includes all thekeyval
HTTP module directives:- Both
keyval
directives now live within thekeyval
dictionary. - The
keyval
dictionary now lives in the HTTP template config instead of the Main template config.
- Both
-
Refactor
server.health_check_plus
into its own dictionary that now includes all thehealth_check
module directives (checkdefaults/main/template.yml
for examples). -
Refactor the
limit_req
directive into its own dictionary:- The
limit_req
directives now live within thelimit_req
dictionary. - The
limit_req
dictionary now lives in the HTTP template config instead of the Main template config.
- The
-
Refactor the
access_log
andlog_format
directives into alog
dictionary that now includes all thelog
module directives:- An
access
andformat
directive now lives within thelog
dictionary. - The
log
dictionary HTTP context now lives in the HTTP template config instead of the Main template config.
- An
-
Refactor the
return
andrewrite
directives into their own dictionary that now includes all therewrite
HTTP module directives:-
The
rewrites
directive has transitioned from a list of one linersrewrites: - (.*).html(.*) $1$2
to
rewrites: - regex: (.*).html(.*) replacement: $1$2
-
The
return
directive has transitioned from a slightly complex dictionary structure (wherein thelocation
variable didn't necessarily have any effect)returns: return301: location: ^~ /old-path code: 301 value: http://$host/new-path
to a slightly less complicated structure
return: # 200 -- Alternatively you could also include a code here instead of fleshing out the dictionary. code: 200 text: nginx
-
-
Refactor the
sub_filter
directives into their ownsub_filter
dictionary that includes all thesub_filter
HTTP module directives:-
The only major difference is that one liners under the
sub_filters
dictionary key have changed fromsub_filters: - sub_filter 'server_hostname' '$hostname';
to
sub_filters: - string: server_hostname replacement: $hostname
-
Removed the
server.http_demo_conf
dictionary. Useserver.sub_filters
instead:sub_filter: sub_filters: - string: server_hostname replacement: $hostname - string: server_address replacement: $server_addr:$server_port - string: server_url replacement: $request_uri - string: remote_addr replacement: '$remote_addr:$remote_port' - string: server_date replacement: $time_local - string: client_browser replacement: $http_user_agent - string: request_id replacement: $request_id - string: nginx_version replacement: $nginx_version - string: document_root replacement: $document_root - string: proxied_for_ip replacement: $http_x_forwarded_for
-
The
sub_filter
dictionary HTTP context now lives in the HTTP template config instead of the Main template config.
-
-
Rename some NGINX template config parameters to align with NGINX directive names:
- Rename
html_file_location
toroot
. - Rename
html_file_name
toindex
.
- Rename
-
NGINX App Protect 3.2 supports multiple log destinations per scope. Changing the
security_log
variable from a dictionary to a list of objects in order to support this. -
NGINX App Protect 3.5 supports a new timeout directive which allows the user to configure the period of time between reconnect retries of the module to the web application firewall (WAF) engine. Added this as a supported directive.
FEATURES:
-
Replace Ansible community distribution with Ansible base and add the necessary extra collections as a dependency requirement. For reference, these are:
--- collections: - name: community.general version: 3.8.0 - name: ansible.posix version: 1.3.0 - name: community.docker # This collection is only used as part of the Molecule testing suite version: 1.10.0
-
Explicitly list Jinja2
2.11.3
as a requirement, as well as detail the minimum supported version (2.11.x
). -
Implement Release Drafter.
-
Add support for configuring NGINX App Protect DoS (Denial of Service) module and directives.
-
Add support for configuring the NGINX Rest API module and the NGINX stub status module.
ENHANCEMENTS:
- Move the
gzip
HTTP config template into themodules
file. It's a small module and did not warrant being in its own individual file. - Update Ansible Lint to
5.1.3
, Molecule to3.4.0
, Yamllint to1.26.3
and Docker Python SDK to5.0.2
. - Consolidate Molecule testing scenarios to address changes introduced in Ansible Lint
5.*
. - Specify GitHub Actions Ubuntu release.
- Minor GitHub template tweaks, including the creation of a SECURITY doc.
- Replace Molecule tests using Debian stretch with Debian buster (stretch has reached its EoL), and update list of supported platforms.
- Replace Ansible base with Ansible core. Ansible core will be the "core" Ansible release moving forward from Ansible
2.11
. - Update GitHub Actions to add a workflow dispatch option.
- Update GitHub Actions
if
conditionals to use thecontains
function instead of checking for exact names. - Remove Debian Buster from the
plus
Molecule scenario since it often fails in the GitHub Actions CI/CD pipeline. - Replace "yes"/"no" boolean values with "true"/"false" to comply with YAML spec
1.2
. - Ensure the default values for the
nginx.conf
template match the default values found on a fresh NGINX installation. - Change Dependabot frequency from daily to weekly.
- Minor touch-up of GitHub Actions workflows.
BUG FIXES:
- Add
state
parameter to package module in Molecule verification tests. - In NGINX App Protect environments on SELinux enforced systems, the
nginx -t
handler fails when run from a directory that the NGINX process' user does not have access to. - Fix missing GRPC boolean check in GRPC template.
- Fix
nginx_config_cleanup_paths
not working as intended. - Fix issue with the
app_protect.j2
template that was causing the default values fornginx.conf
to fail.
FEATURES:
- Add support for configuration snippets (use the
nginx_config_snippet_upload_*
parameters to configure it). - Add support for Dependabot.
ENHANCEMENTS:
- Add support for NGINX GRPC directives.
- Add support for NGINX GZIP directives.
- Add support for upstream server
backup
parameter in http and stream template. - Only run GitHub Actions Galaxy CI/CD workflow when a new release is published.
- Update list of supported platforms.
- Update Ansible base to
2.10.5
and Ansible to2.10.6
.
BUG FIXES:
- Address inconsistent types within Jinja templates.
- Add Jinja2 checks to all config template parameters to ensure that they are only included when appropriately defined.
- Fix edge case where
proxy_pass
is still required when usinggrpc_pass
.
ENHANCEMENTS:
- The GitHub Actions Molecule CI/CD workflow is no longer run on a new release (this is not necessary since it already runs on every push).
- The GitHub Actions Molecule CI/CD workflow should now correctly avoid running 'Plus' related tests on external PRs.
- The
cleanup-config.yml
playbook has been slightly refactored and simplified. - Update Ansible base to
2.10.4
, Ansible to2.10.5
, Molecule to3.2.2
and Docker Python SDK to4.4.1
. - Update copyright notice.
ENHANCEMENTS:
- Update Molecule to
3.2.1
and Docker Python SDK to4.4.0
. - Replace TravisCI with GitHub Actions.
BUG FIXES:
- Switch to explicit boolean values in
sub_filter
defaults forlast_modified
andsince
innginx_config_main_template
."on"
and"off"
values are treated as true instead of true/false when surrounded by double quotes. By always resorting to true/false we avoid unaccounted edge cases. - Fix issue whereas SELinux state would not be correctly set back to
enforcing
whennginx_config_selinux: true
.
BREAKING CHANGES:
- The default port of the status and REST API config is now
8080
and matches the CI Molecule test which already uses it. You can setnginx_config_status_port
to another value if desired. - The allow/deny directives for
nginx_config_status
andnginx_config_rest_api
now take a list instead of a single value. - The default
nginx_config_*_log
values have changed tonginx_config_*_access_log
and no longer have a default value ofoff
. Set the respective variables tofalse
to preserve the previous behaviour.
ENHANCEMENTS:
- Add survey to README.
- Improve README structure and use tables where relevant.
- Update Ansible (now Ansible base) to
2.10.3
, Ansible (now Ansible Community Distribution) to2.10.3
, Ansible Lint to4.3.7
, Molecule to3.1.5
, and Yamllint to1.25.0
. - Improve templating of stub status and REST API config.
BUG FIXES:
- Prevent TravisCI from trying to build (and failing) NGINX Plus images on external PRs.
- Fix naming for SELinux facts dictionary.
- Correctly import
app_protect
global directives in template. - Role now runs correctly when using Ansible's check mode.
- Fix issue with access log in stub status and REST API config template not being properly parsed.
BREAKING CHANGES:
The process to configure modules has changed. Instead of manually setting the modules you want to install to true
or false
, you will now have to use either:
- A newly introduced top level list variable,
nginx_config_modules
. - A newly introduced list variable within your main NGINX config template,
nginx_config_main_template.modules
.
Make sure you only use one variable or the other, since they will overwrite each other. This change will simplify adding future supported modules to this role, and allows you to include any external modules you may wish in your NGINX config.
FEATURES:
- Support for all NGINX App Protect directives has been added. You can find details on the supported directives on
defaults/main/template.yml
. This is the first module to be included using J2 macros. Expect to slowly see a refactor of various modules to use macros where possible. - Add Alpine
3.12
to the list of supported platforms. - Remove Alpine
3.8
from the list of supported platforms . - Add NGINX Plus tests to TravisCI
ENHANCEMENTS:
- Added handlers to check for NGINX syntax validity and fail if any errors are detected.
- Switch to using
ansible_facts
wherever possible. - Improved tasks naming conventions.
- Update Ansible to
2.9.13
and Ansible Lint to4.3.5
. - Explicitly defined
mode
in relevant tasks. - Improve configuration templating capabilities:
- Allow setting
access_log
/access_log_location
tooff
. - Add IP restriction for web servers
- Allow setting
BUG FIXES:
An empty nginx_config_cleanup_files
will no longer cause nginx_config_cleanup
related tasks to fail.
Initial release of the NGINX Config role. Contains all NGINX Config related features previously available on the NGINX Ansible role.