Allow configuration of nginx_ssl_directory #17

Open
wants to merge 11 commits into
base: master
from
18 changes: 17 additions & 1 deletion README.md
Expand Up @@ -63,7 +63,13 @@ nginx_http_gzip: 'on'
nginx_http_gzip_types: 'text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/svg'
nginx_http_gzip_disable: 'msie6'

# Add your own custom nginx.conf directives in a list.
# Add your own custom nginx.conf main directives in a list.
# Example:
# nginx_main_directives:
# - 'include /etc/nginx/modules-enabled/*.conf'
nginx_main_directives: []

# Add your own custom nginx.conf http directives in a list.
# Example:
# nginx_http_directives:
# - 'auth_http_header X-Auth-Key "secret_string"'
Expand All @@ -74,6 +80,9 @@ nginx_http_directives: []
# - { user: 'nick', password: 'insecurepassword' }
nginx_basic_auth: []

# Where should we find the SSL certificate?
nginx_ssl_directory: /etc/nginx/ssl

# How many bits should we use to generate a dhparam?
# Technically 2048 is 'good enough' but 4096 combined with a few other
# things will get you to a perfect 100 A+ SSL rating, do not go below 2048.
Expand Down Expand Up @@ -164,6 +173,13 @@ nginx_default_sites:
# If you want to override the default / location's try_files, this is the
# place to do it. This could be useful for php-fpm based virtual hosts.
custom_root_location_try_files: ''
# Set direct_proxy to the name of an upstream to proxy ALL requests to it
# (bypasses try_file directive). Example:
# direct_proxy: apache
# upstreams:
# - name: apache
# servers: ['apache_upstream_server']
direct_proxy: ''
# Is basic auth enabled for this virtual host?
basic_auth: False
# A 1 line message to show during the authentication required dialog.
3 changes: 3 additions & 0 deletions defaults/main.yml
Expand Up @@ -25,10 +25,12 @@ nginx_http_types_hash_max_size: 2048
nginx_http_gzip: 'on'
nginx_http_gzip_types: 'text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/svg'
nginx_http_gzip_disable: 'msie6'
nginx_main_directives: []
nginx_http_directives: []

nginx_basic_auth: []

nginx_ssl_directory: /etc/nginx/ssl
nginx_ssl_dhparam_bits: 2048
nginx_ssl_override_filename: ''
nginx_ssl_generate_self_signed_certs: True
Expand Down Expand Up @@ -64,6 +66,7 @@ nginx_default_sites:
expires: 'max'
custom_locations: ''
custom_root_location_try_files: ''
direct_proxy: ''
basic_auth: False
basic_auth_message: 'Please sign in'
disallow_hidden_files:
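Review bot: `nginx_ssl_directory: /etc/nginx/ssl` is the only unquoted path among the new defaults, while the surrounding values in this file (`'msie6'`, `'max'`, `''`) are quoted; `nginx_ssl_directory: '/etc/nginx/ssl'` keeps the file consistent and protects the value if it is ever templated. Since the role now creates this directory itself and the self-signed task writes the private key into it, a one-line comment above the key would help operators who relocate it, e.g. `# Directory holding dhparam.pem and the certificate/key pairs; created by the role`.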
45 changes: 39 additions & 6 deletions tasks/main.yml
Expand Up @@ -27,7 +27,8 @@
- '/etc/nginx/sites-available'
- '/etc/nginx/sites-enabled'
- '/etc/nginx/conf.d'
- '/etc/nginx/ssl'
- '/etc/nginx/ansible-nginx-conf.d'
- '{{ nginx_ssl_directory }}'

- name: Remove default site
file:
Expand All @@ -40,6 +41,16 @@
notify:
- Test nginx and reload

- name: Expand common_proxy.conf
template:
src: 'etc/nginx/ansible-nginx-conf.d/common_proxy.conf.j2'
dest: '/etc/nginx/ansible-nginx-conf.d/common_proxy.conf'
group: 'root'
owner: 'root'
mode: '0644'
notify:
- Test nginx and reload

- name: Configure nginx
template:
src: 'etc/nginx/nginx.conf.j2'
Expand All @@ -60,19 +71,19 @@
-nodes
-x509
-subj "/C=US/ST=NY/L=NY/O=NA/CN=localhost"
-keyout /etc/nginx/ssl/{{ nginx_ssl_override_filename | default(item.value.domains[0]) }}.key
-out /etc/nginx/ssl/{{ nginx_ssl_override_filename | default(item.value.domains[0]) }}.pem
-keyout '{{ nginx_ssl_directory }}/{{ nginx_ssl_override_filename | default(item.value.domains[0]) }}.key'
-out '{{ nginx_ssl_directory }}/{{ nginx_ssl_override_filename | default(item.value.domains[0]) }}.pem'
args:
creates: '/etc/nginx/ssl/{{ nginx_ssl_override_filename | default(item.value.domains[0]) }}.pem'
creates: '{{ nginx_ssl_directory }}/{{ nginx_ssl_override_filename | default(item.value.domains[0]) }}.pem'
with_dict: '{{ nginx_sites }}'
when: nginx_ssl_generate_self_signed_certs
notify:
- Test nginx and restart

- name: Generate X bit dhparam.pem file (this may take a while)
command: openssl dhparam -out /etc/nginx/ssl/dhparam.pem {{ nginx_ssl_dhparam_bits }}
command: 'openssl dhparam -out {{ nginx_ssl_directory }}/dhparam.pem {{ nginx_ssl_dhparam_bits }}'
args:
creates: '/etc/nginx/ssl/dhparam.pem'
creates: '{{ nginx_ssl_directory }}/dhparam.pem'
notify:
- Test nginx and restart

Expand All @@ -87,6 +98,28 @@
mode: '0644'
with_items: '{{ nginx_basic_auth }}'

- name: Expand default SSL conf file
template:
src: 'etc/nginx/ansible-nginx-conf.d/common_ssl.conf.j2'
dest: '/etc/nginx/ansible-nginx-conf.d/common_ssl_default.conf'
group: 'root'
owner: 'root'
mode: '0644'
with_dict: '{{ nginx_default_sites }}'
notify:
- Test nginx and reload

- name: Configure vhost SSL conf files
template:
src: 'etc/nginx/ansible-nginx-conf.d/common_ssl.conf.j2'
dest: '/etc/nginx/ansible-nginx-conf.d/common_ssl_{{ item.value.domains[0] }}.conf'
group: 'root'
owner: 'root'
mode: '0644'
with_dict: '{{ nginx_sites }}'
notify:
- Test nginx and reload

- name: Configure sites-enabled (vhosts)
template:
src: 'etc/nginx/sites-available/default.conf.j2'
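Review bot: `'{{ nginx_ssl_directory }}'` is appended to the shared directory list at the top of the first hunk, so it receives whatever owner and mode that `file` loop applies to `sites-available` and `conf.d` (the task header sits above the hunk, so the mode is not visible here), yet it is the directory the new `-keyout` line writes the private key into. Creating it in its own `file` task with `mode: '0700'` keeps the key directory from inheriting a mode meant for world-readable config. Separately, 'Expand default SSL conf file' writes `common_ssl_default.conf` once per entry of `nginx_default_sites`, while the only include visible in default.conf.j2 is `common_ssl_{{ item.domains[0] }}.conf`; if the vhost template is also rendered for the default sites, that include will not match the `_default` file name, so it is worth confirming which name the default vhost actually includes.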
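--- a/templates/etc/nginx/ansible-nginx-conf.d/common_proxy.conf.j2
+++ b/templates/etc/nginx/ansible-nginx-conf.d/common_proxy.conf.j2
@@ -0,0 +1,5 @@
+{% if nginx_default_upstream_proxy_settings is iterable -%}
+{% for key in nginx_default_upstream_proxy_settings %}
+{{ key }};
+{% endfor %}
+{% endif %}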
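Review bot: The new template carries no `# {{ ansible_managed }}` header, unlike common_ssl.conf.j2 added alongside it in the same directory; adding `# {{ ansible_managed }}` as the first line marks the rendered file as role-owned the same way. The `is iterable` guard on the first line also accepts a plain string (strings are iterable in Jinja), so a scalar value of `nginx_default_upstream_proxy_settings` would be emitted one character per line; `{% if nginx_default_upstream_proxy_settings is sequence and nginx_default_upstream_proxy_settings is not string -%}` rejects that case. The same guard pattern is used for `nginx_main_directives` in the nginx.conf.j2 hunk.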
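--- a/templates/etc/nginx/ansible-nginx-conf.d/common_ssl.conf.j2
+++ b/templates/etc/nginx/ansible-nginx-conf.d/common_ssl.conf.j2
@@ -0,0 +1,19 @@
+# {{ ansible_managed }}
+
+{% set item = (nginx_default_sites['default'] | combine(item.value, recursive=True)) %}
+
+ssl_protocols {{ item.ssl.protocols }};
+ssl_ciphers "{{ item.ssl.ciphers }}";
+ssl_prefer_server_ciphers {{ item.ssl.prefer_server_ciphers }};
+ssl_session_cache {{ item.ssl.session_cache }};
+ssl_session_timeout {{ item.ssl.session_timeout }};
+ssl_stapling {{ item.ssl.ssl_stapling }};
+ssl_stapling_verify {{ item.ssl.ssl_stapling_verify }};
+resolver {{ item.ssl.resolver }};
+resolver_timeout {{ item.ssl.resolver_timeout }};
+add_header {{ item.ssl.sts_header }};
+
+ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+ssl_certificate /etc/nginx/ssl/{{ nginx_ssl_override_filename | default(item.domains[0]) }}.pem;
+ssl_certificate_key /etc/nginx/ssl/{{ nginx_ssl_override_filename | default(item.domains[0]) }}.key;
+ssl_trusted_certificate /etc/nginx/ssl/{{ nginx_ssl_override_filename | default(item.domains[0]) }}.pem;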
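Review bot: The four path directives at the bottom of the file still hardcode `/etc/nginx/ssl`, while tasks/main.yml in this same PR now creates the directory and writes dhparam.pem, the .pem and the .key under `{{ nginx_ssl_directory }}`; any non-default value of that variable leaves nginx pointing at files that were never written there (or at stale ones from an earlier run), which defeats the purpose of the change. The same hardcoded paths appear in templates/etc/nginx/conf.d/ansible_nginx/common_ssl.conf.j2. The block should read the variable instead:
```jinja
# … unchanged: ssl_*, resolver and add_header directives …
ssl_dhparam {{ nginx_ssl_directory }}/dhparam.pem;
ssl_certificate {{ nginx_ssl_directory }}/{{ nginx_ssl_override_filename | default(item.domains[0]) }}.pem;
ssl_certificate_key {{ nginx_ssl_directory }}/{{ nginx_ssl_override_filename | default(item.domains[0]) }}.key;
ssl_trusted_certificate {{ nginx_ssl_directory }}/{{ nginx_ssl_override_filename | default(item.domains[0]) }}.pem;
```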
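--- a/templates/etc/nginx/conf.d/ansible_nginx/common_ssl.conf.j2
+++ b/templates/etc/nginx/conf.d/ansible_nginx/common_ssl.conf.j2
@@ -0,0 +1,19 @@
+# {{ ansible_managed }}
+
+{% set item = (nginx_default_sites['default'] | combine(item.value, recursive=True)) %}
+
+ssl_protocols {{ item.ssl.protocols }};
+ssl_ciphers "{{ item.ssl.ciphers }}";
+ssl_prefer_server_ciphers {{ item.ssl.prefer_server_ciphers }};
+ssl_session_cache {{ item.ssl.session_cache }};
+ssl_session_timeout {{ item.ssl.session_timeout }};
+ssl_stapling {{ item.ssl.ssl_stapling }};
+ssl_stapling_verify {{ item.ssl.ssl_stapling_verify }};
+resolver {{ item.ssl.resolver }};
+resolver_timeout {{ item.ssl.resolver_timeout }};
+add_header {{ item.ssl.sts_header }};
+
+ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+ssl_certificate /etc/nginx/ssl/{{ nginx_ssl_override_filename | default(item.domains[0]) }}.pem;
+ssl_certificate_key /etc/nginx/ssl/{{ nginx_ssl_override_filename | default(item.domains[0]) }}.key;
+ssl_trusted_certificate /etc/nginx/ssl/{{ nginx_ssl_override_filename | default(item.domains[0]) }}.pem;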
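Review bot: This file is the same template, line for line, as templates/etc/nginx/ansible-nginx-conf.d/common_ssl.conf.j2 added in this PR, and nothing in the tasks/main.yml hunks references the `conf.d/ansible_nginx` path (both template tasks use `etc/nginx/ansible-nginx-conf.d/common_ssl.conf.j2`), so it looks like a leftover from an earlier layout; dropping it avoids two copies drifting apart. If it is intentionally kept, it has the same hardcoded `/etc/nginx/ssl` paths raised on the other copy.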
8 changes: 8 additions & 0 deletions templates/etc/nginx/nginx.conf.j2
Expand Up @@ -4,6 +4,14 @@ user {{ nginx_user }};
worker_processes {{ nginx_worker_processes }};
worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};


{% if nginx_main_directives is iterable -%}
{% for key in nginx_main_directives %}
{{ key }};
{% endfor %}
{% endif %}


events {
worker_connections {{ nginx_events_worker_connections }};
}
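Review bot: The new main-directives block is padded with two blank lines on each side (before `{% if nginx_main_directives is iterable -%}` and after `{% endif %}`), and those render straight into nginx.conf, where the surrounding template separates stanzas with a single blank line; dropping one blank on each side keeps the generated file uniform. A short comment above the block, `{# operator-supplied main-context directives, see nginx_main_directives #}`, would also tell a reader where these lines come from.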
44 changes: 21 additions & 23 deletions templates/etc/nginx/sites-available/default.conf.j2
Expand Up @@ -14,7 +14,7 @@ upstream {{ upstream.name }} {
{% endif %}

server {
listen {{ item.listen_http }}{{ ' default deferred' if item.default_server else '' }};
listen {{ item.listen_http }}{{ ' default_server deferred' if item.default_server else '' }};
server_name {{ item.domains | join(' ') }};
root {{ nginx_letsencrypt_root }};

Expand All @@ -34,6 +34,8 @@ server {
listen {{ item.listen_https }} ssl;
server_name {{ item.domains[1] }};

include /etc/nginx/ansible-nginx-conf.d/common_ssl_{{ item.domains[0] }}.conf;

return 301 https://{{ item.domains[0] }}$request_uri;
}
{% endif %}
Expand All @@ -48,21 +50,7 @@ server {
{% endfor %}
{% endif %}

ssl_protocols {{ item.ssl.protocols }};
ssl_ciphers "{{ item.ssl.ciphers }}";
ssl_prefer_server_ciphers {{ item.ssl.prefer_server_ciphers }};
ssl_session_cache {{ item.ssl.session_cache }};
ssl_session_timeout {{ item.ssl.session_timeout }};
ssl_stapling {{ item.ssl.ssl_stapling }};
ssl_stapling_verify {{ item.ssl.ssl_stapling_verify }};
resolver {{ item.ssl.resolver }};
resolver_timeout {{ item.ssl.resolver_timeout }};
add_header {{ item.ssl.sts_header }};

ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_certificate /etc/nginx/ssl/{{ nginx_ssl_override_filename | default(item.domains[0]) }}.pem;
ssl_certificate_key /etc/nginx/ssl/{{ nginx_ssl_override_filename | default(item.domains[0]) }}.key;
ssl_trusted_certificate /etc/nginx/ssl/{{ nginx_ssl_override_filename | default(item.domains[0]) }}.pem;
include /etc/nginx/ansible-nginx-conf.d/common_ssl_{{ item.domains[0] }}.conf;

{% if item.cache_all_locations.enabled %}
expires {{ item.cache_all_locations.duration }};
Expand Down Expand Up @@ -100,25 +88,35 @@ server {
}

location / {
{% if item.custom_root_location_try_files %}
include /etc/nginx/ansible-nginx-conf.d/common_proxy.conf;
{% if item.direct_proxy and item.upstreams -%}
{% set upstream = item.upstreams|selectattr('name', '==', item.direct_proxy)|first -%}
{% if upstream -%}
{% if upstream.add_proxy_settings is defined -%}
{% for setting in upstream.add_proxy_settings %}
{{ setting }};

{% endfor %}
{% endif %}
proxy_pass http://{{ upstream.name }};
{% endif %}
{% elif item.custom_root_location_try_files %}
try_files {{ item.custom_root_location_try_files }};
{% else %}
try_files $uri $uri.html $uri/{{ (' @' + item.upstreams[0].name) if (item.upstreams) else '' }} =404;
try_files $uri $uri.html $uri/{{ (' @' + item.upstreams[0].name) if (item.upstreams) else ' =404' }};
{% endif %}

{% if item.basic_auth | bool %}
auth_basic "{{ item.basic_auth_message }}";
auth_basic_user_file /etc/nginx/.htpasswd;
{% endif %}
}

{% if item.upstreams %}
{% for upstream in item.upstreams %}

location @{{ upstream.name }} {
{% if nginx_default_upstream_proxy_settings is iterable -%}
{% for key in nginx_default_upstream_proxy_settings %}
{{ key }};
{% endfor %}
{% endif %}
include /etc/nginx/ansible-nginx-conf.d/common_proxy.conf;
{% if upstream.add_proxy_settings is defined -%}
{% for setting in upstream.add_proxy_settings %}
{{ setting }};
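Review bot: The `{% if upstream -%}` guard after the `selectattr('name', '==', item.direct_proxy)|first` line in `location /` does not do what it is meant to: when `direct_proxy` names an upstream that is not in `item.upstreams`, `first` on an empty selection yields an Undefined, and under Ansible's strict undefined handling testing that in `{% if %}` is likely to raise rather than skip the branch. Collecting the matches first makes the check explicit: `{% set matches = item.upstreams | selectattr('name', '==', item.direct_proxy) | list -%}` followed by `{% if matches -%}{% set upstream = matches[0] -%}`. Also, `include /etc/nginx/ansible-nginx-conf.d/common_proxy.conf;` now sits at the top of `location /` before the branch, so the proxy_* settings are emitted even when the location ends up as a plain `try_files`; moving the include next to `proxy_pass` inside the matched branch keeps them with the proxying they configure. The `location @{{ upstream.name }}` block at the end of the hunk continues past it.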