diff --git a/tests/group_vars/all.yml b/tests/group_vars/all.yml new file mode 100644 index 0000000..a8380b9 --- /dev/null +++ b/tests/group_vars/all.yml @@ -0,0 +1,250 @@ +--- + +# Internal vars +int_ansible_ssl_dir: '/etc/ansible-ssl' +# Role vars +nginx_worker_processes: 1 # Ansible+FreeBSD can't detect CPU number +nginx_apt_package: 'nginx-extras' +nginx_module_packages: ['libnginx-mod-http-headers-more-filter'] + +nginx_upstreams: + - name: 'test' + servers: + - path: '127.0.0.1:80' + max_conns: 150 + weight: 10 + down: false + - name: 'test-absent' + servers: + - path: '127.0.0.1:80' + max_conns: 150 + weight: 10 + down: false + state: 'absent' + +nginx_htpasswd: + - name: 'hello' + description: 'Please login!' + users: + - name: 'hx' + password: 'asdfg' + state: 'absent' + - name: 'hanx' + password: 'qwerty' + - name: 'deleteme' + description: 'Please login!' + users: [] + state: 'absent' + +nginx_acmesh: true +nginx_acmesh_test: true + +nginx_ssl_pairs: + - name: '{{ ngrok.stdout }}' + acme: true + - name: 'test-ssl-selfsigned.local' + self_signed: true + force: false + - name: + - 'test-ssl-predeployed.local' + - 'test-multiple-name.local' # Hack: tests for acme with multiple name, without using acme + dest_key: "{{ int_ansible_ssl_dir }}/test.key" + dest_cert: "{{ int_ansible_ssl_dir }}/test.crt" + - name: 'test-ssl.local' + key: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEAvavrJWFp3Al2VwRgKx+4Y2mbRRvoxvyd2pyN0xMJ/tCJscaG + 8s60v6WZ9FcCOeMkSI2DXsk4z7pbQdQn0h2GDr/5MOJkPAVWSWEN46tpaLZ3v0zp + 88ZIbnEk1G0PsdFuW/pnLsakPlAMrl1VArFsV6YsatLt30UIYYcRO97StkoOehCx + A5w+XqtfHZeQZ0/DS81633gwYUcMuSTUFZ60r7ge1/m77DTSKg3rTVk5sebP8cjS + +aWHvxP/GyvvDsT+3gjRJx2/5O3JkfH0zaOsaU2Avj0PR0c5rhynrNO/l1k+GJJB + cbBrM+yA8Ofzp4oXUrCfaIq3RuL3Pd+khcKsiwIDAQABAoIBAQCPpAMQ7BUfbosQ + m1+5SOx7XR8Z12kSSX3CcY12rJSFRakB2TeZ6rE38lIFmV82N67iw0kaH4nGx3sU + /3aoyXMc+IXfX5RJYEFYkQfTw5ywkH9fgQAsfZ2dBlK+DVo1cEYDoj9CTW1VQ4pX + Ape+0l8agd5hiBxdWgpe0ctbbARnx584viLiA/iPBDNxKi9zEYw+WP7hSj5QWahr + a09tubcC4L6tjvv8CoZTRSKfCW64vWRDvE6vmA+zJN9Arc1WTYzF1KO1Gybwf8h7 + stJb191smAgGDFhKo0j58ncyAnrS1k4mapm86QQhlfIA6DKvvC0qm3KdQns5b7HM + PyzW0hwBAoGBAO2mTVTOsziom9vtBwM0nRMMEgynR2X3EKMJz2mjcCf66f1F+aQ5 + DvQFM2V8S2s1nGnPh8NKKZ8DxW1NKuR4qx82zeAXpUs9ibHxOnw4YRC485zqc2Wt + fSO1OEDYeKyzWP1nGGtCntYUXzJnWn/wz0mBGKzLKTuLwyFIKx1b7bybAoGBAMxR + N+lT57rX6d4GUqcgNOuWMZ/D8egnE5+hsoiFnHOisRLOgUgBBSy4rwAZx+rdHYT+ + RO11L1PLYEzyvnO0f13R+N7aqKwNXDSzZGA+jb4pjkVidIC2smG/JYKJH5Z+kakw + mwMKP0wdRZJsCaMgScHmWJS8d6Ox/XJJoWrTWTbRAoGAWJlEgVaiaIArwz1F/QLz + gHNik0cWDkSi9jWlFxwwpycbbypUXM5M7dq2g6JoN6sACk6trbgLdlYgl5RKZm06 + VuPGs0H9hOSHXkix5jfasDJT2G9r4D9ixRo9w6cwriobBjYWW3612tgzeYYgrkwn + 655uhZUkZSfA8rqGIGbyZfsCgYAf5WH8G+wmIATTc1s92epJCOZwUY+XNVp75itP + 4sPczX4lOHW4PuiG5cH0GxI5mRE9rNAn3c5on2xGNvMCbyAfDmNyruH8Eg3d8E9w + MvO/xw79x/P2EA9i8QszCKMUxGeK6RqZ6+SbxkoRJKqQe77n9UTI228179hoGhSH + 77ySsQKBgQC8SSZn6a8PpSIIFXB9WCFMwfGFYbUz0wvpaeZP8GKx3BEzMeJqSUaJ + hrQgpwQXkueeamlCQcvV3AUCoBRWTYRLDrWiUIXuIgikDWBFp6TBvTnVRI7iktly + fNED7jXOSjJqnFmdkZlAI5V8dM++mVYVykJD6jcaVRQvxqFLrhSaRg== + -----END RSA PRIVATE KEY----- + cert: | + -----BEGIN CERTIFICATE----- + MIIDBTCCAe2gAwIBAgIJALKJfbk5vuieMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNV + BAMMDnRlc3Qtc3NsLmxvY2FsMB4XDTE2MDExMTE2NDI0NFoXDTI2MDEwODE2NDI0 + NFowGTEXMBUGA1UEAwwOdGVzdC1zc2wubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUA + A4IBDwAwggEKAoIBAQC9q+slYWncCXZXBGArH7hjaZtFG+jG/J3anI3TEwn+0Imx + xobyzrS/pZn0VwI54yRIjYNeyTjPultB1CfSHYYOv/kw4mQ8BVZJYQ3jq2lotne/ + TOnzxkhucSTUbQ+x0W5b+mcuxqQ+UAyuXVUCsWxXpixq0u3fRQhhhxE73tK2Sg56 + ELEDnD5eq18dl5BnT8NLzXrfeDBhRwy5JNQVnrSvuB7X+bvsNNIqDetNWTmx5s/x + yNL5pYe/E/8bK+8OxP7eCNEnHb/k7cmR8fTNo6xpTYC+PQ9HRzmuHKes07+XWT4Y + kkFxsGsz7IDw5/OnihdSsJ9oirdG4vc936SFwqyLAgMBAAGjUDBOMB0GA1UdDgQW + BBRaSF1L+ivPhmIVGQjtviBqZWDS9DAfBgNVHSMEGDAWgBRaSF1L+ivPhmIVGQjt + viBqZWDS9DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCjrgB9+Zuq + Rx7T2mRUl4jf75dLabuBQD0ePALTtvNyBSghhzSr90mE7GlFOYAv0JsmEa3R1LVF + wLPIdrIhNHpt7hN0PkhUlfgmxBnRSCfhpiq4xxsDVFM7ehtDz4+dv1LUDMXo07+E + f24g9aqmypiFzHisUQrYIhtQmHxRpKyGp6kDAW9qNxg6k/Um00aHdYfuD9ER4ksR + f8Hto7f+vssKxCRY2OZXqq13PxEwC5+hgAUkTdrycA/moXFuHJi3lCnCND7sSzvG + tXBggOusyFZFC4bs2m+V+Z+RN+tK2c/c0nq5HR8MV5HwIm4Z8GoT2/0BfJ00cgWL + lVz0gDBfdH8f + -----END CERTIFICATE----- + +nginx_custom_http: + - 'add_header X-ansible 1;' + - 'geoip_country {% if ansible_distribution == "Debian" %}/usr/share/GeoIP/GeoIP.dat{% else %}/usr/local/share/GeoIP/GeoIP.dat{% endif %};' + - 'map $geoip_country_code $allowed_country {' + - ' default yes;' + - ' MA no;' + - ' DZ no;' + - ' TN no;' + - '}' + +nginx_default_site: 'test.local' +nginx_default_site_ssl: 'test-ssl-predeployed.local' + +nginx_sites: + - name: + - 'test.local' + - 'test-alias.local' + - 'test2-alias.local' + template: '_base' + filename: 'first-test' + override_try_files: '$uri/ $uri =404' + headers: + 'X-Frame-Options': 'deny always' + 'X-ansible-default': '1' + manage_local_content: false + use_error_log: true + more: + - 'autoindex off;' + location: + '/test': + - 'return 403;' + '/gunther': + - 'return 404;' + '/status': + - 'stub_status on;' + - 'access_log off;' + - 'allow 127.0.0.1;' + - 'deny all;' + - name: 'test-htpasswd.local' + template: '_base' + location_before: + '/hello': + - htpasswd: 'hello' + location: + '/public': + - htpasswd: false + use_error_log: true + - name: 'test-htpasswd-all.local' + template: '_base' + htpasswd: 'hello' + - name: 'test-location.local' + template: '_base' + location_before: + '/b': + - 'alias /var/tmp;' + '/c': + - 'alias /var/tmp;' + location: + '/': + - 'alias /var/tmp;' + '/a': + - 'alias /var/tmp;' + location_order_before: + - '/b' + - '/c' + location_order: + - '/' + - '/a' + - name: 'test-php.local' + php_upstream: "manual" + upstream_params: + - 'fastcgi_param FOO bar;' + redirect_from: + - 'www.test-php.local' + template: '_php' + use_error_log: true + use_access_log: true + - name: 'test-php-index.local' + template: '_php_index' + php_upstream: 'hx_unix' + - name: 'test-php-index2.local' + template: '_php_index2' + php_upstream: 'hx_ip' + - name: 'test-proxy.local' + listen: + - 8080 + template: '_proxy' + upstream_name: 'test' + headers: + 'X-proxyfied': '1' + - name: 'deleted.local' + state: 'absent' + - name: 'redirect-to.local' + redirect_to: 'http://test.local' + - name: 'test-ssl.local' + proto: ['http', 'https'] + template: '_base' + - name: + - 'test-ssl-selfsigned.local' + - 'www.test-ssl-selfsigned.local' + proto: ['http', 'https'] + template: '_base' + hsts: 'max-age=1664;' + - name: 'test-ssl-predeployed.local' + proto: ['http', 'https'] + template: '_base' + ssl_name: 'test-ssl-predeployed.local' + headers: + 'X-ansible-default': '1' + ssl_template: false + - name: 'test-ssl-redirect.local' + proto: ['https'] + template: '_base' + ssl_name: 'test-ssl.local' + redirect_https: true + - name: + - 'test-ssl-redirect-many.local' + - 'test-ssl-redirect-many2.local' + listen_ssl: [8443] + proto: ['https'] + template: '_base' + ssl_name: 'test-ssl.local' + redirect_https: true + redirect_from: + - 'www.test-ssl-redirect-many.local' + - 'www.test-ssl-redirect-many2.local' + - name: 'test-ssl-proxy-protocol.local' + proto: ['http', 'https'] + listen_proxy_protocol: [20080] + listen_proxy_protocol_ssl: [20443] + template: '_base' + ssl_name: 'test-ssl.local' + headers: + 'X-Proxy-Protocol': '1' + - name: '{{ ngrok.stdout }}' + proto: ['http', 'https'] + listen_proxy_protocol: [21080] + listen_proxy_protocol_ssl: [21443] + template: '_base' + ssl_name: '{{ ngrok.stdout }}' + headers: + 'X-acme': '1' + - name: 'test-custom-template.local' + custom_template: 'templates/custom_template.conf.j2' + root: '/tmp/custom-template' + +nginx_php: "{{ [{'upstream_name': 'manual', 'sockets': [{'host': '127.0.0.1', 'port': '9636' }] }] }}" +nginx_dh_length: 1024 diff --git a/tests/includes/post_common.yml b/tests/includes/post_common.yml new file mode 100644 index 0000000..28dc38c --- /dev/null +++ b/tests/includes/post_common.yml @@ -0,0 +1,270 @@ +--- + +# -------------------------------- +# Deploy index files +# -------------------------------- +- name: -- Add PHP file -- + ansible.builtin.copy: + dest: "{{ nginx_root }}/{{ item }}/public/index.php" + content: " + item.template is defined and + (item.template == '_php' or item.template == '_php_index' or item.template == '_php_index2') + failed_when: p.content.find('PHP Version') == -1 + +- name: -- VERIFY INDEX2 -- + ansible.builtin.uri: + url: "http://test-php-index2.local/lorem.php?ipsum=sit&dolor=amet" + return_content: true + register: p2 + failed_when: p2.content.find('PHP Version') == -1 + +# -------------------------------- +# Basic Auth +# -------------------------------- +- name: -- VERIFY AUTH BASIC NONE -- + ansible.builtin.uri: + url: "http://test-htpasswd.local/hello/" + status_code: 401 + +- name: -- VERIFY AUTH BASIC FAIL -- + ansible.builtin.uri: + url: "http://test-htpasswd.local/hello/" + status_code: 401 + user: "fail" + password: "fail" + force_basic_auth: true + +- name: -- VERIFY AUTH BASIC OK -- + ansible.builtin.uri: + url: "http://test-htpasswd.local/hello/" + user: "hanx" + password: "qwerty" + force_basic_auth: true + +- name: -- VERIFY AUTH BASIC FAIL GLOBAL -- + ansible.builtin.uri: + url: "http://test-htpasswd-all.local/" + status_code: 401 + user: "fail" + password: "fail" + force_basic_auth: true + +- name: -- VERIFY AUTH BASIC OK GLOBAL -- + ansible.builtin.uri: + url: "http://test-htpasswd-all.local/" + user: "hanx" + password: "qwerty" + force_basic_auth: true + +# -------------------------------- +# SSL +# -------------------------------- +- name: -- VERIFY SSL -- + ansible.builtin.uri: + url: "https://{{ item }}/" + return_content: true + validate_certs: false + register: sslok + failed_when: sslok.content.find('Index HTML test OK') == -1 + loop: + - 'test-ssl-predeployed.local' + - 'test-ssl-selfsigned.local' + - 'test-ssl.local' + - '{{ ngrok.stdout }}' + +- name: -- VERIFY SSL REDIRECT -- + ansible.builtin.uri: + url: "http://{{ item.name }}/" + validate_certs: false + status_code: 301 + return_content: true + follow_redirects: none + register: sslredirok + failed_when: '"https://%s%s" % (item.name, ":" + item.port if item.port is defined else "") not in sslredirok.location' + loop: + - name: 'test-ssl-redirect.local' + - name: 'test-ssl-redirect-many.local' + port: '8443' + - name: 'test-ssl-redirect-many2.local' + port: '8443' + +# -------------------------------- +# Default sites +# -------------------------------- +- name: -- VERIFY DEFAULT SITE -- + ansible.builtin.uri: + url: 'http://127.0.0.1/' + return_content: true + register: vdefault + failed_when: > + vdefault.content.find('Index HTML test OK') == -1 or + vdefault.x_ansible_default is not defined + +- name: -- VERIFY DEFAULT SITE + STUB STATUS-- + ansible.builtin.uri: + url: 'http://127.0.0.1/status' + return_content: true + register: vdefault_status + failed_when: > + vdefault_status.content.find('Active connections') == -1 or + vdefault_status.x_ansible_default is not defined + +- name: -- VERIFY DEFAULT SSL SITE -- + ansible.builtin.uri: + url: 'https://127.0.0.1/' + return_content: true + validate_certs: false + register: vdefault + failed_when: > + vdefault.content.find('Index HTML test OK') == -1 or + vdefault.x_ansible_default is not defined + +- name: -- VERIFY NOT DEFAULT SITE -- + ansible.builtin.uri: + url: 'http://test-php.local/' + return_content: true + register: vphp + failed_when: vphp.x_ansible_default is defined + +- name: -- VERIFY NOT DEFAULT SSL SITE -- + ansible.builtin.uri: + url: 'https://test-ssl.local/' + return_content: true + validate_certs: false + register: notdefaultssl + failed_when: notdefaultssl.x_ansible_default is defined + +# -------------------------------- +# Check Proxy protocol +# Note: Debian Stretch doesn't any version of curl with "--haproxy-protocol" argument +# -------------------------------- +- block: + + - name: SHELL | Check HTTP proxy protocol + ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol http://test-ssl-proxy-protocol.local:20080 | grep -qi 'X-Proxy-Protocol' + args: + executable: /bin/bash + warn: false + changed_when: false + + - name: SHELL | Check HTTPS proxy protocol + ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol -k https://test-ssl-proxy-protocol.local:20443 | grep -qi 'X-Proxy-Protocol' + args: + executable: /bin/bash + warn: false + changed_when: false + + when: not (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', 'eq')) + +# -------------------------------- +# Check HTTP2 +# -------------------------------- +- name: SHELL | Check HTTP2 + ansible.builtin.shell: set -o pipefail && nghttp -nv https://localhost 2> /dev/null | grep -q h2 + args: + executable: /bin/bash + changed_when: false + when: nginx_auto_config_httpv2 and 'http_v2' in nginx_modules diff --git a/tests/includes/pre_common.yml b/tests/includes/pre_common.yml index 91793b9..d137923 100644 --- a/tests/includes/pre_common.yml +++ b/tests/includes/pre_common.yml @@ -28,3 +28,47 @@ loop: - /root - /home/vagrant + +- name: FILE | Create an internal SSL dir + ansible.builtin.file: + path: "{{ int_ansible_ssl_dir }}" + state: directory + mode: 0750 + owner: root + group: root + +- name: COPY | Deploy test certificate + ansible.builtin.copy: + src: "file/test.crt" + dest: "{{ int_ansible_ssl_dir }}/test.crt" + mode: 0640 + owner: root + group: root + +- name: COPY | Deploy test key + ansible.builtin.copy: + src: "file/test.key" + dest: "{{ int_ansible_ssl_dir }}/test.key" + mode: 0640 + owner: root + group: root + +- name: COPY | Add all hosts in /etc/hosts + ansible.builtin.copy: + content: | + 127.0.0.1 localhost + {% for s in nginx_sites %} + {% if s.name is string %} + 127.0.0.1 {{ s.name }} + {% else %} + 127.0.0.1 {% for n in s.name %}{{ n }} {% endfor %} + {% endif %} + {% if s.redirect_from is defined %} + 127.0.0.1 {% for rf in s.redirect_from %}{{ rf }} {% endfor %} + {% endif %} + {% endfor %} + dest: "/etc/hosts" + mode: 0644 + owner: root + group: root + unsafe_writes: true diff --git a/tests/test.yml b/tests/test.yml index 2f3c027..8b87e0d 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -2,573 +2,18 @@ - hosts: all pre_tasks: - - name: INCLUDE_TASKS | Pre_tasks related to OS version ansible.builtin.include_tasks: "includes/pre_{{ ansible_distribution }}.yml" - name: IMPORT_TASKS | Pre_tasks common ansible.builtin.import_tasks: "includes/pre_common.yml" - - name: FILE | Create an internal SSL dir - ansible.builtin.file: - path: "{{ int_ansible_ssl_dir }}" - state: directory - mode: 0750 - owner: root - group: root - - - name: COPY | Deploy test certificate - ansible.builtin.copy: - src: "file/test.crt" - dest: "{{ int_ansible_ssl_dir }}/test.crt" - mode: 0640 - owner: root - group: root - - - name: COPY | Deploy test key - ansible.builtin.copy: - src: "file/test.key" - dest: "{{ int_ansible_ssl_dir }}/test.key" - mode: 0640 - owner: root - group: root - - - name: COPY | Add all hosts in /etc/hosts - ansible.builtin.copy: - content: | - 127.0.0.1 localhost - {% for s in nginx_sites %} - {% if s.name is string %} - 127.0.0.1 {{ s.name }} - {% else %} - 127.0.0.1 {% for n in s.name %}{{ n }} {% endfor %} - {% endif %} - {% if s.redirect_from is defined %} - 127.0.0.1 {% for rf in s.redirect_from %}{{ rf }} {% endfor %} - {% endif %} - {% endfor %} - dest: "/etc/hosts" - mode: 0644 - owner: root - group: root - unsafe_writes: true - - vars: - # Internal vars - int_ansible_ssl_dir: '/etc/ansible-ssl' - # Role vars - nginx_worker_processes: 1 # Ansible+FreeBSD can't detect CPU number - nginx_apt_package: 'nginx-extras' - nginx_module_packages: ['libnginx-mod-http-headers-more-filter'] - nginx_upstreams: - - name: 'test' - servers: - - path: '127.0.0.1:80' - max_conns: 150 - weight: 10 - down: false - - name: 'test-absent' - servers: - - path: '127.0.0.1:80' - max_conns: 150 - weight: 10 - down: false - state: 'absent' - nginx_htpasswd: - - name: 'hello' - description: 'Please login!' - users: - - name: 'hx' - password: 'asdfg' - state: 'absent' - - name: 'hanx' - password: 'qwerty' - - name: 'deleteme' - description: 'Please login!' - users: [] - state: 'absent' - nginx_acmesh: true - nginx_acmesh_test: true - nginx_ssl_pairs: - - name: '{{ ngrok.stdout }}' - acme: true - - name: 'test-ssl-selfsigned.local' - self_signed: true - force: false - - name: - - 'test-ssl-predeployed.local' - - 'test-multiple-name.local' # Hack: tests for acme with multiple name, without using acme - dest_key: "{{ int_ansible_ssl_dir }}/test.key" - dest_cert: "{{ int_ansible_ssl_dir }}/test.crt" - - name: 'test-ssl.local' - key: | - -----BEGIN RSA PRIVATE KEY----- - MIIEpAIBAAKCAQEAvavrJWFp3Al2VwRgKx+4Y2mbRRvoxvyd2pyN0xMJ/tCJscaG - 8s60v6WZ9FcCOeMkSI2DXsk4z7pbQdQn0h2GDr/5MOJkPAVWSWEN46tpaLZ3v0zp - 88ZIbnEk1G0PsdFuW/pnLsakPlAMrl1VArFsV6YsatLt30UIYYcRO97StkoOehCx - A5w+XqtfHZeQZ0/DS81633gwYUcMuSTUFZ60r7ge1/m77DTSKg3rTVk5sebP8cjS - +aWHvxP/GyvvDsT+3gjRJx2/5O3JkfH0zaOsaU2Avj0PR0c5rhynrNO/l1k+GJJB - cbBrM+yA8Ofzp4oXUrCfaIq3RuL3Pd+khcKsiwIDAQABAoIBAQCPpAMQ7BUfbosQ - m1+5SOx7XR8Z12kSSX3CcY12rJSFRakB2TeZ6rE38lIFmV82N67iw0kaH4nGx3sU - /3aoyXMc+IXfX5RJYEFYkQfTw5ywkH9fgQAsfZ2dBlK+DVo1cEYDoj9CTW1VQ4pX - Ape+0l8agd5hiBxdWgpe0ctbbARnx584viLiA/iPBDNxKi9zEYw+WP7hSj5QWahr - a09tubcC4L6tjvv8CoZTRSKfCW64vWRDvE6vmA+zJN9Arc1WTYzF1KO1Gybwf8h7 - stJb191smAgGDFhKo0j58ncyAnrS1k4mapm86QQhlfIA6DKvvC0qm3KdQns5b7HM - PyzW0hwBAoGBAO2mTVTOsziom9vtBwM0nRMMEgynR2X3EKMJz2mjcCf66f1F+aQ5 - DvQFM2V8S2s1nGnPh8NKKZ8DxW1NKuR4qx82zeAXpUs9ibHxOnw4YRC485zqc2Wt - fSO1OEDYeKyzWP1nGGtCntYUXzJnWn/wz0mBGKzLKTuLwyFIKx1b7bybAoGBAMxR - N+lT57rX6d4GUqcgNOuWMZ/D8egnE5+hsoiFnHOisRLOgUgBBSy4rwAZx+rdHYT+ - RO11L1PLYEzyvnO0f13R+N7aqKwNXDSzZGA+jb4pjkVidIC2smG/JYKJH5Z+kakw - mwMKP0wdRZJsCaMgScHmWJS8d6Ox/XJJoWrTWTbRAoGAWJlEgVaiaIArwz1F/QLz - gHNik0cWDkSi9jWlFxwwpycbbypUXM5M7dq2g6JoN6sACk6trbgLdlYgl5RKZm06 - VuPGs0H9hOSHXkix5jfasDJT2G9r4D9ixRo9w6cwriobBjYWW3612tgzeYYgrkwn - 655uhZUkZSfA8rqGIGbyZfsCgYAf5WH8G+wmIATTc1s92epJCOZwUY+XNVp75itP - 4sPczX4lOHW4PuiG5cH0GxI5mRE9rNAn3c5on2xGNvMCbyAfDmNyruH8Eg3d8E9w - MvO/xw79x/P2EA9i8QszCKMUxGeK6RqZ6+SbxkoRJKqQe77n9UTI228179hoGhSH - 77ySsQKBgQC8SSZn6a8PpSIIFXB9WCFMwfGFYbUz0wvpaeZP8GKx3BEzMeJqSUaJ - hrQgpwQXkueeamlCQcvV3AUCoBRWTYRLDrWiUIXuIgikDWBFp6TBvTnVRI7iktly - fNED7jXOSjJqnFmdkZlAI5V8dM++mVYVykJD6jcaVRQvxqFLrhSaRg== - -----END RSA PRIVATE KEY----- - cert: | - -----BEGIN CERTIFICATE----- - MIIDBTCCAe2gAwIBAgIJALKJfbk5vuieMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNV - BAMMDnRlc3Qtc3NsLmxvY2FsMB4XDTE2MDExMTE2NDI0NFoXDTI2MDEwODE2NDI0 - NFowGTEXMBUGA1UEAwwOdGVzdC1zc2wubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUA - A4IBDwAwggEKAoIBAQC9q+slYWncCXZXBGArH7hjaZtFG+jG/J3anI3TEwn+0Imx - xobyzrS/pZn0VwI54yRIjYNeyTjPultB1CfSHYYOv/kw4mQ8BVZJYQ3jq2lotne/ - TOnzxkhucSTUbQ+x0W5b+mcuxqQ+UAyuXVUCsWxXpixq0u3fRQhhhxE73tK2Sg56 - ELEDnD5eq18dl5BnT8NLzXrfeDBhRwy5JNQVnrSvuB7X+bvsNNIqDetNWTmx5s/x - yNL5pYe/E/8bK+8OxP7eCNEnHb/k7cmR8fTNo6xpTYC+PQ9HRzmuHKes07+XWT4Y - kkFxsGsz7IDw5/OnihdSsJ9oirdG4vc936SFwqyLAgMBAAGjUDBOMB0GA1UdDgQW - BBRaSF1L+ivPhmIVGQjtviBqZWDS9DAfBgNVHSMEGDAWgBRaSF1L+ivPhmIVGQjt - viBqZWDS9DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCjrgB9+Zuq - Rx7T2mRUl4jf75dLabuBQD0ePALTtvNyBSghhzSr90mE7GlFOYAv0JsmEa3R1LVF - wLPIdrIhNHpt7hN0PkhUlfgmxBnRSCfhpiq4xxsDVFM7ehtDz4+dv1LUDMXo07+E - f24g9aqmypiFzHisUQrYIhtQmHxRpKyGp6kDAW9qNxg6k/Um00aHdYfuD9ER4ksR - f8Hto7f+vssKxCRY2OZXqq13PxEwC5+hgAUkTdrycA/moXFuHJi3lCnCND7sSzvG - tXBggOusyFZFC4bs2m+V+Z+RN+tK2c/c0nq5HR8MV5HwIm4Z8GoT2/0BfJ00cgWL - lVz0gDBfdH8f - -----END CERTIFICATE----- - nginx_custom_http: - - 'add_header X-ansible 1;' - - 'geoip_country {% if ansible_distribution == "Debian" %}/usr/share/GeoIP/GeoIP.dat{% else %}/usr/local/share/GeoIP/GeoIP.dat{% endif %};' - - 'map $geoip_country_code $allowed_country {' - - ' default yes;' - - ' MA no;' - - ' DZ no;' - - ' TN no;' - - '}' - nginx_default_site: 'test.local' - nginx_default_site_ssl: 'test-ssl-predeployed.local' - nginx_sites: - - name: - - 'test.local' - - 'test-alias.local' - - 'test2-alias.local' - template: '_base' - filename: 'first-test' - override_try_files: '$uri/ $uri =404' - headers: - 'X-Frame-Options': 'deny always' - 'X-ansible-default': '1' - manage_local_content: false - use_error_log: true - more: - - 'autoindex off;' - location: - '/test': - - 'return 403;' - '/gunther': - - 'return 404;' - '/status': - - 'stub_status on;' - - 'access_log off;' - - 'allow 127.0.0.1;' - - 'deny all;' - - name: 'test-htpasswd.local' - template: '_base' - location_before: - '/hello': - - htpasswd: 'hello' - location: - '/public': - - htpasswd: false - use_error_log: true - - name: 'test-htpasswd-all.local' - template: '_base' - htpasswd: 'hello' - - name: 'test-location.local' - template: '_base' - location_before: - '/b': - - 'alias /var/tmp;' - '/c': - - 'alias /var/tmp;' - location: - '/': - - 'alias /var/tmp;' - '/a': - - 'alias /var/tmp;' - location_order_before: - - '/b' - - '/c' - location_order: - - '/' - - '/a' - - name: 'test-php.local' - php_upstream: "manual" - upstream_params: - - 'fastcgi_param FOO bar;' - redirect_from: - - 'www.test-php.local' - template: '_php' - use_error_log: true - use_access_log: true - - name: 'test-php-index.local' - template: '_php_index' - php_upstream: 'hx_unix' - - name: 'test-php-index2.local' - template: '_php_index2' - php_upstream: 'hx_ip' - - name: 'test-proxy.local' - listen: - - 8080 - template: '_proxy' - upstream_name: 'test' - headers: - 'X-proxyfied': '1' - - name: 'deleted.local' - state: 'absent' - - name: 'redirect-to.local' - redirect_to: 'http://test.local' - - name: 'test-ssl.local' - proto: ['http', 'https'] - template: '_base' - - name: - - 'test-ssl-selfsigned.local' - - 'www.test-ssl-selfsigned.local' - proto: ['http', 'https'] - template: '_base' - hsts: 'max-age=1664;' - - name: 'test-ssl-predeployed.local' - proto: ['http', 'https'] - template: '_base' - ssl_name: 'test-ssl-predeployed.local' - headers: - 'X-ansible-default': '1' - ssl_template: false - - name: 'test-ssl-redirect.local' - proto: ['https'] - template: '_base' - ssl_name: 'test-ssl.local' - redirect_https: true - - name: - - 'test-ssl-redirect-many.local' - - 'test-ssl-redirect-many2.local' - listen_ssl: [8443] - proto: ['https'] - template: '_base' - ssl_name: 'test-ssl.local' - redirect_https: true - redirect_from: - - 'www.test-ssl-redirect-many.local' - - 'www.test-ssl-redirect-many2.local' - - name: 'test-ssl-proxy-protocol.local' - proto: ['http', 'https'] - listen_proxy_protocol: [20080] - listen_proxy_protocol_ssl: [20443] - template: '_base' - ssl_name: 'test-ssl.local' - headers: - 'X-Proxy-Protocol': '1' - - name: '{{ ngrok.stdout }}' - proto: ['http', 'https'] - listen_proxy_protocol: [21080] - listen_proxy_protocol_ssl: [21443] - template: '_base' - ssl_name: '{{ ngrok.stdout }}' - headers: - 'X-acme': '1' - - name: 'test-custom-template.local' - custom_template: 'templates/custom_template.conf.j2' - root: '/tmp/custom-template' - - nginx_php: "{{ [{'upstream_name': 'manual', 'sockets': [{'host': '127.0.0.1', 'port': '9636' }] }] }}" - nginx_dh_length: 1024 roles: - ../../ + post_tasks: - # -------------------------------- - # Apps - # -------------------------------- - name: INCLUDE_TASKS | Post_tasks related to OS version ansible.builtin.include_tasks: "includes/post_{{ ansible_distribution }}.yml" - # -------------------------------- - # Deploy index files - # -------------------------------- - - name: -- Add PHP file -- - ansible.builtin.copy: - dest: "{{ nginx_root }}/{{ item }}/public/index.php" - content: " - item.template is defined and - (item.template == '_php' or item.template == '_php_index' or item.template == '_php_index2') - failed_when: p.content.find('PHP Version') == -1 - - - name: -- VERIFY INDEX2 -- - ansible.builtin.uri: - url: "http://test-php-index2.local/lorem.php?ipsum=sit&dolor=amet" - return_content: true - register: p2 - failed_when: p2.content.find('PHP Version') == -1 - - # -------------------------------- - # Basic Auth - # -------------------------------- - - name: -- VERIFY AUTH BASIC NONE -- - ansible.builtin.uri: - url: "http://test-htpasswd.local/hello/" - status_code: 401 - - - name: -- VERIFY AUTH BASIC FAIL -- - ansible.builtin.uri: - url: "http://test-htpasswd.local/hello/" - status_code: 401 - user: "fail" - password: "fail" - force_basic_auth: true - - - name: -- VERIFY AUTH BASIC OK -- - ansible.builtin.uri: - url: "http://test-htpasswd.local/hello/" - user: "hanx" - password: "qwerty" - force_basic_auth: true - - - name: -- VERIFY AUTH BASIC FAIL GLOBAL -- - ansible.builtin.uri: - url: "http://test-htpasswd-all.local/" - status_code: 401 - user: "fail" - password: "fail" - force_basic_auth: true - - - name: -- VERIFY AUTH BASIC OK GLOBAL -- - ansible.builtin.uri: - url: "http://test-htpasswd-all.local/" - user: "hanx" - password: "qwerty" - force_basic_auth: true - - # -------------------------------- - # SSL - # -------------------------------- - - name: -- VERIFY SSL -- - ansible.builtin.uri: - url: "https://{{ item }}/" - return_content: true - validate_certs: false - register: sslok - failed_when: sslok.content.find('Index HTML test OK') == -1 - loop: - - 'test-ssl-predeployed.local' - - 'test-ssl-selfsigned.local' - - 'test-ssl.local' - - '{{ ngrok.stdout }}' - - - name: -- VERIFY SSL REDIRECT -- - ansible.builtin.uri: - url: "http://{{ item.name }}/" - validate_certs: false - status_code: 301 - return_content: true - follow_redirects: none - register: sslredirok - failed_when: '"https://%s%s" % (item.name, ":" + item.port if item.port is defined else "") not in sslredirok.location' - loop: - - name: 'test-ssl-redirect.local' - - name: 'test-ssl-redirect-many.local' - port: '8443' - - name: 'test-ssl-redirect-many2.local' - port: '8443' - - # -------------------------------- - # Default sites - # -------------------------------- - - name: -- VERIFY DEFAULT SITE -- - ansible.builtin.uri: - url: 'http://127.0.0.1/' - return_content: true - register: vdefault - failed_when: > - vdefault.content.find('Index HTML test OK') == -1 or - vdefault.x_ansible_default is not defined - - - name: -- VERIFY DEFAULT SITE + STUB STATUS-- - ansible.builtin.uri: - url: 'http://127.0.0.1/status' - return_content: true - register: vdefault_status - failed_when: > - vdefault_status.content.find('Active connections') == -1 or - vdefault_status.x_ansible_default is not defined - - - name: -- VERIFY DEFAULT SSL SITE -- - ansible.builtin.uri: - url: 'https://127.0.0.1/' - return_content: true - validate_certs: false - register: vdefault - failed_when: > - vdefault.content.find('Index HTML test OK') == -1 or - vdefault.x_ansible_default is not defined - - - name: -- VERIFY NOT DEFAULT SITE -- - ansible.builtin.uri: - url: 'http://test-php.local/' - return_content: true - register: vphp - failed_when: vphp.x_ansible_default is defined - - - name: -- VERIFY NOT DEFAULT SSL SITE -- - ansible.builtin.uri: - url: 'https://test-ssl.local/' - return_content: true - validate_certs: false - register: notdefaultssl - failed_when: notdefaultssl.x_ansible_default is defined - - # -------------------------------- - # Check Proxy protocol - # Note: Debian Stretch doesn't any version of curl with "--haproxy-protocol" argument - # -------------------------------- - - block: - - - name: SHELL | Check HTTP proxy protocol - ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol http://test-ssl-proxy-protocol.local:20080 | grep -qi 'X-Proxy-Protocol' - args: - executable: /bin/bash - warn: false - changed_when: false - - - name: SHELL | Check HTTPS proxy protocol - ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol -k https://test-ssl-proxy-protocol.local:20443 | grep -qi 'X-Proxy-Protocol' - args: - executable: /bin/bash - warn: false - changed_when: false - - when: not (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', 'eq')) - - # -------------------------------- - # Check HTTP2 - # -------------------------------- - - name: SHELL | Check HTTP2 - ansible.builtin.shell: set -o pipefail && nghttp -nv https://localhost 2> /dev/null | grep -q h2 - args: - executable: /bin/bash - changed_when: false - when: nginx_auto_config_httpv2 and 'http_v2' in nginx_modules + - name: IMPORT_TASKS | Post_tasks common + ansible.builtin.import_tasks: "includes/post_common.yml"