Meilleure gestion des dossiers et htpasswd par location

defaults/main.yml

@@ -75,3 +75,8 @@ nginx_http:
 # Vhosts
 #
 nginx_vhosts: []
+
+#
+# htpasswd
+#
+nginx_htpasswd: []

tasks/htpasswd.yml

@@ -0,0 +1,19 @@
+---
+
+- name: FILE | Delete htpasswd file
+  file: >
+    path={{ nginx_htpasswd_dir }}/{{ item.name }}
+    state=absent
+  with_items: nginx_htpasswd
+  when: item.state is defined and item.state == 'absent'
+
+- name: HTPASSWD | Manage files
+  htpasswd: >
+    name={{ item.1.name }}
+    password={{ item.1.password }}
+    state={{ item.1.state | default('present') }}
+    path={{ nginx_htpasswd_dir }}/{{ item.0.name }}
+  with_subelements:
+    - nginx_htpasswd
+    - users
+  when: item.0.state is not defined or item.0.state == 'present' 

tasks/legacy.yml

@@ -0,0 +1,4 @@
+---
+
+- name: FILE | Remove old directories
+  file: path=/etc/nginx/helpers state=absent

tasks/main.yml

@@ -1,7 +1,10 @@
 ---
 
-- name: APT | Install nginx
+- name: APT | Install nginx and dependencies
-  apt: pkg={{ nginx_apt_package }} state=latest update_cache=yes cache_valid_time=3600
+  apt: pkg={{ item }} state=latest update_cache=yes cache_valid_time=3600
+  with_items:
+    - "{{ nginx_apt_package }}"
+    - python-passlib
 
 - name: SHELL | Get Nginx version
   shell: nginx -v 2>&1 | sed -r 's#.*/##;' | cut -d ' ' -f 1
@@ -14,11 +17,12 @@
     dest=/etc/nginx/nginx.conf
   notify: reload nginx
 
-- name: FILE | Create /etc/nginx/helpers
+- name: INCLUDE | Fix legacy
-  file: dest=/etc/nginx/helpers owner=root mode=0755 state=directory
+  include: legacy.yml
 
-- name: FILE | Create /etc/nginx/ssl
+- name: FILE | Create folders
-  file: dest=/etc/nginx/ssl owner=root mode=0755 state=directory
+  file: dest={{ item }} owner=root mode=0755 state=directory
+  with_items: "{{ nginx_dirs }}"
 
 #- name: COMMAND | Creates DH file
 #  command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
@@ -28,14 +32,17 @@
 - name: TEMPLATE | Deploy all helpers
   template: >
     src={{ item }}
-    dest=/etc/nginx/helpers/{{ item | basename | regex_replace('\.j2$','') }}
+    dest={{ nginx_helper_dir }}/{{ item | basename | regex_replace('\.j2$','') }}
-  with_fileglob: '../templates/etc/nginx/helpers/*.j2'
+  with_fileglob: '../templates/etc/nginx/helper/*.j2'
   notify: reload nginx
 
 - name: INCLUDE | Upstream configuration
   include: upstream.yml
   when: nginx_php
 
+- name: INCLUDE | htpasswd configuration
+  include: htpasswd.yml
+
 - name: INCLUDE | Vhosts configuration
   include: vhost.yml
 

templates/etc/nginx/sites-available/_base.j2

@@ -67,7 +67,13 @@ server {
 {% for location, opts in __location.iteritems() %}
 	location {{ location }} {
 {% for opt in opts %}
+{% if opt.htpasswd is defined %}{% for ht in nginx_htpasswd %}{% if ht.name == opt.htpasswd %}
+		auth_basic "{{ ht.description }}";
+		auth_basic_user_file {{ nginx_htpasswd_dir }}/{{ opt.htpasswd }};
+{% endif %}{% endfor %}
+{% else %}
 		{{ opt }}
+{% endif %}
 {% endfor  %}
 	}
 {% endfor %}	# <-- Custom locations
@@ -86,15 +92,12 @@ server {
 }
 
 {#
+# HTTPS
+#server {
 ssl on;
 ssl_certificate {{ nginx_ssl_dir }}/{{ item.name }}/{{ item.name }}.crt;
 ssl_certificate_key {{ nginx_ssl_dir }}/{{ item.name }}/{{ item.name }}.key;
-include /etc/nginx/helpers/ssl-{{ item.ssl.template | default('strong') }};
+include {{ nginx_helper_dir }}/ssl-{{ item.ssl.template | default('strong') }};
-#}
-
-
-# HTTPS
-#server {
 #}
 
 {% if item.redirect_from is defined and item.redirect_from is iterable %}

tests/test.yml

@@ -15,6 +15,19 @@
             max_conns: 150
             weight: 10
             down: false
+    nginx_htpasswd:
+      - name: 'hello'
+        description: 'Please login!'
+        users:
+          - name: 'hx'
+            password: 'asdfg'
+            state: 'absent'
+          - name: 'hanx'
+            password: 'qwerty'
+      - name: 'deleteme'
+        description: 'Please login!'
+        users: []
+        state: 'absent'
     nginx_vhosts:
       - name:
           - 'test.local'
@@ -30,6 +43,16 @@
             - 'return 403;'
           '/gunther':
             - 'return 404;'
+      - name: 'test-htpasswd.local'
+        template: '_base'
+        location:
+          '/hello':
+            - htpasswd: 'hello'
+            - 'default_type "text/html; charset=UTF-8";'
+            - 'echo hello;'
+      - name: 'test-htpasswd-all.local'
+        template: '_base'
+        htpasswd: 'hello'
       - name: 'test-location.local'
         template: '_base'
         location:
@@ -78,3 +101,18 @@
       changed_when: false
       register: r
       failed_when: r.stdout.find('301 Moved Permanently') == -1
+    - name: -- VERIFY AUTH BASIC NONE --
+      command: "curl -H 'Host: test-htpasswd.local' http://127.0.0.1/hello"
+      changed_when: false
+      register: authnone
+      failed_when: authnone.stdout.find('401 Authorization Required') == -1
+    - name: -- VERIFY AUTH BASIC FAIL --
+      command: "curl -u fail:fail -H 'Host: test-htpasswd.local' http://127.0.0.1/hello"
+      changed_when: false
+      register: authfail
+      failed_when: authfail.stdout.find('401 Authorization Required') == -1
+    - name: -- VERIFY AUTH BASIC OK --
+      command: "curl -u hanx:qwerty -H 'Host: test-htpasswd.local' http://127.0.0.1/hello"
+      changed_when: false
+      register: authok
+      failed_when: authok.stdout.find('hello') == -1

vars/main.yml

@@ -23,3 +23,13 @@ nginx_upstream_server_params:
 #  - key: 'resolve'
 #    is_bool: true
 #    min_version: '1.5.12'
+
+nginx_dirs:
+  - "{{ nginx_htpasswd_dir }}"
+  - "{{ nginx_ssl_dir }}"
+  - "{{ nginx_helper_dir }}"
+
+nginx_htpasswd_dir: '/etc/nginx/htpasswd'
+nginx_ssl_dir: '/etc/nginx/ssl'
+nginx_helper_dir: '/etc/nginx/helper'
+