diff --git a/README.md b/README.md index 0ea52a1..33019bc 100644 --- a/README.md +++ b/README.md @@ -8,11 +8,11 @@ Install and configure Nginx on Debian/FreeBSD. Features: - SSL/TLS "hardened" support -- Manage basic auth on vhost / location +- Manage basic auth on site / location - Proxy + Upstream - Fast PHP configuration -- Preconfigured vhost templates (should work on many app) -- Auto-configure HTTP2 on SSL/TLS vhosts +- Preconfigured site templates (should work on many app) +- Auto-configure HTTP2 on SSL/TLS sites - Manage dynamic modules (install and loading) - Deploy custom facts.d with sites config - Can listen with proxy protocol @@ -63,7 +63,7 @@ Last updates from Debian backports loads modules from /etc/nginx/modules-enabled Fine configuration ------------------ -[Vhost configuration](doc/vhost.md) +[Site configuration](doc/site.md) [PHP configuration](doc/php.md) diff --git a/defaults/main.yml b/defaults/main.yml index bce97d7..2a1461a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -16,8 +16,8 @@ nginx_resolver_valid: '300s' nginx_resolver_timeout: '5s' nginx_error_log_level: 'warn' # http://nginx.org/en/docs/ngx_core_module.html#error_log nginx_auto_config_httpv2: true -nginx_default_vhost: null -nginx_default_vhost_ssl: null +nginx_default_site: null +nginx_default_site_ssl: null nginx_fastcgi_fix_realpath: true # @@ -91,9 +91,9 @@ nginx_http_gzip_disable: '"msie6"' nginx_custom_http: [] # -# Vhosts +# Sites # -nginx_vhosts: [] +nginx_sites: [] # # htpasswd diff --git a/doc/auth.md b/doc/auth.md index 7521f9a..28bf962 100644 --- a/doc/auth.md +++ b/doc/auth.md @@ -4,7 +4,7 @@ Auth Basic management Description ----------- -Auth basic is managed in a separate list. Each auth file can be shared between locations or vhosts. +Auth basic is managed in a separate list. Each auth file can be shared between locations or sites. Each htpasswd has few keys: 
@@ -19,8 +19,8 @@ Example ------- ```yaml -nginx_vhosts: -# htpasswd on all vhost +nginx_sites: +# htpasswd on all site - name: test.local htpasswd: 'hello' template: '_base' diff --git a/doc/vhost.md b/doc/site.md similarity index 84% rename from doc/vhost.md rename to doc/site.md index 541af36..c9183ac 100644 --- a/doc/vhost.md +++ b/doc/site.md @@ -1,17 +1,17 @@ -Vhost management -================ +Site management +=============== You can see many examples in: [tests/test.yml](../tests/test.yml). -`nginx_vhosts`: List of dict. A vhost has few keys. See bellow. +`nginx_sites`: List of dict. A site has few keys. See bellow. Common ------ - `name`: (M) Domain or list of domain used. -- `template`: (D) template used to create vhost. Optional if you set `delete` to true or using `redirect_tor`. +- `template`: (D) template used to create site. Optional if you set `delete` to true or using `redirect_tor`. - `filename`: (O) Specify filename in /etc/nginx/sites-*. Do NOT specify default (reserved keyword). It will be used for log filenames and directories creation. -- `state`: (O) Vhost status. Can be "present" (default), "absent" and "disabled". +- `state`: (O) Site status. Can be "present" (default), "absent" and "disabled". - `redirect_from`: (O) Domain list to redirect to the first `name`. You can use this key to redirect non-www to www - `redirect_to`: (O) Redirect all requests to this domain. Please set scheme (http:// or https:// or $sheme). - `headers`: (O) Set additionals header as key/value list. You can append "always" to the value. Show [nginx doc](http://nginx.org/en/docs/http/ngx_http_headers_module.html). 
@@ -23,7 +23,7 @@ Common - `upstream_params`: (O) Add upstream params (useful when you want to pass variables to PHP) - `override_try_files`: (O) overrides default try\_files defined in template - `manage_local_content`: (O) Boolean. Set to false if you do not want to manage local content (images, css...). This option is useless if you use `_proxy` template or `redirect_to` feature. -- `htpasswd`: (O) References name key in `nginx_htpasswd`. Enable auth basic on all vhost. Set "false" to disable. +- `htpasswd`: (O) References name key in `nginx_htpasswd`. Enable auth basic on all site. Set "false" to disable. - `proto`: (O) list of protocol used. Default is a list with "http". If you need http and https, you must set a list with "http" and "https". You can only set "https" without http support. - `ssl_name`: (D) name of the key used when using TLS/SSL. Optional when `proto` contains "https". If you don't set this value, it will search by `name`. - `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false". @@ -57,17 +57,17 @@ About proxy template Proxy template allow you to use Nginx as reverse proxy. Usefull when you have an application service such as Redmine, Jenkins... -You have many key added to vhost key: +You have many key added to site key: - `upstream_name`: (O) upstream name used to pass proxy -- `proxy_params`: (M) list of raw params passed to the vhost +- `proxy_params`: (M) list of raw params passed to the site (O) : Optional -Default vhosts +Default sites -------------- -You can manage default vhost by setting domain name to these variables. +You can manage default site by setting domain name to these variables. -- `nginx_default_vhost` -- `nginx_default_vhost_ssl` +- `nginx_default_site` +- `nginx_default_site_ssl` diff --git a/doc/ssl.md b/doc/ssl.md index f7ee5bf..908ae14 100644 --- a/doc/ssl.md +++ b/doc/ssl.md 
@@ -33,7 +33,7 @@ Tips ---- - Deploying key/cert is not mandatory with this role. You can manage it in other place ([letsencrypt](https://letsencrypt.org/)? :)). You just need to set `dest_cert` and `dest_key`! -- In `nginx_vhosts`, `ssl_name` is mandatory. This role will search in `nginx_ssl_pairs` with vhost `name` (first in list if it's a list). +- In `nginx_sites`, `ssl_name` is mandatory. This role will search in `nginx_ssl_pairs` with site `name` (first in list if it's a list). Diffie-Hellman -------------- @@ -44,7 +44,7 @@ Example ------- ```yaml -nginx_vhosts; +nginx_sites; - name: 'test-ssl.local' proto: ['http', 'https'] template: '_base' diff --git a/doc/upstream.md b/doc/upstream.md index 7d3147d..1da2410 100644 --- a/doc/upstream.md +++ b/doc/upstream.md @@ -8,7 +8,7 @@ Note: Few params are unavailable on old Nginx version. But this role do _not_ pu Upstream params --------------- -- `name`: upstream name. Can be use in vhost with *proxy_pass http://upstream_name* +- `name`: upstream name. Can be use in site with *proxy_pass http://upstream_name* - `params`: list of param (hash, zone...) - `servers`: each upstream MUST have at least 1 server - `state`: Optional. Can be 'absent' or 'present' diff --git a/tasks/main.yml b/tasks/main.yml index 94c6687..462dd65 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -25,6 +25,5 @@ - name: INCLUDE | SSL configuration include: ssl.yml -- name: INCLUDE | Vhosts configuration - include: vhost.yml - +- name: INCLUDE | Sites configuration + include: site.yml diff --git a/tasks/prepare.yml b/tasks/prepare.yml index b5b7869..f414e60 100644 --- a/tasks/prepare.yml +++ b/tasks/prepare.yml 
@@ -1,5 +1,20 @@ --- +- name: SET_FACT | Backward compatibility (nginx_vhosts) + set_fact: + nginx_sites: "{{ nginx_vhosts }}" + when: nginx_vhosts is defined + +- name: SET_FACT | Backward compatibility (nginx_default_vhost_ssl) + set_fact: + nginx_default_site_ssl: "{{ nginx_default_vhost_ssl }}" + when: nginx_default_vhost_ssl is defined + +- name: SET_FACT | Backward compatibility (nginx_default_vhost) + set_fact: + nginx_default_site: "{{ nginx_default_vhost }}" + when: nginx_default_vhost is defined + - name: SHELL | Get Nginx version shell: nginx -v 2>&1 | sed -r 's#.*/##;' | cut -d ' ' -f 1 args: diff --git a/tasks/vhost.yml b/tasks/site.yml similarity index 80% rename from tasks/vhost.yml rename to tasks/site.yml index 30c0671..c476cf7 100644 --- a/tasks/vhost.yml +++ b/tasks/site.yml 
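Review bot: The three compatibility `set_fact` tasks overwrite `nginx_sites`, `nginx_default_site_ssl` and `nginx_default_site` whenever the legacy name is defined, so an inventory that is only partly migrated (both `nginx_vhosts` and `nginx_sites` set) silently deploys the old site list and the old `default_server` choice with nothing in the play output saying so. Consider gating each shim on the new name still being at its default, e.g. `when: nginx_vhosts is defined and nginx_sites | length == 0` (and `nginx_default_site is none` / `nginx_default_site_ssl is none` for the two default-site facts), and pairing it with a `debug` message naming the deprecated variable so operators can see which value won. The shims also assume prepare.yml runs before site.yml and the facts/site templates that now read `nginx_sites`; that ordering is not visible in this hunk.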
@@ -1,82 +1,82 @@ --- - name: FAIL | Check filenames - fail: msg="Forbidden keyword default on vhost {{ item.name if item.name is string else item.name[0] }}" + fail: msg="Forbidden keyword default on site {{ item.name if item.name is string else item.name[0] }}" when: item.filename is defined and item.filename == 'default' - with_items: "{{ nginx_vhosts }}" + with_items: "{{ nginx_sites }}" - name: FAIL | Check HTTPS redir and proto fail: msg="You can't have HTTP proto and HTTPS redirection at the same time" when: > ((item.proto is defined and 'http' in item.proto) or (item.proto is not defined)) and (item.redirect_http is defined and item.redirect_http) - with_items: "{{ nginx_vhosts }}" + with_items: "{{ nginx_sites }}" - name: FILE | Create root directory file: > path={{ nginx_root }} state=directory -- name: FILE | Create root public folders (foreach nginx_vhosts) +- name: FILE | Create root public folders (foreach nginx_sites) file: > path={{ nginx_root }}/{{ item.filename | default(item.name if item.name is string else item.name[0]) }}/public state=directory owner={{ item.owner | default(nginx_user) }} group={{ item.group | default(nginx_user) }} mode={{ item.mode | default('0755') }} - with_items: "{{ nginx_vhosts }}" + with_items: "{{ nginx_sites }}" when: > item.root is not defined and (item.template is defined and item.template not in nginx_templates_no_dir) and (item.state is not defined or not item.state != 'absent') and item.redirect_to is not defined -- name: TEMPLATE | Create vhosts +- name: TEMPLATE | Create sites template: > src=etc/nginx/sites-available/{{ item.template if item.redirect_to is not defined else '_redirect' }}.j2 dest={{ nginx_etc_dir }}/sites-available/{{ item.filename | default(item.name if item.name is string else item.name[0]) }} - with_items: "{{ nginx_vhosts }}" + with_items: "{{ nginx_sites }}" notify: ['reload nginx', 'restart nginx freebsd'] when: item.state is not defined or item.state != 'absent' -- name: FILE | Delete 
vhosts +- name: FILE | Delete sites file: path={{ nginx_etc_dir }}/{{ item.1 }}/{{ item.0.filename | default(item.0.name if item.0.name is string else item.0.name[0]) }} state=absent with_nested: - - "{{ nginx_vhosts }}" + - "{{ nginx_sites }}" - ['sites-available', 'sites-enabled'] notify: ['reload nginx', 'restart nginx freebsd'] when: item.state is defined and item.state == 'absent' -- name: FILE | Enable vhosts +- name: FILE | Enable sites file: > src={{ nginx_etc_dir }}/sites-available/{{ item.filename | default(item.name if item.name is string else item.name[0]) }} dest={{ nginx_etc_dir }}/sites-enabled/{{ item.filename | default(item.name if item.name is string else item.name[0]) }} state=link - with_items: "{{ nginx_vhosts }}" + with_items: "{{ nginx_sites }}" notify: ['reload nginx', 'restart nginx freebsd'] when: > item.state is not defined or item.state == 'present' -- name: FILE | Disable vhosts +- name: FILE | Disable sites file: path={{ nginx_etc_dir}}/sites-enabled/{{ item.filename | default(item.name if item.name is string else item.name[0]) }} state=absent - with_items: "{{ nginx_vhosts }}" + with_items: "{{ nginx_sites }}" notify: ['reload nginx', 'restart nginx freebsd'] when: item.state is defined and item.state == 'disabled' -- name: FILE | Delete default vhost when explicitely defined +- name: FILE | Delete default site when explicitely defined file: > path={{ nginx_etc_dir }}/sites-enabled/default state=absent notify: ['reload nginx', 'restart nginx freebsd'] - when: nginx_default_vhost is not none + when: nginx_default_site is not none -- name: FILE | Auto set default vhost +- name: FILE | Auto set default site file: > src={{ nginx_etc_dir }}/sites-available/default dest={{ nginx_etc_dir }}/sites-enabled/default state=link notify: ['reload nginx', 'restart nginx freebsd'] - when: nginx_default_vhost is none + when: nginx_default_site is none - name: TEMPLATE | Deploy facts template: 
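Review bot: In the `FILE | Delete sites` task the `when` tests `item.state`, but the `with_nested` loop yields a two-element list per iteration (the task itself reads `item.0.filename` / `item.0.name`), so `item.state is defined` is never true and a site with `state: absent` is never removed from sites-available / sites-enabled; the condition should read `when: item.0.state is defined and item.0.state == 'absent'`. The rename keeps that behaviour, and the effect is that a site meant to be retired would keep being served from its existing symlink. The `FILE | Create root public folders` condition `(item.state is not defined or not item.state != 'absent')` also reads inverted relative to the sibling tasks (it is true only for state absent); if the intent matches the others, `(item.state is not defined or item.state != 'absent')`. The final `TEMPLATE | Deploy facts` task continues past the end of the hunk.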
diff --git a/templates/etc/ansible/facts.d/nginx.fact.j2 b/templates/etc/ansible/facts.d/nginx.fact.j2
index 54f202e..2293487 100644
--- a/templates/etc/ansible/facts.d/nginx.fact.j2
+++ b/templates/etc/ansible/facts.d/nginx.fact.j2
@@ -1,4 +1,4 @@
 {
- "fact_nginx_vhosts":
- {{ nginx_vhosts | to_nice_json(indent=8) }}
+ "fact_nginx_sites":
+ {{ nginx_sites | to_nice_json(indent=8) }}
 }
diff --git a/templates/etc/nginx/sites-available/_base.j2 b/templates/etc/nginx/sites-available/_base.j2
index c91e2b3..006db16 100644
--- a/templates/etc/nginx/sites-available/_base.j2
+++ b/templates/etc/nginx/sites-available/_base.j2
@@ -42,12 +42,12 @@ server {
 server {
 {% if 'http' in __proto %}
 {% for port in __listen %}
- listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %};
+ listen {{ port }}{% if nginx_default_site == __main_name %} default_server{% endif %}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %};
 {% endfor %}
 {% endif %}
 {% if 'https' in __proto %}
 {% for port in __listen_ssl %}
- listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %}{% if port | int in __https_proxy_protocol_port %} proxy_protocol{% endif %};
+ listen {{ port }}{% if nginx_default_site_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %}{% if port | int in __https_proxy_protocol_port %} proxy_protocol{% endif %};
 {% endfor %}
 {{ ssl(__ssl_name) }}
 {% if item.ssl_template is not defined or item.ssl_template != false %}
diff --git a/tests/test.yml b/tests/test.yml
index bf5b508..80bc039 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -115,8 +115,9 @@ - ' DZ no;' - ' TN no;' - '}' - nginx_default_vhost: 'first-test' - nginx_default_vhost_ssl: 'test-ssl-predeployed.local' + nginx_default_site: 'first-test' + nginx_default_site_ssl: 'test-ssl-predeployed.local' +# TODO: nginx_vhosts -> nginx_sites (for now check backward compatibility) nginx_vhosts: - name: - 'test.local' @@ -255,13 +256,13 @@ # -------------------------------- - name: -- CHECK FACTS -- assert: - that: "'{{ ansible_local.nginx.fact_nginx_vhosts[0].name[0] }}' == 'test.local'" + that: "'{{ ansible_local.nginx.fact_nginx_sites[0].name[0] }}' == 'test.local'" # -------------------------------- -# Simple vhosts tests +# Simple sites tests # -------------------------------- - - name: -- VERIFY VHOSTS -- + - name: -- VERIFY SITES -- command: "curl -H 'Host: {{ item.name if item.name is string else item.name[0] }}' http://127.0.0.1{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/" - with_items: "{{ nginx_vhosts }}" + with_items: "{{ nginx_sites }}" when: item.state is undefined or item.state != "absent" changed_when: false - name: -- VERIFY FORBIDDEN -- @@ -269,9 +270,9 @@ register: f failed_when: f.stdout.find('403 Forbidden') == -1 changed_when: false - - name: -- VERIFY REDIRECT VHOSTS -- + - name: -- VERIFY REDIRECT SITES -- command: "curl -H 'Host: {{ item.redirect_from[0] }}' http://127.0.0.1/" - with_items: "{{ nginx_vhosts }}" + with_items: "{{ nginx_sites }}" when: item.redirect_from is defined and (item.state is undefined or item.state != "absent") changed_when: false register: r @@ -280,7 +281,7 @@ # -------------------------------- # PHP # -------------------------------- - - name: -- VERIFY PHP5 VHOSTS (implicit default) -- + - name: -- VERIFY PHP5 SITES (implicit default) -- command: "curl -H 'Host: {{ item }}' http://127.0.0.1/" register: p changed_when: false 
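Review bot: The fixture keeps `nginx_vhosts:` under the TODO, so the play now exercises only the compatibility `set_fact` path in prepare.yml; nothing sets `nginx_sites` directly, and the later `-- VERIFY SITES --` and `-- VERIFY REDIRECT SITES --` loops over `nginx_sites` pass only because the shim populated it. A second fixture, or a follow-up, that sets `nginx_sites` on its own and, separately, both names at once would pin the documented variable and the precedence the shim applies. This is a point on coverage, not on the renamed assertions themselves.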
@@ -288,7 +289,7 @@ with_items: ['test-php-index.local'] when: nginx_php56 - - name: -- VERIFY PHP7 VHOSTS -- + - name: -- VERIFY PHP7 SITES -- command: "curl -H 'Host: {{ item }}' http://127.0.0.1/" register: p changed_when: false @@ -394,33 +395,33 @@ port: '8443' # -------------------------------- -# Default vhosts +# Default sites # -------------------------------- - - name: -- VERIFY DEFAULT VHOST -- + - name: -- VERIFY DEFAULT SITE -- command: "curl -v http://127.0.0.1/" changed_when: false register: vdefault failed_when: > vdefault.stdout.find('Index HTML test OK') == -1 or vdefault.stderr.find('X-ansible-default') == -1 - - name: -- VERIFY DEFAULT SSL VHOST -- + - name: -- VERIFY DEFAULT SSL SITE -- command: "curl --insecure -v https://127.0.0.1/" changed_when: false register: defaultssl failed_when: > defaultssl.stdout.find('Index HTML test OK') == -1 or defaultssl.stderr.find('X-ansible-default') == -1 - - name: -- VERIFY NOT DEFAULT VHOST -- + - name: -- VERIFY NOT DEFAULT SITE -- command: "curl -v -H 'Host: test-php.local' http://127.0.0.1/" changed_when: false register: vphp failed_when: vphp.stderr.find('X-ansible-default') != -1 - - name: -- VERIFY NOT DEFAULT SSL VHOST -- + - name: -- VERIFY NOT DEFAULT SSL SITE -- command: "curl --insecure -v -H 'Host: test-ssl.local' https://127.0.0.1/" changed_when: false register: notdefaultssl failed_when: notdefaultssl.stderr.find('X-ansible-default') != -1 - - name: -- VERIFY DEFAULT VHOST + STUB_STATUS -- + - name: -- VERIFY DEFAULT SITE + STUB_STATUS -- command: "curl -v http://127.0.0.1/status" changed_when: false register: vdefault_status diff --git a/vars/Debian.yml b/vars/Debian.yml index ac83d51..017a6c4 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml 
@@ -2,7 +2,7 @@
 nginx_events_use: 'epoll'
 nginx_pid: '/run/nginx.pid'
 nginx_etc_dir: '/etc/nginx'
-# Specific vhosts
+# Specific sites
 nginx_nagios_root: '/usr/share/nagios3/htdocs'
 nginx_nagios_stylesheets: '/etc/nagios3/stylesheets'
 nginx_fcgiwrap_sock: '/var/run/fcgiwrap.socket'
diff --git a/vars/FreeBSD.yml b/vars/FreeBSD.yml
index 02c757b..18642b1 100644
--- a/vars/FreeBSD.yml
+++ b/vars/FreeBSD.yml
@@ -2,6 +2,6 @@
 nginx_events_use: 'kqueue'
 nginx_pid: '/var/run/nginx.pid'
 nginx_etc_dir: '/usr/local/etc/nginx'
-# Specific vhosts
+# Specific sites
 nginx_nagios_root: '/usr/local/www/nagios'
 nginx_fcgiwrap_sock: '/var/run/fcgiwrap/fcgiwrap.sock'