In tests, dh = 1024bits (speedup tests)

This reverts commit f8d138828b.

README.md

@@ -1,118 +1,64 @@
 Nginx for Debian Ansible role
 =============================
 
-[![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-HanXHX.nginx-blue.svg)](https://galaxy.ansible.com/list#/roles/4399) [![Build Status](https://travis-ci.org/HanXHX/ansible-nginx.svg)](https://travis-ci.org/HanXHX/ansible-nginx)
+[![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-HanXHX.nginx-blue.svg)](https://galaxy.ansible.com/list#/roles/4399) [![Build Status](https://travis-ci.org/HanXHX/ansible-nginx.svg?branch=master)](https://travis-ci.org/HanXHX/ansible-nginx)
 
 Install and configure Nginx on Debian.
 
-This role is not production ready. SSL management wille come later.
+Features:
+
+- SSL/TLS "hardened" support
+- Manage basic auth on vhost / location
+- Proxy + Upstream
+- Fast PHP configuration
+- Preconfigured vhost templates (should work on many app)
+- Auto-configure HTTP2 on SSL/TLS vhosts
 
 Requirements
 ------------
 
-None.
+None. If you set true to `nginx_backports`, you must install backports repository before lauching this role.
 
 Role Variables
 --------------
 
-  - `nginx_apt_package`: APT nginx package (try: apt-cache search ^nginx)
+### Packaging
-  - `nginx_root`: root directory where you want to have your files
-  - `nginx_log_dir`: log directory (if you change it, don't forget to change logrotate config)
-  - `nginx_ssl_dir`: directory where you install your SSL/TLS keys
-  - `nginx_resolver`: list of DNS resolver (default: OpenDNS)
-  - `nginx_error_log_level`: default log level
-  - `nginx_dh_length`: DH key length (default is 2048)
 
-### PHP
+- `nginx_apt_package`: APT nginx package (try: apt-cache search ^nginx)
+- `nginx_backports`: Install nginx from backport repository (bool)
 
-  - `nginx_php`: boolean if you need to preconfigure PHP (default: false)
+### Shared
-  - `nginx_php_sockets`: list of //sockets//
 
-You should see [Nginx upstream module doc](http://nginx.org/en/docs/http/ngx_http_upstream_module.html).
+- `nginx_root`: root directory where you want to have your files
-
+- `nginx_log_dir`: log directory (if you change it, don't forget to change logrotate config)
-Socket:
+- `nginx_resolver`: list of DNS resolver (default: OpenDNS)
-  - `unix_socket`
+- `nginx_error_log_level`: default log level
-  - `host`
+- `nginx_auto_config_httpv2`: boolean, auto configure HTTP2 where possible
-  - `port`
-  - `weight`
-  - `max_fails`
-  - `fail_timeout`
 
 ### Nginx Configuration
 
-  - `nginx_user`
+- `nginx_user`
-  - `nginx_worker_processes`
+- `nginx_worker_processes`
-  - `nginx_events`: key/value in events block
+- `nginx_pid`: daemon pid file
-  - `nginx_http`: key/value in http block
+- `nginx_events_*`: all variables in events block
+- `nginx_http_*`: all variables in http block
+- `nginx_custom_http`: instructions list (will put data in `/etc/nginx/conf.d/custom.conf`)
 
-### Vhost management
+Fine configuration
+------------------
 
-You can see many examples in: [tests/test.yml](tests/test.yml).
+[Vhost configuration](doc/vhost.md)
 
-  - `nginx_vhosts`: List of dict. A vhost has few keys. See bellow.
+[PHP configuration](doc/php.md)
 
-#### Common
+[Upstream Configuration](doc/upstream.md)
 
-  - `name`: (M) List of domain used. The first occurence is the most important!
+[Vhost configuration](doc/vhost.md)
-  - `template`: (M) template used to create vhost
-  - `enable`: (O) Enable the vhost (default is true)
-  - `delete`: (O) Delete the vhost (default is false)
-  - `redirect_from`: (O) Domain list to redirect to the first `name`. You can use this key to redirect non-www to www
-  - `location`: (O) Add new custom locations (it does not overwrite!)
-  - `more`: (O) Add more custom infos.
-  - `upstream_params`: (O) Add upstream params (useful when you want to pass variables to PHP)
 
-(O) : Optional
+[SSL/TLS Configuration](doc/ssl.md)
-(M) : Mandatory
 
-#### Templates
+[Basic Auth](doc/auth.md)
 
-  - `base`: static template
-  - `php`: PHP base template. Can work with many frameworks/tools.
-  - `wordpress`
-  - `dokuwiki`
-  - `proxy`
-
-Templates works as parent-child.
-
-#### About proxy template
-
-Proxy template allow you to use Nginx as reverse proxy. Usefull when you have application serveur such as Redmine, Jenkins...
-
-You have many key added to vhost key:
-
-  - `upstream_name`: (O) upstream name used to pass proxy
-  - `proxy_params`: (M) list of raw params passed to the vhost
-
-(O) : Optional
-(M) : Mandatory
-
-
-### Upstream management
-
-  - `nginx_upstreams`: List of dict. An upstream has few keys. See bellow.
-
-Note: Few params are unavailable on old Nginx version. But this role don't put it if your version is too old!
-
-#### Upstream params
-
-- `name`: upstream name. Can be use in vhost with *proxy_pass http://upstream_name*
-- `params`: list of param (hash, zone...)
-- `servers`: each upstream MUST have at least 1 server
-
-#### Server params
-
-You must set a `path`. For example: *192.168.0.50:8080* or *unix:/tmp/my.sock*.
-
-All this params are optional. You should see [Nginx upstream doc](http://nginx.org/en/docs/http/ngx_http_upstream_module.html).
-
-  - `weight`
-  - `max`fails`
-  - `fail`timeout`
-  - `backup`
-  - `down`
-  - `route`
-  - `slow`start`
 
 Dependencies
 ------------
@@ -122,9 +68,7 @@ None
 Example Playbook
 ----------------
 
-    - hosts: servers
+See [tests/test.yml](tests/test.yml).
-      roles:
-         - { role: HanXHX.nginx }
 
 License
 -------
@@ -134,6 +78,5 @@ GPLv2
 Author Information
 ------------------
 
-  - You can find many other roles in my GitHub "lab": https://github.com/HanXHX/my-ansible-playbooks
+- Twitter: [@hanxhx_](https://twitter.com/hanxhx_)
-  - All issues, pull-request are welcome :)
 

Vagrantfile

@@ -7,7 +7,8 @@ Vagrant.configure("2") do |config|
 
   vms = [
     [ "debian-wheezy", "deb/wheezy-amd64" , "192.168.33.27" ],
-    [ "debian-jessie", "deb/jessie-amd64", "192.168.33.28" ]
+    [ "debian-jessie", "deb/jessie-amd64", "192.168.33.28" ],
+    [ "debian-stretch", "sharlak/debian_stretch_64", "192.168.33.29" ]
   ]
 
   config.vm.provider "virtualbox" do |v|

defaults/main.yml

@@ -1,20 +1,28 @@
 ---
 
 nginx_apt_package: nginx-full
+nginx_backports: false
 
 #
 # Nginx shared variables
 #
 nginx_root: "/srv/www"
 nginx_log_dir: '/var/log/nginx'
-nginx_ssl_dir: '/etc/nginx/ssl'
+nginx_pid: '/run/nginx.pid'
-nginx_resolver:
+nginx_resolver_hosts: ['8.8.8.8', '8.8.4.4']
-  hosts: ['208.67.222.222', '208.67.220.220'] # OpenDNS
+nginx_resolver_valid: '300s'
-  valid: '300'
+nginx_resolver_timeout: '5s'
-  timeout: '5'
 nginx_error_log_level: 'warn' # http://nginx.org/en/docs/ngx_core_module.html#error_log
-nginx_dh_length: 2048
+nginx_auto_config_httpv2: true
+nginx_default_vhost: null
+nginx_default_vhost_ssl: null
 
+#
+# Nginx directories
+#
+nginx_htpasswd_dir: '/etc/nginx/htpasswd'
+nginx_ssl_dir: '/etc/nginx/ssl'
+nginx_helper_dir: '/etc/nginx/helper'
 
 #
 # Load upstream
@@ -24,6 +32,7 @@ nginx_dh_length: 2048
 nginx_php: false
 nginx_php_sockets:
   - unix_socket: "/var/run/php5-fpm.sock"
+nginx_upstreams: []
 
 #
 # Nginx configuration
@@ -31,43 +40,69 @@ nginx_php_sockets:
 nginx_user: 'www-data'
 nginx_worker_processes: '{{ ansible_processor_vcpus }}'
 
-nginx_events:
+#
-  worker_connections: '512'
+# Nginx events
-  multi_accept: 'on'
+#
-  use: 'epoll'
+nginx_events_worker_connections: '512'
+nginx_events_multi_accept: 'on'
+nginx_events_use: 'epoll'
 
 #
 # Nginx HTTP
 #
-nginx_http:
+nginx_http_types_hash_max_size: 2048
-  access_log: 'off'
+nginx_http_default_type: 'application/octet-stream'
-  error_log: 'off'
+nginx_http_access_log: 'off'
-  client_body_buffer_size: '1M'
+nginx_http_error_log: 'off'
-  client_header_buffer_size: '1M'
+nginx_http_client_body_buffer_size: '1M'
-  client_max_body_size: '10M'
+nginx_http_client_header_buffer_size: '1M'
-  large_client_header_buffers: '8 8k'
+nginx_http_client_max_body_size: '10M'
-  client_body_timeout: '60'
+nginx_http_large_client_header_buffers: '8 8k'
-  client_header_timeout: '60'
+nginx_http_client_body_timeout: '60'
-  keepalive_timeout: '30 30'
+nginx_http_client_header_timeout: '60'
-  send_timeout: '120'
+nginx_http_keepalive_timeout: '30 30'
-  ignore_invalid_headers: 'on'
+nginx_http_send_timeout: '120'
-  keepalive_requests: '100'
+nginx_http_ignore_invalid_headers: 'on'
-  recursive_error_pages: 'on'
+nginx_http_keepalive_requests: '100'
-  sendfile: 'on'
+nginx_http_recursive_error_pages: 'on'
-  server_name_in_redirect: 'off'
+nginx_http_sendfile: 'on'
-  server_tokens: 'off'
+nginx_http_server_name_in_redirect: 'off'
-  tcp_nodelay: 'on'
+nginx_http_server_tokens: 'off'
-  tcp_nopush: 'on'
+nginx_http_tcp_nodelay: 'on'
-  reset_timedout_connection: 'on'
+nginx_http_tcp_nopush: 'on'
-  gzip: 'on'
+nginx_http_reset_timedout_connection: 'on'
-  gzip_buffers: '16 8k'
+nginx_http_gzip: 'on'
-  gzip_comp_level: '9'
+nginx_http_gzip_buffers: '16 8k'
-  gzip_http_version: '1.0'
+nginx_http_gzip_comp_level: '9'
-  gzip_min_length: '0'
+nginx_http_gzip_http_version: '1.0'
-  gzip_types: 'text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml'
+nginx_http_gzip_min_length: '0'
-  gzip_vary: 'on'
+nginx_http_gzip_types: 'text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml'
-  gzip_disable: '"msie6"'
+nginx_http_gzip_vary: 'on'
-#  etag: 'off'
+nginx_http_gzip_disable: '"msie6"'
 
+#
+# nginx_http_custom
+#
+nginx_http_custom: []
+
+#
+# Vhosts
+#
 nginx_vhosts: []
-nginx_upstreams: []
+
+#
+# htpasswd
+#
+nginx_htpasswd: []
+
+#
+# SSL pairs
+#
+nginx_ssl_pairs: []
+
+#
+# Diffie-Hellman
+#
+nginx_dh: null
+nginx_dh_path: '{{ nginx_ssl_dir }}/dhparam.pem'
+nginx_dh_length: 2048

doc/auth.md

@@ -0,0 +1,41 @@
+Auth Basic management
+=====================
+
+Description
+-----------
+
+Auth basic is managed in a separate list. Each auth file can be shared between locations or vhosts.
+
+Each htpasswd has few keys:
+
+- `name`: (M) used to create file and as pointee
+- `description`: (M) Used for the message box :)
+- `users`: each users is composed with 3 keys: `name` (M), `password` (M) and `state` present/absent (default: present)
+- `state`: (O) present or absent. Default: present
+
+`nginx_htpasswd` should be placed in a vaut file.
+
+Example
+-------
+
+```
+nginx_vhosts:
+# htpasswd on all vhost
+  - name: test.local
+    htpasswd: 'hello'    
+    template: '_base'
+
+# htpasswd only in /hello
+  - name: test-location.local
+    template: '_base'
+    location:
+      '/hello':
+        - htpasswd: 'hello'    
+
+nginx_htpasswd:
+  - name: 'hello'
+    description: 'Please login!'
+    users:
+      - name: 'bob'
+        password: 'my_pass'
+```

doc/php.md

@@ -0,0 +1,18 @@
+PHP
+===
+
+- `nginx_php`: boolean if you need to preconfigure PHP (default: false)
+- `nginx_php_sockets`: list of sockets (see bellow)
+
+You should see [Nginx upstream module doc](http://nginx.org/en/docs/http/ngx_http_upstream_module.html).
+
+Each socket have:
+
+- `unix_socket`
+- `host`
+- `port`
+- `weight`
+- `max_fails`
+- `fail_timeout`
+
+With default configuration, it works fine with PHP-FPM. But if you install PHP7 with Dotdeb, path changed between version, you must set well this list.

doc/ssl.md

@@ -0,0 +1,67 @@
+SSL/TLS Management
+==================
+
+You can put all this variables in a separated vault file.
+
+Variables
+---------
+
+- `nginx_dh`: DH content
+- `nginx_dh_length`: DH key length (default is 2048)
+- `nginx_dh_path`: file localation
+- `nginx_ssl_dir`: directory where you install your SSL/TLS keys
+- `nginx_ssl_pairs`
+
+Cert/Key pairs
+--------------
+
+This list have 3 mandatory keys:
+
+- `name`: MUST be unique 
+
+- `key`: content of the private key
+- `cert`: content of the public key
+
+OR
+
+- `dest_cert`: remote path where certificate is located
+- `dest_key`: remote path where key is located
+
+
+Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo", key is -> /etc/nginx/ssl/foo/foo.key
+
+Tips
+----
+
+Deploying key/cert is not mandatory with this role. You can manage it in other place ([letsencrypt](https://letsencrypt.org/)? :)). You just need to set `dest_cert` and `dest_key`!
+
+If you set all, you can deploy your key everywhere with wanted data!
+
+
+Diffie-Hellman
+--------------
+
+If you do not specify any dh param, this role auto generates it.
+
+Example
+-------
+
+```
+nginx_vhosts;
+  - name: 'test-ssl.local'
+    proto: ['http', 'https']
+    template: '_base'
+    ssl_name: 'mysuperkey'
+
+nginx_ssl_pairs:
+  - name: mysuperkey
+    key: |
+      -----BEGIN RSA PRIVATE KEY-----
+      ....(snip)....
+      -----END RSA PRIVATE KEY-----
+    cert: |
+      -----BEGIN CERTIFICATE-----
+      ....(snip)....
+      -----END CERTIFICATE-----
+```
+

doc/upstream.md

@@ -0,0 +1,29 @@
+Upstream management
+===================
+
+`nginx_upstreams`: List of dict. An upstream has few keys. See bellow.
+
+Note: Few params are unavailable on old Nginx version. But this role do _not_ put it if your version is too old!
+
+Upstream params
+---------------
+
+- `name`: upstream name. Can be use in vhost with *proxy_pass http://upstream_name*
+- `params`: list of param (hash, zone...)
+- `servers`: each upstream MUST have at least 1 server
+
+Server params
+-------------
+
+You must set a `path`. For example: *192.168.0.50:8080* or *unix:/tmp/my.sock*.
+
+All this params are optional. You should see [Nginx upstream doc](http://nginx.org/en/docs/http/ngx_http_upstream_module.html).
+
+- `weight`
+- `max_fails`
+- `fail_timeout`
+- `backup`
+- `down`
+- `route`
+- `slow`start`
+

doc/vhost.md

@@ -0,0 +1,65 @@
+Vhost management
+================
+
+You can see many examples in: [tests/test.yml](../tests/test.yml).
+
+`nginx_vhosts`: List of dict. A vhost has few keys. See bellow.
+
+Common
+------
+
+- `name`: (M) Domain or list of domain used.
+- `template`: (D) template used to create vhost. Optional if you set `delete` to true or using `redirect_tor`.
+- `enable`: (O) Enable the vhost (default is true)
+- `delete`: (O) Delete the vhost (default is false)
+- `redirect_from`: (O) Domain list to redirect to the first `name`. You can use this key to redirect non-www to www
+- `redirect_to`: (O) Redirect all requests to this domain. Please set scheme (http:// or https:// or $sheme).
+- `redirect_to_code`: Redirect code (default: 302)
+- `location`: (O) Add new custom locations (it does not overwrite!)
+- `more`: (O) Add more custom infos.
+- `upstream_params`: (O) Add upstream params (useful when you want to pass variables to PHP)
+- `override_try_files`: (O) overrides default try\_files defined in template
+- `manage_local_content`: (O) Boolean. Set to false if you do not want to manage local content (images, css...). This option is useless if you use `_proxy` template or `redirect_to` feature.
+- `htpasswd`: (O) References name key in `nginx_htpasswd`. Enable auth basic on all vhost.
+- `proto`: (O) list of protocol used. Default is a list with "http". If you need http and https, you must set a list with "http" and "https". You can only set "https" without http support.
+- `ssl_name`: (D) name of the key used when using TLS/SSL. Mandatory when `proto` contains "https"
+
+(O): Optional
+(M): Mandatory
+(D): Depends other keys...
+
+Templates
+---------
+
+- `_base`: static template
+- `_backuppc`: access to [BackupPC](http://backuppc.sourceforge.net/) (be careful: you need to install [fcgiwrap](https://packages.debian.org/jessie/fcgiwrap))
+- `_dokuwiki`
+- `_redirect`: should not be called explicitly
+- `_nagios3`: access to Nagios3 (be careful: you need to install [fcgiwrap](https://packages.debian.org/jessie/fcgiwrap))
+- `_phalcon`: Phalcon PHP Framework
+- `_php`: PHP base template. Can work with many frameworks/tools
+- `_php_index`: Same as above. But you can only run index.php
+- `_proxy`
+- `_wordpress`
+
+Templates works as parent-child.
+
+About proxy template
+--------------------
+
+Proxy template allow you to use Nginx as reverse proxy. Usefull when you have an application service such as Redmine, Jenkins...
+
+You have many key added to vhost key:
+
+- `upstream_name`: (O) upstream name used to pass proxy
+- `proxy_params`: (M) list of raw params passed to the vhost
+
+(O) : Optional
+
+Default vhosts
+--------------
+
+You can manage default vhost by setting domain name to these variables.
+
+- `nginx_default_vhost`
+- `nginx_default_vhost_ssl`

handlers/main.yml

@@ -1,6 +1,4 @@
 ---
-- name: restart nginx
-  action: service name=nginx state=restarted enabled=yes
 
 - name: reload nginx
   action: service name=nginx state=reloaded enabled=yes

meta/main.yml

@@ -4,7 +4,7 @@ galaxy_info:
   description: Nginx for Debian 
   company:
   license: GPLv2 
-  min_ansible_version: 1.2
+  min_ansible_version: 2.0
   platforms:
   - name: Debian
     versions:

tasks/config.yml

@@ -0,0 +1,21 @@
+---
+
+- name: TEMPLATE | Deploy nginx.conf
+  template: >
+    src=etc/nginx/nginx.conf.j2
+    dest=/etc/nginx/nginx.conf
+  notify: reload nginx
+
+- name: TEMPLATE | Deploy all helpers
+  template: >
+    src={{ item }}
+    dest={{ nginx_helper_dir }}/{{ item | basename | regex_replace('\.j2$','') }}
+  with_fileglob: '../templates/etc/nginx/helper/*.j2'
+  notify: reload nginx
+
+- name: TEMPLATE | Deploy custom http configuration
+  template: >
+    src=etc/nginx/conf.d/custom.conf.j2
+    dest=/etc/nginx/conf.d/custom.conf
+  notify: reload nginx
+

tasks/htpasswd.yml

@@ -0,0 +1,19 @@
+---
+
+- name: FILE | Delete htpasswd file
+  file: >
+    path={{ nginx_htpasswd_dir }}/{{ item.name }}
+    state=absent
+  with_items: nginx_htpasswd
+  when: item.state is defined and item.state == 'absent'
+
+- name: HTPASSWD | Manage files
+  htpasswd: >
+    name={{ item.1.name }}
+    password={{ item.1.password }}
+    state={{ item.1.state | default('present') }}
+    path={{ nginx_htpasswd_dir }}/{{ item.0.name }}
+  with_subelements:
+    - nginx_htpasswd
+    - users
+  when: item.0.state is not defined or item.0.state == 'present' 

tasks/install.yml

@@ -0,0 +1,13 @@
+---
+
+- name: APT | Install nginx and dependencies
+  apt: >
+    pkg={{ nginx_apt_package }}
+    state=present
+    update_cache=yes
+    cache_valid_time=3600
+    default_release={{ ansible_distribution_release + '-backports' if nginx_backports else ansible_distribution_release }}
+
+- name: APT | Install python-passlib
+  apt: pkg=python-passlib state=present
+

tasks/main.yml

@@ -1,40 +1,23 @@
 ---
 
-- name: APT | Install nginx
+- name: INCLUDE | Install
-  apt: pkg={{ nginx_apt_package }} state=latest update_cache=yes cache_valid_time=3600
+  include: install.yml
 
-- name: SHELL | Get Nginx version
+- name: INCLUDE | Prepare
-  shell: nginx -v 2>&1 | sed -r 's#.*/##;' | cut -d ' ' -f 1
+  include: prepare.yml
-  register: nginx_version
-  changed_when: false
 
-- name: TEMPLATE | Deploy nginx.conf
+- name: INCLUDE | Install
-  template: src=etc/nginx/nginx.conf.j2 dest=/etc/nginx/nginx.conf validate= "nginx -t"
+  include: config.yml
-  notify: restart nginx
-
-- name: FILE | Create /etc/nginx/helpers
-  file: dest=/etc/nginx/helpers owner=root mode=0755 state=directory
-
-- name: FILE | Create /etc/nginx/ssl
-  file: dest=/etc/nginx/ssl owner=root mode=0755 state=directory
-
-#- name: COMMAND | Creates DH file
-#  command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
-#  args:
-#    creates: "{{ nginx_dh_path }}"
-
-- name: TEMPLATE | Deploy all helpers
-  template: src={{ item }} dest=/etc/nginx/helpers/{{ item | basename | regex_replace('\.j2$','') }}
-  with_fileglob: '../templates/etc/nginx/helpers/*.j2'
-  notify: reload nginx
 
 - name: INCLUDE | Upstream configuration
   include: upstream.yml
-  when: nginx_php
+
+- name: INCLUDE | htpasswd configuration
+  include: htpasswd.yml
+
+- name: INCLUDE | SSL configuration
+  include: ssl.yml
 
 - name: INCLUDE | Vhosts configuration
   include: vhost.yml
 
-# TODO:
-# - Python
-# - Ruby (SHIT!)

tasks/prepare.yml

@@ -0,0 +1,16 @@
+---
+
+- name: SHELL | Get Nginx version
+  shell: nginx -v 2>&1 | sed -r 's#.*/##;' | cut -d ' ' -f 1
+  register: nginx_version
+  changed_when: false
+
+- name: SHELL | Get module list
+  shell: nginx -V 2>&1 | tr -- - '\n' | grep -A 1 with | grep _module | sed -r 's/_module\s*$//g' |sort
+  register: nginx_modules
+  changed_when: false
+
+- name: FILE | Create folders
+  file: dest={{ item }} owner=root mode=0755 state=directory
+  with_items: "{{ nginx_dirs }}"
+

tasks/ssl.yml

@@ -0,0 +1,39 @@
+---
+
+- name: COMMAND | Generate DH file
+  command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
+  args:
+    creates: "{{ nginx_dh_path }}"
+  when: nginx_dh is not string
+  notify: reload nginx
+
+- name: COPY | Deploy DH file from vars
+  copy: >
+    content="{{ nginx_dh }}"
+    dest="{{ nginx_dh_path }}"
+  when: nginx_dh is string
+  notify: reload nginx
+
+- name: FILE | Create SSL directories
+  file: >
+    path="{{ nginx_ssl_dir + '/' + item.name }}"
+    state=directory
+  with_items: nginx_ssl_pairs
+  when: item.dest_key is not defined or item.dest_cert is not defined
+
+- name: COPY | Deploy SSL keys
+  copy: >
+    content="{{ item.key }}"
+    dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.key' if item.dest_key is not defined else item.dest_key }}"
+  with_items: nginx_ssl_pairs
+  when: item.key is defined
+  notify: reload nginx
+
+- name: COPY | Deploy SSL certs
+  copy: >
+    content="{{ item.cert }}"
+    dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.crt' if item.dest_cert is not defined else item.dest_cert }}"
+  with_items: nginx_ssl_pairs
+  when: item.cert is defined
+  notify: reload nginx
+

tasks/upstream.yml

@@ -2,6 +2,7 @@
 
 - name: TEMPLATE | Deploy PHP upstream to Nginx
   template: src=etc/nginx/upstream/php.conf.j2 dest=/etc/nginx/conf.d/php.conf
+  when: nginx_php
   notify: reload nginx
 
 - name: TEMPLATE | Deploy other upstreams

tasks/vhost.yml

@@ -1,19 +1,50 @@
 ---
 
+- name: FAIL | Check vhost and SSL/TLS support
+  fail: msg="Missmatch configuration for vhost {{ item.name if item.name is string else item.name[0] }}"
+  when: >
+    item.proto is defined and
+    'https' in item.proto and
+    item.ssl_name is not defined
+  with_items: nginx_vhosts
+
+- name: FILE | Create root directory
+  file: >
+    path={{ nginx_root }}
+    state=directory
+
 - name: FILE | Create root folders (foreach nginx_vhosts)
   file: >
-    path={{ nginx_root }}/{{ item.name[0] }}/public
+    path={{ nginx_root }}/{{ item.name if item.name is string else item.name[0] }}
     state=directory
     owner={{ item.owner | default('www-data') }}
     group={{ item.group | default('www-data') }}
     mode={{ item.mode | default('0755') }}
   with_items: nginx_vhosts
-  when: item.root is not defined and item.template != '_proxy'
+  when: >
+    item.root is not defined and
+    (item.template is defined and item.template not in nginx_templates_no_dir) and
+    (item.delete is not defined or not item.delete) and
+    item.redirect_to is not defined
+
+- name: FILE | Create root public folders (foreach nginx_vhosts)
+  file: >
+    path={{ nginx_root }}/{{ item.name if item.name is string else item.name[0] }}/public
+    state=directory
+    owner={{ item.owner | default('www-data') }}
+    group={{ item.group | default('www-data') }}
+    mode={{ item.mode | default('0755') }}
+  with_items: nginx_vhosts
+  when: >
+    item.root is not defined and
+    (item.template is defined and item.template not in nginx_templates_no_dir) and
+    (item.delete is not defined or not item.delete) and
+    item.redirect_to is not defined
 
 - name: TEMPLATE | Create vhosts
   template: >
-    src=etc/nginx/sites-available/{{ item.template }}.j2
+    src=etc/nginx/sites-available/{{ item.template if item.redirect_to is not defined else '_redirect' }}.j2
-    dest=/etc/nginx/sites-available/{{ item.name[0] }}
+    dest=/etc/nginx/sites-available/{{ item.name if item.name is string else item.name[0] }}
   with_items: nginx_vhosts
   notify: reload nginx
   when: item.delete is not defined or not item.delete
@@ -23,16 +54,15 @@
 #  with_fileglob: "web/*"
 
 - name: FILE | Delete vhosts
-  file: dest=/etc/nginx/sites-enabled/{{ item.name[0] }} state=absent
+  file: path=/etc/nginx/sites-available/{{ item.name if item.name is string else item.name[0] }} state=absent
-  file: dest=/etc/nginx/sites-available/{{ item.name[0] }} state=absent
   with_items: nginx_vhosts
   notify: reload nginx
   when: item.delete is defined and item.delete
 
 - name: FILE | Enable vhosts
   file: >
-    src=/etc/nginx/sites-available/{{ item.name[0] }}
+    src=/etc/nginx/sites-available/{{ item.name if item.name is string else item.name[0] }}
-    dest=/etc/nginx/sites-enabled/{{ item.name[0] }}
+    dest=/etc/nginx/sites-enabled/{{ item.name if item.name is string else item.name[0] }}
     state=link
   with_items: nginx_vhosts
   notify: reload nginx
@@ -42,24 +72,22 @@
     (item.delete is not defined or not item.delete)
 
 - name: FILE | Disable vhosts
-  file: dest=/etc/nginx/sites-enabled/{{ item.name[0] }} state=absent
+  file: path=/etc/nginx/sites-enabled/{{ item.name if item.name is string else item.name[0] }} state=absent
   with_items: nginx_vhosts
   notify: reload nginx
-  when: item.enable is defined and not item.enable
+  when: (item.enable is defined and not item.enable) or (item.delete is defined and item.delete)
 
-#- name: FILE | Create ssl dir per vhost (if needed)
+- name: FILE | Delete default vhost when explicitely defined
-#  file: dest=/etc/nginx/ssl/{{ item.name }} owner=root mode=0750 state=directory
+  file: >
-#  with_items: nginx_vhosts
+    path=/etc/nginx/sites-enabled/default
-#  when: item.ssl.use is defined and item.ssl.use
+    state=absent
-
+  notify: reload nginx
-# TODO...
+  when: nginx_default_vhost is not none
-#- name: COPY | Deploy SSL keys if needed
-#  copy: src=keys/{{ item.name }}/{{ item.name }}.crt dest=/etc/nginx/ssl/{{ item.name }} mode=660
-#  copy: src=keys/{{ item.name }}/{{ item.name }}.key dest=/etc/nginx/ssl/{{ item.name }} mode=660
-#  with_items: nginx_vhosts
-#  when: item.ssl.use and not generatekey
-
-# TODO:
-# - deploy defaults files (index.html/index.php) allready in files/
-# - work with role "ssl_autosign"
 
+- name: FILE | Auto set default vhost
+  file: >
+    src=/etc/nginx/sites-available/default
+    dest=/etc/nginx/sites-enabled/default
+    state=link
+  notify: reload nginx
+  when: nginx_default_vhost is none

templates/etc/nginx/conf.d/custom.conf.j2

@@ -0,0 +1,7 @@
+#
+# {{ ansible_managed }}
+#
+
+{% for i in nginx_custom_http %}
+{{ i }}
+{% endfor %}

templates/etc/nginx/helper/ssl-legacy.j2

@@ -9,10 +9,12 @@ ssl_session_cache shared:SSL:10m;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
+{% if nginx_version.stdout | version_compare('1.3.7', 'ge') %}
 ssl_stapling on;
 ssl_stapling_verify on;
-resolver {{ nginx_resolver.hosts | default(['208.67.222.222', '208.67.220.220']) | join(' ') }} valid={{ nginx_resolver.valid}}s;
+{% endif %}
-resolver_timeout {{ nginx_resolver.timeout }}s;
+resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
-
+resolver_timeout {{ nginx_resolver_timeout }};
+ssl_dhparam {{ nginx_dh_path }};
 
 # vim:filetype=nginx

templates/etc/nginx/helper/ssl-strong.j2

@@ -9,10 +9,12 @@ ssl_session_cache shared:SSL:10m;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
+{% if nginx_version.stdout | version_compare('1.3.7', 'ge') %}
 ssl_stapling on;
 ssl_stapling_verify on;
-resolver {{ nginx_resolver.hosts | default(['208.67.222.222', '208.67.220.220']) | join(' ') }} valid={{ nginx_resolver.valid}}s;
+{% endif %}
-resolver_timeout {{ nginx_resolver.timeout }}s;
+resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
-
+resolver_timeout {{ nginx_resolver_timeout }};
+ssl_dhparam {{ nginx_dh_path }};
 
 # vim:filetype=nginx

templates/etc/nginx/nginx.conf.j2

@@ -4,24 +4,46 @@
 
 user {{ nginx_user }};
 worker_processes {{ nginx_worker_processes }};
-pid /run/nginx.pid;
+pid {{ nginx_pid }};
 
 events {
-{% for key, value in nginx_events.iteritems() %}
+	worker_connections {{ nginx_events_worker_connections }};
-{{ "\t%-30s %s" | format(key, value) }};
+	multi_accept {{ nginx_events_multi_accept }};
-{% endfor %}
+	use {{ nginx_events_use }};
 }
 
 http {
-	types_hash_max_size 2048;
+	types_hash_max_size {{ nginx_http_types_hash_max_size }};
 	include /etc/nginx/mime.types;
-	default_type application/octet-stream;
 
-	# From Ansible
+	default_type {{ nginx_http_default_type }};
-{% for key, value in nginx_http.iteritems() %}
+	access_log {{ nginx_http_access_log }};
-{{ "\t%-30s %s" | format(key, value) }};
+	error_log {{ nginx_http_error_log }};
-{% endfor %}
+	client_body_buffer_size {{ nginx_http_client_body_buffer_size }};
-	# /From Ansible
+	client_header_buffer_size {{ nginx_http_client_header_buffer_size }};
+	client_max_body_size {{ nginx_http_client_max_body_size }};
+	large_client_header_buffers {{ nginx_http_large_client_header_buffers }};
+	client_body_timeout {{ nginx_http_client_body_timeout }};
+	client_header_timeout {{ nginx_http_client_header_timeout }};
+	keepalive_timeout {{ nginx_http_keepalive_timeout }};
+	send_timeout {{ nginx_http_send_timeout }};
+	ignore_invalid_headers {{ nginx_http_ignore_invalid_headers }};
+	keepalive_requests {{ nginx_http_keepalive_requests }};
+	recursive_error_pages {{ nginx_http_recursive_error_pages }};
+	sendfile {{ nginx_http_sendfile }};
+	server_name_in_redirect {{ nginx_http_server_name_in_redirect }};
+	server_tokens {{ nginx_http_server_tokens }};
+	tcp_nodelay {{ nginx_http_tcp_nodelay }};
+	tcp_nopush {{ nginx_http_tcp_nopush }};
+	reset_timedout_connection {{ nginx_http_reset_timedout_connection }};
+	gzip {{ nginx_http_gzip }};
+	gzip_buffers {{ nginx_http_gzip_buffers }};
+	gzip_comp_level {{ nginx_http_gzip_comp_level }};
+	gzip_http_version {{ nginx_http_gzip_http_version }};
+	gzip_min_length {{ nginx_http_gzip_min_length }};
+	gzip_types {{ nginx_http_gzip_types }};
+	gzip_vary {{ nginx_http_gzip_vary }};
+	gzip_disable {{ nginx_http_gzip_disable }};
 
 	include /etc/nginx/conf.d/*.conf;
 	include /etc/nginx/sites-enabled/*;

templates/etc/nginx/sites-available/_backuppc.j2

@@ -0,0 +1,33 @@
+{% extends "_base.j2" %}
+
+{% block root %}
+	root /usr/share/backuppc/cgi-bin;
+{% endblock %}
+
+{% block template_try_files %}
+{% endblock %}
+
+{% block template_index %}
+	index index.cgi;
+{% endblock %}
+
+{% block template_local_content %}
+	location ~ /\.ht {
+		deny all;
+	}
+
+	location /backuppc/image {
+		alias /usr/share/backuppc/image;
+		expires 60d;
+	}
+{% endblock %}
+
+{% block template_upstream_location %}
+	location ~ \.cgi$ {
+		gzip off;
+		include /etc/nginx/fastcgi_params;
+		fastcgi_pass unix:/var/run/fcgiwrap.socket;
+		fastcgi_index BackupPC_Admin;
+		fastcgi_param SCRIPT_FILENAME /usr/share/backuppc/cgi-bin$fastcgi_script_name;
+	}
+{% endblock %}

templates/etc/nginx/sites-available/_base.j2

@@ -1,6 +1,20 @@
+{% set __proto = item.proto | default(['http']) %}
+{% set __main_name =  item.name if item.name is string else item.name[0] %}
 {% set __listen = item.listen | default(['80']) %}
 {% set __listen_ssl = item.listen_ssl | default(['443']) %}
 {% set __location = item.location | default({}) %}
+{% macro htpasswd(htpasswd_name, indent=1) -%}
+{% for ht in nginx_htpasswd if ht.name == htpasswd_name %}
+{{ "\t" * indent }}auth_basic "{{ ht.description }}";
+{{ "\t" * indent }}auth_basic_user_file {{ nginx_htpasswd_dir }}/{{ ht.name }};
+{% endfor%}
+{%- endmacro %}
+{% macro ssl(ssl_name) %}
+{% for sn in nginx_ssl_pairs if sn.name == ssl_name %}
+	ssl_certificate {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.crt' if sn.dest_cert is not defined else sn.dest_cert }};
+	ssl_certificate_key {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key' if sn.dest_key is not defined else sn.dest_key }};
+{% endfor %}
+{%- endmacro %}
 #
 # {{ ansible_managed }}
 #
@@ -9,15 +23,26 @@
 # HTTP
 #
 server {
+{% if 'http' in __proto %}
 {% for port in __listen %}
-	listen {{ port }};
+	listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %};
 {% endfor %}
-	server_name {{ item.name | join(' ') }};
+{% endif %}
+{% if 'https' in __proto %}
+{% for port in __listen_ssl %}
+	listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules.stdout_lines %}http2{% endif %};
+{% endfor %}
+{{ ssl(item.ssl_name) }}
+	include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
+{% endif %}
+	server_name {% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(' ') }}{% endif %};
+{% block root %}
 {% if item.root is defined %}
 	root {{ item.root }};
 {% else %}
-	root {{ nginx_root }}/{{ item.name[0] }}/public;
+	root {{ nginx_root }}/{{ __main_name }}/public;
 {% endif %}
+{% endblock %}
 {% block template_index %}
 	index {{ item.index | default('index.html index.htm') }};
 {% endblock %}
@@ -28,22 +53,29 @@ server {
 {% endfor %}
 {% endif %}
 
+{% if item.htpasswd is defined %}
+{{ htpasswd(item.htpasswd, 1) }}
+{% endif %}
+
+{% if not __location.has_key('/') %}
 	location / {
 {% block template_try_files %}
-		try_files $uri $uri/ =404;
+		try_files {{ override_try_files | default('$uri $uri/ =404') }};
 {% endblock %}
 	}
+{% endif %}
 
 {% block template_upstream_location %}
 {% endblock %}
 {% block template_custom_location %}
 {% endblock %}
 
+{% block template_local_content %}
+{% if item.manage_local_content is not defined or item.manage_local_content %}
 	location ~ /\.ht {
 		deny all;
 	}
 
-{% block template_local_content %}
 	location = /favicon.ico {
 		expires 30d;
 		access_log off;
@@ -54,6 +86,7 @@ server {
 		expires 30d;
 		log_not_found off;
 	}
+{% endif %}
 {% endblock %}
 
 {% if __location is iterable and __location | length > 0 %}
@@ -61,36 +94,26 @@ server {
 {% for location, opts in __location.iteritems() %}
 	location {{ location }} {
 {% for opt in opts %}
+{% if opt.htpasswd is defined %}{{ htpasswd(opt.htpasswd, 2) }}{% else %}
 		{{ opt }}
+{% endif %}
 {% endfor  %}
 	}
 {% endfor %}	# <-- Custom locations
 {% endif %}
 
 {% if item.use_access_log is defined and item.use_access_log %}
-	access_log {{ nginx_log_dir }}/{{ item.name[0] }}_access.log combined;
+	access_log {{ nginx_log_dir }}/{{ __main_name }}_access.log combined;
 {% else %}
 	access_log off;
 {% endif %}
 {% if item.use_error_log is defined and item.use_error_log %}
-	error_log {{ nginx_log_dir }}/{{ item.name[0] }}_error.log {{ nginx_error_log_level }};
+	error_log {{ nginx_log_dir }}/{{ __main_name }}_error.log {{ nginx_error_log_level }};
 {% else %}
 	error_log off;
 {% endif %}
 }
 
-{#
-ssl on;
-ssl_certificate {{ nginx_ssl_dir }}/{{ item.name }}/{{ item.name }}.crt;
-ssl_certificate_key {{ nginx_ssl_dir }}/{{ item.name }}/{{ item.name }}.key;
-include /etc/nginx/helpers/ssl-{{ item.ssl.template | default('strong') }};
-#}
-
-
-# HTTPS
-#server {
-#}
-
 {% if item.redirect_from is defined and item.redirect_from is iterable %}
 #
 # Redirect from
@@ -100,7 +123,7 @@ server {
 	listen {{ port }};
 {% endfor %}
 	server_name {{ item.redirect_from | join(' ') }};
-	return 301 $scheme://{{ item.name[0] }}$request_uri;
+	return 301 $scheme://{{ __main_name }}$request_uri;
 }
 {% endif %}
 

templates/etc/nginx/sites-available/_nagios3.j2

@@ -0,0 +1,47 @@
+{% extends "_base.j2" %}
+
+{% block root %}
+	root /usr/share/nagios3/htdocs;
+{% endblock %}
+
+{% block template_try_files %}
+{% endblock %}
+
+{% block template_index %}
+	index index.php index.html;
+{% endblock %}
+
+{% block template_local_content %}
+	location ~ /\.ht {
+		deny all;
+	}
+
+	location /stylesheets {
+		alias /etc/nagios3/stylesheets;
+		expires 60d;
+	}
+{% endblock %}
+
+{% block template_upstream_location %}
+	location /cgi-bin/nagios3 {
+		root /usr/lib;
+		try_files $uri =404;
+{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
+		include fastcgi_params;
+{% else %}
+		include fastcgi.conf;
+{% endif %}
+		fastcgi_pass unix:/var/run/fcgiwrap.socket;
+		fastcgi_param AUTH_USER $remote_user;
+		fastcgi_param REMOTE_USER $remote_user;
+	}
+	location ~ \.php$ {
+		fastcgi_pass php;
+		fastcgi_index index.php;
+{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
+		include fastcgi_params;
+{% else %}
+		include fastcgi.conf;
+{% endif %}
+	}
+{% endblock %}

templates/etc/nginx/sites-available/_php.j2

@@ -4,7 +4,7 @@
 {% endblock %}
 
 {% block template_try_files %}
-		try_files $uri $uri/ /index.php;
+		try_files {{ override_try_files | default('$uri $uri/ /index.php') }};
 {% endblock %}
 
 {% block template_upstream_location %}

templates/etc/nginx/sites-available/_php_index.j2

@@ -0,0 +1,24 @@
+{% extends "_php.j2" %}
+
+{% block template_upstream_location %}
+	location = /index.php {
+		fastcgi_pass php;
+		fastcgi_index index.php;
+{% if item.upstream_params is defined and item.upstream_params is iterable %}
+{% for param in item.upstream_params %}
+		{{ param }}
+{% endfor %}
+{% endif %}
+{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
+		include fastcgi_params;
+{% else %}
+		include fastcgi.conf;
+{% endif %}
+	}
+{% endblock %}
+
+{% block template_custom_location %}
+	location ~ \.(php\d?|phtml)$ {
+		return 403;
+	}
+{% endblock %}

templates/etc/nginx/sites-available/_proxy.j2

@@ -1,16 +1,14 @@
 {% extends "_base.j2" %}
 
+{% block root %}
+{% if item.root is defined %}
+	root {{ item.root }};
+{% endif %}
+{% endblock %}
+
 {% block template_try_files %}
-		proxy_set_header Host $host;
+		include /etc/nginx/proxy_params;
-		proxy_set_header X-Real-IP $remote_addr;
-		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-		proxy_set_header X-Forwarded-Proto $scheme;
-		
 		proxy_pass http://{{ item.upstream_name }};
-		proxy_read_timeout 90;
-		
-		{#proxy_redirect http://{{ upstream.name }} https://jenkins.domain.tld;#}
-
 {% if item.proxy_params is defined and item.proxy_params is iterable %}
 {% for param in item.proxy_params %}
 		{{ param }}

templates/etc/nginx/sites-available/_redirect.j2

@@ -0,0 +1,14 @@
+{% extends "_base.j2" %}
+
+{% block root %}
+{% endblock %}
+
+{% block template_index %}
+{% endblock %}
+
+{% block template_try_files %}
+		return {{ item.redirect_to_code | default('302') }} {{ item.redirect_to }}$request_uri;
+{% endblock %}
+
+{% block template_local_content %}
+{% endblock %}

tests/debian-jessie.Dockerfile

@@ -2,5 +2,3 @@ FROM williamyeh/ansible:debian8-onbuild
 
 RUN apt-get update
 CMD ["sh", "tests/test.sh"]
-
-EXPOSE 6379

tests/debian-wheezy.Dockerfile

@@ -2,5 +2,3 @@ FROM williamyeh/ansible:debian7-onbuild
 
 RUN apt-get update
 CMD ["sh", "tests/test.sh"]
-
-EXPOSE 6379

tests/file/test.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHTCCAgWgAwIBAgIJAJzUwbFlhyxIMA0GCSqGSIb3DQEBCwUAMCUxIzAhBgNV
+BAMMGnRlc3Qtc3NsLXByZWRlcGxveWVkLmxvY2FsMB4XDTE2MDExMjE2MDUxNVoX
+DTI2MDEwOTE2MDUxNVowJTEjMCEGA1UEAwwadGVzdC1zc2wtcHJlZGVwbG95ZWQu
+bG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDm4q94vffiU89G
+GO7rjDfr3C32tH9sM5sXqJT+7N5BLYLF0iSRIvy33MtwFu//TV3f+8nLlQuHYVVk
+L6NEvaL8lh+nRexCQ/y+aXMh7lMhuwPXGgPR1LXsTqyDXbmV9c7k/Kwx5qHAcOb9
+d9YzmcOSO4M9v3WMl/4Zw2J7zNYruypxNBgFEwFx3NJ3AztACMYoVOIR5mS8ARX6
+xea4ddii1F41Vch+eiCGP9VZwDhEujhjy9PXvdBtYNwggM6d82Df9wwaFyIW5DU4
+PhpgAngvE2keY0GLy/LaXa6LAW+TCfPMRT2RtDuvqWr+useWF+O3n81TZqM/G7LV
+9iPxkkRNAgMBAAGjUDBOMB0GA1UdDgQWBBSzXW5UY02/S0xrrobZCVOhas6VeDAf
+BgNVHSMEGDAWgBSzXW5UY02/S0xrrobZCVOhas6VeDAMBgNVHRMEBTADAQH/MA0G
+CSqGSIb3DQEBCwUAA4IBAQC0+Tr0w9aG4f3LG3+WRGKfMopKICNEkA7JrPrvVUq8
+7UgtdrpOUZAL5AKxVVo1rHDdoL/VpjdqHdhyPzaSUl8hppCFsWmdQh4wLKGoyvcN
+AqSGpXTeLSoFJ357F2OIQpXm2lfT2fVGebwyCNFkwpp7klFnmOusSl2/v5Y5cz+A
+WvWrDg3jsNglx3mNLVcjbOSnen2PsZSmcVo27D0el6oDju8jjstyJ+Dvu0WP+CDL
+s/VolFdbei7d4r2dj86OZ/BCZurltyc0wI3NMOdUuA7q4f1MPTRu7qr/ua5ItK92
+Avc+Gjn/Y/aIhzKpPicJQDK6FzxjfhCc8xtk0EjB4IpP
+-----END CERTIFICATE-----

tests/file/test.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDm4q94vffiU89G
+GO7rjDfr3C32tH9sM5sXqJT+7N5BLYLF0iSRIvy33MtwFu//TV3f+8nLlQuHYVVk
+L6NEvaL8lh+nRexCQ/y+aXMh7lMhuwPXGgPR1LXsTqyDXbmV9c7k/Kwx5qHAcOb9
+d9YzmcOSO4M9v3WMl/4Zw2J7zNYruypxNBgFEwFx3NJ3AztACMYoVOIR5mS8ARX6
+xea4ddii1F41Vch+eiCGP9VZwDhEujhjy9PXvdBtYNwggM6d82Df9wwaFyIW5DU4
+PhpgAngvE2keY0GLy/LaXa6LAW+TCfPMRT2RtDuvqWr+useWF+O3n81TZqM/G7LV
+9iPxkkRNAgMBAAECggEAEEeZkczrRpUcP1gQuKEZbFMJFqUhevKkk+V6JAN1pGje
+GK65j1ZFNX2nBo9Hetvsq5doYidvOat+RuMpAvbQIDlBoBzJDN8YWiC7UoAocm9q
+VOdrr4btEO13MogQRuefH/xE8/vMGfKcBvFFNDw6UvxJQ7hVRIWPECf7sLj/vPOC
+OpMKghxcabQqidMPKyyHVPhQjuIvqW/SqBFpD+Ul0Ja1QGdx+p+/EwVmXnei6Kr8
+/ypULreHqIlBLD6McfFehxDV0m5U7qXb5xK3zdUurIhZixKLjbdRrorNInfEvlOh
+vDy+hsF5GSzvn9dRrMAy/QcRPpXU47VNYZ5BfdCBTQKBgQD8VCbdpG5siXSlIjZd
+xypgK1ttp8udTPWC1trnAc+Ku9O+cGmvABxYJA1iR/GDpSfMxglB7OhSecywKrr+
+S7Yjs9e/dyBmvF7U15JJaGp+db2Ct64z7MvqkwSJ5a0qrrZJRFetDdqdH9FPvURs
+B147jbKsPiGcljjXbZlOBHJH9wKBgQDqPqoA3VqYOmvR7Ei8/skY2EOpFpOhSNko
+ARFwUsDNHRk677URH97TCHq5UrwubfCeIcIptXHrMfaTsfq8vPLPykReIMRaknxf
+DULJPHSoeBLrCAZmaWF1JVyYhrLhHNAzQ3u7a/kYIJm87FEZy3Ml6FSZmIGbRBqx
+zqZYKoHs2wKBgQD469tbk7cLg556uYGAidYYAS20w29uwlkAtgxFD9g6OIjuud7I
+MQfFO+uoJOjwwaC9ti+zxY56roVq1PybmP0Zw3T3AQIJ15KFzhQWLte/4U8PATzt
+JJEV2+sCTn3COZDCPpVvttcPYjAOxdwV5j7j6Sl2GeT2oIt6mjg+asyCiQKBgQDk
+LPxu8TBRfv8OMqs8Jrf/EpL9/7b48bxOwpOZJZMXelPcXCm1r6TfTrA1HAmg9Ijh
+kKLQ/CUm5Ll7b3B+L1Qa4r2sLyD11SF/eaxn2BMPFD/hYCTT160ObsF+9h8DN4z7
+kq3RiMDRJth69nuds9fLwj++ipcdhr62G0VgNq/u5wKBgCz/I5J3tPNjrU9YampR
+0gNnUkUfJWbiVMsG9uwL9l0L/ZzQHvELJ523QXQ0v/e/szHCyoX319u8HEQlC0Jw
+Twlj81HDZzruDUB/mcH6Ee3zHKOmmF6ma+CgoYJJElKW89MUttPdmkH2J1QqLz+7
+EGREwqjr8/wm22DzKNiyDXJ0
+-----END PRIVATE KEY-----

tests/test.yml

@@ -2,11 +2,34 @@
 
 - hosts: all
   pre_tasks:
-    - apt: pkg={{ item }} update_cache=yes cache_valid_time=3600 state=present
+    - name: APT_REPOSITORY | Install backports
+      apt_repository: repo='deb http://httpredir.debian.org/debian {{ ansible_distribution_release }}-backports main' state=present
+    - name: APT | Install needed packages
+      apt: pkg={{ item }} update_cache=yes cache_valid_time=3600 state=present
       with_items:
         - php5-fpm
         - curl
+        - fcgiwrap
+    - name: SERVICE | Force start services
+      service: name={{ item }} state=started
+      register: sf
+      with_items:
+        - php5-fpm
+        - fcgiwrap
+    - name: PAUSE | Prevent bugs (CGI not fully loaded)
+      pause: seconds=5
+      when: sf.changed
+    - name: FILE | Create an internal SSL dir
+      file: path={{ int_ansible_ssl_dir }} state=directory
+    - name: COPY | Deploy test certificate
+      copy: src=file/test.crt dest={{ int_ansible_ssl_dir }}/test.crt
+    - name: COPY | Deploy test key
+      copy: src=file/test.key dest={{ int_ansible_ssl_dir }}/test.key
   vars:
+# Internal vars
+    int_ansible_ssl_dir: '/etc/ansible-ssl'
+# Role vars
+    nginx_backports: true
     nginx_php: true
     nginx_upstreams:
       - name: 'test'
@@ -15,50 +38,291 @@
             max_conns: 150
             weight: 10
             down: false
+    nginx_htpasswd:
+      - name: 'hello'
+        description: 'Please login!'
+        users:
+          - name: 'hx'
+            password: 'asdfg'
+            state: 'absent'
+          - name: 'hanx'
+            password: 'qwerty'
+      - name: 'nagios'
+        description: 'Please login to Nagios!'
+        users:
+          - name: 'nagiosadmin'
+            password: 'nagios'
+      - name: 'deleteme'
+        description: 'Please login!'
+        users: []
+        state: 'absent'
+    nginx_ssl_pairs:
+      - name: 'test-ssl-predeployed.local'
+        dest_key: "{{ int_ansible_ssl_dir }}/test.key"
+        dest_cert: "{{ int_ansible_ssl_dir }}/test.crt"
+      - name: 'test-ssl.local'
+        key: |
+          -----BEGIN RSA PRIVATE KEY-----
+          MIIEpAIBAAKCAQEAvavrJWFp3Al2VwRgKx+4Y2mbRRvoxvyd2pyN0xMJ/tCJscaG
+          8s60v6WZ9FcCOeMkSI2DXsk4z7pbQdQn0h2GDr/5MOJkPAVWSWEN46tpaLZ3v0zp
+          88ZIbnEk1G0PsdFuW/pnLsakPlAMrl1VArFsV6YsatLt30UIYYcRO97StkoOehCx
+          A5w+XqtfHZeQZ0/DS81633gwYUcMuSTUFZ60r7ge1/m77DTSKg3rTVk5sebP8cjS
+          +aWHvxP/GyvvDsT+3gjRJx2/5O3JkfH0zaOsaU2Avj0PR0c5rhynrNO/l1k+GJJB
+          cbBrM+yA8Ofzp4oXUrCfaIq3RuL3Pd+khcKsiwIDAQABAoIBAQCPpAMQ7BUfbosQ
+          m1+5SOx7XR8Z12kSSX3CcY12rJSFRakB2TeZ6rE38lIFmV82N67iw0kaH4nGx3sU
+          /3aoyXMc+IXfX5RJYEFYkQfTw5ywkH9fgQAsfZ2dBlK+DVo1cEYDoj9CTW1VQ4pX
+          Ape+0l8agd5hiBxdWgpe0ctbbARnx584viLiA/iPBDNxKi9zEYw+WP7hSj5QWahr
+          a09tubcC4L6tjvv8CoZTRSKfCW64vWRDvE6vmA+zJN9Arc1WTYzF1KO1Gybwf8h7
+          stJb191smAgGDFhKo0j58ncyAnrS1k4mapm86QQhlfIA6DKvvC0qm3KdQns5b7HM
+          PyzW0hwBAoGBAO2mTVTOsziom9vtBwM0nRMMEgynR2X3EKMJz2mjcCf66f1F+aQ5
+          DvQFM2V8S2s1nGnPh8NKKZ8DxW1NKuR4qx82zeAXpUs9ibHxOnw4YRC485zqc2Wt
+          fSO1OEDYeKyzWP1nGGtCntYUXzJnWn/wz0mBGKzLKTuLwyFIKx1b7bybAoGBAMxR
+          N+lT57rX6d4GUqcgNOuWMZ/D8egnE5+hsoiFnHOisRLOgUgBBSy4rwAZx+rdHYT+
+          RO11L1PLYEzyvnO0f13R+N7aqKwNXDSzZGA+jb4pjkVidIC2smG/JYKJH5Z+kakw
+          mwMKP0wdRZJsCaMgScHmWJS8d6Ox/XJJoWrTWTbRAoGAWJlEgVaiaIArwz1F/QLz
+          gHNik0cWDkSi9jWlFxwwpycbbypUXM5M7dq2g6JoN6sACk6trbgLdlYgl5RKZm06
+          VuPGs0H9hOSHXkix5jfasDJT2G9r4D9ixRo9w6cwriobBjYWW3612tgzeYYgrkwn
+          655uhZUkZSfA8rqGIGbyZfsCgYAf5WH8G+wmIATTc1s92epJCOZwUY+XNVp75itP
+          4sPczX4lOHW4PuiG5cH0GxI5mRE9rNAn3c5on2xGNvMCbyAfDmNyruH8Eg3d8E9w
+          MvO/xw79x/P2EA9i8QszCKMUxGeK6RqZ6+SbxkoRJKqQe77n9UTI228179hoGhSH
+          77ySsQKBgQC8SSZn6a8PpSIIFXB9WCFMwfGFYbUz0wvpaeZP8GKx3BEzMeJqSUaJ
+          hrQgpwQXkueeamlCQcvV3AUCoBRWTYRLDrWiUIXuIgikDWBFp6TBvTnVRI7iktly
+          fNED7jXOSjJqnFmdkZlAI5V8dM++mVYVykJD6jcaVRQvxqFLrhSaRg==
+          -----END RSA PRIVATE KEY-----
+        cert: |
+          -----BEGIN CERTIFICATE-----
+          MIIDBTCCAe2gAwIBAgIJALKJfbk5vuieMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNV
+          BAMMDnRlc3Qtc3NsLmxvY2FsMB4XDTE2MDExMTE2NDI0NFoXDTI2MDEwODE2NDI0
+          NFowGTEXMBUGA1UEAwwOdGVzdC1zc2wubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUA
+          A4IBDwAwggEKAoIBAQC9q+slYWncCXZXBGArH7hjaZtFG+jG/J3anI3TEwn+0Imx
+          xobyzrS/pZn0VwI54yRIjYNeyTjPultB1CfSHYYOv/kw4mQ8BVZJYQ3jq2lotne/
+          TOnzxkhucSTUbQ+x0W5b+mcuxqQ+UAyuXVUCsWxXpixq0u3fRQhhhxE73tK2Sg56
+          ELEDnD5eq18dl5BnT8NLzXrfeDBhRwy5JNQVnrSvuB7X+bvsNNIqDetNWTmx5s/x
+          yNL5pYe/E/8bK+8OxP7eCNEnHb/k7cmR8fTNo6xpTYC+PQ9HRzmuHKes07+XWT4Y
+          kkFxsGsz7IDw5/OnihdSsJ9oirdG4vc936SFwqyLAgMBAAGjUDBOMB0GA1UdDgQW
+          BBRaSF1L+ivPhmIVGQjtviBqZWDS9DAfBgNVHSMEGDAWgBRaSF1L+ivPhmIVGQjt
+          viBqZWDS9DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCjrgB9+Zuq
+          Rx7T2mRUl4jf75dLabuBQD0ePALTtvNyBSghhzSr90mE7GlFOYAv0JsmEa3R1LVF
+          wLPIdrIhNHpt7hN0PkhUlfgmxBnRSCfhpiq4xxsDVFM7ehtDz4+dv1LUDMXo07+E
+          f24g9aqmypiFzHisUQrYIhtQmHxRpKyGp6kDAW9qNxg6k/Um00aHdYfuD9ER4ksR
+          f8Hto7f+vssKxCRY2OZXqq13PxEwC5+hgAUkTdrycA/moXFuHJi3lCnCND7sSzvG
+          tXBggOusyFZFC4bs2m+V+Z+RN+tK2c/c0nq5HR8MV5HwIm4Z8GoT2/0BfJ00cgWL
+          lVz0gDBfdH8f
+          -----END CERTIFICATE-----
+    nginx_custom_http:
+      - 'add_header X-ansible 1;'
+    nginx_default_vhost: 'test.local'
+    nginx_default_vhost_ssl: 'test-ssl-predeployed.local'
     nginx_vhosts:
       - name:
           - 'test.local'
           - 'test-alias.local'
           - 'test2-alias.local'
         template: '_base'
+        override_try_files: '$uri $uri index.htm index.html'
+        manage_local_content: false
         more:
           - 'autoindex off;'
+          - 'add_header X-ansible-default 1;'
         location:
           '/test':
             - 'return 403;'
           '/gunther':
             - 'return 404;'
-      - name:
+      - name: 'test-htpasswd.local'
-          - 'test-php.local'
+        template: '_base'
+        location:
+          '/hello':
+            - htpasswd: 'hello'
+            - 'default_type "text/html; charset=UTF-8";'
+            - 'echo hello;'
+      - name: 'test-htpasswd-all.local'
+        template: '_base'
+        htpasswd: 'hello'
+      - name: 'test-location.local'
+        template: '_base'
+        location:
+          '/':
+            - 'alias /var/tmp;'
+      - name: 'test-php.local'
         upstream_params:
           - 'fastcgi_param FOO bar;'
         redirect_from:
           - 'www.test-php.local'
         template: '_php'
-      - name:
+      - name: 'test-php-index.local'
-          - 'test-proxy.local'
+        template: '_php_index'
+      - name: 'test-proxy.local'
         listen:
           - 8080
         template: '_proxy'
         upstream_name: 'test'
-      - name:
+        more:
-          - 'deleted.local'
+          - 'add_header X-proxyfied 1;'
-        template: '_base'
+      - name: 'deleted.local'
         delete: true
+      - name: 'redirect-to.local'
+        redirect_to: 'http://test.local'
+      - name: 'backuppc.local'
+        template: '_backuppc'
+        htpasswd: 'hello'
+      - name: 'nagios3.local'
+        template: '_nagios3'
+        htpasswd: 'nagios'
+      - name: 'test-ssl.local'
+        proto: ['http', 'https']
+        template: '_base'
+        ssl_name: 'test-ssl.local'
+      - name: 'test-ssl-predeployed.local'
+        proto: ['http', 'https']
+        template: '_base'
+        ssl_name: 'test-ssl-predeployed.local'
+        more:
+          - 'add_header X-ansible-default 1;'
+    nginx_dh_length: 1024
   roles:
     - ../../
   post_tasks:
+# --------------------------------
+# Apps
+# --------------------------------
+    - name: APT | Install web apps
+      apt: pkg={{ item }} state=present
+      with_items:
+        - nagios3
+        - backuppc
+    - name: SERVICE | Ensure backuppc is started
+      service: name=backuppc state=started
+
+# --------------------------------
+# Deploy index files
+# --------------------------------
     - name: -- Add PHP file --
-      copy: dest="{{ nginx_root }}/test-php.local/public/index.php" content="<?php phpinfo();"
+      copy: dest="{{ nginx_root }}/{{ item }}/public/index.php" content="<?php phpinfo();"
+      with_items: ['test-php.local', 'test-php-index.local']
     - name: -- Add HTML file --
-      copy: dest="{{ nginx_root }}/test.local/public/index.html" content="Index HTML test OK\n"
+      copy: dest="{{ item }}/index.html" content="Index HTML test OK\n"
+      with_items: ['{{ nginx_root }}/test.local/public', '/var/tmp', '{{ nginx_root }}/test-htpasswd-all.local/public', '{{ nginx_root }}/test-ssl.local/public', '{{ nginx_root }}/test-ssl-predeployed.local/public']
+
+# --------------------------------
+# Simple vhosts tests
+# --------------------------------
     - name: -- VERIFY VHOSTS --
-      shell: "curl -H 'Host: {{ item.name[0] }}' http://127.0.0.1{% if item.listen is defined and item.listen is iterable %}:{{ item.listen[0] }}{% endif %}/"
+      command: "curl -H 'Host: {{ item.name if item.name is string else item.name[0] }}' http://127.0.0.1{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/"
       with_items: nginx_vhosts
       when: item.delete is undefined or not item.delete
       changed_when: false
+    - name: -- VERIFY FORBIDDEN --
+      command: "curl -H 'Host: test-php-index.local' http://127.0.0.1/phpinfo.php"
+      register: f
+      failed_when: f.stdout.find('403 Forbidden') == -1
+      changed_when: false
     - name: -- VERIFY REDIRECT VHOSTS --
-      shell: "curl -H 'Host: {{ item.redirect_from[0] }}' http://127.0.0.1/"
+      command: "curl -H 'Host: {{ item.redirect_from[0] }}' http://127.0.0.1/"
       with_items: nginx_vhosts
       when: item.redirect_from is defined and (item.delete is undefined or not item.delete)
       changed_when: false
+      register: r
+      failed_when: r.stdout.find('301 Moved Permanently') == -1
+
+# --------------------------------
+# PHP
+# --------------------------------
+    - name: -- VERIFY PHP VHOSTS --
+      command: "curl -H 'Host: {{ item }}' http://127.0.0.1/"
+      register: p
+      changed_when: false
+      failed_when: p.stdout.find('PHP Version') == -1
+      with_items: ['test-php.local', 'test-php-index.local']
+
+# --------------------------------
+# Basic Auth
+# --------------------------------
+    - name: -- VERIFY AUTH BASIC NONE --
+      command: "curl -H 'Host: test-htpasswd.local' http://127.0.0.1/hello"
+      changed_when: false
+      register: authnone
+      failed_when: authnone.stdout.find('401 Authorization Required') == -1
+    - name: -- VERIFY AUTH BASIC FAIL --
+      command: "curl -u fail:fail -H 'Host: test-htpasswd.local' http://127.0.0.1/hello"
+      changed_when: false
+      register: authfail
+      failed_when: authfail.stdout.find('401 Authorization Required') == -1
+    - name: -- VERIFY AUTH BASIC OK --
+      command: "curl -u hanx:qwerty -H 'Host: test-htpasswd.local' http://127.0.0.1/hello"
+      changed_when: false
+      register: authok
+      failed_when: authok.stdout.find('hello') == -1
+    - name: -- VERIFY AUTH BASIC FAIL GLOBAL --
+      command: "curl -u fail:fail -H 'Host: test-htpasswd-all.local' http://127.0.0.1/"
+      changed_when: false
+      register: authgfail
+      failed_when: authgfail.stdout.find('401 Authorization Required') == -1
+    - name: -- VERIFY AUTH BASIC OK --
+      command: "curl -u hanx:qwerty -H 'Host: test-htpasswd-all.local' http://127.0.0.1/"
+      changed_when: false
+      register: authgok
+      failed_when: authgok.stdout.find('401 Authorization Required') != -1
+
+# --------------------------------
+# BackupPC
+# --------------------------------
+    - name: -- VERIFY BACKUPPC --
+      command: "curl -u hanx:qwerty -H 'Host: backuppc.local' http://127.0.0.1/"
+      changed_when: false
+      register: authbpc
+      failed_when: authbpc.stdout.find('BackupPC Server Status') == -1
+
+# --------------------------------
+# Nagios
+# --------------------------------
+    - name: -- VERIFY NAGIOS3 PHP --
+      command: "curl -u nagiosadmin:nagios -H 'Host: nagios3.local' http://127.0.0.1/side.php"
+      changed_when: false
+      register: nagios_php
+      failed_when: nagios_php.stdout.find('Nagios Core') == -1
+    - name: -- VERIFY NAGIOS3 CGI --
+      command: "curl -u nagiosadmin:nagios -H 'Host: nagios3.local' http://127.0.0.1/cgi-bin/nagios3/summary.cgi"
+      changed_when: false
+      register: nagios_cgi
+      failed_when: nagios_cgi.stdout.find('Nagios Event Summary') == -1
+
+# --------------------------------
+# SSL
+# --------------------------------
+    - name: -- VERIFY SSL --
+      command: "curl --insecure -H 'Host: {{ item }}' https://127.0.0.1/"
+      changed_when: false
+      register: sslok
+      failed_when: sslok.stdout.find('Index HTML test OK') == -1
+      with_items:
+        - 'test-ssl-predeployed.local'
+        - 'test-ssl.local'
+
+# --------------------------------
+# Default vhosts
+# --------------------------------
+    - name: -- VERIFY DEFAULT VHOST --
+      command: "curl -v http://127.0.0.1/"
+      changed_when: false
+      register: vdefault
+      failed_when: >
+        vdefault.stdout.find('Index HTML test OK') == -1 or
+        vdefault.stderr.find('X-ansible-default') == -1
+    - name: -- VERIFY DEFAULT SSL VHOST --
+      command: "curl --insecure -v https://127.0.0.1/"
+      changed_when: false
+      register: defaultssl
+      failed_when: >
+        defaultssl.stdout.find('Index HTML test OK') == -1 or
+        defaultssl.stderr.find('X-ansible-default') == -1
+    - name: -- VERIFY NOT DEFAULT VHOST --
+      command: "curl -v -H 'Host: test-php.local' http://127.0.0.1/"
+      changed_when: false
+      register: vphp
+      failed_when: vphp.stderr.find('X-ansible-default') != -1
+    - name: -- VERIFY NOT DEFAULT SSL VHOST --
+      command: "curl --insecure -v -H 'Host: test-ssl.local' https://127.0.0.1/"
+      changed_when: false
+      register: notdefaultssl
+      failed_when: notdefaultssl.stderr.find('X-ansible-default') != -1

vars/main.yml

@@ -1,5 +1,3 @@
-nginx_dh_path: /etc/nginx/ssl/dhparams.pem
-
 nginx_upstream_server_params:
   - key: 'weight'
     default: 1
@@ -23,3 +21,13 @@ nginx_upstream_server_params:
 #  - key: 'resolve'
 #    is_bool: true
 #    min_version: '1.5.12'
+
+nginx_dirs:
+  - "{{ nginx_htpasswd_dir }}"
+  - "{{ nginx_ssl_dir }}"
+  - "{{ nginx_helper_dir }}"
+
+nginx_templates_no_dir:
+  - '_proxy'
+  - '_nagios3'
+  - '_backuppc'