Update cipher list (from https://cipherli.st/)

Freebsd support

.gitignore

@@ -1,2 +1,3 @@
 .vagrant*
 *.swp
+*.retry

.travis.yml

@@ -11,3 +11,6 @@ services:
 
 script:
   - docker build -f tests/$PLATFORM.Dockerfile -t test-$PLATFORM . && docker run --name $PLATFORM test-$PLATFORM
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

README.md

@@ -1,9 +1,9 @@
-Nginx for Debian Ansible role
-=============================
+Nginx for Debian/FreeBSD Ansible role
+=====================================
 
 [![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-HanXHX.nginx-blue.svg)](https://galaxy.ansible.com/list#/roles/4399) [![Build Status](https://travis-ci.org/HanXHX/ansible-nginx.svg?branch=master)](https://travis-ci.org/HanXHX/ansible-nginx)
 
-Install and configure Nginx on Debian.
+Install and configure Nginx on Debian/FreeBSD.
 
 Features:
 
@@ -24,9 +24,15 @@ Role Variables
 
 ### Packaging
 
+Debian:
+
 - `nginx_apt_package`: APT nginx package (try: apt-cache search ^nginx)
 - `nginx_backports`: Install nginx from backport repository (bool)
 
+FreeBSD:
+
+- `nginx_pkgng_package`: PKGNG nginx package (should be "nginx" or "nginx-devel")
+
 ### Shared
 
 - `nginx_root`: root directory where you want to have your files
@@ -57,6 +63,15 @@ Fine configuration
 
 [Basic Auth](doc/auth.md)
 
+[FreeBSD](doc/freebsd.md)
+
+
+Note
+----
+
+- Active support for Debian.
+- FreeBSD support is experimental (no Travis). I only test (for the moment) 10.2 (but it can work on other versions).
+- I don't manage BackupPC for FreeBSD (PR welcome).
 
 Dependencies
 ------------

Vagrantfile

@@ -5,10 +5,14 @@
 
 Vagrant.configure("2") do |config|
 
-  vms = [
-    [ "debian-wheezy", "deb/wheezy-amd64" , "192.168.33.27" ],
-    [ "debian-jessie", "deb/jessie-amd64", "192.168.33.28" ],
-    [ "debian-stretch", "sharlak/debian_stretch_64", "192.168.33.29" ]
+  vms_debian = [
+    [ "debian-wheezy", "debian/wheezy64" ],
+    [ "debian-jessie", "debian/jessie64" ],
+    [ "debian-stretch", "sharlak/debian_stretch_64" ],
+  ]
+
+  vms_freebsd = [
+    [ "freebsd-10.2", "freebsd/FreeBSD-10.2-STABLE" ]
   ]
 
   config.vm.provider "virtualbox" do |v|
@@ -16,11 +20,10 @@ Vagrant.configure("2") do |config|
     v.memory = 256
   end
 
-  vms.each do |vm|
+  vms_debian.each do |vm|
     config.vm.define vm[0] do |m|
       m.vm.box = vm[1]
-      m.vm.network "private_network", ip: vm[2]
-
+      m.vm.network "private_network", type: "dhcp"
       m.vm.provision "ansible" do |ansible|
         ansible.playbook = "tests/test.yml"
         ansible.groups = { "test" => [ vm[0] ] }
@@ -29,4 +32,25 @@ Vagrant.configure("2") do |config|
       end
     end
   end
+  # See: https://forums.freebsd.org/threads/52717/
+  vms_freebsd.each do |vm|
+    config.vm.define vm[0] do |m|
+      m.vm.box = vm[1]
+      m.vm.network "private_network", type: "dhcp"
+      m.vm.guest = :freebsd
+      m.vm.synced_folder ".", "/vagrant", id: "vagrant-root", disabled: true
+      m.ssh.shell = "sh"
+      m.vm.base_mac = "080027D14C66"
+      m.vm.provision "shell", inline: "pkg install -y python bash"
+      m.vm.provision "ansible" do |ansible|
+        ansible.playbook = "tests/test.yml"
+        ansible.groups = { "test" => [ vm[0] ] }
+        ansible.verbose = 'vv'
+        ansible.sudo = true
+        ansible.extra_vars = {
+          ansible_python_interpreter: '/usr/local/bin/python'
+        }
+      end
+    end
+  end
 end

defaults/main.yml

@@ -1,14 +1,16 @@
 ---
 
+# Debian
 nginx_apt_package: nginx-full
 nginx_backports: false
+# FreeBSD
+nginx_pkgng_package: nginx
 
 #
 # Nginx shared variables
 #
 nginx_root: "/srv/www"
 nginx_log_dir: '/var/log/nginx'
-nginx_pid: '/run/nginx.pid'
 nginx_resolver_hosts: ['8.8.8.8', '8.8.4.4']
 nginx_resolver_valid: '300s'
 nginx_resolver_timeout: '5s'
@@ -20,9 +22,9 @@ nginx_default_vhost_ssl: null
 #
 # Nginx directories
 #
-nginx_htpasswd_dir: '/etc/nginx/htpasswd'
-nginx_ssl_dir: '/etc/nginx/ssl'
-nginx_helper_dir: '/etc/nginx/helper'
+nginx_htpasswd_dir: '{{ nginx_etc_dir }}/htpasswd'
+nginx_ssl_dir: '{{ nginx_etc_dir }}/ssl'
+nginx_helper_dir: '{{ nginx_etc_dir}}/helper'
 
 #
 # Load upstream
@@ -45,7 +47,6 @@ nginx_worker_processes: '{{ ansible_processor_vcpus }}'
 #
 nginx_events_worker_connections: '512'
 nginx_events_multi_accept: 'on'
-nginx_events_use: 'epoll'
 
 #
 # Nginx HTTP

doc/auth.md

@@ -10,19 +10,19 @@ Each htpasswd has few keys:
 
 - `name`: (M) used to create file and as pointee
 - `description`: (M) Used for the message box :)
-- `users`: each users is composed with 3 keys: `name` (M), `password` (M) and `state` present/absent (default: present)
+- `users`: each users is composed with 3 keys: `name` (M), `password` (M) and `state` (O) present/absent (default: present)
 - `state`: (O) present or absent. Default: present
 
-`nginx_htpasswd` should be placed in a vaut file.
+`nginx_htpasswd` should be placed in a vault file.
 
 Example
 -------
 
-```
+```yaml
 nginx_vhosts:
 # htpasswd on all vhost
   - name: test.local
-    htpasswd: 'hello'    
+    htpasswd: 'hello'
     template: '_base'
 
 # htpasswd only in /hello
@@ -30,7 +30,7 @@ nginx_vhosts:
     template: '_base'
     location:
       '/hello':
-        - htpasswd: 'hello'    
+        - htpasswd: 'hello'
 
 nginx_htpasswd:
   - name: 'hello'

doc/freebsd.md

@@ -0,0 +1,4 @@
+Freebsd
+=======
+
+Due to Ansible + FreeBSD limitations (`ansible_processor_vcpus`), You must explicitely set `nginx_worker_processes`.

doc/ssl.md

@@ -17,7 +17,7 @@ Cert/Key pairs
 
 This list have 3 mandatory keys:
 
-- `name`: MUST be unique 
+- `name`: MUST be unique
 
 - `key`: content of the private key
 - `cert`: content of the public key
@@ -27,7 +27,6 @@ OR
 - `dest_cert`: remote path where certificate is located
 - `dest_key`: remote path where key is located
 
-
 Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo", key is -> /etc/nginx/ssl/foo/foo.key
 
 Tips
@@ -35,9 +34,6 @@ Tips
 
 Deploying key/cert is not mandatory with this role. You can manage it in other place ([letsencrypt](https://letsencrypt.org/)? :)). You just need to set `dest_cert` and `dest_key`!
 
-If you set all, you can deploy your key everywhere with wanted data!
-
-
 Diffie-Hellman
 --------------
 
@@ -46,7 +42,7 @@ If you do not specify any dh param, this role auto generates it.
 Example
 -------
 
-```
+```yaml
 nginx_vhosts;
   - name: 'test-ssl.local'
     proto: ['http', 'https']

doc/upstream.md

@@ -25,5 +25,17 @@ All this params are optional. You should see [Nginx upstream doc](http://nginx.o
 - `backup`
 - `down`
 - `route`
-- `slow`start`
+- `slow_start`
 
+Example
+-------
+
+```yaml
+nginx_upstreams:
+  - name: 'proxy_apache'
+    servers:
+      - path: '127.0.0.1:80'
+        max_conns: 150
+        weight: 10
+        down: false
+```

doc/vhost.md

@@ -10,11 +10,14 @@ Common
 
 - `name`: (M) Domain or list of domain used.
 - `template`: (D) template used to create vhost. Optional if you set `delete` to true or using `redirect_tor`.
+- `filename`: (O) Specify filename in /etc/nginx/sites-*. Do NOT specify default (reserved keyword).
 - `enable`: (O) Enable the vhost (default is true)
 - `delete`: (O) Delete the vhost (default is false)
 - `redirect_from`: (O) Domain list to redirect to the first `name`. You can use this key to redirect non-www to www
 - `redirect_to`: (O) Redirect all requests to this domain. Please set scheme (http:// or https:// or $sheme).
+- `headers`: (O) Set additionals header as key/value list. You can append "always" to the value. Show [nginx doc](http://nginx.org/en/docs/http/ngx_http_headers_module.html).
 - `redirect_to_code`: Redirect code (default: 302)
+- `redirect_https`: (O) Boolean. Redirect HTTP to HTTPS. If "true", you _MUST_ set `proto` to ```['https']```.
 - `location`: (O) Add new custom locations (it does not overwrite!)
 - `more`: (O) Add more custom infos.
 - `upstream_params`: (O) Add upstream params (useful when you want to pass variables to PHP)
@@ -23,6 +26,7 @@ Common
 - `htpasswd`: (O) References name key in `nginx_htpasswd`. Enable auth basic on all vhost.
 - `proto`: (O) list of protocol used. Default is a list with "http". If you need http and https, you must set a list with "http" and "https". You can only set "https" without http support.
 - `ssl_name`: (D) name of the key used when using TLS/SSL. Mandatory when `proto` contains "https"
+- `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false". 
 
 (O): Optional
 (M): Mandatory

files/web/index.html

@@ -1 +0,0 @@
-<h1>HTML works</h1>

files/web/index.php

@@ -1,3 +0,0 @@
-<?php
-
-echo "<h1>PHP works!</h1>";

handlers/main.yml

@@ -1,4 +1,9 @@
 ---
 
+# Reload wrapper
 - name: reload nginx
-  action: service name=nginx state=reloaded enabled=yes
+  command: nginx -t
+  notify: real-reload nginx
+
+- name: real-reload nginx
+  service: name=nginx state=reloaded

meta/main.yml

@@ -1,16 +1,27 @@
 ---
 galaxy_info:
   author: Emilien Mantel
-  description: Nginx for Debian 
+  description: Nginx for Debian
   company:
-  license: GPLv2 
+  license: GPLv2
   min_ansible_version: 2.0
   platforms:
   - name: Debian
     versions:
     - wheezy
     - jessie
-  categories:
+  - name: FreeBSD
+    versions:
+    - 10.2
+  galaxy_tags:
   - web
+  - proxy
+  - http
+  - http2
+  - https
+  - ssl
+  - tls
+  - nginx
+  - cdn
 dependencies: []
- 
+

tasks/config.yml

@@ -3,7 +3,7 @@
 - name: TEMPLATE | Deploy nginx.conf
   template: >
     src=etc/nginx/nginx.conf.j2
-    dest=/etc/nginx/nginx.conf
+    dest="{{ nginx_etc_dir }}/nginx.conf"
   notify: reload nginx
 
 - name: TEMPLATE | Deploy all helpers
@@ -16,6 +16,6 @@
 - name: TEMPLATE | Deploy custom http configuration
   template: >
     src=etc/nginx/conf.d/custom.conf.j2
-    dest=/etc/nginx/conf.d/custom.conf
+    dest="{{ nginx_etc_dir }}/conf.d/custom.conf"
   notify: reload nginx
 

tasks/htpasswd.yml

@@ -4,7 +4,7 @@
   file: >
     path={{ nginx_htpasswd_dir }}/{{ item.name }}
     state=absent
-  with_items: nginx_htpasswd
+  with_items: "{{ nginx_htpasswd }}"
   when: item.state is defined and item.state == 'absent'
 
 - name: HTPASSWD | Manage files
@@ -14,6 +14,6 @@
     state={{ item.1.state | default('present') }}
     path={{ nginx_htpasswd_dir }}/{{ item.0.name }}
   with_subelements:
-    - nginx_htpasswd
+    - "{{ nginx_htpasswd }}"
     - users
-  when: item.0.state is not defined or item.0.state == 'present' 
+  when: item.0.state is not defined or item.0.state == 'present'

tasks/install_Debian.yml

@@ -1,11 +1,14 @@
 ---
 
+- name: APT | Update cache
+  apt: >
+    update_cache=yes
+    cache_valid_time=3600
+
 - name: APT | Install nginx and dependencies
   apt: >
     pkg={{ nginx_apt_package }}
     state=present
-    update_cache=yes
-    cache_valid_time=3600
     default_release={{ ansible_distribution_release + '-backports' if nginx_backports else ansible_distribution_release }}
 
 - name: APT | Install python-passlib

tasks/install_FreeBSD.yml

@@ -0,0 +1,35 @@
+---
+
+- name: PKGNG | Install nginx and related tools
+  pkgng: name={{ item }} state=present
+  with_items:
+    - "{{ nginx_pkgng_package }}"
+    - py27-passlib
+    - curl
+
+- name: FILE | Create configuration dir (like Debian)
+  file: path="{{ nginx_etc_dir }}/{{ item }}" state=directory
+  with_items:
+    - conf.d
+    - sites-available
+    - sites-enabled
+
+- name: STAT | Check fastcgi.conf
+  stat: path={{ nginx_etc_dir }}/fastcgi.conf
+  register: conf
+
+- name: COPY | config
+  command: "cp {{ nginx_etc_dir }}/fastcgi_params {{ nginx_etc_dir }}/fastcgi.conf"
+  when: not conf.stat.exists
+  notify: reload nginx
+
+- name: LINEINFILE | Add fastcgi config
+  lineinfile: >
+    line="fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;"
+    dest="{{ nginx_etc_dir }}/fastcgi.conf"
+  notify: reload nginx
+
+- name: COPY | Populate proxy_params
+  copy: >
+    content="proxy_set_header Host $http_host;\nproxy_set_header X-Real-IP $remote_addr;\nproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;"
+    dest="{{ nginx_etc_dir }}/proxy_params"

tasks/main.yml

@@ -1,7 +1,11 @@
 ---
 
+
+- name: INCLUDE_VARS | Related to OS
+  include_vars: "{{ ansible_distribution }}.yml"
+
 - name: INCLUDE | Install
-  include: install.yml
+  include: install_{{ ansible_distribution }}.yml
 
 - name: INCLUDE | Prepare
   include: prepare.yml

tasks/prepare.yml

@@ -2,14 +2,22 @@
 
 - name: SHELL | Get Nginx version
   shell: nginx -v 2>&1 | sed -r 's#.*/##;' | cut -d ' ' -f 1
+  args:
+    executable: /bin/sh
   register: nginx_version
   changed_when: false
 
 - name: SHELL | Get module list
-  shell: nginx -V 2>&1 | tr -- - '\n' | grep -A 1 with | grep _module | sed -r 's/_module\s*$//g' |sort
-  register: nginx_modules
+  shell: nginx -V 2>&1 | tr -- - '\n' | grep -A 1 with | grep _module | sed 's/_module[[:space:]]*//g' | sort
+  args:
+    executable: /bin/sh
+  register: shell_modules
   changed_when: false
 
+- name: SET_FACT | Save modules
+  set_fact:
+    nginx_modules: "{{ shell_modules.stdout_lines }}"
+
 - name: FILE | Create folders
   file: dest={{ item }} owner=root mode=0755 state=directory
   with_items: "{{ nginx_dirs }}"

tasks/ssl.yml

@@ -18,14 +18,14 @@
   file: >
     path="{{ nginx_ssl_dir + '/' + item.name }}"
     state=directory
-  with_items: nginx_ssl_pairs
+  with_items: "{{ nginx_ssl_pairs }}"
   when: item.dest_key is not defined or item.dest_cert is not defined
 
 - name: COPY | Deploy SSL keys
   copy: >
     content="{{ item.key }}"
     dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.key' if item.dest_key is not defined else item.dest_key }}"
-  with_items: nginx_ssl_pairs
+  with_items: "{{ nginx_ssl_pairs }}"
   when: item.key is defined
   notify: reload nginx
 
@@ -33,7 +33,7 @@
   copy: >
     content="{{ item.cert }}"
     dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.crt' if item.dest_cert is not defined else item.dest_cert }}"
-  with_items: nginx_ssl_pairs
+  with_items: "{{ nginx_ssl_pairs }}"
   when: item.cert is defined
   notify: reload nginx
 

tasks/upstream.yml

@@ -1,11 +1,15 @@
 ---
 
 - name: TEMPLATE | Deploy PHP upstream to Nginx
-  template: src=etc/nginx/upstream/php.conf.j2 dest=/etc/nginx/conf.d/php.conf
+  template: >
+    src=etc/nginx/upstream/php.conf.j2
+    dest="{{ nginx_etc_dir }}/conf.d/php.conf"
   when: nginx_php
   notify: reload nginx
 
 - name: TEMPLATE | Deploy other upstreams
-  template: src=etc/nginx/upstream/upstream.conf.j2 dest=/etc/nginx/conf.d/upstream-{{ item.name }}.conf
-  with_items: nginx_upstreams
+  template: >
+    src=etc/nginx/upstream/upstream.conf.j2
+    dest={{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf
+  with_items: "{{ nginx_upstreams }}"
   notify: reload nginx

tasks/vhost.yml

@@ -1,40 +1,38 @@
 ---
 
+- name: FAIL | Check filenames
+  fail: msg="Forbidden keyword default on vhost {{ item.name if item.name is string else item.name[0] }}"
+  when: item.filename is defined and item.filename == 'default'
+  with_items: "{{ nginx_vhosts }}"
+
 - name: FAIL | Check vhost and SSL/TLS support
   fail: msg="Missmatch configuration for vhost {{ item.name if item.name is string else item.name[0] }}"
   when: >
     item.proto is defined and
     'https' in item.proto and
     item.ssl_name is not defined
-  with_items: nginx_vhosts
+  with_items: "{{ nginx_vhosts }}"
+
+- name: FAIL | Check HTTPS redir and proto
+  fail: msg="You can't have HTTP proto and HTTPS redirection at the same time"
+  when: >
+    ((item.proto is defined and 'http' in item.proto) or (item.proto is not defined)) and
+    (item.redirect_http is defined and item.redirect_http)
+  with_items: "{{ nginx_vhosts }}"
 
 - name: FILE | Create root directory
   file: >
     path={{ nginx_root }}
     state=directory
 
-- name: FILE | Create root folders (foreach nginx_vhosts)
-  file: >
-    path={{ nginx_root }}/{{ item.name if item.name is string else item.name[0] }}
-    state=directory
-    owner={{ item.owner | default('www-data') }}
-    group={{ item.group | default('www-data') }}
-    mode={{ item.mode | default('0755') }}
-  with_items: nginx_vhosts
-  when: >
-    item.root is not defined and
-    (item.template is defined and item.template not in nginx_templates_no_dir) and
-    (item.delete is not defined or not item.delete) and
-    item.redirect_to is not defined
-
 - name: FILE | Create root public folders (foreach nginx_vhosts)
   file: >
     path={{ nginx_root }}/{{ item.name if item.name is string else item.name[0] }}/public
     state=directory
-    owner={{ item.owner | default('www-data') }}
-    group={{ item.group | default('www-data') }}
+    owner={{ item.owner | default(nginx_user) }}
+    group={{ item.group | default(nginx_user) }}
     mode={{ item.mode | default('0755') }}
-  with_items: nginx_vhosts
+  with_items: "{{ nginx_vhosts }}"
   when: >
     item.root is not defined and
     (item.template is defined and item.template not in nginx_templates_no_dir) and
@@ -44,27 +42,23 @@
 - name: TEMPLATE | Create vhosts
   template: >
     src=etc/nginx/sites-available/{{ item.template if item.redirect_to is not defined else '_redirect' }}.j2
-    dest=/etc/nginx/sites-available/{{ item.name if item.name is string else item.name[0] }}
-  with_items: nginx_vhosts
+    dest={{ nginx_etc_dir }}/sites-available/{{ item.filename | default(item.name if item.name is string else item.name[0]) }}
+  with_items: "{{ nginx_vhosts }}"
   notify: reload nginx
   when: item.delete is not defined or not item.delete
 
-#- name: COPY | Add index.html / index.php
-#  copy: src={{ item }} dest={{ nginx_root }}/{{ item.name }}/public/{{ item }} owner=www-data group=www-data mode=0666
-#  with_fileglob: "web/*"
-
 - name: FILE | Delete vhosts
-  file: path=/etc/nginx/sites-available/{{ item.name if item.name is string else item.name[0] }} state=absent
-  with_items: nginx_vhosts
+  file: path={{ nginx_etc_dir }}/sites-available/{{ item.filename | default(item.name if item.name is string else item.name[0]) }} state=absent
+  with_items: "{{ nginx_vhosts }}"
   notify: reload nginx
   when: item.delete is defined and item.delete
 
 - name: FILE | Enable vhosts
   file: >
-    src=/etc/nginx/sites-available/{{ item.name if item.name is string else item.name[0] }}
-    dest=/etc/nginx/sites-enabled/{{ item.name if item.name is string else item.name[0] }}
+    src={{ nginx_etc_dir }}/sites-available/{{ item.filename | default(item.name if item.name is string else item.name[0]) }}
+    dest={{ nginx_etc_dir }}/sites-enabled/{{ item.filename | default(item.name if item.name is string else item.name[0]) }}
     state=link
-  with_items: nginx_vhosts
+  with_items: "{{ nginx_vhosts }}"
   notify: reload nginx
   when: >
     ((item.enable is not defined) or
@@ -72,22 +66,22 @@
     (item.delete is not defined or not item.delete)
 
 - name: FILE | Disable vhosts
-  file: path=/etc/nginx/sites-enabled/{{ item.name if item.name is string else item.name[0] }} state=absent
-  with_items: nginx_vhosts
+  file: path={{ nginx_etc_dir}}/sites-enabled/{{ item.filename | default(item.name if item.name is string else item.name[0]) }} state=absent
+  with_items: "{{ nginx_vhosts }}"
   notify: reload nginx
   when: (item.enable is defined and not item.enable) or (item.delete is defined and item.delete)
 
 - name: FILE | Delete default vhost when explicitely defined
   file: >
-    path=/etc/nginx/sites-enabled/default
+    path={{ nginx_etc_dir }}/sites-enabled/default
     state=absent
   notify: reload nginx
   when: nginx_default_vhost is not none
 
 - name: FILE | Auto set default vhost
   file: >
-    src=/etc/nginx/sites-available/default
-    dest=/etc/nginx/sites-enabled/default
+    src={{ nginx_etc_dir }}/sites-available/default
+    dest={{ nginx_etc_dir }}/sites-enabled/default
     state=link
   notify: reload nginx
   when: nginx_default_vhost is none

templates/etc/nginx/helper/ssl-legacy.j2

@@ -2,13 +2,11 @@
 # {{ ansible_managed }}
 #
 
-ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
-add_header X-Frame-Options DENY;
-add_header X-Content-Type-Options nosniff;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
 {% if nginx_version.stdout | version_compare('1.3.7', 'ge') %}
 ssl_stapling on;
 ssl_stapling_verify on;

templates/etc/nginx/helper/ssl-strong.j2

@@ -2,13 +2,11 @@
 # {{ ansible_managed }}
 #
 
-ssl_ciphers "AES256+EECDH:AES256+EDH";
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
-add_header X-Frame-Options DENY;
-add_header X-Content-Type-Options nosniff;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
 {% if nginx_version.stdout | version_compare('1.3.7', 'ge') %}
 ssl_stapling on;
 ssl_stapling_verify on;

templates/etc/nginx/nginx.conf.j2

@@ -14,7 +14,7 @@ events {
 
 http {
 	types_hash_max_size {{ nginx_http_types_hash_max_size }};
-	include /etc/nginx/mime.types;
+	include {{ nginx_etc_dir }}/mime.types;
 
 	default_type {{ nginx_http_default_type }};
 	access_log {{ nginx_http_access_log }};
@@ -45,8 +45,8 @@ http {
 	gzip_vary {{ nginx_http_gzip_vary }};
 	gzip_disable {{ nginx_http_gzip_disable }};
 
-	include /etc/nginx/conf.d/*.conf;
-	include /etc/nginx/sites-enabled/*;
+	include {{ nginx_etc_dir }}/conf.d/*.conf;
+	include {{ nginx_etc_dir }}/sites-enabled/*;
 }
 
 # vim:filetype=nginx

templates/etc/nginx/sites-available/_backuppc.j2

@@ -25,7 +25,7 @@
 {% block template_upstream_location %}
 	location ~ \.cgi$ {
 		gzip off;
-		include /etc/nginx/fastcgi_params;
+		include {{ nginx_etc_dir }}/fastcgi_params;
 		fastcgi_pass unix:/var/run/fcgiwrap.socket;
 		fastcgi_index BackupPC_Admin;
 		fastcgi_param SCRIPT_FILENAME /usr/share/backuppc/cgi-bin$fastcgi_script_name;

templates/etc/nginx/sites-available/_base.j2

@@ -3,6 +3,7 @@
 {% set __listen = item.listen | default(['80']) %}
 {% set __listen_ssl = item.listen_ssl | default(['443']) %}
 {% set __location = item.location | default({}) %}
+{% set __headers = item.headers | default({'X-Frame-Options': 'DENY always', 'X-Content-Type-Options': 'nosniff always' }) %}
 {% macro htpasswd(htpasswd_name, indent=1) -%}
 {% for ht in nginx_htpasswd if ht.name == htpasswd_name %}
 {{ "\t" * indent }}auth_basic "{{ ht.description }}";
@@ -30,10 +31,12 @@ server {
 {% endif %}
 {% if 'https' in __proto %}
 {% for port in __listen_ssl %}
-	listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules.stdout_lines %}http2{% endif %};
+	listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %};
 {% endfor %}
 {{ ssl(item.ssl_name) }}
+{% if item.ssl_template is not defined or item.ssl_template != false %}
 	include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
+{% endif %}
 {% endif %}
 	server_name {% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(' ') }}{% endif %};
 {% block root %}
@@ -57,6 +60,14 @@ server {
 {{ htpasswd(item.htpasswd, 1) }}
 {% endif %}
 
+{% block template_headers %}
+	# --> Custom headers
+{% for key, value in __headers.iteritems() %}
+	add_header {{ key }} {{ value | replace(' always', '') }}{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
+{% endfor %}
+	# <-- Custom headers
+{% endblock %}
+
 {% if not __location.has_key('/') %}
 	location / {
 {% block template_try_files %}
@@ -102,18 +113,36 @@ server {
 {% endfor %}	# <-- Custom locations
 {% endif %}
 
-{% if item.use_access_log is defined and item.use_access_log %}
+{% if item.use_access_log is defined %}
+{% if item.use_access_log %}
 	access_log {{ nginx_log_dir }}/{{ __main_name }}_access.log combined;
 {% else %}
 	access_log off;
 {% endif %}
-{% if item.use_error_log is defined and item.use_error_log %}
+{% endif %}
+{% if item.use_error_log is defined %}
+{% if item.use_error_log %}
 	error_log {{ nginx_log_dir }}/{{ __main_name }}_error.log {{ nginx_error_log_level }};
 {% else %}
 	error_log off;
 {% endif %}
+{% endif %}
 }
 
+{% if item.redirect_https is defined and item.redirect_https %}
+#
+# Redirect HTTP to HTTPS
+#
+server {
+{% for port in __listen %}
+	listen {{ port }};
+{% endfor %}
+	server_name {% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(' ') }}{% endif %};
+	return 301 https://{{ __main_name }}{% if '443' not in __listen_ssl %}:__listen_ssl[0]{% endif %}$request_uri;
+}
+{% endif %}
+
+
 {% if item.redirect_from is defined and item.redirect_from is iterable %}
 #
 # Redirect from

templates/etc/nginx/sites-available/_nagios3.j2

@@ -1,7 +1,7 @@
 {% extends "_base.j2" %}
 
 {% block root %}
-	root /usr/share/nagios3/htdocs;
+	root {{ nginx_nagios_root }};
 {% endblock %}
 
 {% block template_try_files %}
@@ -11,27 +11,47 @@
 	index index.php index.html;
 {% endblock %}
 
+{% block template_headers %}
+	# --> Custom headers
+{% for key, value in __headers.iteritems() %}
+{% if key == "X-Frame-Options" %}
+	# X-Frame-Options forced by Ansible
+	add_header {{ key }} SAMEORIGIN{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
+{% else %}
+	add_header {{ key }} {{ value | replace(' always', '') }}{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
+{% endif %}
+{% endfor %}
+	# <-- Custom headers
+{% endblock %}
+
+
 {% block template_local_content %}
 	location ~ /\.ht {
 		deny all;
 	}
 
 	location /stylesheets {
-		alias /etc/nagios3/stylesheets;
+{% if nginx_nagios_stylesheets is defined %}
+		alias {{ nginx_nagios_stylesheets }};
+{% endif %}
 		expires 60d;
 	}
 {% endblock %}
 
 {% block template_upstream_location %}
+{% if ansible_distribution == 'Debian' %}
 	location /cgi-bin/nagios3 {
 		root /usr/lib;
+{% elif ansible_distribution == 'FreeBSD' %}
+	location /cgi-bin {
+{% endif %}
 		try_files $uri =404;
 {% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
 		include fastcgi_params;
 {% else %}
 		include fastcgi.conf;
 {% endif %}
-		fastcgi_pass unix:/var/run/fcgiwrap.socket;
+		fastcgi_pass unix:{{ nginx_fcgiwrap_sock }};
 		fastcgi_param AUTH_USER $remote_user;
 		fastcgi_param REMOTE_USER $remote_user;
 	}

templates/etc/nginx/sites-available/_proxy.j2

@@ -7,7 +7,7 @@
 {% endblock %}
 
 {% block template_try_files %}
-		include /etc/nginx/proxy_params;
+		include {{ nginx_etc_dir }}/proxy_params;
 		proxy_pass http://{{ item.upstream_name }};
 {% if item.proxy_params is defined and item.proxy_params is iterable %}
 {% for param in item.proxy_params %}

tests/includes/post_Debian.yml

@@ -0,0 +1,10 @@
+---
+
+- name: APT | Install web apps
+  apt: pkg={{ item }} state=present
+  with_items:
+    - nagios3
+    - backuppc
+
+- name: SERVICE | Ensure backuppc is started
+  service: name=backuppc state=started

tests/includes/post_FreeBSD.yml

@@ -0,0 +1,31 @@
+---
+
+- name: APT | Install web apps
+  pkgng: pkg={{ item }} state=present
+  with_items:
+    - nagios
+    - backuppc
+
+- name: COMMAND | Activate backuppc config
+  command: >
+    cp /usr/local/etc/backuppc/config.pl.sample /usr/local/etc/backuppc/config.pl
+    creates=/usr/local/etc/backuppc/config.pl
+
+- name: FILE | Fix backuppc permissions
+  file: >
+    path=/usr/local/etc/backuppc/config.pl
+    owner=backuppc
+    group=backuppc
+
+- name: FILE | Fix fcgiwrap permission
+  file: >
+    path={{ nginx_fcgiwrap_sock }}
+    mode=0640
+    owner={{ nginx_user }}
+    group={{ nginx_user }}
+
+#
+# We don't manage BackupPC on FreeBSD... too dirty. :/
+#
+#- name: SERVICE | Ensure backuppc is started
+#  service: name=backuppc state=started enabled=yes

tests/includes/pre_Debian.yml

@@ -0,0 +1,22 @@
+---
+
+- name: APT_REPOSITORY | Install backports
+  apt_repository: repo='deb http://httpredir.debian.org/debian {{ ansible_distribution_release }}-backports main' state=present
+
+- name: APT | Install needed packages
+  apt: pkg={{ item }} update_cache=yes cache_valid_time=3600 state=present
+  with_items:
+    - php5-fpm
+    - curl
+    - fcgiwrap
+
+- name: APT | Install nghttp2
+  apt: pkg=nghttp2 state=present
+  when: ansible_distribution_major_version | version_compare(8, 'ge')
+
+- name: SERVICE | Force start services
+  service: name={{ item }} state=started
+  register: sf
+  with_items:
+    - php5-fpm
+    - fcgiwrap

tests/includes/pre_FreeBSD.yml

@@ -0,0 +1,24 @@
+---
+
+- name: SET_FACT | FreeBSD web user
+  set_fact:
+    nginx_pkgng_package: 'nginx-devel'
+    nginx_user: 'www'
+    nginx_php_sockets:
+      - host: '127.0.0.1'
+        port: 9000
+
+- name: PKGNG | Install needed packages
+  pkgng: pkg={{ item }} state=present
+  with_items:
+    - php56
+    - curl
+    - fcgiwrap
+    - nghttp2
+
+- name: SERVICE | Force start services
+  service: name={{ item }} state=started enabled=yes
+  register: sf
+  with_items:
+    - php-fpm
+    - fcgiwrap

tests/test.yml

@@ -2,23 +2,8 @@
 
 - hosts: all
   pre_tasks:
-    - name: APT_REPOSITORY | Install backports
-      apt_repository: repo='deb http://httpredir.debian.org/debian {{ ansible_distribution_release }}-backports main' state=present
-    - name: APT | Install needed packages
-      apt: pkg={{ item }} update_cache=yes cache_valid_time=3600 state=present
-      with_items:
-        - php5-fpm
-        - curl
-        - fcgiwrap
-    - name: SERVICE | Force start services
-      service: name={{ item }} state=started
-      register: sf
-      with_items:
-        - php5-fpm
-        - fcgiwrap
-    - name: PAUSE | Prevent bugs (CGI not fully loaded)
-      pause: seconds=5
-      when: sf.changed
+    - name: INCLUDE | Pre_tasks related to OS version
+      include: "includes/pre_{{ ansible_distribution }}.yml"
     - name: FILE | Create an internal SSL dir
       file: path={{ int_ansible_ssl_dir }} state=directory
     - name: COPY | Deploy test certificate
@@ -29,6 +14,7 @@
 # Internal vars
     int_ansible_ssl_dir: '/etc/ansible-ssl'
 # Role vars
+    nginx_worker_processes: 1 # Ansible+FreeBSD can't detect CPU number
     nginx_backports: true
     nginx_php: true
     nginx_upstreams:
@@ -119,23 +105,30 @@
           - 'test-alias.local'
           - 'test2-alias.local'
         template: '_base'
+        filename : 'first-test'
         override_try_files: '$uri $uri index.htm index.html'
+        headers:
+          'X-Frame-Options': 'deny always'
+          'X-ansible-default': '1'
         manage_local_content: false
+        use_error_log: false
         more:
           - 'autoindex off;'
-          - 'add_header X-ansible-default 1;'
         location:
           '/test':
             - 'return 403;'
           '/gunther':
             - 'return 404;'
+          '/status':
+            - 'stub_status on;'
+            - 'access_log off;'
+            - 'allow 127.0.0.1;'
+            - 'deny all;'
       - name: 'test-htpasswd.local'
         template: '_base'
         location:
           '/hello':
             - htpasswd: 'hello'
-            - 'default_type "text/html; charset=UTF-8";'
-            - 'echo hello;'
       - name: 'test-htpasswd-all.local'
         template: '_base'
         htpasswd: 'hello'
@@ -150,6 +143,8 @@
         redirect_from:
           - 'www.test-php.local'
         template: '_php'
+        use_error_log: true
+        use_access_log: true
       - name: 'test-php-index.local'
         template: '_php_index'
       - name: 'test-proxy.local'
@@ -157,8 +152,8 @@
           - 8080
         template: '_proxy'
         upstream_name: 'test'
-        more:
-          - 'add_header X-proxyfied 1;'
+        headers:
+          'X-proxyfied': '1'
       - name: 'deleted.local'
         delete: true
       - name: 'redirect-to.local'
@@ -177,8 +172,14 @@
         proto: ['http', 'https']
         template: '_base'
         ssl_name: 'test-ssl-predeployed.local'
-        more:
-          - 'add_header X-ansible-default 1;'
+        headers:
+          'X-ansible-default': '1'
+        ssl_template: false
+      - name: 'test-ssl-redirect.local'
+        proto: ['https']
+        template: '_base'
+        ssl_name: 'test-ssl.local'
+        redirect_https: true
     nginx_dh_length: 1024
   roles:
     - ../../
@@ -186,14 +187,8 @@
 # --------------------------------
 # Apps
 # --------------------------------
-    - name: APT | Install web apps
-      apt: pkg={{ item }} state=present
-      with_items:
-        - nagios3
-        - backuppc
-    - name: SERVICE | Ensure backuppc is started
-      service: name=backuppc state=started
-
+    - name: INCLUDE | Post_tasks related to OS version
+      include: "includes/post_{{ ansible_distribution }}.yml"
 # --------------------------------
 # Deploy index files
 # --------------------------------
@@ -203,13 +198,16 @@
     - name: -- Add HTML file --
       copy: dest="{{ item }}/index.html" content="Index HTML test OK\n"
       with_items: ['{{ nginx_root }}/test.local/public', '/var/tmp', '{{ nginx_root }}/test-htpasswd-all.local/public', '{{ nginx_root }}/test-ssl.local/public', '{{ nginx_root }}/test-ssl-predeployed.local/public']
-
+    - name: -- Create directory --
+      file: path={{ nginx_root }}/test-htpasswd.local/public/hello state=directory
+    - name: -- Add HTML file hello --
+      copy: dest="{{ nginx_root }}/test-htpasswd.local/public/hello/index.html" content="hello\n"
 # --------------------------------
 # Simple vhosts tests
 # --------------------------------
     - name: -- VERIFY VHOSTS --
       command: "curl -H 'Host: {{ item.name if item.name is string else item.name[0] }}' http://127.0.0.1{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/"
-      with_items: nginx_vhosts
+      with_items: "{{ nginx_vhosts }}"
       when: item.delete is undefined or not item.delete
       changed_when: false
     - name: -- VERIFY FORBIDDEN --
@@ -219,7 +217,7 @@
       changed_when: false
     - name: -- VERIFY REDIRECT VHOSTS --
       command: "curl -H 'Host: {{ item.redirect_from[0] }}' http://127.0.0.1/"
-      with_items: nginx_vhosts
+      with_items: "{{ nginx_vhosts }}"
       when: item.redirect_from is defined and (item.delete is undefined or not item.delete)
       changed_when: false
       register: r
@@ -239,17 +237,17 @@
 # Basic Auth
 # --------------------------------
     - name: -- VERIFY AUTH BASIC NONE --
-      command: "curl -H 'Host: test-htpasswd.local' http://127.0.0.1/hello"
+      command: "curl -H 'Host: test-htpasswd.local' http://127.0.0.1/hello/"
       changed_when: false
       register: authnone
       failed_when: authnone.stdout.find('401 Authorization Required') == -1
     - name: -- VERIFY AUTH BASIC FAIL --
-      command: "curl -u fail:fail -H 'Host: test-htpasswd.local' http://127.0.0.1/hello"
+      command: "curl -u fail:fail -H 'Host: test-htpasswd.local' http://127.0.0.1/hello/"
       changed_when: false
       register: authfail
       failed_when: authfail.stdout.find('401 Authorization Required') == -1
     - name: -- VERIFY AUTH BASIC OK --
-      command: "curl -u hanx:qwerty -H 'Host: test-htpasswd.local' http://127.0.0.1/hello"
+      command: "curl -u hanx:qwerty -H 'Host: test-htpasswd.local' http://127.0.0.1/hello/"
       changed_when: false
       register: authok
       failed_when: authok.stdout.find('hello') == -1
@@ -272,6 +270,7 @@
       changed_when: false
       register: authbpc
       failed_when: authbpc.stdout.find('BackupPC Server Status') == -1
+      when: ansible_distribution != 'FreeBSD'
 
 # --------------------------------
 # Nagios
@@ -282,7 +281,7 @@
       register: nagios_php
       failed_when: nagios_php.stdout.find('Nagios Core') == -1
     - name: -- VERIFY NAGIOS3 CGI --
-      command: "curl -u nagiosadmin:nagios -H 'Host: nagios3.local' http://127.0.0.1/cgi-bin/nagios3/summary.cgi"
+      command: "curl -u nagiosadmin:nagios -H 'Host: nagios3.local' http://127.0.0.1/cgi-bin{% if ansible_distribution == 'Debian' %}/nagios3{% endif %}/summary.cgi"
       changed_when: false
       register: nagios_cgi
       failed_when: nagios_cgi.stdout.find('Nagios Event Summary') == -1
@@ -298,6 +297,15 @@
       with_items:
         - 'test-ssl-predeployed.local'
         - 'test-ssl.local'
+    - name: -- VERIFY SSL REDIRECT --
+      command: "curl -v --insecure -H 'Host: {{ item }}' http://127.0.0.1/"
+      changed_when: false
+      register: sslredirok
+      failed_when: >
+        sslredirok.stderr.find('< Location') == -1 and
+        sslredirok.stderr.find('https://{{ item }}/') == -1
+      with_items:
+        - 'test-ssl-redirect.local'
 
 # --------------------------------
 # Default vhosts
@@ -326,3 +334,20 @@
       changed_when: false
       register: notdefaultssl
       failed_when: notdefaultssl.stderr.find('X-ansible-default') != -1
+    - name: -- VERIFY DEFAULT VHOST + STUB_STATUS --
+      command: "curl -v http://127.0.0.1/status"
+      changed_when: false
+      register: vdefault_status
+      failed_when: >
+        vdefault_status.stderr.find('X-ansible-default') == -1 or
+        vdefault_status.stdout.find('Active connections') == -1
+
+# --------------------------------
+# Check HTTP2
+# --------------------------------
+    - name: SHELL | Check HTTP2
+      shell: nghttp -nv https://localhost 2> /dev/null | grep -q h2
+      args:
+        executable: /bin/sh
+      changed_when: false
+      when: nginx_auto_config_httpv2 and 'http_v2' in nginx_modules

vars/Debian.yml

@@ -0,0 +1,8 @@
+nginx_events_use: 'epoll'
+nginx_pid: '/run/nginx.pid'
+nginx_etc_dir: '/etc/nginx'
+
+# Specific vhosts
+nginx_nagios_root: '/usr/share/nagios3/htdocs'
+nginx_nagios_stylesheets: '/etc/nagios3/stylesheets'
+nginx_fcgiwrap_sock: '/var/run/fcgiwrap.socket'

vars/FreeBSD.yml

@@ -0,0 +1,7 @@
+nginx_events_use: 'kqueue'
+nginx_pid: '/var/run/nginx.pid'
+nginx_etc_dir: '/usr/local/etc/nginx'
+
+# Specific vhosts
+nginx_nagios_root: '/usr/local/www/nagios'
+nginx_fcgiwrap_sock: '/var/run/fcgiwrap/fcgiwrap.sock'