142 Commits
1.2.1 ... 1.5.0

Author SHA1 Message Date
Emilien M
8218e5c972 Fix deprecations (#35)
* Drop Nagios support
* Fix start PHP-FPM on Docker
* Fix deprecations on Ansible 2.7

- with_ -> loop
- fix filters as test
- test version_compare -> version
- set min_version to 2.5
2019-01-24 11:05:46 +01:00
Emilien Mantel
87c1c68949 Add Ansible 2.5 + 2.6 to travis 2018-10-03 14:09:20 +02:00
Emilien Mantel
817929beca Add self-signed cert feature 2018-04-20 09:32:46 +02:00
Emilien Mantel
678dff9a1a Tune vimrc (mouse is boring on stretch) 2018-04-20 09:20:39 +02:00
Emilien Mantel
3da65983bd Fix acme create 2018-03-22 20:35:51 +01:00
Emilien Mantel
3fb8f092fb Fake site + force IPv6 2018-03-22 20:30:10 +01:00
Emilien Mantel
19a85ca381 Autoconfigure ipv6 on fakesite 2018-03-22 19:48:41 +01:00
Emilien Mantel
2bab49221a Autoconfigure IPv6 on each server 2018-03-22 19:47:30 +01:00
Emilien Mantel
6e877c070e Configure nginx restart with acme.sh 2018-03-22 19:03:33 +01:00
Emilien Mantel
c165f88126 Manage multiple names with acme.sh 2018-03-22 18:43:44 +01:00
Emilien Mantel
59dd3997de Acme uses light fake sites 2018-03-22 18:39:10 +01:00
Emilien Mantel
ae6dc88bc4 Delete current site when playing with acme.sh 2018-03-22 17:49:02 +01:00
Emilien Mantel
6719b415ab Fix playbook crash with acme and multiple domain 2018-03-22 17:47:53 +01:00
Emilien Mantel
fd21603a4d Fix FreeBSD version for galaxy 2018-03-18 12:37:27 +01:00
Emilien Mantel
f52be2bbf3 Add FreeBSD in meta/main.yml 2018-03-17 14:52:14 +01:00
Emilien Mantel
a4aeec0a94 Drop check legacy nginx version 2018-03-17 14:08:48 +01:00
Emilien Mantel
713a2241de Drop owncloud code 2018-03-17 14:04:48 +01:00
Emilien Mantel
6cae501266 Drop fastcgi_params support 2018-03-17 14:02:08 +01:00
Emilien Mantel
dd7834e8ce Fix daemonize lock file (ngrok)
It overwrote the ngrok binary on Debian
2018-03-17 14:01:07 +01:00
Emilien Mantel
cb031c4014 Force shell for FreeBSD 2018-03-17 14:00:01 +01:00
Emilien Mantel
db97fe84f8 Add doc for FreeBSD 2018-03-17 12:54:57 +01:00
Emilien Mantel
c9629e385f Working on FreeBSD 11/12 2018-03-17 12:24:19 +01:00
Emilien Mantel
5843d695b3 Manage FreeBSD 11 2018-03-16 21:56:15 +01:00
Emilien Mantel
8c7d581131 Fix php upstream with TCP socket 2018-03-16 18:53:53 +01:00
Emilien Mantel
0b85d81991 Better redirect management
Fixes renew with letsencrypt (always redirect and never handle
challenge)
2018-03-15 18:30:01 +01:00
Emilien Mantel
7fe08beb9a Enable TLSv1.3 on nginx v1.13.0 2018-03-15 18:13:13 +01:00
Emilien Mantel
33ef161623 Ansible 2.4 must not fail now 2018-03-15 18:07:36 +01:00
Emilien Mantel
c2685732a4 Manages Ansible 2.4+ with Docker
Closes #30
2018-03-15 18:06:38 +01:00
Emilien Mantel
737dfbeb30 Add debug mode 2018-03-15 16:10:37 +01:00
Emilien Mantel
def13392a7 Add Ansible 2.5 on travis 2018-03-15 12:56:12 +01:00
Emilien Mantel
6897f66344 redirect_from manages now https sites 2018-03-15 12:54:12 +01:00
Emilien Mantel
552999c782 Install modules on Debian 9+ or 8 with backports 2018-01-15 22:36:53 +01:00
Emilien Mantel
fe32f8d40a Revert "minor fix"
This reverts commit 5d46daaba8.
2018-01-15 22:33:55 +01:00
Emilien Mantel
5d46daaba8 minor fix 2018-01-15 19:12:22 +01:00
Emilien Mantel
4ca8f9e319 Check nginx_version before install modules 2018-01-15 18:41:17 +01:00
Emilien Mantel
d3d9b5c296 Install modules OK 2017-12-14 20:06:29 +01:00
Emilien Mantel
45886ca9cc Install modules just after nginx 2017-12-14 19:41:05 +01:00
Emilien Mantel
bb74ac804e Donation 2017-12-09 17:05:02 +01:00
Emilien Mantel
2a5a1701f3 Try fix travis: php service not started 2017-12-07 12:40:16 +01:00
Emilien Mantel
a1866f806f Fix test php_index2, fallback in /index.php 2017-12-07 11:14:19 +01:00
Emilien Mantel
0788b6c84f Delete PHP upstream when nginx_php is empty
Closes #31
2017-12-07 11:09:44 +01:00
Emilien Mantel
222998839c Fix site.state == absent
- Site is deleted now
- Doc updated
2017-12-06 12:05:46 +01:00
Emilien Mantel
d00f3301e1 _php template, do not go to /index.php as fallback 2017-12-05 10:40:21 +01:00
Emilien Mantel
8f76b9c68c acme.sh : no_log + fix check created 2017-12-03 02:15:48 +01:00
Emilien Mantel
8dca6c8404 Fix acme when acme_port is not defined 2017-12-03 02:08:32 +01:00
Emilien Mantel
a01f6cd5ea Let's Encrypt certificate with acme.sh 2017-12-03 01:32:56 +01:00
Emilien Mantel
609e4f013d Fix crash when nginx_upstream is not set 2017-11-27 13:43:28 +01:00
Emilien Mantel
c79d370ad6 Add new site template: _php_index2 2017-11-27 13:34:03 +01:00
Emilien Mantel
45f800fe18 With Vagrant 2.* ansible.sudo -> ansible.become 2017-11-27 13:25:04 +01:00
Emilien Mantel
9fc4838b1b Fix loop control 2017-11-03 11:06:57 +01:00
Emilien Mantel
3304934227 Add loop_control.label on site tasks 2017-11-03 10:56:18 +01:00
Emilien Mantel
57968b50c0 Restart nginx on SSL file writes 2017-11-03 10:30:24 +01:00
Emilien Mantel
8675d683ec Tests with uri module (closes #25) 2017-10-27 15:27:16 +02:00
Emilien Mantel
10bd837f54 Setup is now 'handled' 2017-10-26 15:50:59 +02:00
Emilien Mantel
332e28a9d7 YAML cleaning 2017-10-26 15:47:30 +02:00
Emilien Mantel
4b3b857733 Remove heavy code (nginx filename) using a filter 2017-10-26 15:33:00 +02:00
Emilien Mantel
608784ca55 Fix travis 2017-10-26 11:45:20 +02:00
Emilien Mantel
36652f4742 Move upstream templates to conf.d 2017-10-26 11:09:21 +02:00
Emilien Mantel
463ce45105 New PHP management
- New versions (7.x)
- PHP upstream name
- Sites can use : default PHP version, select first one by PHP version,
  select by upstream name
- Add PHP filter plugin
2017-10-26 11:04:38 +02:00
Emilien Mantel
70283ddcc6 Update .travis.yml
Fix failures
2017-10-03 19:57:04 +02:00
Emilien Mantel
de40c07ac5 Better readability 2017-10-03 17:57:35 +02:00
Emilien Mantel
54dd1ef3c0 Remove legacy code 2017-10-03 17:38:06 +02:00
Emilien Mantel
cfe27ef245 Bypasses ansible 2.4.0.0 service issue
On Ansible 2.4, it seems the service is not reloaded/restarted. This
commit skips errors...
2017-10-03 17:35:35 +02:00
Emilien Mantel
6f098475e5 Remove useless vagrant boxes 2017-10-03 16:52:45 +02:00
Emilien Mantel
090875cbde Travis changes
- drop allow failure for stretch and ansible 2.3
- manages ansible 2.4
2017-09-26 09:44:52 +02:00
Emilien Mantel
b72263f7e5 Fix failures on travis 2017-07-27 14:56:43 +02:00
Emilien Mantel
4751eaa3c1 Add missing cont on Vagrant 2017-07-27 14:31:42 +02:00
Emilien Mantel
e83395271d Fix tests for Debian Stretch
- nagios is not available
- curl can use HTTP2 (headers are lowercase)
- bypass tests when htpasswd is empty (bypass issue #28)
2017-07-27 14:25:22 +02:00
Emilien Mantel
6935404939 Improve syntax readability 2017-07-27 12:21:10 +02:00
Emilien Mantel
acf8de8f87 Fix warning on when 2017-07-27 12:01:59 +02:00
Emilien Mantel
50e25d45b8 Elegant fail for htpasswd+stretch (#28 related) 2017-07-27 11:50:48 +02:00
Emilien Mantel
adf53b0d95 Fix redirect_to when filename is set 2017-07-25 17:00:34 +02:00
Emilien Mantel
4d819ac2a1 Add tags to ssl and site configuration 2017-07-19 15:57:41 +02:00
Emilien Mantel
af9fa6a2c3 Update stretch vagrant box (virtualbox) 2017-06-29 15:04:59 +02:00
Emilien Mantel
4486bddb19 Add blank lines, spaces... (readability) 2017-06-14 18:00:30 +02:00
Emilien Mantel
0b99a1c28e Remove ansible 2.3 warnings - fixes #29 2017-06-14 17:54:48 +02:00
Emilien Mantel
d616657f12 travis: missing debian stretch + ansible 2.2 2017-06-09 09:48:24 +02:00
Emilien Mantel
eb0bdcad6f Travis major changes:
- Use Vagrant + Docker
- Test multiple Ansible versions
2017-06-06 14:15:03 +02:00
Emilien Mantel
3ae791ec47 Role can be fully called in check mode 2017-06-01 11:38:22 +02:00
Emilien Mantel
cbdfc741ba Renaming variables *vhost* -> *site*
Vhost is an Apache configuration, not Nginx.
Manages backward compatibility.
2017-04-25 12:27:08 +02:00
Emilien Mantel
a60e81cc1f fix redirect https : show port only if not 443 2017-04-13 15:16:53 +02:00
Emilien Mantel
f1af8991fd Bug fix : redirect https with many names
On a multiple name vhost with redirect_https, redirection is done with
the origin name not the main name.
2017-04-13 14:21:14 +02:00
Emilien Mantel
fcb59fd331 no_log when deleting htpasswd files 2017-03-14 11:21:35 +01:00
Emilien Mantel
2aa9e8b6b9 load modules uses pattern *.conf 2017-03-13 10:19:07 +01:00
Emilien Mantel
7892626fc0 Load module from {{nginx_dir}}/etc/modules-enabled 2017-03-13 09:53:29 +01:00
Emilien Mantel
ae167d3317 Disabling htpasswd by setting false 2017-03-08 11:10:14 +01:00
Emilien Mantel
d8f241f79c Fix headers quotes on nagios 2017-02-09 12:30:13 +01:00
Emilien Mantel
0e33d1b372 Auto quote headers values 2017-02-09 12:03:14 +01:00
Emilien Mantel
2cd559b87a Fix X-XSS-Protection with quotes 2017-02-09 11:59:33 +01:00
Emilien Mantel
d550f1bab1 Read-only var: nginx_servers_default_headers 2017-02-08 16:16:19 +01:00
Emilien Mantel
021ca4e173 Auto add "X-XSS-Protection" header to servers 2017-02-08 15:59:02 +01:00
Emilien Mantel
38a8354754 Bind proxy_protocol on port 2017-01-03 12:07:31 +01:00
Emilien Mantel
1b06fe273f Add html file to test-ssl-proxy-protocol.local 2017-01-03 11:32:45 +01:00
Emilien Mantel
684c794566 Manage proxy protocol 2017-01-03 11:16:28 +01:00
Emilien Mantel
f2cfae31b1 Update APT cache should not "change" 2016-12-08 17:34:59 +01:00
Emilien Mantel
481bcd34b1 no_log while creating SSL directories 2016-12-08 09:19:12 +01:00
Emilien Mantel
875c7cfb2e Async task: generate dh 2016-12-07 07:48:32 +01:00
Emilien Mantel
8caddedc68 Deploy custom facts with nginx_vhosts 2016-11-29 14:32:27 +01:00
Emilien Mantel
4a3aed6974 no_log on task : Deploy SSL certs 2016-11-29 09:35:53 +01:00
Emilien Mantel
8ccc9f521f Secure files permission 2016-11-25 11:33:20 +01:00
Emilien Mantel
5b0977567c New feature: provide location order (#24 related) 2016-11-23 11:44:04 +01:00
E Mantel
de71e1bdcc Better display for server_name 2016-11-16 20:51:03 +01:00
Emilien Mantel
19cdab5ba4 default vhost on HTTPS redirect 2016-11-15 17:15:39 +01:00
Emilien Mantel
999f226838 Delete useless test 2016-11-07 17:40:00 +01:00
Emilien Mantel
40f67fc103 Vhost ssl_name name is now optional 2016-11-07 17:22:14 +01:00
Emilien Mantel
6b1366298f no_log on sensitive data 2016-11-02 14:48:49 +01:00
Emilien Mantel
817d56fb81 Fix redirect https on non standard port 2016-11-02 14:25:27 +01:00
Emilien Mantel
e08401acf8 vhost redirect_from accepts string 2016-11-02 14:23:55 +01:00
Emilien Mantel
0bda544a2f Revert "nginx -t has no side effect"
This reverts commit 2641777abe.
2016-11-02 14:21:32 +01:00
Emilien Mantel
2641777abe nginx -t has no side effect 2016-10-27 17:48:57 +02:00
Emilien Mantel
60a368f3e1 Manage many configurations 2016-10-13 11:11:07 +02:00
Emilien Mantel
41a5575627 Dynamic modules starts at version 1.9.11 2016-10-12 18:16:53 +02:00
Emilien Mantel
42bb4a3e2b Dynamic module management (closes #23) 2016-10-12 18:13:59 +02:00
Emilien Mantel
ef3440a015 Bug fix: vhost with absent state is not deleted in sites-enabled 2016-10-10 14:35:46 +02:00
Emilien Mantel
eb704da8d8 README improvement for vhost.filename 2016-10-07 11:01:00 +02:00
Emilien Mantel
64a9ab7c68 Better display in _base.j2 with many server_name 2016-10-07 10:57:26 +02:00
Emilien Mantel
c4ee6eb1a2 vhost.filename used by log and directories creation 2016-10-07 10:50:05 +02:00
Emilien Mantel
8789bd2c9c Add some security rules for wordpress 2016-09-03 12:43:28 +02:00
Emilien Mantel
a2e6e98436 Add new feature: nginx_fastcgi_fix_realpath 2016-08-30 17:14:34 +02:00
E Mantel
fc44b704cf Merge pull request #22 from HanXHX/vhost_state
Vhost state
2016-08-30 12:28:44 +02:00
Emilien Mantel
cf662acdd7 Fix condition when creating vhosts 2016-08-30 11:18:14 +02:00
Emilien Mantel
34c8d1926f Vhost state (closes #19) 2016-08-30 11:06:38 +02:00
Emilien Mantel
634d88874f Backward compatibility with nginx_php variable 2016-08-30 10:52:28 +02:00
Emilien Mantel
5e254331c4 manage php upstream version (styles) on vhost 2016-08-26 12:14:54 +02:00
Emilien Mantel
3ab8e0391c Disable tests for owncloud (fix later) 2016-08-25 18:19:07 +02:00
Emilien Mantel
aac33b7376 better vhost for owncloud 2016-08-11 13:03:56 +02:00
Emilien Mantel
88c6c5a043 Manages PHP minor versions 2016-08-11 11:30:26 +02:00
Emilien Mantel
a9ad41b40f Fix more block for owncloud 2016-08-11 11:09:43 +02:00
Emilien Mantel
d26b2b9a49 Fix owncloud root 2016-08-11 10:59:44 +02:00
Emilien Mantel
b17acac4c4 Tests packages on Debian 2016-08-11 10:48:12 +02:00
Emilien Mantel
c160640c7f Force latest version of openssl when using nginx from backports 2016-08-11 10:36:50 +02:00
Emilien Mantel
887219f86c Force install OpenSSL from backports when nginx uses backports 2016-08-11 10:25:45 +02:00
Emilien Mantel
76c02abf47 Fix owncloud js (from php) and add tests 2016-08-11 09:38:09 +02:00
Emilien Mantel
26c93c9315 Add owncloud and prevent nginx from dotdeb 2016-08-10 21:29:03 +02:00
Emilien Mantel
8fb3829860 Drop Wheezy support in IC 2016-08-09 16:12:54 +02:00
Emilien Mantel
e4b5bb2a32 Support many php versions (php7) + drop wheezy support 2016-08-09 16:02:09 +02:00
Emilien Mantel
af3930a58a New feature: upstream state (remove upstream if needed) 2016-05-11 17:21:52 +02:00
Emilien Mantel
4dcb5f44c6 Don't need any inventory file for tests 2016-03-23 17:27:59 +01:00
Emilien Mantel
1204dbacd1 [FreeBSD] Enable nginx service 2016-03-15 23:12:17 +01:00
Emilien Mantel
3087154335 [FreeBSD] restart nginx on vhost config changed 2016-03-15 23:00:55 +01:00
Emilien Mantel
72edbe8656 [FreeBSD] Force create log dir 2016-03-15 22:49:19 +01:00
E Mantel
66b2ac238c README: Change URL in galaxy 2016-03-15 19:48:00 +01:00
57 changed files with 1460 additions and 627 deletions

.gitignore vendored
@@ -1,3 +1,4 @@
.vagrant* .vagrant*
*.swp *.swp
*.retry *.retry
*.pyc

@@ -1,16 +1,48 @@
env: env:
- PLATFORM=debian-wheezy - PLATFORM='docker-debian-jessie' ANSIBLE_VERSION='ansible>=2.5,<2.6'
- PLATFORM=debian-jessie - PLATFORM='docker-debian-jessie-backports' ANSIBLE_VERSION='ansible>=2.5,<2.6'
- PLATFORM='docker-debian-jessie-dotdeb' ANSIBLE_VERSION='ansible>=2.5,<2.6'
- PLATFORM='docker-debian-stretch' ANSIBLE_VERSION='ansible>=2.5,<2.6'
- PLATFORM='docker-debian-stretch-sury' ANSIBLE_VERSION='ansible>=2.5,<2.6'
- PLATFORM='docker-debian-jessie' ANSIBLE_VERSION='ansible>=2.6,<2.7'
- PLATFORM='docker-debian-jessie-backports' ANSIBLE_VERSION='ansible>=2.6,<2.7'
- PLATFORM='docker-debian-jessie-dotdeb' ANSIBLE_VERSION='ansible>=2.6,<2.7'
- PLATFORM='docker-debian-stretch' ANSIBLE_VERSION='ansible>=2.6,<2.7'
- PLATFORM='docker-debian-stretch-sury' ANSIBLE_VERSION='ansible>=2.6,<2.7'
- PLATFORM='docker-debian-jessie' ANSIBLE_VERSION='ansible>=2.7,<2.8'
- PLATFORM='docker-debian-jessie-backports' ANSIBLE_VERSION='ansible>=2.7,<2.8'
- PLATFORM='docker-debian-jessie-dotdeb' ANSIBLE_VERSION='ansible>=2.7,<2.8'
- PLATFORM='docker-debian-stretch' ANSIBLE_VERSION='ansible>=2.7,<2.8'
- PLATFORM='docker-debian-stretch-sury' ANSIBLE_VERSION='ansible>=2.7,<2.8'
matrix:
fast_finish: true
sudo: required sudo: required
dist: trusty
language: python language: python
services: services:
- docker - docker
before_install:
- wget https://releases.hashicorp.com/vagrant/2.0.1/vagrant_2.0.1_x86_64.deb
- sudo dpkg -i vagrant_2.0.1_x86_64.deb
install:
- pip install "$ANSIBLE_VERSION"
script: script:
- docker build -f tests/$PLATFORM.Dockerfile -t test-$PLATFORM . && docker run --name $PLATFORM test-$PLATFORM - VAGRANT_DEFAULT_PROVIDER=docker vagrant up $PLATFORM
- >
VAGRANT_DEFAULT_PROVIDER=docker vagrant provision $PLATFORM
| grep -q 'changed=0.*failed=0'
&& (echo 'Idempotence test: pass' && exit 0)
|| (echo 'Idempotence test: fail' && exit 1)
- VAGRANT_DEFAULT_PROVIDER=docker vagrant status
notifications: notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/ webhooks: https://galaxy.ansible.com/api/v1/notifications/
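Review bot: the `before_install` step fetches `vagrant_2.0.1_x86_64.deb` and installs it with `sudo dpkg -i` without checking a checksum or signature, so the CI box runs root-installed code whose integrity rests entirely on the TLS connection to the download host. HashiCorp publishes a SHA256SUMS file (and a GPG signature for it) next to each release; pin the expected hash in the config and run `sha256sum -c` before the `dpkg -i` line. The `pip install "$ANSIBLE_VERSION"` step deliberately floats within a minor-version range, which is what the matrix is testing, so that one is fine as is.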

@@ -1,23 +1,36 @@
Nginx for Debian/FreeBSD Ansible role Nginx for Debian/FreeBSD Ansible role
===================================== =====================================
[![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-HanXHX.nginx-blue.svg)](https://galaxy.ansible.com/list#/roles/4399) [![Build Status](https://travis-ci.org/HanXHX/ansible-nginx.svg?branch=master)](https://travis-ci.org/HanXHX/ansible-nginx) [![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-HanXHX.nginx-blue.svg)](https://galaxy.ansible.com/HanXHX/nginx/) [![Build Status](https://travis-ci.org/HanXHX/ansible-nginx.svg?branch=master)](https://travis-ci.org/HanXHX/ansible-nginx)
Install and configure Nginx on Debian/FreeBSD. Install and configure Nginx on Debian/FreeBSD.
Features: Features:
- SSL/TLS "hardened" support - SSL/TLS "hardened" support
- Manage basic auth on vhost / location - Manage basic auth on site / location
- Proxy + Upstream - Proxy + Upstream
- Fast PHP configuration - Fast PHP configuration
- Preconfigured vhost templates (should work on many app) - Preconfigured site templates (should work on many app)
- Auto-configure HTTP2 on SSL/TLS vhosts - Auto-configure HTTP2 on SSL/TLS sites
- Manage dynamic modules (install and loading)
- Deploy custom facts.d with sites config
- Can listen with proxy protocol
- Generate certificates with acme.sh (let's encrypt) -- *EXPERIMENTAL*
Supported OS:
| OS | Working | Stable (active support) |
| ------------------ | ------- | ----------------------- |
| Debian Jessie (8) | Yes | Yes |
| Debian Stretch (9) | Yes | Yes |
| FreeBSD 11 | Yes | No |
| FreeBSD 12 | Yes | No |
Requirements Requirements
------------ ------------
None. If you set true to `nginx_backports`, you must install backports repository before lauching this role. Ansible 2.5+. If you set true to `nginx_backports`, you must install backports repository before lauching this role.
Role Variables Role Variables
-------------- --------------
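Review bot: typo in the Requirements line on both sides of the hunk: "before lauching this role" should read "before launching this role"; worth fixing while the line is being rewritten for the Ansible 2.5+ requirement. The acme.sh feature bullet is flagged *EXPERIMENTAL*; since the defaults in this same change ship `nginx_acmesh: false`, say here that it is off unless explicitly enabled, so nobody assumes certificates are issued automatically.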
@@ -40,6 +53,7 @@ FreeBSD:
- `nginx_resolver`: list of DNS resolver (default: OpenDNS) - `nginx_resolver`: list of DNS resolver (default: OpenDNS)
- `nginx_error_log_level`: default log level - `nginx_error_log_level`: default log level
- `nginx_auto_config_httpv2`: boolean, auto configure HTTP2 where possible - `nginx_auto_config_httpv2`: boolean, auto configure HTTP2 where possible
- `nginx_fastcgi_fix_realpath`: boolean, use realpath for fastcgi (fix problems with symlinks and PHP opcache)
### Nginx Configuration ### Nginx Configuration
@@ -49,11 +63,22 @@ FreeBSD:
- `nginx_events_*`: all variables in events block - `nginx_events_*`: all variables in events block
- `nginx_http_*`: all variables in http block - `nginx_http_*`: all variables in http block
- `nginx_custom_http`: instructions list (will put data in `/etc/nginx/conf.d/custom.conf`) - `nginx_custom_http`: instructions list (will put data in `/etc/nginx/conf.d/custom.conf`)
- `nginx_module_packages`: package list module to install (Debian)
- `nginx_load_modules`: module list to load (full path), should be used only on FreeBSD
### Misc
- `nginx_debug_role`: set _true_ if you need to see output of no\_log tasks
About modules
-------------
Last updates from Debian backports loads modules from /etc/nginx/modules-enabled directory. Disabling/Enabling is not supported anymore. Please wait further update.
Fine configuration Fine configuration
------------------ ------------------
[Vhost configuration](doc/vhost.md) [Site configuration](doc/site.md)
[PHP configuration](doc/php.md) [PHP configuration](doc/php.md)
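Review bot: the `nginx_debug_role` entry should say what the flag costs: it turns off `no_log` on the role's sensitive tasks (SSL certificate and key deployment, htpasswd handling, acme.sh, per the commit log), so the output of a run with it set to true contains private key material and password hashes and must not be kept in shared or public logs. Separately, the "About modules" paragraph says enabling/disabling is "not supported anymore. Please wait further update" right after `nginx_load_modules` is documented; clarify that `nginx_load_modules` is the FreeBSD path (as its bullet says) and that on Debian backports whatever the packages drop into `/etc/nginx/modules-enabled` is loaded as-is.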
@@ -65,6 +90,7 @@ Fine configuration
[FreeBSD](doc/freebsd.md) [FreeBSD](doc/freebsd.md)
[acme.sh](doc/acme.md)
Note Note
---- ----
@@ -88,6 +114,19 @@ License
GPLv2 GPLv2
Donation
--------
If this code helped you, or if youve used them for your projects, feel free to buy me some :beers:
- Bitcoin: `1BQwhBeszzWbUTyK4aUyq3SRg7rBSHcEQn`
- Ethereum: `63abe6b2648fd892816d87a31e3d9d4365a737b5`
- Litecoin: `LeNDw34zQLX84VvhCGADNvHMEgb5QyFXyD`
- Monero: `45wbf7VdQAZS5EWUrPhen7Wo4hy7Pa7c7ZBdaWQSRowtd3CZ5vpVw5nTPphTuqVQrnYZC72FXDYyfP31uJmfSQ6qRXFy3bQ`
No crypto-currency? :star: the project is also a way of saying thank you! :sunglasses:
Author Information Author Information
------------------ ------------------
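Review bot: grammar in the Donation paragraph: "if youve used them for your projects" should be "if you've used it for your projects" (the subject is "this code").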

Vagrantfile vendored
@@ -6,51 +6,78 @@
Vagrant.configure("2") do |config| Vagrant.configure("2") do |config|
vms_debian = [ vms_debian = [
[ "debian-wheezy", "debian/wheezy64" ], { :name => "debian-jessie", :box => "debian/jessie64", :vars => { "nginx_php": [{"version": "5.6"}] }},
[ "debian-jessie", "debian/jessie64" ], { :name => "debian-jessie-backports", :box => "debian/jessie64", :vars => { "nginx_php": [{"version": "5.6"}], "nginx_backports": true }},
[ "debian-stretch", "sharlak/debian_stretch_64" ], { :name => "debian-jessie-dotdeb", :box => "debian/jessie64", :vars => { "nginx_php": [{"version": "7.0"}, {"version": "5.6", "upstream_name": "legacy"} ], "dotdeb": true }},
{ :name => "debian-stretch", :box => "debian/stretch64", :vars => { "nginx_php": [{"version": "7.0"}] }},
{ :name => "debian-stretch-sury", :box => "debian/stretch64", :vars => { "nginx_php": [{"version": "7.1"}], "sury": true }}
] ]
vms_freebsd = [ vms_freebsd = [
[ "freebsd-10.2", "freebsd/FreeBSD-10.2-STABLE" ] { :name => "freebsd-11", :box => "freebsd/FreeBSD-11.1-STABLE", :vars => {} },
{ :name => "freebsd-12", :box => "freebsd/FreeBSD-12.0-CURRENT", :vars => {} }
] ]
config.vm.provider "virtualbox" do |v| conts = [
{ :name => "docker-debian-jessie", :docker => "hanxhx/vagrant-ansible:debian8", :vars => { "nginx_php" => [{"version" => "5.6"}] }},
{ :name => "docker-debian-jessie-backports", :docker => "hanxhx/vagrant-ansible:debian8", :vars => { "nginx_php": [{"version": "5.6"}], "nginx_backports": true }},
{ :name => "docker-debian-jessie-dotdeb", :docker => "hanxhx/vagrant-ansible:debian8", :vars => { "nginx_php": [{"version": "7.0"}, {"version": "5.6", "upstream_name": "legacy"} ], "dotdeb": true }},
{ :name => "docker-debian-stretch", :docker => "hanxhx/vagrant-ansible:debian9", :vars => { "nginx_php": [{"version": "7.0"}] }},
{ :name => "docker-debian-stretch-sury", :docker => "hanxhx/vagrant-ansible:debian9", :vars => { "nginx_php": [{"version": "7.1"}], "sury": true }}
]
config.vm.network "private_network", type: "dhcp"
config.vm.synced_folder ".", "/vagrant", id: "vagrant-root", disabled: true
conts.each do |opts|
config.vm.define opts[:name] do |m|
m.vm.provider "docker" do |d|
d.image = opts[:docker]
d.remains_running = true
d.has_ssh = true
end
m.vm.provision "ansible" do |ansible|
ansible.playbook = "tests/test.yml"
ansible.verbose = 'vv'
ansible.become = true
ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true })
end
end
end
vms_debian.each do |opts|
config.vm.define opts[:name] do |m|
m.vm.box = opts[:box]
m.vm.provider "virtualbox" do |v|
v.cpus = 1 v.cpus = 1
v.memory = 256 v.memory = 256
end end
vms_debian.each do |vm|
config.vm.define vm[0] do |m|
m.vm.box = vm[1]
m.vm.network "private_network", type: "dhcp"
m.vm.provision "ansible" do |ansible| m.vm.provision "ansible" do |ansible|
ansible.playbook = "tests/test.yml" ansible.playbook = "tests/test.yml"
ansible.groups = { "test" => [ vm[0] ] }
ansible.verbose = 'vv' ansible.verbose = 'vv'
ansible.sudo = true ansible.become = true
ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true })
end end
end end
end end
# See: https://forums.freebsd.org/threads/52717/
vms_freebsd.each do |vm| vms_freebsd.each do |opts|
config.vm.define vm[0] do |m| config.vm.base_mac = "080027D14C66"
m.vm.box = vm[1] config.vm.define opts[:name] do |m|
m.vm.network "private_network", type: "dhcp" m.vm.box = opts[:box]
m.vm.guest = :freebsd m.vm.provider "virtualbox" do |v, override|
m.vm.synced_folder ".", "/vagrant", id: "vagrant-root", disabled: true override.ssh.shell = "csh"
m.ssh.shell = "sh" v.cpus = 2
m.vm.base_mac = "080027D14C66" v.memory = 512
end
m.vm.provision "shell", inline: "pkg install -y python bash" m.vm.provision "shell", inline: "pkg install -y python bash"
m.vm.provision "ansible" do |ansible| m.vm.provision "ansible" do |ansible|
ansible.playbook = "tests/test.yml" ansible.playbook = "tests/test.yml"
ansible.groups = { "test" => [ vm[0] ] }
ansible.verbose = 'vv' ansible.verbose = 'vv'
ansible.sudo = true ansible.become = true
ansible.extra_vars = { ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true, "ansible_python_interpreter": '/usr/local/bin/python' })
ansible_python_interpreter: '/usr/local/bin/python'
}
end end
end end
end end
end end
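Review bot: every test machine gets `"nginx_debug_role": true` merged into `ansible.extra_vars`, combined with `ansible.verbose = 'vv'`; since that flag switches off `no_log` on the role's certificate, key and htpasswd tasks, the Travis job output (public for a public repository) will carry the test private keys and password hashes. That is acceptable only if everything in tests/test.yml is throwaway material; otherwise drop the flag from the default merge and pass it per run. Two smaller points: `config.vm.base_mac = "080027D14C66"` is set on `config` inside the `vms_freebsd.each` loop, so it applies to every defined machine rather than only the FreeBSD boxes (the removed code set `m.vm.base_mac` per machine), and the `conts` list mixes hash-rocket string keys (`"nginx_php" => [...]` on the first entry) with `"key":` symbol-key syntax on the others; both serialize to the same JSON for extra_vars, but pick one style.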

@@ -16,8 +16,9 @@ nginx_resolver_valid: '300s'
nginx_resolver_timeout: '5s' nginx_resolver_timeout: '5s'
nginx_error_log_level: 'warn' # http://nginx.org/en/docs/ngx_core_module.html#error_log nginx_error_log_level: 'warn' # http://nginx.org/en/docs/ngx_core_module.html#error_log
nginx_auto_config_httpv2: true nginx_auto_config_httpv2: true
nginx_default_vhost: null nginx_default_site: null
nginx_default_vhost_ssl: null nginx_default_site_ssl: null
nginx_fastcgi_fix_realpath: true
# #
# Nginx directories # Nginx directories
@@ -31,10 +32,7 @@ nginx_helper_dir: '{{ nginx_etc_dir}}/helper'
# #
# PHP # PHP
nginx_php: false nginx_php: []
nginx_php_sockets:
- unix_socket: "/var/run/php5-fpm.sock"
nginx_upstreams: []
# #
# Nginx configuration # Nginx configuration
@@ -87,9 +85,14 @@ nginx_http_gzip_disable: '"msie6"'
nginx_custom_http: [] nginx_custom_http: []
# #
# Vhosts # Sites
# #
nginx_vhosts: [] nginx_sites: []
#
# Upstreams
#
nginx_upstreams: []
# #
# htpasswd # htpasswd
@@ -101,9 +104,28 @@ nginx_htpasswd: []
# #
nginx_ssl_pairs: [] nginx_ssl_pairs: []
#
# Dynamic modules
#
nginx_module_packages: []
nginx_load_modules: []
# #
# Diffie-Hellman # Diffie-Hellman
# #
nginx_dh: null nginx_dh: null
nginx_dh_path: '{{ nginx_ssl_dir }}/dhparam.pem' nginx_dh_path: '{{ nginx_ssl_dir }}/dhparam.pem'
nginx_dh_length: 2048 nginx_dh_length: 2048
#
# acme.sh
#
nginx_acmesh: false
nginx_acmesh_dir: "/opt/acme.sh"
nginx_acmesh_git_dir: "/tmp/acme.sh"
nginx_acmesh_test: false
#
# Debug
#
nginx_debug_role: false
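Review bot: `nginx_acmesh_git_dir: "/tmp/acme.sh"` is a fixed, predictable path in a world-writable directory that the role (running as root) clones into and later removes (doc/acme.md: "removed after install"); any local user can pre-create `/tmp/acme.sh` or drop a symlink there before the play runs and influence what gets copied into `nginx_acmesh_dir` or what the cleanup deletes. Default it to a root-owned location (for example under `{{ nginx_acmesh_dir }}`) or create it with `mktemp -d`, and make the clone task fail if the path already exists. `nginx_debug_role: false` as the shipped default is the right call.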

doc/acme.md Normal file
@@ -0,0 +1,15 @@
acme.sh
=======
Notes
-----
This feature is experimental.
Variables
---------
- `nginx_acmesh`: (bool) Enable/Disable acme.sh feature
- `nginx_acmesh_dir`: (string) Install directory
- `nginx_acmesh_git_dir`: (string) Git directory (removed after install)
- `nginx_acmesh_test`: (bool) If set to true (default false), uses test mode
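Review bot: the Variables list covers only the global switches; nothing here says which per-site keys drive issuance (the commit log mentions an `acme_port` site key and multiple names per certificate) or where the issued certificate and key end up. Also spell out what `nginx_acmesh_test` does: acme.sh's test mode issues from the Let's Encrypt staging CA, whose certificates are not browser-trusted, so the flag is for validating the flow, not for production sites.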

@@ -1,10 +1,15 @@
Auth Basic management Auth Basic management
===================== =====================
IMPORTANT
---------
If you use this feature with Debian Stretch, you *MUST* use ansible >= 2.3.2! See: [https://github.com/HanXHX/ansible-nginx/issues/28](#28).
Description Description
----------- -----------
Auth basic is managed in a separate list. Each auth file can be shared between locations or vhosts. Auth basic is managed in a separate list. Each auth file can be shared between locations or sites.
Each htpasswd has few keys: Each htpasswd has few keys:
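Review bot: the link in the IMPORTANT paragraph is inverted: `[https://github.com/HanXHX/ansible-nginx/issues/28](#28)` renders the URL as the link text and points at an in-page anchor `#28`; it should be `[#28](https://github.com/HanXHX/ansible-nginx/issues/28)`.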
@@ -19,8 +24,8 @@ Example
------- -------
```yaml ```yaml
nginx_vhosts: nginx_sites:
# htpasswd on all vhost # htpasswd on all site
- name: test.local - name: test.local
htpasswd: 'hello' htpasswd: 'hello'
template: '_base' template: '_base'

@@ -1,4 +1,17 @@
Freebsd Freebsd
======= =======
Limitations
-----------
Due to Ansible + FreeBSD limitations (`ansible_processor_vcpus`), You must explicitely set `nginx_worker_processes`. Due to Ansible + FreeBSD limitations (`ansible_processor_vcpus`), You must explicitely set `nginx_worker_processes`.
About modules
-------------
Dynamic modules must be set with full path (see `nginx_load_modules` path).
Sites not tested
----------------
- BackupPC

@@ -1,18 +1,23 @@
PHP PHP
=== ===
- `nginx_php`: boolean if you need to preconfigure PHP (default: false) `nginx_php`:
- `nginx_php_sockets`: list of sockets (see bellow) - `version`: (M) PHP version
- `upstream_name` (O)
- `sockets`: (O) socket list
If `sockets` is not provided, if uses local unix socket (based on PHP version).
You should see [Nginx upstream module doc](http://nginx.org/en/docs/http/ngx_http_upstream_module.html). You should see [Nginx upstream module doc](http://nginx.org/en/docs/http/ngx_http_upstream_module.html).
Each socket have: Each socket have:
- `unix_socket` - `unix`
XOR
- `host` - `host`
- `port` - `port`
- `weight` - `weight`
- `max_fails` - `max_fails`
- `fail_timeout` - `fail_timeout`
With default configuration, it works fine with PHP-FPM. But if you install PHP7 with Dotdeb, path changed between version, you must set well this list.
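Review bot: the rewritten `nginx_php` list uses the (M)/(O) markers without the legend that doc/site.md defines, so they are unexplained on this page; add the two legend lines or point to doc/site.md. Wording: "If `sockets` is not provided, if uses local unix socket" should be "it uses a local unix socket", "Each socket have" should be "has", and the closing sentence reads better as "if you install PHP 7 from Dotdeb, the socket path differs between versions, so set this list explicitly".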

@@ -1,32 +1,35 @@
Vhost management Site management
================ ===============
You can see many examples in: [tests/test.yml](../tests/test.yml). You can see many examples in: [tests/test.yml](../tests/test.yml).
`nginx_vhosts`: List of dict. A vhost has few keys. See bellow. `nginx_sites`: List of dict. A site has few keys. See bellow.
Common Common
------ ------
- `name`: (M) Domain or list of domain used. - `name`: (M) Domain or list of domain used.
- `template`: (D) template used to create vhost. Optional if you set `delete` to true or using `redirect_tor`. - `template`: (D) template used to create site. Optional if you set `state`=`absent` or using `redirect_to`.
- `filename`: (O) Specify filename in /etc/nginx/sites-*. Do NOT specify default (reserved keyword). - `filename`: (O) Specify filename in /etc/nginx/sites-*. Do NOT specify default (reserved keyword). It will be used for log filenames and directories creation.
- `enable`: (O) Enable the vhost (default is true) - `state`: (O) Site status. Can be "present" (default), "absent" and "disabled".
- `delete`: (O) Delete the vhost (default is false)
- `redirect_from`: (O) Domain list to redirect to the first `name`. You can use this key to redirect non-www to www - `redirect_from`: (O) Domain list to redirect to the first `name`. You can use this key to redirect non-www to www
- `redirect_to`: (O) Redirect all requests to this domain. Please set scheme (http:// or https:// or $sheme). - `redirect_to`: (O) Redirect all requests to this domain. Please set scheme (http:// or https:// or $sheme).
- `headers`: (O) Set additionals header as key/value list. You can append "always" to the value. Show [nginx doc](http://nginx.org/en/docs/http/ngx_http_headers_module.html). - `headers`: (O) Set additionals header as key/value list. You can append "always" to the value. Show [nginx doc](http://nginx.org/en/docs/http/ngx_http_headers_module.html).
- `redirect_to_code`: Redirect code (default: 302) - `redirect_to_code`: Redirect code (default: 302)
- `redirect_https`: (O) Boolean. Redirect HTTP to HTTPS. If "true", you _MUST_ set `proto` to ```['https']```. - `redirect_https`: (O) Boolean. Redirect HTTP to HTTPS. If "true", you _MUST_ set `proto` to ```['https']```.
- `location`: (O) Add new custom locations (it does not overwrite!) - `location`: (O) Add new custom locations (it does not overwrite!)
- `location_order`: (O) Due to non preditive `location` order, you can provide the good order (see test-location.local in [tests/test.yml](../tests/test.yml)).
- `more`: (O) Add more custom infos. - `more`: (O) Add more custom infos.
- `upstream_params`: (O) Add upstream params (useful when you want to pass variables to PHP) - `upstream_params`: (O) Add upstream params (useful when you want to pass variables to PHP)
- `override_try_files`: (O) overrides default try\_files defined in template - `override_try_files`: (O) overrides default try\_files defined in template
- `manage_local_content`: (O) Boolean. Set to false if you do not want to manage local content (images, css...). This option is useless if you use `_proxy` template or `redirect_to` feature. - `manage_local_content`: (O) Boolean. Set to false if you do not want to manage local content (images, css...). This option is useless if you use `_proxy` template or `redirect_to` feature.
- `htpasswd`: (O) References name key in `nginx_htpasswd`. Enable auth basic on all vhost. - `htpasswd`: (O) References name key in `nginx_htpasswd`. Enable auth basic on all site. Set "false" to disable.
- `proto`: (O) list of protocol used. Default is a list with "http". If you need http and https, you must set a list with "http" and "https". You can only set "https" without http support. - `proto`: (O) list of protocol used. Default is a list with "http". If you need http and https, you must set a list with "http" and "https". You can only set "https" without http support.
- `ssl_name`: (D) name of the key used when using TLS/SSL. Mandatory when `proto` contains "https" - `ssl_name`: (D) name of the key used when using TLS/SSL. Optional when `proto` contains "https". If you don't set this value, it will search by `name`.
- `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false". - `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false".
- `php_version` (O) Sepecify PHP version (5 or 7)
- `http_proxy_protocol_port` (O) Enable proxy protocol on http port.
- `https_proxy_protocol_port` (O) Enable proxy protocol on https port.
(O): Optional (O): Optional
(M): Mandatory (M): Mandatory
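Review bot: `ssl_name` is tagged `(D)`, but the legend right below only defines `(O)` and `(M)`; since the new text says the key is optional and falls back to `name`, tag it `(O)`. While touching this list, fix the typos `$sheme` (`$scheme`), `additionals`, `preditive` and `Sepecify`, and say which value `http_proxy_protocol_port` / `https_proxy_protocol_port` expect (the name suggests a port number, but the line only says "Enable proxy protocol").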
@@ -39,7 +42,6 @@ Templates
- `_backuppc`: access to [BackupPC](http://backuppc.sourceforge.net/) (be careful: you need to install [fcgiwrap](https://packages.debian.org/jessie/fcgiwrap)) - `_backuppc`: access to [BackupPC](http://backuppc.sourceforge.net/) (be careful: you need to install [fcgiwrap](https://packages.debian.org/jessie/fcgiwrap))
- `_dokuwiki` - `_dokuwiki`
- `_redirect`: should not be called explicitly - `_redirect`: should not be called explicitly
- `_nagios3`: access to Nagios3 (be careful: you need to install [fcgiwrap](https://packages.debian.org/jessie/fcgiwrap))
- `_phalcon`: Phalcon PHP Framework - `_phalcon`: Phalcon PHP Framework
- `_php`: PHP base template. Can work with many frameworks/tools - `_php`: PHP base template. Can work with many frameworks/tools
- `_php_index`: Same as above. But you can only run index.php - `_php_index`: Same as above. But you can only run index.php
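Review bot: dropping `_nagios3` from the template list (matching the "Drop Nagios support" commit) silently breaks any `nginx_sites` entry that still sets `template: '_nagios3'`: `TEMPLATE | Create sites` renders `etc/nginx/sites-available/{{ item.template }}.j2`, so the play fails on a missing template file with no hint why. Call the removal out as a breaking change in the release notes, or add a `FAIL` task with a clear message for that template name.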
@@ -53,17 +55,17 @@ About proxy template
Proxy template allow you to use Nginx as reverse proxy. Usefull when you have an application service such as Redmine, Jenkins... Proxy template allow you to use Nginx as reverse proxy. Usefull when you have an application service such as Redmine, Jenkins...
You have many key added to vhost key: You have many key added to site key:
- `upstream_name`: (O) upstream name used to pass proxy - `upstream_name`: (O) upstream name used to pass proxy
- `proxy_params`: (M) list of raw params passed to the vhost - `proxy_params`: (M) list of raw params passed to the site
(O) : Optional (O) : Optional
Default vhosts Default sites
-------------- --------------
You can manage default vhost by setting domain name to these variables. You can manage default site by setting domain name to these variables.
- `nginx_default_vhost` - `nginx_default_site`
- `nginx_default_vhost_ssl` - `nginx_default_site_ssl`
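Review bot: `nginx_default_vhost` / `nginx_default_vhost_ssl` are renamed to `nginx_default_site` / `nginx_default_site_ssl` with no deprecation path, so a playbook that still sets the old names will see `site.yml` (`when: nginx_default_site is none`) re-enable the stock default site. Document the rename as breaking, and fix `Usefull` (`Useful`) and `many key` (`many keys`) while here.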


@@ -15,24 +15,42 @@ Variables
Cert/Key pairs Cert/Key pairs
-------------- --------------
This list have 3 mandatory keys: Each pair must have a `name`.
Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo", key is -> /etc/nginx/ssl/foo/foo.key
- `name`: MUST be unique ### Content mode
Key/Cert content is stored in variable. Usefull with vault.
- `key`: content of the private key - `key`: content of the private key
- `cert`: content of the public key - `cert`: content of the public key
OR ### Remote file
You can use these variables if you use another task/role to manages your certificates.
- `dest_cert`: remote path where certificate is located - `dest_cert`: remote path where certificate is located
- `dest_key`: remote path where key is located - `dest_key`: remote path where key is located
Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo", key is -> /etc/nginx/ssl/foo/foo.key ### Self signed
Create a self-signed pair and deploy it. Do not use this feature in production.
- `self_signed`: set true to use this featrure
- `force`: optional feature (default: false), force regen pair (not idempotent)
### Acme
Uses acme.sh to create free certificates. It uses HTTP-01 challenge. Use this feature for standalone servers.
- `acme`: set true to use this feature. It uses `name` (can be a string or string list).
Have a look to [acme configuratuion](acme.md configuration).
Tips Tips
---- ----
Deploying key/cert is not mandatory with this role. You can manage it in other place ([letsencrypt](https://letsencrypt.org/)? :)). You just need to set `dest_cert` and `dest_key`! - In `nginx_sites`, `ssl_name` is mandatory. This role will search in `nginx_ssl_pairs` with site `name` (first in list if it's a list).
Diffie-Hellman Diffie-Hellman
-------------- --------------
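Review bot: the Tips entry still says `ssl_name` is mandatory in `nginx_sites`, which contradicts the site documentation in this same change, where it became optional and falls back to `name`; the two pages need to agree. The acme link `[acme configuratuion](acme.md configuration)` is malformed (should be `[acme configuration](acme.md)`), and `featrure`, `dans` (French "in") and "Have a look to" are typos.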
@@ -43,11 +61,21 @@ Example
------- -------
```yaml ```yaml
nginx_vhosts; nginx_sites;
- name: 'test-ssl.local' - name: 'test-ssl.local'
proto: ['http', 'https'] proto: ['http', 'https']
template: '_base' template: '_base'
ssl_name: 'mysuperkey' ssl_name: 'mysuperkey'
- name: 'test-ssl2.local'
proto: ['http', 'https']
template: '_base'
- name: 'test-ssl3.local'
proto: ['http', 'https']
template: '_base'
- name: 'test-self-signed.local'
proto: ['http', 'https']
template: '_base'
ssl_name: 'this.is.self.signed'
nginx_ssl_pairs: nginx_ssl_pairs:
- name: mysuperkey - name: mysuperkey
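Review bot: `nginx_sites;` keeps the semicolon typo from `nginx_vhosts;`, so the example is not valid YAML; it should read `nginx_sites:`. Also `test-ssl3.local` has `proto: ['http', 'https']` but neither an `ssl_name` nor (per the continuation of this example) an entry in `nginx_ssl_pairs`, so the documented fallback lookup by `name` finds nothing; add a matching pair or drop that site from the example.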
@@ -59,5 +87,10 @@ nginx_ssl_pairs:
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
....(snip).... ....(snip)....
-----END CERTIFICATE----- -----END CERTIFICATE-----
- name: test-ssl2.local
acme: true
- name: this.is.self.signed
self_signed: true
force: false
``` ```


@@ -8,9 +8,10 @@ Note: Few params are unavailable on old Nginx version. But this role do _not_ pu
Upstream params Upstream params
--------------- ---------------
- `name`: upstream name. Can be use in vhost with *proxy_pass http://upstream_name* - `name`: upstream name. Can be use in site with *proxy_pass http://upstream_name*
- `params`: list of param (hash, zone...) - `params`: list of param (hash, zone...)
- `servers`: each upstream MUST have at least 1 server - `servers`: each upstream MUST have at least 1 server
- `state`: Optional. Can be 'absent' or 'present'
Server params Server params
------------- -------------
@@ -38,4 +39,5 @@ nginx_upstreams:
max_conns: 150 max_conns: 150
weight: 10 weight: 10
down: false down: false
state: 'present'
``` ```

filter_plugins/nginx.py Normal file

@@ -0,0 +1,20 @@
def nginx_site_filename(site):
if site.has_key('filename'):
return site['filename']
else:
return nginx_site_name(site)
def nginx_site_name(site):
if isinstance(site['name'], list):
return site['name'][0]
else:
return site['name']
class FilterModule(object):
''' Nginx module '''
def filters(self):
return {
'nginx_site_filename': nginx_site_filename,
'nginx_site_name': nginx_site_name
}
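Review bot: `site.has_key('filename')` is Python 2 only; `dict.has_key` was removed in Python 3, so this filter raises `AttributeError` as soon as Ansible runs under Python 3. Use `'filename' in site`, which works on both. `nginx_site_name` also indexes `site['name'][0]` unguarded, so an empty `name` list surfaces as a bare `IndexError` rather than a readable error; a short check with a clear message would help.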

filter_plugins/php.py Normal file

@@ -0,0 +1,25 @@
def php_default_upstream_socket(php_version):
if php_version == '5.6':
return '/run/php5-fpm.sock'
else:
return '/run/php/php%s-fpm.sock' % php_version
def php_default_upstream_name(php_version):
return 'default_php_%s' % php_version
def php_fpm_service(php_version):
if php_version == '5.6':
return 'php5-fpm'
else:
return 'php%s-fpm' % php_version
class FilterModule(object):
''' PHP module '''
def filters(self):
return {
'php_default_upstream_socket': php_default_upstream_socket,
'php_default_upstream_name': php_default_upstream_name,
'php_fpm_service': php_fpm_service,
'php_fpm_package': php_fpm_service
}
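Review bot: `php_version == '5.6'` is a string comparison, but an unquoted `version: 5.6` in YAML arrives as a float, so the check silently falls through to `/run/php/php5.6-fpm.sock` and `php5.6-fpm` instead of the PHP 5 `php5-fpm` names this branch exists for; compare `str(php_version) == '5.6'`. `'php_fpm_package': php_fpm_service` relies on the package and service names coinciding; a one-line comment would stop someone "fixing" the alias later.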


@@ -1,9 +1,42 @@
--- ---
# Reload wrapper
- name: reload nginx - name: reload nginx
command: nginx -t command: nginx -t
notify: real-reload nginx notify:
- real-reload nginx
- docker reload nginx
- name: restart nginx
command: nginx -t
notify:
- real-restart nginx
- docker restart nginx
- name: real-reload nginx - name: real-reload nginx
service: name=nginx state=reloaded service:
name: nginx
state: reloaded
when: ansible_virtualization_type != 'docker'
- name: real-restart nginx
service:
name: nginx
state: restarted
when: ansible_virtualization_type != 'docker'
- name: docker reload nginx
command: service nginx reload
when: ansible_virtualization_type == 'docker'
- name: docker restart nginx
command: service nginx restart
when: ansible_virtualization_type == 'docker'
- name: restart nginx freebsd
service:
name: nginx
state: restarted
when: ansible_distribution == "FreeBSD"
- name: setup
action: setup
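Review bot: the Debian path runs `nginx -t` before `real-reload nginx` / `real-restart nginx`, but `restart nginx freebsd` restarts the service directly with no config test, so a broken site template takes a FreeBSD server down instead of failing the play. Route FreeBSD through the same `nginx -t` wrapper (for example a FreeBSD branch under `restart nginx`) so both platforms get the syntax check.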


@@ -1,18 +1,20 @@
--- ---
galaxy_info: galaxy_info:
author: Emilien Mantel author: Emilien Mantel
description: Nginx for Debian description: Nginx for Debian / FreeBSD
company: company:
license: GPLv2 license: GPLv2
min_ansible_version: 2.0 min_ansible_version: 2.5
platforms: platforms:
- name: Debian - name: Debian
versions: versions:
- wheezy
- jessie - jessie
- stretch
- name: FreeBSD - name: FreeBSD
versions: versions:
- 10.2 - 11.0
- 11.1
- 12.0
galaxy_tags: galaxy_tags:
- web - web
- proxy - proxy


@@ -1,21 +1,45 @@
--- ---
- name: TEMPLATE | Deploy nginx.conf - name: TEMPLATE | Deploy nginx.conf
template: > template:
src=etc/nginx/nginx.conf.j2 src: "etc/nginx/nginx.conf.j2"
dest="{{ nginx_etc_dir }}/nginx.conf" dest: "{{ nginx_etc_dir }}/nginx.conf"
notify: reload nginx notify: reload nginx
- name: TEMPLATE | Deploy all helpers - name: TEMPLATE | Deploy all helpers
template: > template:
src={{ item }} src: "{{ item }}"
dest={{ nginx_helper_dir }}/{{ item | basename | regex_replace('\.j2$','') }} dest: "{{ nginx_helper_dir }}/{{ item | basename | regex_replace('.j2$','') }}"
with_fileglob: '../templates/etc/nginx/helper/*.j2' with_fileglob: '../templates/etc/nginx/helper/*.j2'
notify: reload nginx notify: reload nginx
- name: TEMPLATE | Deploy custom http configuration - name: TEMPLATE | Deploy custom http configuration
template: > template:
src=etc/nginx/conf.d/custom.conf.j2 src: "etc/nginx/conf.d/custom.conf.j2"
dest="{{ nginx_etc_dir }}/conf.d/custom.conf" dest: "{{ nginx_etc_dir }}/conf.d/custom.conf"
notify: reload nginx notify: reload nginx
- name: LINEINFILE | Fix path
lineinfile:
regexp: '{{ item.0.regexp }}'
line: '{{ item.0.line }}'
dest: '{{ item.1 }}'
loop: "{{ list_one | product(list_two) | list }}"
vars:
list_one:
- regexp: '^fastcgi_param SCRIPT_FILENAME'
line: 'fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;'
- regexp: '^fastcgi_param DOCUMENT_ROOT'
line: 'fastcgi_param DOCUMENT_ROOT $realpath_root;'
list_two:
- '{{ nginx_etc_dir }}/fastcgi.conf'
when: nginx_fastcgi_fix_realpath
- name: COPY | Add modules manually
copy:
content: |
{% for m in nginx_load_modules %}
load_module {{ m }};
{% endfor %}
dest: "{{ nginx_etc_dir }}/modules-enabled/000-modules.conf"
notify: reload nginx
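Review bot: `regex_replace('.j2$','')` drops the backslash because `\.` is an invalid escape inside the new YAML double-quoted string; the unescaped `.` now matches any character. It happens to work since every helper is named `*.j2`, but `regex_replace('\\.j2$','')` keeps the intent. `COPY | Add modules manually` writes `modules-enabled/000-modules.conf` unconditionally, even with an empty `nginx_load_modules`, and on FreeBSD `install_FreeBSD.yml` only creates `conf.d`, `sites-available` and `sites-enabled`, so the copy fails there unless that directory already exists; guard it with `when: nginx_load_modules | length > 0` and create the directory first.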


@@ -1,19 +1,21 @@
--- ---
- name: FILE | Delete htpasswd file - name: FILE | Delete htpasswd file
file: > file:
path={{ nginx_htpasswd_dir }}/{{ item.name }} path: "{{ nginx_htpasswd_dir }}/{{ item.name }}"
state=absent state: absent
with_items: "{{ nginx_htpasswd }}" with_items: "{{ nginx_htpasswd }}"
when: item.state is defined and item.state == 'absent' when: item.state is defined and item.state == 'absent'
no_log: not nginx_debug_role
- name: HTPASSWD | Manage files - name: HTPASSWD | Manage files
htpasswd: > htpasswd:
name={{ item.1.name }} name: "{{ item.1.name }}"
password={{ item.1.password }} password: "{{ item.1.password }}"
state={{ item.1.state | default('present') }} state: "{{ item.1.state | default('present') }}"
path={{ nginx_htpasswd_dir }}/{{ item.0.name }} path: "{{ nginx_htpasswd_dir }}/{{ item.0.name }}"
with_subelements: with_subelements:
- "{{ nginx_htpasswd }}" - "{{ nginx_htpasswd }}"
- users - users
when: item.0.state is not defined or item.0.state == 'present' when: item.0.state is not defined or item.0.state == 'present'
no_log: not nginx_debug_role
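Review bot: `no_log: not nginx_debug_role` on `HTPASSWD | Manage files` is the right fix, since `item.1.password` was printed in every loop label before. Two follow-ups: the README should state that `nginx_debug_role: true` prints every htpasswd password to the play output, and both tasks still use `with_items` / `with_subelements`, at odds with the commit's `with_ -> loop` migration.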


@@ -1,16 +1,58 @@
--- ---
- name: APT | Update cache - name: APT | Update cache
apt: > apt:
update_cache=yes update_cache: yes
cache_valid_time=3600 cache_valid_time: 3600
changed_when: false
- name: APT | Force OpenSSL from backports (fix dependency break)
apt:
pkg: openssl
state: latest
default_release: "{{ ansible_distribution_release + '-backports' }}"
when: nginx_backports
- name: APT | Install nginx and dependencies - name: APT | Install nginx and dependencies
apt: > apt:
pkg={{ nginx_apt_package }} pkg: "{{ nginx_apt_package }}"
state=present state: present
default_release={{ ansible_distribution_release + '-backports' if nginx_backports else ansible_distribution_release }} default_release: "{{ ansible_distribution_release + '-backports' if nginx_backports else ansible_distribution_release }}"
- name: APT | Install nginx modules
apt:
pkg: "{{ nginx_module_packages }}"
state: present
when:
ansible_distribution_major_version is version('9', 'ge') or
nginx_backports
- name: APT | Install python-passlib - name: APT | Install python-passlib
apt: pkg=python-passlib state=present apt:
pkg: python-passlib
state: present
- name: STAT | Check acme.sh is installed
stat:
path: "{{ nginx_acmesh_dir }}"
register: acme
- block:
- name: APT | Install git
apt:
pkg: git
- name: GIT | Get acme.sh
git:
repo: 'https://github.com/Neilpang/acme.sh.git'
dest: '{{ nginx_acmesh_git_dir }}'
update: no
- name: SHELL | Install acme.sh
shell: ./acme.sh --install --home {{ nginx_acmesh_dir }} --cert-home {{ nginx_acmesh_dir }}
args:
chdir: "{{ nginx_acmesh_git_dir }}"
creates: "{{ nginx_acmesh_dir }}"
when: not acme.stat.exists
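Review bot: `GIT | Get acme.sh` clones `https://github.com/Neilpang/acme.sh.git` with no `version:`, and `SHELL | Install acme.sh` then runs whatever HEAD was fetched, as root; with `update: no` the checkout is also never refreshed, so each host freezes at the revision it happened to clone first. Pin `version:` to a release tag (ideally a commit) so every host installs the same reviewed code, and the block's `creates:` guard keeps it idempotent.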


@@ -1,35 +1,59 @@
--- ---
- name: PKGNG | Install nginx and related tools - name: PKGNG | Install nginx and related tools
pkgng: name={{ item }} state=present pkgng:
name: "{{ item }}"
state: present
with_items: with_items:
- acme.sh
- "{{ nginx_pkgng_package }}" - "{{ nginx_pkgng_package }}"
- py27-passlib - py27-passlib
- curl - curl
#
# Bypass https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224166#c1
#
- block:
- name: COMMAND | Create /usr/local/etc/fdfs/http.conf
command: touch /usr/local/etc/fdfs/http.conf
args:
creates: /usr/local/etc/fdfs/http.conf
register: fd1
- name: LINEINFILE | Tune fdfs
lineinfile:
regexp: ^load_fdfs_parameters_from_tracker
line: load_fdfs_parameters_from_tracker=false
path: /usr/local/etc/fdfs/mod_fastdfs.conf
register: fd2
- name: SERVICE | Restart nginx when fdfs is tuned
service:
name: nginx
state: restarted
when: fd1.changed or fd2.changed
when: true
- name: FILE | Create configuration dir (like Debian) - name: FILE | Create configuration dir (like Debian)
file: path="{{ nginx_etc_dir }}/{{ item }}" state=directory file:
path: "{{ nginx_etc_dir }}/{{ item }}"
state: directory
with_items: with_items:
- conf.d - conf.d
- sites-available - sites-available
- sites-enabled - sites-enabled
- name: STAT | Check fastcgi.conf - name: FILE | Create log directory
stat: path={{ nginx_etc_dir }}/fastcgi.conf file:
register: conf path: "{{ nginx_log_dir }}"
owner: "{{ nginx_user }}"
group: wheel
mode: 0755
state: directory
- name: COPY | config - name: SERVICE | Enable nginx
command: "cp {{ nginx_etc_dir }}/fastcgi_params {{ nginx_etc_dir }}/fastcgi.conf" service:
when: not conf.stat.exists name: nginx
notify: reload nginx enabled: yes
- name: LINEINFILE | Add fastcgi config
lineinfile: >
line="fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;"
dest="{{ nginx_etc_dir }}/fastcgi.conf"
notify: reload nginx
- name: COPY | Populate proxy_params
copy: >
content="proxy_set_header Host $http_host;\nproxy_set_header X-Real-IP $remote_addr;\nproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;"
dest="{{ nginx_etc_dir }}/proxy_params"
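Review bot: `when: true` on the fdfs workaround block is a no-op; drop it or turn it into the real condition (the bug only matters when the installed package ships the fastdfs module). `SERVICE | Restart nginx when fdfs is tuned` restarts nginx inline without `nginx -t`, bypassing the handlers; notifying `restart nginx freebsd` keeps a single restart path. This hunk also removes the tasks that created `fastcgi.conf` and `proxy_params` on FreeBSD; confirm the package (or another task) provides both files, since the `_php` and `_proxy` templates depended on them.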


@@ -1,14 +1,16 @@
--- ---
- name: INCLUDE_VARS | Related to OS - name: INCLUDE_VARS | Related to OS
include_vars: "{{ ansible_distribution }}.yml" include_vars: "{{ ansible_distribution }}.yml"
tags: ['nginx::site', 'nginx::ssl']
- name: INCLUDE | Install - name: INCLUDE | Install
include: install_{{ ansible_distribution }}.yml include: "install_{{ ansible_distribution }}.yml"
tags: ['nginx::site', 'nginx::ssl']
- name: INCLUDE | Prepare - name: INCLUDE | Prepare
include: prepare.yml include: prepare.yml
tags: ['nginx::site', 'nginx::ssl']
- name: INCLUDE | Install - name: INCLUDE | Install
include: config.yml include: config.yml
@@ -20,8 +22,9 @@
include: htpasswd.yml include: htpasswd.yml
- name: INCLUDE | SSL configuration - name: INCLUDE | SSL configuration
include: ssl.yml include: ssl/main.yml
tags: ['nginx::ssl']
- name: INCLUDE | Vhosts configuration
include: vhost.yml
- name: INCLUDE | Sites configuration
include: site.yml
tags: ['nginx::site']
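Review bot: for a commit titled "Fix deprecations", `include:` is itself deprecated since Ansible 2.4 in favour of `import_tasks` / `include_tasks`; with `min_ansible_version` now 2.5, switch to `import_tasks` (static, so the `tags` keep propagating as they do today). Two tasks are also both named `INCLUDE | Install` (`install_{{ ansible_distribution }}.yml` and `config.yml`); rename the second to `INCLUDE | Config`.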


@@ -6,19 +6,29 @@
executable: /bin/sh executable: /bin/sh
register: nginx_version register: nginx_version
changed_when: false changed_when: false
check_mode: no
- name: SHELL | Get module list - name: SHELL | Get module list
shell: nginx -V 2>&1 | tr -- - '\n' | grep -A 1 with | grep _module | sed 's/_module[[:space:]]*//g' | sort shell: nginx -V 2>&1 | tr -- - '\n' | grep -A 1 with | grep _module | sed -r 's/_module//g; s/\s+//g' | sort
args: args:
executable: /bin/sh executable: /bin/sh
register: shell_modules register: shell_modules
changed_when: false changed_when: false
check_mode: no
- name: SET_FACT | Save modules - name: SET_FACT | Save modules
set_fact: set_fact:
nginx_modules: "{{ shell_modules.stdout_lines }}" nginx_modules: "{{ shell_modules.stdout_lines }}"
- name: FILE | Create folders - name: FILE | Create folders
file: dest={{ item }} owner=root mode=0755 state=directory file:
dest: "{{ item.dir }}"
owner: "{{ item.owner }}"
mode: "{{ item.mode }}"
state: directory
with_items: "{{ nginx_dirs }}" with_items: "{{ nginx_dirs }}"
- name: FILE | Create ansible facts dir
file:
path: /etc/ansible/facts.d
state: directory
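Review bot: `FILE | Create folders` now reads `item.dir`, `item.owner` and `item.mode` with no defaults, so every `nginx_dirs` entry must carry all three keys or the task fails; `owner: "{{ item.owner | default('root') }}"` and `mode: "{{ item.mode | default('0755') }}"` preserve the previous behaviour for plain entries. Adding `check_mode: no` to the two `nginx -V` shell tasks is right, since later templates need `nginx_version` and `nginx_modules` even under `--check`.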

tasks/site.yml Normal file

@@ -0,0 +1,106 @@
---
- name: FAIL | Check filenames
fail:
msg: "Forbidden keyword default on site {{ item | nginx_site_name }}"
when: item.filename is defined and item.filename == 'default'
with_items: "{{ nginx_sites }}"
loop_control:
label: "{{ item | nginx_site_name }}"
- name: FAIL | Check HTTPS redir and proto
fail:
msg: "You can't have HTTP proto and HTTPS redirection at the same time"
when:
((item.proto is defined and 'http' in item.proto) or (item.proto is not defined)) and
(item.redirect_http is defined and item.redirect_http)
with_items: "{{ nginx_sites }}"
loop_control:
label: "{{ item | nginx_site_name }}"
- name: FILE | Create root directory
file:
path: "{{ nginx_root }}"
state: directory
- name: FILE | Create root public folders (foreach nginx_sites)
file:
path: "{{ nginx_root }}/{{ item | nginx_site_filename }}/public"
state: directory
owner: "{{ item.owner | default(nginx_user) }}"
group: "{{ item.group | default(nginx_user) }}"
mode: "{{ item.mode | default('0755') }}"
loop: "{{ nginx_sites }}"
when: >
item.root is not defined and
(item.template is defined and item.template not in nginx_templates_no_dir) and
(item.state is not defined or not item.state != 'absent') and
item.redirect_to is not defined
loop_control:
label: "{{ item | nginx_site_name }}"
- name: TEMPLATE | Create sites
template:
src: "etc/nginx/sites-available/{{ item.template if item.redirect_to is not defined else '_redirect' }}.j2"
dest: "{{ nginx_etc_dir }}/sites-available/{{ item | nginx_site_filename }}"
notify: ['reload nginx', 'restart nginx freebsd']
when: item.state is not defined or item.state != 'absent'
loop: "{{ nginx_sites }}"
loop_control:
label: "{{ item | nginx_site_name }}"
- name: FILE | Delete sites
file:
path: "{{ nginx_etc_dir }}/{{ item.1 }}/{{ item.0 | nginx_site_filename }}"
state: absent
with_nested:
- "{{ nginx_sites }}"
- ['sites-available', 'sites-enabled']
notify: ['reload nginx', 'restart nginx freebsd']
when: item.0.state is defined and item.0.state == 'absent'
loop_control:
label: "{{ nginx_etc_dir }}/{{ item.1 }}/{{ item.0 | nginx_site_filename }}"
- name: FILE | Enable sites
file:
src: "{{ nginx_etc_dir }}/sites-available/{{ item | nginx_site_filename }}"
dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_filename }}"
state: link
with_items: "{{ nginx_sites }}"
notify: ['reload nginx', 'restart nginx freebsd']
when: >
item.state is not defined or item.state == 'present'
loop_control:
label: "{{ item | nginx_site_name }}"
- name: FILE | Disable sites
file:
path: "{{ nginx_etc_dir}}/sites-enabled/{{ item | nginx_site_filename }}"
state: absent
with_items: "{{ nginx_sites }}"
notify: ['reload nginx', 'restart nginx freebsd']
when: item.state is defined and item.state == 'disabled'
loop_control:
label: "{{ item | nginx_site_name }}"
- name: FILE | Delete default site when explicitely defined
file:
path: "{{ nginx_etc_dir }}/sites-enabled/default"
state: absent
notify: ['reload nginx', 'restart nginx freebsd']
when: nginx_default_site is not none
- name: FILE | Auto set default site
file:
src: "{{ nginx_etc_dir }}/sites-available/default"
dest: "{{ nginx_etc_dir }}/sites-enabled/default"
state: link
notify: ['reload nginx', 'restart nginx freebsd']
when: nginx_default_site is none
- name: TEMPLATE | Deploy facts
template:
src: etc/ansible/facts.d/nginx.fact.j2
dest: /etc/ansible/facts.d/nginx.fact
mode: 0644
notify: ['setup']
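Review bot: in `FILE | Create root public folders`, `(item.state is not defined or not item.state != 'absent')` is inverted: `not item.state != 'absent'` is `item.state == 'absent'`, so a site with an explicit `state: present` gets no public folder while a `state: absent` site does. Use `(item.state is not defined or item.state != 'absent')` as `TEMPLATE | Create sites` does. Separately, the old `FAIL | Check vhost and SSL/TLS support` task has no counterpart here; with `ssl_name` now falling back to `name`, an `https` site whose name has no pair in `nginx_ssl_pairs` is only caught by `nginx -t` in the reload handler, so a `fail` task with a clear message is worth keeping.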


@@ -1,39 +0,0 @@
---
- name: COMMAND | Generate DH file
command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
args:
creates: "{{ nginx_dh_path }}"
when: nginx_dh is not string
notify: reload nginx
- name: COPY | Deploy DH file from vars
copy: >
content="{{ nginx_dh }}"
dest="{{ nginx_dh_path }}"
when: nginx_dh is string
notify: reload nginx
- name: FILE | Create SSL directories
file: >
path="{{ nginx_ssl_dir + '/' + item.name }}"
state=directory
with_items: "{{ nginx_ssl_pairs }}"
when: item.dest_key is not defined or item.dest_cert is not defined
- name: COPY | Deploy SSL keys
copy: >
content="{{ item.key }}"
dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.key' if item.dest_key is not defined else item.dest_key }}"
with_items: "{{ nginx_ssl_pairs }}"
when: item.key is defined
notify: reload nginx
- name: COPY | Deploy SSL certs
copy: >
content="{{ item.cert }}"
dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.crt' if item.dest_cert is not defined else item.dest_cert }}"
with_items: "{{ nginx_ssl_pairs }}"
when: item.cert is defined
notify: reload nginx

tasks/ssl/acme.yml Normal file

@@ -0,0 +1,72 @@
---
- name: SET_FACT | Assign default..
set_fact:
acme_create: []
- name: STAT | Check if certificates are already installed
stat:
path: "{{ nginx_ssl_dir }}/{{ item | nginx_site_name }}/{{ item | nginx_site_name }}.crt"
with_items: "{{ nginx_ssl_pairs }}"
when: item.acme is defined and item.acme
register: acme_installed_certs
- name: SET_FACT | Assign var with certificates to create
set_fact:
acme_create: "{{ acme_create | default([]) + [ (item.item) ] }}"
with_items: "{{ acme_installed_certs.results }}"
when: item.skipped is not defined and not item.stat.exists
- name: TEMPLATE | Create fake site
template:
src: "etc/nginx/conf.d/FAKESITE.conf.j2"
dest: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf"
with_items: "{{ acme_create }}"
register: fake_site
- name: FILE | Delete current site if needed
file:
path: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_name }}"
state: absent
with_items: "{{ acme_create }}"
when: fake_site.changed
- name: SERVICE | Restart nginx
service:
name: nginx
state: restarted
when: fake_site.changed and ansible_virtualization_type != 'docker'
- name: COMMAND | Restart nginx
command: service nginx restart
args:
warn: false
when: fake_site.changed and ansible_virtualization_type == 'docker'
- name: SHELL | Get certificates
shell: '{{ nginx_acmesh_bin }} --issue{% if item.name is string %} -d {{ item.name }}{% else %}{% for name in item.name %} -d {{ name }}{% endfor %}{% endif %} --nginx {% if nginx_acmesh_test %}--test{% endif %}'
args:
creates: "/root/.acme.sh/{{ item | nginx_site_name }}/{{ item | nginx_site_name }}.key"
with_items: "{{ acme_create }}"
register: acme_get
failed_when: acme_get.rc != 0 and acme_get.rc != 2
no_log: not nginx_debug_role
- name: FILE | Create SSL dir per site
file:
path: "{{ nginx_ssl_dir }}/{{ item | nginx_site_name }}"
with_items: "{{ acme_create }}"
- name: SHELL | Install certificates
shell: '{{ nginx_acmesh_bin }} --install-cert -d {{ item | nginx_site_name }} --fullchain-file {{ nginx_ssl_dir }}/{{ item | nginx_site_name }}/{{ item | nginx_site_name }}.crt --key-file {{ nginx_ssl_dir }}/{{ item | nginx_site_name }}/{{ item | nginx_site_name }}.key --reloadcmd "service nginx restart"'
args:
creates: "{{ nginx_ssl_dir }}/{{ item | nginx_site_name }}/{{ item | nginx_site_name }}.key"
with_items: "{{ nginx_ssl_pairs }}"
when: item.acme is defined and item.acme
notify: restart nginx
- name: FILE | Delete fake sites
file:
path: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf"
state: absent
with_items: "{{ acme_create }}"
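Review bot: `FILE | Create SSL dir per site` has no `state: directory`, so the `file` module runs with its default `state: file` and fails on a missing path instead of creating it. `SHELL | Get certificates` guards with `creates: "/root/.acme.sh/..."`, while `install_Debian.yml` installs acme.sh with `--home {{ nginx_acmesh_dir }} --cert-home {{ nginx_acmesh_dir }}`; unless that variable is `/root/.acme.sh`, the guard never matches and `--issue` re-runs against Let's Encrypt on every play. Build the path from `nginx_acmesh_dir`. `--reloadcmd "service nginx restart"` is also hardcoded and bypasses the `nginx -t` handlers.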

tasks/ssl/main.yml Normal file

@@ -0,0 +1,8 @@
---
- name: INCLUDE | standard.yml
include: standard.yml
- name: INCLUDE | acme.yml
include: acme.yml
when: nginx_acmesh
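Review bot: `include:` is deprecated since Ansible 2.4; with the minimum now 2.5, use `import_tasks` for `standard.yml` and `include_tasks` (or `import_tasks`) for the conditional `acme.yml`.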

tasks/ssl/standard.yml Normal file

@@ -0,0 +1,63 @@
---
- name: COMMAND | Generate DH file
command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
args:
creates: "{{ nginx_dh_path }}"
when: nginx_dh is not string
notify: restart nginx
async: 1000
register: dh
- name: COPY | Deploy DH file from vars
copy:
content: "{{ nginx_dh }}"
dest: "{{ nginx_dh_path }}"
when: nginx_dh is string
notify: restart nginx
- name: FILE | Create SSL directories
file:
path: "{{ nginx_ssl_dir + '/' + item | nginx_site_name }}"
state: directory
with_items: "{{ nginx_ssl_pairs }}"
when: item.dest_key is not defined or item.dest_cert is not defined
no_log: not nginx_debug_role
- name: COPY | Deploy SSL keys
copy:
content: "{{ item.key }}"
dest: "{{ nginx_ssl_dir + '/' + item | nginx_site_name + '/' + item | nginx_site_name + '.key' if item.dest_key is not defined else item.dest_key }}"
mode: 0640
with_items: "{{ nginx_ssl_pairs }}"
when: item.key is defined
notify: restart nginx
no_log: not nginx_debug_role
- name: COPY | Deploy SSL certs
copy:
content: "{{ item.cert }}"
dest: "{{ nginx_ssl_dir + '/' + item | nginx_site_name + '/' + item | nginx_site_name + '.crt' if item.dest_cert is not defined else item.dest_cert }}"
mode: 0644
with_items: "{{ nginx_ssl_pairs }}"
when: item.cert is defined
notify: restart nginx
no_log: not nginx_debug_role
- name: COMMAND | Create self-signed certificates
command: "openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -subj '/CN={{ item | nginx_site_name }}' -keyout {{ item | nginx_site_name + '.key' }} -out {{ item | nginx_site_name + '.crt' }}"
args:
chdir: "{{ nginx_ssl_dir + '/' + item | nginx_site_name }}"
creates: "{% if item.force is defined and item.force %}/tmp/dummy{% else %}{{ nginx_ssl_dir + '/' + item | nginx_site_name + '/' + item | nginx_site_name + '.crt' }}{% endif %}"
with_items: "{{ nginx_ssl_pairs }}"
when: item.self_signed is defined
notify: restart nginx
no_log: not nginx_debug_role
- name: Check DH command status
async_status:
jid: "{{ dh.ansible_job_id }}"
register: job_result
until: job_result.finished
retries: 30
when: not ansible_check_mode and nginx_dh is not string
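Review bot: `COMMAND | Create self-signed certificates` runs for `when: item.self_signed is defined`, so `self_signed: false` still generates a pair; test `item.self_signed is defined and item.self_signed`, as the acme tasks do. The `force` branch uses `creates: /tmp/dummy`, which silently disables regeneration as soon as anything creates that file; `creates: "{{ omit if (item.force | default(false)) else crt_path }}"` expresses the intent directly. Setting `mode: 0640` on deployed keys (the deleted `ssl.yml` set no mode) is a good change; the self-signed `.key` written by `openssl req` gets only the umask, so apply the same mode there.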


@@ -1,15 +1,30 @@
--- ---
- name: TEMPLATE | Deploy PHP upstream to Nginx - name: TEMPLATE | Deploy PHP upstream to Nginx
template: > template:
src=etc/nginx/upstream/php.conf.j2 src: "etc/nginx/conf.d/php.conf.j2"
dest="{{ nginx_etc_dir }}/conf.d/php.conf" dest: "{{ nginx_etc_dir }}/conf.d/php.conf"
when: nginx_php when: nginx_php | length > 0
notify: reload nginx notify: reload nginx
- name: FILE | Delete PHP upstream
file:
path: "{{ nginx_etc_dir }}/conf.d/php.conf"
state: absent
when: nginx_php | length == 0
- name: TEMPLATE | Deploy other upstreams - name: TEMPLATE | Deploy other upstreams
template: > template:
src=etc/nginx/upstream/upstream.conf.j2 src: "etc/nginx/conf.d/_upstream.conf.j2"
dest={{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf dest: "{{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf"
with_items: "{{ nginx_upstreams }}" loop: "{{ nginx_upstreams }}"
when: item.state is not defined or item.state == 'present'
notify: reload nginx
- name: FILE | Delete other upstreams
file:
path: "{{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf"
state: absent
with_items: "{{ nginx_upstreams }}"
when: item.state is defined and item.state == 'absent'
notify: reload nginx notify: reload nginx
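Review bot: `TEMPLATE | Deploy other upstreams` moves to `loop` while the new `FILE | Delete other upstreams` still uses `with_items`; pick one. `when: nginx_php | length > 0` / `== 0` both assume `nginx_php` is a list, so the defaults should set it to `[]` rather than a boolean as the old `when: nginx_php` implied.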


@@ -1,87 +0,0 @@
---
- name: FAIL | Check filenames
fail: msg="Forbidden keyword default on vhost {{ item.name if item.name is string else item.name[0] }}"
when: item.filename is defined and item.filename == 'default'
with_items: "{{ nginx_vhosts }}"
- name: FAIL | Check vhost and SSL/TLS support
fail: msg="Missmatch configuration for vhost {{ item.name if item.name is string else item.name[0] }}"
when: >
item.proto is defined and
'https' in item.proto and
item.ssl_name is not defined
with_items: "{{ nginx_vhosts }}"
- name: FAIL | Check HTTPS redir and proto
fail: msg="You can't have HTTP proto and HTTPS redirection at the same time"
when: >
((item.proto is defined and 'http' in item.proto) or (item.proto is not defined)) and
(item.redirect_http is defined and item.redirect_http)
with_items: "{{ nginx_vhosts }}"
- name: FILE | Create root directory
file: >
path={{ nginx_root }}
state=directory
- name: FILE | Create root public folders (foreach nginx_vhosts)
file: >
path={{ nginx_root }}/{{ item.name if item.name is string else item.name[0] }}/public
state=directory
owner={{ item.owner | default(nginx_user) }}
group={{ item.group | default(nginx_user) }}
mode={{ item.mode | default('0755') }}
with_items: "{{ nginx_vhosts }}"
when: >
item.root is not defined and
(item.template is defined and item.template not in nginx_templates_no_dir) and
(item.delete is not defined or not item.delete) and
item.redirect_to is not defined
- name: TEMPLATE | Create vhosts
template: >
src=etc/nginx/sites-available/{{ item.template if item.redirect_to is not defined else '_redirect' }}.j2
dest={{ nginx_etc_dir }}/sites-available/{{ item.filename | default(item.name if item.name is string else item.name[0]) }}
with_items: "{{ nginx_vhosts }}"
notify: reload nginx
when: item.delete is not defined or not item.delete
- name: FILE | Delete vhosts
file: path={{ nginx_etc_dir }}/sites-available/{{ item.filename | default(item.name if item.name is string else item.name[0]) }} state=absent
with_items: "{{ nginx_vhosts }}"
notify: reload nginx
when: item.delete is defined and item.delete
- name: FILE | Enable vhosts
file: >
src={{ nginx_etc_dir }}/sites-available/{{ item.filename | default(item.name if item.name is string else item.name[0]) }}
dest={{ nginx_etc_dir }}/sites-enabled/{{ item.filename | default(item.name if item.name is string else item.name[0]) }}
state=link
with_items: "{{ nginx_vhosts }}"
notify: reload nginx
when: >
((item.enable is not defined) or
(item.enable is defined and item.enable)) and
(item.delete is not defined or not item.delete)
- name: FILE | Disable vhosts
file: path={{ nginx_etc_dir}}/sites-enabled/{{ item.filename | default(item.name if item.name is string else item.name[0]) }} state=absent
with_items: "{{ nginx_vhosts }}"
notify: reload nginx
when: (item.enable is defined and not item.enable) or (item.delete is defined and item.delete)
- name: FILE | Delete default vhost when explicitely defined
file: >
path={{ nginx_etc_dir }}/sites-enabled/default
state=absent
notify: reload nginx
when: nginx_default_vhost is not none
- name: FILE | Auto set default vhost
file: >
src={{ nginx_etc_dir }}/sites-available/default
dest={{ nginx_etc_dir }}/sites-enabled/default
state=link
notify: reload nginx
when: nginx_default_vhost is none

View File

@@ -0,0 +1,4 @@
{
"fact_nginx_sites":
{{ nginx_sites | to_nice_json(indent=8) }}
}
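Review bot: this dumps the complete `nginx_sites` structure into a fact file, and that structure can carry raw directive text from `more`/`upstream_params`, htpasswd names and internal hostnames; the task that writes it is not in this diff, so check that it sets an explicit restrictive `mode` (root-owned, not world-readable) rather than relying on the umask.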

View File

@@ -0,0 +1,10 @@
server {
listen {{ item.acme_port | default('80') }};
listen [::]:{{ item.acme_port | default('80') }};
server_name {% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(" ") }}{% endif %}{% if item.redirect_from is defined %} {% if item.redirect_from is string %}{{ item.redirect_from }}{% else %}{{ item.redirect_from | join(" ") }}{% endif %}{% endif %};
location / {
return 503;
}
}
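Review bot: `listen [::]:{{ item.acme_port | default('80') }}` is emitted unconditionally; on a host with IPv6 disabled in the kernel nginx cannot bind the socket, `nginx -t` fails and the whole ACME flow goes down with it. Gate the IPv6 listener on a fact or a role variable, the same way `listen` can be overridden per site in `_base.j2`. The `server_name` expression that merges `name` and `redirect_from` is a copy of the one in `_base.j2`; a shared macro would keep the two from drifting apart.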

View File

@@ -1,5 +1,5 @@
{%- macro s(key, value, is_bool, min_version) %} {%- macro s(key, value, is_bool, min_version) %}
{% if nginx_version.stdout | version_compare(min_version, 'ge') %} {% if nginx_version.stdout is version(min_version, 'ge') %}
{% if is_bool and value %} {{ key }}{% elif not is_bool %} {{ key }}={{ value }}{% endif %} {% if is_bool and value %} {{ key }}{% elif not is_bool %} {{ key }}={{ value }}{% endif %}
{% endif %} {% endif %}
{%- endmacro -%} {%- endmacro -%}

View File

@@ -0,0 +1,20 @@
#
# {{ ansible_managed }}
#
{% for php in nginx_php %}
upstream {{ php.upstream_name | default((php.version | php_default_upstream_name)) }} {
{% for sock in php.sockets | default([]) %}
{% if sock.host is defined %}
server {{ sock.host }}:{{ sock.port }} weight={{ sock.weight | default('1') }} max_fails={{ sock.max_fails | default('5') }} fail_timeout={{ sock.fail_timeout | default('10s') }};
{% else %}
server unix:{{ sock.unix | default((php.version | php_default_upstream_socket)) }} weight={{ sock.weight | default('1') }};
{% endif %}
{% else %}
server unix:{{ php.version | php_default_upstream_socket }} weight=1;
{% endfor %}
}
{% endfor %}
# vim:filetype=nginx
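Review bot: in the `sock.host is defined` branch `sock.port` has no default, so a socket entry that gives `host` without `port` renders `server 127.0.0.1: weight=1 ...` and nginx rejects the configuration. Either `default(9000)` it, matching the FreeBSD pre-task that uses port 9000, or make it explicit with `| mandatory` so the failure names the missing key. The Unix-socket branch and the `for ... else` fallback are fine; note that `php_default_upstream_name`/`php_default_upstream_socket` are role-local filter plugins, so this template only renders with the role's `filter_plugins` on the path.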

View File

@@ -3,14 +3,12 @@
# #
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_protocols TLSv1 TLSv1.1 TLSv1.2{% if nginx_version.stdout is version('1.13.0', 'ge') %} TLSv1.3{% endif %};
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %}; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout is version('1.7.5', 'ge') %} always{% endif %};
{% if nginx_version.stdout | version_compare('1.3.7', 'ge') %}
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
{% endif %}
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }}; resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
resolver_timeout {{ nginx_resolver_timeout }}; resolver_timeout {{ nginx_resolver_timeout }};
ssl_dhparam {{ nginx_dh_path }}; ssl_dhparam {{ nginx_dh_path }};
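Review bot: the `ssl_ciphers` string carries tokens that do not exist in OpenSSL (every `*-SHA128` name, the `AES128-GCM-SHA384` family) and several entries twice. OpenSSL silently drops tokens it does not recognise, so the effective list is shorter than it looks and harder to audit; run `openssl ciphers -v '<string>'` and replace the list with what actually resolves. Adding `TLSv1.3` for nginx >= 1.13.0 only takes effect when nginx is linked against OpenSSL 1.1.1 or later, so the `nginx_version.stdout` test is necessary but not sufficient; `nginx -V` shows the library it was built with. Dropping the `1.3.7` guard around `ssl_stapling` is safe, that directive is older than any nginx this role can still meet.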

View File

@@ -3,14 +3,12 @@
# #
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_protocols TLSv1 TLSv1.1 TLSv1.2{% if nginx_version.stdout is version('1.13.0', 'ge') %} TLSv1.3{% endif %};
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %}; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout is version('1.7.5', 'ge') %} always{% endif %};
{% if nginx_version.stdout | version_compare('1.3.7', 'ge') %}
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
{% endif %}
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }}; resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
resolver_timeout {{ nginx_resolver_timeout }}; resolver_timeout {{ nginx_resolver_timeout }};
ssl_dhparam {{ nginx_dh_path }}; ssl_dhparam {{ nginx_dh_path }};
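Review bot: this is the `strong` profile, yet `ssl_protocols` still offers `TLSv1 TLSv1.1` next to the newly added `TLSv1.3`; a strong profile should be `TLSv1.2 TLSv1.3` only and leave TLS 1.0/1.1 to the legacy helper. With the DHE suites kept in the list and `ssl_prefer_server_ciphers on`, the size of the `nginx_dh_path` parameters matters (2048 bits minimum; how it is generated is not in this hunk). Consider `ssl_session_tickets off` next to `ssl_session_cache`, since nginx's ticket key is generated at start and only changes on restart, which weakens forward secrecy for every session it protects.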

View File

@@ -5,6 +5,9 @@
user {{ nginx_user }}; user {{ nginx_user }};
worker_processes {{ nginx_worker_processes }}; worker_processes {{ nginx_worker_processes }};
pid {{ nginx_pid }}; pid {{ nginx_pid }};
{% if nginx_version.stdout is version('1.9.11', 'ge') %}
include {{ nginx_etc_dir }}/modules-enabled/*.conf;
{% endif %}
events { events {
worker_connections {{ nginx_events_worker_connections }}; worker_connections {{ nginx_events_worker_connections }};

View File

@@ -25,7 +25,7 @@
{% block template_upstream_location %} {% block template_upstream_location %}
location ~ \.cgi$ { location ~ \.cgi$ {
gzip off; gzip off;
include {{ nginx_etc_dir }}/fastcgi_params; include fastcgi.conf;
fastcgi_pass unix:/var/run/fcgiwrap.socket; fastcgi_pass unix:/var/run/fcgiwrap.socket;
fastcgi_index BackupPC_Admin; fastcgi_index BackupPC_Admin;
fastcgi_param SCRIPT_FILENAME /usr/share/backuppc/cgi-bin$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME /usr/share/backuppc/cgi-bin$fastcgi_script_name;

View File

@@ -1,21 +1,39 @@
{% set __proto = item.proto | default(['http']) %} {% set __proto = item.proto | default(['http']) %}
{% set __main_name = item.name if item.name is string else item.name[0] %} {% set __main_name = item | nginx_site_filename %}
{% set __listen = item.listen | default(['80']) %} {% set __listen = item.listen | default(['80', '[::]:80']) %}
{% set __listen_ssl = item.listen_ssl | default(['443']) %} {% set __listen_ssl = item.listen_ssl | default(['443', '[::]:443']) %}
{% set __http_proxy_protocol_port = item.http_proxy_protocol_port | default([]) %}
{% set __https_proxy_protocol_port = item.https_proxy_protocol_port | default([]) %}
{% set __location = item.location | default({}) %} {% set __location = item.location | default({}) %}
{% set __headers = item.headers | default({'X-Frame-Options': 'DENY always', 'X-Content-Type-Options': 'nosniff always' }) %} {% set __headers = item.headers | default(nginx_servers_default_headers) %}
{% set __ssl_name = item.ssl_name | default(item.name if item.name is string else item.name[0]) %}
{% set __location_order = item.location_order | default(__location.keys()) %}
{% macro htpasswd(htpasswd_name, indent=1) -%} {% macro htpasswd(htpasswd_name, indent=1) -%}
{% for ht in nginx_htpasswd if ht.name == htpasswd_name %} {%- if htpasswd_name != false %}
{%- for ht in nginx_htpasswd if ht.name == htpasswd_name %}
{{ "\t" * indent }}auth_basic "{{ ht.description }}"; {{ "\t" * indent }}auth_basic "{{ ht.description }}";
{{ "\t" * indent }}auth_basic_user_file {{ nginx_htpasswd_dir }}/{{ ht.name }}; {{ "\t" * indent }}auth_basic_user_file {{ nginx_htpasswd_dir }}/{{ ht.name }};
{% endfor%} {%- endfor %}
{%- endif %}
{%- endmacro %} {%- endmacro %}
{% macro ssl(ssl_name) %} {% macro ssl(ssl_name) %}
{% for sn in nginx_ssl_pairs if sn.name == ssl_name %} {% for sn in nginx_ssl_pairs if ((sn.name is string and sn.name == ssl_name) or (sn.name.0 == ssl_name)) %}
ssl_certificate {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.crt' if sn.dest_cert is not defined else sn.dest_cert }}; ssl_certificate {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.crt' if sn.dest_cert is not defined else sn.dest_cert }};
ssl_certificate_key {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key' if sn.dest_key is not defined else sn.dest_key }}; ssl_certificate_key {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key' if sn.dest_key is not defined else sn.dest_key }};
{% endfor %} {% endfor %}
{%- endmacro %} {%- endmacro %}
{% macro httpsredirect(name) %}
server {
{% for port in __listen %}
listen {{ port }}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %};
{% endfor %}
server_name {{ name }};
location / {
return 301 https://{{ name }}{% if '443' not in __listen_ssl and 443 not in __listen_ssl %}:{{ __listen_ssl[0] }}{% endif %}$request_uri;
}
}
{% endmacro %}
# #
# {{ ansible_managed }} # {{ ansible_managed }}
# #
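Review bot: the `ssl` macro now matches a list-valued pair only on `sn.name.0`, so a site whose `ssl_name` (or first `name`) is one of the pair's other names gets no `ssl_certificate`/`ssl_certificate_key` lines at all and `nginx -t` fails with a missing certificate; use `ssl_name in sn.name` for the list case. Two smaller points: `__listen`/`__listen_ssl` now default to `[::]:80`/`[::]:443` unconditionally, which breaks nginx on hosts with IPv6 disabled unless the role guarantees it elsewhere, and `httpsredirect` decides whether to append a port with `'443' not in __listen_ssl and 443 not in __listen_ssl`, which misses a user who sets `listen_ssl: ['[::]:443']` and would emit `https://host:[::]:443`.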
@@ -26,19 +44,19 @@
server { server {
{% if 'http' in __proto %} {% if 'http' in __proto %}
{% for port in __listen %} {% for port in __listen %}
listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %}; listen {{ port }}{% if nginx_default_site == __main_name %} default_server{% endif %}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %};
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if 'https' in __proto %} {% if 'https' in __proto %}
{% for port in __listen_ssl %} {% for port in __listen_ssl %}
listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %}; listen {{ port }}{% if nginx_default_site_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %}{% if port | int in __https_proxy_protocol_port %} proxy_protocol{% endif %};
{% endfor %} {% endfor %}
{{ ssl(item.ssl_name) }} {{ ssl(__ssl_name) }}
{% if item.ssl_template is not defined or item.ssl_template != false %} {% if item.ssl_template is not defined or item.ssl_template != false %}
include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }}; include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
{% endif %} {% endif %}
{% endif %} {% endif %}
server_name {% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(' ') }}{% endif %}; server_name {% if item.name is string %}{{ item.name }}{% else %}{{ "\n\t\t" }}{{ item.name | join("\n\t\t") }}{% endif %};
{% block root %} {% block root %}
{% if item.root is defined %} {% if item.root is defined %}
root {{ item.root }}; root {{ item.root }};
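Review bot: `port | int in __http_proxy_protocol_port` never matches the IPv6 listeners, because `'[::]:80' | int` evaluates to the Jinja default of 0 rather than 80; with the new `[::]:80`/`[::]:443` defaults, PROXY protocol ends up enabled on the IPv4 socket only and an IPv6 client coming through the load balancer gets a 400 when nginx tries to parse its request as a PROXY header. Extract the port with `port | regex_replace('^.*:', '') | int` before the membership test, and do the same on the redirect servers that repeat this pattern.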
@@ -50,11 +68,13 @@ server {
index {{ item.index | default('index.html index.htm') }}; index {{ item.index | default('index.html index.htm') }};
{% endblock %} {% endblock %}
{% block template_more %}
{% if item.more is defined and item.more is iterable %} {% if item.more is defined and item.more is iterable %}
{% for line in item.more %} {% for line in item.more %}
{{ line }} {{ line }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% endblock %}
{% if item.htpasswd is defined %} {% if item.htpasswd is defined %}
{{ htpasswd(item.htpasswd, 1) }} {{ htpasswd(item.htpasswd, 1) }}
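Review bot: `item.more is iterable` is also true for a plain string, so `more: 'autoindex off;'` (without the list) is emitted one character per line; add `and item.more is not string`, or normalise with `[item.more] if item.more is string else item.more`. Wrapping the loop in a `template_more` block is a good change since child templates can now override it.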
@@ -63,7 +83,7 @@ server {
{% block template_headers %} {% block template_headers %}
# --> Custom headers # --> Custom headers
{% for key, value in __headers.iteritems() %} {% for key, value in __headers.iteritems() %}
add_header {{ key }} {{ value | replace(' always', '') }}{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %}; add_header {{ key }} "{{ value | replace(' always', '') }}"{% if nginx_version.stdout is version('1.7.5', 'ge') and ' always' in value %} always{% endif %};
{% endfor %} {% endfor %}
# <-- Custom headers # <-- Custom headers
{% endblock %} {% endblock %}
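Review bot: `__headers.iteritems()` is Python 2 only; on a controller running Ansible under Python 3 the template fails with `'dict object' has no attribute 'iteritems'`. Use `.items()`, which works on both. Quoting the header value is the right fix for values containing spaces, but a value that itself contains a double quote now breaks the directive, so escape it (`| replace('"', '\\"')`), and the `replace(' always', '')` substring strip should only remove a trailing ` always` rather than any occurrence inside the value.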
@@ -81,6 +101,20 @@ server {
{% block template_custom_location %} {% block template_custom_location %}
{% endblock %} {% endblock %}
{% if __location_order | length > 0 %}
# --> Custom locations
{% for location in __location_order %}
location {{ location }} {
{% set opts = __location[location] %}
{% for opt in opts %}
{% if opt.htpasswd is defined %}{{ htpasswd(opt.htpasswd, 2) }}{% else %}
{{ opt }}
{% endif %}
{% endfor %}
}
{% endfor %} # <-- Custom locations
{% endif %}
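Review bot: moving the user-supplied `location` blocks in front of `template_local_content` changes nginx's matching order in a way that matters for security: regex locations are tried in the order they appear and the first match wins, so a site-level `location ~ ^/(.*)` or similar now shadows the `location ~ /\.ht { deny all; }` that follows it, whereas the old placement (after the local-content block) kept the dotfile protection ahead of user input. Either keep the custom locations after the built-in deny rules or document the precedence and add a request for `/.htpasswd` expecting 403 to the test playbook. The `location_order` default of `__location.keys()` is unordered on Python < 3.7, so without an explicit `location_order` the rendered file can change between runs and break idempotence.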
{% block template_local_content %} {% block template_local_content %}
{% if item.manage_local_content is not defined or item.manage_local_content %} {% if item.manage_local_content is not defined or item.manage_local_content %}
location ~ /\.ht { location ~ /\.ht {
@@ -100,19 +134,6 @@ server {
{% endif %} {% endif %}
{% endblock %} {% endblock %}
{% if __location is iterable and __location | length > 0 %}
# --> Custom locations
{% for location, opts in __location.iteritems() %}
location {{ location }} {
{% for opt in opts %}
{% if opt.htpasswd is defined %}{{ htpasswd(opt.htpasswd, 2) }}{% else %}
{{ opt }}
{% endif %}
{% endfor %}
}
{% endfor %} # <-- Custom locations
{% endif %}
{% if item.use_access_log is defined %} {% if item.use_access_log is defined %}
{% if item.use_access_log %} {% if item.use_access_log %}
access_log {{ nginx_log_dir }}/{{ __main_name }}_access.log combined; access_log {{ nginx_log_dir }}/{{ __main_name }}_access.log combined;
@@ -133,15 +154,14 @@ server {
# #
# Redirect HTTP to HTTPS # Redirect HTTP to HTTPS
# #
server { {% if item.name is string %}
{% for port in __listen %} {{ httpsredirect(item.name) }}
listen {{ port }}; {% else %}
{% for i in item.name %}
{{ httpsredirect(i) }}
{% endfor %} {% endfor %}
server_name {% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(' ') }}{% endif %};
return 301 https://{{ __main_name }}{% if '443' not in __listen_ssl %}:__listen_ssl[0]{% endif %}$request_uri;
}
{% endif %} {% endif %}
{% endif %}
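Review bot: the HTTP to HTTPS redirect now sends each alias to `https://<alias>` instead of `https://<main name>`, which fixes the old literal `:__listen_ssl[0]` in the redirect target but is also a behaviour change: every alias must now be a SAN on the site's certificate, otherwise the first hop lands on a certificate warning, whereas the old form only needed the main name covered. Worth a changelog line; the ACME fake site does request all names together, so acme.sh users stay consistent, self-signed and pre-deployed pairs do not automatically.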
{% if item.redirect_from is defined and item.redirect_from is iterable %} {% if item.redirect_from is defined and item.redirect_from is iterable %}
# #
@@ -149,11 +169,30 @@ server {
# #
server { server {
{% for port in __listen %} {% for port in __listen %}
listen {{ port }}; listen {{ port }}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %};
{% endfor %} {% endfor %}
server_name {{ item.redirect_from | join(' ') }}; server_name {% if item.redirect_from is string %}{{ item.redirect_from }}{% else %}{{ "\n\t\t" }}{{ item.redirect_from | join("\n\t\t") }}{% endif %};
return 301 $scheme://{{ __main_name }}$request_uri; location / {
return 301 $scheme://{{ item.name if item.name is string else item.name[0] }}$request_uri;
}
}
{% if 'https' in __proto %}
server {
{% for port in __listen_ssl %}
listen {{ port }}{% if nginx_default_site_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %}{% if port | int in __https_proxy_protocol_port %} proxy_protocol{% endif %};
{% endfor %}
{{ ssl(__ssl_name) }}
{% if item.ssl_template is not defined or item.ssl_template != false %}
include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
{% endif %}
server_name {% if item.redirect_from is string %}{{ item.redirect_from }}{% else %}{{ "\n\t\t" }}{{ item.redirect_from | join("\n\t\t") }}{% endif %};
location / {
return 301 https://{{ item.name if item.name is string else item.name[0] }}{% if '443' not in __listen_ssl and 443 not in __listen_ssl %}:{{ __listen_ssl[0] }}{% endif %}$request_uri;
}
} }
{% endif %} {% endif %}
{% endif %}
# vim:filetype=nginx # vim:filetype=nginx
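Review bot: the new HTTPS server for `redirect_from` names repeats `{% if nginx_default_site_ssl == __main_name %} default_server{% endif %}` on the same `listen_ssl` ports as the main server block; when the site is the SSL default and also has `redirect_from`, nginx sees two `default_server` flags for one address:port and refuses to start (`a duplicate default server`). Drop the flag from the redirect server. It also reuses `ssl(__ssl_name)`, so the `redirect_from` hostnames must be SANs on the main pair; the ACME template lists them in `server_name`, which is consistent, but a self-signed or pre-deployed pair will produce certificate errors for those names.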

View File

@@ -1,67 +0,0 @@
{% extends "_base.j2" %}
{% block root %}
root {{ nginx_nagios_root }};
{% endblock %}
{% block template_try_files %}
{% endblock %}
{% block template_index %}
index index.php index.html;
{% endblock %}
{% block template_headers %}
# --> Custom headers
{% for key, value in __headers.iteritems() %}
{% if key == "X-Frame-Options" %}
# X-Frame-Options forced by Ansible
add_header {{ key }} SAMEORIGIN{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
{% else %}
add_header {{ key }} {{ value | replace(' always', '') }}{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
{% endif %}
{% endfor %}
# <-- Custom headers
{% endblock %}
{% block template_local_content %}
location ~ /\.ht {
deny all;
}
location /stylesheets {
{% if nginx_nagios_stylesheets is defined %}
alias {{ nginx_nagios_stylesheets }};
{% endif %}
expires 60d;
}
{% endblock %}
{% block template_upstream_location %}
{% if ansible_distribution == 'Debian' %}
location /cgi-bin/nagios3 {
root /usr/lib;
{% elif ansible_distribution == 'FreeBSD' %}
location /cgi-bin {
{% endif %}
try_files $uri =404;
{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
include fastcgi_params;
{% else %}
include fastcgi.conf;
{% endif %}
fastcgi_pass unix:{{ nginx_fcgiwrap_sock }};
fastcgi_param AUTH_USER $remote_user;
fastcgi_param REMOTE_USER $remote_user;
}
location ~ \.php$ {
fastcgi_pass php;
fastcgi_index index.php;
{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
include fastcgi_params;
{% else %}
include fastcgi.conf;
{% endif %}
}
{% endblock %}

View File

@@ -1,25 +1,34 @@
{% extends "_base.j2" %} {% extends "_base.j2" %}
{% if item.php_version is defined %}
{% set php_info = 'Explicit PHP version on site' %}
{% set php_upstream = (nginx_php|selectattr('version', 'equalto', item.php_version)|first).upstream_name | default(item.php_version | php_default_upstream_name) %}
{% elif item.php_upstream is defined %}
{% set php_info = 'Explicit Nginx/PHP upstream on site' %}
{% set php_upstream = item.php_upstream %}
{% else %}
{% set php_info = 'Warning: using first PHP version on config' %}
{% set php_upstream = nginx_php.0.upstream_name | default(nginx_php.0.version | php_default_upstream_name) %}
{% endif %}
{% block template_index %} {% block template_index %}
index {{ item.index | default('index.html index.htm index.php') }}; index {{ item.index | default('index.html index.htm index.php') }};
{% endblock %} {% endblock %}
{% block template_try_files %} {% block template_try_files %}
try_files {{ override_try_files | default('$uri $uri/ /index.php') }}; try_files {{ override_try_files | default('$uri $uri/ =404') }};
{% endblock %} {% endblock %}
{% block template_upstream_location %} {% block template_upstream_location %}
location ~ \.php$ { location ~ \.php$ {
fastcgi_pass php; # {{ php_info }}
fastcgi_pass {{ php_upstream }};
fastcgi_index index.php; fastcgi_index index.php;
{% if item.upstream_params is defined and item.upstream_params is iterable %} {% if item.upstream_params is defined and item.upstream_params is iterable %}
{% for param in item.upstream_params %} {% for param in item.upstream_params %}
{{ param }} {{ param }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
include fastcgi_params;
{% else %}
include fastcgi.conf; include fastcgi.conf;
{% endif %}
} }
{% endblock %} {% endblock %}
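Review bot: `include fastcgi.conf` is now emitted after the user's `upstream_params`, so anything set there (`SCRIPT_FILENAME`, `PATH_INFO`, `HTTPS`) is followed by the distribution defaults and both values reach PHP-FPM; put the include first and the per-site params after it so the override is the last definition. Changing the default `try_files` to `$uri $uri/ =404` is the right call: the PHP location inherits it, so a request like `/upload.jpg/x.php` is refused instead of being handed to PHP with `cgi.fix_pathinfo` deciding what runs. When `php_version` matches no entry in `nginx_php`, `selectattr(...) | first` throws a Jinja error; an `assert` with a readable message would be friendlier.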

View File

@@ -2,18 +2,15 @@
{% block template_upstream_location %} {% block template_upstream_location %}
location = /index.php { location = /index.php {
fastcgi_pass php; # {{ php_info }}
fastcgi_pass {{ php_upstream }};
fastcgi_index index.php; fastcgi_index index.php;
{% if item.upstream_params is defined and item.upstream_params is iterable %} {% if item.upstream_params is defined and item.upstream_params is iterable %}
{% for param in item.upstream_params %} {% for param in item.upstream_params %}
{{ param }} {{ param }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
include fastcgi_params;
{% else %}
include fastcgi.conf; include fastcgi.conf;
{% endif %}
} }
{% endblock %} {% endblock %}
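Review bot: with `location = /index.php` as the only FastCGI location, any other `*.php` file present under the site root is served as a plain static file, which discloses its source. Unless the parent template already carries a catch-all (not visible here), add `location ~ \.php$ { return 404; }` after the exact match. The `include fastcgi.conf` after `upstream_params` has the same ordering problem as in `_php.j2`: user overrides should come after the include, not before it.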

View File

@@ -0,0 +1,19 @@
{% extends "_php.j2" %}
{% block template_try_files %}
try_files {{ override_try_files | default('$uri $uri/ /index.php') }};
{% endblock %}
{% block template_upstream_location %}
location = /index.php {
# {{ php_info }}
fastcgi_pass {{ php_upstream }};
fastcgi_index index.php;
{% if item.upstream_params is defined and item.upstream_params is iterable %}
{% for param in item.upstream_params %}
{{ param }}
{% endfor %}
{% endif %}
include fastcgi.conf;
}
{% endblock %}
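Review bot: `override_try_files` is read as a bare play-level variable, not `item.override_try_files`, so setting it changes `try_files` for every site rendered from this template (and from `_php.j2`) at once; scope it to the site or document that it is global. Overriding `template_upstream_location` also replaces the parent's `location ~ \.php$` rather than adding to it, so with only `= /index.php` handed to FPM every other `*.php` under the root is served as a static file unless a `location ~ \.php$ { return 404; }` is added here.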

View File

@@ -3,3 +3,9 @@
{% block template_try_files %} {% block template_try_files %}
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
{% endblock %} {% endblock %}
{% block template_custom_location %}
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
{% endblock %}
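Review bot: `location ~* /(?:uploads|files)/.*\.php$ { deny all; }` only protects the upload directories if nginx reaches it before the generic `~ \.php$` location, because the first matching regex location in file order wins; `template_custom_location` must therefore render ahead of `template_upstream_location`, which this hunk does not show. Confirm with `nginx -T`, and add a test request for `/uploads/x.php` expecting 403 rather than a FastCGI pass.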

View File

@@ -1,15 +0,0 @@
#
# {{ ansible_managed }}
#
upstream php {
{% for item in nginx_php_sockets %}
{% if item.unix_socket is defined %}
server unix:{{ item.unix_socket }} weight={{ item.weight | default('1') }};
{% else %}
server {{ item.host }}:{{ item.port }} weight={{ item.weight | default('1') }} max_fails={{ item.max_fails | default('5') }} fail_timeout={{ item.fail_timeout | default('10s') }};
{% endif %}
{% endfor %}
}
# vim:filetype=nginx

View File

@@ -1,4 +0,0 @@
FROM williamyeh/ansible:debian8-onbuild
RUN apt-get update
CMD ["sh", "tests/test.sh"]

View File

@@ -1,4 +0,0 @@
FROM williamyeh/ansible:debian7-onbuild
RUN apt-get update
CMD ["sh", "tests/test.sh"]

View File

@@ -1,10 +1,15 @@
--- ---
- name: APT | Install web apps - name: APT | Install webapps
apt: pkg={{ item }} state=present apt:
with_items: pkg: "{{ packages }}"
- nagios3 state: present
install_recommends: no
vars:
packages:
- backuppc - backuppc
- name: SERVICE | Ensure backuppc is started - name: SERVICE | Ensure backuppc is started
service: name=backuppc state=started service:
name: backuppc
state: started

View File

@@ -1,29 +1,23 @@
--- ---
- name: APT | Install web apps #- name: APT | Install web apps
pkgng: pkg={{ item }} state=present # pkgng:
with_items: # pkg: "{{ item }}"
- nagios # state: present
- backuppc # with_items:
# - backuppc
- name: COMMAND | Activate backuppc config #
command: > #- name: COMMAND | Activate backuppc config
cp /usr/local/etc/backuppc/config.pl.sample /usr/local/etc/backuppc/config.pl # command: >
creates=/usr/local/etc/backuppc/config.pl # cp /usr/local/etc/backuppc/config.pl.sample /usr/local/etc/backuppc/config.pl
# creates=/usr/local/etc/backuppc/config.pl
- name: FILE | Fix backuppc permissions #
file: > #- name: FILE | Fix backuppc permissions
path=/usr/local/etc/backuppc/config.pl # file:
owner=backuppc # path: /usr/local/etc/backuppc/config.pl
group=backuppc # owner: backuppc
# group: backuppc
- name: FILE | Fix fcgiwrap permission #
file: >
path={{ nginx_fcgiwrap_sock }}
mode=0640
owner={{ nginx_user }}
group={{ nginx_user }}
# #
# We don't manage BackupPC on FreeBSD... too dirty. :/ # We don't manage BackupPC on FreeBSD... too dirty. :/
# #
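Review bot: commenting the FreeBSD tasks out instead of deleting them leaves dead YAML that will rot; remove them and keep the explanatory comment. The dropped `FILE | Fix fcgiwrap permission` task (mode 0640, owned by `nginx_user`) has no replacement, so on FreeBSD the fcgiwrap socket now keeps whatever mode the rc script gives it; if the BackupPC CGI location is still rendered on FreeBSD that is a permission regression worth checking.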

View File

@@ -1,22 +1,102 @@
--- ---
- name: APT_REPOSITORY | Install backports - name: APT_REPOSITORY | Install backports
apt_repository: repo='deb http://httpredir.debian.org/debian {{ ansible_distribution_release }}-backports main' state=present apt_repository:
repo: 'deb http://httpredir.debian.org/debian {{ ansible_distribution_release }}-backports main'
state: present
when: nginx_backports
- block:
- name: APT | Install DotDeb key
apt_key:
url: 'http://www.dotdeb.org/dotdeb.gpg'
state: present
- name: APT_REPOSITORY | Install dotdeb (PHP 7)
apt_repository:
repo: 'deb http://packages.dotdeb.org {{ ansible_distribution_release }} all'
state: present
- name: LINEFILEFILE | Dotdeb priority (prevent install nginx from dotdeb)
copy:
content: "Package: *\nPin: release o=packages.dotdeb.org\nPin-Priority: 100"
dest: /etc/apt/preferences
when: ansible_distribution_release == 'jessie' and dotdeb | default(false)
- block:
- name: APT | Install apt-transport-https
apt:
pkg: apt-transport-https
update_cache: yes
cache_valid_time: 3600
- name: APT_KEY | Install GPG key
apt_key:
url: 'https://packages.sury.org/php/apt.gpg'
- name: APT_REPOSITORY | Add APT repository
apt_repository:
repo: 'deb https://packages.sury.org/php {{ ansible_distribution_release }} main'
when: sury | default(false)
- name: APT | Install needed packages - name: APT | Install needed packages
apt: pkg={{ item }} update_cache=yes cache_valid_time=3600 state=present apt:
with_items: pkg: "{{ packages }}"
- php5-fpm update_cache: yes
cache_valid_time: 3600
state: present
vars:
packages:
- cron
- curl - curl
- fcgiwrap - fcgiwrap
- jq
- nghttp2
- strace
- vim
- unzip
- name: APT | Install nghttp2 - name: APT | Install daemonize from Stretch
apt: pkg=nghttp2 state=present apt:
when: ansible_distribution_major_version | version_compare(8, 'ge') deb: http://ftp.us.debian.org/debian/pool/main/d/daemonize/daemonize_1.7.7-1+b1_amd64.deb
- name: SERVICE | Force start services - name: APT | Install PHP
service: name={{ item }} state=started apt:
register: sf pkg: "{{ item.version | php_fpm_package }}"
with_items: update_cache: yes
- php5-fpm cache_valid_time: 3600
- fcgiwrap state: present
loop: "{{ nginx_php }}"
register: apt_php
- name: SERVICE | Force start fcgiwrap
service:
name: "fcgiwrap"
state: started
# Bypasses Ansible+Docker issue. With service module... php is not really started!
- name: COMMAND | Force start PHP
command: "service {{ item.version | php_fpm_service }} start"
args:
creates: "{{ item.version | php_default_upstream_socket }}"
warn: false
loop: "{{ nginx_php }}"
- name: GET_URL | Download ngrok
get_url:
url: "https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip"
dest: "/tmp/ngrok.zip"
- name: UNARCHIVE | Uncompress ngrok
unarchive:
src: "/tmp/ngrok.zip"
dest: "/tmp"
remote_src: yes
- name: SET_FACT | ngrok_path
set_fact:
ngrok_path: '/tmp/ngrok'
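Review bot: two artifacts are fetched over plain HTTP with no integrity check, the DotDeb signing key (`http://www.dotdeb.org/dotdeb.gpg`) and the `daemonize` package installed via `deb: http://ftp.us.debian.org/...`, which dpkg installs without any signature verification. Fetch the key over HTTPS (the Sury block already does) or pin it with `apt_key: id:`, and for the `.deb` use `get_url` with `checksum: sha256:...` before `apt: deb:`. `copy` to `/etc/apt/preferences` also clobbers any existing pin file; write `/etc/apt/preferences.d/dotdeb` instead. The ngrok zip is likewise unpinned; these are test pre-tasks, but they run as root on the CI host.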

View File

@@ -2,23 +2,65 @@
- name: SET_FACT | FreeBSD web user - name: SET_FACT | FreeBSD web user
set_fact: set_fact:
nginx_pkgng_package: 'nginx-devel' nginx_pkgng_package: 'nginx-full'
nginx_user: 'www' nginx_user: 'www'
nginx_php_sockets: nginx_php:
- version: '7.2'
sockets:
- host: '127.0.0.1' - host: '127.0.0.1'
port: 9000 port: 9000
nginx_load_modules:
- /usr/local/libexec/nginx/ngx_http_geoip_module.so
ngrok_path: '/usr/local/bin/ngrok'
- name: PKGNG | Install needed packages - name: PKGNG | Install needed packages
pkgng: pkg={{ item }} state=present pkgng:
with_items: pkg: "{{ packages }}"
- php56 state: present
vars:
packages:
- curl - curl
- daemonize
- fcgiwrap - fcgiwrap
- GeoIP
- jq
- nghttp2 - nghttp2
- php72
- vim
- name: COMMAND | Get geoip database
command: geoipupdate.sh
args:
creates: /usr/local/share/GeoIP/GeoIP.dat
- name: SERVICE | Force start services - name: SERVICE | Force start services
service: name={{ item }} state=started enabled=yes service:
name: "{{ item }}"
state: started
enabled: yes
register: sf register: sf
with_items: loop:
- php-fpm - php-fpm
- fcgiwrap - fcgiwrap
- name: STAT | Check ports
stat:
path: /usr/ports
register: ports
- block:
- name: COMMAND | Get ports
command: portsnap fetch --interactive
- name: COMMAND | Extract ports
command: portsnap extract
no_log: true
when: not ports.stat.exists
- name: SHELL | Install ngrok
shell: make install clean DISABLE_LICENSES=yes
args:
chdir: /usr/ports/security/ngrok
creates: "{{ ngrok_path }}"
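Review bot: `no_log: true` on the portsnap block hides the noisy fetch/extract output, but it also hides the error when `portsnap fetch` fails, leaving only a suppressed-output message to debug; nothing in this block is secret, so drop `no_log` (or mark the commands `changed_when` appropriately instead). Building ngrok from `security/ngrok` with `DISABLE_LICENSES=yes` pulls a proprietary binary through the ports fetch stage, so the same unpinned-download concern applies as on the Debian side.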

View File

@@ -0,0 +1,29 @@
---
- name: SHELL | Start ngrok
shell: daemonize -l /tmp/ngrok.lock {{ ngrok_path }} http 8888 -bind-tls=false
failed_when: false
changed_when: ngrok.stderr.find("Can't lock the lock file") == -1
register: ngrok
- name: WAIT_FOR | ngrok started
wait_for:
delay: 2
port: 4040
when: ngrok.changed
- name: SHELL | Get ngrok public address
shell: curl 'http://127.0.0.1:4040/api/tunnels/command_line' | jq '.public_url' | grep -oE '[[:alnum:]]+\.ngrok\.io'
args:
warn: false
register: ngrok
changed_when: false
- name: LINEINFILE | Tune vimrc
lineinfile:
line: "set mouse="
dest: "{{ item }}/.vimrc"
create: yes
loop:
- /root
- /home/vagrant
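Review bot: `failed_when: false` on the ngrok start task swallows every failure, including a missing binary or a bad `daemonize` invocation, so the only symptom is the following `wait_for` on port 4040 timing out after its default 300 seconds. Use `failed_when: ngrok.rc != 0 and "Can't lock the lock file" not in ngrok.stderr` so the already-running case stays green and real errors surface. The lock lives at the predictable path `/tmp/ngrok.lock`; on a shared test host another user can pre-create it and the task then reports unchanged and never starts the tunnel. The public-address task re-registers `ngrok`, overwriting the start result; register it under its own name (for example `ngrok_addr`).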

View File

@@ -1 +0,0 @@
localhost

View File

@@ -1,21 +0,0 @@
#!/bin/sh
# Thanks to https://servercheck.in/blog/testing-ansible-roles-travis-ci-github
DIR=$( dirname $0 )
INVENTORY_FILE="$DIR/inventory"
PLAYBOOK="$DIR/test.yml"
set -ev
# Check syntax
ansible-playbook -i $INVENTORY_FILE -c local --syntax-check -vv $PLAYBOOK
# Check role
ansible-playbook -i $INVENTORY_FILE -c local --sudo -vv $PLAYBOOK
# Check indempotence
ansible-playbook -i $INVENTORY_FILE -c local --sudo -vv $PLAYBOOK \
| grep -q 'changed=0.*failed=0' \
&& (echo 'Idempotence test: pass' && exit 0) \
|| (echo 'Idempotence test: fail' && exit 1)

View File

@@ -4,19 +4,39 @@
pre_tasks: pre_tasks:
- name: INCLUDE | Pre_tasks related to OS version - name: INCLUDE | Pre_tasks related to OS version
include: "includes/pre_{{ ansible_distribution }}.yml" include: "includes/pre_{{ ansible_distribution }}.yml"
- name: INCLUDE | Pre_tasks common
include: "includes/pre_common.yml"
- name: FILE | Create an internal SSL dir - name: FILE | Create an internal SSL dir
file: path={{ int_ansible_ssl_dir }} state=directory file:
path: "{{ int_ansible_ssl_dir }}"
state: directory
- name: COPY | Deploy test certificate - name: COPY | Deploy test certificate
copy: src=file/test.crt dest={{ int_ansible_ssl_dir }}/test.crt copy:
src: "file/test.crt"
dest: "{{ int_ansible_ssl_dir }}/test.crt"
- name: COPY | Deploy test key - name: COPY | Deploy test key
copy: src=file/test.key dest={{ int_ansible_ssl_dir }}/test.key copy:
src: "file/test.key"
dest: "{{ int_ansible_ssl_dir }}/test.key"
- name: LINEINFILE | Add all hosts in /etc/hosts
lineinfile:
line: "127.0.0.1\tlocalhost {% for s in nginx_sites %}{% if s.name is string %}{{ s.name }}{% else %}{% for n in s.name %}{{ n }} {% endfor %}{% endif %} {% if s.redirect_from is defined %}{% for rf in s.redirect_from %}{{ rf }} {% endfor %}{% endif %}{% endfor %}"
regexp: '^127\.0\.0\.1'
dest: "/etc/hosts"
unsafe_writes: yes
vars: vars:
# Internal vars # Internal vars
int_ansible_ssl_dir: '/etc/ansible-ssl' int_ansible_ssl_dir: '/etc/ansible-ssl'
# Role vars # Role vars
nginx_worker_processes: 1 # Ansible+FreeBSD can't detect CPU number nginx_worker_processes: 1 # Ansible+FreeBSD can't detect CPU number
nginx_backports: true nginx_apt_package: 'nginx-extras'
nginx_php: true nginx_module_packages: ['libnginx-mod-http-headers-more-filter']
nginx_upstreams: nginx_upstreams:
- name: 'test' - name: 'test'
servers: servers:
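Review bot: the `/etc/hosts` line iterates `s.redirect_from` with a bare `for`, but the templates accept `redirect_from` both as a string and as a list; a string value is iterated one character at a time and pollutes the loopback line. Mirror the templates with `{% if s.redirect_from is string %}...{% else %}...{% endif %}`. `unsafe_writes: yes` is needed for the bind-mounted `/etc/hosts` in Docker, but it gives up atomic replacement, so keep it confined to this test playbook.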
@@ -24,6 +44,13 @@
max_conns: 150 max_conns: 150
weight: 10 weight: 10
down: false down: false
- name: 'test-absent'
servers:
- path: '127.0.0.1:80'
max_conns: 150
weight: 10
down: false
state: 'absent'
nginx_htpasswd: nginx_htpasswd:
- name: 'hello' - name: 'hello'
description: 'Please login!' description: 'Please login!'
@@ -33,16 +60,20 @@
state: 'absent' state: 'absent'
- name: 'hanx' - name: 'hanx'
password: 'qwerty' password: 'qwerty'
- name: 'nagios'
description: 'Please login to Nagios!'
users:
- name: 'nagiosadmin'
password: 'nagios'
- name: 'deleteme' - name: 'deleteme'
description: 'Please login!' description: 'Please login!'
users: [] users: []
state: 'absent' state: 'absent'
nginx_acmesh: true
nginx_acmesh_test: true
nginx_ssl_pairs: nginx_ssl_pairs:
- name:
- '{{ ngrok.stdout }}'
acme: true
acme_port: 8888
- name: 'test-ssl-selfsigned.local'
self_signed: true
force: false
- name: 'test-ssl-predeployed.local' - name: 'test-ssl-predeployed.local'
dest_key: "{{ int_ansible_ssl_dir }}/test.key" dest_key: "{{ int_ansible_ssl_dir }}/test.key"
dest_cert: "{{ int_ansible_ssl_dir }}/test.crt" dest_cert: "{{ int_ansible_ssl_dir }}/test.crt"
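Review bot: the ACME pair's only name is `'{{ ngrok.stdout }}'`, which is an empty string whenever the ngrok lookup in `pre_common.yml` returned nothing (its failures are masked by `failed_when: false`), so acme.sh would be asked for a certificate for `""` and the fake site would get an empty `server_name`. Add an `assert` that `ngrok.stdout | length > 0` before the role runs. `nginx_acmesh_test: true` should keep the run against the staging CA; the endpoint it selects is not visible here.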
@@ -97,9 +128,16 @@
-----END CERTIFICATE----- -----END CERTIFICATE-----
nginx_custom_http: nginx_custom_http:
- 'add_header X-ansible 1;' - 'add_header X-ansible 1;'
nginx_default_vhost: 'test.local' - 'geoip_country {% if ansible_distribution == "Debian" %}/usr/share/GeoIP/GeoIP.dat{% else %}/usr/local/share/GeoIP/GeoIP.dat{% endif %};'
nginx_default_vhost_ssl: 'test-ssl-predeployed.local' - 'map $geoip_country_code $allowed_country {'
nginx_vhosts: - ' default yes;'
- ' MA no;'
- ' DZ no;'
- ' TN no;'
- '}'
nginx_default_site: 'first-test'
nginx_default_site_ssl: 'test-ssl-predeployed.local'
nginx_sites:
- name: - name:
- 'test.local' - 'test.local'
- 'test-alias.local' - 'test-alias.local'
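Review bot: the `map $geoip_country_code $allowed_country` block at L2338-L2343 defines `$allowed_country` but nothing in the diff consumes it (no site carries an `if ($allowed_country = no) { return 403; }`), so the fixture only proves that the directives parse; either add a site that uses the variable with a `uri` task expecting 403, or trim the block to a one-line smoke test. The `geoip_country` directive on L2337 also requires the GeoIP database to exist at the given path on the test image and the `ngx_http_geoip_module` to be available (`nginx-extras` from L2288 provides it on Debian); the diff shows no package supplying `/usr/local/share/GeoIP/GeoIP.dat` on FreeBSD. The `nginx_default_vhost` to `nginx_default_site` and `nginx_vhosts` to `nginx_sites` renames at L2344-L2346 are user-facing and need a CHANGELOG entry too.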
@@ -111,7 +149,7 @@
'X-Frame-Options': 'deny always' 'X-Frame-Options': 'deny always'
'X-ansible-default': '1' 'X-ansible-default': '1'
manage_local_content: false manage_local_content: false
use_error_log: false use_error_log: true
more: more:
- 'autoindex off;' - 'autoindex off;'
location: location:
@@ -129,6 +167,9 @@
location: location:
'/hello': '/hello':
- htpasswd: 'hello' - htpasswd: 'hello'
'/public':
- htpasswd: false
use_error_log: true
- name: 'test-htpasswd-all.local' - name: 'test-htpasswd-all.local'
template: '_base' template: '_base'
htpasswd: 'hello' htpasswd: 'hello'
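Review bot: the `htpasswd: false` override for `/public` (L2362-L2363) is never asserted on: the Basic Auth checks later in the diff (L2550-L2567) all target `/hello/`. Add a `uri` task for `http://test-htpasswd.local/public/` without credentials and assert that the status is anything but 401 (the directory may not exist under the site root, so use `status_code: '200,403,404'` rather than 200); otherwise a regression that re-applies `auth_basic` to the nested location goes unnoticed.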
@@ -137,7 +178,19 @@
location: location:
'/': '/':
- 'alias /var/tmp;' - 'alias /var/tmp;'
'/a':
- 'alias /var/tmp;'
'/b':
- 'alias /var/tmp;'
'/c':
- 'alias /var/tmp;'
location_order:
- '/'
- '/a'
- '/b'
- '/c'
- name: 'test-php.local' - name: 'test-php.local'
php_version: "{{ nginx_php.1.version if nginx_php.1 is defined else nginx_php.0.version }}"
upstream_params: upstream_params:
- 'fastcgi_param FOO bar;' - 'fastcgi_param FOO bar;'
redirect_from: redirect_from:
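Review bot: the new `/a`, `/b`, `/c` locations and `location_order` (L2372-L2382) are only exercised by rendering; the visible post_tasks never request `/a/`, `/b/` or `/c/`, so a wrong ordering would not fail the build. Add one `uri` task per path, and document what the role does with locations that are missing from `location_order` (appended, or dropped). Since the fixture uses `alias /var/tmp;` under slash-less prefixes, make prefix and alias consistent (`'/a/'` with `'alias /var/tmp/;'`) so that `location /a` does not also match a request for `/abc` and map it to `/var/tmpbc`, which is how nginx resolves a mismatched prefix/alias pair.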
@@ -147,6 +200,8 @@
use_access_log: true use_access_log: true
- name: 'test-php-index.local' - name: 'test-php-index.local'
template: '_php_index' template: '_php_index'
- name: 'test-php-index2.local'
template: '_php_index2'
- name: 'test-proxy.local' - name: 'test-proxy.local'
listen: listen:
- 8080 - 8080
@@ -155,19 +210,18 @@
headers: headers:
'X-proxyfied': '1' 'X-proxyfied': '1'
- name: 'deleted.local' - name: 'deleted.local'
delete: true state: 'absent'
- name: 'redirect-to.local' - name: 'redirect-to.local'
redirect_to: 'http://test.local' redirect_to: 'http://test.local'
- name: 'backuppc.local' - name: 'backuppc.local'
template: '_backuppc' template: '_backuppc'
htpasswd: 'hello' htpasswd: 'hello'
- name: 'nagios3.local'
template: '_nagios3'
htpasswd: 'nagios'
- name: 'test-ssl.local' - name: 'test-ssl.local'
proto: ['http', 'https'] proto: ['http', 'https']
template: '_base' template: '_base'
ssl_name: 'test-ssl.local' - name: 'test-ssl-selfsigned.local'
proto: ['http', 'https']
template: '_base'
- name: 'test-ssl-predeployed.local' - name: 'test-ssl-predeployed.local'
proto: ['http', 'https'] proto: ['http', 'https']
template: '_base' template: '_base'
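Review bot: `delete: true` becoming `state: 'absent'` (L2401) changes a user-facing key without a compatibility path; if the role no longer reads `delete`, a site definition still carrying `delete: true` is now created instead of removed, which is exactly the wrong outcome for a site that is supposed to be gone. Either keep `delete` as a deprecated alias that maps to `state: 'absent'` and emits a warning, or call the rename out in the README and CHANGELOG. The `ssl_name` line dropped from `test-ssl.local` (L2413) also deserves a comment stating that the pair is now resolved from the site name.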
@@ -180,6 +234,31 @@
template: '_base' template: '_base'
ssl_name: 'test-ssl.local' ssl_name: 'test-ssl.local'
redirect_https: true redirect_https: true
- name:
- 'test-ssl-redirect-many.local'
- 'test-ssl-redirect-many2.local'
listen_ssl: [8443]
proto: ['https']
template: '_base'
ssl_name: 'test-ssl.local'
redirect_https: true
redirect_from:
- 'www.test-ssl-redirect-many.local'
- 'www.test-ssl-redirect-many2.local'
- name: 'test-ssl-proxy-protocol.local'
proto: ['http', 'https']
listen: [80, 20080]
listen_ssl: [443, 20443]
http_proxy_protocol_port: [20080]
https_proxy_protocol_port: [20443]
template: '_base'
ssl_name: 'test-ssl.local'
- name: '{{ ngrok.stdout }}'
proto: ['http', 'https']
template: '_base'
ssl_name: '{{ ngrok.stdout }}'
headers:
'X-acme': '1'
nginx_dh_length: 1024 nginx_dh_length: 1024
roles: roles:
- ../../ - ../../
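Review bot: the proxy-protocol site at L2434-L2441 opens listeners on 20080 and 20443 that expect a PROXY header, but no post task exercises them (VERIFY SITES at L2496-L2502 only uses `item.listen[0]`, i.e. port 80), so a broken `proxy_protocol` rendering would pass. Add a `command` task using `curl --haproxy-protocol -H 'Host: test-ssl-proxy-protocol.local' http://127.0.0.1:20080/` and assert on its output. Because nginx trusts the client address carried in the PROXY header on those ports, the README should state that they must be reachable only from the fronting proxy (firewall rules and `set_real_ip_from`), otherwise any client can spoof its source address in the logs and in any IP-based access rules.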
@@ -189,158 +268,235 @@
# -------------------------------- # --------------------------------
- name: INCLUDE | Post_tasks related to OS version - name: INCLUDE | Post_tasks related to OS version
include: "includes/post_{{ ansible_distribution }}.yml" include: "includes/post_{{ ansible_distribution }}.yml"
# -------------------------------- # --------------------------------
# Deploy index files # Deploy index files
# -------------------------------- # --------------------------------
- name: -- Add PHP file -- - name: -- Add PHP file --
copy: dest="{{ nginx_root }}/{{ item }}/public/index.php" content="<?php phpinfo();" copy:
with_items: ['test-php.local', 'test-php-index.local'] dest: "{{ nginx_root }}/{{ item }}/public/index.php"
content: "<?php phpinfo();"
loop:
- 'test-php.local'
- 'test-php-index.local'
- 'test-php-index2.local'
- name: -- Add HTML file -- - name: -- Add HTML file --
copy: dest="{{ item }}/index.html" content="Index HTML test OK\n" copy:
with_items: ['{{ nginx_root }}/test.local/public', '/var/tmp', '{{ nginx_root }}/test-htpasswd-all.local/public', '{{ nginx_root }}/test-ssl.local/public', '{{ nginx_root }}/test-ssl-predeployed.local/public'] dest: "{{ item }}/index.html"
content: "Index HTML test OK\n"
loop:
- '{{ nginx_root }}/first-test/public'
- '/var/tmp'
- '{{ nginx_root }}/test-htpasswd-all.local/public'
- '{{ nginx_root }}/test-ssl.local/public'
- '{{ nginx_root }}/test-ssl-selfsigned.local/public'
- '{{ nginx_root }}/test-ssl-predeployed.local/public'
- '{{ nginx_root }}/test-ssl-proxy-protocol.local/public'
- '{{ nginx_root }}/{{ ngrok.stdout }}/public'
- name: -- Create directory -- - name: -- Create directory --
file: path={{ nginx_root }}/test-htpasswd.local/public/hello state=directory file:
path: "{{ nginx_root }}/test-htpasswd.local/public/hello"
state: directory
- name: -- Add HTML file hello -- - name: -- Add HTML file hello --
copy: dest="{{ nginx_root }}/test-htpasswd.local/public/hello/index.html" content="hello\n" copy:
dest: "{{ nginx_root }}/test-htpasswd.local/public/hello/index.html"
content: "hello\n"
# -------------------------------- # --------------------------------
# Simple vhosts tests # Test custom facts
# -------------------------------- # --------------------------------
- name: -- VERIFY VHOSTS -- - name: -- CHECK FACTS --
command: "curl -H 'Host: {{ item.name if item.name is string else item.name[0] }}' http://127.0.0.1{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/" assert:
with_items: "{{ nginx_vhosts }}" that: "'{{ ansible_local.nginx.fact_nginx_sites[0].name[0] }}' == 'test.local'"
when: item.delete is undefined or not item.delete # --------------------------------
# Simple sites tests
# --------------------------------
- name: -- VERIFY SITES --
uri:
url: "http://{{ item | nginx_site_name }}{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/"
status_code: '200,301,302,401,403'
follow_redirects: none
loop: "{{ nginx_sites }}"
when: item.state is undefined or item.state != "absent"
changed_when: false changed_when: false
- name: -- VERIFY FORBIDDEN -- - name: -- VERIFY FORBIDDEN --
command: "curl -H 'Host: test-php-index.local' http://127.0.0.1/phpinfo.php" uri:
register: f url: "http://test-php-index.local/phpinfo.php"
failed_when: f.stdout.find('403 Forbidden') == -1 status_code: 403
- name: -- VERIFY REDIRECT SITES --
uri:
url: "http://{{ item.redirect_from[0] }}/"
status_code: 301
follow_redirects: none
loop: "{{ nginx_sites }}"
when: item.redirect_from is defined and (item.state is undefined or item.state != "absent") and (item.proto is not defined or 'https' not in item.proto)
changed_when: false changed_when: false
- name: -- VERIFY REDIRECT VHOSTS --
command: "curl -H 'Host: {{ item.redirect_from[0] }}' http://127.0.0.1/" - name: -- VERIFY REDIRECT HTTPS SITES --
with_items: "{{ nginx_vhosts }}" uri:
when: item.redirect_from is defined and (item.delete is undefined or not item.delete) url: "https://{{ item.redirect_from[0] }}:{{ item.listen_ssl[0] | default(443) }}/"
status_code: 301
follow_redirects: none
validate_certs: no
loop: "{{ nginx_sites }}"
when: item.redirect_from is defined and (item.state is undefined or item.state != "absent") and item.proto is defined and 'https' in item.proto
changed_when: false changed_when: false
register: r
failed_when: r.stdout.find('301 Moved Permanently') == -1
# -------------------------------- # --------------------------------
# PHP # PHP
# -------------------------------- # --------------------------------
- name: -- VERIFY PHP VHOSTS -- - name: -- VERIFY PHP SITES --
command: "curl -H 'Host: {{ item }}' http://127.0.0.1/" uri:
url: "http://{{ item.name}}/"
return_content: yes
register: p register: p
changed_when: false loop: "{{ nginx_sites }}"
failed_when: p.stdout.find('PHP Version') == -1 when: >
with_items: ['test-php.local', 'test-php-index.local'] item.template is defined and
(item.template == '_php' or item.template == '_php_index' or item.template == '_php_index2')
failed_when: p.content.find('PHP Version ' + item.php_version if 'php_version' in item else nginx_php.0.version) == -1
- name: -- VERIFY INDEX2 --
uri:
url: "http://test-php-index2.local/lorem.php?ipsum=sit&dolor=amet"
return_content: yes
register: p2
failed_when: p2.content.find('PHP Version') == -1
# -------------------------------- # --------------------------------
# Basic Auth # Basic Auth
# -------------------------------- # --------------------------------
- name: -- VERIFY AUTH BASIC NONE -- - name: -- VERIFY AUTH BASIC NONE --
command: "curl -H 'Host: test-htpasswd.local' http://127.0.0.1/hello/" uri:
changed_when: false url: "http://test-htpasswd.local/hello/"
register: authnone status_code: 401
failed_when: authnone.stdout.find('401 Authorization Required') == -1
- name: -- VERIFY AUTH BASIC FAIL -- - name: -- VERIFY AUTH BASIC FAIL --
command: "curl -u fail:fail -H 'Host: test-htpasswd.local' http://127.0.0.1/hello/" uri:
changed_when: false url: "http://test-htpasswd.local/hello/"
register: authfail status_code: 401
failed_when: authfail.stdout.find('401 Authorization Required') == -1 user: "fail"
password: "fail"
force_basic_auth: yes
- name: -- VERIFY AUTH BASIC OK -- - name: -- VERIFY AUTH BASIC OK --
command: "curl -u hanx:qwerty -H 'Host: test-htpasswd.local' http://127.0.0.1/hello/" uri:
changed_when: false url: "http://test-htpasswd.local/hello/"
register: authok user: "hanx"
failed_when: authok.stdout.find('hello') == -1 password: "qwerty"
force_basic_auth: yes
- name: -- VERIFY AUTH BASIC FAIL GLOBAL -- - name: -- VERIFY AUTH BASIC FAIL GLOBAL --
command: "curl -u fail:fail -H 'Host: test-htpasswd-all.local' http://127.0.0.1/" uri:
changed_when: false url: "http://test-htpasswd-all.local/"
register: authgfail status_code: 401
failed_when: authgfail.stdout.find('401 Authorization Required') == -1 user: "fail"
- name: -- VERIFY AUTH BASIC OK -- password: "fail"
command: "curl -u hanx:qwerty -H 'Host: test-htpasswd-all.local' http://127.0.0.1/" force_basic_auth: yes
changed_when: false
register: authgok - name: -- VERIFY AUTH BASIC OK GLOBAL --
failed_when: authgok.stdout.find('401 Authorization Required') != -1 uri:
url: "http://test-htpasswd-all.local/"
user: "hanx"
password: "qwerty"
force_basic_auth: yes
# -------------------------------- # --------------------------------
# BackupPC # BackupPC
# -------------------------------- # --------------------------------
- name: -- VERIFY BACKUPPC -- - name: -- VERIFY BACKUPPC --
command: "curl -u hanx:qwerty -H 'Host: backuppc.local' http://127.0.0.1/" uri:
changed_when: false url: "http://backuppc.local/"
user: "hanx"
password: "qwerty"
force_basic_auth: yes
return_content: yes
register: authbpc register: authbpc
failed_when: authbpc.stdout.find('BackupPC Server Status') == -1
when: ansible_distribution != 'FreeBSD' when: ansible_distribution != 'FreeBSD'
failed_when: authbpc.content.find('BackupPC Server Status') == -1
# --------------------------------
# Nagios
# --------------------------------
- name: -- VERIFY NAGIOS3 PHP --
command: "curl -u nagiosadmin:nagios -H 'Host: nagios3.local' http://127.0.0.1/side.php"
changed_when: false
register: nagios_php
failed_when: nagios_php.stdout.find('Nagios Core') == -1
- name: -- VERIFY NAGIOS3 CGI --
command: "curl -u nagiosadmin:nagios -H 'Host: nagios3.local' http://127.0.0.1/cgi-bin{% if ansible_distribution == 'Debian' %}/nagios3{% endif %}/summary.cgi"
changed_when: false
register: nagios_cgi
failed_when: nagios_cgi.stdout.find('Nagios Event Summary') == -1
# -------------------------------- # --------------------------------
# SSL # SSL
# -------------------------------- # --------------------------------
- name: -- VERIFY SSL -- - name: -- VERIFY SSL --
command: "curl --insecure -H 'Host: {{ item }}' https://127.0.0.1/" uri:
changed_when: false url: "https://{{ item }}/"
return_content: yes
validate_certs: no
register: sslok register: sslok
failed_when: sslok.stdout.find('Index HTML test OK') == -1 failed_when: sslok.content.find('Index HTML test OK') == -1
with_items: loop:
- 'test-ssl-predeployed.local' - 'test-ssl-predeployed.local'
- 'test-ssl-selfsigned.local'
- 'test-ssl.local' - 'test-ssl.local'
- '{{ ngrok.stdout }}'
- name: -- VERIFY SSL REDIRECT -- - name: -- VERIFY SSL REDIRECT --
command: "curl -v --insecure -H 'Host: {{ item }}' http://127.0.0.1/" uri:
changed_when: false url: "http://{{ item.name }}/"
validate_certs: no
status_code: 301
return_content: yes
follow_redirects: none
register: sslredirok register: sslredirok
failed_when: > failed_when: '"https://%s%s" % (item.name, ":" + item.port if item.port is defined else "") not in sslredirok.location'
sslredirok.stderr.find('< Location') == -1 and loop:
sslredirok.stderr.find('https://{{ item }}/') == -1 - name: 'test-ssl-redirect.local'
with_items: - name: 'test-ssl-redirect-many.local'
- 'test-ssl-redirect.local' port: '8443'
- name: 'test-ssl-redirect-many2.local'
port: '8443'
# -------------------------------- # --------------------------------
# Default vhosts # Default sites
# -------------------------------- # --------------------------------
- name: -- VERIFY DEFAULT VHOST -- - name: -- VERIFY DEFAULT SITE --
command: "curl -v http://127.0.0.1/" uri:
changed_when: false url: 'http://127.0.0.1/'
return_content: yes
register: vdefault register: vdefault
failed_when: > failed_when: >
vdefault.stdout.find('Index HTML test OK') == -1 or vdefault.content.find('Index HTML test OK') == -1 or
vdefault.stderr.find('X-ansible-default') == -1 vdefault.x_ansible_default is not defined
- name: -- VERIFY DEFAULT SSL VHOST --
command: "curl --insecure -v https://127.0.0.1/" - name: -- VERIFY DEFAULT SITE + STUB STATUS--
changed_when: false uri:
register: defaultssl url: 'http://127.0.0.1/status'
failed_when: > return_content: yes
defaultssl.stdout.find('Index HTML test OK') == -1 or
defaultssl.stderr.find('X-ansible-default') == -1
- name: -- VERIFY NOT DEFAULT VHOST --
command: "curl -v -H 'Host: test-php.local' http://127.0.0.1/"
changed_when: false
register: vphp
failed_when: vphp.stderr.find('X-ansible-default') != -1
- name: -- VERIFY NOT DEFAULT SSL VHOST --
command: "curl --insecure -v -H 'Host: test-ssl.local' https://127.0.0.1/"
changed_when: false
register: notdefaultssl
failed_when: notdefaultssl.stderr.find('X-ansible-default') != -1
- name: -- VERIFY DEFAULT VHOST + STUB_STATUS --
command: "curl -v http://127.0.0.1/status"
changed_when: false
register: vdefault_status register: vdefault_status
failed_when: > failed_when: >
vdefault_status.stderr.find('X-ansible-default') == -1 or vdefault_status.content.find('Active connections') == -1 or
vdefault_status.stdout.find('Active connections') == -1 vdefault_status.x_ansible_default is not defined
- name: -- VERIFY DEFAULT SSL SITE --
uri:
url: 'https://127.0.0.1/'
return_content: yes
validate_certs: no
register: vdefault
failed_when: >
vdefault.content.find('Index HTML test OK') == -1 or
vdefault.x_ansible_default is not defined
- name: -- VERIFY NOT DEFAULT SITE --
uri:
url: 'http://test-php.local/'
return_content: yes
register: vphp
failed_when: vphp.x_ansible_default is defined
- name: -- VERIFY NOT DEFAULT SSL SITE --
uri:
url: 'https://test-ssl.local/'
return_content: yes
validate_certs: no
register: notdefaultssl
failed_when: notdefaultssl.x_ansible_default is defined
# -------------------------------- # --------------------------------
# Check HTTP2 # Check HTTP2
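Review bot: the `failed_when` at L2540 has an operator-precedence bug: `'PHP Version ' + item.php_version if 'php_version' in item else nginx_php.0.version` parses as `('PHP Version ' + item.php_version) if 'php_version' in item else nginx_php.0.version`, so for sites without `php_version` the check only searches for the bare version string anywhere in the phpinfo output, which is weaker than the old `'PHP Version'` check at L2537. Parenthesize it as `'PHP Version ' + (item.php_version if 'php_version' in item else nginx_php.0.version)`; the L2632 expression is fine only because its conditional is the last operand. Also note that `status_code: '200,301,302,401,403'` at L2499 accepts 401 and 403 for every site, so an auth or permission regression on any site other than the `test-htpasswd*.local` ones (covered at L2550-L2581) still passes VERIFY SITES.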

View File

@@ -2,7 +2,5 @@ nginx_events_use: 'epoll'
nginx_pid: '/run/nginx.pid' nginx_pid: '/run/nginx.pid'
nginx_etc_dir: '/etc/nginx' nginx_etc_dir: '/etc/nginx'
# Specific vhosts # Specific sites
nginx_nagios_root: '/usr/share/nagios3/htdocs'
nginx_nagios_stylesheets: '/etc/nagios3/stylesheets'
nginx_fcgiwrap_sock: '/var/run/fcgiwrap.socket' nginx_fcgiwrap_sock: '/var/run/fcgiwrap.socket'

View File

@@ -2,6 +2,7 @@ nginx_events_use: 'kqueue'
nginx_pid: '/var/run/nginx.pid' nginx_pid: '/var/run/nginx.pid'
nginx_etc_dir: '/usr/local/etc/nginx' nginx_etc_dir: '/usr/local/etc/nginx'
# Specific vhosts # Specific sites
nginx_nagios_root: '/usr/local/www/nagios'
nginx_fcgiwrap_sock: '/var/run/fcgiwrap/fcgiwrap.sock' nginx_fcgiwrap_sock: '/var/run/fcgiwrap/fcgiwrap.sock'
nginx_acmesh_bin: '/usr/local/sbin/acme.sh'
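Review bot: `nginx_acmesh_bin: '/usr/local/sbin/acme.sh'` at L2717 lives in the FreeBSD vars file, so it takes precedence over the role default `{{ nginx_acmesh_dir }}/acme.sh` (L2748) and over inventory and play vars; users cannot relocate acme.sh on FreeBSD without an extra-var. If the intent is to use the packaged acme.sh on FreeBSD, say so in a comment and in the README, or derive the per-OS value in `defaults/` so it stays overridable.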

View File

@@ -23,11 +23,29 @@ nginx_upstream_server_params:
# min_version: '1.5.12' # min_version: '1.5.12'
nginx_dirs: nginx_dirs:
- "{{ nginx_htpasswd_dir }}" - dir: "{{ nginx_htpasswd_dir }}"
- "{{ nginx_ssl_dir }}" mode: "0750"
- "{{ nginx_helper_dir }}" owner: "{{ nginx_user }}"
- dir: "{{ nginx_ssl_dir }}"
mode: "0750"
owner: "root"
- dir: "{{ nginx_helper_dir }}"
mode: "0755"
owner: "root"
- dir: "{{ nginx_etc_dir }}/modules-available"
mode: "0755"
owner: "root"
- dir: "{{ nginx_etc_dir }}/modules-enabled"
mode: "0755"
owner: "root"
nginx_templates_no_dir: nginx_templates_no_dir:
- '_proxy'
- '_nagios3'
- '_backuppc' - '_backuppc'
- '_proxy'
nginx_servers_default_headers:
'X-Frame-Options': 'DENY always'
'X-Content-Type-Options': 'nosniff always'
'X-XSS-Protection': '1; mode=block'
nginx_acmesh_bin: "{{ nginx_acmesh_dir }}/acme.sh"
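Review bot: `nginx_htpasswd_dir` at L2724-L2726 becomes owned by `{{ nginx_user }}` with mode 0750, which gives the unprivileged worker write access to the directory holding the password files; nginx only needs to read them, so prefer `owner: root` with a `group` key (the dict entries currently have none) set to `{{ nginx_user }}` and keep 0750, mirroring the root-owned `nginx_ssl_dir` entry at L2727-L2729. The `X-XSS-Protection` default header (L2747) also lacks the `always` suffix that the two headers above it carry, so it would be omitted on error responses.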