fix redirect https : show port only if not 443

On a multiple name vhost with redirect_https, redirection is done with
the origin name not the main name.

README.md

@@ -14,6 +14,8 @@ Features:
 - Preconfigured vhost templates (should work on many app)
 - Auto-configure HTTP2 on SSL/TLS vhosts
 - Manage dynamic modules (install and loading)
+- Deploy custom facts.d with sites config
+- Can listen with proxy protocol
 
 Requirements
 ------------
@@ -53,6 +55,11 @@ FreeBSD:
 - `nginx_custom_http`: instructions list (will put data in `/etc/nginx/conf.d/custom.conf`)
 - `nginx_dyn_modules`: dynamic module list to load
 
+About modules
+-------------
+
+Last updates from Debian backports loads modules from /etc/nginx/modules-enabled directory. Disabling/Enabling is not supported anymore. Please wait further update.
+
 Fine configuration
 ------------------
 

doc/vhost.md

@@ -23,11 +23,13 @@ Common
 - `upstream_params`: (O) Add upstream params (useful when you want to pass variables to PHP)
 - `override_try_files`: (O) overrides default try\_files defined in template
 - `manage_local_content`: (O) Boolean. Set to false if you do not want to manage local content (images, css...). This option is useless if you use `_proxy` template or `redirect_to` feature.
-- `htpasswd`: (O) References name key in `nginx_htpasswd`. Enable auth basic on all vhost.
+- `htpasswd`: (O) References name key in `nginx_htpasswd`. Enable auth basic on all vhost. Set "false" to disable.
 - `proto`: (O) list of protocol used. Default is a list with "http". If you need http and https, you must set a list with "http" and "https". You can only set "https" without http support.
 - `ssl_name`: (D) name of the key used when using TLS/SSL. Optional when `proto` contains "https". If you don't set this value, it will search by `name`.
 - `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false".
 - `php_version` (O) Sepecify PHP version (5 or 7)
+- `http_proxy_protocol_port` (O) Enable proxy protocol on http port.
+- `https_proxy_protocol_port` (O) Enable proxy protocol on https port.
 
 (O): Optional
 (M): Mandatory

tasks/dyn_modules.yml

@@ -13,4 +13,13 @@
   with_items: "{{ nginx_dyn_modules }}"
   when:  ansible_distribution == 'Debian'
 
+- name: FILE | Creates modules directories
+  file: >
+    path="{{ nginx_etc_dir}}/{{ item }}"
+    state=directory
+    mode=0755
+    owner=root
+    group=root
+  with_items: ['modules-available', 'modules-enabled']
+
 # TODO: manage freebsd

tasks/htpasswd.yml

@@ -6,6 +6,7 @@
     state=absent
   with_items: "{{ nginx_htpasswd }}"
   when: item.state is defined and item.state == 'absent'
+  no_log: true
 
 - name: HTPASSWD | Manage files
   htpasswd: >

tasks/install_Debian.yml

@@ -4,6 +4,7 @@
   apt: >
     update_cache=yes
     cache_valid_time=3600
+  changed_when: false
 
 - name: APT | Force OpenSSL from backports (fix dependency break)
   apt: >
@@ -20,4 +21,3 @@
 
 - name: APT | Install python-passlib
   apt: pkg=python-passlib state=present
-

tasks/prepare.yml

@@ -19,6 +19,8 @@
     nginx_modules: "{{ shell_modules.stdout_lines }}"
 
 - name: FILE | Create folders
-  file: dest={{ item }} owner=root mode=0755 state=directory
+  file: dest="{{ item.dir }}" owner="{{ item.owner }}" mode="{{ item.mode }}" state=directory
   with_items: "{{ nginx_dirs }}"
 
+- name: FILE | Create ansible facts dir
+  file: path=/etc/ansible/facts.d state=directory

tasks/ssl.yml

@@ -6,6 +6,8 @@
     creates: "{{ nginx_dh_path }}"
   when: nginx_dh is not string
   notify: reload nginx
+  async: 1000
+  register: dh
 
 - name: COPY | Deploy DH file from vars
   copy: >
@@ -20,11 +22,13 @@
     state=directory
   with_items: "{{ nginx_ssl_pairs }}"
   when: item.dest_key is not defined or item.dest_cert is not defined
+  no_log: true
 
 - name: COPY | Deploy SSL keys
   copy: >
     content="{{ item.key }}"
     dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.key' if item.dest_key is not defined else item.dest_key }}"
+    mode=0640
   with_items: "{{ nginx_ssl_pairs }}"
   when: item.key is defined
   notify: reload nginx
@@ -34,7 +38,15 @@
   copy: >
     content="{{ item.cert }}"
     dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.crt' if item.dest_cert is not defined else item.dest_cert }}"
+    mode=0644
   with_items: "{{ nginx_ssl_pairs }}"
   when: item.cert is defined
   notify: reload nginx
+  no_log: true
 
+- name: Check DH command status
+  async_status: jid={{ dh.ansible_job_id }}
+  register: job_result
+  until: job_result.finished
+  retries: 30
+  when: nginx_dh is not string

tasks/vhost.yml

@@ -61,7 +61,7 @@
   file: path={{ nginx_etc_dir}}/sites-enabled/{{ item.filename | default(item.name if item.name is string else item.name[0]) }} state=absent
   with_items: "{{ nginx_vhosts }}"
   notify: ['reload nginx', 'restart nginx freebsd']
-  when: item.state is defined and item.state == 'disabled' 
+  when: item.state is defined and item.state == 'disabled'
 
 - name: FILE | Delete default vhost when explicitely defined
   file: >
@@ -77,3 +77,14 @@
     state=link
   notify: ['reload nginx', 'restart nginx freebsd']
   when: nginx_default_vhost is none
+
+- name: TEMPLATE | Deploy facts
+  template:
+    src=etc/ansible/facts.d/nginx.fact.j2
+    dest=/etc/ansible/facts.d/nginx.fact
+    mode=0644
+  register: fact
+
+- name: SETUP
+  action: setup
+  when: fact.changed

templates/etc/ansible/facts.d/nginx.fact.j2

@@ -0,0 +1,4 @@
+{
+       "fact_nginx_vhosts":
+       {{ nginx_vhosts | to_nice_json(indent=8) }}
+}

templates/etc/nginx/nginx.conf.j2

@@ -6,9 +6,7 @@ user {{ nginx_user }};
 worker_processes {{ nginx_worker_processes }};
 pid {{ nginx_pid }};
 {% if nginx_version.stdout | version_compare('1.9.11', 'ge') %}
-{% for module in nginx_dyn_modules -%}
-load_module "modules/ngx_{{ module }}_module.so";
-{% endfor %}
+include {{ nginx_etc_dir }}/modules-enabled/*.conf;
 {% endif %}
 
 events {

templates/etc/nginx/sites-available/_base.j2

@@ -1,16 +1,20 @@
 {% set __proto = item.proto | default(['http']) %}
 {% set __main_name =  item.filename | default(item.name if item.name is string else item.name[0]) %}
-{% set __listen = item.listen | default(['80']) %}
-{% set __listen_ssl = item.listen_ssl | default(['443']) %}
+{% set __listen = item.listen | default([80]) %}
+{% set __listen_ssl = item.listen_ssl | default([443]) %}
+{% set __http_proxy_protocol_port = item.http_proxy_protocol_port | default([]) %}
+{% set __https_proxy_protocol_port = item.https_proxy_protocol_port | default([]) %}
 {% set __location = item.location | default({}) %}
-{% set __headers = item.headers | default({'X-Frame-Options': 'DENY always', 'X-Content-Type-Options': 'nosniff always' }) %}
+{% set __headers = item.headers | default(nginx_servers_default_headers) %}
 {% set __ssl_name = item.ssl_name | default(item.name if item.name is string else item.name[0]) %}
 {% set __location_order = item.location_order | default(__location.keys()) %}
 {% macro htpasswd(htpasswd_name, indent=1) -%}
-{% for ht in nginx_htpasswd if ht.name == htpasswd_name %}
+{%- if htpasswd_name != false %}
+{%- for ht in nginx_htpasswd if ht.name == htpasswd_name %}
 {{ "\t" * indent }}auth_basic "{{ ht.description }}";
 {{ "\t" * indent }}auth_basic_user_file {{ nginx_htpasswd_dir }}/{{ ht.name }};
-{% endfor%}
+{%- endfor %}
+{%- endif %}
 {%- endmacro %}
 {% macro ssl(ssl_name) %}
 {% for sn in nginx_ssl_pairs if sn.name == ssl_name %}
@@ -18,6 +22,16 @@
 	ssl_certificate_key {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key' if sn.dest_key is not defined else sn.dest_key }};
 {% endfor %}
 {%- endmacro %}
+{% macro httpsredirect(name) %}
+server {
+{% for port in __listen %}
+	listen {{ port }}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %};
+{% endfor %}
+	server_name {{ name }};
+	return 301 https://{{ name }}{% if '443' not in __listen_ssl and 443 not in __listen_ssl %}:{{ __listen_ssl[0] }}{% endif %}$request_uri;
+}
+{% endmacro %}
+
 #
 # {{ ansible_managed }}
 #
@@ -28,12 +42,12 @@
 server {
 {% if 'http' in __proto %}
 {% for port in __listen %}
-	listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %};
+	listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %};
 {% endfor %}
 {% endif %}
 {% if 'https' in __proto %}
 {% for port in __listen_ssl %}
-	listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %};
+	listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %}{% if port | int in __https_proxy_protocol_port %} proxy_protocol{% endif %};
 {% endfor %}
 {{ ssl(__ssl_name) }}
 {% if item.ssl_template is not defined or item.ssl_template != false %}
@@ -67,7 +81,7 @@ server {
 {% block template_headers %}
 	# --> Custom headers
 {% for key, value in __headers.iteritems() %}
-	add_header {{ key }} {{ value | replace(' always', '') }}{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
+	add_header {{ key }} "{{ value | replace(' always', '') }}"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
 {% endfor %}
 	# <-- Custom headers
 {% endblock %}
@@ -138,15 +152,14 @@ server {
 #
 # Redirect HTTP to HTTPS
 #
-server {
-{% for port in __listen %}
-	listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %};
+{% if item.name is string %}
+{{ httpsredirect(item.name) }}
+{% else %}
+{% for i in item.name %}
+{{ httpsredirect(i) }}
 {% endfor %}
-	server_name {% if item.name is string %}{{ item.name }}{% else %}{{ "\n\t\t" }}{{ item.name | join("\n\t\t") }}{% endif %};
-	return 301 https://{{ __main_name }}{% if '443' not in __listen_ssl %}:{{ __listen_ssl[0] }}{% endif %}$request_uri;
-}
 {% endif %}
-
+{% endif %}
 
 {% if item.redirect_from is defined and item.redirect_from is iterable %}
 #
@@ -154,7 +167,7 @@ server {
 #
 server {
 {% for port in __listen %}
-	listen {{ port }};
+	listen {{ port }}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %};
 {% endfor %}
 	server_name {% if item.redirect_from is string %}{{ item.redirect_from }}{% else %}{{ "\n\t\t" }}{{ item.redirect_from | join("\n\t\t") }}{% endif %};
 	return 301 $scheme://{{ __main_name }}$request_uri;

templates/etc/nginx/sites-available/_nagios3.j2

@@ -16,9 +16,9 @@
 {% for key, value in __headers.iteritems() %}
 {% if key == "X-Frame-Options" %}
 	# X-Frame-Options forced by Ansible
-	add_header {{ key }} SAMEORIGIN{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
+	add_header {{ key }} "SAMEORIGIN"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
 {% else %}
-	add_header {{ key }} {{ value | replace(' always', '') }}{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
+	add_header {{ key }} "{{ value | replace(' always', '') }}"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
 {% endif %}
 {% endfor %}
 	# <-- Custom headers

tests/test.yml

@@ -147,6 +147,9 @@
         location:
           '/hello':
             - htpasswd: 'hello'
+          '/public':
+            - htpasswd: false
+        use_error_log: true
       - name: 'test-htpasswd-all.local'
         template: '_base'
         htpasswd: 'hello'
@@ -185,7 +188,7 @@
         headers:
           'X-proxyfied': '1'
       - name: 'deleted.local'
-        state: 'absent' 
+        state: 'absent'
       - name: 'redirect-to.local'
         redirect_to: 'http://test.local'
       - name: 'backuppc.local'
@@ -209,9 +212,23 @@
         template: '_base'
         ssl_name: 'test-ssl.local'
         redirect_https: true
-#      - name: 'owncloud.local'
-#        template: '_owncloud'
-    nginx_dh_length: 1024
+      - name:
+          - 'test-ssl-redirect-many.local'
+          - 'test-ssl-redirect-many2.local'
+        listen_ssl: [8443]
+        proto: ['https']
+        template: '_base'
+        ssl_name: 'test-ssl.local'
+        redirect_https: true
+      - name: 'test-ssl-proxy-protocol.local'
+        proto: ['http', 'https']
+        listen: [80, 20080]
+        listen_ssl: [443, 20443]
+        http_proxy_protocol_port: [20080]
+        https_proxy_protocol_port: [20443]
+        template: '_base'
+        ssl_name: 'test-ssl.local'
+    nginx_dh_length: 2048
   roles:
     - ../../
   post_tasks:
@@ -228,12 +245,18 @@
       with_items: ['test-php.local', 'test-php-index.local']
     - name: -- Add HTML file --
       copy: dest="{{ item }}/index.html" content="Index HTML test OK\n"
-      with_items: ['{{ nginx_root }}/first-test/public', '/var/tmp', '{{ nginx_root }}/test-htpasswd-all.local/public', '{{ nginx_root }}/test-ssl.local/public', '{{ nginx_root }}/test-ssl-predeployed.local/public']
+      with_items: ['{{ nginx_root }}/first-test/public', '/var/tmp', '{{ nginx_root }}/test-htpasswd-all.local/public', '{{ nginx_root }}/test-ssl.local/public', '{{ nginx_root }}/test-ssl-predeployed.local/public', '{{ nginx_root }}/test-ssl-proxy-protocol.local/public']
     - name: -- Create directory --
       file: path={{ nginx_root }}/test-htpasswd.local/public/hello state=directory
     - name: -- Add HTML file hello --
       copy: dest="{{ nginx_root }}/test-htpasswd.local/public/hello/index.html" content="hello\n"
 # --------------------------------
+# Test custom facts
+# --------------------------------
+    - name: -- CHECK FACTS --
+      assert:
+        that: "'{{ ansible_local.nginx.fact_nginx_vhosts[0].name[0] }}' == 'test.local'"
+# --------------------------------
 # Simple vhosts tests
 # --------------------------------
     - name: -- VERIFY VHOSTS --
@@ -359,14 +382,16 @@
         - 'test-ssl-predeployed.local'
         - 'test-ssl.local'
     - name: -- VERIFY SSL REDIRECT --
-      command: "curl -v --insecure -H 'Host: {{ item }}' http://127.0.0.1/"
+      command: "curl -v -H 'Host: {{ item.name }}' http://127.0.0.1/"
       changed_when: false
       register: sslredirok
-      failed_when: >
-        sslredirok.stderr.find('< Location') == -1 and
-        sslredirok.stderr.find('https://{{ item }}/') == -1
+      failed_when: "'< Location: https://{{ item.name }}{{ ':' + item.port if item.port is defined else '' }}/' not in sslredirok.stderr"
       with_items:
-        - 'test-ssl-redirect.local'
+        - name: 'test-ssl-redirect.local'
+        - name: 'test-ssl-redirect-many.local'
+          port: '8443'
+        - name: 'test-ssl-redirect-many2.local'
+          port: '8443'
 
 # --------------------------------
 # Default vhosts

vars/main.yml

@@ -23,9 +23,15 @@ nginx_upstream_server_params:
 #    min_version: '1.5.12'
 
 nginx_dirs:
-  - "{{ nginx_htpasswd_dir }}"
-  - "{{ nginx_ssl_dir }}"
-  - "{{ nginx_helper_dir }}"
+  - dir: "{{ nginx_htpasswd_dir }}"
+    mode: "0750"
+    owner: "{{ nginx_user }}"
+  - dir: "{{ nginx_ssl_dir }}"
+    mode: "0750"
+    owner: "root"
+  - dir: "{{ nginx_helper_dir }}"
+    mode: "0755"
+    owner: "root"
 
 nginx_templates_no_dir:
   - '_backuppc'
@@ -33,5 +39,10 @@ nginx_templates_no_dir:
   - '_owncloud'
   - '_proxy'
 
+nginx_servers_default_headers:
+  'X-Frame-Options': 'DENY always'
+  'X-Content-Type-Options': 'nosniff always'
+  'X-XSS-Protection': '1; mode=block'
+
 nginx_upstream_php56: 'php56'
 nginx_upstream_php70: 'php70'