11 Commits
1.3.4 ... 1.3.6

Author SHA1 Message Date
Emilien Mantel
a60e81cc1f fix redirect https : show port only if not 443 2017-04-13 15:16:53 +02:00
Emilien Mantel
f1af8991fd Bug fix : redirect https with many names
On a multiple-name vhost with redirect_https, redirection is done with
the origin name, not the main name.
2017-04-13 14:21:14 +02:00
Emilien Mantel
fcb59fd331 no_log when deleting htpasswd files 2017-03-14 11:21:35 +01:00
Emilien Mantel
2aa9e8b6b9 load modules uses pattern *.conf 2017-03-13 10:19:07 +01:00
Emilien Mantel
7892626fc0 Load module from {{nginx_dir}}/etc/modules-enabled 2017-03-13 09:53:29 +01:00
Emilien Mantel
ae167d3317 Disabling htpasswd by setting false 2017-03-08 11:10:14 +01:00
Emilien Mantel
d8f241f79c Fix headers quotes on nagios 2017-02-09 12:30:13 +01:00
Emilien Mantel
0e33d1b372 Auto quote headers values 2017-02-09 12:03:14 +01:00
Emilien Mantel
2cd559b87a Fix X-XSS-Protection with quotes 2017-02-09 11:59:33 +01:00
Emilien Mantel
d550f1bab1 Read-only var: nginx_servers_default_headers 2017-02-08 16:16:19 +01:00
Emilien Mantel
021ca4e173 Auto add "X-XSS-Protection" header to servers 2017-02-08 15:59:02 +01:00
9 changed files with 63 additions and 22 deletions


@@ -55,6 +55,11 @@ FreeBSD:
- `nginx_custom_http`: instructions list (will put data in `/etc/nginx/conf.d/custom.conf`) - `nginx_custom_http`: instructions list (will put data in `/etc/nginx/conf.d/custom.conf`)
- `nginx_dyn_modules`: dynamic module list to load - `nginx_dyn_modules`: dynamic module list to load
About modules
-------------
Last updates from Debian backports loads modules from /etc/nginx/modules-enabled directory. Disabling/Enabling is not supported anymore. Please wait further update.
Fine configuration Fine configuration
------------------ ------------------


@@ -23,7 +23,7 @@ Common
- `upstream_params`: (O) Add upstream params (useful when you want to pass variables to PHP) - `upstream_params`: (O) Add upstream params (useful when you want to pass variables to PHP)
- `override_try_files`: (O) overrides default try\_files defined in template - `override_try_files`: (O) overrides default try\_files defined in template
- `manage_local_content`: (O) Boolean. Set to false if you do not want to manage local content (images, css...). This option is useless if you use `_proxy` template or `redirect_to` feature. - `manage_local_content`: (O) Boolean. Set to false if you do not want to manage local content (images, css...). This option is useless if you use `_proxy` template or `redirect_to` feature.
- `htpasswd`: (O) References name key in `nginx_htpasswd`. Enable auth basic on all vhost. - `htpasswd`: (O) References name key in `nginx_htpasswd`. Enable auth basic on all vhost. Set "false" to disable.
- `proto`: (O) list of protocol used. Default is a list with "http". If you need http and https, you must set a list with "http" and "https". You can only set "https" without http support. - `proto`: (O) list of protocol used. Default is a list with "http". If you need http and https, you must set a list with "http" and "https". You can only set "https" without http support.
- `ssl_name`: (D) name of the key used when using TLS/SSL. Optional when `proto` contains "https". If you don't set this value, it will search by `name`. - `ssl_name`: (D) name of the key used when using TLS/SSL. Optional when `proto` contains "https". If you don't set this value, it will search by `name`.
- `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false". - `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false".


@@ -13,4 +13,13 @@
with_items: "{{ nginx_dyn_modules }}" with_items: "{{ nginx_dyn_modules }}"
when: ansible_distribution == 'Debian' when: ansible_distribution == 'Debian'
- name: FILE | Creates modules directories
file: >
path="{{ nginx_etc_dir}}/{{ item }}"
state=directory
mode=0755
owner=root
group=root
with_items: ['modules-available', 'modules-enabled']
# TODO: manage freebsd # TODO: manage freebsd
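Review bot: The new `FILE | Creates modules directories` task passes its arguments as a folded `key=value` string (`file: >` … `mode=0755`), which is the form the Ansible style rules discourage and which also carries a typo-prone `{{ nginx_etc_dir}}` (missing space before `}}`); the preceding task in the hunk already uses native YAML arguments. Rewriting it as a block mapping with the mode quoted keeps behaviour identical and makes the task lintable. Running it unconditionally, unlike the `when: ansible_distribution == 'Debian'` task above it, looks intentional because nginx.conf includes `modules-enabled/*.conf` regardless of distribution, but a short comment saying so would stop a reader from "fixing" it.
```yaml
- name: FILE | Creates modules directories
  file:
    path: "{{ nginx_etc_dir }}/{{ item }}"
    state: directory
    mode: '0755'
    owner: root
    group: root
  with_items: ['modules-available', 'modules-enabled']
```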


@@ -6,6 +6,7 @@
state=absent state=absent
with_items: "{{ nginx_htpasswd }}" with_items: "{{ nginx_htpasswd }}"
when: item.state is defined and item.state == 'absent' when: item.state is defined and item.state == 'absent'
no_log: true
- name: HTPASSWD | Manage files - name: HTPASSWD | Manage files
htpasswd: > htpasswd: >
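Review bot: `no_log: true` is added only to the deletion task; the `HTPASSWD | Manage files` task that begins on the last hunk line is the one that receives the password values, and its body lies outside the hunk, so I cannot confirm it is also marked `no_log: true`. If it is not, the same line belongs there, since a failed or verbose run would otherwise print the credentials held in `nginx_htpasswd`.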


@@ -6,9 +6,7 @@ user {{ nginx_user }};
worker_processes {{ nginx_worker_processes }}; worker_processes {{ nginx_worker_processes }};
pid {{ nginx_pid }}; pid {{ nginx_pid }};
{% if nginx_version.stdout | version_compare('1.9.11', 'ge') %} {% if nginx_version.stdout | version_compare('1.9.11', 'ge') %}
{% for module in nginx_dyn_modules -%} include {{ nginx_etc_dir }}/modules-enabled/*.conf;
load_module "modules/ngx_{{ module }}_module.so";
{% endfor %}
{% endif %} {% endif %}
events { events {
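Review bot: The `include {{ nginx_etc_dir }}/modules-enabled/*.conf;` line makes the rendered nginx.conf independent of `nginx_dyn_modules`, yet the modules task file in this same change still iterates `with_items: "{{ nginx_dyn_modules }}"`, so that variable now appears to affect only whatever that task does (its body is above its hunk) and no longer which modules are loaded. A comment at the include line would make the new contract explicit, e.g. `{# modules are loaded from the snippets the packages drop in modules-enabled/; the role only creates the directory #}`. The `version_compare('1.9.11', 'ge')` guard is kept, which is right since a wildcard include of an empty directory is accepted by nginx while `load_module` is not on older versions.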


@@ -5,14 +5,16 @@
{% set __http_proxy_protocol_port = item.http_proxy_protocol_port | default([]) %} {% set __http_proxy_protocol_port = item.http_proxy_protocol_port | default([]) %}
{% set __https_proxy_protocol_port = item.https_proxy_protocol_port | default([]) %} {% set __https_proxy_protocol_port = item.https_proxy_protocol_port | default([]) %}
{% set __location = item.location | default({}) %} {% set __location = item.location | default({}) %}
{% set __headers = item.headers | default({'X-Frame-Options': 'DENY always', 'X-Content-Type-Options': 'nosniff always' }) %} {% set __headers = item.headers | default(nginx_servers_default_headers) %}
{% set __ssl_name = item.ssl_name | default(item.name if item.name is string else item.name[0]) %} {% set __ssl_name = item.ssl_name | default(item.name if item.name is string else item.name[0]) %}
{% set __location_order = item.location_order | default(__location.keys()) %} {% set __location_order = item.location_order | default(__location.keys()) %}
{% macro htpasswd(htpasswd_name, indent=1) -%} {% macro htpasswd(htpasswd_name, indent=1) -%}
{% for ht in nginx_htpasswd if ht.name == htpasswd_name %} {%- if htpasswd_name != false %}
{%- for ht in nginx_htpasswd if ht.name == htpasswd_name %}
{{ "\t" * indent }}auth_basic "{{ ht.description }}"; {{ "\t" * indent }}auth_basic "{{ ht.description }}";
{{ "\t" * indent }}auth_basic_user_file {{ nginx_htpasswd_dir }}/{{ ht.name }}; {{ "\t" * indent }}auth_basic_user_file {{ nginx_htpasswd_dir }}/{{ ht.name }};
{% endfor%} {%- endfor %}
{%- endif %}
{%- endmacro %} {%- endmacro %}
{% macro ssl(ssl_name) %} {% macro ssl(ssl_name) %}
{% for sn in nginx_ssl_pairs if sn.name == ssl_name %} {% for sn in nginx_ssl_pairs if sn.name == ssl_name %}
@@ -20,6 +22,16 @@
ssl_certificate_key {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key' if sn.dest_key is not defined else sn.dest_key }}; ssl_certificate_key {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key' if sn.dest_key is not defined else sn.dest_key }};
{% endfor %} {% endfor %}
{%- endmacro %} {%- endmacro %}
{% macro httpsredirect(name) %}
server {
{% for port in __listen %}
listen {{ port }}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %};
{% endfor %}
server_name {{ name }};
return 301 https://{{ name }}{% if '443' not in __listen_ssl and 443 not in __listen_ssl %}:{{ __listen_ssl[0] }}{% endif %}$request_uri;
}
{% endmacro %}
# #
# {{ ansible_managed }} # {{ ansible_managed }}
# #
@@ -69,7 +81,7 @@ server {
{% block template_headers %} {% block template_headers %}
# --> Custom headers # --> Custom headers
{% for key, value in __headers.iteritems() %} {% for key, value in __headers.iteritems() %}
add_header {{ key }} {{ value | replace(' always', '') }}{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %}; add_header {{ key }} "{{ value | replace(' always', '') }}"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
{% endfor %} {% endfor %}
# <-- Custom headers # <-- Custom headers
{% endblock %} {% endblock %}
@@ -140,15 +152,14 @@ server {
# #
# Redirect HTTP to HTTPS # Redirect HTTP to HTTPS
# #
server { {% if item.name is string %}
{% for port in __listen %} {{ httpsredirect(item.name) }}
listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %}; {% else %}
{% for i in item.name %}
{{ httpsredirect(i) }}
{% endfor %} {% endfor %}
server_name {% if item.name is string %}{{ item.name }}{% else %}{{ "\n\t\t" }}{{ item.name | join("\n\t\t") }}{% endif %};
return 301 https://{{ __main_name }}{% if '443' not in __listen_ssl %}:{{ __listen_ssl[0] }}{% endif %}$request_uri;
}
{% endif %} {% endif %}
{% endif %}
{% if item.redirect_from is defined and item.redirect_from is iterable %} {% if item.redirect_from is defined and item.redirect_from is iterable %}
# #
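Review bot: The `httpsredirect` macro drops the `default_server` flag that the replaced inline server block carried on its listen line (`{% if nginx_default_vhost == __main_name %} default_server{% endif %}`), so after this change the HTTP-to-HTTPS redirect of the default vhost is no longer the default server on its ports. Restoring it inside the macro against the per-call `name` rather than `__main_name` keeps a single `default_server` per port even when a multi-name item expands to several server blocks: `listen {{ port }}{% if nginx_default_vhost == name %} default_server{% endif %}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %};` (equivalent to the old check whenever `nginx_default_vhost` is the main name, which the hunk does not let me verify). The `__listen_ssl[0]` index on the `return 301` line presumes a non-empty `listen_ssl` list; the enclosing `redirect_https` condition starts outside the hunk, so whether it already guarantees that is not visible here. In the htpasswd macro, `htpasswd_name != false` also treats a literal `0` as disabled; `htpasswd_name is not sameas false` states the intent exactly.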


@@ -16,9 +16,9 @@
{% for key, value in __headers.iteritems() %} {% for key, value in __headers.iteritems() %}
{% if key == "X-Frame-Options" %} {% if key == "X-Frame-Options" %}
# X-Frame-Options forced by Ansible # X-Frame-Options forced by Ansible
add_header {{ key }} SAMEORIGIN{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %}; add_header {{ key }} "SAMEORIGIN"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
{% else %} {% else %}
add_header {{ key }} {{ value | replace(' always', '') }}{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %}; add_header {{ key }} "{{ value | replace(' always', '') }}"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
{% endif %} {% endif %}
{% endfor %} {% endfor %}
# <-- Custom headers # <-- Custom headers
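Review bot: Wrapping the header value in double quotes (`add_header {{ key }} "{{ value | replace(' always', '') }}"`, here and in the `template_headers` block of the base template) fixes values containing `;`, but a value that itself contains `"` now renders an unparsable directive and nothing escapes it. nginx accepts backslash-escaped quotes inside a double-quoted string, so `{{ value | replace(' always', '') | replace('"', '\\"') }}` would keep such values loadable; otherwise record the restriction with a comment like `{# header values must not contain double quotes #}`. Note that `$name` sequences inside the quoted value are still expanded by nginx as variables, exactly as before the quoting.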


@@ -147,6 +147,8 @@
location: location:
'/hello': '/hello':
- htpasswd: 'hello' - htpasswd: 'hello'
'/public':
- htpasswd: false
use_error_log: true use_error_log: true
- name: 'test-htpasswd-all.local' - name: 'test-htpasswd-all.local'
template: '_base' template: '_base'
@@ -210,6 +212,14 @@
template: '_base' template: '_base'
ssl_name: 'test-ssl.local' ssl_name: 'test-ssl.local'
redirect_https: true redirect_https: true
- name:
- 'test-ssl-redirect-many.local'
- 'test-ssl-redirect-many2.local'
listen_ssl: [8443]
proto: ['https']
template: '_base'
ssl_name: 'test-ssl.local'
redirect_https: true
- name: 'test-ssl-proxy-protocol.local' - name: 'test-ssl-proxy-protocol.local'
proto: ['http', 'https'] proto: ['http', 'https']
listen: [80, 20080] listen: [80, 20080]
@@ -372,14 +382,16 @@
- 'test-ssl-predeployed.local' - 'test-ssl-predeployed.local'
- 'test-ssl.local' - 'test-ssl.local'
- name: -- VERIFY SSL REDIRECT -- - name: -- VERIFY SSL REDIRECT --
command: "curl -v --insecure -H 'Host: {{ item }}' http://127.0.0.1/" command: "curl -v -H 'Host: {{ item.name }}' http://127.0.0.1/"
changed_when: false changed_when: false
register: sslredirok register: sslredirok
failed_when: > failed_when: "'< Location: https://{{ item.name }}{{ ':' + item.port if item.port is defined else '' }}/' not in sslredirok.stderr"
sslredirok.stderr.find('< Location') == -1 and
sslredirok.stderr.find('https://{{ item }}/') == -1
with_items: with_items:
- 'test-ssl-redirect.local' - name: 'test-ssl-redirect.local'
- name: 'test-ssl-redirect-many.local'
port: '8443'
- name: 'test-ssl-redirect-many2.local'
port: '8443'
# -------------------------------- # --------------------------------
# Default vhosts # Default vhosts
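Review bot: The `/public` location with `htpasswd: false` added to the test vhost has no matching verification step in this diff, whereas the redirect change gets `-- VERIFY SSL REDIRECT --`; unless a check elsewhere in the playbook (outside these hunks) requests `/public` without credentials, nothing would catch a regression in the new `htpasswd_name != false` branch, so a curl task asserting a status other than 401 for that path is worth adding. The rewritten `failed_when` is stricter than the old pair of `find(...) == -1` tests, which is an improvement, and quoting `port: '8443'` keeps it a string for the `':' + item.port` concatenation.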


@@ -39,5 +39,10 @@ nginx_templates_no_dir:
- '_owncloud' - '_owncloud'
- '_proxy' - '_proxy'
nginx_servers_default_headers:
'X-Frame-Options': 'DENY always'
'X-Content-Type-Options': 'nosniff always'
'X-XSS-Protection': '1; mode=block'
nginx_upstream_php56: 'php56' nginx_upstream_php56: 'php56'
nginx_upstream_php70: 'php70' nginx_upstream_php70: 'php70'
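Review bot: `'X-XSS-Protection': '1; mode=block'` is the only entry of `nginx_servers_default_headers` without the ` always` suffix, so nginx will emit it only on the default set of success and redirect status codes and not on error pages, unlike the two headers beside it. If that is unintended, `'X-XSS-Protection': '1; mode=block always'`; if it is deliberate, a comment above the key should say why. The commit message calls this variable read-only, but nothing in the file records that; a comment such as `# read-only: override per vhost via item.headers, do not edit this map` would.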