Compare commits
6 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
4c63efa588 | ||
|
|
3e228d0812 | ||
|
|
1e7a0fc855 | ||
|
|
93b90c748f | ||
|
|
d8f6088362 | ||
|
|
8c3b1c7f13 |
@@ -16,7 +16,9 @@ sudo: required
|
||||
dist: trusty
|
||||
|
||||
language: python
|
||||
python: 2.7
|
||||
python:
|
||||
- 2.7
|
||||
- 3.6
|
||||
|
||||
services:
|
||||
- docker
|
||||
|
||||
@@ -55,6 +55,7 @@ FreeBSD:
|
||||
- `nginx_error_log_level`: default log level
|
||||
- `nginx_auto_config_httpv2`: boolean, auto configure HTTP2 where possible
|
||||
- `nginx_fastcgi_fix_realpath`: boolean, use realpath for fastcgi (fix problems with symlinks and PHP opcache)
|
||||
- `nginx_default_hsts`: string, default header sent for HSTS
|
||||
|
||||
### Nginx Configuration
|
||||
|
||||
|
||||
@@ -19,6 +19,7 @@ nginx_auto_config_httpv2: true
|
||||
nginx_default_site: null
|
||||
nginx_default_site_ssl: null
|
||||
nginx_fastcgi_fix_realpath: true
|
||||
nginx_default_hsts: 'max-age=63072000; includeSubDomains'
|
||||
|
||||
#
|
||||
# Nginx directories
|
||||
|
||||
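Review bot: `nginx_default_hsts` is rendered verbatim inside a double-quoted nginx directive (`add_header Strict-Transport-Security "{{ item.hsts | default(nginx_default_hsts) }}" always;` in the server template on this page), so a default or per-site `hsts` value containing a double quote breaks out of the directive and is parsed as further nginx configuration; the variable deserves a comment, `# Rendered inside add_header "..." — must not contain '"'. Override per site with 'hsts'.`. Shipping `includeSubDomains` as the default is far-reaching: once a browser has seen it for the apex host, every plain-HTTP subdomain becomes unreachable for max-age (two years here), and the only visible opt-out is `ssl_template: false`, which also drops the whole TLS helper include. Documenting a cheaper opt-out would help — an empty `hsts` should make nginx omit the header, since add_header skips empty values (worth confirming on the target nginx), or a separate boolean could gate the line.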
@@ -31,6 +31,7 @@ Common
|
||||
- `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false".
|
||||
- `listen_proxy_protocol` (O) Enable proxy protocol on http port.
|
||||
- `listen_proxy_protocol_ssl` (O) Enable proxy protocol on https port.
|
||||
- `hsts` (O) overwrite default header for hsts
|
||||
|
||||
(O): Optional
|
||||
(M): Mandatory
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
def nginx_site_filename(site):
|
||||
if site.has_key('filename'):
|
||||
if 'filename' in site:
|
||||
return site['filename']
|
||||
else:
|
||||
return nginx_site_name(site)
|
||||
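Review bot: `nginx_site_filename` has no docstring and its result is used as a path component (`ssl_dir + '/' + nginx_site_filename(pair)` further down this file), so a `filename` key containing `/` or `..` silently escapes `nginx_ssl_dir`; at minimum document that, `"""Return site['filename'] if set, else the derived site name; the value becomes a file-system path component."""`. Inventory is operator-controlled, so this is a hardening note rather than an exploit, but raising `ValueError` when `os.sep` appears in `filename` would be cheap.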
@@ -14,13 +14,13 @@ def nginx_ssl_dir(pair, ssl_dir):
|
||||
return ssl_dir + '/' + nginx_site_filename(pair)
|
||||
|
||||
def nginx_key_path(pair, ssl_dir):
|
||||
if pair.has_key('dest_key'):
|
||||
if 'dest_key' in pair:
|
||||
return pair['dest_key']
|
||||
else:
|
||||
return nginx_ssl_dir(pair, ssl_dir) + '/' + nginx_site_filename(pair) + '.key'
|
||||
|
||||
def nginx_cert_path(pair, ssl_dir):
|
||||
if pair.has_key('dest_cert'):
|
||||
if 'dest_cert' in pair:
|
||||
return pair['dest_cert']
|
||||
else:
|
||||
return nginx_ssl_dir(pair, ssl_dir) + '/' + nginx_site_filename(pair) + '.crt'
|
||||
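Review bot: `nginx_key_path` and `nginx_cert_path` each rebuild `nginx_ssl_dir(pair, ssl_dir) + '/' + nginx_site_filename(pair)` and differ only by suffix; a private helper `_ssl_base(pair, ssl_dir)` returning that base would remove the duplication and give one place to document the layout `<ssl_dir>/<filename>/<filename>.{key,crt}`. Both functions also lack a docstring — `"""Absolute key path: explicit dest_key, else <ssl_dir>/<name>/<name>.key"""` (and the cert counterpart) would make the precedence visible. `nginx_ssl_dir` starts before the hunk.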
@@ -32,7 +32,7 @@ def nginx_all_site_names(site):
|
||||
else:
|
||||
all_sites.append(site['name'])
|
||||
|
||||
if site.has_key('redirect_from'):
|
||||
if 'redirect_from' in site:
|
||||
if isinstance(site['redirect_from'], list):
|
||||
all_sites = all_sites + site['redirect_from']
|
||||
else:
|
||||
@@ -41,9 +41,14 @@ def nginx_all_site_names(site):
|
||||
return all_sites
|
||||
|
||||
def nginx_search_by_ssl_name(sites, ssl_name):
|
||||
if isinstance(ssl_name, list):
|
||||
comp_ssl_name = ssl_name[0]
|
||||
else:
|
||||
comp_ssl_name = ssl_name
|
||||
|
||||
res = None
|
||||
for site in sites:
|
||||
if site.has_key('ssl_name') and site['ssl_name'] == ssl_name:
|
||||
if 'ssl_name' in site and site['ssl_name'] == comp_ssl_name:
|
||||
res = site
|
||||
break
|
||||
return res
|
||||
|
||||
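Review bot: `comp_ssl_name = ssl_name[0]` raises IndexError when `ssl_name` is an empty list, and when the list has several entries only the first is compared, so a site matching a later name is silently reported as not found (`None`); guard with `if not ssl_name: return None` ahead of the indexing and add a docstring stating the first-entry convention and the `None` return. The loop can also drop the `res`/`break` dance and `return site` directly. If a site's own `ssl_name` may itself be a list (the ssl pairs elsewhere on this page use list `name`s) the equality never matches — worth confirming.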
@@ -23,7 +23,7 @@
|
||||
|
||||
- name: APT | Install python-passlib
|
||||
apt:
|
||||
pkg: python-passlib
|
||||
pkg: "python{% if ansible_python_version is version('3', '>=') %}3{% endif %}-passlib"
|
||||
state: present
|
||||
|
||||
- name: STAT | Check acme.sh is installed
|
||||
|
||||
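Review bot: The `version` Jinja test used in the package name exists only since Ansible 2.5 (earlier releases call it `version_compare`), so the role's `min_ansible_version` in meta should be at least 2.5 — meta is not visible here, so please check. A short comment on the task would help the next reader, `# passlib must be installed for the Python that Ansible runs on the target (presumably for the htpasswd module)`, which is the reason `ansible_python_version` is the right fact to branch on rather than the distro's default python.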
@@ -2,7 +2,7 @@
|
||||
|
||||
- block:
|
||||
|
||||
- name: STAT | Get info ajout DH file
|
||||
- name: STAT | Get info about DH file
|
||||
stat:
|
||||
path: "{{ nginx_dh_path }}"
|
||||
get_checksum: no
|
||||
|
||||
@@ -9,7 +9,6 @@ ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_tickets off;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
|
||||
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
|
||||
resolver_timeout {{ nginx_resolver_timeout }};
|
||||
ssl_dhparam {{ nginx_dh_path }};
|
||||
|
||||
@@ -11,7 +11,6 @@ ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_tickets off;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
|
||||
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
|
||||
resolver_timeout {{ nginx_resolver_timeout }};
|
||||
ssl_dhparam {{ nginx_dh_path }};
|
||||
|
||||
@@ -43,7 +43,7 @@
|
||||
{%- endif %}
|
||||
{%- endmacro %}
|
||||
{% macro ssl(ssl_name) %}
|
||||
{% for sn in nginx_ssl_pairs if (sn.name is defined and sn.name == ssl_name) %}
|
||||
{% for sn in nginx_ssl_pairs if (sn.name is defined and (sn | nginx_site_name) == ssl_name) %}
|
||||
ssl_certificate {{ sn | nginx_cert_path(nginx_ssl_dir) }};
|
||||
ssl_certificate_key {{ sn | nginx_key_path(nginx_ssl_dir) }};
|
||||
{% endfor %}
|
||||
@@ -89,6 +89,7 @@ server {
|
||||
{{ ssl(__ssl_name) }}
|
||||
{% if item.ssl_template is not defined or item.ssl_template != false %}
|
||||
include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
|
||||
add_header Strict-Transport-Security "{{ item.hsts | default(nginx_default_hsts) }}" always;
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
server_name {{ server_name(item.name) }};
|
||||
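Review bot: The HSTS `add_header` now lives at server level, which is subject to nginx's add_header inheritance rule: any `location` that declares its own `add_header` replaces the whole inherited set, so the header silently disappears on those paths — the custom-headers block and the `locations()` macro in this same template make that easy to trigger. Worth a comment above the line, `{# add_header is not inherited into locations that define their own add_header; HSTS must be repeated there #}`, and ideally an assertion in the test suite. Moving the header out of the `ssl-strong`/`ssl-legacy` helper files also means any hand-written vhost that includes those helpers directly stops sending HSTS after this upgrade; that deserves a changelog/README line. The enclosing `server` block starts and ends outside the hunk.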
@@ -117,7 +118,7 @@ server {
|
||||
|
||||
{% block template_headers %}
|
||||
# --> Custom headers
|
||||
{% for key, value in __headers.iteritems() %}
|
||||
{% for key, value in __headers.items() %}
|
||||
add_header {{ key }} "{{ value | regex_replace('\s+always$', '') }}"{% if value | regex_search('\s+always$') %} always{% endif %};
|
||||
{% endfor %}
|
||||
# <-- Custom headers
|
||||
@@ -125,7 +126,7 @@ server {
|
||||
|
||||
{{ locations(__location_before, __location_order_before) }}
|
||||
|
||||
{% if not __location.has_key('/') %}
|
||||
{% if not '/' in __location %}
|
||||
location / {
|
||||
{% block template_try_files %}
|
||||
try_files {{ item.override_try_files | default('$uri $uri/ =404') }};
|
||||
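Review bot: `{% if not '/' in __location %}` reads more naturally as `{% if '/' not in __location %}`, matching the `'filename' in site` style used on the Python side of this port; behaviour is identical. The `location /` block continues beyond the hunk.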
@@ -209,14 +210,15 @@ server {
|
||||
{% if 'https' in __proto %}
|
||||
server {
|
||||
{% for port in __listen_ssl %}
|
||||
listen {{ port }}{% if nginx_default_site_ssl == __main_name %} default_server{% endif %} ssl{% if __http2 %} http2{% endif %};
|
||||
listen {{ port }} ssl{% if __http2 %} http2{% endif %};
|
||||
{% endfor %}
|
||||
{% for port in __listen_proxy_protocol_ssl %}
|
||||
listen {{ port }}{% if nginx_default_site_ssl == __main_name %} default_server{% endif %} ssl{% if __http2 %} http2{% endif %} proxy_protocol;
|
||||
listen {{ port }} ssl{% if __http2 %} http2{% endif %} proxy_protocol;
|
||||
{% endfor %}
|
||||
{{ ssl(__ssl_name) }}
|
||||
{% if item.ssl_template is not defined or item.ssl_template != false %}
|
||||
include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
|
||||
add_header Strict-Transport-Security "{{ item.hsts | default(nginx_default_hsts) }}" always;
|
||||
{% endif %}
|
||||
server_name {{ server_name(item.redirect_from) }};
|
||||
location / {
|
||||
|
||||
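Review bot: The `{{ ssl(__ssl_name) }}` / `include` / HSTS `add_header` trio is now duplicated between the main https server block and this redirect block (the HSTS line had to be added in both places); extracting it into a macro next to `ssl()` would keep the two from drifting. Dropping `default_server` from the redirect vhost looks intentional, but the main https block's `listen` lines are outside this hunk so I cannot confirm it still carries the flag when `nginx_default_site_ssl == __main_name`. The enclosing `server` block and the `{% if 'https' in __proto %}` guard begin outside the hunk.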
@@ -83,7 +83,9 @@
|
||||
- name: 'test-ssl-selfsigned.local'
|
||||
self_signed: true
|
||||
force: false
|
||||
- name: 'test-ssl-predeployed.local'
|
||||
- name:
|
||||
- 'test-ssl-predeployed.local'
|
||||
- 'test-multiple-name.local' # Hack: tests for acme with multiple name, without using acme
|
||||
dest_key: "{{ int_ansible_ssl_dir }}/test.key"
|
||||
dest_cert: "{{ int_ansible_ssl_dir }}/test.crt"
|
||||
- name: 'test-ssl.local'
|
||||
@@ -238,6 +240,7 @@
|
||||
- 'www.test-ssl-selfsigned.local'
|
||||
proto: ['http', 'https']
|
||||
template: '_base'
|
||||
hsts: 'max-age=1664;'
|
||||
- name: 'test-ssl-predeployed.local'
|
||||
proto: ['http', 'https']
|
||||
template: '_base'
|
||||
|
||||