Compare commits
6 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
4c63efa588 | ||
|
|
3e228d0812 | ||
|
|
1e7a0fc855 | ||
|
|
93b90c748f | ||
|
|
d8f6088362 | ||
|
|
8c3b1c7f13 |
@@ -16,7 +16,9 @@ sudo: required
|
|||||||
dist: trusty
|
dist: trusty
|
||||||
|
|
||||||
language: python
|
language: python
|
||||||
python: 2.7
|
python:
|
||||||
|
- 2.7
|
||||||
|
- 3.6
|
||||||
|
|
||||||
services:
|
services:
|
||||||
- docker
|
- docker
|
||||||
|
|||||||
@@ -55,6 +55,7 @@ FreeBSD:
|
|||||||
- `nginx_error_log_level`: default log level
|
- `nginx_error_log_level`: default log level
|
||||||
- `nginx_auto_config_httpv2`: boolean, auto configure HTTP2 where possible
|
- `nginx_auto_config_httpv2`: boolean, auto configure HTTP2 where possible
|
||||||
- `nginx_fastcgi_fix_realpath`: boolean, use realpath for fastcgi (fix problems with symlinks and PHP opcache)
|
- `nginx_fastcgi_fix_realpath`: boolean, use realpath for fastcgi (fix problems with symlinks and PHP opcache)
|
||||||
|
- `nginx_default_hsts`: string, default header sent for HSTS
|
||||||
|
|
||||||
### Nginx Configuration
|
### Nginx Configuration
|
||||||
|
|
||||||
|
|||||||
@@ -19,6 +19,7 @@ nginx_auto_config_httpv2: true
|
|||||||
nginx_default_site: null
|
nginx_default_site: null
|
||||||
nginx_default_site_ssl: null
|
nginx_default_site_ssl: null
|
||||||
nginx_fastcgi_fix_realpath: true
|
nginx_fastcgi_fix_realpath: true
|
||||||
|
nginx_default_hsts: 'max-age=63072000; includeSubDomains'
|
||||||
|
|
||||||
#
|
#
|
||||||
# Nginx directories
|
# Nginx directories
|
||||||
|
|||||||
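Review bot: The new default `nginx_default_hsts: 'max-age=63072000; includeSubDomains'` commits every browser that sees it to HTTPS-only for the host and all of its subdomains for two years, and the README line added in this commit ("default header sent for HSTS") does not say so; a comment above the value such as `# Sent verbatim as the Strict-Transport-Security header; includeSubDomains binds every subdomain, so drop it if any subdomain is plain HTTP` would warn operators before they roll it out. The value is also interpolated inside double quotes in the site template (`add_header Strict-Transport-Security "{{ ... }}" always;`), so a value containing a `"` would break the generated nginx configuration — worth a second comment line noting that the string must not contain double quotes.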
@@ -31,6 +31,7 @@ Common
|
|||||||
- `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false".
|
- `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false".
|
||||||
- `listen_proxy_protocol` (O) Enable proxy protocol on http port.
|
- `listen_proxy_protocol` (O) Enable proxy protocol on http port.
|
||||||
- `listen_proxy_protocol_ssl` (O) Enable proxy protocol on https port.
|
- `listen_proxy_protocol_ssl` (O) Enable proxy protocol on https port.
|
||||||
|
- `hsts` (O) overwrite default header for hsts
|
||||||
|
|
||||||
(O): Optional
|
(O): Optional
|
||||||
(M): Mandatory
|
(M): Mandatory
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
def nginx_site_filename(site):
|
def nginx_site_filename(site):
|
||||||
if site.has_key('filename'):
|
if 'filename' in site:
|
||||||
return site['filename']
|
return site['filename']
|
||||||
else:
|
else:
|
||||||
return nginx_site_name(site)
|
return nginx_site_name(site)
|
||||||
@@ -14,13 +14,13 @@ def nginx_ssl_dir(pair, ssl_dir):
|
|||||||
return ssl_dir + '/' + nginx_site_filename(pair)
|
return ssl_dir + '/' + nginx_site_filename(pair)
|
||||||
|
|
||||||
def nginx_key_path(pair, ssl_dir):
|
def nginx_key_path(pair, ssl_dir):
|
||||||
if pair.has_key('dest_key'):
|
if 'dest_key' in pair:
|
||||||
return pair['dest_key']
|
return pair['dest_key']
|
||||||
else:
|
else:
|
||||||
return nginx_ssl_dir(pair, ssl_dir) + '/' + nginx_site_filename(pair) + '.key'
|
return nginx_ssl_dir(pair, ssl_dir) + '/' + nginx_site_filename(pair) + '.key'
|
||||||
|
|
||||||
def nginx_cert_path(pair, ssl_dir):
|
def nginx_cert_path(pair, ssl_dir):
|
||||||
if pair.has_key('dest_cert'):
|
if 'dest_cert' in pair:
|
||||||
return pair['dest_cert']
|
return pair['dest_cert']
|
||||||
else:
|
else:
|
||||||
return nginx_ssl_dir(pair, ssl_dir) + '/' + nginx_site_filename(pair) + '.crt'
|
return nginx_ssl_dir(pair, ssl_dir) + '/' + nginx_site_filename(pair) + '.crt'
|
||||||
@@ -32,7 +32,7 @@ def nginx_all_site_names(site):
|
|||||||
else:
|
else:
|
||||||
all_sites.append(site['name'])
|
all_sites.append(site['name'])
|
||||||
|
|
||||||
if site.has_key('redirect_from'):
|
if 'redirect_from' in site:
|
||||||
if isinstance(site['redirect_from'], list):
|
if isinstance(site['redirect_from'], list):
|
||||||
all_sites = all_sites + site['redirect_from']
|
all_sites = all_sites + site['redirect_from']
|
||||||
else:
|
else:
|
||||||
@@ -41,9 +41,14 @@ def nginx_all_site_names(site):
|
|||||||
return all_sites
|
return all_sites
|
||||||
|
|
||||||
def nginx_search_by_ssl_name(sites, ssl_name):
|
def nginx_search_by_ssl_name(sites, ssl_name):
|
||||||
|
if isinstance(ssl_name, list):
|
||||||
|
comp_ssl_name = ssl_name[0]
|
||||||
|
else:
|
||||||
|
comp_ssl_name = ssl_name
|
||||||
|
|
||||||
res = None
|
res = None
|
||||||
for site in sites:
|
for site in sites:
|
||||||
if site.has_key('ssl_name') and site['ssl_name'] == ssl_name:
|
if 'ssl_name' in site and site['ssl_name'] == comp_ssl_name:
|
||||||
res = site
|
res = site
|
||||||
break
|
break
|
||||||
return res
|
return res
|
||||||
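Review bot: `comp_ssl_name = ssl_name[0]` in the `@@ -41,9 +41,14 @@` hunk raises IndexError when `ssl_name` is an empty list, and the normalisation is one-sided: `site['ssl_name']` is compared raw, so a site whose `ssl_name` is itself a list can never equal the string on the other side (whether that shape occurs depends on how the role sets `ssl_name`, which this diff does not show). The `has_key` → `in` rewrites in the earlier hunks of this file are correct for Python 3 and need no change. Guarding the empty list, normalising both sides, and returning early instead of the `res`/`break` pair keeps the function total:
```python
def nginx_search_by_ssl_name(sites, ssl_name):
    # A list name is matched by its first entry; an empty list matches nothing instead of raising.
    comp_ssl_name = ssl_name[0] if isinstance(ssl_name, list) and ssl_name else ssl_name
    for site in sites:
        if 'ssl_name' not in site:
            continue
        site_ssl_name = site['ssl_name']
        if isinstance(site_ssl_name, list):
            site_ssl_name = site_ssl_name[0] if site_ssl_name else None
        if site_ssl_name == comp_ssl_name:
            return site
    return None
```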
|
|||||||
@@ -23,7 +23,7 @@
|
|||||||
|
|
||||||
- name: APT | Install python-passlib
|
- name: APT | Install python-passlib
|
||||||
apt:
|
apt:
|
||||||
pkg: python-passlib
|
pkg: "python{% if ansible_python_version is version('3', '>=') %}3{% endif %}-passlib"
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: STAT | Check acme.sh is installed
|
- name: STAT | Check acme.sh is installed
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
- block:
|
- block:
|
||||||
|
|
||||||
- name: STAT | Get info ajout DH file
|
- name: STAT | Get info about DH file
|
||||||
stat:
|
stat:
|
||||||
path: "{{ nginx_dh_path }}"
|
path: "{{ nginx_dh_path }}"
|
||||||
get_checksum: no
|
get_checksum: no
|
||||||
|
|||||||
@@ -9,7 +9,6 @@ ssl_session_cache shared:SSL:10m;
|
|||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
|
|
||||||
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
|
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
|
||||||
resolver_timeout {{ nginx_resolver_timeout }};
|
resolver_timeout {{ nginx_resolver_timeout }};
|
||||||
ssl_dhparam {{ nginx_dh_path }};
|
ssl_dhparam {{ nginx_dh_path }};
|
||||||
|
|||||||
@@ -11,7 +11,6 @@ ssl_session_cache shared:SSL:10m;
|
|||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
|
|
||||||
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
|
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
|
||||||
resolver_timeout {{ nginx_resolver_timeout }};
|
resolver_timeout {{ nginx_resolver_timeout }};
|
||||||
ssl_dhparam {{ nginx_dh_path }};
|
ssl_dhparam {{ nginx_dh_path }};
|
||||||
|
|||||||
@@ -43,7 +43,7 @@
|
|||||||
{%- endif %}
|
{%- endif %}
|
||||||
{%- endmacro %}
|
{%- endmacro %}
|
||||||
{% macro ssl(ssl_name) %}
|
{% macro ssl(ssl_name) %}
|
||||||
{% for sn in nginx_ssl_pairs if (sn.name is defined and sn.name == ssl_name) %}
|
{% for sn in nginx_ssl_pairs if (sn.name is defined and (sn | nginx_site_name) == ssl_name) %}
|
||||||
ssl_certificate {{ sn | nginx_cert_path(nginx_ssl_dir) }};
|
ssl_certificate {{ sn | nginx_cert_path(nginx_ssl_dir) }};
|
||||||
ssl_certificate_key {{ sn | nginx_key_path(nginx_ssl_dir) }};
|
ssl_certificate_key {{ sn | nginx_key_path(nginx_ssl_dir) }};
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
@@ -89,6 +89,7 @@ server {
|
|||||||
{{ ssl(__ssl_name) }}
|
{{ ssl(__ssl_name) }}
|
||||||
{% if item.ssl_template is not defined or item.ssl_template != false %}
|
{% if item.ssl_template is not defined or item.ssl_template != false %}
|
||||||
include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
|
include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
|
||||||
|
add_header Strict-Transport-Security "{{ item.hsts | default(nginx_default_hsts) }}" always;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
server_name {{ server_name(item.name) }};
|
server_name {{ server_name(item.name) }};
|
||||||
@@ -117,7 +118,7 @@ server {
|
|||||||
|
|
||||||
{% block template_headers %}
|
{% block template_headers %}
|
||||||
# --> Custom headers
|
# --> Custom headers
|
||||||
{% for key, value in __headers.iteritems() %}
|
{% for key, value in __headers.items() %}
|
||||||
add_header {{ key }} "{{ value | regex_replace('\s+always$', '') }}"{% if value | regex_search('\s+always$') %} always{% endif %};
|
add_header {{ key }} "{{ value | regex_replace('\s+always$', '') }}"{% if value | regex_search('\s+always$') %} always{% endif %};
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
# <-- Custom headers
|
# <-- Custom headers
|
||||||
@@ -125,7 +126,7 @@ server {
|
|||||||
|
|
||||||
{{ locations(__location_before, __location_order_before) }}
|
{{ locations(__location_before, __location_order_before) }}
|
||||||
|
|
||||||
{% if not __location.has_key('/') %}
|
{% if not '/' in __location %}
|
||||||
location / {
|
location / {
|
||||||
{% block template_try_files %}
|
{% block template_try_files %}
|
||||||
try_files {{ item.override_try_files | default('$uri $uri/ =404') }};
|
try_files {{ item.override_try_files | default('$uri $uri/ =404') }};
|
||||||
@@ -209,14 +210,15 @@ server {
|
|||||||
{% if 'https' in __proto %}
|
{% if 'https' in __proto %}
|
||||||
server {
|
server {
|
||||||
{% for port in __listen_ssl %}
|
{% for port in __listen_ssl %}
|
||||||
listen {{ port }}{% if nginx_default_site_ssl == __main_name %} default_server{% endif %} ssl{% if __http2 %} http2{% endif %};
|
listen {{ port }} ssl{% if __http2 %} http2{% endif %};
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% for port in __listen_proxy_protocol_ssl %}
|
{% for port in __listen_proxy_protocol_ssl %}
|
||||||
listen {{ port }}{% if nginx_default_site_ssl == __main_name %} default_server{% endif %} ssl{% if __http2 %} http2{% endif %} proxy_protocol;
|
listen {{ port }} ssl{% if __http2 %} http2{% endif %} proxy_protocol;
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{{ ssl(__ssl_name) }}
|
{{ ssl(__ssl_name) }}
|
||||||
{% if item.ssl_template is not defined or item.ssl_template != false %}
|
{% if item.ssl_template is not defined or item.ssl_template != false %}
|
||||||
include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
|
include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
|
||||||
|
add_header Strict-Transport-Security "{{ item.hsts | default(nginx_default_hsts) }}" always;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
server_name {{ server_name(item.redirect_from) }};
|
server_name {{ server_name(item.redirect_from) }};
|
||||||
location / {
|
location / {
|
||||||
|
|||||||
@@ -83,7 +83,9 @@
|
|||||||
- name: 'test-ssl-selfsigned.local'
|
- name: 'test-ssl-selfsigned.local'
|
||||||
self_signed: true
|
self_signed: true
|
||||||
force: false
|
force: false
|
||||||
- name: 'test-ssl-predeployed.local'
|
- name:
|
||||||
|
- 'test-ssl-predeployed.local'
|
||||||
|
- 'test-multiple-name.local' # Hack: tests for acme with multiple name, without using acme
|
||||||
dest_key: "{{ int_ansible_ssl_dir }}/test.key"
|
dest_key: "{{ int_ansible_ssl_dir }}/test.key"
|
||||||
dest_cert: "{{ int_ansible_ssl_dir }}/test.crt"
|
dest_cert: "{{ int_ansible_ssl_dir }}/test.crt"
|
||||||
- name: 'test-ssl.local'
|
- name: 'test-ssl.local'
|
||||||
@@ -238,6 +240,7 @@
|
|||||||
- 'www.test-ssl-selfsigned.local'
|
- 'www.test-ssl-selfsigned.local'
|
||||||
proto: ['http', 'https']
|
proto: ['http', 'https']
|
||||||
template: '_base'
|
template: '_base'
|
||||||
|
hsts: 'max-age=1664;'
|
||||||
- name: 'test-ssl-predeployed.local'
|
- name: 'test-ssl-predeployed.local'
|
||||||
proto: ['http', 'https']
|
proto: ['http', 'https']
|
||||||
template: '_base'
|
template: '_base'
|
||||||
|
|||||||