--- - hosts: all pre_tasks: - name: INCLUDE_TASKS | Pre_tasks related to OS version include_tasks: "includes/pre_{{ ansible_distribution }}.yml" - name: IMPORT_TASKS | Pre_tasks common import_tasks: "includes/pre_common.yml" - name: FILE | Create an internal SSL dir file: path: "{{ int_ansible_ssl_dir }}" state: directory - name: COPY | Deploy test certificate copy: src: "file/test.crt" dest: "{{ int_ansible_ssl_dir }}/test.crt" - name: COPY | Deploy test key copy: src: "file/test.key" dest: "{{ int_ansible_ssl_dir }}/test.key" - name: COPY | Add all hosts in /etc/hosts copy: content: | 127.0.0.1 localhost {% for s in nginx_sites %} {% if s.name is string %} 127.0.0.1 {{ s.name }} {% else %} 127.0.0.1 {% for n in s.name %}{{ n }} {% endfor %} {% endif %} {% if s.redirect_from is defined %} 127.0.0.1 {% for rf in s.redirect_from %}{{ rf }} {% endfor %} {% endif %} {% endfor %} dest: "/etc/hosts" unsafe_writes: yes vars: # Internal vars int_ansible_ssl_dir: '/etc/ansible-ssl' # Role vars nginx_worker_processes: 1 # Ansible+FreeBSD can't detect CPU number nginx_apt_package: 'nginx-extras' nginx_module_packages: ['libnginx-mod-http-headers-more-filter'] nginx_upstreams: - name: 'test' servers: - path: '127.0.0.1:80' max_conns: 150 weight: 10 down: false - name: 'test-absent' servers: - path: '127.0.0.1:80' max_conns: 150 weight: 10 down: false state: 'absent' nginx_htpasswd: - name: 'hello' description: 'Please login!' users: - name: 'hx' password: 'asdfg' state: 'absent' - name: 'hanx' password: 'qwerty' - name: 'deleteme' description: 'Please login!' users: [] state: 'absent' nginx_acmesh: true nginx_acmesh_test: true nginx_ssl_pairs: - name: '{{ ngrok.stdout }}' acme: true - name: 'test-ssl-selfsigned.local' self_signed: true force: false - name: - 'test-ssl-predeployed.local' - 'test-multiple-name.local' # Hack: tests for acme with multiple name, without using acme dest_key: "{{ int_ansible_ssl_dir }}/test.key" dest_cert: "{{ int_ansible_ssl_dir }}/test.crt" - name: 'test-ssl.local' key: | -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAvavrJWFp3Al2VwRgKx+4Y2mbRRvoxvyd2pyN0xMJ/tCJscaG 8s60v6WZ9FcCOeMkSI2DXsk4z7pbQdQn0h2GDr/5MOJkPAVWSWEN46tpaLZ3v0zp 88ZIbnEk1G0PsdFuW/pnLsakPlAMrl1VArFsV6YsatLt30UIYYcRO97StkoOehCx A5w+XqtfHZeQZ0/DS81633gwYUcMuSTUFZ60r7ge1/m77DTSKg3rTVk5sebP8cjS +aWHvxP/GyvvDsT+3gjRJx2/5O3JkfH0zaOsaU2Avj0PR0c5rhynrNO/l1k+GJJB cbBrM+yA8Ofzp4oXUrCfaIq3RuL3Pd+khcKsiwIDAQABAoIBAQCPpAMQ7BUfbosQ m1+5SOx7XR8Z12kSSX3CcY12rJSFRakB2TeZ6rE38lIFmV82N67iw0kaH4nGx3sU /3aoyXMc+IXfX5RJYEFYkQfTw5ywkH9fgQAsfZ2dBlK+DVo1cEYDoj9CTW1VQ4pX Ape+0l8agd5hiBxdWgpe0ctbbARnx584viLiA/iPBDNxKi9zEYw+WP7hSj5QWahr a09tubcC4L6tjvv8CoZTRSKfCW64vWRDvE6vmA+zJN9Arc1WTYzF1KO1Gybwf8h7 stJb191smAgGDFhKo0j58ncyAnrS1k4mapm86QQhlfIA6DKvvC0qm3KdQns5b7HM PyzW0hwBAoGBAO2mTVTOsziom9vtBwM0nRMMEgynR2X3EKMJz2mjcCf66f1F+aQ5 DvQFM2V8S2s1nGnPh8NKKZ8DxW1NKuR4qx82zeAXpUs9ibHxOnw4YRC485zqc2Wt fSO1OEDYeKyzWP1nGGtCntYUXzJnWn/wz0mBGKzLKTuLwyFIKx1b7bybAoGBAMxR N+lT57rX6d4GUqcgNOuWMZ/D8egnE5+hsoiFnHOisRLOgUgBBSy4rwAZx+rdHYT+ RO11L1PLYEzyvnO0f13R+N7aqKwNXDSzZGA+jb4pjkVidIC2smG/JYKJH5Z+kakw mwMKP0wdRZJsCaMgScHmWJS8d6Ox/XJJoWrTWTbRAoGAWJlEgVaiaIArwz1F/QLz gHNik0cWDkSi9jWlFxwwpycbbypUXM5M7dq2g6JoN6sACk6trbgLdlYgl5RKZm06 VuPGs0H9hOSHXkix5jfasDJT2G9r4D9ixRo9w6cwriobBjYWW3612tgzeYYgrkwn 655uhZUkZSfA8rqGIGbyZfsCgYAf5WH8G+wmIATTc1s92epJCOZwUY+XNVp75itP 4sPczX4lOHW4PuiG5cH0GxI5mRE9rNAn3c5on2xGNvMCbyAfDmNyruH8Eg3d8E9w MvO/xw79x/P2EA9i8QszCKMUxGeK6RqZ6+SbxkoRJKqQe77n9UTI228179hoGhSH 77ySsQKBgQC8SSZn6a8PpSIIFXB9WCFMwfGFYbUz0wvpaeZP8GKx3BEzMeJqSUaJ hrQgpwQXkueeamlCQcvV3AUCoBRWTYRLDrWiUIXuIgikDWBFp6TBvTnVRI7iktly fNED7jXOSjJqnFmdkZlAI5V8dM++mVYVykJD6jcaVRQvxqFLrhSaRg== -----END RSA PRIVATE KEY----- cert: | -----BEGIN CERTIFICATE----- MIIDBTCCAe2gAwIBAgIJALKJfbk5vuieMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNV BAMMDnRlc3Qtc3NsLmxvY2FsMB4XDTE2MDExMTE2NDI0NFoXDTI2MDEwODE2NDI0 NFowGTEXMBUGA1UEAwwOdGVzdC1zc2wubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQC9q+slYWncCXZXBGArH7hjaZtFG+jG/J3anI3TEwn+0Imx xobyzrS/pZn0VwI54yRIjYNeyTjPultB1CfSHYYOv/kw4mQ8BVZJYQ3jq2lotne/ TOnzxkhucSTUbQ+x0W5b+mcuxqQ+UAyuXVUCsWxXpixq0u3fRQhhhxE73tK2Sg56 ELEDnD5eq18dl5BnT8NLzXrfeDBhRwy5JNQVnrSvuB7X+bvsNNIqDetNWTmx5s/x yNL5pYe/E/8bK+8OxP7eCNEnHb/k7cmR8fTNo6xpTYC+PQ9HRzmuHKes07+XWT4Y kkFxsGsz7IDw5/OnihdSsJ9oirdG4vc936SFwqyLAgMBAAGjUDBOMB0GA1UdDgQW BBRaSF1L+ivPhmIVGQjtviBqZWDS9DAfBgNVHSMEGDAWgBRaSF1L+ivPhmIVGQjt viBqZWDS9DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCjrgB9+Zuq Rx7T2mRUl4jf75dLabuBQD0ePALTtvNyBSghhzSr90mE7GlFOYAv0JsmEa3R1LVF wLPIdrIhNHpt7hN0PkhUlfgmxBnRSCfhpiq4xxsDVFM7ehtDz4+dv1LUDMXo07+E f24g9aqmypiFzHisUQrYIhtQmHxRpKyGp6kDAW9qNxg6k/Um00aHdYfuD9ER4ksR f8Hto7f+vssKxCRY2OZXqq13PxEwC5+hgAUkTdrycA/moXFuHJi3lCnCND7sSzvG tXBggOusyFZFC4bs2m+V+Z+RN+tK2c/c0nq5HR8MV5HwIm4Z8GoT2/0BfJ00cgWL lVz0gDBfdH8f -----END CERTIFICATE----- nginx_custom_http: - 'add_header X-ansible 1;' - 'geoip_country {% if ansible_distribution == "Debian" %}/usr/share/GeoIP/GeoIP.dat{% else %}/usr/local/share/GeoIP/GeoIP.dat{% endif %};' - 'map $geoip_country_code $allowed_country {' - ' default yes;' - ' MA no;' - ' DZ no;' - ' TN no;' - '}' nginx_default_site: 'test.local' nginx_default_site_ssl: 'test-ssl-predeployed.local' nginx_sites: - name: - 'test.local' - 'test-alias.local' - 'test2-alias.local' template: '_base' filename : 'first-test' override_try_files: '$uri/ $uri =404' headers: 'X-Frame-Options': 'deny always' 'X-ansible-default': '1' manage_local_content: false use_error_log: true more: - 'autoindex off;' location: '/test': - 'return 403;' '/gunther': - 'return 404;' '/status': - 'stub_status on;' - 'access_log off;' - 'allow 127.0.0.1;' - 'deny all;' - name: 'test-htpasswd.local' template: '_base' location_before: '/hello': - htpasswd: 'hello' location: '/public': - htpasswd: false use_error_log: true - name: 'test-htpasswd-all.local' template: '_base' htpasswd: 'hello' - name: 'test-location.local' template: '_base' location_before: '/b': - 'alias /var/tmp;' '/c': - 'alias /var/tmp;' location: '/': - 'alias /var/tmp;' '/a': - 'alias /var/tmp;' location_order_before: - '/b' - '/c' location_order: - '/' - '/a' - name: 'test-php.local' php_upstream: "manual" upstream_params: - 'fastcgi_param FOO bar;' redirect_from: - 'www.test-php.local' template: '_php' use_error_log: true use_access_log: true - name: 'test-php-index.local' template: '_php_index' php_upstream: 'hx_unix' - name: 'test-php-index2.local' template: '_php_index2' php_upstream: 'hx_ip' - name: 'test-proxy.local' listen: - 8080 template: '_proxy' upstream_name: 'test' headers: 'X-proxyfied': '1' - name: 'deleted.local' state: 'absent' - name: 'redirect-to.local' redirect_to: 'http://test.local' - name: 'backuppc.local' template: '_backuppc' htpasswd: 'hello' - name: 'test-ssl.local' proto: ['http', 'https'] template: '_base' - name: - 'test-ssl-selfsigned.local' - 'www.test-ssl-selfsigned.local' proto: ['http', 'https'] template: '_base' hsts: 'max-age=1664;' - name: 'test-ssl-predeployed.local' proto: ['http', 'https'] template: '_base' ssl_name: 'test-ssl-predeployed.local' headers: 'X-ansible-default': '1' ssl_template: false - name: 'test-ssl-redirect.local' proto: ['https'] template: '_base' ssl_name: 'test-ssl.local' redirect_https: true - name: - 'test-ssl-redirect-many.local' - 'test-ssl-redirect-many2.local' listen_ssl: [8443] proto: ['https'] template: '_base' ssl_name: 'test-ssl.local' redirect_https: true redirect_from: - 'www.test-ssl-redirect-many.local' - 'www.test-ssl-redirect-many2.local' - name: 'test-ssl-proxy-protocol.local' proto: ['http', 'https'] listen_proxy_protocol: [20080] listen_proxy_protocol_ssl: [20443] template: '_base' ssl_name: 'test-ssl.local' headers: 'X-Proxy-Protocol': '1' - name: '{{ ngrok.stdout }}' proto: ['http', 'https'] listen_proxy_protocol: [21080] listen_proxy_protocol_ssl: [21443] template: '_base' ssl_name: '{{ ngrok.stdout }}' headers: 'X-acme': '1' nginx_php: "{{ [{'upstream_name': 'manual', 'sockets': [{'host': '127.0.0.1', 'port': '9636' }] }] }}" nginx_dh_length: 1024 roles: - ../../ post_tasks: # -------------------------------- # Apps # -------------------------------- - name: INCLUDE_TASKS | Post_tasks related to OS version include_tasks: "includes/post_{{ ansible_distribution }}.yml" # -------------------------------- # Deploy index files # -------------------------------- - name: -- Add PHP file -- copy: dest: "{{ nginx_root }}/{{ item }}/public/index.php" content: " item.template is defined and (item.template == '_php' or item.template == '_php_index' or item.template == '_php_index2') failed_when: p.content.find('PHP Version') == -1 - name: -- VERIFY INDEX2 -- uri: url: "http://test-php-index2.local/lorem.php?ipsum=sit&dolor=amet" return_content: yes register: p2 failed_when: p2.content.find('PHP Version') == -1 # -------------------------------- # Basic Auth # -------------------------------- - name: -- VERIFY AUTH BASIC NONE -- uri: url: "http://test-htpasswd.local/hello/" status_code: 401 - name: -- VERIFY AUTH BASIC FAIL -- uri: url: "http://test-htpasswd.local/hello/" status_code: 401 user: "fail" password: "fail" force_basic_auth: yes - name: -- VERIFY AUTH BASIC OK -- uri: url: "http://test-htpasswd.local/hello/" user: "hanx" password: "qwerty" force_basic_auth: yes - name: -- VERIFY AUTH BASIC FAIL GLOBAL -- uri: url: "http://test-htpasswd-all.local/" status_code: 401 user: "fail" password: "fail" force_basic_auth: yes - name: -- VERIFY AUTH BASIC OK GLOBAL -- uri: url: "http://test-htpasswd-all.local/" user: "hanx" password: "qwerty" force_basic_auth: yes # -------------------------------- # BackupPC # -------------------------------- - name: -- VERIFY BACKUPPC -- uri: url: "http://backuppc.local/" user: "hanx" password: "qwerty" force_basic_auth: yes return_content: yes register: authbpc when: ansible_distribution != 'FreeBSD' failed_when: authbpc.content.find('BackupPC Server Status') == -1 # -------------------------------- # SSL # -------------------------------- - name: -- VERIFY SSL -- uri: url: "https://{{ item }}/" return_content: yes validate_certs: no register: sslok failed_when: sslok.content.find('Index HTML test OK') == -1 loop: - 'test-ssl-predeployed.local' - 'test-ssl-selfsigned.local' - 'test-ssl.local' - '{{ ngrok.stdout }}' - name: -- VERIFY SSL REDIRECT -- uri: url: "http://{{ item.name }}/" validate_certs: no status_code: 301 return_content: yes follow_redirects: none register: sslredirok failed_when: '"https://%s%s" % (item.name, ":" + item.port if item.port is defined else "") not in sslredirok.location' loop: - name: 'test-ssl-redirect.local' - name: 'test-ssl-redirect-many.local' port: '8443' - name: 'test-ssl-redirect-many2.local' port: '8443' # -------------------------------- # Default sites # -------------------------------- - name: -- VERIFY DEFAULT SITE -- uri: url: 'http://127.0.0.1/' return_content: yes register: vdefault failed_when: > vdefault.content.find('Index HTML test OK') == -1 or vdefault.x_ansible_default is not defined - name: -- VERIFY DEFAULT SITE + STUB STATUS-- uri: url: 'http://127.0.0.1/status' return_content: yes register: vdefault_status failed_when: > vdefault_status.content.find('Active connections') == -1 or vdefault_status.x_ansible_default is not defined - name: -- VERIFY DEFAULT SSL SITE -- uri: url: 'https://127.0.0.1/' return_content: yes validate_certs: no register: vdefault failed_when: > vdefault.content.find('Index HTML test OK') == -1 or vdefault.x_ansible_default is not defined - name: -- VERIFY NOT DEFAULT SITE -- uri: url: 'http://test-php.local/' return_content: yes register: vphp failed_when: vphp.x_ansible_default is defined - name: -- VERIFY NOT DEFAULT SSL SITE -- uri: url: 'https://test-ssl.local/' return_content: yes validate_certs: no register: notdefaultssl failed_when: notdefaultssl.x_ansible_default is defined # -------------------------------- # Check Proxy protocol # -------------------------------- # Note: Debian Stretch doesn't any version of curl with "--haproxy-protocol" argument - block: - name: SHELL | Check HTTP proxy protocol shell: curl -I --haproxy-protocol http://test-ssl-proxy-protocol.local:20080 | grep -qi 'X-Proxy-Protocol' args: executable: /bin/sh warn: no changed_when: false tags: - skip_ansible_lint - name: SHELL | Check HTTPS proxy protocol shell: curl -I --haproxy-protocol -k https://test-ssl-proxy-protocol.local:20443 | grep -qi 'X-Proxy-Protocol' args: executable: /bin/sh warn: no changed_when: false tags: - skip_ansible_lint when: not (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', 'eq')) # -------------------------------- # Check HTTP2 # -------------------------------- - name: SHELL | Check HTTP2 shell: nghttp -nv https://localhost 2> /dev/null | grep -q h2 args: executable: /bin/sh changed_when: false when: nginx_auto_config_httpv2 and 'http_v2' in nginx_modules tags: - skip_ansible_lint