/ansible-nginx-drupal

Ansible role to configure Nginx for running Drupal using perusio's configuration

Primary LanguageNginxApache License 2.0Apache-2.0

Nginx Drupal

Ansible role to configure Nginx for running Drupal using perusio's configuration.

This role only configure Nginx to run Drupal sites, it will not install PHP, Nginx, Drupal, MySQL, etc. It will however, override the entire content of the Nginx configuration directory. You can still add file to the Nginx configuration directory after this role.

Requirements

  • Git
  • A reload nginx handler is used to reload Nginx after configuration changes and must be defined in your playbook.

Role Variables

The following variables are available to configure the role:

  • nginx_drupal_git
    • repo: The URL of the Git repository to checkout the base configuration from, defaults to https://github.com/perusio/drupal-with-nginx.git
    • version: The version of the version of the repository to check out. This can be the full 40-character SHA-1 hash, the literal string HEAD, a branch name, or a tag name. Defaults to 'D7'.
    • force_checkout: True to always do a git checkout. Defaults to False.
  • nginx_drupal_config_path: The path to Nginx configuration folder, defaults to "/etc/nginx".
  • nginx_drupal_log_path: The path to Nginx log files, defaults to "/var/log/nginx"
  • nginx_drupal_php_handling: The PHP handling method, one of "php-fpm", "php-cgi" or "proxy", defaults to "php-fpm".
  • nginx_drupal_escape_uri: Whether or not to escaped URIs, defaults to false.
  • nginx_drupal_use_boost: Whether or not Boost is used, defaults to false.
  • nginx_drupal_use_drush: Whether or not Drush is used, defaults to true.
  • nginx_drupal_allow_install: Whether or not to allow access to the install.php file, defaults to false.
  • nginx_drupal_use_spdy: Whether or not to use SPDY, defaults to false.
  • nginx_drupal_nginx_status_allowed_hosts: The list of host allowed to access Nginx status page, defaults to ["127.0.0.1", "192.168.1.0/24"].
  • nginx_drupal_php_fpm_status_allowed_hosts: The list of host allowed to access PHP-FPM status page, defaults to ["127.0.0.1", "192.168.1.0/24"].
  • nginx_drupal_hotlinking_protection: Whether or not to prevent image hotlinking, defaults to false.
  • nginx_drupal_admin_basic_auth: Whether or not to protect access to admin pages (/admin/*) using HTTP auth, defaults to false.
  • nginx_drupal_microcache: Whether or not to use microcaching, defaults to true.
  • nginx_drupal_microcache_auth: Whether or not to use microcaching for authenticated users, defaults to false.
  • nginx_drupal_upload_progress: Whether or not to use upload progress (this require the filefield_nginx_progress Drupal module and nginx_uploadprogress_module included in your Nginx build.
  • nginx_drupal_aio: Whether or not to use AIO to server video and audio file, defaults to true.
  • nginx_drupal_flv_streaming: Whether or not to use FLV pseudo streaming (cf. http://wiki.nginx.org/HttpFlvStreamModule), defaults to false.
  • nginx_drupal_mp4_streaming: Whether or not to use MP4 streaming, (cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html) defaults to false.
  • nginx_drupal_ssl_protocols: List of protocols to enable, defaults to SSLv3, TLSv1, TLSv1.1, TLSv1.2
  • nginx_drupal_ssl_ecdh_curve: Curve to use for ECDH, defaults to secp521r1
  • nginx_drupal_ssl_ciphers: Ciphers to use defaults to "ECDH+aRSA+AESGCM:ECDH+aRSA+SHA384:ECDH+aRSA+SHA256:ECDH:EDH+CAMELLIA:EDH+aRSA:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
  • nginx_drupal_http_pre_includes: A list of file to include in the http context (in nginx.conf), before any other directives.
  • nginx_drupal_http_post_includes: A list of file to include in the http context (in nginx.conf), after any other directives except the enabled site configuration files.
  • nginx_drupal_upstream_servers: The list of PHP upstream servers, each item is a server address (and parameters, see http://nginx.org/en/docs/http/ngx_http_upstream_module.html#server), defaults to ["unix:/var/run/php-fpm.sock", "php-fpm-zwei.sock"].
  • nginx_drupal_upstream_backup_servers: The list of PHP upstream backup servers, defaults to ["unix:/var/run/php-fpm-bkp.sock"].
  • nginx_drupal_language_path_prefixes: (optional) The list of enabled language path prefixes used on the site.
  • nginx_drupal_set_real_ip_from: (optional) configure real_ip if necessary
  • nginx_drupal_x_frame_options: (optional) Value of the X-Frame-Options response header, defaults to DENY. If the site uses frames, set to SAMEORIGIN. DENY may conflicts with pseudo streaming (at least with Nginx version 1.0.12)
  • nginx_drupal_sites: The list of available sites. Each site uses the following structure:
    • file_name: The name of the site configuration file.
    • http: HTTP server configuration (leave empty to disable HTTP)
      • port: The port to listen on
    • https: HTTPS server configuration (leave empty to disable HTTPS)
      • port: The port to listen on.
      • certificate: Path to the SSL certificate of the server (in the PEM format).
      • certificate_key: Path to the SSL secret key of the server (in the PEM format).
    • server_name: The (primary) server name.
    • default: Indicate the virtual host as default (boolean).
    • ipv6: (optional) IPv6 address of the server
    • alternate_server_name: (optional) Alternate server name, configured as redirect to the primary server site. This can be used to remove the www. prefix.
    • root: Path to the root directory for the site.
    • limit_conn: (optional) The limit_conn for the site (defaults to arbeit 32).
    • enabled: Whether or not the site should be enabled (defaults to true).
    • rewrites: (optional) A list of rewrites directives, using the following structure:
      • regex: The regular expression used to match the URI.
      • replacement: The replacement pattern used for the rewrite.
      • flags: (optional) The flag parameter for the rewrite.
    • custom_locations: (optional) A list of locations directives, using the following structure:
      • operator: (optional) Operator to match the location path (defaults to '=')
      • path: Path string to match on
      • allowed_ips: (optional) List of IP (with or without subnet) allowed to visit this location
      • denied_ips: (optional) List of IP (with or without subnet) denied to visit this location
      • fastcgi_pass: (optional) fastcgi socket (or IP) to send to. If not specified, will use the @drupal location as upstream.
      • fastcgi_index: (optional) fastcgi index
    • includes: (optional) A list of additional Nginx configuration files to include for the site.
    • server_name_in_redirect: (optional) Enables or disables the use of the primary server name, specified by the server_name directive, in redirects issued by nginx.

Examples

Two Drupal 7 sites, one available in HTTP and HTTPS. The other only available in HTTPS but disabled.

- hosts: all
  roles:
  - role: nginx-drupal
    nginx_drupal_sites:
      - file_name: foo
        server_name: foo.org
        alternate_server_name: www.foo.org
        root: /var/www/foo
        http:
          port: 80
        https:
          port: 443
          certificate: /etc/nginx/ssl/foo.cert
          certificate_key: /etc/nginx/ssl/foo.key
      - file_name: bar
        server_name: bar.org
        alternate_server_name: www.bar.org
        root: /var/www/bar
        enabled: false
        https:
          port: 443
          certificate: /etc/nginx/ssl/bar.cert
          certificate_key: /etc/nginx/ssl/bar.key

Nginx as a Reverse Proxy for a single Drupal 6 sites, without microcaching, with image hot linking protection and a rewrite directive.

- hosts: all
  roles:
  - role: nginx-drupal
    nginx_drupal_git:
      version: D6
    nginx_drupal_hotlinking_protection: true
    nginx_drupal_php_handling: proxy
    nginx_drupal_microcache: false
    nginx_drupal_sites:
      - file_name: foo
        server_name: foo.org
        alternate_server_name: www.foo.org
        root: /var/www/foo
        http:
          port: 80
        rewrites:
         - regex: '^/foo-bar.htm$'
           replacement: '/foo/bar'
           flags: 'permanent'

License

Apache v2

Author Information

Pierre Buyle buyle@pheromone.ca