This role installs and configures the nginx web server. You can specify any http configuration parameters you wish to apply to your site. Any number of sites can be added with configurations of your choice.
You also have the option to configure SSL vhosts.
This role requires Ansible 1.4 or higher and platform requirements are listed
in the metadata file.
For FreeBSD a working pkgng setup is required (see: https://www.freebsd.org/doc/handbook/pkgng-intro.html )
OpenSSL is required to use SSL and generate DHparams.
The variables that can be passed to this role and a brief description about them are as follows.
    # The user to run nginx
    nginx_user: "www-data"

    # A list of directives for the events section.
    nginx_events_params:
      - worker_connections 512
      - debug_connection 127.0.0.1
      - use epoll
      - multi_accept on

    # A list of hashes that define the servers for nginx,
    # as with http parameters. Any valid server parameters
    # can be defined here.
    nginx_sites:
      default:
        - listen 80
        - server_name _
        - root "/usr/share/nginx/html"
        - index index.html
      foo:
        - listen 8080
        - server_name localhost
        - root "/tmp/site1"
        - location / { try_files $uri $uri/ /index.html; }
        - location /images/ { try_files $uri $uri/ /index.html; }
      bar:
        - listen 9090
        - server_name ansible
        - root "/tmp/site2"
        - location / { try_files $uri $uri/ /index.html; }
        - location /images/ {
            try_files $uri $uri/ /index.html;
            allow 127.0.0.1;
            deny all;
          }

    # A list of hashes that define additional configuration
    nginx_configs:
      proxy:
        - proxy_set_header X-Real-IP $remote_addr
        - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
      upstream:
        - upstream foo { server 127.0.0.1:8080 weight=10; }
      geo:
        - geo $local {
            default 0;
            127.0.0.1 1;
          }
      gzip:
        - gzip on
        - gzip_disable msie6

    # A list of hashes that define user/password files
    nginx_auth_basic_files:
      demo:
        - foo:$apr1$mEJqnFmy$zioG2q1iDWvRxbHuNepIh0 # foo:demo , generated by : htpasswd -nb foo demo
        - bar:$apr1$H2GihkSo$PwBeV8cVWFFQlnAJtvVCQ. # bar:demo , generated by : htpasswd -nb bar demo
- Install nginx with HTTP directives of your choice, but with no sites configured and no additional configuration:

    - hosts: all
      roles:
        - {role: nginx,
           nginx_http_params: ["sendfile on", "access_log /var/log/nginx/access.log"]
          }
- Install nginx with different HTTP directives than the previous example, but with no sites configured and no additional configuration:

    - hosts: all
      roles:
        - {role: nginx,
           nginx_http_params: ["tcp_nodelay on", "error_log /var/log/nginx/error.log"]}
Note: Please make sure the HTTP directives passed are valid, as this role won't check for the validity of the directives. See the nginx documentation for details.
- Install nginx and add a site to the configuration.

    - hosts: all
      roles:
        - role: nginx
          nginx_http_params:
            - sendfile "on"
            - access_log "/var/log/nginx/access.log"
          nginx_sites:
            bar:
              - listen 8080
              - location / { try_files $uri $uri/ /index.html; }
              - location /images/ { try_files $uri $uri/ /index.html; }
          nginx_configs:
            proxy:
              - proxy_set_header X-Real-IP $remote_addr
              - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
Note: Each site added is represented by a list of hashes, and the generated configurations are placed in /etc/nginx/site-available/, with a link from /etc/nginx/site-enable/ to /etc/nginx/site-available.
The file name for the specific site configuration is specified in the hash with the key "file_name"; any valid server directives can be added to the hash. Additional configurations are created in /etc/nginx/conf.d/.
- Install Nginx, add 2 sites (different method) and add additional configuration

    ---
    - hosts: all
      roles:
        - role: nginx
          nginx_http_params:
            - sendfile on
            - access_log /var/log/nginx/access.log
          nginx_sites:
            foo:
              - listen 8080
              - server_name localhost
              - root /tmp/site1
              - location / { try_files $uri $uri/ /index.html; }
              - location /images/ { try_files $uri $uri/ /index.html; }
            bar:
              - listen 9090
              - server_name ansible
              - root /tmp/site2
              - location / { try_files $uri $uri/ /index.html; }
              - location /images/ { try_files $uri $uri/ /index.html; }
          nginx_configs:
            proxy:
              - proxy_set_header X-Real-IP $remote_addr
              - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
- Install Nginx, add 2 sites, add additional configuration and an upstream configuration block

    ---
    - hosts: all
      roles:
        - role: nginx
          nginx_http_params:
            - sendfile on
            - access_log /var/log/nginx/access.log
          nginx_sites:
            foo:
              - listen 8080
              - server_name localhost
              - root /tmp/site1
              - location / { try_files $uri $uri/ /index.html; }
              - location /images/ { try_files $uri $uri/ /index.html; }
            bar:
              - listen 9090
              - server_name ansible
              - root /tmp/site2
              - if ( $host = example.com ) { rewrite ^(.*)$ http://www.example.com$1 permanent; }
              - location / { try_files $uri $uri/ /index.html; }
              - location /images/ { try_files $uri $uri/ /index.html; }
              - auth_basic "Restricted"
              - auth_basic_user_file auth_basic/demo
          nginx_configs:
            proxy:
              - proxy_set_header X-Real-IP $remote_addr
              - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
            upstream:
              # Results in:
              # upstream foo_backend {
              #   server 127.0.0.1:8080 weight=10;
              # }
              - upstream foo_backend { server 127.0.0.1:8080 weight=10; }
          nginx_auth_basic_files:
            demo:
              - foo:$apr1$mEJqnFmy$zioG2q1iDWvRxbHuNepIh0 # foo:demo , generated by : htpasswd -nb foo demo
              - bar:$apr1$H2GihkSo$PwBeV8cVWFFQlnAJtvVCQ. # bar:demo , generated by : htpasswd -nb bar demo
- Example of using this role for SSL

SSL certificate examples: I strongly recommend creating a separate vars file for secrets like SSL keys, and keeping the certificates together with their keys. You can also add chained certificates that include the entire CA chain.
    nginx_ssl_key:
      mydomain_com_2015_2016: |
        -----BEGIN PRIVATE KEY-----
        magic
        -----END PRIVATE KEY-----
    nginx_ssl_crt:
      mydomain_com_2015_2016: |
        -----BEGIN CERTIFICATE-----
        magic
        -----END CERTIFICATE-----
Then you can reference the certificate and key in a vhost:

    nginx_sites:
      default:
        - listen 443
        - server_name _
        - root "/usr/share/nginx/html"
        - index index.html
        - ssl on
        - ssl_certificate {{nginx_conf_dir}}/ssl/mydomain_com_2015_2016.crt
        - ssl_certificate_key {{nginx_conf_dir}}/ssl/mydomain_com_2015_2016.key
Optional, but recommended SSL configuration to include in your nginx_http_params:
    nginx_http_params:
      - sendfile on
      - access_log /var/log/nginx/access.log
      - ssl_protocols TLSv1 TLSv1.1 TLSv1.2
      - ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
      - ssl_session_cache shared:SSL:50m
      - ssl_session_timeout 5m
      - ssl_prefer_server_ciphers On
      - ssl_dhparam dhparams.pem
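
Because the role does not check the directives it is given, a pre-deployment check over the directive lists can catch TLS settings that have since been deprecated. The following Python check is an added example, not part of the role: the function name `audit_directives` and its rule set are assumptions, and the sample lists are constructed from the directives shown on this page.

```python
import re

# Editor-added rule set (an assumption, not part of the role): protocol names
# and cipher keywords treated as weak when they appear in a directive list.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_WORDS = {"3DES", "DES", "RC4", "MD5", "NULL", "ANULL", "ENULL", "EXPORT"}


def audit_directives(directives):
    """Return (directive, finding) tuples for weak TLS settings in a list of
    nginx directive strings, the form nginx_http_params and nginx_sites use."""
    findings = []
    for raw in directives:
        parts = raw.strip().rstrip(";").split()
        if not parts:
            continue
        name, args = parts[0], parts[1:]
        if name == "ssl_protocols":
            findings += [(name, f"deprecated protocol {p}")
                         for p in args if p in WEAK_PROTOCOLS]
        elif name == "ssl_ciphers" and args:
            for spec in args[0].strip("'\"").split(":"):
                if spec.startswith(("!", "-")):  # exclusions remove ciphers
                    continue
                words = {w.upper() for w in re.split(r"[+-]", spec)}
                if words & WEAK_CIPHER_WORDS:
                    findings.append((name, f"weak cipher spec {spec}"))
        elif name == "ssl" and args[:1] == ["on"]:
            findings.append((name, "obsolete directive; use 'listen <port> ssl'"))
    return findings


# Constructed sample input: directives copied from the examples on this page.
PAGE_HTTP_PARAMS = [
    "sendfile on",
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2",
    "ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:"
    "DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5",
    "ssl_prefer_server_ciphers On",
]
PAGE_SITE = ["listen 443", "server_name _", "ssl on"]
# Constructed tightened variant: the same lists with the flagged entries dropped.
TIGHTENED = [
    "ssl_protocols TLSv1.2",
    "ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:"
    "DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5",
]

if __name__ == "__main__":
    for label, items in (("http", PAGE_HTTP_PARAMS), ("site", PAGE_SITE),
                         ("tightened", TIGHTENED)):
        print(label, audit_directives(items))
```

TLSv1 and TLSv1.1 were formally deprecated by RFC 8996, and current nginx releases expect the `ssl` parameter on `listen` instead of the `ssl on` directive.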
Dependencies: None

License: BSD

Authors:
- Original : Benno Joy
- Modified by : DAUPHANT Julien
- ONE ROLE SSL : Egidijus Ligeika