From b9c600dbce6a7a24a16a241649ac399917b92236 Mon Sep 17 00:00:00 2001
From: Alex Kotov
Date: Tue, 14 Jan 2020 15:23:21 +0500
Subject: [PATCH] Add "tasks/nginx.yml"
---
 defaults/main.yml | 3 ++
 handlers/main.yml | 6 +++
 molecule/default/tests/test_default.py | 5 +++
 tasks/main.yml | 1 +
 tasks/nginx.yml | 55 ++++++++++++++++++++++++
 templates/nginx/origin.conf | 42 ++++++++++++++++++
 templates/nginx/proxy.conf | 59 ++++++++++++++++++++++++++
 templates/nginx/redirect.conf | 22 ++++++++++
 templates/nginx/upstream.conf | 5 +++
 vars/main.yml | 5 +++
 10 files changed, 203 insertions(+)
 create mode 100644 tasks/nginx.yml
 create mode 100644 templates/nginx/origin.conf
 create mode 100644 templates/nginx/proxy.conf
 create mode 100644 templates/nginx/redirect.conf
 create mode 100644 templates/nginx/upstream.conf
diff --git a/defaults/main.yml b/defaults/main.yml
index ed97d53..0223dbc 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1 +1,4 @@
 ---
+common__nginx__remove_default: true
+common__nginx__upstreams: []
+common__nginx__sites: []
diff --git a/handlers/main.yml b/handlers/main.yml
index b3db518..d2dfa28 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -10,3 +10,9 @@
 - name: common | Load iptables rules for IPv6
 shell: 'cat {{ common__iptables__conf_ipv6 }} | ip6tables-restore'
+
+- name: common | Restart Nginx
+ systemd:
+ daemon_reload: true
+ name: nginx
+ state: restarted
diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py
index 1a823c0..95014a0 100644
--- a/molecule/default/tests/test_default.py
+++ b/molecule/default/tests/test_default.py
@@ -49,3 +49,8 @@ def test_iptables_config(host, version):
 assert f.user == 'root'
 assert f.group == 'root'
 assert f.mode == 0o644
+
+
+def test_nginx_default_removed(host):
+ assert host.file('/etc/nginx/sites-available/default').exists
+ assert not host.file('/etc/nginx/sites-enabled/default').exists
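Review bot: `state: restarted` in the new `common | Restart Nginx` handler takes the service down whenever a rendered site or upstream file fails to parse, because nginx refuses to start on a broken configuration, and every templating task in tasks/nginx.yml notifies this handler. `state: reloaded` keeps the running workers on the old configuration when the new one is rejected, so a templating mistake becomes a failed reload in the play output rather than an outage. `daemon_reload: true` only matters when unit files change, which nothing in this patch does, so it can be dropped from the handler.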
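Review bot: `test_nginx_default_removed` checks only the two paths and never that nginx came back after the `common | Restart Nginx` handler ran, so a restart that fails on a bad rendered config would still pass the suite. Adding `assert host.service('nginx').is_running` and `assert host.service('nginx').is_enabled` to this test, or to a sibling test, pins the state the role is actually meant to leave behind. The positive assertion on `/etc/nginx/sites-available/default` assumes the Debian packaging layout, which is consistent with the `apt` install in tasks/nginx.yml but worth a one-line comment so the assumption is visible.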
diff --git a/tasks/main.yml b/tasks/main.yml
index 4315e38..4475d5d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -2,3 +2,4 @@
 - include_tasks: usability.yml
 - include_tasks: ssh.yml
 - include_tasks: iptables.yml
+- include_tasks: nginx.yml
diff --git a/tasks/nginx.yml b/tasks/nginx.yml
new file mode 100644
index 0000000..e8c3859
--- /dev/null
+++ b/tasks/nginx.yml
@@ -0,0 +1,55 @@
+---
+- name: Install Nginx
+ apt:
+ update_cache: true
+ name: nginx
+
+- name: Create directories for Nginx configuration
+ file:
+ state: directory
+ path: '{{ item }}'
+ mode: 'u=rwx,g=rx,o=rx'
+ owner: root
+ group: root
+ with_items:
+ - '{{ common__nginx__conf_dir }}'
+ - '{{ common__nginx__confd_dir }}'
+ - '{{ common__nginx__available_dir }}'
+ - '{{ common__nginx__enabled_dir }}'
+
+- name: Remove Nginx default site
+ file:
+ state: absent
+ path: '{{ common__nginx__enabled_dir }}/default'
+ when: common__nginx__remove_default | bool
+ notify: common | Restart Nginx
+
+- name: Add Nginx upstreams
+ template:
+ src: 'templates/nginx/upstream.conf'
+ dest: '{{ common__nginx__confd_dir }}/upstream-{{ item.name }}.conf'
+ mode: 'u=rw,g=r,o=r'
+ owner: root
+ group: root
+ with_items: '{{ common__nginx__upstreams }}'
+ notify: common | Restart Nginx
+
+- name: Add Nginx sites
+ template:
+ src: 'templates/nginx/{{ item.type }}.conf'
+ dest: '{{ common__nginx__available_dir }}/{{ item.domain }}.conf'
+ mode: 'u=rw,g=r,o=r'
+ owner: root
+ group: root
+ with_items: '{{ common__nginx__sites }}'
+ notify: common | Restart Nginx
+
+- name: Enable Nginx sites
+ file:
+ state: link
+ src: '{{ common__nginx__available_dir }}/{{ item.domain }}.conf'
+ dest: '{{ common__nginx__enabled_dir }}/{{ item.domain }}.conf'
+ owner: root
+ group: root
+ with_items: '{{ common__nginx__sites }}'
+ notify: common | Restart Nginx
diff --git a/templates/nginx/origin.conf b/templates/nginx/origin.conf
new file mode 100644
index 0000000..d899339
--- /dev/null
+++ b/templates/nginx/origin.conf
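Review bot: `Enable Nginx sites` only creates links; nothing in tasks/nginx.yml removes the link or the rendered file for a domain that is later dropped from `common__nginx__sites` (the same holds for `Add Nginx upstreams` and `common__nginx__upstreams`), so a decommissioned vhost keeps being served with its old certificate and proxy targets until someone cleans up by hand. A task that lists `{{ common__nginx__enabled_dir }}` and removes any `*.conf` link whose domain is no longer in the list would make the directory converge on the inventory. Nothing validates the rendered configuration before the `common | Restart Nginx` handler fires either, so a task running `nginx -t` after `Enable Nginx sites` would fail the play before the restart instead of leaving nginx down; the pruning and validation tasks below are one way to do both.
```yaml
# … unchanged: Install Nginx … Enable Nginx sites …

- name: Find enabled Nginx site links
  find:
    paths: '{{ common__nginx__enabled_dir }}'
    patterns: '*.conf'
    file_type: link
  register: common__nginx__enabled_links

- name: Remove Nginx sites no longer in common__nginx__sites
  file:
    state: absent
    path: '{{ item.path }}'
  with_items: '{{ common__nginx__enabled_links.files }}'
  when: (item.path | basename | regex_replace('\.conf$', '')) not in (common__nginx__sites | map(attribute='domain') | list)
  notify: common | Restart Nginx

- name: Validate Nginx configuration
  command: nginx -t
  changed_when: false
```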
@@ -0,0 +1,42 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ item.domain }};
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name {{ item.domain }};
+
+ ssl_certificate {{ item.cert }};
+ ssl_certificate_key {{ item.key }};
+
+ include {{ item.ssl_conf }};
+
+ root {{ item.root }};
+
+ try_files $uri/index.html $uri @origin;
+
+ location @origin {
+ proxy_cache_bypass $http_upgrade;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+
+ proxy_set_header Connection "upgrade";
+ proxy_set_header HOST $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header X-Forwarded-For $http_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://{{ item.upstream }};
+ }
+
+ error_page 500 502 503 504 /500.html;
+ client_max_body_size 4G;
+ keepalive_timeout 10;
+}
diff --git a/templates/nginx/proxy.conf b/templates/nginx/proxy.conf
new file mode 100644
index 0000000..1071fef
--- /dev/null
+++ b/templates/nginx/proxy.conf
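Review bot: `proxy_set_header X-Forwarded-For $http_x_forwarded_for;` in `location @origin` forwards the client's own header unchanged, so the upstream sees whatever address the client chose to claim and no header at all for a request that did not carry one; `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends `$remote_addr` to the incoming value, which is the form that lets the upstream trust at least the last hop (proxy.conf sets the same header from `$remote_addr`, so the two templates currently disagree as well). `proxy_set_header Connection "upgrade";` is sent on every request, including the ones where `$http_upgrade` is empty, which is the usual source of odd keep-alive behaviour with HTTP/1.1 backends; the standard arrangement is an http-level `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` with `proxy_set_header Connection $connection_upgrade;`, which needs a home in the http context outside this template. The port-80 redirect server block is repeated verbatim in proxy.conf and redirect.conf and could become one shared include.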
@@ -0,0 +1,59 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ item.domain }};
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name {{ item.domain }};
+
+ ssl_certificate {{ item.cert }};
+ ssl_certificate_key {{ item.key }};
+
+ include {{ item.ssl_conf }};
+
+ ssl_verify_client optional;
+ ssl_client_certificate {{ item.clnt_ca }};
+
+ proxy_cache_bypass $http_upgrade;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+
+ proxy_set_header Connection "upgrade";
+ proxy_set_header HOST $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ location / {
+ recursive_error_pages on;
+
+ error_page 418 = @no_crt;
+ error_page 419 = @with_crt;
+
+ if ($ssl_client_verify != SUCCESS) {
+ return 418;
+ }
+
+ if ($ssl_client_verify = SUCCESS) {
+ return 419;
+ }
+ }
+
+ location @no_crt {
+ proxy_pass https://{{ item.no_crt }};
+ }
+
+ location @with_crt {
+ proxy_pass https://{{ item.with_crt }};
+ }
+}
diff --git a/templates/nginx/redirect.conf b/templates/nginx/redirect.conf
new file mode 100644
index 0000000..52d0a69
--- /dev/null
+++ b/templates/nginx/redirect.conf
@@ -0,0 +1,22 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ item.domain }};
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name {{ item.domain }};
+
+ ssl_certificate {{ item.cert }};
+ ssl_certificate_key {{ item.key }};
+
+ include {{ item.ssl_conf }};
+
+ return 301 https://{{ item.redir_to }}$request_uri;
+}
diff --git a/templates/nginx/upstream.conf b/templates/nginx/upstream.conf
new file mode 100644
index 0000000..bc6e504
--- /dev/null
+++ b/templates/nginx/upstream.conf
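Review bot: The `proxy_pass https://…` targets in `location @no_crt` and `location @with_crt` are reached with nginx's default `proxy_ssl_verify off`, so the backend's certificate is never checked and the TLS hop to the upstream does not authenticate it; `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <path to the backend CA bundle>;` and `proxy_ssl_name $host;` at server level (or in both locations) close that, with the bundle path added as a new `item` field alongside `clnt_ca`. The client-certificate result is used only to choose a backend; nothing tells the `with_crt` backend who authenticated, so if it relies on that identity it would presumably need something like `proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn;` — depends on what that backend expects. The second `if ($ssl_client_verify = SUCCESS)` is redundant once the first `if` has returned on every other value, so `location /` could end with a plain `return 419;` after the `!= SUCCESS` check.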
@@ -0,0 +1,5 @@
+upstream {{ item.name }} {
+{% for server in item.servers %}
+ server {{ server }};
+{% endfor %}
+}
diff --git a/vars/main.yml b/vars/main.yml
index 2ce9e55..1ea69df 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -2,3 +2,8 @@
 common__iptables__conf_dir: '/etc/iptables'
 common__iptables__conf_ipv4: '{{ common__iptables__conf_dir }}/rules.v4'
 common__iptables__conf_ipv6: '{{ common__iptables__conf_dir }}/rules.v6'
+
+common__nginx__conf_dir: '/etc/nginx'
+common__nginx__confd_dir: '{{ common__nginx__conf_dir }}/conf.d'
+common__nginx__available_dir: '{{ common__nginx__conf_dir }}/sites-available'
+common__nginx__enabled_dir: '{{ common__nginx__conf_dir }}/sites-enabled'