Improve support for listen and ssl directives in stream contexts (#287)

Alessandro Fael Garcia 2020-07-21 17:26:42 +02:00 committed by GitHub
parent 730ab15ecb
commit 838e756ab8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 174 additions and 120 deletions

View File

@ -6,27 +6,49 @@ BREAKING CHANGES:
* The Debian and Ubuntu repositories have slightly changed. You may run into some duplication issues when running the role on a preexisting target that already has had NGINX installed using the role. To fix this, manually remove the old repository source.
* If you use `custom_options` you will now need to manually end each directive with a semicolon.
* The listen directive structure in the `stream` template has been updated to the listen directive structure found in the `http` template. You can now specify multiple `listen` directives in the same `server` block as well as include any extra `listen` options you might need.
Old configuration example
```yaml
listen_address: localhost
listen_port: 80
udp_enable: false
```
New configuration example
```yaml
listen:
listen_localhost:
ip: 0.0.0.0 # Wrap in square brackets for IPv6 addresses
port: 80
ssl: false
opts: [] # Listen opts like udp which will be added (ssl is automatically added if you specify 'ssl:').
```
The one major change is that instead of using `udp_enable: true` you will now need to use `opts: [udp]` if you wish to enable `udp`.
FEATURES:
* Add support to configure logrotate
* Add support for Ubuntu Focal
* Add support to configure SELinux
* Two new variables have been introduced -- `nginx_install` and `nginx_configure` -- to let you choose whether you want to install NGINX, configure NGINX, or both
* Add support to configure logrotate.
* Add support for Ubuntu Focal.
* Add support to configure SELinux.
* Two new variables have been introduced -- `nginx_install` and `nginx_configure` -- to let you choose whether you want to install NGINX, configure NGINX, or both.
ENHANCEMENTS:
* The role now uses `include_tasks` instead of `import_tasks` when possible to speed up the role's execution time
* Molecule tests using Testinfra have been migrated to use Ansible instead.
* The role now uses `include_tasks` instead of `import_tasks` when possible to speed up the role's execution time.
* Improve configuration templating capabilities:
* Add support for unix upstreams
* Add PID templating option
* Add support for down parameter in upstreams
* Add option for custom error pages
* Add support for unix upstreams.
* Add PID templating option.
* Add support for down parameter in upstreams.
* Add option for custom error pages.
* Add SSL support to `stream` contexts.
BUG FIXES:
* `nginx_debug_output` would sometimes fail if the NGINX had not been automatically started by the system upon installation
* If `http_demo_conf` was undefined the web server template interpolation would fail
* `nginx_debug_output` would sometimes fail if NGINX had not been automatically started by the system upon installation.
* If `http_demo_conf` was undefined the web server template interpolation would fail.
## 0.14.0 (April 22, 2020)
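Review bot: the migration note misstates two things a user will copy verbatim. The `opts` comment says ssl "is automatically added if you specify 'ssl:'", yet the example sets `ssl: false`; per the new stream template the ` ssl` parameter is appended only when the value is truthy, so say "if you set `ssl: true`". Second, the old `listen_address: localhost` never bound loopback: the old template special-cased it into a bare `listen <port>;`, which binds every interface, and the new example keeps a key named `listen_localhost` while binding `ip: 0.0.0.0`. Spell that out and tell users who really want loopback to write `ip: 127.0.0.1` (or `[::1]`), otherwise the rename reads as a tightening that did not happen.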
@ -38,15 +60,15 @@ BREAKING CHANGES:
FEATURES:
* Install/build NGINX from source options now available
* Implement NGINX http sub module templating
* NGINX config is now correctly validated each run
* SSL Private Key data is hidden when running the role with the --diff flag
* Install/build NGINX from source options now available.
* Implement NGINX http sub module templating.
* NGINX config is now correctly validated each run.
* SSL Private Key data is hidden when running the role with the `--diff` flag.
BUG FIXES:
* The role should no longer sporadically cause apt update to fail in amd64 systems when installing NGINX from an official repository
* Modules should now correctly install when using a specific NGINX Plus version
* The role should no longer sporadically cause apt update to fail in amd64 systems when installing NGINX from an official repository.
* Modules should now correctly install when using a specific NGINX Plus version.
## 0.13.0 (December 13, 2019)
@ -58,27 +80,27 @@ BREAKING CHANGES:
FEATURES:
* Improve NGINX http templating:
* Multiple server support in HTTP contexts
* Header support
* OCSP stapling
* Improved proxy settings
* Logging settings
* Improved SSL settings
* Improved authentication settings
* Max body size support
* Improved listen templating
* Switch to Molecule for testing
* Add support for Debian Buster
* Support for specifying which version of NGINX to install
* Split default variables into multiple functional files
* Improve support for Alpine distributions
* Support for updating or removing NGINX from your system
* Implemented tags to support running specific tasks instead of the whole role
* Multiple server support in HTTP contexts.
* Header support.
* OCSP stapling.
* Improved proxy settings.
* Logging settings.
* Improved SSL settings.
* Improved authentication settings.
* Max body size support.
* Improved listen templating.
* Switch to Molecule for testing.
* Add support for Debian Buster.
* Support for specifying which version of NGINX to install.
* Split default variables into multiple functional files.
* Improve support for Alpine distributions.
* Support for updating or removing NGINX from your system.
* Implemented tags to support running specific tasks instead of the whole role.
BUG FIXES:
* Module installation when using NGINX Plus has been fixed
* Websockets templating has been reenabled after being accidentally deleted
* Module installation when using NGINX Plus has been fixed.
* Websockets templating has been reenabled after being accidentally deleted.
* When deleting your NGINX Plus license from the system, the NGINX Plus repository will also be deleted to prevent issues further down the line if you run a repository update since there will not be a license anymore to authenticate into the NGINX Plus repository.
## 0.12.0 (May 22, 2019)
@ -86,135 +108,135 @@ BUG FIXES:
FEATURES:
* Improve NGINX http templating - following parameters are now supported:
* Websockets
* Basic authentication
* Proxy cache
* Proxy redirect
* Proxy timeouts
* SSL
* Root (in server context)
* Add basic NGINX stream templating
* Add support for RHEL 8 and Alpine Linux
* Websockets.
* Basic authentication.
* Proxy cache.
* Proxy redirect.
* Proxy timeouts.
* SSL.
* Root (in server context).
* Add basic NGINX stream templating.
* Add support for RHEL 8 and Alpine Linux.
BUG FIXES:
* Fix module installation tasks
* Fix module installation tasks.
## 0.11.0 (Januray 14, 2019)
FEATURES:
* Allow setting a custom apt and rpm signing key host
* Add support for enabling an http to https redirects
* Add ansible_managed to templates
* Rename html_app_name to web_server_name
* Rename load_balancer block to reverse_proxy
* Allow setting the listen port when using SSL
* Improve SSL defaults
* Allow setting http or https server locations in proxy_pass
* Allow setting a custom apt and rpm signing key host.
* Add support for enabling an http to https redirects.
* Add ansible_managed to templates.
* Rename html_app_name to web_server_name.
* Rename load_balancer block to reverse_proxy.
* Allow setting the listen port when using SSL.
* Improve SSL defaults.
* Allow setting http or https server locations in proxy_pass.
BUG FIXES:
* Ignore undefined values for autoindex and health check
* Clarify that the redirect variable refers to a http to https redirect
* Ignore undefined values for autoindex and health check.
* Clarify that the redirect variable refers to a http to https redirect.
## 0.10.1 (November 26, 2018)
BUG FIXES:
* Fix HTML template to use correct variable name
* Fix HTML template to use correct variable name.
## 0.10.0 (November 26, 2018)
FEATURES:
* Improve templating support for health checks, multiple location blocks, and auto indexing
* Improve templating support for health checks, multiple location blocks, and auto indexing.
BUG FIXES:
* Fetching the NGINX signing key is now more reliable
* Fixed HTML templating
* Fetching the NGINX signing key is now more reliable.
* Fixed HTML templating.
## 0.9.0 (October 18, 2018)
FEATURES:
* Refactor NGINX templating and file uploading
* Add ability to upload and template HTML files
* Add ability to upload SSL keys and certificates
* Refactor NGINX templating and file uploading.
* Add ability to upload and template HTML files.
* Add ability to upload SSL keys and certificates.
## 0.8.0 (September 17, 2018)
FEATURES:
* Add ability to install NGINX Plus Controller agent
* Refactor installation of NGINX Amplify agent
* Rename variables to be prefixed with `nginx_`
* Add ability to install NGINX Plus Controller agent.
* Refactor installation of NGINX Amplify agent.
* Rename variables to be prefixed with `nginx_`.
BUG FIXES:
* Correct spelling of name in `tasks/prerequisites/setup-debian.yml`
* Correct spelling of name in `tasks/prerequisites/setup-debian.yml`.
## 0.7.1 (August 21, 2018)
FEATURES:
* Add enabled parameter to NGINX and NGINX Unit handlers
* Add enabled parameter to NGINX and NGINX Unit handlers.
## 0.7.0 (August 4, 2018)
FEATURES:
* Add Amazon Linux 2 support for NGINX Plus
* Add ability to delete NGINX Plus license after installation
* Add Amazon Linux 2 support for NGINX Plus.
* Add ability to delete NGINX Plus license after installation.
BUG FIXES:
* GeoIP module can now be properly installed
* Module installation will no longer fail if only one module is specified
* GeoIP module can now be properly installed.
* Module installation will no longer fail if only one module is specified.
## 0.6.0 (July 19, 2018)
FEATURES:
* Improve NGINX Unit related documentation
* Add FreeBSD and Amazon Linux 2 support for NGINX Unit
* Allow users to install NGINX Unit without having to also install NGINX
* Improve NGINX Unit related documentation.
* Add FreeBSD and Amazon Linux 2 support for NGINX Unit.
* Allow users to install NGINX Unit without having to also install NGINX.
## 0.5.0 (June 28, 2018)
FEATURES:
* Add support for NGINX Unit
* Add support for NGINX Unit.
## 0.4.0 (May 25, 2018)
FEATURES:
* Implement support for FreeBSD
* Allow users to select the default NGINX repository
* Implement support for FreeBSD.
* Allow users to select the default NGINX repository.
## 0.3.0 (April 19, 2018)
FEATURES:
* Improve Travis CI testing strategy
* Improve Travis CI testing strategy.
BUG FIXES:
* Fix templating and push tasks
* Fix templating and push tasks.
## 0.2.0 (April 12, 2018)
FEATURES:
* Add support for all first party NGINX modules
* Add support for all first party NGINX modules.
BUG FIXES:
* Role should now work correctly in distros with old versions of Python
* Rest API configuration will now only be created when rest_api_enable is set to true (an empty file would be created in previous versions if rest_api_enable was set to false)
* Uploading/dynamically generating files should now result in the files being uploaded/created to/in the correct directory
* Role should now work correctly in distros with old versions of Python.
* Rest API configuration will now only be created when rest_api_enable is set to true (an empty file would be created in previous versions if rest_api_enable was set to false).
* Uploading/dynamically generating files should now result in the files being uploaded/created to/in the correct directory.
## 0.1.0 - Initial release (Januray 26, 2018)
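Review bot: while this hunk is rewriting almost every line of the older entries for punctuation, the two headings `## 0.11.0 (Januray 14, 2019)` and `## 0.1.0 - Initial release (Januray 26, 2018)` still carry the "Januray" typo; fix them in the same pass.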

View File

@ -75,6 +75,21 @@ nginx_http_template:
port: 8081
ssl: true
opts: [] # Listen opts like http2 which will be added (ssl is automatically added if you specify 'ssl:').
ssl:
cert: /etc/ssl/certs/default.crt
key: /etc/ssl/private/default.key
dhparam: /etc/ssl/private/dh_param.pem
protocols: TLSv1 TLSv1.1 TLSv1.2
ciphers: HIGH:!aNULL:!MD5
prefer_server_ciphers: true
session_cache: none
session_timeout: 5m
disable_session_tickets: false
trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt
stapling: true
stapling_verify: true
buffer_size: 16k
ecdh_curve: auto
server_name: localhost
include_files: []
http_error_pages: {}
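Review bot: since the `ssl:` block is being relocated anyway, this is the moment to stop shipping `protocols: TLSv1 TLSv1.1 TLSv1.2` as the example default; TLS 1.0 and 1.1 are deprecated by browser vendors and PCI DSS, and defaults from a role's example file end up in production unchanged. `protocols: TLSv1.2 TLSv1.3` (TLS 1.3 needs NGINX built against OpenSSL 1.1.1 or later, which the currently supported releases of Debian Buster and Ubuntu Focal provide) and a cipher string that excludes non-PFS and CBC suites would be a safer baseline than `HIGH:!aNULL:!MD5`; the same three lines are duplicated into the new stream `ssl:` block later in this commit, so fix both.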
@ -106,21 +121,7 @@ nginx_http_template:
# name: Header-X
# value: Value-X
# always: false
ssl:
cert: /etc/ssl/certs/default.crt
key: /etc/ssl/private/default.key
dhparam: /etc/ssl/private/dh_param.pem
protocols: TLSv1 TLSv1.1 TLSv1.2
ciphers: HIGH:!aNULL:!MD5
prefer_server_ciphers: true
session_cache: none
session_timeout: 5m
disable_session_tickets: false
trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt
stapling: true
stapling_verify: true
buffer_size: 16k
ecdh_curve: auto
sub_filter:
# sub_filters: []
last_modified: "off"
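Review bot: the rendered diff drops indentation, so it is impossible to confirm from here that the relocated `ssl:` block (previous hunk) sits at the server level beside `server_name`, and not nested under the last `listen` entry, where a mapping named `ssl` would collide with that entry's boolean `ssl` flag. Please double-check the YAML nesting in the file itself, and run the http template once with the defaults to make sure `ssl_certificate` still renders.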
@ -342,9 +343,24 @@ nginx_stream_template:
conf_file_location: /etc/nginx/conf.d/stream/
network_streams:
default:
listen_address: localhost
listen_port: 80
udp_enable: false
listen:
listen_localhost:
ip: 0.0.0.0 # Wrap in square brackets for IPv6 addresses
port: 80
ssl: false
opts: [] # Listen opts like udp which will be added (ssl is automatically added if you specify 'ssl:').
ssl:
cert: /etc/ssl/certs/default.crt
key: /etc/ssl/private/default.key
dhparam: /etc/ssl/private/dh_param.pem
protocols: TLSv1 TLSv1.1 TLSv1.2
ciphers: HIGH:!aNULL:!MD5
prefer_server_ciphers: true
session_cache: none
session_timeout: 5m
disable_session_tickets: false
trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt
ecdh_curve: auto
include_files: []
proxy_pass: backend
proxy_timeout: 3s
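Review bot: the `default` network stream now has `ssl: false` on its only listen entry but a fully populated `ssl:` block; per the new stream template the `ssl_certificate` / `ssl_certificate_key` directives are emitted whenever `network_streams[stream].ssl` is a non-empty mapping, independent of any listen flag, so the default renders TLS directives into a plaintext listener and `nginx -t` fails as soon as `/etc/ssl/certs/default.crt` is absent. Either ship the block commented out, as the http defaults do for headers, or gate it in the template on at least one listen entry having `ssl: true`. The `protocols: TLSv1 TLSv1.1 TLSv1.2` and `ciphers: HIGH:!aNULL:!MD5` defaults carry the same weakness noted for the http block; `stapling` is correctly omitted here since the stream ssl module has no OCSP stapling.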

View File

@ -361,9 +361,12 @@
conf_file_location: /etc/nginx/conf.d/stream
network_streams:
app:
listen_address: 0.0.0.0
listen_port: 8090
udp_enable: false
listen:
listen_localhost:
ip: 0.0.0.0
port: 80
opts:
- udp
proxy_pass: backend
proxy_timeout: 3s
proxy_connect_timeout: 1s
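Review bot: this hunk changes what the Molecule scenario exercises rather than just migrating syntax: the `app` stream moves from `0.0.0.0:8090` TCP to `0.0.0.0:80` UDP, so no test renders a plain TCP stream listener any more, and a UDP proxy to the `backend` upstream cannot reach whatever TCP service the verify step was talking to on 8090. Keep the original entry (`ip: 0.0.0.0`, `port: 8090`) and add a second listen entry for the UDP case, and since SSL in stream contexts is the headline of this commit, add one scenario with `ssl: true` plus an `ssl:` block so the new template branch is actually rendered and validated.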

View File

@ -33,25 +33,38 @@ upstream {{ item.value.upstreams[upstream].name }} {
{% if item.value.network_streams is defined %}
{% for stream in item.value.network_streams %}
server {
{% if item.value.network_streams[stream].listen_address is defined and item.value.network_streams[stream].listen_port is defined %}
{% if item.value.network_streams[stream].listen_address == 'localhost' %}
{% if item.value.network_streams[stream].udp_enable %}
listen {{ item.value.network_streams[stream].listen_port }} udp;
{% else %}
listen {{ item.value.network_streams[stream].listen_port }};
{% for listen in item.value.network_streams[stream].listen %}
listen {% if item.value.network_streams[stream].listen[listen].ip is defined and item.value.network_streams[stream].listen[listen].ip | length %}{{ item.value.network_streams[stream].listen[listen].ip }}:{% endif %}{{ item.value.network_streams[stream].listen[listen].port }}{% if item.value.network_streams[stream].listen[listen].ssl is defined and item.value.network_streams[stream].listen[listen].ssl %} ssl{% endif %}{% if item.value.network_streams[stream].listen[listen].opts is defined and item.value.network_streams[stream].listen[listen].opts | length %} {{ item.value.network_streams[stream].listen[listen].opts | join(" ") }}{% endif %};
{% endfor %}
{% if item.value.network_streams[stream].ssl is defined and item.value.network_streams[stream].ssl %}
ssl_certificate {{ item.value.network_streams[stream].ssl.cert }};
ssl_certificate_key {{ item.value.network_streams[stream].ssl.key }};
{% if item.value.network_streams[stream].ssl.trusted_cert is defined %}
ssl_trusted_certificate {{ item.value.network_streams[stream].ssl.trusted_cert }};
{% endif %}
{% else %}
{% if item.value.network_streams[stream].udp_enable %}
listen {{ item.value.network_streams[stream].listen_address }}:{{ item.value.network_streams[stream].listen_port }} udp;
{% else %}
listen {{ item.value.network_streams[stream].listen_address }}:{{ item.value.network_streams[stream].listen_port }};
{% if item.value.network_streams[stream].ssl.dhparam is defined %}
ssl_dhparam {{ item.value.network_streams[stream].ssl.dhparam }};
{% endif %}
{% if item.value.network_streams[stream].ssl.protocols is defined and item.value.network_streams[stream].ssl.protocols %}
ssl_protocols {{ item.value.network_streams[stream].ssl.protocols }};
{% endif %}
{% elif item.value.network_streams[stream].listen_port is defined %}
{% if item.value.network_streams[stream].udp_enable %}
listen {{ item.value.network_streams[stream].listen_port }} udp;
{% else %}
listen {{ item.value.network_streams[stream].listen_port }};
{% if item.value.network_streams[stream].ssl.ciphers is defined and item.value.network_streams[stream].ssl.ciphers %}
ssl_ciphers {{ item.value.network_streams[stream].ssl.ciphers }};
{% endif %}
{% if item.value.network_streams[stream].ssl.prefer_server_ciphers is defined and item.value.network_streams[stream].ssl.prefer_server_ciphers %}
ssl_prefer_server_ciphers on;
{% endif %}
{% if item.value.network_streams[stream].ssl.session_cache is defined and item.value.network_streams[stream].ssl.session_cache %}
ssl_session_cache {{ item.value.network_streams[stream].ssl.session_cache }};
{% endif %}
{% if item.value.network_streams[stream].ssl.session_timeout is defined and item.value.network_streams[stream].ssl.session_timeout %}
ssl_session_timeout {{ item.value.network_streams[stream].ssl.session_timeout }};
{% endif %}
{% if item.value.network_streams[stream].ssl.disable_session_tickets is defined and item.value.network_streams[stream].ssl.disable_session_tickets %}
ssl_session_tickets off;
{% endif %}
{% if item.value.network_streams[stream].ssl.ecdh_curve is defined and item.value.network_streams[stream].ssl.ecdh_curve %}
ssl_ecdh_curve {{ item.value.network_streams[stream].ssl.ecdh_curve }};
{% endif %}
{% endif %}
{% if item.value.network_streams[stream].include_files is defined and item.value.network_streams[stream].include_files | length %}
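Review bot: the `for listen in ...network_streams[stream].listen` loop at the top of this hunk has no `is defined` guard, unlike the `listen_address ... is defined` check it replaces, so any inventory still carrying the old `listen_address` / `listen_port` keys (or omitting `listen`) now aborts the template with an undefined-variable error instead of rendering a server without a listen line; wrap the loop in `{% if item.value.network_streams[stream].listen is defined %}` or fail early with a clear message. Inside the `ssl` branch, `.ssl.cert` and `.ssl.key` are read unguarded while every other key is checked with `is defined`; either guard them the same way or document that both are required. Two smaller points: the ssl directives are emitted whenever the `ssl` mapping is non-empty, not when a listen entry has `ssl: true`, so a plaintext-only server still gets `ssl_certificate`; and nothing stops `ssl: true` together with `opts: [udp]` on one entry, which NGINX rejects, so the role's config validation will be the first place users learn that.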