Improve support for listen and ssl directives in stream contexts (#287)

2020-07-21 17:26:42 +02:00 · 2020-07-21 17:26:42 +02:00 · 838e756ab8
commit 838e756ab8
parent 730ab15ecb
4 changed files with 174 additions and 120 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -6,27 +6,49 @@ BREAKING CHANGES:
 *   The Debian and Ubuntu repositories have slightly changed. You may run into some duplication issues when running the role on a preexisting target that already has had NGINX installed using the role. To fix this, manually remove the old repository source.
 *   If you use `custom_options` you will now need to manually end each directive with a semicolon.
 *   The listen directive structure in the `stream` template has been updated to the listen directive structure found in the `http` template. You can now specify multiple `listen` directives in the same `server` block as well as include any extra `listen` options you might need.
    Old configuration example
    ```yaml
    listen_address: localhost
    listen_port: 80
    udp_enable: false
    ```
    New configuration example
    ```yaml
    listen:
      listen_localhost:
        ip: 0.0.0.0  # Wrap in square brackets for IPv6 addresses
        port: 80
        ssl: false
        opts: []  # Listen opts like udp which will be added (ssl is automatically added if you specify 'ssl:').
    ```
    The one major change is that instead of using `udp_enable: true` you will now need to use `opts: [udp]` if you wish to enable `udp`.
 FEATURES:
-*   Add support to configure logrotate
+*   Add support to configure logrotate.
-*   Add support for Ubuntu Focal
+*   Add support for Ubuntu Focal.
-*   Add support to configure SELinux
+*   Add support to configure SELinux.
-*   Two new variables have been introduced -- `nginx_install` and `nginx_configure` -- to let you choose whether you want to install NGINX, configure NGINX, or both
+*   Two new variables have been introduced -- `nginx_install` and `nginx_configure` -- to let you choose whether you want to install NGINX, configure NGINX, or both.
 ENHANCEMENTS:
-*   The role now uses `include_tasks` instead of `import_tasks` when possible to speed up the role's execution time
+*   Molecule tests using Testinfra have been migrated to use Ansible instead.
 *   The role now uses `include_tasks` instead of `import_tasks` when possible to speed up the role's execution time.
 *   Improve configuration templating capabilities:
-    *   Add support for unix upstreams
+    *   Add support for unix upstreams.
-    *   Add PID templating option
+    *   Add PID templating option.
-    *   Add support for down parameter in upstreams
+    *   Add support for down parameter in upstreams.
-    *   Add option for custom error pages
+    *   Add option for custom error pages.
    *   Add SSL support to `stream` contexts.
 BUG FIXES:
-*   `nginx_debug_output` would sometimes fail if the NGINX had not been automatically started by the system upon installation
+*   `nginx_debug_output` would sometimes fail if NGINX had not been automatically started by the system upon installation.
-*   If `http_demo_conf` was undefined the web server template interpolation would fail
+*   If `http_demo_conf` was undefined the web server template interpolation would fail.
 ## 0.14.0 (April 22, 2020)
@ -38,15 +60,15 @@ BREAKING CHANGES:
 FEATURES:
-*   Install/build NGINX from source options now available
+*   Install/build NGINX from source options now available.
-*   Implement NGINX http sub module templating
+*   Implement NGINX http sub module templating.
-*   NGINX config is now correctly validated each run
+*   NGINX config is now correctly validated each run.
-*   SSL Private Key data is hidden when running the role with the --diff flag
+*   SSL Private Key data is hidden when running the role with the `--diff` flag.
 BUG FIXES:
-*   The role should no longer sporadically cause apt update to fail in amd64 systems when installing NGINX from an official repository
+*   The role should no longer sporadically cause apt update to fail in amd64 systems when installing NGINX from an official repository.
-*   Modules should now correctly install when using a specific NGINX Plus version
+*   Modules should now correctly install when using a specific NGINX Plus version.
 ## 0.13.0 (December 13, 2019)
@ -58,27 +80,27 @@ BREAKING CHANGES:
 FEATURES:
 *   Improve NGINX http templating:
-    *   Multiple server support in HTTP contexts
+    *   Multiple server support in HTTP contexts.
-    *   Header support
+    *   Header support.
-    *   OCSP stapling
+    *   OCSP stapling.
-    *   Improved proxy settings
+    *   Improved proxy settings.
-    *   Logging settings
+    *   Logging settings.
-    *   Improved SSL settings
+    *   Improved SSL settings.
-    *   Improved authentication settings
+    *   Improved authentication settings.
-    *   Max body size support
+    *   Max body size support.
-    *   Improved listen templating
+    *   Improved listen templating.
-*   Switch to Molecule for testing
+*   Switch to Molecule for testing.
-*   Add support for Debian Buster
+*   Add support for Debian Buster.
-*   Support for specifying which version of NGINX to install
+*   Support for specifying which version of NGINX to install.
-*   Split default variables into multiple functional files
+*   Split default variables into multiple functional files.
-*   Improve support for Alpine distributions
+*   Improve support for Alpine distributions.
-*   Support for updating or removing NGINX from your system
+*   Support for updating or removing NGINX from your system.
-*   Implemented tags to support running specific tasks instead of the whole role
+*   Implemented tags to support running specific tasks instead of the whole role.
 BUG FIXES:
-*   Module installation when using NGINX Plus has been fixed
+*   Module installation when using NGINX Plus has been fixed.
-*   Websockets templating has been reenabled after being accidentally deleted
+*   Websockets templating has been reenabled after being accidentally deleted.
 *   When deleting your NGINX Plus license from the system, the NGINX Plus repository will also be deleted to prevent issues further down the line if you run a repository update since there will not be a license anymore to authenticate into the NGINX Plus repository.
 ## 0.12.0 (May 22, 2019)
@ -86,135 +108,135 @@ BUG FIXES:
 FEATURES:
 *   Improve NGINX http templating - following parameters are now supported:
-    *   Websockets
+    *   Websockets.
-    *   Basic authentication
+    *   Basic authentication.
-    *   Proxy cache
+    *   Proxy cache.
-    *   Proxy redirect
+    *   Proxy redirect.
-    *   Proxy timeouts
+    *   Proxy timeouts.
-    *   SSL
+    *   SSL.
-    *   Root (in server context)
+    *   Root (in server context).
-    *   Add basic NGINX stream templating
+    *   Add basic NGINX stream templating.
-    *   Add support for RHEL 8 and Alpine Linux
+    *   Add support for RHEL 8 and Alpine Linux.
 BUG FIXES:
-*   Fix module installation tasks
+*   Fix module installation tasks.
 ## 0.11.0 (Januray 14, 2019)
 FEATURES:
-*   Allow setting a custom apt and rpm signing key host
+*   Allow setting a custom apt and rpm signing key host.
-*   Add support for enabling an http to https redirects
+*   Add support for enabling an http to https redirects.
-*   Add ansible_managed to templates
+*   Add ansible_managed to templates.
-*   Rename html_app_name to web_server_name
+*   Rename html_app_name to web_server_name.
-*   Rename load_balancer block to reverse_proxy
+*   Rename load_balancer block to reverse_proxy.
-*   Allow setting the listen port when using SSL
+*   Allow setting the listen port when using SSL.
-*   Improve SSL defaults
+*   Improve SSL defaults.
-*   Allow setting http or https server locations in proxy_pass
+*   Allow setting http or https server locations in proxy_pass.
 BUG FIXES:
-*   Ignore undefined values for autoindex and health check
+*   Ignore undefined values for autoindex and health check.
-*   Clarify that the redirect variable refers to a http to https redirect
+*   Clarify that the redirect variable refers to a http to https redirect.
 ## 0.10.1 (November 26, 2018)
 BUG FIXES:
-*   Fix HTML template to use correct variable name
+*   Fix HTML template to use correct variable name.
 ## 0.10.0 (November 26, 2018)
 FEATURES:
-*   Improve templating support for health checks, multiple location blocks, and auto indexing
+*   Improve templating support for health checks, multiple location blocks, and auto indexing.
 BUG FIXES:
-*   Fetching the NGINX signing key is now more reliable
+*   Fetching the NGINX signing key is now more reliable.
-*   Fixed HTML templating
+*   Fixed HTML templating.
 ## 0.9.0 (October 18, 2018)
 FEATURES:
-*   Refactor NGINX templating and file uploading
+*   Refactor NGINX templating and file uploading.
-*   Add ability to upload and template HTML files
+*   Add ability to upload and template HTML files.
-*   Add ability to upload SSL keys and certificates
+*   Add ability to upload SSL keys and certificates.
 ## 0.8.0 (September 17, 2018)
 FEATURES:
-*   Add ability to install NGINX Plus Controller agent
+*   Add ability to install NGINX Plus Controller agent.
-*   Refactor installation of NGINX Amplify agent
+*   Refactor installation of NGINX Amplify agent.
-*   Rename variables to be prefixed with `nginx_`
+*   Rename variables to be prefixed with `nginx_`.
 BUG FIXES:
-*   Correct spelling of name in `tasks/prerequisites/setup-debian.yml`
+*   Correct spelling of name in `tasks/prerequisites/setup-debian.yml`.
 ## 0.7.1 (August 21, 2018)
 FEATURES:
-*   Add enabled parameter to NGINX and NGINX Unit handlers
+*   Add enabled parameter to NGINX and NGINX Unit handlers.
 ## 0.7.0 (August 4, 2018)
 FEATURES:
-*   Add Amazon Linux 2 support for NGINX Plus
+*   Add Amazon Linux 2 support for NGINX Plus.
-*   Add ability to delete NGINX Plus license after installation
+*   Add ability to delete NGINX Plus license after installation.
 BUG FIXES:
-*   GeoIP module can now be properly installed
+*   GeoIP module can now be properly installed.
-*   Module installation will no longer fail if only one module is specified
+*   Module installation will no longer fail if only one module is specified.
 ## 0.6.0 (July 19, 2018)
 FEATURES:
-*   Improve NGINX Unit related documentation
+*   Improve NGINX Unit related documentation.
-*   Add FreeBSD and Amazon Linux 2 support for NGINX Unit
+*   Add FreeBSD and Amazon Linux 2 support for NGINX Unit.
-*   Allow users to install NGINX Unit without having to also install NGINX
+*   Allow users to install NGINX Unit without having to also install NGINX.
 ## 0.5.0 (June 28, 2018)
 FEATURES:
-*   Add support for NGINX Unit
+*   Add support for NGINX Unit.
 ## 0.4.0 (May 25, 2018)
 FEATURES:
-*   Implement support for FreeBSD
+*   Implement support for FreeBSD.
-*   Allow users to select the default NGINX repository
+*   Allow users to select the default NGINX repository.
 ## 0.3.0 (April 19, 2018)
 FEATURES:
-*   Improve Travis CI testing strategy
+*   Improve Travis CI testing strategy.
 BUG FIXES:
-*   Fix templating and push tasks
+*   Fix templating and push tasks.
 ## 0.2.0 (April 12, 2018)
 FEATURES:
-*   Add support for all first party NGINX modules
+*   Add support for all first party NGINX modules.
 BUG FIXES:
-*   Role should now work correctly in distros with old versions of Python
+*   Role should now work correctly in distros with old versions of Python.
-*   Rest API configuration will now only be created when rest_api_enable is set to true (an empty file would be created in previous versions if rest_api_enable was set to false)
+*   Rest API configuration will now only be created when rest_api_enable is set to true (an empty file would be created in previous versions if rest_api_enable was set to false).
-*   Uploading/dynamically generating files should now result in the files being uploaded/created to/in the correct directory
+*   Uploading/dynamically generating files should now result in the files being uploaded/created to/in the correct directory.
 ## 0.1.0 - Initial release (Januray 26, 2018)
--- a/defaults/main/template.yml
+++ b/defaults/main/template.yml
@ -75,6 +75,21 @@ nginx_http_template:
            port: 8081
            ssl: true
            opts: []  # Listen opts like http2 which will be added (ssl is automatically added if you specify 'ssl:').
        ssl:
          cert: /etc/ssl/certs/default.crt
          key: /etc/ssl/private/default.key
          dhparam: /etc/ssl/private/dh_param.pem
          protocols: TLSv1 TLSv1.1 TLSv1.2
          ciphers: HIGH:!aNULL:!MD5
          prefer_server_ciphers: true
          session_cache: none
          session_timeout: 5m
          disable_session_tickets: false
          trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt
          stapling: true
          stapling_verify: true
          buffer_size: 16k
          ecdh_curve: auto
        server_name: localhost
        include_files: []
        http_error_pages: {}
@ -106,21 +121,7 @@ nginx_http_template:
          #   name: Header-X
          #   value: Value-X
          #   always: false
-        ssl:
+
          cert: /etc/ssl/certs/default.crt
          key: /etc/ssl/private/default.key
          dhparam: /etc/ssl/private/dh_param.pem
          protocols: TLSv1 TLSv1.1 TLSv1.2
          ciphers: HIGH:!aNULL:!MD5
          prefer_server_ciphers: true
          session_cache: none
          session_timeout: 5m
          disable_session_tickets: false
          trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt
          stapling: true
          stapling_verify: true
          buffer_size: 16k
          ecdh_curve: auto
        sub_filter:
          # sub_filters: []
          last_modified: "off"
@ -342,9 +343,24 @@ nginx_stream_template:
    conf_file_location: /etc/nginx/conf.d/stream/
    network_streams:
      default:
-        listen_address: localhost
+        listen:
-        listen_port: 80
+          listen_localhost:
-        udp_enable: false
+            ip: 0.0.0.0  # Wrap in square brackets for IPv6 addresses
            port: 80
            ssl: false
            opts: []  # Listen opts like udp which will be added (ssl is automatically added if you specify 'ssl:').
        ssl:
          cert: /etc/ssl/certs/default.crt
          key: /etc/ssl/private/default.key
          dhparam: /etc/ssl/private/dh_param.pem
          protocols: TLSv1 TLSv1.1 TLSv1.2
          ciphers: HIGH:!aNULL:!MD5
          prefer_server_ciphers: true
          session_cache: none
          session_timeout: 5m
          disable_session_tickets: false
          trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt
          ecdh_curve: auto
        include_files: []
        proxy_pass: backend
        proxy_timeout: 3s
--- a/molecule/common/playbooks/template_converge.yml
+++ b/molecule/common/playbooks/template_converge.yml
@ -361,9 +361,12 @@
        conf_file_location: /etc/nginx/conf.d/stream
        network_streams:
          app:
-            listen_address: 0.0.0.0
+            listen:
-            listen_port: 8090
+              listen_localhost:
-            udp_enable: false
+                ip: 0.0.0.0
                port: 80
                opts:
                  - udp
            proxy_pass: backend
            proxy_timeout: 3s
            proxy_connect_timeout: 1s
--- a/templates/stream/default.conf.j2
+++ b/templates/stream/default.conf.j2
@ -33,25 +33,38 @@ upstream {{ item.value.upstreams[upstream].name }} {
 {% if item.value.network_streams is defined %}
 {% for stream in item.value.network_streams %}
 server {
-{% if item.value.network_streams[stream].listen_address is defined and item.value.network_streams[stream].listen_port is defined %}
+{% for listen in item.value.network_streams[stream].listen %}
-{% if item.value.network_streams[stream].listen_address == 'localhost' %}
+    listen {% if item.value.network_streams[stream].listen[listen].ip is defined and item.value.network_streams[stream].listen[listen].ip | length %}{{ item.value.network_streams[stream].listen[listen].ip }}:{% endif %}{{ item.value.network_streams[stream].listen[listen].port }}{% if item.value.network_streams[stream].listen[listen].ssl is defined and item.value.network_streams[stream].listen[listen].ssl %} ssl{% endif %}{% if item.value.network_streams[stream].listen[listen].opts is defined and item.value.network_streams[stream].listen[listen].opts | length %} {{ item.value.network_streams[stream].listen[listen].opts | join(" ") }}{% endif %};
-{% if item.value.network_streams[stream].udp_enable %}
+{% endfor %}
-    listen {{ item.value.network_streams[stream].listen_port }} udp;
+{% if item.value.network_streams[stream].ssl is defined and item.value.network_streams[stream].ssl %}
-{% else %}
+    ssl_certificate {{ item.value.network_streams[stream].ssl.cert }};
-    listen {{ item.value.network_streams[stream].listen_port }};
+    ssl_certificate_key {{ item.value.network_streams[stream].ssl.key }};
 {% if item.value.network_streams[stream].ssl.trusted_cert is defined %}
    ssl_trusted_certificate {{ item.value.network_streams[stream].ssl.trusted_cert }};
 {% endif %}
-{% else %}
+{% if item.value.network_streams[stream].ssl.dhparam is defined %}
-{% if item.value.network_streams[stream].udp_enable %}
+    ssl_dhparam {{ item.value.network_streams[stream].ssl.dhparam }};
    listen {{ item.value.network_streams[stream].listen_address }}:{{ item.value.network_streams[stream].listen_port }} udp;
 {% else %}
    listen {{ item.value.network_streams[stream].listen_address }}:{{ item.value.network_streams[stream].listen_port }};
 {% endif %}
 {% if item.value.network_streams[stream].ssl.protocols is defined and item.value.network_streams[stream].ssl.protocols %}
    ssl_protocols {{ item.value.network_streams[stream].ssl.protocols }};
 {% endif %}
-{% elif item.value.network_streams[stream].listen_port is defined %}
+{% if item.value.network_streams[stream].ssl.ciphers is defined and item.value.network_streams[stream].ssl.ciphers %}
-{% if item.value.network_streams[stream].udp_enable %}
+    ssl_ciphers {{ item.value.network_streams[stream].ssl.ciphers }};
-    listen {{ item.value.network_streams[stream].listen_port }} udp;
+{% endif %}
-{% else %}
+{% if item.value.network_streams[stream].ssl.prefer_server_ciphers is defined and item.value.network_streams[stream].ssl.prefer_server_ciphers %}
-    listen {{ item.value.network_streams[stream].listen_port }};
+    ssl_prefer_server_ciphers on;
 {% endif %}
 {% if item.value.network_streams[stream].ssl.session_cache is defined and item.value.network_streams[stream].ssl.session_cache %}
    ssl_session_cache {{ item.value.network_streams[stream].ssl.session_cache }};
 {% endif %}
 {% if item.value.network_streams[stream].ssl.session_timeout is defined and item.value.network_streams[stream].ssl.session_timeout %}
    ssl_session_timeout {{ item.value.network_streams[stream].ssl.session_timeout }};
 {% endif %}
 {% if item.value.network_streams[stream].ssl.disable_session_tickets is defined and item.value.network_streams[stream].ssl.disable_session_tickets %}
    ssl_session_tickets off;
 {% endif %}
 {% if item.value.network_streams[stream].ssl.ecdh_curve is defined and item.value.network_streams[stream].ssl.ecdh_curve %}
    ssl_ecdh_curve {{ item.value.network_streams[stream].ssl.ecdh_curve }};
 {% endif %}
 {% endif %}
 {% if item.value.network_streams[stream].include_files is defined and item.value.network_streams[stream].include_files | length %}