diff --git a/.gitignore b/.gitignore index a732325..fe14e01 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ .molecule +.cache \ No newline at end of file diff --git a/.travis.yml b/.travis.yml index 03b9abc..6cfc878 100644 --- a/.travis.yml +++ b/.travis.yml @@ -8,8 +8,8 @@ before_install: install: - sudo apt-get install -y python-pip libssl-dev libffi-dev - - pip install molecule - - pip install docker-py + - pip install ansible + - pip install "molecule[docker]" #- ansible-galaxy install -r requirements.yml script: diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..8827676 --- /dev/null +++ b/.yamllint @@ -0,0 +1,33 @@ +--- +# Based on ansible-lint config +extends: default + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + colons: + max-spaces-after: -1 + level: error + commas: + max-spaces-after: -1 + level: error + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: + max: 3 + level: error + hyphens: + level: error + indentation: disable + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: disable + new-lines: + type: unix + trailing-spaces: disable + truthy: disable diff --git a/README.md b/README.md index 953bd0a..9859329 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,12 @@ Use it in a playbook as follows, assuming you already have docker setup: ```yaml - hosts: 'servers' + + pre_tasks: + - name: Update apt cache. + apt: update_cache=yes cache_valid_time=600 + when: ansible_os_family == 'Debian' + roles: - role: geerlingguy.docker # You can use any other role to install docker, but docker is a requirement (see obove) - role: 'marvinpinto.docker-nginx' 
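Review bot: `pip install ansible` and `pip install "molecule[docker]"` in the `install:` section are unpinned, so the CI job resolves whatever the latest releases are on the day it runs and can break without any change to the role. The apt line still installs `python-pip`, the Python 2 package, while current molecule releases require Python 3, so the job is likely to fail on interpreter grounds before it reaches the role. Pin both packages to the versions used locally, e.g. `- pip install "ansible==<version>" "molecule[docker]==<version>"`, and switch the apt dependency to `python3-pip` to match the Python 3 packages this commit introduces in vars/Debian.yml.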
@@ -72,6 +78,25 @@ Expected to Be Configured * `nginx_reverse_proxy_backends`: list of backend servers, including ports and [other valid parameters for `server` in the `upstream` context of an nginx config file](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#server) * `nginx_reverse_proxy_config_name`: name to use for the proxy file (do not include the '.conf' extension, role will add this) +Custom config files +------------------- + +You are able to use the variable `nginx_custom_conf` to setup custom config files in `/etc/nginx/conf.d/configfile.conf` + +Example: + +```yaml +nginx_custom_conf: + - config_name: some_config # Do not add the .conf, it will be added by the role + # Example lines to add a return to some other url + lines: + - "server {" + - " listen 80;" + - " server_name host.domain.net;" + - " return 301 http://someother:port/path.html;" + - "}" +``` + Example Playbook ---------------- 
@@ -102,6 +127,65 @@ nginx_reverse_proxy_proxies: ``` +Example adding ssl reverse proxy support +---------------------------------------- + +First add a task in your playbook to extract the ssl files + +```yaml +- name: Apply tasks for docker nginx servers + hosts: docker_nginx_servers + become: yes + environment: "{{ proxy_env }}" + tasks: + - name: Install Unzip required for unarchive + package: + name: ["unzip","tar"] + state: present + - name: install docker ansible dependencies + pip: + name: docker-py + state: present + - name: Download SSL Certificate bundle + environment: + http_proxy: '' + https_proxy: '' + # Example getting the file from gitlab api + # you can also use unarchive or get_url module + shell: "wget --header='PRIVATE-TOKEN: {{ VAULT_DOCKER_NGINX_SERVERS_VAULT_FILES_TOKEN }}' 'http://exampledomain.com/api/v4/projects/50/repository/files/ssl-certificate.tar.gz/raw?ref=master' -O /tmp/ssl-certificate.tar.gz" + changed_when: False + no_log: True + - name: Unarchive SSL Certificate to ssl folder + unarchive: + src: /tmp/ssl-certificate.tar.gz + dest: /etc/ssl + remote_src: yes +``` + +```yaml +# Remmember also to modify nginx_exposed_volumes to allow access to the files +nginx_reverse_proxy_proxies_ssl: + - config_name: app2proxy + backend_name: my-backend-2 + backends: + - localhost:1882 + - localhost:1883 backup # will act as backup, and nginx only passes traffic when primary is unavailable. 
+ domains: + - app2.192.168.88.10.xip.io + balancer_config: least_conn; # Important to add semicolon at the end ; if not the config will break + +nginx_reverse_proxy_ssl_crt: '/etc/ssl/exampledomain_com.crt' +nginx_reverse_proxy_ssl_key: '/etc/ssl/exampledomain_com.key' + +nginx_exposed_volumes: + - "{{ nginx_base_directory }}/nginx.conf:/etc/nginx/nginx.conf:ro" + - "{{ nginx_base_directory }}/defaults:/usr/share/nginx/html:ro" + - "{{ nginx_reverse_proxy_config_directory }}:/etc/nginx/conf.d:ro" + - "/etc/ssl/exampledomain_com.crt:/etc/ssl/exampledomain_com.crt:ro" + - "/etc/ssl/exampledomain_com.key:/etc/ssl/exampledomain_com.key:ro" + +``` + License ------- diff --git a/defaults/main.yml b/defaults/main.yml index 72fc3e5..bb22227 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,17 +7,31 @@ nginx_static_html_directory: 'defaults' nginx_reverse_proxy_proxies: [] +# Remmember also to modify nginx_exposed_volumes to allow access to the files +nginx_reverse_proxy_proxies_ssl: [] +nginx_reverse_proxy_ssl_crt: '/etc/ssl/exampledomain_com.crt' +nginx_reverse_proxy_ssl_key: '/etc/ssl/exampledomain_com.key' + +nginx_custom_conf: [] + nginx_exposed_ports: - '80' + - '443' nginx_published_ports: - '80:80' + - '443:443' nginx_exposed_volumes: - "{{ nginx_base_directory }}/nginx.conf:/etc/nginx/nginx.conf:ro" - "{{ nginx_base_directory }}/defaults:/usr/share/nginx/html:ro" - "{{ nginx_reverse_proxy_config_directory }}:/etc/nginx/conf.d:ro" +nginx_reverse_proxy_connect_timeout: '60' +nginx_reverse_proxy_send_timeout: '180' +nginx_reverse_proxy_read_timeout: '300' +nginx_reverse_send_timeout: '180' + nginx_conf: | user root; worker_processes 1; @@ -40,3 +54,4 @@ nginx_conf: | keepalive_timeout 65; include /etc/nginx/conf.d/*.conf; } + diff --git a/molecule/default/Dockerfile.j2 b/molecule/default/Dockerfile.j2 deleted file mode 100644 index f8b4e75..0000000 --- a/molecule/default/Dockerfile.j2 +++ /dev/null 
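Review bot: The new tasks in tasks/main.yml loop over `nginx_reverse_proxy_proxies_cloud_ssl` and `nginx_reverse_proxy_proxies_onprem_ssl` with `with_items`, but neither list gets a default here, so any play that does not define both fails with an undefined-variable error before the container is started. Add `nginx_reverse_proxy_proxies_cloud_ssl: []` and `nginx_reverse_proxy_proxies_onprem_ssl: []` next to `nginx_reverse_proxy_proxies_ssl: []`, and document `nginx_reverse_proxy_cloud_ssl_crt`/`_key` and `nginx_reverse_proxy_onprem_ssl_crt`/`_key` (read by the two new templates once those lists are non-empty) as required, or default them like the plain SSL pair. `nginx_reverse_send_timeout` also breaks the `nginx_reverse_proxy_*` naming of its three siblings; a one-line comment stating it maps to nginx's `send_timeout` (client-side), as opposed to `proxy_send_timeout`, would avoid the two being confused.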
@@ -1,9 +0,0 @@ -# Molecule managed - -FROM {{ item.image }} - -RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ - elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python2-dnf bash && dnf clean all; \ - elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ - elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \ - elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; fi diff --git a/molecule/default/INSTALL.rst b/molecule/default/INSTALL.rst index e26493b..982d3e3 100644 --- a/molecule/default/INSTALL.rst +++ b/molecule/default/INSTALL.rst @@ -6,11 +6,13 @@ Requirements ============ * Docker Engine -* docker-py +* ansible +* molecule[docker] Install ======= .. code-block:: bash - $ sudo pip install docker-py + $ pip install --user ansible + $ pip install --user molecule[docker] diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml new file mode 100644 index 0000000..39b51f2 --- /dev/null +++ b/molecule/default/converge.yml @@ -0,0 +1,23 @@ +--- +- name: Converge + hosts: all + pre_tasks: + - name: Update apt cache. + apt: update_cache=yes cache_valid_time=600 + when: ansible_os_family == 'Debian' + + - name: Wait for systemd to complete initialization. # noqa 303 + command: systemctl is-system-running + register: systemctl_status + until: > + 'running' in systemctl_status.stdout or + 'degraded' in systemctl_status.stdout + retries: 30 + delay: 5 + when: ansible_service_mgr == 'systemd' + changed_when: false + failed_when: systemctl_status.rc > 1 + + roles: + - role: geerlingguy.docker + - role: ansible-role-docker-nginx 
diff --git a/molecule/default/create.yml b/molecule/default/create.yml deleted file mode 100644 index bfb2149..0000000 --- a/molecule/default/create.yml +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -- name: Create - hosts: localhost - connection: local - gather_facts: false - no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}" - vars: - molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}" - molecule_ephemeral_directory: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}" - molecule_scenario_directory: "{{ lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}" - molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}" - tasks: - - name: Create Dockerfiles from image names - template: - src: "{{ molecule_scenario_directory }}/Dockerfile.j2" - dest: "{{ molecule_ephemeral_directory }}/Dockerfile_{{ item.image | regex_replace('[^a-zA-Z0-9_]', '_') }}" - with_items: "{{ molecule_yml.platforms }}" - register: platforms - - - name: Discover local Docker images - docker_image_facts: - name: "molecule_local/{{ item.item.name }}" - with_items: "{{ platforms.results }}" - register: docker_images - - - name: Build an Ansible compatible image - docker_image: - path: "{{ molecule_ephemeral_directory }}" - name: "molecule_local/{{ item.item.image }}" - dockerfile: "{{ item.item.dockerfile | default(item.invocation.module_args.dest) }}" - force: "{{ item.item.force | default(true) }}" - with_items: "{{ platforms.results }}" - when: platforms.changed or docker_images.results | map(attribute='images') | select('equalto', []) | list | count >= 0 - - - name: Create molecule instance(s) - docker_container: - name: "{{ item.name }}" - hostname: "{{ item.name }}" - image: "molecule_local/{{ item.image }}" - state: started - recreate: false - log_driver: syslog - command: "{{ item.command | default('bash -c \"while true; do sleep 10000; done\"') }}" - privileged: "{{ item.privileged | default(omit) }}" - volumes: "{{ item.volumes | default(omit) }}" - capabilities: "{{ item.capabilities | default(omit) }}" - ports: "{{ item.exposed_ports | default(omit) }}" - register: server - with_items: "{{ molecule_yml.platforms }}" - async: 7200 - poll: 
0 - - - name: Wait for instance(s) creation to complete - async_status: - jid: "{{ item.ansible_job_id }}" - register: docker_jobs - until: docker_jobs.finished - retries: 300 - with_items: "{{ server.results }}" diff --git a/molecule/default/destroy.yml b/molecule/default/destroy.yml deleted file mode 100644 index 3ce7478..0000000 --- a/molecule/default/destroy.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -- name: Destroy - hosts: localhost - connection: local - gather_facts: false - no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}" - vars: - molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}" - molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}" - tasks: - - name: Destroy molecule instance(s) - docker_container: - name: "{{ item.name }}" - state: absent - force_kill: "{{ item.force_kill | default(true) }}" - register: server - with_items: "{{ molecule_yml.platforms }}" - async: 7200 - poll: 0 - - - name: Wait for instance(s) deletion to complete - async_status: - jid: "{{ item.ansible_job_id }}" - register: docker_jobs - until: docker_jobs.finished - retries: 300 - with_items: "{{ server.results }}" diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 72a5333..be12838 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
@@ -1,47 +1,52 @@ --- dependency: name: galaxy + options: + ignore-certs: True + ignore-errors: True + role-file: tests/requirements.yml # this file is at the root of the git project same place as molecule is executed driver: name: docker -lint: - name: yamllint + platforms: - - name: ansible_test-01 - image: solita/ubuntu-systemd:16.04 + + # Not possible to test on ubuntu under docker due to aufs only support + #- name: ansible_nginx_docker_test-01 + # image: "geerlingguy/docker-ubuntu2004-ansible:latest" + # privileged: True + # command: /sbin/init + # pre_build_image: true + # capabilities: + # - SYS_ADMIN + # tmpfs: + # - /run + # - /tmp + # volumes: + # - "/sys/fs/cgroup:/sys/fs/cgroup:ro" + + - name: ansible_nginx_docker_test-04 + image: "geerlingguy/docker-centos8-ansible" privileged: True command: /sbin/init - capabilities: - - SYS_ADMIN - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:ro" - - "/var/run/docker.sock:/var/run/docker.sock" - groups: - - group1 - # In docker cannot be tested with centos 7 due to https://github.com/ansible/ansible-modules-core/issues/593 - - name: ansible_test-03 - image: centos/systemd - command: /sbin/init + pre_build_image: true capabilities: - SYS_ADMIN + tmpfs: + - /run + - /tmp volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:ro" - - "/var/run/docker.sock:/var/run/docker.sock" - privileged: True - groups: - - group1 + provisioner: name: ansible - lint: - name: ansible-lint -scenario: - name: default -verifier: - name: testinfra - lint: - name: flake8 -dependency: - name: galaxy - options: - ignore-certs: True - ignore-errors: True - role-file: tests/requirements.yml + config_options: + defaults: + callback_whitelist: profile_tasks + ssh_connection: + pipelining: true + ssh_args: -o ControlMaster=auto -o ControlPersist=60s + #inventory: + # host_vars: + # setting for the platform instance named 'ansible_nginx_docker_test-04' + #ansible_nginx_docker_test-04: + # ansible_user: ansible 
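Review bot: `ignore-certs: True` under `dependency.options` disables TLS certificate verification for everything `ansible-galaxy` downloads, and `ignore-errors: True` lets a failed dependency fetch pass silently; both are carried over from the old trailing `dependency:` block rather than introduced here, but `role-file` now resolves to a git URL (tests/requirements.yml in this commit), so a bad or tampered fetch would go unnoticed and the scenario would test against whatever was already on disk. Drop both options so the scenario fails loudly on a fetch problem. The commented-out `ansible_nginx_docker_test-01` platform is dead configuration; keep the one-line reason (`aufs`) and remove the block, or move it to an issue, rather than leaving ~12 commented lines in the platform list.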
diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml deleted file mode 100644 index 94ad49b..0000000 --- a/molecule/default/playbook.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Converge - hosts: all - vars: - burp_module_test_client: False - burpui_standalone: True - roles: - - role: geerlingguy.docker - - role: ansible-role-docker-nginx diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml deleted file mode 100644 index 5358b3b..0000000 --- a/molecule/default/prepare.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Prepare - hosts: all - gather_facts: false - tasks: [] diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py deleted file mode 100644 index eedd64a..0000000 --- a/molecule/default/tests/test_default.py +++ /dev/null @@ -1,14 +0,0 @@ -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def test_hosts_file(host): - f = host.file('/etc/hosts') - - assert f.exists - assert f.user == 'root' - assert f.group == 'root' diff --git a/molecule/default/tests/test_default.pyc b/molecule/default/tests/test_default.pyc deleted file mode 100644 index 6cb1388..0000000 Binary files a/molecule/default/tests/test_default.pyc and /dev/null differ diff --git a/tasks/main.yml b/tasks/main.yml index b9b741e..124843d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,6 +1,6 @@ --- -- include: multi_os.yml +- import_tasks: multi_os.yml - include_tasks: RedHat.yml when: ansible_os_family == 'RedHat' and ansible_distribution != 'Fedora' 
@@ -51,6 +51,35 @@ with_items: "{{ nginx_reverse_proxy_proxies }}" notify: 'restart-docker-nginx' +- name: deploy reverse proxy configurations ssl + template: + src: reverse-proxy-ssl.conf.j2 + dest: "{{ nginx_reverse_proxy_config_directory }}/{{ item.config_name }}.conf" + with_items: "{{ nginx_reverse_proxy_proxies_ssl }}" + notify: 'restart-docker-nginx' + +- name: deploy reverse proxy cloud configurations ssl + template: + src: reverse-proxy-ssl-cloud.conf.j2 + dest: "{{ nginx_reverse_proxy_config_directory }}/{{ item.config_name }}.conf" + with_items: "{{ nginx_reverse_proxy_proxies_cloud_ssl }}" + notify: 'restart-docker-nginx' + +- name: deploy reverse proxy onprem configurations ssl + template: + src: reverse-proxy-ssl-onprem.conf.j2 + dest: "{{ nginx_reverse_proxy_config_directory }}/{{ item.config_name }}.conf" + with_items: "{{ nginx_reverse_proxy_proxies_onprem_ssl }}" + notify: 'restart-docker-nginx' + + +- name: deploy custom conf files + template: + src: custom-config.conf.j2 + dest: "{{ nginx_reverse_proxy_config_directory }}/{{ item.config_name }}.conf" + with_items: "{{ nginx_custom_conf }}" + notify: 'restart-docker-nginx' + - name: 'Start the nginx docker container' become: yes docker_container: diff --git a/templates/custom-config.conf.j2 b/templates/custom-config.conf.j2 new file mode 100644 index 0000000..d5ed866 --- /dev/null +++ b/templates/custom-config.conf.j2 @@ -0,0 +1,3 @@ +{% for l in item.lines %} +{{ l }} +{% endfor %} \ No newline at end of file diff --git a/templates/reverse-proxy-ssl-cloud.conf.j2 b/templates/reverse-proxy-ssl-cloud.conf.j2 new file mode 100644 index 0000000..573e32c --- /dev/null +++ b/templates/reverse-proxy-ssl-cloud.conf.j2 
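Review bot: All four new template tasks render to `{{ nginx_reverse_proxy_config_directory }}/{{ item.config_name }}.conf`, the same path the existing plain-proxy task above uses, so a `config_name` that appears in more than one of the five lists is silently overwritten by whichever task runs last and the handler restarts nginx with the wrong vhost. A single assertion ahead of the template tasks turns that into a play-time error instead of a runtime surprise; a sketch is below. The enclosing task list starts above the hunk (the plain-proxy task is only partly visible).
```yaml
- name: Ensure config_name is unique across all nginx config lists
  assert:
    that: _nginx_conf_names | length == (_nginx_conf_names | unique | length)
    fail_msg: "duplicate config_name across nginx proxy/custom config lists: {{ _nginx_conf_names }}"
  vars:
    _nginx_conf_names: >-
      {{ (nginx_reverse_proxy_proxies + nginx_reverse_proxy_proxies_ssl
          + nginx_reverse_proxy_proxies_cloud_ssl + nginx_reverse_proxy_proxies_onprem_ssl
          + nginx_custom_conf) | map(attribute='config_name') | list }}
# … unchanged: the four template tasks and 'Start the nginx docker container' …
```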
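Review bot: custom-config.conf.j2 emits `item.lines` verbatim with no `# {{ ansible_managed }}` header, unlike every other template in templates/, so the rendered file in conf.d gives no hint that hand edits will be overwritten by the role. Suggest adding `# {{ ansible_managed }}` as the first line, and a trailing newline after `{% endfor %}` (the file currently ends without one), so the output matches the sibling templates.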
@@ -0,0 +1,89 @@ +# {{ ansible_managed }} + +upstream {{ item.backend_name }} { + {% if item.balancer_config is defined %} + {{ item.balancer_config }} + {% endif %} + {% for backend in item.backends %} + server {{ backend }}; + {% endfor %} +} + +access_log /var/log/nginx/nginx.vhost.access.log; +error_log /var/log/nginx/nginx.vhost.error.log; + +server { + listen 80; + server_name {{ item.domains|join(' ') }}; + return 301 https://$host$request_uri; + +} + +server { + listen 443 ssl; + server_name {{ item.domains|join(' ') }}; + ssl_certificate {{ nginx_reverse_proxy_cloud_ssl_crt }}; + ssl_certificate_key {{ nginx_reverse_proxy_cloud_ssl_key }}; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + ssl_prefer_server_ciphers on; + proxy_next_upstream error timeout http_404 http_500 http_502 http_503; + + access_log /var/log/nginx/nginx.vhost.access.log; + error_log /var/log/nginx/nginx.vhost.error.log; + +{% if item.root_redirect_location is defined %} + location / { + include /etc/nginx/mime.types; + return 301 https://$host{{ item.root_redirect_location }}; + } +{% else %} + location / { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + {% if item.skip_ssl_verify | default(false) %} + proxy_pass https://{{ item.backend_name }}$request_uri; + proxy_ssl_verify off; + {% else %} + proxy_pass http://{{ item.backend_name }}$request_uri; + {% endif %} + + proxy_connect_timeout {{ nginx_reverse_proxy_connect_timeout }}; + proxy_send_timeout {{ nginx_reverse_proxy_send_timeout }}; + proxy_read_timeout {{ nginx_reverse_proxy_read_timeout }}; + send_timeout {{ nginx_reverse_send_timeout }}; + + + include /etc/nginx/mime.types; + } +{% endif %} + +{% if item.locations is defined %} +{% for location in item.locations %} + # refs: 
https://superuser.com/questions/689885/make-nginx-reverse-proxy-302-redirect-to-a-uri-sub-folder-instead-of-root + location ^~ {{ location }} { + proxy_pass http://{{ item.backend_name }}{{ location }}; + proxy_redirect default; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffer_size 128k; + proxy_buffers 8 128k; + proxy_busy_buffers_size 256k; + + proxy_connect_timeout {{ nginx_reverse_proxy_connect_timeout }}; + proxy_send_timeout {{ nginx_reverse_proxy_send_timeout }}; + proxy_read_timeout {{ nginx_reverse_proxy_read_timeout }}; + send_timeout {{ nginx_reverse_send_timeout }}; + + } +{% endfor %} +{% endif %} + +} diff --git a/templates/reverse-proxy-ssl-onprem.conf.j2 b/templates/reverse-proxy-ssl-onprem.conf.j2 new file mode 100644 index 0000000..572e220 --- /dev/null +++ b/templates/reverse-proxy-ssl-onprem.conf.j2 
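Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the new `listen 443 ssl` server keeps TLS 1.0 and 1.1 enabled, both deprecated and flagged by any current TLS scan; the identical line is in reverse-proxy-ssl-onprem.conf.j2 and reverse-proxy-ssl.conf.j2. Suggest `ssl_protocols TLSv1.2 TLSv1.3;` (the TLSv1.3 token is accepted by nginx 1.13+) and, since port 80 already redirects to https, an HSTS header in the 443 block. Separately, `skip_ssl_verify` does double duty: it is the only way to get `proxy_pass https://`, and it always pairs that with `proxy_ssl_verify off;`, so an https backend whose certificate is actually checked cannot be expressed. A `backend_https` key that defaults to the old `skip_ssl_verify` value keeps existing inventories working while making verification the default for new ones, as sketched below; the three templates differ only in the two cert variable names, so one template parameterised on those would keep these fixes in one place.
```jinja
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=63072000" always;
    # … unchanged: proxy_next_upstream, logs, root_redirect_location branch, proxy_set_header lines …
        {% if item.backend_https | default(item.skip_ssl_verify | default(false)) %}
        proxy_pass https://{{ item.backend_name }}$request_uri;
        {% if item.skip_ssl_verify | default(false) %}
        proxy_ssl_verify off;
        {% else %}
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate {{ item.backend_ca_file }};  {# constructed key: CA bundle that signed the backend cert #}
        {% endif %}
        {% else %}
        proxy_pass http://{{ item.backend_name }}$request_uri;
        {% endif %}
```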
@@ -0,0 +1,89 @@ +# {{ ansible_managed }} + +upstream {{ item.backend_name }} { + {% if item.balancer_config is defined %} + {{ item.balancer_config }} + {% endif %} + {% for backend in item.backends %} + server {{ backend }}; + {% endfor %} +} + +access_log /var/log/nginx/nginx.vhost.access.log; +error_log /var/log/nginx/nginx.vhost.error.log; + +server { + listen 80; + server_name {{ item.domains|join(' ') }}; + return 301 https://$host$request_uri; + +} + +server { + listen 443 ssl; + server_name {{ item.domains|join(' ') }}; + ssl_certificate {{ nginx_reverse_proxy_onprem_ssl_crt }}; + ssl_certificate_key {{ nginx_reverse_proxy_onprem_ssl_key }}; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + ssl_prefer_server_ciphers on; + proxy_next_upstream error timeout http_404 http_500 http_502 http_503; + + access_log /var/log/nginx/nginx.vhost.access.log; + error_log /var/log/nginx/nginx.vhost.error.log; + +{% if item.root_redirect_location is defined %} + location / { + include /etc/nginx/mime.types; + return 301 https://$host{{ item.root_redirect_location }}; + } +{% else %} + location / { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + {% if item.skip_ssl_verify | default(false) %} + proxy_pass https://{{ item.backend_name }}$request_uri; + proxy_ssl_verify off; + {% else %} + proxy_pass http://{{ item.backend_name }}$request_uri; + {% endif %} + + proxy_connect_timeout {{ nginx_reverse_proxy_connect_timeout }}; + proxy_send_timeout {{ nginx_reverse_proxy_send_timeout }}; + proxy_read_timeout {{ nginx_reverse_proxy_read_timeout }}; + send_timeout {{ nginx_reverse_send_timeout }}; + + + include /etc/nginx/mime.types; + } +{% endif %} + +{% if item.locations is defined %} +{% for location in item.locations %} + # 
refs: https://superuser.com/questions/689885/make-nginx-reverse-proxy-302-redirect-to-a-uri-sub-folder-instead-of-root + location ^~ {{ location }} { + proxy_pass http://{{ item.backend_name }}{{ location }}; + proxy_redirect default; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffer_size 128k; + proxy_buffers 8 128k; + proxy_busy_buffers_size 256k; + + proxy_connect_timeout {{ nginx_reverse_proxy_connect_timeout }}; + proxy_send_timeout {{ nginx_reverse_proxy_send_timeout }}; + proxy_read_timeout {{ nginx_reverse_proxy_read_timeout }}; + send_timeout {{ nginx_reverse_send_timeout }}; + + } +{% endfor %} +{% endif %} + +} diff --git a/templates/reverse-proxy-ssl.conf.j2 b/templates/reverse-proxy-ssl.conf.j2 new file mode 100644 index 0000000..a8a16d5 --- /dev/null +++ b/templates/reverse-proxy-ssl.conf.j2 
@@ -0,0 +1,89 @@ +# {{ ansible_managed }} + +upstream {{ item.backend_name }} { + {% if item.balancer_config is defined %} + {{ item.balancer_config }} + {% endif %} + {% for backend in item.backends %} + server {{ backend }}; + {% endfor %} +} + +access_log /var/log/nginx/nginx.vhost.access.log; +error_log /var/log/nginx/nginx.vhost.error.log; + +server { + listen 80; + server_name {{ item.domains|join(' ') }}; + return 301 https://$host$request_uri; + +} + +server { + listen 443 ssl; + server_name {{ item.domains|join(' ') }}; + ssl_certificate {{ nginx_reverse_proxy_ssl_crt }}; + ssl_certificate_key {{ nginx_reverse_proxy_ssl_key }}; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + ssl_prefer_server_ciphers on; + proxy_next_upstream error timeout http_404 http_500 http_502 http_503; + + access_log /var/log/nginx/nginx.vhost.access.log; + error_log /var/log/nginx/nginx.vhost.error.log; + +{% if item.root_redirect_location is defined %} + location / { + include /etc/nginx/mime.types; + return 301 https://$host{{ item.root_redirect_location }}; + } +{% else %} + location / { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + {% if item.skip_ssl_verify | default(false) %} + proxy_pass https://{{ item.backend_name }}$request_uri; + proxy_ssl_verify off; + {% else %} + proxy_pass http://{{ item.backend_name }}$request_uri; + {% endif %} + + proxy_connect_timeout {{ nginx_reverse_proxy_connect_timeout }}; + proxy_send_timeout {{ nginx_reverse_proxy_send_timeout }}; + proxy_read_timeout {{ nginx_reverse_proxy_read_timeout }}; + send_timeout {{ nginx_reverse_send_timeout }}; + + + include /etc/nginx/mime.types; + } +{% endif %} + +{% if item.locations is defined %} +{% for location in item.locations %} + # refs: 
https://superuser.com/questions/689885/make-nginx-reverse-proxy-302-redirect-to-a-uri-sub-folder-instead-of-root + location ^~ {{ location }} { + proxy_pass http://{{ item.backend_name }}{{ location }}; + proxy_redirect default; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffer_size 128k; + proxy_buffers 8 128k; + proxy_busy_buffers_size 256k; + + proxy_connect_timeout {{ nginx_reverse_proxy_connect_timeout }}; + proxy_send_timeout {{ nginx_reverse_proxy_send_timeout }}; + proxy_read_timeout {{ nginx_reverse_proxy_read_timeout }}; + send_timeout {{ nginx_reverse_send_timeout }}; + + } +{% endfor %} +{% endif %} + +} diff --git a/templates/reverse-proxy.conf.j2 b/templates/reverse-proxy.conf.j2 index 4095578..167e84c 100644 --- a/templates/reverse-proxy.conf.j2 +++ b/templates/reverse-proxy.conf.j2 @@ -40,8 +40,14 @@ server { proxy_buffer_size 128k; proxy_buffers 8 128k; proxy_busy_buffers_size 256k; + + nginx_reverse_proxy_connect_timeout {{ proxy_connect_timeout }}; + nginx_reverse_proxy_send_timeout {{ proxy_send_timeout }}; + nginx_reverse_proxy_read_timeout {{ proxy_read_timeout }}; + nginx_reverse_send_timeout {{ send_timeout }}; + } {% endfor %} {% endif %} -} \ No newline at end of file +} diff --git a/tests/requirements.yml b/tests/requirements.yml index 8745e39..2b08d54 100644 --- a/tests/requirements.yml +++ b/tests/requirements.yml @@ -1,5 +1,5 @@ --- -- src: geerlingguy.docker +# - src: https://github.com/geerlingguy/ansible-role-docker +- src: https://github.com/CoffeeITWorks/ansible-role-docker-1.git name: geerlingguy.docker - diff --git a/vars/Centos-7.yml b/vars/Centos-7.yml new file mode 100644 index 0000000..f3d6c82 --- /dev/null +++ b/vars/Centos-7.yml 
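Review bot: The four added lines in reverse-proxy.conf.j2 have the nginx directive and the Ansible variable swapped: `nginx_reverse_proxy_connect_timeout {{ proxy_connect_timeout }};` makes Jinja look up an undefined `proxy_connect_timeout`, so the template task fails for every entry in `nginx_reverse_proxy_proxies`, and even if it rendered nginx would reject `nginx_reverse_proxy_connect_timeout` as an unknown directive and refuse to start. The three new SSL templates carry the correct form, reproduced below. The enclosing `location ^~ {{ location }}` block and the `server {` it sits in both start above the hunk.
```jinja
      proxy_busy_buffers_size 256k;

      proxy_connect_timeout {{ nginx_reverse_proxy_connect_timeout }};
      proxy_send_timeout {{ nginx_reverse_proxy_send_timeout }};
      proxy_read_timeout {{ nginx_reverse_proxy_read_timeout }};
      send_timeout {{ nginx_reverse_send_timeout }};
```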
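Review bot: The test dependency now points at a fork (`https://github.com/CoffeeITWorks/ansible-role-docker-1.git`) aliased as `geerlingguy.docker` with no `version:`, so every molecule run installs whatever the fork's default branch is at that moment, and the alias hides that the role under test is not the upstream one. Pin it, `version: <tag or commit sha>`, and state in the comment line why the fork is needed instead of leaving the upstream URL commented out without explanation.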
@@ -0,0 +1,8 @@ +--- + +docker_py_deps: + - "python-devel" + - "python-pip" + - "openssl-devel" + - "libffi-devel" + - "libselinux-python" diff --git a/vars/Debian.yml b/vars/Debian.yml index 58d371f..fb9a14c 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml @@ -1,7 +1,7 @@ --- docker_py_deps: - - "python-dev" - - "python-pip" + - "python3-dev" + - "python3-pip" - "libssl-dev" - "libffi-dev" diff --git a/vars/RedHat.yml b/vars/RedHat.yml index f3d6c82..572c947 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -1,8 +1,8 @@ --- docker_py_deps: - - "python-devel" - - "python-pip" + - "python3-devel" + - "python3-pip" - "openssl-devel" - "libffi-devel" - - "libselinux-python" + - "python3-libselinux" diff --git a/vars/Ubuntu-16.yml b/vars/Ubuntu-16.yml new file mode 100644 index 0000000..58d371f --- /dev/null +++ b/vars/Ubuntu-16.yml @@ -0,0 +1,7 @@ +--- + +docker_py_deps: + - "python-dev" + - "python-pip" + - "libssl-dev" + - "libffi-dev"
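Review bot: `vars/Centos-7.yml` is byte-identical to the pre-change `vars/RedHat.yml` (both blobs are `f3d6c82`), i.e. the Python 2 package list, but nothing in this diff loads it: tasks/main.yml still includes only `RedHat.yml`, and `multi_os.yml` is not part of the change. If the selection is a `{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml` lookup, note that the fact value is `CentOS`, so `Centos-7.yml` would not be found on a case-sensitive filesystem; the same question applies to the new `vars/Ubuntu-16.yml` (identical to the old `vars/Debian.yml`, blob `58d371f`). Either name the files to match the lookup that actually selects them, or add a one-line comment at the top of each stating which task loads it.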