complete rework of the role structure

This commit is contained in:
Robert Kaussow 2018-08-11 14:59:43 +02:00
parent ec26de0456
commit 029f70f276
7 changed files with 183 additions and 121 deletions


@ -4,17 +4,60 @@ nginx_user: nginx
nginx_group: nginx nginx_group: nginx
nginx_worker_processes: 1 nginx_worker_processes: 1
nginx_worker_connections: 1024 nginx_worker_connections: 1024
nginx_error_log:
enabled: True
file: /var/log/nginx/error.log
level: error
nginx_access_logfile:
enabled: True
file: /var/log/nginx/access.log
level: info
## nginx buffer sizes
nginx_client_body_buffer_size: 10k
nginx_client_header_buffer_size: 1k
nginx_client_max_body_size: 8m
## nginx timeout settings
nginx_client_body_timeout: 60
nginx_client_header_timeout: 60
nginx_keepalive_timeout: 65
nginx_send_timeout: 60
nginx_reset_timedout_connection: True
## nginx compression
nginx_gzip_enabled: True
nginx_gzip_comp_level: 2
nginx_gzip_min_length: 1000
nginx_gzip_proxied:
- expired
- no-cache
- no-store
- private
- auth
nginx_gzip_types:
- text/plain
- application/x-javascript
- text/xml
- text/css
- application/xml
nginx_open_ports: nginx_open_ports:
- 80 - 80
- 443 - 443
nginx_tls_enabled: False nginx_tls_enabled: False
# nginx_tls_cert: nginx_tls_certs_dir: /etc/pki/tls/certs
# nginx_tls_private_key: nginx_tls_key_dir: /etc/pki/tls/private
# nginx_tls_intermediate_ca: nginx_tls_cert_file: "{{ nginx_tls_certs_dir }}/mycert.pem"
nginx_vhosts_dir: /var/www/vhosts nginx_tls_private_key_file: "{{ nginx_tls_key_dir }}/mycert.pem"
nginx_pfs_enabled: False nginx_pfs_enabled: False
nginx_dhparam_size: 4069 nginx_dhparam_size: 4069
nginx_dhparam_file: "/etc/pki/tls/certs/dhparam-{{ nginx_dhparam_size }}.pem" nginx_dhparam_file: "{{ nginx_tls_certs_dir }}/dhparam-{{ nginx_dhparam_size }}.pem"
nginx_tls_cert_file: "/etc/pki/tls/certs/my-chained.crt"
nginx_tls_intermediate_ca_file: "/etc/pki/tls/certs/my-intermediate.crt" nginx_vhosts_dir: /var/www/vhosts
nginx_tls_private_key_file: "/etc/pki/tls/private/my-private.key"
nginx_default_page_enabled: False
nginx_server_names_hash_bucket_size: 32
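Review bot: The new `nginx_access_logfile` key does not match the name the nginx.conf template reads, `nginx_access_log.enabled` / `nginx_access_log.file` (the `@ -17,7 +16,16 @@` hunk further down), so rendering aborts on an undefined variable; rename the default to `nginx_access_log:` so it mirrors `nginx_error_log`. The booleans are written as `True`/`False`, which only parse as booleans under YAML 1.1 rules; `true`/`false` is the portable spelling, e.g. `nginx_tls_enabled: false`. `nginx_dhparam_size: 4069` is carried over unchanged but is presumably a typo for 4096, and since the value is also part of the generated filename it is worth fixing before anyone depends on the path. Both the certificate and the private-key default end in `mycert.pem`; a distinct name such as `"{{ nginx_tls_key_dir }}/mycert.key"` makes it harder to point both variables at the same file when overriding.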


@ -62,25 +62,31 @@
notify: notify:
- nginx_reload - nginx_reload
- name: Update conf.d files
template:
src: 'etc/nginx/conf.d/{{ item }}.j2'
dest: '/etc/nginx/conf.d/{{ item }}'
owner: root
group: root
mode: 0640
validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
with_items:
- header.conf
- tls.conf
notify:
- nginx_reload
- name: Remove default.conf from conf.d - name: Remove default.conf from conf.d
file: file:
path: /etc/nginx/conf.d/default.conf path: /etc/nginx/conf.d/default.conf
state: absent state: absent
- name: Update conf.d files
template:
src: etc/nginx/conf.d/header.conf.j2
dest: /etc/nginx/conf.d/header.conf
owner: root
group: root
mode: 0640
validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
notify:
- nginx_reload
- name: Open ports in iptables
iptables_raw:
name: allow_nginx_ports
state: present
rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT'
become: True
become_user: root
- block:
- name: Add default page configuration file - name: Add default page configuration file
template: template:
src: 'etc/nginx/sites-available/default.j2' src: 'etc/nginx/sites-available/default.j2'
@ -100,77 +106,10 @@
state: link state: link
notify: notify:
- nginx_reload - nginx_reload
when: nginx_default_page_enabled
- name: Open ports in iptables
iptables_raw:
name: allow_nginx_ports
state: present
rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT'
become: True become: True
become_user: root become_user: root
- block:
- name: Copy tls certificate
copy:
content: "{{ nginx_tls_cert }}"
dest: "{{ nginx_tls_cert_file }}"
owner: root
group: root
mode: 0644
notify:
- nginx_reload
- name: Copy ssl intermediate cert
copy:
content: "{{ nginx_tls_intermediate_ca }}"
dest: "{{ nginx_tls_intermediate_ca_file }}"
owner: root
group: root
mode: 0644
notify:
- nginx_reload
- name: Copy tls private key
copy:
content: "{{ nginx_tls_private_key }}"
dest: "{{ nginx_tls_private_key_file }}"
owner: root
group: root
mode: 0600
notify:
- nginx_reload
become: True
become_user: root
when: nginx_tls_enabled
- block:
- name: Register dhparam file
stat:
path: "{{ nginx_dhparam_file }}"
register: dh_file
- name: Generate Diffie-Hellman parameter file
shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
async: 3600
poll: 60
when: not dh_file.stat.exists
notify:
- nginx_reload
become: True
become_user: root
when: nginx_pfs_enabled
- block:
- name: Add default page
template:
src: 'var/www/vhosts/default/index.html.j2'
dest: '/var/www/vhosts/default/index.html'
owner: nginx
group: nginx
mode: 0750
become: True
become_user: nginx
- name: Enable nginx service - name: Enable nginx service
systemd: systemd:
state: started state: started
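Review bot: The `Update conf.d files` task now renders only `header.conf`, and neither this hunk nor the new `tasks/tls.yml` templates `tls.conf` any more, so unless a task outside the hunk does it, `tls.conf.j2` is never deployed and a stale `/etc/nginx/conf.d/tls.conf` from an earlier run stays in place; either restore `tls.conf` to a `with_items` list, template it from `tls.yml`, or add a `file:` task with `state: absent` for it next to the `default.conf` removal. The hunk also does not show where `tls.yml` is included; an `import_tasks: tls.yml` (or `include_tasks`) is needed for the moved TLS, dhparam and default-page blocks to run at all. `mode: 0640` is an unquoted octal that generic YAML loaders read as the integer 416; `mode: "0640"` is the unambiguous form, and `become: True` is better written `become: true`. The task list continues before and after this hunk.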

61
tasks/tls.yml Normal file

@ -0,0 +1,61 @@
- block:
- name: Copy tls certificate
copy:
content: "{{ nginx_tls_cert }}"
dest: "{{ nginx_tls_cert_file }}"
owner: root
group: root
mode: 0644
notify:
- nginx_reload
- name: Copy ssl intermediate cert
copy:
content: "{{ nginx_tls_intermediate_ca }}"
dest: "{{ nginx_tls_intermediate_ca_file }}"
owner: root
group: root
mode: 0644
notify:
- nginx_reload
- name: Copy tls private key
copy:
content: "{{ nginx_tls_private_key }}"
dest: "{{ nginx_tls_private_key_file }}"
owner: root
group: root
mode: 0600
notify:
- nginx_reload
become: True
become_user: root
when: nginx_tls_enabled
- block:
- name: Register dhparam file
stat:
path: "{{ nginx_dhparam_file }}"
register: dh_file
- name: Generate Diffie-Hellman parameter file
shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
async: 3600
poll: 60
when: not dh_file.stat.exists
notify:
- nginx_reload
become: True
become_user: root
when: nginx_pfs_enabled
- block:
- name: Add default page
template:
src: 'var/www/vhosts/default/index.html.j2'
dest: '/var/www/vhosts/default/index.html'
owner: nginx
group: nginx
mode: 0750
become: True
become_user: nginx
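Review bot: `Copy ssl intermediate cert` references `nginx_tls_intermediate_ca_file`, which this commit removes from the defaults, and `nginx_tls_cert`, `nginx_tls_intermediate_ca` and `nginx_tls_private_key` have no default either, so with `nginx_tls_enabled: true` the block fails on an undefined variable; either restore the `_file` default (for instance `nginx_tls_intermediate_ca_file: "{{ nginx_tls_certs_dir }}/intermediate.pem"`) and document the three content variables as required inputs, or guard the intermediate task with `when: nginx_tls_intermediate_ca is defined`. The `Copy tls private key` task should carry `no_log: true`, otherwise the key material is printed in verbose and `--diff` output and stored by callback plugins whenever the task reports a change. `mode: 0750` on a static `index.html` grants an execute bit nginx does not need; `mode: "0644"` is the conventional value, and the hard-coded destination could use `{{ nginx_vhosts_dir }}/default/index.html` now that the variable exists. The `Add default page` block also has no `when: nginx_default_page_enabled`, so the page is written even when the default vhost is disabled, assuming that variable still gates the config-file block in main.yml.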


@ -1,6 +1,5 @@
# {{ ansible_managed }} # {{ ansible_managed }}
# default header settings # default header settings
add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY; add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";


@ -1,16 +1,10 @@
# {{ ansible_managed }} # {{ ansible_managed }}
# certificate settings # certificate settings
ssl_certificate_key /etc/pki/tls/private/my-private.key; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA';
ssl_certificate /etc/pki/tls/certs/my-chained.crt;
ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/pki/tls/certs/my-intermediate.crt;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
ssl_session_cache shared:SSL:10m;
{% if nginx_pfs_enabled and nginx_dhparam_file is defined %}
ssl_dhparam {{ nginx_dhparam_file }}; ssl_dhparam {{ nginx_dhparam_file }};
{% endif %}
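Review bot: The new `ssl_ciphers` list contains only `ECDHE-ECDSA-*` suites, so a server deployed with an RSA certificate (the common case, and the one the generic `mycert.pem` defaults suggest) has no negotiable cipher and every TLS handshake fails; add the RSA counterparts and drop the CBC suite, e.g. `ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';`. The hunk also removes `ssl_certificate`, `ssl_certificate_key`, `ssl_stapling`, `ssl_stapling_verify` and `ssl_trusted_certificate`; unless the 443 server block in the vhost template now sets the certificate directives from `nginx_tls_cert_file` and `nginx_tls_private_key_file` (not visible in its hunk), `nginx -t` rejects the config, and OCSP stapling is lost either way. Restricting `ssl_protocols` to TLSv1.2 is a good change; a comment above the cipher line stating the intended target (e.g. `# TLS 1.2 only, AEAD suites, works with RSA and ECDSA keys`) would make the policy reviewable later.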


@ -2,7 +2,6 @@
user {{ nginx_user }} {{ nginx_group }}; user {{ nginx_user }} {{ nginx_group }};
worker_processes {{ nginx_worker_processes }}; worker_processes {{ nginx_worker_processes }};
error_log /var/log/nginx/error.log;
pid /run/nginx.pid; pid /run/nginx.pid;
events { events {
@ -17,7 +16,16 @@ http {
'$status $body_bytes_sent "$http_referer" ' '$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'; '"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main; {% if nginx_error_log.enabled %}
error_log {{ nginx_error_log.file }} {{ nginx_error_log.level }};
{% else %}
error_log off;
{% endif %}
{% if nginx_access_log.enabled %}
access_log {{ nginx_access_log.file }} {{ nginx_access_log.level }};
{% else %}
access_log off;
{% endif %}
sendfile on; sendfile on;
tcp_nopush on; tcp_nopush on;
@ -26,29 +34,32 @@ http {
server_tokens off; server_tokens off;
## Buffers ## Buffers
client_body_buffer_size 10K; client_body_buffer_size {{ nginx_client_body_buffer_size }};
client_header_buffer_size 1k; client_header_buffer_size {{ nginx_client_header_buffer_size }};
client_max_body_size 8m; client_max_body_size {{ nginx_client_max_body_size }};
## Timeouts ## Timeouts
client_body_timeout 12; client_body_timeout {{ nginx_client_body_timeout }};
client_header_timeout 12; client_header_timeout {{ nginx_client_header_timeout }};
keepalive_timeout 15; keepalive_timeout {{ nginx_keepalive_timeout }};
send_timeout 10; send_timeout {{ nginx_send_timeout }};
{% if nginx_reset_timedout_connection %}
reset_timedout_connection on;
{% endif %}
## Gzip Settings ## Gzip Settings
gzip on; {% if nginx_gzip_enabled %}
gzip_comp_level 2; gzip on;
gzip_min_length 1000; gzip_comp_level {{ nginx_gzip_comp_level }};
gzip_proxied expired no-cache no-store private auth; gzip_min_length {{ nginx_gzip_min_length }};
gzip_types text/plain application/x-javascript text/xml text/css application/xml; gzip_proxied {{ nginx_gzip_proxied | join(" ") }};
gzip_types {{ nginx_gzip_types | join(" ") }};
{% endif %}
# Load modular configuration files from the /etc/nginx/conf.d directory. # Load modular configuration files from the /etc/nginx/conf.d directory
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf; include /etc/nginx/conf.d/*.conf;
## Virtual Host Configs ## Virtual Host Configs
include /etc/nginx/sites-enabled/*; include /etc/nginx/sites-enabled/*;
server_names_hash_bucket_size 64; server_names_hash_bucket_size {{ nginx_server_names_hash_bucket_size }};
} }
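Review bot: `access_log {{ nginx_access_log.file }} {{ nginx_access_log.level }};` passes the `level` value (`info` in the defaults) where nginx expects a `log_format` name, so the rendered line reads `access_log /var/log/nginx/access.log info;` and `nginx -t` fails with an unknown log format; the old line used the `main` format defined just above, so render `access_log {{ nginx_access_log.file }} main;` or rename the key to `format` with default `main`. `error_log` has moved from the main context into `http {}`; that is valid, but errors raised before the http block is parsed then go to the compiled-in default log, so keeping a main-context `error_log` as well is worth considering. The `gzip_types`/`gzip_proxied` joins assume non-empty lists: an empty list renders `gzip_types ;`, which nginx presumably rejects for having no arguments, so either document that the lists must be non-empty or wrap each directive in `{% if nginx_gzip_types %}`.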


@ -3,9 +3,23 @@ server {
listen 80; listen 80;
server_name {{ ansible_fqdn }}; server_name {{ ansible_fqdn }};
{% if nginx_tls_enabled %}
return 301 https://$server_name$request_uri; return 301 https://$server_name$request_uri;
{% else %}
location / {
root /var/www/vhosts/default;
index index.html index.htm;
}
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
{% end if %}
} }
{% if nginx_tls_enabled %}
server { server {
listen 443 ssl; listen 443 ssl;
server_name {{ ansible_fqdn }}; server_name {{ ansible_fqdn }};
@ -21,3 +35,4 @@ server {
root /usr/share/nginx/html; root /usr/share/nginx/html;
} }
} }
{% endif %}
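Review bot: `{% end if %}` closing the plain-HTTP branch is not valid Jinja2 (the tag is one word), so rendering this template fails with a syntax error every time the role runs; change it to `{% endif %}`. `root /var/www/vhosts/default;` hard-codes the path although `nginx_vhosts_dir` now exists in the defaults; `root {{ nginx_vhosts_dir }}/default;` keeps the two in step (the `tls.yml` task that writes `index.html` has the same hard-coded path). Since this commit drops `Strict-Transport-Security` from `header.conf`, the TLS-only `server` block guarded by `{% if nginx_tls_enabled %}` is the natural place to reinstate it, e.g. `add_header Strict-Transport-Security "max-age=63072000" always;`, but note that an `add_header` at server level suppresses the http-level headers inherited from `header.conf`, so the other headers must be repeated or included there as well. The 443 server block continues beyond the hunk.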