├── .gitignore ├── .travis.yml ├── LICENSE ├── README.md ├── Vagrantfile ├── defaults └── main.yml ├── files ├── index.html ├── mime.types └── naxsi_core.rules ├── handlers └── main.yml ├── meta └── main.yml ├── tasks ├── configure.yml ├── default_site.yml ├── directories.yml ├── main.yml ├── modules.yml ├── modules │ ├── _authorized_ips.yml │ ├── google_perftools_module.yml │ ├── headers_more_module.yml │ ├── http_auth_request_module.yml │ ├── http_echo_module.yml │ ├── http_geoip_module.yml │ ├── http_gzip_static_module.yml │ ├── http_perl_module.yml │ ├── http_realip_module.yml │ ├── http_spdy_module.yml │ ├── http_ssl_module.yml │ ├── http_stub_status_module.yml │ ├── ipv6_module.yml │ ├── naxsi_module.yml │ ├── ngx_pagespeed.yml │ └── upload_progress_module.yml ├── monit.yml ├── package.yml ├── scripts.yml ├── sites.yml ├── source.yml └── user.yml ├── templates ├── .nginx_compilation_flags.j2 ├── default.site.j2 ├── etc_monit_conf.d_nginx.j2 ├── modules │ ├── authorized_ips.j2 │ ├── http_gzip_static.conf.j2 │ ├── http_realip.conf.j2 │ ├── nginx_status.j2 │ └── upload_progress.j2 ├── nginx.conf.j2 ├── nginx.init.j2 ├── nxdissite.j2 ├── nxensite.j2 └── site.j2 ├── test.yml └── vagrant-inventory /.gitignore: -------------------------------------------------------------------------------- 1 | *.sw[op] 2 | .DS_Store 3 | .AppleDouble 4 | .LSOverride 5 | Icon 6 | ._* 7 | .Spotlight-V100 8 | .Trashes 9 | .vagrant 10 | test 11 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | language: python 4 | python: "2.7" 5 | env: 6 | - INSTALL_METHOD=source ANSIBLE_VERSION=1.9.0.1 7 | - INSTALL_METHOD=source ANSIBLE_VERSION=2.0.0.2 8 | - INSTALL_METHOD=package ANSIBLE_VERSION=1.9.0.1 9 | - INSTALL_METHOD=package ANSIBLE_VERSION=2.0.0.2 10 | 11 | before_install: 12 | - sudo apt-get update -qq 13 | - sudo apt-get install -qq python-apt 
python-pycurl 14 | install: 15 | - pip install ansible==$ANSIBLE_VERSION 16 | script: 17 | - echo localhost > inventory 18 | - ansible-playbook -i inventory test.yml --syntax-check 19 | - ansible-playbook -i inventory test.yml --connection=local --sudo -e "nginx_install_method=$INSTALL_METHOD" 20 | - > 21 | ansible-playbook -i inventory test.yml --connection=local --sudo -e "nginx_install_method=$INSTALL_METHOD" 22 | | grep -q 'changed=0.*failed=0' 23 | && (echo 'Idempotence test: pass' && exit 0) 24 | || (echo 'Idempotence test: fail' && exit 1) 25 | after_failure: 26 | - cat /etc/nginx/nginx.conf 27 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License 2 | 3 | Copyright (c) 2014 Pieterjan Vandaele 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in 13 | all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## ANXS - nginx [![Build Status](https://travis-ci.org/ANXS/nginx.svg?branch=master)](https://travis-ci.org/ANXS/nginx) 2 | 3 | Ansible role which installs and configures Nginx, from a package or from source (including a series of optional modules). 4 | 5 | 6 | #### Requirements & Dependencies 7 | 8 | ##### Ansible 9 | 10 | It has been tested on Ansible 1.5 and above, and depends on the following roles: 11 | - ANXS.apt 12 | - ANXS.build-essential 13 | - ANXS.perl 14 | - ANXS.monit (if you want monit protection) 15 | 16 | 17 | ##### Platforms 18 | 19 | Currently it's been developed for, and tested on Ubuntu. It is assumed to work on other Debian distributions as well. 20 | 21 | 22 | #### Variables 23 | 24 | ##### default (nginx.conf) 25 | 26 | - `nginx_install_method` - "source" or "package" 27 | - `nginx_user` - user Nginx will run as 28 | - `nginx_uid` - the uid for this user 29 | - `nginx_group` - Nginx group 30 | - `nginx_gid` - the gid for this group 31 | - `nginx_dir` - location of the Nginx configuration (conf, sites-available, sites-enabled, ...) 32 | - `nginx_www_dir` - location of the www root for Nginx sites 33 | - `nginx_log_dir` - location of the Nginx logs 34 | - `nginx_pid` - location of the Nginx PID file 35 | - `nginx_worker_processes` - sets the number of worker processes 36 | - `nginx_daemon_disable` - whether the daemon should be disabled which can be set to yes or no 37 | - `nginx_worker_rlimit_nofile` - used for config value of `worker_rlimit_nofile`. Can replace any "ulimit -n" command. The value depend on your usage (cache or not) but must always be superior than worker_connections. 
Set to `null` to ignore 38 | - `nginx_error_log_options` - option flags for the error_log 39 | - `nginx_error_log_filename` - filename for the error log 40 | - `nginx_worker_connections` - sets the number of worker connections 41 | - `nginx_multi_accept` - used for config value of events { multi_accept }. Try to accept() as many connections as possible. Can be set to yes or no 42 | - `nginx_charset` - used to specify an explicit default charset (say, 'utf-8', 'off'…) 43 | - `nginx_disable_access_log` - whether or not to disable the access log, yes or no 44 | - `nginx_access_log_options` - option flags for the access_log 45 | - `nginx_server_tokens` - whether to send the Nginx version number in error pages and Server header, on or off 46 | - `nginx_event` - used for config value of events { use }. Set the event-model. By default nginx looks for the most suitable method for your OS. 47 | - `nginx_sendfile` - directive to activate or deactivate the usage of sendfile(), on or off 48 | - `nginx_keepalive` - option whether to use the timeout options (below). Only the value "on" will include them 49 | - `nginx_keepalive_timeout` - assigns the timeout for keep-alive connections with the client 50 | - `nginx_client_body_timeout` - sets the read timeout for the request body from client 51 | - `nginx_client_header_timeout` - specifies how long to wait for the client to send a request header 52 | - `nginx_send_timeout` - specifies the response timeout to the client; it does not apply to the entire transfer but, rather, only between two subsequent client-read operations 53 | - `nginx_buffers` - option whether to use the buffer options (below). 
Only the value "on" will include them 54 | - `nginx_client_body_buffer_size` - specifies the client request body buffer size 55 | - `nginx_client_header_buffer_size` - sets the header buffer size for the request header from client 56 | - `nginx_client_max_body_size` - specifies the maximum accepted body size of a client request, as indicated by the request header Content-Length. Set to 0 to disable the limit 57 | - `nginx_large_client_header_buffers` - assigns the maximum number and size of buffers for large headers to read from client request 58 | - `nginx_server_names_hash_bucket_size` - sets the bucket size for the server names hash tables. By default this depends on the processor's cache line size 59 | - `nginx_types_hash_max_size` - 60 | - `nginx_types_hash_bucket_size` - 61 | - `nginx_proxy_read_timeout` - defines a timeout (between two successive read operations) for reading a response from the proxied server. 62 | - `nginx_enable_rate_limiting` - enable rate limiting, yes or no 63 | - `nginx_rate_limiting_zone_name` - sets the shared memory zone 64 | - `nginx_rate_limiting_backoff` - sets the maximum burst size of requests 65 | - `nginx_rate_limit` - sets the rate (e.g. 1r/s) 66 | - `nginx_access_logs` - a list of access log formats, filenames and options 67 | 68 | nginx_access_logs: 69 | - name: "main" 70 | format: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"' 71 | options: null 72 | filename: "access.log" 73 | 74 | #This will generate access_log /var/log/nginx/access.log combined 75 | nginx_access_logs: 76 | - name: "combined" 77 | filename: "access.log" 78 | 79 | - `nginx_default_root` - the directory to place the default site 80 | - `nginx_default_enable` - whether or not to actually enable the default site 81 | 82 | ##### source 83 | - `nginx_source_version` - the version of Nginx to install 84 | - `nginx_source_url` - URL for the Nginx source (versioned). 
By default it will get it from `nginx_source_version` 85 | - `nginx_source_prefix` - prefix for installing nginx from source (versioned) 86 | - `nginx_source_conf_path` - location of the main config file (in `nginx_dir` by default) 87 | - `nginx_source_default_configure_flags` - the default configure flags (before adding the modules). By default, this sets --prefix, --conf-path and --sbin-path 88 | - `nginx_source_modules_included` - see below 89 | - `nginx_source_modules_excluded` - a list of configure flags to exclude modules. Example: ["mail_pop3_module", "mail_imap_module", "mail_smtp_module"] 90 | 91 | `nginx_source_modules_included` is a dictionary (k,v) where k is the module name, and v its accompanying configure flag. All the possible options are given below: 92 | 93 | ```yaml 94 | nginx_source_modules_included: 95 | http_stub_status_module: "--with-http_stub_status_module" 96 | http_ssl_module: "--with-http_ssl_module" 97 | http_gzip_static_module: "--with-http_gzip_static_module" 98 | upload_progress_module: "--add-module=/tmp/nginx-upload-progress-module-{{nginx_upload_progress_version}}" 99 | headers_more_module: "--add-module=/tmp/headers-more-nginx-module-{{nginx_headers_more_version}}" 100 | http_auth_request_module: "--add-module=/tmp/ngx_http_auth_request_module-{{nginx_auth_request_release}}" 101 | http_echo_module: "--add-module=/tmp/echo-nginx-module-{{nginx_echo_version}}" 102 | google_perftools_module: "--with-google_perftools_module" 103 | ipv6_module: "--with-ipv6" 104 | http_real_ip_module: "--with-http_realip_module" 105 | http_spdy_module: "--with-http_spdy_module" 106 | http_perl_module: "--with-http_perl_module" 107 | naxsi_module: "--add-module=/tmp/naxsi-{{nginx_naxsi_version}}/naxsi_src" 108 | ngx_pagespeed: "--add-module=/tmp/ngx_pagespeed-release-{{nginx_ngx_pagespeed_version}}-beta" 109 | http_geoip_module: "--with-http_geoip_module" 110 | ``` 111 | 112 | ##### Sites 113 | 114 | There is a possibility to configure a list of 
servers to be available (not yet enabled) as well. Just provide a list of dictionaries according to the following format: 115 | 116 | ```yaml 117 | nginx_sites: 118 | - server: 119 | name: foo 120 | listen: 8080 121 | server_name: localhost 122 | location1: 123 | name: "/" 124 | try_files: "$uri $uri/ /index.html" 125 | sendfile: "on" 126 | - server: 127 | name: bar 128 | listen: 8888 129 | server_name: webmail.localhost 130 | location1: 131 | name: / 132 | try_files: "$uri $uri/ /index.html" 133 | location2: 134 | name: /images/ 135 | try_files: "$uri $uri/ /index.html" 136 | ``` 137 | 138 | To enable or disable specific sites you can add prior used `server_name` attribute to the variables `nginx_enabled_sites` and `nginx_disabled_sites`. 139 | 140 | ```yaml 141 | nginx_enabled_sites: 142 | - localhost 143 | ``` 144 | 145 | ```yaml 146 | nginx_disabled_sites: 147 | - webmail.localhost 148 | ``` 149 | 150 | ##### Monit ? 151 | You can put Nginx under monit monitoring protection, by setting `monit_protection: yes` 152 | 153 | 154 | ##### Modules 155 | 156 | ###### gzip module 157 | - 'nginx_gzip' - whether to use gzip, can be "on" or "off" 158 | - 'nginx_gzip_http_version' 159 | - 'nginx_gzip_comp_level' 160 | - 'nginx_gzip_proxied' 161 | - 'nginx_gzip_vary' 162 | - 'nginx_gzip_buffers' 163 | - 'nginx_gzip_min_length' 164 | - 'nginx_gzip_types' 165 | - 'nginx_gzip_disable' 166 | 167 | ###### http_stub_status module 168 | - `nginx_remote_ip_var` 169 | - `nginx_authorized_ips` 170 | 171 | ###### http_gzip_static module 172 | - `nginx_gzip_static` - whether to use gzip_static, can be on or off 173 | 174 | ###### upload_progress module 175 | - `nginx_upload_progress_version` - version of the upload_progress module 176 | - `nginx_upload_progress_javascript_output`- sets output in javascript. The default is true for backwards compatibility 177 | - `nginx_upload_progress_zone_name` - assigns one name which will be used to store the per-connection tracking information. 
The default is proxied 178 | - `nginx_upload_progress_zone_size` - assigns the zone size in bytes. Default is 1m (1 megabyte) 179 | 180 | ###### headers_more module 181 | - `nginx_headers_more_version` - version of the headers_more module 182 | 183 | ###### http_auth_request module 184 | - `nginx_auth_request_release` - the release number of the http_auth_request module 185 | 186 | ###### http_echo module 187 | - `nginx_echo_version` - version of the http_echo module 188 | 189 | ###### http_realip module 190 | - `nginx_realip_header` - Sets the header to use for the RealIp Module; only accepts "X-Forwarded-For" or "X-Real-IP" 191 | - `nginx_realip_addresses` - Sets the trusted proxy addresses for the http_realip configuration; list only addresses you control, since the client address is taken from the header those proxies forward 192 | - `nginx_realip_real_ip_recursive` - If recursive search is enabled, the original client address that matches one of the trusted addresses is replaced by the last non-trusted address sent in the request header field. Can be "on" or "off". The default is "off" 193 | 194 | ###### naxsi module 195 | - `nginx_naxsi_version` - version of the naxsi module 196 | 197 | ###### geoip module 198 | - `nginx_geoip: 'on'` 199 | - `nginx_geoip_country: "{{nginx_dir}}/geoip/GeoIP.dat"` 200 | - `nginx_geoip_city: "{{nginx_dir}}/geoip/GeoLiteCity.dat"` 201 | 202 | #### Thanks 203 | 204 | To the contributors: 205 | - [Jean-Denis Vauguet](https://github.com/chikamichi) 206 | 207 | 208 | #### Testing 209 | This project comes with a Vagrantfile, which is a fast and easy way to test changes to the role; fire it up with `vagrant up`. 210 | 211 | See [vagrant docs](https://docs.vagrantup.com/v2/) for getting set up with vagrant 212 | 213 | There are two ways to test the install: compiling nginx from source or installing from a package manager. 
214 | By default nginx compiles from source, however if desired, we can set a command line variable to install 215 | from the package manager 216 | 217 | export NGINX_INSTALL_METHOD=package 218 | 219 | #### License 220 | 221 | Licensed under the MIT License. See the LICENSE file for details. 222 | 223 | 224 | #### Feedback, bug-reports, requests, ... 225 | 226 | Are [welcome](https://github.com/ANXS/nginx/issues)! 227 | -------------------------------------------------------------------------------- /Vagrantfile: -------------------------------------------------------------------------------- 1 | # -*- mode: ruby -*- 2 | # vi: set ft=ruby : 3 | 4 | nginx_install_method = ENV.key?('NGINX_INSTALL_METHOD') ? ENV['NGINX_INSTALL_METHOD'] : 'source' 5 | 6 | Vagrant.configure('2') do |config| 7 | config.vm.define 'anxs' do |c| 8 | c.vm.box = 'ubuntu/trusty64' 9 | c.vm.network :private_network, ip: '192.168.88.16' 10 | c.vm.hostname = 'anxs.local' 11 | c.vm.provision 'ansible' do |ansible| 12 | ansible.playbook = 'test.yml' 13 | ansible.sudo = true 14 | ansible.inventory_path = 'vagrant-inventory' 15 | ansible.host_key_checking = false 16 | ansible.extra_vars = { 17 | nginx_install_method: nginx_install_method 18 | } 19 | end 20 | end 21 | end 22 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | # file: nginx/defaults/main.yml 2 | 3 | nginx_install_method: "source" 4 | nginx_source_version: "1.8.0" 5 | nginx: "nginx" 6 | 7 | nginx_user: www-data 8 | nginx_group: www-data 9 | nginx_uid: 33 10 | nginx_gid: 33 11 | 12 | nginx_dir: "/etc/nginx" 13 | nginx_www_dir: "/srv/www" 14 | nginx_log_dir: "/var/log/nginx" 15 | nginx_pid: "/var/run/nginx.pid" 16 | 17 | 18 | # nginx.conf 19 | nginx_worker_processes: 4 20 | nginx_daemon_disable: no 21 | nginx_worker_rlimit_nofile: null 22 | nginx_error_log_options: null 23 | nginx_error_log_filename: 
'error.log' 24 | nginx_worker_connections: 1024 25 | nginx_multi_accept: 'on' 26 | nginx_event: null 27 | nginx_charset: null 28 | nginx_disable_access_log: no 29 | nginx_server_tokens: 'off' 30 | nginx_sendfile: 'on' 31 | nginx_keepalive: "on" 32 | nginx_keepalive_timeout: "30" 33 | nginx_client_body_timeout: "10" 34 | nginx_client_header_timeout: "10" 35 | nginx_send_timeout: "10" 36 | nginx_buffers: "on" 37 | nginx_client_body_buffer_size: "1k" 38 | nginx_client_header_buffer_size: "1k" 39 | nginx_client_max_body_size: "2m" 40 | nginx_large_client_header_buffers: "2 1k" 41 | nginx_server_names_hash_bucket_size: 64 42 | nginx_types_hash_max_size: 2048 43 | nginx_types_hash_bucket_size: 64 44 | nginx_proxy_read_timeout: null 45 | nginx_enable_rate_limiting: no 46 | nginx_rate_limiting_zone_name: "default" 47 | nginx_rate_limiting_backoff: "10m" 48 | nginx_rate_limit: "1r/s" 49 | nginx_access_logs: 50 | - name: "main" 51 | format: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"' 52 | options: null 53 | filename: "access.log" 54 | 55 | # default site 56 | nginx_default_root: "{{nginx_www_dir}}/default" 57 | nginx_default_enable: yes 58 | 59 | # site inventory 60 | nginx_sites: [] 61 | nginx_enabled_sites: [] 62 | nginx_disabled_sites: [] 63 | 64 | # source install (note: nginx_source_url below fetches the tarball over plain http, and these defaults define no checksum for the archive that gets compiled and installed) 65 | nginx_source_url: "http://nginx.org/download/nginx-{{nginx_source_version}}.tar.gz" 66 | nginx_source_prefix: "/usr/local/nginx/nginx-{{nginx_source_version}}" 67 | nginx_source_conf_path: "{{nginx_dir}}/nginx.conf" 68 | nginx_source_sbin_path: "{{nginx_source_prefix}}/sbin/nginx" 69 | nginx_source_default_configure_flags: "--prefix={{nginx_source_prefix}} --conf-path={{nginx_source_conf_path}} --sbin-path={{nginx_source_sbin_path}}" 70 | 71 | nginx_source_modules_included: 72 | http_stub_status_module: "--with-http_stub_status_module" 73 | http_ssl_module: "--with-http_ssl_module" 74 | openssl: "--with-openssl=/tmp/openssl-{{ openssl_version 
}}" 75 | http_gzip_static_module: "--with-http_gzip_static_module" 76 | upload_progress_module: "--add-module=/tmp/nginx-upload-progress-module-{{nginx_upload_progress_version}}" 77 | headers_more_module: "--add-module=/tmp/headers-more-nginx-module-{{nginx_headers_more_version}}" 78 | http_auth_request_module: "--add-module=/tmp/ngx_http_auth_request_module-{{nginx_auth_request_release}}" 79 | http_echo_module: "--add-module=/tmp/echo-nginx-module-{{nginx_echo_version}}" 80 | google_perftools_module: "--with-google_perftools_module" 81 | ipv6_module: "--with-ipv6" 82 | http_real_ip_module: "--with-http_realip_module" 83 | http_spdy_module: "--with-http_spdy_module" 84 | http_perl_module: "--with-http_perl_module" 85 | naxsi_module: "--add-module=/tmp/naxsi-{{nginx_naxsi_version}}/naxsi_src" 86 | ngx_pagespeed: "--add-module=/tmp/ngx_pagespeed-release-{{nginx_ngx_pagespeed_version}}-beta" 87 | http_geoip_module: "--with-http_geoip_module" 88 | 89 | nginx_source_modules_excluded: 90 | - mail_pop3_module 91 | - mail_imap_module 92 | - mail_smtp_module 93 | 94 | nginx_source_configure_flags: "{{nginx_source_default_configure_flags}}{% for key, value in nginx_source_modules_included.items() %} {{value}}{% endfor %}{% for item in nginx_source_modules_excluded %} --without-{{item}}{% endfor %}" 95 | 96 | 97 | # gzip_module 98 | nginx_gzip: 'on' 99 | nginx_gzip_http_version: 1.1 100 | nginx_gzip_comp_level: 2 101 | nginx_gzip_proxied: expired no-cache no-store private auth 102 | nginx_gzip_vary: 'on' 103 | nginx_gzip_buffers: null 104 | nginx_gzip_min_length: 10240 105 | nginx_gzip_types: 106 | - text/plain 107 | - text/css 108 | - text/xml 109 | - text/csv 110 | - text/javascript 111 | - application/x-javascript 112 | - application/xml 113 | - application/xml+rss 114 | - application/javascript 115 | - application/postscript 116 | - application/pdf 117 | - application/ecmascript 118 | - application/json 119 | - image/svg+xml 120 | nginx_gzip_disable: "MSIE [1-6]\\." 
121 | 122 | # geoip_module 123 | nginx_geoip: 'off' 124 | nginx_geoip_country: "{{nginx_dir}}/geoip/GeoIP.dat" 125 | nginx_geoip_city: "{{nginx_dir}}/geoip/GeoLiteCity.dat" 126 | 127 | # http_stub_status_module configuration 128 | nginx_remote_ip_var: "remote_addr" 129 | nginx_authorized_ips: 130 | - "127.0.0.1/32" 131 | 132 | # http_gzip_static_module configuration 133 | nginx_gzip_static: "off" 134 | 135 | 136 | # upload_progress_module configuration 137 | nginx_upload_progress_version: "0.9.1" 138 | nginx_upload_progress_javascript_output: yes 139 | nginx_upload_progress_zone_name: "proxied" 140 | nginx_upload_progress_zone_size: "1m" 141 | nginx_upload_progress_url: "https://github.com/masterzen/nginx-upload-progress-module/archive/v{{nginx_upload_progress_version}}.tar.gz" 142 | 143 | 144 | # headers_more_module configuration 145 | nginx_headers_more_version: "0.261" 146 | nginx_headers_more_url: "https://github.com/agentzh/headers-more-nginx-module/archive/v{{nginx_headers_more_version}}.tar.gz" 147 | 148 | 149 | # http_auth_request_module configuration 150 | nginx_auth_request_release: "662785733552" 151 | nginx_auth_request_url: "http://mdounin.ru/hg/ngx_http_auth_request_module/archive/{{nginx_auth_request_release}}.tar.gz" 152 | 153 | 154 | # http_echo_module configuration 155 | nginx_echo_version: "0.58" 156 | nginx_echo_url: "https://github.com/agentzh/echo-nginx-module/archive/v{{nginx_echo_version}}.tar.gz" 157 | 158 | 159 | # http_realip_module configuration 160 | nginx_realip_header: "X-Forwarded-For" 161 | nginx_realip_addresses: ["127.0.0.1"] 162 | nginx_realip_real_ip_recursive: "off" 163 | 164 | 165 | # naxsi_module configuration 166 | nginx_naxsi_version: "0.53" 167 | nginx_naxsi_url: "https://github.com/nbs-system/naxsi/archive/{{nginx_naxsi_version}}.tar.gz" 168 | 169 | # ngx_pagespeed_module configuration 170 | nginx_ngx_pagespeed_version: 1.9.32.4 171 | 172 | # OpenSSL configuration 173 | openssl_version: "1.0.2h" 174 | 
-------------------------------------------------------------------------------- /files/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Welcome to nginx! 5 | 6 | 7 |

Thank you for using ANXS.nginx

8 |

If you see this page then Ansible has properly provisioned your nginx installation and you have not specified a default site with an existing index.html.

9 | 10 |

Additional configuration will likely be necessary

11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /files/mime.types: -------------------------------------------------------------------------------- 1 | types { 2 | text/html html htm shtml; 3 | text/css css; 4 | text/xml xml; 5 | image/gif gif; 6 | image/jpeg jpeg jpg; 7 | application/x-javascript js; 8 | application/json json; 9 | application/atom+xml atom; 10 | application/rss+xml rss; 11 | text/mathml mml; 12 | text/plain txt; 13 | text/vnd.sun.j2me.app-descriptor jad; 14 | text/vnd.wap.wml wml; 15 | text/x-component htc; 16 | image/png png; 17 | image/tiff tif tiff; 18 | image/vnd.wap.wbmp wbmp; 19 | image/x-icon ico; 20 | image/x-jng jng; 21 | image/x-ms-bmp bmp; 22 | image/svg+xml svg svgz; 23 | image/webp webp; 24 | application/java-archive jar war ear; 25 | application/mac-binhex40 hqx; 26 | application/msword doc; 27 | application/pdf pdf; 28 | application/postscript ps eps ai; 29 | application/rtf rtf; 30 | application/vnd.ms-excel xls; 31 | application/vnd.ms-powerpoint ppt; 32 | application/vnd.wap.wmlc wmlc; 33 | application/vnd.google-earth.kml+xml kml; 34 | application/vnd.google-earth.kmz kmz; 35 | application/x-7z-compressed 7z; 36 | application/x-cocoa cco; 37 | application/x-java-archive-diff jardiff; 38 | application/x-java-jnlp-file jnlp; 39 | application/x-makeself run; 40 | application/x-perl pl pm; 41 | application/x-pilot prc pdb; 42 | application/x-rar-compressed rar; 43 | application/x-redhat-package-manager rpm; 44 | application/x-sea sea; 45 | application/x-shockwave-flash swf; 46 | application/x-stuffit sit; 47 | application/x-tcl tcl tk; 48 | application/x-x509-ca-cert der pem crt; 49 | application/x-xpinstall xpi; 50 | application/xhtml+xml xhtml; 51 | application/zip zip; 52 | application/octet-stream bin exe dll; 53 | application/octet-stream deb; 54 | application/octet-stream dmg; 55 | application/octet-stream eot; 56 | application/octet-stream iso img; 57 | 
application/octet-stream msi msp msm; 58 | audio/midi mid midi kar; 59 | audio/mpeg mp3; 60 | audio/ogg ogg; 61 | audio/x-m4a m4a; 62 | audio/x-realaudio ra; 63 | video/3gpp 3gpp 3gp; 64 | video/mp4 mp4; 65 | video/mpeg mpeg mpg; 66 | video/quicktime mov; 67 | video/webm webm; 68 | video/x-flv flv; 69 | video/x-m4v m4v; 70 | video/x-mng mng; 71 | video/x-ms-asf asx asf; 72 | video/x-ms-wmv wmv; 73 | video/x-msvideo avi; 74 | } 75 | -------------------------------------------------------------------------------- /files/naxsi_core.rules: -------------------------------------------------------------------------------- 1 | ################################## 2 | ## INTERNAL RULES IDS:1-10 ## 3 | ################################## 4 | #weird_request : 1 5 | #big_body : 2 6 | #no_content_type : 3 7 | 8 | #@MainRule "msg:weird/incorrect request" id:1; 9 | #@MainRule "msg:big request, unparsed" id:2; 10 | #@MainRule "msg:uncommon hex encoding (%00 etc.)" id:10; 11 | #@MainRule "msg:uncommon/empty content-type in POST" id:11; 12 | #@MainRule "msg:uncommon/malformed URL" id:12; 13 | 14 | #MainRule "str:123FREETEXT" "msg:exemple learning test pattern" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:BLOCK" id:0; 15 | 16 | ################################## 17 | ## SQL Injections IDs:1000-1099 ## 18 | ################################## 19 | MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000; 20 | MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001; 21 | MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002; 22 | ## Hardcore rules 23 | MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003; 24 | MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004; 25 | MainRule "str:|" "msg:mysql 
keyword (|)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005; 26 | MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006; 27 | ## end of hardcore rules 28 | MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007; 29 | MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008; 30 | MainRule "str:=" "msg:equal in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009; 31 | MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010; 32 | MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011; 33 | MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013; 34 | MainRule "str:," "msg:, in stuff" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015; 35 | MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016; 36 | 37 | ############################### 38 | ## OBVIOUS RFI IDs:1100-1199 ## 39 | ############################### 40 | MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100; 41 | MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101; 42 | MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102; 43 | MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103; 44 | MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104; 45 | MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105; 46 | MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106; 47 | MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107; 
48 | MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108; 49 | MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109; 50 | 51 | ####################################### 52 | ## Directory traversal IDs:1200-1299 ## 53 | ####################################### 54 | MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200; 55 | MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202; 56 | MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203; 57 | MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204; 58 | MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205; 59 | #MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206; 60 | 61 | ######################################## 62 | ## Cross Site Scripting IDs:1300-1399 ## 63 | ######################################## 64 | MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302; 65 | MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303; 66 | MainRule "str:[" "msg:[, possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310; 67 | MainRule "str:]" "msg:], possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311; 68 | MainRule "str:~" "msg:~ character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312; 69 | MainRule "str:`" "msg:grave accent !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314; 70 | MainRule "rx:%[2|3]." "msg:double encoding !" 
"mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315; 71 | 72 | #################################### 73 | ## Evading tricks IDs: 1400-1500 ## 74 | #################################### 75 | MainRule "str:&#" "msg: utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400; 76 | MainRule "str:%U" "msg: M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401; 77 | MainRule negative "rx:multipart/form-data|application/x-www-form-urlencoded" "msg:Content is neither mulipart/x-www-form.." "mz:$HEADERS_VAR:Content-type" "s:$EVADE:4" id:1402; 78 | 79 | ############################# 80 | ## File uploads: 1500-1600 ## 81 | ############################# 82 | MainRule "rx:.ph|.asp|.ht" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500; 83 | -------------------------------------------------------------------------------- /handlers/main.yml: -------------------------------------------------------------------------------- 1 | # file: nginx/handlers/main.yml 2 | 3 | - name: restart nginx 4 | service: name=nginx state=restarted 5 | become: yes 6 | when: not nginx_first_start.changed 7 | 8 | - name: reload nginx 9 | service: name=nginx state=reloaded 10 | become: yes 11 | -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | # file: nginx/meta/main.yml 2 | 3 | galaxy_info: 4 | author: pjan vandaele 5 | company: ANXS 6 | description: Install and configure Nginx 7 | min_ansible_version: 1.9 8 | license: MIT 9 | platforms: 10 | - name: Ubuntu 11 | versions: 12 | - all 13 | categories: 14 | - system 15 | 16 | dependencies: 17 | - ANXS.hostname 18 | - ANXS.apt 19 | - role: ANXS.build-essential 20 | when: nginx_install_method is defined and nginx_install_method == "source" 21 | - role: ANXS.perl 22 | when: nginx_install_method is defined and nginx_install_method == "source" 23 | - role: ANXS.monit 24 | when: 
monit_protection is defined and monit_protection == true 25 | -------------------------------------------------------------------------------- /tasks/configure.yml: -------------------------------------------------------------------------------- 1 | # nginx/tasks/configure.yml 2 | 3 | - name: Nginx | Make sure the mime.types file is up to date 4 | copy: 5 | src: mime.types 6 | dest: "{{nginx_dir}}/mime.types" 7 | owner: root 8 | group: root 9 | mode: 0644 10 | 11 | - name: Nginx | Check for existence of Nginx configuration 12 | stat: 13 | path: "{{nginx_dir}}/nginx.conf" 14 | register: nginx_config 15 | 16 | - name: Nginx | Make sure the Nginx configuration is updated 17 | template: 18 | src: nginx.conf.j2 19 | dest: "{{nginx_dir}}/nginx.conf" 20 | owner: root 21 | group: root 22 | mode: 0644 23 | notify: 24 | - restart nginx 25 | 26 | - name: Nginx | Start Nginx the first time 27 | service: 28 | name: nginx 29 | state: started 30 | register: nginx_first_start 31 | when: not nginx_config.stat.exists -------------------------------------------------------------------------------- /tasks/default_site.yml: -------------------------------------------------------------------------------- 1 | # file: nginx/tasks/default_site.yml 2 | 3 | - name: Nginx | Make sure the default site root directory is present 4 | file: 5 | path: "{{nginx_default_root}}" 6 | state: directory 7 | owner: "{{nginx_user}}" 8 | group: "{{nginx_group}}" 9 | mode: 0754 10 | 11 | - name: Nginx | Check for existing index.html 12 | stat: 13 | path: "{{nginx_default_root}}/index.html" 14 | register: nginx_default_index 15 | 16 | - name: Nginx | Copy placeholder index.html 17 | copy: 18 | src: "index.html" 19 | dest: "{{nginx_default_root}}/index.html" 20 | owner: "{{nginx_user}}" 21 | group: "{{nginx_group}}" 22 | mode: 0644 23 | when: not nginx_default_index.stat.exists 24 | 25 | - name: Nginx | Update the default site configuration 26 | template: 27 | src: default.site.j2 28 | dest: 
"{{nginx_dir}}/sites-available/default" 29 | owner: root 30 | group: root 31 | mode: 0644 32 | 33 | - name: Nginx | Enable the default site 34 | file: 35 | path: "{{nginx_dir}}/sites-enabled/default" 36 | src: "{{nginx_dir}}/sites-available/default" 37 | state: link 38 | when: nginx_default_enable 39 | notify: 40 | - reload nginx 41 | 42 | - name: Nginx | Disable the default site 43 | file: 44 | path: "{{nginx_dir}}/sites-enabled/default" 45 | state: absent 46 | when: not nginx_default_enable 47 | notify: 48 | - reload nginx 49 | 50 | - name: Nginx | Reload if we just created index.html 51 | service: 52 | name: nginx 53 | state: reloaded 54 | when: not nginx_default_index.stat.exists -------------------------------------------------------------------------------- /tasks/directories.yml: -------------------------------------------------------------------------------- 1 | # file: nginx/tasks/commons.yml 2 | 3 | - name: Nginx | Make sure the nginx directory exists 4 | file: 5 | path: "{{nginx_dir}}" 6 | owner: root 7 | group: root 8 | mode: 0755 9 | state: directory 10 | 11 | - name: Nginx | Make sure the nginx log directory exists 12 | file: 13 | path: "{{nginx_log_dir}}" 14 | owner: root 15 | group: root 16 | mode: 0755 17 | state: directory 18 | 19 | - name: Nginx | Make sure the sites-available, sites-enabled and conf.d directories exist 20 | file: 21 | path: "{{nginx_dir}}/{{item}}" 22 | owner: root 23 | group: root 24 | mode: 0755 25 | state: directory 26 | with_items: ["sites-available", "sites-enabled", "conf.d"] 27 | -------------------------------------------------------------------------------- /tasks/main.yml: -------------------------------------------------------------------------------- 1 | # file: nginx/tasks/main.yml 2 | 3 | - include: package.yml 4 | when: nginx_install_method == "package" 5 | - include: source.yml 6 | when: nginx_install_method == "source" 7 | - include: scripts.yml 8 | - include: configure.yml 9 | - include: default_site.yml 10 | - 
include: sites.yml 11 | - include: monit.yml 12 | when: monit_protection is defined and monit_protection == true 13 | -------------------------------------------------------------------------------- /tasks/modules.yml: -------------------------------------------------------------------------------- 1 | # file: nginx/tasks/modules.yml 2 | 3 | - include: modules/http_stub_status_module.yml 4 | when: nginx_source_modules_included.http_stub_status_module is defined 5 | 6 | - include: modules/http_ssl_module.yml 7 | when: nginx_source_modules_included.http_ssl_module is defined 8 | 9 | - include: modules/http_gzip_static_module.yml 10 | when: nginx_source_modules_included.http_gzip_static_module is defined 11 | 12 | - include: modules/upload_progress_module.yml 13 | when: nginx_source_modules_included.upload_progress_module is defined 14 | 15 | - include: modules/headers_more_module.yml 16 | when: nginx_source_modules_included.headers_more_module is defined 17 | 18 | - include: modules/http_auth_request_module.yml 19 | when: nginx_source_modules_included.http_auth_request_module is defined 20 | 21 | - include: modules/http_echo_module.yml 22 | when: nginx_source_modules_included.http_echo_module is defined 23 | 24 | - include: modules/google_perftools_module.yml 25 | when: nginx_source_modules_included.google_perftools_module is defined 26 | 27 | - include: modules/ipv6_module.yml 28 | when: nginx_source_modules_included.ipv6_module is defined 29 | 30 | - include: modules/http_realip_module.yml 31 | when: nginx_source_modules_included.http_realip_module is defined 32 | 33 | - include: modules/http_spdy_module.yml 34 | when: nginx_source_modules_included.http_spdy_module is defined 35 | 36 | - include: modules/naxsi_module.yml 37 | when: nginx_source_modules_included.naxsi_module is defined 38 | 39 | - include: modules/ngx_pagespeed.yml 40 | when: nginx_source_modules_included.ngx_pagespeed is defined 41 | 42 | - include: modules/http_geoip_module.yml 43 | when: 
nginx_source_modules_included.http_geoip_module is defined 44 | -------------------------------------------------------------------------------- /tasks/modules/_authorized_ips.yml: -------------------------------------------------------------------------------- 1 | # file: nginx/tasks/modules/authorized_ips.yml 2 | 3 | - name: Nginx | Modules | Updated the authorized_ip file 4 | template: 5 | src: templates/modules/authorized_ips.j2 6 | dest: "{{nginx_dir}}/authorized_ips" 7 | owner: root 8 | group: root 9 | mode: 0644 10 | -------------------------------------------------------------------------------- /tasks/modules/google_perftools_module.yml: -------------------------------------------------------------------------------- 1 | # file: roles/nginx/tasks/modules/google_perftools_module.yml 2 | # configure flag: --with-google_perftools_module 3 | 4 | - name: Nginx | Modules | Make sure the libgoogle-perftools-dev package is installed 5 | apt: 6 | pkg: libgoogle-perftools-dev 7 | state: present 8 | -------------------------------------------------------------------------------- /tasks/modules/headers_more_module.yml: -------------------------------------------------------------------------------- 1 | # file: nginx/tasks/modules/headers_more_module.yml 2 | # configure flag: --add-module=/tmp/nginx_headers_more 3 | 4 | - name: Nginx | Modules | Download the headers_more_module source 5 | get_url: 6 | url: "{{nginx_headers_more_url}}" 7 | dest: "/tmp/nginx-headers-more-module-{{nginx_headers_more_version}}.tar.gz" 8 | 9 | - name: Nginx | Modules | Unpack the headers_more_module source 10 | command: tar -xvzf /tmp/nginx-headers-more-module-{{nginx_headers_more_version}}.tar.gz 11 | chdir=/tmp creates=/tmp/headers-more-nginx-module-{{nginx_headers_more_version}} 12 | -------------------------------------------------------------------------------- /tasks/modules/http_auth_request_module.yml: -------------------------------------------------------------------------------- 
# file: nginx/tasks/modules/http_auth_request_module.yml
# configure flag: --add-module=/tmp/nginx_auth_request
#
# Downloads and unpacks the auth_request module source under /tmp for the
# source build. NOTE(review): get_url carries no checksum:, so the archive is
# trusted exactly as downloaded; pin the digest the module's upstream publishes
# for nginx_auth_request_release. The same applies to every get_url in this
# directory.

- name: Nginx | Modules | Download the http_auth_request_module source
  get_url:
    url: "{{nginx_auth_request_url}}"
    dest: "/tmp/nginx-auth-request-module.tar.gz"

- name: Nginx | Modules | Unpack the http_auth_request_module source
  # creates= keeps this idempotent, but it also means a directory of this name
  # already present in world-writable /tmp is used as-is instead of the archive
  command: tar -xvzf /tmp/nginx-auth-request-module.tar.gz chdir=/tmp creates=/tmp/ngx_http_auth_request_module-{{nginx_auth_request_release}}
--------------------------------------------------------------------------------
/tasks/modules/http_echo_module.yml:
--------------------------------------------------------------------------------
# file: nginx/tasks/modules/http_echo_module.yml
# configure flag: --add-module=/tmp/nginx_echo
#
# Same download/unpack pattern as http_auth_request_module.yml, same caveats:
# no checksum on the download and an unpack target in world-writable /tmp.

- name: Nginx | Modules | Download the http_echo_module source
  get_url:
    url: "{{nginx_echo_url}}"
    dest: "/tmp/nginx-echo-module.tar.gz"

- name: Nginx | Modules | Unpack the http_echo_module source
  command: tar -xvzf /tmp/nginx-echo-module.tar.gz chdir=/tmp creates=/tmp/echo-nginx-module-{{nginx_echo_version}}
--------------------------------------------------------------------------------
/tasks/modules/http_geoip_module.yml:
--------------------------------------------------------------------------------
# file: nginx/tasks/modules/http_geoip_module.yml
# configure flag: --with-http_geoip_module
#
# Installs libgeoip and fetches the legacy MaxMind GeoLite databases into
# {{nginx_dir}}/geoip. The per-task `when:` on the first four tasks repeats the
# guard modules.yml already applies when including this file.

- name: Nginx | Modules | Install GeoIp lib
  # state=latest upgrades on every run, so this task is never idempotent and
  # can swap the libgeoip under an already built nginx
  apt: pkg={{ item }} state=latest
  with_items:
    - libgeoip1
    - libgeoip-dev
  when: nginx_source_modules_included.http_geoip_module is defined

- name: Nginx | Modules | Create directory inside nginx
  file: path={{nginx_dir}}/geoip state=directory
  when: nginx_source_modules_included.http_geoip_module is defined

- name: Nginx | Modules | Download GeoIP database files
  # NOTE(review): fetched over plain http:// with no checksum:, so whatever
  # arrives is accepted; these files presumably back geoip_country/geoip_city
  # in nginx.conf.j2, so a tampered download silently changes geo decisions.
  # Prefer https and a digest from the provider.
  get_url: url=http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz dest={{nginx_dir}}/geoip/GeoIP.dat.gz
  when: nginx_source_modules_included.http_geoip_module is defined

- name: Nginx | Modules | Download GeoLiteCity database files
  # same caveat as the GeoIP download above
  get_url: url=http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz dest={{nginx_dir}}/geoip/GeoLiteCity.dat.gz
  when: nginx_source_modules_included.http_geoip_module is defined

- name: Nginx | Modules | Check if the GeoIP file exists
  stat: path={{nginx_dir}}/geoip/GeoIP.dat
  register: geoip_file

- name: Nginx | Modules | Unarchive GeoIP files
  # Decompressed once only: a newer .gz is never re-extracted while the .dat
  # exists. Unlike the tasks above, this one relies solely on the include
  # guard in modules.yml.
  shell: gunzip -c {{nginx_dir}}/geoip/GeoIP.dat.gz > {{nginx_dir}}/geoip/GeoIP.dat
  when: not geoip_file.stat.exists

- name: Nginx | Modules | Check if the GeoLiteCity file exists
  stat: path={{nginx_dir}}/geoip/GeoLiteCity.dat
  register: geolitecity_file

- name: Nginx | Modules | Unarchive GeoLiteCity files
  # same once-only behaviour as the GeoIP unarchive above
  shell: gunzip -c {{nginx_dir}}/geoip/GeoLiteCity.dat.gz > {{nginx_dir}}/geoip/GeoLiteCity.dat
  when: not geolitecity_file.stat.exists
--------------------------------------------------------------------------------
/tasks/modules/http_gzip_static_module.yml:
--------------------------------------------------------------------------------
# file: nginx/tasks/modules/http_gzip_static_module.yml
# configure flag: --with-http_gzip_static_module
#
# Renders the gzip_static directive into conf.d; the module itself is built in
# by the configure flag above.

- name: Nginx | Modules | Update the http_gzip_static_module configuration
  template:
    src: templates/modules/http_gzip_static.conf.j2
    dest: "{{nginx_dir}}/conf.d/http_gzip_static.conf"
    owner: root
    group: root
    mode: 0644
--------------------------------------------------------------------------------
/tasks/modules/http_perl_module.yml:
--------------------------------------------------------------------------------
# file: nginx/tasks/modules/http_perl_module.yml
# configure flag: --with-http_perl_module

# no contents
--------------------------------------------------------------------------------
/tasks/modules/http_realip_module.yml:
--------------------------------------------------------------------------------
# file: nginx/tasks/modules/http_realip_module.yml
# configure flag: --with-http_realip_module
#
# Renders set_real_ip_from / real_ip_header into conf.d. Every address in
# nginx_realip_addresses is a proxy whose client-address header (named by
# nginx_realip_header) nginx will believe, so that list should hold only
# hosts under your control.

- name: Nginx | Modules | Update the http_realip_module configuration
  template:
    src: templates/modules/http_realip.conf.j2
    dest: "{{nginx_dir}}/conf.d/http_realip.conf"
    owner: root
    group: root
    mode: 0644
--------------------------------------------------------------------------------
/tasks/modules/http_spdy_module.yml:
--------------------------------------------------------------------------------
# file: nginx/tasks/modules/http_spdy_module.yml
# configure flag: --with-http_spdy_module

# no contents
--------------------------------------------------------------------------------
/tasks/modules/http_ssl_module.yml:
--------------------------------------------------------------------------------
# file: nginx/tasks/modules/http_ssl_module.yml
# configure flag: --with-http_ssl_module
#
# Fetches an OpenSSL source tree into /tmp for the build. Note the guard:
# modules.yml includes this file when http_ssl_module is defined, but these
# tasks run only when nginx_source_modules_included.openssl is defined too.

- name: get openssl source
  # NOTE(review): shell+wget verifies nothing about the archive and does not
  # go through get_url (proxy settings, validate_certs); the commented-out
  # get_url below is the preferable shape, plus a checksum: matching the
  # digest openssl.org publishes next to each release.
  shell: "wget https://www.openssl.org/source/openssl-{{ openssl_version }}.tar.gz"
  args:
    chdir: /tmp
    creates: "/tmp/openssl-{{ openssl_version }}.tar.gz"
  when: nginx_source_modules_included.openssl is defined

#get_url:
#  url: "https://www.openssl.org/source/openssl-{{ openssl_version }}.tar.gz"
#  dest: "/tmp/openssl-{{ openssl_version }}.tar.gz"
#when: nginx_source_modules_included.openssl is defined

- name: extract openssl source
  # creates: skips the extract when a directory of this name already exists
  # in world-writable /tmp, whatever its origin
  command: "tar -xf /tmp/openssl-{{ openssl_version }}.tar.gz"
  args:
    chdir: /tmp
    creates: "/tmp/openssl-{{ openssl_version }}"
  when: nginx_source_modules_included.openssl is defined
-------------------------------------------------------------------------------- /tasks/modules/http_stub_status_module.yml: -------------------------------------------------------------------------------- 1 | # file: nginx/tasks/modules/http_stub_status_module.yml 2 | # configure flag: --with-http_stub_status_module 3 | 4 | - include: _authorized_ips.yml 5 | 6 | - name: Nginx | Modules | Make sure the nginx status configuration is updated 7 | template: 8 | src: templates/modules/nginx_status.j2 9 | dest: "{{nginx_dir}}/sites-available/nginx_status" 10 | owner: root 11 | group: root 12 | mode: 0644 13 | 14 | - name: Nginx | Modules | Enable the status stub sites-available 15 | file: 16 | path: "{{nginx_dir}}/sites-enabled/nginx_status" 17 | src: "{{nginx_dir}}/sites-available/nginx_status" 18 | state: link 19 | force: yes 20 | -------------------------------------------------------------------------------- /tasks/modules/ipv6_module.yml: -------------------------------------------------------------------------------- 1 | # file: roles/nginx/tasks/modules/ipv6_module.yml 2 | # configure flag: --with-ipv6 3 | 4 | # no contents 5 | -------------------------------------------------------------------------------- /tasks/modules/naxsi_module.yml: -------------------------------------------------------------------------------- 1 | # file: roles/nginx/tasks/modules/naxsi_module.yml 2 | # configure flag: --add-module=/tmp/naxsi-{{nginx_naxsi_version}}/naxsi_src 3 | 4 | - name: Nginx | Modules | Download the naxsi_module source 5 | get_url: 6 | url: "{{nginx_naxsi_url}}" 7 | dest: "/tmp/nginx-naxsi-module.tar.gz" 8 | 9 | - name: Nginx | Modules | Unpack the naxsi_module source 10 | command: tar -xvzf /tmp/nginx-naxsi-module.tar.gz chdir=/tmp creates=/tmp/naxsi-{{nginx_naxsi_version}} 11 | 12 | - name: Nginx | Modules | Make sure the naxsi_module configuration is up to date 13 | copy: 14 | src: files/naxsi_core.rules 15 | dest: "{{nginx_dir}}/naxsi_core.rules" 16 | owner: 
root 17 | group: root 18 | mode: 0644 19 | -------------------------------------------------------------------------------- /tasks/modules/ngx_pagespeed.yml: -------------------------------------------------------------------------------- 1 | # file: nginx/tasks/modules/ngx_pagespeed.yml 2 | # configure flag: --add-module=/tmp/ngx_pagespeed-release-{{nginx_ngx_pagespeed_version}}-beta 3 | 4 | - name: Nginx | Modules | Make sure the dependences are installed 5 | apt: 6 | pkg: "{{item}}" 7 | with_items: 8 | - zlib1g-dev 9 | - libpcre3 10 | - libpcre3-dev 11 | 12 | - name: Nginx | Modules | Download the ngx_pagespeed source 13 | get_url: 14 | url: "https://github.com/pagespeed/ngx_pagespeed/archive/release-{{nginx_ngx_pagespeed_version}}-beta.tar.gz" 15 | dest: "/tmp/ngx_pagespeed_module.tar.gz" 16 | 17 | - name: Nginx | Modules | Unpack the ngx_pagespeed source 18 | command: tar -xvzf /tmp/ngx_pagespeed_module.tar.gz 19 | args: 20 | chdir: /tmp 21 | creates: "/tmp/ngx_pagespeed-release-{{nginx_ngx_pagespeed_version}}-beta" 22 | 23 | - name: Nginx | Modules | Download the psol source 24 | get_url: 25 | url: "https://dl.google.com/dl/page-speed/psol/{{nginx_ngx_pagespeed_version}}.tar.gz" 26 | dest: "/tmp/ngx_pagespeed-release-{{nginx_ngx_pagespeed_version}}-beta/psol.tar.gz" 27 | 28 | - name: Nginx | Modules | Unpack the psol source 29 | command: "tar -xvzf /tmp/ngx_pagespeed-release-{{nginx_ngx_pagespeed_version}}-beta/psol.tar.gz" 30 | args: 31 | chdir: "/tmp/ngx_pagespeed-release-{{nginx_ngx_pagespeed_version}}-beta" 32 | creates: "/tmp/ngx_pagespeed-release-{{nginx_ngx_pagespeed_version}}-beta/psol" 33 | -------------------------------------------------------------------------------- /tasks/modules/upload_progress_module.yml: -------------------------------------------------------------------------------- 1 | # file: nginx/tasks/modules/upload_progress_module.yml 2 | # configure flag: --add-module=/tmp/nginx_upload_progress 3 | 4 | # to be completed... 
5 | 6 | - name: Nginx | Modules | Download the upload_progress_module source 7 | get_url: 8 | url: "{{nginx_upload_progress_url}}" 9 | dest: "/tmp/nginx-upload-progress-module-{{nginx_upload_progress_version}}.tar.gz" 10 | 11 | - name: Nginx | Modules | Unpack the upload_progress_module source 12 | command: tar -xvzf /tmp/nginx-upload-progress-module-{{nginx_upload_progress_version}}.tar.gz chdir=/tmp creates=/tmp/nginx-upload-progress-module-{{nginx_upload_progress_version}} 13 | 14 | - name: Nginx | Modules | Make sure the upload_progress_module configuration is updated 15 | template: 16 | src: templates/modules/upload_progress.j2 17 | dest: "{{nginx_dir}}/sites-available/upload_progress" 18 | owner: root 19 | group: root 20 | mode: 0644 21 | -------------------------------------------------------------------------------- /tasks/monit.yml: -------------------------------------------------------------------------------- 1 | # file: nginx/tasks/monit.yml 2 | 3 | - name: Nginx | | (Monit) Copy the nginx monit service file 4 | template: 5 | src: etc_monit_conf.d_nginx.j2 6 | dest: /etc/monit/conf.d/nginx 7 | notify: 8 | - restart monit 9 | -------------------------------------------------------------------------------- /tasks/package.yml: -------------------------------------------------------------------------------- 1 | # file: nginx/tasks/package.yml 2 | 3 | - name: Nginx | Make sure the ansible required dependencies are installed 4 | apt: 5 | pkg: python-pycurl 6 | state: present 7 | 8 | - name: Nginx | Add the nginx repository 9 | apt_repository: 10 | repo: ppa:nginx/stable 11 | 12 | - name: Nginx | Make sure nginx is installed (package) 13 | apt: 14 | pkg: "{{nginx}}" 15 | state: present 16 | notify: 17 | - restart nginx 18 | 19 | - include: directories.yml 20 | -------------------------------------------------------------------------------- /tasks/scripts.yml: -------------------------------------------------------------------------------- 1 | # file: 
nginx/tasks/scripts.yml 2 | 3 | - name: Nginx | Copy the nxensite and nxdissite scripts 4 | template: 5 | src: "{{item}}.j2" 6 | dest: "/usr/sbin/{{item}}" 7 | owner: root 8 | group: root 9 | mode: 0755 10 | with_items: ["nxensite", "nxdissite"] 11 | -------------------------------------------------------------------------------- /tasks/sites.yml: -------------------------------------------------------------------------------- 1 | # file: nginx/tasks/sites.yml 2 | 3 | - name: Nginx | Update the configurations for the sites inventory 4 | template: 5 | src: site.j2 6 | dest: "{{nginx_dir}}/sites-available/{{item.server.name}}" 7 | with_items: "{{nginx_sites}}" 8 | when: nginx_sites|lower != 'none' 9 | notify: 10 | - reload nginx 11 | 12 | - name: Nginx | Create virtual sites directories 13 | file: 14 | path: "{{nginx_www_dir}}/{{item.server.name}}" 15 | state: directory 16 | owner: "{{nginx_user}}" 17 | group: "{{nginx_user}}" 18 | mode: 0755 19 | with_items: "{{nginx_sites}}" 20 | 21 | - name: Nginx | Enable sites 22 | file: 23 | path: "{{nginx_dir}}/sites-enabled/{{item}}" 24 | src: "{{nginx_dir}}/sites-available/{{item}}" 25 | state: link 26 | with_items: "{{nginx_enabled_sites}}" 27 | notify: 28 | - reload nginx 29 | when: nginx_enabled_sites|lower != 'none' 30 | 31 | - name: Nginx | Disable sites 32 | file: 33 | path: "{{nginx_dir}}/sites-enabled/{{item}}" 34 | state: absent 35 | with_items: "{{nginx_disabled_sites}}" 36 | notify: 37 | - reload nginx 38 | when: nginx_disabled_sites|lower != 'none' 39 | -------------------------------------------------------------------------------- /tasks/source.yml: -------------------------------------------------------------------------------- 1 | # file: nginx/tasks/source.yml 2 | 3 | - include: user.yml 4 | - include: directories.yml 5 | 6 | - name: Nginx | Make sure the Nginx build dependencies are installed 7 | apt: 8 | update_cache: yes 9 | pkg: "{{item}}" 10 | state: present 11 | with_items: 12 | - libpcre3 13 | - 
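libpcre3-dev
    - libssl-dev

- name: Nginx | Download the Nginx source release if not yet present
  # NOTE(review): no checksum: is given, so the tarball is trusted exactly as
  # downloaded; pin the digest nginx.org publishes for nginx_source_version.
  get_url:
    url: "{{nginx_source_url}}"
    dest: "/tmp/nginx-{{nginx_source_version}}.tar.gz"

- include: "modules.yml"

- name: Nginx | Unpack the compressed Nginx source
  # NOTE(review): the build tree lives in world-writable /tmp and creates=
  # skips the unpack when the README already exists, so a pre-existing
  # directory of that name would be configured and installed as root instead
  # of the downloaded source. A role-private build directory would close this.
  command: tar -xvzf /tmp/nginx-{{nginx_source_version}}.tar.gz chdir=/tmp creates=/tmp/nginx-{{nginx_source_version}}/README

- name: Nginx | Write out the version and flags used for the build
  # Rewriting this file is what decides whether a rebuild happens below:
  # nginx_flags.changed is true only when the version or the configure flags
  # differ from the last recorded build.
  template:
    src: .nginx_compilation_flags.j2
    dest: "{{nginx_dir}}/.nginx_compilation_flags"
  register: nginx_flags

- name: Nginx | Kill Nginx (old threads)
  # pkill matches on process name, so any process called nginx on the host is
  # signalled, not only the one this role manages
  command: pkill nginx
  ignore_errors: yes
  when: nginx_flags.changed

- name: Nginx | Compile the Nginx source
  # The directory is the one the unpack task above creates (nginx-<version>),
  # not {{nginx}}-<version>: {{nginx}} is the package name used by package.yml
  # and need not equal "nginx". Runs as root inside the /tmp build tree;
  # nginx_source_configure_flags is interpolated unquoted into the shell line.
  shell: >
    cd /tmp/nginx-{{nginx_source_version}} &&
    ./configure {{nginx_source_configure_flags}} &&
    make &&
    make install
  when: nginx_flags.changed

- name: Nginx | Update the symbolic link to the nginx install
  file:
    path: /usr/local/nginx/default
    src: "{{nginx_source_prefix}}"
    state: link
    force: yes

- name: Nginx | Install the upstart init script
  template:
    src: nginx.init.j2
    dest: /etc/init.d/nginx
    owner: root
    group: root
    mode: 0755
  notify:
    - restart nginx

- name: Nginx | Register Nginx as a service
  service:
    name: nginx
    enabled: yes
--------------------------------------------------------------------------------
/tasks/user.yml:
--------------------------------------------------------------------------------
# file: nginx/tasks/user.yml
#
# Creates the unprivileged account nginx workers run as: a system user with a
# nologin shell and no password set. Its shadow entry is read back only so the
# chage task can report whether it changed anything.

- name: Nginx | Make sure the nginx group is present
  group:
    gid: "{{nginx_gid}}"
    name: "{{nginx_group}}"
    state: present

- name: Nginx | Make sure the www directory is present
  file:
    path: "{{nginx_www_dir}}"
    state: directory

- name: Nginx | Make sure the nginx user is present
  user:
    name: "{{nginx_user}}"
    uid: "{{nginx_uid}}"
    group: "{{nginx_group}}"
    comment: "Nginx user"
    home: "{{nginx_www_dir}}"
    shell: /bin/false
    state: present
    system: yes

- name: Nginx | Set the right directory permissions for the www directory
  file:
    path: "{{nginx_www_dir}}"
    owner: "{{nginx_user}}"
    group: "{{nginx_group}}"
    mode: 0755
    state: directory

- name: Nginx | Check the current password expiry
  # Anchored to "^user:" so a user such as "www" cannot also match "www-data".
  # The shadow line is kept out of play output with no_log; it is only needed
  # for the changed_when comparison in the next task.
  command: grep '^{{nginx_user}}:' /etc/shadow
  become: yes
  register: nginx_old_password
  changed_when: false
  no_log: true

- name: Nginx | Set the right expiration on the nginx user
  # Clears inactivity (-I), expiry (-E), min/max age (-m/-M) and warning (-W)
  # so the service account never locks itself; the task reports "changed"
  # only when the shadow line differs from the one read above.
  shell: "chage -I -1 -E -1 -m -1 -M -1 -W -1 {{nginx_user}} && grep '^{{nginx_user}}:' /etc/shadow"
  become: yes
  register: nginx_new_password
  changed_when: nginx_new_password.stdout != nginx_old_password.stdout
  no_log: true
--------------------------------------------------------------------------------
/templates/.nginx_compilation_flags.j2:
--------------------------------------------------------------------------------
# This file is used to track the nginx build flags, DO NOT CHANGE MANUALLY
{{nginx_source_version}}
{{nginx_source_configure_flags}}
--------------------------------------------------------------------------------
/templates/default.site.j2:
--------------------------------------------------------------------------------
server {
    listen 80;
    server_name {{inventory_hostname}};

    access_log {{nginx_log_dir}}/default.access.log;

    location / {
        root {{nginx_default_root}};
        index index.html index.htm;
    }
}
--------------------------------------------------------------------------------
/templates/etc_monit_conf.d_nginx.j2:
--------------------------------------------------------------------------------
check process nginx with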
pidfile {{nginx_pid}} 2 | group www 3 | start program = "/etc/init.d/nginx start" 4 | stop program = "/etc/init.d/nginx stop" 5 | if failed host localhost port 80 protocol http 6 | with timeout 10 seconds 7 | then restart 8 | if 5 restarts within 5 cycles then timeout 9 | -------------------------------------------------------------------------------- /templates/modules/authorized_ips.j2: -------------------------------------------------------------------------------- 1 | geo ${{nginx_remote_ip_var}} $authorized_ip { 2 | default no; 3 | {% for ip in nginx_authorized_ips %} 4 | {{ip}} yes; 5 | {% endfor %} 6 | } 7 | -------------------------------------------------------------------------------- /templates/modules/http_gzip_static.conf.j2: -------------------------------------------------------------------------------- 1 | gzip_static {{nginx_gzip_static}}; 2 | -------------------------------------------------------------------------------- /templates/modules/http_realip.conf.j2: -------------------------------------------------------------------------------- 1 | {% for address in nginx_realip_addresses %} 2 | set_real_ip_from {{address}}; 3 | {% endfor %} 4 | real_ip_header {{nginx_realip_header}}; 5 | real_ip_recursive {{nginx_realip_real_ip_recursive}}; 6 | -------------------------------------------------------------------------------- /templates/modules/nginx_status.j2: -------------------------------------------------------------------------------- 1 | include authorized_ips; 2 | 3 | server { 4 | listen 8090; 5 | server_name _; 6 | 7 | location /nginx_status { 8 | if ($authorized_ip = no) { 9 | return 404; 10 | } 11 | stub_status on; 12 | access_log off; 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /templates/modules/upload_progress.j2: -------------------------------------------------------------------------------- 1 | upload_progress {{nginx_upload_progress_zone_name}} 
{{nginx_upload_progress_zone_size}}; 2 | {% if nginx_upload_progress_javascript_output %} 3 | upload_progress_java_output; 4 | {% endif %} 5 | -------------------------------------------------------------------------------- /templates/nginx.conf.j2: -------------------------------------------------------------------------------- 1 | user {{nginx_user}}{% if nginx_user != nginx_group%} {{nginx_group}}{% endif %}; 2 | worker_processes {{nginx_worker_processes}}; 3 | {% if nginx_daemon_disable %} 4 | daemon off; 5 | {% endif %} 6 | {% if nginx_worker_rlimit_nofile %} 7 | worker_rlimit_nofile {{nginx_worker_rlimit_nofile}}; 8 | {% endif %} 9 | 10 | error_log {{nginx_log_dir}}/{{nginx_error_log_filename}}{% if nginx_error_log_options %} {{nginx_error_log_options}}{% endif %}; 11 | pid {{nginx_pid}}; 12 | 13 | events { 14 | worker_connections {{nginx_worker_connections}}; 15 | {% if nginx_multi_accept %} 16 | multi_accept on; 17 | {% endif %} 18 | {% if nginx_event %} 19 | use {{nginx_event}}; 20 | {% endif %} 21 | } 22 | 23 | http { 24 | {% if nginx_install_method == "source" %} 25 | {% if nginx_source_modules_included.naxsi_module is defined %} 26 | include {{nginx_dir}}/naxsi_core.rules; 27 | {% endif %} 28 | {% endif %} 29 | 30 | include {{nginx_dir}}/mime.types; 31 | default_type application/octet-stream; 32 | 33 | {% if nginx_charset %} 34 | charset {{nginx_charset}}; 35 | {% endif %} 36 | 37 | {% if nginx_disable_access_log %} 38 | access_log off; 39 | {% else %} 40 | {% for log in nginx_access_logs %} 41 | {% if 'format' in log %} 42 | log_format {{log['name']}} {{log['format']}}; 43 | {% endif %} 44 | access_log {{nginx_log_dir}}/{{log['filename']}} {{log['name']}}{% if 'options' in log and log['options']|lower != 'none' %} {{log['options']}}{% endif %}; 45 | {% endfor %} 46 | {% endif %} 47 | {% if nginx_server_tokens %} 48 | server_tokens {{nginx_server_tokens}}; 49 | {% endif %} 50 | 51 | sendfile {{nginx_sendfile}}; 52 | tcp_nopush on; 53 | tcp_nodelay on; 
54 | 55 | {% if nginx_keepalive == 'on' %} 56 | # Timeouts 57 | keepalive_timeout {{nginx_keepalive_timeout}}; 58 | client_body_timeout {{nginx_client_body_timeout}}; 59 | client_header_timeout {{nginx_client_header_timeout}}; 60 | send_timeout {{nginx_send_timeout}}; 61 | {% endif %} 62 | 63 | gzip {{nginx_gzip}}; 64 | {% if nginx_gzip == 'on' %} 65 | gzip_http_version {{nginx_gzip_http_version}}; 66 | gzip_comp_level {{nginx_gzip_comp_level}}; 67 | gzip_proxied {{nginx_gzip_proxied}}; 68 | gzip_vary {{nginx_gzip_vary}}; 69 | {% if nginx_gzip_buffers %} 70 | gzip_buffers {{nginx_gzip_buffers}}; 71 | {% endif %} 72 | gzip_types {{nginx_gzip_types|join(' ')}}; 73 | gzip_min_length {{nginx_gzip_min_length}}; 74 | gzip_disable "{{nginx_gzip_disable}}"; 75 | {% endif %} 76 | 77 | {% if nginx_install_method == "source" %} 78 | {% if nginx_geoip == 'on' %} 79 | geoip_country {{nginx_geoip_country}}; 80 | geoip_city {{nginx_geoip_city}}; 81 | {% endif %} 82 | {% endif %} 83 | 84 | {% if nginx_buffers == 'on' %} 85 | client_body_buffer_size {{nginx_client_body_buffer_size}}; 86 | client_header_buffer_size {{nginx_client_header_buffer_size}}; 87 | client_max_body_size {{nginx_client_max_body_size}}; 88 | large_client_header_buffers {{nginx_large_client_header_buffers}}; 89 | {% endif %} 90 | 91 | server_names_hash_bucket_size {{nginx_server_names_hash_bucket_size}}; 92 | types_hash_max_size {{nginx_types_hash_max_size}}; 93 | types_hash_bucket_size {{nginx_types_hash_bucket_size}}; 94 | {% if nginx_proxy_read_timeout %} 95 | proxy_read_timeout {{nginx_proxy_read_timeout}}; 96 | {% endif %} 97 | 98 | {% if nginx_enable_rate_limiting %} 99 | limit_req_zone $binary_remote_addr zone={{nginx_rate_limiting_zone_name}}:{{nginx_rate_limiting_backoff}} rate={{nginx_rate_limit}}; 100 | {% endif %} 101 | 102 | include {{nginx_dir}}/conf.d/*.conf; 103 | include {{nginx_dir}}/sites-enabled/*; 104 | } 105 | -------------------------------------------------------------------------------- 
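/templates/nginx.init.j2:
--------------------------------------------------------------------------------
#!/bin/sh

### BEGIN INIT INFO
# Provides:          nginx
# Required-Start:    $local_fs $remote_fs $network $syslog
# Required-Stop:     $local_fs $remote_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts the nginx web server
# Description:       starts nginx using start-stop-daemon
### END INIT INFO

# Role-rendered init script: DAEMON and PID come from the role's
# nginx_source_prefix / nginx_pid variables; DAEMON_OPTS and ULIMIT may be
# supplied by /etc/default/nginx when that file exists.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON={{nginx_source_prefix}}/sbin/nginx
NAME=nginx
DESC=nginx
PID={{nginx_pid}}

# Include nginx defaults if available
if [ -f /etc/default/nginx ]; then
    . /etc/default/nginx
fi

# A missing binary is not an error for the init system
test -x $DAEMON || exit 0

set -e

. /lib/lsb/init-functions

# Validate the configuration; on failure run the test again without the
# redirect so the error text reaches the caller, and pass its status back.
test_nginx_config() {
    if $DAEMON -t $DAEMON_OPTS >/dev/null 2>&1; then
        return 0
    else
        $DAEMON -t $DAEMON_OPTS
        return $?
    fi
}

case "$1" in
    start)
        echo -n "Starting $DESC: "
        test_nginx_config
        # Check if the ULIMIT is set in /etc/default/nginx
        if [ -n "$ULIMIT" ]; then
            # Set the ulimits
            ulimit $ULIMIT
        fi
        start-stop-daemon --start --quiet --pidfile $PID \
            --exec $DAEMON -- $DAEMON_OPTS || true
        echo "$NAME."
        ;;

    stop)
        echo -n "Stopping $DESC: "
        start-stop-daemon --stop --quiet --pidfile $PID \
            --exec $DAEMON || true
        echo "$NAME."
        ;;

    restart|force-reload)
        echo -n "Restarting $DESC: "
        start-stop-daemon --stop --quiet --pidfile \
            $PID --exec $DAEMON || true
        sleep 1
        test_nginx_config
        start-stop-daemon --start --quiet --pidfile \
            $PID --exec $DAEMON -- $DAEMON_OPTS || true
        echo "$NAME."
        ;;

    reload)
        echo -n "Reloading $DESC configuration: "
        test_nginx_config
        start-stop-daemon --stop --signal HUP --quiet --pidfile $PID \
            --exec $DAEMON || true
        echo "$NAME."
        ;;

    configtest|testconfig)
        echo -n "Testing $DESC configuration: "
        if test_nginx_config; then
            echo "$NAME."
        else
            exit $?
        fi
        ;;

    status)
        status_of_proc -p $PID "$DAEMON" nginx && exit 0 || exit $?
        ;;
    *)
        echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest}" >&2
        exit 1
        ;;
esac

exit 0
--------------------------------------------------------------------------------
/templates/nxdissite.j2:
--------------------------------------------------------------------------------
#!/bin/sh -e
#
# nxdissite: remove the sites-enabled symlink for one site so nginx stops
# serving it on the next reload. Installed to /usr/sbin and run as root, so
# the site name is validated before it is spliced into any path and every
# expansion is quoted.

SYSCONFDIR='{{nginx_dir}}'

if [ -z "$1" ]; then
    echo "Which site would you like to disable?"
    echo -n "Your choices are: "
    ls "$SYSCONFDIR"/sites-enabled/* | \
        sed -e "s,$SYSCONFDIR/sites-enabled/,,g" | xargs echo
    echo -n "Site name? "
    read SITENAME
else
    SITENAME=$1
fi

# A site name is a single file name inside sites-enabled; an empty name, "."
# or "..", or anything containing a path separator is refused so the rm
# below can never touch a file outside that directory.
case "$SITENAME" in
    ""|.|..|*/*)
        echo "Invalid site name: '$SITENAME'"
        exit 1
        ;;
esac

if [ "$SITENAME" = "default" ]; then
    PRIORITY="000"
fi

if ! [ -e "$SYSCONFDIR/sites-enabled/$SITENAME" -o \
       -e "$SYSCONFDIR/sites-enabled/${PRIORITY}-${SITENAME}" ]; then
    echo "This site is already disabled, or does not exist!"
    exit 1
fi

# The default site may be enabled under its priority-prefixed name; try the
# plain name first and fall back to the prefixed one.
if ! rm "$SYSCONFDIR/sites-enabled/$SITENAME" 2>/dev/null; then
    rm -f "$SYSCONFDIR/sites-enabled/${PRIORITY}-${SITENAME}"
fi
echo "Site $SITENAME disabled; reload nginx to disable."
--------------------------------------------------------------------------------
/templates/nxensite.j2:
--------------------------------------------------------------------------------
#!/bin/sh -e
#
# nxensite: link a site from sites-available into sites-enabled. Installed to
# /usr/sbin and run as root, so the site name is validated before it is
# spliced into any path and every expansion is quoted. The default site is
# linked under a "000-" prefix so it sorts first.

SYSCONFDIR='{{nginx_dir}}'

if [ -z "$1" ]; then
    echo "Which site would you like to enable?"
    echo -n "Your choices are: "
    ls "$SYSCONFDIR"/sites-available/* | \
        sed -e "s,$SYSCONFDIR/sites-available/,,g" | xargs echo
    echo -n "Site name? "
    read SITENAME
else
    SITENAME=$1
fi

# Same validation as nxdissite: one file name, no path separators, not "."/"..".
case "$SITENAME" in
    ""|.|..|*/*)
        echo "Invalid site name: '$SITENAME'"
        exit 1
        ;;
esac

if [ "$SITENAME" = "default" ]; then
    PRIORITY="000"
fi

if [ -e "$SYSCONFDIR/sites-enabled/$SITENAME" -o \
     -e "$SYSCONFDIR/sites-enabled/${PRIORITY}-${SITENAME}" ]; then
    echo "This site is already enabled!"
    exit 0
fi

if ! [ -e "$SYSCONFDIR/sites-available/$SITENAME" ]; then
    echo "This site does not exist!"
    exit 1
fi

if [ "$SITENAME" = "default" ]; then
    ln -sf "$SYSCONFDIR/sites-available/$SITENAME" \
        "$SYSCONFDIR/sites-enabled/${PRIORITY}-${SITENAME}"
else
    ln -sf "$SYSCONFDIR/sites-available/$SITENAME" "$SYSCONFDIR/sites-enabled/$SITENAME"
fi

echo "Site $SITENAME installed; reload nginx to enable."
--------------------------------------------------------------------------------
/templates/site.j2:
--------------------------------------------------------------------------------
{# One server block per nginx_sites entry. Every key of item.server other than
   name and the location* keys is written out verbatim as a directive, with no
   escaping, so these values must come from trusted inventory only.
   .items() is used instead of .iteritems() so the template renders on a
   Python 3 controller as well as on Python 2. #}
server {

{% for k,v in item.server.items() %}
{% if k.find('location') == -1 and k != 'name' %}
    {{ k }} {{ v }};
{% endif %}
{% endfor %}

{% for k,v in item.server.items() if k.find('location') != -1 %}
    location {{ v.name }} {
    {% for x,y in v.items() if x != 'name' %}
        {{ x }} {{ y }};
    {% endfor %}
    }
{% endfor %}

}
--------------------------------------------------------------------------------
/test.yml:
--------------------------------------------------------------------------------
- hosts: all
  vars_files:
    - 'defaults/main.yml'
  tasks:
    - name: install the dependencies
      apt:
        pkg: "{{item}}"
        state: present
        update_cache: yes
      with_items: ["perl", "libperl-dev", "monit", "build-essential", "python-httplib2"]
    - include: 'tasks/main.yml'
    -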
name: Nginx | Check if nginx is available 13 | uri: url="http://127.0.0.1" status=200 14 | 15 | handlers: 16 | - name: restart monit 17 | service: 18 | name: monit 19 | state: restarted 20 | - include: 'handlers/main.yml' 21 | -------------------------------------------------------------------------------- /vagrant-inventory: -------------------------------------------------------------------------------- 1 | [anxs] 2 | anxs.local ansible_ssh_user=vagrant ansible_ssh_host=192.168.88.16 ansible_ssh_port=22 3 | --------------------------------------------------------------------------------