Introduction

This role sets up nginx web server configurations with support for multiple servers and locations. It supports SSL, proxying, fastcgi, and various authentication methods like LDAP. Configuration is done through Ansible variables that define server and location blocks.

The role creates configuration files in:

  • etc/nginx/conf.d for server configurations
  • etc/nginx/location.d for location configurations
  • etc/nginx/server.d/<server_name> for additional server-specific configurations

Configuration

All configuration is done through Ansible variables.

Global Variables

nginx_user

The user to run nginx as. Defaults to root.

nginx_group

The group to run nginx as. Defaults to root.

nginx_core

Global nginx core settings that apply to the http block:

nginx_core:
  access_log: 'syslog:server=unix:/dev/log'
  error_log: 'syslog:server=unix:/dev/log'

nginx_hostname

Sets the default hostname used in server configurations:

nginx_hostname: ".example.com"

nginx_authdaemons

List of authentication daemons to enable:

nginx_authdaemons:
  - ldap

To add a custom auth daemon, see the implementation of the LDAP one.

nginx_authd_ldap

LDAP authentication daemon settings (in the original example these live in host_vars/wachter-front.yml):

nginx_authd_ldap:
  bind: tcp
  bind_address: 192.168.29.10

Server Configuration Variables

nginx_servers

List of server configurations. Each server can be either SSL-enabled or non-SSL.

nginx_servers:
  - name: default
    server_name: "{{nginx_hostname}}"
    ssl_rewrite_root: True
    acme_norewrite: True
  - name: default_ssl
    server_name: "{{nginx_hostname}}"
    ssl_key: /etc/ssl/keys/wachter-chained-single.pem
    ssl: True
    default_server: True
  - name: autodiscover
    server_name: "autodiscover.example.com"
    ssl_key: /etc/ssl/keys/wachter-chained-single.pem
    ssl: True

Available server keys:

  • name: Unique name for the server configuration
  • server_name: The server name(s) to match
  • ssl: Enable SSL for this server (boolean)
  • ssl_key: Path to the SSL private key file
  • ssl_certificate: Path to the SSL certificate file (optional when the certificate chain is bundled in the ssl_key file)
  • ssl_ciphers: SSL ciphers to use (default: strong cipher suite)
  • ssl_protocols: SSL protocols to use (default: TLSv1.1 TLSv1.2)
  • ssl_rewrite_root: When true, redirects all non-SSL requests to SSL
  • acme_norewrite: When true, excludes ACME challenge from SSL rewrite rules
  • acme_proxy: When true, enables ACME proxy for this server
  • acme_proxy_target: Target for ACME proxy when acme_proxy is enabled
  • port: Listen port (defaults to 80 for non-SSL, 443 for SSL)
  • listen_opts: Additional options for the listen directive
  • address: The IP address to bind to (default: *)
  • default_server: When true, this server is the default server
  • no_http2: When true, disables HTTP/2 (default: false for SSL, true for HTTP)
  • ipv6only: IPv6 only setting (default: not set)
  • root: Root path to serve files from
  • error_pages: List of error pages to define
  • recursive_error_pages: Enable recursive error pages
  • max_body_size: Maximum body size for client requests
  • other: List of additional configurations to include in the server block

Location Configuration Variables

nginx_locations

List of location configurations that can be linked to servers:

nginx_locations:
  - name: acme
    servers:
      - default
    location: "/.well-known/acme-challenge"
    alias: "/srv/www/htdocs/.well-known/acme-challenge"
  - name: dump
    servers:
      - default_ssl
    location: "/dump"
    proxy: True
    destination: "http://meteor.example.com/"
    rewrite:
      - "^/dump$ /dump/ permanent"
      - "/dump/(.*) /$1 break"
  - name: plex
    servers:
      - plex
    location: "/"
    proxy: True
    destination: "http://plex.example.com:32400/"

Available location keys:

  • alias: Alias directive for this location
  • destination: Target URL for proxied requests
  • error_pages: List of error pages to define
  • fastcgi: When true, enable fastcgi for this location
  • fastcgi_document_root: FastCGI document root
  • fastcgi_index: FastCGI index directive
  • fastcgi_intercept_errors: Intercepts fastcgi errors (boolean)
  • fastcgi_pass: FastCGI pass directive
  • fastcgi_script_filename: FastCGI script filename
  • index: Index directive for this location
  • location: Location pattern (regex, prefix, etc.)
  • name: Unique name for the location configuration
  • other: List of additional configurations to include
  • proxy: When true, enable proxy for this location
  • proxy_buffering: Proxy buffering (default: off)
  • proxy_cache: Proxy cache configuration
  • proxy_cookie_path: Rewrite cookie path
  • proxy_forward_header: Add X-Forwarded-For header (boolean)
  • proxy_headers: List of additional proxy headers
  • proxy_host: Proxy host header (default: $host)
  • proxy_read_timeout: Proxy read timeout (default: 300s)
  • proxy_redirect: Proxy redirect configuration
  • proxy_request_buffering: Proxy request buffering (default: on)
  • recursive_error_pages: Enable recursive error pages
  • redirect: Redirect directive (301 redirect)
  • rewrite: List of rewrite rules
  • root: Root directive for this location
  • servers: List of server names that this location applies to
  • try_files: Try files directive for this location
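As an added example, not part of the role: a pre-flight check for the nginx_servers and nginx_locations variables as documented above. It flags the inconsistencies the role itself would only surface at nginx start (a location whose servers entry names an undefined server, proxy without destination, fastcgi without fastcgi_pass, two default_server entries on one address:port) and warns when ssl_protocols, including the documented TLSv1.1 TLSv1.2 default, still allows a deprecated version. The key names follow the tables above; the function name validate is my own.

```python
# Added example, not part of the role: a pre-flight check for the documented
# nginx_servers / nginx_locations variables, run before the playbook.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ROLE_DEFAULT_PROTOCOLS = "TLSv1.1 TLSv1.2"  # documented default for ssl_protocols


def validate(servers, locations):
    """Return a list of problems; an empty list means the variables are consistent."""
    problems = []
    names = [s.get("name") for s in servers]
    for dup in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"duplicate server name {dup!r}")

    defaults = {}  # (address, port) -> names of servers claiming default_server
    for s in servers:
        name, ssl = s.get("name", "<unnamed>"), bool(s.get("ssl"))
        if ssl and not s.get("ssl_key"):
            problems.append(f"server {name!r}: ssl is true but ssl_key is not set")
        if ssl:
            protos = s.get("ssl_protocols", ROLE_DEFAULT_PROTOCOLS)
            weak = sorted(DEPRECATED_PROTOCOLS.intersection(protos.split()))
            if weak:
                problems.append(f"server {name!r}: ssl_protocols {protos!r} allows {weak}")
        if s.get("acme_proxy") and not s.get("acme_proxy_target"):
            problems.append(f"server {name!r}: acme_proxy without acme_proxy_target")
        if s.get("default_server"):
            key = (s.get("address", "*"), s.get("port", 443 if ssl else 80))
            defaults.setdefault(key, []).append(name)
    for (address, port), claimants in defaults.items():
        if len(claimants) > 1:  # nginx refuses two default_server on one socket
            problems.append(f"{address}:{port}: several default_server entries {claimants}")

    for loc in locations:
        lname = loc.get("name", "<unnamed>")
        for target in loc.get("servers", []):
            if target not in names:
                problems.append(f"location {lname!r}: references undefined server {target!r}")
        if loc.get("proxy") and not loc.get("destination"):
            problems.append(f"location {lname!r}: proxy is true but destination is not set")
        if loc.get("fastcgi") and not loc.get("fastcgi_pass"):
            problems.append(f"location {lname!r}: fastcgi is true but fastcgi_pass is not set")
    return problems
```

Load the host or group vars with a YAML parser and pass the two lists to validate(); the nginx_locations example above, for instance, is reported because its plex location points at a server that nginx_servers never defines.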

Features and Additional Configuration

nginx_features

List of additional features to enable:

nginx_features:
  - php
  - fcgi
  - ldap

nginx_with_php

Enable PHP support:

nginx_with_php: True

nginx_locations_from_roles

Include location configurations from other roles:

nginx_locations_from_roles:
  mantis:
    var: mantis-nginx
    file: nginx_locations.yml

nginx_http_zones

Firewall zones in which HTTP access is opened:

nginx_http_zones:
  - public
  - internal

nginx_https_zones

Firewall zones in which HTTPS access is opened:

nginx_https_zones:
  - public
  - internal

Examples

Basic SSL server configuration

nginx_servers:
  - name: default_ssl
    server_name: "example.com"
    ssl_key: /etc/ssl/private/example.com.key
    ssl_certificate: /etc/ssl/certs/example.com.crt
    ssl: True
    default_server: True

nginx_locations:
  - name: root
    servers:
      - default_ssl
    location: "/"
    proxy: True
    destination: "http://localhost:3000/"

Multiple servers with different configurations

nginx_servers:
  - name: default
    server_name: "example.com"
    ssl_rewrite_root: True
  - name: ssl_server
    server_name: "example.com"
    ssl_key: /etc/ssl/private/example.com.key
    ssl_certificate: /etc/ssl/certs/example.com.crt
    ssl: True
    default_server: True

nginx_locations:
  - name: api
    servers:
      - ssl_server
    location: "/api"
    proxy: True
    destination: "http://localhost:8080/"
  - name: web
    servers:
      - default
      - ssl_server
    location: "/"
    root: /var/www/html

PHP configuration

nginx_with_php: True
nginx_features:
  - php

nginx_locations:
  - name: php
    servers:
      - default
    index: "index.html index.htm index.php"
    location: "~ \\.php$"
    fastcgi: True
    fastcgi_pass: "unix:/var/run/php-fpm.sock"
    fastcgi_index: "index.php"
    fastcgi_document_root: "/var/www/html/"
    other:
      - "fastcgi_split_path_info ^(.+\\.php)(/.+)$"

LDAP authentication configuration

nginx_authdaemons:
  - ldap

nginx_authd_ldap:
  bind: tcp
  bind_address: 192.168.29.10

nginx_locations:
  - name: auth
    servers:
      - default
    location: "/secure"
    proxy: True
    destination: "http://localhost:8080/"
    other:
      - "auth_basic \"Restricted Area\""
      - "auth_basic_user_file /etc/nginx/htpasswd"