Introduction
This role sets up nginx web server configurations with support for multiple servers and locations. It supports SSL, proxying, fastcgi, and various authentication methods like LDAP. Configuration is done through Ansible variables that define server and location blocks.
The role creates configuration files in:
- /etc/nginx/conf.d for server configurations
- /etc/nginx/location.d for location configurations
- /etc/nginx/server.d/<server_name> for additional server-specific configurations
Configuration
All configuration is done through Ansible variables.
Global Variables
nginx_user
The user to run nginx as. Defaults to root. Set this to a dedicated unprivileged account: nginx's user directive applies to the worker processes that handle requests, while the master process still starts as root so it can bind ports 80 and 443 and read the private keys. Leaving the workers as root means any request-handling bug runs with full privileges.
nginx_group
The group to run nginx as. Defaults to root; set it alongside nginx_user.
nginx_core
Global nginx core settings that apply to the http block:
  nginx_core:
    access_log: 'syslog:server=unix:/dev/log'
    error_log: 'syslog:server=unix:/dev/log'
nginx_hostname
Sets the default hostname used in server configurations:
nginx_hostname: ".example.com"
nginx_authdaemons
List of authentication daemons to enable:
  nginx_authdaemons:
    - ldap
To add a custom auth daemon, follow the implementation of the LDAP one.
nginx_authd_ldap
LDAP authentication daemon settings (the values below are taken from host_vars/wachter-front.yml):
  nginx_authd_ldap:
    bind: tcp
    bind_address: 192.168.29.10
Bind the daemon to an internal address only; it needs to be reachable from this nginx instance, not from clients.
Server Configuration Variables
nginx_servers
List of server configurations. Each server can be either SSL-enabled or non-SSL.
  nginx_servers:
    - name: default
      server_name: "{{nginx_hostname}}"
      ssl_rewrite_root: True
      acme_norewrite: True
    - name: default_ssl
      server_name: "{{nginx_hostname}}"
      ssl_key: /etc/ssl/keys/wachter-chained-single.pem
      ssl: True
      default_server: True
    - name: autodiscover
      server_name: "autodiscover.example.com"
      ssl_key: /etc/ssl/keys/wachter-chained-single.pem
      ssl: True
Available server keys:
- name: Unique name for the server configuration
- server_name: The server name(s) to match
- ssl: Enable SSL/TLS for this server (boolean)
- ssl_key: Path to the private key file
- ssl_certificate: Path to the certificate file (optional when the certificate chain is in the same PEM file as the key, as in the chained-single example above)
- ssl_ciphers: Cipher suites to use (default: strong cipher suite)
- ssl_protocols: Protocols to allow (default: TLSv1.1 TLSv1.2). TLSv1.1 is deprecated (RFC 8996); set this explicitly to TLSv1.2 TLSv1.3 where the installed nginx and OpenSSL support it.
- ssl_rewrite_root: When true, redirects all non-SSL requests to SSL
- acme_norewrite: When true, excludes the ACME challenge path from the SSL rewrite rules so the challenge is served over plain HTTP
- acme_proxy: When true, enables ACME proxy for this server
- acme_proxy_target: Target for ACME proxy when acme_proxy is enabled
- port: Listen port (defaults to 80 for non-SSL, 443 for SSL)
- listen_opts: Additional options for the listen directive
- address: The IP address to bind to (default: *)
- default_server: When true, this server is the default server for its address:port; set it on at most one server per listen address and port
- no_http2: When true, disables HTTP/2 (default: false for SSL, true for HTTP)
- ipv6only: IPv6 only setting (default: not set)
- root: Root path to serve files from
- error_pages: List of error pages to define
- recursive_error_pages: Enable recursive error pages
- max_body_size: Maximum client request body size (client_max_body_size)
- other: List of additional raw directives to include verbatim in the server block
Location Configuration Variables
nginx_locations
List of location configurations that can be linked to servers:
  nginx_locations:
    - name: acme
      servers:
        - default
      location: "/.well-known/acme-challenge"
      alias: "/srv/www/htdocs/.well-known/acme-challenge"
    - name: dump
      servers:
        - default_ssl
      location: "/dump"
      proxy: True
      destination: "http://meteor.example.com/"
      rewrite:
        - "^/dump$ /dump/ permanent"
        - "/dump/(.*) /$1 break"
    - name: plex
      servers:
        - plex
      location: "/"
      proxy: True
      destination: "http://plex.example.com:32400/"
Available location keys:
- alias: Alias directive for this location
- destination: Target URL for proxied requests
- error_pages: List of error pages to define
- fastcgi: When true, enable fastcgi for this location
- fastcgi_document_root: FastCGI document root
- fastcgi_index: FastCGI index directive
- fastcgi_intercept_errors: Intercept fastcgi errors (boolean)
- fastcgi_pass: FastCGI pass directive
- fastcgi_script_filename: FastCGI script filename
- index: Index directive for this location
- location: Location pattern (regex, prefix, etc.)
- name: Unique name for the location configuration
- other: List of additional raw directives to include verbatim in the location block
- proxy: When true, enable proxying for this location
- proxy_buffering: Proxy buffering (default: off)
- proxy_cache: Proxy cache configuration
- proxy_cookie_path: Rewrite cookie path
- proxy_forward_header: Add the X-Forwarded-For header (boolean). The backend should only trust this header when the request arrives from this proxy, since clients can send their own copy.
- proxy_headers: List of additional proxy headers
- proxy_host: Value for the proxied Host header (default: $host)
- proxy_read_timeout: Proxy read timeout (default: 300s)
- proxy_redirect: Proxy redirect configuration
- proxy_request_buffering: Proxy request buffering (default: on)
- recursive_error_pages: Enable recursive error pages
- redirect: Redirect directive (301 redirect)
- rewrite: List of rewrite rules
- root: Root directive for this location
- servers: List of server names (the name key of nginx_servers entries) that this location applies to
- try_files: Try files directive for this location
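Because the servers and locations are plain Ansible data, the mistakes that the two key lists above make possible (a location pointing at a server name that is never defined, ssl set without ssl_key, a proxy location with no destination, two servers both claiming default_server on the same address and port, or the documented ssl_protocols default quietly permitting TLSv1.1) can be caught before the role ever renders a template. The following script is an added example, not code from the role: it is a standalone linter for the variable layout documented here. The sample data is constructed for this example, the defaults it assumes (port 80/443, address *, ssl_protocols "TLSv1.1 TLSv1.2") are the ones stated in the key list, and it does not model the role's own templates.

```python
"""Lint an nginx_servers / nginx_locations variable set before running the role.

Added example, not part of the role. Sample data below is constructed for this
example; the checks follow the key semantics documented in the README.
"""
from collections import Counter

# Constructed sample mirroring the documented variable layout.
SAMPLE_SERVERS = [
    {"name": "default", "server_name": "example.com",
     "ssl_rewrite_root": True, "acme_norewrite": True},
    {"name": "default_ssl", "server_name": "example.com", "ssl": True,
     "ssl_key": "/etc/ssl/private/example.com.key",
     "ssl_certificate": "/etc/ssl/certs/example.com.crt",
     "default_server": True},
]
SAMPLE_LOCATIONS = [
    {"name": "acme", "servers": ["default"],
     "location": "/.well-known/acme-challenge",
     "alias": "/srv/www/htdocs/.well-known/acme-challenge"},
    {"name": "api", "servers": ["default_ssl"], "location": "/api",
     "proxy": True, "destination": "http://localhost:8080/"},
]

# Role default as documented above; TLSv1.1 is deprecated (RFC 8996).
DEFAULT_SSL_PROTOCOLS = "TLSv1.1 TLSv1.2"
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def lint(servers, locations):
    """Return a list of (severity, message) tuples; an empty list is clean."""
    findings = []
    counts = Counter(s.get("name") for s in servers)
    for name, n in counts.items():
        if n > 1:
            findings.append(("error", f"server {name!r} is defined {n} times"))
    known = set(counts)

    defaults = Counter()  # (address, port) -> number of default_server claims
    for s in servers:
        name = s.get("name")
        ssl = bool(s.get("ssl", False))
        # Documented defaults: address "*", port 443 for SSL servers, 80 otherwise.
        key = (s.get("address", "*"), s.get("port", 443 if ssl else 80))
        if s.get("default_server"):
            defaults[key] += 1
        if ssl:
            if not s.get("ssl_key"):
                findings.append(("error", f"server {name!r}: ssl is true but ssl_key is missing"))
            protos = set(str(s.get("ssl_protocols", DEFAULT_SSL_PROTOCOLS)).split())
            weak = sorted(protos & WEAK_PROTOCOLS)
            if weak:
                findings.append(("warn", f"server {name!r}: ssl_protocols permits "
                                         f"{' '.join(weak)}; set ssl_protocols explicitly"))
        elif not s.get("ssl_rewrite_root"):
            findings.append(("info", f"server {name!r}: plain-HTTP server with no ssl_rewrite_root"))
    for (addr, port), n in defaults.items():
        if n > 1:
            findings.append(("error", f"{n} servers claim default_server on {addr}:{port}"))

    for loc in locations:
        label = loc.get("name", "<unnamed>")
        if not loc.get("location"):
            findings.append(("error", f"location {label!r}: no location pattern"))
        for ref in loc.get("servers", []):
            if ref not in known:
                findings.append(("error", f"location {label!r}: references undefined server {ref!r}"))
        if loc.get("proxy") and not loc.get("destination"):
            findings.append(("error", f"location {label!r}: proxy is true but destination is missing"))
        if loc.get("fastcgi"):
            if not loc.get("fastcgi_pass"):
                findings.append(("error", f"location {label!r}: fastcgi is true but fastcgi_pass is missing"))
            if not loc.get("try_files"):
                # Without try_files, a request for a path that does not resolve to a
                # real script is still handed to the FastCGI backend.
                findings.append(("warn", f"location {label!r}: fastcgi location without try_files"))
    return findings


def has_errors(findings):
    """True when any finding is an error (the playbook run should stop)."""
    return any(sev == "error" for sev, _ in findings)


if __name__ == "__main__":
    for sev, msg in lint(SAMPLE_SERVERS, SAMPLE_LOCATIONS):
        print(f"{sev}: {msg}")
```

Run against the constructed sample, the only finding is the warning that default_ssl inherits the TLSv1.1 default; replacing a location's server reference with an undefined name, or dropping destination from a proxy location, turns that into errors. Wiring this into a pre-task or a CI step keeps a typo in a servers list from silently producing a location that is attached to nothing.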
Features and Additional Configuration
nginx_features
List of additional features to enable:
  nginx_features:
    - php
    - fcgi
    - ldap
nginx_with_php
Enable PHP support:
nginx_with_php: True
nginx_locations_from_roles
Include location configurations from other roles:
  nginx_locations_from_roles:
    mantis:
      var: mantis-nginx
      file: nginx_locations.yml
nginx_http_zones
Firewall zones to open HTTP access:
  nginx_http_zones:
    - public
    - internal
nginx_https_zones
Firewall zones to open HTTPS access:
  nginx_https_zones:
    - public
    - internal
Examples
Basic SSL server configuration
  nginx_servers:
    - name: default_ssl
      server_name: "example.com"
      ssl_key: /etc/ssl/private/example.com.key
      ssl_certificate: /etc/ssl/certs/example.com.crt
      ssl: True
      default_server: True
  nginx_locations:
    - name: root
      servers:
        - default_ssl
      location: "/"
      proxy: True
      destination: "http://localhost:3000/"
Multiple servers with different configurations
  nginx_servers:
    - name: default
      server_name: "example.com"
      ssl_rewrite_root: True
    - name: ssl_server
      server_name: "example.com"
      ssl_key: /etc/ssl/private/example.com.key
      ssl_certificate: /etc/ssl/certs/example.com.crt
      ssl: True
      default_server: True
  nginx_locations:
    - name: api
      servers:
        - ssl_server
      location: "/api"
      proxy: True
      destination: "http://localhost:8080/"
    - name: web
      servers:
        - default
        - ssl_server
      location: "/"
      root: /var/www/html
PHP configuration
  nginx_with_php: True
  nginx_features:
    - php
  nginx_locations:
    - name: php
      servers:
        - default
      index: "index.html index.htm index.php"
      location: "~ \\.php$"
      fastcgi: True
      fastcgi_pass: "unix:/var/run/php-fpm.sock"
      fastcgi_index: "index.php"
      fastcgi_document_root: "/var/www/html/"
      other:
        - "fastcgi_split_path_info ^(.+\\.php)(/.+)$"
Because this location matches on the URI suffix, pair it with the try_files key (for example "$fastcgi_script_name =404") so that a request whose path does not resolve to an existing script returns 404 instead of being passed to php-fpm. Without it, a path such as /uploads/image.jpg/x.php is forwarded to the backend and, with cgi.fix_pathinfo enabled, executed as PHP. The two backslashes in the YAML double-quoted strings above are YAML escaping; nginx receives a single backslash.
LDAP authentication configuration
  nginx_authdaemons:
    - ldap
  nginx_authd_ldap:
    bind: tcp
    bind_address: 192.168.29.10
  nginx_locations:
    - name: auth
      servers:
        - default
      location: "/secure"
      proxy: True
      destination: "http://localhost:8080/"
      other:
        - "auth_basic \"Restricted Area\""
        - "auth_basic_user_file /etc/nginx/htpasswd"
The two directives in other enable HTTP basic authentication against the static htpasswd file; they show how extra auth directives are attached to a location but do not by themselves route authentication to the LDAP daemon enabled above. Note also that this location sits on the plain-HTTP default server, so the basic-auth credentials would cross the network in cleartext unless the server has ssl_rewrite_root set and the location is attached to the SSL server instead.