Commit d89d315f by Max Rothman

Add new nginx_config "function"

parent 694e444a
### Required arguments ###
# Should match the calling role's service_name var
nginx_config_app_service_name: !!null
nginx_config_gunicorn_hosts: !!null
nginx_config_gunicorn_port: !!null
#List of hostnames used to access this site
nginx_config_allowed_hosts: !!null
### Optional arguments that can be overridden by calling role ###
nginx_config_port: 80
nginx_config_enable_ssl: false
nginx_config_ssl_port: 443
#Paths to key/certificate files
nginx_config_ssl_certificate: !!null
nginx_config_ssl_key: !!null
nginx_config_p3p_message: CP="Open edX does not have a P3P policy."
nginx_config_redirect_to_https: false
# Which nginx variable to use for checking the source protocol
# for redirecting http to https.
# If you're running nginx behind an ELB, use http_x_forwarded_proto
nginx_config_https_redirect_protocol_var: scheme
nginx_config_enable_basic_auth: false
# A list of dicts of the following format:
# { agent: "user-agent string", disallow: "path" }
# These get rendered into robots.txt in the following format:
# User-agent: <agent>
# Disallow: <path>
nginx_config_robot_rules: []
### Internal vars ###
nginx_config_sites_available_dir: "{{ COMMON_CFG_DIR }}/nginx/sites-available"
nginx_config_sites_enabled_dir: "/etc/nginx/sites-enabled"
\ No newline at end of file
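Review bot: The template later in this commit reads `nginx_config_set_x_forwarded_headers`, but this defaults file declares no such variable, so rendering fails with an undefined-variable error unless a caller or group var supplies it; declare it here with a comment on what each value does (which default is right depends on whether nginx sits behind a load balancer). The required arguments are all `!!null` and no task checks that they were set, so a missing `nginx_config_app_service_name` silently renders into the `dest` paths of the tasks file; a `fail` task guarding on the four required vars would surface that at the start of the role. The comments on `nginx_config_allowed_hosts` and the ssl paths lack the space after `#` that the others use; `# List of hostnames used to access this site` and `# Paths to key/certificate files` match the file's style.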
dependencies:
- common
\ No newline at end of file
#
# edX Configuration
#
# github: https://github.com/edx/configuration
# wiki: https://openedx.atlassian.net/wiki/display/OpenOPS
# code style: https://openedx.atlassian.net/wiki/display/OpenOPS/Ansible+Code+Conventions
# license: https://github.com/edx/configuration/blob/master/LICENSE.TXT
#
#
# Tasks for role nginx_config
#
# Overview:
#
# This role creates nginx configuration files from a shared template
# for the referencing role.
#
# Example play:
#
# Rather than being included in the play, this role
# is included as a dependency by other roles in the meta/main.yml
# file. The including role should add the following
# depency definition.
#
# dependencies:
# - role: nginx_config
#
# Every task in this role is tagged with the "install:vhosts" lifecycle tag,
# so if you run nginx on separate servers from your apps you can simply exclude
# that tag.
#
# NB: this role requires that the nginx role has ever run on the server
# on which it runs. If that is not the case, this role will immediately fail.
- name: Check for the sites-available directory
stat:
path: "{{ item }}"
with_items:
- "{{ nginx_config_sites_available_dir }}"
- "{{ nginx_config_sites_enabled_dir }}"
register: nginx_config_required_dirs
tags:
- install
- install:vhosts
- fail:
msg: >
{{ item }} does not exist.
The nginx role has not been run, or the value of
nginx_config_sites_available_dir or nginx_config_sites_enabled_dir
does not match that of nginx_sites_available_dir and nginx_sites_enabled_dir,
respectively.
when: not (item.stat.exists and item.stat.isdir)
with_items: nginx_config_required_dirs.results
tags:
- install
- install:vhosts
- name: Create robot rules
template:
src: "edx/var/app/robots.txt.j2"
dest: "{{ COMMON_DATA_DIR }}/{{ nginx_config_app_service_name }}/robots.txt"
owner: root
group: "{{ common_web_user }}"
mode: 0644
when: nginx_config_robot_rules | length > 0
tags:
- install
- install:vhosts
- name: Create nginx config for {{ nginx_config_app_service_name }}
template:
src: "edx/etc/nginx/sites-available/master.j2"
dest: "{{ nginx_config_sites_available_dir }}/{{ nginx_config_app_service_name }}"
owner: root
group: "{{ common_web_user }}"
mode: "0640"
tags:
- install
- install:vhosts
- name: Link nginx config for {{ nginx_app_service_name }}
file:
src: "{{ nginx_config_sites_available_dir }}/{{ nginx_config_app_service_name }}"
dest: "{{ nginx_config_sites_enabled_dir }}/{{ nginx_config_app_service_name }}"
state: link
owner: root
group: root
tags:
- install
- install:vhosts
# Check to see if the ssl cert/key exists before copying.
# This extra check is done to prevent failures when
# ansible-playbook is run locally
- local_action:
module: stat
path: "{{ nginx_config_ssl_certificate }}"
become: False
register: ssl_cert
tags:
- install
- install:vhosts
- local_action:
module: stat
path: "{{ nginx_config_ssl_key }}"
become: False
register: ssl_key
tags:
- install
- install:vhosts
- name: copy ssl cert
copy:
src: "{{ nginx_config_ssl_certificate }}"
dest: "/etc/ssl/certs/"
owner: root
group: root
mode: 0644
when: ssl_cert.stat.exists and nginx_config_enable_ssl and nginx_config_ssl_certificate != 'ssl-cert-snakeoil.pem'
tags:
- install
- install:vhosts
- name: copy ssl key
copy:
src: "{{ nginx_config_ssl_key }}"
dest: "/etc/ssl/private/"
owner: root
group: root
mode: 0640
when: ssl_key.stat.exists and nginx_config_enable_ssl and nginx_config_ssl_key != 'ssl-cert-snakeoil.key'
no_log: True
tags:
- install
- install:vhosts
- name: Reload nginx
service:
name: nginx
state: reloaded
tags:
- install
- install:vhosts
\ No newline at end of file
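Review bot: The `when` conditions on the copy ssl cert and copy ssl key tasks compare the whole `nginx_config_ssl_certificate`/`nginx_config_ssl_key` value against a bare filename (`'ssl-cert-snakeoil.pem'`, `'ssl-cert-snakeoil.key'`), while the stat tasks and the template's `| basename` filter treat those variables as paths, so the snakeoil guard only holds when the variables are set to bare names; compare `nginx_config_ssl_certificate | basename != 'ssl-cert-snakeoil.pem'` (and likewise for the key) instead. The link task's name references `nginx_app_service_name` where every other task uses `nginx_config_app_service_name`, which looks like a typo and leaves the unresolved name in the task title. The `mode` values are unquoted on the robots and cert/key tasks but quoted (`"0640"`) on the nginx config task; quoting all of them is the consistent form and avoids the YAML 1.1 octal-to-int parse. `with_items: nginx_config_required_dirs.results` uses a bare variable, which newer Ansible releases warn about; `with_items: "{{ nginx_config_required_dirs.results }}"` is the supported spelling.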
#
# {{ ansible_managed }}
#
upstream {{ nginx_config_app_service_name }} {
{% for host in nginx_config_gunicorn_hosts %}
server {{ host }}:{{ nginx_config_gunicorn_port }} fail_timeout=0;
{% endfor %}
}
{# Black hole server to deny all requests without a known "Host" header #}
server {
listen {{ nginx_config_port }} default_server;
return 444;
}
server {
server_name
{%- for allowed_host in nginx_config_allowed_hosts %}
{{ allowed_host }}
{%- endfor %}
;
listen {{ nginx_config_port }};
{%- if nginx_config_enable_ssl -%}
listen {{ nginx_config_ssl_port }} ssl;
ssl_certificate /etc/ssl/certs/{{ nginx_config_ssl_certificate | basename }};
ssl_certificate_key /etc/ssl/private/{{ nginx_config_ssl_key | basename }};
# request the browser to use SSL for all connections
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
{%- endif -%}
{#- Prevent invalid display courseware in IE 10+ with high privacy settings -#}
add_header P3P '{{ nginx_config_p3p_message }}';
{%- if nginx_config_redirect_to_https -%}
{#- This is an ansible variable that contains the name of an nginx variable.
For example, if NGINX_HTTPS_REDIRECT_PROTOCOL_HEADER = "scheme",
this renders to $scheme, thus the scheme nginx variable will be checked. #}
if (${{ nginx_config_https_redirect_protocol_var }} = "http") {
return 301 https://$server_name$request_uri;
}
{%- endif %}
location ~ ^/static/(?P<file>.*) {
root {{ COMMON_DATA_DIR }}/{{ nginx_config_app_service_name }};
try_files /staticfiles/$file =404;
}
location / {
{%- if nginx_config_enable_basic_auth | bool %}
{% include "basic-auth.j2" %}
{%- endif %}
try_files $uri @proxy_to_app;
}
{#- APIs should be secured with OAuth 2.0 or or JWT. #}
location /api {
try_files $uri @proxy_to_app;
}
{% if nginx_config_robot_rules | length > 0 -%}
location /robots.txt {
root {{ COMMON_DATA_DIR }}/{{ nginx_config_app_service_name }};
try_files $uri /robots.txt =404;
}
{%- endif %}
location @proxy_to_app {
{%- if nginx_config_set_x_forwarded_headers %}
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $remote_addr;
{%- else %}
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
{%- endif %}
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://{{ nginx_config_app_service_name }};
}
}
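Review bot: `nginx_config_set_x_forwarded_headers` in the `@proxy_to_app` location is not declared in the role defaults added by this commit, so the template will not render unless the variable is set elsewhere; declare it in defaults or guard the branch with `is defined`. The `else` branch passes `$http_x_forwarded_proto`, `$http_x_forwarded_port` and `$http_x_forwarded_for` to the app verbatim, and the https redirect can key on `$http_x_forwarded_proto`, so both rely on a load balancer in front of nginx overwriting those request headers; when nginx is exposed directly those values are whatever the client sent, which is worth stating in a template comment such as `{# X-Forwarded-* headers are trusted from the load balancer in front of nginx; set nginx_config_set_x_forwarded_headers when nginx is the edge #}`. The `Strict-Transport-Security` header with `includeSubDomains` is emitted whenever `nginx_config_enable_ssl` is true and applies to every subdomain of each name in `nginx_config_allowed_hosts`, which deserves a note next to that flag in the defaults.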
{%- for item in nginx_config_robot_rules %}
User-agent: {{ item.agent }}
Disallow: {{ item.disallow }}
{% endfor -%}