added support for includes and auths, extended docu

2020-04-18 22:29:15 +02:00 · 2020-04-18 22:29:15 +02:00 · 1ec6fbb1fd
commit 1ec6fbb1fd
parent b1b10fad9b
8 changed files with 58 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -23,6 +23,9 @@ upstreams: {}
 # name: *vhostconfig*, see below for definition
 vhosts: {}
 # name: *mapsconfig*, see below for definition
 maps: {}
 # force all traffic on ssl, except letsencrypt challenges
 force_ssl: True
@ -76,6 +79,12 @@ custom: []
 # array of locations, see below
 locations: [*locationconfig*, .. ]
 # array of files to include at the server level
 includes: []
 # configure authentication, disabled by default. See *authconfig* below for definition
 auth: *authconfig*
 # array of headers to add on this vhost
 add_headers: []
 ```
@ -89,6 +98,22 @@ match: ''
 alias: None
 ```
 **authconfig**
 ```
 # Boolean: enable authentication
 enabled: False
 # Path to a htpasswd file
 path :''
 # can be 'all' or 'any'
 satisfy: 'all
 ```
 **mapsconfig**:
 ```
 ```
 **phpconfog**:
 ```
 ini:
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -5,11 +5,11 @@ nginx:
    "127.0.0.1": {}
    "::1": {}
  monitoring: true
  serverpki: true
  php: false
  force_ssl: true
  upstreams: {}
  vhosts: {}
  maps: {}
  resolver:
    - 8.8.8.8
    - 8.8.4.4
--- a/files/config/nginx.conf
+++ b/files/config/nginx.conf
@ -22,6 +22,7 @@ http {
 	reset_timedout_connection on;
 	server_names_hash_bucket_size 64;
 	map_hash_bucket_size 64;
 	# server_name_in_redirect off;
        include /etc/nginx/mime.types;
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,5 +1,4 @@
 ---
 dependencies:
  - { role: monitoring, when: nginx.monitoring }
  - { role: x509certs }
  - certificates
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -44,6 +44,13 @@
  notify:
  - restart nginx
 - name: execute maps template
  template:
    src: maps.conf.j2
    dest: /etc/nginx/conf.d/maps.conf
  notify:
  - restart nginx
 - name: create nginx vhosts
  template:
    src: vhost.conf.j2
--- a/templates/maps.conf.j2
+++ b/templates/maps.conf.j2
@ -0,0 +1,10 @@
 {% for map in nginx.maps %}
 {% set m = nginx.maps[map] %}
 # {{ map }}
 map ${{ m.source }} ${{ m.destination }} {
 {% for i in m.data %}
 	'{{ i }}' '{{ m.data[i] }}';
 {% endfor %}
 }
 {% endfor %}
--- a/templates/ssl_files.conf.j2
+++ b/templates/ssl_files.conf.j2
@ -1,8 +1,6 @@
 {% if nginx.serverpki %}
 # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
 ssl_certificate /etc/ssl/{{ inventory_hostname }}.crt;
 ssl_certificate_key /etc/ssl/private/{{ inventory_hostname }}.key;
 {% endif %}
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
 ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
--- a/templates/vhost.conf.j2
+++ b/templates/vhost.conf.j2
@ -32,7 +32,7 @@ server {
 		proxy_pass {{ vhost.backend }};
 		# add proxy headers
-		proxy_set_header  Host $host;
+		proxy_set_header  Host			{% if 'host' in vhost %}"{{ vhost.host }}"{% else %}$host{% endif %};
 		proxy_set_header  X-Real-IP		$remote_addr;
 		proxy_set_header  X-Forwarded-For	$proxy_add_x_forwarded_for;
 		proxy_set_header  X-Forwarded-Proto	$scheme;
@ -61,8 +61,19 @@ server {
 	}
 	{% endfor %}
 	{% if vhost.auth.enable|default(False) %}
 	auth_basic           "restricted area";
 	auth_basic_user_file {{ vhost.auth.path }}; 
 	satisfy {{ vhost.auth.satisfy|d('all') }};
 	{% endif %}
 	{% for include in vhost.includes|default([]) %}
 	include {{ include }};
 	{% endfor %}
 	{% if vhost.letsencrypt|d(False) %}
-		ssl_certificate /etc/ssl/nginx_{{ vhost_name }}.chain.crt;
+	ssl_certificate /etc/ssl/nginx_{{ vhost_name }}.chain.crt;
-		ssl_certificate_key /etc/ssl/private/nginx_{{ vhost_name }}.key;
+	ssl_certificate_key /etc/ssl/private/nginx_{{ vhost_name }}.key;
 	{% endif %}
 }