added support for includes and auths, extended docu

2020-04-18 22:29:15 +02:00 · 2020-04-18 22:29:15 +02:00 · 1ec6fbb1fd
commit 1ec6fbb1fd
parent b1b10fad9b
8 changed files with 58 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -23,6 +23,9 @@ upstreams: {}
 # name: *vhostconfig*, see below for definition
 vhosts: {}

+# name: *mapsconfig*, see below for definition
+maps: {}
+
 # force all traffic on ssl, except letsencrypt challenges
 force_ssl: True

@ -76,6 +79,12 @@ custom: []
 # array of locations, see below
 locations: [*locationconfig*, .. ]

+# array of files to include at the server level
+includes: []
+
+# configure authentication, disabled by default. See *authconfig* below for definition
+auth: *authconfig*
+
 # array of headers to add on this vhost
 add_headers: []
 ```
@ -89,6 +98,22 @@ match: ''
 alias: None
 ```

+**authconfig**
+```
+# Boolean: enable authentication
+enabled: False
+
+# Path to a htpasswd file
+path :''
+
+# can be 'all' or 'any'
+satisfy: 'all
+```
+
+**mapsconfig**:
+```
+```
+
 **phpconfog**:
 ```
 ini:
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -5,11 +5,11 @@ nginx:
    "127.0.0.1": {}
    "::1": {}
  monitoring: true
-  serverpki: true
  php: false
  force_ssl: true
  upstreams: {}
  vhosts: {}
+  maps: {}
  resolver:
    - 8.8.8.8
    - 8.8.4.4
--- a/files/config/nginx.conf
+++ b/files/config/nginx.conf
@ -22,6 +22,7 @@ http {
 	reset_timedout_connection on;

 	server_names_hash_bucket_size 64;
+	map_hash_bucket_size 64;
 	# server_name_in_redirect off;

        include /etc/nginx/mime.types;
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,5 +1,4 @@
 ---
 dependencies:
  - { role: monitoring, when: nginx.monitoring }
-  - { role: x509certs }
  - certificates
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -44,6 +44,13 @@
  notify:
  - restart nginx

+- name: execute maps template
+  template:
+    src: maps.conf.j2
+    dest: /etc/nginx/conf.d/maps.conf
+  notify:
+  - restart nginx
+
 - name: create nginx vhosts
  template:
    src: vhost.conf.j2
--- a/templates/maps.conf.j2
+++ b/templates/maps.conf.j2
@ -0,0 +1,10 @@
+{% for map in nginx.maps %}
+{% set m = nginx.maps[map] %}
+# {{ map }}
+map ${{ m.source }} ${{ m.destination }} {
+{% for i in m.data %}
+	'{{ i }}' '{{ m.data[i] }}';
+{% endfor %}
+}
+
+{% endfor %}
--- a/templates/ssl_files.conf.j2
+++ b/templates/ssl_files.conf.j2
@ -1,8 +1,6 @@
-{% if nginx.serverpki %}
 # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
 ssl_certificate /etc/ssl/{{ inventory_hostname }}.crt;
 ssl_certificate_key /etc/ssl/private/{{ inventory_hostname }}.key;
-{% endif %}

 # verify chain of trust of OCSP response using Root CA and Intermediate certs
 ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
--- a/templates/vhost.conf.j2
+++ b/templates/vhost.conf.j2
@ -32,7 +32,7 @@ server {
 		proxy_pass {{ vhost.backend }};

 		# add proxy headers
-		proxy_set_header  Host $host;
+		proxy_set_header  Host			{% if 'host' in vhost %}"{{ vhost.host }}"{% else %}$host{% endif %};
 		proxy_set_header  X-Real-IP		$remote_addr;
 		proxy_set_header  X-Forwarded-For	$proxy_add_x_forwarded_for;
 		proxy_set_header  X-Forwarded-Proto	$scheme;
@ -61,6 +61,17 @@ server {
 	}
 	{% endfor %}

+	{% if vhost.auth.enable|default(False) %}
+	auth_basic           "restricted area";
+	auth_basic_user_file {{ vhost.auth.path }}; 
+	satisfy {{ vhost.auth.satisfy|d('all') }};
+	{% endif %}
+
+
+	{% for include in vhost.includes|default([]) %}
+	include {{ include }};
+	{% endfor %}
+
 	{% if vhost.letsencrypt|d(False) %}
 	ssl_certificate /etc/ssl/nginx_{{ vhost_name }}.chain.crt;
 	ssl_certificate_key /etc/ssl/private/nginx_{{ vhost_name }}.key;