Merge branch 'master' of https://git.cccv.de/infra/ansible/roles/nginx

README.md

@@ -26,6 +26,9 @@ vhosts: {}
 # name: *mapsconfig*, see below for definition
 maps: {}
 
+# name: *cacheconfig*, see below for definition
+caches: {}
+
 # force all traffic on ssl, except letsencrypt challenges
 force_ssl: True
 
@@ -117,6 +120,9 @@ alias: None
 
 # Array of custom config strings to add to the vhost config, the ";" is added after every entry
 custom: []
+
+# name of the cache to use, only set if not none
+cache: None
 ```
 
 **authconfig**
@@ -148,7 +154,16 @@ data: {}
 
 **phpconfig**:
 ```
+# If set, fpm forks exactly the number of worker processes specified (pm=static, pm.max_children=COUNT)
+fpm_process_count: 5
 ini:
 	post_max_size: 64M
 	upload_max_filesize: 64M
 ```
+
+**cacheconfig**:
+```
+keys_zone_size: "10m"
+cache_size: "1g"
+inactive_time: "10m"
+```

defaults/main.yml

@@ -12,6 +12,7 @@ nginx:
   vhosts: {}
   streams: {}
   maps: {}
+  caches: {}
   resolver:
     - 8.8.8.8
     - 8.8.4.4
@@ -57,6 +58,11 @@ nginx_streams_defaults:
   proxy_connect_timeout: "2s"
   proxy_next_upstream_tries: 2
 
+nginx_caches_defaults:
+  keys_zone_size: "10m"
+  cache_size: "1g"
+  inactive_time: "60m"
+
 nginx_forcessl_vhost:
   "https-redirect":
     listen:
@@ -78,3 +84,5 @@ phpinidefault:
   upload_max_filesize: 64M
   memory_limit: 128M
   date_timezone: UTC
+  session_gc_maxlifetime: 1440
+  syslog: true

tasks/main.yml

@@ -42,6 +42,15 @@
   notify:
   - restart nginx
 
+- name: create cache directories
+  with_dict: "{{ nginx.caches }}"
+  file:
+    path: "/var/cache/nginx/{{ item.key }}"
+    state: directory
+    mode: '0755'
+    owner: www-data
+    recurse: True
+
 - name: execute ssl template
   template:
     src: ssl_files.conf.j2
@@ -58,6 +67,7 @@
     - upstreams.conf
     - proxy.conf
     - maps.conf
+    - caches.conf
   template:
     src: "{{ item }}.j2"
     dest: "/etc/nginx/conf.d/{{ item }}"

tasks/php-fpm.yml

@@ -8,6 +8,7 @@
     - php-ldap
     - php-gd
     - php-imagick
+    - libmagickcore-6.q16-6-extra # SVG support for php-imagick
     - php-xml
     - php-mbstring
     - php-opcache

templates/caches.conf.j2

@@ -0,0 +1,6 @@
+{% for cache in nginx.caches %}
+{% set c = {}|combine(nginx_caches_defaults, nginx.caches[cache], recursive=True) %}
+# {{ cache }}
+proxy_cache_path /var/cache/nginx/{{ cache }} levels=1:2 keys_zone={{ cache }}:{{ c.keys_zone_size }} max_size={{ c.cache_size }} inactive={{ c.inactive_time }} use_temp_path=off;
+
+{% endfor %}

templates/php-fpm/php.ini.j2

@@ -571,7 +571,9 @@ html_errors = On
 ; Example:
 ;error_log = php_errors.log
 ; Log errors to syslog (Event Log on Windows).
-;error_log = syslog
+{% if phpini.syslog %}
+error_log = syslog
+{% endif %}
 
 ;windows.show_crt_warning
 ; Default value: 0
@@ -1422,7 +1424,7 @@ session.gc_divisor = 1000
 ; After this number of seconds, stored data will be seen as 'garbage' and
 ; cleaned up by the garbage collection process.
 ; http://php.net/session.gc-maxlifetime
-session.gc_maxlifetime = 1440
+session.gc_maxlifetime = {{ phpini.session_gc_maxlifetime }}
 
 ; NOTE: If you are using the subdirectory option for storing session files
 ;       (see session.save_path above), then garbage collection does *not*

templates/php-fpm/www.conf.j2

@@ -99,7 +99,11 @@ listen.group = www-data
 ;             pm.process_idle_timeout   - The number of seconds after which
 ;                                         an idle process will be killed.
 ; Note: This value is mandatory.
+{% if nginx.php.fpm_process_count|d(False) %}
+pm = static
+{% else %}
 pm = dynamic
+{% endif %}
 
 ; The number of child processes to be created when pm is set to 'static' and the
 ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
@@ -110,7 +114,7 @@ pm = dynamic
 ; forget to tweak pm.* to fit your needs.
 ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
 ; Note: This value is mandatory.
-pm.max_children = 50
+pm.max_children = {{ nginx.php.fpm_process_count|d(50) }}
 
 ; The number of child processes created on startup.
 ; Note: Used only when pm is set to 'dynamic'

templates/vhost.conf.j2

@@ -47,7 +47,19 @@ server {
 		{% if location.backend|d(False) %}
 		proxy_pass {{ location.backend }};
 
+		{% if location.cache|d(False) %}
+		proxy_cache                             {{ location.cache }};
+		proxy_cache_revalidate                  on;
+		proxy_cache_lock                        on;
+		proxy_cache_use_stale                   error timeout http_500 http_502 http_503 http_504;
+		proxy_cache_background_update           on;
+		# use actual host instead of proxy host for cache key
+		proxy_cache_key 						$scheme$host$uri$is_args$args;
+		# for debugging purposes, add the following header
+		#add_header X-Cache-Status $upstream_cache_status;
+		{% else %}
 		proxy_buffering off;
+		{% endif %}
 
 		# add proxy headers
 		proxy_set_header Host			{{ location.host|d(vhost.host) }};