From 98081e863591d4f43447184fa69acc9f43d9ba63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robin=20Ob=C5=AFrka?= Date: Tue, 18 Oct 2016 14:58:26 +0200 Subject: nginx: Provide new mechanism for default page manipulation Important changes: - The well-known path is moved to the separate snippet acme.conf - It is possible to disable default page - The autodetection mechanism for default page is provided --- roles/nginx/defaults/main.yml | 3 +++ roles/nginx/files/default | 2 ++ roles/nginx/tasks/main.yml | 16 +++++++++++++--- roles/nginx/templates/snippets/acme.conf.j2 | 4 ++++ roles/nginx/templates/snippets/common.conf.j2 | 4 ---- 5 files changed, 22 insertions(+), 7 deletions(-) create mode 100644 roles/nginx/templates/snippets/acme.conf.j2 diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index dde38dc..d59cd9b 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -2,3 +2,6 @@ nginx_well_known_path: "/home/acme/webroot/" ## First of all - make sure that HTTPS works well; then is possible to enable HSTS nginx_enable_hsts: no +## Control default config uploading +nginx_deploy_default_config: True +nginx_enable_autodetection: True diff --git a/roles/nginx/files/default b/roles/nginx/files/default index 2b909ce..cfec4b2 100644 --- a/roles/nginx/files/default +++ b/roles/nginx/files/default @@ -2,6 +2,7 @@ server { listen 80 default_server; listen [::]:80 default_server; + include snippets/acme.conf; include snippets/common.conf; root /var/www/html; @@ -12,5 +13,6 @@ server { location / { try_files $uri $uri/ =404; + return 301 https://$host$request_uri; } } diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 2ac852e..4d4b085 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -51,6 +51,7 @@ group: root mode: 0644 with_items: + - acme.conf - common.conf - ssl-common.conf - ssl-medium-common.conf 
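Review bot: In the second hunk of roles/nginx/files/default (`@@ -12,5 +13,6 @@`), the added `return 301 https://$host$request_uri;` sits after `try_files $uri $uri/ =404;` in the same `location /`, and because `return` is handled in the rewrite phase the `try_files` line no longer has any effect; I would drop it so the block says what it does. This is the `default_server`, so `$host` is whatever Host value the client sent and the redirect target is request-controlled. That matters mainly when a cache or proxy sits in front, and it deserves a comment such as `## catch-all: redirect target follows the client's Host header`. The server block shown listens only on port 80, so the redirect presumably relies on some other vhost answering on 443 for every name that lands here, which is worth confirming. The `^~` location from `snippets/acme.conf` still takes precedence over `location /`, so challenges keep being served over plain HTTP.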
@@ -70,18 +71,27 @@ - restart nginx when: stat_default.stat.exists and stat_default.stat.islnk == True -- name: Deploy temporary default page (with our snippets etc) +- name: Detect acme configuration on some vhost + shell: ls | grep -v default | while read LINE; do cat "$LINE" ; done | grep -q 'include snippets/acme.conf' + args: + chdir: /etc/nginx/sites-enabled + register: autodetect + changed_when: False + failed_when: False + when: nginx_deploy_default_config == True and nginx_enable_autodetection == True + +- name: Deploy default page (with our snippets etc) copy: src: default ## Do not deploy it as symlik - ## This method keeps default config available, provides necessary definitions (.well-known) - ## and the particular server ussually deletes /etc/nginx/sites-enabled/default dest: /etc/nginx/sites-enabled/default owner: root group: root mode: 0644 notify: - restart nginx + when: (nginx_deploy_default_config == True and nginx_enable_autodetection == True and autodetect.rc != 0) or + (nginx_deploy_default_config == True and nginx_enable_autodetection == False) - meta: flush_handlers diff --git a/roles/nginx/templates/snippets/acme.conf.j2 b/roles/nginx/templates/snippets/acme.conf.j2 new file mode 100644 index 0000000..4980312 --- /dev/null +++ b/roles/nginx/templates/snippets/acme.conf.j2 @@ -0,0 +1,4 @@ +location ^~ /.well-known/ { + root {{ nginx_well_known_path }}; + allow all; +} diff --git a/roles/nginx/templates/snippets/common.conf.j2 b/roles/nginx/templates/snippets/common.conf.j2 index 727da03..0a8e29e 100644 --- a/roles/nginx/templates/snippets/common.conf.j2 +++ b/roles/nginx/templates/snippets/common.conf.j2 @@ -3,8 +3,4 @@ location ~ /\.ht { deny all; } -location ^~ /.well-known/ { - root {{ nginx_well_known_path }}; -} - charset utf-8; -- cgit v1.2.3
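Review bot: The `when:` conditions added in the `@@ -70,18 +71,27 @@` hunk of roles/nginx/tasks/main.yml compare with `== True`, so a value that arrives as a string (for example via `-e nginx_deploy_default_config=true`) compares unequal and silently skips both tasks. Using `nginx_deploy_default_config | bool and nginx_enable_autodetection | bool` on the detection task avoids that, and the deploy condition then reduces to `nginx_deploy_default_config | bool and (not (nginx_enable_autodetection | bool) or autodetect.rc != 0)`. The detection pipeline also matches commented-out lines such as `# include snippets/acme.conf`, and `grep -v default` drops every file whose name merely contains "default"; either case changes whether the catch-all page carrying the ACME location is deployed. Anchoring the pattern, e.g. `grep -Eq '^[[:space:]]*include[[:space:]]+snippets/acme\.conf'`, removes the first problem. With `failed_when: False`, a missing `sites-enabled` directory or an unreadable file looks the same as "not found" and falls back to deploying the default page, which is a reasonable direction to fail in but should be stated in a comment on the task.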
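Review bot: The new roles/nginx/templates/snippets/acme.conf.j2 serves the whole `/.well-known/` prefix from `nginx_well_known_path` and adds `allow all;`, which replaces any `allow`/`deny` rules inherited from the including server block for everything under that prefix, not only ACME challenges. Since the snippet is ACME-specific, narrowing it to `location ^~ /.well-known/acme-challenge/ {` keeps the access exemption as small as validation needs. Separately, the last hunk removes this location from `common.conf.j2`, so a vhost that includes only `snippets/common.conf` stops answering challenges for its own names until `include snippets/acme.conf;` is added to it. A comment at the top of the snippet, e.g. `## Include in every port-80 server block that needs certificate issuance/renewal`, would make that migration step explicit.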