debops.nginx default variables

Basic Settings
- nginx__deploy_state

  What is the desired state which this role should achieve? Possible options:

  present
    Default. Ensure that Nginx is installed and configured as requested.

  config
    Highly optional. In this state you are responsible for manually installing nginx packages which are compatible with this role. The role maintains configuration only. This state is designed for very specific deployments which require out-of-tree nginx binaries.

  absent
    Ensure that Nginx is uninstalled and its configuration is removed.

  Warning: The role is currently not able to dismantle from the present state. This needs to be implemented. Currently this state can only be achieved when present has never been set before on a host.

  nginx__deploy_state: 'present'
- nginx_base_packages

  List of Debian packages installed by this role.

  nginx_base_packages: []

- nginx_flavor

  What type of nginx server to install (see nginx_flavor_package_map).

  nginx_flavor: 'full'

- nginx__flavor_distribution_release

  Specify the OS distribution release to use in flavored repositories.

  nginx__flavor_distribution_release: '{{ ansible_local.core.distribution_release
                                          |d(ansible_distribution_release) }}'

- nginx__flavor_apt_key_id

  The APT GPG key id of the currently selected flavor.

  nginx__flavor_apt_key_id: '{{ nginx__flavor_apt_key_id_map[nginx_flavor]|d() }}'

- nginx__flavor_apt_repository

  The APT repository of the currently selected flavor.

  nginx__flavor_apt_repository: '{{ nginx__flavor_apt_repository_map[nginx_flavor]|d() }}'

- nginx__flavor_apt_key_id_map

  Dictionary which maps the APT GPG key ids to their respective flavors.

  nginx__flavor_apt_key_id_map:
    'nginx.org': '573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62'
    'passenger': '16378A33A6EF16762922526E561F9B9CAC40B2F7'

- nginx__flavor_apt_repository_map

  Dictionary which maps the APT repositories to their respective flavors.

  nginx__flavor_apt_repository_map:
    'nginx.org': 'deb https://nginx.org/packages/{{ ansible_distribution | lower }}/ {{ nginx__flavor_distribution_release }} nginx'
    'passenger': 'deb https://oss-binaries.phusionpassenger.com/apt/passenger {{ nginx__flavor_distribution_release }} main'

- nginx__flavor_packages

  The list of APT packages installed depending on the currently selected flavor.

  nginx__flavor_packages: '{{ nginx_flavor_package_map[nginx_flavor] }}'
- nginx_flavor_package_map

  There are many versions of the nginx server to choose from, but only one can be installed at a time. This is a list of APT packages which will be installed for a specific flavor.

  nginx_flavor_package_map:
    # Default version from Debian
    'full': [ 'nginx-full' ]
    # Light version from Debian
    'light': [ 'nginx-light' ]
    # Extras version from Debian
    'extras': [ 'nginx-extras' ]
    # nginx with support for Phusion Passenger compiled in. Requires external APT
    # repository. See https://phusionpassenger.com/ for more details.
    'passenger':
      - 'nginx-extras'
      - 'ruby'
      - '{{ "passenger"
            if (nginx__flavor_distribution_release in
                [ "wheezy", "jessie", "precise", "trusty", "xenial" ])
            else "libnginx-mod-http-passenger" }}'
    # Upstream version from https://nginx.org/ packaged for Debian
    'nginx.org': [ 'nginx' ]

- nginx_user

  System user used by nginx.

  nginx_user: 'www-data'

- nginx_www

  Base path for website directories. It is exposed via Ansible local facts as 'ansible_local.nginx.www'.

  nginx_www: '/srv/www'

- nginx_public_dir_name

  Public folder for each website. It can be overridden per server.

  nginx_public_dir_name: 'public'

- nginx_etc_path

  Directory where nginx configuration is stored.

  nginx_etc_path: '/etc/nginx'

- nginx_private_path

  Directory where private files used by nginx are stored (for example htpasswd files).

  nginx_private_path: '{{ nginx_etc_path + "/private" }}'

- nginx_run_path

  Directory where runtime nginx files are stored.

  nginx_run_path: '/run'

- nginx_log_path

  Directory where nginx log files are stored, or, if nginx_log_to_syslog is true, the socket nginx sends logs to. A socket can be unix:/path/to/socket or ipaddress:port.

  nginx_log_path: '{{ "unix:/dev/log" if nginx_log_to_syslog else "/var/log/nginx" }}'

- nginx_log_to_syslog

  If this variable is true, nginx logs to the socket stored in nginx_log_path.

  nginx_log_to_syslog: False

- nginx_syslog_config

  Examples from the nginx documentation are: nohostname, and facility=local7,tag=nginx,severity=info.

  nginx_syslog_config: 'nohostname'
Phusion Passenger support

- nginx_passenger_root

  Specify the Phusion Passenger root path manually (by default this variable is detected automatically at Ansible run time).

  nginx_passenger_root: ''

- nginx_passenger_ruby

  Specify the path to the Ruby executable for Phusion Passenger manually (by default this variable is detected automatically at Ansible run time).

  nginx_passenger_ruby: ''

- nginx_passenger_max_pool_size

  Maximum number of Passenger processes.

  nginx_passenger_max_pool_size: '{{ (ansible_processor_cores | int * 5) }}'

- nginx_passenger_options

  Additional Phusion Passenger global options.

  nginx_passenger_options: False

- nginx_passenger_default_min_instances

  Minimum Passenger instances per nginx server.

  nginx_passenger_default_min_instances: '{{ ansible_processor_cores }}'
Global server access and authentication

- nginx_http_allow

  List of IP addresses or CIDR networks which can access this server. If the list is empty, access is allowed from anywhere.

  nginx_http_allow: []

- nginx_http_auth_basic

  Enable or disable HTTP Basic Auth for all nginx servers on this host. By default it depends on the contents of the 'nginx_http_auth_users' variable: if the list is not empty, HTTP Basic Auth is automatically enabled.

  nginx_http_auth_basic: '{{ nginx_http_auth_users }}'

- nginx_http_auth_basic_name

  Name of the htpasswd file in '/etc/nginx/private/' with the list of global HTTP Basic Auth accounts.

  nginx_http_auth_basic_name: 'nginx_http'

- nginx_http_auth_users

  List of HTTP Basic Auth accounts which need to log in before accessing this server. Passwords are generated automatically and stored in the 'secret/' directory (see the debops.secret role). If this list is empty, access is not restricted.

  nginx_http_auth_users: []

- nginx__http_auth_htpasswd

  Default htpasswd file used for global HTTP Basic Auth accounts.

  nginx__http_auth_htpasswd:
    name: '{{ nginx_http_auth_basic_name }}'
    users: '{{ nginx_http_auth_users }}'

- nginx_http_server_names_hash_bucket_size

  The default value of 'server_names_hash_bucket_size' depends on the size of the processor's cache line. If a large number of server names are defined, or unusually long server names are defined, tuning the 'server_names_hash_max_size' and 'server_names_hash_bucket_size' directives at the http level may become necessary. More information can be found in the nginx documentation.

  nginx_http_server_names_hash_bucket_size: 64

- nginx_http_server_names_hash_max_size

  Sets the maximum size of the server names hash tables. More information can be found in the nginx documentation.

  nginx_http_server_names_hash_max_size: 512
- nginx_http_options

  Default http { } options.

  nginx_http_options: |
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    gzip on;
    gzip_disable "msie6";
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_types
      application/atom+xml
      application/javascript
      application/json
      application/ld+json
      application/manifest+json
      application/rss+xml
      application/vnd.geo+json
      application/vnd.ms-fontobject
      application/x-font-ttf
      application/x-web-app-manifest+json
      application/xhtml+xml
      application/xml
      font/opentype
      image/bmp
      image/svg+xml
      image/x-icon
      text/cache-manifest
      text/css
      text/plain
      text/vnd.rim.location.xloc
      text/vtt
      text/x-component
      text/x-cross-domain-policy;

- nginx_http_extra_options

  A string or YAML text block with additional nginx options placed in /etc/nginx/nginx.conf inside of the "http" block.

  nginx_http_extra_options: ''

- nginx_extra_options

  A string or YAML text block with additional nginx options placed in /etc/nginx/nginx.conf outside of the "http" block.

  nginx_extra_options: ''
- nginx_manage_ipv6only

  If this variable is enabled, the debops.nginx role will automatically add ipv6only=false to the default nginx server configuration. You can disable it and manage the IPv4 and IPv6 listen directives yourself. The nginx daemon needs to be restarted when this variable changes. More information can be found at:

  - https://github.com/debops/ansible-nginx/issues/86
  - http://stefanchrist.eu/blog/2015_01_21/Using%20ipv6only%20in%20Nginx.xhtml

  nginx_manage_ipv6only: True

- nginx_listen_port

  Default listen port for HTTP connections.

  nginx_listen_port: [ '[::]:80' ]

- nginx_listen_ssl_port

  Default listen port for HTTPS connections.

  nginx_listen_ssl_port: [ '[::]:443' ]

- nginx_listen_socket

  Default listen socket for HTTP connections.

  nginx_listen_socket: []

- nginx_listen_ssl_socket

  Default listen socket for HTTPS connections.

  nginx_listen_ssl_socket: []

- nginx_real_ip_from

  List of IP addresses or CIDR subnets that the server should trust about the real IP addresses of clients. If this list is specified, nginx will read the client IP address from the specified header. This is useful when the nginx server is used behind another proxy server (local or remote).

  nginx_real_ip_from: []

- nginx_real_ip_header

  Specify the header used to look up client IP addresses given by another server.

  nginx_real_ip_header: 'X-Forwarded-For'

- nginx_real_ip_recursive

  If this variable is enabled, nginx will ignore client IP addresses that match the ones from the list of trusted upstream servers. This is useful when the upstream server is also a proxy.

  nginx_real_ip_recursive: False
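The three variables above correspond to nginx's realip module (set_real_ip_from, real_ip_header, real_ip_recursive). The following is an added example, not code from the debops.nginx role: it models the documented nginx lookup of the client address from the header, using a constructed trusted-proxy list and constructed requests, so that the difference between the recursive and non-recursive modes is visible, as is the fact that a header sent by an untrusted peer is ignored. The directive rendering at the end is an assumed layout, not the role's template.

```python
import ipaddress
from typing import List, Optional

# Constructed trusted-proxy list, in the shape of nginx_real_ip_from.
TRUSTED_PROXIES = ["10.0.0.0/8", "127.0.0.1"]


def is_trusted(addr: str, trusted: List[str]) -> bool:
    """True if addr falls inside any of the trusted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in trusted)


def resolve_client_ip(peer_addr: str, forwarded_for: Optional[str],
                      trusted: List[str], recursive: bool) -> str:
    """Model of nginx's realip lookup (documented nginx behaviour, not the role's code).

    The header is only honoured when the TCP peer itself is trusted. Entries are
    read from right to left: non-recursive mode stops at the last one; recursive
    mode keeps skipping trusted addresses and returns the last untrusted one.
    """
    if not forwarded_for or not is_trusted(peer_addr, trusted):
        return peer_addr  # untrusted peer: whatever it put in the header is ignored
    chosen = None
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the best address found so far
        chosen = hop
        if not recursive or not is_trusted(hop, trusted):
            break
    return chosen if chosen is not None else peer_addr


def real_ip_directives(trusted: List[str], header: str = "X-Forwarded-For",
                       recursive: bool = False) -> List[str]:
    """nginx directives corresponding to the three role variables (assumed layout)."""
    lines = [f"set_real_ip_from {net};" for net in trusted]
    lines.append(f"real_ip_header {header};")
    lines.append(f"real_ip_recursive {'on' if recursive else 'off'};")
    return lines


if __name__ == "__main__":
    print("\n".join(real_ip_directives(TRUSTED_PROXIES, recursive=True)))
    # Two trusted proxies in front of nginx: only recursive mode reaches the client.
    print(resolve_client_ip("10.0.0.1", "203.0.113.5, 10.0.0.2", TRUSTED_PROXIES, False))
    print(resolve_client_ip("10.0.0.1", "203.0.113.5, 10.0.0.2", TRUSTED_PROXIES, True))
```

With two trusted proxies chained, the non-recursive mode logs the inner proxy's address, which is why nginx_real_ip_recursive exists; in both modes a client that adds its own X-Forwarded-For entry only manages to prepend to the list, and the rightmost untrusted entry (appended by the trusted proxy) still wins.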
- nginx_default_keepalive_timeout

  Default keepalive timeout, in seconds.

  nginx_default_keepalive_timeout: 60

- nginx_multi_accept

  If enabled, a worker process will accept all new connections at once, instead of one new connection at a time.

  nginx_multi_accept: 'off'
- nginx_pki

  Enable or disable support for PKI/SSL/TLS in nginx. Defaults to True if debops.pki is enabled on the remote host.

  nginx_pki: '{{ ansible_local|d() and ansible_local.pki|d() and
                 (ansible_local.pki.enabled|d() | bool) }}'

- nginx_pki_path

  Directory path where PKI realms live.

  nginx_pki_path: '{{ ansible_local.pki.path|d("/etc/pki/realms") }}'

- nginx_pki_realm

  Default PKI realm to use.

  nginx_pki_realm: '{{ ansible_local.pki.realm|d("domain") }}'

- nginx_pki_ca_realm

  PKI realm to use for the client CA.

  nginx_pki_ca_realm: '{{ ansible_local.pki.ca_realm|d("domain") }}'

- nginx_pki_crt

  Path to the default certificate, key and DH parameters file used by all nginx servers if not specified otherwise in the server configuration. Relative to the 'nginx_pki_realm' variable.

  nginx_pki_crt: 'default.crt'

- nginx_pki_key

  The name of the file which contains the private key of the X.509 certificate, relative to the 'nginx_pki_realm' variable.

  nginx_pki_key: 'default.key'

- nginx_pki_ca

  The name of the file which contains the Root Certificate used to authenticate other servers, relative to the 'nginx_pki_realm' variable.

  nginx_pki_ca: 'CA.crt'

- nginx_pki_trusted

  The name of the file which contains the Root Certificate used to authenticate client certificates, relative to the 'nginx_pki_realm' variable.

  nginx_pki_trusted: 'trusted.crt'

- nginx_pki_hook_name

  Name of the hook script which will be stored in the hook directory.

  nginx_pki_hook_name: 'nginx'

- nginx_pki_hook_path

  Directory with PKI hooks.

  nginx_pki_hook_path: '{{ ansible_local.pki.hooks|d("/etc/pki/hooks") }}'

- nginx_pki_hook_action

  Specify how changes in PKI should affect nginx, either 'reload' or 'restart'.

  nginx_pki_hook_action: 'reload'
- nginx_ssl_dhparam

  Path to the file with Diffie-Hellman parameters to be used by the webserver.

  nginx_ssl_dhparam: '{{ (""
                         if nginx_default_tls_protocols|length == 1 and
                            nginx_default_tls_protocols[0] == "TLSv1.3"
                         else
                         (ansible_local.dhparam[nginx_ssl_dhparam_set]
                          if (ansible_local|d() and ansible_local.dhparam|d() and
                              ansible_local.dhparam[nginx_ssl_dhparam_set]|d())
                          else "")) }}'

- nginx_ssl_dhparam_set

  Name of the dhparam set to use.

  nginx_ssl_dhparam_set: 'default'

- nginx_default_ssl_ciphers

  Default set of cipher suites to use. Refer to nginx_ssl_ciphers for details.

  nginx_default_ssl_ciphers: '{{ "mozilla_modern"
                                 if nginx_default_tls_protocols|length == 1 and
                                    nginx_default_tls_protocols[0] == "TLSv1.3"
                                 else "mozilla_intermediate" }}'

- nginx_default_tls_protocols

  Default set of TLS protocols to use. TLSv1.3 is only supported on nginx version 1.13.0 and up. See also: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols

  nginx_default_tls_protocols: '{{ [ "TLSv1.2", "TLSv1.3" ]
                                   if ansible_local.nginx.version|d("0.0.0") is version("1.13.0", ">=")
                                   else [ "TLSv1.2" ] }}'
- nginx_default_ssl_curve

  Default SSL ECDH curve used on servers. To see a list of supported curves, run: openssl ecparam -list_curves. See also: https://security.stackexchange.com/questions/31772/ Set to False to disable ECC.

  nginx_default_ssl_curve: 'secp384r1'

- nginx_default_ssl_verify_client

  Default ssl_verify_client setting.

  nginx_default_ssl_verify_client: False

- nginx_default_ssl_client_certificate

  Default SSL client certificate.

  nginx_default_ssl_client_certificate: ''

- nginx_default_ssl_crl

  Default certificate revocation list (CRL) for client certificates.

  nginx_default_ssl_crl: ''

- nginx_ocsp

  Enable or disable OCSP Stapling.

  nginx_ocsp: True

- nginx_ocsp_verify

  Verify OCSP responses from the server, which requires the chained intermediate and Root CA certificates.

  nginx_ocsp_verify: '{{ nginx_ocsp | bool }}'

- nginx_ocsp_resolvers

  List of DNS servers used to resolve OCSP stapling and other DNS queries (e.g. for proxy_pass). If it's empty, the nginx role will try to use the nameservers from /etc/resolv.conf. Currently only the first nameserver is used.

  nginx_ocsp_resolvers: []

- nginx_hsts_age

  HTTP Strict-Transport-Security (https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security): maximum age in seconds for which clients should remember to only make secure connections. Defaults to two Earth years.

  nginx_hsts_age: '{{ 2 * 365 * 24 * 60 * 60 }}'
- nginx_hsts_subdomains

  Should HSTS also include subdomains? Note that all subdomains have to support HTTPS if you use this!

  nginx_hsts_subdomains: True

- nginx_hsts_preload

  Should the preload parameter be added to the HSTS header? Refer to the HSTS Preload List Submission page to make use of this feature. It is disabled by default because setting this to True alone does nothing; it is just one requirement to get included in the preloading list. Please feel encouraged to get to know HSTS preloading and enable it when you are ready!

  nginx_hsts_preload: False

- nginx_enable_http2

  Enable HTTP/2 (formerly HTTP QUICK) on nginx. HTTP/2 enables a server to pre-emptively push resources to a remote client, anticipating that the client may soon request those resources, hence reducing the number of RTTs (Round Trip Times). Available with nginx version >= 1.9.5.

  nginx_enable_http2: True

- nginx__http_csp_append

  CSP directives to append to all policies. This can be used to set the report-uri globally. The string MUST end with a semicolon but MUST NOT begin with one. Refer to the HTTP security headers documentation for details.

  nginx__http_csp_append: ''
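The HSTS variables (nginx_hsts_age, nginx_hsts_subdomains, nginx_hsts_preload) and nginx__http_csp_append above both end up as response header values. The following is an added example, not the role's template: it assembles the Strict-Transport-Security value from the three variables, lists which preload-list submission requirements the resulting header would still miss (the page's point that nginx_hsts_preload alone does nothing), and enforces the semicolon rule for the CSP suffix before concatenating it to a server's policy. The "; " separator layout, the merge by concatenation, and the name welcome_csp are assumptions made here; the one-year minimum is the published hstspreload.org requirement.

```python
from typing import Dict, List

# Role defaults documented on this page
NGINX_HSTS_AGE = 2 * 365 * 24 * 60 * 60  # 63072000 seconds
NGINX_HSTS_SUBDOMAINS = True
NGINX_HSTS_PRELOAD = False
PRELOAD_MIN_AGE = 31536000  # one year, the minimum max-age hstspreload.org accepts


def hsts_header(age: int = NGINX_HSTS_AGE, subdomains: bool = NGINX_HSTS_SUBDOMAINS,
                preload: bool = NGINX_HSTS_PRELOAD) -> str:
    """Strict-Transport-Security value built from the three role variables (assumed layout)."""
    parts = [f"max-age={int(age)}"]
    if subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def preload_gaps(age: int, subdomains: bool, preload: bool) -> List[str]:
    """Which hstspreload.org submission requirements the header would still miss.

    The preload token alone is not enough: the header must also carry a max-age of
    at least one year and includeSubDomains, and the site must then be submitted.
    """
    gaps = []
    if int(age) < PRELOAD_MIN_AGE:
        gaps.append(f"max-age must be at least {PRELOAD_MIN_AGE}")
    if not subdomains:
        gaps.append("includeSubDomains is required")
    if not preload:
        gaps.append("preload directive is required")
    return gaps


def parse_csp(policy: str) -> Dict[str, str]:
    """Split a policy string into {directive: value}; empty directives are dropped."""
    directives = {}
    for chunk in policy.split(";"):
        chunk = chunk.strip()
        if chunk:
            name, _, value = chunk.partition(" ")
            directives[name.lower()] = value.strip()
    return directives


def apply_csp_append(server_csp: str, csp_append: str) -> str:
    """Concatenate a server's csp with nginx__http_csp_append (assumed merge rule),
    enforcing the page's format rule: the suffix ends with ';' and never starts with one."""
    if not csp_append:
        return server_csp
    if csp_append.lstrip().startswith(";") or not csp_append.rstrip().endswith(";"):
        raise ValueError("nginx__http_csp_append must end with ';' and must not begin with one")
    base = server_csp.strip()
    if base and not base.endswith(";"):
        base += ";"  # assumption added here: keep the suffix from merging into the last directive
    return f"{base} {csp_append.strip()}".strip()


if __name__ == "__main__":
    # The welcome server's policy from this page, with a constructed report-uri appended.
    welcome_csp = "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self';"
    print(hsts_header())
    print(preload_gaps(NGINX_HSTS_AGE, NGINX_HSTS_SUBDOMAINS, True))
    print(parse_csp(apply_csp_append(welcome_csp, "report-uri /csp-report;")))
```

Running preload_gaps against the role defaults reports only the missing preload directive, which shows why the default values already satisfy the other two conditions and why flipping nginx_hsts_preload is the deliberate last step rather than a harmless toggle.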
- nginx_default_name

  Specify the HTTP server name which will be marked as default_server.

  nginx_default_name: ''

- nginx_default_ssl_name

  Specify the HTTPS server name which will be marked as default_server.

  nginx_default_ssl_name: ''

- nginx_default_type

  Default server template used if no type is selected.

  nginx_default_type: 'default'

- nginx_webroot_create

  Create global webroot directories? Path: /srv/www/sites/*/public.

  nginx_webroot_create: True

- nginx_webroot_owner

  The name of the UNIX account which will be the default owner of the webroot directories created by the role, if not specified otherwise.

  nginx_webroot_owner: 'root'

- nginx_webroot_group

  The name of the UNIX group which will be the default group of the webroot directories created by the role, if not specified otherwise.

  nginx_webroot_group: 'root'

- nginx_webroot_mode

  The default mode of the webroot directories created by the role.

  nginx_webroot_mode: '0755'

- nginx_welcome_template

  Name of the Jinja2 template used as a welcome page.

  nginx_welcome_template: 'srv/www/sites/welcome/public/index.html.j2'

- nginx_welcome_domain

  The domain used on the default welcome page.

  nginx_welcome_domain: '{{ ansible_domain }}'

- nginx_acme

  Enable or disable support for Automated Certificate Management Environment (ACME) on all servers. This can be overridden per server using the item.acme variable.

  nginx_acme: True

- nginx_acme_root

  Global directory where ACME challenges will be served from. It's not created by the role automatically and is left to be managed by other Ansible roles.

  nginx_acme_root: '{{ nginx_www + "/sites/acme/public" }}'

- nginx_acme_server

  Enable or disable the custom ACME challenge server configuration. It will answer queries on a specified domain, from the nginx_acme_root directory. It can be used for other things as well, for example to serve certificates to other hosts.

  nginx_acme_server: False

- nginx_acme_domain

  Specifies the DNS domain to which ACME challenge queries will be redirected if they are not found on the host. The domain must exist in the DNS and a web server needs to be configured to answer the queries. Set to False to disable the redirect.

  nginx_acme_domain: 'acme.{{ ansible_domain }}'

- nginx__hostname_domains

  Specify the domains which will be used as base domains for automatic short name generation. It will not be used if it's defined on the server level. The first domain from the list that matches wins.

  nginx__hostname_domains: [ '{{ ansible_domain }}' ]
- nginx_status

  List of IP addresses or CIDR ranges to allow access to the status page.

  nginx_status: []

- nginx_status_localhost

  By default, allow access to the status page from the webserver itself.

  nginx_status_localhost: '{{ ["127.0.0.1/32", "::1/128"] + ansible_all_ipv4_addresses | d([]) +
                              (ansible_all_ipv6_addresses | d([])
                               | difference(ansible_all_ipv6_addresses | d([])
                                            | ansible.utils.ipaddr("link-local"))) }}'

- nginx_status_name

  Name of the nginx status page location.

  nginx_status_name: '/nginx_status'

- nginx_local_servers

  Hash of symlinks to local server definitions stored in /etc/nginx/sites-local/. Entries with empty values or False will be removed. Symlinks will be created in /etc/nginx/sites-enabled/.

  nginx_local_servers: {}
    #'symlink': 'file'
    #'other-symlink.conf': 'sub/directory/file.conf'
    #'removed-file': False
    #'also-removed':
    #'symlink\ with\ spaces.conf': 'other-file.conf'

- nginx_default_satisfy

  Default "satisfy" mode used if not specified, choices: any, all.

  nginx_default_satisfy: 'any'

- nginx_default_auth_basic_realm

  Default HTTP Basic Auth "realm" presented to the user.

  nginx_default_auth_basic_realm: 'Access to this website is restricted'

- nginx_htpasswd_secret_path

  Path on the Ansible Controller used to look up htpasswd passwords (see the debops.secret role). You can change this to, for example, share a set of passwords between different hosts in case you use nginx in a HA setup.

  nginx_htpasswd_secret_path: '{{ secret + "/credentials/" + inventory_hostname + "/nginx/htpasswd" }}'

- nginx__htpasswd_crypt_scheme

  The password hashing scheme used by the htpasswd Ansible module to generate password hashes. You should use schemes supported by the passlib library.

  nginx__htpasswd_crypt_scheme: 'sha512_crypt'

- nginx__htpasswd_password_length

  Default length of the automatically generated passwords.

  nginx__htpasswd_password_length: 32

- nginx__htpasswd_password_characters

  Set of characters allowed in passwords autogenerated by the role.

  nginx__htpasswd_password_characters: 'ascii_letters,digits,.-_~&()*='

- nginx__htpasswd

  List of htpasswd files with user accounts managed by debops.nginx. Example entries are included below.

  nginx__htpasswd: []
    # Create specified user accounts
    #- name: 'server_domain'
    #  users: [ 'username1', 'username2@domain' ]
    # Delete specified user accounts
    #- name: 'server_domain'
    #  users: [ 'username1', 'username2@domain' ]
    #  delete: True
    # Delete htpasswd file
    #- name: 'server_domain'
    #  users: []
    #  state: 'absent'

- nginx__default_htpasswd

  List of the default htpasswd file configurations created by the role.

  nginx__default_htpasswd:
    - '{{ nginx__http_auth_htpasswd }}'

- nginx__dependent_htpasswd

  List of htpasswd file configurations defined by other roles via role dependent variables.

  nginx__dependent_htpasswd: []
Nginx server access policy

Using the dicts below you can define a named "access policy" consisting of a list of allowed hosts/CIDR networks and/or the name of an htpasswd file in '/etc/nginx/private/' with a list of user accounts to allow access. You can also define whether any or all restrictions need to be met to gain access to a website. In the website configuration dict, you can define an 'item.access_policy' key with the name of a particular policy. The nginx role will then use this information to generate a proper config file with the given restrictions in place.

- nginx_access_policy_allow_map

  List of IP addresses or CIDR networks which can access a particular site.

  nginx_access_policy_allow_map: {}
    #'my_policy': [ '192.0.2.0/24', '2002:db8::/64' ]

- nginx_access_policy_auth_basic_map

  Name of an HTTP Basic Auth htpasswd file in the '/etc/nginx/private/' directory.

  nginx_access_policy_auth_basic_map: {}
    #'my_policy': 'htpasswd_file'

- nginx_access_policy_satisfy_map

  Should all or any restrictions be met to gain access?

  nginx_access_policy_satisfy_map: {}
    #'my_policy': 'any' or 'all'
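The three maps above share a policy name as their key, and the satisfy mode decides how the allow list and the htpasswd file combine. As an added example (not the role's template, which renders nginx directives): a constructed policy named my_policy, in the shape of the maps, resolved into one policy and evaluated for sample clients under nginx's satisfy any / satisfy all semantics. The evaluation is a model of nginx's access phase, where each configured module either passes, denies, or abstains when it has no directives; the htpasswd stand-in holds plaintext only to keep the example self-contained, whereas the real files hold password hashes.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed policy maps, in the shape of the three variables above.
NGINX_ACCESS_POLICY_ALLOW_MAP = {"my_policy": ["192.0.2.0/24", "2001:db8::/64"]}
NGINX_ACCESS_POLICY_AUTH_BASIC_MAP = {"my_policy": "htpasswd_file"}
NGINX_ACCESS_POLICY_SATISFY_MAP = {"my_policy": "any"}
NGINX_DEFAULT_SATISFY = "any"

# Constructed stand-in for /etc/nginx/private/htpasswd_file (user -> password).
# A real file holds sha512_crypt hashes; plaintext is used only for the model.
HTPASSWD_FILES: Dict[str, Dict[str, str]] = {"htpasswd_file": {"alice": "correct horse"}}


def resolve_policy(name: str) -> dict:
    """Collect the three maps into one policy, as item.access_policy selects it.

    An unknown name raises instead of yielding an unrestricted policy, so a typo
    in item.access_policy cannot silently open a site.
    """
    maps = (NGINX_ACCESS_POLICY_ALLOW_MAP, NGINX_ACCESS_POLICY_AUTH_BASIC_MAP,
            NGINX_ACCESS_POLICY_SATISFY_MAP)
    if not any(name in m for m in maps):
        raise KeyError(f"access policy {name!r} is not defined in any map")
    return {
        "allow": NGINX_ACCESS_POLICY_ALLOW_MAP.get(name, []),
        "auth_basic": NGINX_ACCESS_POLICY_AUTH_BASIC_MAP.get(name),
        "satisfy": NGINX_ACCESS_POLICY_SATISFY_MAP.get(name, NGINX_DEFAULT_SATISFY),
    }


def check_access(policy: dict, client_ip: str,
                 credentials: Optional[Tuple[str, str]] = None) -> bool:
    """Model of nginx's access phase: the allow list and auth_basic each vote
    'ok' or 'deny', or abstain when not configured; satisfy combines the votes."""
    votes: List[str] = []
    if policy["allow"]:
        ip = ip_address(client_ip)
        matched = any(ip in ip_network(net, strict=False) for net in policy["allow"])
        votes.append("ok" if matched else "deny")
    if policy["auth_basic"]:
        users = HTPASSWD_FILES.get(policy["auth_basic"], {})
        user, password = credentials if credentials else (None, None)
        valid = user is not None and users.get(user) == password
        votes.append("ok" if valid else "deny")
    if policy["satisfy"] == "all":
        return "deny" not in votes
    # satisfy any: one passing module is enough; with nothing configured, nothing restricts
    return "ok" in votes or "deny" not in votes


if __name__ == "__main__":
    policy = resolve_policy("my_policy")
    print(check_access(policy, "192.0.2.10"))                              # allowed by network
    print(check_access(policy, "198.51.100.7"))                            # outside, no credentials
    print(check_access(policy, "198.51.100.7", ("alice", "correct horse")))  # outside, logs in
    print(check_access(dict(policy, satisfy="all"), "192.0.2.10"))         # 'all' needs both
```

With satisfy any, a client inside the allowed network never sees the login prompt, and one outside it can still log in; switching the same policy to all requires both the network match and valid credentials, which is the combination to use when the allow list describes a shared proxy rather than individual clients.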
- nginx__maps

  List of nginx map definitions. Each map should be defined in its own hash variable, similar to upstreams and servers. See https://nginx.org/en/docs/http/ngx_http_map_module.html

  nginx__maps: []

- nginx__default_maps

  List of default nginx map definitions.

  nginx__default_maps:
    # Extract the subdomain from the '*.local' domain managed by Avahi and expose
    # it as a variable which can be used to redirect the HTTP clients to websites
    - name: 'host_without_local'
      map: '$host $host_without_local'
      mapping: '~*^(?<subdomain>[a-zA-Z0-9\-\_\.]+)\.local$ $subdomain;'
    # Support WebSocket connection upgrade as a proxy
    # Documentation: https://nginx.org/en/docs/http/websocket.html
    - name: 'connection_upgrade'
      map: '$http_upgrade $connection_upgrade'
      mapping: |
        '' Close;
      default: 'Upgrade'

- nginx__dependent_maps

  List of nginx maps defined in Ansible roles.

  nginx__dependent_maps: []

- nginx__upstreams

  List of nginx upstream definitions.

  nginx__upstreams: []

- nginx__default_upstreams

  List of default nginx upstream definitions.

  nginx__default_upstreams:
    - '{{ nginx_upstream_php5_www_data }}'

- nginx__dependent_upstreams

  List of nginx upstreams defined in Ansible roles.

  nginx__dependent_upstreams: []

- nginx_upstream_php5_www_data

  Upstream for the default php5-fpm configuration. Legacy.

  nginx_upstream_php5_www_data:
    state: 'absent'
    name: 'php5_www-data'
    type: 'php5'
    php5: 'www-data'
Nginx servers

- nginx__servers

  List of nginx server definitions. Refer to the documentation of all options for more details.

  nginx__servers: []

- nginx__default_servers

  List of default nginx servers defined by the role.

  nginx__default_servers:
    - '{{ nginx_server_welcome }}'

- nginx__internal_servers

  List of internal nginx servers.

  nginx__internal_servers:
    - '{{ nginx_server_localhost }}'
    - '{{ nginx_server_acme }}'

- nginx__dependent_servers

  List of nginx servers defined in Ansible roles.

  nginx__dependent_servers: []

- nginx_server_welcome

  Default nginx site. A list and description of the available parameters can be found in the nginx server templates, templates/etc/nginx/sites-available/*.conf.j2.

  nginx_server_welcome:
    enabled: True
    name: [ 'welcome' ]
    welcome: True
    welcome_domain: '{{ nginx_welcome_domain }}'
    csp: "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self';"
    csp_enabled: True

- nginx_server_localhost

  Default nginx localhost server. It can be used by other services to access the nginx status page.

  nginx_server_localhost:
    enabled: True
    name: [ 'localhost', '127.0.0.1', '[::1]' ]
    acme: False
    ssl: False
    welcome: True
    welcome_css: False

- nginx_server_acme

  Custom server for ACME challenge queries.

  nginx_server_acme:
    enabled: '{{ nginx_acme_server | bool }}'
    delete: '{{ not nginx_acme_server | bool }}'
    name: [ '{{ nginx_acme_domain }}' ]
    filename: 'acme-challenge'
    root: '{{ nginx_acme_root }}'

- nginx_default_try_files

  Checks for the existence of files in order, and returns the first file that is found, for location /. See https://wiki.nginx.org/NginxHttpCoreModule#try_files

  nginx_default_try_files:
    - '$uri'
    - '$uri/'
    - '$uri.html'
    - '$uri.htm'
    - '/index.html'
    - '/index.htm'

- nginx__log_format

  log_format nginx configuration in /etc/nginx/conf.d/.

  nginx__log_format: []
    #- name: 'main'
    #  log_format: '$remote_addr - $remote_user [$time_local] "$request_method $scheme://$host$request_uri $server_protocol" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'

- nginx__dependent_log_format

  log_format nginx configuration in /etc/nginx/conf.d/ defined by other Ansible roles.

  nginx__dependent_log_format: []

- nginx__custom_config

  Custom nginx configuration in /etc/nginx/conf.d/.

  nginx__custom_config: []
    #- name: 'other_config'
    #  custom: |
    #    text block {
    #    }

- nginx__http_xss_protection

  Default value for xss_protection.

  nginx__http_xss_protection: '1; mode=block'

- nginx__http_referrer_policy

  Default value for http_referrer_policy.

  nginx__http_referrer_policy: 'same-origin'

- nginx__http_permitted_cross_domain_policies

  Default value for permitted_cross_domain_policies.

  nginx__http_permitted_cross_domain_policies: '{{ omit }}'

- nginx__http_robots_tag

  Default value for robots_tag.

  nginx__http_robots_tag: '{{ omit }}'
- nginx_apt_preferences_dependent_list

  Configuration of custom APT preferences.

  nginx_apt_preferences_dependent_list: '{{ nginx__apt_preferences__dependent_list }}'

- nginx__apt_preferences__dependent_list

  Configuration for the debops.apt_preferences Ansible role.

  nginx__apt_preferences__dependent_list:
    - package: 'nginx nginx-*'
      backports: [ 'wheezy' ]
      reason: 'Support for SPDY, OCSP stapling'
      by_role: 'debops.nginx'
      state: '{{ ((nginx__deploy_state in [ "present" ]) and (nginx_flavor not in [ "passenger" ])) | ternary("present", "absent") }}'
    - package: 'nginx nginx-*'
      pin: 'release o=Phusion'
      reason: 'Support for Phusion Passenger'
      priority: '600'
      suffix: '_passenger'
      by_role: 'debops.nginx'
      state: '{{ ((nginx__deploy_state in [ "present" ]) and (nginx_flavor in [ "passenger" ])) | ternary("present", "absent") }}'

- nginx_php5_status

  Name of the php5-fpm status page location.

  nginx_php5_status: False

- nginx_php5_status_name

  Name of the PHP5 status page used in the URL.

  nginx_php5_status_name: 'php5_status'

- nginx_php5_ping_name

  Name of the PHP5 ping page used in the URL.

  nginx_php5_ping_name: 'php5_ping'

- nginx_privileged_group

  Which system group has privileged access to the nginx service.

  nginx_privileged_group: 'webadmins'
nginx_ssl_ciphers
¶
Hash of SSL ciphers available to use in nginx server definitions You can select a set of ciphers using 'ssl_ciphers' variable Default set of ciphers is set in nginx_default_ssl_ciphers variable
nginx_ssl_ciphers:
# https://bettercrypto.org/
# https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/theory/cipher_suites/recommended.tex
# This will come at a certain cost of excluding many clients!
# If you want even higher security then the default values of this role then
# consider to use a preset for this role maintained by ypid:
# https://github.com/ypid/ypid-ansible-inventory
bettercrypto_org__set_a: 'EDH+aRSA+AES256:EECDH+aRSA+AES256:!SSLv3'
# https://bettercrypto.org/
# https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/configuration/Webservers/nginx/default-ec
bettercrypto_org__set_b: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
# https://bettercrypto.org/
# https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/configuration/Webservers/nginx/default-ec
# But only cipher suites which support PFS. Only drops support for Android 2.3.7 which is negligible.
bettercrypto_org__set_b_pfs: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH'
# https://cipherli.st/
cipherli_st: 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
# Perfect Forward Secrecy (https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy)
# String taken on 2014-04-11
pfs: 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4'
# Perfect Forward Secrecy + RC4
# String taken on 2014-04-11
pfs_rc4: 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS'
# Hardened SSL cipher list (https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/)
# String taken on 2014-04-11
hardened: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
# TLS recommendations from Mozilla Foundation (https://wiki.mozilla.org/Security/Server_Side_TLS)
# String taken on 2014-04-11
mozilla: 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK'
# Modern TLS recommendation from Mozilla (https://ssl-config.mozilla.org/)
# Actually they do not specify a ciphersuite, because "modern" means TLSv1.3 only,
# which has its own ciphers, while TLSv1.2 and lower ciphers are not used.
# Therefore, we just repeat mozilla_intermediate here, to avoid a security hole
# that would be created with nginx default ciphersuite and accidental
# activation of TLSv1.2 or lower.
# String taken on 2020-07-27
mozilla_modern: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
# Intermediate TLS recommendation from Mozilla (https://ssl-config.mozilla.org/)
# String taken on 2020-07-27
mozilla_intermediate: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
# Old TLS recommendation from Mozilla (https://ssl-config.mozilla.org/)
# String taken on 2020-07-27
mozilla_old: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'
# FIPS 140-2 compliant (https://en.wikipedia.org/wiki/FIPS_140-2)
# https://community.qualys.com/thread/12182
fips: 'FIPS@STRENGTH:!aNULL:!eNULL'
# 'good' cipher suite from NCSC-NL TLS Guidelines v2.0
# https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
ncsc_nl: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256'
# This cipher set disables the 'ssl_ciphers' option in 'nginx' and the
# default set of SSL ciphers for a given platform will be used.
# This is recommended when TLSv1.3 is the only protocol in use.
default: ''
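Several of the presets above date from 2014 and still name RC4 or 3DES, and the choice between them is tied to the TLS protocol list (nginx_default_tls_protocols, nginx_default_ssl_ciphers and nginx_ssl_dhparam earlier on this page). The following is an added example, not part of the debops.nginx role: a static lint of OpenSSL cipher strings that reports which weak algorithms a preset enables by name, run over a constructed subset of the presets copied from the table, together with a function that reproduces the version-driven decision chain of the three TLS default variables. The lint only inspects tokens literally; it does not expand broad selectors such as HIGH or EECDH, so a clean result is necessary, not sufficient. The names weak_algorithms, audit_presets and tls_defaults are this example's own.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed subset of the nginx_ssl_ciphers presets listed above.
NGINX_SSL_CIPHERS = {
    "pfs": "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
           "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:"
           "!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4",
    "pfs_rc4": "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
               "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:"
               "!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS",
    "hardened": "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
                "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS",
    "mozilla_intermediate": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                            "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                            "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                            "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",
}

# Algorithms that should not be enabled in a current list. Each pattern matches the
# name as a whole component of an OpenSSL token ('EECDH+aRSA+RC4', 'RC4-SHA', ...).
WEAK_ALGORITHMS = {
    "RC4": re.compile(r"(^|[+-])RC4($|[+-])"),
    "3DES": re.compile(r"(^|[+-])(3DES|DES-CBC3)($|[+-])"),
    "MD5": re.compile(r"(^|[+-])MD5($|[+-])"),
}


def weak_algorithms(cipher_string: str) -> Set[str]:
    """Weak algorithms a cipher string enables by name.

    In OpenSSL a '!' token removes an algorithm permanently, whatever its
    position, so the net result is enabled minus removed. Broad tokens such
    as HIGH or EECDH are not expanded here.
    """
    enabled: Set[str] = set()
    removed: Set[str] = set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        negated = token.startswith("!")
        body = token.lstrip("!+-")
        for name, pattern in WEAK_ALGORITHMS.items():
            if pattern.search(body):
                (removed if negated else enabled).add(name)
    return enabled - removed


def audit_presets(presets: Dict[str, str]) -> Dict[str, List[str]]:
    """Presets that still enable a weak algorithm, with the findings sorted."""
    report = {}
    for name, value in presets.items():
        found = weak_algorithms(value)
        if found:
            report[name] = sorted(found)
    return report


def tls_defaults(nginx_version: str, protocols: Optional[List[str]] = None) -> dict:
    """The decision chain of nginx_default_tls_protocols, nginx_default_ssl_ciphers
    and nginx_ssl_dhparam: TLSv1.3 is added from nginx 1.13.0 on, and a
    TLSv1.3-only protocol list selects mozilla_modern and drops the DH parameters."""
    if protocols is None:
        version = tuple(int(part) for part in nginx_version.split("."))
        protocols = ["TLSv1.2", "TLSv1.3"] if version >= (1, 13, 0) else ["TLSv1.2"]
    tls13_only = protocols == ["TLSv1.3"]
    return {
        "protocols": protocols,
        "ciphers": "mozilla_modern" if tls13_only else "mozilla_intermediate",
        "dhparam_needed": not tls13_only,
    }


if __name__ == "__main__":
    print(audit_presets(NGINX_SSL_CIPHERS))   # {'pfs_rc4': ['RC4'], 'hardened': ['3DES']}
    print(tls_defaults("1.18.0"))
    print(tls_defaults("1.18.0", ["TLSv1.3"]))
```

Note the difference between pfs and pfs_rc4: both list EECDH+aRSA+RC4, but only pfs ends with !RC4, which is what removes it again; the version comparison is done on integer tuples because a string comparison would rank "1.9.5" above "1.13.0".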
Firewall Configuration

- nginx_allow

  List of IP addresses or CIDR networks allowed to connect to the HTTP or HTTPS service. It will be configured in the iptables firewall via the debops.ferm role. If there are no entries, nginx will accept connections from any IP address or network. If you have multiple web services on a host, you might want to control access using the 'item.location_allow' option instead.

  nginx_allow: []

- nginx_group_allow

  List of the CIDR subnets or IP addresses which are allowed to connect to the HTTP or HTTPS service, configured on hosts in a specific Ansible inventory group.

  nginx_group_allow: []

- nginx_host_allow

  List of the CIDR subnets or IP addresses which are allowed to connect to the HTTP or HTTPS service, configured on specific hosts in the Ansible inventory.

  nginx_host_allow: []

- nginx_ferm_dependent_rules

  Configuration of the iptables firewall using ferm.

  nginx_ferm_dependent_rules: '{{ nginx__ferm__dependent_rules }}'

- nginx__ferm__dependent_rules

  Configuration for the debops.ferm Ansible role.

  nginx__ferm__dependent_rules:
    - type: 'accept'
      dport: [ 'http', 'https' ]
      saddr: '{{ nginx_allow + nginx_group_allow + nginx_host_allow }}'
      accept_any: True
      weight: '40'
      by_role: 'nginx'
      name: 'http_https'
      multiport: True
      delete: '{{ nginx__deploy_state != "present" }}'
Configuration for other Ansible roles

- nginx__keyring__dependent_apt_keys

  Configuration for the debops.nginx Ansible role.

  nginx__keyring__dependent_apt_keys:
    - id: '{{ nginx__flavor_apt_key_id }}'
      repo: '{{ nginx__flavor_apt_repository }}'
      state: '{{ "present"
                 if (nginx_flavor in [ "nginx.org", "passenger" ] and
                     nginx__deploy_state == "present")
                 else "absent" }}'

- nginx__python__dependent_packages3

  Configuration for the debops.python Ansible role.

  nginx__python__dependent_packages3:
    - 'python3-passlib'

- nginx__python__dependent_packages2

  Configuration for the debops.python Ansible role.

  nginx__python__dependent_packages2:
    - 'python-passlib'