debops.nginx default variables

Basic Settings

nginx__deploy_state

What is the desired state which this role should achieve? Possible options:

present

Default. Ensure that Nginx is installed and configured as requested.

config

Highly optional. In this state you are responsible for manually installing nginx packages which are compatible with this role. The role maintains configuration only. This state is designed for very specific deployments which require out-of-tree nginx binaries.

absent

Ensure that Nginx is uninstalled and its configuration is removed.

Warning

The role is currently not able to dismantle an installation deployed in the present state; this still needs to be implemented. At the moment the absent state can only be achieved on a host where present has never been applied before.

nginx__deploy_state: 'present'
nginx_base_packages

List of Debian packages installed by this role

nginx_base_packages: []
nginx_flavor

What type of nginx server to install (see nginx_flavor_package_map)

nginx_flavor: 'full'
nginx__flavor_distribution_release

Specify the OS distribution release to use in flavored repositories.

nginx__flavor_distribution_release: '{{ ansible_local.core.distribution_release
                                         | d(ansible_distribution_release) }}'
nginx__flavor_apt_key_id

The APT GPG key id of the currently selected flavor.

nginx__flavor_apt_key_id: '{{ nginx__flavor_apt_key_id_map[nginx_flavor] | d() }}'
nginx__flavor_apt_repository

The APT repository of the currently selected flavor.

nginx__flavor_apt_repository: '{{ nginx__flavor_apt_repository_map[nginx_flavor] | d() }}'
nginx__flavor_apt_key_id_map

Dictionary which maps the APT GPG key ids to their respective flavors.

nginx__flavor_apt_key_id_map:
  'nginx.org': '573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62'
  'passenger': '16378A33A6EF16762922526E561F9B9CAC40B2F7'
nginx__flavor_apt_repository_map

Dictionary which maps the APT repositories to their respective flavors.

nginx__flavor_apt_repository_map:
  'nginx.org': 'deb https://nginx.org/packages/{{ ansible_distribution | lower }}/ {{ nginx__flavor_distribution_release }} nginx'
  'passenger': 'deb https://oss-binaries.phusionpassenger.com/apt/passenger {{ nginx__flavor_distribution_release }} main'
nginx__flavor_packages

The list of APT packages installed depending on the currently selected flavor.

nginx__flavor_packages: '{{ nginx_flavor_package_map[nginx_flavor] }}'
nginx_flavor_package_map

There are many versions of the nginx server to choose from, but only one can be installed at a time. This is a list of APT packages which will be installed for a specific flavor.

nginx_flavor_package_map:

  # Default version from Debian
  'full': [ 'nginx-full' ]

  # Light version from Debian
  'light': [ 'nginx-light' ]

  # Extras version from Debian
  'extras': [ 'nginx-extras' ]

  # nginx with support for Phusion Passenger compiled in. Requires external APT
  # repository. See https://phusionpassenger.com/ for more details.
  'passenger':
    - 'nginx-extras'
    - 'ruby'
    - '{{ "passenger"
          if (nginx__flavor_distribution_release in
              ["trusty", "xenial"])
          else "libnginx-mod-http-passenger" }}'

  # Upstream version from https://nginx.org/ packaged for Debian
  'nginx.org': [ 'nginx' ]
nginx_user

System user used by nginx.

nginx_user: 'www-data'
nginx_www

Base path for website directories. It is exposed using Ansible local facts as 'ansible_local.nginx.www'.

nginx_www: '/srv/www'
nginx_public_dir_name

Name of the public directory of each website. It can be overridden per server.

nginx_public_dir_name: 'public'
nginx_etc_path

Directory where nginx configuration is stored.

nginx_etc_path: '/etc/nginx'
nginx_private_path

Directory where private files used by nginx are stored (for example htpasswd files).

nginx_private_path: '{{ nginx_etc_path + "/private" }}'
nginx_run_path

Directory where runtime nginx files are stored.

nginx_run_path: '/run'
nginx_log_path

Directory where nginx log files are stored, or, if nginx_log_to_syslog is true, the socket nginx sends its logs to. A socket can be given as unix:/path/to/socket or ipaddress:port.

nginx_log_path: '{{ "unix:/dev/log" if nginx_log_to_syslog else "/var/log/nginx" }}'
nginx_log_to_syslog

If this variable is true, nginx logs to the socket stored in nginx_log_path.

nginx_log_to_syslog: False
nginx_syslog_config

Additional options for the syslog log destination used when nginx_log_to_syslog is enabled. Examples from the nginx documentation are: nohostname facility=local7,tag=nginx,severity=info

nginx_syslog_config: 'nohostname'

Phusion Passenger support

nginx_passenger_root

Specify Phusion Passenger root paths manually (by default this variable is detected automatically at Ansible run time).

nginx_passenger_root: ''
nginx_passenger_ruby

Specify path to Ruby executable for Phusion Passenger manually (by default this variable is detected automatically at Ansible run time).

nginx_passenger_ruby: ''
nginx_passenger_max_pool_size

Maximum number of Passenger processes.

nginx_passenger_max_pool_size: '{{ (ansible_processor_cores | int * 5) }}'
nginx_passenger_options

Additional Phusion Passenger global options.

nginx_passenger_options: False
nginx_passenger_default_min_instances

Minimum Passenger instances per nginx server.

nginx_passenger_default_min_instances: '{{ ansible_processor_cores }}'

Global server access and authentication

nginx_http_allow

List of IP addresses or CIDR networks which can access this server. If the list is empty, access is allowed from anywhere.

nginx_http_allow: []
nginx_http_auth_basic

Enable or disable HTTP Basic Auth for all nginx servers on this host. By default it depends on the contents of the 'nginx_http_auth_users' variable: if that list is not empty, authorization is automatically enabled.

nginx_http_auth_basic: '{{ nginx_http_auth_users }}'
nginx_http_auth_basic_name

Name of the htpasswd file in '/etc/nginx/private/' with list of global HTTP Basic Auth accounts.

nginx_http_auth_basic_name: 'nginx_http'
nginx_http_auth_users

List of HTTP Basic Auth accounts which need to log in before accessing this server. Passwords are generated automatically and stored in the 'secret/' directory (see the debops.secret role). If this list is empty, access is not restricted.

nginx_http_auth_users: []
nginx__http_auth_htpasswd

Default htpasswd file used for global HTTP Basic Auth accounts.

nginx__http_auth_htpasswd:
  name: '{{ nginx_http_auth_basic_name }}'
  users: '{{ nginx_http_auth_users }}'
nginx_http_server_names_hash_bucket_size

The default value of 'server_names_hash_bucket_size' depends on the size of the processor’s cache line. If a large number of server names are defined, or unusually long server names are defined, tuning the 'server_names_hash_max_size' and 'server_names_hash_bucket_size' directives at the http level may become necessary. More information can be found at:

nginx_http_server_names_hash_bucket_size: 64
nginx_http_server_names_hash_max_size

Sets the maximum size of the server names hash tables. More information can be found at:

nginx_http_server_names_hash_max_size: 512
nginx_http_options

Default http { } options.

nginx_http_options: |
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  types_hash_max_size 2048;
  gzip on;
  gzip_disable "msie6";
  gzip_comp_level    5;
  gzip_min_length    256;
  gzip_proxied       any;
  gzip_vary          on;
  gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/ld+json
    application/manifest+json
    application/rss+xml
    application/vnd.geo+json
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/bmp
    image/svg+xml
    image/x-icon
    text/cache-manifest
    text/css
    text/plain
    text/vnd.rim.location.xloc
    text/vtt
    text/x-component
    text/x-cross-domain-policy;
nginx_http_extra_options

A string or YAML text block with additional nginx options placed in the /etc/nginx/nginx.conf inside of the "http" block.

nginx_http_extra_options: ''
nginx_extra_options

A string or YAML text block with additional nginx options placed in the /etc/nginx/nginx.conf outside of the "http" block.

nginx_extra_options: ''
nginx_manage_ipv6only

If this variable is enabled, debops.nginx role will automatically add ipv6only=false to the default nginx server configuration. You can disable it and manage IPv4 and IPv6 listen directives yourself. nginx daemon needs to be restarted when this variable changes. More information can be found at:

nginx_manage_ipv6only: True
nginx_listen_port

Default listen port for HTTP connections.

nginx_listen_port: [ '[::]:80' ]
nginx_listen_ssl_port

Default listen port for HTTPS connections.

nginx_listen_ssl_port: [ '[::]:443' ]
nginx_listen_socket

Default listen socket for HTTP connections.

nginx_listen_socket: []
nginx_listen_ssl_socket

Default listen socket for HTTPS connections.

nginx_listen_ssl_socket: []
nginx_real_ip_from

List of IP addresses or CIDR subnets which the server should trust to report the real IP addresses of clients. If this list is specified, nginx will read the client IP address from the header given in nginx_real_ip_header. This is useful when the nginx server is used behind another proxy server (local or remote).

nginx_real_ip_from: []
nginx_real_ip_header

Specify the header used to lookup client IP addresses given by another server.

nginx_real_ip_header: 'X-Forwarded-For'
nginx_real_ip_recursive

If this variable is enabled, nginx will ignore client IP addresses that match the ones from the list of trusted upstream servers. This is useful when the upstream server is also a proxy.

nginx_real_ip_recursive: False
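The three real_ip variables above interact in a way that is easy to get wrong (a header is only believed when the peer is trusted, and recursive mode decides which entry is read). The following is an added example, not code from the debops.nginx role, that models the ngx_http_realip_module selection rules in Python; TRUSTED_PROXIES and the header values are constructed sample data, and it simplifies one detail: a malformed header entry makes the whole header ignored.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample of what nginx_real_ip_from might hold: the reverse
# proxies whose X-Forwarded-For values this host is willing to believe.
TRUSTED_PROXIES = ["10.0.0.0/8", "192.0.2.10/32"]


def is_trusted(addr: str, trusted: Iterable[str]) -> bool:
    """True if addr falls inside one of the trusted CIDR ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(net, strict=False) for net in trusted)


def resolve_client_ip(remote_addr: str, forwarded_for: Optional[str],
                      trusted: Iterable[str], recursive: bool = False) -> str:
    """Model of how ngx_http_realip_module picks the client address.

    remote_addr   -- peer address of the TCP connection
    forwarded_for -- value of the header named by nginx_real_ip_header
    trusted       -- the nginx_real_ip_from list
    recursive     -- the nginx_real_ip_recursive setting
    Simplification (assumption of this model): any malformed entry in the
    header makes the whole header ignored.
    """
    # Rule 1: the header is only consulted when the peer itself is trusted.
    # An untrusted client sending its own X-Forwarded-For changes nothing.
    if not forwarded_for or not is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    try:
        for hop in hops:
            ipaddress.ip_address(hop)
    except ValueError:
        return remote_addr
    if not recursive:
        # Rule 2 (recursive off): the rightmost address wins, i.e. whatever the
        # trusted peer appended. Anything further left is never looked at.
        return hops[-1]
    # Rule 3 (recursive on): walk right to left, skipping our own proxies, and
    # stop at the first address that is not one of them. If every hop is a
    # trusted proxy, the leftmost one is used.
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return hop
    return hops[0]


if __name__ == "__main__":
    # Two proxies in the trusted range relayed the request; only recursive
    # mode peels both of them off and exposes the real client.
    hdr = "203.0.113.5, 10.9.9.9"
    print(resolve_client_ip("10.1.2.3", hdr, TRUSTED_PROXIES, recursive=False))
    print(resolve_client_ip("10.1.2.3", hdr, TRUSTED_PROXIES, recursive=True))
```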
nginx_default_keepalive_timeout
nginx_default_keepalive_timeout: 60
nginx_multi_accept

If enabled, a worker process accepts all new connections at once instead of one new connection at a time.

nginx_multi_accept: 'off'
nginx_pki

Enable or disable support for PKI/SSL/TLS in nginx. Defaults to True if debops.pki is enabled on the remote host.

nginx_pki: '{{ ansible_local | d() and ansible_local.pki | d() and
               (ansible_local.pki.enabled | d() | bool) }}'
nginx_pki_path

Directory where the PKI realms live.

nginx_pki_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
nginx_pki_realm

Default PKI realm to use.

nginx_pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
nginx_pki_ca_realm

PKI realm to use for client CA.

nginx_pki_ca_realm: '{{ ansible_local.pki.ca_realm | d("domain") }}'
nginx_pki_crt

Path to default certificate, key and DH parameters file used by all nginx servers if not specified otherwise in server configuration. Relative to 'nginx_pki_realm' variable.

nginx_pki_crt: 'default.crt'
nginx_pki_key

The name of the file which contains the private key file of the X.509 certificate, relative to the 'nginx_pki_realm' variable.

nginx_pki_key: 'default.key'
nginx_pki_ca

The name of the file which contains the Root Certificate used to authenticate other servers, relative to the 'nginx_pki_realm' variable.

nginx_pki_ca: 'CA.crt'
nginx_pki_trusted

The name of the file which contains the Root Certificate used to authenticate client certificates, relative to the 'nginx_pki_realm' variable.

nginx_pki_trusted: 'trusted.crt'
nginx_pki_hook_name

Name of the hook script which will be stored in hook directory.

nginx_pki_hook_name: 'nginx'
nginx_pki_hook_path

Directory with PKI hooks.

nginx_pki_hook_path: '{{ ansible_local.pki.hooks | d("/etc/pki/hooks") }}'
nginx_pki_hook_action

Specify how changes in PKI should affect nginx, either 'reload' or 'restart'.

nginx_pki_hook_action: 'reload'
nginx_ssl_dhparam

Path to the file with Diffie-Hellman parameters to use by the webserver.

nginx_ssl_dhparam: '{{ (""
                        if nginx_default_tls_protocols | length == 1 and
                           nginx_default_tls_protocols[0] == "TLSv1.3"
                        else
                           (ansible_local.dhparam[nginx_ssl_dhparam_set]
                            if (ansible_local | d() and ansible_local.dhparam | d() and
                                ansible_local.dhparam[nginx_ssl_dhparam_set] | d())
                            else "")) }}'
nginx_ssl_dhparam_set

Name of the dhparam set to use.

nginx_ssl_dhparam_set: 'default'
nginx_default_ssl_ciphers

Default set of cipher suites to use. Refer to nginx_ssl_ciphers for details.

nginx_default_ssl_ciphers: '{{ "mozilla_modern"
                               if nginx_default_tls_protocols | length == 1 and
                                  nginx_default_tls_protocols[0] == "TLSv1.3"
                               else "mozilla_intermediate" }}'
nginx_default_tls_protocols

Default set of TLS protocols to use. TLSv1.3 is only supported on nginx version 1.13.0 and up.

See also: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols

nginx_default_tls_protocols: '{{ ["TLSv1.2", "TLSv1.3"]
                                 if ansible_local.nginx.version | d("0.0.0") is version("1.13.0", ">=")
                                 else ["TLSv1.2"] }}'
nginx_default_ssl_curve

Default SSL ECDH curve used on servers. To see a list of supported curves, run:

openssl ecparam -list_curves

See also: https://security.stackexchange.com/questions/31772/

Set to False to disable ECC.

nginx_default_ssl_curve: 'secp384r1'
nginx_default_ssl_verify_client

Default value of the 'ssl_verify_client' option.

nginx_default_ssl_verify_client: False
nginx_default_ssl_client_certificate

Default client CA certificate used to verify client certificates.

nginx_default_ssl_client_certificate: ''
nginx_default_ssl_crl

Default certificate revocation list (CRL) used when verifying client certificates.

nginx_default_ssl_crl: ''
nginx_ocsp

Enable or disable OCSP Stapling.

nginx_ocsp: True
nginx_ocsp_verify

Verify OCSP responses from the server; this requires the chained intermediate and Root CA certificates.

nginx_ocsp_verify: '{{ nginx_ocsp | bool }}'
nginx_ocsp_resolvers

List of DNS servers used to resolve OCSP stapling and other DNS queries (for example for proxy_pass). If it is empty, the nginx role will try to use the nameservers from /etc/resolv.conf; currently only the first nameserver is used.

nginx_ocsp_resolvers: []
nginx_hsts_age

HTTP Strict-Transport-Security (https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security): maximum age in seconds for which clients should remember to only make secure connections. Defaults to two Earth years.

nginx_hsts_age: '{{ 2 * 365 * 24 * 60 * 60 }}'
nginx_hsts_subdomains

Should HSTS also include subdomains? Note that all subdomains have to support HTTPS if you use this!

nginx_hsts_subdomains: True
nginx_hsts_preload

Should the preload parameter be added to the HSTS header? Refer to the HSTS Preload List Submission page to make use of this feature. It is disabled by default because setting this to True alone does nothing; it is just one requirement to get included in the preloading list. Please feel encouraged to get to know HSTS preloading and enable it when you are ready!

nginx_hsts_preload: False
nginx_enable_http2

Enable HTTP/2 (formerly HTTP QUICK) on nginx. HTTP/2 enables a server to pre-emptively push resources to a remote client, anticipating that the client may soon request those resources, hence reducing the number of RTTs (Round Trip Times). Available with nginx version >= 1.9.5.

nginx_enable_http2: True
nginx__http_csp_append

CSP directives to append to all policies. This can be used to set the report-uri globally. The string MUST end with a semicolon but MUST NOT begin with one. Refer to HTTP security headers for details.

nginx__http_csp_append: ''
nginx_default_name

Specify HTTP server name which will be marked as default_server.

nginx_default_name: ''
nginx_default_ssl_name

Specify HTTPS server name which will be marked as default_server.

nginx_default_ssl_name: ''
nginx_default_type

Default server template used if no type is selected.

nginx_default_type: 'default'
nginx_webroot_create

Create global webroot directories? Path: /srv/www/sites/*/public.

nginx_webroot_create: True
nginx_webroot_owner

The name of the UNIX account which will be the default owner of the webroot directories created by the role, if not specified otherwise.

nginx_webroot_owner: 'root'
nginx_webroot_group

The name of the UNIX group which will be the default group of the webroot directories created by the role, if not specified otherwise.

nginx_webroot_group: 'root'
nginx_webroot_mode

The default mode of the webroot directories created by the role.

nginx_webroot_mode: '0755'
nginx_welcome_template

Name of the Jinja2 template used as a welcome page.

nginx_welcome_template: 'srv/www/sites/welcome/public/index.html.j2'
nginx_welcome_domain

The domain used on the default welcome page.

nginx_welcome_domain: '{{ ansible_domain }}'
nginx_acme

Enable or disable support for Automated Certificate Management Environment (ACME) on all servers. This can be overridden per server using item.acme variable.

nginx_acme: True
nginx_acme_root

Global directory where ACME challenges will be served from. It's not created by the role automatically and left to be managed by other Ansible roles.

nginx_acme_root: '{{ nginx_www + "/sites/acme/public" }}'
nginx_acme_server

Enable or disable custom ACME challenge server configuration. It will answer queries on a specified domain, from nginx_acme_root directory. It can be used for other things as well, for example to serve certificates to other hosts.

nginx_acme_server: False
nginx_acme_domain

Specifies the DNS domain to which ACME challenge queries will be redirected if they are not found on the host. The domain must exist in the DNS and a web server needs to be configured to answer the queries. Set to False to disable the redirect.

nginx_acme_domain: 'acme.{{ ansible_domain }}'
nginx__hostname_domains

Specify the domains which will be used as a base domains for automatic short name generation. It will not be used if it's defined on the server level. First domain from the list that matches, wins.

nginx__hostname_domains: [ '{{ ansible_domain }}' ]
nginx_status

List of IP addresses or CIDR ranges allowed to access the status page.

nginx_status: []
nginx_status_localhost

By default, allow access to the status page from the webserver itself.

nginx_status_localhost: '{{ ["127.0.0.1/32", "::1/128"] + ansible_all_ipv4_addresses | d([]) +
                            (ansible_all_ipv6_addresses | d([])
                             | difference(ansible_all_ipv6_addresses | d([])
                             | ansible.utils.ipaddr("link-local"))) }}'
nginx_status_name

Name of the nginx status page location.

nginx_status_name: '/nginx_status'
nginx_local_servers

Hash of symlinks to local server definitions stored in /etc/nginx/sites-local/. Entries with empty values or False will be removed. Symlinks will be created in /etc/nginx/sites-enabled/.

nginx_local_servers: {}
  #'symlink': 'file'
  #'other-symlink.conf': 'sub/directory/file.conf'
  #'removed-file': False
  #'also-removed':
  #'symlink\ with\ spaces.conf': 'other-file.conf'
nginx_default_satisfy

Default "satisfy" mode used if not specified; choices: any, all.

nginx_default_satisfy: 'any'
nginx_default_auth_basic_realm

Default HTTP Basic Auth "realm" presented to the user.

nginx_default_auth_basic_realm: 'Access to this website is restricted'
nginx_htpasswd_secret_path

Path on the Ansible Controller used to look up htpasswd passwords (see the debops.secret role). You can change this to, for example, share a set of passwords between different hosts in case you use nginx in an HA setup.

nginx_htpasswd_secret_path: '{{ secret + "/credentials/" + inventory_hostname + "/nginx/htpasswd" }}'
nginx__htpasswd_crypt_scheme

The encryption scheme used by the htpasswd Ansible module to generate password hashes. You should use schemes supported by passlib library.

nginx__htpasswd_crypt_scheme: 'sha512_crypt'
nginx__htpasswd_password_length

Default length of the automatically generated passwords.

nginx__htpasswd_password_length: 32
nginx__htpasswd_password_characters

Set of characters allowed in passwords autogenerated by the role.

nginx__htpasswd_password_characters: 'ascii_letters,digits,.-_~&()*='
nginx__htpasswd

List of htpasswd files with user accounts managed by debops.nginx. Example entries are included below.

nginx__htpasswd: []

  # Create specified user accounts
  #- name: 'server_domain'
  #  users: [ 'username1', 'username2@domain' ]

  # Delete specified user accounts
  #- name: 'server_domain'
  #  users: [ 'username1', 'username2@domain' ]
  #  delete: True

  # Delete htpasswd file
  #- name: 'server_domain'
  #  users: []
  #  state: 'absent'
nginx__default_htpasswd

List of the default htpasswd file configuration created by the role.

nginx__default_htpasswd:
  - '{{ nginx__http_auth_htpasswd }}'
nginx__dependent_htpasswd

List of htpasswd file configurations defined by other roles via role dependent variables.

nginx__dependent_htpasswd: []

Nginx server access policy

Using the dicts below you can define a named "access policy" consisting of a list of allowed hosts/CIDR networks and/or a name of a htpasswd file in '/etc/nginx/private/' with a list of user accounts to allow access. You can also define if any or all restrictions need to be met to gain access to a website. In website configuration dict, you can define an 'item.access_policy' key with a name of a particular policy. The nginx role will then use this information to generate a proper config file with given restrictions in place.

nginx_access_policy_allow_map

List of IP addresses or CIDR networks which can access a particular site.

nginx_access_policy_allow_map: {}

  #'my_policy': [ '192.0.2.0/24', '2002:db8::/64' ]
nginx_access_policy_auth_basic_map

Name of an HTTP Basic Auth htpasswd file in the '/etc/nginx/private/' directory.

nginx_access_policy_auth_basic_map: {}

  #'my_policy': 'htpasswd_file'
nginx_access_policy_satisfy_map

Should all or any restrictions be met to gain access?

nginx_access_policy_satisfy_map: {}

  #'my_policy': 'any' or 'all'
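A complete policy wired together across the three maps, as an added inventory example that is not part of the role's own defaults: the policy name 'intranet_admin', the htpasswd file name 'intranet-admins', the user names and the server name are all constructed sample values.

```yaml
# Ansible inventory variables for a host running the debops.nginx role.
# Hypothetical policy 'intranet_admin': requests must come from one of the
# listed networks AND present valid HTTP Basic Auth credentials.
nginx_access_policy_allow_map:
  'intranet_admin': [ '192.0.2.0/24', '2001:db8::/64' ]

# Name of the htpasswd file in /etc/nginx/private/ holding the accounts
nginx_access_policy_auth_basic_map:
  'intranet_admin': 'intranet-admins'

# 'all' requires both restrictions to be met; 'any' (the value of
# nginx_default_satisfy) would let a matching network OR a login through.
nginx_access_policy_satisfy_map:
  'intranet_admin': 'all'

# The htpasswd file the policy refers to; passwords are generated by the
# role and stored under nginx_htpasswd_secret_path on the controller.
nginx__htpasswd:
  - name: 'intranet-admins'
    users: [ 'alice', 'bob' ]

# A server definition that opts into the policy via 'item.access_policy'
nginx__servers:
  - name: [ 'admin.example.org' ]
    access_policy: 'intranet_admin'
```

Changing the satisfy entry to 'any' is the weaker variant: a source address inside '192.0.2.0/24' would then reach the site without authenticating at all.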
nginx__maps

List of nginx map definitions. Each map should be defined in its own hash variable, similar to upstreams and servers. See https://nginx.org/en/docs/http/ngx_http_map_module.html

nginx__maps: []
nginx__default_maps

List of default nginx map definitions.

nginx__default_maps:

  # Extract the subdomain from the '*.local' domain managed by Avahi and expose
  # it as a variable which can be used to redirect the HTTP clients to websites
  - name: 'host_without_local'
    map: '$host $host_without_local'
    mapping: '~*^(?<subdomain>[a-zA-Z0-9\-\_\.]+)\.local$ $subdomain;'

  # Support WebSocket connection upgrade as a proxy
  # Documentation: https://nginx.org/en/docs/http/websocket.html
  - name: 'connection_upgrade'
    map: '$http_upgrade $connection_upgrade'
    mapping: |
      ''      Close;
    default: 'Upgrade'
nginx__dependent_maps

List of nginx maps defined in other Ansible roles.

nginx__dependent_maps: []
nginx__upstreams

List of nginx upstream definitions.

nginx__upstreams: []
nginx__default_upstreams

List of default nginx upstream definitions.

nginx__default_upstreams:
  - '{{ nginx_upstream_php5_www_data }}'
nginx__dependent_upstreams

List of nginx upstreams defined in other Ansible roles.

nginx__dependent_upstreams: []
nginx_upstream_php5_www_data

Legacy upstream for the default php5-fpm configuration.

nginx_upstream_php5_www_data:
  state: 'absent'
  name: 'php5_www-data'
  type: 'php5'
  php5: 'www-data'

Nginx servers

nginx__servers

List of nginx server definitions.

Refer to the documentation of all options for more details.

nginx__servers: []
nginx__default_servers

List of default nginx servers defined by the role.

nginx__default_servers:
  - '{{ nginx_server_welcome }}'
nginx__internal_servers

List of internal nginx servers.

nginx__internal_servers:
  - '{{ nginx_server_localhost }}'
  - '{{ nginx_server_acme }}'
nginx__dependent_servers

List of nginx servers defined in Ansible roles.

nginx__dependent_servers: []
nginx_server_welcome

Default nginx site. A list and description of the available parameters can be found in the nginx server templates, templates/etc/nginx/sites-available/*.conf.j2.

nginx_server_welcome:
  enabled: True
  name: [ 'welcome' ]
  welcome: True
  welcome_domain: '{{ nginx_welcome_domain }}'
  csp: "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self';"
  csp_enabled: True
nginx_server_localhost

Default nginx localhost server. It can be used to access nginx status page by other services.

nginx_server_localhost:
  enabled: True
  name: [ 'localhost', '127.0.0.1', '[::1]' ]
  acme: False
  ssl: False
  welcome: True
  welcome_css: False
nginx_server_acme

Custom server for ACME challenge queries.

nginx_server_acme:
  enabled: '{{ nginx_acme_server | bool }}'
  delete: '{{ not nginx_acme_server | bool }}'
  name: [ '{{ nginx_acme_domain }}' ]
  filename: 'acme-challenge'
  root: '{{ nginx_acme_root }}'
nginx_default_try_files

Checks for the existence of files in order, and returns the first file that is found for location /. https://wiki.nginx.org/NginxHttpCoreModule#try_files

nginx_default_try_files:
  - '$uri'
  - '$uri/'
  - '$uri.html'
  - '$uri.htm'
  - '$uri/index.html'
nginx__log_format

Custom log_format definitions placed in /etc/nginx/conf.d/.

nginx__log_format: []

  #- name: 'main'
  #  log_format: '$remote_addr - $remote_user [$time_local] "$request_method $scheme://$host$request_uri $server_protocol" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'
nginx__dependent_log_format

log_format definitions placed in /etc/nginx/conf.d/ by other roles via role dependent variables.

nginx__dependent_log_format: []
nginx__custom_config

Custom nginx configuration in /etc/nginx/conf.d/

nginx__custom_config: []

  #- name: 'other_config'
  #  custom: |
  #    text block {
  #    }
nginx__http_xss_protection

Default value for xss_protection.

nginx__http_xss_protection: '1; mode=block'
nginx__http_referrer_policy

Default value for http_referrer_policy.

nginx__http_referrer_policy: 'same-origin'
nginx__http_permitted_cross_domain_policies

Default value for permitted_cross_domain_policies.

nginx__http_permitted_cross_domain_policies: '{{ omit }}'
nginx__http_robots_tag

Default value for robots_tag.

nginx__http_robots_tag: '{{ omit }}'
nginx_apt_preferences_dependent_list

Configuration of custom APT preferences.

nginx_apt_preferences_dependent_list: '{{ nginx__apt_preferences__dependent_list }}'
nginx__apt_preferences__dependent_list

Configuration for the debops.apt_preferences Ansible role.

nginx__apt_preferences__dependent_list:

  - package: 'nginx nginx-*'
    pin: 'release o=Phusion'
    reason: 'Support for Phusion Passenger'
    priority: '600'
    suffix: '_passenger'
    by_role: 'debops.nginx'
    state: '{{ ((nginx__deploy_state in ["present"]) and (nginx_flavor in ["passenger"])) | ternary("present", "absent") }}'
nginx_php5_status

Name of the php5 fpm status page location

nginx_php5_status: False
nginx_php5_status_name

Name of the PHP5 status page used in the URL.

nginx_php5_status_name: 'php5_status'
nginx_php5_ping_name

Name of the PHP5 ping page used in the URL.

nginx_php5_ping_name: 'php5_ping'
nginx_privileged_group

What system group has privileged access to nginx service.

nginx_privileged_group: 'webadmins'
nginx_ssl_ciphers

Hash of SSL cipher sets available for use in nginx server definitions. You can select a set of ciphers using the 'ssl_ciphers' variable. The default set of ciphers is set in the nginx_default_ssl_ciphers variable.

nginx_ssl_ciphers:

  # https://bettercrypto.org/
  # https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/theory/cipher_suites/recommended.tex
  # This will come at a certain cost of excluding many clients!
  # If you want even higher security than the default values of this role then
  # consider using a preset for this role maintained by ypid:
  # https://github.com/ypid/ypid-ansible-inventory
  bettercrypto_org__set_a: 'EDH+aRSA+AES256:EECDH+aRSA+AES256:!SSLv3'

  # https://bettercrypto.org/
  # https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/configuration/Webservers/nginx/default-ec
  bettercrypto_org__set_b: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'

  # https://bettercrypto.org/
  # https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/configuration/Webservers/nginx/default-ec
  # But only cipher suites which support PFS. Only drops support for Android 2.3.7 which is negligible.
  bettercrypto_org__set_b_pfs: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH'

  # https://cipherli.st/
  cipherli_st: 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'

  # Perfect Forward Secrecy (https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy)
  # String taken on 2014-04-11
  pfs: 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4'

  # Perfect Forward Secrecy + RC4
  # String taken on 2014-04-11
  pfs_rc4: 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS'

  # Hardened SSL cipher list (https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/)
  # String taken on 2014-04-11
  hardened: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'

  # TLS recommendations from Mozilla Foundation (https://wiki.mozilla.org/Security/Server_Side_TLS)
  # String taken on 2014-04-11
  mozilla: 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK'

  # Modern TLS recommendation from Mozilla (https://ssl-config.mozilla.org/)
  # Actually they do not specify a ciphersuite, because "modern" means TLSv1.3 only,
  # which has its own ciphers, while TLSv1.2 and lower ciphers are not used.
  # Therefore, we just repeat mozilla_intermediate here, to avoid a security hole
  # that would be created with nginx default ciphersuite and accidental
  # activation of TLSv1.2 or lower.
  # String taken on 2020-07-27
  mozilla_modern: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'

  # Intermediate TLS recommendation from Mozilla (https://ssl-config.mozilla.org/)
  # String taken on 2020-07-27
  mozilla_intermediate: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'

  # Old TLS recommendation from Mozilla (https://ssl-config.mozilla.org/)
  # String taken on 2020-07-27
  mozilla_old: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'

  # FIPS 140-2 compliant (https://en.wikipedia.org/wiki/FIPS_140-2)
  # https://community.qualys.com/thread/12182
  fips: 'FIPS@STRENGTH:!aNULL:!eNULL'

  # 'good' cipher suite from NCSC-NL TLS Guidelines v2.0
  # https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
  ncsc_nl: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256'

  # This cipher set disables the 'ssl_ciphers' option in 'nginx' and the
  # default set of SSL ciphers for a given platform will be used.
  # This is recommended when TLSv1.3 is the only protocol in use.
  default: ''
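Several of the cipher strings above were captured years apart and name suites (RC4, 3DES, static RSA key exchange) that a current OpenSSL may or may not still resolve. As an added example, not part of the role, the script below asks the local OpenSSL build (via Python's ssl module) what each string actually expands to and flags legacy and non-forward-secret suites; the three strings are copied from the hash above, the LEGACY_MARKERS list is this example's own choice, and the exact suite names returned depend on the OpenSSL version and security level on the machine running it.

```python
import ssl
from typing import Dict, List

# Three of the cipher strings from the nginx_ssl_ciphers hash above.
CIPHER_SETS: Dict[str, str] = {
    "mozilla_intermediate": (
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
        "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
    ),
    "hardened": (
        "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
        "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
    ),
    "pfs_rc4": (
        "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
        "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:"
        "EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:"
        "!EXP:!PSK:!SRP:!DSS"
    ),
}

# Name fragments (chosen for this example) that identify suites a server
# should no longer negotiate: stream ciphers, 64-bit blocks, weak MACs,
# NULL encryption/authentication and export grades.
LEGACY_MARKERS = ("RC4", "3DES", "DES-CBC3", "MD5", "NULL", "EXP")


def expand_cipher_string(cipher_string: str) -> List[str]:
    """Expand an OpenSSL cipher string into the TLS 1.2-and-below suite
    names the local OpenSSL build selects for it. TLS 1.3 suites are left
    out because 'ssl_ciphers' does not govern them. Returns [] when the
    string selects nothing (unknown keywords, or only suites the build
    no longer ships)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_set(cipher_string: str) -> dict:
    """Classify the suites a cipher string selects: legacy names, and
    suites without forward secrecy (anything not using an ephemeral
    (EC)DHE key exchange)."""
    names = expand_cipher_string(cipher_string)
    legacy = [n for n in names if any(m in n for m in LEGACY_MARKERS)]
    non_pfs = [n for n in names if not n.startswith(("ECDHE-", "DHE-"))]
    return {
        "selectable": bool(names),
        "suites": len(names),
        "legacy": legacy,
        "non_pfs": non_pfs,
    }


if __name__ == "__main__":
    for name, cipher_string in CIPHER_SETS.items():
        print(name, audit_cipher_set(cipher_string))
```

A set that reports selectable False is exactly the failure case the 'default' entry guards against: nginx would refuse to start rather than fall back silently, so the check is worth running on the target OpenSSL before rolling out a custom set.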

Firewall Configuration

nginx_allow

List of IP addresses or CIDR networks allowed to connect to HTTP or HTTPS service. It will be configured in iptables firewall via the debops.ferm role. If there are no entries, nginx will accept connections from any IP address or network. If you have multiple web services on a host, you might want to control access using 'item.location_allow' option instead.

nginx_allow: []
nginx_group_allow

List of the CIDR subnets or IP addresses which are allowed to connect to the HTTP or HTTPS service, configured on hosts in a specific Ansible inventory group.

nginx_group_allow: []
nginx_host_allow

List of the CIDR subnets or IP addresses which are allowed to connect to the HTTP or HTTPS service, configured on specific hosts in the Ansible inventory.

nginx_host_allow: []
nginx_ferm_dependent_rules

Configuration of the iptables firewall using ferm.

nginx_ferm_dependent_rules: '{{ nginx__ferm__dependent_rules }}'
nginx__ferm__dependent_rules

Configuration for the debops.ferm Ansible role.

nginx__ferm__dependent_rules:

  - type: 'accept'
    dport: [ 'http', 'https' ]
    saddr: '{{ nginx_allow + nginx_group_allow + nginx_host_allow }}'
    accept_any: True
    weight: '40'
    by_role: 'nginx'
    name: 'http_https'
    multiport: True
    delete: '{{ nginx__deploy_state != "present" }}'

Configuration for other Ansible roles

nginx__keyring__dependent_apt_keys

Configuration for the debops.keyring Ansible role.

nginx__keyring__dependent_apt_keys:

  - id: '{{ nginx__flavor_apt_key_id }}'
    repo: '{{ nginx__flavor_apt_repository }}'
    state: '{{ "present"
               if (nginx_flavor in ["nginx.org", "passenger"] and
                   nginx__deploy_state == "present")
               else "absent" }}'
nginx__python__dependent_packages3

Configuration for the debops.python Ansible role.

nginx__python__dependent_packages3:

  - 'python3-passlib'
nginx__python__dependent_packages2

Configuration for the debops.python Ansible role.

nginx__python__dependent_packages2:

  - 'python-passlib'