BUG FIXES:
- Dictionaries are a sequence per Jinja2 contrary to Python's defaults (dictionaries are not a sequence in Python). The template conditionals assumed the latter.
- NAP DoS monitor directive would fail if some variables were commented out.
- NGINX listen
so_keepalive
parameter was not working as intended when setting specific values. - Make sure all template objects are properly transformed into strings before doing Jinja2 operations.
- Remove unnecessary parentheses.
BUG FIXES:
- Fix issue where your
deployment_location
directory would not be properly created due to an outdated variable. - Remove duplicated brace in
http/auth.j2
.
This is a very big release which fundamentally refactors the whole NGINX configuration templating engine. Almost all of the templates have undergone some breaking changes. Please take extra caution when upgrading your environment to this release and make sure you test any required changes before using the role in any potential production environments.
Efforts have been made to thoroughly test all these changes and make sure they work as intended, but due to the magnitude of the refactoring work, there will be some bugs that have escaped our tests. If you find any, please open an issue or PR through the usual channels.
DEPRECATION WARNINGS:
The nginx_config_main_upload_*
, nginx_config_upload_html_*
, and nginx_config_stream_upload_*
parameters have been deprecated in favor of a newly introduced parameter, nginx_config_upload_*
(previously nginx_config_snippet_upload_*
). The new parameter provides greater flexibility in configuring your upload settings in addition to simplifying the upload Ansible tasks. The deprecated parameters will be removed in the next major release (0.5.0), due December 2021.
BREAKING CHANGES:
General updates:
- Rename upload related variables:
- Rename the
nginx_config_snippet_upload_*
parameters tonginx_config_upload_*
(checkdefaults/main/upload.yml
for an example). - Rename the
nginx_config_html_upload_*
parameters tonginx_config_upload_html_*
. - Rename the
nginx_config_ssl_upload_*
parameters tonginx_config_upload_ssl_*
.
- Rename the
- Tweak the
nginx_config_html_upload
andnginx_config_ssl_upload
parameters to use a list instead of a singlesrc
anddest
value (checkdefaults/main/upload.yml
for an example).
Template engine updates:
-
Refactor all the Jinja2 templates!:
-
Each NGINX module is now contained within its own templating file. Macros are then used, in turn, to import each respective module template into a top level template file.
-
This avoids confusing and unnecessary code duplication, as well as hard to maintain code.
-
You will notice that the overall structure of your NGINX config now follows a very simple dictionary structure where each top level key corresponds to an NGINX module. Top level lists are used when dealing with
servers
andlocations
:core: root: /usr/share/nginx/html proxy: set_header: [] servers: - core: {} proxy: {} locations: - core: {} proxy: {}
-
Check
defaults/main/template.yml
andmolecule/default/converge.yml
for examples!
-
-
Refactor the base config templates to simplify the creation of templates as well as development and maintenance moving forward:
- Modify
servers
,servers.listen
,server.locations
,upstream
andupstream.servers
from nested dictionaries in thehttp
andstream
configuration templates to lists. - Remove/merge the
web_server
andreverse_proxy
nested dictionary keys from the HTTP templates. These often lead to confusing and unnecessary code duplication and hard to maintain code. To update your templates, remove both keys and adjust your spacing accordingly. - Replaced
conf_file_name
andconf_file_location
with a single variable,deployment_location
. - All config related parameters now live under the
config
key in both the core/main and HTTP templates. - Modify the
nginx_config_html_demo_template
variable from a nested dictionary to a list.
- Modify
-
Refactor the
nginx_config_main_template
to now include all the respectivecore
andevents
directives. The following variables have changed:http_enable
no longer exists, neither doeshttp_settings
. You can still usehttp.include
to include files within thehttp
context.stream_enable
no longer exists, neither doesstream_settings
. You can still usestream.include
to include files within thestream
context.
-
Refactor the
upstream
HTTP config template into its own separate file. All theupstream
module directives are now included. The following variables have changed:port
is no longer supported. Instead, include the port as part of youraddress
.lb_method
is no longer supported. Instead, you will have to specifically set the method you want to use.zone_name
andzone_size
have been modified into a dictionary.sticky_cookie
is no longer supported as is. You will now have to configure the respectivesticky_cookie
values.- The
health_check
parameter within theserver
dictionary is no longer supported. Instead, manually setmax_fails
andfail_timeout
.
-
Refactor various individual variables into the
core
HTTP config template. All thecore
module directives are now included. The following variables are now included in thecore
dictionary:alias
,client_max_body_size
,error_log
,error_page
,include
,index
,keepalive_timeout
,listen
,root
,send_file
,server_name
,server_names_hash_bucket_size
,server_names_hash_max_size
,server_tokens
,tcp_nodelay
,tcp_nopush
,try_files
listen.port
is nowlisten.address
, andlisten.opts
no longer exists (there are now individual keys for eachlisten
parameter).
-
Refactor the
ssl
HTTP config template into its own separate file. All thessl
module directives are now included. Almost all variables have changed:- All
ssl
variables still live within anssl
dictionary, but the names have changed to reflect the official NGINX directive names. ssl
configs are now supported within both thehttp
andserver
contexts.
- All
-
Refactor both the
app_protect_waf
andapp_protect_dos
modules into a single file:- The
app_protect
dictionary now has theapp_protect_waf
key. app_protect_global
directives are now found inside theapp_protect_waf
dictionary too.
- The
-
Refactor the
proxy
HTTP config template into its own separate file. All theproxy
module directives are now included. All variables have changed:-
All
proxy_*
related variables now live under theproxy
dictionary key. You can specify theproxy
dictionary key inside thehttp
,server
, andlocation
contexts. -
Removed the
nginx_config_main_template.http_settings.cache
dictionary variable. Usenginx_config_http_template.*.proxy.cache_path
instead. -
Removed the
location.websocket
variable. Uselocation.proxy.set_header
instead:proxy: set_header: - field: Upgrade value: $http_upgrade - field: Connection value: Upgrade
-
-
Combine the
grpc_global
directives with thegrpc
directives. -
Refactor the
auth
HTTP config template into its own separateauth
modules file. All the variousauth
related module directives including allauth_jwt
directives are now available. All variables have changed:- All the various
auth
variables now live within their respectiveauth
dictionaries. auth
configs are now supported within thehttp
,server
, andlocation
contexts.
- All the various
-
Refactor the
autoindex
HTTP config template into its own separate filemodules
file and added missingautoindex
module directives. All variables have changed:- The
autoindex
directives now live within theautoindex
dictionary. - The
autoindex
dictionary now lives in the HTTP template config instead of the Main template config.
- The
-
Refactor the
add_headers
dictionary into aheaders
dictionary that now includes all theheaders
HTTP config directives:- The
add_headers
directive now lives within theheaders
dictionary.
- The
-
Refactor the
keyval
directives into its own template config that now includes all thekeyval
HTTP module directives:- Both
keyval
directives now live within thekeyval
dictionary. - The
keyval
dictionary now lives in the HTTP template config instead of the Main template config.
- Both
-
Refactor
server.health_check_plus
into its own dictionary that now includes all thehealth_check
module directives (checkdefaults/main/template.yml
for examples). -
Refactor the
limit_req
directive into its own dictionary:- The
limit_req
directives now live within thelimit_req
dictionary. - The
limit_req
dictionary now lives in the HTTP template config instead of the Main template config.
- The
-
Refactor the
access_log
andlog_format
directives into alog
dictionary that now includes all thelog
module directives:- An
access
andformat
directive now lives within thelog
dictionary. - The
log
dictionary HTTP context now lives in the HTTP template config instead of the Main template config.
- An
-
Refactor the
return
andrewrite
directives into their own dictionary that now includes all therewrite
HTTP module directives:-
The
rewrites
directive has transitioned from a list of one linersrewrites: - (.*).html(.*) $1$2
to
rewrites: - regex: (.*).html(.*) replacement: $1$2
-
The
return
directive has transitioned from a slightly complex dictionary structure (wherein thelocation
variable didn't necessarily have any effect)returns: return301: location: ^~ /old-path code: 301 value: http://$host/new-path
to a slightly less complicated structure
return: # 200 -- Alternatively you could also include a code here instead of fleshing out the dictionary. code: 200 text: nginx
-
-
Refactor the
sub_filter
directives into their ownsub_filter
dictionary that includes all thesub_filter
HTTP module directives:-
The only major difference is that one liners under the
sub_filters
dictionary key have changed fromsub_filters: - sub_filter 'server_hostname' '$hostname';
to
sub_filters: - string: server_hostname replacement: $hostname
-
Removed the
server.http_demo_conf
dictionary. Useserver.sub_filters
instead:sub_filter: sub_filters: - string: server_hostname replacement: $hostname - string: server_address replacement: $server_addr:$server_port - string: server_url replacement: $request_uri - string: remote_addr replacement: '$remote_addr:$remote_port' - string: server_date replacement: $time_local - string: client_browser replacement: $http_user_agent - string: request_id replacement: $request_id - string: nginx_version replacement: $nginx_version - string: document_root replacement: $document_root - string: proxied_for_ip replacement: $http_x_forwarded_for
-
The
sub_filter
dictionary HTTP context now lives in the HTTP template config instead of the Main template config.
-
-
Rename some NGINX template config parameters to align with NGINX directive names:
- Rename
html_file_location
toroot
. - Rename
html_file_name
toindex
.
- Rename
-
NGINX App Protect 3.2 supports multiple log destinations per scope. Changing the
security_log
variable from a dictionary to a list of objects in order to support this. -
NGINX App Protect 3.5 supports a new timeout directive which allows the user to configure the period of time between reconnect retries of the module to the web application firewall (WAF) engine. Added this as a supported directive.
FEATURES:
-
Replace Ansible community distribution with Ansible base and add the necessary extra collections as a dependency requirement. For reference, these are:
--- collections: - name: community.general version: 3.8.0 - name: ansible.posix version: 1.3.0 - name: community.docker # This collection is only used as part of the Molecule testing suite version: 1.10.0
-
Explicitly list Jinja2
2.11.3
as a requirement, as well as detail the minimum supported version (2.11.x
). -
Implement Release Drafter.
-
Add support for configuring NGINX App Protect DoS (Denial of Service) module and directives.
-
Add support for configuring the NGINX Rest API module and the NGINX stub status module.
ENHANCEMENTS:
- Move the
gzip
HTTP config template into themodules
file. It's a small module and did not warrant being in its own individual file. - Update Ansible Lint to
5.1.3
, Molecule to3.4.0
, yamllint to1.26.3
and Docker Python SDK to5.0.2
. - Consolidate Molecule testing scenarios to address changes introduced in Ansible Lint
5.*
. - Specify GitHub actions Ubuntu release.
- Minor GitHub template tweaks, including the creation of a SECURITY doc.
- Replace Molecule tests using Debian stretch with Debian buster (stretch has reached its EoL), and update list of supported platforms.
- Replace Ansible base with Ansible core. Ansible core will be the "core" Ansible release moving forward from Ansible
2.11
. - Update GitHub actions to add a workflow dispatch option.
- Update GitHub actions
if
conditionals to use thecontains
function instead of checking for exact names. - Remove Debian Buster from the
plus
Molecule scenario since it often fails in the GitHub Actions CI/CD pipeline. - Replace "yes"/"no" boolean values with "true"/"false" to comply with YAML spec
1.2
. - Ensure the default values for the
nginx.conf
template match the default values found on a fresh NGINX installation. - Change Dependabot frequency from daily to weekly.
- Minor touch-up of GitHub actions workflows.
BUG FIXES:
- Add
state
parameter to package module in Molecule verification tests. - In NGINX App Protect environments on SELinux enforced systems, the
nginx -t
handler fails when run from a directory that the NGINX process' user does not have access to. - Fix missing GRPC boolean check in GRPC template.
- Fix
nginx_config_cleanup_paths
not working as intended. - Fix issue with the
app_protect.j2
template that was causing the default values fornginx.conf
to fail.
FEATURES:
- Add support for configuration snippets (use the
nginx_config_snippet_upload_*
parameters to configure it). - Add support for Dependabot.
ENHANCEMENTS:
- Add support for NGINX GRPC directives.
- Add support for NGINX GZIP directives.
- Add support for upstream server
backup
parameter in http and stream template. - Only run GitHub actions Galaxy CI/CD workflow when a new release is published.
- Update list of supported platforms.
- Update Ansible base to
2.10.5
and Ansible to2.10.6
.
BUG FIXES:
- Address inconsistent types within Jinja templates.
- Add Jinja2 checks to all config template parameters to ensure that they are only included when appropriately defined.
- Fix edge case where
proxy_pass
is still required when usinggrpc_pass
.
ENHANCEMENTS:
- The GitHub actions Molecule CI/CD workflow is no longer run on a new release (this is not necessary since it already runs on every push).
- The GitHub actions Molecule CI/CD workflow should now correctly avoid running 'Plus' related tests on external PRs.
- The
cleanup-config.yml
playbook has been slightly refactored and simplified. - Update Ansible base to
2.10.4
, Ansible to2.10.5
, Molecule to3.2.2
and Docker Python SDK to4.4.1
. - Update copyright notice.
ENHANCEMENTS:
- Update Molecule to
3.2.1
and Docker Python SDK to4.4.0
. - Replace TravisCI with GitHub actions.
BUG FIXES:
- Switch to explicit boolean values in
sub_filter
defaults forlast_modified
andsince
innginx_config_main_template
."on"
and"off"
values are treated as true instead of true/false when surrounded by double quotes. By always resorting to true/false we avoid unaccounted edge cases. - Fix issue whereas SELinux state would not be correctly set back to
enforcing
whennginx_config_selinux: true
.
BREAKING CHANGES:
- The default port of the status and REST API config is now
8080
and matches the CI Molecule test which already uses it. You can setnginx_config_status_port
to another value if desired. - The allow/deny directives for
nginx_config_status
andnginx_config_rest_api
now take a list instead of a single value. - The default
nginx_config_*_log
values have changed tonginx_config_*_access_log
and no longer have a default value ofoff
. Set the respective variables tofalse
to preserve the previous behaviour.
ENHANCEMENTS:
- Add survey to README.
- Improve README structure and use tables where relevant.
- Update Ansible (now Ansible base) to
2.10.3
, Ansible (now Ansible Community Distribution) to2.10.3
, Ansible Lint to4.3.7
, Molecule to3.1.5
, and yamllint to1.25.0
. - Improve templating of stub status and REST API config.
BUG FIXES:
- Prevent TravisCI from trying to build (and failing) NGINX Plus images on external PRs.
- Fix naming for SELinux facts dictionary.
- Correctly import
app_protect
global directives in template. - Role now runs correctly when using Ansible's check mode.
- Fix issue with access log in stub status and REST API config template not being properly parsed.
BREAKING CHANGES:
The process to configure modules has changed. Instead of manually setting the modules you want to install to true
or false
, you will now have to use either:
- A newly introduced top level list variable,
nginx_config_modules
. - A newly introduced list variable within your main NGINX config template,
nginx_config_main_template.modules
.
Make sure you only use one variable or the other, since they will overwrite each other. This change will simplify adding future supported modules to this role, and allows you to include any external modules you may wish in your NGINX config.
FEATURES:
- Support for all NGINX App Protect directives has been added. You can find details on the supported directives on
defaults/main/template.yml
. This is the first module to be included using J2 macros. Expect to slowly see a refactor of various modules to use macros where possible. - Add Alpine
3.12
to the list of supported platforms. - Remove Alpine
3.8
from the list of supported platforms . - Add NGINX Plus tests to TravisCI
ENHANCEMENTS:
- Added handlers to check for NGINX syntax validity and fail if any errors are detected.
- Switch to using
ansible_facts
wherever possible. - Improved tasks naming conventions.
- Update Ansible to
2.9.13
and Ansible Lint to4.3.5
. - Explicitly defined
mode
in relevant tasks. - Improve configuration templating capabilities:
- Allow setting
access_log
/access_log_location
tooff
. - Add IP restriction for web servers
- Allow setting
BUG FIXES:
An empty nginx_config_cleanup_files
will no longer cause nginx_config_cleanup
related tasks to fail.
Initial release of the NGINX Config role. Contains all NGINX Config related features previously available on the NGINX Ansible role.