# Copyright (c) 2015 Intel Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
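---
# Play: install NGINX on the "nginx" host group and configure it as the TLS
# edge in front of the Cloud Foundry API (`api` upstream) and the Docker
# registry (`docker_registry` upstream). The upstream addresses are derived
# from the private-subnet CIDRs looked up in pre_tasks.
- name: Install and configure NGINX
  hosts: nginx
  vars:
    # Basic-auth user file, relative to the nginx prefix (/etc/nginx); the
    # htpasswd task below writes to that same location.
    auth_basic_user_file: conf/htpasswd
    docker_registry_user: admin
    # Wildcard certificate covering every virtual host served by this play
    # (consumed by the jdauphant.ssl-certs role).
    ssl_certs_common_name: "*.{{ cf_system_domain }}"

  pre_tasks:
    # AWS: resolve the CIDR of the CF private subnet and of the Docker subnet.
    # Both lookups register the same variable, so each set_fact must directly
    # follow its own lookup.
    - block:
        - ec2_vpc_subnet_facts:
            region: "{{ region | mandatory }}"
            filters:
              subnet-id: "{{ cf_private_subnet_id | mandatory }}"
          register: ec2_vpc_subnet_facts_result
        - set_fact:
            cf_private_cidr: "{{ ec2_vpc_subnet_facts_result.subnets[0].cidr_block }}"
        - ec2_vpc_subnet_facts:
            region: "{{ region | mandatory }}"
            filters:
              subnet-id: "{{ docker_subnet_id | mandatory }}"
          register: ec2_vpc_subnet_facts_result
        - set_fact:
            docker_cidr: "{{ ec2_vpc_subnet_facts_result.subnets[0].cidr_block }}"
      when: provider == 'aws'

    # OpenStack: the same two lookups; os_subnets_facts exposes its result as
    # the `openstack_subnets` fact that the following set_fact reads.
    - block:
        - os_subnets_facts:
            cloud: TAP
            region_name: "{{ region | mandatory }}"
            filters:
              network_id: "{{ cf_private_subnet_id | mandatory }}"
        - set_fact:
            cf_private_cidr: "{{ openstack_subnets[0].cidr }}"
        - os_subnets_facts:
            cloud: TAP
            region_name: "{{ region | mandatory }}"
            filters:
              network_id: "{{ docker_subnet_id | mandatory }}"
        - set_fact:
            docker_cidr: "{{ openstack_subnets[0].cidr }}"
      when: provider == 'openstack'

    # passlib is needed by the htpasswd module to hash the password.
    - apt:
        name: python-passlib
        state: present

    # Create the registry's basic-auth credentials. `no_log` keeps the password
    # argument out of Ansible's task output and log files.
    # NOTE(review): no owner/group/mode is set, so the file presumably gets the
    # module's default permissions; consider restricting it to the nginx
    # worker user — TODO confirm the worker's user/group on this image.
    - htpasswd:
        path: "/etc/nginx/{{ auth_basic_user_file }}"
        name: "{{ docker_registry_user }}"
        password: "{{ docker_registry_password }}"
      no_log: true

  roles:
    - jdauphant.ssl-certs
    - role: jdauphant.nginx
      nginx_official_repo: true
      nginx_official_repo_mainline: true
      # http{}-level directives (each list item is presumably rendered as one
      # directive by the role).
      nginx_http_params:
        - server_names_hash_bucket_size 128
        - sendfile on
        - access_log /var/log/nginx/access.log
        - error_log /var/log/nginx/error.log warn
        # Generous timeouts and body size — presumably sized for registry
        # pushes and long-running CF API requests.
        - proxy_buffering off
        - proxy_buffer_size 8k
        - proxy_connect_timeout 180
        - proxy_send_timeout 180
        - proxy_read_timeout 900
        - keepalive_timeout 900
        - keepalive_requests 9000
        - client_max_body_size 2G
        # NOTE(review): ssl_session_timeout is set but no ssl_session_cache is
        # configured here; without a cache the timeout has little effect.
        - ssl_session_timeout 15m
        - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
        # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). Keep them
        # only while legacy Docker clients still require them, and change the
        # matching list under nginx_stream_params together with this one.
        - ssl_protocols TLSv1 TLSv1.1 TLSv1.2
        - ssl_prefer_server_ciphers on
        - ssl_certificate_key {{ ssl_certs_privkey_path }}
        - ssl_certificate {{ ssl_certs_cert_path }}
      # stream{}-level TLS settings; kept identical to the http{} ones above.
      nginx_stream_params:
        - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
        - ssl_protocols TLSv1 TLSv1.1 TLSv1.2
        - ssl_certificate_key {{ ssl_certs_privkey_path }}
        - ssl_certificate {{ ssl_certs_cert_path }}
      nginx_sites:
        # Catch-all virtual host for the system domain, forwarded to the CF API.
        http-cf:
          - listen 80 default_server
          - listen 443 ssl
          - listen 4443 ssl
          - server_name *.{{ cf_system_domain }}
          - >-
            location / {
              proxy_pass http://api;
            }
        # Docker registry, protected by basic auth.
        # NOTE(review): the same vhost also listens on plain-HTTP port 80, so
        # registry credentials can be sent in clear text; consider redirecting
        # port 80 to HTTPS — TODO confirm no client depends on HTTP.
        http-registry:
          - listen 80
          - listen 443 ssl
          - server_name docker-registry.{{ cf_system_domain }}
          # Reject old Docker engines (1.3 / 1.4 / non-dev 1.5) and the bare Go
          # HTTP client by user agent, presumably because they predate the
          # registry v2 protocol.
          - >-
            if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*\$" ) {
              return 404;
            }
          - >-
            location / {
              proxy_pass http://docker_registry;
            }
          # `satisfy any` with `deny all` means the IP check always fails, so a
          # request is admitted only by a successful basic-auth login.
          - satisfy any
          - deny all
          - auth_basic "closed site"
          - auth_basic_user_file {{ auth_basic_user_file }}
          - add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always
        # CF API reached under its own hostname; the Host header is rewritten
        # to the canonical api.<domain> for the upstream.
        # NOTE(review): nginx inherits proxy_set_header from the http level
        # only when a location defines none, so this location (and the ones in
        # http-cfauth) loses the X-Forwarded-* / Upgrade headers configured in
        # nginx_configs.proxy — TODO confirm that is intended.
        http-cfapi:
          - listen 80
          - listen 443 ssl
          - server_name cf-api.{{ cf_system_domain }}
          - >-
            location / {
              proxy_pass http://api;
              proxy_set_header Host api.{{ cf_system_domain }};
            }
        # CF API under api.<domain>. Selected mutating organization/user
        # requests are forwarded with Host set to auth-proxy.<domain> instead
        # of api.<domain>, so the upstream side can hand them to the auth
        # proxy; everything else keeps the api host.
        http-cfauth:
          - listen 80
          - listen 443 ssl
          - server_name api.{{ cf_system_domain }}
          - set $myhost api.{{ cf_system_domain }}
          - >-
            location / {
              proxy_pass http://api;
              proxy_set_header Host api.{{ cf_system_domain }};
            }
          - >-
            location ~ "/v2/organizations$" {
              if ($request_method = POST) {
                set $myhost auth-proxy.{{ cf_system_domain }};
              }
              proxy_pass http://api;
              proxy_set_header Host $myhost;
            }
          - >-
            location ~ "/v2/organizations/[^/]+$" {
              if ($request_method = DELETE) {
                set $myhost auth-proxy.{{ cf_system_domain }};
              }
              proxy_pass http://api;
              proxy_set_header Host $myhost;
            }
          - >-
            location ~ /v2/organizations/.+?/users {
              if ($request_method = PUT) {
                set $myhost auth-proxy.{{ cf_system_domain }};
              }
              if ($request_method = DELETE) {
                set $myhost auth-proxy.{{ cf_system_domain }};
              }
              proxy_pass http://api;
              proxy_set_header Host $myhost;
            }
          - >-
            location ~ /v2/users/.+?/organizations {
              if ($request_method = PUT) {
                set $myhost auth-proxy.{{ cf_system_domain }};
              }
              if ($request_method = DELETE) {
                set $myhost auth-proxy.{{ cf_system_domain }};
              }
              proxy_set_header Host $myhost;
              proxy_pass http://api;
            }
      nginx_configs:
        # Upstreams are fixed host offsets inside the subnets resolved in
        # pre_tasks (5th host of the CF private subnet, 4th of the Docker one).
        upstream:
          - upstream api { server {{ cf_private_cidr | nthhost(5) }}:80; }
          - upstream docker_registry { server {{ docker_cidr | nthhost(4) }}:5000; }
        # Default proxy headers, including WebSocket upgrade passthrough.
        proxy:
          - proxy_set_header Host $host
          - proxy_set_header X-Forwarded-For $remote_addr
          - proxy_http_version 1.1
          - proxy_set_header Upgrade $http_upgrade
          - proxy_set_header Connection "upgrade"
          - proxy_set_header X-Forwarded-Proto $scheme

  # Outbound proxy settings for the tasks and roles above (empty when unset).
  environment:
    no_proxy: "{{ no_proxy | default() }}"
    http_proxy: "{{ http_proxy | default() }}"
    https_proxy: "{{ https_proxy | default() }}"
    ftp_proxy: "{{ ftp_proxy | default() }}"

  post_tasks:
    # Report completion to the orchestrator's wait condition.
    # NOTE(review): an undefined nginx_wait_condition_handle makes these `when`
    # expressions error rather than skip, so the variable must be defined
    # (possibly empty) on every host — TODO confirm the inventory guarantees it.
    - name: Signal the NGINX wait condition handle for AWS
      command: cfn-signal -s true -r 'NGINX installed and configured.' {{ nginx_wait_condition_handle }}
      when: nginx_wait_condition_handle and provider == 'aws'
    # On OpenStack the handle is presumably a ready-made curl command line that
    # only needs the status payload appended.
    - name: Signal the NGINX wait condition handle for Openstack
      command: "{{ nginx_wait_condition_handle }} --data-binary '{\"status\": \"SUCCESS\"}'"
      when: nginx_wait_condition_handle and provider == 'openstack'
# vi:et:sw=2 ts=2 sts=2 ft=ansible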