Repository: ANXS/nginx Branch: master Commit: b469b10482ef Files: 53 Total size: 55.5 KB Directory structure: gitextract_5nkzvnhi/ ├── .gitignore ├── .travis.yml ├── LICENSE ├── README.md ├── Vagrantfile ├── defaults/ │ └── main.yml ├── files/ │ ├── index.html │ ├── mime.types │ └── naxsi_core.rules ├── handlers/ │ └── main.yml ├── meta/ │ └── main.yml ├── tasks/ │ ├── configure.yml │ ├── default_site.yml │ ├── directories.yml │ ├── main.yml │ ├── modules/ │ │ ├── _authorized_ips.yml │ │ ├── google_perftools_module.yml │ │ ├── headers_more_module.yml │ │ ├── http_auth_request_module.yml │ │ ├── http_echo_module.yml │ │ ├── http_geoip_module.yml │ │ ├── http_gzip_static_module.yml │ │ ├── http_perl_module.yml │ │ ├── http_realip_module.yml │ │ ├── http_spdy_module.yml │ │ ├── http_ssl_module.yml │ │ ├── http_stub_status_module.yml │ │ ├── ipv6_module.yml │ │ ├── naxsi_module.yml │ │ ├── ngx_pagespeed.yml │ │ └── upload_progress_module.yml │ ├── modules.yml │ ├── monit.yml │ ├── package.yml │ ├── scripts.yml │ ├── sites.yml │ ├── source.yml │ └── user.yml ├── templates/ │ ├── .nginx_compilation_flags.j2 │ ├── default.site.j2 │ ├── etc_monit_conf.d_nginx.j2 │ ├── modules/ │ │ ├── authorized_ips.j2 │ │ ├── http_gzip_static.conf.j2 │ │ ├── http_realip.conf.j2 │ │ ├── nginx_status.j2 │ │ └── upload_progress.j2 │ ├── nginx.conf.j2 │ ├── nginx.init.j2 │ ├── nxdissite.j2 │ ├── nxensite.j2 │ └── site.j2 ├── test.yml └── vagrant-inventory ================================================ FILE CONTENTS ================================================ ================================================ FILE: .gitignore ================================================ *.sw[op] .DS_Store .AppleDouble .LSOverride Icon ._* .Spotlight-V100 .Trashes .vagrant test ================================================ FILE: .travis.yml ================================================ --- language: python python: "2.7" env: - INSTALL_METHOD=source ANSIBLE_VERSION=1.9.0.1 - INSTALL_METHOD=source 
ANSIBLE_VERSION=2.0.0.2 - INSTALL_METHOD=package ANSIBLE_VERSION=1.9.0.1 - INSTALL_METHOD=package ANSIBLE_VERSION=2.0.0.2 before_install: - sudo apt-get update -qq - sudo apt-get install -qq python-apt python-pycurl install: - pip install ansible==$ANSIBLE_VERSION script: - echo localhost > inventory - ansible-playbook -i inventory test.yml --syntax-check - ansible-playbook -i inventory test.yml --connection=local --sudo -e "nginx_install_method=$INSTALL_METHOD" - > ansible-playbook -i inventory test.yml --connection=local --sudo -e "nginx_install_method=$INSTALL_METHOD" | grep -q 'changed=0.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && exit 1) after_failure: - cat /etc/nginx/nginx.conf ================================================ FILE: LICENSE ================================================ The MIT License Copyright (c) 2014 Pieterjan Vandaele Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
================================================ FILE: README.md ================================================ ## ANXS - nginx [![Build Status](https://travis-ci.org/ANXS/nginx.svg?branch=master)](https://travis-ci.org/ANXS/nginx) Ansible role which installs and configures Nginx, from a package or from source (including a series of optional modules). #### Requirements & Dependencies ##### Ansible It has been tested on Ansible 1.5 and above, and depends on the following roles: - ANXS.apt - ANXS.build-essential - ANXS.perl - ANXS.monit (if you want monit protection) ##### Platforms Currently it has been developed for, and tested on, Ubuntu. It is assumed to work on other Debian distributions as well. #### Variables ##### default (nginx.conf) - `nginx_install_method` - "source" or "package" - `nginx_user` - user Nginx will run as - `nginx_uid` - the uid for this user - `nginx_group` - Nginx group - `nginx_gid` - the gid for this group - `nginx_dir` - location of the Nginx configuration (conf, sites-available, sites-enabled, ...) - `nginx_www_dir` - location of the www root for Nginx sites - `nginx_log_dir` - location of the Nginx logs - `nginx_pid` - location of the Nginx PID file - `nginx_worker_processes` - sets the number of worker processes - `nginx_daemon_disable` - whether the daemon should be disabled, which can be set to yes or no - `nginx_worker_rlimit_nofile` - used for config value of `worker_rlimit_nofile`. Can replace any "ulimit -n" command. The value depends on your usage (cache or not) but must always be greater than worker_connections. Set to `null` to ignore - `nginx_error_log_options` - option flags for the error_log - `nginx_error_log_filename` - filename for the error log - `nginx_worker_connections` - sets the number of worker connections - `nginx_multi_accept` - used for config value of events { multi_accept }. Try to accept() as many connections as possible. 
Can be set to yes or no - `nginx_charset` - used to specify an explicit default charset (say, 'utf-8', 'off'…) - `nginx_disable_access_log` - whether or not to disable the access log, yes or no - `nginx_access_log_options` - option flags for the access_log - `nginx_server_tokens` - whether to send the Nginx version number in error pages and Server header, on or off - `nginx_event` - used for config value of events { use }. Set the event-model. By default nginx looks for the most suitable method for your OS. - `nginx_sendfile` - directive to activate or deactivate the usage of sendfile(), on or off - `nginx_keepalive` - option whether to use the timeout options (below). Only the value "on" will include them - `nginx_keepalive_timeout` - assigns the timeout for keep-alive connections with the client - `nginx_client_body_timeout` - sets the read timeout for the request body from client - `nginx_client_header_timeout` - specifies how long to wait for the client to send a request header - `nginx_send_timeout` - specifies the response timeout to the client; it does not apply to the entire transfer but, rather, only between two subsequent client-read operations - `nginx_buffers` - option whether to use the buffer options (below). Only the value "on" will include them - `client_body_buffer_size` - specifies the client request body buffer size - `client_header_buffer_size` - sets the headerbuffer size for the request header from client - `client_max_body_size` - specifies the maximum accepted body size of a client request, as indicated by the request header Content-Length. Set to 0 to disable - `large_client_header_buffers` - assigns the maximum number and size of buffers for large headers to read from client request - `nginx_server_names_hash_bucket_size` - assigns the size of basket in the hash-tables of the names of servers. 
This value by default depends on the size of the line of processor cache - `nginx_types_hash_max_size` - - `nginx_types_hash_bucket_size` - - `nginx_proxy_read_timeout` - defines a timeout (between two successive read operations) for reading a response from the proxied server. - `nginx_enable_rate_limiting` - enable rate limiting, yes or no - `nginx_rate_limiting_zone_name` - sets the shared memory zone - `nginx_rate_limiting_backoff` - sets the maximum burst size of requests - `nginx_rate_limit` - sets the rate (e.g. 1r/s) - `nginx_access_logs` - a list of access log formats, filenames and options nginx_access_logs: - name: "main" format: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"' options: null filename: "access.log" #This will generate access_log /var/log/nginx/access.log combined nginx_access_logs: - name: "combined" filename: "access.log" - `nginx_default_root` - the directory to place the default site - `nginx_default_enable` - whether or not to actually enable the default site ##### source - `nginx_source_version` - the version of Nginx to install - `nginx_source_url` - URL for the Nginx source (versioned). By default it is derived from `nginx_source_version` and points at a plain-HTTP nginx.org URL; override it with an HTTPS URL if you want transport integrity for the download - `nginx_source_prefix` - prefix for installing nginx from source (versioned) - `nginx_source_conf_path` - location of the main config file (in `nginx_dir` by default) - `nginx_source_default_configure_flags` - the default configure flags (before adding the modules). By default, this sets --prefix, --conf-path and --sbin-path - `nginx_source_modules_included` - see below - `nginx_source_modules_excluded` - a list of configure flags to exclude modules. Example: ["mail_pop3_module", "mail_imap_module", "mail_smtp_module"] `nginx_source_modules_included` is a dictionary (k,v) where k is the module name, and v its accompanying configure flag. 
All the possible options are given below: ```yaml nginx_source_modules_included: http_stub_status_module: "--with-http_stub_status_module" http_ssl_module: "--with-http_ssl_module" http_gzip_static_module: "--with-http_gzip_static_module" upload_progress_module: "--add-module=/tmp/nginx-upload-progress-module-{{nginx_upload_progress_version}}" headers_more_module: "--add-module=/tmp/headers-more-nginx-module-{{nginx_headers_more_version}}" http_auth_request_module: "--add-module=/tmp/ngx_http_auth_request_module-{{nginx_auth_request_release}}" http_echo_module: "--add-module=/tmp/echo-nginx-module-{{nginx_echo_version}}" google_perftools_module: "--with-google_perftools_module" ipv6_module: "--with-ipv6" http_real_ip_module: "--with-http_realip_module" http_spdy_module: "--with-http_spdy_module" http_perl_module: "--with-http_perl_module" naxsi_module: "--add-module=/tmp/naxsi-{{nginx_naxsi_version}}/naxsi_src" ngx_pagespeed: "--add-module=/tmp/ngx_pagespeed-release-{{nginx_ngx_pagespeed_version}}-beta" http_geoip_module: "--with-http_geoip_module" ``` ##### Sites There is a possibility to configure a list of servers to be available (not yet enabled) as well. Just provide a list of dictionaries according to the following format: ```yaml nginx_sites: - server: name: foo listen: 8080 server_name: localhost location1: name: "/" try_files: "$uri $uri/ /index.html" sendfile: "on" - server: name: bar listen: 8888 server_name: webmail.localhost location1: name: / try_files: "$uri $uri/ /index.html" location2: name: /images/ try_files: "$uri $uri/ /index.html" ``` To enable or disable specific sites you can add prior used `server_name` attribute to the variables `nginx_enabled_sites` and `nginx_disabled_sites`. ```yaml nginx_enabled_sites: - localhost ``` ```yaml nginx_disabled_sites: - webmail.localhost ``` ##### Monit ? 
You can put Nginx under monit monitoring protection, by setting `monit_protection: yes` ##### Modules ###### gzip module - 'nginx_gzip' - whether to use gzip, can be "on" or "off" - 'nginx_gzip_http_version' - 'nginx_gzip_comp_level' - 'nginx_gzip_proxied' - 'nginx_gzip_vary' - 'nginx_gzip_buffers' - 'nginx_gzip_min_length' - 'nginx_gzip_types' - 'nginx_gzip_disable' ###### http_stub_status module - `nginx_remote_ip_var` - `nginx_authorized_ips` ###### http_gzip_static module - `nginx_gzip_static` - whether to use gzip_static, can be on or off ###### upload_progress module - `nginx_upload_progress_version` - version of the upload_progress module - `nginx_upload_progress_javascript_output`- sets output in javascript. The default is true for backwards compatibility - `nginx_upload_progress_zone_name` - assigns one name which will be used to store the per-connection tracking information. The default is proxied - `nginx_upload_progress_zone_size` - assigns the zone size in bytes. Default is 1m (1 megabyte) ###### headers_more module - `nginx_headers_more_version` - version of the headers_more module ###### http_auth_request module - `nginx_auth_request_release` - the release number of the http_auth_request module ###### http_echo module - `nginx_echo_version` - version of the http_echo module ###### http_realip module - `nginx_realip_header` - Sets the header to use for the RealIp Module; only accepts "X-Forwarded-For" or "X-Real-IP" - `nginx_realip_addresses` - Sets the addresses to use for the http_realip configuration - `nginx_realip_real_ip_recursive` - If recursive search is enabled, the original client address that matches one of the trusted addresses is replaced by the last non-trusted address sent in the request header field. Can be on "on" or "off". 
The default is "off" ###### naxsi module - `nginx_naxsi_version` - version of the naxsi module ###### geoip module - `nginx_geoip: 'on'` - `nginx_geoip_country: "{{nginx_dir}}/geoip/GeoIP.dat"` - `nginx_geoip_city: "{{nginx_dir}}/geoip/GeoLiteCity.dat"` #### Thanks To the contributors: - [Jean-Denis Vauguet](https://github.com/chikamichi) #### Testing This project comes with a Vagrantfile, which is a fast and easy way to test changes to the role; fire it up with `vagrant up`. See the [vagrant docs](https://docs.vagrantup.com/v2/) for getting set up with Vagrant. There are two ways to test the install: compiling nginx from source or installing from a package manager. By default nginx is compiled from source; if desired, set an environment variable to install from the package manager instead: `export NGINX_INSTALL_METHOD=package` #### License Licensed under the MIT License. See the LICENSE file for details. #### Feedback, bug-reports, requests, ... Are [welcome](https://github.com/ANXS/nginx/issues)! ================================================ FILE: Vagrantfile ================================================ # -*- mode: ruby -*- # vi: set ft=ruby : nginx_install_method = ENV.key?('NGINX_INSTALL_METHOD') ? 
ENV['NGINX_INSTALL_METHOD'] : 'source' Vagrant.configure('2') do |config| config.vm.define 'anxs' do |c| c.vm.box = 'ubuntu/trusty64' c.vm.network :private_network, ip: '192.168.88.16' c.vm.hostname = 'anxs.local' c.vm.provision 'ansible' do |ansible| ansible.playbook = 'test.yml' ansible.sudo = true ansible.inventory_path = 'vagrant-inventory' ansible.host_key_checking = false ansible.extra_vars = { nginx_install_method: nginx_install_method } end end end ================================================ FILE: defaults/main.yml ================================================ # file: nginx/defaults/main.yml nginx_install_method: "source" nginx_source_version: "1.8.0" nginx: "nginx" nginx_user: www-data nginx_group: www-data nginx_uid: 33 nginx_gid: 33 nginx_dir: "/etc/nginx" nginx_www_dir: "/srv/www" nginx_log_dir: "/var/log/nginx" nginx_pid: "/var/run/nginx.pid" # nginx.conf nginx_worker_processes: 4 nginx_daemon_disable: no nginx_worker_rlimit_nofile: null nginx_error_log_options: null nginx_error_log_filename: 'error.log' nginx_worker_connections: 1024 nginx_multi_accept: 'on' nginx_event: null nginx_charset: null nginx_disable_access_log: no nginx_server_tokens: 'off' nginx_sendfile: 'on' nginx_keepalive: "on" nginx_keepalive_timeout: "30" nginx_client_body_timeout: "10" nginx_client_header_timeout: "10" nginx_send_timeout: "10" nginx_buffers: "on" nginx_client_body_buffer_size: "1k" nginx_client_header_buffer_size: "1k" nginx_client_max_body_size: "2m" nginx_large_client_header_buffers: "2 1k" nginx_server_names_hash_bucket_size: 64 nginx_types_hash_max_size: 2048 nginx_types_hash_bucket_size: 64 nginx_proxy_read_timeout: null nginx_enable_rate_limiting: no nginx_rate_limiting_zone_name: "default" nginx_rate_limiting_backoff: "10m" nginx_rate_limit: "1r/s" nginx_access_logs: - name: "main" format: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"' options: null filename: "access.log" # default 
site nginx_default_root: "{{nginx_www_dir}}/default" nginx_default_enable: yes # site inventory nginx_sites: [] nginx_enabled_sites: [] nginx_disabled_sites: [] # source nginx_source_url: "http://nginx.org/download/nginx-{{nginx_source_version}}.tar.gz" nginx_source_prefix: "/usr/local/nginx/nginx-{{nginx_source_version}}" nginx_source_conf_path: "{{nginx_dir}}/nginx.conf" nginx_source_sbin_path: "{{nginx_source_prefix}}/sbin/nginx" nginx_source_default_configure_flags: "--prefix={{nginx_source_prefix}} --conf-path={{nginx_source_conf_path}} --sbin-path={{nginx_source_sbin_path}}" nginx_source_modules_included: http_stub_status_module: "--with-http_stub_status_module" http_ssl_module: "--with-http_ssl_module" openssl: "--with-openssl=/tmp/openssl-{{ openssl_version }}" http_gzip_static_module: "--with-http_gzip_static_module" upload_progress_module: "--add-module=/tmp/nginx-upload-progress-module-{{nginx_upload_progress_version}}" headers_more_module: "--add-module=/tmp/headers-more-nginx-module-{{nginx_headers_more_version}}" http_auth_request_module: "--add-module=/tmp/ngx_http_auth_request_module-{{nginx_auth_request_release}}" http_echo_module: "--add-module=/tmp/echo-nginx-module-{{nginx_echo_version}}" google_perftools_module: "--with-google_perftools_module" ipv6_module: "--with-ipv6" http_real_ip_module: "--with-http_realip_module" http_spdy_module: "--with-http_spdy_module" http_perl_module: "--with-http_perl_module" naxsi_module: "--add-module=/tmp/naxsi-{{nginx_naxsi_version}}/naxsi_src" ngx_pagespeed: "--add-module=/tmp/ngx_pagespeed-release-{{nginx_ngx_pagespeed_version}}-beta" http_geoip_module: "--with-http_geoip_module" nginx_source_modules_excluded: - mail_pop3_module - mail_imap_module - mail_smtp_module nginx_source_configure_flags: "{{nginx_source_default_configure_flags}}{% for key, value in nginx_source_modules_included.items() %} {{value}}{% endfor %}{% for item in nginx_source_modules_excluded %} --without-{{item}}{% endfor %}" # gzip_module 
nginx_gzip: 'on' nginx_gzip_http_version: 1.1 nginx_gzip_comp_level: 2 nginx_gzip_proxied: expired no-cache no-store private auth nginx_gzip_vary: 'on' nginx_gzip_buffers: null nginx_gzip_min_length: 10240 nginx_gzip_types: - text/plain - text/css - text/xml - text/csv - text/javascript - application/x-javascript - application/xml - application/xml+rss - application/javascript - application/postscript - application/pdf - application/ecmascript - application/json - image/svg+xml nginx_gzip_disable: "MSIE [1-6]\\." # geoip_module nginx_geoip: 'off' nginx_geoip_country: "{{nginx_dir}}/geoip/GeoIP.dat" nginx_geoip_city: "{{nginx_dir}}/geoip/GeoLiteCity.dat" # http_stub_status_module configuration nginx_remote_ip_var: "remote_addr" nginx_authorized_ips: - "127.0.0.1/32" # http_gzip_static_module configuration nginx_gzip_static: "off" # upload_progress_module configuration nginx_upload_progress_version: "0.9.1" nginx_upload_progress_javascript_output: yes nginx_upload_progress_zone_name: "proxied" nginx_upload_progress_zone_size: "1m" nginx_upload_progress_url: "https://github.com/masterzen/nginx-upload-progress-module/archive/v{{nginx_upload_progress_version}}.tar.gz" # headers_more_module configuration nginx_headers_more_version: "0.261" nginx_headers_more_url: "https://github.com/agentzh/headers-more-nginx-module/archive/v{{nginx_headers_more_version}}.tar.gz" # http_auth_request_module configuration nginx_auth_request_release: "662785733552" nginx_auth_request_url: "http://mdounin.ru/hg/ngx_http_auth_request_module/archive/{{nginx_auth_request_release}}.tar.gz" # http_echo_module configuration nginx_echo_version: "0.58" nginx_echo_url: "https://github.com/agentzh/echo-nginx-module/archive/v{{nginx_echo_version}}.tar.gz" # http_realip_module configuration nginx_realip_header: "X-Forwarded-For" nginx_realip_addresses: ["127.0.0.1"] nginx_realip_real_ip_recursive: "off" # naxsi_module configuration nginx_naxsi_version: "0.53" nginx_naxsi_url: 
"https://github.com/nbs-system/naxsi/archive/{{nginx_naxsi_version}}.tar.gz" # ngx_pagespeed_module configuration nginx_ngx_pagespeed_version: 1.9.32.4 # OpenSSL configuration openssl_version: "1.0.2h" ================================================ FILE: files/index.html ================================================ Welcome to nginx!

Thank you for using ANXS.nginx

If you see this page then Ansible has properly provisioned your nginx installation and you have not specified a default site with an existing index.html.

Additional configuration will likely be necessary

================================================ FILE: files/mime.types ================================================ types { text/html html htm shtml; text/css css; text/xml xml; image/gif gif; image/jpeg jpeg jpg; application/x-javascript js; application/json json; application/atom+xml atom; application/rss+xml rss; text/mathml mml; text/plain txt; text/vnd.sun.j2me.app-descriptor jad; text/vnd.wap.wml wml; text/x-component htc; image/png png; image/tiff tif tiff; image/vnd.wap.wbmp wbmp; image/x-icon ico; image/x-jng jng; image/x-ms-bmp bmp; image/svg+xml svg svgz; image/webp webp; application/java-archive jar war ear; application/mac-binhex40 hqx; application/msword doc; application/pdf pdf; application/postscript ps eps ai; application/rtf rtf; application/vnd.ms-excel xls; application/vnd.ms-powerpoint ppt; application/vnd.wap.wmlc wmlc; application/vnd.google-earth.kml+xml kml; application/vnd.google-earth.kmz kmz; application/x-7z-compressed 7z; application/x-cocoa cco; application/x-java-archive-diff jardiff; application/x-java-jnlp-file jnlp; application/x-makeself run; application/x-perl pl pm; application/x-pilot prc pdb; application/x-rar-compressed rar; application/x-redhat-package-manager rpm; application/x-sea sea; application/x-shockwave-flash swf; application/x-stuffit sit; application/x-tcl tcl tk; application/x-x509-ca-cert der pem crt; application/x-xpinstall xpi; application/xhtml+xml xhtml; application/zip zip; application/octet-stream bin exe dll; application/octet-stream deb; application/octet-stream dmg; application/octet-stream eot; application/octet-stream iso img; application/octet-stream msi msp msm; audio/midi mid midi kar; audio/mpeg mp3; audio/ogg ogg; audio/x-m4a m4a; audio/x-realaudio ra; video/3gpp 3gpp 3gp; video/mp4 mp4; video/mpeg mpeg mpg; video/quicktime mov; video/webm webm; video/x-flv flv; video/x-m4v m4v; video/x-mng mng; video/x-ms-asf asx asf; video/x-ms-wmv wmv; video/x-msvideo avi; } 
================================================ FILE: files/naxsi_core.rules ================================================ ################################## ## INTERNAL RULES IDS:1-10 ## ################################## #weird_request : 1 #big_body : 2 #no_content_type : 3 #@MainRule "msg:weird/incorrect request" id:1; #@MainRule "msg:big request, unparsed" id:2; #@MainRule "msg:uncommon hex encoding (%00 etc.)" id:10; #@MainRule "msg:uncommon/empty content-type in POST" id:11; #@MainRule "msg:uncommon/malformed URL" id:12; #MainRule "str:123FREETEXT" "msg:exemple learning test pattern" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:BLOCK" id:0; ################################## ## SQL Injections IDs:1000-1099 ## ################################## MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000; MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001; MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002; ## Hardcore rules MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003; MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004; MainRule "str:|" "msg:mysql keyword (|)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005; MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006; ## end of hardcore rules MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007; MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008; MainRule "str:=" "msg:equal in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009; MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010; MainRule "str:)" 
"msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011; MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013; MainRule "str:," "msg:, in stuff" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015; MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016; ############################### ## OBVIOUS RFI IDs:1100-1199 ## ############################### MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100; MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101; MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102; MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103; MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104; MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105; MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106; MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107; MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108; MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109; ####################################### ## Directory traversal IDs:1200-1299 ## ####################################### MainRule "str:.." 
"msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200; MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202; MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203; MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204; MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205; #MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206; ######################################## ## Cross Site Scripting IDs:1300-1399 ## ######################################## MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302; MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303; MainRule "str:[" "msg:[, possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310; MainRule "str:]" "msg:], possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311; MainRule "str:~" "msg:~ character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312; MainRule "str:`" "msg:grave accent !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314; MainRule "rx:%[2|3]." "msg:double encoding !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315; #################################### ## Evading tricks IDs: 1400-1500 ## #################################### MainRule "str:&#" "msg: utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400; MainRule "str:%U" "msg: M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401; MainRule negative "rx:multipart/form-data|application/x-www-form-urlencoded" "msg:Content is neither mulipart/x-www-form.." 
"mz:$HEADERS_VAR:Content-type" "s:$EVADE:4" id:1402; ############################# ## File uploads: 1500-1600 ## ############################# MainRule "rx:.ph|.asp|.ht" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500; ================================================ FILE: handlers/main.yml ================================================ # file: nginx/handlers/main.yml - name: restart nginx service: name=nginx state=restarted become: yes when: not nginx_first_start.changed - name: reload nginx service: name=nginx state=reloaded become: yes ================================================ FILE: meta/main.yml ================================================ # file: nginx/meta/main.yml galaxy_info: author: pjan vandaele company: ANXS description: Install and configure Nginx min_ansible_version: 1.9 license: MIT platforms: - name: Ubuntu versions: - all categories: - system dependencies: - ANXS.hostname - ANXS.apt - role: ANXS.build-essential when: nginx_install_method is defined and nginx_install_method == "source" - role: ANXS.perl when: nginx_install_method is defined and nginx_install_method == "source" - role: ANXS.monit when: monit_protection is defined and monit_protection == true ================================================ FILE: tasks/configure.yml ================================================ # nginx/tasks/configure.yml - name: Nginx | Make sure the mime.types file is up to date copy: src: mime.types dest: "{{nginx_dir}}/mime.types" owner: root group: root mode: 0644 - name: Nginx | Check for existence of Nginx configuration stat: path: "{{nginx_dir}}/nginx.conf" register: nginx_config - name: Nginx | Make sure the Nginx configuration is updated template: src: nginx.conf.j2 dest: "{{nginx_dir}}/nginx.conf" owner: root group: root mode: 0644 notify: - restart nginx - name: Nginx | Start Nginx the first time service: name: nginx state: started register: nginx_first_start when: not nginx_config.stat.exists 
================================================ FILE: tasks/default_site.yml ================================================ # file: nginx/tasks/default_site.yml - name: Nginx | Make sure the default site root directory is present file: path: "{{nginx_default_root}}" state: directory owner: "{{nginx_user}}" group: "{{nginx_group}}" mode: 0754 - name: Nginx | Check for existing index.html stat: path: "{{nginx_default_root}}/index.html" register: nginx_default_index - name: Nginx | Copy placeholder index.html copy: src: "index.html" dest: "{{nginx_default_root}}/index.html" owner: "{{nginx_user}}" group: "{{nginx_group}}" mode: 0644 when: not nginx_default_index.stat.exists - name: Nginx | Update the default site configuration template: src: default.site.j2 dest: "{{nginx_dir}}/sites-available/default" owner: root group: root mode: 0644 - name: Nginx | Enable the default site file: path: "{{nginx_dir}}/sites-enabled/default" src: "{{nginx_dir}}/sites-available/default" state: link when: nginx_default_enable notify: - reload nginx - name: Nginx | Disable the default site file: path: "{{nginx_dir}}/sites-enabled/default" state: absent when: not nginx_default_enable notify: - reload nginx - name: Nginx | Reload if we just created index.html service: name: nginx state: reloaded when: not nginx_default_index.stat.exists ================================================ FILE: tasks/directories.yml ================================================ # file: nginx/tasks/commons.yml - name: Nginx | Make sure the nginx directory exists file: path: "{{nginx_dir}}" owner: root group: root mode: 0755 state: directory - name: Nginx | Make sure the nginx log directory exists file: path: "{{nginx_log_dir}}" owner: root group: root mode: 0755 state: directory - name: Nginx | Make sure the sites-available, sites-enabled and conf.d directories exist file: path: "{{nginx_dir}}/{{item}}" owner: root group: root mode: 0755 state: directory with_items: ["sites-available", "sites-enabled", 
"conf.d"] ================================================ FILE: tasks/main.yml ================================================ # file: nginx/tasks/main.yml - include: package.yml when: nginx_install_method == "package" - include: source.yml when: nginx_install_method == "source" - include: scripts.yml - include: configure.yml - include: default_site.yml - include: sites.yml - include: monit.yml when: monit_protection is defined and monit_protection == true ================================================ FILE: tasks/modules/_authorized_ips.yml ================================================ # file: nginx/tasks/modules/authorized_ips.yml - name: Nginx | Modules | Updated the authorized_ip file template: src: templates/modules/authorized_ips.j2 dest: "{{nginx_dir}}/authorized_ips" owner: root group: root mode: 0644 ================================================ FILE: tasks/modules/google_perftools_module.yml ================================================ # file: roles/nginx/tasks/modules/google_perftools_module.yml # configure flag: --with-google_perftools_module - name: Nginx | Modules | Make sure the libgoogle-perftools-dev package is installed apt: pkg: libgoogle-perftools-dev state: present ================================================ FILE: tasks/modules/headers_more_module.yml ================================================ # file: nginx/tasks/modules/headers_more_module.yml # configure flag: --add-module=/tmp/nginx_headers_more - name: Nginx | Modules | Download the headers_more_module source get_url: url: "{{nginx_headers_more_url}}" dest: "/tmp/nginx-headers-more-module-{{nginx_headers_more_version}}.tar.gz" - name: Nginx | Modules | Unpack the headers_more_module source command: tar -xvzf /tmp/nginx-headers-more-module-{{nginx_headers_more_version}}.tar.gz chdir=/tmp creates=/tmp/headers-more-nginx-module-{{nginx_headers_more_version}} ================================================ FILE: tasks/modules/http_auth_request_module.yml 
================================================
# file: nginx/tasks/modules/http_auth_request_module.yml
# configure flag: --add-module=/tmp/nginx_auth_request
# NOTE(review): the unpack task below creates
# /tmp/ngx_http_auth_request_module-{{nginx_auth_request_release}}, not
# /tmp/nginx_auth_request; confirm which path nginx_source_configure_flags uses.
# NOTE(review): this third-party module tarball is fetched with no checksum;
# get_url can pin one (sha256sum: "<expected-digest>") so a tampered archive is
# rejected instead of being compiled into nginx.
- name: Nginx | Modules | Download the http_auth_request_module source
  get_url:
    url: "{{nginx_auth_request_url}}"
    dest: "/tmp/nginx-auth-request-module.tar.gz"
- name: Nginx | Modules | Unpack the http_auth_request_module source
  command: tar -xvzf /tmp/nginx-auth-request-module.tar.gz chdir=/tmp creates=/tmp/ngx_http_auth_request_module-{{nginx_auth_request_release}}
================================================ FILE: tasks/modules/http_echo_module.yml ================================================
# file: nginx/tasks/modules/http_echo_module.yml
# configure flag: --add-module=/tmp/nginx_echo
# NOTE(review): the unpack task creates /tmp/echo-nginx-module-{{nginx_echo_version}},
# not /tmp/nginx_echo; same checksum remark as for http_auth_request above.
- name: Nginx | Modules | Download the http_echo_module source
  get_url:
    url: "{{nginx_echo_url}}"
    dest: "/tmp/nginx-echo-module.tar.gz"
- name: Nginx | Modules | Unpack the http_echo_module source
  command: tar -xvzf /tmp/nginx-echo-module.tar.gz chdir=/tmp creates=/tmp/echo-nginx-module-{{nginx_echo_version}}
================================================ FILE: tasks/modules/http_geoip_module.yml ================================================
# file: nginx/tasks/modules/http_geoip_module.yml
# configure flag: --with-http_geoip_module
#
# Installs libgeoip and seeds {{nginx_dir}}/geoip with the legacy GeoLite
# country and city databases that geoip_country/geoip_city in nginx.conf.j2
# point at.
# NOTE(review): both databases are fetched over plain http with no checksum and
# are then loaded by nginx's geoip module, so their integrity depends entirely
# on the network path; an https URL plus a pinned digest (get_url sha256sum)
# would close that gap.
# NOTE(review): the gunzip tasks only run while the .dat is absent, and get_url
# does not re-fetch an existing .gz without force, so an existing database is
# never refreshed by this role; updating it means removing the files by hand.
# The `when:` guards on the first four tasks repeat the gate already applied
# by modules.yml when it includes this file.
- name: Nginx | Modules | Install GeoIp lib
  apt: pkg={{ item }} state=latest
  with_items:
    - libgeoip1
    - libgeoip-dev
  when: nginx_source_modules_included.http_geoip_module is defined
- name: Nginx | Modules | Create directory inside nginx
  file: path={{nginx_dir}}/geoip state=directory
  when: nginx_source_modules_included.http_geoip_module is defined
- name: Nginx | Modules | Download GeoIP database files
  get_url: url=http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz dest={{nginx_dir}}/geoip/GeoIP.dat.gz
  when: nginx_source_modules_included.http_geoip_module is defined
- name: Nginx | Modules | Download GeoLiteCity database files
  get_url: url=http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz dest={{nginx_dir}}/geoip/GeoLiteCity.dat.gz
  when: nginx_source_modules_included.http_geoip_module is defined
- name: Nginx | Modules | Check if the GeoIP file exists
  stat: path={{nginx_dir}}/geoip/GeoIP.dat
  register: geoip_file
- name: Nginx | Modules | Unarchive GeoIP files
  shell: gunzip -c {{nginx_dir}}/geoip/GeoIP.dat.gz > {{nginx_dir}}/geoip/GeoIP.dat
  when: not geoip_file.stat.exists
- name: Nginx | Modules | Check if the GeoLiteCity file exists
  stat: path={{nginx_dir}}/geoip/GeoLiteCity.dat
  register: geolitecity_file
- name: Nginx | Modules | Unarchive GeoLiteCity files
  shell: gunzip -c {{nginx_dir}}/geoip/GeoLiteCity.dat.gz > {{nginx_dir}}/geoip/GeoLiteCity.dat
  when: not geolitecity_file.stat.exists
================================================ FILE: tasks/modules/http_gzip_static_module.yml ================================================
# file: nginx/tasks/modules/http_gzip_static_module.yml
# configure flag: --with-http_gzip_static_module
# Renders conf.d/http_gzip_static.conf (a single gzip_static directive).
- name: Nginx | Modules | Update the http_gzip_static_module configuration
  template:
    src: templates/modules/http_gzip_static.conf.j2
    dest: "{{nginx_dir}}/conf.d/http_gzip_static.conf"
    owner: root
    group: root
    mode: 0644
================================================ FILE: tasks/modules/http_perl_module.yml ================================================
# file: nginx/tasks/modules/http_perl_module.yml
# configure flag: --with-http_perl_module
# no contents
================================================ FILE: tasks/modules/http_realip_module.yml ================================================
# file: nginx/tasks/modules/http_realip_module.yml
# configure flag: --with-http_realip_module
# Renders conf.d/http_realip.conf: one set_real_ip_from per entry of
# nginx_realip_addresses plus real_ip_header/real_ip_recursive.
# NOTE(review): every address in nginx_realip_addresses is trusted to rewrite
# the client address that nginx logs and filters on (including, when
# nginx_remote_ip_var is the remote address, the $authorized_ip geo map that
# gates the status vhost), so the list must hold only the proxies actually in
# front of this server.
- name: Nginx | Modules | Update the http_realip_module configuration
  template:
    src: templates/modules/http_realip.conf.j2
    dest: "{{nginx_dir}}/conf.d/http_realip.conf"
    owner: root
    group: root
    mode: 0644
================================================ FILE:
tasks/modules/http_spdy_module.yml ================================================
# file: nginx/tasks/modules/http_spdy_module.yml
# configure flag: --with-http_spdy_module
# no contents
# NOTE(review): SPDY was superseded by HTTP/2 in later nginx releases; if the
# configured nginx_source_version is recent, confirm this flag is still accepted.
================================================ FILE: tasks/modules/http_ssl_module.yml ================================================
# file: nginx/tasks/modules/http_ssl_module.yml
# configure flag: --with-http_ssl_module
#
# Fetches and unpacks an OpenSSL release into /tmp so nginx can be built
# against it. Both tasks run only when the *openssl* key (not http_ssl_module)
# is present in nginx_source_modules_included, so enabling http_ssl_module alone
# builds against the distribution libssl-dev installed by tasks/source.yml.
# NOTE(review): the tarball is fetched with a raw wget and no checksum or
# signature check, so its integrity rests on TLS alone; the commented get_url
# variant below, with a pinned digest (sha256sum: "<expected-digest>"), would
# let Ansible verify the download before it is unpacked and built as root.
- name: get openssl source
  shell: "wget https://www.openssl.org/source/openssl-{{ openssl_version }}.tar.gz"
  args:
    chdir: /tmp
    creates: "/tmp/openssl-{{ openssl_version }}.tar.gz"   # skipped once the tarball is present
  when: nginx_source_modules_included.openssl is defined
  #get_url:
  #  url: "https://www.openssl.org/source/openssl-{{ openssl_version }}.tar.gz"
  #  dest: "/tmp/openssl-{{ openssl_version }}.tar.gz"
  #when: nginx_source_modules_included.openssl is defined
- name: extract openssl source
  command: "tar -xf /tmp/openssl-{{ openssl_version }}.tar.gz"
  args:
    chdir: /tmp
    creates: "/tmp/openssl-{{ openssl_version }}"
  when: nginx_source_modules_included.openssl is defined
================================================ FILE: tasks/modules/http_stub_status_module.yml ================================================
# file: nginx/tasks/modules/http_stub_status_module.yml
# configure flag: --with-http_stub_status_module
#
# Renders and enables the nginx_status vhost (templates/modules/nginx_status.j2),
# which serves stub_status on port 8090 and returns 404 unless the client's
# address resolves to "yes" in the $authorized_ip geo map written by
# _authorized_ips.yml.
# NOTE(review): the vhost listens on 8090 on all interfaces with server_name _,
# so the geo map is the only access control. It keys on ${{nginx_remote_ip_var}},
# which is only as trustworthy as that variable: if realip is enabled, only
# genuine upstream proxies may appear in nginx_realip_addresses.
# NOTE(review): unlike default_site.yml and sites.yml, nothing here notifies a
# reload, so a later change to the status vhost alone takes effect only when
# nginx is restarted or reloaded for another reason.
- include: _authorized_ips.yml
- name: Nginx | Modules | Make sure the nginx status configuration is updated
  template:
    src: templates/modules/nginx_status.j2
    dest: "{{nginx_dir}}/sites-available/nginx_status"
    owner: root
    group: root
    mode: 0644
- name: Nginx | Modules | Enable the status stub sites-available
  file:
    path: "{{nginx_dir}}/sites-enabled/nginx_status"
    src: "{{nginx_dir}}/sites-available/nginx_status"
    state: link
    force: yes   # replace whatever already sits at the sites-enabled path
================================================ FILE: tasks/modules/ipv6_module.yml ================================================
# file: roles/nginx/tasks/modules/ipv6_module.yml
# configure flag: --with-ipv6
# no contents
================================================ FILE: tasks/modules/naxsi_module.yml ================================================ # file: roles/nginx/tasks/modules/naxsi_module.yml # configure flag: --add-module=/tmp/naxsi-{{nginx_naxsi_version}}/naxsi_src - name: Nginx | Modules | Download the naxsi_module source get_url: url: "{{nginx_naxsi_url}}" dest: "/tmp/nginx-naxsi-module.tar.gz" - name: Nginx | Modules | Unpack the naxsi_module source command: tar -xvzf /tmp/nginx-naxsi-module.tar.gz chdir=/tmp creates=/tmp/naxsi-{{nginx_naxsi_version}} - name: Nginx | Modules | Make sure the naxsi_module configuration is up to date copy: src: files/naxsi_core.rules dest: "{{nginx_dir}}/naxsi_core.rules" owner: root group: root mode: 0644 ================================================ FILE: tasks/modules/ngx_pagespeed.yml ================================================ # file: nginx/tasks/modules/ngx_pagespeed.yml # configure flag: --add-module=/tmp/ngx_pagespeed-release-{{nginx_ngx_pagespeed_version}}-beta - name: Nginx | Modules | Make sure the dependences are installed apt: pkg: "{{item}}" with_items: - zlib1g-dev - libpcre3 - libpcre3-dev - name: Nginx | Modules | Download the ngx_pagespeed source get_url: url: "https://github.com/pagespeed/ngx_pagespeed/archive/release-{{nginx_ngx_pagespeed_version}}-beta.tar.gz" dest: "/tmp/ngx_pagespeed_module.tar.gz" - name: Nginx | Modules | Unpack the ngx_pagespeed source command: tar -xvzf /tmp/ngx_pagespeed_module.tar.gz args: chdir: /tmp creates: "/tmp/ngx_pagespeed-release-{{nginx_ngx_pagespeed_version}}-beta" - name: Nginx | Modules | Download the psol source get_url: url: "https://dl.google.com/dl/page-speed/psol/{{nginx_ngx_pagespeed_version}}.tar.gz" dest: "/tmp/ngx_pagespeed-release-{{nginx_ngx_pagespeed_version}}-beta/psol.tar.gz" - name: Nginx | Modules | Unpack the psol source command: "tar -xvzf /tmp/ngx_pagespeed-release-{{nginx_ngx_pagespeed_version}}-beta/psol.tar.gz" args: chdir: 
"/tmp/ngx_pagespeed-release-{{nginx_ngx_pagespeed_version}}-beta" creates: "/tmp/ngx_pagespeed-release-{{nginx_ngx_pagespeed_version}}-beta/psol" ================================================ FILE: tasks/modules/upload_progress_module.yml ================================================ # file: nginx/tasks/modules/upload_progress_module.yml # configure flag: --add-module=/tmp/nginx_upload_progress # to be completed... - name: Nginx | Modules | Download the upload_progress_module source get_url: url: "{{nginx_upload_progress_url}}" dest: "/tmp/nginx-upload-progress-module-{{nginx_upload_progress_version}}.tar.gz" - name: Nginx | Modules | Unpack the upload_progress_module source command: tar -xvzf /tmp/nginx-upload-progress-module-{{nginx_upload_progress_version}}.tar.gz chdir=/tmp creates=/tmp/nginx-upload-progress-module-{{nginx_upload_progress_version}} - name: Nginx | Modules | Make sure the upload_progress_module configuration is updated template: src: templates/modules/upload_progress.j2 dest: "{{nginx_dir}}/sites-available/upload_progress" owner: root group: root mode: 0644 ================================================ FILE: tasks/modules.yml ================================================ # file: nginx/tasks/modules.yml - include: modules/http_stub_status_module.yml when: nginx_source_modules_included.http_stub_status_module is defined - include: modules/http_ssl_module.yml when: nginx_source_modules_included.http_ssl_module is defined - include: modules/http_gzip_static_module.yml when: nginx_source_modules_included.http_gzip_static_module is defined - include: modules/upload_progress_module.yml when: nginx_source_modules_included.upload_progress_module is defined - include: modules/headers_more_module.yml when: nginx_source_modules_included.headers_more_module is defined - include: modules/http_auth_request_module.yml when: nginx_source_modules_included.http_auth_request_module is defined - include: modules/http_echo_module.yml when: 
nginx_source_modules_included.http_echo_module is defined - include: modules/google_perftools_module.yml when: nginx_source_modules_included.google_perftools_module is defined - include: modules/ipv6_module.yml when: nginx_source_modules_included.ipv6_module is defined - include: modules/http_realip_module.yml when: nginx_source_modules_included.http_realip_module is defined - include: modules/http_spdy_module.yml when: nginx_source_modules_included.http_spdy_module is defined - include: modules/naxsi_module.yml when: nginx_source_modules_included.naxsi_module is defined - include: modules/ngx_pagespeed.yml when: nginx_source_modules_included.ngx_pagespeed is defined - include: modules/http_geoip_module.yml when: nginx_source_modules_included.http_geoip_module is defined ================================================ FILE: tasks/monit.yml ================================================ # file: nginx/tasks/monit.yml - name: Nginx | | (Monit) Copy the nginx monit service file template: src: etc_monit_conf.d_nginx.j2 dest: /etc/monit/conf.d/nginx notify: - restart monit ================================================ FILE: tasks/package.yml ================================================ # file: nginx/tasks/package.yml - name: Nginx | Make sure the ansible required dependencies are installed apt: pkg: python-pycurl state: present - name: Nginx | Add the nginx repository apt_repository: repo: ppa:nginx/stable - name: Nginx | Make sure nginx is installed (package) apt: pkg: "{{nginx}}" state: present notify: - restart nginx - include: directories.yml ================================================ FILE: tasks/scripts.yml ================================================ # file: nginx/tasks/scripts.yml - name: Nginx | Copy the nxensite and nxdissite scripts template: src: "{{item}}.j2" dest: "/usr/sbin/{{item}}" owner: root group: root mode: 0755 with_items: ["nxensite", "nxdissite"] ================================================ FILE: tasks/sites.yml 
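================================================ # file: nginx/tasks/sites.yml
# Renders one vhost per entry of nginx_sites (templates/site.j2), creates each
# site's document root and manages the sites-enabled symlinks. The list
# variables may be the string 'none' to mean "nothing to do", hence the
# `|lower != 'none'` guards.
- name: Nginx | Update the configurations for the sites inventory
  template:
    src: site.j2
    dest: "{{nginx_dir}}/sites-available/{{item.server.name}}"
  with_items: "{{nginx_sites}}"
  when: nginx_sites|lower != 'none'
  notify:
    - reload nginx
- name: Nginx | Create virtual sites directories
  file:
    path: "{{nginx_www_dir}}/{{item.server.name}}"
    state: directory
    owner: "{{nginx_user}}"
    # Group follows user.yml and default_site.yml, which use nginx_group; a
    # group named after nginx_user need not exist.
    group: "{{nginx_group}}"
    mode: 0755
  with_items: "{{nginx_sites}}"
  # Same guard as the template task above; without it a 'none' placeholder
  # would be iterated and item.server.name would fail.
  when: nginx_sites|lower != 'none'
- name: Nginx | Enable sites
  file:
    path: "{{nginx_dir}}/sites-enabled/{{item}}"
    src: "{{nginx_dir}}/sites-available/{{item}}"
    state: link
  with_items: "{{nginx_enabled_sites}}"
  notify:
    - reload nginx
  when: nginx_enabled_sites|lower != 'none'
- name: Nginx | Disable sites
  file:
    path: "{{nginx_dir}}/sites-enabled/{{item}}"
    state: absent
  with_items: "{{nginx_disabled_sites}}"
  notify:
    - reload nginx
  when: nginx_disabled_sites|lower != 'none'
================================================ FILE: tasks/source.yml ================================================
# file: nginx/tasks/source.yml
# Builds nginx from the upstream tarball: creates the service user and
# directories, fetches and unpacks the release plus any selected modules
# (modules.yml), then configures/compiles/installs and wires up the init
# script. The compile step only runs when the recorded version+flags change.
- include: user.yml
- include: directories.yml
- name: Nginx | Make sure the Nginx build dependencies are installed
  apt:
    update_cache: yes
    pkg: "{{item}}"
    state: present
  with_items:
    - libpcre3
    - libpcre3-dev
    - libssl-dev
# NOTE(review): nothing verifies the tarball beyond the transport; get_url can
# pin a digest (sha256sum: "<expected-digest>") so a tampered or truncated
# download fails here instead of being compiled and installed as root.
- name: Nginx | Download the Nginx source release if not yet present
  get_url:
    url: "{{nginx_source_url}}"
    dest: "/tmp/nginx-{{nginx_source_version}}.tar.gz"
- include: "modules.yml"
- name: Nginx | Unpack the compressed Nginx source
  command: tar -xvzf /tmp/nginx-{{nginx_source_version}}.tar.gz chdir=/tmp creates=/tmp/nginx-{{nginx_source_version}}/README
# The rendered flags file doubles as the change detector for the rebuild below.
- name: Nginx | Write out the version and flags used for the build
  template:
    src: .nginx_compilation_flags.j2
    dest: "{{nginx_dir}}/.nginx_compilation_flags"
  register: nginx_flags
# NOTE(review): pkill matches on process name, so anything named *nginx* on the
# host is signalled, and the service stays down from here until the build ends.
- name: Nginx | Kill Nginx (old threads)
  command: pkill nginx
  ignore_errors: yes
  when: nginx_flags.changed
- name: Nginx | Compile the Nginx source
  # The source directory is named after the upstream tarball (nginx-<version>),
  # matching the download and unpack tasks above, independent of the `nginx`
  # package-name variable.
  # NOTE(review): this configures, builds and installs as root out of shared,
  # world-writable /tmp; a root-owned build directory would be the safer home
  # for the unpacked tree.
  shell: >
    cd /tmp/nginx-{{nginx_source_version}} &&
    ./configure {{nginx_source_configure_flags}} &&
    make &&
    make install
  when: nginx_flags.changed
- name: Nginx | Update the symbolic link to the nginx install
  file:
    path: /usr/local/nginx/default
    src: "{{nginx_source_prefix}}"
    state: link
    force: yes
- name: Nginx | Install the upstart init script
  template:
    src: nginx.init.j2
    dest: /etc/init.d/nginx
    owner: root
    group: root
    mode: 0755
  notify:
    - restart nginx
- name: Nginx | Register Nginx as a service
  service:
    name: nginx
    enabled: yes
================================================ FILE: tasks/user.yml ================================================
# file: nginx/tasks/user.yml
# Creates the unprivileged nginx service account and its www directory, then
# removes every password/account expiry so the system user can never lock out.
- name: Nginx | Make sure the nginx group is present
  group:
    gid: "{{nginx_gid}}"
    name: "{{nginx_group}}"
    state: present
- name: Nginx | Make sure the www directory is present
  file:
    path: "{{nginx_www_dir}}"
    state: directory
- name: Nginx | Make sure the nginx user is present
  user:
    name: "{{nginx_user}}"
    uid: "{{nginx_uid}}"
    group: "{{nginx_group}}"
    comment: "Nginx user"
    home: "{{nginx_www_dir}}"
    shell: /bin/false   # service account: no interactive login
    state: present
    system: yes
- name: Nginx | Set the right directory permissions for the www directory
  file:
    path: "{{nginx_www_dir}}"
    owner: "{{nginx_user}}"
    group: "{{nginx_group}}"
    mode: 0755
    state: directory
# The shadow entry is captured before and after chage so the second task can
# report "changed" only when the expiry fields actually moved. The match is
# anchored to the user's own line (a bare substring would also hit e.g.
# "www-data" for user "www"), the username is quoted so it is passed as a
# single argument, and because the registered output is a line of /etc/shadow
# (password hash included) no_log keeps it out of logs and callbacks.
# NOTE(review): `chage -l {{nginx_user}}` would expose the same expiry fields
# without reading the password hash at all.
- name: Nginx | Check the current password expiry
  command: grep '^{{nginx_user}}:' /etc/shadow
  become: yes
  register: nginx_old_password
  changed_when: false
  no_log: true
- name: Nginx | Set the right expiration on the nginx user
  shell: "chage -I -1 -E -1 -m -1 -M -1 -W -1 '{{nginx_user}}' && grep '^{{nginx_user}}:' /etc/shadow"
  become: yes
  register: nginx_new_password
  changed_when: nginx_new_password.stdout != nginx_old_password.stdout
  no_log: true
================================================ FILE: templates/.nginx_compilation_flags.j2 ================================================ # This file is used to track the nginx build flags, DO NOT CHANGE MANUALLY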
{{nginx_source_version}} {{nginx_source_configure_flags}} ================================================ FILE: templates/default.site.j2 ================================================ server { listen 80; server_name {{inventory_hostname}}; access_log {{nginx_log_dir}}/default.access.log; location / { root {{nginx_default_root}}; index index.html index.htm; } } ================================================ FILE: templates/etc_monit_conf.d_nginx.j2 ================================================ check process nginx with pidfile {{nginx_pid}} group www start program = "/etc/init.d/nginx start" stop program = "/etc/init.d/nginx stop" if failed host localhost port 80 protocol http with timeout 10 seconds then restart if 5 restarts within 5 cycles then timeout ================================================ FILE: templates/modules/authorized_ips.j2 ================================================ geo ${{nginx_remote_ip_var}} $authorized_ip { default no; {% for ip in nginx_authorized_ips %} {{ip}} yes; {% endfor %} } ================================================ FILE: templates/modules/http_gzip_static.conf.j2 ================================================ gzip_static {{nginx_gzip_static}}; ================================================ FILE: templates/modules/http_realip.conf.j2 ================================================ {% for address in nginx_realip_addresses %} set_real_ip_from {{address}}; {% endfor %} real_ip_header {{nginx_realip_header}}; real_ip_recursive {{nginx_realip_real_ip_recursive}}; ================================================ FILE: templates/modules/nginx_status.j2 ================================================ include authorized_ips; server { listen 8090; server_name _; location /nginx_status { if ($authorized_ip = no) { return 404; } stub_status on; access_log off; } } ================================================ FILE: templates/modules/upload_progress.j2 ================================================ upload_progress 
{{nginx_upload_progress_zone_name}} {{nginx_upload_progress_zone_size}}; {% if nginx_upload_progress_javascript_output %} upload_progress_java_output; {% endif %} ================================================ FILE: templates/nginx.conf.j2 ================================================ user {{nginx_user}}{% if nginx_user != nginx_group%} {{nginx_group}}{% endif %}; worker_processes {{nginx_worker_processes}}; {% if nginx_daemon_disable %} daemon off; {% endif %} {% if nginx_worker_rlimit_nofile %} worker_rlimit_nofile {{nginx_worker_rlimit_nofile}}; {% endif %} error_log {{nginx_log_dir}}/{{nginx_error_log_filename}}{% if nginx_error_log_options %} {{nginx_error_log_options}}{% endif %}; pid {{nginx_pid}}; events { worker_connections {{nginx_worker_connections}}; {% if nginx_multi_accept %} multi_accept on; {% endif %} {% if nginx_event %} use {{nginx_event}}; {% endif %} } http { {% if nginx_install_method == "source" %} {% if nginx_source_modules_included.naxsi_module is defined %} include {{nginx_dir}}/naxsi_core.rules; {% endif %} {% endif %} include {{nginx_dir}}/mime.types; default_type application/octet-stream; {% if nginx_charset %} charset {{nginx_charset}}; {% endif %} {% if nginx_disable_access_log %} access_log off; {% else %} {% for log in nginx_access_logs %} {% if 'format' in log %} log_format {{log['name']}} {{log['format']}}; {% endif %} access_log {{nginx_log_dir}}/{{log['filename']}} {{log['name']}}{% if 'options' in log and log['options']|lower != 'none' %} {{log['options']}}{% endif %}; {% endfor %} {% endif %} {% if nginx_server_tokens %} server_tokens {{nginx_server_tokens}}; {% endif %} sendfile {{nginx_sendfile}}; tcp_nopush on; tcp_nodelay on; {% if nginx_keepalive == 'on' %} # Timeouts keepalive_timeout {{nginx_keepalive_timeout}}; client_body_timeout {{nginx_client_body_timeout}}; client_header_timeout {{nginx_client_header_timeout}}; send_timeout {{nginx_send_timeout}}; {% endif %} gzip {{nginx_gzip}}; {% if nginx_gzip == 'on' %} 
gzip_http_version {{nginx_gzip_http_version}}; gzip_comp_level {{nginx_gzip_comp_level}}; gzip_proxied {{nginx_gzip_proxied}}; gzip_vary {{nginx_gzip_vary}}; {% if nginx_gzip_buffers %} gzip_buffers {{nginx_gzip_buffers}}; {% endif %} gzip_types {{nginx_gzip_types|join(' ')}}; gzip_min_length {{nginx_gzip_min_length}}; gzip_disable "{{nginx_gzip_disable}}"; {% endif %} {% if nginx_install_method == "source" %} {% if nginx_geoip == 'on' %} geoip_country {{nginx_geoip_country}}; geoip_city {{nginx_geoip_city}}; {% endif %} {% endif %} {% if nginx_buffers == 'on' %} client_body_buffer_size {{nginx_client_body_buffer_size}}; client_header_buffer_size {{nginx_client_header_buffer_size}}; client_max_body_size {{nginx_client_max_body_size}}; large_client_header_buffers {{nginx_large_client_header_buffers}}; {% endif %} server_names_hash_bucket_size {{nginx_server_names_hash_bucket_size}}; types_hash_max_size {{nginx_types_hash_max_size}}; types_hash_bucket_size {{nginx_types_hash_bucket_size}}; {% if nginx_proxy_read_timeout %} proxy_read_timeout {{nginx_proxy_read_timeout}}; {% endif %} {% if nginx_enable_rate_limiting %} limit_req_zone $binary_remote_addr zone={{nginx_rate_limiting_zone_name}}:{{nginx_rate_limiting_backoff}} rate={{nginx_rate_limit}}; {% endif %} include {{nginx_dir}}/conf.d/*.conf; include {{nginx_dir}}/sites-enabled/*; } ================================================ FILE: templates/nginx.init.j2 ================================================ #!/bin/sh ### BEGIN INIT INFO # Provides: nginx # Required-Start: $local_fs $remote_fs $network $syslog # Required-Stop: $local_fs $remote_fs $network $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: starts the nginx web server # Description: starts nginx using start-stop-daemon ### END INIT INFO PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin DAEMON={{nginx_source_prefix}}/sbin/nginx NAME=nginx DESC=nginx PID={{nginx_pid}} # Include nginx defaults if available if 
[ -f /etc/default/nginx ]; then . /etc/default/nginx fi test -x $DAEMON || exit 0 set -e . /lib/lsb/init-functions test_nginx_config() { if $DAEMON -t $DAEMON_OPTS >/dev/null 2>&1; then return 0 else $DAEMON -t $DAEMON_OPTS return $? fi } case "$1" in start) echo -n "Starting $DESC: " test_nginx_config # Check if the ULIMIT is set in /etc/default/nginx if [ -n "$ULIMIT" ]; then # Set the ulimits ulimit $ULIMIT fi start-stop-daemon --start --quiet --pidfile $PID \ --exec $DAEMON -- $DAEMON_OPTS || true echo "$NAME." ;; stop) echo -n "Stopping $DESC: " start-stop-daemon --stop --quiet --pidfile $PID \ --exec $DAEMON || true echo "$NAME." ;; restart|force-reload) echo -n "Restarting $DESC: " start-stop-daemon --stop --quiet --pidfile \ $PID --exec $DAEMON || true sleep 1 test_nginx_config start-stop-daemon --start --quiet --pidfile \ $PID --exec $DAEMON -- $DAEMON_OPTS || true echo "$NAME." ;; reload) echo -n "Reloading $DESC configuration: " test_nginx_config start-stop-daemon --stop --signal HUP --quiet --pidfile $PID \ --exec $DAEMON || true echo "$NAME." ;; configtest|testconfig) echo -n "Testing $DESC configuration: " if test_nginx_config; then echo "$NAME." else exit $? fi ;; status) status_of_proc -p $PID "$DAEMON" nginx && exit 0 || exit $? ;; *) echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest}" >&2 exit 1 ;; esac exit 0 ================================================ FILE: templates/nxdissite.j2 ================================================ #!/bin/sh -e SYSCONFDIR='{{nginx_dir}}' if [ -z $1 ]; then echo "Which site would you like to disable?" echo -n "Your choices are: " ls $SYSCONFDIR/sites-enabled/* | \ sed -e "s,$SYSCONFDIR/sites-enabled/,,g" | xargs echo echo -n "Site name? " read SITENAME else SITENAME=$1 fi if [ $SITENAME = "default" ]; then PRIORITY="000" fi if ! 
[ -e $SYSCONFDIR/sites-enabled/$SITENAME -o \ -e $SYSCONFDIR/sites-enabled/"$PRIORITY"-"$SITENAME" ]; then echo "This site is already disabled, or does not exist!" exit 1 fi if ! rm $SYSCONFDIR/sites-enabled/$SITENAME 2>/dev/null; then rm -f $SYSCONFDIR/sites-enabled/"$PRIORITY"-"$SITENAME" fi echo "Site $SITENAME disabled; reload nginx to disable." ================================================ FILE: templates/nxensite.j2 ================================================ #!/bin/sh -e SYSCONFDIR='{{nginx_dir}}' if [ -z $1 ]; then echo "Which site would you like to enable?" echo -n "Your choices are: " ls $SYSCONFDIR/sites-available/* | \ sed -e "s,$SYSCONFDIR/sites-available/,,g" | xargs echo echo -n "Site name? " read SITENAME else SITENAME=$1 fi if [ $SITENAME = "default" ]; then PRIORITY="000" fi if [ -e $SYSCONFDIR/sites-enabled/$SITENAME -o \ -e $SYSCONFDIR/sites-enabled/"$PRIORITY"-"$SITENAME" ]; then echo "This site is already enabled!" exit 0 fi if ! [ -e $SYSCONFDIR/sites-available/$SITENAME ]; then echo "This site does not exist!" exit 1 fi if [ $SITENAME = "default" ]; then ln -sf $SYSCONFDIR/sites-available/$SITENAME \ $SYSCONFDIR/sites-enabled/"$PRIORITY"-"$SITENAME" else ln -sf $SYSCONFDIR/sites-available/$SITENAME $SYSCONFDIR/sites-enabled/$SITENAME fi echo "Site $SITENAME installed; reload nginx to enable." 
================================================ FILE: templates/site.j2 ================================================ server { {% for k,v in item.server.iteritems() %} {% if k.find('location') == -1 and k != 'name' %} {{ k }} {{ v }}; {% endif %} {% endfor %} {% for k,v in item.server.iteritems() if k.find('location') != -1 %} location {{ v.name }} { {% for x,y in v.iteritems() if x != 'name' %} {{ x }} {{ y }}; {% endfor %} } {% endfor %} } ================================================ FILE: test.yml ================================================ - hosts: all vars_files: - 'defaults/main.yml' tasks: - name: install the dependencies apt: pkg: "{{item}}" state: present update_cache: yes with_items: ["perl", "libperl-dev", "monit", "build-essential", "python-httplib2"] - include: 'tasks/main.yml' - name: Nginx | Check if nginx is available uri: url="http://127.0.0.1" status=200 handlers: - name: restart monit service: name: monit state: restarted - include: 'handlers/main.yml' ================================================ FILE: vagrant-inventory ================================================ [anxs] anxs.local ansible_ssh_user=vagrant ansible_ssh_host=192.168.88.16 ansible_ssh_port=22