```
.
├── defaults
├── files/etc
├── handlers
├── tasks
├── templates
└── README.md
```
## Overview

Role for installing and configuring nginx. It places SSL keys and certificates in known locations on the host and ships an example SSL template (not enabled by default) for applications to build on.
## Role options

- `update_ssl_certs` - only push the SSL key and PEM files and restart nginx; use this to refresh certificates without re-applying the rest of the role
## SSL

By default this role copies a key/crt pair to the host. Disable this by setting `httpd_no_ssl` to true.

You will still need to configure the application to use SSL. A reference template, `templates/example_ssl.conf.j2`, is provided.

The role looks for the key and certificates at the paths given by the `httpd_ssl_key_file`, `httpd_ssl_crt_file` and `httpd_ssl_pem_file` variables. If those files are not found, it attempts to create a self-signed key/crt pair unless one is already installed on the host. A self-signed certificate is a placeholder: clients will not trust it, so replace it with a CA-issued certificate before exposing the service.

If a PEM file exists at the location given by `httpd_ssl_pem_file`, it is copied across as `ssl.pem`. Applications that require the certificate chain should point at `/etc/nginx/conf.d/ssl.pem`.
## Caveats

The key, crt and pem are always stored on the host under `/etc/nginx/conf.d/{{ inventory_hostname }}.{key,crt,pem}`, because the files can come from several sources. Note that this puts the private key in the nginx configuration directory; make sure its permissions restrict it to root, since nothing else needs to read it.

If your setup deviates from what is covered here, set `httpd_no_ssl` and configure SSL yourself.
## Logrotate

A default logrotate template is configured.
## SELinux

SELinux booleans are application specific. Enable the following as needed by your setup:

- `httpd_can_network_relay`
- `httpd_can_network_memcache`
- `httpd_can_network_connect` \*
- `httpd_can_network_connect_db` \*
- `httpd_can_sendmail`

\* commonly used items, enabled by default

Enable only what the deployment needs: `httpd_can_network_connect` in particular allows nginx to open outbound connections to any host and port, so prefer the narrower `httpd_can_network_connect_db` or `httpd_can_network_relay` when they cover your case.
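The following playbook is an added example and is not part of this role; it shows how to set the SELinux booleans above persistently from Ansible instead of by hand. The host group `web` and the choice of booleans are assumptions for illustration.

```yaml
# Added example, not part of the role: enable only the SELinux booleans
# nginx needs on this host, and make them survive a reboot.
- name: Enable the SELinux booleans this nginx deployment needs
  hosts: web            # assumed inventory group
  become: true
  vars:
    # Assumed for this example: nginx proxies to an upstream on another
    # host and the application talks to a remote database.
    nginx_sebooleans:
      - httpd_can_network_connect
      - httpd_can_network_connect_db
  tasks:
    - name: Set SELinux booleans persistently
      ansible.posix.seboolean:
        name: "{{ item }}"
        state: true
        persistent: true    # write to the policy store, not just the running kernel
      loop: "{{ nginx_sebooleans }}"

    - name: Show the resulting boolean state for the run log
      ansible.builtin.command: getsebool {{ nginx_sebooleans | join(' ') }}
      register: sebool_state
      changed_when: false

    - name: Print boolean state
      ansible.builtin.debug:
        var: sebool_state.stdout_lines
```

Run `getsebool -a | grep httpd_can_network` on the host to confirm the change; booleans not listed in `nginx_sebooleans` are left as the distribution set them.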
## Handlers

- `restart nginx` - restart the nginx service
## Variables

- `service_name` - canonical name for the service
- `httpd_no_ssl` - don't set up SSL
- `httpd_ssl_key_file` - local path to use as source for the ssl.key file
- `httpd_ssl_crt_file` - local path to use as source for the ssl.crt file
- `httpd_ssl_pem_file` - local path to use as source for the ssl.pem file
- `ssl_fast_dh` - whether to use a speedy method to generate Diffie-Hellman parameters; check how the role implements this in `tasks` before enabling it for production hosts
- `ssl_intermediate_ca_pattern` - pattern used to check whether the certificate is self-signed
- `ssl_self_signed_string` - location and CN settings for the self-signed certificate
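The following playbook is an added example and is not part of this role. It ties the variables above and the `update_ssl_certs` option together: one play supplies a CA-issued key, certificate and chain from the controller, and a second play uses `httpd_no_ssl` for hosts where TLS is handled elsewhere. The role name `nginx`, the inventory groups and the paths under `files/` are assumptions.

```yaml
# Added example, not part of the role: apply the role with explicit
# certificate sources so the self-signed fallback is never used.
- name: Deploy nginx with a CA-issued key, certificate and chain
  hosts: web                      # assumed inventory group
  become: true
  vars:
    service_name: myapp           # assumed service name
    # Assumed controller-side layout: one key/crt/pem per host under files/.
    # The role copies these to /etc/nginx/conf.d/{{ inventory_hostname }}.{key,crt,pem}.
    httpd_ssl_key_file: "files/etc/ssl/{{ inventory_hostname }}.key"
    httpd_ssl_crt_file: "files/etc/ssl/{{ inventory_hostname }}.crt"
    httpd_ssl_pem_file: "files/etc/ssl/{{ inventory_hostname }}.pem"
    ssl_fast_dh: false            # take the slow, standard DH parameter generation
  roles:
    - role: nginx                 # assumed role name

- name: Deploy nginx where TLS is terminated in front of this host
  hosts: internal                 # assumed inventory group
  become: true
  vars:
    service_name: myapp
    httpd_no_ssl: true            # skip key/crt handling entirely
  roles:
    - role: nginx
```

To rotate certificates later without re-running the whole role, invoke the playbook with only the `update_ssl_certs` option selected; if the role exposes it as an Ansible tag (an assumption here), that is `ansible-playbook site.yml --tags update_ssl_certs`, which pushes the key and PEM files and triggers the `restart nginx` handler.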