diff --git a/README.md b/README.md
index 8f9d564..6fd4a54 100644
--- a/README.md
+++ b/README.md
@@ -83,7 +83,7 @@ En el repositorio sobre el que estamos trabajando, agregar este rol como submódulo:
 ```bash
-git submodule add https://servicios.unl.edu.ar/gitlab/administradores/ansible-role-nginx-docker.git roles/nginx-docker
+git submodule add https://git.mau.ro/mauro/ansible-role-nginx-docker.git roles/nginx-docker
 ```
 En el playbook, incluir el rol:
diff --git a/defaults/main.yml b/defaults/main.yml
index b0d0df4..56db510 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,25 +1,17 @@
 ---
-# nombre de la imagen a bajar
-nginx_image: nginx
-
-# certificado y clave privadas para HTTPS
-nginx_ssl_certificate: /etc/ssl/certs/host-rectorado.pem
-nginx_ssl_private_key: /etc/ssl/private/host-rectorado.key
-
 # nombre del volumen de configuracion
-nginx_config_volume: nginx_conf
+nginx_config_volume: nginx_config
+
+# nombre del volumen ssl
+nginx_ssl_volume: nginx_ssl
 # nombre del volumen web
 nginx_webroot_volume: nginx_webroot
+# nombre del volumen location
+nginx_location_volume: nginx_location
+
 # puertos a publicar
 nginx_publish_ports:
- - "80:80"
- - "443:443"
-
-# forzar redireccion a https?
-nginx_redirect_https: yes
-
-# argumentos extra para las directivas 'listen'
-nginx_http_listen_args: []
-nginx_https_listen_args: []
+ - 80:80
+ - 443:443
diff --git a/files/Dockerfile b/files/Dockerfile
new file mode 100644
index 0000000..97e1354
--- /dev/null
+++ b/files/Dockerfile
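Review bot: The two `nginx_publish_ports` entries on the new side drop the quotes the old defaults had (`- 80:80`, `- 443:443`); these particular values still parse as strings, but any mapping whose second field is 0–59 (for example `22:22`) is read as a base-60 integer by the YAML 1.1 loader Ansible uses, so a user who copies this unquoted format into an override gets a silently wrong port spec. Keep them quoted as before, `- "80:80"` and `- "443:443"`, so the default documents the safe form. The hunk also removes `nginx_redirect_https` and both `*_listen_args` variables without a replacement; since that behaviour is now fixed in `files/default_ssl.conf`, a one-line comment above `nginx_publish_ports` pointing there would save callers a search.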
@@ -0,0 +1,19 @@
+# nginx container with self-signed SSL certificates
+FROM nginx
+MAINTAINER Mauro Torrez
+
+RUN apt-get update \
+ && apt-get install -y -q ssl-cert \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/* \
+ && cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/cert.pem \
+ && cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/cert.key
+
+ADD nginx.conf /etc/nginx/
+ADD dhparams.pem /etc/nginx/ssl/
+ADD default_ssl.conf /etc/nginx/conf.d/
+
+VOLUME /etc/nginx/ssl/
+VOLUME /etc/nginx/conf.d/
+VOLUME /etc/nginx/locations/
+VOLUME /usr/share/nginx/html/
diff --git a/files/default_ssl.conf b/files/default_ssl.conf
new file mode 100644
index 0000000..78e86f1
--- /dev/null
+++ b/files/default_ssl.conf
@@ -0,0 +1,16 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name _;
+ root /usr/share/nginx/html;
+ include locations/*.conf;
+}
diff --git a/files/dhparams.pem b/files/dhparams.pem
new file mode 100644
index 0000000..e1f44a2
--- /dev/null
+++ b/files/dhparams.pem
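Review bot: The `RUN` chain copies the snakeoil pair into `/etc/nginx/ssl/`, a directory the official nginx image does not appear to create, so the first `cp` fails and the build aborts unless something earlier provides it; insert `&& mkdir -p /etc/nginx/ssl \` before the two `cp` lines. Note also that `ssl-cert-snakeoil.key` is generated at build time and stored in an image layer, and because `/etc/nginx/ssl/` is declared a `VOLUME`, an empty named volume mounted there is seeded with that key, so the role serves TLS with a private key readable by anyone who holds the image until real material is placed in `nginx_ssl_volume`. A comment above the `VOLUME` lines stating that the operator is expected to replace `cert.pem`/`cert.key` in that volume would make the contract explicit. `FROM nginx` is untagged and `MAINTAINER` is deprecated; pin a tag and use `LABEL maintainer="Mauro Torrez"`.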
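Review bot: `listen 443 ssl http2;` and `listen [::]:443 ssl http2;` use the `http2` listen parameter, which nginx 1.25.1 and later log as deprecated in favour of the standalone directive; because the image builds from untagged `nginx` and therefore tracks the latest release, prefer `listen 443 ssl;`, `listen [::]:443 ssl;` and a separate `http2 on;` in the server block. `include locations/*.conf;` is resolved relative to the nginx prefix (`/etc/nginx` in the official image), which is what ties it to the `VOLUME /etc/nginx/locations/` declared in the Dockerfile; a comment such as `# relative to the nginx prefix: /etc/nginx/locations/*.conf` would make that coupling visible to whoever edits either file.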
@@ -0,0 +1,25 @@
+-----BEGIN X9.42 DH PARAMETERS-----
+MIIELAKCAgEAiv8Jwz/DveMn0fonZXPf5Bh2d+CBwE4tHeMUCArtm4D06EftfEhh
+6vgFiWIVxH7LAdQ4aXV18UDOL78wOYOV4jNAdOzXG/SqWVVKftXgE2+igyQcPile
+TQk/tXAPOgHNoT1Sk94ziKFFfBOyzw6wWjfyLBBSZ0FUj31y6u9b1jGAdbFYTF3J
+IR5sHtxbjnGL3EDFp8a/m0zIwxyEC+nJokiW2EwURQggJEReYNrjONJ0yqnIuEWx
+5zK2lxm55LEfBSOK1bkRKXe9yT9F+uBMUmVoWC4buURJaPxTwLUrFp8oi6LMM6Ep
+RZNNF2fOBxuGawqi7Xt8DZdcUS4vszYyx2S6Fha1wH2BnJqfZZZdhw2B2A+dQM7n
+O21GbEVGJwr1RBO1H6up/sJwy4TH9vSR/f33rWaC1ZE3phG/dYPhBB91oKuQJ9eb
+IullFJJbhaNjzk0pzBQyaI/v7QtZX++/wpyL7TWW24ldXCgvCbkNxFpIqIaOalIw
+MSLOsC6LLQ/DhxjJ6nvIC+oNuFyD6KHIWkYm43VDFJlbFIMiZrOs8xZOFRPg9uh4
+9jDLC+dHp8tqhdOwbvtqxC6PemxgfOQ1fij+JQGaRTrab/0XFH26nxVjSZcDb1Ah
+5XIdBrOHxeu2Is61O10AhqHbapF0YctLpNz4/gxNVB1tRrPxHGCQu5ECggIAGwOV
+2KzUNUDy2OO74wZ6AO9XZku/w2Nccj2FcHvyrYIQVsdaTs8fNNmKaTKJ5EQP9kJO
+dL5odyw+B+RnedaRQWYKU6byva1EatutQ98z5PkfjruXmj3fUA1nse1F6nrR+mYU
+hLdpWPM9YkvdIqV3ZpZToy/FHIWNfg/5n3gjhCE27hXuSkiDn/0g+ccuPkolvfhU
+PP4ZKn/IGU+hAuBI0UEhixXnAQBSS4zueEF9PXptCC8TlBHEO06SkETkdpMrbv3a
+1vhziiBjKwvzuNOZoF2NbNhiV9bg04KDQgIKX3xVhFduBXQfGbHKMlpT2p/7SxM+
+L055KK70+yPQ+PBxPpuH97A3ru3CBJYs/XA9UhQp2ixCrUqycpxKso6nHMxATVx+
+EgqBggO1sjpvGH1vPhZJXjXR1qLz+DXK0u1AefjrkKBbjy9qJWSmLjxnFvp8HUH5
+BVcazGnP6Su0IuW4gg+8kx2Pjdb3wyE6LDOfsFgAz4qayNzE51i2uFK7k0ChFHbW
+ng2o+Bp7eaYUguHveXZ3Ik2PBFe8YHFyxarSn5EncwlHY/yv8VMeyrV3fZEhPY5r
+UEFIM25t4r8ywzKmEGO6WQOhVPhHfssehWOF9EjAYyQM8IkwrYNH2G6REG+vxahu
+bsLiqdakirWzAZnw5SLWwHfvq2I6h8gpThEIwTsCIQC8dydvhEwDnjNGgmfu8QaX
+WBn6CTGhx2hPVqxuKi64rQ==
+-----END X9.42 DH PARAMETERS-----
diff --git a/files/nginx.conf b/files/nginx.conf
new file mode 100644
index 0000000..c34415b
--- /dev/null
+++ b/files/nginx.conf
@@ -0,0 +1,64 @@
+
+user nginx;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ # gzip on;
+ # gzip_disable "msie6";
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/x-javascript
+ # text/xml application/xml application/xml+rss text/javascript;
+
+ # ver https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ ssl_certificate ssl/cert.pem;
+ ssl_certificate_key ssl/cert.key;
+ ssl_dhparam ssl/dhparams.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ # modern configuration
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ # add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # OCSP stapling
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+
+ include /etc/nginx/conf.d/*.conf;
+
+}
diff --git a/tasks/main.yml b/tasks/main.yml
index f151382..b150dc7 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
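Review bot: With `ssl_protocols TLSv1.3;` as the only protocol, `ssl_dhparam ssl/dhparams.pem;` is dead configuration: TLS 1.3 selects its key exchange from named groups and never reads finite-field DH parameters, so the committed `dhparams.pem` has no effect unless TLS 1.2 with DHE suites is also enabled. Either list `TLSv1.2 TLSv1.3` as the Mozilla intermediate profile does, or remove the `ssl_dhparam` line together with the `ADD dhparams.pem` in the Dockerfile so the two stay consistent. The HSTS `add_header` stays commented out even though `default_ssl.conf` redirects all HTTP to HTTPS; if that is intentional while the image ships a self-signed certificate, say so in place, e.g. `# HSTS left off: image ships a self-signed cert; enable once a trusted cert is mounted`.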
@@ -1,74 +1,71 @@
 ---
-- name: "Activar container nginx"
+- name: Directorio de build nginx
+ file:
+ path: /root/.nginx-docker-image
+ state: directory
+ tags: skip_me
+
+- name: Copiar archivos de build
+ copy:
+ src: "{{ item }}"
+ dest: /root/.nginx-docker-image
+ loop:
+ - Dockerfile
+ - nginx.conf
+ - dhparam.pem
+ - default.conf
+ tags: skip_me
+
+- name: Crear imagen my_nginx
+ docker_image:
+ state: present
+ name: my_nginx
+ path: /root/.nginx-docker-image
+ tags: skip_me
+
+- name: Activar container nginx
 docker_container:
- name: "nginx"
- state: "started"
- restart_policy: "unless-stopped"
- image: "{{ nginx_image }}"
+ name: nginx
+ state: started
+ restart_policy: unless-stopped
+ image: my_nginx
 volumes:
- - "{{ nginx_ssl_certificate }}:/etc/nginx/server.crt"
- - "{{ nginx_ssl_private_key }}:/etc/nginx/server.key"
+ - "{{ nginx_ssl_volume }}:/etc/nginx/ssl/"
 - "{{ nginx_config_volume }}:/etc/nginx/conf.d/"
 - "{{ nginx_webroot_volume }}:/usr/share/nginx/html/"
 networks:
 - name: "{{ docker_network_name }}"
 ports: "{{ nginx_publish_ports }}"
 env:
- register: "container"
+ register: container
-- name: "Configurar volumen {{ nginx_config_volume }}"
- docker_volume:
+- name: Leer info de volumen {{ nginx_config_volume }}
+ docker_volume_info:
 name: "{{ nginx_config_volume }}"
- state: "present"
- register: "st_c_volume"
+ register: res_cnf
-- name: "Configurar volumen {{ nginx_webroot_volume }}"
- docker_volume:
+- name: Leer info de volumen {{ nginx_ssl_volume }}
+ docker_volume_info:
+ name: "{{ nginx_ssl_volume }}"
+ register: res_ssl
+
+- name: Leer info de volumen {{ nginx_webroot_volume }}
+ docker_volume_info:
 name: "{{ nginx_webroot_volume }}"
- state: "present"
- register: "st_w_volume"
+ register: res_web
+
+- name: Leer info de volumen {{ nginx_location_volume }}
+ docker_volume_info:
+ name: "{{ nginx_location_volume }}"
+ register: res_loc
 # exportar punto de montaje del volumen
 - set_fact:
- nginx_config_mountpoint: "{{ st_c_volume.ansible_facts.docker_volume.Mountpoint }}"
- nginx_webroot_mountpoint: "{{ st_w_volume.ansible_facts.docker_volume.Mountpoint }}"
-
-# TODO: creo que estas tareas se deberian hacer desde dentro de un container
-- copy:
- content: |
- ssl_certificate /etc/nginx/server.crt;
- ssl_certificate_key /etc/nginx/server.key;
- dest: "{{ nginx_config_mountpoint }}/00_ssl.conf"
- notify: "restart nginx container"
-
-- copy:
- content: |
- server {
- listen 80 {{ nginx_http_listen_args | join (' ') }};
- server_name _;
- root /usr/share/nginx/html;
- include /etc/nginx/conf.d/common/*.conf;
- {% if nginx_redirect_https %}
- location / {
- rewrite ^ https://$http_host$request_uri permanent;
- }
- {% endif %}
- include /etc/nginx/conf.d/locations-http/*.conf;
- }
- server {
- listen 443 ssl {{ nginx_https_listen_args | join (' ') }};
- server_name _;
- root /usr/share/nginx/html;
- include /etc/nginx/conf.d/common/*.conf;
- include /etc/nginx/conf.d/locations/*.conf;
- }
- dest: "{{ nginx_config_mountpoint }}/10_server.conf"
- notify: "restart nginx container"
-
-- file:
- name: "{{ nginx_config_mountpoint }}/{{ item }}"
- state: "directory"
- loop:
- - common
- - locations
- - locations-http
+ nginx_config_mountpoint: "{{ res_cnf.volume.Mountpoint }}"
+ nginx_location_mountpoint: "{{ res_loc.volume.Mountpoint }}"
+ nginx_webroot_mountpoint: "{{ res_web.volume.Mountpoint }}"
+ nginx_ssl_mountpoint: "{{ res_ssl.volume.Mountpoint }}"
+ nginx_config_volume: "{{ lookup('vars','nginx_config_volume') }}"
+ nginx_webroot_volume: "{{ lookup('vars','nginx_webroot_volume') }}"
+ nginx_ssl_volume: "{{ lookup('vars','nginx_ssl_volume') }}"
+ nginx_location_volume: "{{ lookup('vars','nginx_location_volume') }}"
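Review bot: The `loop` in the copy task names `dhparam.pem` and `default.conf`, but the files this commit adds are `files/dhparams.pem` and `files/default_ssl.conf` (the names the Dockerfile `ADD`s), so the copy fails before the image is ever built; change the two entries to `- dhparams.pem` and `- default_ssl.conf`. The container task also never mounts `nginx_location_volume`, even though the volume is inspected and exported as `nginx_location_mountpoint` and `default_ssl.conf` includes `locations/*.conf` from `/etc/nginx/locations/`, so location snippets written to that volume are invisible to nginx; add `- "{{ nginx_location_volume }}:/etc/nginx/locations/"` to `volumes`. The four trailing `set_fact` entries that assign each `*_volume` to `lookup('vars', ...)` of itself read as no-ops; if the intent is to promote the role defaults to host facts for later plays, a comment saying so would spare the next reader the same puzzle.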