From 193460891fb8992082a35734617cfdadd4d586f9 Mon Sep 17 00:00:00 2001
From: Pablo Castillo
Date: Wed, 15 Apr 2015 15:55:15 -0700
Subject: [PATCH] Updated Nginx Role: * Updated Passenger: * Adding native support to Passenger config * Passenger Config * Adding log variable * Changing "switching user" passenger variable to on * Added Passenger log file variable * Updated SSL: * Updating task names to better describe what the current task * Updated SSL configuration * Added task to check for dhparam cert creation * Added task to create dhparam cert * Added security against Logjam
---
 circle.yml | 2 +-
 defaults/main.yml | 24 ++++++++++------------
 handlers/main.yml | 4 ----
 meta/main.yml | 2 +-
 tasks/custom.yml | 10 +++++-----
 tasks/main.yml | 40 ++++++++++++++++++++-----------------
 tasks/passenger.yml | 17 +++++++++-------
 tasks/ssl.yml | 16 +++++++++------
 tasks/sudoers.yml | 12 +++++++----
 templates/nginx.conf.j2 | 15 +++++++++++---
 templates/passenger.conf.j2 | 9 +++++----
 11 files changed, 85 insertions(+), 66 deletions(-)
 delete mode 100644 handlers/main.yml
diff --git a/circle.yml b/circle.yml
index ad6437f..a980c64 100644
--- a/circle.yml
+++ b/circle.yml
@@ -31,4 +31,4 @@ test:
 timeout: 900
 # Idempotence Test
- - "ansible-playbook -i tests/inventory tests/test.yml | grep -q 'changed=3.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && exit 1)"
+ - "ansible-playbook -i tests/inventory tests/test.yml | grep -q 'changed=6.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && exit 1)"
diff --git a/defaults/main.yml b/defaults/main.yml
index bd66515..a67029c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,21 +1,19 @@
 ---
 app_name: test
 app_path: /srv/test/public
+app_user: ubuntu
+app_group: ubuntu
+server_env: production
 ssl: 'false'
 passenger: 'true'
 updates: 'true'
 custom: 'true'
-nginx:
- version: 1.6.2
- upstream_port: 5000
- ssl_cert:
- crt: ""
- key: ""
- passenger:
- version: 5.0.6
- prestart: http://test.com
-app:
- user: ubuntu
- group: ubuntu
+nginx_version: 1.6.2
+nginx_upstream_port: 5000
+nginx_ssl_cert:
+nginx_crt: ""
+nginx_key: ""
+nginx_passenger_version: 5.0.6
+nginx_passenger_prestart: http://test.com
+nginx_passenger_log_file: "{{ app_path }}/log.log"
 domains: test.com
-server_env: production
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
deleted file mode 100644
index 0b1c784..0000000
--- a/handlers/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- name: restart nginx
- service: name=nginx state=restarted
- sudo: yes
\ No newline at end of file
diff --git a/meta/main.yml b/meta/main.yml
index a63e6d8..77abd73 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -15,4 +15,4 @@ galaxy_info:
 - web
 - system
 dependencies: []
-version: 1.0.0
+version: 2.0.0
diff --git a/tasks/custom.yml b/tasks/custom.yml
index 3101965..1b219a4 100644
--- a/tasks/custom.yml
+++ b/tasks/custom.yml
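Review bot: The new default `nginx_passenger_log_file: "{{ app_path }}/log.log"` places the Passenger log inside `app_path`, which this same file defaults to the site's `public` document root, so once `templates/passenger.conf.j2` points `passenger_log_file` at it (now at `passenger_log_level 3`) the log is served to anyone who requests `/log.log`, assuming the vhost roots at `app_path` as its name suggests. Default it outside the web root instead, e.g. `nginx_passenger_log_file: /var/log/nginx/passenger.log`. Separately, these defaults declare `nginx_crt` / `nginx_key`, while the new `tasks/ssl.yml` reads `{{ nginx_ssl_crt }}` / `{{ nginx_ssl_key }}`, so the certificate and key copy tasks fail on an undefined variable unless the caller happens to set the other names; rename the defaults to match. The bare `nginx_ssl_cert:` key is a `null` left over from the old nested layout and should be removed.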
@@ -1,23 +1,23 @@
 ---
-- name: Create Sites Enabled Directory
+- name: Custom | Create Sites Enabled Directory
 file: path=/etc/nginx/sites-enabled state=directory owner=root group=root
 sudo: yes
-- name: Apply defaultserver conf file
+- name: Custom | Apply defaultserver conf file
 template: src=defaultserver.j2 dest=/etc/nginx/sites-enabled/zzzzzdefaultserver owner=root group=root
 sudo: yes
-- name: Apply site conf file
+- name: Custom | Apply site conf file
 template: src=site.com.j2 dest=/etc/nginx/sites-enabled/{{ app_name }} owner=root group=root
 sudo: yes
 when: passenger == "false"
-- name: Apply Passenger site conf file
+- name: Custom | Apply Passenger site conf file
 template: src=passenger.site.j2 dest=/etc/nginx/sites-enabled/{{ app_name }} owner=root group=root
 sudo: yes
 when: passenger == "true"
-- name: Custom Config template placement
+- name: Custom | Custom Config template placement
 template: src=passenger.conf.j2 dest=/etc/nginx/conf.d/passenger.conf owner=root group=root
 sudo: yes
 when: passenger == "true"
diff --git a/tasks/main.yml b/tasks/main.yml
index 8a07c49..ccc9f8f 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,15 +1,15 @@
 ---
 - name: Check if installed
- shell: /usr/bin/test `nginx -v 2>&1 | grep "nginx" | awk '{gsub("nginx/","",$3); print $3}'` = {{ nginx.version }} && echo True
+ shell: /usr/bin/test `nginx -v 2>&1 | grep "nginx" | awk '{gsub("nginx/","",$3); print $3}'` = {{ nginx_version }} && echo True
 register: result
 ignore_errors: yes
 - name: Take Ownership of /opt
- file: path=/opt/ owner={{ app.user }} group={{ app.group }} recurse=yes state=directory
+ file: path=/opt/ owner={{ app_user }} group={{ app_group }} recurse=yes state=directory
 sudo: yes
 when: result|failed
-- name: Install dependancies
+- name: Install Dependancies
 action: apt pkg={{ item }} state=present
 sudo: yes
 when: result|failed
@@ -25,61 +25,65 @@
 - zlib1g-dev
 - name: Download Source
- get_url: url=http://nginx.org/download/nginx-{{ nginx.version }}.tar.gz dest=/opt/
+ get_url: url=http://nginx.org/download/nginx-{{ nginx_version }}.tar.gz dest=/opt/
 when: result|failed
 - name: Unzip Nginx Tar
- unarchive: src=/opt/nginx-{{ nginx.version }}.tar.gz dest=/opt copy=no group={{ app.group }} owner={{ app.user }}
+ unarchive: src=/opt/nginx-{{ nginx_version }}.tar.gz dest=/opt copy=no group={{ app_group }} owner={{ app_user }}
 when: result|failed
 - name: Download Third Party modules
- get_url: url=http://www.dropbox.com/s/e3n2lin6dvqlaos/modules.tar.gz?dl=1 dest=/opt/nginx-{{ nginx.version }}
+ get_url: url=http://www.dropbox.com/s/e3n2lin6dvqlaos/modules.tar.gz?dl=1 dest=/opt/nginx-{{ nginx_version }}
 when: result|failed
 - name: Unzip Modules
- unarchive: src=/opt/nginx-{{ nginx.version }}/modules.tar.gz dest=/opt/nginx-{{ nginx.version }} copy=no group={{ app.group }} owner={{ app.user }}
+ unarchive: src=/opt/nginx-{{ nginx_version }}/modules.tar.gz dest=/opt/nginx-{{ nginx_version }} copy=no group={{ app_group }} owner={{ app_user }}
 when: result|failed
 - include: passenger.yml
 when: passenger == "true"
 - name: Change Directory & Configure
- shell: ./configure --user=www-data --group=www-data --prefix=/opt/nginx --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/run/nginx.lock --pid-path=/var/run/nginx.pid --with-http_geoip_module --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=modules/ngx_http_auth_pam_module-1.2 --add-module=modules/echo-nginx-module-0.51 --add-module=modules/nginx-upstream-fair --add-module=modules/nginx-dav-ext-module-0.0.3 chdir=/opt/nginx-{{ nginx.version }}
+ shell: ./configure --user=www-data --group=www-data --prefix=/opt/nginx --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/run/nginx.lock --pid-path=/var/run/nginx.pid --with-http_geoip_module --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=modules/ngx_http_auth_pam_module-1.2 --add-module=modules/echo-nginx-module-0.51 --add-module=modules/nginx-upstream-fair --add-module=modules/nginx-dav-ext-module-0.0.3 chdir=/opt/nginx-{{ nginx_version }}
 when: result|failed
 when: passenger == "false"
 - name: Make
- shell: /usr/bin/make chdir=/opt/nginx-{{ nginx.version }}/
+ shell: /usr/bin/make chdir=/opt/nginx-{{ nginx_version }}/
 sudo: yes
 when: result|failed
 - name: Make Install
- shell: /usr/bin/make install chdir=/opt/nginx-{{ nginx.version }}/
+ shell: /usr/bin/make install chdir=/opt/nginx-{{ nginx_version }}/
 sudo: yes
 when: result|failed
-- name: copy init.d configuration file
+- name: Copy Upstart Configuration File
 copy: src=nginx_upstart.conf dest=/etc/init/nginx.conf
 sudo: yes
 when: result|failed
-- name: Create conf.d Directory
+- name: Create Conf.d Directory
 file: path=/etc/nginx/conf.d state=directory owner=root group=root
 sudo: yes
- when: result|failed
-- name: Custom Config template placement
+- include: ssl.yml
+ when: ssl == "true"
+
+- name: Copy Nginx Configuration Template
 template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf owner=root group=root
 sudo: yes
- when: result|failed
-- name: Move config files to server
+- name: Copy Logrotate Configuration File
 copy: src=nginx dest=/etc/logrotate.d/nginx
 sudo: yes
- when: result|failed
 - include: custom.yml
 when: custom == "true"
+- name: restart nginx
+ service: name=nginx state=restarted
+ sudo: yes
+
 - include: ssl.yml
- when: ssl == "true"
\ No newline at end of file
+ when: ssl == "true"
diff --git a/tasks/passenger.yml b/tasks/passenger.yml
index 24757f2..c4e0e28 100644
--- a/tasks/passenger.yml
+++ b/tasks/passenger.yml
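Review bot: `ssl.yml` is included twice on the new side of this hunk — the newly added `- include: ssl.yml` ahead of the nginx.conf template and the original include that is still at the end of the file — so the whole SSL task list, including the `openssl dhparam` generation, runs twice per play; keep only the earlier one. The new `restart nginx` task is unconditional, so nginx is bounced on every run (and before the trailing `ssl.yml` include has rewritten the vhost), which is what forced the idempotence threshold in `circle.yml` from `changed=3` up to `changed=6`; it would be better expressed as the handler this commit deletes, with `notify: restart nginx` on the nginx.conf, logrotate and vhost tasks. Not touched by the commit but visible as context: the `Change Directory & Configure` task carries two `when:` keys, and YAML keeps only the last one, so the `result|failed` guard on that configure step is silently lost.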
@@ -1,15 +1,18 @@
 ---
-- name: Download Passenger modules
- get_url: url=https://codeload.github.com/phusion/passenger/tar.gz/release-{{ nginx.passenger.version }} dest=/opt/passenger.tar.gz
+- name: Passenger | Download Passenger modules
+ get_url: url=https://codeload.github.com/phusion/passenger/tar.gz/release-{{ nginx_passenger_version }} dest=/opt/passenger.tar.gz
-- name: Unzip Passenger Tar
+- name: Passenger | Unzip Passenger Tar
 unarchive: src=/opt/passenger.tar.gz dest=/opt/ copy=no
 - include: sudoers.yml
-- name: Change Directory & Configure Passenger
- shell: ./configure --user=www-data --group=www-data --prefix=/opt/nginx --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/run/nginx.lock --pid-path=/var/run/nginx.pid --with-http_geoip_module --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=modules/ngx_http_auth_pam_module-1.2 --add-module=modules/echo-nginx-module-0.51 --add-module=modules/nginx-upstream-fair --add-module=modules/nginx-dav-ext-module-0.0.3 --add-module=/opt/passenger/ext/nginx chdir=/opt/nginx-{{ nginx.version }}
+- name: Passenger | Change Directory & Configure Passenger
+ shell: ./configure --user=www-data --group=www-data --prefix=/opt/nginx --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/run/nginx.lock --pid-path=/var/run/nginx.pid --with-http_geoip_module --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=modules/ngx_http_auth_pam_module-1.2 --add-module=modules/echo-nginx-module-0.51 --add-module=modules/nginx-upstream-fair --add-module=modules/nginx-dav-ext-module-0.0.3 --add-module=/opt/passenger/ext/nginx chdir=/opt/nginx-{{ nginx_version }}
-- name: Create Sites Enabled Directory
+- name: Passenger | Create Sites Enabled Directory
 file: path=/etc/nginx/sites-enabled state=directory owner=root group=root
- sudo: yes
\ No newline at end of file
+ sudo: yes
+
+- name: Passenger | Build Native Support
+ command: /opt/passenger/bin/passenger-config build-native-support
diff --git a/tasks/ssl.yml b/tasks/ssl.yml
index c6e886f..e3c5989 100644
--- a/tasks/ssl.yml
+++ b/tasks/ssl.yml
@@ -1,17 +1,21 @@
 ---
-- name: Create SSL directory
+- name: SSL | Create SSL directory
 file: path=/etc/nginx/ssl/ state=directory owner=root group=root
 sudo: yes
-- name: Apply ssl site conf file
+- name: SSL | Apply SSL VHOST file
 template: src=passenger.ssl.site.j2 dest=/etc/nginx/sites-enabled/{{ app_name }} owner=root group=root
 sudo: yes
 when: passenger == "true"
-- name: Copy SSL Certs to server
- copy: src={{ nginx.ssl_cert.crt }} dest=/etc/nginx/ssl/ owner=root group=root force=yes
+- name: SSL | Copy SSL Certs to server
+ copy: src={{ nginx_ssl_crt }} dest=/etc/nginx/ssl/ owner=root group=root force=yes
 sudo: yes
-- name: Copy SSL Certs to server
- copy: src={{ nginx.ssl_cert.key }} dest=/etc/nginx/ssl/ owner=root group=root force=yes
+- name: SSL | Copy SSL Certs to server
+ copy: src={{ nginx_ssl_key }} dest=/etc/nginx/ssl/ owner=root group=root force=yes
+ sudo: yes
+
+- name: SSL | Create DHPARAM cert
+ command: openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048
 sudo: yes
diff --git a/tasks/sudoers.yml b/tasks/sudoers.yml
index 37cf116..d889a73 100644
--- a/tasks/sudoers.yml
+++ b/tasks/sudoers.yml
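Review bot: `Passenger | Build Native Support` runs `passenger-config build-native-support` on every play with no `creates=` argument and no `changed_when`, so it always reports changed and rebuilds the native extension each run, adding to the non-idempotent `changed` count the commit had to raise in `circle.yml`. Guard it with the directory the build produces, `command: /opt/passenger/bin/passenger-config build-native-support creates=<NATIVE_SUPPORT_OUTPUT_DIR — confirm from passenger-config>`, or add `changed_when: false` if the command is a safe no-op when already built. It is also the only task in this file that runs without `sudo`, which is presumably intended but worth a comment so the ownership of the built artefact is not accidental.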
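Review bot: `SSL | Create DHPARAM cert` regenerates `/etc/nginx/ssl/dhparam2048.pem` on every play because the `command` has no `creates=` guard — the commit message promises a "task to check for dhparam cert creation", but nothing of the sort is in this hunk; write it as `command: openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048 creates=/etc/nginx/ssl/dhparam2048.pem`. The private-key copy a few lines above sets owner and group but no `mode=`, so the key lands in `/etc/nginx/ssl/` with whatever mode the module defaults to, typically world-readable; add `mode=0600` to the `copy: src={{ nginx_ssl_key }} …` line (the certificate copy can stay as is). The two copy tasks also now share the name `SSL | Copy SSL Certs to server`; naming the second `SSL | Copy SSL Key to server` keeps play output unambiguous.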
@@ -1,11 +1,15 @@
 ---
 - name: Symlink Passenger directory
- file: src=/opt/passenger-release-{{ nginx.passenger.version }} path=/opt/passenger state=link
+ file: src=/opt/passenger-release-{{ nginx_passenger_version }} path=/opt/passenger state=link
-- name: Copy passenger-path file
+- name: Sudoers | Copy passenger-path file
 copy: src=passenger-path.sh dest=/etc/profile.d/passenger-path.sh owner=root group=root
 sudo: yes
-- name: Copy Sudoers template
+- name: Sudoers | Copy Sudoers template
 copy: src=sudoers dest=/etc/sudoers owner=root group=root validate='visudo -cf %s'
- sudo: yes
\ No newline at end of file
+ sudo: yes
+
+- name: Restart ssh
+ service: name=ssh state=restarted
+ sudo: yes
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
index 712f255..ac9559e 100644
--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
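Review bot: The new `Restart ssh` task is unconditional and nothing in this hunk touches sshd's configuration, so every play restarts the SSH daemon on the target for no visible reason and adds another always-changed task to the idempotence count. If a restart is genuinely needed (for example because `/etc/sudoers` or `/etc/profile.d/passenger-path.sh` must be picked up by new sessions — neither requires it, as far as the hunk shows), make it a handler and `notify` it from the task that actually changes sshd; otherwise drop it. For consistency with the other tasks in this file, the name would be `Sudoers | Restart ssh`.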
@@ -56,14 +56,23 @@ http {
 # don’t use SSLv3 ref: POODLE
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
- ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
- ssl_session_cache shared:SSL:10m;
+ ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
+ ssl_session_cache builtin:1000 shared:SSL:10m;
 ssl_session_timeout 10m;
+ ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
+ ssl_stapling on;
+ ##
+ # Additional Headers
+ ##
+
+ add_header "X-UA-Compatible" "IE=Edge";
+ add_header "X-SSL-Protocol" $ssl_protocol;
+ add_header Strict-Transport-Security "max-age=31536000;";
 ##
 # Virtual Host Configs & Extra NGINX features
 ##
 include /etc/nginx/conf.d/*.conf;
 include /etc/nginx/sites-enabled/*;
-}
\ No newline at end of file
+}
diff --git a/templates/passenger.conf.j2 b/templates/passenger.conf.j2
index 3b2d58b..17d7d1f 100644
--- a/templates/passenger.conf.j2
+++ b/templates/passenger.conf.j2
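Review bot: The three `add_header` directives added at `http` level silently disappear from any `server` or `location` block that declares an `add_header` of its own, because nginx inherits `add_header` only when the current level has none; if the vhost templates in this role add any per-site header, the HSTS header will be missing exactly where TLS is served. Set `Strict-Transport-Security` in the SSL vhost template next to whatever headers it already adds, or restate the full header set at every level that adds one. The HSTS value `"max-age=31536000;"` carries a stray trailing semicolon inside the quotes; write `add_header Strict-Transport-Security "max-age=31536000";`. `ssl_stapling on;` is turned on without `ssl_stapling_verify on;`, `ssl_trusted_certificate` or a `resolver`, none of which appear in this hunk — unless they are set elsewhere in the template, nginx cannot resolve or validate the OCSP responder and stapling becomes a logged warning rather than a protection. `X-SSL-Protocol` advertises the negotiated protocol to every client for no defensive benefit and can be dropped.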
@@ -7,10 +7,11 @@
 passenger_max_pool_size 15;
 passenger_min_instances 1;
 passenger_pool_idle_time 300;
- passenger_log_level 2;
+ passenger_log_level 3;
+ passenger_log_file {{ nginx_passenger_log_file }};
 passenger_user deploy;
 passenger_group deploy;
- passenger_user_switching off;
- passenger_pre_start {{ nginx.passenger.prestart }};
+ passenger_user_switching on;
+ passenger_pre_start {{ nginx_passenger_prestart }};
 passenger_instance_registry_dir /tmp;
- passenger_app_env {{ server_env }};
\ No newline at end of file
+ passenger_app_env {{ server_env }};