Refactor NGINX stream templates (#217)
alessfg committed Feb 7, 2022
1 parent f35c383 commit 01e544b
Showing 12 changed files with 728 additions and 188 deletions.
22 changes: 20 additions & 2 deletions CHANGELOG.md
Expand Up @@ -4,7 +4,25 @@

BREAKING CHANGES:

Remove parameters deprecated in release `0.4.0`. To recap, these are `nginx_config_main_upload_*`, `nginx_config_upload_html_*`, and `nginx_config_stream_upload_*`. Use `nginx_config_upload` instead.
* Remove parameters deprecated in release `0.4.0`. To recap, these are `nginx_config_main_upload_*`, `nginx_config_upload_html_*`, and `nginx_config_stream_upload_*`. Use `nginx_config_upload` instead.
* Refactor all the `stream` Jinja2 templates!:
* Each NGINX module is now contained within its own templating file. Macros are then used, in turn, to import each respective module template into a top level template file.
* This avoids confusing and unnecessary code duplication, as well as hard to maintain code.
* You will notice that the overall structure of your NGINX config now follows a very simple dictionary structure where each top level key corresponds to an NGINX module. Top level lists are used when dealing with `servers`:

```yaml
core:
root: /usr/share/nginx/html
proxy:
set_header: []
servers:
- core: {}
proxy: {}
```

* Check [`defaults/main/template.yml`](https://github.com/nginxinc/ansible-role-nginx-config/blob/main/defaults/main/template.yml) and [`molecule/default/converge.yml`](https://github.com/nginxinc/ansible-role-nginx-config/blob/main/molecule/default/converge.yml) for examples!
* These changes follow in the footsteps of the `http` Jinja2 refactor introduced in the `0.4.0` release. If you want more information on how to port your `stream` configurations, the release notes/changelog for `0.4.0` are a good place to start.
* Replace `conf_file_name` and `conf_file_location` with `deployment_location` inside `nginx_config_stream_template`.

FEATURES:

Expand Down Expand Up @@ -54,7 +72,7 @@ General updates:

Template engine updates:

* Refactor all the Jinja2 templates!:
* Refactor all the `http` Jinja2 templates!:
* Each NGINX module is now contained within its own templating file. Macros are then used, in turn, to import each respective module template into a top level template file.
* This avoids confusing and unnecessary code duplication, as well as hard to maintain code.
* You will notice that the overall structure of your NGINX config now follows a very simple dictionary structure where each top level key corresponds to an NGINX module. Top level lists are used when dealing with `servers` and `locations`:
2 changes: 1 addition & 1 deletion molecule/common/requirements/oss_requirements.yml
@@ -1,4 +1,4 @@
---
roles:
- name: nginxinc.nginx
version: 0.21.3
version: 0.22.0
6 changes: 4 additions & 2 deletions molecule/common/requirements/plus_requirements.yml
@@ -1,6 +1,8 @@
---
roles:
- name: nginxinc.nginx
version: 0.21.3
version: 0.22.0
- name: nginxinc.nginx_app_protect
version: 0.7.0
# version: 0.7.0
src: https://github.com/nginxinc/ansible-role-nginx-app-protect
version: bf514e6
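Review bot: The `nginxinc.nginx_app_protect` role is now fetched from a git `src` and pinned at `version: bf514e6`, and a 7-character abbreviated hash is not a stable pin: it is resolved by git at install time against whatever the repository then contains, and a prefix can become ambiguous as history grows, at which point installs fail or resolve differently. Pin the full 40-character commit hash instead, e.g. `version: <full-40-char-sha>  # post-0.7.0 fix, tracked until the next release`, so the requirement stays reproducible and the commented-out `# version: 0.7.0` line is not the only hint of which release this is meant to track. I cannot tell from this hunk whether the git source is also pinned in the plus molecule scenario that consumes it, so the same check applies wherever this file is mirrored.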
150 changes: 118 additions & 32 deletions molecule/default/converge.yml
Expand Up @@ -75,7 +75,7 @@
- /etc/nginx/conf.d/backend/*.conf
stream:
include:
- /etc/nginx/conf.d/stream/*.conf
- /etc/nginx/conf.d/streams/*.conf

nginx_config_status_enable: true
nginx_config_status_backup: true
Expand All @@ -100,8 +100,12 @@
servers:
- address: 0.0.0.0:8081
weight: 1
max_conns: 100
max_fails: 3
fail_timeout: 5s
backup: false
down: false
resolve: false
- name: backend_servers
zone:
name: backend_mem_zone
Expand Down Expand Up @@ -677,34 +681,116 @@
nginx_config_stream_template_enable: true
nginx_config_stream_template:
- template_file: stream/default.conf.j2
conf_file_name: stream_default.conf
conf_file_location: /etc/nginx/conf.d/stream
backup: true
network_streams:
- listen:
- ip: 0.0.0.0
port: 9090
opts:
- udp
proxy_pass: backend
proxy_timeout: 3s
proxy_connect_timeout: 1s
proxy_protocol: false
health_check_plus: false
upstreams:
- name: backend
lb_method: least_conn
zone_name: backend
zone_size: 64k
sticky_cookie: false
servers:
- address: 0.0.0.0
port: 9091
weight: 1
health_check: max_fails=1 fail_timeout=10s
- address: 0.0.0.0
port: 9092
down: true
- address: 0.0.0.0
port: 9083
backup: true
deployment_location: /etc/nginx/conf.d/streams/stream_default.conf
config:
upstreams:
- name: stream_upstream
zone:
name: stream_zone
size: 64k
least_conn: true
servers:
- address: 0.0.0.0:9091
weight: 1
max_conns: 100
max_fails: 3
fail_timeout: 5s
backup: false
down: false
resolve: false
core:
preread_buffer_size: 16k
preread_timeout: 30s
proxy_protocol_timeout: 30s
resolver_timeout: 30s
tcp_nodelay: true
variables_hash_bucket_size: 64
variables_hash_max_size: 1024
ssl:
alpn: http/1.1
certificate: /etc/ssl/certs/molecule.crt
certificate_key: /etc/ssl/private/molecule.key
ciphers:
- HIGH
- "!aNull"
- "!MD5"
conf_command: Protocol TLSv1.2
ecdh_curve: auto
handshake_timeout: 60s
prefer_server_ciphers: false
protocols:
- TLSv1
- TLSv1.1
- TLSv1.2
session_cache:
builtin:
enable: true
size: 20480
session_tickets: true
session_timeout: 5m
verify_client: false
verify_depth: 1
proxy:
bind: false
buffer_size: 4k
connect_timeout: 60s
download_rate: 0
half_close: false
next_upstream: true
next_upstream_timeout: 0
next_upstream_tries: 0
protocol: false
requests: 0
responses: 0
# session_drop: false # Only NGINX Plus
ssl: false
ssl_certificate: /etc/ssl/certs/molecule.crt
ssl_certificate_key: /etc/ssl/private/molecule.key
ssl_ciphers: HIGH
ssl_conf_command:
- Protocol TLSv1.2
ssl_name: $hostname
ssl_protocols: TLSv1.2
ssl_server_name: false
ssl_session_reuse: true
ssl_verify: false
ssl_verify_depth: 1
timeout: 10m
upload_rate: 0
log:
access:
- path: /var/log/nginx/access_stream.log
format: main
buffer: 1m
gzip: 5
flush: 10h
if: $status
format:
- name: main
format: |
'$remote_addr - [$time_local] $status '
error_log:
file: /var/log/nginx/error_stream.log
level: notice
open_log_file_cache:
max: 1000
inactive: 20s
min_uses: 2
valid: 1m
servers:
- core:
listen:
- address: 0.0.0.0
port: 9090
ssl: false
proxy_protocol: false
fastopen: 12
backlog: 511
rcvbuf: 512
sndbuf: 512
bind: false
ipv6only: false
reuseport: false
so_keepalive: false
proxy:
pass: stream_upstream
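Review bot: The `ssl.ciphers` entry `- "!aNull"` most likely does not exclude anonymous suites: OpenSSL matches cipher-string aliases case-sensitively and the alias is spelled `aNULL`, and an unrecognised keyword is skipped rather than rejected, so the rendered `HIGH:!aNull:!MD5` would still admit the anonymous suites that `HIGH` contains. Use `- "!aNULL"` here (the NGINX default cipher string is `HIGH:!aNULL:!MD5`); the same entry appears in the `ssl` block of molecule/plus/converge.yml. The `ssl.protocols` list also enables `TLSv1` and `TLSv1.1` even though the `conf_command: Protocol TLSv1.2` line just above suggests only 1.2 was intended, and since the CHANGELOG points users at this file as the reference example, listing only `- TLSv1.2` (plus `TLSv1.3` where the build supports it) is the safer thing for them to copy. The vars block that encloses `nginx_config_stream_template` starts outside the hunk.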
172 changes: 142 additions & 30 deletions molecule/plus/converge.yml
Expand Up @@ -599,33 +599,145 @@
nginx_config_stream_template_enable: true
nginx_config_stream_template:
- template_file: stream/default.conf.j2
conf_file_name: stream_default.conf
conf_file_location: /etc/nginx/conf.d/stream
network_streams:
- listen:
- ip: 0.0.0.0
port: 9090
opts:
- udp
proxy_pass: backend
proxy_timeout: 3s
proxy_connect_timeout: 1s
proxy_protocol: false
health_check_plus: false
upstreams:
- name: backend
lb_method: least_conn
zone_name: backend
zone_size: 64k
sticky_cookie: false
servers:
- address: 0.0.0.0
port: 9091
weight: 1
health_check: max_fails=1 fail_timeout=10s
- address: 0.0.0.0
port: 9092
down: true
- address: 0.0.0.0
port: 9093
backup: true
deployment_location: /etc/nginx/conf.d/streams/stream_default.conf
config:
upstreams:
- name: stream_upstream
zone:
name: stream_zone
size: 64k
least_conn: true
servers:
- address: 0.0.0.0:9091
weight: 1
max_conns: 100
max_fails: 3
fail_timeout: 5s
backup: false
down: false
resolve: false
core:
preread_buffer_size: 16k
preread_timeout: 30s
proxy_protocol_timeout: 30s
resolver_timeout: 30s
tcp_nodelay: true
variables_hash_bucket_size: 64
variables_hash_max_size: 1024
ssl:
alpn: http/1.1
certificate: /etc/ssl/certs/molecule.crt
certificate_key: /etc/ssl/private/molecule.key
ciphers:
- HIGH
- "!aNull"
- "!MD5"
conf_command: Protocol TLSv1.2
ecdh_curve: auto
handshake_timeout: 60s
prefer_server_ciphers: false
protocols:
- TLSv1
- TLSv1.1
- TLSv1.2
session_cache:
builtin:
enable: true
size: 20480
session_tickets: true
session_timeout: 5m
verify_client: false
verify_depth: 1
proxy:
bind: false
buffer_size: 4k
connect_timeout: 60s
download_rate: 0
half_close: false
next_upstream: true
next_upstream_timeout: 0
next_upstream_tries: 0
protocol: false
requests: 0
responses: 0
session_drop: false
ssl: false
ssl_certificate: /etc/ssl/certs/molecule.crt
ssl_certificate_key: /etc/ssl/private/molecule.key
ssl_ciphers: HIGH
ssl_conf_command:
- Protocol TLSv1.2
ssl_name: $hostname
ssl_protocols: TLSv1.2
ssl_server_name: false
ssl_session_reuse: true
ssl_verify: false
ssl_verify_depth: 1
timeout: 10m
upload_rate: 0
health_check:
match:
- name: nginx_stream
conditions:
- status 200
timeout: 60s
keyval:
keyvals:
- key: $arg_text
variable: $text
zone: key_stream
zones:
- name: key_stream
size: 10m
state: /var/lib/nginx/state/key.keyval
timeout: 2h
type: string
sync: false
log:
access:
- path: /var/log/nginx/access_stream.log
format: main
buffer: 1m
gzip: 5
flush: 10h
if: $status
format:
- name: main
format: |
'$remote_addr - [$time_local] $status '
error_log:
file: /var/log/nginx/error_stream.log
level: notice
open_log_file_cache:
max: 1000
inactive: 20s
min_uses: 2
valid: 1m
servers:
- core:
listen:
- address: 0.0.0.0
port: 9090
ssl: false
proxy_protocol: false
fastopen: 12
backlog: 511
rcvbuf: 512
sndbuf: 512
bind: false
ipv6only: false
reuseport: false
so_keepalive: false
proxy:
pass: stream_upstream
health_check:
health_checks:
- interval: 5
jitter: 0
fails: 1
passes: 1
uri: /
mandatory: false
persistent: false
match: nginx_stream
udp: true
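Review bot: The stream health-check example carries two http-only settings: `uri: /` under `health_checks` and `- status 200` under `match.conditions`. The NGINX Plus stream `health_check` directive accepts `interval`, `jitter`, `fails`, `passes`, `mandatory`, `persistent`, `match`, `port` and `udp` but no `uri`, and a stream `match` block takes only `send` and `expect` directives, so unless the stream template translates or drops these keys the rendered config is rejected by `nginx -t`. I cannot see the stream templates in this hunk to tell which happens; if they are passed through, drop `uri: /` and replace the condition with a stream-style pair such as `- send "..."` / `- expect ~ "..."`, and if they are silently dropped, a comment in the template saying so would save the next reader the same question. The `health_check` mapping's indentation is lost in this rendering, so where `udp: true` attaches is also worth confirming in the source.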
