How to best convert existing nginx config to ansible-role-nginx vars-model? #227

Closed
tobiasehlert opened this issue Feb 24, 2020 · 8 comments

@tobiasehlert

What am I looking for?

Is there any documentation anywhere on how to convert existing nginx configurations so that they can be delivered by this role?

I would, for example, like to have an example of how to do this with this role.. I haven't even been close yet 😄

/etc/nginx/sites-available/example.com.conf

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name www.example.com;
	set $base /var/www/example.com;
	root $base/public;

	# SSL
	ssl_certificate /etc/nginx/ssl/example.com.crt;
	ssl_certificate_key /etc/nginx/ssl/example.com.key;

	# security
	include nginxconfig.io/security.conf;

	# logging
	access_log /var/log/nginx/example.com.access.log;
	error_log /var/log/nginx/example.com.error.log warn;

	# index.php
	index index.php;

	# index.php fallback
	location / {
		try_files $uri $uri/ /index.php?$query_string;
	}

	# handle .php
	location ~ \.php$ {
		include nginxconfig.io/php_fastcgi.conf;
	}

	# additional config
	include nginxconfig.io/general.conf;
}

# non-www, subdomains redirect
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name .example.com;

	# SSL
	ssl_certificate /etc/nginx/ssl/example.com.crt;
	ssl_certificate_key /etc/nginx/ssl/example.com.key;

	return 301 https://www.example.com$request_uri;
}

# HTTP redirect
server {
	listen 80;
	listen [::]:80;

	server_name .example.com;

	return 301 https://www.example.com$request_uri;
}

/etc/nginx/nginxconfig.io/php_fastcgi.conf

# 404
try_files $fastcgi_script_name =404;

# default fastcgi_params
include fastcgi_params;

# fastcgi settings
fastcgi_pass			unix:/var/run/php/php7.2-fpm.sock;
fastcgi_index			index.php;
fastcgi_buffers			8 16k;
fastcgi_buffer_size		32k;

# fastcgi params
fastcgi_param DOCUMENT_ROOT		$realpath_root;
fastcgi_param SCRIPT_FILENAME	$realpath_root$fastcgi_script_name;
fastcgi_param PHP_ADMIN_VALUE	"open_basedir=$base/:/usr/lib/php/:/tmp/";

/etc/nginx/nginx.conf

# Generated by nginxconfig.io
# https://www.digitalocean.com/community/tools/nginx#?0.domain=example.com&0.non_www=false&0.cert_type=custom&0.access_log_domain&0.error_log_domain&referrer_policy=origin-when-cross-origin

user www-data;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;

events {
	multi_accept on;
	worker_connections 65535;
}

http {
	charset utf-8;
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	server_tokens off;
	log_not_found off;
	types_hash_max_size 2048;
	client_max_body_size 16M;

	# MIME
	include mime.types;
	default_type application/octet-stream;

	# logging
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log warn;

	# SSL
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites
	ssl_dhparam /etc/nginx/dhparam.pem;

	# Mozilla Intermediate configuration
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

	# OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
	resolver_timeout 2s;

	# load configs
	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}

/etc/nginx/nginxconfig.io/security.conf

# security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# . files
location ~ /\.(?!well-known) {
	deny all;
}

/etc/nginx/nginxconfig.io/general.conf

# favicon.ico
location = /favicon.ico {
	log_not_found off;
	access_log off;
}

# robots.txt
location = /robots.txt {
	log_not_found off;
	access_log off;
}

# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
	expires 7d;
	access_log off;
}

# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
	add_header Access-Control-Allow-Origin "*";
	expires 7d;
	access_log off;
}

# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

I generated those configs using this tool:
https://www.digitalocean.com/community/tools/nginx#?0.domain=example.com&0.non_www=false&0.cert_type=custom&0.access_log_domain&0.error_log_domain&referrer_policy=origin-when-cross-origin

Best regards,
Tobias
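
A check worth running on this config before (or after) porting it, added here as an example and not part of the issue or of the role: a small Python parser that splices the nginxconfig.io includes back into the server block and computes which add_header directives each location actually emits. nginx inherits add_header into a level only when that level sets none of its own, so the Access-Control-Allow-Origin header in general.conf's svg/fonts location means those responses leave without the headers from security.conf, whether the files are uploaded as-is or rebuilt as role variables. The file contents below are trimmed, constructed copies of the ones posted above.

```python
import re
# Constructed, trimmed copies of the files from the issue; only add_header/location matter here.
FILES = {
    "sites-enabled/example.com.conf": r"""server {
    include nginxconfig.io/security.conf;   # security headers set at server level
    location / { try_files $uri $uri/ /index.php?$query_string; }
    include nginxconfig.io/general.conf;
}""",
    "nginxconfig.io/security.conf": r"""add_header X-Frame-Options "SAMEORIGIN" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
location ~ /\.(?!well-known) { deny all; }""",
    "nginxconfig.io/general.conf": r"""location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
    add_header Access-Control-Allow-Origin "*";   # the only add_header at this level
    expires 7d;
}""",
}

def tokenize(text):
    """Strip comments, then split into quoted strings, the punctuation { } ; and bare words."""
    return [t.strip("\"'") for t in re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+', re.sub(r"#[^\n]*", "", text))]

def parse(tokens, files, pos=0):
    """Parse up to the matching '}' into [(directive, args, children_or_None)], splicing includes found in `files`."""
    block = []
    while pos < len(tokens) and tokens[pos] != "}":
        end = next(i for i in range(pos, len(tokens)) if tokens[i] in ("{", ";"))
        words, children, pos = tokens[pos:end], None, end + 1
        if tokens[end] == "{":
            children, pos = parse(tokens, files, pos)
            pos += 1                                  # step over the '}'
        if words[0] == "include" and words[1] in files:
            block.extend(parse(tokenize(files[words[1]]), files)[0])
        else:
            block.append((words[0], words[1:], children))
    return block, pos

def effective_headers(block, inherited=(), ctx="server"):
    """nginx inherits add_header only into a level that sets none itself, so one add_header in a location drops the rest."""
    own = tuple(a[0] for n, a, _ in block if n == "add_header")
    result = {ctx: own or tuple(inherited)}
    for name, args, children in block:
        if name == "location":
            result.update(effective_headers(children, result[ctx], " ".join(args)))
    return result

def missing_headers(files, site, required):
    """Locations that would answer without a required header -> the headers they lack."""
    server = next(c for n, _, c in parse(tokenize(files[site]), files)[0] if n == "server")
    return {loc: sorted(set(required) - set(hs))
            for loc, hs in effective_headers(server).items() if set(required) - set(hs)}
```

Running `missing_headers(FILES, "sites-enabled/example.com.conf", ["X-Frame-Options", "Strict-Transport-Security"])` flags only the svg/fonts location; the fix is to repeat the security headers in that location (or move them into a shared include that every add_header-bearing location pulls in).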

@alessfg alessfg self-assigned this Feb 25, 2020
@alessfg alessfg added the documentation Improvements or additions to documentation label Feb 25, 2020
alessfg commented Feb 25, 2020

Hi @tobiasehlert!

You are not wrong that there are no "Here's how to convert your NGINX conf to be used with this role" guides. I never even thought about having one! That being said, it would make sense to have a couple of smallish sample-configuration-to-role-vars examples to at least set a starting point.

For now, if you can't manage to get the templates working, I would recommend looking at the option to push your files using the https://github.com/nginxinc/ansible-role-nginx/blob/master/defaults/main/upload.yml options. You may need to tweak some of your include statements to make sure that everything is correctly loaded within NGINX, but I do not expect any major issues.

@tobiasehlert (Author)

Hi @alessfg,

Well, I have come quite a way in translating all my nginx configurations in all the various places to work with this Ansible role.. so I will figure it out in the end.

The files where I find my things (even if it's not the easiest thing) are:

But yeah.. some more documentation should be helpful for others who are new to Ansible, I think 😄

PS. Do you want to keep the issue open, or is it ok for you to close it? I think you've added an item to your todo list for this.

Best regards,
Tobias

alessfg commented Feb 26, 2020

Better to keep the issue open until I have some time to improve the docs 😄

Migsi commented May 8, 2020

Also having issues converting an existing config to use the templates ^^"

What is the proper way to use "proxy_set_header" within "reverse_proxy"? I tried a lot of stuff, e.g.

proxy_set_header:
- a:
  name: "Host"
  value: "$host"
- b:
  name: "X-Real-IP"
  value: "$remote_addr"
- c:
  name: "X-Forwarded-For"
  value: "$proxy_add_x_forwarded_for"

and

proxy_set_header:
  - Host: "$host"
   - X-Real-IP: "$remote_addr"
   - X-Forwarded-For: "$proxy_add_x_forwarded_for"

and

proxy_set_header:
  - "proxy_set_header Host $host"
  - "proxy_set_header X-Real-IP $remote_addr"
  - "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for"

and

proxy_set_header:
  - { name: "Host", value: "$host" }
  - { name: "X-Real-IP", value: "$remote_addr" }
  - { name: "X-Forwarded-For", value: "$proxy_add_x_forwarded_for" }

but none of these worked. I'd appreciate a more detailed transition/overall documentation but would already be happy about a quick answer in here. ;)

alessfg commented May 8, 2020

You can find an example here https://github.com/nginxinc/ansible-role-nginx/blob/master/molecule/common/playbook_template.yml#L108

When in doubt, molecule playbooks are always a good first place to check for working examples 😄

Migsi commented May 9, 2020

Thank you a lot! Maybe it would be helpful to put a small hint about the molecule examples into the readme, so other less experienced people, like me, get that quicker. ;)

alessfg commented May 10, 2020

Yep definitely! I'll hopefully have something in place in the next few weeks 😁

@alessfg alessfg added this to the 0.15.0 milestone May 13, 2020
@alessfg alessfg modified the milestones: 0.15.0, 0.16.0 Jul 21, 2020
alessfg commented Jul 21, 2020

Quick update -- I've added links to the various Molecule playbook examples to the README. I might still circle back to include more detailed examples showing how to port smallish sample NGINX configurations to the role template variables, but for the time being I'm going with the sample Molecule playbooks since those are always warranted to work with the current version of the role.

@alessfg alessfg closed this as completed Jul 21, 2020