This module was migrated from James Fryman and Matthew Haughton to Vox Pupuli.
Please note: This module is undergoing some structural maintenance. You may experience breaking changes between minor versions.
This module manages NGINX configuration.
- Puppet 4.6.1 or later. Puppet 3 was supported up until release 0.6.0.
- apt is now a soft dependency. If your system uses apt, you'll need to configure an appropriate version of the apt module. Version 4.4.0 or higher is recommended because of the proper handling of `apt-transport-https`.
- [A Quickstart Guide to the NGINX Puppet Module][quickstart]

[quickstart]: https://github.com/voxpupuli/puppet-nginx/blob/master/docs/quickstart.md
```puppet
class { 'nginx': }

nginx::resource::server { 'kibana.myhost.com':
  listen_port => 80,
  proxy       => 'http://localhost:5601',
}
```
```puppet
nginx::resource::server { 'www.puppetlabs.com':
  www_root => '/var/www/www.puppetlabs.com',
}
```
```puppet
nginx::resource::upstream { 'puppet_rack_app':
  members => [
    'localhost:3000',
    'localhost:3001',
    'localhost:3002',
  ],
}

nginx::resource::server { 'rack.puppetlabs.com':
  proxy => 'http://puppet_rack_app',
}
```
```puppet
class { 'nginx':
  mail => true,
}

nginx::resource::mailhost { 'domain1.example':
  auth_http   => 'server2.example/cgi-bin/auth',
  protocol    => 'smtp',
  listen_port => 587,
  ssl_port    => 465,
  starttls    => 'only',
  xclient     => 'off',
  ssl         => true,
  ssl_cert    => '/tmp/server.crt',
  ssl_key     => '/tmp/server.pem',
}
```
By default, creating a server resource will only create a HTTP server. To also create a HTTPS (SSL-enabled) server, set `ssl => true` on the server. You will have a HTTP server listening on `listen_port` (port `80` by default) and a HTTPS server listening on `ssl_port` (port `443` by default). Both servers will have the same `server_name` and a similar configuration.

To create only a HTTPS server, set `ssl => true` and also set `listen_port` to the same value as `ssl_port`. Setting these to the same value disables the HTTP server. The resulting server will be listening on `ssl_port`.
Locations require specific settings depending on whether they should be included in the HTTP, HTTPS or both servers.

If you only have a HTTP server (i.e. `ssl => false` on the server) make sure you don't set `ssl => true` on any location you associate with the server.

If you set `ssl => true` and also set `listen_port` and `ssl_port` to different values on the server you will need to be specific with the location settings since you will have a HTTP server listening on `listen_port` and a HTTPS server listening on `ssl_port`:

- To add a location to only the HTTP server, set `ssl => false` on the location (this is the default).
- To add a location to both the HTTP and HTTPS server, set `ssl => true` on the location, and ensure `ssl_only => false` (which is the default value for `ssl_only`).
- To add a location only to the HTTPS server, set both `ssl => true` and `ssl_only => true` on the location.

If you have set `ssl => true` and also set `listen_port` and `ssl_port` to the same value on the server, you will have a single HTTPS server listening on `ssl_port`. To add a location to this server set `ssl => true` and `ssl_only => true` on the location.
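As an added example (not from the module's README), the location combinations described above on one mixed HTTP/HTTPS server, followed by an HTTPS-only server; the hostnames, certificate paths and backend addresses are placeholders:

```puppet
# Added example, not from the module README; hosts, paths and backends are placeholders.
class { 'nginx': }

# Mixed server: HTTP on listen_port (80) and HTTPS on ssl_port (443).
nginx::resource::server { 'mixed.example.com':
  listen_port => 80,
  ssl         => true,
  ssl_port    => 443,
  ssl_cert    => '/etc/ssl/certs/mixed.example.com.crt',
  ssl_key     => '/etc/ssl/private/mixed.example.com.key',
  www_root    => '/var/www/mixed.example.com',
}

# HTTP server only: ssl is left at its default (false).
nginx::resource::location { 'mixed_acme':
  server   => 'mixed.example.com',
  location => '/.well-known/acme-challenge/',
  www_root => '/var/www/acme',
}

# Both servers: ssl => true, ssl_only left at its default (false).
nginx::resource::location { 'mixed_static':
  server   => 'mixed.example.com',
  location => '/static/',
  ssl      => true,
  www_root => '/var/www/mixed.example.com',
}

# HTTPS server only: ssl => true and ssl_only => true.
nginx::resource::location { 'mixed_admin':
  server   => 'mixed.example.com',
  location => '/admin/',
  ssl      => true,
  ssl_only => true,
  proxy    => 'http://127.0.0.1:8080',
}

# HTTPS-only server: listen_port equals ssl_port, so no HTTP server is
# generated; any location added to it is declared like 'mixed_admin'.
nginx::resource::server { 'secure.example.com':
  listen_port => 443,
  ssl         => true,
  ssl_port    => 443,
  ssl_cert    => '/etc/ssl/certs/secure.example.com.crt',
  ssl_key     => '/etc/ssl/private/secure.example.com.key',
  proxy       => 'http://127.0.0.1:8081',
}
```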
Defining nginx resources in Hiera:

```yaml
nginx::nginx_upstreams:
  'puppet_rack_app':
    ensure: present
    members:
      - localhost:3000
      - localhost:3001
      - localhost:3002
nginx::nginx_servers:
  'www.puppetlabs.com':
    www_root: '/var/www/www.puppetlabs.com'
  'rack.puppetlabs.com':
    proxy: 'http://puppet_rack_app'
nginx::nginx_locations:
  'static':
    location: '~ "^/static/[0-9a-fA-F]{8}\/(.*)$"'
    server: www.puppetlabs.com
    www_root: /var/www/html
  'userContent':
    location: /userContent
    server: www.puppetlabs.com
    www_root: /var/www/html
nginx::nginx_mailhosts:
  'smtp':
    auth_http: server2.example/cgi-bin/auth
    protocol: smtp
    listen_port: 587
    ssl_port: 465
    starttls: only
nginx::nginx_cfg_prepend:
  include:
    - '/etc/nginx/modules-enabled/*.conf'
```
Stream hosts (TCP/UDP proxies) and their upstreams are defined the same way; this example proxies syslog:

```yaml
nginx::nginx_streamhosts:
  'syslog':
    ensure: 'present'
    listen_port: '514'
    listen_options: 'udp'
    proxy: 'syslog'
    proxy_read_timeout: '1'
    proxy_connect_timeout: '1'
    raw_append:
      - 'error_log off;'
nginx::nginx_upstreams:
  'syslog':
    upstream_context: 'stream'
    members:
      - '10.0.0.1:514'
      - '10.0.0.2:514'
      - '10.0.0.3:514'
```
Example configuration for Debian and RHEL / CentOS (>6), pulling the Nginx and Passenger packages from the Phusion repo. See additional notes in https://github.com/voxpupuli/puppet-nginx/blob/master/docs/quickstart.md
```puppet
class { 'nginx':
  package_source  => 'passenger',
  http_cfg_append => {
    'passenger_root' => '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini',
  }
}
```
Here is the example for OpenBSD (note the comma after `service_flags`, which the original was missing):

```puppet
class { 'nginx':
  package_flavor  => 'passenger',
  service_flags   => '-u',
  http_cfg_append => {
    passenger_root          => '/usr/local/lib/ruby/gems/2.1/gems/passenger-4.0.44',
    passenger_ruby          => '/usr/local/bin/ruby21',
    passenger_max_pool_size => '15',
  }
}
```
Package source `passenger` will add the Phusion Passenger repository to APT sources. For each virtual host you should specify which ruby should be used.
```puppet
nginx::resource::server { 'www.puppetlabs.com':
  www_root          => '/var/www/www.puppetlabs.com',
  server_cfg_append => {
    'passenger_enabled' => 'on',
    'passenger_ruby'    => '/usr/bin/ruby',
  }
}
```
Virtual host config for serving puppet master:
```puppet
nginx::resource::server { 'puppet':
  ensure               => present,
  server_name          => ['puppet'],
  listen_port          => 8140,
  ssl                  => true,
  ssl_cert             => '/var/lib/puppet/ssl/certs/example.com.pem',
  ssl_key              => '/var/lib/puppet/ssl/private_keys/example.com.pem',
  ssl_port             => 8140,
  server_cfg_append    => {
    'passenger_enabled'      => 'on',
    'passenger_ruby'         => '/usr/bin/ruby',
    'ssl_crl'                => '/var/lib/puppet/ssl/ca/ca_crl.pem',
    'ssl_client_certificate' => '/var/lib/puppet/ssl/certs/ca.pem',
    'ssl_verify_client'      => 'optional',
    'ssl_verify_depth'       => 1,
  },
  www_root             => '/etc/puppet/rack/public',
  use_default_location => false,
  access_log           => '/var/log/nginx/puppet_access.log',
  error_log            => '/var/log/nginx/puppet_error.log',
  passenger_cgi_param  => {
    'HTTP_X_CLIENT_DN'     => '$ssl_client_s_dn',
    'HTTP_X_CLIENT_VERIFY' => '$ssl_client_verify',
  },
}
```
```puppet
$full_web_path = '/var/www'

define web::nginx_ssl_with_redirect (
  $backend_port        = 9000,
  $php                 = true,
  $proxy               = undef,
  $www_root            = "${full_web_path}/${name}/",
  $location_cfg_append = undef,
) {
  nginx::resource::server { "${name}.${::domain}":
    ensure              => present,
    www_root            => "${full_web_path}/${name}/",
    location_cfg_append => { 'rewrite' => '^ https://$server_name$request_uri? permanent' },
  }

  if !$www_root {
    $tmp_www_root = undef
  } else {
    $tmp_www_root = $www_root
  }

  nginx::resource::server { "${name}.${::domain} ${name}":
    ensure              => present,
    listen_port         => 443,
    www_root            => $tmp_www_root,
    proxy               => $proxy,
    location_cfg_append => $location_cfg_append,
    index_files         => [ 'index.php' ],
    ssl                 => true,
    ssl_cert            => '/path/to/wildcard_mydomain.crt',
    ssl_key             => '/path/to/wildcard_mydomain.key',
  }

  if $php {
    nginx::resource::location { "${name}_root":
      ensure              => present,
      ssl                 => true,
      ssl_only            => true,
      server              => "${name}.${::domain} ${name}",
      www_root            => "${full_web_path}/${name}/",
      location            => '~ \.php$',
      index_files         => ['index.php', 'index.html', 'index.htm'],
      proxy               => undef,
      fastcgi             => "127.0.0.1:${backend_port}",
      fastcgi_script      => undef,
      location_cfg_append => {
        fastcgi_connect_timeout => '3m',
        fastcgi_read_timeout    => '3m',
        fastcgi_send_timeout    => '3m'
      }
    }
  }
}
```
```puppet
nginx::resource::location { 'some_root':
  ensure        => present,
  location      => '/some/url',
  fastcgi       => '127.0.0.1:9000',
  fastcgi_param => {
    'APP_ENV' => 'local',
  },
}
```
```puppet
web::nginx_ssl_with_redirect { 'sub-domain-name':
  backend_port => 9001,
}
```