Skip to content

perfect-timing/nginx-ansible-role

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

This is an Ansible role for installing nginx in a relatively secure way.

What it Does

Assumptions

This installation is only as secure as you make it. It assumes you have an SSL certificate (nginx_ssl_certificate, nginx_ssl_certificate_key) and an htpasswd (nginx_auth_file) file that you have securely transferred to the webserver node.

Software

Installs nginx which provides the following nginx command.

Also removes the default nginx virtual hosts. Disable this by setting nginx_disable_default_site to false. Build your own more secure virtual hosts using the SSL and firewall definitions provided below.

SSL

Defines shared SSL parameters at /etc/nginx/ssl.conf. These SSL parameters can be included into the configuration files of any subsequent nginx virtual host (=server=) by including the configuration file /etc/nginx/ssl.conf.

It is assumed that the SSL certificate and key have previously been moved to the remote machine. The paths defined in the variables nginx_ssl_certificate and nginx_ssl_certificate_key are templated into /etc/nginx/ssl.conf.

Firewall

Creates a firewall definition at /etc/nginx/firewall.conf which forces traffic to either

This firewall is useful for (partially) securing a site during development for example, or for securing an admin interface of a site during production.

Authorized users are defined in /etc/nginx/conf.d/users. Update this file separately to manage users.

Configuration & Logging

Creates the files:

  • /etc/nginx/firewall.conf -- firewall for virtual hosts needing to restrict access
  • /etc/nginx/ssl.conf -- shared SSL parameters for virtual hosts needing SSL
  • /var/log/nginx -- log directory

Services

Leaves a service nginx running without any virtual hosts.

Usage

Use the role in a playbook like this:

- hosts: all
  roles:
    - nginx

Variables

The following variables are exposed for configuration:

  • nginx_package -- the name of the nginx package to install (default: nginx-full)
  • nginx_user -- the user to run nginx worker processes as (default: www-data)
  • nginx_group -- the group to run nginx worker processes as (default: www-data)
  • nginx_worker_processes -- number of nginx worker processes
  • nginx_worker_connections -- number of nginx worker connections
  • nginx_whitelisted_ips -- array of IP addresses which will be whitelisted in the firewall
  • nginx_auth_realm -- name of basic authentication realm for firewall (default: Restricted)
  • nginx_auth_file -- path to existing nginx auth file
  • nginx_ssl_certificate -- path to existing nginx SSL certificate
  • nginx_ssl_certificate_key -- path to existing nginx SSL key

About

Ansible role for a simple but secure nginx installation.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published