The task is to write an Ansible role to install and manage Nginx (latest stable version) on Ubuntu 18.04.

Requirements:

- An EC2 instance with a static IP mapped to a hostname
- A security group for this EC2 instance with port tcp:80 opened (restrict the source to the ALB or the clients that need it rather than 0.0.0.0/0, since the role serves plain HTTP)
There are two ways to use this role:

Option 1: bring your own vhost config files. Create the config file yourself (for example, the config for deploying a Laravel app), then point the role at the directory that contains it in the playbook:

```yaml
roles:
  - role: nfq.nginx
    vars:
      force_use_external_vhost: true
      vhost_directory: "./vhosts/"
```

For more details on how to use it, take a look at the repo https://git.nfq.asia/devops/infrastructure-standard

Option 2: let the role render the vhosts from the `vhosts` variable. To use this option set `force_use_external_vhost` to false:

```yaml
force_use_external_vhost: false
```
Each vhost is passed as an item in the `vhosts` array (see the tests for examples). Each item must have a `type` that is one of three:

- `type: "static-site"`: serves a static site, with all requests routed to the index file. Useful for a ReactJS frontend.
- `type: "reverse-proxy"`: does a proxy-pass to another IP:port. Useful as a reverse proxy in front of Node.js.
- `type: "php-fpm"`: acts as a FastCGI gateway for a PHP-FPM backend.

The following options are common to all types:

- `access_log`, `error_log`: log paths for the vhost
- `root`: the webroot for the vhost. Does nothing for type `reverse-proxy`
- `index`: index file. Does nothing for type `reverse-proxy`
- `cors`: whether to enable CORS for all incoming requests (the example below spells the key `cors_enabled`; check the role's defaults to see which name it reads). Note: this should be used in non-production only. Cross-origin policy should be handled at the application level, where the allowed origins can be restricted per route instead of being opened for every response.

Each item can take an `extra_config` variable, which is a list of extra files (the example below passes a `.j2` template) that will be appended to the end of the `server { ... }` block of that vhost. Whatever those files contain ends up verbatim in the rendered config, so review them like any other nginx configuration.
```yaml
vhosts:
  # Vhost - static site
  - server_name: "nfq.asia"
    type: "static-site"
    root: "/var/www/static-frontend/current"
    index: "/index.html"
    access_log: "/var/log/nginx/static-frontend.access.log"
    error_log: "/var/log/nginx/static-frontend.error.log"
    cors_enabled: true

  # Vhost with extra config files
  - server_name: "staging.nfq.asia"
    type: "static-site"
    root: "/var/www/static-a-frontend/current"
    index: "/index.html"
    access_log: "/var/log/nginx/static-frontend-2.access.log"
    error_log: "/var/log/nginx/static-frontend-2.error.log"
    extra_config:
      - "files/service-worker.j2"

  # Vhost - reverse proxy to port 9000
  - server_name: "api.nfq.asia"
    type: "reverse-proxy"
    access_log: "/var/log/nginx/nodejs-backend.access.log"
    error_log: "/var/log/nginx/nodejs-backend.error.log"
    cors_enabled: true
    reverse_proxy_pass: "http://127.0.0.1:9000"
    reverse_proxy_nocache_enabled: true

  # Vhost - php-fpm to port tcp:9000
  - server_name: "backend.nfq.asia"
    type: "php-fpm"
    root: "/var/www/backend-symfony/current/web"
    index: "app.php"
    access_log: "/var/log/nginx/php-fpm-backend.access.log"
    error_log: "/var/log/nginx/php-fpm-backend.error.log"
    cors_enabled: true
    php_fpm_pass: "127.0.0.1:9000"
    php_fpm_status_enabled: true
```
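A mistake in the `vhosts` array (an unknown `type`, a missing `reverse_proxy_pass`, two entries with the same `server_name`) only surfaces when nginx reloads on the target host. The following pre-flight lint is an added example and is not part of the role: the key names are taken from the example above, but which keys the role actually requires per type is this example's own assumption, and the sample vhosts are constructed for the demonstration.

```python
"""Pre-flight lint for the `vhosts` array consumed by the nfq.nginx role.

Added example, not code from the role. Key names follow the README's sample;
the per-type *required* keys below are an assumption, not role documentation.
"""
from __future__ import annotations

import os
from typing import Any

VHOST_TYPES = {"static-site", "reverse-proxy", "php-fpm"}

# Assumed per-type requirements (not stated by the role's README).
REQUIRED_BY_TYPE = {
    "static-site": {"root", "index"},
    "reverse-proxy": {"reverse_proxy_pass"},
    "php-fpm": {"root", "index", "php_fpm_pass"},
}
# Keys the README says do nothing for reverse-proxy vhosts.
IGNORED_FOR_REVERSE_PROXY = {"root", "index"}


def lint_vhost(vhost: dict[str, Any], check_files: bool = False) -> list[str]:
    """Return findings ("ERROR: ..." / "WARN: ...") for a single vhost item."""
    findings: list[str] = []
    keys = set(vhost)
    name = vhost.get("server_name", "<no server_name>")
    if "server_name" not in keys:
        findings.append("ERROR: vhost without server_name")
    vtype = vhost.get("type")
    if vtype not in VHOST_TYPES:
        findings.append(f"ERROR: {name}: type {vtype!r} is not one of {sorted(VHOST_TYPES)}")
        return findings  # nothing else can be checked without a known type
    for key in sorted(REQUIRED_BY_TYPE[vtype] - keys):
        findings.append(f"ERROR: {name}: type {vtype} needs {key}")
    if vtype == "reverse-proxy":
        for key in sorted(IGNORED_FOR_REVERSE_PROXY & keys):
            findings.append(f"WARN: {name}: {key} is ignored for reverse-proxy vhosts")
        target = str(vhost.get("reverse_proxy_pass", ""))
        if target and not target.startswith(("http://", "https://")):
            findings.append(f"ERROR: {name}: reverse_proxy_pass must be an absolute URL, got {target!r}")
    for key in ("access_log", "error_log"):
        if key not in keys:
            findings.append(f"WARN: {name}: {key} not set, nginx falls back to the global log")
    if vhost.get("cors_enabled") or vhost.get("cors"):
        findings.append(f"WARN: {name}: CORS enabled for all requests; README says non-production only")
    if check_files:
        for path in vhost.get("extra_config", []):
            if not os.path.isfile(path):
                findings.append(f"ERROR: {name}: extra_config file {path} not found")
    return findings


def lint_vhosts(vhosts: list[dict[str, Any]], check_files: bool = False) -> list[str]:
    """Lint the whole array. Duplicate server_names are flagged here because
    nginx only warns about a conflicting server name and ignores the later block."""
    findings: list[str] = []
    seen: set[str] = set()
    for vhost in vhosts:
        name = vhost.get("server_name")
        if name in seen:
            findings.append(f"ERROR: duplicate server_name {name}")
        if name:
            seen.add(name)
        findings.extend(lint_vhost(vhost, check_files))
    return findings


# Constructed sample: two valid vhosts and one deliberately broken entry.
SAMPLE_VHOSTS = [
    {"server_name": "static.example.test", "type": "static-site",
     "root": "/var/www/static-frontend/current", "index": "/index.html",
     "access_log": "/var/log/nginx/static-frontend.access.log",
     "error_log": "/var/log/nginx/static-frontend.error.log"},
    {"server_name": "api.example.test", "type": "reverse-proxy",
     "root": "/var/www/ignored",  # does nothing for reverse-proxy, so the lint warns
     "access_log": "/var/log/nginx/nodejs-backend.access.log",
     "error_log": "/var/log/nginx/nodejs-backend.error.log",
     "cors_enabled": True, "reverse_proxy_pass": "http://127.0.0.1:9000"},
    {"server_name": "static.example.test", "type": "proxy"},  # duplicate name, bad type
]

if __name__ == "__main__":
    for finding in lint_vhosts(SAMPLE_VHOSTS):
        print(finding)
```

Run it against the `vhosts` you are about to ship (load the YAML with PyYAML and pass the list) and treat any `ERROR` as a reason not to deploy; the `WARN` lines on CORS and on ignored keys are the ones most worth a second look before a production rollout.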
List of default parameters, mostly for tuning:

```yaml
nginx_user: "www-data"
nginx_worker_processes: "auto"
nginx_worker_cpu_affinity: "auto"
nginx_worker_rlimit_nofile: "100000"
nginx_worker_connections: "4096"
nginx_keepalive_timeout: "100"
nginx_client_body_timeout: "120"
nginx_reset_timedout_connection: "on"
nginx_types_hash_max_size: "2048"
nginx_client_max_body_size: "50M"
nginx_server_tokens: "off"                    # hide the nginx version number
nginx_ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2"  # drops SSLv3, ref: POODLE
nginx_apm_log_enabled: true                   # enable the APM log format by default
backup_old_config: true                       # back up old configurations to /etc/nginx/.backup/ before applying new ones
```

Note on `nginx_ssl_protocols`: the default still offers TLS 1.0 and 1.1, both of which are formally deprecated by RFC 8996. Override it with `"TLSv1.2"` (adding `TLSv1.3` where the installed nginx/OpenSSL build supports it) unless you must serve legacy clients. Because the role expects TLS to terminate at the ALB (see the notes below), this setting only takes effect if you add a TLS listener yourself.
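The defaults above are the values a reviewer would want to check before a rollout. The following audit is an added example and not part of the role: it copies the README's default values into a dict, flags the settings a security review would question (deprecated TLS versions, `server_tokens` not off, an unbounded `client_max_body_size`), and produces a hardened copy. The 100 MiB upload threshold and the `harden_defaults` rewrite are this example's own choices.

```python
"""Audit the nfq.nginx tuning defaults for weak security settings.

Added example, not code from the role. Variable names and values are copied
from the README's default list; the checks and the hardened rewrite are the
example's own. `nginx_ssl_protocols` only matters once a TLS listener exists
(the role leaves TLS to the ALB by default).
"""
from __future__ import annotations

import re

# Versions no current deployment should offer: SSLv3 (POODLE) and
# TLS 1.0/1.1 (deprecated by RFC 8996).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed copy of the README's defaults (the values under review).
ROLE_DEFAULTS = {
    "nginx_user": "www-data",
    "nginx_worker_processes": "auto",
    "nginx_worker_cpu_affinity": "auto",
    "nginx_worker_rlimit_nofile": "100000",
    "nginx_worker_connections": "4096",
    "nginx_keepalive_timeout": "100",
    "nginx_client_body_timeout": "120",
    "nginx_reset_timedout_connection": "on",
    "nginx_types_hash_max_size": "2048",
    "nginx_client_max_body_size": "50M",
    "nginx_server_tokens": "off",
    "nginx_ssl_protocols": "TLSv1 TLSv1.1 TLSv1.2",
    "nginx_apm_log_enabled": True,
    "backup_old_config": True,
}

_SIZE_RE = re.compile(r"^(\d+)([kKmMgG]?)$")
_UNIT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_nginx_size(value: str) -> int:
    """Convert an nginx size literal ("50M", "512k", "0") to bytes.
    nginx treats 0 for client_max_body_size as 'no limit'."""
    m = _SIZE_RE.match(str(value).strip())
    if not m:
        raise ValueError(f"not an nginx size: {value!r}")
    number, unit = m.groups()
    return int(number) * _UNIT[unit.lower()]


def audit_defaults(defaults: dict, max_body_bytes: int = 100 * 1024 ** 2) -> list[str]:
    """Return findings for settings a security review would question.
    max_body_bytes (100 MiB) is an arbitrary threshold chosen for this example."""
    findings: list[str] = []
    protocols = str(defaults.get("nginx_ssl_protocols", "")).split()
    weak = [p for p in protocols if p in DEPRECATED_PROTOCOLS]
    if weak:
        findings.append(f"nginx_ssl_protocols offers deprecated versions: {' '.join(weak)}")
    if str(defaults.get("nginx_server_tokens", "on")).lower() != "off":
        findings.append("nginx_server_tokens is not 'off': version leaks in headers and error pages")
    # nginx's own default for client_max_body_size is 1m when the key is absent.
    body = parse_nginx_size(defaults.get("nginx_client_max_body_size", "1m"))
    if body == 0 or body > max_body_bytes:
        findings.append("nginx_client_max_body_size allows unbounded or very large uploads")
    return findings


def harden_defaults(defaults: dict, add_tls13: bool = False) -> dict:
    """Return a copy with deprecated protocol versions dropped (TLSv1.3 added
    only when the caller knows the nginx/OpenSSL build supports it) and
    server_tokens forced off. Tuning values are left untouched."""
    hardened = dict(defaults)
    kept = [p for p in str(defaults.get("nginx_ssl_protocols", "")).split()
            if p not in DEPRECATED_PROTOCOLS]
    if add_tls13 and "TLSv1.3" not in kept:
        kept.append("TLSv1.3")
    hardened["nginx_ssl_protocols"] = " ".join(kept) or "TLSv1.2"
    hardened["nginx_server_tokens"] = "off"
    return hardened


if __name__ == "__main__":
    for finding in audit_defaults(ROLE_DEFAULTS):
        print("FINDING:", finding)
    print("hardened nginx_ssl_protocols:",
          harden_defaults(ROLE_DEFAULTS, add_tls13=True)["nginx_ssl_protocols"])
```

The hardened values are what you would put in the playbook's `vars` to override the role's defaults; the script does not change anything on a host.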
The role's tasks are split into two groups:

- `install`: installs the Nginx service
- `configure`: configures the Nginx service
Notes:

- The role does not handle TLS or HTTP->HTTPS redirection by default, since these are assumed to be handled by the ALB. If you rely on that, make sure the instance's security group accepts tcp:80 from the ALB only; otherwise clients can bypass the ALB and reach the plain-HTTP backend directly.
- Some nginx tuning is done (worker_processes, worker_cpu_affinity, etc.) as per the default parameters listed above.
- The access logs are in APM format.
- Nginx status can be checked with the `/nginx_status` endpoint:

```
curl 127.0.0.1:80/nginx_status
```

The status page exposes connection counters, so verify that it only answers from localhost (the same request against the public hostname should be refused) before exposing port 80.