voxpupuli/puppet-nginx

Name: puppet-nginx

Owner: Vox Pupuli

Description: Puppet Module to manage NGINX on various UNIXes

Created: 2011-05-24 01:53:48.0

Updated: 2018-01-11 10:03:45.0

Pushed: 2018-01-10 14:34:37.0

Homepage: https://forge.puppet.com/puppet/nginx

Size: 1909

Language: Ruby

README

NGINX module for Puppet


This module was migrated from James Fryman james@frymanet.com and Matthew Haughton matt@3flex.com.au to Vox Pupuli.

INSTALLING OR UPGRADING

Please note: This module is undergoing some structural maintenance. You may experience breaking changes between minor versions.

This module manages NGINX configuration.

Requirements
Additional Documentation
Install and bootstrap an NGINX instance

class { 'nginx': }

A simple reverse proxy

nginx::resource::server { 'kibana.myhost.com':
  listen_port => 80,
  proxy       => 'http://localhost:5601',
}
A virtual host with static content

nginx::resource::server { 'www.puppetlabs.com':
  www_root => '/var/www/www.puppetlabs.com',
}
A more complex proxy example

nginx::resource::upstream { 'puppet_rack_app':
  members => [
    'localhost:3000',
    'localhost:3001',
    'localhost:3002',
  ],
}

nginx::resource::server { 'rack.puppetlabs.com':
  proxy => 'http://puppet_rack_app',
}
Add an SMTP proxy

class { 'nginx':
  mail => true,
}

nginx::resource::mailhost { 'domain1.example':
  auth_http   => 'server2.example/cgi-bin/auth',
  protocol    => 'smtp',
  listen_port => 587,
  ssl_port    => 465,
  starttls    => 'only',
  xclient     => 'off',
  ssl         => true,
  # Example paths only: a production key belongs in a root-owned directory
  # such as /etc/ssl/private, not in /tmp.
  ssl_cert    => '/tmp/server.crt',
  ssl_key     => '/tmp/server.pem',
}
SSL configuration

By default, creating a server resource will only create a HTTP server. To also create a HTTPS (SSL-enabled) server, set ssl => true on the server. You will have a HTTP server listening on listen_port (port 80 by default) and a HTTPS server listening on ssl_port (port 443 by default). Both servers will have the same server_name and a similar configuration.

To create only a HTTPS server, set ssl => true and also set listen_port to the same value as ssl_port. Setting these to the same value disables the HTTP server. The resulting server will be listening on ssl_port.

Locations

Locations require specific settings depending on whether they should be included in the HTTP, HTTPS or both servers.

HTTP only server (default)

If you only have a HTTP server (i.e. ssl => false on the server) make sure you don't set ssl => true on any location you associate with the server.

HTTP and HTTPS server

If you set ssl => true and also set listen_port and ssl_port to different values on the server you will need to be specific with the location settings since you will have a HTTP server listening on listen_port and a HTTPS server listening on ssl_port:

HTTPS only server

If you have set ssl => true and also set listen_port and ssl_port to the same value on the server, you will have a single HTTPS server listening on ssl_port. To add a location to this server set ssl => true and ssl_only => true on the location.
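The three cases above (HTTP only, HTTP and HTTPS, HTTPS only) worked through in one manifest. This is an added example, not code from the puppet-nginx README; the hostnames, certificate paths and the 127.0.0.1 backends are assumptions.

```puppet
# Added example (not from the puppet-nginx README): how the ssl / ssl_only
# flags on nginx::resource::location pick which of the server blocks
# generated by one nginx::resource::server a location is written into.
# Hostnames, certificate paths and the 127.0.0.1 backends are assumptions.

# One resource, two generated server blocks: HTTP on 80 and HTTPS on 443.
nginx::resource::server { 'app.example.com':
  listen_port => 80,
  ssl         => true,
  ssl_port    => 443,
  ssl_cert    => '/etc/ssl/certs/app.example.com.crt',
  ssl_key     => '/etc/ssl/private/app.example.com.key',
  www_root    => '/var/www/app.example.com',
}

# Default (ssl => false): written into the HTTP server only. Anything here is
# reachable in cleartext, so limit it to things like an ACME challenge path.
nginx::resource::location { 'app-acme':
  server   => 'app.example.com',
  location => '/.well-known/acme-challenge/',
  www_root => '/var/www/acme',
}

# ssl => true and ssl_only => true: written into the HTTPS server only.
# Use this for anything that carries credentials, so a copy of the location
# can never appear in the port 80 server by accident.
nginx::resource::location { 'app-api':
  server   => 'app.example.com',
  location => '/api/',
  ssl      => true,
  ssl_only => true,
  proxy    => 'http://127.0.0.1:8080',
}

# ssl => true without ssl_only: the same location in both servers.
nginx::resource::location { 'app-static':
  server   => 'app.example.com',
  location => '/static/',
  ssl      => true,
  www_root => '/var/www/app.example.com',
}

# HTTPS-only server: listen_port equal to ssl_port disables the HTTP server.
# Every location attached to it must set ssl => true and ssl_only => true,
# otherwise the location is emitted for an HTTP server that does not exist.
nginx::resource::server { 'admin.example.com':
  listen_port => 443,
  ssl         => true,
  ssl_port    => 443,
  ssl_cert    => '/etc/ssl/certs/admin.example.com.crt',
  ssl_key     => '/etc/ssl/private/admin.example.com.key',
  proxy       => 'http://127.0.0.1:8081',
}

nginx::resource::location { 'admin-health':
  server   => 'admin.example.com',
  location => '/healthz',
  ssl      => true,
  ssl_only => true,
  proxy    => 'http://127.0.0.1:8081/healthz',
}
```

After applying, check the generated files under the module's server directory (one `*.conf` per server, with `-ssl` variants for the HTTPS blocks) and confirm with `nginx -t` that `/api/` appears only in the SSL file.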

Hiera Support

Defining nginx resources in Hiera.

nginx::nginx_upstreams:
  'puppet_rack_app':
    ensure: present
    members:
      - localhost:3000
      - localhost:3001
      - localhost:3002
nginx::nginx_servers:
  'www.puppetlabs.com':
    www_root: '/var/www/www.puppetlabs.com'
  'rack.puppetlabs.com':
    proxy: 'http://puppet_rack_app'
nginx::nginx_locations:
  'static':
    location: '~ "^/static/[0-9a-fA-F]{8}\/(.*)$"'
    server: www.puppetlabs.com
    www_root: /var/www/html
  'userContent':
    location: /userContent
    server: www.puppetlabs.com
    www_root: /var/www/html
nginx::nginx_mailhosts:
  'smtp':
    auth_http: server2.example/cgi-bin/auth
    protocol: smtp
    listen_port: 587
    ssl_port: 465
    starttls: only
A stream syslog UDP proxy

nginx::nginx_cfg_prepend:
  include:
    - '/etc/nginx/modules-enabled/*.conf'

nginx::nginx_streamhosts:
  'syslog':
    ensure:                 'present'
    listen_port:            '514'
    listen_options:         'udp'
    proxy:                  'syslog'
    proxy_read_timeout:     '1'
    proxy_connect_timeout:  '1'
    raw_append:
      - 'error_log off;'

nginx::nginx_upstreams:
  'syslog':
    upstream_context: 'stream'
    members:
      - '10.0.0.1:514'
      - '10.0.0.2:514'
      - '10.0.0.3:514'
Nginx with precompiled Passenger

Example configuration for Debian and RHEL / CentOS (>6), pulling the Nginx and Passenger packages from the Phusion repo. See additional notes in https://github.com/voxpupuli/puppet-nginx/blob/master/docs/quickstart.md

class { 'nginx':
  package_source  => 'passenger',
  http_cfg_append => {
    'passenger_root' => '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini',
  },
}

Here the example for OpenBSD:

class { 'nginx':
  package_flavor  => 'passenger',
  service_flags   => '-u',
  http_cfg_append => {
    passenger_root          => '/usr/local/lib/ruby/gems/2.1/gems/passenger-4.0.44',
    passenger_ruby          => '/usr/local/bin/ruby21',
    passenger_max_pool_size => '15',
  },
}

Package source passenger adds the Phusion Passenger repository to the APT sources. For each virtual host you should specify which Ruby interpreter Passenger should use.

nginx::resource::server { 'www.puppetlabs.com':
  www_root          => '/var/www/www.puppetlabs.com',
  server_cfg_append => {
    'passenger_enabled' => 'on',
    'passenger_ruby'    => '/usr/bin/ruby',
  },
}

Puppet master served by Nginx and Passenger

Virtual host config for serving a Puppet master. Note that ssl_verify_client is 'optional', so nginx accepts connections with no client certificate (agents still bootstrapping need that); the Rack application must therefore check that HTTP_X_CLIENT_VERIFY is 'SUCCESS' before trusting the DN in HTTP_X_CLIENT_DN. Because both values are set server-side from $ssl_client_s_dn and $ssl_client_verify, a client cannot supply them itself:

nginx::resource::server { 'puppet':
  ensure               => present,
  server_name          => ['puppet'],
  listen_port          => 8140,
  ssl                  => true,
  ssl_cert             => '/var/lib/puppet/ssl/certs/example.com.pem',
  ssl_key              => '/var/lib/puppet/ssl/private_keys/example.com.pem',
  ssl_port             => 8140,
  server_cfg_append    => {
    'passenger_enabled'      => 'on',
    'passenger_ruby'         => '/usr/bin/ruby',
    'ssl_crl'                => '/var/lib/puppet/ssl/ca/ca_crl.pem',
    'ssl_client_certificate' => '/var/lib/puppet/ssl/certs/ca.pem',
    'ssl_verify_client'      => 'optional',
    'ssl_verify_depth'       => 1,
  },
  www_root             => '/etc/puppet/rack/public',
  use_default_location => false,
  access_log           => '/var/log/nginx/puppet_access.log',
  error_log            => '/var/log/nginx/puppet_error.log',
  passenger_cgi_param  => {
    'HTTP_X_CLIENT_DN'     => '$ssl_client_s_dn',
    'HTTP_X_CLIENT_VERIFY' => '$ssl_client_verify',
  },
}

Example Puppet define calling nginx::resource::server with HTTPS, FastCGI and redirection of HTTP to HTTPS

$full_web_path = '/var/www'

define web::nginx_ssl_with_redirect (
  $backend_port        = 9000,
  $php                 = true,
  $proxy               = undef,
  $www_root            = "${full_web_path}/${name}/",
  $location_cfg_append = undef,
) {
  # Plain HTTP server whose only job is to redirect every request to HTTPS.
  nginx::resource::server { "${name}.${::domain}":
    ensure              => present,
    www_root            => "${full_web_path}/${name}/",
    location_cfg_append => { 'rewrite' => '^ https://$server_name$request_uri? permanent' },
  }

  if !$www_root {
    $tmp_www_root = undef
  } else {
    $tmp_www_root = $www_root
  }

  # listen_port equals the default ssl_port (443), so this is an HTTPS-only server.
  nginx::resource::server { "${name}.${::domain} ${name}":
    ensure              => present,
    listen_port         => 443,
    www_root            => $tmp_www_root,
    proxy               => $proxy,
    location_cfg_append => $location_cfg_append,
    index_files         => [ 'index.php' ],
    ssl                 => true,
    ssl_cert            => '/path/to/wildcard_mydomain.crt',
    ssl_key             => '/path/to/wildcard_mydomain.key',
  }

  if $php {
    # ssl_only is required here because the server above has no HTTP listener.
    nginx::resource::location { "${name}_root":
      ensure              => present,
      ssl                 => true,
      ssl_only            => true,
      server              => "${name}.${::domain} ${name}",
      www_root            => "${full_web_path}/${name}/",
      location            => '~ \.php$',
      index_files         => ['index.php', 'index.html', 'index.htm'],
      proxy               => undef,
      fastcgi             => "127.0.0.1:${backend_port}",
      fastcgi_script      => undef,
      location_cfg_append => {
        fastcgi_connect_timeout => '3m',
        fastcgi_read_timeout    => '3m',
        fastcgi_send_timeout    => '3m',
      },
    }
  }
}


Add custom fastcgi_params

nginx::resource::location { 'some_root':
  ensure        => present,
  # A location must belong to a server; 'www.puppetlabs.com' from the
  # examples above is assumed here.
  server        => 'www.puppetlabs.com',
  location      => '/some/url',
  fastcgi       => '127.0.0.1:9000',
  fastcgi_param => {
    'APP_ENV' => 'local',
  },
}

Call the define web::nginx_ssl_with_redirect

web::nginx_ssl_with_redirect { 'sub-domain-name':
  backend_port => 9001,
}

This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.