BUG FIXES:
Improve the NGINX main config defaults to bring them closer to the standard NGINX defaults on a fresh NGINX install.
FEATURES:
Rename all modules to use the fully qualified collection name (FQCN) per Ansible guidelines.
ENHANCEMENTS:
- Bump the Ansible
community.generalcollection to4.7.0andcommunity.dockercollection to2.3.0. - Add labels to loops in
tasks/config/template-config.ymlto reduce amount of output data. - Implement
gunzip,map,mirror,realipandsplit_clientsmodules intohttptemplates. - Streamline configuring SELinux.
- Update Dependabot to trigger updates at the same time across all NGINX core roles at the same time and to avoid triggering release drafter on GitHub actions dependency updates.
BUG FIXES:
Ansible check mode runs will no longer fail if NGINX has not yet been installed.
BREAKING CHANGES:
- Remove parameters deprecated in release
0.4.0. To recap, these arenginx_config_main_upload_*,nginx_config_upload_html_*, andnginx_config_stream_upload_*. Usenginx_config_uploadinstead. - Refactor all the
streamJinja2 templates!:-
Each NGINX module is now contained within its own templating file. Macros are then used, in turn, to import each respective module template into a top level template file.
-
This avoids confusing and unnecessary code duplication, as well as hard to maintain code.
-
You will notice that the overall structure of your NGINX config now follows a very simple dictionary structure where each top level key corresponds to an NGINX module. Top level lists are used when dealing with
servers:core: root: /usr/share/nginx/html proxy: set_header: [] servers: - core: {} proxy: {}
-
Check
defaults/main/template.ymlandmolecule/default/converge.ymlfor examples! -
These changes follow in the footsteps of the
httpJinja2 refactor introduced in the0.4.0release. If you want more information on how to port yourstreamconfigurations, the release notes/changelog for0.4.0are a good place to start.
-
- Replace
conf_file_nameandconf_file_locationwithdeployment_locationinsidenginx_config_stream_template. - Replace
html_file_nameandhtml_file_locationwithdeployment_locationinsidenginx_config_html_demo_template.
FEATURES:
- Add
backupvariable to template and upload parameters. Set tofalseif you don't want to keep backups of your previous NGINX config files. - Automatically create a NGINX
client_body_temp_pathdirectory if your NGINX config uses the directive.
ENHANCEMENTS:
Bump the Ansible community.general collection to 4.4.0 and community.docker collection to 2.1.1.
BUG FIXES:
- Fix a bug when using a single
custom_directivesentry and the http template. - Fix check mode issue when running with SELinux enabled. Role no longer reports a change in check mode when setting the host to permissive mode.
- Fix typo in the REST API template.
- Fix incorrect REST API and status log variable names in
defaults/main/template.yml. - Fix bugged conditional check in the
http/ssl.j2Jinja2 template.
BUG FIXES:
- Dictionaries are a sequence per Jinja2 contrary to Python's defaults (dictionaries are not a sequence in Python). The template conditionals assumed the latter.
- NAP DoS monitor directive would fail if some variables were commented out.
- NGINX listen
so_keepaliveparameter was not working as intended when setting specific values. - Make sure all template objects are properly transformed into strings before doing Jinja2 operations.
- Remove unnecessary parentheses.
BUG FIXES:
- Fix issue where your
deployment_locationdirectory would not be properly created due to an outdated variable. - Remove duplicated brace in
http/auth.j2.
This is a very big release which fundamentally refactors the whole NGINX configuration templating engine. Almost all of the templates have undergone some breaking changes. Please take extra caution when upgrading your environment to this release and make sure you test any required changes before using the role in any potential production environments.
Efforts have been made to thoroughly test all these changes and make sure they work as intended, but due to the magnitude of the refactoring work, there will be some bugs that have escaped our tests. If you find any, please open an issue or PR through the usual channels.
DEPRECATION WARNINGS:
The nginx_config_main_upload_*, nginx_config_upload_html_*, and nginx_config_stream_upload_* parameters have been deprecated in favor of a newly introduced parameter, nginx_config_upload (previously nginx_config_snippet_upload_*). The new parameter provides greater flexibility in configuring your upload settings in addition to simplifying the upload Ansible tasks. The deprecated parameters will be removed in the next major release (0.5.0), due December 2021.
BREAKING CHANGES:
General updates:
- Rename upload related variables:
- Rename the
nginx_config_snippet_upload_*parameters tonginx_config_upload_*(checkdefaults/main/upload.ymlfor an example). - Rename the
nginx_config_html_upload_*parameters tonginx_config_upload_html_*. - Rename the
nginx_config_ssl_upload_*parameters tonginx_config_upload_ssl_*.
- Rename the
- Tweak the
nginx_config_html_uploadandnginx_config_ssl_uploadparameters to use a list instead of a singlesrcanddestvalue (checkdefaults/main/upload.ymlfor an example).
Template engine updates:
-
Refactor all the
httpJinja2 templates!:-
Each NGINX module is now contained within its own templating file. Macros are then used, in turn, to import each respective module template into a top level template file.
-
This avoids confusing and unnecessary code duplication, as well as hard to maintain code.
-
You will notice that the overall structure of your NGINX config now follows a very simple dictionary structure where each top level key corresponds to an NGINX module. Top level lists are used when dealing with
serversandlocations:core: root: /usr/share/nginx/html proxy: set_header: [] servers: - core: {} proxy: {} locations: - core: {} proxy: {}
-
Check
defaults/main/template.ymlandmolecule/default/converge.ymlfor examples!
-
-
Refactor the base config templates to simplify the creation of templates as well as development and maintenance moving forward:
- Modify
servers,servers.listen,server.locations,upstreamandupstream.serversfrom nested dictionaries in thehttpandstreamconfiguration templates to lists. - Remove/merge the
web_serverandreverse_proxynested dictionary keys from the HTTP templates. These often lead to confusing and unnecessary code duplication and hard to maintain code. To update your templates, remove both keys and adjust your spacing accordingly. - Replaced
conf_file_nameandconf_file_locationwith a single variable,deployment_location. - All config related parameters now live under the
configkey in both the core/main and HTTP templates. - Modify the
nginx_config_html_demo_templatevariable from a nested dictionary to a list.
- Modify
-
Refactor the
nginx_config_main_templateto now include all the respectivecoreandeventsdirectives. The following variables have changed:http_enableno longer exists, neither doeshttp_settings. You can still usehttp.includeto include files within thehttpcontext.stream_enableno longer exists, neither doesstream_settings. You can still usestream.includeto include files within thestreamcontext.
-
Refactor the
upstreamHTTP config template into its own separate file. All theupstreammodule directives are now included. The following variables have changed:portis no longer supported. Instead, include the port as part of youraddress.lb_methodis no longer supported. Instead, you will have to specifically set the method you want to use.zone_nameandzone_sizehave been modified into a dictionary.sticky_cookieis no longer supported as is. You will now have to configure the respectivesticky_cookievalues.- The
health_checkparameter within theserverdictionary is no longer supported. Instead, manually setmax_failsandfail_timeout.
-
Refactor various individual variables into the
coreHTTP config template. All thecoremodule directives are now included. The following variables are now included in thecoredictionary:alias,client_max_body_size,error_log,error_page,include,index,keepalive_timeout,listen,root,send_file,server_name,server_names_hash_bucket_size,server_names_hash_max_size,server_tokens,tcp_nodelay,tcp_nopush,try_fileslisten.portis nowlisten.address, andlisten.optsno longer exists (there are now individual keys for eachlistenparameter).
-
Refactor the
sslHTTP config template into its own separate file. All thesslmodule directives are now included. Almost all variables have changed:- All
sslvariables still live within anssldictionary, but the names have changed to reflect the official NGINX directive names. sslconfigs are now supported within both thehttpandservercontexts.
- All
-
Refactor both the
app_protect_wafandapp_protect_dosmodules into a single file:- The
app_protectdictionary now has theapp_protect_wafkey. app_protect_globaldirectives are now found inside theapp_protect_wafdictionary too.
- The
-
Refactor the
proxyHTTP config template into its own separate file. All theproxymodule directives are now included. All variables have changed:-
All
proxy_*related variables now live under theproxydictionary key. You can specify theproxydictionary key inside thehttp,server, andlocationcontexts. -
Removed the
nginx_config_main_template.http_settings.cachedictionary variable. Usenginx_config_http_template.*.proxy.cache_pathinstead. -
Removed the
location.websocketvariable. Uselocation.proxy.set_headerinstead:proxy: set_header: - field: Upgrade value: $http_upgrade - field: Connection value: Upgrade
-
-
Combine the
grpc_globaldirectives with thegrpcdirectives. -
Refactor the
authHTTP config template into its own separateauthmodules file. All the variousauthrelated module directives including allauth_jwtdirectives are now available. All variables have changed:- All the various
authvariables now live within their respectiveauthdictionaries. authconfigs are now supported within thehttp,server, andlocationcontexts.
- All the various
-
Refactor the
autoindexHTTP config template into its own separate filemodulesfile and added missingautoindexmodule directives. All variables have changed:- The
autoindexdirectives now live within theautoindexdictionary. - The
autoindexdictionary now lives in the HTTP template config instead of the Main template config.
- The
-
Refactor the
add_headersdictionary into aheadersdictionary that now includes all theheadersHTTP config directives:- The
add_headersdirective now lives within theheadersdictionary.
- The
-
Refactor the
keyvaldirectives into its own template config that now includes all thekeyvalHTTP module directives:- Both
keyvaldirectives now live within thekeyvaldictionary. - The
keyvaldictionary now lives in the HTTP template config instead of the Main template config.
- Both
-
Refactor
server.health_check_plusinto its own dictionary that now includes all thehealth_checkmodule directives (checkdefaults/main/template.ymlfor examples). -
Refactor the
limit_reqdirective into its own dictionary:- The
limit_reqdirectives now live within thelimit_reqdictionary. - The
limit_reqdictionary now lives in the HTTP template config instead of the Main template config.
- The
-
Refactor the
access_logandlog_formatdirectives into alogdictionary that now includes all thelogmodule directives:- An
accessandformatdirective now lives within thelogdictionary. - The
logdictionary HTTP context now lives in the HTTP template config instead of the Main template config.
- An
-
Refactor the
returnandrewritedirectives into their own dictionary that now includes all therewriteHTTP module directives:-
The
rewritesdirective has transitioned from a list of one linersrewrites: - (.*).html(.*) $1$2
to
rewrites: - regex: (.*).html(.*) replacement: $1$2
-
The
returndirective has transitioned from a slightly complex dictionary structure (wherein thelocationvariable didn't necessarily have any effect)returns: return301: location: ^~ /old-path code: 301 value: http://$host/new-path
to a slightly less complicated structure
return: # 200 -- Alternatively you could also include a code here instead of fleshing out the dictionary. code: 200 text: nginx
-
-
Refactor the
sub_filterdirectives into their ownsub_filterdictionary that includes all thesub_filterHTTP module directives:-
The only major difference is that one liners under the
sub_filtersdictionary key have changed fromsub_filters: - sub_filter 'server_hostname' '$hostname';
to
sub_filters: - string: server_hostname replacement: $hostname
-
Removed the
server.http_demo_confdictionary. Useserver.sub_filtersinstead:sub_filter: sub_filters: - string: server_hostname replacement: $hostname - string: server_address replacement: $server_addr:$server_port - string: server_url replacement: $request_uri - string: remote_addr replacement: '$remote_addr:$remote_port' - string: server_date replacement: $time_local - string: client_browser replacement: $http_user_agent - string: request_id replacement: $request_id - string: nginx_version replacement: $nginx_version - string: document_root replacement: $document_root - string: proxied_for_ip replacement: $http_x_forwarded_for
-
The
sub_filterdictionary HTTP context now lives in the HTTP template config instead of the Main template config.
-
-
Rename some NGINX template config parameters to align with NGINX directive names:
- Rename
html_file_locationtoroot. - Rename
html_file_nametoindex.
- Rename
-
NGINX App Protect 3.2 supports multiple log destinations per scope. Changing the
security_logvariable from a dictionary to a list of objects in order to support this. -
NGINX App Protect 3.5 supports a new timeout directive which allows the user to configure the period of time between reconnect retries of the module to the web application firewall (WAF) engine. Added this as a supported directive.
FEATURES:
-
Replace Ansible community distribution with Ansible base and add the necessary extra collections as a dependency requirement. For reference, these are:
--- collections: - name: community.general version: 3.8.0 - name: ansible.posix version: 1.3.0 - name: community.docker # This collection is only used as part of the Molecule testing suite version: 1.10.0
-
Explicitly list Jinja2
2.11.3as a requirement, as well as detail the minimum supported version (2.11.x). -
Implement Release Drafter.
-
Add support for configuring NGINX App Protect DoS (Denial of Service) module and directives.
-
Add support for configuring the NGINX Rest API module and the NGINX stub status module.
ENHANCEMENTS:
- Move the
gzipHTTP config template into themodulesfile. It's a small module and did not warrant being in its own individual file. - Update Ansible Lint to
5.1.3, Molecule to3.4.0, yamllint to1.26.3and Docker Python SDK to5.0.2. - Consolidate Molecule testing scenarios to address changes introduced in Ansible Lint
5.*. - Specify GitHub actions Ubuntu release.
- Minor GitHub template tweaks, including the creation of a SECURITY doc.
- Replace Molecule tests using Debian stretch with Debian buster (stretch has reached its EoL), and update list of supported platforms.
- Replace Ansible base with Ansible core. Ansible core will be the "core" Ansible release moving forward from Ansible
2.11. - Update GitHub actions to add a workflow dispatch option.
- Update GitHub actions
ifconditionals to use thecontainsfunction instead of checking for exact names. - Remove Debian Buster from the
plusMolecule scenario since it often fails in the GitHub Actions CI/CD pipeline. - Replace "yes"/"no" boolean values with "true"/"false" to comply with YAML spec
1.2. - Ensure the default values for the
nginx.conftemplate match the default values found on a fresh NGINX installation. - Change Dependabot frequency from daily to weekly.
- Minor touch-up of GitHub actions workflows.
BUG FIXES:
- Add
stateparameter to package module in Molecule verification tests. - In NGINX App Protect environments on SELinux enforced systems, the
nginx -thandler fails when run from a directory that the NGINX process' user does not have access to. - Fix missing GRPC boolean check in GRPC template.
- Fix
nginx_config_cleanup_pathsnot working as intended. - Fix issue with the
app_protect.j2template that was causing the default values fornginx.confto fail.
FEATURES:
- Add support for configuration snippets (use the
nginx_config_snippet_upload_*parameters to configure it). - Add support for Dependabot.
ENHANCEMENTS:
- Add support for NGINX GRPC directives.
- Add support for NGINX GZIP directives.
- Add support for upstream server
backupparameter in http and stream template. - Only run GitHub actions Galaxy CI/CD workflow when a new release is published.
- Update list of supported platforms.
- Update Ansible base to
2.10.5and Ansible to2.10.6.
BUG FIXES:
- Address inconsistent types within Jinja templates.
- Add Jinja2 checks to all config template parameters to ensure that they are only included when appropriately defined.
- Fix edge case where
proxy_passis still required when usinggrpc_pass.
ENHANCEMENTS:
- The GitHub actions Molecule CI/CD workflow is no longer run on a new release (this is not necessary since it already runs on every push).
- The GitHub actions Molecule CI/CD workflow should now correctly avoid running 'Plus' related tests on external PRs.
- The
cleanup-config.ymlplaybook has been slightly refactored and simplified. - Update Ansible base to
2.10.4, Ansible to2.10.5, Molecule to3.2.2and Docker Python SDK to4.4.1. - Update copyright notice.
ENHANCEMENTS:
- Update Molecule to
3.2.1and Docker Python SDK to4.4.0. - Replace TravisCI with GitHub actions.
BUG FIXES:
- Switch to explicit boolean values in
sub_filterdefaults forlast_modifiedandsinceinnginx_config_main_template."on"and"off"values are treated as true instead of true/false when surrounded by double quotes. By always resorting to true/false we avoid unaccounted edge cases. - Fix issue whereas SELinux state would not be correctly set back to
enforcingwhennginx_config_selinux: true.
BREAKING CHANGES:
- The default port of the status and REST API config is now
8080and matches the CI Molecule test which already uses it. You can setnginx_config_status_portto another value if desired. - The allow/deny directives for
nginx_config_statusandnginx_config_rest_apinow take a list instead of a single value. - The default
nginx_config_*_logvalues have changed tonginx_config_*_access_logand no longer have a default value ofoff. Set the respective variables tofalseto preserve the previous behaviour.
ENHANCEMENTS:
- Add survey to README.
- Improve README structure and use tables where relevant.
- Update Ansible (now Ansible base) to
2.10.3, Ansible (now Ansible Community Distribution) to2.10.3, Ansible Lint to4.3.7, Molecule to3.1.5, and yamllint to1.25.0. - Improve templating of stub status and REST API config.
BUG FIXES:
- Prevent TravisCI from trying to build (and failing) NGINX Plus images on external PRs.
- Fix naming for SELinux facts dictionary.
- Correctly import
app_protectglobal directives in template. - Role now runs correctly when using Ansible's check mode.
- Fix issue with access log in stub status and REST API config template not being properly parsed.
BREAKING CHANGES:
The process to configure modules has changed. Instead of manually setting the modules you want to install to true or false, you will now have to use either:
- A newly introduced top level list variable,
nginx_config_modules. - A newly introduced list variable within your main NGINX config template,
nginx_config_main_template.modules.
Make sure you only use one variable or the other, since they will overwrite each other. This change will simplify adding future supported modules to this role, and allows you to include any external modules you may wish in your NGINX config.
FEATURES:
- Support for all NGINX App Protect directives has been added. You can find details on the supported directives on
defaults/main/template.yml. This is the first module to be included using J2 macros. Expect to slowly see a refactor of various modules to use macros where possible. - Add Alpine
3.12to the list of supported platforms. - Remove Alpine
3.8from the list of supported platforms . - Add NGINX Plus tests to TravisCI
ENHANCEMENTS:
- Added handlers to check for NGINX syntax validity and fail if any errors are detected.
- Switch to using
ansible_factswherever possible. - Improved tasks naming conventions.
- Update Ansible to
2.9.13and Ansible Lint to4.3.5. - Explicitly defined
modein relevant tasks. - Improve configuration templating capabilities:
- Allow setting
access_log/access_log_locationtooff. - Add IP restriction for web servers
- Allow setting
BUG FIXES:
An empty nginx_config_cleanup_files will no longer cause nginx_config_cleanup related tasks to fail.
Initial release of the NGINX Config role. Contains all NGINX Config related features previously available on the NGINX Ansible role.