Hi Maciej,
thanks for your quick answer!
On 25.03.2018 at 15:44, Maciej Delmanowski wrote:
On Mar 25, Jan Kowalsky wrote:
Hello!
> If I just leave everything as default, I end up with a
> welcome-configuration where nginx on 443 is listening only for ipv6:
>
> listen [::]:443 ssl http2;
>
> While I read somewhere that it should be sufficient to have one
> ipv6only=off statement, it doesn't work for me (with nginx 1.10.3-1+deb9u1).
>
> If it's like
>
> listen [::]:443 ssl http2 ipv6only=off default_server;
>
> it works with ipv4 only. Maybe it's an nginx bug - but anyway it would be
> better to add the ipv6only also to ssl configuration.
By default, on Debian and Ubuntu (I think) nginx is configured to listen only
on IPv6 connections. The ipv6only=off parameter disables that and lets nginx
use "dual stack" mode where it listens for IPv4 and IPv6 connections via the
same socket. The ipv6only=off parameter can only be present in 1 server
section for each listening port.
Is it like this? In my impression there is not really a default in
Debian. But the sites-available/default comes with:

    server {
        listen 80 default_server;
        listen [::]:80 default_server;

which in my opinion is the clearest way.
But there is no default configuration for ssl.
The debops.nginx role is supposed to handle this for you, depending on the
existing configuration found on the server. It's a complicated set of rules
and conditions where the role selects one server, registers its choice in the
Ansible local facts and sticks to it. Unfortunately it seems that the
mechanism subtly broke some time ago, I haven't been able to pin down the
cause yet.
And if there is no existing configuration yet on the server? The
default template only handles http connections - so without manual
configuration there won't be a working ssl configuration at all.
Would it make sense just to configure the templates so that ipv4 and ipv6
are both configured?
Since for me the ipv6only=off doesn't work at all for ssl connections, I
got this now working with a configuration like:

    nginx_manage_ipv6only: False
    # Default listen port for HTTP connections.
    nginx_listen_port: [ '[::]:80', '80' ]
    # Default listen port for HTTPS connections.
    nginx_listen_ssl_port: [ '[::]:443', '443' ]

What you can do for the time being, is to write one of the server names
(usually a FQDN or a domain) in the /etc/ansible/facts.d/nginx.fact file
manually, both in 'default_server' and 'default_server_ssl' keys. The next
time you run debops.nginx, it should pick these values and reconfigure your
nginx server accordingly. You might want to remove all symlinks in
/etc/nginx/sites-enabled/ and re-run all application roles to have a clean
webserver configuration.
This whole mechanism needs to be replaced at some point, and there are efforts
to do this, not sure when it will be finished, hopefully before v1.0.0 version.
https://github.com/debops/debops/issues/247
I agree.
> Second:
>
> I tried to define a server with:
>
> nginx__servers:
>   - name: [ 'nginxtest.cont0.dknuser.de' ]
>     enabled: true
>     delete: false
>     ssl: true
The 'delete' key is not needed anymore, you can drop it.
> and get the following error.
>
I ran your configuration on one of my test servers and it passed fine. I'm
using Ansible 2.5 with Python 2.7 and Jinja 2.8. What Ansible version are you
using? If older than 2.4, you should upgrade to the latest stable (2.5).
Well, the error seemed to be somewhere else - but the other part of
configuration worked without the nginx__servers: configuration and vice
versa.
Kind regards
Jan
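
An added example, not part of the original thread and not debops.nginx code: a Python check for the two listen problems discussed above, a port that has only an IPv6 listener without ipv6only=off, and a port where ipv6only=off appears more than once. The sample configuration is constructed; grouping by port number only and defaulting a missing port to 80 are simplifying assumptions.

```python
import re
from collections import defaultdict

# Constructed sample config, modelled on the listen lines quoted in the thread.
SAMPLE = """
server {
    listen 80 default_server;
    listen [::]:80 default_server;
}
server {
    listen [::]:443 ssl http2;
}
server {
    listen [::]:8443 ssl ipv6only=off default_server;
}
server {
    listen [::]:8443 ssl ipv6only=off;
}
"""

LISTEN = re.compile(r"^\s*listen\s+([^;]+);", re.M)

def parse_listen(args):
    """Split one listen directive into (family, port, params)."""
    addr, *params = args.split()
    family = "v6" if addr.startswith("[") else "v4"
    port = addr.rpartition("]:" if family == "v6" else ":")[2]
    # Assumption: an address without an explicit port means port 80.
    return family, int(port) if port.isdigit() else 80, params

def audit(conf):
    """Return {port: finding} for the two problems discussed in the thread."""
    ports = defaultdict(lambda: {"v4": 0, "v6": 0, "dual": 0})
    for m in LISTEN.finditer(conf):
        if m.group(1).startswith("unix:"):
            continue  # unix sockets have no port
        family, port, params = parse_listen(m.group(1))
        ports[port][family] += 1
        if family == "v6" and "ipv6only=off" in params:
            ports[port]["dual"] += 1
    findings = {}
    for port, c in sorted(ports.items()):
        if c["dual"] > 1:
            findings[port] = "ipv6only=off set more than once"
        elif c["v6"] and not c["v4"] and not c["dual"]:
            findings[port] = "IPv6-only listener"
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```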