On Mar 25, Jan Kowalsky wrote:
Hi all,
Hello!
If I just leave everything as default, I end up with a
welcome-configuration where nginx on 443 is listening only for ipv6:
listen [::]:443 ssl http2;
While I read somewhere that it should be sufficient to have one
ipv6only=off statement, it doesn't work for me (with nginx 1.10.3-1+deb9u1).
If it's like
listen [::]:443 ssl http2 ipv6only=off default_server;
it works with ipv4 only. Maybe it's an nginx bug - but anyway it would be
better to add the ipv6only also to ssl configuration.
By default, on Debian and Ubuntu (I think) nginx is configured to listen only
on IPv6 connections. The ipv6only=off parameter disables that and lets nginx
use "dual stack" mode where it listens for IPv4 and IPv6 connections via the
same socket. The ipv6only=off parameter can only be present in 1 server
section for each listening port.
The debops.nginx role is supposed to handle this for you, depending on the
existing configuration found on the server. It's a complicated set of rules
and conditions where the role selects one server, registers its choice in the
Ansible local facts and sticks to it. Unfortunately, it seems that the
mechanism subtly broke some time ago; I haven't been able to pin down the
cause yet.
What you can do for the time being is to write one of the server names
(usually a FQDN or a domain) in the /etc/ansible/facts.d/nginx.fact file
manually, both in 'default_server' and 'default_server_ssl' keys. The next
time you run debops.nginx, it should pick these values and reconfigure your
nginx server accordingly. You might want to remove all symlinks in
/etc/nginx/sites-enabled/ and re-run all application roles to have a clean
webserver configuration.
This whole mechanism needs to be replaced at some point, and there are efforts
to do this; not sure when it will be finished, hopefully before the v1.0.0 version.
https://github.com/debops/debops/issues/247
Second:
I tried to define a server with:
nginx__servers:
  - name: [ 'nginxtest.cont0.dknuser.de' ]
    enabled: true
    delete: false
    ssl: true
The 'delete' key is not needed anymore, you can drop it.
and get the following error.
TASK [debops.nginx : Create global webroot directories if allowed]
***********************************************************************************
task path: /home/user/.local/share/debops/debops/ansible/roles/debops.nginx/tasks/nginx_servers.yml:3
changed: [nginxtest.example.org] => (item={u'ssl': True, u'enabled':
True, u'name': [u'nginxtest.cont0.dknuser.de'], u'delete': False}) =>
{"changed": true, "failed": false, "gid": 0,
"group": "root", "item":
{"delete": false, "enabled": true, "name":
["nginxtest.cont0.dknuser.de"], "ssl": true}, "mode":
"0755", "owner":
"root", "path":
"/var/www/html/sites/nginxtest.cont0.dknuser.de/public",
"size": 0, "state": "directory", "uid": 0}
fatal: [nginxtest.example.org]: FAILED! => {"failed": true, "msg": "The
task includes an option with an undefined variable. The error was:
'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute
'name'\n\nThe error appears to have been in
'/home/user/.local/share/debops/debops/ansible/roles/debops.nginx/tasks/nginx_servers.yml':
line 3, column 3, but may\nbe elsewhere in the file depending on the
exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name:
Create global webroot directories if allowed\n ^ here\n\nexception
type: <class 'ansible.errors.AnsibleUndefinedVariable'>\nexception:
'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute
'name'"}
I ran your configuration on one of my test servers and it passed fine. I'm
using Ansible 2.5 with Python 2.7 and Jinja 2.8. What Ansible version are you
using? If older than 2.4, you should upgrade to the latest stable (2.5).
Cheers,
Maciej
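
Added example, not part of the original thread and not debops code: a small check that reads nginx "listen" directives and reports, per port, whether the port is reachable over IPv6 only or whether ipv6only=off appears more than once, the two conditions discussed above. The function name audit_listen, the verdict strings and the sample hostnames are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: port 443 has only "[::]:443" listeners and none of them
# carries ipv6only=off, which is the situation described in the thread.
SAMPLE = """\
server {
    listen [::]:80 ipv6only=off default_server;
    server_name a.example.org;
}
server {
    listen [::]:443 ssl http2;
    server_name a.example.org;
}
server {
    listen [::]:443 ssl http2;
    server_name b.example.org;
}
"""

LISTEN_RE = re.compile(r"^\s*listen\s+([^;#]+);", re.M)

def audit_listen(conf):
    """Return {port: verdict} for every TCP port named in listen directives."""
    seen = defaultdict(lambda: {"v4": 0, "v6": 0, "dual": 0})
    for match in LISTEN_RE.finditer(conf):
        addr, *params = match.group(1).split()
        if addr.startswith("unix:"):
            continue  # UNIX sockets have no address family to check
        if addr.startswith("["):  # IPv6 literal, e.g. [::]:443 or [::1]
            port = addr.rsplit("]:", 1)[1] if "]:" in addr else "80"
            seen[port]["v6"] += 1
            seen[port]["dual"] += "ipv6only=off" in params
        else:  # "443", "*:443", "192.0.2.1:443" or a bare address
            port = addr if addr.isdigit() else (addr.rsplit(":", 1) + ["80"])[1]
            seen[port]["v4"] += 1
    verdicts = {}
    for port, n in seen.items():
        if n["dual"] > 1:
            verdicts[port] = "duplicate ipv6only=off"
        elif n["v6"] and not n["dual"] and not n["v4"]:
            verdicts[port] = "ipv6-only"
        else:
            verdicts[port] = "ok"
    return verdicts

if __name__ == "__main__":
    for port, verdict in sorted(audit_listen(SAMPLE).items(), key=lambda kv: int(kv[0])):
        print(port, verdict)
```

To check a real host, feed it the concatenated contents of the files under /etc/nginx/sites-enabled/ instead of SAMPLE.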