3:14 p.m.
Hi all,
I'm struggling with the debops nginx role. Maybe someone can help.
First:
If I just leave everything as default, I end up with an
welcome-configuration where nginx on 443 is listen only for ipv6:
listen [::]:443 ssl http2;
While I read somewhere that it should be sufficient to have on
ipv6only=off statement, it doesn't work for me (with nginx 1.10.3-1+deb9u1).
If it's like
listen [::]:443 ssl http2 ipv6only=off default_server;
it work's with ipv4 only. Maybe it's nginx bug - but anyway it would be
better to add the ipv6only also to ssl configuration.
Second:
I tried to define an server with:
nginx__servers:
- name: [ 'nginxtest.cont0.dknuser.de' ]
enabled: true
delete: false
ssl: true
and get the following error.
TASK [debops.nginx : Create global webroot directories if allowed]
***********************************************************************************
task path:
/home/user/.local/share/debops/debops/ansible/roles/debops.nginx/tasks/nginx_servers.yml:3
changed: [nginxtest.example.org] => (item={u'ssl': True, u'enabled':
True, u'name': [u'nginxtest.cont0.dknuser.de'], u'delete': False})
=>
{"changed": true, "failed": false, "gid": 0,
"group": "root", "item":
{"delete": false, "enabled": true, "name":
["nginxtest.cont0.dknuser.de"], "ssl": true}, "mode":
"0755", "owner":
"root", "path":
"/var/www/html/sites/nginxtest.cont0.dknuser.de/public",
"size": 0, "state": "directory", "uid": 0}
fatal: [nginxtest.example.org]: FAILED! => {"failed": true, "msg":
"The
task includes an option with an undefined variable. The error was:
'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute
'name'\n\nThe error appears to have been in
'/home/user/.local/share/debops/debops/ansible/roles/debops.nginx/tasks/nginx_servers.yml':
line 3, column 3, but may\nbe elsewhere in the file depending on the
exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name:
Create global webroot directories if allowed\n ^ here\n\nexception
type: <class 'ansible.errors.AnsibleUndefinedVariable'>\nexception:
'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute
'name'"}
What do I wrong?
Best regards
Jan
3:44 p.m.
On Mar 25, Jan Kowalsky wrote:
Hi all,
Hello!
If I just leave everything as default, I end up with an
welcome-configuration where nginx on 443 is listen only for ipv6:
listen [::]:443 ssl http2;
While I read somewhere that it should be sufficient to have on
ipv6only=off statement, it doesn't work for me (with nginx 1.10.3-1+deb9u1).
If it's like
listen [::]:443 ssl http2 ipv6only=off default_server;
it work's with ipv4 only. Maybe it's nginx bug - but anyway it would be
better to add the ipv6only also to ssl configuration.
By default, on Debian and Ubuntu (I think) nginx is configured to listen only
on IPv6 connections. The ipv6only=off parameter disables that and lets nginx
use "dual stack" mode where it listens for IPv4 and IPv6 connections via the
same socket. The ipv6only=off parameter can only be present in 1 server
section for each listening port.
The debops.nginx role is supposed to handle this for you, depending on the
existing configuration found on the server. It's a complicated set of rules
and conditions where role selects one server, register its choice in the
Ansible local facts and sticks to it. Unfortunately it seems, that the
mechanism subtly broke some time ago, I haven't been able to pin down the
cause yet.
What you can do for the time being, is to write one of the server names
(usually a FQDN or a domain) in the /etc/ansible/facts.d/nginx.fact file
manually, both in 'default_server' and 'default_server_ssl' keys. The
next
time you run debops.nginx, it should pick these values and reconfigure your
nginx server accordingly. You might want to remove all symlinks in
/etc/nginx/sites-enabled/ and re-run all application roles to have clean
webserver configuration.
This whole mechanism needs to be replaced at some point, and there are efforts
to do this, not sure when it will be finished, hopefuly before v1.0.0 version.
https://github.com/debops/debops/issues/247
Second:
I tried to define an server with:
nginx__servers:
- name: [ 'nginxtest.cont0.dknuser.de' ]
enabled: true
delete: false
ssl: true
The 'delete' key is not needed anymore, you can drop it.
and get the following error.
TASK [debops.nginx : Create global webroot directories if allowed]
***********************************************************************************
task path:
/home/user/.local/share/debops/debops/ansible/roles/debops.nginx/tasks/nginx_servers.yml:3
changed: [nginxtest.example.org] => (item={u'ssl': True, u'enabled':
True, u'name': [u'nginxtest.cont0.dknuser.de'], u'delete':
False}) =>
{"changed": true, "failed": false, "gid": 0,
"group": "root", "item":
{"delete": false, "enabled": true, "name":
["nginxtest.cont0.dknuser.de"], "ssl": true}, "mode":
"0755", "owner":
"root", "path":
"/var/www/html/sites/nginxtest.cont0.dknuser.de/public",
"size": 0, "state": "directory", "uid": 0}
fatal: [nginxtest.example.org]: FAILED! => {"failed": true, "msg":
"The
task includes an option with an undefined variable. The error was:
'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute
'name'\n\nThe error appears to have been in
'/home/user/.local/share/debops/debops/ansible/roles/debops.nginx/tasks/nginx_servers.yml':
line 3, column 3, but may\nbe elsewhere in the file depending on the
exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name:
Create global webroot directories if allowed\n ^ here\n\nexception
type: <class 'ansible.errors.AnsibleUndefinedVariable'>\nexception:
'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute
'name'"}
I ran your configuration on one of my test servers and it passed fine. I'm
using Ansible 2.5 with Python 2.7 and Jinja 2.8. What Ansible version are you
using? If older than 2.4, you should upgrade to latest stable (2.5).
Cheers,
Maciej
11:12 a.m.
Hi Maciej,
thanks for your quick answer!
Am 25.03.2018 um 15:44 schrieb Maciej Delmanowski:
On Mar 25, Jan Kowalsky wrote:
Hello!
> If I just leave everything as default, I end up with an
> welcome-configuration where nginx on 443 is listen only for ipv6:
>
> listen [::]:443 ssl http2;
>
> While I read somewhere that it should be sufficient to have on
> ipv6only=off statement, it doesn't work for me (with nginx 1.10.3-1+deb9u1).
>
> If it's like
>
> listen [::]:443 ssl http2 ipv6only=off default_server;
>
> it work's with ipv4 only. Maybe it's nginx bug - but anyway it would be
> better to add the ipv6only also to ssl configuration.
By default, on Debian and Ubuntu (I think) nginx is configured to listen only
on IPv6 connections. The ipv6only=off parameter disables that and lets nginx
use "dual stack" mode where it listens for IPv4 and IPv6 connections via the
same socket. The ipv6only=off parameter can only be present in 1 server
section for each listening port.
Is it like this? For my impression there is not really a default in
debian. But the sites-available/default comes with:
server {
listen 80 default_server;
listen [::]:80 default_server;
which in my opinion is the clearest way.
But there is no default configuration for ssl.
The debops.nginx role is supposed to handle this for you, depending
on the
existing configuration found on the server. It's a complicated set of rules
and conditions where role selects one server, register its choice in the
Ansible local facts and sticks to it. Unfortunately it seems, that the
mechanism subtly broke some time ago, I haven't been able to pin down the
cause yet.
And if there ist no existing configuration yet on the server? The
default template only handles http connections - so without manual
configuration there wont be an working ssl configuration at all.
Would it make sense just to configure the templates like ipv4 and ipv6
is configured both?
Since for me the ipv6only=off doesn't work at all for ssl connections, I
got this now working with a configuration like:
nginx_manage_ipv6only: False
# Default listen port for HTTP connections.
nginx_listen_port: [ '[::]:80', '80' ]
# Default listen port for HTTPS connections.
nginx_listen_ssl_port: [ '[::]:443', '443' ]
What you can do for the time being, is to write one of the server
names
(usually a FQDN or a domain) in the /etc/ansible/facts.d/nginx.fact file
manually, both in 'default_server' and 'default_server_ssl' keys. The
next
time you run debops.nginx, it should pick these values and reconfigure your
nginx server accordingly. You might want to remove all symlinks in
/etc/nginx/sites-enabled/ and re-run all application roles to have clean
webserver configuration.
This whole mechanism needs to be replaced at some point, and there are efforts
to do this, not sure when it will be finished, hopefuly before v1.0.0 version.
https://github.com/debops/debops/issues/247
I agree.
> Second:
>
> I tried to define an server with:
>
> nginx__servers:
> - name: [ 'nginxtest.cont0.dknuser.de' ]
> enabled: true
> delete: false
> ssl: true
The 'delete' key is not needed anymore, you can drop it.
> and get the following error.
>
I ran your configuration on one of my test servers and it passed
fine. I'm
using Ansible 2.5 with Python 2.7 and Jinja 2.8. What Ansible version are you
using? If older than 2.4, you should upgrade to latest stable (2.5).
well, the error seemed to be somewhere else - but the other part of
configuration worked without the nginx__servers: configruation and vice
versa.
Kind regards
Jan
11:43 a.m.
On Mar 26, Jan Kowalsky wrote:
> By default, on Debian and Ubuntu (I think) nginx is configured to
listen only
> on IPv6 connections. The ipv6only=off parameter disables that and lets nginx
> use "dual stack" mode where it listens for IPv4 and IPv6 connections via
the
> same socket. The ipv6only=off parameter can only be present in 1 server
> section for each listening port.
Is it like this?
I haven't look at Debian source, but ipv6only=on is nginx upstream default at
least from v1.3.4, according to: https://trac.nginx.org/nginx/ticket/455
For my impression there is not really a default in
debian. But the sites-available/default comes with:
server {
listen 80 default_server;
listen [::]:80 default_server;
which in my opinion is the clearest way.
Yeah, perhaps going with separate listening configuration for IPv4 and IPv6
would be the way to go - that's how Debian handles the defaults from upstream.
It sill requires some modification of the 'debops.nginx' role. I designed the
role to allow for additional listening ports other than 80 and 443, but if we
forgo the complexity, stick only to the http and https ports, and use
subdomains instead, that should make things a little easier. I certainly
hadn't used additional ports with 'debops.nginx' like, ever, and I
haven't
heard about anyone else that does this, part from adding separate listen port
like you do below.
But there is no default configuration for ssl.
SSL involves much more work than installing an APT package, so having no
default SSL configuration enabled is IMO a good thing. That's where DebOps
comes in, with 'debops.pki' role, where proper set of X.509 certificates can
be created and then consumed by nginx.
> The debops.nginx role is supposed to handle this for you,
depending on the
> existing configuration found on the server. It's a complicated set of rules
> and conditions where role selects one server, register its choice in the
> Ansible local facts and sticks to it. Unfortunately it seems, that the
> mechanism subtly broke some time ago, I haven't been able to pin down the
> cause yet.
And if there ist no existing configuration yet on the server? The
default template only handles http connections - so without manual
configuration there wont be an working ssl configuration at all.
That's why the 'debops.nginx' removes the symlink to the default server
template provided by Debian and generates its own set of default configuration
for HTTP and HTTPS servers. The complicated method of choosing
a default_server is done to handle a situation where there's no initial server
configured. But as I said, currently it's a bit stupid since role knows only
about the servers that are explicitly configured by Ansible; a dynamic local
fact could handle this much better.
Would it make sense just to configure the templates like ipv4 and
ipv6
is configured both?
Since for me the ipv6only=off doesn't work at all for ssl connections, I
got this now working with a configuration like:
nginx_manage_ipv6only: False
# Default listen port for HTTP connections.
nginx_listen_port: [ '[::]:80', '80' ]
# Default listen port for HTTPS connections.
nginx_listen_ssl_port: [ '[::]:443', '443' ]
Sure, I suppose that this issue has caused so much grief over the years that
backing off from utilizing ipv6onky=off and switching to separate listening
sockets on IPv4 and IPv6 would make things easier. I'm not sure if
default_server is really needed either, but it could be useful to still have
the role pick one server as the default.
The 'debops.nginx' role as a whole is a bit neglected, with lacking
documentation and aging code. Ironically it's one of the more used roles,
since many DebOps services depend on it. Now that all of the DebOps roles are
in one git monorepo, doing an overhaul of the debops.nginx role with new
configuration system and improved documentation should be much easier to do,
though.
Cheers,
Maciej
2462
days inactive
2463
days old
3 comments
2 participants
participants (2)
-
Jan Kowalsky -
Maciej Delmanowski