[debops-users] struggling with nginx role

Maciej Delmanowski drybjed at drybjed.net
Sun Mar 25 15:44:03 CEST 2018

On Mar 25, Jan Kowalsky wrote:
> Hi all,


> If I just leave everything as default, I end up with a
> welcome configuration where nginx on 443 is listening only for ipv6:
>    listen [::]:443 ssl http2;
> While I read somewhere that it should be sufficient to have one
> ipv6only=off statement, it doesn't work for me (with nginx 1.10.3-1+deb9u1).
> If it's like
>   listen [::]:443 ssl http2 ipv6only=off default_server;
> it works with ipv4 only. Maybe it's an nginx bug - but anyway it would be
> better to add the ipv6only also to ssl configuration.

By default, on Debian and Ubuntu (I think) nginx is configured to listen only
on IPv6 connections. The ipv6only=off parameter disables that and lets nginx
use "dual stack" mode where it listens for IPv4 and IPv6 connections via the
same socket. The ipv6only=off parameter can only be present in 1 server
section for each listening port.

The debops.nginx role is supposed to handle this for you, depending on the
existing configuration found on the server. It's a complicated set of rules
and conditions where the role selects one server, registers its choice in the
Ansible local facts and sticks to it. Unfortunately, it seems that the
mechanism subtly broke some time ago; I haven't been able to pin down the
cause yet.

What you can do for the time being is to write one of the server names
(usually a FQDN or a domain) in the /etc/ansible/facts.d/nginx.fact file
manually, both in 'default_server' and 'default_server_ssl' keys. The next
time you run debops.nginx, it should pick these values and reconfigure your
nginx server accordingly. You might want to remove all symlinks in
/etc/nginx/sites-enabled/ and re-run all application roles to have a clean
webserver configuration.

This whole mechanism needs to be replaced at some point, and there are efforts
to do this; not sure when it will be finished, hopefully before the v1.0.0 version.


> Second:
> I tried to define a server with:
> nginx__servers:
>   - name: [ 'nginxtest.cont0.dknuser.de' ]
>     enabled: true
>     delete: false
>     ssl: true

The 'delete' key is not needed anymore, you can drop it.

> and get the following error.
> TASK [debops.nginx : Create global webroot directories if allowed]
> ***********************************************************************************
> task path:
> /home/user/.local/share/debops/debops/ansible/roles/debops.nginx/tasks/nginx_servers.yml:3
> changed: [nginxtest.example.org] => (item={u'ssl': True, u'enabled':
> True, u'name': [u'nginxtest.cont0.dknuser.de'], u'delete': False}) =>
> {"changed": true, "failed": false, "gid": 0, "group": "root", "item":
> {"delete": false, "enabled": true, "name":
> ["nginxtest.cont0.dknuser.de"], "ssl": true}, "mode": "0755", "owner":
> "root", "path": "/var/www/html/sites/nginxtest.cont0.dknuser.de/public",
> "size": 0, "state": "directory", "uid": 0}
> fatal: [nginxtest.example.org]: FAILED! => {"failed": true, "msg": "The
> task includes an option with an undefined variable. The error was:
> 'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute
> 'name'\n\nThe error appears to have been in
> '/home/user/.local/share/debops/debops/ansible/roles/debops.nginx/tasks/nginx_servers.yml':
> line 3, column 3, but may\nbe elsewhere in the file depending on the
> exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name:
> Create global webroot directories if allowed\n  ^ here\n\nexception
> type: <class 'ansible.errors.AnsibleUndefinedVariable'>\nexception:
> 'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute
> 'name'"}

I ran your configuration on one of my test servers and it passed fine. I'm
using Ansible 2.5 with Python 2.7 and Jinja 2.8. What Ansible version are you
using? If older than 2.4, you should upgrade to latest stable (2.5).
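
Added example (not part of the original message and not code from the debops.nginx role): a small Python check for the two listen-directive states discussed in this thread, a port where ipv6only=off appears in more than one server section and a port that only has an IPv6 wildcard listener. The function name audit_listen, the problem labels and the sample hostnames are constructed for illustration; only wildcard listen addresses are examined.

```python
import re
from collections import defaultdict

# Constructed sample input: two vhosts like those found in /etc/nginx/sites-enabled/.
SAMPLE = """\
server {
    listen [::]:80 ipv6only=off default_server;
    listen [::]:443 ssl http2;
    server_name welcome.example.org;
}
server {
    listen [::]:80 ipv6only=off;
    listen [::]:443 ssl http2;
    server_name app.example.org;
}
"""

LISTEN = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)


def audit_listen(config_text):
    """Map each wildcard port to the dual-stack problems found for it."""
    v4, v6, dual = defaultdict(int), defaultdict(int), defaultdict(int)
    for match in LISTEN.finditer(config_text):
        addr, *params = match.group(1).split()
        if addr.startswith("[::]:"):            # IPv6 wildcard socket
            port = addr[len("[::]:"):]
            v6[port] += 1
            dual[port] += "ipv6only=off" in params
        elif addr.isdigit() or addr.startswith(("*:", "0.0.0.0:")):
            v4[addr.rsplit(":", 1)[-1]] += 1    # IPv4 wildcard socket
    problems = {}
    for port in sorted(v6, key=int):
        found = []
        if dual[port] > 1:      # allowed in one server section per port
            found.append("duplicate-ipv6only-off")
        if dual[port] == 0 and v4[port] == 0:   # nothing accepts IPv4 here
            found.append("ipv6-only")
        if found:
            problems[port] = found
    return problems


if __name__ == "__main__":
    for port, found in audit_listen(SAMPLE).items():
        print(f"port {port}: {', '.join(found)}")
```

To audit a live host, pass it the concatenated contents of the enabled site files instead of SAMPLE.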
