[debops-users] struggling with nginx role

Jan Kowalsky jankow at datenkollektiv.net
Mon Mar 26 11:12:56 CEST 2018


Hi Maciej,

thanks for your quick answer!

Am 25.03.2018 um 15:44 schrieb Maciej Delmanowski:
> On Mar 25, Jan Kowalsky wrote:
> Hello!
> 
>> If I just leave everything as default, I end up with an
>> welcome-configuration where nginx on 443 is listen only for ipv6:
>>
>>    listen [::]:443 ssl http2;
>>
>> While I read somewhere that it should be sufficient to have on
>> ipv6only=off statement, it doesn't work for me (with nginx 1.10.3-1+deb9u1).
>>
>> If it's like
>>
>>   listen [::]:443 ssl http2 ipv6only=off default_server;
>>
>> it work's with ipv4 only. Maybe it's nginx bug - but anyway it would be
>> better to add the ipv6only also to ssl configuration.
> 
> By default, on Debian and Ubuntu (I think) nginx is configured to listen only
> on IPv6 connections. The ipv6only=off parameter disables that and lets nginx
> use "dual stack" mode where it listens for IPv4 and IPv6 connections via the
> same socket. The ipv6only=off parameter can only be present in 1 server
> section for each listening port.

Is it like this? For my impression there is not really a default in
debian. But the sites-available/default comes with:

server {
        listen 80 default_server;
        listen [::]:80 default_server;

which in my opinion is the clearest way.

But there is no default configuration for ssl.

> The debops.nginx role is supposed to handle this for you, depending on the
> existing configuration found on the server. It's a complicated set of rules
> and conditions where role selects one server, register its choice in the
> Ansible local facts and sticks to it. Unfortunately it seems, that the
> mechanism subtly broke some time ago, I haven't been able to pin down the
> cause yet.

And if there ist no existing configuration yet on the server? The
default template only handles http connections - so without manual
configuration there wont be an working ssl configuration at all.

Would it make sense just to configure the templates like ipv4 and ipv6
is configured both?

Since for me the ipv6only=off doesn't work at all for ssl connections, I
got this now working with a configuration like:

nginx_manage_ipv6only: False
# Default listen port for HTTP connections.
nginx_listen_port: [ '[::]:80', '80' ]
# Default listen port for HTTPS connections.
nginx_listen_ssl_port: [ '[::]:443', '443' ]


> What you can do for the time being, is to write one of the server names
> (usually a FQDN or a domain) in the /etc/ansible/facts.d/nginx.fact file
> manually, both in 'default_server' and 'default_server_ssl' keys. The next
> time you run debops.nginx, it should pick these values and reconfigure your
> nginx server accordingly. You might want to remove all symlinks in
> /etc/nginx/sites-enabled/ and re-run all application roles to have clean
> webserver configuration.
> 
> This whole mechanism needs to be replaced at some point, and there are efforts
> to do this, not sure when it will be finished, hopefuly before v1.0.0 version.
> 
> https://github.com/debops/debops/issues/247

I agree.

>> Second:
>>
>> I tried to define an server with:
>>
>> nginx__servers:
>>   - name: [ 'nginxtest.cont0.dknuser.de' ]
>>     enabled: true
>>     delete: false
>>     ssl: true
> 
> The 'delete' key is not needed anymore, you can drop it.
> 
>> and get the following error.
>>

> I ran your configuration on one of my test servers and it passed fine. I'm
> using Ansible 2.5 with Python 2.7 and Jinja 2.8. What Ansible version are you
> using? If older than 2.4, you should upgrade to latest stable (2.5).
> 

well, the error seemed to be somewhere else - but the other part of
configuration worked without the nginx__servers: configruation and vice
versa.

Kind regards
Jan


More information about the debops-users mailing list