[debops-users] struggling with nginx role

Maciej Delmanowski drybjed at drybjed.net
Mon Mar 26 11:43:49 CEST 2018


On Mar 26, Jan Kowalsky wrote:
>> By default, on Debian and Ubuntu (I think) nginx is configured to listen only
>> on IPv6 connections. The ipv6only=off parameter disables that and lets nginx
>> use "dual stack" mode where it listens for IPv4 and IPv6 connections via the
>> same socket. The ipv6only=off parameter can only be present in 1 server
>> section for each listening port.
> Is it like this?

I haven't looked at the Debian source, but ipv6only=on is the nginx upstream default at
least from v1.3.4, according to: https://trac.nginx.org/nginx/ticket/455

> For my impression there is not really a default in
> debian. But the sites-available/default comes with:
> 
> server {
>         listen 80 default_server;
>         listen [::]:80 default_server;
> 
> which in my opinion is the clearest way.

Yeah, perhaps going with separate listening configuration for IPv4 and IPv6
would be the way to go - that's how Debian handles the defaults from upstream.
It still requires some modification of the 'debops.nginx' role. I designed the
role to allow for additional listening ports other than 80 and 443, but if we
forgo the complexity, stick only to the http and https ports, and use
subdomains instead, that should make things a little easier. I certainly
hadn't used additional ports with 'debops.nginx' like, ever, and I haven't
heard about anyone else that does this, apart from adding a separate listen port
like you do below.

> But there is no default configuration for ssl.

SSL involves much more work than installing an APT package, so having no
default SSL configuration enabled is IMO a good thing. That's where DebOps
comes in, with 'debops.pki' role, where proper set of X.509 certificates can
be created and then consumed by nginx.

>> The debops.nginx role is supposed to handle this for you, depending on the
>> existing configuration found on the server. It's a complicated set of rules
>> and conditions where the role selects one server, registers its choice in the
>> Ansible local facts and sticks to it. Unfortunately it seems that the
>> mechanism subtly broke some time ago, I haven't been able to pin down the
>> cause yet.
> 
> And if there is no existing configuration yet on the server? The
> default template only handles http connections - so without manual
> configuration there won't be a working ssl configuration at all.

That's why the 'debops.nginx' removes the symlink to the default server
template provided by Debian and generates its own set of default configuration
for HTTP and HTTPS servers. The complicated method of choosing
a default_server is done to handle a situation where there's no initial server
configured. But as I said, currently it's a bit stupid since the role knows only
about the servers that are explicitly configured by Ansible; a dynamic local
fact could handle this much better.

> Would it make sense just to configure the templates like ipv4 and ipv6
> are both configured?
> 
> Since for me the ipv6only=off doesn't work at all for ssl connections, I
> got this now working with a configuration like:
> 
> nginx_manage_ipv6only: False
> # Default listen port for HTTP connections.
> nginx_listen_port: [ '[::]:80', '80' ]
> # Default listen port for HTTPS connections.
> nginx_listen_ssl_port: [ '[::]:443', '443' ]

Sure, I suppose that this issue has caused so much grief over the years that
backing off from utilizing ipv6only=off and switching to separate listening
sockets on IPv4 and IPv6 would make things easier. I'm not sure if
default_server is really needed either, but it could be useful to still have
the role pick one server as the default.

The 'debops.nginx' role as a whole is a bit neglected, with lacking
documentation and aging code. Ironically it's one of the more used roles,
since many DebOps services depend on it. Now that all of the DebOps roles are
in one git monorepo, doing an overhaul of the debops.nginx role with new
configuration system and improved documentation should be much easier to do,
though.

Cheers,
Maciej