Is your feature request related to a problem?
Almost. I would like to terminate SSL with nginx and use it as a reverse proxy at the same time. Even though I think this is a fairly common scenario, I did not see an example for it in the documentation.
Describe the solution you'd like
A configuration example showing how to terminate SSL with the reverse proxy.
Describe alternatives you've considered
I considered setting up an nginx reverse proxy with SSL termination without this role, i.e. configuring nginx manually, if this turns out to be too hard.
You can take the example and extend it with the dict objects taken from the template defaults: https://github.com/nginxinc/ansible-role-nginx/blob/master/defaults/main/template.yml
Something like this:
nginx_http_template_enable: true
nginx_http_template:
  jira_mydomain_net:
    conf_file_name: jira_mydomain_net.conf
    servers:
      first:
        listen:
          listen_public:
            ip: 0.0.0.0
            port: 443
            ssl: true
        server_name: jira.mydomain.net
        ssl:
          cert: /etc/ssl/certs/jira.mydomain.net.crt
          key: /etc/ssl/private/jira.mydomain.net.key
        access_log:
          - name: combined
            location: /var/log/nginx/jira.mydomain.net_access.log
        error_log:
          location: /var/log/nginx/jira.mydomain.net_error.log
          level: warn
        reverse_proxy:
          locations:
            default:
              location: /
              proxy_pass: http://jira01.local.mydomain.net:8080
I left out ssl ciphers, dhparam, proxy_set_header and so on because I set those in the base configuration, but you can take them from the examples and defaults. The same applies when using upstreams.
@xTrekStorex is completely right. At some stage I would like to have working examples for most of the use cases covered in the Molecule playbooks, including SSL (using self-signed certificates) where possible.
I am trying to generate the configuration below and I am wondering whether it is supported.
location /app1/ {
    proxy_pass http://localhost:6000;
}
location /app2/ {
    proxy_pass http://localhost:5000;
}
It should definitely work. Are you using the latest release or main? If you are on main, you can see at https://github.com/nginxinc/ansible-role-nginx-config/blob/main/molecule/default/converge.yml#L153-L290 that there are two location blocks, each with a proxy_pass. You can set the values you mentioned for location and proxy_pass. (Note: you might want to open a new issue; as far as I can tell your question is not related to ssl.)
Also, I cannot configure a simple reverse proxy. I did not recognise the reverse_proxy: part in the example above.
If I try to use proxy_pass instead of root in the server I defined, I get
TemplateAssertionError: no test named 'boolean'
I would appreciate a small example.
The reverse_proxy section no longer exists. It has been refactored into the proxy dict, which you can find in main (and 0.4.0). Did you check the example I linked in the comment above? Also, proxy_pass is not allowed within the server context; it always has to be inside a location: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
Example:
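The two rules stated in this thread (proxy_pass only inside a location, reverse_proxy replaced by the proxy dict) are easy to check before a playbook run. The following is an added example, not code from the role or from anyone in this thread: a small linter over a parsed nginx_config_http_template value in the list layout used in the examples above. The cert/key check is an extra assumption based on nginx behaviour (a listen ... ssl without a certificate and key fails at startup); the sample inputs are constructed, with .test hostnames.

```python
"""Sanity-check an ansible-role-nginx-config `nginx_config_http_template` value.

Added example; not code from the role or from this thread. It encodes the rules
stated above: `proxy_pass` belongs inside a location (nginx rejects it in the
server context), and the old `reverse_proxy` section was refactored into the
`proxy` dict (main / 0.4.0). The cert/key check is an added assumption about
nginx behaviour: `listen ... ssl` without ssl_certificate/ssl_certificate_key
fails at startup. The data layout assumed is the list form used in the thread.
"""
from typing import Any, Dict, List


def lint_server(server: Dict[str, Any], where: str) -> List[str]:
    """Return human-readable findings for one entry of a template's `servers` list."""
    findings: List[str] = []

    # Rule from the thread: proxy_pass is only valid inside a location block.
    if "proxy_pass" in server:
        findings.append(f"{where}: proxy_pass is not allowed in the server context; move it into a location")

    # Rule from the thread: reverse_proxy no longer exists; use proxy inside a location.
    if "reverse_proxy" in server:
        findings.append(f"{where}: reverse_proxy was removed; use the proxy dict inside a location")

    # Assumption (nginx behaviour, not stated in the thread): an ssl listener needs cert and key.
    has_ssl_listen = any(bool(entry.get("ssl")) for entry in server.get("listen", []))
    ssl = server.get("ssl") or {}
    if has_ssl_listen and not (ssl.get("cert") and ssl.get("key")):
        findings.append(f"{where}: listen has ssl: true but ssl.cert / ssl.key are not set")

    # The removed key is also flagged if someone nests it under a location.
    for i, loc in enumerate(server.get("locations", [])):
        if "reverse_proxy" in loc:
            findings.append(f"{where}.locations[{i}]: reverse_proxy was removed; use the proxy dict")
    return findings


def lint_http_template(templates: List[Dict[str, Any]]) -> List[str]:
    """Lint every server of every template entry; an empty list means nothing was flagged."""
    findings: List[str] = []
    for t, template in enumerate(templates):
        name = template.get("conf_file_name", f"templates[{t}]")
        for s, server in enumerate(template.get("servers", [])):
            findings.extend(lint_server(server, f"{name} servers[{s}]"))
    return findings


# Constructed input mirroring the failing attempt described in the thread:
# proxy_pass at server level, the old reverse_proxy key, an ssl listener without cert/key.
BROKEN_TEMPLATE = [{
    "template_file": "http/default.conf.j2",
    "conf_file_name": "jira.example.test.conf",
    "conf_file_location": "/etc/nginx/conf.d/",
    "servers": [{
        "listen": [{"port": 443, "ssl": True}],
        "server_name": "jira.example.test",
        "proxy_pass": "http://jira01.example.test:8080",
        "reverse_proxy": {"locations": {"default": {"location": "/"}}},
    }],
}]

# Constructed input in the shape of the working example in the thread:
# TLS settings on the server, proxy_pass and proxy.set_header inside a location.
WORKING_TEMPLATE = [{
    "template_file": "http/default.conf.j2",
    "conf_file_name": "app.example.test.conf",
    "conf_file_location": "/etc/nginx/conf.d/",
    "servers": [{
        "listen": [{"port": 443, "ssl": True, "opts": []}],
        "server_name": "app.example.test",
        "ssl": {"cert": "/etc/ssl/certs/app.example.test.crt",
                "key": "/etc/ssl/private/app.example.test.key"},
        "locations": [{
            "location": "/backend",
            "proxy_pass": "http://127.0.0.1:8080/",
            "proxy": {"set_header": [
                {"field": "Host", "value": "$host"},
                {"field": "X-Forwarded-For", "value": "$proxy_add_x_forwarded_for"},
                {"field": "X-Forwarded-Proto", "value": "$scheme"},
            ]},
        }],
    }],
}]

if __name__ == "__main__":
    for label, data in (("broken", BROKEN_TEMPLATE), ("working", WORKING_TEMPLATE)):
        print(label, lint_http_template(data) or "ok")
```

Feed it the dict you get from loading your group_vars file (for example with yaml.safe_load) and fix every finding before running the role; the broken sample above produces three findings and the working one none.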
nginx_config_http_template_enable: true
nginx_config_http_template:
  - template_file: http/default.conf.j2
    conf_file_name: '{{ my_server_name }}.conf'
    conf_file_location: /etc/nginx/conf.d/
    servers:
      - listen:
          - port: 443
            ssl: true
            opts: []
        server_name: '{{ my_server_name }}'
        ssl:
          cert: '/etc/ssl/certs/{{ my_ssl_prefix }}.nginx.bundle.crt'
          key: '/etc/ssl/private/{{ my_ssl_prefix }}.key'
          protocols: '{{ NGINX_PROTOCOLS }}'
          prefer_server_ciphers: true
          ciphers: '{{ NGINX_CIPHERS }}'
          stapling: true
          stapling_verify: true
        autoindex: false
        locations:
          - location: /
            root: '{{ my_root_folder }}'
          - location: /backend
            proxy_pass: http://127.0.0.1:8080/
            proxy:
              set_header:
                - field: Host
                  value: $host
                - field: X-Real-IP
                  value: $remote_addr
                - field: X-Forwarded-For
                  value: $proxy_add_x_forwarded_for
                - field: X-Forwarded-Proto
                  value: $scheme
Result:
failed: [testing-snap05.MYDOMAIN.TLD] (item={'template_file': 'http/default.conf.j2', 'conf_file_name': 'testing-snap05.staging.MYDOMAIN.TLD.conf', 'conf_file_location': '/etc/nginx/conf.d/', 'servers': [{'listen': [{'port': 443, 'ssl': True, 'opts': []}], 'server_name': 'testing-snap05.staging.MYDOMAIN.TLD', 'ssl': {'cert': '/etc/ssl/certs/star.staging.MYDOMAIN.TLD.nginx.bundle.crt', 'key': '/etc/ssl/private/star.staging.MYDOMAIN.TLD.key', 'protocols': 'TLSv1.3', 'prefer_server_ciphers': True, 'ciphers': 'HIGH:!aNULL:!MD5', 'stapling': True, 'stapling_verify': True}, 'autoindex': False, 'locations': [{'location': '/', 'root': '/usr/share/nginx/html'}, {'location': '/backend', 'proxy_pass': 'http://127.0.0.1:8080/', 'proxy': {'set_header': [{'field': 'Host', 'value': '$host'}, {'field': 'X-Real-IP', 'value': '$remote_addr'}, {'field': 'X-Forwarded-For', 'value': '$proxy_add_x_forwarded_for'}, {'field': 'X-Forwarded-Proto', 'value': '$scheme'}]}}]}]}) => {"ansible_loop_var": "item", "changed": false, "item": {"conf_file_location": "/etc/nginx/conf.d/", "conf_file_name": "testing-snap05.staging.MYDOMAIN.TLD.conf", "servers": [{"autoindex": false, "listen": [{"opts": [], "port": 443, "ssl": true}], "locations": [{"location": "/", "root": "/usr/share/nginx/html"}, {"location": "/backend", "proxy": {"set_header": [{"field": "Host", "value": "$host"}, {"field": "X-Real-IP", "value": "$remote_addr"}, {"field": "X-Forwarded-For", "value": "$proxy_add_x_forwarded_for"}, {"field": "X-Forwarded-Proto", "value": "$scheme"}]}, "proxy_pass": "http://127.0.0.1:8080/"}], "server_name": "testing-snap05.staging.MYDOMAIN.TLD", "ssl": {"cert": "/etc/ssl/certs/star.staging.MYDOMAIN.TLD.nginx.bundle.crt", "ciphers": "HIGH:!aNULL:!MD5", "key": "/etc/ssl/private/star.staging.MYDOMAIN.TLD.key", "prefer_server_ciphers": true, "protocols": "TLSv1.3", "stapling": true, "stapling_verify": true}}], "template_file": "http/default.conf.j2"}, "msg": "TemplateAssertionError: no test named 
'boolean'"}
Right. Try updating to the latest version of Jinja2. The templates need Jinja2 2.11.x to work correctly. This is most likely related to the error found in https://github.com/nginxinc/ansible-role-nginx-config/issues/94.
Thanks. Is it available as a package for Ubuntu 20.04? If not, what is the recommended way to update?
Jinja2 is a Python package. You can try running pip install -U Jinja2. You can read more at https://jinja.palletsprojects.com/en/2.11.x/intro/#installation
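Because the failure is a missing Jinja2 test rather than anything in nginx, the quickest diagnosis is to ask the interpreter that Ansible actually uses whether its Jinja2 knows the boolean test (introduced in Jinja2 2.11). The following is an added example, not code from the role or from anyone in this thread; the function names are my own, and it assumes you run it with the Python listed by ansible --version under "ansible python module location", since upgrading Jinja2 in a different Python does not help.

```python
"""Probe whether the Jinja2 seen by the Ansible controller has the `boolean` test.

Added example, not from the role or from this thread. The `boolean` test named
in the error above was introduced in Jinja2 2.11, so an older Jinja2 aborts
template rendering with "no test named 'boolean'" before the role touches
nginx at all. Run it with the same interpreter Ansible uses.
"""
import re
from typing import Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.11.3' (or '2.10.1') into (2, 11, 3); any non-numeric suffix is ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", text)[:3])


def supports_boolean_test(version: str) -> bool:
    """True when a Jinja2 release of this version ships the `boolean` test (2.11.0 and later)."""
    return parse_version(version) >= (2, 11)


def installed_jinja2_version() -> Optional[str]:
    """Version of the Jinja2 importable by this interpreter, or None if it cannot be determined."""
    try:
        from importlib.metadata import version
        return version("jinja2")
    except Exception:  # Python < 3.8, or the package is not installed
        return None


def render_boolean_probe() -> Optional[str]:
    """Compile the smallest template that needs the `boolean` test.

    Returns 'True' when the test exists, a message starting with 'unsupported:'
    when Jinja2 is too old, and None when Jinja2 is not importable at all.
    Feature detection is used instead of the version string so a vendored or
    patched Jinja2 is judged by what it can actually do.
    """
    try:
        from jinja2 import Environment, TemplateAssertionError
    except ImportError:
        return None
    try:
        return Environment().from_string("{{ flag is boolean }}").render(flag=True)
    except TemplateAssertionError as exc:  # what Jinja2 < 2.11 raises at compile time
        return f"unsupported: {exc}"


if __name__ == "__main__":
    print("jinja2 version:", installed_jinja2_version())
    print("boolean test probe:", render_boolean_probe())
```

If the probe prints "unsupported" while pip claims 2.11.x is installed, the two are different interpreters; the pip rollback shown later in this thread is exactly that situation.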
Hello,
Same problem on python 2.7 and ansible 2.9.6:
"TemplateAssertionError: no test named 'boolean'"
On python 3.6 and 2.9.6 everything works fine.
Variables:
nginx_config_http_template_enable: true
nginx_config_http_template:
  - template_file: http/default.conf.j2
    conf_file_name: 50_example.com.conf
    conf_file_location: /etc/nginx/conf.d/
    servers:
      - listen:
          - ip: 0.0.0.0
            port: 80
          - ip: 0.0.0.0
            port: 443
            ssl: true
        ssl:
          cert: /etc/pki/tls/certs/example.com.crt
          key: /etc/pki/tls/private/example.com.key
        server_name: example.com
        error_page: /usr/share/nginx/html
        autoindex: false
        http_demo_conf: false
        access_log:
          - name: json
            location: /var/log/nginx/example.com-access.json.log
        error_log:
          level: warn
          location: /var/log/nginx/example.com-error.log
        locations:
          - location: /
            proxy_pass: http://127.0.0.1
            proxy:
              bind: false
              set_header:
                - field: Host
                  value: $host
                - field: X-Forwarded-For
                  value: $proxy_add_x_forwarded_for
                - field: X-Real-IP
                  value: $remote_addr
                - field: REMOTE_ADDR
                  value: $remote_addr
Result:
+#
+# Ansible managed
+#
+
+
+
+
+server {
+ listen 0.0.0.0:80;
+ listen 0.0.0.0:443 ssl;
+ server_name example.com;
+ ssl_certificate /etc/pki/tls/certs/example.com.crt;
+ ssl_certificate_key /etc/pki/tls/private/example.com.key;
+ location / {
+ proxy_bind off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header REMOTE_ADDR $remote_addr;
+
+ proxy_pass http://127.0.0.1;
+
+ }
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ access_log /var/log/nginx/example.com-access.json.log json;
+ error_log /var/log/nginx/example.com-error.log warn;
+}
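Review bot: the rendered server block proxies location / on both listen 0.0.0.0:80; and listen 0.0.0.0:443 ssl;, so plain-HTTP requests reach the backend exactly like TLS ones, and the proxy_set_header lines (Host, X-Forwarded-For, X-Real-IP, REMOTE_ADDR) give the backend no way to tell which it got, unlike the earlier example in this thread, which also sets X-Forwarded-Proto $scheme. If SSL termination is the goal, add a field: X-Forwarded-Proto / value: $scheme entry to proxy.set_header, and consider making the port 80 listener a redirect-only server so the proxied content is not also served in clear.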
Try updating Jinja2. You are not using the latest release (v2.11).
@alessfg thanks!
I did not notice that Jinja2 had actually failed to update locally, because there was no red output.
bash-3.2$ pip install -U Jinja2
Collecting Jinja2
Using cached https://files.pythonhosted.org/packages/7e/c2/1eece8c95ddbc9b1aeb64f5783a9e07a286de42191b7204d67b7496ddf35/Jinja2-2.11.3-py2.py3-none-any.whl
Requirement not upgraded as not directly required: MarkupSafe>=0.23 in /opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages (from Jinja2) (0.23)
Installing collected packages: Jinja2
Found existing installation: Jinja2 2.10.1
Uninstalling Jinja2-2.10.1:
Successfully uninstalled Jinja2-2.10.1
Rolling back uninstall of Jinja2
You are using pip version 10.0.0, however version 20.3.4 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
In a clean virtualenv with Python 2.7 and Jinja2 2.11.3 everything works fine.
(py27) bash-3.2$ pip freeze
ansible==2.9.6
cffi==1.14.5
cryptography==3.3.2
enum34==1.1.10
ipaddress==1.0.23
Jinja2==2.11.3
MarkupSafe==1.1.1
pycparser==2.20
PyYAML==5.4.1
six==1.15.0