{"id":13753613,"url":"https://github.com/nickjj/ansible-nginx","last_synced_at":"2025-06-30T20:39:43.779Z","repository":{"id":16860554,"uuid":"19620682","full_name":"nickjj/ansible-nginx","owner":"nickjj","description":"Install and configure nginx (SSL A+ by default) with Ansible.","archived":false,"fork":false,"pushed_at":"2022-09-13T13:10:50.000Z","size":158,"stargazers_count":72,"open_issues_count":9,"forks_count":37,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-06-22T01:47:49.250Z","etag":null,"topics":["ansible","nginx"],"latest_commit_sha":null,"homepage":"","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nickjj.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGES.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-05-09T18:09:20.000Z","updated_at":"2025-01-22T09:23:00.000Z","dependencies_parsed_at":"2023-01-11T19:27:33.593Z","dependency_job_id":null,"html_url":"https://github.com/nickjj/ansible-nginx","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/nickjj/ansible-nginx","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickjj%2Fansible-nginx","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickjj%2Fansible-nginx/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickjj%2Fansible-nginx/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickjj%2Fansible-nginx/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nickjj","download_url":"https://codeload.github.com/nickjj/ansible-nginx/tar.gz/refs/heads/master","sbo
m_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickjj%2Fansible-nginx/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262847758,"owners_count":23374077,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","nginx"],"created_at":"2024-08-03T09:01:25.670Z","updated_at":"2025-06-30T20:39:43.748Z","avatar_url":"https://github.com/nickjj.png","language":"Jinja","funding_links":[],"categories":["nginx"],"sub_categories":[],"readme":"## What is ansible-nginx? [![Build Status](https://secure.travis-ci.org/nickjj/ansible-nginx.png)](http://travis-ci.org/nickjj/ansible-nginx)\n\nIt is an [Ansible](http://www.ansible.com/home) role to install and configure\nnginx. It has first class support for Let's Encrypt but works out of the box\nwith self signed SSL certificates for non-production environments.\n\n##### Supported platforms:\n\n- Ubuntu 16.04 LTS (Xenial)\n- Debian 8 (Jessie)\n\n### What problem does it solve and why is it useful?\n\nI wasn't happy with any of the nginx roles that I came across. 
They were either\noverly complex or were missing features that I really wanted.\n\nHere's what you get with this role:\n\n- Configure 1 or more sites-enabled (virtual hosts)\n- Configure 0 or more upstreams per virtual host\n- Configure a working site in as little as 3 lines of YAML\n- Forced HTTPS with A+ certificate ratings (depending on your certificate authority and chain)\n- Self signed certs are generated to work out of the box for non-production environments\n- First class support for Let's Encrypt SSL certificates for production environments\n- Tune a bunch of `nginx.conf` settings for performance\n- Allow you to optionally declare custom nginx and vhost directives easily\n- Allow you to easily customize your upstream's proxy settings\n\n## Role variables\n\nBelow is a list of default values along with a description of what they do.\n\n```yaml\n---\n\n# Should nginx itself be installed? You may want to set this to False in\n# situations where you use Ansible to provision a server but run everything\n# inside of Docker containers. 
You could use this role to manage your configs\n# but not run nginx by setting this to False.\nnginx_install_service: True\n\n# Which user/group should nginx belong to?\nnginx_user: 'www-data'\n\n# Various nginx config values set up to be efficient and secure, feel free to\n# Google each one as needed for details.\nnginx_worker_processes: 'auto'\nnginx_worker_rlimit_nofile: 4096\nnginx_events_worker_connections: 1024\nnginx_http_server_tokens: 'off'\nnginx_http_add_headers:\n  - 'X-Frame-Options SAMEORIGIN'\n  - 'X-Content-Type-Options nosniff'\n  - 'X-XSS-Protection \"1; mode=block\"'\nnginx_http_server_names_hash_bucket_size: 64\nnginx_http_server_names_hash_max_size: 512\nnginx_http_sendfile: 'on'\nnginx_http_tcp_nopush: 'on'\nnginx_http_keepalive_timeout: 60\nnginx_http_client_max_body_size: '1m'\nnginx_http_types_hash_max_size: 2048\nnginx_http_gzip: 'on'\nnginx_http_gzip_types: 'text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/svg'\nnginx_http_gzip_disable: 'msie6'\n\n# Add your own custom nginx.conf directives in a list.\n# Example:\n#   nginx_http_directives:\n#     - 'auth_http_header X-Auth-Key \"secret_string\"'\nnginx_http_directives: []\n\n# Configure 0 or more basic auth logins, for example:\n#  nginx_basic_auth:\n#    - { user: 'nick', password: 'insecurepassword' }\nnginx_basic_auth: []\n\n# How many bits should we use to generate a dhparam?\n# Technically 2048 is 'good enough' but 4096 combined with a few other\n# things will get you to a perfect 100 A+ SSL rating, do not go below 2048.\n#\n# Time to generate on a 512MB DO droplet: 2048 = 40 seconds, 4096 = 40 minutes.\nnginx_ssl_dhparam_bits: 2048\n\n# If defined, overrides the default value for SSL certificate names. 
If you\n# leave this undefined, then it will become the file name of the first domain listed\n# in the domains list when defining a virtual host (look in the next section).\n#\n# Setting this comes in handy if you use Let's Encrypt and want to register a\n# single certificate that has multiple domains attached to it.\n# This variable should not be left blank as it may cause undesired results\n# nginx_ssl_override_filename: 'customname'\n\n# Should self signed certificates get generated? Some form of certificate needs\n# to be available for this role to work, so it's enabled by default. You would\n# set it to false once you have your real certificates in place.\nnginx_ssl_generate_self_signed_certs: True\n\n# Default values for your virtual hosts and upstreams.\nnginx_default_sites:\n  # Name of the virtual host and file name of the config, example: default.conf.\n  default:\n    # 1 or more domains to be set for server_name. If you wish to support both\n    # www and no www then supply them like so: domains: ['foo.com', 'www.foo.com'].\n    # In the above case, www.foo.com will redirect to foo.com.\n    # If you want www in your URL then swap the order in the domains list.\n    domains: []\n    # Will this virtual host be the default server? 
You should set this to\n    # True so that if someone accesses your server's IP address directly, it\n    # will automatically redirect to this vhost.\n    default_server: False\n    # Listen ports for both HTTP and HTTPS.\n    listen_http: 80\n    listen_https: 443\n    # Where are your public files located?\n    # If you're using an upstream, this will likely need to change to your web\n    # framework's public path, such as: /path/to/myapp/public.\n    root: '/usr/share/nginx/html'\n    # Do you have any custom directives for this vhost?\n    # Example:\n    #   directives:\n    #     - 'access_log logs/access.log combined'\n    directives: []\n    ssl:\n      # Default SSL settings. When this role was written they rated A+ on SSL Labs,\n      # provided you chain your certificate with its intermediate certificate.\n      # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and current SSL Labs grading\n      # penalizes servers that still offer them, so set protocols to 'TLSv1.2'\n      # (plus TLSv1.3 on nginx 1.13+ built against OpenSSL 1.1.1+) in production.\n      protocols: 'TLSv1 TLSv1.1 TLSv1.2'\n      # Note that !DES only excludes single DES: the three DES-CBC3 (3DES) suites and\n      # the non-forward-secret AES suites near the end stay enabled for old clients.\n      ciphers: 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'\n      prefer_server_ciphers: 'on'\n      session_cache: 'shared:SSL:50m'\n      session_timeout: '5m'\n      ssl_stapling: 'on'\n      ssl_stapling_verify: 'on'\n      # OCSP stapling lookups go through this resolver; point it at one you trust.\n      resolver: '8.8.8.8'\n      resolver_timeout: '5s'\n      # You may want to consider adding ;preload once you're 100% confident\n      # that your server is working over HTTPS and you won't use HTTP for 2 years.\n      # See: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet\n      sts_header: 'Strict-Transport-Security \"max-age=63072000; includeSubdomains;\"'\n    cache_all_locations:\n      # Shall we cache all requests for a bit of time? 
If so, how long?\n      enabled: True\n      duration: '30s'\n    error_pages:\n      # You will need to supply your own 404.html and 500.html files if you enable\n      # this. It's enabled by default because 99.9% of the time you do want these.\n      # You can disable this by setting error_pages: [].\n      - { code: 404, page: '404.html' }\n      - { code: 500, page: '500.html' }\n    serve_assets:\n      # Let's serve assets through nginx, adjust the pattern depending on what web\n      # framework you use. Caching is set to maximum time because most frameworks\n      # have a way for you to md5 tag assets to cache bust them in one way or another.\n      # If your framework does not have that capability, disable the cache setting,\n      # or set it to a lower amount of your choosing.\n      enabled: True\n      pattern: ' ~ ^/assets/'\n      expires: 'max'\n    # Perhaps you'd like to include your own location blocks, no problem. Just add\n    # in your location block(s) as you would inside of an nginx config. Example\n    # (nginx's return directive needs a status code, a bare return; fails nginx -t):\n    #   custom_locations: |\n    #     location ~ / {\n    #       return 404;\n    #     }\n    custom_locations: ''\n    # If you want to override the default / location's try_files, this is the\n    # place to do it. 
This could be useful for php-fpm based virtual hosts.\n    custom_root_location_try_files: ''\n    # Is basic auth enabled for this virtual host?\n    basic_auth: False\n    # A 1 line message to show during the authentication required dialog.\n    basic_auth_message: 'Please sign in.'\n    disallow_hidden_files:\n      # Block all hidden files and directories, disable at your own risk.\n      enabled: True\n    # Configure 0 or more upstreams in a list, the first item in the list will\n    # be the default try_files fall-back endpoint, for example:\n    #   upstreams:\n    #     - name: 'myapp'\n    #       servers: ['localhost:3000']\n    #     - name: 'websocketapp'\n    #       servers: ['localhost:3001']\n    #       add_proxy_settings:\n    #         - 'proxy_http_version 1.1'\n    #         - 'proxy_set_header Upgrade $http_upgrade'\n    # The template that generates this config expects you to define at least\n    # the name and servers. It will blow up if you don't.\n    upstreams: []\n\n# Customize the upstream's proxy settings if you want, these are the defaults\n# and they will be prepended to your list of optional upstream proxy settings.\n#\n# $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the client sent,\n# so have your app trust X-Real-IP (set from $remote_addr) rather than the first\n# X-Forwarded-For entry when it needs the client address.\nnginx_default_upstream_proxy_settings:\n  - 'proxy_set_header X-Real-IP $remote_addr'\n  - 'proxy_set_header X-Forwarded-Proto $scheme'\n  - 'proxy_set_header Host $http_host'\n  - 'proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for'\n  - 'proxy_redirect off'\n\n# If you're using Let's Encrypt, you can configure nginx to accept challenges to\n# validate your domain(s). An HTTP based challenge is already set up for you.\n#\n# If you're using this role along with my LE role you don't need to touch this.\n#\n# That role can be found here: https://github.com/nickjj/ansible-letsencrypt\nnginx_letsencrypt_root: '/usr/share/nginx/challenges'\n\n# This is the value you'll set in your inventory to override any of the defaults\n# from nginx_default_sites. 
A complete example is shown later on in this README.\nnginx_sites: {}\n```\n\n## Example playbook\n\nFor the sake of this example let's assume you have a group called **app** and\nyou have a typical `site.yml` file.\n\nTo use this role edit your `site.yml` file to look something like this:\n\n```yaml\n---\n\n- name: Configure app server(s)\n  hosts: app\n  become: True\n\n  roles:\n    - { role: nickjj.nginx, tags: nginx }\n```\n\nLet's say you want to accomplish the following goals:\n\n- Set up your main site to work on non-www and www\n- Have all www requests get redirected to non-www\n- Set up the main host as the default server\n- Set up an upstream to serve a back-end using your web framework of choice\n- Load balance between 2 upstream servers\n- Configure a blog sub-domain with assets being served by a CDN\n- Password protect the blog because who needs visitors!\n\nStart by opening or creating `group_vars/app.yml` which is located relative\nto your `inventory` directory and then making it look like this:\n\n```yaml\n---\n\nnginx_basic_auth:\n  - { user: 'coolperson', password: 'heylookatmeicanviewtheprivateblog' }\n\nnginx_sites:\n  default:\n    domains: ['example.com', 'www.example.com']\n    default_server: True\n    upstreams:\n      - name: 'myapp'\n        servers: ['localhost:3000', 'localhost:3001']\n  blog:\n    domains: ['blog.example.com']\n    serve_assets:\n      enabled: False\n    basic_auth: True\n```\n\nThe `nginx_basic_auth` password above sits in plain text in `group_vars/app.yml`.\nBefore committing it, encrypt that value with `ansible-vault encrypt_string` or\nkeep the whole file under `ansible-vault`; basic auth also only stays private\nbecause the role forces HTTPS, so leave that in place on password-protected hosts.\n\n## Installation\n\n`$ ansible-galaxy install nickjj.nginx`\n\n## Ansible Galaxy\n\nYou can find it on the official\n[Ansible Galaxy](https://galaxy.ansible.com/nickjj/nginx/) if you want to\nrate it.\n\n## License\n\nMIT\n\n## Special thanks\n\nThanks to [Maciej Delmanowski](https://twitter.com/drybjed) for helping me debug\na few tricky issues with this role. 
He is the creator of [DebOps](https://debops.org/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnickjj%2Fansible-nginx","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnickjj%2Fansible-nginx","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnickjj%2Fansible-nginx/lists"}
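The README's `nginx_default_sites.default.ssl` block above still offers TLSv1 and TLSv1.1, three 3DES suites and several non-forward-secret AES suites. The script below is an added example, not code from nickjj/ansible-nginx: it audits a vhost `ssl:` dict shaped like the role's and renders a hardened `nginx_sites` override for `group_vars`. The `ROLE_DEFAULT_SSL` values are copied from the README; `HARDENED_SSL`, the audit categories, and the assumption that the role deep-merges `nginx_sites` over `nginx_default_sites` (implied by the README's `blog` example, which overrides only `serve_assets.enabled`, but not confirmed by it) are this example's own.

```python
"""Audit nickjj.nginx's default per-vhost ssl: block and build a hardened override.

Added example, not part of the role. ROLE_DEFAULT_SSL is copied from the README's
nginx_default_sites.default.ssl; everything else here is this script's own.
"""

# Copied from the README (role defaults for nginx_default_sites.default.ssl).
ROLE_DEFAULT_SSL = {
    "protocols": "TLSv1 TLSv1.1 TLSv1.2",
    "ciphers": (
        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
        "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
        "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:"
        "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
        "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
        "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
        "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:"
        "AES256-SHA:AES128-SHA:DES-CBC3-SHA:"
        "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
    ),
    "prefer_server_ciphers": "on",
}

# Hardened replacement (this example's suggestion, not a role default):
# TLS 1.2 only and forward-secret AEAD suites only, roughly Mozilla's
# "intermediate" list.
HARDENED_SSL = {
    # Add TLSv1.3 once nginx >= 1.13.0 is built against OpenSSL 1.1.1+; older
    # nginx rejects the token with "invalid value" at nginx -t time.
    "protocols": "TLSv1.2",
    # OpenSSL skips suite names it does not know (e.g. CHACHA20 on 1.0.2) as
    # long as at least one name in the list resolves.
    "ciphers": (
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
        "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
    ),
    "prefer_server_ciphers": "on",
}

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL keyword groups: a bare group enables whatever the linked OpenSSL
# happens to classify under it, which changes between versions.
WILDCARD_GROUPS = {"HIGH", "MEDIUM", "LOW", "DEFAULT", "ALL", "COMPLEMENTOFDEFAULT"}
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def audit_ssl(ssl):
    """Return {category: [offending tokens]} for a vhost ssl: dict shaped like the README's."""
    findings = {
        "legacy_protocol": [],
        "wildcard_group": [],
        "three_des": [],
        "no_forward_secrecy": [],
        "sha1_cbc": [],
    }
    for proto in ssl["protocols"].split():
        if proto in LEGACY_PROTOCOLS:
            findings["legacy_protocol"].append(proto)

    for suite in ssl["ciphers"].split(":"):
        if not suite or suite.startswith("!"):
            continue  # exclusions such as !RC4 are fine (!DES drops single DES only)
        if suite in WILDCARD_GROUPS:
            findings["wildcard_group"].append(suite)
        elif "DES-CBC3" in suite or "3DES" in suite:
            findings["three_des"].append(suite)  # 64-bit block cipher (Sweet32)
        elif not suite.startswith(FORWARD_SECRET_PREFIXES):
            findings["no_forward_secrecy"].append(suite)  # static RSA key exchange
        elif suite.endswith("-SHA"):
            findings["sha1_cbc"].append(suite)  # CBC with HMAC-SHA1, TLS 1.0 era
    return findings


def is_clean(findings):
    """True when an audit produced no findings in any category."""
    return not any(findings.values())


def render_override(site_name, ssl):
    """Render a group_vars snippet overriding one vhost's ssl: block.

    Assumes the role merges nginx_sites over nginx_default_sites recursively
    (implied, not confirmed, by the README's blog example).
    """
    lines = ["nginx_sites:", f"  {site_name}:", "    ssl:"]
    for key, value in ssl.items():
        lines.append(f"      {key}: '{value}'")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, cfg in (("role default", ROLE_DEFAULT_SSL), ("hardened", HARDENED_SSL)):
        result = audit_ssl(cfg)
        print(f"== {name}: {'clean' if is_clean(result) else 'findings'}")
        for category, tokens in result.items():
            if tokens:
                print(f"  {category}: {', '.join(tokens)}")
    print(render_override("default", HARDENED_SSL))
```

Paste the printed `nginx_sites:` snippet into `group_vars/app.yml` (merging it with any `nginx_sites` keys you already set there), rerun the playbook, and confirm with `nginx -t` on the target: the packaged OpenSSL decides which cipher names actually resolve, and whether `TLSv1.3` is accepted at all.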