
Commit 01e544b

authored
Refactor NGINX stream templates (#217)
1 parent f35c383 commit 01e544b


12 files changed

+728
-188
lines changed


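--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,25 @@
 
 BREAKING CHANGES:
 
-Remove parameters deprecated in release `0.4.0`. To recap, these are `nginx_config_main_upload_*`, `nginx_config_upload_html_*`, and `nginx_config_stream_upload_*`. Use `nginx_config_upload` instead.
+* Remove parameters deprecated in release `0.4.0`. To recap, these are `nginx_config_main_upload_*`, `nginx_config_upload_html_*`, and `nginx_config_stream_upload_*`. Use `nginx_config_upload` instead.
+* Refactor all the `stream` Jinja2 templates!:
+* Each NGINX module is now contained within its own templating file. Macros are then used, in turn, to import each respective module template into a top level template file.
+* This avoids confusing and unnecessary code duplication, as well as hard to maintain code.
+* You will notice that the overall structure of your NGINX config now follows a very simple dictionary structure where each top level key corresponds to an NGINX module. Top level lists are used when dealing with `servers`:
+
+```yaml
+core:
+root: /usr/share/nginx/html
+proxy:
+set_header: []
+servers:
+- core: {}
+proxy: {}
+```
+
+* Check [`defaults/main/template.yml`](https://github.com/nginxinc/ansible-role-nginx-config/blob/main/defaults/main/template.yml) and [`molecule/default/converge.yml`](https://github.com/nginxinc/ansible-role-nginx-config/blob/main/molecule/default/converge.yml) for examples!
+* These changes follow in the footsteps of the `http` Jinja2 refactor introduced in the `0.4.0` release. If you want more information on how to port your `stream` configurations, the release notes/changelog for `0.4.0` are a good place to start.
+* Replace `conf_file_name` and `conf_file_location` with `deployment_location` inside `nginx_config_stream_template`.
 
 FEATURES:
 
@@ -54,7 +72,7 @@ General updates:
 
 Template engine updates:
 
-* Refactor all the Jinja2 templates!:
+* Refactor all the `http` Jinja2 templates!:
 * Each NGINX module is now contained within its own templating file. Macros are then used, in turn, to import each respective module template into a top level template file.
 * This avoids confusing and unnecessary code duplication, as well as hard to maintain code.
 * You will notice that the overall structure of your NGINX config now follows a very simple dictionary structure where each top level key corresponds to an NGINX module. Top level lists are used when dealing with `servers` and `locations`: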
Lines changed: 1 addition & 1 deletion
@@ -1,4 +1,4 @@
11
---
22
roles:
33
- name: nginxinc.nginx
4-
version: 0.21.3
4+
version: 0.22.0
Lines changed: 4 additions & 2 deletions
@@ -1,6 +1,8 @@
11
---
22
roles:
33
- name: nginxinc.nginx
4-
version: 0.21.3
4+
version: 0.22.0
55
- name: nginxinc.nginx_app_protect
6-
version: 0.7.0
6+
# version: 0.7.0
7+
src: https://github.com/nginxinc/ansible-role-nginx-app-protect
8+
version: bf514e6
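Review bot: Pinning `nginxinc.nginx_app_protect` to the abbreviated commit `bf514e6` (new line 8) is not a stable supply-chain pin: a 7-character prefix can become ambiguous as the repository grows and gives no integrity guarantee beyond what git resolves at install time, so pin the full 40-character SHA or a signed tag, e.g. `version: <full commit sha, placeholder>`. Leaving `# version: 0.7.0` commented out (new line 6) does not tell the next maintainer why the Galaxy release is being bypassed; a comment such as `# pinned to git until a Galaxy release containing <needed change> is published` records when this can be reverted. This requirements file's path is not shown on the page.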

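--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -75,7 +75,7 @@
 - /etc/nginx/conf.d/backend/*.conf
 stream:
 include:
-- /etc/nginx/conf.d/stream/*.conf
+- /etc/nginx/conf.d/streams/*.conf
 
 nginx_config_status_enable: true
 nginx_config_status_backup: true
@@ -100,8 +100,12 @@
 servers:
 - address: 0.0.0.0:8081
 weight: 1
+max_conns: 100
 max_fails: 3
 fail_timeout: 5s
+backup: false
+down: false
+resolve: false
 - name: backend_servers
 zone:
 name: backend_mem_zone
@@ -677,34 +681,116 @@
 nginx_config_stream_template_enable: true
 nginx_config_stream_template:
 - template_file: stream/default.conf.j2
-conf_file_name: stream_default.conf
-conf_file_location: /etc/nginx/conf.d/stream
-backup: true
-network_streams:
-- listen:
-- ip: 0.0.0.0
-port: 9090
-opts:
-- udp
-proxy_pass: backend
-proxy_timeout: 3s
-proxy_connect_timeout: 1s
-proxy_protocol: false
-health_check_plus: false
-upstreams:
-- name: backend
-lb_method: least_conn
-zone_name: backend
-zone_size: 64k
-sticky_cookie: false
-servers:
-- address: 0.0.0.0
-port: 9091
-weight: 1
-health_check: max_fails=1 fail_timeout=10s
-- address: 0.0.0.0
-port: 9092
-down: true
-- address: 0.0.0.0
-port: 9083
-backup: true
+deployment_location: /etc/nginx/conf.d/streams/stream_default.conf
+config:
+upstreams:
+- name: stream_upstream
+zone:
+name: stream_zone
+size: 64k
+least_conn: true
+servers:
+- address: 0.0.0.0:9091
+weight: 1
+max_conns: 100
+max_fails: 3
+fail_timeout: 5s
+backup: false
+down: false
+resolve: false
+core:
+preread_buffer_size: 16k
+preread_timeout: 30s
+proxy_protocol_timeout: 30s
+resolver_timeout: 30s
+tcp_nodelay: true
+variables_hash_bucket_size: 64
+variables_hash_max_size: 1024
+ssl:
+alpn: http/1.1
+certificate: /etc/ssl/certs/molecule.crt
+certificate_key: /etc/ssl/private/molecule.key
+ciphers:
+- HIGH
+- "!aNull"
+- "!MD5"
+conf_command: Protocol TLSv1.2
+ecdh_curve: auto
+handshake_timeout: 60s
+prefer_server_ciphers: false
+protocols:
+- TLSv1
+- TLSv1.1
+- TLSv1.2
+session_cache:
+builtin:
+enable: true
+size: 20480
+session_tickets: true
+session_timeout: 5m
+verify_client: false
+verify_depth: 1
+proxy:
+bind: false
+buffer_size: 4k
+connect_timeout: 60s
+download_rate: 0
+half_close: false
+next_upstream: true
+next_upstream_timeout: 0
+next_upstream_tries: 0
+protocol: false
+requests: 0
+responses: 0
+# session_drop: false # Only NGINX Plus
+ssl: false
+ssl_certificate: /etc/ssl/certs/molecule.crt
+ssl_certificate_key: /etc/ssl/private/molecule.key
+ssl_ciphers: HIGH
+ssl_conf_command:
+- Protocol TLSv1.2
+ssl_name: $hostname
+ssl_protocols: TLSv1.2
+ssl_server_name: false
+ssl_session_reuse: true
+ssl_verify: false
+ssl_verify_depth: 1
+timeout: 10m
+upload_rate: 0
+log:
+access:
+- path: /var/log/nginx/access_stream.log
+format: main
+buffer: 1m
+gzip: 5
+flush: 10h
+if: $status
+format:
+- name: main
+format: |
+'$remote_addr - [$time_local] $status '
+error_log:
+file: /var/log/nginx/error_stream.log
+level: notice
+open_log_file_cache:
+max: 1000
+inactive: 20s
+min_uses: 2
+valid: 1m
+servers:
+- core:
+listen:
+- address: 0.0.0.0
+port: 9090
+ssl: false
+proxy_protocol: false
+fastopen: 12
+backlog: 511
+rcvbuf: 512
+sndbuf: 512
+bind: false
+ipv6only: false
+reuseport: false
+so_keepalive: false
+proxy:
+pass: stream_upstream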
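Review bot: The new `ssl.protocols` list (new lines 721–724) enables TLSv1 and TLSv1.1, which are deprecated and rejected by most compliance baselines, and the CHANGELOG in this same commit points users at this file as the example to copy; the fixture should show the safe value, i.e. `protocols:` with only `- TLSv1.2` and `- TLSv1.3`. The same list is added in molecule/plus/converge.yml. Also worth a comment: `ssl_verify: false` under `proxy:` (new line 756) while `ssl_certificate`/`ssl_certificate_key` are set means the upstream TLS connection is not authenticated, which is fine for a molecule run but misleading as a template, so a line like `# test fixture only: upstream certificate verification is disabled; enable ssl_verify with a trusted CA in real deployments` would keep it from being copied as-is. The `nginx_config_stream_template` list entry may continue past the hunk's last line.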

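--- a/molecule/plus/converge.yml
+++ b/molecule/plus/converge.yml
@@ -599,33 +599,145 @@
 nginx_config_stream_template_enable: true
 nginx_config_stream_template:
 - template_file: stream/default.conf.j2
-conf_file_name: stream_default.conf
-conf_file_location: /etc/nginx/conf.d/stream
-network_streams:
-- listen:
-- ip: 0.0.0.0
-port: 9090
-opts:
-- udp
-proxy_pass: backend
-proxy_timeout: 3s
-proxy_connect_timeout: 1s
-proxy_protocol: false
-health_check_plus: false
-upstreams:
-- name: backend
-lb_method: least_conn
-zone_name: backend
-zone_size: 64k
-sticky_cookie: false
-servers:
-- address: 0.0.0.0
-port: 9091
-weight: 1
-health_check: max_fails=1 fail_timeout=10s
-- address: 0.0.0.0
-port: 9092
-down: true
-- address: 0.0.0.0
-port: 9093
-backup: true
+deployment_location: /etc/nginx/conf.d/streams/stream_default.conf
+config:
+upstreams:
+- name: stream_upstream
+zone:
+name: stream_zone
+size: 64k
+least_conn: true
+servers:
+- address: 0.0.0.0:9091
+weight: 1
+max_conns: 100
+max_fails: 3
+fail_timeout: 5s
+backup: false
+down: false
+resolve: false
+core:
+preread_buffer_size: 16k
+preread_timeout: 30s
+proxy_protocol_timeout: 30s
+resolver_timeout: 30s
+tcp_nodelay: true
+variables_hash_bucket_size: 64
+variables_hash_max_size: 1024
+ssl:
+alpn: http/1.1
+certificate: /etc/ssl/certs/molecule.crt
+certificate_key: /etc/ssl/private/molecule.key
+ciphers:
+- HIGH
+- "!aNull"
+- "!MD5"
+conf_command: Protocol TLSv1.2
+ecdh_curve: auto
+handshake_timeout: 60s
+prefer_server_ciphers: false
+protocols:
+- TLSv1
+- TLSv1.1
+- TLSv1.2
+session_cache:
+builtin:
+enable: true
+size: 20480
+session_tickets: true
+session_timeout: 5m
+verify_client: false
+verify_depth: 1
+proxy:
+bind: false
+buffer_size: 4k
+connect_timeout: 60s
+download_rate: 0
+half_close: false
+next_upstream: true
+next_upstream_timeout: 0
+next_upstream_tries: 0
+protocol: false
+requests: 0
+responses: 0
+session_drop: false
+ssl: false
+ssl_certificate: /etc/ssl/certs/molecule.crt
+ssl_certificate_key: /etc/ssl/private/molecule.key
+ssl_ciphers: HIGH
+ssl_conf_command:
+- Protocol TLSv1.2
+ssl_name: $hostname
+ssl_protocols: TLSv1.2
+ssl_server_name: false
+ssl_session_reuse: true
+ssl_verify: false
+ssl_verify_depth: 1
+timeout: 10m
+upload_rate: 0
+health_check:
+match:
+- name: nginx_stream
+conditions:
+- status 200
+timeout: 60s
+keyval:
+keyvals:
+- key: $arg_text
+variable: $text
+zone: key_stream
+zones:
+- name: key_stream
+size: 10m
+state: /var/lib/nginx/state/key.keyval
+timeout: 2h
+type: string
+sync: false
+log:
+access:
+- path: /var/log/nginx/access_stream.log
+format: main
+buffer: 1m
+gzip: 5
+flush: 10h
+if: $status
+format:
+- name: main
+format: |
+'$remote_addr - [$time_local] $status '
+error_log:
+file: /var/log/nginx/error_stream.log
+level: notice
+open_log_file_cache:
+max: 1000
+inactive: 20s
+min_uses: 2
+valid: 1m
+servers:
+- core:
+listen:
+- address: 0.0.0.0
+port: 9090
+ssl: false
+proxy_protocol: false
+fastopen: 12
+backlog: 511
+rcvbuf: 512
+sndbuf: 512
+bind: false
+ipv6only: false
+reuseport: false
+so_keepalive: false
+proxy:
+pass: stream_upstream
+health_check:
+health_checks:
+- interval: 5
+jitter: 0
+fails: 1
+passes: 1
+uri: /
+mandatory: false
+persistent: false
+match: nginx_stream
+udp: true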
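Review bot: The removed listen carried `opts: - udp` (old lines 606–608), but the new `listen` entry (new lines 718–730) has no UDP flag while the server-level `health_check` still sets `udp: true` (new line 743); if the listener is now TCP, a UDP health check against `stream_upstream` no longer exercises the path the server actually serves, so either add the listen-level UDP key the new template schema uses (not visible on this page) or drop `udp: true`. Separately, the keyval example keys on `$arg_text` (new line 686), which looks like an http-context variable; the stream module has no request arguments, so confirm the rendered config passes `nginx -t` and consider a stream-scoped variable such as `$remote_addr` for the example. The `nginx_config_stream_template` list entry may continue past the hunk's last line.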
