Improve support for listen and ssl directives in stream contexts (#287)

Author: alessfg

CHANGELOG.md

@@ -6,27 +6,49 @@ BREAKING CHANGES:
 
 *   The Debian and Ubuntu repositories have slightly changed. You may run into some duplication issues when running the role on a preexisting target that already has had NGINX installed using the role. To fix this, manually remove the old repository source.
 *   If you use `custom_options` you will now need to manually end each directive with a semicolon.
+*   The listen directive structure in the `stream` template has been updated to the listen directive structure found in the `http` template. You can now specify multiple `listen` directives in the same `server` block as well as include any extra `listen` options you might need.
+
+    Old configuration example
+    ```yaml
+    listen_address: localhost
+    listen_port: 80
+    udp_enable: false
+    ```
+
+    New configuration example
+    ```yaml
+    listen:
+      listen_localhost:
+        ip: 0.0.0.0  # Wrap in square brackets for IPv6 addresses
+        port: 80
+        ssl: false
+        opts: []  # Listen opts like udp which will be added (ssl is automatically added if you specify 'ssl:').
+    ```
+
+    The one major change is that instead of using `udp_enable: true` you will now need to use `opts: [udp]` if you wish to enable `udp`.
 
 FEATURES:
 
-*   Add support to configure logrotate
-*   Add support for Ubuntu Focal
-*   Add support to configure SELinux
-*   Two new variables have been introduced -- `nginx_install` and `nginx_configure` -- to let you choose whether you want to install NGINX, configure NGINX, or both
+*   Add support to configure logrotate.
+*   Add support for Ubuntu Focal.
+*   Add support to configure SELinux.
+*   Two new variables have been introduced -- `nginx_install` and `nginx_configure` -- to let you choose whether you want to install NGINX, configure NGINX, or both.
 
 ENHANCEMENTS:
 
-*   The role now uses `include_tasks` instead of `import_tasks` when possible to speed up the role's execution time
+*   Molecule tests using Testinfra have been migrated to use Ansible instead.
+*   The role now uses `include_tasks` instead of `import_tasks` when possible to speed up the role's execution time.
 *   Improve configuration templating capabilities:
-    *   Add support for unix upstreams
-    *   Add PID templating option
-    *   Add support for down parameter in upstreams
-    *   Add option for custom error pages
+    *   Add support for unix upstreams.
+    *   Add PID templating option.
+    *   Add support for down parameter in upstreams.
+    *   Add option for custom error pages.
+    *   Add SSL support to `stream` contexts.
 
 BUG FIXES:
 
-*   `nginx_debug_output` would sometimes fail if the NGINX had not been automatically started by the system upon installation
-*   If `http_demo_conf` was undefined the web server template interpolation would fail
+*   `nginx_debug_output` would sometimes fail if NGINX had not been automatically started by the system upon installation.
+*   If `http_demo_conf` was undefined the web server template interpolation would fail.
 
 ## 0.14.0 (April 22, 2020)
 
@@ -38,15 +60,15 @@ BREAKING CHANGES:
 
 FEATURES:
 
-*   Install/build NGINX from source options now available
-*   Implement NGINX http sub module templating
-*   NGINX config is now correctly validated each run
-*   SSL Private Key data is hidden when running the role with the --diff flag
+*   Install/build NGINX from source options now available.
+*   Implement NGINX http sub module templating.
+*   NGINX config is now correctly validated each run.
+*   SSL Private Key data is hidden when running the role with the `--diff` flag.
 
 BUG FIXES:
 
-*   The role should no longer sporadically cause apt update to fail in amd64 systems when installing NGINX from an official repository
-*   Modules should now correctly install when using a specific NGINX Plus version
+*   The role should no longer sporadically cause apt update to fail in amd64 systems when installing NGINX from an official repository.
+*   Modules should now correctly install when using a specific NGINX Plus version.
 
 ## 0.13.0 (December 13, 2019)
 
@@ -58,163 +80,163 @@ BREAKING CHANGES:
 FEATURES:
 
 *   Improve NGINX http templating:
-    *   Multiple server support in HTTP contexts
-    *   Header support
-    *   OCSP stapling
-    *   Improved proxy settings
-    *   Logging settings
-    *   Improved SSL settings
-    *   Improved authentication settings
-    *   Max body size support
-    *   Improved listen templating
-*   Switch to Molecule for testing
-*   Add support for Debian Buster
-*   Support for specifying which version of NGINX to install
-*   Split default variables into multiple functional files
-*   Improve support for Alpine distributions
-*   Support for updating or removing NGINX from your system
-*   Implemented tags to support running specific tasks instead of the whole role
+    *   Multiple server support in HTTP contexts.
+    *   Header support.
+    *   OCSP stapling.
+    *   Improved proxy settings.
+    *   Logging settings.
+    *   Improved SSL settings.
+    *   Improved authentication settings.
+    *   Max body size support.
+    *   Improved listen templating.
+*   Switch to Molecule for testing.
+*   Add support for Debian Buster.
+*   Support for specifying which version of NGINX to install.
+*   Split default variables into multiple functional files.
+*   Improve support for Alpine distributions.
+*   Support for updating or removing NGINX from your system.
+*   Implemented tags to support running specific tasks instead of the whole role.
 
 BUG FIXES:
 
-*   Module installation when using NGINX Plus has been fixed
-*   Websockets templating has been reenabled after being accidentally deleted
+*   Module installation when using NGINX Plus has been fixed.
+*   Websockets templating has been reenabled after being accidentally deleted.
 *   When deleting your NGINX Plus license from the system, the NGINX Plus repository will also be deleted to prevent issues further down the line if you run a repository update since there will not be a license anymore to authenticate into the NGINX Plus repository.
 
 ## 0.12.0 (May 22, 2019)
 
 FEATURES:
 
 *   Improve NGINX http templating - following parameters are now supported:
-    *   Websockets
-    *   Basic authentication
-    *   Proxy cache
-    *   Proxy redirect
-    *   Proxy timeouts
-    *   SSL
-    *   Root (in server context)
-    *   Add basic NGINX stream templating
-    *   Add support for RHEL 8 and Alpine Linux
+    *   Websockets.
+    *   Basic authentication.
+    *   Proxy cache.
+    *   Proxy redirect.
+    *   Proxy timeouts.
+    *   SSL.
+    *   Root (in server context).
+    *   Add basic NGINX stream templating.
+    *   Add support for RHEL 8 and Alpine Linux.
 
 BUG FIXES:
 
-*   Fix module installation tasks
+*   Fix module installation tasks.
 
 ## 0.11.0 (Januray 14, 2019)
 
 FEATURES:
 
-*   Allow setting a custom apt and rpm signing key host
-*   Add support for enabling an http to https redirects
-*   Add ansible_managed to templates
-*   Rename html_app_name to web_server_name
-*   Rename load_balancer block to reverse_proxy
-*   Allow setting the listen port when using SSL
-*   Improve SSL defaults
-*   Allow setting http or https server locations in proxy_pass
+*   Allow setting a custom apt and rpm signing key host.
+*   Add support for enabling an http to https redirects.
+*   Add ansible_managed to templates.
+*   Rename html_app_name to web_server_name.
+*   Rename load_balancer block to reverse_proxy.
+*   Allow setting the listen port when using SSL.
+*   Improve SSL defaults.
+*   Allow setting http or https server locations in proxy_pass.
 
 BUG FIXES:
 
-*   Ignore undefined values for autoindex and health check
-*   Clarify that the redirect variable refers to a http to https redirect
+*   Ignore undefined values for autoindex and health check.
+*   Clarify that the redirect variable refers to a http to https redirect.
 
 ## 0.10.1 (November 26, 2018)
 
 BUG FIXES:
 
-*   Fix HTML template to use correct variable name
+*   Fix HTML template to use correct variable name.
 
 ## 0.10.0 (November 26, 2018)
 
 FEATURES:
 
-*   Improve templating support for health checks, multiple location blocks, and auto indexing
+*   Improve templating support for health checks, multiple location blocks, and auto indexing.
 
 BUG FIXES:
 
-*   Fetching the NGINX signing key is now more reliable
-*   Fixed HTML templating
+*   Fetching the NGINX signing key is now more reliable.
+*   Fixed HTML templating.
 
 ## 0.9.0 (October 18, 2018)
 
 FEATURES:
 
-*   Refactor NGINX templating and file uploading
-*   Add ability to upload and template HTML files
-*   Add ability to upload SSL keys and certificates
+*   Refactor NGINX templating and file uploading.
+*   Add ability to upload and template HTML files.
+*   Add ability to upload SSL keys and certificates.
 
 ## 0.8.0 (September 17, 2018)
 
 FEATURES:
 
-*   Add ability to install NGINX Plus Controller agent
-*   Refactor installation of NGINX Amplify agent
-*   Rename variables to be prefixed with `nginx_`
+*   Add ability to install NGINX Plus Controller agent.
+*   Refactor installation of NGINX Amplify agent.
+*   Rename variables to be prefixed with `nginx_`.
 
 BUG FIXES:
 
-*   Correct spelling of name in `tasks/prerequisites/setup-debian.yml`
+*   Correct spelling of name in `tasks/prerequisites/setup-debian.yml`.
 
 ## 0.7.1 (August 21, 2018)
 
 FEATURES:
 
-*   Add enabled parameter to NGINX and NGINX Unit handlers
+*   Add enabled parameter to NGINX and NGINX Unit handlers.
 
 ## 0.7.0 (August 4, 2018)
 
 FEATURES:
 
-*   Add Amazon Linux 2 support for NGINX Plus
-*   Add ability to delete NGINX Plus license after installation
+*   Add Amazon Linux 2 support for NGINX Plus.
+*   Add ability to delete NGINX Plus license after installation.
 
 BUG FIXES:
 
-*   GeoIP module can now be properly installed
-*   Module installation will no longer fail if only one module is specified
+*   GeoIP module can now be properly installed.
+*   Module installation will no longer fail if only one module is specified.
 
 ## 0.6.0 (July 19, 2018)
 
 FEATURES:
 
-*   Improve NGINX Unit related documentation
-*   Add FreeBSD and Amazon Linux 2 support for NGINX Unit
-*   Allow users to install NGINX Unit without having to also install NGINX
+*   Improve NGINX Unit related documentation.
+*   Add FreeBSD and Amazon Linux 2 support for NGINX Unit.
+*   Allow users to install NGINX Unit without having to also install NGINX.
 
 ## 0.5.0 (June 28, 2018)
 
 FEATURES:
 
-*   Add support for NGINX Unit
+*   Add support for NGINX Unit.
 
 ## 0.4.0 (May 25, 2018)
 
 FEATURES:
 
-*   Implement support for FreeBSD
-*   Allow users to select the default NGINX repository
+*   Implement support for FreeBSD.
+*   Allow users to select the default NGINX repository.
 
 ## 0.3.0 (April 19, 2018)
 
 FEATURES:
 
-*   Improve Travis CI testing strategy
+*   Improve Travis CI testing strategy.
 
 BUG FIXES:
 
-*   Fix templating and push tasks
+*   Fix templating and push tasks.
 
 ## 0.2.0 (April 12, 2018)
 
 FEATURES:
 
-*   Add support for all first party NGINX modules
+*   Add support for all first party NGINX modules.
 
 BUG FIXES:
 
-*   Role should now work correctly in distros with old versions of Python
-*   Rest API configuration will now only be created when rest_api_enable is set to true (an empty file would be created in previous versions if rest_api_enable was set to false)
-*   Uploading/dynamically generating files should now result in the files being uploaded/created to/in the correct directory
+*   Role should now work correctly in distros with old versions of Python.
+*   Rest API configuration will now only be created when rest_api_enable is set to true (an empty file would be created in previous versions if rest_api_enable was set to false).
+*   Uploading/dynamically generating files should now result in the files being uploaded/created to/in the correct directory.
 
 ## 0.1.0 - Initial release (Januray 26, 2018)
 

defaults/main/template.yml

@@ -75,6 +75,21 @@ nginx_http_template:
             port: 8081
             ssl: true
             opts: []  # Listen opts like http2 which will be added (ssl is automatically added if you specify 'ssl:').
+        ssl:
+          cert: /etc/ssl/certs/default.crt
+          key: /etc/ssl/private/default.key
+          dhparam: /etc/ssl/private/dh_param.pem
+          protocols: TLSv1 TLSv1.1 TLSv1.2
+          ciphers: HIGH:!aNULL:!MD5
+          prefer_server_ciphers: true
+          session_cache: none
+          session_timeout: 5m
+          disable_session_tickets: false
+          trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt
+          stapling: true
+          stapling_verify: true
+          buffer_size: 16k
+          ecdh_curve: auto
         server_name: localhost
         include_files: []
         http_error_pages: {}
@@ -106,21 +121,7 @@ nginx_http_template:
           #   name: Header-X
           #   value: Value-X
           #   always: false
-        ssl:
-          cert: /etc/ssl/certs/default.crt
-          key: /etc/ssl/private/default.key
-          dhparam: /etc/ssl/private/dh_param.pem
-          protocols: TLSv1 TLSv1.1 TLSv1.2
-          ciphers: HIGH:!aNULL:!MD5
-          prefer_server_ciphers: true
-          session_cache: none
-          session_timeout: 5m
-          disable_session_tickets: false
-          trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt
-          stapling: true
-          stapling_verify: true
-          buffer_size: 16k
-          ecdh_curve: auto
+
         sub_filter:
           # sub_filters: []
           last_modified: "off"
@@ -342,9 +343,24 @@ nginx_stream_template:
     conf_file_location: /etc/nginx/conf.d/stream/
     network_streams:
       default:
-        listen_address: localhost
-        listen_port: 80
-        udp_enable: false
+        listen:
+          listen_localhost:
+            ip: 0.0.0.0  # Wrap in square brackets for IPv6 addresses
+            port: 80
+            ssl: false
+            opts: []  # Listen opts like udp which will be added (ssl is automatically added if you specify 'ssl:').
+        ssl:
+          cert: /etc/ssl/certs/default.crt
+          key: /etc/ssl/private/default.key
+          dhparam: /etc/ssl/private/dh_param.pem
+          protocols: TLSv1 TLSv1.1 TLSv1.2
+          ciphers: HIGH:!aNULL:!MD5
+          prefer_server_ciphers: true
+          session_cache: none
+          session_timeout: 5m
+          disable_session_tickets: false
+          trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt
+          ecdh_curve: auto
         include_files: []
         proxy_pass: backend
         proxy_timeout: 3s