diff --git a/manifests/config.pp b/manifests/config.pp index 230a663..89fba7a 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -30,6 +30,8 @@ class nginx::config( $client_max_body_size = $nginx::params::nx_client_max_body_size, $proxy_buffers = $nginx::params::nx_proxy_buffers, $http_cfg_append = $nginx::params::nx_http_cfg_append, + $nginx_error_log = $nginx::params::nx_nginx_error_log, + $http_access_log = $nginx::params::nx_http_access_log, $proxy_buffer_size = $nginx::params::nx_proxy_buffer_size, ) inherits nginx::params { File { diff --git a/manifests/init.pp b/manifests/init.pp index 63d93f8..1bc474d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -48,6 +48,8 @@ class nginx ( $proxy_buffers = $nginx::params::nx_proxy_buffers, $proxy_buffer_size = $nginx::params::nx_proxy_buffer_size, $http_cfg_append = $nginx::params::nx_http_cfg_append, + $nginx_error_log = $nginx::params::nx_nginx_error_log, + $http_access_log = $nginx::params::nx_http_access_log, $nginx_vhosts = {}, $nginx_upstreams = {}, $nginx_locations = {}, @@ -75,6 +77,8 @@ class nginx ( proxy_buffers => $proxy_buffers, proxy_buffer_size => $proxy_buffer_size, http_cfg_append => $http_cfg_append, + nginx_error_log => $nginx_error_log, + http_access_log => $http_access_log, require => Class['nginx::package'], notify => Class['nginx::service'], } diff --git a/manifests/params.pp b/manifests/params.pp index a38abdb..2fbe394 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -85,6 +85,8 @@ class nginx::params { $nx_http_cfg_append = false - $package_ensure = 'present' + $nx_nginx_error_log = "${nx_logdir}/error.log" + $nx_http_access_log = "${nx_logdir}/access.log" + $package_ensure = 'present' } diff --git a/manifests/resource/location.pp b/manifests/resource/location.pp index 3aee89e..90b05ed 100644 --- a/manifests/resource/location.pp +++ b/manifests/resource/location.pp 
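Review bot: The new `$nginx_error_log` and `$http_access_log` parameters in nginx::config (and the matching pair on the `nginx` class in init.pp) are accepted without validation, and the nginx.conf.erb hunk later in this commit writes them verbatim into `error_log <%= @nginx_error_log %>;` and `access_log <%= @http_access_log %>;`. A value containing `;` or a newline would therefore add extra directives to the main config, which matters if these values come from Hiera or other data that is not reviewed like code. The module already uses stdlib validators (`validate_array` in vhost.pp), so a check such as `validate_re($nginx_error_log, '\A[^;\n]+\z')` in the class body would keep each value to a single directive argument. The same applies to `$access_log` and `$error_log` in nginx::resource::vhost when they are set. The body of nginx::config lies outside this hunk.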
@@ -3,27 +3,44 @@ # This definition creates a new location entry within a virtual host # # Parameters: -# [*ensure*] - Enables or disables the specified location (present|absent) -# [*vhost*] - Defines the default vHost for this location entry to include with -# [*location*] - Specifies the URI associated with this location entry -# [*location_allow*] - Array: Locations to allow connections from. -# [*location_deny*] - Array: Locations to deny connections from. -# [*www_root*] - Specifies the location on disk for files to be read from. Cannot be set in conjunction with $proxy -# [*index_files*] - Default index files for NGINX to read when traversing a directory -# [*proxy*] - Proxy server(s) for a location to connect to. Accepts a single value, can be used in conjunction -# with nginx::resource::upstream -# [*proxy_read_timeout*] - Override the default the proxy read timeout value of 90 seconds +# [*ensure*] - Enables or disables the specified location +# (present|absent) +# [*vhost*] - Defines the default vHost for this location +# entry to include with +# [*location*] - Specifies the URI associated with this location +# entry +# [*location_allow*] - Array: Locations to allow connections from. +# [*location_deny*] - Array: Locations to deny connections from. +# [*www_root*] - Specifies the location on disk for files to be +# read from. Cannot be set in conjunction with $proxy +# [*index_files*] - Default index files for NGINX to read when +# traversing a directory +# [*proxy*] - Proxy server(s) for a location to connect to. 
+# Accepts a single value, can be used in conjunction with +# nginx::resource::upstream +# [*proxy_read_timeout*] - Override the default the proxy read timeout +# value of 90 seconds # [*fastcgi*] - location of fastcgi (host:port) # [*fastcgi_params*] - optional alternative fastcgi_params file to use # [*fastcgi_script*] - optional SCRIPT_FILE parameter -# [*fastcgi_split_path*] - Allows settings of fastcgi_split_path_info so that you can split the script_name and path_info via regex -# [*ssl*] - Indicates whether to setup SSL bindings for this location. -# [*ssl_only*] - Required if the SSL and normal vHost have the same port. -# [*location_alias*] - Path to be used as basis for serving requests for this location -# [*stub_status*] - If true it will point configure module stub_status to provide nginx stats on location -# [*location_custom_cfg*] - Expects a hash with custom directives, cannot be used with other location types (proxy, fastcgi, root, or stub_status) -# [*location_cfg_prepend*] - Expects a hash with extra directives to put before anything else inside location (used with all other types except custom_cfg) -# [*location_cfg_append*] - Expects a hash with extra directives to put after everything else inside location (used with all other types except custom_cfg) +# [*fastcgi_split_path*] - Allows settings of fastcgi_split_path_info so +# that you can split the script_name and path_info via regex +# [*ssl*] - Indicates whether to setup SSL bindings for +# this location. +# [*ssl_only*] - Required if the SSL and normal vHost have the +# same port. 
+# [*location_alias*] - Path to be used as basis for serving requests +# for this location +# [*stub_status*] - If true it will point configure module +# stub_status to provide nginx stats on location +# [*location_custom_cfg*] - Expects a hash with custom directives, cannot +# be used with other location types (proxy, fastcgi, root, or stub_status) +# [*location_cfg_prepend*] - Expects a hash with extra directives to put +# before anything else inside location (used with all other types except +# custom_cfg) +# [*location_cfg_append*] - Expects a hash with extra directives to put +# after everything else inside location (used with all other types except +# custom_cfg) # [*try_files*] - An array of file locations to try # [*option*] - Reserved for future use # [*proxy_cache*] - This directive sets name of zone for caching. @@ -137,7 +154,7 @@ define nginx::resource::location ( $content_real = template('nginx/vhost/vhost_location_empty.erb') } - if $fastcgi != undef and !defined(File['/etc/nginx/fastcgi_params']) { + if $fastcgi != undef and !defined(File['/etc/nginx/fastcgi_params']) { file { '/etc/nginx/fastcgi_params': ensure => present, mode => '0770', diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp index 3054170..eec78ba 100644 --- a/manifests/resource/vhost.pp +++ b/manifests/resource/vhost.pp 
@@ -3,36 +3,56 @@ # This definition creates a virtual host # # Parameters: -# [*ensure*] - Enables or disables the specified vhost (present|absent) -# [*listen_ip*] - Default IP Address for NGINX to listen with this vHost on. Defaults to all interfaces (*) -# [*listen_port*] - Default IP Port for NGINX to listen with this vHost on. Defaults to TCP 80 -# [*listen_options*] - Extra options for listen directive like 'default' to catchall. Undef by default. +# [*ensure*] - Enables or disables the specified vhost +# (present|absent) +# [*listen_ip*] - Default IP Address for NGINX to listen with this +# vHost on. Defaults to all interfaces (*) +# [*listen_port*] - Default IP Port for NGINX to listen with this +# vHost on. Defaults to TCP 80 +# [*listen_options*] - Extra options for listen directive like +# 'default' to catchall. Undef by default. # [*location_allow*] - Array: Locations to allow connections from. # [*location_deny*] - Array: Locations to deny connections from. -# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6 -# support exists on your system before enabling. -# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with this vHost on. Defaults to all interfaces (::) -# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this vHost on. Defaults to TCP 80 -# [*ipv6_listen_options*] - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on. -# While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'. -# [*index_files*] - Default index files for NGINX to read when traversing a directory -# [*proxy*] - Proxy server(s) for the root location to connect to. Accepts a single value, can be used in -# conjunction with nginx::resource::upstream -# [*proxy_read_timeout*] - Override the default the proxy read timeout value of 90 seconds +# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support +# (false|true). 
Module will check to see if IPv6 support exists on your +# system before enabling. +# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with +# this vHost on. Defaults to all interfaces (::) +# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this +# vHost on. Defaults to TCP 80 +# [*ipv6_listen_options*] - Extra options for listen directive like 'default' +# to catchall. Template will allways add ipv6only=on. While issue +# jfryman/puppet-nginx#30 is discussed, default value is 'default'. +# [*index_files*] - Default index files for NGINX to read when +# traversing a directory +# [*proxy*] - Proxy server(s) for the root location to connect +# to. Accepts a single value, can be used in conjunction with +# nginx::resource::upstream +# [*proxy_read_timeout*] - Override the default the proxy read timeout value +# of 90 seconds # [*fastcgi*] - location of fastcgi (host:port) # [*fastcgi_params*] - optional alternative fastcgi_params file to use # [*fastcgi_script*] - optional SCRIPT_FILE parameter -# [*ssl*] - Indicates whether to setup SSL bindings for this vhost. -# [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module. -# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module. -# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL vHost on. Defaults to TCP 443 -# [*ssl_protocols*] - SSL protocols enabled. Defaults to 'SSLv3 TLSv1 TLSv1.1 TLSv1.2'. -# [*ssl_ciphers*] - SSL ciphers enabled. Defaults to 'HIGH:!aNULL:!MD5'. +# [*ssl*] - Indicates whether to setup SSL bindings for this +# vhost. +# [*ssl_cert*] - Pre-generated SSL Certificate file to reference +# for SSL Support. This is not generated by this module. +# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL +# Support. This is not generated by this module. +# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL +# vHost on. 
Defaults to TCP 443 +# [*ssl_protocols*] - SSL protocols enabled. Defaults to 'SSLv3 TLSv1 +# TLSv1.1 TLSv1.2'. +# [*ssl_ciphers*] - SSL ciphers enabled. Defaults to +# 'HIGH:!aNULL:!MD5'. # [*spdy*] - Toggles SPDY protocol. -# [*server_name*] - List of vhostnames for which this vhost will respond. Default [$name]. -# [*www_root*] - Specifies the location on disk for files to be read from. Cannot be set in conjunction with $proxy +# [*server_name*] - List of vhostnames for which this vhost will +# respond. Default [$name]. +# [*www_root*] - Specifies the location on disk for files to be +# read from. Cannot be set in conjunction with $proxy # [*rewrite_www_to_non_www*] - Adds a server directive and rewrite rule to -# rewrite www.domain.com to domain.com in order to avoid duplicate content (SEO); +# rewrite www.domain.com to domain.com in order to avoid duplicate +# content (SEO); # [*try_files*] - Specifies the locations for files to be # checked as an array. Cannot be used in conjuction with $proxy. # [*proxy_cache*] - This directive sets name of zone for caching. @@ -45,9 +65,15 @@ # the authentication realm. # [*vhost_cfg_append*] - It expects a hash with custom directives to # put after everything else inside vhost +# [*vhost_cfg_prepend*] - It expects a hash with custom directives to +# put before everything else inside vhost # [*rewrite_to_https*] - Adds a server directive and rewrite rule to # rewrite to ssl # [*include_files*] - Adds include files to vhost +# [*access_log*] - Where to write access log. May add additional +# options like log format to the end. +# [*error_log*] - Where to write error log. May add additional +# options like error level to the end. # # Actions: # 
@@ -101,8 +127,11 @@ define nginx::resource::vhost ( $try_files = undef, $auth_basic = undef, $auth_basic_user_file = undef, + $vhost_cfg_prepend = undef, $vhost_cfg_append = undef, - $include_files = undef + $include_files = undef, + $access_log = undef, + $error_log = undef, ) { validate_array($location_allow) @@ -132,6 +161,19 @@ define nginx::resource::vhost ( } } + # This was a lot to add up in parameter list so add it down here + # Also opted to add more logic here and keep template cleaner which + # unfortunately means resorting to the $varname_real thing + $domain_log_name = regsubst($name, ' ', '_', 'G') + $access_log_real = $access_log ? { + undef => "${nginx::params::nx_logdir}/${domain_log_name}.access.log", + default => $access_log, + } + $error_log_real = $error_log ? { + undef => "${nginx::params::nx_logdir}/${domain_log_name}.error.log", + default => $error_log, + } + # Use the File Fragment Pattern to construct the configuration files. # Create the base configuration file reference. if ($listen_port != $ssl_port) { @@ -183,7 +225,7 @@ define nginx::resource::vhost ( location_cfg_append => $location_cfg_append } } - if $fastcgi != undef and !defined(File['/etc/nginx/fastcgi_params']) { + if $fastcgi != undef and !defined(File['/etc/nginx/fastcgi_params']) { file { '/etc/nginx/fastcgi_params': ensure => present, mode => '0770', @@ -198,6 +240,15 @@ define nginx::resource::vhost ( # Create SSL File Stubs if SSL is enabled if ($ssl == true) { + # Access and error logs are named differently in ssl template + $ssl_access_log = $access_log ? { + undef => "${nginx::params::nx_logdir}/ssl-${domain_log_name}.access.log", + default => $access_log, + } + $ssl_error_log = $error_log ? { + undef => "${nginx::params::nx_logdir}/ssl-${domain_log_name}.error.log", + default => $error_log, + } file { "${nginx::config::nx_temp_dir}/nginx.d/${name}-700-ssl": ensure => $ensure ? { 'absent' => absent, 
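Review bot: In the `if ($ssl == true)` hunk, an explicit `$access_log` or `$error_log` is reused unchanged for the SSL server block, so the `ssl-` prefix that separates TLS traffic from plain-HTTP traffic only survives while the parameters are left undef. Anyone who relies on the separate files for monitoring or incident review loses that split once a custom path is set, unless their log format records the scheme. Consider stating this in the parameter docs, e.g. `# [*access_log*] - ... Used for both the HTTP and the SSL server block when set.`, or adding separate SSL parameters. The selector logic duplicates the non-SSL one from the `@@ -132,6 +161,19 @@` hunk, and the enclosing define continues outside this hunk.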
diff --git a/templates/conf.d/nginx.conf.erb b/templates/conf.d/nginx.conf.erb index 06f6840..5c38de8 100644 --- a/templates/conf.d/nginx.conf.erb +++ b/templates/conf.d/nginx.conf.erb @@ -1,7 +1,7 @@ user <%= scope.lookupvar('nginx::config::nx_daemon_user') %>; worker_processes <%= @worker_processes %>; -error_log <%= scope.lookupvar('nginx::params::nx_logdir')%>/error.log; +error_log <%= @nginx_error_log %>; pid <%= scope.lookupvar('nginx::params::nx_pid')%>; events { @@ -14,7 +14,7 @@ http { include /etc/nginx/mime.types; default_type application/octet-stream; - access_log <%= scope.lookupvar('nginx::params::nx_logdir')%>/access.log; + access_log <%= @http_access_log %>; sendfile <%= scope.lookupvar('nginx::params::nx_sendfile')%>; diff --git a/templates/vhost/vhost_header.erb b/templates/vhost/vhost_header.erb index 38c9f9c..15b2a74 100644 --- a/templates/vhost/vhost_header.erb +++ b/templates/vhost/vhost_header.erb @@ -11,6 +11,12 @@ server { <% if defined? @auth_basic_user_file -%> auth_basic_user_file <%= @auth_basic_user_file %>; <% end -%> +<%# make sure that allow comes before deny by forcing the allow key (if it -%> +<%# exists) to be first in the output order. The hash keys also need to be -%> +<%# sorted so that the ordering is stable. -%> +<% if @vhost_cfg_prepend -%><% vhost_cfg_prepend.sort_by{ |k, v| k.to_s == 'allow' ? '' : k.to_s }.each do |key,value| -%> + <%= key %> <%= value %>; +<% end -%><% end -%> <% @proxy_set_header.each do |header| -%> proxy_set_header <%= header %>; <% end -%> @@ -20,6 +26,6 @@ server { } <% end -%> - access_log <%= scope.lookupvar('nginx::params::nx_logdir')%>/<%= @name.gsub(' ', '_') %>.access.log; - error_log <%= scope.lookupvar('nginx::params::nx_logdir')%>/<%= @name.gsub(' ', '_') %>.error.log; + access_log <%= @access_log_real %>; + error_log <%= @error_log_real %>; diff --git a/templates/vhost/vhost_ssl_header.erb b/templates/vhost/vhost_ssl_header.erb index 862a8ea..3e66be7 100644 
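Review bot: In the vhost_header.erb hunk the guard tests `@vhost_cfg_prepend` but the loop calls `.sort_by` on the bare name `vhost_cfg_prepend`. The rest of the template uses instance variables, and bare-name lookup in ERB has been deprecated since Puppet 3, so the line should start `<% if @vhost_cfg_prepend -%><% @vhost_cfg_prepend.sort_by{ ... }`. The loop also assumes a hash, while vhost.pp declares the parameter with no type check; a `validate_hash($vhost_cfg_prepend)` guarded by `if $vhost_cfg_prepend != undef` would fail early with a clear message rather than an ERB error. Keys and values are written into the server block as-is, which is worth stating in the parameter documentation.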
--- a/templates/vhost/vhost_ssl_header.erb +++ b/templates/vhost/vhost_ssl_header.erb @@ -21,5 +21,5 @@ server { auth_basic_user_file "<%= @auth_basic_user_file %>"; <% end -%> - access_log <%= scope.lookupvar('nginx::params::nx_logdir')%>/ssl-<%= @name.gsub(' ', '_') %>.access.log; - error_log <%= scope.lookupvar('nginx::params::nx_logdir')%>/ssl-<%= @name.gsub(' ', '_') %>.error.log; + access_log <%= @ssl_access_log %>; + error_log <%= @ssl_error_log %>;
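Review bot: vhost_ssl_header.erb only receives the log-path change; the `vhost_cfg_prepend` loop added to vhost_header.erb has no counterpart here, so as far as this diff shows the SSL server block is rendered without the prepended directives. The comment on that loop talks about `allow`/`deny` ordering, so an operator who puts access rules in `vhost_cfg_prepend` would get them on the plain-HTTP block but not on the HTTPS one. Either add the same loop after the `auth_basic_user_file` block in this template, or document that the parameter applies to the non-SSL vhost only.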