Bump to v0.3.1.

Revert most templates to :create action. Integrate restriction file directives into the virtual host files themselves.

Bump to v0.3.1.
Revert most templates to :create action. Integrate restriction file directives into the virtual host files themselves.
nollieheel · Earth Ugat
1 parent eee846a4
Showing 8 changed files with 137 additions and 98 deletions
CHANGELOG.md
attributes/default.rb
metadata.rb
recipes/nginx_configure.rb
templates/default/inc_type_basic.erb
templates/default/inc_type_webserver.erb
templates/default/inc_type_wordpress.erb
templates/default/nginx_site.conf.erb
--- a/CHANGELOG.md
View file @d3dd5de
+++ b/CHANGELOG.md
View file @d3dd5de
+# 0.3.1
+
+Revert most templates to :create action.
+Integrate restriction file directives into 
+the virtual host files themselves.
+
 # 0.3.0
 Add support for multiple FastCGI ports.
--- a/attributes/default.rb
View file @d3dd5de
+++ b/attributes/default.rb
View file @d3dd5de
@@ -18,31 +18,6 @@
 # limitations under the License.
 #
-# TODO defunct attribs
-# The socket used PHP-FPM. If false, fastcgi is not used.
-# Examples:
-#   '127.0.0.1:9000'
-#   '/var/run/php-fpm.sock'
-#   false
-#default['cfe-nginx-php-fpm']['php_fastcgi_socket'] = '127.0.0.1:9000'
-
-# PHP-FPM sockets to be used. If unset, or set to string 'php-fpm-pools' (default),
-# the recipe automatically gets this value from node['php-fpm']['pools'].
-#default['cfe-nginx-php-fpm']['php_fastcgi_sockets'] = [
-#  {
-#    :name     => 'example_socket',
-#    # Example values:
-#    #   '127.0.0.1:9000'
-#    #   '127.0.0.1:9001'
-#    #   '/var/run/php-fpm.sock'
-#    :listen   => '127.0.0.1:9000',
-#    # An optional array of comments for this socket
-#    :comments => []
-#  }
-#]
-
-
-
 # Setting 'update_cacert' to true will get the latest cacert from
 # http://curl.haxx.se/ca/cacert.pem and use that as CAFile for postfix.
 default['cfe-nginx-php-fpm']['postfix']['update_cacert'] = true
@@ -58,15 +33,6 @@ default['cfe-nginx-php-fpm']['php-fpm']['delete_pool_www'] = true
 #default['cfe-nginx-php-fpm']['nginx']['priv_dir'] =
 #  "#{node['nginx']['dir']}/private"
-default['cfe-nginx-php-fpm']['nginx']['restriction_file']['log_robots']   = false
-default['cfe-nginx-php-fpm']['nginx']['restriction_file']['log_hidden']   = true
-default['cfe-nginx-php-fpm']['nginx']['restriction_file']['log_static']   = false
-default['cfe-nginx-php-fpm']['nginx']['restriction_file']['static_types'] = %w{
-  js css ogg ogv svg svgz eot otf woff mp4 ttf rss atom
-  jpg jpeg gif png ico zip tgz gz rar bz2
-  doc xls exe ppt tar mid midi wav bmp rtf
-}
-
 default['cfe-nginx-php-fpm']['nginx']['sites'] = [
   #{
     # Name of server. Mandatory.
@@ -86,16 +52,26 @@ default['cfe-nginx-php-fpm']['nginx']['sites'] = [
     #
     #:index => 'index.php',
-    # Access log options as one long string. Default: nil
-    #
-    #:access_log_options => '<some options>',
-
     # Whether to include a default virtual server named '_' or not.
     # If there is more than one server given in this 'sites' array,
     # :catch_all value will always be overriden to false. Default: true
     #
     #:catch_all => true,
+    # Access log options as one long string. Default: nil
+    #
+    #:access_log_options => '<some options>',
+
+    # Whether to log access to /robots.txt
+    # Default: false
+    #
+    #:log_robots => false,
+
+    # Whether to log attempted accesses to hidden directories and files
+    # Default: true
+    #
+    #:log_hidden => true,
+
     # Necessary values for SSL/TLS setup. Default: nil
     #
     #:ssl => {
@@ -179,6 +155,16 @@ default['cfe-nginx-php-fpm']['nginx']['sites'] = [
     #                     Default: (an auto-generated string)
     #   :add_statements => Additional statements to put in the config file.
     #                      Default: []
+    #   :static_types => An array of strings that denote the file extensions
+    #                    to be included in a certain location directive that
+    #                    gives them a max expiration header. Set this value
+    #                    to false to disable this directive. Default: %w{
+    #                       js css ogg ogv svg svgz eot otf woff mp4 ttf
+    #                       rss atom jpg jpeg gif png ico zip tgz gz rar
+    #                       bz2 doc xls exe ppt tar mid midi wav bmp rtf
+    #                    }
+    #   :log_static => Whether to log accesses to the above static files
+    #                  or not. Default: false
     #
     # Unique attributes for each type are indicated below:
     #   Basic PHP Site (:type => 'basic'):
@@ -208,8 +194,6 @@ default['php-fpm']['emergency_restart_threshold'] = '10'
 default['php-fpm']['emergency_restart_interval']  = '1m'
 default['php-fpm']['process_control_timeout']     = '10s'
 default['php-fpm']['pools'] = [
-  # Most likely, just use one pool for all PHP needs.
-  # (But there are exceptions, of course)
   {
     # Required attributes:
     :name   => 'example_pool',
--- a/metadata.rb
View file @d3dd5de
+++ b/metadata.rb
View file @d3dd5de
@@ -4,11 +4,11 @@ maintainer_email 'sysadmin@chromedia.com'
 license          'Apache License'
 description      'Simplifies setup of Nginx+PHP-FPM in Chromedia.'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.3.0'
+version          '0.3.1'
 {
   'php-fpm' => '0.7.5',
-  'mariadb' => '0.2.12',
+  'mariadb' => '0.3.1',
   'postfix' => '3.6.2',
   'nginx'   => '2.7.6'
 }.each { |cb, ver| depends cb, '~> ' + ver }
--- a/recipes/nginx_configure.rb
View file @d3dd5de
+++ b/recipes/nginx_configure.rb
View file @d3dd5de
@@ -28,20 +28,6 @@ priv_dir = node['cfe-nginx-php-fpm']['nginx']['priv_dir']
   end
 end
-# The restrictions file containing default rules for virtual servers.
-path_rest = "#{inc_dir}/inc_restrictions"
-restfa    = node['cfe-nginx-php-fpm']['nginx']['restriction_file']
-template path_rest do
-  action :create_if_missing
-  mode   0644
-  variables(
-    :log_robots   => restfa['log_robots'],
-    :log_hidden   => restfa['log_hidden'],
-    :log_static   => restfa['log_static'],
-    :static_types => restfa['static_types']
-  )
-end
-
 # Generate config files for each virtual server.
 catch_all_def_false = node['cfe-nginx-php-fpm']['nginx']['sites'].length > 1
@@ -65,6 +51,9 @@ node['cfe-nginx-php-fpm']['nginx']['sites'].each do |site|
   site_ss1      = site[:server_statements_1] || []
   site_ss2      = site[:server_statements_2] || []
+  site_logrobots = site.has_key?(:log_robots) ? site[:log_robots] : false
+  site_loghidden = site.has_key?(:log_hidden) ? site[:log_hidden] : true
+
   temp_catch_all = site.has_key?(:catch_all) ? site[:catch_all] : true
   site_catch_all = catch_all_def_false ? false : temp_catch_all
   site_types     = ( site[:types] || [] ).uniq { |e| e[:type] }
@@ -75,6 +64,11 @@ node['cfe-nginx-php-fpm']['nginx']['sites'].each do |site|
     'X-Permitted-Cross-Domain-Policies' => 'none'
   }
+  path_crt     = ''
+  path_key     = ''
+  path_dhparam = ''
+  path_pass    = ''
+
   # If TLS/SSL is enabled, configure it:
   if site_ssl
     if site_ssl[:letsencrypt]
@@ -118,11 +112,6 @@ node['cfe-nginx-php-fpm']['nginx']['sites'].each do |site|
     execute "openssl dhparam -out #{path_dhparam} #{dh_modulus}" do
       not_if { ::File.exist?(path_dhparam) }
     end
-
-  else
-    path_crt     = ''
-    path_key     = ''
-    path_dhparam = ''
   end
   # If basic auth is enabled, create htpasswd file
@@ -135,16 +124,13 @@ node['cfe-nginx-php-fpm']['nginx']['sites'].each do |site|
                   "\\n\" >> #{path_pass}"
         action    :run
         sensitive true
-        not_if    { ::File.exist?(path_pass) }
       end
     end
-  else
-    path_pass = ''
   end
-  site_includes = [path_rest]
-  upstreams     = []
-  # upstreams element:
+  site_includes  = []
+  site_upstreams = []
+  # site_upstreams element:
   # {
   #   :name => 'string',
   #   :servers => [
@@ -155,13 +141,35 @@ node['cfe-nginx-php-fpm']['nginx']['sites'].each do |site|
   # Create necessary include files for each type of this site
   site_types.each do |stype|
+
+    # Set default attributes for each site type
     stype_subp = stype[:subpath] ? stype[:subpath].gsub(/^\/+|\/+$|\s/, '') : ''
     stype_subp = stype_subp.length > 0 ? "#{stype_subp}/" : stype_subp
-    stype_ads  = stype[:add_statements] || []
-    stype_ups  = stype[:upstream_name] ||
+
+    stype_ads = stype[:add_statements] || []
+    stype_ups = stype[:upstream_name] ||
       "#{stype[:type]}_#{site_sname.gsub('.', '_')}"
-    upstreams.push( {
+    stype_logstatic = stype.has_key?(:log_static) ? stype[:log_static] : false
+    stype_statics = if stype.has_key?(:static_types)
+      stype[:static_types]
+    else
+      %w{
+        js css ogg ogv svg svgz eot otf woff mp4 ttf rss atom
+        jpg jpeg gif png ico zip tgz gz rar bz2
+        doc xls exe ppt tar mid midi wav bmp rtf
+      }
+    end
+
+    vars = {
+      :subpath        => stype_subp,
+      :upstream_name  => stype_ups,
+      :add_statements => stype_ads,
+      :static_types   => stype_statics,
+      :log_static     => stype_logstatic
+    }
+
+    site_upstreams.push( {
       :name    => stype_ups,
       :servers => stype[:upstream_servers] || []
     } )
@@ -169,40 +177,30 @@ node['cfe-nginx-php-fpm']['nginx']['sites'].each do |site|
     case stype[:type]
     # BASIC PHP SITE
     when 'basic'
-      stype_intererror = stype.has_key?(:fastcgi_intercept_errors) ?
+      vars[:index] = site_index
+      vars[:fastcgi_intercept_errors] = 
+        stype.has_key?(:fastcgi_intercept_errors) ?
         stype[:fastcgi_intercept_errors] : false
       template "#{inc_dir}/inc_type_basic_#{site_sname}" do
         source 'inc_type_basic.erb'
         mode   0644
-        action :create_if_missing
-        variables(
-          :index                    => site_index,
-          :subpath                  => stype_subp,
-          :upstream_name            => stype_ups,
-          :add_statements           => stype_ads,
-          :fastcgi_intercept_errors => stype_intererror
-        )
+        variables vars
       end
       site_includes.push("#{inc_dir}/inc_type_basic_#{site_sname}")
     # STANDARD WORDPRESS SITE
     when 'wordpress'
-      stype_intererror = stype.has_key?(:fastcgi_intercept_errors) ?
+      vars[:index] = site_index
+      vars[:loginpage_statements] = stype[:loginpage_statements] || []
+      vars[:fastcgi_intercept_errors] = 
+        stype.has_key?(:fastcgi_intercept_errors) ?
         stype[:fastcgi_intercept_errors] : false
       template "#{inc_dir}/inc_type_wordpress_#{site_sname}" do
         source 'inc_type_wordpress.erb'
         mode   0644
-        action :create_if_missing
-        variables(
-          :index                    => site_index,
-          :subpath                  => stype_subp,
-          :upstream_name            => stype_ups,
-          :add_statements           => stype_ads,
-          :loginpage_statements     => stype[:loginpage_statements] || [],
-          :fastcgi_intercept_errors => stype_intererror
-        )
+        variables vars
       end
       site_includes.push("#{inc_dir}/inc_type_wordpress_#{site_sname}")
@@ -211,12 +209,7 @@ node['cfe-nginx-php-fpm']['nginx']['sites'].each do |site|
       template "#{inc_dir}/inc_type_webserver_#{site_sname}" do
         source 'inc_type_webserver.erb'
         mode   0644
-        action :create_if_missing
-        variables(
-          :subpath        => stype_subp,
-          :upstream_name  => stype_ups,
-          :add_statements => stype_ads
-        )
+        variables vars
       end
       site_ins.push("map $http_upgrade $connection_upgrade {\n"\
                     "    default upgrade;\n"\
@@ -233,7 +226,6 @@ node['cfe-nginx-php-fpm']['nginx']['sites'].each do |site|
   # Create the main config file for this site
   template "#{node['nginx']['dir']}/sites-available/#{site_sname}" do
     source   'nginx_site.conf.erb'
-    action   :create_if_missing
     mode     0644
     notifies :restart, 'service[nginx]', :delayed
     variables(
@@ -244,15 +236,17 @@ node['cfe-nginx-php-fpm']['nginx']['sites'].each do |site|
       :ssl         => site_ssl,
       :auth        => site_auth,
-      :access_log_options => site_alo,
       :catch_all          => site_catch_all,
+      :access_log_options => site_alo,
+      :log_robots         => site_logrobots,
+      :log_hidden         => site_loghidden,
       :path_crt     => path_crt,
       :path_key     => path_key,
       :path_pass    => path_pass,
       :path_dhparam => path_dhparam,
-      :upstreams           => upstreams,
+      :upstreams           => site_upstreams,
       :includes            => site_includes,
       :init_statements     => site_ins,
       :add_headers         => site_aheads,
--- a/templates/default/inc_type_basic.erb
View file @d3dd5de
+++ b/templates/default/inc_type_basic.erb
View file @d3dd5de
@@ -2,6 +2,17 @@
 #
 # A basic PHP site config.
+<% if @static_types -%>
+# Send expires headers and (probably?) turn off 404 error logging.
+location ~* ^/<%= @subpath %>.+\.(<%= @static_types.join('|') %>)$ {
+    expires max;
+<%   unless @log_static -%>
+    log_not_found off;
+    access_log off;
+<%   end -%>
+}
+
+<% end -%>
 <% @add_statements.each do |ads| -%>
 <%= ads %>
--- a/templates/default/inc_type_webserver.erb
View file @d3dd5de
+++ b/templates/default/inc_type_webserver.erb
View file @d3dd5de
@@ -6,6 +6,17 @@ if ($http_user_agent ~ "MSIE") {
     return 303 https://browser-update.org/update.html;
 }
+<% if @static_types -%>
+# Send expires headers and (probably?) turn off 404 error logging.
+location ~* ^/<%= @subpath %>.+\.(<%= @static_types.join('|') %>)$ {
+    expires max;
+<%   unless @log_static -%>
+    log_not_found off;
+    access_log off;
+<%   end -%>
+}
+
+<% end -%>
 <% @add_statements.each do |ads| -%>
 <%= ads %>
--- a/templates/default/inc_type_wordpress.erb
View file @d3dd5de
+++ b/templates/default/inc_type_wordpress.erb
View file @d3dd5de
@@ -6,6 +6,17 @@
 # Add trailing slash to */wp-admin requests.
 rewrite /<%= @subpath %>wp-admin$ $scheme://$host$uri/ permanent;
+<% if @static_types -%>
+# Send expires headers and (probably?) turn off 404 error logging.
+location ~* ^/<%= @subpath %>.+\.(<%= @static_types.join('|') %>)$ {
+    expires max;
+<%   unless @log_static -%>
+    log_not_found off;
+    access_log off;
+<%   end -%>
+}
+
+<% end -%>
 <% @add_statements.each do |ads| -%>
 <%= ads %>
--- a/templates/default/nginx_site.conf.erb
View file @d3dd5de
+++ b/templates/default/nginx_site.conf.erb
View file @d3dd5de
@@ -120,6 +120,28 @@ server {
     access_log <%= @log_dir %>/<%= @server_name %>.access.log<% if @access_log_options %> <%= @access_log_options %><% end %>;
     error_log <%= @log_dir %>/<%= @server_name %>.error.log;
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    location = /robots.txt {
+        allow all;
+<% unless @log_robots -%>
+        log_not_found off;
+        access_log off;
+<% end -%>
+    }
+
+    # Deny all attempts to access hidden files and folders
+    location ~ (^|/)\. {
+        deny all;
+<% unless @log_hidden -%>
+        log_not_found off;
+        access_log off;
+<% end -%>
+    }
+
 <% @server_statements_1.each do |s1| -%>
     <%= sm %>
 <% end -%>