Bump to v0.3.0.

Add support for multiple upstream servers in nginx config.
Add support for LetsEncrypt certificate configurations.

+# 0.3.0
+
+Add support for multiple FastCGI ports.
+Add support for Letsencrypt configuration.
+
 # 0.2.1
 # 0.2.1
 
 
 Add some defaults for php-fpm
 Add some defaults for php-fpm

@@ -18,12 +18,6 @@ Ubuntu 14.04
     <th>Default</th>
     <th>Default</th>
   </tr>
   </tr>
   <tr>
   <tr>
-    <td><tt>['cfe-nginx-php-fpm']['php_fastcgi_socket']</tt></td>
-    <td>String</td>
-    <td>The socket used by PHP-FPM. Set to boolean false to disable PHP-FPM.</td>
-    <td><tt>'127.0.0.1:9000'</tt></td>
-  </tr>
-  <tr>
     <td><tt>['cfe-nginx-php-fpm']['postfix']['email_domain']</tt></td>
     <td><tt>['cfe-nginx-php-fpm']['postfix']['email_domain']</tt></td>
     <td>String</td>
     <td>String</td>
     <td>Email domain to be used by Postfix.</td>
     <td>Email domain to be used by Postfix.</td>

 #
 #
-# Author:: Earth U (<sysadmin@chromedia.com>)
+# Author:: Earth U (<sysadmin @ chromedia.com>)
 # Cookbook Name:: cfe-nginx-php-fpm
 # Cookbook Name:: cfe-nginx-php-fpm
 # Attribute:: default
 # Attribute:: default
 #
 #
@@ -18,12 +18,30 @@
 # limitations under the License.
 # limitations under the License.
 #
 #
 
 
+# TODO defunct attribs
 # The socket used PHP-FPM. If false, fastcgi is not used.
 # The socket used PHP-FPM. If false, fastcgi is not used.
 # Examples:
 # Examples:
 #   '127.0.0.1:9000'
 #   '127.0.0.1:9000'
 #   '/var/run/php-fpm.sock'
 #   '/var/run/php-fpm.sock'
 #   false
 #   false
-default['cfe-nginx-php-fpm']['php_fastcgi_socket'] = '127.0.0.1:9000'
+#default['cfe-nginx-php-fpm']['php_fastcgi_socket'] = '127.0.0.1:9000'
+
+# PHP-FPM sockets to be used. If unset, or set to string 'php-fpm-pools' (default),
+# the recipe automatically gets this value from node['php-fpm']['pools'].
+#default['cfe-nginx-php-fpm']['php_fastcgi_sockets'] = [
+#  {
+#    :name     => 'example_socket',
+#    # Example values:
+#    #   '127.0.0.1:9000'
+#    #   '127.0.0.1:9001'
+#    #   '/var/run/php-fpm.sock'
+#    :listen   => '127.0.0.1:9000',
+#    # An optional array of comments for this socket
+#    :comments => []
+#  }
+#]
+
+
 
 
 # Setting 'update_cacert' to true will get the latest cacert from
 # Setting 'update_cacert' to true will get the latest cacert from
 # http://curl.haxx.se/ca/cacert.pem and use that as CAFile for postfix.
 # http://curl.haxx.se/ca/cacert.pem and use that as CAFile for postfix.
@@ -51,35 +69,64 @@ default['cfe-nginx-php-fpm']['nginx']['restriction_file']['static_types'] = %w{
 
 
 default['cfe-nginx-php-fpm']['nginx']['sites'] = [
 default['cfe-nginx-php-fpm']['nginx']['sites'] = [
   #{
   #{
+    # Name of server. Mandatory.
+    #
     #:server_name => 'example.com',
     #:server_name => 'example.com',
+
+    # Server aliases in an array. Default: []
+    #
     #:aliases => ['www.example.com'],
     #:aliases => ['www.example.com'],
+
+    # Location of document root. If not given, the root directive
+    # will not be included in the config. Default: nil
+    #
     #:doc_root => '/var/www/example.com',
     #:doc_root => '/var/www/example.com',
+
+    # Index, if applicable, of the site. Default: nil
+    #
     #:index => 'index.php',
     #:index => 'index.php',
 
 
-    # Access log options as one long string. Default: false
+    # Access log options as one long string. Default: nil
+    #
     #:access_log_options => '<some options>',
     #:access_log_options => '<some options>',
 
 
     # Whether to include a default virtual server named '_' or not.
     # Whether to include a default virtual server named '_' or not.
     # If there is more than one server given in this 'sites' array,
     # If there is more than one server given in this 'sites' array,
-    # 'catch_all' value will always be overriden to 'false'.
-    # Default: true
+    # :catch_all value will always be overriden to false. Default: true
+    #
     #:catch_all => true,
     #:catch_all => true,
 
 
-    # Necessary values for SSL/TLS setup. Default: :ssl => false
+    # Necessary values for SSL/TLS setup. Default: nil
+    #
     #:ssl => {
     #:ssl => {
-    #  :cert => '[contents of chain cert here]',
-    #  :key => '[contents of cert private key here]',
-    #  :dh_modulus => 2048,
-    #  :self_signed => false,
-    #  :hsts_max_age => '15758000',
-    #  :hsts_include_subdomains => true
+    #  # Subvalues and their defaults:
+    #
+    #  # If LetsEncrypt is used, set to true.
+    #  # le_sub_dir defaults to the server name.
+    #  #
+    #  :letsencrypt => false,
+    #  :le_base_dir => '/etc/letsencrypt/live',
+    #  :le_sub_dir  => '<server_name>',
+    #
+    #  # If not using LetsEncrypt, specify cert and key here.
+    #  # If using LetsEncrypt, these attributes are not used:
+    #  #
+    #  :cert => '<contents of chain cert here>',
+    #  :key  => '<contents of cert private key here>',
+    #
+    #  :self_signed     => false,
+    #  :cipher_suite    => 'medium', # or 'modern'
+    #  :dh_modulus      => 4096,
+    #  :hsts_max_age    => '15758000',
+    #  :hsts_subdomains => true
     #},
     #},
 
 
-    # Necessary values for Basic Auth setup. Default: :auth => false
+    # Necessary values for Basic Auth setup. Default: nil
+    #
     #:auth => {
     #:auth => {
     #  :msg => 'Restricted Area. Please authenticate.',
     #  :msg => 'Restricted Area. Please authenticate.',
     #  :users => {
     #  :users => {
-    #    'example_user' => 'secretpassword123'
+    #    'example_user' => '<password>'
     #  }
     #  }
     #},
     #},
 
 
@@ -87,31 +134,63 @@ default['cfe-nginx-php-fpm']['nginx']['sites'] = [
     # the 'server' declaration. Default: []
     # the 'server' declaration. Default: []
     #:init_statements => [],
     #:init_statements => [],
 
 
+    # Additional headers to insert into the server responses.
+    # If the site uses HTTPS, the header 'Strict-Transport-Security' will
+    # always be included. Default:
+    #   {
+    #     'X-Frame-Options'                   => 'SAMEORIGIN',
+    #     'X-Content-Type-Options'            => 'nosniff',
+    #     'X-XSS-Protection'                  => '"1; mode=block"',
+    #     'X-Permitted-Cross-Domain-Policies' => 'none'
+    #   }
+    #
+    #:add_headers => {},
+
     # An array of strings that will be included as statements in the main
     # An array of strings that will be included as statements in the main
-    # nginx config file for this server. Default: []
-    #:custom_statements => [],
+    # nginx config file for this server, before the first 'include'
+    # directive. Default: []
+    #
+    #:server_statements_1 => [],
+
+    # An array of strings that will be included as statements in the main
+    # nginx config file for this server, after the last 'include'
+    # directive. Default: []
+    #
+    #:server_statements_2 => [],
 
 
     # Enumerates the different site types this server supports.
     # Enumerates the different site types this server supports.
-    # Possible elements of :types are (only :type is mandatory):
-    #   {
-    #     :type => 'basic',
-    #     :subpath => ''
-    #   }
-    #   {
-    #     :type => 'wordpress',
-    #     :subpath => '',
-    #     :fastcgi_intercept_errors => false,
-    #     :loginpage_statements => [] # An array of strings to be 
-    #                                 # written on the config for the
-    #                                 # /wp-login.php and /wp-admin pages.
-    #   }
-    #   {
-    #     :type          => 'webserver',
-    #     :subpath       => '',
-    #     :upstream_name => 'example',
-    #     :upstream_ip   => '127.0.0.1',
-    #     :upstream_port => '8080',
-    #   }
+    # Each type element of this array is a hash containing different attributes.
+    #
+    # Mandatory attributes are:
+    #   :type => One of: 'basic' (basic PHP site)
+    #                    'wordpress' (standard Wordpress site)
+    #                    'webserver' (proxy webserver)
+    #   :upstream_servers => An array containing upstream server endpoints.
+    #                        Unix socket example: ['/var/run/php-fpm.sock']
+    #                        Tcp port example: ['127.0.0.1:9000']
+    #
+    # Optional attributes are:
+    #   :subpath => A string of the form: 'news/blog'.
+    #               Indicates what subpath of the site this type applies.
+    #               Default: '', which means this site type applies
+    #               to the root directory of the site.
+    #   :upstream_name => The auto-generated config's upstream name can
+    #                     be customized through this attribute.
+    #                     Default: (an auto-generated string)
+    #   :add_statements => Additional statements to put in the config file.
+    #                      Default: []
+    #
+    # Unique attributes for each type are indicated below:
+    #   Basic PHP Site (:type => 'basic'):
+    #     :fastcgi_intercept_errors => Optional. Default: false
+    #   Standard Wordpress Site (:type => 'wordpress'):
+    #     :fastcgi_intercept_errors => Optional. Default: false
+    #     :loginpage_statements => An array of strings to be put on the
+    #                              config for the /wp-login.php
+    #                              and /wp-admin pages. Default: []
+    #   Proxy Webserver (:type => 'webserver'):
+    #     (none)
+    #
     #:types => []
     #:types => []
   #}
   #}
 ]
 ]
@@ -132,12 +211,14 @@ default['php-fpm']['pools'] = [
   # Most likely, just use one pool for all PHP needs.
   # Most likely, just use one pool for all PHP needs.
   # (But there are exceptions, of course)
   # (But there are exceptions, of course)
   {
   {
+    # Required attributes:
     :name   => 'example_pool',
     :name   => 'example_pool',
     :enable => true,
     :enable => true,
+    :listen => '127.0.0.1:9000',
+    #:listen => '/var/run/php-fpm.sock',
 
 
-    # Default value is: node['cfe-nginx-php-fpm']['php_fastcgi_socket']
-    #:listen => node['cfe-nginx-php-fpm']['php_fastcgi_socket'],
-
+    # Optional attributes with their defaults:
+    #
     # Default is same as Nginx user and group
     # Default is same as Nginx user and group
     #:user   => node['nginx']['user'],
     #:user   => node['nginx']['user'],
     #:group  => node['nginx']['group'],
     #:group  => node['nginx']['group'],

 #
 #
-# Author:: Earth U (<sysadmin@chromedia.com>)
+# Author:: Earth U (<sysadmin @ chromedia.com>)
 # Cookbook Name:: cfe-nginx-php-fpm
 # Cookbook Name:: cfe-nginx-php-fpm
 # Definition:: php_ext
 # Definition:: php_ext
 #
 #

@@ -4,7 +4,7 @@ maintainer_email 'sysadmin@chromedia.com'
 license          'Apache License'
 license          'Apache License'
 description      'Simplifies setup of Nginx+PHP-FPM in Chromedia.'
 description      'Simplifies setup of Nginx+PHP-FPM in Chromedia.'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.2.1'
+version          '0.3.0'
 
 
 {
 {
   'php-fpm' => '0.7.5',
   'php-fpm' => '0.7.5',

 #
 #
-# Author:: Earth U (<sysadmin@chromedia.com>)
+# Author:: Earth U (<sysadmin @ chromedia.com>)
 # Cookbook Name:: cfe-nginx-php-fpm
 # Cookbook Name:: cfe-nginx-php-fpm
 # Recipe:: default
 # Recipe:: default
 #
 #

 #
 #
-# Author:: Earth U (<sysadmin@chromedia.com>)
+# Author:: Earth U (<sysadmin @ chromedia.com>)
 # Cookbook Name:: cfe-nginx-php-fpm
 # Cookbook Name:: cfe-nginx-php-fpm
 # Recipe:: mariadb_client
 # Recipe:: mariadb_client
 #
 #

 #
 #
-# Author:: Earth U (<sysadmin@chromedia.com>)
+# Author:: Earth U (<sysadmin @ chromedia.com>)
 # Cookbook Name:: cfe-nginx-php-fpm
 # Cookbook Name:: cfe-nginx-php-fpm
 # Recipe:: nginx
 # Recipe:: nginx
 #
 #
@@ -30,216 +30,4 @@ node.default['cfe-nginx-php-fpm']['nginx']['priv_dir'] =
 # Begin server configuration
 # Begin server configuration
 
 
 include_recipe 'nginx'
 include_recipe 'nginx'
-
-attribs  = node['cfe-nginx-php-fpm']['nginx']
-inc_dir  = attribs['inc_dir']
-priv_dir = attribs['priv_dir']
-
-[ inc_dir, priv_dir ].each do |ndir|
-  directory ndir do
-    recursive true
-  end
-end
-
-# The restrictions.conf file containing default rules for virtual servers.
-path_rest = "#{inc_dir}/restrictions.conf"
-template path_rest do
-  action :create_if_missing
-  mode   0644
-  variables(
-    :log_robots   => attribs['restriction_file']['log_robots'],
-    :log_hidden   => attribs['restriction_file']['log_hidden'],
-    :log_static   => attribs['restriction_file']['log_static'],
-    :static_types => attribs['restriction_file']['static_types']
-  )
-end
-
-# Some basic "include" files for PHP
-path_bpf = "#{inc_dir}/inc_basic_php_fastcgi"
-template path_bpf do
-  action :create_if_missing
-  mode 0644
-  variables(
-    :socket => node['cfe-nginx-php-fpm']['php_fastcgi_socket']
-  )
-  only_if { node['cfe-nginx-php-fpm']['php_fastcgi_socket'] }
-end
-
-catch_all_def_false = attribs['sites'].length > 1
-
-attribs['sites'].each do |site|
-
-  if site.is_a?(Array)
-    site_sname = site[0]
-    site = site[1]
-  else
-    site_sname = site[:server_name]
-  end
-
-  site_index    = site[:index] || 'index.php'
-  site_aliases  = site[:aliases] || []
-  site_doc_root = site[:doc_root] || ''
-  site_ssl      = site[:ssl] || false
-  site_auth     = site[:auth] || false
-  site_alo      = site[:access_log_options] || false
-  site_cs       = site[:custom_statements] || []
-  site_ins      = site[:init_statements] || []
-
-  site_types = ( site[:types] || [] ).uniq { |e| e[:type] }
-
-  temp_catch_all = site.has_key?(:catch_all) ? site[:catch_all] : true
-  site_catch_all = catch_all_def_false ? false : temp_catch_all
-
-  path_crt     = "#{priv_dir}/#{site_sname}.crt"
-  path_key     = "#{priv_dir}/#{site_sname}.key"
-  path_pass    = "#{priv_dir}/#{site_sname}.htpasswd"
-  path_dhparam = "#{priv_dir}/#{site_sname}.dhparam"
-
-  # If TLS/SSL is enabled, create necessary files
-  if site_ssl
-    if site_ssl[:cert].nil?
-      Chef::Log.error('Missing SSL certificate')
-      raise 'Missing SSL certificate'
-    end
-
-    if site_ssl[:key].nil?
-      Chef::Log.error('Missing SSL key file')
-      raise 'Missing SSL key file'
-    end
-
-    file path_crt do
-      mode      0644
-      content   site_ssl[:cert]
-      sensitive true
-      action    :create_if_missing
-    end
-
-    file path_key do
-      mode      0644
-      content   site_ssl[:key]
-      sensitive true
-      action    :create_if_missing
-    end
-
-    dh_modulus = site_ssl[:dh_modulus] || 2048
-    execute "openssl dhparam -out #{path_dhparam} #{dh_modulus}" do
-      not_if { ::File.exist?(path_dhparam) }
-    end
-  end
-
-  # If basic auth is enabled, create htaccess file
-  if site_auth
-    site_auth[:users].each do |auser, apass|
-      execute "Generate #{path_pass}" do
-        command   "printf \"#{auser}:"\
-                  "$( openssl passwd -apr1 '#{apass}' )"\
-                  "\\n\" >> #{path_pass}"
-        action    :run
-        sensitive true
-        not_if    { ::File.exist?(path_pass) }
-      end
-    end
-  end
-
-  site_includes = []
-  upstreams     = []
-
-  # Create necessary include files for each type of this site
-  site_types.each do |stype|
-    stype_subp = stype[:subpath] ? stype[:subpath].gsub(/^\/+|\/$|\s/, '') : ''
-    stype_subp = stype_subp.length > 0 ? "#{stype_subp}/" : stype_subp
-
-    case stype[:type]
-    # BASIC PHP SITE
-    when 'basic'
-      template "#{inc_dir}/inc_type_basic_#{site_sname}" do
-        source 'inc_type_basic.erb'
-        mode   0644
-        action :create_if_missing
-        variables(
-          :index             => site_index,
-          :subpath           => stype_subp,
-          :basic_php_fastcgi => path_bpf
-        )
-      end
-      site_includes.push("#{inc_dir}/inc_type_basic_#{site_sname}")
-
-    # STANDARD WORDPRESS SITE
-    when 'wordpress'
-      template "#{inc_dir}/inc_type_wordpress_#{site_sname}" do
-        source 'inc_type_wordpress.erb'
-        mode   0644
-        action :create_if_missing
-        variables(
-          :index                    => site_index,
-          :subpath                  => stype_subp,
-          :basic_php_fastcgi        => path_bpf,
-          :loginpage_statements     => stype[:loginpage_statements] || [],
-          :fastcgi_intercept_errors => stype[:fastcgi_intercept_errors] || false
-        )
-      end
-      site_includes.push("#{inc_dir}/inc_type_wordpress_#{site_sname}")
-
-    # BASIC PROXIED WEBSERVER
-    when 'webserver'
-      upstream_name = stype[:upstream_name] || 'webserver'
-      template "#{inc_dir}/inc_type_webserver_#{site_sname}" do
-        source 'inc_type_webserver.erb'
-        mode   0644
-        action :create_if_missing
-        variables(
-          :subpath       => stype_subp,
-          :upstream_name => upstream_name
-        )
-      end
-      site_ins.push("map $http_upgrade $connection_upgrade {\n"\
-                    "    default upgrade;\n"\
-                    "    ''      close;\n"\
-                    "}")
-      upstreams.push( {
-        :name => upstream_name,
-        :ip   => stype[:upstream_ip] || '127.0.0.1',
-        :port => stype[:upstream_port] || '8080'
-      } )
-      site_includes.push("#{inc_dir}/inc_type_webserver_#{site_sname}")
-
-    else
-      Chef::Log.error("Unknown site type: #{stype[:type]}")
-      raise 'Unknown site type'
-    end
-  end
-
-  # Create the main config file for this site
-  template "#{node['nginx']['dir']}/sites-available/#{site_sname}" do
-    source   'nginx_site.conf.erb'
-    action   :create_if_missing
-    mode     0644
-    notifies :restart, 'service[nginx]'
-    variables(
-      :server_name => site_sname,
-      :aliases     => site_aliases,
-      :doc_root    => site_doc_root,
-      :index       => site_index,
-      :ssl         => site_ssl,
-      :auth        => site_auth,
-
-      :access_log_options => site_alo,
-      :catch_all          => site_catch_all,
-
-      :path_crt     => path_crt,
-      :path_key     => path_key,
-      :path_pass    => path_pass,
-      :path_dhparam => path_dhparam,
-      :path_rest    => path_rest,
-
-      :upstreams         => upstreams,
-      :includes          => site_includes,
-      :init_statements   => site_ins,
-      :custom_statements => site_cs
-    )
-  end
-
-  nginx_site site_sname do
-    enable true
-  end
-end
+include_recipe "#{cookbook_name}::nginx_configure"

+#
+# Author:: Earth U (<sysadmin @ chromedia.com>)
+# Cookbook Name:: cfe-nginx-php-fpm
+# Recipe:: nginx_configure
+#
+# Copyright 2016, Chromedia Far East, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Create necessary directories
+inc_dir  = node['cfe-nginx-php-fpm']['nginx']['inc_dir']
+priv_dir = node['cfe-nginx-php-fpm']['nginx']['priv_dir']
+
+[ inc_dir, priv_dir ].each do |ndir|
+  directory ndir do
+    recursive true
+  end
+end
+
+# The restrictions file containing default rules for virtual servers.
+path_rest = "#{inc_dir}/inc_restrictions"
+restfa    = node['cfe-nginx-php-fpm']['nginx']['restriction_file']
+template path_rest do
+  action :create_if_missing
+  mode   0644
+  variables(
+    :log_robots   => restfa['log_robots'],
+    :log_hidden   => restfa['log_hidden'],
+    :log_static   => restfa['log_static'],
+    :static_types => restfa['static_types']
+  )
+end
+
+# Generate config files for each virtual server.
+catch_all_def_false = node['cfe-nginx-php-fpm']['nginx']['sites'].length > 1
+
+node['cfe-nginx-php-fpm']['nginx']['sites'].each do |site|
+
+  if site.is_a?(Array)
+    site_sname = site[0]
+    site = site[1]
+  else
+    site_sname = site[:server_name]
+  end
+
+  # Assign default values to attributes
+  site_index    = site[:index] || nil
+  site_aliases  = site[:aliases] || []
+  site_doc_root = site[:doc_root] || nil
+  site_alo      = site[:access_log_options] || nil
+  site_ssl      = site[:ssl] || nil
+  site_auth     = site[:auth] || nil
+  site_ins      = site[:init_statements] || []
+  site_ss1      = site[:server_statements_1] || []
+  site_ss2      = site[:server_statements_2] || []
+
+  temp_catch_all = site.has_key?(:catch_all) ? site[:catch_all] : true
+  site_catch_all = catch_all_def_false ? false : temp_catch_all
+  site_types     = ( site[:types] || [] ).uniq { |e| e[:type] }
+  site_aheads    = site[:add_headers] || {
+    'X-Frame-Options'                   => 'SAMEORIGIN',
+    'X-Content-Type-Options'            => 'nosniff',
+    'X-XSS-Protection'                  => '"1; mode=block"',
+    'X-Permitted-Cross-Domain-Policies' => 'none'
+  }
+
+  # If TLS/SSL is enabled, configure it:
+  if site_ssl
+    if site_ssl[:letsencrypt]
+      le_base_dir = site_ssl[:le_base_dir] || '/etc/letsencrypt/live'
+      le_sub_dir  = site_ssl[:le_sub_dir] || site_sname
+      path_crt    = "#{le_base_dir}/#{le_sub_dir}/fullchain.pem"
+      path_key    = "#{le_base_dir}/#{le_sub_dir}/privkey.pem"
+
+    else
+      path_crt = "#{priv_dir}/#{site_sname}.crt"
+      path_key = "#{priv_dir}/#{site_sname}.key"
+
+      if site_ssl[:cert].nil?
+        Chef::Log.error('Missing SSL certificate')
+        raise 'Missing SSL certificate'
+      end
+
+      if site_ssl[:key].nil?
+        Chef::Log.error('Missing SSL key file')
+        raise 'Missing SSL key file'
+      end
+
+      file path_crt do
+        mode      0644
+        content   site_ssl[:cert]
+        sensitive true
+        action    :create_if_missing
+      end
+
+      file path_key do
+        mode      0644
+        content   site_ssl[:key]
+        sensitive true
+        action    :create_if_missing
+      end
+    end
+
+    # Configure a high modulus DH param
+    path_dhparam = "#{priv_dir}/#{site_sname}.dhparam"
+    dh_modulus   = site_ssl[:dh_modulus] || 4096
+    execute "openssl dhparam -out #{path_dhparam} #{dh_modulus}" do
+      not_if { ::File.exist?(path_dhparam) }
+    end
+
+  else
+    path_crt     = ''
+    path_key     = ''
+    path_dhparam = ''
+  end
+
+  # If basic auth is enabled, create htpasswd file
+  if site_auth
+    path_pass = "#{priv_dir}/#{site_sname}.htpasswd"
+    site_auth[:users].each do |auser, apass|
+      execute "Generate #{path_pass}" do
+        command   "printf \"#{auser}:"\
+                  "$( openssl passwd -apr1 '#{apass}' )"\
+                  "\\n\" >> #{path_pass}"
+        action    :run
+        sensitive true
+        not_if    { ::File.exist?(path_pass) }
+      end
+    end
+  else
+    path_pass = ''
+  end
+
+  site_includes = [path_rest]
+  upstreams     = []
+  # upstreams element:
+  # {
+  #   :name => 'string',
+  #   :servers => [
+  #     '127.0.0.1:9000',
+  #     '/var/run/php-fpm.sock'
+  #   ]
+  # }
+
+  # Create necessary include files for each type of this site
+  site_types.each do |stype|
+    stype_subp = stype[:subpath] ? stype[:subpath].gsub(/^\/+|\/+$|\s/, '') : ''
+    stype_subp = stype_subp.length > 0 ? "#{stype_subp}/" : stype_subp
+    stype_ads  = stype[:add_statements] || []
+    stype_ups  = stype[:upstream_name] ||
+      "#{stype[:type]}_#{site_sname.gsub('.', '_')}"
+
+    upstreams.push( {
+      :name    => stype_ups,
+      :servers => stype[:upstream_servers] || []
+    } )
+
+    case stype[:type]
+    # BASIC PHP SITE
+    when 'basic'
+      stype_intererror = stype.has_key?(:fastcgi_intercept_errors) ?
+        stype[:fastcgi_intercept_errors] : false
+
+      template "#{inc_dir}/inc_type_basic_#{site_sname}" do
+        source 'inc_type_basic.erb'
+        mode   0644
+        action :create_if_missing
+        variables(
+          :index                    => site_index,
+          :subpath                  => stype_subp,
+          :upstream_name            => stype_ups,
+          :add_statements           => stype_ads,
+          :fastcgi_intercept_errors => stype_intererror
+        )
+      end
+      site_includes.push("#{inc_dir}/inc_type_basic_#{site_sname}")
+
+    # STANDARD WORDPRESS SITE
+    when 'wordpress'
+      stype_intererror = stype.has_key?(:fastcgi_intercept_errors) ?
+        stype[:fastcgi_intercept_errors] : false
+
+      template "#{inc_dir}/inc_type_wordpress_#{site_sname}" do
+        source 'inc_type_wordpress.erb'
+        mode   0644
+        action :create_if_missing
+        variables(
+          :index                    => site_index,
+          :subpath                  => stype_subp,
+          :upstream_name            => stype_ups,
+          :add_statements           => stype_ads,
+          :loginpage_statements     => stype[:loginpage_statements] || [],
+          :fastcgi_intercept_errors => stype_intererror
+        )
+      end
+      site_includes.push("#{inc_dir}/inc_type_wordpress_#{site_sname}")
+
+    # REVERSE PROXY WEBSERVER
+    when 'webserver'
+      template "#{inc_dir}/inc_type_webserver_#{site_sname}" do
+        source 'inc_type_webserver.erb'
+        mode   0644
+        action :create_if_missing
+        variables(
+          :subpath        => stype_subp,
+          :upstream_name  => stype_ups,
+          :add_statements => stype_ads
+        )
+      end
+      site_ins.push("map $http_upgrade $connection_upgrade {\n"\
+                    "    default upgrade;\n"\
+                    "    ''      close;\n"\
+                    "}")
+      site_includes.push("#{inc_dir}/inc_type_webserver_#{site_sname}")
+
+    else
+      Chef::Log.error("Unknown site type: #{stype[:type]}")
+      raise 'Unknown site type'
+    end
+  end
+
+  # Create the main config file for this site
+  template "#{node['nginx']['dir']}/sites-available/#{site_sname}" do
+    source   'nginx_site.conf.erb'
+    action   :create_if_missing
+    mode     0644
+    notifies :restart, 'service[nginx]', :delayed
+    variables(
+      :server_name => site_sname,
+      :aliases     => site_aliases,
+      :doc_root    => site_doc_root,
+      :index       => site_index,
+      :ssl         => site_ssl,
+      :auth        => site_auth,
+
+      :access_log_options => site_alo,
+      :catch_all          => site_catch_all,
+
+      :path_crt     => path_crt,
+      :path_key     => path_key,
+      :path_pass    => path_pass,
+      :path_dhparam => path_dhparam,
+
+      :upstreams           => upstreams,
+      :includes            => site_includes,
+      :init_statements     => site_ins,
+      :add_headers         => site_aheads,
+      :server_statements_1 => site_ss1,
+      :server_statements_2 => site_ss2,
+
+      :log_dir => node['nginx']['log_dir']
+    )
+  end
+
+  nginx_site site_sname do
+    enable true
+  end
+end

 #
 #
-# Author:: Earth U (<sysadmin@chromedia.com>)
+# Author:: Earth U (<sysadmin @ chromedia.com>)
 # Cookbook Name:: cfe-nginx-php-fpm
 # Cookbook Name:: cfe-nginx-php-fpm
 # Recipe:: php-fpm
 # Recipe:: php-fpm
 #
 #
@@ -53,8 +53,6 @@ if node['php-fpm']['pools']
     pool2['php_options']     = def_php_opts unless pool['php_options']
     pool2['php_options']     = def_php_opts unless pool['php_options']
     pool2['user']            = node['nginx']['user'] unless pool['user']
     pool2['user']            = node['nginx']['user'] unless pool['user']
     pool2['group']           = node['nginx']['user'] unless pool['group']
     pool2['group']           = node['nginx']['user'] unless pool['group']
-    pool2['listen'] =
-      node['cfe-nginx-php-fpm']['php_fastcgi_socket'] unless pool['listen']
 
 
     node.default['php-fpm']['pools'][key] = pool2
     node.default['php-fpm']['pools'][key] = pool2
   end
   end

 #
 #
-# Author:: Earth U (<sysadmin@chromedia.com>)
+# Author:: Earth U (<sysadmin @ chromedia.com>)
 # Cookbook Name:: cfe-nginx-php-fpm
 # Cookbook Name:: cfe-nginx-php-fpm
 # Recipe:: postfix
 # Recipe:: postfix
 #
 #

-# Generated by Chef
-#
-
-# No need to enable this if PHP and Nginx share the same filesystem
-#fastcgi_index index.php;
-
-# You should have "cgi.fix_pathinfo = 0;" in php.ini
-fastcgi_split_path_info ^(.+\.php)(/.+)$;
-include fastcgi_params;
-fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-
-<% socket = @socket[0] == '/' ? "unix:#{@socket}" : @socket -%>
-fastcgi_pass <%= socket %>;

@@ -2,18 +2,33 @@
 #
 #
 # A basic PHP site config.
 # A basic PHP site config.
 
 
-# Pass all .php files onto a php-fpm/php-fcgi server.
+<% @add_statements.each do |ads| -%>
+<%= ads %>
+
+<% end -%>
+# Pass all .php files onto a PHP-FPM fastcgi server.
 #location ~ [^/]\.php(/|$) {
 #location ~ [^/]\.php(/|$) {
 # Customized location directive to account for URL subpathing:
 # Customized location directive to account for URL subpathing:
 location ~ ^/<%= @subpath %>.+\.php(/|$) {
 location ~ ^/<%= @subpath %>.+\.php(/|$) {
     try_files $uri =404;
     try_files $uri =404;
 
 
-    # Enable only if implementing custom error pages
-    #fastcgi_intercept_errors on;
+    # No need to enable this if PHP and Nginx share the same filesystem
+    #fastcgi_index index.php;
+
+<% if @fastcgi_intercept_errors -%>
+    # Enable if implementing custom error pages
+    fastcgi_intercept_errors on;
+
+<% end -%>
+    # You should have "cgi.fix_pathinfo = 0;" in php.ini
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 
 
-    include <%= @basic_php_fastcgi %>;
+    fastcgi_pass <%= @upstream_name %>;
 }
 }
 
 
 location ~ ^/<%= @subpath %> {
 location ~ ^/<%= @subpath %> {
-    try_files $uri $uri/ /<%= @subpath %><%= @index %>?$args;
+<% str = @fastcgi_intercept_errors ? '=404' : "/#{@subpath}#{@index}?$args" -%>
+    try_files $uri $uri/ <%= str %>;
 }
 }

@@ -6,6 +6,10 @@ if ($http_user_agent ~ "MSIE") {
     return 303 https://browser-update.org/update.html;
     return 303 https://browser-update.org/update.html;
 }
 }
 
 
+<% @add_statements.each do |ads| -%>
+<%= ads %>
+
+<% end -%>
 location ~ ^/<%= @subpath %> {
 location ~ ^/<%= @subpath %> {
     proxy_pass http://<%= @upstream_name %>;
     proxy_pass http://<%= @upstream_name %>;
     proxy_http_version 1.1;
     proxy_http_version 1.1;

@@ -6,6 +6,10 @@
 # Add trailing slash to */wp-admin requests.
 # Add trailing slash to */wp-admin requests.
 rewrite /<%= @subpath %>wp-admin$ $scheme://$host$uri/ permanent;
 rewrite /<%= @subpath %>wp-admin$ $scheme://$host$uri/ permanent;
 
 
+<% @add_statements.each do |ads| -%>
+<%= ads %>
+
+<% end -%>
 # Deny access to any files with a .php extension in the uploads directory
 # Deny access to any files with a .php extension in the uploads directory
 # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
 # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
 location ~* /<%= @subpath %>(.+/)*(?:uploads|files)/.*\.php$ {
 location ~* /<%= @subpath %>(.+/)*(?:uploads|files)/.*\.php$ {
@@ -26,7 +30,12 @@ location ~ ^/<%= @subpath %>(wp-admin|wp-login\.php) {
         fastcgi_intercept_errors on;
         fastcgi_intercept_errors on;
 
 
 <% end -%>
 <% end -%>
-        include <%= @basic_php_fastcgi %>;
+        # You should have "cgi.fix_pathinfo = 0;" in php.ini
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+
+        fastcgi_pass <%= @upstream_name %>;
     }
     }
 }
 }
 
 
@@ -40,9 +49,15 @@ location ~ ^/<%= @subpath %>.+\.php(/|$) {
     fastcgi_intercept_errors on;
     fastcgi_intercept_errors on;
 
 
 <% end -%>
 <% end -%>
-    include <%= @basic_php_fastcgi %>;
+    # You should have "cgi.fix_pathinfo = 0;" in php.ini
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+
+    fastcgi_pass <%= @upstream_name %>;
 }
 }
 
 
 location ~ ^/<%= @subpath %> {
 location ~ ^/<%= @subpath %> {
-    try_files $uri $uri/ /<%= @subpath %><%= @index %>?$args;
+<% str = @fastcgi_intercept_errors ? '=404' : "/#{@subpath}#{@index}?$args" -%>
+    try_files $uri $uri/ <%= str %>;
 }
 }

 # Generated by Chef
 # Generated by Chef
 #
 #
-<%
-@init_statements.each do |ins|
--%>
-<%= ins %>
-
-<%
-end
 
 
-@upstreams.each do |us|
--%>
+<% ## -%>
+<% ## Initial directives -%>
+<% ## -%>
+<% @init_statements.each do |ins| -%>
+<%= ins %>
+<% end -%>
+<% ## -%>
+<% ## List upstreams -%>
+<% ## Example @upstreams element: -%>
+<% ## { -%>
+<% ##   :name => 'string', -%>
+<% ##   :servers => [ -%>
+<% ##     '127.0.0.1:9000', -%>
+<% ##     '/var/run/php-fpm.sock' -%>
+<% ##   ] -%>
+<% ## } -%>
+<% ## -%>
+<% @upstreams.each do |us| -%>
+<%   us_servers = us[:servers].inject([]) do |acc, serv| -%>
+<%     acc << ( serv[0] == '/' ? "unix:#{serv}" : serv ) -%>
+<%     acc -%>
+<%   end -%>
 upstream <%= us[:name] %> {
 upstream <%= us[:name] %> {
-    server <%= us[:ip] %>:<%= us[:port] %>;
+<%   us_servers.each do |serv| -%>
+    server <%= serv %>;
+<%   end -%>
 }
 }
 
 
-<% 
-end
-
-servers = [@server_name]
-@aliases.each do |aname|
-  servers << aname
-end
-servers.uniq!
-
-if @catch_all
--%>
+<% end -%>
+<% ## -%>
+<% ## Server block for default nameless server -%>
+<% ## -%>
+<% if @catch_all -%>
 server {
 server {
     listen      80 default_server;
     listen      80 default_server;
     server_name _;
     server_name _;
     return      444;
     return      444;
 }
 }
 
 
-<%
-end
-if @ssl
-  if @catch_all
--%>
+<% end -%>
+<% ## -%>
+<% ## Main server block -%>
+<% ## -%>
+<% servers = @aliases.inject([@server_name]) do |acc, elem| -%>
+<%   acc << elem -%>
+<% end -%>
+<% servers.uniq! -%>
+<% if @ssl -%>
+<%   if @catch_all -%>
 server {
 server {
     listen      443 default_server;
     listen      443 default_server;
     server_name _;
     server_name _;
     return      444;
     return      444;
 }
 }
 
 
-<%
-  end
--%>
+<%   end -%>
 server {
 server {
     listen 80;
     listen 80;
     server_name <%= servers.join(' ') %>;
     server_name <%= servers.join(' ') %>;
@@ -57,53 +69,66 @@ server {
     ssl_certificate <%= @path_crt %>;
     ssl_certificate <%= @path_crt %>;
     ssl_certificate_key <%= @path_key %>;
     ssl_certificate_key <%= @path_key %>;
 <%   unless @ssl[:self_signed] -%>
 <%   unless @ssl[:self_signed] -%>
+<%     if @ssl[:cipher_suite] == 'modern' -%>
 
 
     # Modern cipher suite:
     # Modern cipher suite:
-    #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
+    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
+<%     else -%>
+
     # Medium compatibility cipher suite (compatible with IE7 WinXP):
     # Medium compatibility cipher suite (compatible with IE7 WinXP):
     ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
     ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+<%     end -%>
     ssl_prefer_server_ciphers on;
     ssl_prefer_server_ciphers on;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_session_cache shared:SSL:10m;
     ssl_session_cache shared:SSL:10m;
     ssl_dhparam <%= @path_dhparam %>;
     ssl_dhparam <%= @path_dhparam %>;
 <%   end -%>
 <%   end -%>
-
-<%
-  hsts = "max-age=#{@ssl[:hsts_max_age]};"
-  hsts << 'includeSubDomains;' if @ssl[:hsts_include_subdomains]
--%>
+<%   hage = @ssl[:hsts_max_age] || '15758000' -%>
+<%   hsub = @ssl.has_key?(:hsts_subdomains) ? @ssl[:hsts_subdomains] : true -%>
+<%   hsts = "max-age=#{hage};" -%>
+<%   hsts << 'includeSubDomains;' if hsub -%>
     add_header Strict-Transport-Security "<%= hsts %>";
     add_header Strict-Transport-Security "<%= hsts %>";
-<%
-else
--%>
+<% else -%>
 server {
 server {
     listen 80;
     listen 80;
 
 
-<%
-end
--%>
-    add_header X-Frame-Options SAMEORIGIN;
-    add_header X-Content-Type-Options nosniff;
+<% end -%>
+<% @add_headers.each do |header, value| -%>
+    add_header <%= header %> <%= value %>;
+<% end -%>
+
+    # Add CSP headers here:
+    # [https://www.owasp.org/index.php/Content_Security_Policy]
+    # [http://www.html5rocks.com/en/tutorials/security/content-security-policy/]
+    #
+    #add_header Content-Security-Policy "default-src 'self'";
+    #add_header X-Content-Security-Policy "default-src 'self'";
 
 
     server_name <%= servers.join(' ') %>;
     server_name <%= servers.join(' ') %>;
-
+<% if @doc_root -%>
     root <%= @doc_root %>;
     root <%= @doc_root %>;
+<% end -%>
+<% if @index -%>
     index <%= @index %>;
     index <%= @index %>;
+<% end -%>
 
 
 <% if @auth -%>
 <% if @auth -%>
     auth_basic "<%= @auth[:msg] %>";
     auth_basic "<%= @auth[:msg] %>";
     auth_basic_user_file <%= @path_pass %>;
     auth_basic_user_file <%= @path_pass %>;
 
 
 <% end -%>
 <% end -%>
-    access_log <%= node['nginx']['log_dir'] %>/<%= @server_name %>.access.log<% if @access_log_options %> <%= @access_log_options %><% end %>;
-    error_log <%= node['nginx']['log_dir'] %>/<%= @server_name %>.error.log;
+    access_log <%= @log_dir %>/<%= @server_name %>.access.log<% if @access_log_options %> <%= @access_log_options %><% end %>;
+    error_log <%= @log_dir %>/<%= @server_name %>.error.log;
+
+<% @server_statements_1.each do |s1| -%>
+    <%= sm %>
+<% end -%>
 
 
-    include <%= @path_rest %>;
 <% @includes.each do |inc| -%>
 <% @includes.each do |inc| -%>
     include <%= inc %>;
     include <%= inc %>;
 <% end -%>
 <% end -%>
 
 
-<% @custom_statements.each do |sm| -%>
-    <%= sm %>
+<% @server_statements_2.each do |s2| -%>
+    <%= s2 %>
 <% end -%>
 <% end -%>
 }
 }