5 Commits 3c98cd09ac ... 11236da338

Author SHA1 Message Date
  Emmanuel Bouthenot 11236da338 Make possible to bypass HTTP Auth for pma and sys vhost with a whitelisted IP (nginx) 3 years ago
  Emmanuel Bouthenot 99ebe67123 Add a setting to configure PHP FPM Process Manager (default is still dynamic) 3 years ago
  Emmanuel Bouthenot 4752536ade Install php-soap by default with PHP 3 years ago
  Emmanuel Bouthenot af3e0c2357 Update nginx snippet for CloudFlare with new IPs 3 years ago
  Emmanuel Bouthenot 919509fc4f Change Let's Encrypt certificates renewal to be spread out during the night 3 years ago

+ 1 - 1
roles/common/templates/cron/letsencrypt.j2

@@ -10,4 +10,4 @@ SHELL=/bin/sh
 PATH=/bin:/sbin:/usr/bin:/usr/sbin
 MAILTO=root
 
-@daily      root    dehydrated --cron 2>&1 1>/dev/null | grep -v 'WARNING.*Extra configuration directory.*exists, but no configuration found'
+42 0-7 * * *    root    dehydrated --cron 2>&1 1>/dev/null | grep -v 'WARNING.*Extra configuration directory.*exists, but no configuration found'
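Review bot: The new schedule `42 0-7 * * *` runs dehydrated eight times per night at the same minute on every host, so nothing is actually spread out between hosts — all of them contact the ACME endpoint at :42 of each hour, and any stderr that survives the `grep -v` filter is mailed to root up to eight times per night instead of once. Because this is a Jinja template rendered per host, a per-host offset would do what the commit message describes in a single daily run: `{{ 59 | random(seed=inventory_hostname) }} {{ 7 | random(seed=inventory_hostname) }} * * *    root    dehydrated --cron …` (the `seed` argument of Ansible's `random` filter needs a reasonably recent Ansible; verify against the controller in use). `dehydrated --cron` only renews certificates inside their renewal window, so the repeated runs are harmless for rate limits, but a single predictable run per host is easier to reason about when a renewal fails. The hook that reloads nginx after a renewal is not visible in this file.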

+ 1 - 0
roles/webserver/defaults/main.yml

@@ -23,6 +23,7 @@ fpm_pool_count: 1
 fpm_user: 'www-data'
 fpm_group: 'www-data'
 # fpm_max_children ~= (total RAM - RAM used by other process) / (average amount of RAM used by a PHP process)
+fpm_pm: 'dynamic'
 fpm_start_servers: 2
 fpm_max_children: 5
 fpm_min_spare_servers: 1
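Review bot: `fpm_pm: 'dynamic'` is inserted directly under the comment that explains how to size `fpm_max_children`, so that comment now reads as if it documented the new variable, and the accepted values are stated nowhere. Suggest placing the new key above that comment with its own line: `# fpm_pm: php-fpm process manager, one of 'static', 'dynamic' or 'ondemand'` — `pm` is mandatory in the pool configuration, so any other value stops the pool from starting at the next reload. If the role has a pre-flight task list, an `assert` with `that: fpm_pm in ['static', 'dynamic', 'ondemand']` would catch a typo before php-fpm is restarted.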

+ 2 - 0
roles/webserver/tasks/php.yml

@@ -5,6 +5,7 @@
       - 'php5-curl'
       - 'php5-gd'
       - 'php5-intl'
+      - 'php-soap'
       - 'php5-mcrypt'
       - 'php-mime-type'
       - 'php5-pgsql'
@@ -22,6 +23,7 @@
       - 'php{{ php_version }}-curl'
       - 'php{{ php_version }}-gd'
       - 'php{{ php_version }}-intl'
+      - 'php{{ php_version }}-soap'
       - 'php{{ php_version }}-mysql'
       - 'php{{ php_version }}-pgsql'
       - 'php{{ php_version }}-sqlite3'
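Review bot: Adding the SOAP extension unconditionally to both package lists enables it on every host this role manages, including hosts that serve no SOAP client or server code; a loaded extension is attack surface whether or not an application calls it, so an opt-in flag (for example `php_soap_enabled: false` in defaults, with the list item rendered only when it is true) would keep the default footprint of existing hosts unchanged. Note also that the legacy hunk adds the unversioned `php-soap` among `php5-*` packages while the second hunk uses `php{{ php_version }}-soap`; if that asymmetry is deliberate because the legacy repository only ships the unversioned name, a short comment on that line would save the next reader the lookup. The task that consumes these lists (its `apt` call and any `when:`) starts outside both hunks.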

+ 1 - 1
roles/webserver/templates/fpm/php-fpm-pools-legacy.conf.j2

@@ -108,7 +108,7 @@ listen.mode = 0660
 ;             pm.process_idle_timeout   - The number of seconds after which
 ;                                         an idle process will be killed.
 ; Note: This value is mandatory.
-pm = dynamic
+pm = {{ fpm_pm }}
 
 ; The number of child processes to be created when pm is set to 'static' and the
 ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
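Review bot: `pm = {{ fpm_pm }}` is rendered without any validation, and the remainder of this pool file (outside the hunk) presumably still emits `pm.start_servers`, `pm.min_spare_servers` and `pm.max_spare_servers` from the `fpm_*` defaults; php-fpm ignores those under `static` and `ondemand`, which is harmless, but `ondemand` also depends on `pm.process_idle_timeout`, which no role variable exposes, so a pool switched to `ondemand` silently keeps php-fpm's built-in idle timeout. Consider documenting that next to the directive — `; pm is set from the fpm_pm role variable (static, dynamic or ondemand); for ondemand also tune pm.process_idle_timeout` — and wrapping the dynamic-only directives in `{% if fpm_pm == 'dynamic' %}` so the rendered file only contains directives that apply to the chosen manager. The pool section this hunk belongs to starts before the hunk.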

+ 1 - 1
roles/webserver/templates/fpm/php5-fpm-pools.conf.j2

@@ -92,7 +92,7 @@ listen.mode = 0660
 ;             pm.process_idle_timeout   - The number of seconds after which
 ;                                         an idle process will be killed.
 ; Note: This value is mandatory.
-pm = dynamic
+pm = {{ fpm_pm }}
 
 ; The number of child processes to be created when pm is set to 'static' and the
 ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
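Review bot: The same unguarded `pm = {{ fpm_pm }}` substitution now appears here and in php-fpm-pools-legacy.conf.j2, so a value outside `static`/`dynamic`/`ondemand` breaks every pool on the host at reload time rather than failing when the template is rendered. A template-side fallback such as `pm = {{ fpm_pm if fpm_pm in ('static', 'dynamic', 'ondemand') else 'dynamic' }}` would keep php-fpm running, but silently substituting a default for a misconfigured value is arguably worse than a loud failure; an `assert` task in the role before the templates are rendered is the better place for the check. Whichever is chosen, apply it identically to both templates so they stay equivalent.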

+ 5 - 4
roles/webserver/templates/nginx/cloudflare.conf.j2

@@ -6,7 +6,8 @@
 set_real_ip_from 103.21.244.0/22;
 set_real_ip_from 103.22.200.0/22;
 set_real_ip_from 103.31.4.0/22;
-set_real_ip_from 104.16.0.0/12;
+set_real_ip_from 104.16.0.0/13;
+set_real_ip_from 104.24.0.0/14;
 set_real_ip_from 108.162.192.0/18;
 set_real_ip_from 131.0.72.0/22;
 set_real_ip_from 141.101.64.0/18;
@@ -18,11 +19,11 @@ set_real_ip_from 190.93.240.0/20;
 set_real_ip_from 197.234.240.0/22;
 set_real_ip_from 198.41.128.0/17;
 set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2405:b500::/32;
 set_real_ip_from 2606:4700::/32;
 set_real_ip_from 2803:f800::/32;
-set_real_ip_from 2405:b500::/32;
-set_real_ip_from 2405:8100::/32;
-set_real_ip_from 2c0f:f248::/32;
 set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 2c0f:f248::/32;
 
 real_ip_header CF-Connecting-IP;
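Review bot: This trusted-proxy list is hand-maintained and already on its second correction, and the change is not purely additive: `104.16.0.0/12` becomes `104.16.0.0/13` plus `104.24.0.0/14`, so `104.28.0.0/14` is no longer a source from which `CF-Connecting-IP` is honored. That narrowing is the right direction — trusting a range Cloudflare does not own would let any host in it forge the client address that the IP allow-lists in the pma and sys vhosts act on — but the list will drift again, and a stale entry in the other direction makes the real client IP disappear from logs and allow-lists. Cloudflare publishes the current ranges at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; fetching them at provision time into a variable and rendering `set_real_ip_from` in a loop would remove the manual step. At minimum, record the provenance at the top of the snippet: `# Trusted Cloudflare edge ranges, copied from https://www.cloudflare.com/ips-v4 and /ips-v6 — refresh when Cloudflare updates them; over-broad entries let CF-Connecting-IP be spoofed, stale ones lose the real client IP`.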

+ 7 - 5
roles/webserver/templates/nginx/pma_vhost.j2

@@ -28,15 +28,17 @@ server {
     try_files $uri $uri/ /index.php;
 
 {% if phpmyadmin_http_auth %}
-    auth_basic "Restricted Access";
-    auth_basic_user_file /etc/nginx/auth_admin;
+    location / {
+        auth_basic "Restricted Access";
+        auth_basic_user_file /etc/nginx/auth_admin;
 {% if phpmyadmin_http_whitelist_ip|length > 0 %}
 {% for ip in phpmyadmin_http_whitelist_ip %}
-    allow {{ ip }};
+        allow {{ ip }};
 {% endfor %}
-    deny all;
-    satisfy any;
+        deny all;
+        satisfy any;
 {% endif %}
+    }
 {% endif %}
 
     client_max_body_size 128m;
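Review bot: Moving `auth_basic` and the allow/deny block from `server {}` scope into `location /` removes the protection from the PHP requests phpMyAdmin actually serves — nginx selects the regex `location ~ \.php(/|$)` over the prefix `location /` for `/index.php` and every other `.php` URI, and a location inherits from `server {}` rather than from a sibling location, so a direct request for `/index.php` is now answered without credentials or a whitelisted IP, while a request for `/` still prompts (its access phase runs before `try_files` forwards it internally). Before this change the directives were inherited by every location, including the PHP one. Either keep them at `server {}` scope as they were — `satisfy any` with `allow`/`deny all` works there just as well for the whitelist bypass — or repeat the same block inside the `.php` location. The PHP location of this vhost is outside the hunk but sits at the same position in the sibling sys_vhost.j2; confirm it carries no auth of its own.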

+ 7 - 5
roles/webserver/templates/nginx/sys_vhost.j2

@@ -28,15 +28,17 @@ server {
     try_files $uri $uri/ /index.php;
 
 {% if phpsyscheck_http_auth %}
-    auth_basic "Restricted Access";
-    auth_basic_user_file /etc/nginx/auth_admin;
+    location / {
+        auth_basic "Restricted Access";
+        auth_basic_user_file /etc/nginx/auth_admin;
 {% if phpsyscheck_http_whitelist_ip|length > 0 %}
 {% for ip in phpsyscheck_http_whitelist_ip %}
-    allow {{ ip }};
+        allow {{ ip }};
 {% endfor %}
-    deny all;
-    satisfy any;
+        deny all;
+        satisfy any;
 {% endif %}
+    }
 {% endif %}
 
     location ~ \.php(/|$) {
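Review bot: The same auth bypass is visible here: `location ~ \.php(/|$) {` on the last hunk line is a sibling of the new `location /`, and nginx matches regex locations ahead of the `/` prefix, so `.php` requests never pass through the `auth_basic`, `allow`/`deny all` and `satisfy any` that this hunk confines to `location /`. Before the change these directives lived at server scope and applied to the PHP location by inheritance; after it, `/index.php` on the sys vhost is reachable without credentials or a whitelisted address unless the PHP location (its body is outside the hunk) carries its own copy. Put the block back at `server {}` scope, or duplicate it inside the PHP location; if the reason for the move was to exempt some other path such as an ACME challenge location, that location can instead opt out locally with `auth_basic off; allow all;`.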