5 Commits 3c98cd09ac ... 11236da338

Autor SHA1 Mensagem Data
  Emmanuel Bouthenot 11236da338 Make possible to bypass HTTP Auth for pma and sys vhost with a whitelisted IP (nginx) 3 anos atrás
  Emmanuel Bouthenot 99ebe67123 Add a setting to configure PHP FPM Process Manager (default is still dynamic) 3 anos atrás
  Emmanuel Bouthenot 4752536ade Install php-soap by default with PHP 3 anos atrás
  Emmanuel Bouthenot af3e0c2357 Update nginx snippet for CloudFlare with new IPs 3 anos atrás
  Emmanuel Bouthenot 919509fc4f Change Let's Encrypt certificates renewal to be spread out during the night 3 anos atrás

+ 1 - 1
roles/common/templates/cron/letsencrypt.j2

@@ -10,4 +10,4 @@ SHELL=/bin/sh
 PATH=/bin:/sbin:/usr/bin:/usr/sbin
 MAILTO=root
 
-@daily      root    dehydrated --cron 2>&1 1>/dev/null | grep -v 'WARNING.*Extra configuration directory.*exists, but no configuration found'
+42 0-7 * * *    root    dehydrated --cron 2>&1 1>/dev/null | grep -v 'WARNING.*Extra configuration directory.*exists, but no configuration found'

+ 1 - 0
roles/webserver/defaults/main.yml

@@ -23,6 +23,7 @@ fpm_pool_count: 1
 fpm_user: 'www-data'
 fpm_group: 'www-data'
 # fpm_max_children ~= (total RAM - RAM used by other process) / (average amount of RAM used by a PHP process)
+fpm_pm: 'dynamic'
 fpm_start_servers: 2
 fpm_max_children: 5
 fpm_min_spare_servers: 1

+ 2 - 0
roles/webserver/tasks/php.yml

@@ -5,6 +5,7 @@
       - 'php5-curl'
       - 'php5-gd'
       - 'php5-intl'
+      - 'php-soap'
       - 'php5-mcrypt'
       - 'php-mime-type'
       - 'php5-pgsql'
@@ -22,6 +23,7 @@
       - 'php{{ php_version }}-curl'
       - 'php{{ php_version }}-gd'
       - 'php{{ php_version }}-intl'
+      - 'php{{ php_version }}-soap'
       - 'php{{ php_version }}-mysql'
       - 'php{{ php_version }}-pgsql'
       - 'php{{ php_version }}-sqlite3'

+ 1 - 1
roles/webserver/templates/fpm/php-fpm-pools-legacy.conf.j2

@@ -108,7 +108,7 @@ listen.mode = 0660
 ;             pm.process_idle_timeout   - The number of seconds after which
 ;                                         an idle process will be killed.
 ; Note: This value is mandatory.
-pm = dynamic
+pm = {{ fpm_pm }}
 
 ; The number of child processes to be created when pm is set to 'static' and the
 ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.

+ 1 - 1
roles/webserver/templates/fpm/php5-fpm-pools.conf.j2

@@ -92,7 +92,7 @@ listen.mode = 0660
 ;             pm.process_idle_timeout   - The number of seconds after which
 ;                                         an idle process will be killed.
 ; Note: This value is mandatory.
-pm = dynamic
+pm = {{ fpm_pm }}
 
 ; The number of child processes to be created when pm is set to 'static' and the
 ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.

+ 5 - 4
roles/webserver/templates/nginx/cloudflare.conf.j2

@@ -6,7 +6,8 @@
 set_real_ip_from 103.21.244.0/22;
 set_real_ip_from 103.22.200.0/22;
 set_real_ip_from 103.31.4.0/22;
-set_real_ip_from 104.16.0.0/12;
+set_real_ip_from 104.16.0.0/13;
+set_real_ip_from 104.24.0.0/14;
 set_real_ip_from 108.162.192.0/18;
 set_real_ip_from 131.0.72.0/22;
 set_real_ip_from 141.101.64.0/18;
@@ -18,11 +19,11 @@ set_real_ip_from 190.93.240.0/20;
 set_real_ip_from 197.234.240.0/22;
 set_real_ip_from 198.41.128.0/17;
 set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2405:b500::/32;
 set_real_ip_from 2606:4700::/32;
 set_real_ip_from 2803:f800::/32;
-set_real_ip_from 2405:b500::/32;
-set_real_ip_from 2405:8100::/32;
-set_real_ip_from 2c0f:f248::/32;
 set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 2c0f:f248::/32;
 
 real_ip_header CF-Connecting-IP;

+ 7 - 5
roles/webserver/templates/nginx/pma_vhost.j2

@@ -28,15 +28,17 @@ server {
     try_files $uri $uri/ /index.php;
 
 {% if phpmyadmin_http_auth %}
-    auth_basic "Restricted Access";
-    auth_basic_user_file /etc/nginx/auth_admin;
+    location / {
+        auth_basic "Restricted Access";
+        auth_basic_user_file /etc/nginx/auth_admin;
 {% if phpmyadmin_http_whitelist_ip|length > 0 %}
 {% for ip in phpmyadmin_http_whitelist_ip %}
-    allow {{ ip }};
+        allow {{ ip }};
 {% endfor %}
-    deny all;
-    satisfy any;
+        deny all;
+        satisfy any;
 {% endif %}
+    }
 {% endif %}
 
     client_max_body_size 128m;

+ 7 - 5
roles/webserver/templates/nginx/sys_vhost.j2

@@ -28,15 +28,17 @@ server {
     try_files $uri $uri/ /index.php;
 
 {% if phpsyscheck_http_auth %}
-    auth_basic "Restricted Access";
-    auth_basic_user_file /etc/nginx/auth_admin;
+    location / {
+        auth_basic "Restricted Access";
+        auth_basic_user_file /etc/nginx/auth_admin;
 {% if phpsyscheck_http_whitelist_ip|length > 0 %}
 {% for ip in phpsyscheck_http_whitelist_ip %}
-    allow {{ ip }};
+        allow {{ ip }};
 {% endfor %}
-    deny all;
-    satisfy any;
+        deny all;
+        satisfy any;
 {% endif %}
+    }
 {% endif %}
 
     location ~ \.php(/|$) {