Changeset - 373cdfe71c66
Branko Majic (branko) - 9 years ago 2015-05-06 20:12:45
branko@majic.rs
MAR-5: Implemented the initial web server role that deploys a basic Nginx to the server. Updated test site to include the new role (for server web.example.com).
8 files changed with 163 insertions and 0 deletions:
docs/rolereference.rst
 
@@ -838,3 +838,55 @@ Here is an example configuration for setting-up the mail forwarder:
 
  smtp_relay_host: mail.example.com
 

	
 
  smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
 

	
 

	
 
Web Server
 
----------
 

	
 
The ``web_server`` role can be used for setting-up a web server on destination
 
machine.
 

	
 
The role is supposed very lightweight, providing a basis for deployment of web
 
applications.
 

	
 
The role implements the following:
 

	
 
* Installs and configures nginx with a single, default vhost with a small static
 
  index page.
 
* Deploys the HTTPS TLS private key and certificate (for default vhost).
 
* Configures firewall to allow incoming connections to the web server.
 

	
 

	
 
Parameters
 
~~~~~~~~~~
 

	
 
**https_tls_key** (string, mandatory)
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  HTTPS service. The file will be copied to directory ``/etc/ssl/private/``.
 

	
 
**https_tls_certificate** (string, mandatory)
 
  Path to file on Ansible host that contains the X.509 certificate used for TLS
 
  for HTTPS service. The file will be copied to directory ``/etc/ssl/certs/``.
 

	
 
**web_default_title** (string, mandatory)
 
  Title for the default web page shown to users (if no other vhosts were matched).
 

	
 
**web_default_message** (string, mandatory)
 
  Message for the default web page shown to users (if no other vhosts were
 
  matched).
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
Here is an example configuration for setting-up XMPP server using Prosody:
 

	
 
.. code-block:: yaml
 

	
 
  ---
 

	
 
  https_tls_key: "{{ inventory_dir }}/tls/web.example.com_https.key"
 
  https_tls_certificate: "{{ inventory_dir }}/tls/web.example.com_https.pem"
 

	
 
  web_default_title: "Welcome to Example Inc."
 
  web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
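--- /dev/null
+++ b/roles/web_server/files/ferm_http.conf
@@ -0,0 +1,8 @@
+table filter {
+    chain INPUT {
+        # HTTP
+        proto tcp dport 80 ACCEPT;
+        # HTTPS
+        proto tcp dport 443 ACCEPT;
+    }
+}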
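--- /dev/null
+++ b/roles/web_server/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: Restart nginx
+  service: name=nginx state=restarted
\ No newline at end of file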
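Review bot: `service: name=nginx state=restarted` performs a full restart for every notified change, which drops in-flight connections; every task that notifies this handler only replaces configuration, the key or the certificate, all of which nginx picks up with a graceful reload, so `service: name=nginx state=reloaded` would do the same job without the outage. If a hard restart is deliberately wanted here, a one-line comment above the handler saying why would stop the next reader from "fixing" it. The file also lacks a trailing newline.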
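--- /dev/null
+++ b/roles/web_server/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+
+- name: Install nginx
+  apt: name=nginx state=installed
+
+- name: Allow nginx user to traverse the directory with TLS private keys
+  user: name=www-data append=yes groups=ssl-cert
+  notify:
+    - Restart nginx
+
+- name: Deploy nginx TLS private key
+  copy: dest="/etc/ssl/private/{{ https_tls_key | basename }}" src="{{ https_tls_key }}"
+        mode=640 owner=root group=root
+  notify:
+    - Restart nginx
+
+- name: Deploy nginx TLS certificate
+  copy: dest="/etc/ssl/certs/{{ https_tls_certificate | basename }}" src="{{ https_tls_certificate }}"
+        mode=644 owner=root group=root
+  notify:
+    - Restart nginx
+
+- name: Deploy default vhost configuration
+  template: src="nginx-default.j2" dest="/etc/nginx/sites-available/default"
+             owner=root group=root mode=644
+  notify:
+    - Restart nginx
+
+- name: Deploy firewall configuration for web server
+  copy: src="ferm_http.conf" dest="/etc/ferm/conf.d/30-web.conf" owner=root group=root mode=640
+  notify:
+    - Restart ferm
+
+- name: Remove the default Debian html files
+  file: path="{{ item }}" state=absent
+  with_items:
+    - /var/www/html/index.nginx-debian.html
+    - /var/www/html/
+
+- name: Create directory for storing the default website page
+  file: path="/var/www/default/" state=directory
+        owner=root group=www-data mode=750
+
+- name: Deploy the default index.html
+  template: src="index.html.j2" dest=/var/www/default/index.html
+            owner=root group=www-data mode=640
+
+- name: Enable nginx service
+  service: name=nginx enabled=yes state=started
\ No newline at end of file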
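Review bot: The task `Allow nginx user to traverse the directory with TLS private keys` adds `www-data` to the `ssl-cert` group, yet the key deployed two tasks later is `owner=root group=root mode=640`, and as far as I know nginx loads certificate keys in the master process (running as root) before the workers drop privileges, so the group membership looks unnecessary; what it does do is give every process running as `www-data` traverse access to `/etc/ssl/private/`, so it is worth confirming and, if not needed, dropping for least privilege. `mode=640`, `mode=644` and `mode=750` work in the `key=value` form because they are passed as strings, but the conventional `mode=0640` spelling (or quoted `"0640"` in block form) survives a later conversion to block-style YAML without silently becoming decimal 640. The final `notify: - Restart ferm` names a handler this role does not define; unless `roles/web_server/meta/main.yml` declares a dependency on the role that provides it, the play fails when this role is used without that role.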
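--- /dev/null
+++ b/roles/web_server/templates/index.html.j2
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>{{ web_default_title}}</title>
+<style>
+    body {
+        width: 35em;
+        margin: 0 auto;
+        font-family: Tahoma, Verdana, Arial, sans-serif;
+    }
+</style>
+</head>
+<body>
+<h1>{{ web_default_title}}</h1>
+<p>{{ web_default_message }}</p>
+</body>
+</html>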
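Review bot: `{{ web_default_title }}` and `{{ web_default_message }}` are inserted into the HTML unescaped; Ansible's `template` module does not enable Jinja2 autoescaping as far as I know, so a title containing `<` or `&` yields broken or unintended markup. The values are operator-supplied rather than user input, so the exposure is small, but `{{ web_default_title | e }}` (Jinja2's built-in escape filter) costs nothing and makes the template safe to reuse with less trusted inputs. The two `{{ web_default_title}}` occurrences are also missing the space before `}}` that `{{ web_default_message }}` has. A `<meta charset="utf-8">` in `<head>` would make non-ASCII titles and messages render predictably.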
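--- /dev/null
+++ b/roles/web_server/templates/nginx-default.j2
@@ -0,0 +1,26 @@
+#
+# Default server (vhost) configuration.
+#
+server {
+    # HTTP (plaintext) configuration.
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    # HTTPS (TLS) configuration.
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    ssl_certificate_key /etc/ssl/private/{{ https_tls_key | basename }};
+    ssl_certificate /etc/ssl/certs/{{ https_tls_certificate | basename }};
+
+    # Set-up the serving of default page.
+    root /var/www/default/;
+    index index.html;
+
+    # Set server_name to something that won't be matched (for default server).
+    server_name _;
+
+    location / {
+        # Always point user to the same index page.
+        try_files $uri /index.html;
+    }
+}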
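Review bot: The HTTPS part of this server block sets only `ssl_certificate_key` and `ssl_certificate`, so `ssl_protocols`, `ssl_ciphers` and `ssl_prefer_server_ciphers` are inherited from whatever the distribution ships in `nginx.conf`, and the role's TLS posture is decided outside the role; either pin them here (for example `ssl_protocols TLSv1.2;` with an explicit cipher list, chosen for the clients you must support) or add `# TLS protocol/cipher settings are inherited from /etc/nginx/nginx.conf` so the reliance is visible. Plaintext HTTP on port 80 serves the same content rather than redirecting; if that is intended for a default vhost, a comment saying so would help, otherwise `return 301 https://$host$request_uri;` in a separate port-80 server block is the usual shape. With `root /var/www/default/;` and `try_files $uri /index.html;`, any file later placed in that directory is served as-is, which the 750 mode on the directory limits but does not prevent — worth a comment next to `root`.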
testsite/group_vars/web.yml
 
@@ -17,3 +17,9 @@ local_mail_aliases:
 
smtp_relay_host: mail.example.com
 

	
 
smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
 

	
 
https_tls_key: "{{ inventory_dir }}/tls/web.example.com_https.key"
 
https_tls_certificate: "{{ inventory_dir }}/tls/web.example.com_https.pem"
 

	
 
web_default_title: "Welcome to Example Inc."
 
web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
 
\ No newline at end of file
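Review bot: `https_tls_key` points at `{{ inventory_dir }}/tls/web.example.com_https.key`, i.e. the TLS private key is expected to live inside the inventory tree; if `testsite/` is committed as-is, the key file either ends up in version control or the test site does not run out of the box, and a short comment above these two lines stating which (and, for real inventories, that the key should be vault-encrypted or kept outside the repository) would save the next reader a guess. The documentation hunk in this commit reproduces these exact values as the role's example, so the comment is also the place where copy-pasting operators will see it. The file still lacks a trailing newline.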
testsite/playbooks/web.yml
 
@@ -7,3 +7,4 @@
 
    - common
 
    - ldap_client
 
    - mail_forwarder
 
    - web_server
 
\ No newline at end of file