Ansible编排Nginx配置

ansible目录结构

# tree Ansible
Ansible
├── inventories
│ └── Project
│ ├── hosts
│ └── group_vars
│ ├── all.yaml
│ └── nginx.yaml
├── roles
│ └── nginx
│ ├── defaults
│ │ └── main.yaml
│ ├── tasks
│ │ └── main.yaml
│ └── templates
│ ├── nginx.conf
│ └── service.conf.j2
└── Project.yaml

playbook

Ansible/Project.yaml

---
# Project.yaml — apply the nginx role to every host of the inventory passed with -i.
# The role is tagged so that `--tag nginx` runs only this part of the play.
- hosts: all
  roles:
    - role: nginx
      tags: [nginx]

inventories

Ansible/inventories/Project/hosts

# Inventory for the Project environment (used with -i inventories/Project/hosts).
# Ansible reads group_vars/all.yaml for every host and group_vars/nginx.yaml for the
# [nginx] group from the group_vars directory next to this file.
[all]          # hosts targeted by Project.yaml (hosts: all)
Project-manager-1 ansible_ssh_host=10.200.110.185
Project-manager-2 ansible_ssh_host=10.200.110.186
Project-manager-3 ansible_ssh_host=10.200.110.187
# NOTE(review): ansible_ssh_host is the pre-2.0 spelling of ansible_host; group_vars/nginx.yaml
# reads hostvars[...]["ansible_ssh_host"], so both files must be changed together if renamed.

[nginx] # hosts in this group receive the variables defined in group_vars/nginx.yaml
Project-manager-1
Project-manager-2
Project-manager-3

group_vars

Ansible/inventories/Project/group_vars/nginx.yaml

nginx_server 参数说明

变量名 类型 说明
name(必须) str server对应的server_name
port(必须) str 端口号
https(必须) bool 是否跳转https
ssl_certificate(若https为true则必须) str ssl_certificate文件名
ssl_certificate_key(若https为true则必须) str ssl_certificate_key文件名
location(必须) str location
location.name(必须) str location表达式
location.upstream(可选) str proxy_pass中对应的upstream
location.protocol(若指定location.upstream则必须) str proxy_pass所使用的scheme(http或https)
location.rewrite(可选) str rewrite规则
location.extend(可选) dict 用于扩展其他参数
location.extend.name(若指定location.extend则必须) str 扩展参数对应的参数名
location.extend.value(若指定location.extend则必须) str 扩展参数对应的参数值

nginx_upstream 参数说明

变量名 类型 说明
name(必须) str upstream名称
backend(必须) list upstream对应的后端server
backend.name(必须) str backend名称
backend.weight(必须) str 后端服务器权重
backend.max_fails(必须) str 后端服务器最大请求失败次数(超过则置为不可用)
backend.fail_timeout(必须) str 后端服务器故障后置为不可用时间
balance(可选) str 负载均衡策略(hash/ip_hash,默认为roundrobin)
connections(可选) str keepalive数量(指定最大空闲连接数量,用于长连接)
---
# group_vars/nginx.yaml — variables rendered by roles/nginx/templates/service.conf.j2
# for the hosts of the [nginx] inventory group.

# One server{} block per entry. ssl_certificate / ssl_certificate_key hold file names only;
# the template prefixes them with ssl/, resolved relative to nginx's conf directory.
nginx_server:
  - name: project-nginx.vnimos.cn
    port: 80
    https: true
    ssl_certificate: wildcard-client.vnimos.cn.crt
    ssl_certificate_key: wildcard-client.vnimos.cn.key
    location:
      # web front end
      - name: /
        upstream: server_frontend
        protocol: https
      # web back end — a regex location; quoted so the leading "~" is never read as a YAML null
      - name: '~ (/datacenter|/pin|/phonebook|/freeswitch|/user-account|/api/v1/external/phonebook|/negotiate|/autop)'
        upstream: server_backend
        protocol: http

# One upstream{} block per entry. Backend addresses come from the inventory
# (ansible_ssh_host of each manager host); web_project_port and
# microconference_service_server_port are not defined in this file (presumably all.yaml).
nginx_upstream:
  - name: server_frontend
    backend:
      - name: '{{ hostvars["Project-manager-1"]["ansible_ssh_host"] }}:{{ web_project_port }}'
        weight: 1
        max_fails: 5
        fail_timeout: 10s
      - name: '{{ hostvars["Project-manager-2"]["ansible_ssh_host"] }}:{{ web_project_port }}'
        weight: 1
        max_fails: 5
        fail_timeout: 10s
      - name: '{{ hostvars["Project-manager-3"]["ansible_ssh_host"] }}:{{ web_project_port }}'
        weight: 1
        max_fails: 5
        fail_timeout: 10s
  - name: server_backend
    backend:
      - name: '{{ hostvars["Project-manager-1"]["ansible_ssh_host"] }}:{{ microconference_service_server_port }}'
        weight: 1
        max_fails: 5
        fail_timeout: 10s
      - name: '{{ hostvars["Project-manager-2"]["ansible_ssh_host"] }}:{{ microconference_service_server_port }}'
        weight: 1
        max_fails: 5
        fail_timeout: 10s
      - name: '{{ hostvars["Project-manager-3"]["ansible_ssh_host"] }}:{{ microconference_service_server_port }}'
        weight: 1
        max_fails: 5
        fail_timeout: 10s

template模版

Ansible/roles/nginx/templates/service.conf.j2

{# service.conf.j2 — renders one server{} per nginx_server entry and one upstream{} per
   nginx_upstream entry (values from group_vars/nginx.yaml). The template reads only:
   server.{port,name,https,ssl_certificate,ssl_certificate_key,location},
   location.{name,rewrite,upstream,protocol,extend}, upstream.{name,backend,balance,connections}. #}

{# Connection header sent upstream, derived from the client's Upgrade header (WebSocket
   pass-through): "upgrade" when an Upgrade header is present, "close" when it is empty. #}
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
{# NOTE(review): with '' close, every non-Upgrade request reaches the upstream with
   "Connection: close" (proxy_set_header Connection below), so the upstream keepalive pool
   rendered further down is not reused for them; the usual pairing with upstream keepalive
   is '' "" — confirm before changing. #}
#server
{% for server in nginx_server %}
server {
    listen {{ server.port }};
    server_name {{ server.name }};
{% if server.https %}
    {# The same server{} also listens on 443 with TLS; plain-HTTP requests get a server-level 301 to https. #}
    listen 443 ssl;
    if ($scheme = http ) {
        return 301 https://$host$request_uri;
    }
    {# Only file names come from group_vars; ssl/ is resolved relative to nginx's conf directory. #}
    ssl_certificate ssl/{{ server.ssl_certificate }};
    ssl_certificate_key ssl/{{ server.ssl_certificate_key }};
    {# NOTE(review): ssl_protocols / ssl_ciphers are not set here, so they come from the http{}
       context (nginx.conf, not part of this template) or nginx's built-in defaults — confirm. #}
{% endif %}

    {# HTTP/1.1 + Upgrade pass-through; the Connection value comes from the map above. #}
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    {# Client identity forwarded to the backend.
       NOTE(review): the scheme is sent as X-Forwarded-Protocol; a backend that reads the
       conventional X-Forwarded-Proto will not see it — verify what the upstream expects. #}
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Real-Port $remote_port;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Protocol "$scheme";
    {# Security response headers, emitted for every status code ("always").
       NOTE(review): nginx inherits server-level add_header into a location only when that
       location has no add_header of its own, so a location.extend entry that emits add_header
       silently drops all of these for that location. HSTS with includeSubDomains + preload
       covers every subdomain of server_name; X-XSS-Protection is a legacy header that current
       browsers ignore. #}
    add_header Strict-Transport-Security "max-age=16000000;includeSubDomains;preload;" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1;mode=block" always;

{% for location in server.location %}
    location {{ location.name }} {
{% if location.rewrite is defined %}
        rewrite {{ location.rewrite }};
{% endif %}
{% if location.upstream is defined %}
        {# NOTE(review): when protocol is https, nginx's default proxy_ssl_verify off means the
           upstream certificate is not validated unless configured elsewhere — confirm. #}
        proxy_pass {{ location.protocol }}://{{ location.upstream }};
{% endif %}
{% if location.extend is defined %}
        {# Escape hatch: each extend entry is emitted verbatim as "<name> <value>;", i.e. any
           nginx directive. Nothing is validated here, so group_vars is trusted configuration. #}
{% for extend in location.extend %}
        {{ extend.name }} {{ extend.value }};
{% endfor %}
{% endif %}
    }
{% endfor %}
}
{% endfor %}

#upstream
{% for upstream in nginx_upstream %}
upstream {{ upstream.name }} {
{% for backend in upstream.backend %}
    server {{ backend.name }} weight={{ backend.weight }} max_fails={{ backend.max_fails }} fail_timeout={{ backend.fail_timeout }};
{% endfor %}
{% if upstream.balance is defined %}
    {# Emitted verbatim as a directive, e.g. "ip_hash;". It must precede keepalive, which this ordering ensures. #}
    {{ upstream.balance }};
{% endif %}
{% if upstream.connections is defined %}
    {# Idle connections kept open to this upstream — see the note under the map above. #}
    keepalive {{ upstream.connections }};
{% endif %}
}
{% endfor %}

执行playbook

# ansible-playbook -i inventories/Project/hosts Project.yaml  --tag nginx

生成后的配置(service.conf)

# service.conf — output of service.conf.j2.
# NOTE(review): this rendering does not match the group_vars shown on this page: the
# certificate is wildcard.vnimos.cn.* (not wildcard-client.*), the backends are 127.0.0.1
# rather than the manager hosts, and server_meeting_join / server_meeting_control are not in
# the listed nginx_upstream — presumably produced from a different inventory.

# Connection header sent upstream: "upgrade" for WebSocket requests, "close" otherwise.
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
#server
server {
    listen 80;
    server_name project-nginx.vnimos.cn;
    # TLS on the same server{}; plain-HTTP requests are redirected with a 301
    listen 443 ssl;
    if ($scheme = http ) {
        return 301 https://$host$request_uri;
    }
    # paths relative to nginx's conf directory; no ssl_protocols/ssl_ciphers here (inherited or defaults)
    ssl_certificate ssl/wildcard.vnimos.cn.crt;
    ssl_certificate_key ssl/wildcard.vnimos.cn.key;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Real-Port $remote_port;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Protocol "$scheme";
    # security headers; they are inherited into the locations below only because those
    # locations declare no add_header of their own
    add_header Strict-Transport-Security "max-age=16000000;includeSubDomains;preload;" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1;mode=block" always;

    location / {
        # NOTE(review): https to the upstream without proxy_ssl_verify — the backend
        # certificate is not validated unless set elsewhere; confirm
        proxy_pass https://server_frontend;

    }
    location ~ (/datacenter|/pin|/phonebook|/freeswitch|/user-account|/api/v1/external/phonebook|/negotiate|/autop) {
        proxy_pass http://server_backend;

    }
}

#upstream
upstream server_frontend {
    server 127.0.0.1:9880 weight=1 max_fails=5 fail_timeout=10s;
}
# server_meeting_join and server_meeting_control both point at the same 127.0.0.1:9884
upstream server_meeting_join {
    server 127.0.0.1:9884 weight=1 max_fails=5 fail_timeout=10s;
}
upstream server_meeting_control {
    server 127.0.0.1:9884 weight=1 max_fails=5 fail_timeout=10s;
    # ip_hash must precede keepalive (as it does here); with a single backend it has no balancing effect
    ip_hash;
    # NOTE(review): the map above sends "Connection: close" upstream for non-Upgrade requests,
    # which prevents these idle connections from being reused — see service.conf.j2
    keepalive 64;
}
upstream server_backend {
    server 127.0.0.1:9999 weight=1 max_fails=5 fail_timeout=10s;
}