diff --git a/playbook3_haproxy.yml b/playbook3_haproxy.yml index 7a0547a..090b4ab 100644 --- a/playbook3_haproxy.yml +++ b/playbook3_haproxy.yml @@ -1,5 +1,5 @@ --- -- name: Configure HAProxy Load Balancer (ALT Linux) +- name: Configure Nginx Load Balancer (ALT Linux) hosts: proxy become: true vars: @@ -7,23 +7,28 @@ backend_servers: "{{ groups['server'] }}" backend_port: 443 stats_port: 9000 - stats_uri: "/haproxy_stats" - stats_user: "admin" - stats_password: "haproxy_secure_pass" - ssl_cert_path: "/etc/haproxy/ssl/www.au.team.pem" server_name: "www.au.team" + ssl_cert_path: "/etc/nginx/ssl/www.au.team.crt" + ssl_key_path: "/etc/nginx/ssl/www.au.team.key" tasks: - - name: Install HAProxy package (ALT Linux) + - name: Update package cache (ALT Linux) + ansible.builtin.command: + cmd: apt-rpm update + changed_when: false + tags: + - nginx + + - name: Install Nginx package (ALT Linux) ansible.builtin.package: - name: haproxy + name: nginx state: present tags: - - haproxy + - nginx - - name: Create SSL directory for HAProxy + - name: Create SSL directory for Nginx ansible.builtin.file: - path: /etc/haproxy/ssl + path: /etc/nginx/ssl state: directory mode: '0755' owner: root 
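Review bot: `cmd: apt-rpm update` in the new "Update package cache" task most likely fails on ALT Linux, where the cache refresh command is `apt-get update` (APT-RPM is the name of the package-management suite, not of a binary, as far as I know); the idiomatic form is `community.general.apt_rpm` with `update_cache: true`, which also removes the need for `changed_when: false` on a bare command. The new `ssl_cert_path` and `ssl_key_path` vars are never referenced: the later hunk hardcodes `/etc/nginx/ssl/www.au.team.pem` in the shell task, its `creates:` and the vhost, so either drop the vars or route every certificate path through them so a single change covers all of them. If the vars are kept, a short comment such as `# certificate and key paths consumed by the vhost template below` would make their intended use clear.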
@@ -31,72 +36,137 @@ tags: - ssl - - name: Copy SSL certificate to HAProxy (from web server) + - name: Copy SSL certificate to Nginx (from web server) ansible.builtin.shell: | - cat /etc/angie/ssl/www.au.team.crt /etc/angie/ssl/www.au.team.key > {{ ssl_cert_path }} - chmod 600 {{ ssl_cert_path }} + cat /etc/angie/ssl/www.au.team.crt /etc/angie/ssl/www.au.team.key > /etc/nginx/ssl/www.au.team.pem + chmod 600 /etc/nginx/ssl/www.au.team.pem args: - creates: "{{ ssl_cert_path }}" + creates: /etc/nginx/ssl/www.au.team.pem tags: - ssl - - name: Configure HAProxy with SSL termination + - name: Create directories for Nginx config + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: '0755' + owner: root + group: root + loop: + - /etc/nginx/conf.d + - /etc/nginx/sites-available + - /etc/nginx/sites-enabled + tags: + - nginx + + - name: Configure Nginx upstream for backend servers ansible.builtin.copy: content: | - global - log /dev/log local0 - log /dev/log local1 notice - chroot /var/lib/haproxy - stats socket /run/haproxy/admin.sock mode 660 level admin - stats timeout 30s - user haproxy - group haproxy - daemon - - defaults - log global - mode http - option httplog - option dontlognull - timeout connect 5000 - timeout client 50000 - timeout server 50000 - - frontend https_front - bind {{ vip_address }}:443 ssl crt {{ ssl_cert_path }} - bind {{ vip_address }}:80 - server_name {{ server_name }} - http-request redirect scheme https unless { ssl_fc } - default_backend web_backend - - backend web_backend - balance roundrobin - option httpchk GET / HTTP/1.1\r\nHost:\ {{ server_name }} - {% for server in backend_servers %} - server {{ server }} {{ hostvars[server]['ansible_host'] | default(server) }}:{{ backend_port }} check ssl verify none - {% endfor %} - - backend stats_backend - stats enable - stats uri {{ stats_uri }} - stats auth {{ stats_user }}:{{ stats_password }} - dest: /etc/haproxy/haproxy.cfg + upstream backend_servers { + balance roundrobin; + {% 
for server in backend_servers %} + server {{ hostvars[server]['ansible_host'] | default(server) }}:{{ backend_port }} weight=1 max_fails=3 fail_timeout=30s; + {% endfor %} + } + dest: /etc/nginx/conf.d/upstream.conf mode: '0644' backup: true - notify: Reload haproxy + notify: Reload nginx tags: - - haproxy + - nginx - - name: Enable and start HAProxy service + - name: Configure Nginx vhost with SSL and load balancing + ansible.builtin.copy: + content: | + # HTTP server - redirect to HTTPS + server { + listen {{ vip_address }}:80; + listen [::]:80; + server_name {{ server_name }}; + return 301 https://$host$request_uri; + } + + # HTTPS server with load balancing + server { + listen {{ vip_address }}:443 ssl; + listen [::]:443 ssl; + server_name {{ server_name }}; + + ssl_certificate /etc/nginx/ssl/www.au.team.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + + # Proxy to backend servers + location / { + proxy_pass https://backend_servers; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_ssl_verify off; + proxy_connect_timeout 10s; + proxy_send_timeout 30s; + proxy_read_timeout 30s; + } + + # HSTS header + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + } + + # Stats server + server { + listen {{ vip_address }}:{{ stats_port }}; + server_name {{ server_name }}; + + location / { + stub_status on; + allow 127.0.0.1; + allow 10.0.0.0/8; + allow 172.16.0.0/12; + allow 192.168.0.0/16; + deny all; + } + + location /haproxy_stats { + return 200 "Nginx Stats\nActive connections: $connections_active\n"; + add_header Content-Type text/plain; + } + } + dest: /etc/nginx/sites-available/www.au.team.conf + mode: '0644' + backup: true + notify: Reload nginx + tags: + - nginx + + - name: Enable site configuration + ansible.builtin.file: + src: 
/etc/nginx/sites-available/www.au.team.conf + dest: /etc/nginx/sites-enabled/www.au.team.conf + state: link + notify: Reload nginx + tags: + - nginx + + - name: Remove default Nginx site + ansible.builtin.file: + path: /etc/nginx/sites-enabled/default + state: absent + ignore_errors: true + tags: + - nginx + + - name: Enable and start Nginx service ansible.builtin.systemd: - name: haproxy + name: nginx enabled: true state: started tags: - - haproxy + - nginx handlers: - - name: Reload haproxy + - name: Reload nginx ansible.builtin.systemd: - name: haproxy + name: nginx state: reloaded \ No newline at end of file
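Review bot: `balance roundrobin;` in the new upstream.conf is an HAProxy directive that nginx does not recognise, so `nginx -t` fails with an unknown-directive error and both the `state: started` task and the `Reload nginx` handler will fail; delete that line, since round-robin is already the default for an `upstream` block. The HTTPS `server` block sets `ssl_certificate` but no `ssl_certificate_key`, which nginx also rejects at config load; because the pem written by the shell task holds both certificate and key, `ssl_certificate_key /etc/nginx/ssl/www.au.team.pem;` next to it is sufficient (or point both directives at the separate .crt/.key files the play's vars name). The `/haproxy_stats` location on the stats server exposes `$connections_active` to anyone who can reach `{{ vip_address }}:{{ stats_port }}` while the sibling `/` location is restricted to loopback and private ranges — apply the same `allow`/`deny` list there (or drop the stale-named location), and use `default_type text/plain;` rather than `add_header Content-Type`, which appends a second header instead of replacing it. Since each config is written with `ansible.builtin.copy` and no `validate:` (include fragments cannot be validated in isolation), a task running `nginx -t` before the handler fires would surface these errors instead of leaving the proxy down; the sites-enabled symlink also only takes effect if the distro's nginx.conf includes that directory, which the play does not check.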