iiab · jvonau · Oct 15, 2019 · Oct 15, 2019 · Oct 16, 2019 · Oct 16, 2019
diff --git a/roles/3-base-server/tasks/main.yml b/roles/3-base-server/tasks/main.yml
@@ -6,7 +6,7 @@
 - name: HTTPD (APACHE)
   include_role:
     name: httpd
-  # has no "when: XXXXX_install" flag
+  when: apache_install
   tags: base, httpd
 
 - name: MYSQL

diff --git a/roles/4-server-options/tasks/main.yml b/roles/4-server-options/tasks/main.yml
@@ -3,6 +3,12 @@
 - name: ...IS BEGINNING ==================================
   command: echo
 
+- name: NGINX
+  include_role:
+    name: nginx
+  when: nginx_install
+  tags: base, nginx
+
 - name: Install dnsmasq
   include_tasks: roles/network/tasks/dnsmasq.yml
   when: dnsmasq_install | bool

diff --git a/roles/awstats/tasks/install.yml b/roles/awstats/tasks/install.yml
@@ -18,7 +18,6 @@
   tags:
     - download
 
-# SEE ALSO THE apache2_module SECTION IN roles/httpd/tasks/main.yml
 - name: Enable cgi execution (debuntu)
   command: a2enmod cgi
   when: is_debuntu | bool
@@ -35,25 +34,21 @@
   with_items:
     - "{{ awstats_data_dir }}"
     - "{{ apache_log_dir }}"
+    - /usr/lib/cgi-bin/awstats   # create backward compatible path for awstats
 
-- name: Install Apache's awstats.conf from template (debuntu)
+- name: Install nginx's awstats.conf from template (debuntu)
   template:
-    src: apache.conf
-    dest: "/etc/{{ apache_config_dir }}/awstats.conf"
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
     owner: root
     group: root
     mode: 0644
+  with_items:
+     - { src: "awstats-nginx.conf", dest: "/etc/nginx/conf.d/" }
+     - { src: "cgi-bin.php", dest: "/etc/nginx/" }
+#     - { src: "apache-awstats.conf", dest: "/etc/{{ apache_config_dir }}/awstats.conf" }
   when: awstats_enabled and is_debuntu
 
-- name: Install Apache's awstats.conf from template (OS's other than debuntu)
-  template:
-    src: apache-awstats.conf
-    dest: "/etc/{{ apache_config_dir }}/awstats.conf"
-    owner: root
-    group: root
-    mode: 0644
-  when: awstats_enabled and not is_debuntu
-
 - name: Ensure logrotate doesn't make logs unreadable (debuntu)
   template:
     src: logrotate.d.apache2
@@ -69,24 +64,11 @@
   command: mv /etc/awstats/awstats.conf /etc/awstats/awstats.conf.dist
   when: awstats.stat.islnk is defined and not awstats.stat.islnk
 
-- name: Create symlink awstats.conf from sites-enabled to sites-available (debuntu)
+- name: Create symlink for awstats.pl from cgi-bin/awstats/awstats.pl to ../ so that the old apache links to awstats will work after change to nginx
   file:
-    src: /etc/apache2/sites-available/awstats.conf
-    path: /etc/apache2/sites-enabled/awstats.conf
+    src: /usr/lib/cgi-bin/awstats.pl
+    path: /usr/lib/cgi-bin/awstats/awstats.pl
     state: link
-  when: awstats_enabled and is_debuntu
-
-- name: Remove symlink from sites-enabled, to disable AWStats (debuntu)
-  file:
-    path: /etc/apache2/sites-enabled/awstats.conf
-    state: absent
-  when: not awstats_enabled and is_debuntu
-
-- name: Restart Apache service ({{ apache_service }})
-  systemd:
-    name: "{{ apache_service }}"
-    state: restarted
-
 
 - name: Install /etc/awstats/awstats.schoolserver.conf
   template:

diff --git a/roles/awstats/templates/awstats-nginx.conf b/roles/awstats/templates/awstats-nginx.conf
@@ -0,0 +1,24 @@
+location ~ ^/awstats {
+  rewrite ^ http://box.lan/cgi-bin/awstats.pl?config=schoolserver;
+}
+location ^~ /awstatsicons {
+   alias /usr/share/awstats/icon/;
+   access_log off;
+}
+location ^~ /awstatsclasses {
+   alias /usr/share/java/awstats/;
+   access_log off;
+}
+
+location ~ ^/cgi-bin/.*\.(cgi|pl|py|rb) {
+    gzip off;
+    include         fastcgi_params;
+    fastcgi_pass    php;
+    fastcgi_index   cgi-bin.php;
+    fastcgi_param   SCRIPT_FILENAME    /etc/nginx/cgi-bin.php;
+    fastcgi_param   SCRIPT_NAME        cgi-bin.php;
+    fastcgi_param   X_SCRIPT_FILENAME  /usr/lib$fastcgi_script_name;
+    fastcgi_param   X_SCRIPT_NAME      $fastcgi_script_name;
+    fastcgi_param   REMOTE_USER        $remote_user;
+}
+
diff --git a/roles/awstats/templates/awstats.schoolserver.conf.j2 b/roles/awstats/templates/awstats.schoolserver.conf.j2
@@ -49,7 +49,7 @@
 #
 
 {% if is_debuntu %}
-LogFile="/usr/share/awstats/tools/logresolvemerge.pl /var/log/{{ apache_service }}/access.log* |"
+LogFile="/usr/share/awstats/tools/logresolvemerge.pl {{ apache_log_dir }}/access.log* |"
 {% else %}
 LogFile="/usr/share/awstats/tools/logresolvemerge.pl /var/log/httpd/access_log* |"
 {% endif %}

diff --git a/roles/awstats/templates/cgi-bin.php b/roles/awstats/templates/cgi-bin.php
@@ -0,0 +1,32 @@
+<?php
+// This is interface between nginx fastcgi and older cgi perl script: awstats.pl
+// Taken from https://wiki.archlinux.org/index.php/AWStats#Nginx
+$descriptorspec = array(
+   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
+   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
+   2 => array("pipe", "w")   // stderr is a file to write to
+);
+$newenv = $_SERVER;
+$newenv["SCRIPT_FILENAME"] = $_SERVER["X_SCRIPT_FILENAME"];
+$newenv["SCRIPT_NAME"] = $_SERVER["X_SCRIPT_NAME"];
+if (is_executable($_SERVER["X_SCRIPT_FILENAME"])) {
+   $process = proc_open($_SERVER["X_SCRIPT_FILENAME"], $descriptorspec, $pipes, NULL, $newenv);
+   if (is_resource($process)) {
+       fclose($pipes[0]);
+       $head = fgets($pipes[1]);
+       while (strcmp($head, "\n")) {
+           header($head);
+           $head = fgets($pipes[1]);
+       }
+       fpassthru($pipes[1]);
+       fclose($pipes[1]);
+       fclose($pipes[2]);
+       $return_value = proc_close($process);
+   } else {
+       header("Status: 500 Internal Server Error");
+       echo("Internal Server Error");
+   }
+} else {
+   header("Status: 404 Page Not Found");
+   echo("Page Not Found");
+}
diff --git a/roles/calibre-web/tasks/main.yml b/roles/calibre-web/tasks/main.yml
@@ -115,7 +115,7 @@
 # SEE ALSO: https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy
 - name: Enable http://box{{ calibreweb_url1 }}, http://box{{ calibreweb_url2 }}, http://box{{ calibreweb_url3 }} with Apache
   command: a2ensite calibre-web.conf
-  when: calibreweb_enabled | bool
+  when: calibreweb_enabled | bool and not nginx_enabled | bool
 
 #- name: Restart Apache after enabling calibre-web httpd2 site
 #  command: apachectl -k graceful
@@ -127,20 +127,38 @@
     daemon_reload: yes
     enabled: no
     state: stopped
-  when: not calibreweb_enabled
+  when: not calibreweb_enabled | bool
 
 - name: Disable http://box{{ calibreweb_url1 }}, http://box{{ calibreweb_url2 }}, http://box{{ calibreweb_url3 }} with Apache
   command: a2dissite calibre-web.conf
-  when: not calibreweb_enabled
+  when: not calibreweb_enabled or nginx_enabled | bool
 
 #- name: Restart Apache after disabling calibre-web httpd2 site
 #  command: apachectl -k graceful
 #  when: not calibreweb_enabled
 
+- name: Install /etc/nginx/conf.d/calibre-web-nginx.conf
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: "{{ item.mode }}"
+    owner: root
+    group: root
+  with_items:
+    - { src: 'calibre-web-nginx.conf.j2', dest: '/etc/nginx/conf.d/calibre-web-nginx.conf', mode: '0644' }
+  when: calibreweb_enabled | bool and nginx_enabled | bool
+
+- name: Restart nginx systemd service
+  systemd:
+    name: nginx
+    state: restarted
+  when: calibreweb_enabled | bool and nginx_enabled | bool
+
 - name: Restart Apache systemd service ({{ apache_service }})
   systemd:
     name: "{{ apache_service }}"    # httpd or apache2
     state: restarted
+  when: not nginx_enabled | bool
 
 - name: Add 'calibre-web' variable values to {{ iiab_ini_file }}
   ini_file:

diff --git a/roles/calibre-web/templates/calibre-web-nginx.conf.j2 b/roles/calibre-web/templates/calibre-web-nginx.conf.j2
@@ -0,0 +1,8 @@
+location /books {
+   proxy_bind              $server_addr;
+   proxy_set_header        Host            $http_host;
+   proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+   proxy_set_header        X-Scheme        $scheme;
+   proxy_set_header        X-Script-Name   /books;
+   proxy_pass http://127.0.0.1:8083;
+}
diff --git a/roles/kiwix/tasks/kiwix_install.yml b/roles/kiwix/tasks/kiwix_install.yml
@@ -104,7 +104,25 @@
     src: /etc/apache2/sites-available/kiwix.conf
     path: /etc/apache2/sites-enabled/kiwix.conf
     state: link
-  when: is_debuntu | bool
+  when: kiwix_enabled | bool and not nginx_enabled | bool
+
+- name: Install nginx support
+  template:
+    backup: no
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: "{{ item.mode }}"
+  with_items:
+    - { src: 'kiwix-nginx.conf', dest: '/etc/nginx/conf.d/kiwix-nginx.conf', mode: '0644' }
+  when: kiwix_enabled | bool and nginx_enabled | bool
+
+- name: Remove symlink /etc/apache2/sites-enabled/kiwix.conf
+  file:
+    path: /etc/apache2/sites-enabled/kiwix.conf
+    state: absent
+  when: not kiwix_enabled | bool or nginx_enabled | bool
 
 - name: Enable & Restart 'kiwix-serve' service
   systemd:
@@ -142,9 +160,22 @@
   when: kiwix_enabled and is_redhat
 
 - name: Restart Apache, so it picks up kiwix.conf
-  service:
+  systemd:
     name: "{{ apache_service }}"
     state: restarted
+  when: not nginx_enabled | bool
+
+- name: Remove nginx support for kiwix
+  file:
+    path: /etc/nginx/conf.d/kiwix-nginx.conf
+    state: absent
+  when: not kiwix_enabled | bool
+
+- name: Restart nginx, so it picks up kiwix-nginx.conf state
+  systemd:
+    name: nginx
+    state: restarted
+  when: nginx_enabled | bool
 
 # 5. FINALIZE
 

diff --git a/roles/kiwix/templates/kiwix-nginx.conf b/roles/kiwix/templates/kiwix-nginx.conf
@@ -0,0 +1,3 @@
+location /kiwix {
+  proxy_pass http://127.0.0.1:3000;
+}
diff --git a/roles/kolibri/tasks/main.yml b/roles/kolibri/tasks/main.yml
@@ -71,7 +71,6 @@
     enabled: yes
     state: stopped
 
-
 # 2019-10-01: Should no longer be nec, thanks to /etc/kolibri/daemon.conf
 #             containing KOLIBRI_HOME="/library/kolibri" (above)
 #- name: Run Kolibri migrations to begin populating {{ kolibri_home }}    # i.e. /library/kolibri
@@ -118,15 +117,26 @@
 #  apache2_module:
 #    name: proxy_http
 
-- name: Start 'kolibri' systemd service, if kolibri_enabled
+- name: Supply /etc/nginx/conf.d/kolibri-nginx.conf when nginx_enabled
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: "{{ item.mode }}"
+    owner: root
+    group: root
+  with_items:
+    - { src: 'kolibri-nginx.conf.j2', dest: '/etc/nginx/conf.d/kolibri-nginx.conf', mode: '0644' }
+  when: kolibri_enabled | bool and nginx_enabled | bool
+
+- name: Enable & (Re)Start kolibri service
   systemd:
     name: kolibri
     state: started
   when: kolibri_enabled | bool
 
 - name: Enable http://box{{ kolibri_url }} with Apache (a2ensite) if kolibri_enabled    # i.e. http://box/kolibri
   command: a2ensite kolibri.conf
-  when: kolibri_enabled | bool
+  when: kolibri_enabled | bool and not nginx_enabled | bool
 
 - name: Disable & Stop 'kolibri' systemd service if not kolibri_enabled
   systemd:
@@ -137,12 +147,19 @@
 
 - name: Disable http://box{{ kolibri_url }} with Apache (a2dissite) if not kolibri_enabled
   command: a2dissite kolibri.conf
-  when: not kolibri_enabled
+  when: not kolibri_enabled or nginx_enabled | bool
 
 - name: Restart Apache service ({{ apache_service }})    # e.g. apache2
   systemd:
     name: "{{ apache_service }}"
     state: restarted
+  when: not nginx_enabled | bool
+
+- name: Restart nginx service
+  systemd:
+    name: nginx
+    state: restarted
+  when: nginx_enabled | bool
 
 - name: Add 'kolibri' variable values to {{ iiab_ini_file }}    # /etc/iiab/iiab.ini
   ini_file:

diff --git a/roles/kolibri/templates/kolibri-nginx.conf.j2 b/roles/kolibri/templates/kolibri-nginx.conf.j2
@@ -0,0 +1,9 @@
+location    /kolibri {
+   proxy_bind              $server_addr;
+   proxy_set_header        Host            $http_host;
+   proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+   proxy_set_header        X-Scheme        $scheme;
+   proxy_set_header        X-Script-Name   /kolibri;
+   proxy_pass http://127.0.0.1:8009;
+}
+
diff --git a/roles/moodle/templates/moodle-nginx.conf.j2.native b/roles/moodle/templates/moodle-nginx.conf.j2.native
@@ -0,0 +1,16 @@
+location ^/moodle {
+   alias /opt/iiab/moodle;
+   try_files $uri $uri/ index.php =404;
+}
+location ~ /moodle/(.*)\.php {
+    root /opt/iiab/;
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host $host;
+    include fastcgi_params;
+    fastcgi_index index.php;
+    fastcgi_pass php;
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+    fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
+}
diff --git a/roles/munin/tasks/main.yml b/roles/munin/tasks/main.yml
@@ -30,7 +30,7 @@
     mode: 0644
   with_items:
     - { src: 'munin.conf.j2', dest: '/etc/munin/munin.conf' }
-    - { src: 'munin24.conf.j2', dest: '/etc/{{ apache_config_dir }}/munin24.conf' }
+    - { src: 'munin24-nginx.conf.j2', dest: '/etc/nginx/conf.d/munin24-nginx.conf' }
 
 - name: Establish username/password Admin/changeme in /etc/munin/munin-htpasswd
   htpasswd:
@@ -47,19 +47,6 @@
     state: started
   when: munin_enabled | bool
 
-- name: Create symlink munin24.conf from sites-enabled to sites-available (debuntu)
-  file:
-    src: /etc/apache2/sites-available/munin24.conf
-    path: /etc/apache2/sites-enabled/munin24.conf
-    state: link
-  when: munin_enabled and is_debuntu
-
-- name: Remove symlink /etc/apache2/sites-enabled/munin24.conf if not munin_enabled (debuntu)
-  file:
-    path: /etc/apache2/sites-enabled/munin24.conf
-    state: absent
-  when: not munin_enabled and is_debuntu
-
 - name: Disable munin-node service if not munin_enabled
   service:
     name: munin-node

diff --git a/roles/munin/templates/munin24-nginx.conf.j2 b/roles/munin/templates/munin24-nginx.conf.j2
@@ -0,0 +1,4 @@
+location  /munin {
+  alias /var/cache/munin/www/ ;
+  try_files $uri $uri/ /index.html;
+}
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
@@ -0,0 +1 @@
+nginx_log_dir: /var/log/nginx