diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
new file mode 100644
index 0000000..ae63f15
--- /dev/null
+++ b/roles/nginx/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+nginx_anonymize: False
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index f8ceb8b..efd5888 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -8,7 +8,13 @@
 when: nginx_ssl
 - name: Ensure certificates are available
- command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt -days 730 -subj "/CN={{ ansible_fqdn }}" creates=/etc/nginx/ssl/{{ ansible_fqdn }}.crt
+ command:
+ cmd: >
+ openssl req -x509 -nodes -newkey rsa:2048
+ -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key
+ -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt
+ -days 730 -subj "/CN={{ ansible_fqdn }}"
+ creates: /etc/nginx/ssl/{{ ansible_fqdn }}.crt
 when: nginx_ssl
 notify: Restart nginx
@@ -24,7 +30,7 @@
 - /etc/nginx/dhparam.pem
 - name: Configure nginx
- copy: src=nginx.conf dest=/etc/nginx/nginx.conf
+ template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
 notify: Restart nginx
 - name: Configure default vhost
diff --git a/roles/nginx/templates/default.j2 b/roles/nginx/templates/default.j2
index 80b99e8..2d6eefe 100644
--- a/roles/nginx/templates/default.j2
+++ b/roles/nginx/templates/default.j2
@@ -1,3 +1,5 @@
+# {{ ansible_managed }}
+
 server {
 listen 80 default_server;
 listen [::]:80 default_server;
diff --git a/roles/nginx/files/nginx.conf b/roles/nginx/templates/nginx.conf.j2
similarity index 71%
rename from roles/nginx/files/nginx.conf
rename to roles/nginx/templates/nginx.conf.j2
index 5892b8a..2e1953c 100644
--- a/roles/nginx/files/nginx.conf
+++ b/roles/nginx/templates/nginx.conf.j2
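Review bot: `nginx_anonymize: False` in the new defaults file uses a capitalised boolean; Ansible accepts it, but the usual Ansible/yamllint convention (the `truthy` rule) is lowercase, so `nginx_anonymize: false` is the spelling to use. A new role default also deserves a one-line comment saying what it switches, e.g. `# When true, nginx.conf logs a truncated client address (IPv4 last octet / IPv6 beyond the first two groups zeroed) instead of the full $remote_addr.`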
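Review bot: The self-signed certificate produced by the reworked `Ensure certificates are available` task still carries only `-subj "/CN={{ ansible_fqdn }}"` and no subjectAltName, which current browsers and many TLS libraries reject as a hostname mismatch regardless of the CN. With OpenSSL 1.1.1 or later one extra argument on the line after `-subj` fixes that: `-addext "subjectAltName=DNS:{{ ansible_fqdn }}"`; older releases need an extension section in a config file instead. The task also leaves the private key's owner and mode to whatever `openssl` and the umask produce, so a follow-up `file` task with `owner: root`, `group: root`, `mode: "0600"` on `/etc/nginx/ssl/{{ ansible_fqdn }}.key` would pin that explicitly. Finally, `creates:` only checks the `.crt`, so a removed or rotated key is not regenerated and nginx would then fail to load the mismatched pair — acceptable for a bootstrap task, but worth a comment on the `creates:` line.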
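Review bot: Switching `Configure nginx` from `copy` to `template` means the rendered `nginx.conf` now depends on role variables, so a bad render (such as a regex typo in the new anonymisation maps) is only discovered when the `Restart nginx` handler fires and the service stays down. Adding `validate: nginx -t -c %s` to the task makes Ansible reject the rendered file before it replaces the live config; relative `include` paths in that file resolve against nginx's compiled-in prefix, which depends on how nginx was built, so verify once that `nginx -t` on a temp file works on the target. While here, the task keeps the `key=value` argument form while the `openssl` task in this same commit moved to block YAML; the file would be more consistent as `template:` / `src: nginx.conf.j2` / `dest: /etc/nginx/nginx.conf`.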
@@ -47,7 +47,32 @@ http {
 # Logging Settings
 ##
+{% if nginx_anonymize %}
+ map $remote_addr $ip_anonym1 {
+ default 0.0.0;
+ "~(?P(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
+ "~(?P[^:]+:[^:]+):" $ip;
+ }
+
+ map $remote_addr $ip_anonym2 {
+ default .0;
+ "~(?P(\d+)\.(\d+)\.(\d+))\.\d+" .0;
+ "~(?P[^:]+:[^:]+):" ::;
+ }
+
+ map $ip_anonym1$ip_anonym2 $ip_anonymized {
+ default 0.0.0.0;
+ "~(?P.*)" $ip;
+ }
+
+ log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+
+ access_log /var/log/nginx/access.log anonymized;
+{% else %}
 access_log /var/log/nginx/access.log;
+{% endif %}
 error_log /var/log/nginx/error.log;
 ##
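Review bot: The named captures in the three `map` regexes appear here as `(?P(\d+)...`, `(?P[^:]+...` and `(?P.*)` with no group name between `(?P` and the pattern, which PCRE rejects, so nginx would refuse to load this config whenever `nginx_anonymize` is true. The angle brackets may simply have been lost in extraction and the intended form is presumably `"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;` — worth confirming the committed file with `nginx -t` before relying on it. Separately, only `access_log` is rewritten: `error_log` still records the full client address in messages such as upstream and permission errors, so a comment next to `{% if nginx_anonymize %}` such as `# NOTE: error_log is not anonymized; nginx cannot rewrite the client address there` would save the next reader a false assumption. The truncation keeps the first three IPv4 octets (/24) and the first two IPv6 groups (/32), which is a privacy policy choice that the role's documentation should state explicitly.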