JoergFiedler.freebsd-jailed-nginx

freebsd-jailed-nginx

This role sets up a jailed nginx server that listens for incoming requests on ports 80 and 443. By default it is reachable only from the host; set nginx_pf_redirect to have pf forward outside traffic into the jail.

It also includes a working TLS setup with Let's Encrypt.

For a Let's Encrypt server you must supply your own dhparam.pem: create a folder named after the server (for example files/example.com/) in the files directory next to your playbook and put the dhparam.pem there. Generate it yourself with openssl dhparam (2048 bits or more) rather than copying a published group.

Certificates are checked and renewed weekly. To get started right away, a self-signed certificate for localhost is installed first. Once the jail is running you can request the Let's Encrypt certificates by hand with the weekly script:

 /usr/local/bin/acme-client-weekly.sh

Together with other roles it can host WordPress or Joomla installations. An SFTP server gives file-transfer access to the webroot, with public-key authentication only.

You can also use this role as a TLS-terminating reverse proxy that forwards traffic to other jails or to external sites.

Requirements

This role is meant for a fresh FreeBSD installation, for example a Vagrant box on VirtualBox or an EC2 instance.

Role Variables

nginx_letsencrypt_enabled

Set to yes to enable automatic certificate management with Let's Encrypt for all nginx servers. This installs the acme-client tool and prepares the configuration for each server. Default: no.

nginx_letsencrypt_acme_private_key

The private key of the ACME account the acme client uses to talk to Let's Encrypt. Treat it as a secret: keep it in Ansible Vault rather than in plain vars files. Default: ''.

nginx_letsencrypt_api_host

The ACME API hostname the acme client talks to. Default: acme-v02.api.letsencrypt.org.

nginx_tarsnap_enabled

Whether to back up the webroot of all nginx servers with tarsnap. Backups must also be enabled at the host level (tarsnap_enabled: yes). Default: {{ tarsnap_enabled | default("no") }}.

nginx_syslogd_server

The syslog server nginx sends its error and access logs to. Default: {{ syslogd_server | default("localhost") }}.

nginx_pf_redirect

Set to yes if traffic arriving on the host's HTTP/HTTPS ports should be forwarded to this jail's nginx server. Default: no.

If enabled, pf redirects ports 80 and 443 on the host's external interface to the jail. The redirected ports and interface can be changed with the nginx_pf_rdrs variable.

nginx_pf_rdrs

Controls how pf redirects traffic from the host to the jail. The default is:

nginx_pf_rdrs:
  - ports:
      - 'http'
      - 'https'
    ext_ip: '{{ host_net_ext_ip }}'
    ext_if: '{{ host_net_ext_if }}'

This means all traffic on the external interface for both HTTP and HTTPS will be redirected to the nginx server in the jail.

nginx_servers

This variable holds a list of nginx server instances for this jail. Use it to configure different kinds of servers, such as HTTPS proxies or websites. The defaults for one entry are:

aliases: ''
basic_auth_enabled: no
force_www: no
https:
  enabled: no
  letsencrypt_enabled: no
  key_file: 'localhost-key.pem'
  certbundle_file: 'localhost-certbundle.pem'
  dhparam_file: 'localhost-dhparam.pem'
name: 'localhost'
php:
  fpm_enabled: no
sftp:
  user: '{{ server_sftp_user }}'
  uuid: '{{ server_sftp_uuid }}'
  authorized_keys: '{{ server_sftp_authorized_keys }}'
  home: '{{ server_home }}'
  port: '{{ server_sftp_port }}'
sftp_enabled: no
webroot: '{{ server_webroot }}'

aliases

If the server should also answer requests for domains other than name, list them here separated by spaces. Use default to make this the nginx default server. Default: ''.

basic_auth_enabled

Set to yes to enable HTTP basic authentication. You must provide an htpasswd file in the files/{{ name }} folder next to your playbook. Default: no.

force_www

Set to yes if the server should redirect requests to the www subdomain (www.name). If yes, also add www.name to aliases so nginx accepts the redirected requests. Default: no.

https

Settings for TLS/HTTPS.

enabled

Set to yes to enable HTTPS; plain HTTP requests are then redirected to HTTPS. Default: no.

letsencrypt_enabled

Set to yes to enable HTTPS with a certificate obtained and renewed from Let's Encrypt for this server. nginx_letsencrypt_enabled must also be yes. Default: no.

name

The domain name of this server, e.g., example.com. Default: default.

php

Settings for PHP.

fpm_enabled

Set to yes to install and enable php-fpm for this server. Default: no.

fastcgi_cache

Set to off to disable FastCGI caching; otherwise the value is the name of the nginx cache zone used. Default: z_nginx.

max_requests

The number of requests each php-fpm child process handles before it is restarted (pm.max_requests). Default: 1000.

max_children

The maximum number of php-fpm child processes (pm.max_children). Default: 5.

memory_limit

The maximum amount of memory a PHP script may use. Default: 128M.

upload_max_filesize

The largest file size allowed for uploads. Default: 48M.

post_max_size

The maximum size of a POST body; it must be at least upload_max_filesize for uploads to work. Default: 64M.

sftp_enabled

Enable SFTP access for this server: a dedicated user is created and sshd is configured accordingly. Default: no.

sftp

Settings for the SFTP user and the sshd configuration.

user

The SFTP user's name. Default: 'sftp_{{ name | truncate(5, True, "") }}', i.e. sftp_ followed by the first five characters of name.

uuid

The numeric user id (uid) of the SFTP user, despite the variable name. Default: 5000. Give every SFTP-enabled server in the jail its own value.

home

The user's home directory; sshd chroots the SFTP session into it, so it must be owned by root and not writable by anyone else (an OpenSSH ChrootDirectory requirement). Default: '/srv/{{ name }}'.

port

The port on the host that this role redirects to the jail's SSH daemon for this user. Default: 10022.

authorized_keys

The public key file whose keys are installed for the SFTP user; password login is not used. Default: '{{ host_sshd_authorized_keys_file }}'.
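As an added example (not code from the role), here is a small Python check that encodes the rules stated in this section before a playbook is run: force_www needs www.<name> in aliases, a Let's Encrypt server needs nginx_letsencrypt_enabled and a files/<name>/dhparam.pem next to the playbook, basic auth needs an htpasswd file, the php-fpm size limits must nest, and SFTP-enabled servers in the same jail must not share a uid, host port or user name. The last point matters because of the documented defaults: example.com and example.org both get the user sftp_examp, uid 5000 and port 10022. The htpasswd file name, and the assumption that the role itself does not enforce these rules, are mine; the sample entries at the bottom are constructed.

```python
from __future__ import annotations

import copy
import re
from typing import Any

# Documented defaults for a single nginx_servers entry (see the list above).
SERVER_DEFAULTS: dict[str, Any] = {
    "name": "default",
    "aliases": "",
    "basic_auth_enabled": False,
    "force_www": False,
    "https": {
        "enabled": False,
        "letsencrypt_enabled": False,
        "key_file": "localhost-key.pem",
        "certbundle_file": "localhost-certbundle.pem",
        "dhparam_file": "localhost-dhparam.pem",
    },
    "php": {
        "fpm_enabled": False,
        "memory_limit": "128M",
        "upload_max_filesize": "48M",
        "post_max_size": "64M",
    },
    "sftp_enabled": False,
    "sftp": {"uuid": 5000, "port": 10022},
}

_SIZE_RE = re.compile(r"^(\d+)([kmg]?)$", re.IGNORECASE)
_SIZE_MULT = {"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30}


def php_size(value: str) -> int:
    """Parse a php.ini shorthand size such as '48M' into bytes."""
    m = _SIZE_RE.match(str(value).strip())
    if m is None:
        raise ValueError(f"not a php.ini size: {value!r}")
    return int(m.group(1)) * _SIZE_MULT[m.group(2).upper()]


def with_defaults(server: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of one entry with the documented defaults filled in."""
    merged = copy.deepcopy(SERVER_DEFAULTS)
    for key, value in server.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key].update(value)
        else:
            merged[key] = value
    name = merged["name"]
    sftp = merged["sftp"]
    # 'sftp_{{ name | truncate(5, True, "") }}': "sftp_" plus the first five
    # characters of name (Jinja's truncate leeway may keep short names whole).
    sftp.setdefault("user", "sftp_" + name[:5])
    sftp.setdefault("home", f"/srv/{name}")  # sshd chroots the session here
    return merged


def lint_servers(servers: list[dict[str, Any]], files: set[str],
                 nginx_letsencrypt_enabled: bool = False) -> list[str]:
    """Return the problems found; an empty list means the entries are consistent.

    `files` holds the paths below the files/ directory next to the playbook,
    relative to it, e.g. {"example.com/dhparam.pem"}.
    """
    findings: list[str] = []
    # All sftp users land in one jail, so uid, host port and name must be unique.
    seen: dict[str, dict[Any, str]] = {"uuid": {}, "port": {}, "user": {}}
    for raw in servers:
        s = with_defaults(raw)
        name, https, php, sftp = s["name"], s["https"], s["php"], s["sftp"]

        if s["force_www"] and f"www.{name}" not in s["aliases"].split():
            findings.append(f"{name}: force_www needs 'www.{name}' in aliases")

        if https["letsencrypt_enabled"]:
            if not nginx_letsencrypt_enabled:
                findings.append(f"{name}: https.letsencrypt_enabled needs nginx_letsencrypt_enabled: yes")
            if name in ("default", "localhost"):
                findings.append(f"{name}: Let's Encrypt cannot issue a certificate for this name")
            if f"{name}/dhparam.pem" not in files:
                # The README asks for files/<name>/dhparam.pem next to the playbook.
                findings.append(f"{name}: files/{name}/dhparam.pem is missing")

        if s["basic_auth_enabled"] and f"{name}/htpasswd" not in files:
            # The file name 'htpasswd' inside files/<name>/ is an assumption.
            findings.append(f"{name}: basic_auth_enabled needs files/{name}/htpasswd")

        if php["fpm_enabled"]:
            upload, post, mem = (php_size(php[k]) for k in
                                 ("upload_max_filesize", "post_max_size", "memory_limit"))
            # PHP rejects uploads larger than post_max_size, and a script cannot
            # buffer a POST body larger than its memory_limit.
            if not upload <= post <= mem:
                findings.append(f"{name}: expected upload_max_filesize <= post_max_size <= memory_limit")

        if s["sftp_enabled"]:
            for key in ("uuid", "port", "user"):
                owner = seen[key].get(sftp[key])
                if owner is not None:
                    findings.append(f"{name}: sftp {key} {sftp[key]} is already used by {owner}")
                seen[key][sftp[key]] = name
    return findings


if __name__ == "__main__":
    # Constructed sample: two servers that both keep the documented sftp defaults.
    sample = [
        {"name": "example.com", "force_www": True,
         "https": {"letsencrypt_enabled": True},
         "php": {"fpm_enabled": True, "post_max_size": "32M"},
         "sftp_enabled": True},
        {"name": "example.org", "sftp_enabled": True},
    ]
    for problem in lint_servers(sample, files=set()):
        print(problem)
```

Run it against the nginx_servers list from your own playbook (load the YAML with your preferred parser and pass the contents of files/ as a set of relative paths) before running the play; the sample above reports seven problems, three of them the sftp collisions.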

Dependencies

Example Playbook

A proxy host that forwards traffic to an external server:

- hosts: all
  become: true

  tasks:
    - import_role:
        name: 'JoergFiedler.freebsd-jail-host'
    - include_role:
        name: 'JoergFiedler.freebsd-jailed-nginx'
      vars:
        nginx_pf_redirect: true
        nginx_letsencrypt_enabled: yes
        nginx_servers:
          - name: 'test.moumantai.de'
            https:
              enabled: yes
              letsencrypt_enabled: yes
            proxy:
              host: 'www.freebsd.org'
              scheme: 'https'
              port: 443
              local: no
        jail_net_ip: '10.1.0.10'
        jail_name: 'nginx'

An nginx server with php-fpm and HTTPS. The Vagrant insecure key used for authorized_keys here is publicly known; use it only for local Vagrant testing:

- hosts: all
  become: true

  tasks:
    - import_role:
        name: 'JoergFiedler.freebsd-jail-host'
    - include_role:
        name: 'JoergFiedler.freebsd-jailed-nginx'
      vars:
        jail_net_ip: '10.1.0.10'
        jail_name: 'nginx'
        nginx_pf_redirect: yes
        nginx_servers:
          - name: 'default'
            https:
              enabled: yes
            php:
              fpm_enabled: yes
            sftp_enabled: yes
            sftp:
              authorized_keys: '~/.vagrant.d/insecure_private_key.pub'

License

BSD

Author Information

If you like this project or have suggestions for improvement, please open an issue on GitHub. Thank you.

Project information

Provides a jailed nginx server.

Install

 ansible-galaxy install JoergFiedler.freebsd-jailed-nginx