diff --git a/roles/cups/tasks/install.yml b/roles/cups/tasks/install.yml
index 06f47575f..14b3aaba2 100644
--- a/roles/cups/tasks/install.yml
+++ b/roles/cups/tasks/install.yml
@@ -1,38 +1,29 @@ -# 2021-07-11: (1) WE NEED TO GET http://box:631 AND http://box.lan:631 WORKING. -# /var/log/cups/error_log* shows "400 Bad Request" errors as follows: -# -# Request from "localhost" using invalid Host: field "box:631". -# Request from "localhost" using invalid Host: field "box.lan:631". -# -# (2) WE NEED NGINX PROXY TO GET http://box/print WORKING RELIABLY ON ALL OS's. - - name: Install 'cups' package package: name: cups state: present -- name: Add user '{{ iiab_admin_user }}' to Linux group 'lpadmin' for remote administration (or modify default 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 '@SYSTEM' lines in /etc/cups/cupsd.conf) - command: "gpasswd -a {{ iiab_admin_user | quote }} lpadmin" # iiab-admin - #command: "gpasswd -d {{ iiab_admin_user | quote }} lpadmin" +# 2021-07-12: LET'S STICK CLOSE TO THE DEFAULT /etc/cups/cupsd.conf SO WE CAN +# SKIP MOST OF THE NEXT ~100 LINES, THX TO NEW NGINX (cups/templates/cups.conf) +# # WARNING: 'apt install cups' AND 'apt install --reinstall cups' +# # UNFORTUNATELY DO *NOT* RECREATE /etc/cups/cupsd.conf IF A PRIOR +# # INSTALL OF CUPS EXISTED! SO OPTION #1 OR #2 ARE NEEDED BELOW: -# WARNING: 'apt install cups' AND 'apt install --reinstall cups' -# UNFORTUNATELY DO *NOT* RECREATE /etc/cups/cupsd.conf IF A PRIOR -# INSTALL OF CUPS EXISTED! SO OPTION #1 OR #2 ARE NEEDED BELOW: +# # OPTION #1: OLD WAY (BRITTLE) +# # +# # - name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin +# # template: +# # src: cupsd.conf.j2 +# # dest: /etc/cups/cupsd.conf -# OPTION #1: OLD WAY (BRITTLE) -# -# - name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin -# template: -# src: cupsd.conf.j2 -# dest: /etc/cups/cupsd.conf +# # OPTION #2: NEW WAY (MORE FUTURE-PROOF, WE HOPE!) -# OPTION #2: NEW WAY (MORE FUTURE-PROOF, WE HOPE!) +# # - name: FILE /etc/cups/cupsd.conf WILL BE CREATED BY THE ~2 STANZAS BELOW... 
+# # meta: noop -- name: FILE /etc/cups/cupsd.conf WILL BE CREATED BY THE ~5 STANZAS BELOW... - meta: noop -# - debug: -# msg: FILE /etc/cups/cupsd.conf WILL BE CREATED BY THE ~5 STANZAS BELOW... +# # - debug: +# # msg: FILE /etc/cups/cupsd.conf WILL BE CREATED BY THE ~5 STANZAS BELOW... - name: Copy /usr/share/cups/cupsd.conf.default to /etc/cups/cupsd.conf (root:lp, 0640) -- a timestamped backup of the prior 'cupsd.conf' is saved in /etc/cups copy: 
@@ -43,58 +34,87 @@ mode: 0640 backup: yes -- name: (Re)Start 'cups' and 'cups-browsed' systemd services -- CUPS DAEMON MUST BE RUNNING FOR 'cupsctl' COMMAND JUST BELOW - systemd: - daemon_reload: yes - name: "{{ item }}" - state: restarted - with_items: - - cups - - cups-browsed - -- name: Run 'cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf - command: cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging - -# 2021-07-11: BOTH FLAGS *CANNOT* BE USED TOGETHER -- CHOOSE ONE OR THE OTHER: -# (1) '--remote-admin' AS ABOVE, OR (2) '--remote-any' AS BELOW. -# (RUN 'cupsctl' WITHOUT PARAMETERS TO CONFIRM THIS!) - -# - name: Run 'cupsctl --remote-any --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf -# command: cupsctl --remote-any --share-printers --user-cancel-any --debug-logging - -# 2021-07-11: In theory 'cupsctl' stanzas could be put in enable-or-disable.yml -# BUT LET'S AVOID THAT -- AS REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* -# /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) +# 2021-07-12: lineinfile fails to insert the needed lines, as these same 2 lines +# already appear throughout /etc/cups/cupsd.conf -- so we use blockinfile below. # -# FYI repeated use of 'cupsctl' commands also removes comments and blank lines. 
+# - name: Insert 2 lines into /etc/cups/cupsd.conf to LOCK DOWN URL'S LIKE http://box/print/admin -- REQUIRING '{{ iiab_admin_user }}' AND ITS LINUX PASSWORD (to avoid accidental damage to /etc/cups/cupsd.conf and other CUPS settings) +# lineinfile: +# path: /etc/cups/cupsd.conf +# #regexp: +# line: "{{ item }}" +# insertafter: '^$' +# with_items: +# - " Require user @SYSTEM" # Will appear BELOW, in /etc/cups/cupsd.conf +# - " AuthType Default" # Will appear ABOVE, in /etc/cups/cupsd.conf + +- name: Insert 2-line block into /etc/cups/cupsd.conf to LOCK DOWN URL'S LIKE http://box/print/admin -- REQUIRING '{{ iiab_admin_user }}' AND ITS LINUX PASSWORD (to avoid accidental damage to /etc/cups/cupsd.conf and other CUPS settings) + blockinfile: + path: /etc/cups/cupsd.conf + insertafter: '^$' + block: |2 # Indent with 2 spaces, and surround block with 2 comment lines: "# BEGIN ANSIBLE MANAGED BLOCK", "# END ANSIBLE MANAGED BLOCK" + AuthType Default + Require user @SYSTEM + +- name: Add user '{{ iiab_admin_user }}' to Linux group 'lpadmin' for web administration (or modify default 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 -> ~15 '@SYSTEM' lines in /etc/cups/cupsd.conf) + command: "gpasswd -a {{ iiab_admin_user | quote }} lpadmin" # iiab-admin + #command: "gpasswd -d {{ iiab_admin_user | quote }} lpadmin" + +# - name: (Re)Start 'cups' and 'cups-browsed' systemd services -- CUPS DAEMON MUST BE RUNNING FOR 'cupsctl' COMMAND JUST BELOW +# systemd: +# daemon_reload: yes +# name: "{{ item }}" +# state: restarted +# with_items: +# - cups +# - cups-browsed + +# 2021-07-12: 'cupsctl --remote-admin && systemctl restart cups' enables +# http://10.8.0.x:631 -- but this is even less useful than ever, now that +# http://10.8.0.x/print works -- thx to the new /etc/nginx/conf.d/cups.conf # -# - name: Run 'cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging' (if not cups_enabled) -- REPEATED USE OF 
'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf -# command: cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging -# when: not cups_enabled +# - name: Run 'cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf +# command: cupsctl --remote-admin --share-printers --user-cancel-any --debug-logging -- name: "2021-07-11: UNFORTUNATELY http://box:631 AND http://box/print DO NOT YET WORK RELIABLY -- CUPS NEEDS TO WORK FROM MANY MORE URL'S THAN JUST http://localhost:631 AND http://192.168.0.x:631 AND http://172.18.96.1:631 -- please help us find the correct directive(s) for /etc/cups/cupsd.conf and /etc/nginx/conf.d/cups.conf followed by 'systemctl restart cups' and 'systemctl restart nginx'" - lineinfile: - path: /etc/cups/cupsd.conf - line: "{{ item }}" - insertbefore: '^Listen .*/run/cups/cups.sock$' # Also matches old form: '^Listen /var/run/cups/cups.sock$' - with_items: - - "#ServerAlias *" - - "#ServerName {{ iiab_hostname }}.{{ iiab_domain }}" # box.lan - - "#Listen {{ lan_ip }}:631" # 172.18.96.1 - - "Listen 127.0.0.1:631" - - "#Listen 0.0.0.0:631" - - "#Listen *:631" +# # 2021-07-11: BOTH FLAGS *CANNOT* BE USED TOGETHER -- CHOOSE ONE OR THE OTHER: +# # (1) '--remote-admin' AS ABOVE, OR (2) '--remote-any' AS BELOW. +# # (RUN 'cupsctl' WITHOUT PARAMETERS TO CONFIRM THIS!) 
-- name: "OPTIONAL: Change 'MaxLogSize 0' (no log rotation) to 'MaxLogSize 1m' (log rotation at 1MB) in /etc/cups/cupsd.conf (EITHER WAY LOG BLOAT IS A RISK!)" - lineinfile: - path: /etc/cups/cupsd.conf - regexp: '^MaxLogSize ' - insertbefore: 'Listen ' - firstmatch: yes - line: "MaxLogSize 1m" # CUPS Documentation (claims!) log rotation at "1m" is the default. But In Practice: 'MaxLogSize 0' (no log rotation) is now part of /usr/share/cups/cupsd.conf.default +# # - name: Run 'cupsctl --remote-any --share-printers --user-cancel-any --debug-logging' for /var/log/cups/error_log (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf +# # command: cupsctl --remote-any --share-printers --user-cancel-any --debug-logging -# REMINDER: 3 systemd services should be restarted (cups, cups-browsed, nginx) -# within enable-or-disable.yml, so /etc/cups/cupsd.conf (ETC) take effect! +# # 2021-07-11: In theory 'cupsctl' stanzas could be put in enable-or-disable.yml +# # BUT LET'S AVOID THAT -- AS REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* +# # /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) +# # +# # FYI repeated use of 'cupsctl' commands also removes comments and blank lines. +# # +# # - name: Run 'cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging' (if not cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf +# # command: cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging +# # when: not cups_enabled + +# - name: "2021-07-12: EXPERIMENTALLY ADD DIRECTIVES TO /etc/cups/cupsd.conf followed by 'systemctl restart cups'. 
As should no longer be nec thanks to NEW cups/templates/cups.conf for /etc/nginx/conf.d/cups.conf (followed by 'systemctl restart nginx'). Which FIXED URL'S LIKE: http://box/print, http://box.lan/print, http://192.168.0.x/print, http://172.18.96.1/print and http://10.8.0.x/print (WITH OR WITHOUT THE TRAILING SLASH!) RECAP: (1) So be it that these 2 URL'S STILL DON'T WORK: http://box:631, http://box.lan:631 (due to CUPS' internal web server's overly stringent hostname checks, i.e. '400 Bad Request') -- (2) While these 2 URL'S STILL DO WORK: http://localhost:631, http://127.0.0.1:631 -- (3) Whereas these 3 URL'S NO LONGER WORK: http://192.168.0.x:631, http://172.18.96.1:631, http://10.8.0.x:631 (now that we're suddenly hewing closer to the default /etc/cups/cupsd.conf)" +# lineinfile: +# path: /etc/cups/cupsd.conf +# line: "{{ item }}" +# insertbefore: '^Listen .*/run/cups/cups.sock$' # Also matches old form: '^Listen /var/run/cups/cups.sock$' +# with_items: +# - "#ServerAlias *" +# - "#ServerName {{ iiab_hostname }}.{{ iiab_domain }}" # box.lan +# - "#Listen {{ lan_ip }}:631" # 172.18.96.1 +# - "Listen 127.0.0.1:631" +# - "#Listen 0.0.0.0:631" +# - "#Listen *:631" + +# - name: "OPTIONAL: Change 'MaxLogSize 0' (no log rotation) to 'MaxLogSize 1m' (log rotation at 1MB) in /etc/cups/cupsd.conf (EITHER WAY LOG BLOAT IS A RISK!)" +# lineinfile: +# path: /etc/cups/cupsd.conf +# regexp: '^MaxLogSize ' +# insertbefore: 'Listen ' +# firstmatch: yes +# line: "MaxLogSize 1m" # CUPS Documentation (claims!) log rotation at "1m" is the default. But In Practice: 'MaxLogSize 0' (no log rotation) is now part of /usr/share/cups/cupsd.conf.default + +# REMINDER: 3 SYSTEMD SERVICES WILL BE RESTARTED (cups, cups-browsed, nginx) +# LATER IN enable-or-disable.yml, SO /etc/cups/cupsd.conf (ETC) TAKE EFFECT! # RECORD CUPS AS INSTALLED diff --git a/roles/cups/tasks/main.yml b/roles/cups/tasks/main.yml index 32e65e4e6..b9bbe9866 100644 --- a/roles/cups/tasks/main.yml 
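Review bot: The new `blockinfile` task anchors the `AuthType Default` / `Require user @SYSTEM` block with `insertafter: '^$'`, which does not name the section it is meant to protect. As far as I know blockinfile places the block after the last line that matches the regex, so it lands after the final blank line of /etc/cups/cupsd.conf; whether that is inside the intended `<Location>` or `<Limit>` section depends on the layout of cupsd.conf.default, which is not visible here. Since the task name promises that http://box/print/admin requires a password, I would anchor on the section header itself (a pattern such as `insertafter: '^<Location /admin>'`, to be confirmed against the shipped default) and add a follow-up task that runs `cupsd -t`, so a misplaced block fails the play instead of leaving the admin pages without authentication. The `gpasswd -a` command task also reports "changed" on every run; the `user` module with `groups: lpadmin` and `append: yes` would be idempotent.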
+++ b/roles/cups/tasks/main.yml @@ -1,10 +1,4 @@ -# Administer CUPS at http://box:631 -# Above URL does NOT work over OpenVPN (ANYONE KNOW WHY?) - -# TO DO: -# -# - CREATE /etc/nginx/conf.d/cups-nginx.conf as SHIM to Apache on port 8090. -# SEE OTHERS @ https://github.com/iiab/iiab/blob/master/roles/nginx/README.md +# ADMINISTER CUPS AT http://box/print/admin WITH iiab-admin + ITS LINUX PASSWORD # "How do i fail a task in Ansible if the variable contains a boolean value? diff --git a/roles/cups/tasks/nginx.yml b/roles/cups/tasks/nginx.yml index 9a80ded0f..80921e99f 100644 --- a/roles/cups/tasks/nginx.yml +++ b/roles/cups/tasks/nginx.yml @@ -1,10 +1,10 @@ -- name: Enable http://box/print and http://box/cups via NGINX, by installing {{ nginx_conf_dir }}/cups.conf from template +- name: Enable http://box/print via NGINX, by installing {{ nginx_conf_dir }}/cups.conf from template template: src: cups.conf dest: "{{ nginx_conf_dir }}/cups.conf" # /etc/nginx/conf.d when: cups_enabled -- name: Disable http://box/print and http://box/cups via NGINX, by removing {{ nginx_conf_dir }}/cups.conf +- name: Disable http://box/print via NGINX, by removing {{ nginx_conf_dir }}/cups.conf file: path: "{{ nginx_conf_dir }}/cups.conf" state: absent diff --git a/roles/cups/templates/cups.conf b/roles/cups/templates/cups.conf index 1f286da4c..e61d87f34 100644 --- a/roles/cups/templates/cups.conf +++ b/roles/cups/templates/cups.conf 
@@ -1,25 +1,30 @@ +location = /print { + return 301 /print/; # "Moved Permanently" redirect + #rewrite /print /print/; # Faster, if links are fixed! +} + location ~ /print/(.*) { proxy_pass http://127.0.0.1:631/$1; proxy_set_header Host '127.0.0.1'; proxy_cache_bypass $http_upgrade; proxy_set_header X-Real-IP $remote_addr; - + sub_filter ' href="/' ' href="/print/'; sub_filter ' action="/' ' action="/print/'; sub_filter ' src="/' ' src="/print/'; sub_filter_types *; sub_filter_once off; -} +} -location ~ /cups/(.*) { - proxy_pass http://127.0.0.1:631/$1; - proxy_set_header Host '127.0.0.1'; - proxy_cache_bypass $http_upgrade; - proxy_set_header X-Real-IP $remote_addr; - - sub_filter ' href="/' ' href="/cups/'; - sub_filter ' action="/' ' action="/cups/'; - sub_filter ' src="/' ' src="/cups/'; - sub_filter_types *; - sub_filter_once off; -} +# location ~ /cups/(.*) { +# proxy_pass http://127.0.0.1:631/$1; +# proxy_set_header Host '127.0.0.1'; +# proxy_cache_bypass $http_upgrade; +# proxy_set_header X-Real-IP $remote_addr; +# +# sub_filter ' href="/' ' href="/cups/'; +# sub_filter ' action="/' ' action="/cups/'; +# sub_filter ' src="/' ' src="/cups/'; +# sub_filter_types *; +# sub_filter_once off; +# } diff --git a/roles/gitea/templates/gitea-nginx.conf.j2 b/roles/gitea/templates/gitea-nginx.conf.j2 index 7276bd543..18c3185bd 100644 --- a/roles/gitea/templates/gitea-nginx.conf.j2 +++ b/roles/gitea/templates/gitea-nginx.conf.j2 @@ -1,3 +1,3 @@ location {{ gitea_url }}/ { - proxy_pass http://127.0.0.1:{{ gitea_port }}/; + proxy_pass http://127.0.0.1:{{ gitea_port }}/; } diff --git a/roles/kiwix/templates/kiwix-nginx.conf.j2 b/roles/kiwix/templates/kiwix-nginx.conf.j2 index 000a3dcc2..0b830daf2 100644 --- a/roles/kiwix/templates/kiwix-nginx.conf.j2 +++ b/roles/kiwix/templates/kiwix-nginx.conf.j2 
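Review bot: The `/print/` location proxies to `http://127.0.0.1:631` with `Host '127.0.0.1'`, so cupsd will presumably treat every client that can reach NGINX as a local connection, and nothing in this location restricts who that is. Any address-based rule in cupsd.conf therefore stops protecting the web UI, which leaves the `AuthType`/`Require` block added in install.yml as the only gate. A comment above the location, e.g. `# cupsd sees all /print/ traffic as 127.0.0.1 -- access control relies on AuthType in cupsd.conf`, would keep that dependency visible. The regex is also unanchored: `location ~ /print/(.*)` matches any URI that contains `/print/`, and `location ~ ^/print/(.*)$` would limit it to the intended prefix. If admin access should be LAN-only, `allow`/`deny` lines in this location are the place for it.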
@@ -1,11 +1,11 @@ location {{ kiwix_url }} { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_connect_timeout {{ kiwix_nginx_timeout }}; - proxy_send_timeout {{ kiwix_nginx_timeout }}; - proxy_read_timeout {{ kiwix_nginx_timeout }}; - send_timeout {{ kiwix_nginx_timeout }}; - proxy_pass http://127.0.0.1:3000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_connect_timeout {{ kiwix_nginx_timeout }}; + proxy_send_timeout {{ kiwix_nginx_timeout }}; + proxy_read_timeout {{ kiwix_nginx_timeout }}; + send_timeout {{ kiwix_nginx_timeout }}; + proxy_pass http://127.0.0.1:3000; } diff --git a/roles/kolibri/templates/kolibri-nginx.conf.j2 b/roles/kolibri/templates/kolibri-nginx.conf.j2 index c3326aeaf..e82f23478 100644 --- a/roles/kolibri/templates/kolibri-nginx.conf.j2 +++ b/roles/kolibri/templates/kolibri-nginx.conf.j2 @@ -1,8 +1,8 @@ location {{ kolibri_url }} { - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Scheme $scheme; - proxy_set_header X-Script-Name {{ kolibri_url_without_slash }}; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Scheme $scheme; + proxy_set_header X-Script-Name {{ kolibri_url_without_slash }}; proxy_pass http://127.0.0.1:8009; } diff --git a/roles/lokole/templates/lokole-nginx.conf.j2 b/roles/lokole/templates/lokole-nginx.conf.j2 index 1cd58eb80..a2084a160 100644 --- a/roles/lokole/templates/lokole-nginx.conf.j2 +++ b/roles/lokole/templates/lokole-nginx.conf.j2 
@@ -1,14 +1,14 @@ location = {{ lokole_url }}/favicon.ico { - alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/favicon.ico; + alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/favicon.ico; } location ~ ^{{ lokole_url }}/static/(.*)$ { - alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/$1; + alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/$1; } location {{ lokole_url }}/ { - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://unix:/{{ lokole_domain_socket }}; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_pass http://unix:/{{ lokole_domain_socket }}; } diff --git a/roles/mediawiki/templates/mediawiki-nginx.conf.j2 b/roles/mediawiki/templates/mediawiki-nginx.conf.j2 index fdb19dba2..877982c49 100644 --- a/roles/mediawiki/templates/mediawiki-nginx.conf.j2 +++ b/roles/mediawiki/templates/mediawiki-nginx.conf.j2 
@@ -5,25 +5,28 @@ # $wgUsePathInfo = true; location ~ ^/{{ mediawiki_symlink }}/(index|load|api|thumb|opensearch_desc)\.php$ { - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_pass php; # or whatever port your PHP-FPM listens on + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass php; # or whatever port your PHP-FPM listens on } # Images location /{{ mediawiki_symlink }}/images { # Separate location for images/ so .php execution won't apply } + location /{{ mediawiki_symlink }}/images/deleted { # Deny access to deleted images folder deny all; } + # MediaWiki assets (usually images) location ~ ^/{{ mediawiki_symlink }}/resources/(assets|lib|src) { try_files $uri 404; add_header Cache-Control "public"; expires 7d; } + # Assets, scripts and styles from skins and extensions location ~ ^/{{ mediawiki_symlink }}/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg|ttf|woff|woff2)$ { try_files $uri 404; @@ -31,16 +34,15 @@ location ~ ^/{{ mediawiki_symlink }}/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg expires 7d; } - ## Uncomment the following code if you wish to use the installer/updater ## installer/updater #location /{{ mediawiki_symlink }}/mw-config/ { -# # Do this inside of a location so it can be negated -# location ~ \.php$ { -# include /etc/nginx/fastcgi_params; -# fastcgi_param SCRIPT_FILENAME $document_root/{{ mediawiki_symlink }}/mw-config/$fastcgi_script_name; -# fastcgi_pass 127.0.0.1:9000; # or whatever port your PHP-FPM listens on -# } +# # Do this inside of a location so it can be negated +# location ~ \.php$ { +# include /etc/nginx/fastcgi_params; +# fastcgi_param SCRIPT_FILENAME $document_root/{{ mediawiki_symlink }}/mw-config/$fastcgi_script_name; +# fastcgi_pass 127.0.0.1:9000; # or whatever port your PHP-FPM listens on +# } #} # Handling for the article path (pretty URLs) 
diff --git a/roles/munin/templates/munin24-nginx.conf.j2 b/roles/munin/templates/munin24-nginx.conf.j2 index dbbcc2795..28a930f8f 100644 --- a/roles/munin/templates/munin24-nginx.conf.j2 +++ b/roles/munin/templates/munin24-nginx.conf.j2 @@ -1,4 +1,4 @@ -location /munin { - alias /var/cache/munin/www/ ; - try_files $uri $uri/ /index.html; +location /munin { + alias /var/cache/munin/www/ ; + try_files $uri $uri/ /index.html; } diff --git a/roles/nginx/templates/iiab.conf.j2 b/roles/nginx/templates/iiab.conf.j2 index 954d0f805..b66f69cfa 100644 --- a/roles/nginx/templates/iiab.conf.j2 +++ b/roles/nginx/templates/iiab.conf.j2 @@ -30,11 +30,11 @@ location /js-menu/ { location /software/ { fancyindex on; # Enable fancy indexes. fancyindex_exact_size off; # Output human-readable file sizes. - location ~* \.(apk)$ { + location ~* \.(apk)$ { add_header Content-Type application/vnd.android.package-archive; - } + } - location ~* \.(zim)$ { + location ~* \.(zim)$ { add_header Content-Type application/zip; - } + } } diff --git a/roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf.j2 b/roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf.j2 index b9c3b634e..c130e75d5 100644 --- a/roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf.j2 +++ b/roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf.j2 @@ -1,7 +1,8 @@ # For downloadable regional vector tilesets location ~ ^/maps { - rewrite ^/maps(.*)$ /osm-vector-maps/viewer$1; + rewrite ^/maps(.*)$ /osm-vector-maps/viewer$1; } + location ~ ^/osm-vector-maps(.*)\.php(.*)$ { alias /library/www/osm-vector-maps$1.php$2; # /library/www/osm-vector-maps proxy_set_header X-Real-IP $remote_addr; 
@@ -11,10 +12,11 @@ location ~ ^/osm-vector-maps(.*)\.php(.*)$ { fastcgi_index index.html; include fastcgi_params; fastcgi_split_path_info ^(.+\.php)(.*)$; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param SCRIPT_NAME $fastcgi_script_name; - fastcgi_param PATH_INFO $2; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + fastcgi_param PATH_INFO $2; } + location ~ ^/osm-vector-maps/ { - root /library/www; + root /library/www; } diff --git a/roles/sugarizer/templates/sugarizer-nginx.conf.j2 b/roles/sugarizer/templates/sugarizer-nginx.conf.j2 index 29fb7a212..a4f936119 100644 --- a/roles/sugarizer/templates/sugarizer-nginx.conf.j2 +++ b/roles/sugarizer/templates/sugarizer-nginx.conf.j2 @@ -2,9 +2,9 @@ # If you need to change this, edit /etc/iiab/local_vars.yml prior to installing location /sugarizer { - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Scheme $scheme; - proxy_set_header X-Script-Name /sugarizer; - proxy_pass http://127.0.0.1:{{ sugarizer_port }}; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Scheme $scheme; + proxy_set_header X-Script-Name /sugarizer; + proxy_pass http://127.0.0.1:{{ sugarizer_port }}; } diff --git a/roles/wordpress/templates/wordpress-nginx.conf.j2 b/roles/wordpress/templates/wordpress-nginx.conf.j2 index 2c023dc2e..d3dd4e789 100644 --- a/roles/wordpress/templates/wordpress-nginx.conf.j2 +++ b/roles/wordpress/templates/wordpress-nginx.conf.j2 
@@ -1,20 +1,19 @@ -location {{ wp_url }} { +location {{ wp_url }} { #rewrite_log on; root {{ content_base }}; try_files $uri $uri/ /wordpress/index.php$is_args$args; - + location ~ .*\.php$ { - - include fastcgi_params; - fastcgi_pass php; - fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - } - - location ~ ^({{ wp_url }})(/.*)/$ { - include fastcgi_params; - fastcgi_pass php; - fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME {{ wp_abs_path }}/index.php; - } + include fastcgi_params; + fastcgi_pass php; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + } + + location ~ ^({{ wp_url }})(/.*)/$ { + include fastcgi_params; + fastcgi_pass php; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME {{ wp_abs_path }}/index.php; + } }