diff --git a/roles/cups/README.md b/roles/cups/README.md new file mode 100644 index 000000000..ce0a736b0 --- /dev/null +++ b/roles/cups/README.md @@ -0,0 +1,44 @@ +# CUPS Printing README + +## Web Administration + +Please administer CUPS at http://box/print using: + +- Username: `Admin` +- Password: `changeme` + +Or use any Linux user that is a member of the Linux group: `lpadmin` + +## Security + +The above uses 'SystemGroup lpadmin' in `/etc/cups/cups-files.conf` — in coordination with about 15 '@SYSTEM' lines and 'DefaultAuthType Basic' in `/etc/cups/cupsd.conf` + +CUPS creates a 10-year (unsigned) https certificate during installation, that will be very confusing to non-technical users when they log in, as a result of modern browser warnings. + +## How it Works + +http://localhost:631 can be useful if NGINX redirects or CUPS permissions are set wrong. + +Beware that http://box:631 and http://box.lan:631 will not work, due to a [known issue](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027) with CUPS since 2009. + +Understand how IIAB configures CUPS for all IP addresses and all hostnames (despite the above CUPS problem!) by reading these in-line explanations: + +- [/opt/iiab/iiab/roles/cups/tasks/install.yml](tasks/install.yml) + +Modify these 2 files at your own risk: + +- [/etc/cups/cupsd.conf](https://www.cups.org/doc/man-cupsd.conf.html) (run `sudo cupsctl` and `sudo cupsd -t` to verify the file!) +- [/etc/nginx/conf.d/cups.conf](templates/cups.conf.j2) + +If you make modifications to the above files, don't forget to restart systemd services: + +``` +systemctl restart cups cups-browsed nginx +``` + +## Docs and Updates + +- https://www.cups.org/documentation.html + - https://github.com/apple/cups/releases +- https://openprinting.github.io/cups/ + - https://github.com/OpenPrinting/cups/releases/ diff --git a/roles/cups/tasks/enable-or-disable.yml b/roles/cups/tasks/enable-or-disable.yml index 74a9ee702..2fb18c59d 100644 --- a/roles/cups/tasks/enable-or-disable.yml +++ b/roles/cups/tasks/enable-or-disable.yml @@ -1,9 +1,6 @@ -- name: systemd daemon-reload - systemd: - daemon_reload: yes - -- name: Enable & (Re)Start 'cups' and 'cups-browsed' systemd services (OS's other than Fedora 18) +- name: Enable & (Re)Start 'cups' and 'cups-browsed' systemd services (if cups_enabled) systemd: + #daemon_reload: yes name: "{{ item }}" enabled: yes state: restarted @@ -11,21 +8,10 @@ - cups - cups-browsed when: cups_enabled - #when: cups_enabled and not is_F18 -# - name: Enable & Start 'cups' systemd service (Fedora 18, for XO laptops) -# systemd: -# name: cups -# state: started -# enabled: yes -# when: cups_enabled and is_F18 - -- name: Permit headless admin of CUPS -- only works when CUPS daemon is running (if cups_enabled) - shell: "cupsctl --remote-admin" - when: cups_enabled - -- name: Disable & Stop 'cups' & 'cups-browsed' systemd services (OS's other than Fedora 18) +- name: Disable & Stop 'cups' & 'cups-browsed' systemd services (if not cups_enabled) systemd: + #daemon_reload: yes name: "{{ item }}" enabled: no state: stopped @@ -33,11 +19,7 @@ - cups - cups-browsed when: not cups_enabled - #when: not cups_enabled and not is_F18 -# - name: Disable & Stop 'cups' systemd service (Fedora 18, for XO laptops) -# systemd: -# name: cups -# enabled: no -# state: stopped -# when: not cups_enabled and is_F18 + +- name: Enable/Disable/Restart NGINX + include_tasks: nginx.yml diff --git a/roles/cups/tasks/install.yml b/roles/cups/tasks/install.yml index 91655f789..46856c37f 100644 --- a/roles/cups/tasks/install.yml +++ b/roles/cups/tasks/install.yml @@ -1,12 +1,125 @@ +# ADMINISTER CUPS AT http://box/print -- USERNAME 'Admin' & PASSWORD 'changeme' +# (OR ANY MEMBER OF LINUX GROUP 'lpadmin') AS SET UP BELOW... + + - name: Install 'cups' package package: name: cups state: present -- name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin - template: - src: cupsd.conf +# WARNING: 'apt install cups' AND 'apt install --reinstall cups' +# UNFORTUNATELY DO *NOT* RECREATE /etc/cups/cupsd.conf IF A PRIOR +# INSTALL OF CUPS EXISTED! SO OPTION #1 OR #2 ARE NEEDED BELOW: + +# OPTION #1: OLD WAY (BRITTLE) +# +# - name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin +# template: +# src: cupsd.conf.j2 +# dest: /etc/cups/cupsd.conf + +# OPTION #2: NEW WAY (MORE FUTURE-PROOF, WE HOPE!) + +- name: PLEASE RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf IF YOU MODIFY IT! The file will now be created -- by ~4 stanzas below. Also keep an eye on /var/log/cups/error_log + meta: noop + +- name: Copy /usr/share/cups/cupsd.conf.default to /etc/cups/cupsd.conf (root:lp, 0640) -- a timestamped backup of the prior 'cupsd.conf' will be saved in /etc/cups + copy: + src: /usr/share/cups/cupsd.conf.default dest: /etc/cups/cupsd.conf + owner: root + group: lp + mode: 0640 + backup: yes + +# 2021-07-12: lineinfile fails to insert the needed lines, as these same 2 lines +# already appear throughout /etc/cups/cupsd.conf -- so we use blockinfile below. +# +# - name: Insert 2 lines into /etc/cups/cupsd.conf to LOCK DOWN URL'S LIKE http://box/print/admin -- REQUIRING '{{ iiab_admin_user }}' AND ITS LINUX PASSWORD (to avoid accidental damage to /etc/cups/cupsd.conf and other CUPS settings) +# lineinfile: +# path: /etc/cups/cupsd.conf +# #regexp: +# line: "{{ item }}" +# insertafter: '^$' +# with_items: +# - " Require user @SYSTEM" # Will appear BELOW, in /etc/cups/cupsd.conf +# - " AuthType Default" # Will appear ABOVE, in /etc/cups/cupsd.conf + +- name: "CUPS web administration: Insert 2-line block into /etc/cups/cupsd.conf to LOCK DOWN URL'S LIKE http://box/print/admin TO LINUX GROUP 'lpadmin' -- to avoid accidental damage to /etc/cups/cupsd.conf and other CUPS settings. This uses 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 -> ~15 '@SYSTEM' lines and 'DefaultAuthType Basic' in /etc/cups/cupsd.conf" + blockinfile: + path: /etc/cups/cupsd.conf + insertafter: '^$' + block: |2 # Indent with 2 spaces, and surround block with 2 comment lines: "# BEGIN ANSIBLE MANAGED BLOCK", "# END ANSIBLE MANAGED BLOCK" + AuthType Default + Require user @SYSTEM + +- name: "CUPS web administration: Create Linux username 'Admin' with password 'changeme' in Linux group 'lpadmin' (shell: /usr/sbin/nologin, create_home: no)" + user: + name: Admin + append: yes # Don't clobber other groups, that other IIAB Apps might need. + groups: lpadmin + password: "{{ 'changeme' | password_hash('sha512') }}" # Random salt. Presumably runs 5000 rounds of SHA-512 per /etc/login.defs & /etc/pam.d/common-password -- https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#encrypting-and-checksumming-strings-and-passwords + create_home: no + shell: /usr/sbin/nologin # Debian/Ubuntu norm -- instead of /sbin/nologin, /bin/false + +# - name: Add user '{{ iiab_admin_user }}' to Linux group 'lpadmin' -- for CUPS web administration (or modify default 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 -> ~15 '@SYSTEM' lines in /etc/cups/cupsd.conf) +# #command: "gpasswd -a {{ iiab_admin_user | quote }} lpadmin" +# #command: "gpasswd -d {{ iiab_admin_user | quote }} lpadmin" +# user: +# name: "{{ iiab_admin_user }}" # iiab-admin +# append: yes +# groups: lpadmin + +- name: Start 'cups' systemd service as nec -- CUPS DAEMON MUST BE RUNNING FOR 'cupsctl' COMMAND JUST BELOW + systemd: + #daemon_reload: yes + name: cups + state: started + +# - name: Run 'cupsctl --remote-admin --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://172.18.96.1:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf +# command: cupsctl --remote-admin --share-printers --user-cancel-any + +# 2021-07-11: BOTH FLAGS *CANNOT* BE USED TOGETHER -- CHOOSE ONE OR THE OTHER: +# (1) '--remote-admin' AS ABOVE, OR (2) '--remote-any' AS BELOW. +# (RUN 'cupsctl' WITHOUT PARAMETERS TO CONFIRM THIS!) + +- name: Run 'cupsctl --remote-any --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://172.18.96.1:631 AND http://10.8.0.y:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf + command: cupsctl --remote-any --share-printers --user-cancel-any + +# 2021-07-11: In theory 'cupsctl' stanzas could be put in enable-or-disable.yml +# BUT LET'S AVOID THAT -- AS REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* +# /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) +# +# FYI repeated use of 'cupsctl' commands also removes comments and blank lines. +# +# - name: Run 'cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging' (if not cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf +# command: cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging +# when: not cups_enabled + +# - name: "2021-07-12: EXPERIMENTALLY ADD DIRECTIVES TO /etc/cups/cupsd.conf followed by 'systemctl restart cups'. As should no longer be nec thanks to NEW cups/templates/cups.conf for /etc/nginx/conf.d/cups.conf (followed by 'systemctl restart nginx'). Which FIXED URL'S LIKE: http://box/print, http://box.lan/print, http://192.168.0.x/print, http://172.18.96.1/print and http://10.8.0.x/print (WITH OR WITHOUT THE TRAILING SLASH!) RECAP: (1) So be it that these 2 URL'S STILL DON'T WORK: http://box:631, http://box.lan:631 (due to CUPS' internal web server's overly stringent hostname checks, i.e. '400 Bad Request' and 'Request from \"localhost\" using invalid Host: field \"box[.lan]:631\".' in /var/log/cups/error_log) -- (2) While these 2 URL'S STILL DO WORK: http://localhost:631, http://127.0.0.1:631 -- (3) Whereas these 3 URL'S NO LONGER WORK: http://192.168.0.x:631, http://172.18.96.1:631, http://10.8.0.x:631 (now that we're suddenly hewing closer to the default /etc/cups/cupsd.conf)" +# lineinfile: +# path: /etc/cups/cupsd.conf +# line: "{{ item }}" +# insertbefore: '^Listen .*/run/cups/cups.sock$' # Also matches old form: '^Listen /var/run/cups/cups.sock$' +# with_items: +# - "HostNameLookups On" # More False Leads: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027 +# - "ServerAlias *" +# - "#ServerName {{ iiab_hostname }}.{{ iiab_domain }}" # box.lan +# - "#Listen {{ lan_ip }}:631" # 172.18.96.1 +# - "#Listen 127.0.0.1:631" +# - "#Listen 0.0.0.0:631" +# - "#Listen *:631" + +# - name: "OPTIONAL: Change 'MaxLogSize 0' (no log rotation) to 'MaxLogSize 1m' (log rotation at 1MB) in /etc/cups/cupsd.conf (EITHER WAY LOG BLOAT IS A RISK!)" +# lineinfile: +# path: /etc/cups/cupsd.conf +# regexp: '^MaxLogSize ' +# insertbefore: 'Listen ' +# firstmatch: yes +# line: "MaxLogSize 1m" # CUPS Documentation (claims!) log rotation at "1m" is the default. But In Practice: 'MaxLogSize 0' (no log rotation) is now part of /usr/share/cups/cupsd.conf.default + +# REMINDER: 3 SYSTEMD SERVICES WILL BE RESTARTED (cups, cups-browsed, nginx) +# LATER IN enable-or-disable.yml, SO /etc/cups/cupsd.conf (ETC) TAKE EFFECT! # RECORD CUPS AS INSTALLED diff --git a/roles/cups/tasks/main.yml b/roles/cups/tasks/main.yml index 32e65e4e6..2c9531814 100644 --- a/roles/cups/tasks/main.yml +++ b/roles/cups/tasks/main.yml @@ -1,10 +1,5 @@ -# Administer CUPS at http://box:631 -# Above URL does NOT work over OpenVPN (ANYONE KNOW WHY?) - -# TO DO: -# -# - CREATE /etc/nginx/conf.d/cups-nginx.conf as SHIM to Apache on port 8090. -# SEE OTHERS @ https://github.com/iiab/iiab/blob/master/roles/nginx/README.md +# ADMINISTER CUPS AT http://box/print -- USERNAME 'Admin' & PASSWORD 'changeme' +# (OR ANY MEMBER OF LINUX GROUP 'lpadmin') PER cups/tasks/install.yml # "How do i fail a task in Ansible if the variable contains a boolean value? diff --git a/roles/cups/tasks/nginx.yml b/roles/cups/tasks/nginx.yml new file mode 100644 index 000000000..886a15c14 --- /dev/null +++ b/roles/cups/tasks/nginx.yml @@ -0,0 +1,16 @@ +- name: Enable http://box/print via NGINX, by installing {{ nginx_conf_dir }}/cups.conf from template + template: + src: cups.conf.j2 + dest: "{{ nginx_conf_dir }}/cups.conf" # /etc/nginx/conf.d + when: cups_enabled + +- name: Disable http://box/print via NGINX, by removing {{ nginx_conf_dir }}/cups.conf + file: + path: "{{ nginx_conf_dir }}/cups.conf" + state: absent + when: not cups_enabled + +- name: Restart 'nginx' systemd service + systemd: + name: nginx + state: restarted diff --git a/roles/cups/templates/cups.conf b/roles/cups/templates/cups.conf deleted file mode 100644 index 8cf2b199f..000000000 --- a/roles/cups/templates/cups.conf +++ /dev/null @@ -1,2 +0,0 @@ -ProxyPass /cups http://localhost:631 -ProxyPassReverse /cups http://localhost:631 diff --git a/roles/cups/templates/cups.conf.j2 b/roles/cups/templates/cups.conf.j2 new file mode 100644 index 000000000..abec5152d --- /dev/null +++ b/roles/cups/templates/cups.conf.j2 @@ -0,0 +1,73 @@ +# ADMINISTER CUPS AT http://box/print -- USERNAME 'Admin' & PASSWORD 'changeme' +# (OR ANY MEMBER OF LINUX GROUP 'lpadmin') PER cups/tasks/install.yml + + +# 2021-07-13: Let's redirect to CUPS' own web server for now, as proxying +# (commented out below) has many glitches, e.g. CUPS' https connections etc. + +location ~ ^/print(|/.*)$ { # '~' -> '~*' for case-insensitive regex + + # 2021-07-13: Work around CUPS failure to serve http://box[.lan]:631 "since + # 2009" -- e.g. '400 Bad Request' error 'Request from "localhost" using + # invalid Host: field "box[.lan]:631".' in /var/log/cups/error_log, DESPITE + # adding 'HostNameLookups On', 'ServerAlias *' etc to /etc/cups/cupsd.conf + # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027 + + if ($host ~ '{{ iiab_hostname }}(|.{{ iiab_domain }})') { + return 301 http://localhost:631; # Or http://127.0.0.1:631 + } + + if ($host ~ 'box(|.lan)') { # /etc/hosts may have BOTH above AND box.lan + return 301 http://localhost:631; + } + + return 301 http://$host:631; # For 192.168.0.x, 172.18.96.1, 10.8.0.y ETC +} + + +# https://anthe.studio/blog/en/cups-nginx-reverse-proxy +# https://toggen.com.au/it-tips/reverse-proxy-cups-in-nginx/ +# https://www.robpeck.com/2020/09/proxying-cups-ipp-using-nginx/ + +# location = /print { +# return 301 /print/; # "Moved Permanently" redirect +# #rewrite /print /print/; # Faster, if links are fixed! +# } + +## location ~ ^/print(|/.*)$ { +## proxy_pass https://127.0.0.1:631$1; # Fails: trailing slash nec here +# location ~ ^/print/(.*) { +# proxy_pass https://127.0.0.1:631/$1; +# +# #proxy_http_version 1.1; +# #proxy_set_header Accept-Encoding ""; +# #proxy_set_header Upgrade $http_upgrade; +# #proxy_set_header Connection 'upgrade'; +# proxy_set_header Host '127.0.0.1'; +# proxy_cache_bypass $http_upgrade; +# +# proxy_set_header X-Real-IP $remote_addr; +# #proxy_set_header X-Forward-For $proxy_add_x_forwarded_for; +# #proxy_set_header X-Forwarded-Host $server_name; +# +# sub_filter ' href="/' ' href="/print/'; +# sub_filter ' action="/' ' action="/print/'; +# sub_filter ' src="/' ' src="/print/'; +# #sub_filter 'ACTION="/' 'ACTION="/print/'; +# #sub_filter 'URL=/' 'URL=/print/'; +# sub_filter_types *; +# sub_filter_once off; +# } + +# location ~ /cups/(.*) { +# proxy_pass http://127.0.0.1:631/$1; +# proxy_set_header Host '127.0.0.1'; +# proxy_cache_bypass $http_upgrade; +# proxy_set_header X-Real-IP $remote_addr; +# +# sub_filter ' href="/' ' href="/cups/'; +# sub_filter ' action="/' ' action="/cups/'; +# sub_filter ' src="/' ' src="/cups/'; +# sub_filter_types *; +# sub_filter_once off; +# } diff --git a/roles/cups/templates/cupsd.conf b/roles/cups/templates/cupsd.conf.j2.unused similarity index 98% rename from roles/cups/templates/cupsd.conf rename to roles/cups/templates/cupsd.conf.j2.unused index 92a395cb8..254f7d4a8 100644 --- a/roles/cups/templates/cupsd.conf +++ b/roles/cups/templates/cupsd.conf.j2.unused @@ -1,8 +1,8 @@ ServerAlias * LogLevel warn MaxLogSize 1m -Listen {{ lan_ip }}:631 -Listen localhost:631 +#Listen {{ lan_ip }}:631 +Listen 127.0.0.1:631 Listen /var/run/cups/cups.sock Browsing On BrowseLocalProtocols dnssd diff --git a/roles/gitea/templates/gitea-nginx.conf.j2 b/roles/gitea/templates/gitea-nginx.conf.j2 index 7276bd543..18c3185bd 100644 --- a/roles/gitea/templates/gitea-nginx.conf.j2 +++ b/roles/gitea/templates/gitea-nginx.conf.j2 @@ -1,3 +1,3 @@ location {{ gitea_url }}/ { - proxy_pass http://127.0.0.1:{{ gitea_port }}/; + proxy_pass http://127.0.0.1:{{ gitea_port }}/; } diff --git a/roles/kiwix/templates/kiwix-nginx.conf.j2 b/roles/kiwix/templates/kiwix-nginx.conf.j2 index 000a3dcc2..0b830daf2 100644 --- a/roles/kiwix/templates/kiwix-nginx.conf.j2 +++ b/roles/kiwix/templates/kiwix-nginx.conf.j2 @@ -1,11 +1,11 @@ location {{ kiwix_url }} { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_connect_timeout {{ kiwix_nginx_timeout }}; - proxy_send_timeout {{ kiwix_nginx_timeout }}; - proxy_read_timeout {{ kiwix_nginx_timeout }}; - send_timeout {{ kiwix_nginx_timeout }}; - proxy_pass http://127.0.0.1:3000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_connect_timeout {{ kiwix_nginx_timeout }}; + proxy_send_timeout {{ kiwix_nginx_timeout }}; + proxy_read_timeout {{ kiwix_nginx_timeout }}; + send_timeout {{ kiwix_nginx_timeout }}; + proxy_pass http://127.0.0.1:3000; } diff --git a/roles/kolibri/templates/kolibri-nginx.conf.j2 b/roles/kolibri/templates/kolibri-nginx.conf.j2 index c3326aeaf..e82f23478 100644 --- a/roles/kolibri/templates/kolibri-nginx.conf.j2 +++ b/roles/kolibri/templates/kolibri-nginx.conf.j2 @@ -1,8 +1,8 @@ location {{ kolibri_url }} { - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Scheme $scheme; - proxy_set_header X-Script-Name {{ kolibri_url_without_slash }}; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Scheme $scheme; + proxy_set_header X-Script-Name {{ kolibri_url_without_slash }}; proxy_pass http://127.0.0.1:8009; } diff --git a/roles/lokole/templates/lokole-nginx.conf.j2 b/roles/lokole/templates/lokole-nginx.conf.j2 index 1cd58eb80..a2084a160 100644 --- a/roles/lokole/templates/lokole-nginx.conf.j2 +++ b/roles/lokole/templates/lokole-nginx.conf.j2 @@ -1,14 +1,14 @@ location = {{ lokole_url }}/favicon.ico { - alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/favicon.ico; + alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/favicon.ico; } location ~ ^{{ lokole_url }}/static/(.*)$ { - alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/$1; + alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/$1; } location {{ lokole_url }}/ { - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://unix:/{{ lokole_domain_socket }}; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_pass http://unix:/{{ lokole_domain_socket }}; } diff --git a/roles/mediawiki/templates/mediawiki-nginx.conf.j2 b/roles/mediawiki/templates/mediawiki-nginx.conf.j2 index fdb19dba2..877982c49 100644 --- a/roles/mediawiki/templates/mediawiki-nginx.conf.j2 +++ b/roles/mediawiki/templates/mediawiki-nginx.conf.j2 @@ -5,25 +5,28 @@ # $wgUsePathInfo = true; location ~ ^/{{ mediawiki_symlink }}/(index|load|api|thumb|opensearch_desc)\.php$ { - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_pass php; # or whatever port your PHP-FPM listens on + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass php; # or whatever port your PHP-FPM listens on } # Images location /{{ mediawiki_symlink }}/images { # Separate location for images/ so .php execution won't apply } + location /{{ mediawiki_symlink }}/images/deleted { # Deny access to deleted images folder deny all; } + # MediaWiki assets (usually images) location ~ ^/{{ mediawiki_symlink }}/resources/(assets|lib|src) { try_files $uri 404; add_header Cache-Control "public"; expires 7d; } + # Assets, scripts and styles from skins and extensions location ~ ^/{{ mediawiki_symlink }}/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg|ttf|woff|woff2)$ { try_files $uri 404; @@ -31,16 +34,15 @@ location ~ ^/{{ mediawiki_symlink }}/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg expires 7d; } - ## Uncomment the following code if you wish to use the installer/updater ## installer/updater #location /{{ mediawiki_symlink }}/mw-config/ { -# # Do this inside of a location so it can be negated -# location ~ \.php$ { -# include /etc/nginx/fastcgi_params; -# fastcgi_param SCRIPT_FILENAME $document_root/{{ mediawiki_symlink }}/mw-config/$fastcgi_script_name; -# fastcgi_pass 127.0.0.1:9000; # or whatever port your PHP-FPM listens on -# } +# # Do this inside of a location so it can be negated +# location ~ \.php$ { +# include /etc/nginx/fastcgi_params; +# fastcgi_param SCRIPT_FILENAME $document_root/{{ mediawiki_symlink }}/mw-config/$fastcgi_script_name; +# fastcgi_pass 127.0.0.1:9000; # or whatever port your PHP-FPM listens on +# } #} # Handling for the article path (pretty URLs) diff --git a/roles/munin/templates/munin24-nginx.conf.j2 b/roles/munin/templates/munin24-nginx.conf.j2 index dbbcc2795..28a930f8f 100644 --- a/roles/munin/templates/munin24-nginx.conf.j2 +++ b/roles/munin/templates/munin24-nginx.conf.j2 @@ -1,4 +1,4 @@ -location /munin { - alias /var/cache/munin/www/ ; - try_files $uri $uri/ /index.html; +location /munin { + alias /var/cache/munin/www/ ; + try_files $uri $uri/ /index.html; } diff --git a/roles/nginx/README.md b/roles/nginx/README.md index 0865e4d9d..43bd5dc6e 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -10,7 +10,7 @@ 2. Without PHP available via FastCGI, any function at all for PHP-based applications validates NGINX. -3. Current state of IIAB App/Service migrations as of 2021-07-06: *(SEE ALSO [#2762](https://github.com/iiab/iiab/issues/2762))* +3. Current state of IIAB App/Service migrations as of 2021-07-13: *(SEE ALSO [#2762](https://github.com/iiab/iiab/issues/2762))* 1. These support "Native" NGINX but ***NOT*** Apache @@ -41,13 +41,13 @@ 3. These support Apache but ***NOT*** "Native" NGINX. They use a "Shim" to [proxy_pass](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) from NGINX to Apache on port 8090. See [roles/3-base-server/tasks/main.yml#L11](../3-base-server/tasks/main.yml#L11) for a list of ~6 IIAB Apps/Services that auto-enable Apache. - * elgg + * elgg [*, should be deprecated, or considered for a complete overhaul from ancient Elgg 2.x to 4.x?] 4. These each run their own web server or non-web / backend services, e.g. off of their own [unique port(s)](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services) (IIAB home pages link directly to these destinations). In future we'd like mnemonic URL's for all of these: (e.g. http://box/calibre, http://box/archive, http://box/kalite) * bluetooth * calibre (menu goes directly to port 8080) - * cups (menu goes directly to port 631) [*, shim not yet in place, [PR #2775](https://github.com/iiab/iiab/pull/2775)] + * cups (NGINX redirects http://box/print to port 631, changing hostname as appropriate, per [PR #2858](https://github.com/iiab/iiab/pull/2858)) * internetarchive (menu goes directly to port 4244) [*, [PR #2120](https://github.com/iiab/iiab/pull/2120)] * kalite (menu goes directly to ports 8006-8008) * minetest @@ -60,4 +60,4 @@ * transmission * vnstat -[*] The 4 above starred roles could use improvement, as of 2021-07-06. +[*] The 4 above starred roles could use improvement, as of 2021-07-13. diff --git a/roles/nginx/templates/iiab.conf.j2 b/roles/nginx/templates/iiab.conf.j2 index 954d0f805..b66f69cfa 100644 --- a/roles/nginx/templates/iiab.conf.j2 +++ b/roles/nginx/templates/iiab.conf.j2 @@ -30,11 +30,11 @@ location /js-menu/ { location /software/ { fancyindex on; # Enable fancy indexes. fancyindex_exact_size off; # Output human-readable file sizes. - location ~* \.(apk)$ { + location ~* \.(apk)$ { add_header Content-Type application/vnd.android.package-archive; - } + } - location ~* \.(zim)$ { + location ~* \.(zim)$ { add_header Content-Type application/zip; - } + } } diff --git a/roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf.j2 b/roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf.j2 index b9c3b634e..c130e75d5 100644 --- a/roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf.j2 +++ b/roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf.j2 @@ -1,7 +1,8 @@ # For downloadable regional vector tilesets location ~ ^/maps { - rewrite ^/maps(.*)$ /osm-vector-maps/viewer$1; + rewrite ^/maps(.*)$ /osm-vector-maps/viewer$1; } + location ~ ^/osm-vector-maps(.*)\.php(.*)$ { alias /library/www/osm-vector-maps$1.php$2; # /library/www/osm-vector-maps proxy_set_header X-Real-IP $remote_addr; @@ -11,10 +12,11 @@ location ~ ^/osm-vector-maps(.*)\.php(.*)$ { fastcgi_index index.html; include fastcgi_params; fastcgi_split_path_info ^(.+\.php)(.*)$; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param SCRIPT_NAME $fastcgi_script_name; - fastcgi_param PATH_INFO $2; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + fastcgi_param PATH_INFO $2; } + location ~ ^/osm-vector-maps/ { - root /library/www; + root /library/www; } diff --git a/roles/sugarizer/templates/sugarizer-nginx.conf.j2 b/roles/sugarizer/templates/sugarizer-nginx.conf.j2 index 29fb7a212..a4f936119 100644 --- a/roles/sugarizer/templates/sugarizer-nginx.conf.j2 +++ b/roles/sugarizer/templates/sugarizer-nginx.conf.j2 @@ -2,9 +2,9 @@ # If you need to change this, edit /etc/iiab/local_vars.yml prior to installing location /sugarizer { - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Scheme $scheme; - proxy_set_header X-Script-Name /sugarizer; - proxy_pass http://127.0.0.1:{{ sugarizer_port }}; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Scheme $scheme; + proxy_set_header X-Script-Name /sugarizer; + proxy_pass http://127.0.0.1:{{ sugarizer_port }}; } diff --git a/roles/wordpress/templates/wordpress-nginx.conf.j2 b/roles/wordpress/templates/wordpress-nginx.conf.j2 index 2c023dc2e..d3dd4e789 100644 --- a/roles/wordpress/templates/wordpress-nginx.conf.j2 +++ b/roles/wordpress/templates/wordpress-nginx.conf.j2 @@ -1,20 +1,19 @@ -location {{ wp_url }} { +location {{ wp_url }} { #rewrite_log on; root {{ content_base }}; try_files $uri $uri/ /wordpress/index.php$is_args$args; - + location ~ .*\.php$ { - - include fastcgi_params; - fastcgi_pass php; - fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - } - - location ~ ^({{ wp_url }})(/.*)/$ { - include fastcgi_params; - fastcgi_pass php; - fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME {{ wp_abs_path }}/index.php; - } + include fastcgi_params; + fastcgi_pass php; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + } + + location ~ ^({{ wp_url }})(/.*)/$ { + include fastcgi_params; + fastcgi_pass php; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME {{ wp_abs_path }}/index.php; + } } diff --git a/test.yml b/test.yml new file mode 100644 index 000000000..be808dc92 --- /dev/null +++ b/test.yml @@ -0,0 +1,35 @@ +# TEST ANSIBLE COMMANDS/MODULES IN SECONDS -- BY RUNNING: +# ansible-playbook -i ansible_hosts test.yml --connection=local + +- hosts: all + become: yes # Optional privilege escalation + + #vars_files: + #- roles/0-init/defaults/main.yml + #- vars/default_vars.yml + #- vars/{{ ansible_local.local_facts.os_ver }}.yml + #- /etc/iiab/local_vars.yml + #- /etc/iiab/iiab_state.yml + + #roles: + # - { role: 0-init } + + tasks: + + #- include_role: + # name: 0-init + + - debug: + msg: "{{ 'changeme' | password_hash('sha512') }}" + + #- pause: + + - name: DOUBLE UP to escape single quotes... '"''"' e.g. iiab.ini Munin description + debug: + msg: '"''"' # FAILS: '"\'"' + + - name: BACKSLASH to escape double quotes... "'\"'" e.g. cups/tasks/install.yml + debug: + msg: "'\"'" # FAILS: "'""'" + + # TEST ANSIBLE COMMANDS/MODULES HERE!