Merge pull request #2858 from holta/cups-nginx

CUPS Printing: Spring Cleaning + NGINX fix for URL's like http://box/print + hardening of URL's like http://box/print/admin
2025-03-09 15:40:17 +00:00 · 2021-07-14 00:30:36 -04:00 · 2021-07-14 00:30:36 -04:00 · 7fccd87fed
commit 7fccd87fed
parent 9955aeddd4 4fb858bcf2
20 changed files with 364 additions and 105 deletions
--- a/roles/cups/README.md
+++ b/roles/cups/README.md
@ -0,0 +1,44 @@
 # CUPS Printing README
 ## Web Administration
 Please administer CUPS at http://box/print using:
 - Username: `Admin`
 - Password: `changeme`
 Or use any Linux user that is a member of the Linux group: `lpadmin`
 ## Security
 The above uses 'SystemGroup lpadmin' in `/etc/cups/cups-files.conf` &mdash; in coordination with about 15 '@SYSTEM' lines and 'DefaultAuthType Basic' in `/etc/cups/cupsd.conf`
 CUPS creates a 10-year (unsigned) https certificate during installation, that will be very confusing to non-technical users when they log in, as a result of modern browser warnings.
 ## How it Works
 http://localhost:631 can be useful if NGINX redirects or CUPS permissions are set wrong.
 Beware that http://box:631 and http://box.lan:631 will not work, due to a [known issue](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027) with CUPS since 2009.
 Understand how IIAB configures CUPS for all IP addresses and all hostnames (despite the above CUPS problem!) by reading these in-line explanations:
 - [/opt/iiab/iiab/roles/cups/tasks/install.yml](tasks/install.yml)
 Modify these 2 files at your own risk:
 - [/etc/cups/cupsd.conf](https://www.cups.org/doc/man-cupsd.conf.html) (run `sudo cupsctl` and `sudo cupsd -t` to verify the file!)
 - [/etc/nginx/conf.d/cups.conf](templates/cups.conf.j2)
 If you make modifications to the above files, don't forget to restart systemd services:
 ```
 systemctl restart cups cups-browsed nginx
 ```
 ## Docs and Updates
 - https://www.cups.org/documentation.html
  - https://github.com/apple/cups/releases
 - https://openprinting.github.io/cups/
  - https://github.com/OpenPrinting/cups/releases/
--- a/roles/cups/tasks/enable-or-disable.yml
+++ b/roles/cups/tasks/enable-or-disable.yml
@ -1,9 +1,6 @@
- name: systemd daemon-reload
+- name: Enable & (Re)Start 'cups' and 'cups-browsed' systemd services (if cups_enabled)
  systemd:
    daemon_reload: yes
 - name: Enable & (Re)Start 'cups' and 'cups-browsed' systemd services (OS's other than Fedora 18)
  systemd:
    #daemon_reload: yes
    name: "{{ item }}"
    enabled: yes
    state: restarted
@ -11,21 +8,10 @@
    - cups
    - cups-browsed
  when: cups_enabled
  #when: cups_enabled and not is_F18
-# - name: Enable & Start 'cups' systemd service (Fedora 18, for XO laptops)
+- name: Disable & Stop 'cups' & 'cups-browsed' systemd services (if not cups_enabled)
 #   systemd:
 #     name: cups
 #     state: started
 #     enabled: yes
 #   when: cups_enabled and is_F18
 - name: Permit headless admin of CUPS -- only works when CUPS daemon is running (if cups_enabled)
  shell: "cupsctl --remote-admin"
  when: cups_enabled
 - name: Disable & Stop 'cups' & 'cups-browsed' systemd services (OS's other than Fedora 18)
  systemd:
    #daemon_reload: yes
    name: "{{ item }}"
    enabled: no
    state: stopped
@ -33,11 +19,7 @@
    - cups
    - cups-browsed
  when: not cups_enabled
  #when: not cups_enabled and not is_F18
-# - name: Disable & Stop 'cups' systemd service (Fedora 18, for XO laptops)
+
-#   systemd:
+- name: Enable/Disable/Restart NGINX
-#     name: cups
+  include_tasks: nginx.yml
 #     enabled: no
 #     state: stopped
 #   when: not cups_enabled and is_F18
--- a/roles/cups/tasks/install.yml
+++ b/roles/cups/tasks/install.yml
@ -1,12 +1,125 @@
 # ADMINISTER CUPS AT http://box/print -- USERNAME 'Admin' & PASSWORD 'changeme'
 # (OR ANY MEMBER OF LINUX GROUP 'lpadmin') AS SET UP BELOW...
 - name: Install 'cups' package
  package:
    name: cups
    state: present
- name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin
+# WARNING: 'apt install cups' AND 'apt install --reinstall cups'
-  template:
+# UNFORTUNATELY DO *NOT* RECREATE /etc/cups/cupsd.conf IF A PRIOR
-    src: cupsd.conf
+# INSTALL OF CUPS EXISTED!  SO OPTION #1 OR #2 ARE NEEDED BELOW:
 # OPTION #1: OLD WAY (BRITTLE)
 #
 # - name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin
 #   template:
 #     src: cupsd.conf.j2
 #     dest: /etc/cups/cupsd.conf
 # OPTION #2: NEW WAY (MORE FUTURE-PROOF, WE HOPE!)
 - name: PLEASE RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf IF YOU MODIFY IT!  The file will now be created -- by ~4 stanzas below.  Also keep an eye on /var/log/cups/error_log
  meta: noop
 - name: Copy /usr/share/cups/cupsd.conf.default to /etc/cups/cupsd.conf (root:lp, 0640) -- a timestamped backup of the prior 'cupsd.conf' will be saved in /etc/cups
  copy:
    src: /usr/share/cups/cupsd.conf.default
    dest: /etc/cups/cupsd.conf
    owner: root
    group: lp
    mode: 0640
    backup: yes
 # 2021-07-12: lineinfile fails to insert the needed lines, as these same 2 lines
 # already appear throughout /etc/cups/cupsd.conf -- so we use blockinfile below.
 #
 # - name: Insert 2 lines into /etc/cups/cupsd.conf to LOCK DOWN URL'S LIKE http://box/print/admin -- REQUIRING '{{ iiab_admin_user }}' AND ITS LINUX PASSWORD (to avoid accidental damage to /etc/cups/cupsd.conf and other CUPS settings)
 #   lineinfile:
 #     path: /etc/cups/cupsd.conf
 #     #regexp:
 #     line: "{{ item }}"
 #     insertafter: '^<Location /admin>$'
 #   with_items:
 #     - "  Require user @SYSTEM"    # Will appear BELOW, in /etc/cups/cupsd.conf
 #     - "  AuthType Default"        # Will appear ABOVE, in /etc/cups/cupsd.conf
 - name: "CUPS web administration: Insert 2-line block into /etc/cups/cupsd.conf to LOCK DOWN URL'S LIKE http://box/print/admin TO LINUX GROUP 'lpadmin' -- to avoid accidental damage to /etc/cups/cupsd.conf and other CUPS settings.  This uses 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 -> ~15 '@SYSTEM' lines and 'DefaultAuthType Basic' in /etc/cups/cupsd.conf"
  blockinfile:
    path: /etc/cups/cupsd.conf
    insertafter: '^<Location /admin>$'
    block: |2    # Indent with 2 spaces, and surround block with 2 comment lines: "# BEGIN ANSIBLE MANAGED BLOCK", "# END ANSIBLE MANAGED BLOCK"
        AuthType Default
        Require user @SYSTEM
 - name: "CUPS web administration: Create Linux username 'Admin' with password 'changeme' in Linux group 'lpadmin' (shell: /usr/sbin/nologin, create_home: no)"
  user:
    name: Admin
    append: yes    # Don't clobber other groups, that other IIAB Apps might need.
    groups: lpadmin
    password: "{{ 'changeme' | password_hash('sha512') }}"    # Random salt.  Presumably runs 5000 rounds of SHA-512 per /etc/login.defs & /etc/pam.d/common-password -- https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#encrypting-and-checksumming-strings-and-passwords
    create_home: no
    shell: /usr/sbin/nologin    # Debian/Ubuntu norm -- instead of /sbin/nologin, /bin/false
 # - name: Add user '{{ iiab_admin_user }}' to Linux group 'lpadmin' -- for CUPS web administration (or modify default 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 -> ~15 '@SYSTEM' lines in /etc/cups/cupsd.conf)
 #   #command: "gpasswd -a {{ iiab_admin_user | quote }} lpadmin"
 #   #command: "gpasswd -d {{ iiab_admin_user | quote }} lpadmin"
 #   user:
 #     name: "{{ iiab_admin_user }}"    # iiab-admin
 #     append: yes
 #     groups: lpadmin
 - name: Start 'cups' systemd service as nec -- CUPS DAEMON MUST BE RUNNING FOR 'cupsctl' COMMAND JUST BELOW
  systemd:
    #daemon_reload: yes
    name: cups
    state: started
 # - name: Run 'cupsctl --remote-admin --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://172.18.96.1:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf
 #   command: cupsctl --remote-admin --share-printers --user-cancel-any
 # 2021-07-11: BOTH FLAGS *CANNOT* BE USED TOGETHER -- CHOOSE ONE OR THE OTHER:
 # (1) '--remote-admin' AS ABOVE, OR (2) '--remote-any' AS BELOW.
 # (RUN 'cupsctl' WITHOUT PARAMETERS TO CONFIRM THIS!)
 - name: Run 'cupsctl --remote-any --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://172.18.96.1:631 AND http://10.8.0.y:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf
  command: cupsctl --remote-any --share-printers --user-cancel-any
 # 2021-07-11: In theory 'cupsctl' stanzas could be put in enable-or-disable.yml
 # BUT LET'S AVOID THAT -- AS REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE*
 # /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!)
 #
 # FYI repeated use of 'cupsctl' commands also removes comments and blank lines.
 #
 # - name: Run 'cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging' (if not cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf
 #   command: cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging
 #   when: not cups_enabled
 # - name: "2021-07-12: EXPERIMENTALLY ADD DIRECTIVES TO /etc/cups/cupsd.conf followed by 'systemctl restart cups'.  As should no longer be nec thanks to NEW cups/templates/cups.conf for /etc/nginx/conf.d/cups.conf (followed by 'systemctl restart nginx').  Which FIXED URL'S LIKE: http://box/print, http://box.lan/print, http://192.168.0.x/print, http://172.18.96.1/print and http://10.8.0.x/print (WITH OR WITHOUT THE TRAILING SLASH!)  RECAP: (1) So be it that these 2 URL'S STILL DON'T WORK: http://box:631, http://box.lan:631 (due to CUPS' internal web server's overly stringent hostname checks, i.e. '400 Bad Request' and 'Request from \"localhost\" using invalid Host: field \"box[.lan]:631\".' in /var/log/cups/error_log) -- (2) While these 2 URL'S STILL DO WORK: http://localhost:631, http://127.0.0.1:631 -- (3) Whereas these 3 URL'S NO LONGER WORK: http://192.168.0.x:631, http://172.18.96.1:631, http://10.8.0.x:631 (now that we're suddenly hewing closer to the default /etc/cups/cupsd.conf)"
 #   lineinfile:
 #     path: /etc/cups/cupsd.conf
 #     line: "{{ item }}"
 #     insertbefore: '^Listen .*/run/cups/cups.sock$'    # Also matches old form: '^Listen /var/run/cups/cups.sock$'
 #   with_items:
 #     - "HostNameLookups On"    # More False Leads: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027
 #     - "ServerAlias *"
 #     - "#ServerName {{ iiab_hostname }}.{{ iiab_domain }}"    # box.lan
 #     - "#Listen {{ lan_ip }}:631"    # 172.18.96.1
 #     - "#Listen 127.0.0.1:631"
 #     - "#Listen 0.0.0.0:631"
 #     - "#Listen *:631"
 # - name: "OPTIONAL: Change 'MaxLogSize 0' (no log rotation) to 'MaxLogSize 1m' (log rotation at 1MB) in /etc/cups/cupsd.conf (EITHER WAY LOG BLOAT IS A RISK!)"
 #   lineinfile:
 #     path: /etc/cups/cupsd.conf
 #     regexp: '^MaxLogSize '
 #     insertbefore: 'Listen '
 #     firstmatch: yes
 #     line: "MaxLogSize 1m"    # CUPS Documentation (claims!) log rotation at "1m" is the default.  But In Practice: 'MaxLogSize 0' (no log rotation) is now part of /usr/share/cups/cupsd.conf.default
 # REMINDER: 3 SYSTEMD SERVICES WILL BE RESTARTED (cups, cups-browsed, nginx)
 # LATER IN enable-or-disable.yml, SO /etc/cups/cupsd.conf (ETC) TAKE EFFECT!
 # RECORD CUPS AS INSTALLED
--- a/roles/cups/tasks/main.yml
+++ b/roles/cups/tasks/main.yml
@ -1,10 +1,5 @@
-# Administer CUPS at http://box:631
+# ADMINISTER CUPS AT http://box/print -- USERNAME 'Admin' & PASSWORD 'changeme'
-# Above URL does NOT work over OpenVPN (ANYONE KNOW WHY?)
+# (OR ANY MEMBER OF LINUX GROUP 'lpadmin') PER cups/tasks/install.yml
 # TO DO:
 #
 # - CREATE /etc/nginx/conf.d/cups-nginx.conf as SHIM to Apache on port 8090.
 #   SEE OTHERS @ https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
 # "How do i fail a task in Ansible if the variable contains a boolean value?
--- a/roles/cups/tasks/nginx.yml
+++ b/roles/cups/tasks/nginx.yml
@ -0,0 +1,16 @@
 - name: Enable http://box/print via NGINX, by installing {{ nginx_conf_dir }}/cups.conf from template
  template:
    src: cups.conf.j2
    dest: "{{ nginx_conf_dir }}/cups.conf"    # /etc/nginx/conf.d
  when: cups_enabled
 - name: Disable http://box/print via NGINX, by removing {{ nginx_conf_dir }}/cups.conf
  file:
    path: "{{ nginx_conf_dir }}/cups.conf"
    state: absent
  when: not cups_enabled
 - name: Restart 'nginx' systemd service
  systemd:
    name: nginx
    state: restarted
--- a/roles/cups/templates/cups.conf
+++ b/roles/cups/templates/cups.conf
@ -1,2 +0,0 @@
 ProxyPass /cups http://localhost:631
 ProxyPassReverse /cups http://localhost:631
--- a/roles/cups/templates/cups.conf.j2
+++ b/roles/cups/templates/cups.conf.j2
@ -0,0 +1,73 @@
 # ADMINISTER CUPS AT http://box/print -- USERNAME 'Admin' & PASSWORD 'changeme'
 # (OR ANY MEMBER OF LINUX GROUP 'lpadmin') PER cups/tasks/install.yml
 # 2021-07-13: Let's redirect to CUPS' own web server for now, as proxying
 # (commented out below) has many glitches, e.g. CUPS' https connections etc.
 location ~ ^/print(|/.*)$ {    # '~' -> '~*' for case-insensitive regex
    # 2021-07-13: Work around CUPS failure to serve http://box[.lan]:631 "since
    # 2009" -- e.g. '400 Bad Request' error 'Request from "localhost" using
    # invalid Host: field "box[.lan]:631".' in /var/log/cups/error_log, DESPITE
    # adding 'HostNameLookups On', 'ServerAlias *' etc to /etc/cups/cupsd.conf
    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027
    if ($host ~ '{{ iiab_hostname }}(|.{{ iiab_domain }})') {
        return 301 http://localhost:631;    # Or http://127.0.0.1:631
    }
    if ($host ~ 'box(|.lan)') {    # /etc/hosts may have BOTH above AND box.lan
        return 301 http://localhost:631;
    }
    return 301 http://$host:631;   # For 192.168.0.x, 172.18.96.1, 10.8.0.y ETC
 }
 # https://anthe.studio/blog/en/cups-nginx-reverse-proxy
 # https://toggen.com.au/it-tips/reverse-proxy-cups-in-nginx/
 # https://www.robpeck.com/2020/09/proxying-cups-ipp-using-nginx/
 # location = /print {
 #     return 301 /print/;    # "Moved Permanently" redirect
 #     #rewrite /print /print/;    # Faster, if links are fixed!
 # }
 ## location ~ ^/print(|/.*)$ {
 ##     proxy_pass https://127.0.0.1:631$1;    # Fails: trailing slash nec here
 # location ~ ^/print/(.*) {
 #     proxy_pass https://127.0.0.1:631/$1;
 #
 #     #proxy_http_version 1.1;
 #     #proxy_set_header Accept-Encoding "";
 #     #proxy_set_header Upgrade $http_upgrade;
 #     #proxy_set_header Connection 'upgrade';
 #     proxy_set_header Host '127.0.0.1';
 #     proxy_cache_bypass $http_upgrade;
 #
 #     proxy_set_header X-Real-IP $remote_addr;
 #     #proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
 #     #proxy_set_header X-Forwarded-Host $server_name;
 #
 #     sub_filter ' href="/' ' href="/print/';
 #     sub_filter ' action="/' ' action="/print/';
 #     sub_filter ' src="/' ' src="/print/';
 #     #sub_filter 'ACTION="/' 'ACTION="/print/';
 #     #sub_filter 'URL=/' 'URL=/print/';
 #     sub_filter_types *;
 #     sub_filter_once off;
 # }
 # location ~ /cups/(.*) {
 #     proxy_pass http://127.0.0.1:631/$1;
 #     proxy_set_header Host '127.0.0.1';
 #     proxy_cache_bypass $http_upgrade;
 #     proxy_set_header X-Real-IP $remote_addr;
 #
 #     sub_filter ' href="/' ' href="/cups/';
 #     sub_filter ' action="/' ' action="/cups/';
 #     sub_filter ' src="/' ' src="/cups/';
 #     sub_filter_types *;
 #     sub_filter_once off;
 # }
--- a/roles/cups/templates/cupsd.conf.j2.unused
+++ b/roles/cups/templates/cupsd.conf.j2.unused
@ -1,8 +1,8 @@
 ServerAlias *
 LogLevel warn
 MaxLogSize 1m
-Listen {{ lan_ip }}:631
+#Listen {{ lan_ip }}:631
-Listen localhost:631
+Listen 127.0.0.1:631
 Listen /var/run/cups/cups.sock
 Browsing On
 BrowseLocalProtocols dnssd
--- a/roles/mediawiki/templates/mediawiki-nginx.conf.j2
+++ b/roles/mediawiki/templates/mediawiki-nginx.conf.j2
@ -14,16 +14,19 @@ location ~ ^/{{ mediawiki_symlink }}/(index|load|api|thumb|opensearch_desc)\.php
 location /{{ mediawiki_symlink }}/images {
    # Separate location for images/ so .php execution won't apply
 }
 location /{{ mediawiki_symlink }}/images/deleted {
    # Deny access to deleted images folder
    deny all;
 }
 # MediaWiki assets (usually images)
 location ~ ^/{{ mediawiki_symlink }}/resources/(assets|lib|src) {
    try_files $uri 404;
    add_header Cache-Control "public";
    expires 7d;
 }
 # Assets, scripts and styles from skins and extensions
 location ~ ^/{{ mediawiki_symlink }}/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg|ttf|woff|woff2)$ {
    try_files $uri 404;
@ -31,7 +34,6 @@ location ~ ^/{{ mediawiki_symlink }}/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg
    expires 7d;
 }
 ## Uncomment the following code if you wish to use the installer/updater
 ## installer/updater
 #location /{{ mediawiki_symlink }}/mw-config/ {
--- a/roles/nginx/README.md
+++ b/roles/nginx/README.md
@ -10,7 +10,7 @@
 2. Without PHP available via FastCGI, any function at all for PHP-based applications validates NGINX.
-3. Current state of IIAB App/Service migrations as of 2021-07-06: *(SEE ALSO [#2762](https://github.com/iiab/iiab/issues/2762))*
+3. Current state of IIAB App/Service migrations as of 2021-07-13: *(SEE ALSO [#2762](https://github.com/iiab/iiab/issues/2762))*
   1. These support "Native" NGINX but ***NOT*** Apache
@ -41,13 +41,13 @@
   3. These support Apache but ***NOT*** "Native" NGINX.  They use a "Shim" to [proxy_pass](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) from NGINX to Apache on port 8090.  See [roles/3-base-server/tasks/main.yml#L11](../3-base-server/tasks/main.yml#L11) for a list of ~6 IIAB Apps/Services that auto-enable Apache.
-      * elgg
+      * elgg [*, should be deprecated, or considered for a complete overhaul from ancient Elgg 2.x to 4.x?]
   4. These each run their own web server or non-web / backend services, e.g. off of their own [unique port(s)](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services) (IIAB home pages link directly to these destinations).  In future we'd like mnemonic URL's for all of these: (e.g. http://box/calibre, http://box/archive, http://box/kalite)
      * bluetooth
      * calibre (menu goes directly to port 8080)
-      * cups (menu goes directly to port 631) [*, shim not yet in place, [PR #2775](https://github.com/iiab/iiab/pull/2775)]
+      * cups (NGINX redirects http://box/print to port 631, changing hostname as appropriate, per [PR #2858](https://github.com/iiab/iiab/pull/2858))
      * internetarchive (menu goes directly to port 4244) [*, [PR #2120](https://github.com/iiab/iiab/pull/2120)]
      * kalite (menu goes directly to ports 8006-8008)
      * minetest
@ -60,4 +60,4 @@
      * transmission
      * vnstat
-[*] The 4 above starred roles could use improvement, as of 2021-07-06.
+[*] The 4 above starred roles could use improvement, as of 2021-07-13.
--- a/roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf.j2
+++ b/roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf.j2
@ -2,6 +2,7 @@
 location ~ ^/maps {
    rewrite ^/maps(.*)$ /osm-vector-maps/viewer$1;
 }
 location ~ ^/osm-vector-maps(.*)\.php(.*)$ {
    alias /library/www/osm-vector-maps$1.php$2;    # /library/www/osm-vector-maps
    proxy_set_header X-Real-IP  $remote_addr;
@ -15,6 +16,7 @@ location ~ ^/osm-vector-maps(.*)\.php(.*)$ {
    fastcgi_param SCRIPT_NAME     $fastcgi_script_name;
    fastcgi_param PATH_INFO       $2;
 }
 location ~ ^/osm-vector-maps/ {
    root /library/www;
 }
--- a/roles/wordpress/templates/wordpress-nginx.conf.j2
+++ b/roles/wordpress/templates/wordpress-nginx.conf.j2
@ -4,7 +4,6 @@ location {{ wp_url }} {
    try_files $uri $uri/ /wordpress/index.php$is_args$args;
    location ~ .*\.php$ {
        include fastcgi_params;
        fastcgi_pass php;
        fastcgi_index index.php;
--- a/test.yml
+++ b/test.yml
@ -0,0 +1,35 @@
 # TEST ANSIBLE COMMANDS/MODULES IN SECONDS -- BY RUNNING:
 # ansible-playbook -i ansible_hosts test.yml --connection=local
 - hosts: all
  become: yes    # Optional privilege escalation
  #vars_files:
  #- roles/0-init/defaults/main.yml
  #- vars/default_vars.yml
  #- vars/{{ ansible_local.local_facts.os_ver }}.yml
  #- /etc/iiab/local_vars.yml
  #- /etc/iiab/iiab_state.yml
  #roles:
  #  - { role: 0-init }
  tasks:
  #- include_role:
  #    name: 0-init
  - debug:
      msg: "{{ 'changeme' | password_hash('sha512') }}"
  #- pause:
  - name: DOUBLE UP to escape single quotes... '"''"' e.g. iiab.ini Munin description
    debug:
      msg: '"''"'    # FAILS: '"\'"'
  - name: BACKSLASH to escape double quotes... "'\"'" e.g. cups/tasks/install.yml
    debug:
      msg: "'\"'"    # FAILS: "'""'"
  # TEST ANSIBLE COMMANDS/MODULES HERE!
		`@ -1,2 +0,0 @@`
			`ProxyPass /cups http://localhost:631`
			`ProxyPassReverse /cups http://localhost:631`