oversignts and corrections -- most now seem to work on rpi

roles/nginx/defaults/main.yml

@@ -0,0 +1 @@
+nginx_log_dir: /var/log/nginx

roles/nginx/files/README.md

@@ -0,0 +1,21 @@
+### Transition to NGINX
+1. Initial testing strategy is to move nginx to port 80, and proxy everything to apache on port 8090-- creating a shim.
+2. Without php available via fastcgi, any function at all for php based applications validates nginx.
+3. Current state (7/15/19):
+    1. Principal functions migrated to nginx.
+         * Admin Console
+         * Awstats
+         * kiwix -- goes directly to port 3000
+         * kalite -- goes directly to port 8009
+         * calibre-web
+         * kolibri
+         * usb-lib
+         * maps
+    2. Still proxied to Apache
+         * mediawiki
+         * elgg
+         * nodered
+         * nextcloud
+         * wordpress
+         * moodle
+         * archive.org

roles/nginx/tasks/main.yml

@@ -0,0 +1,62 @@
+- name: Insure that apache2 is not running -- we may need port swap
+  service: 
+      name: apache2
+      enabled: False 
+      state: stopped
+  ignore_errors: True
+
+- name: Install nginx required  and helper packages
+  package: name={{ item }} state=present
+  with_items:
+    - nginx-extras
+    - uwsgi
+    - uwsgi-plugin-python
+    - php-fpm
+    - libnginx-mod-http-subs-filter
+
+- name: Put the config file in place
+  template: 
+      src: '{{ item.src}}'  
+      dest: '{{ item.dest }}'
+  with_items:
+     - { src: "server.conf",dest: "/etc/nginx/" }
+     - { src: "nginx.conf",dest: "/etc/nginx/" }
+     - { src: "usb-lib.conf",dest: "/etc/nginx/conf.d/" }
+     - { src: "admin-console.ini",dest: "/etc/uwsgi/apps-enabled/" }
+     - { src: "uwsgi.unit",dest: "/etc/systemd/system/" }
+# optional services
+     - { src: "kiwix.conf",dest: "/etc/nginx/conf.d/" }
+
+- name: Add http server  user to shadow group, so it can authenticate Admin Console
+  user:
+      name: "{{ apache_user }}"
+      groups: shadow
+
+- name: Remove the nginx default config
+  file: path=/etc/nginx/sites-enabled/default state=absent
+
+- name: Install config for Admin Console
+  template: 
+        src: admin-console-nginx.conf
+# Comment one or the other to revert from nginx back to apache2, if required
+#        src: admin-console-apache.conf
+        dest: /etc/nginx/conf.d/admin-console.conf
+  when: admin_console_enabled | bool
+
+- name: Enable the uwsgi systemd service
+  service:
+      name: uwsgi
+      state: started
+      enabled: True
+
+- name: Make sure nginx picks up the config 
+  service: 
+      name: nginx 
+      state: restarted
+  when: nginx_enabled | bool
+          
+# it might not be installed yet, so ignore errors
+- name: Since we stopped apache2, start it again
+  service: name=apache2 state=started enabled=True
+  when: apache_enabled | bool
+  ignore_errors: True

roles/nginx/templates/admin-console-apache.conf

@@ -0,0 +1,9 @@
+location /admin {
+  proxy_pass http://127.0.0.1:{{ apache_port }}/admin;
+}
+location /cmd-service {
+  proxy_pass http://127.0.0.1:{{ apache_port }}/cmd-service;
+}
+ 
+  
+

roles/nginx/templates/admin-console-nginx.conf

@@ -0,0 +1,29 @@
+location /admin {
+#  proxy_pass http://127.0.0.1:{{ apache_port }}/admin;
+   alias /opt/admin/console;
+   auth_pam                "Secure zone";
+   auth_pam_service_name   "nginx";
+
+}
+
+location ~ /admin/(.*)\.php$ {
+    alias /opt/admin/console/$1.php;
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host $host;
+    fastcgi_pass php;
+    fastcgi_index index.php;
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+    fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
+    include fastcgi_params;
+}
+ 
+location /cmd-service {
+#  proxy_pass http://127.0.0.1:{{ apache_port }}/cmd-service;
+   include uwsgi_params;
+   uwsgi_pass unix:///tmp/admin-console.sock;
+}
+
+  
+

roles/nginx/templates/admin-console.ini

@@ -0,0 +1,8 @@
+[uwsgi]
+	uid = www-data
+	gid = www-data
+	socket = /tmp/admin-console.sock
+	chdir = /opt/admin/console
+	wsgi-file = cmd-service.wsgi
+	master = true
+   plugins = python

roles/nginx/templates/kalite-nginx.conf

@@ -0,0 +1,59 @@
+# NGINX configuration for KA Lite
+#
+# Upstream KA-Lite server uses port 7007
+# Nginx proxy for KA-Lite uses port 8008
+#
+# If you want the website to be accessible at a different port, change
+#  PROXY_PORT = nnnn setting in /var/ka-lite/.kalite/settings.py
+# and change the below accordingly.
+
+
+upstream kalite {
+    server 127.0.0.1:7007;
+}
+
+server {
+
+    listen 8008;
+
+    # Default value, overwritten in nginx.d
+    set $kalite_home {{ kalite_root }};
+    include /etc/ka-lite/nginx.d/*.conf;
+
+    location /static {
+        alias   $kalite_home/httpsrv/static/;
+    }
+
+    location /media {
+        alias   $kalite_home/httpsrv/media/;
+    }
+
+    location /content {
+        alias   $kalite_home/content/;
+    }
+
+    location /favicon.ico {
+        empty_gif;
+    }
+
+    location / {
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Scheme $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_pass http://kalite;
+        error_page 502 = @502;
+    }
+
+    location @502 {
+        types { }
+        default_type "text/html";
+        return 502 "
+        <BR>
+        <H1>KA-Lite might be busy - wait a few moments and then reload this page
+        <BR><BR>
+        <H2>If KA-Lite is still busy, get help from the system administrator
+        <H3>Error code: nginx 502 Bad Gateway (maybe the KA-Lite webserver is not working correctly)";
+    }
+
+}
+

roles/nginx/templates/kiwix.conf

@@ -0,0 +1,3 @@
+location /kiwix {
+  proxy_pass http://127.0.0.1:3000;
+}

roles/nginx/templates/nginx.conf

@@ -0,0 +1,80 @@
+# IIAB notes: sites-enabled is for server declarations
+# cond.d is for location declarations within the main server block
+
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type text/html;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+
+	access_log {{ apache_log_dir }}/access.log;
+	error_log {{ apache_log_dir }}/error.log;
+   log_format scripts '$request > $document_root$fastcgi_script_name $fastcgi_path_info';
+
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+	gzip_disable "msie6";
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+	##
+	# Virtual Host Configs
+	##
+
+
+   # include a server file which in turn includes conf.d/*
+   include /etc/nginx/server.conf;
+        
+   # include other sites
+	include /etc/nginx/sites-enabled/*.conf;
+
+
+   # define the upstream backend fastcgi for php
+   upstream php {
+      server  unix:/run/php/php{{ php_version }}-fpm.sock;
+   }
+           
+}
+

roles/nginx/templates/server.conf

@@ -0,0 +1,40 @@
+server {
+      root {{ doc_root }};
+      server_name {{ iiab_hostname }};
+      listen 80;
+ 
+      access_log {{ apache_log_dir }}/access.log;
+      error_log {{ apache_log_dir }}/error.log;
+      access_log {{ apache_log_dir }}/scripts.log scripts;
+
+      index  index.php index.html index.htm;
+      rewrite ^/$ $scheme://$server_addr/home/;
+
+      # let individual services drop location blocks in conf.d
+      include /etc/nginx/conf.d/*;
+ 
+      location ~ .*\.php$ {
+          proxy_set_header X-Real-IP  $remote_addr;
+          proxy_set_header X-Forwarded-For $remote_addr;
+          proxy_set_header Host $host;
+          fastcgi_pass php;
+          fastcgi_index index.php;
+          fastcgi_split_path_info ^(.+\.php)(/.+)$;
+          fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+          fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
+          include fastcgi_params;
+       }
+ 
+      location /cgi-bin {
+         root /usr/lib;
+      }
+
+       # if you don't like seeing all the errors for missing favicon.ico in root
+       location = /favicon.ico { access_log off; log_not_found off; }
+ 
+       # if you don't like seeing errors for a missing robots.txt in root
+       location = /robots.txt { access_log off; log_not_found off; }
+ 
+       # this will prevent files like .htaccess .htpassword .secret etc from being served
+       location ~ /\. { deny all; }
+}

roles/nginx/templates/usb-lib.conf

@@ -0,0 +1,7 @@
+location /usb {
+  alias /library/www/html/local_content/;
+  autoindex on;
+}
+location /local_content/ {
+  autoindex on;
+}

roles/nginx/templates/uwsgi.unit

@@ -0,0 +1,13 @@
+Unit]
+Description=uWSGI Service
+
+[Service]
+ExecStart=/usr/local/bin/uwsgi --ini /etc/uwsgi/admin_console_wsgi.ini
+Restart=always
+RestartSec=5
+KillSignal=SIGQUIT
+Type=notify
+NotifyAccess=all
+
+[Install]
+WantedBy=multi-user.target