[root@ws_monitoring ansible]# more README.TXT
1. 该ansible脚本集成了常用的一些功能
创建 web/cbs/store/download 站点
2.hosts采用分组,并对 hosts 文件整体进行了加密,需要输入密码才能查看或编辑
使用示例:创建cbs 站点
ansible-playbook cbs.yaml --ask-vault-pass
3.使用方法
创建 cbs 示例
如果要创建 cbs.chinasoft.com 这个站点
修改如下内容 roles/cbs/vars/main.yaml 变量中的 cbs_domain_name 为 需要创建的域名即可(顶级域名)
# vim roles/cbs/vars/main.yaml
cbs_domain_name: chinasoft.com
# cd /usr/local/src/ansible
# 创建 www 站点
# ansible-playbook chinasoft_co.yaml --ask-vault-pass
ansible-vault加密工具使用方法
# ansible对文件进行加密
ansible-vault encrypt /usr/local/src/ansible/hosts
# 查看加密文件
[root@node1 ansible]# ansible-vault view hosts
Vault password:
[webservers]
localhost
10.11.0.215
[nodes]
node01 ansible_host=10.11.0.210 ansible_port=22 ansible_user=root ansible_ssh_pass='root'
node02 ansible_host=10.11.0.215 ansible_port=22 ansible_user=root ansible_ssh_pass='root'
# 编辑加密文件
[root@node1 ansible]# ansible-vault edit hosts
Vault password:
# ansible-playbook 结合 ansible-vault,和之前用法一样,只是加一个 --ask-vault-pass 参数输入密码即可
ansible-playbook wondershare_co.yaml --ask-vault-pass
4.目录说明:
ansible的文件目录列表
├── cbs.yaml # 创建 cbs 站点入口文件
├── download.yaml # 创建download 站点入口文件
├── hosts
├── roles
│ ├── cbs
│ │ ├── handlers
│ │ │ └── main.yml
│ │ ├── tasks
│ │ │ ├── commom.yaml
│ │ │ └── main.yaml
│ │ ├── templates
│ │ │ ├── cbs_apache_chinasoft.co.conf.j2
│ │ │ ├── cbs_nginx_index.html.j2
│ │ │ ├── cbs_nginx_chinasoft.co.conf.j2
│ │ │ ├── cbs_rewrite_chinasoft.co.conf.j2
│ │ │ ├── cbs_chinasoft_co_jp.crt.j2
│ │ │ ├── cbs_chinasoft_co_jp.key.j2
│ │ │ └── nginx_config_grammaer_check_test_and_reload.sh.j2
│ │ └── vars
│ │ └── main.yaml
...
├── store.yaml # 创建购物车的入口文件
└── chinasoft_co.yaml # 创建www站点入口文件
1.ansible的目录结构
[root@ws_monitoring ansible]# tree . ├── cbs.yaml ├── download.yaml ├── hosts ├── README.TXT ├── roles │ ├── cbs │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ ├── commom.yaml │ │ │ └── main.yaml │ │ ├── templates │ │ │ ├── cbs_apache_chinasoft.co.conf.j2 │ │ │ ├── cbs_domain_check.sh.j2 │ │ │ ├── cbs_nginx_index.html.j2 │ │ │ ├── cbs_nginx_chinasoft.co.conf.j2 │ │ │ ├── cbs_rewrite_chinasoft.co.conf.j2 │ │ │ ├── cbs_chinasoft_co_jp.crt.j2 │ │ │ ├── cbs_chinasoft_co_jp.key.j2 │ │ │ └── nginx_config_grammaer_check_test_and_reload.sh.j2 │ │ └── vars │ │ └── main.yaml │ ├── download │ │ ├── tasks │ │ │ ├── commom.yaml │ │ │ └── main.yaml │ │ ├── templates │ │ │ ├── dl_apache_htaccess.j2 │ │ │ ├── dl_apache_chinasoft.co.conf.j2 │ │ │ ├── dl_download_new.php.j2 │ │ │ ├── dl_nginx_index.html.j2 │ │ │ ├── dl_nginx_chinasoft.co.conf.j2 │ │ │ ├── dl_rewrite_chinasoft.co.conf.j2 │ │ │ ├── dl_chinasoft_co_jp.crt.j2 │ │ │ └── dl_chinasoft_co_jp.key.j2 │ │ └── vars │ │ └── main.yaml │ ├── store │ │ ├── tasks │ │ │ ├── commom.yaml │ │ │ └── main.yaml │ │ ├── templates │ │ │ ├── sto_apache_chinasoft.co.conf.j2 │ │ │ ├── sto_chinasoft_com.crt.j2 │ │ │ ├── sto_chinasoft_com.key.j2 │ │ │ ├── sto_nginx_index.html.j2 │ │ │ ├── sto_nginx_chinasoft.co.conf.j2 │ │ │ ├── sto_rewrite_chinasoft.co.conf.j2 │ │ │ ├── sto_chinasoft_co_jp.crt.j2 │ │ │ └── sto_chinasoft_co_jp.key.j2 │ │ └── vars │ │ └── main.yaml │ └── chinasoft_co │ ├── tasks │ │ ├── commom.yaml │ │ └── main.yaml │ ├── templates │ │ ├── apache_chinasoft.co.conf.j2 │ │ ├── nginx_index.html.j2 │ │ ├── nginx_chinasoft.co.conf.j2 │ │ ├── rewrite_chinasoft.co.conf.j2 │ │ ├── chinasoft_co_jp.crt.j2 │ │ ├── chinasoft_co_jp.key.j2 │ │ ├── chinasoft_kr.crt.j2 │ │ ├── chinasoft_kr.key.j2 │ │ ├── chinasoft_net.crt.j2 │ │ └── chinasoft_net.key.j2 │ └── vars │ └── main.yaml ├── store.yaml └── chinasoft_co.yaml
2.编辑hosts目标服务器文件
[root@ws_monitoring ansible]# ansible-vault view hosts Vault password: [nodes] node01 ansible_host=10.11.0.210 ansible_port=22 ansible_user=root ansible_ssh_pass='root' node02 ansible_host=10.11.0.215 ansible_port=22 ansible_user=root ansible_ssh_pass='root' [cbs_servers] node01 ansible_host=10.11.0.210 ansible_port=22 ansible_user=root ansible_ssh_pass='root' node02 ansible_host=10.11.0.215 ansible_port=22 ansible_user=root ansible_ssh_pass='root' [store_servers] node01 ansible_host=10.11.0.210 ansible_port=22 ansible_user=root ansible_ssh_pass='root' node02 ansible_host=10.11.0.215 ansible_port=22 ansible_user=root ansible_ssh_pass='root' [download_servers] node01 ansible_host=10.11.0.210 ansible_port=22 ansible_user=root ansible_ssh_pass='root' node02 ansible_host=10.11.0.215 ansible_port=22 ansible_user=root ansible_ssh_pass='root' [ws_www_webs] node01 ansible_host=10.11.0.210 ansible_port=22 ansible_user=root ansible_ssh_pass='root' node02 ansible_host=10.11.0.215 ansible_port=22 ansible_user=root ansible_ssh_pass='root'
3.入口yaml文件
创建 www 站点
[root@ws_monitoring ansible]# more chinasoft_co.yaml - hosts: ws_www_webs remote_user: root become: yes become_method: sudo become_user: root gather_facts: no tasks: - import_role: name: chinasoft_co #- import_role: # name: download #- import_role: # name: store #- import_role: # name: uniconverter #- import_role: # name: shopcart
cbs 站点 [root@ws_monitoring ansible]# more cbs.yaml - hosts: cbs_servers remote_user: root become: yes become_method: sudo become_user: root gather_facts: no tasks: - import_role: name: cbs store 站点 [root@ws_monitoring ansible]# more store.yaml - hosts: store_servers remote_user: root become: yes become_method: sudo become_user: root gather_facts: no tasks: - import_role: name: store download 站点 [root@ws_monitoring ansible]# more download.yaml - hosts: download_servers remote_user: root become: yes become_method: sudo become_user: root gather_facts: no tasks: - import_role: name: download
# 参数配置
[root@ws_monitoring ansible]# more roles/chinasoft_co/vars/main.yaml domain_name: chinasoft.com.br is_ori_needed: true backup_dest_path: /opt nginx_dest_path: /usr/local/nginx/conf/vhost.d rewrite_nginx_dest_path: /usr/local/nginx/conf/rewrite.d http_dest_path: /usr/local/httpd-2.2.26/conf/vhost.d http_data_dest_path: /data/www/vhosts certification_dest_path: /usr/local/nginx/conf/cert2016 production_download: download production_store: store production_shopcart: shopcart production_uniconverter: uniconverter production_list: #- www #- images #- filmora #- pdf - recoverit #- drfone #- static-fr #- static-de #- static-es #- static-it #- static-pt
模板项目:
# apache 的模板
[root@ws_monitoring ansible]# more roles/chinasoft_co/templates/apache_chinasoft.co.conf.j28080> ServerName {{item.item}}.{{domain_name}} ## for CDN Origin_site {% if is_ori_needed %}ServerAlias ori-{{item.item}}.{{domain_name}}{% endif %} {# ServerAlias downpool.{{domain_name}} #} {# ServerAlias ssl-{{item.item}}.{{domain_name}} #} UseCanonicalName Off ServerAdmin "[email protected]" DocumentRoot /data/www/vhosts/{{item.item}}.{{domain_name}}/httpdocs DirectoryIndex index.html index.shtml index.php CustomLog "|/usr/local/apache2/bin/rotatelogs -l /data/www/logs/apache_log/access/{{item.item}}.{{domain_name}}_access.log.%Y-%m-%d 86400" combined ErrorLog "|/usr/local/apache2/bin/rotatelogs -l /data/www/logs/apache_log/error/{{item.item}}.{{domain_name}}_error.log.%Y-%m-%d 86400" SSLEngine off php_admin_flag engine on php_admin_flag safe_mode on php_admin_value open_basedir ".:/data/www/vhosts/{{item.item}}.{{domain_name}}:/tmp" php_admin_flag engine on php_admin_flag safe_mode on php_admin_value open_basedir ".:/data/www/vhosts/{{item.item}}.{{domain_name}}:/tmp" Options -ExecCGI FollowSymLinks +Includes AllowOverride All Alias /servers "/data/www/vhosts/www_servers""/data/www/vhosts/www_servers/"> Options -ExecCGI FollowSymLinks +Includes AllowOverride All ErrorDocument 404 /404.html
# nginx 的配置模板
[root@ws_monitoring ansible]# more roles/chinasoft_co/templates/nginx_chinasoft.co.conf.j2 server { listen 80; server_name {% if item.item == 'www' %}{{domain_name}} {% endif %}{{item.item}}.{{domain_name}} {% if is_ori_needed %}ori-{{item.item}}.{{domain_name}}{% endif %}; index index.html index.shtml index.php ; include rewrite.d/{% if item.item == 'www' %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}.conf ; root /data/www/vhosts/{% if item.item == 'www' %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}/httpdocs ; access_log /data/www/logs/nginx_log/access/{% if item.item == 'www' %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}_access.log main ; error_log /data/www/logs/nginx_log/error/{% if item.item == 'www' %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}_error.log ; error_page 404 403 /404.html; rewrite ^/(.*)$ https://{% if item.item == 'www' %}www.{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}/$1 permanent; if ($http_user_agent ~ Ezooms) { return 403; } location ~ ^.*\.(htaccess|htpasswd|ini|sh)$ { deny all; } location ~ \.php$ { proxy_pass http://php_pool; include proxy_params; expires -1; } location / { include proxy_params; if (!-d $request_filename){ set $flag 1$flag; } if (!-f $request_filename){ set $flag 2$flag; } if ($flag = "21"){ proxy_pass http://php_pool; expires -1; } } } server { listen 443; server_name {% if item.item == 'www' %}{{domain_name}} {% endif %}{{ item.item }}.{{domain_name}} {% if is_ori_needed %}ori-{{ item.item }}.{{domain_name}}{% endif %}; ssl on; ssl_certificate cert2016/{{domain_name|regex_replace('\.' , '_')}}.crt; ssl_certificate_key cert2016/{{domain_name|regex_replace('\.' 
, '_')}}.key; ssl_dhparam cert2016/dh_2048.pem; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RS A-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES- CBC3-SHA:!KRB5-DES-CBC3-SHA"; ssl_prefer_server_ciphers on; add_header 'Access-Control-Allow-Origin' '*'; access_log /data/www/logs/nginx_log/access/{% if item.item == 'www' %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}_access.log main ; error_log /data/www/logs/nginx_log/error/{% if item.item == 'www' %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}_error.log ; root /data/www/vhosts/{% if item.item == 'www' %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}/httpdocs ; index index.html index.shtml index.php ; include rewrite.d/{% if item.item == 'www' %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}.conf ; error_page 404 403 /404.html; if ($http_user_agent ~ Ezooms) { return 403; } location ~ ^.*\.(htaccess|htpasswd|ini|sh)$ { deny all; } location ~ \.php$ { proxy_pass http://php_pool; include proxy_params; expires -1; } location / { include proxy_params; if (!-d $request_filename){ set $flag 1$flag; } if (!-f $request_filename){ set $flag 2$flag; } if ($flag = "21"){ proxy_pass http://php_pool; expires -1; } } }
# index.html 首页模板
[root@ws_monitoring ansible]# more roles/chinasoft_co/templates/nginx_index.html.j2
this is {{ item.item }}.{{domain_name}} on the server
# 默认跳转规则模板
[root@ws_monitoring ansible]# more roles/chinasoft_co/templates/rewrite_chinasoft.co.conf.j2 {% if item.item == 'www' %} if ($host ~* ^{{domain_name}}$){ rewrite ^(.*)$ https://www.{{domain_name}}$1 permanent;} {% endif %} if ($request_uri ~ ^/(.*)/(index|indice).(html)) { rewrite ^/(.*)/(index|indice).(html) /$1 permanent;} if ($request_uri ~ ^/(index|indice).html) { rewrite ^ / permanent;} # 主要的任务规则 [root@ws_monitoring ansible]# more roles/chinasoft_co/tasks/main.yaml - name: Deploy common site import_tasks: commom.yaml [root@ws_monitoring ansible]# more roles/chinasoft_co/tasks/commom.yaml #- name : let shell command result registe to be current time # command : "echo `date +%Y%m%d%H%M%S`" # register : current_time # #- name: Copy multiple files in Ansible with different permissions # copy: # src: "{{ item.src }}" # dest: "{{ item.dest }}" # mode: "{{ item.mode }}" # with_items: # - { src: "{{nginx_dest_path}}",dest: "{{backup_dest_path}}/{{current_time}}", mode: '0644'} # - { src: "{{rewrite_nginx_dest_path}}",dest: "{{backup_dest_path}}/{{current_time}}", mode: '0644'} # - { src: "{{certification_dest_path}}",dest: "{{backup_dest_path}}/{{current_time}}", mode: '0644'} # - { src: "{{http_dest_path}}",dest: "{{backup_dest_path}}/{{current_time}}", mode: '0644'} - name: Checking nginx configuration file if exists stat: path: "{{nginx_dest_path}}/{%if item == 'www' %}{{domain_name}}.conf{% else %}{{item}}.{{domain_name}}.conf{% endif %}" register: nginx_ws_cn_fcheck with_items: "{{ production_list }}" - name: upload nginx configuration file to server template: src: nginx_chinasoft.co.conf.j2 dest: "{{nginx_dest_path}}/{%if item.item == 'www' %}{{domain_name}}.conf{% else %}{{item.item}}.{{domain_name}}.conf{% endif %}" owner: apache group: users mode: 0644 when: not item.stat.exists with_items: "{{ nginx_ws_cn_fcheck.results}}" - name: Checking nginx's rewrite rule file if exists stat: path: "{{rewrite_nginx_dest_path}}/{%if item == 'www' %}{{domain_name}}.conf{% 
else %}{{item}}.{{domain_name}}.conf{% endif %}" register: rewrite_ws_fcheck with_items: "{{ production_list }}" - name: upload nginx's rewrite rule file to server template: src: rewrite_chinasoft.co.conf.j2 dest: "{{rewrite_nginx_dest_path}}/{%if item.item == 'www' %}{{domain_name}}.conf{% else %}{{item.item}}.{{domain_name}}.conf{% endif %}" owner: apache group: users mode: 0644 when: not item.stat.exists with_items: "{{ rewrite_ws_fcheck.results}}" - name: Checking apache configuration file if exists stat: path: "{{http_dest_path}}/{%if item == 'www' %}{{domain_name}}.conf{% else %}{{item}}.{{domain_name}}.conf{% endif %}" register: apache_ws_fcheck with_items: "{{ production_list }}" - name: upload apache configuration file to server template: src: apache_chinasoft.co.conf.j2 dest: "{{http_dest_path}}/{%if item.item == 'www' %}{{domain_name}}.conf{% else %}{{item.item}}.{{domain_name}}.conf{% endif %}" owner: apache group: users mode: 0644 when: not item.stat.exists with_items: "{{ apache_ws_fcheck.results}}" - name: Checking web data httpdocs and create if not exists file: path: "{{http_data_dest_path}}/{%if item == 'www' %}{{domain_name}}{% else %}{{item}}.{{domain_name}}{% endif %}/httpdocs" state: directory owner: apache group: users mode: 0755 with_items: "{{ production_list }}" #- name: Checking data link and create if not exists # file: # src: "{{http_data_dest_path}}/download.{{domain_name}}.conf/httpdocs" # dest: "{{http_data_dest_path}}/download.{{domain_name}}.conf/httpdocs/cbs_down" # state: link # owner: apache # group: users # mode: 0755 - name: Checking data index.html and create if not exists stat: path: "{{http_data_dest_path}}/{%if item == 'www' %}{{domain_name}}{% else %}{{item}}.{{domain_name}}{% endif %}/httpdocs/index.html" register: apache_data_ws_fcheck with_items: "{{ production_list }}" - name: upload www test data file to server template: src: nginx_index.html.j2 dest: "{{http_data_dest_path}}/{%if item.item == 'www' 
%}{{domain_name}}{% else %}{{item.item}}.{{domain_name}}{% endif %}/httpdocs/index.html" owner: apache group: users mode: 0644 when: not item.stat.exists with_items: "{{ apache_data_ws_fcheck.results}}" - name: Checking certification path if not exists file: path: "/usr/local/nginx/conf/cert2016" state: directory owner: apache group: users mode: 0755 - name: upload certification file to server template: src: "{{item.src}}" dest: "{{certification_dest_path}}/{{item.dest}}" owner: apache group: users mode: 0644 with_items: - { src: "{{domain_name|regex_replace('\\.' , '_')}}.crt.j2", dest: "{{domain_name|regex_replace('\\.' , '_')}}.crt" } - { src: "{{domain_name|regex_replace('\\.' , '_')}}.key.j2", dest: "{{domain_name|regex_replace('\\.' , '_')}}.key" }
# cbs相关的目录结构
[root@ws_monitoring roles]# tree cbs/ cbs/ ├── handlers │ └── main.yml ├── tasks │ ├── commom.yaml │ └── main.yaml ├── templates │ ├── cbs_apache_chinasoft.com.conf.j2 │ ├── cbs_domain_check.sh.j2 │ ├── cbs_nginx_index.html.j2 │ ├── cbs_nginx_chinasoft.com.conf.j2 │ ├── cbs_rewrite_chinasoft.com.conf.j2 │ ├── cbs_chinasoft.com_jp.crt.j2 │ ├── cbs_chinasoft.com_jp.key.j2 │ └── nginx_config_grammaer_check_test_and_reload.sh.j2 └── vars └── main.yaml
# 变量配置
[root@ws_monitoring cbs]# more vars/main.yaml cbs_domain_name: chinasoft.com.jp cbs_is_ori_needed: false cbs_nginx_dest_path: /usr/local/nginx/conf/vhost.d cbs_rewrite_nginx_dest_path: /usr/local/nginx/conf/rewrite.d #cbs_http_dest_path: /usr/local/httpd-2.2.26/conf/vhost.d cbs_http_data_dest_path: /data/www/vhosts cbs_certification_dest_path: /usr/local/nginx/conf/cert2016 shell_dest_path: /usr/local/worksh nginx_check_shell_name: nginx_config_grammaer_check_test_and_reload cbs_domain_check_shell_name: cbs_domain_check #cbs_production_store: store #cbs_production_shopcart: shopcart #cbs_production_uniconverter: uniconverter cbs_production_name: cbs
# apache相关的配置
[root@ws_monitoring cbs]# more templates/cbs_apache_chinasoft.com.conf.j28080> ServerName {{sto_production_name}}.{{sto_domain_name}} ## for CDN Origin_site {% if sto_is_ori_needed %}ServerAlias ori-{{sto_production_name}}.{{sto_domain_name}}{% endif %} ServerAlias downpool.{{sto_domain_name}} ServerAlias ssl-{{sto_production_name}}.{{sto_domain_name}} UseCanonicalName Off ServerAdmin "[email protected]" DocumentRoot /data/www/vhosts/{{sto_production_name}}.{{sto_domain_name}}/httpdocs DirectoryIndex index.html index.shtml index.php CustomLog "|/usr/local/apache2/bin/rotatelogs -l /data/www/logs/apache_log/access/{{sto_production_name}}.{{sto_domain_name}}_access.log.%Y-%m-%d 86400" combined ErrorLog "|/usr/local/apache2/bin/rotatelogs -l /data/www/logs/apache_log/error/{{sto_production_name}}.{{sto_domain_name}}_error.log.%Y-%m-%d 86400" SSLEngine off php_admin_flag engine on php_admin_flag safe_mode on php_admin_value open_basedir ".:/data/www/vhosts/{{sto_production_name}}.{{sto_domain_name}}:/tmp" php_admin_flag engine on php_admin_flag safe_mode on php_admin_value open_basedir ".:/data/www/vhosts/{{sto_production_name}}.{{sto_domain_name}}:/tmp" Options -ExecCGI FollowSymLinks +Includes AllowOverride All ErrorDocument 404 /404.html
# 首页模板
[root@ws_monitoring cbs]# more templates/cbs_nginx_index.html.j2
this is {{ cbs_production_name }}.{{cbs_domain_name}} on the server
# 检查域名绑定不同的服务器ip后是否正常
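[root@ws_monitoring cbs]# more templates/cbs_domain_check.sh.j2
#!/bin/bash
#
# Probe the cbs vhost on each backend directly (DNS is bypassed with
# --resolve) so a host whose vhost is misconfigured is reported before
# traffic is pointed at it. Rendered by Ansible: {{cbs_production_name}}
# and {{cbs_domain_name}} come from roles/cbs/vars/main.yaml.
set -u

# "ip:label" pairs; the label only appears in the messages below.
# TODO(review): consider rendering this list from the cbs_servers inventory
# group instead of keeping it in the template.
cbs_servers=(
  "1.1.1.1:ws_cbs_frontend_web01"
  "1.1.1.2:ws_cbs_frontend_web02"
)
# Production name and domain are joined with a dot, exactly as in the nginx
# server_name template; without the dot the probe hit a non-existent host.
readonly site="{{cbs_production_name}}.{{cbs_domain_name}}"
# Seconds before a hung backend counts as a failure.
readonly curl_timeout=15

for entry in "${cbs_servers[@]}"; do
  ip=${entry%:*}
  server_name=${entry#*:}
  # --fail turns an HTTP error status into a non-zero exit, so a 5xx from a
  # backend is reported as an error rather than just a failed connection.
  if curl --head --silent --show-error --fail \
      --max-time "${curl_timeout}" \
      --resolve "${site}:443:${ip}" \
      "https://${site}/"; then
    printf '%s-%s is ok\n' "${server_name}" "${ip}"
  else
    printf '%s-%s config error\n' "${server_name}" "${ip}" >&2
    exit 1
  fi
done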
# nginx 相关配置
[root@ws_monitoring cbs]# more templates/cbs_nginx_chinasoft.com.conf.j2 server { listen 80; server_name {{cbs_production_name}}.{{cbs_domain_name}} {% if cbs_is_ori_needed %}ori-{{cbs_production_name}}.{{cbs_domain_name}}{% endif %}; access_log on; access_log /data/www/logs/nginx_log/access/{{ cbs_production_name }}.{{cbs_domain_name}}_access.log main ; error_log /data/www/logs/nginx_log/error/{{ cbs_production_name }}.{{cbs_domain_name}}_error.log ; root /data/www/vhosts/cbs.chinasoft.comm/httpdocs ; index index.html index.shtml index.php ; include rewrite.d/{{ cbs_production_name }}.{{cbs_domain_name}}.conf ; if ($http_user_agent ~ Ezooms) { return 403; } location ~ ^.*\.(htaccess|htpasswd|ini|sh)$ { deny all; } location ~ \.php$ { fastcgi_pass unix:/tmp/php-cgi.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } location ^~ /logs { deny all; } } server { listen 443 ssl; #ssl on; ssl_certificate cert2016/{{cbs_domain_name|regex_replace('\.' , '_')}}.crt; ssl_certificate_key cert2016/{{cbs_domain_name|regex_replace('\.' 
, '_')}}.key; ssl_dhparam cert2016/dh_2048.pem; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AE S256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3 -SHA:!KRB5-DES-CBC3-SHA"; ssl_prefer_server_ciphers on; #ssl_stapling on; #ssl_stapling_verify on; server_name {{cbs_production_name}}.{{cbs_domain_name}} {% if cbs_is_ori_needed %}ori-{{cbs_production_name}}.{{cbs_domain_name}}{% endif %}; access_log on; access_log /data/www/logs/nginx_log/access/{{ cbs_production_name }}.{{cbs_domain_name}}_access.log main ; error_log /data/www/logs/nginx_log/error/{{ cbs_production_name }}.{{cbs_domain_name}}_error.log ; root /data/www/vhosts/cbs.chinasoft.comm/httpdocs ; index index.html index.shtml index.php ; include rewrite.d/{{ cbs_production_name }}.{{cbs_domain_name}}.conf ; error_page 404 403 /404.html; if ($http_user_agent ~ Ezooms) { return 403; } location ~ ^.*\.(htaccess|htpasswd|ini|sh)$ { deny all; } location ~ \.php$ { fastcgi_pass unix:/tmp/php-cgi.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } location ^~ /logs { deny all; } }
# 重启nginx的脚本
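[root@ws_monitoring cbs]# more templates/nginx_config_grammaer_check_test_and_reload.sh.j2
#!/bin/bash
#
# Syntax-check the nginx configuration and reload only when it passes, so a
# broken vhost file pushed by Ansible never takes the running nginx down.
# Invoked by the "reload nginx" handler in roles/cbs/handlers/main.yml.
set -u

readonly nginx_bin=/usr/local/nginx/sbin/nginx
readonly nginx_init=/etc/init.d/nginx

#######################################
# Run `nginx -t`; on success reload nginx and return the reload's exit
# status, on failure exit 1 without touching the running service.
# Globals:   nginx_bin, nginx_init (read), HOSTNAME (read)
# Outputs:   the `nginx -t` status and progress messages to stdout,
#            the configuration error message to stderr
# Returns:   exit status of the reload; exits 1 on a configuration error
#######################################
nginx_config_check_reload() {
  local status
  "${nginx_bin}" -t
  status=$?
  printf '%s\n' "${status}"
  if (( status == 0 )); then
    # The script is deployed to every host in cbs_servers, so the message
    # names the actual host instead of a fixed "web01".
    printf ' start %s nginx reload !!!\n' "${HOSTNAME}"
    # Propagate the reload status so the Ansible handler fails if the
    # reload itself fails.
    "${nginx_init}" reload
    return "$?"
  fi
  printf ' %s nginx configure error ... \n' "${HOSTNAME}" >&2
  exit 1
}

nginx_config_check_reload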
# 处理重启的判断
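[root@ws_monitoring cbs]# more handlers/main.yml
# Handlers notified by roles/cbs/tasks/commom.yaml once the nginx vhost file
# has been written. Both scripts are uploaded to {{shell_dest_path}} by that
# task file; the script names come from roles/cbs/vars/main.yaml.
- name: reload nginx
  # Runs `nginx -t` first and only reloads on a clean syntax check.
  # command (not shell): the argument is a fixed path, no shell features needed.
  command: /bin/bash {{shell_dest_path}}/{{nginx_check_shell_name}}.sh

- name: cbs domain check
  # The script is installed as {{cbs_domain_check_shell_name}}.sh;
  # cbs_domain_check is the stat result registered in commom.yaml, not a
  # file name, so the previous path could never exist.
  command: /bin/bash {{shell_dest_path}}/{{cbs_domain_check_shell_name}}.sh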
# 主要的站点配置逻辑入口
[root@ws_monitoring cbs]# more tasks/main.yaml
# Entry point of the cbs role; all of the work lives in commom.yaml
# (the file really is named "commom", not "common", throughout this role).
- name: Deploy common site
  import_tasks: commom.yaml
# 主要的站点配置逻辑
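[root@ws_monitoring cbs]# more tasks/commom.yaml
# Deploys the cbs vhost: TLS material, the nginx rewrite and vhost files and
# the two helper scripts the handlers run.
# Every "upload" task is guarded by a stat plus "when: not ... exists", so a
# file is written once and never refreshed from its template afterwards;
# remove the remote file to have it re-deployed. Because the vhost upload is
# skipped on later runs, its handlers only fire on the first deployment.
- name: "{{cbs_production_name}}=====Checking certification path if not exists"
  file:
    # Same directory the certificate upload below writes into.
    path: "{{cbs_certification_dest_path}}"
    state: directory
    owner: apache
    group: users
    mode: '0755'

- name: "{{cbs_production_name}}=====upload certification file to server"
  template:
    src: "{{item.src}}"
    dest: "{{cbs_certification_dest_path}}/{{item.dest}}"
    owner: apache
    group: users
    # Per-item mode: the certificate may be world-readable, the private key
    # must be readable by its owner only.
    mode: "{{item.mode}}"
  with_items:
    - { src: "cbs_{{cbs_domain_name|regex_replace('\\.' , '_')}}.crt.j2", dest: "{{cbs_domain_name|regex_replace('\\.' , '_')}}.crt", mode: '0644' }
    - { src: "cbs_{{cbs_domain_name|regex_replace('\\.' , '_')}}.key.j2", dest: "{{cbs_domain_name|regex_replace('\\.' , '_')}}.key", mode: '0600' }
  # Keep the key material out of the playbook output and logs.
  no_log: true

- name: "{{cbs_production_name}}=====Checking nginx's rewrite rule file if exists"
  stat:
    path: "{{cbs_rewrite_nginx_dest_path}}/{{cbs_production_name}}.{{cbs_domain_name}}.conf"
  register: cbs_rewrite_ws_fcheck

- name: "{{cbs_production_name}}=====upload nginx's rewrite rule file to server"
  template:
    src: cbs_rewrite_chinasoft.com.conf.j2
    dest: "{{cbs_rewrite_nginx_dest_path}}/{{cbs_production_name}}.{{cbs_domain_name}}.conf"
    owner: apache
    group: users
    mode: '0644'
  when: not cbs_rewrite_ws_fcheck.stat.exists

- name: "{{shell_dest_path}}=====Checking shell directory and create if not exists"
  file:
    path: "{{shell_dest_path}}"
    state: directory
    owner: root
    group: root
    mode: '0755'

- name: "{{shell_dest_path}}/{{nginx_check_shell_name}}.sh=======check nginx config shell file and create it if not exists"
  stat:
    path: "{{shell_dest_path}}/{{nginx_check_shell_name}}.sh"
  register: nginx_grammar_check

- name: "upload nginx grammar check shell file to server"
  template:
    src: nginx_config_grammaer_check_test_and_reload.sh.j2
    dest: "{{shell_dest_path}}/{{nginx_check_shell_name}}.sh"
    # The handlers execute these scripts as root (the play runs with
    # become_user: root), so they must not be writable by the web user.
    owner: root
    group: root
    mode: '0755'
  when: not nginx_grammar_check.stat.exists

- name: "{{shell_dest_path}}/{{cbs_domain_check_shell_name}}.sh=======check cbs domain check shell file and create it if not exists"
  stat:
    path: "{{shell_dest_path}}/{{cbs_domain_check_shell_name}}.sh"
  register: cbs_domain_check

- name: "upload cbs domain check shell file to server"
  template:
    src: cbs_domain_check.sh.j2
    dest: "{{shell_dest_path}}/{{cbs_domain_check_shell_name}}.sh"
    # Executed as root by the "cbs domain check" handler; root-owned for the
    # same reason as the nginx check script above.
    owner: root
    group: root
    mode: '0755'
  when: not cbs_domain_check.stat.exists

# The tasks below were carried over from the store role (sto_* variables are
# not defined in roles/cbs/vars/main.yaml) and are disabled.
#- name: "{{sto_production_name}}=====Checking apache configuration file if exists"
#  stat:
#    path: "{{sto_http_dest_path}}/{{sto_production_name}}.{{sto_domain_name}}.conf"
#  register: sto_apache_ws_fcheck
#
#- name: "{{sto_production_name}}=====upload apache configuration file to server"
#  template:
#    src: sto_apache_chinasoft.com.conf.j2
#    dest: "{{sto_http_dest_path}}/{{sto_production_name}}.{{sto_domain_name}}.conf"
#    owner: apache
#    group: users
#    mode: 0644
#  when: not sto_apache_ws_fcheck.stat.exists
# The application now uses cbs.chinasoft.comm everywhere, so this is not created.
#- name: "{{cbs_production_name}}=====Checking web data httpdocs and create if not exists"
#  file:
#    path: "{{cbs_http_data_dest_path}}/{{cbs_production_name}}.{{cbs_domain_name}}/httpdocs"
#    state: directory
#    owner: apache
#    group: users
#    mode: 0755
#- name: "{{sto_production_name}}=====Checking data link and create if not exists"
#  file:
#    src: "{{sto_http_data_dest_path}}/{{sto_production_name}}.{{sto_domain_name}}/httpdocs"
#    dest: "{{sto_http_data_dest_path}}/{{sto_production_name}}.{{sto_domain_name}}/httpdocs/cbs_down"
#    state: link
#    owner: apache
#    group: users
#    mode: 0755
#- name: "{{sto_production_name}}=====Checking data index.html and create if not exists"
#  stat:
#    path: "{{sto_http_data_dest_path}}/{{sto_production_name}}.{{sto_domain_name}}/httpdocs/index.html"
#  register: sto_apache_data_ws_fcheck
#
#- name: "{{sto_production_name}}=====upload www test data file to server"
#  template:
#    src: sto_nginx_index.html.j2
#    dest: "{{sto_http_data_dest_path}}/{{sto_production_name}}.{{sto_domain_name}}/httpdocs/index.html"
#    owner: apache
#    group: users
#    mode: 0644
#  when: not sto_apache_data_ws_fcheck.stat.exists

- name: "{{cbs_production_name}}=====Checking nginx configuration file if exists"
  stat:
    path: "{{cbs_nginx_dest_path}}/{{cbs_production_name}}.{{cbs_domain_name}}.conf"
  register: cbs_nginx_ws_fcheck

- name: "{{cbs_production_name}}=====upload nginx configuration file to server"
  template:
    src: cbs_nginx_chinasoft.com.conf.j2
    dest: "{{cbs_nginx_dest_path}}/{{cbs_production_name}}.{{cbs_domain_name}}.conf"
    owner: apache
    group: users
    mode: '0644'
  when: not cbs_nginx_ws_fcheck.stat.exists
  # A mapping cannot carry two "notify" keys: depending on the YAML loader
  # that is either an error or only the last key survives, so "reload nginx"
  # was never triggered. Handlers run in the order they are defined in
  # handlers/main.yml (reload first, then the domain check).
  notify:
    - reload nginx
    - cbs domain check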