Add support for nginx with reverse proxy to embedded server

This deploys the existing embedded server service but adds a nginx
reverse proxy on top.

Change-Id: I06837e39c20ce9390a39fc1ef2ee046934e6f38a

defaults/main.yml

@@ -33,3 +33,6 @@ ara:
     server: embedded
     # Type (mod_wsgi, standalone, embedded-proxy, etc.)
     type: standalone
+    nginx:
+      # Where nginx will store the proxy cache
+      cache_directory: /var/cache/nginx

handlers/main.yml

@@ -18,13 +18,23 @@
     daemon_reload: yes
 
 - name: restart apache
+  become: true
   service:
    name: "{{ apache_service }}"
    state: restarted
+  when: ara.deployment.server == 'apache'
+
+- name: restart nginx
   become: true
+  service:
+    name: nginx
+    state: restarted
+  when: ara.deployment.server == 'nginx'
 
 - name: restart ara
+  become: true
   service:
     name: ara
     state: restarted
-  become: true
+  when: ara.deployment.server == 'embedded' or
+        ara.deployment.server == 'nginx' and ara.deployment.type == 'embedded_proxy'

tasks/main.yml

@@ -65,6 +65,9 @@
     src: logrotate.conf.j2
     dest: /etc/logrotate.d/ara
 
+- name: Include web server configuration
+  include_tasks: "{{ ara.deployment.server }}/{{ ara.deployment.type }}.yml"
+
 - name: Create the ARA configuration file
   become: true
   ini_file:
@@ -79,6 +82,7 @@
   with_dict: "{{ ara.config }}"
   notify:
     - restart ara
+    - restart nginx
 
 - name: Get ARA installed location
   shell: python -c "import os,ara; print(os.path.dirname(ara.__file__))"
@@ -97,27 +101,26 @@
     - { option: callback_plugins, value: "{{ ara_location.stdout }}/plugins/callbacks" }
     - { option: action_plugins, value: "{{ ara_location.stdout }}/plugins/actions" }
 
-- name: Include web server configuration
-  include_tasks: "{{ ara.deployment.server }}/{{ ara.deployment.type }}.yml"
-
 - name: Provide web application URL
   vars:
     msg: >-
       ARA was installed succesfully !
-      The web application should now be reachable at http://{{ ara.config.host }}:{{ ara.config.port }} !
-      To customize the host and port on which the application listens to, override the defaults for the ara_host and ara_port variables.
-      Data from recorded playbooks will be available in the interface as soon as you run your first ansible-playbook command.
+      The web application should now be reachable at http://{{ ara.config.host_proxy | default(ara.config.host) }}:{{ ara.config.port_proxy | default(ara.config.port) }} !
   debug:
     msg: "{{ msg.split('\n') }}"
 
 - name: Provide instructions
   vars:
     msg: >-
-      We've set up a configuration file for you in /etc/ara/ara.cfg.
-      The ARA service is already using this configuration but you'll need to make sure Ansible is using it so that Ansible knows where ARA is located.
+      To customize the host and port on which the web application is served, supply an 'ara_override' dictionary variables with new host and port keys.
 
-      This can be done from using Ansible or the ARA CLI commands directly from that directory or by using the ANSIBLE_CONFIG environment variable, like so:
-      export ANSIBLE_CONFIG=/etc/ara/ara.cfg
-      ansible-playbook playbook.yml
+      A configuration file was set up automatically in /etc/ara/ara.cfg.
+      The ARA service is already using this configuration file but you'll need to make sure Ansible is using it so that Ansible knows where ARA is located.
+
+      This can be done by exporting the ANSIBLE_CONFIG environment variable, like so:
+      $ export ANSIBLE_CONFIG=/etc/ara/ara.cfg
+      $ ansible-playbook playbook.yml
+
+      Data from recorded playbooks will be available in the interface as soon as you run your first ansible-playbook command.
   debug:
     msg: "{{ msg.split('\n') }}"

tasks/nginx/embedded_proxy.yml

@@ -0,0 +1,41 @@
+# We're setting ara.host to localhost, there's no point in making the web
+# application listen on 0.0.0.0 or other things since it'll be proxied by nginx
+- name: Override ARA host when reverse proxying
+  vars:
+    override:
+      config:
+        host: 127.0.0.1
+        proxy_host: "{{ ara.config.host }}"
+        proxy_port: 80
+  set_fact:
+    ara: "{{ ara | combine(override, recursive=true) }}"
+
+- name: Install the embedded server service
+  include_tasks: ../embedded/standalone.yml
+
+- name: Set selinux boolean to allow nginx to reverse proxy
+  become: yes
+  seboolean:
+    name: httpd_can_network_connect
+    state: yes
+    persistent: yes
+  when: ansible_os_family == "RedHat"
+
+- name: Install nginx
+  include_tasks: install.yml
+
+- name: Set up the nginx configuration
+  template:
+    src: nginx_embedded_proxy.conf.j2
+    dest: "{{ nginx_config_path }}/ara.conf"
+  notify:
+    - restart nginx
+
+- name: Enable the nginx configuration on Debian-like systems
+  file:
+    src: "{{ nginx_config_path }}/ara.conf"
+    dest: /etc/nginx/sites-enabled/ara.conf
+    state: link
+  when: ansible_os_family == 'Debian'
+  notify:
+    - restart nginx

tasks/nginx/install.yml

@@ -0,0 +1,46 @@
+# This is designed to be as little invasive as possible since the user might
+# already be installing and configuring nginx.
+
+- when: ansible_os_family == 'RedHat'
+  block:
+    - name: Ensure EPEL is installed on RedHat distributions
+      package:
+        name: epel-release
+        state: installed
+
+    - name: Ensure the EPEL repository is enabled
+      ini_file:
+        path: /etc/yum.repos.d/epel.repo
+        section: epel
+        option: enabled
+        value: 1
+      register: epel_state
+
+- name: Install nginx
+  package:
+    name: nginx
+    state: installed
+
+# We don't want to leave EPEL enabled if it was disabled to begin with
+- name: Disable EPEL on Red Hat distributions if it was disabled
+  ini_file:
+    path: /etc/yum.repos.d/epel.repo
+    section: epel
+    option: enabled
+    value: 0
+  when:
+    - ansible_os_family == 'RedHat'
+    - epel_state is changed
+
+- name: Ensure nginx is started and enabled
+  service:
+    name: nginx
+    state: started
+    enabled: yes
+
+- name: Create the nginx cache directory
+  file:
+    path: "{{ ara.deployment.nginx.cache_directory }}"
+    state: directory
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_group }}"

templates/nginx_embedded_proxy.conf.j2

@@ -0,0 +1,31 @@
+proxy_cache_path {{ ara.deployment.nginx.cache_directory }} levels=1:2
+                 keys_zone=ara:5m max_size=1g inactive=1d use_temp_path=off;
+
+upstream ara {
+    server {{ ara.config.host }}:{{ ara.config.port }};
+}
+
+server {
+    listen {{ ara.config.proxy_port }};
+    server_name {{ ara.config.proxy_host }};
+    access_log /var/log/nginx/ara_access.log;
+    error_log /var/log/nginx/ara_error.log;
+
+    location {{ ara.config.application_root }} {
+        # Define the location of the proxy server to send the request to
+        proxy_pass http://ara;
+
+        # Redefine the header fields that NGINX sends to the upstream server
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        proxy_cache ara;
+        proxy_cache_revalidate on;
+        proxy_cache_valid any 15m;
+        proxy_cache_min_uses 1;
+        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+        proxy_cache_background_update on;
+        proxy_cache_lock on;
+    }
+}

vars/Debian.yml

@@ -32,3 +32,7 @@ apache_user: www-data
 apache_group: www-data
 apache_log_path: /var/log/apache2
 apache_config_path: /etc/apache2/sites-available
+
+nginx_user: www-data
+nginx_group: www-data
+nginx_config_path: /etc/nginx/sites-available

vars/RedHat.yml

@@ -34,3 +34,7 @@ apache_user: apache
 apache_group: apache
 apache_log_path: /var/log/httpd
 apache_config_path: /etc/httpd/conf.d
+
+nginx_user: nginx
+nginx_group: nginx
+nginx_config_path: /etc/nginx/conf.d