Install and configure Nginx
Apply configuration to add request time to the access log. Creates virtual hosts for each Keystone service. Enables SSL termination within Nginx. The uWSGI sockets are updated to match the Keystone developer docs to improve consistency of experience for operators. No Shibboleth integration is included; for this reason no additional Nginx restarts are introduced yet for changes in Federation configuration. Change-Id: Iec42810be7ff6d05fa38deb23996e66e0c34da8e Related: blueprint keystone-uwsgi
This commit is contained in:
parent
812ea82d71
commit
4edb378b1e
|
@ -184,6 +184,15 @@ keystone_httpd_mpm_thread_child: 25
|
|||
keystone_httpd_mpm_max_requests: 150
|
||||
keystone_httpd_mpm_max_conn_child: 0
|
||||
|
||||
## Nginx setup
|
||||
keystone_nginx_access_log_format_combined: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'
|
||||
keystone_nginx_access_log_format_extras: '$request_time $upstream_response_time'
|
||||
keystone_nginx_ports:
|
||||
keystone-wsgi-public: "{{ keystone_service_port }}"
|
||||
keystone-wsgi-admin: "{{ keystone_admin_port }}"
|
||||
keystone_nginx_extra_conf:
|
||||
- keepalive_timeout 70;
|
||||
|
||||
## uWSGI setup
|
||||
keystone_wsgi_public_program_name: keystone-wsgi-public
|
||||
keystone_wsgi_admin_program_name: keystone-wsgi-admin
|
||||
|
@ -191,8 +200,12 @@ keystone_wsgi_program_names:
|
|||
- "{{ keystone_wsgi_public_program_name }}"
|
||||
- "{{ keystone_wsgi_admin_program_name }}"
|
||||
keystone_uwsgi_ports:
|
||||
keystone-wsgi-public: 37358
|
||||
keystone-wsgi-admin: 37359
|
||||
keystone-wsgi-public:
|
||||
http: 37358
|
||||
socket: 35358
|
||||
keystone-wsgi-admin:
|
||||
http: 37359
|
||||
socket: 5001
|
||||
|
||||
# set keystone_ssl to true to enable SSL configuration on the keystone containers
|
||||
keystone_ssl: false
|
||||
|
|
|
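Review bot: `keystone_nginx_ports` and `keystone_uwsgi_ports` are keyed by the literal strings `keystone-wsgi-public` / `keystone-wsgi-admin`, while the same names are exposed as overridable variables (`keystone_wsgi_public_program_name`, `keystone_wsgi_admin_program_name`) and the templates look ports up with `keystone_uwsgi_ports[item]` and `keystone_nginx_ports[item]` over `keystone_wsgi_program_names`; an operator who overrides a program name gets an undefined-key failure at template time. As far as I know Ansible does not template mapping keys in vars files, so the practical fix is a comment over each map, e.g. `# Keys must match the entries of keystone_wsgi_program_names.` It would also help to state over `keystone_nginx_ports` that these listeners are plaintext unless `keystone_ssl` is true (the default at the end of the hunk is `false`), since they carry the public and admin Keystone APIs.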
@ -24,6 +24,16 @@
|
|||
delay: 2
|
||||
when: keystone_apache_mod_wsgi_enabled | bool
|
||||
|
||||
- name: Restart Nginx
|
||||
service:
|
||||
name: nginx
|
||||
state: restarted
|
||||
register: keystone_restart
|
||||
until: keystone_restart | success
|
||||
retries: 5
|
||||
delay: 2
|
||||
when: not keystone_apache_mod_wsgi_enabled | bool
|
||||
|
||||
- name: Restart Keystone APIs
|
||||
service:
|
||||
name: "{{ item }}"
|
||||
|
|
|
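Review bot: The new `Restart Nginx` handler uses `state: restarted`, which drops in-flight requests to both Keystone endpoints every time a vhost, log-format or certificate change notifies it, although nginx applies such changes with a graceful reload; `state: reloaded` keeps the listening sockets and existing connections. A reload does fail if the service is not yet running, so keep a start path for first install. Related: none of the visible tasks or handlers set `enabled: true` for nginx, and on RHEL packaging the service is neither started nor enabled on install as far as I know, so after a reboot Keystone would be unreachable; a `service: name=nginx state=started enabled=true` task in `keystone_nginx.yml` would cover both cases.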
@ -43,6 +43,17 @@
|
|||
with_items: "{{ keystone_apache_packages }}"
|
||||
when: keystone_apache_mod_wsgi_enabled | bool
|
||||
|
||||
- name: Install Nginx apt packages
|
||||
apt:
|
||||
pkg: "{{ item }}"
|
||||
state: "{{ keystone_package_state }}"
|
||||
register: install_packages
|
||||
until: install_packages|success
|
||||
retries: 5
|
||||
delay: 2
|
||||
with_items: "{{ keystone_nginx_packages }}"
|
||||
when: not keystone_apache_mod_wsgi_enabled | bool
|
||||
|
||||
- name: Install IdP apt packages
|
||||
apt:
|
||||
pkg: "{{ item }}"
|
||||
|
|
|
@ -57,6 +57,17 @@
|
|||
with_items: "{{ keystone_apache_packages }}"
|
||||
when: keystone_apache_mod_wsgi_enabled | bool
|
||||
|
||||
- name: Install Nginx yum packages
|
||||
yum:
|
||||
pkg: "{{ item }}"
|
||||
state: "{{ keystone_package_state }}"
|
||||
register: install_packages
|
||||
until: install_packages|success
|
||||
retries: 5
|
||||
delay: 2
|
||||
with_items: "{{ keystone_nginx_packages }}"
|
||||
when: not keystone_apache_mod_wsgi_enabled | bool
|
||||
|
||||
- name: Install IdP yum packages
|
||||
yum:
|
||||
pkg: "{{ item }}"
|
||||
|
|
|
@ -0,0 +1,51 @@
|
|||
---
|
||||
# Copyright 2016, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Ensure Apache is not running
|
||||
service:
|
||||
name: "{{ keystone_system_service_name }}"
|
||||
state: stopped
|
||||
pattern: "{{ keystone_system_service_name }}"
|
||||
failed_when: false
|
||||
when: not keystone_apache_mod_wsgi_enabled | bool
|
||||
|
||||
- name: Disable default configuration
|
||||
file:
|
||||
path: /etc/nginx/sites-enabled/default
|
||||
state: absent
|
||||
notify: Restart Nginx
|
||||
|
||||
- name: Configure custom nginx log format
|
||||
lineinfile:
|
||||
insertbefore: access_log
|
||||
dest: "/etc/nginx/nginx.conf"
|
||||
line: "log_format custom '{{ keystone_nginx_access_log_format_combined }} {{ keystone_nginx_access_log_format_extras }}';"
|
||||
notify: Restart Nginx
|
||||
|
||||
# Configure app
|
||||
- name: Configure virtual hosts
|
||||
template:
|
||||
src: keystone_nginx.conf.j2
|
||||
dest: "/etc/nginx/sites-available/{{ item }}.conf"
|
||||
with_items: keystone_wsgi_program_names
|
||||
notify: Restart Nginx
|
||||
|
||||
- name: Link to enable virtual hosts
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/{{ item }}.conf"
|
||||
path: "/etc/nginx/sites-enabled/{{ item }}.conf"
|
||||
state: link
|
||||
with_items: keystone_wsgi_program_names
|
||||
notify: Restart Nginx
|
|
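Review bot: `Configure custom nginx log format` uses `lineinfile` without a `regexp`, so it matches only the exact rendered line; when `keystone_nginx_access_log_format_combined` or `_extras` is later changed, a second `log_format custom ...` line is inserted and nginx refuses to start with a duplicate `log_format` name. Add `regexp: '^\s*log_format custom '` so the existing line is replaced in place. Separately, `Ensure Apache is not running` only stops the service and masks failures with `failed_when: false`; adding `enabled: false` keeps Apache from coming back on reboot and racing nginx for `keystone_service_port`. The two `with_items: keystone_wsgi_program_names` should also be quoted Jinja, `with_items: "{{ keystone_wsgi_program_names }}"`, as bare variables in loops are deprecated.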
@ -101,6 +101,12 @@
|
|||
- keystone-config
|
||||
when: keystone_apache_mod_wsgi_enabled | bool
|
||||
|
||||
- include: keystone_nginx.yml
|
||||
tags:
|
||||
- keystone-install
|
||||
- keystone-config
|
||||
when: not keystone_apache_mod_wsgi_enabled | bool
|
||||
|
||||
- include: keystone_uwsgi.yml
|
||||
tags:
|
||||
- keystone-install
|
||||
|
|
|
@ -5,7 +5,8 @@ gid = {{ keystone_system_group_name }}
|
|||
|
||||
virtualenv = /openstack/venvs/keystone-{{ keystone_venv_tag }}
|
||||
wsgi-file = {{ keystone_bin }}/{{ item }}
|
||||
http = 0.0.0.0:{{ keystone_uwsgi_ports[item] }}
|
||||
http = :{{ keystone_uwsgi_ports[item]['http'] }}
|
||||
socket = 127.0.0.1:{{ keystone_uwsgi_ports[item]['socket'] }}
|
||||
|
||||
master = true
|
||||
enable-threads = true
|
||||
|
|
|
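Review bot: `http = :{{ keystone_uwsgi_ports[item]['http'] }}` binds the plaintext uWSGI HTTP listener on all interfaces (the replaced `0.0.0.0:` form did the same), while the new `socket` line is correctly limited to `127.0.0.1`. With this commit nginx becomes the TLS-terminating and logging front end, so ports 37358/37359 are a second, unencrypted and unlogged path to the same Keystone endpoints, and any network filtering between clients and the containers would have to block them. If nothing outside the host consumes the uWSGI HTTP port, bind it to loopback too, `http = 127.0.0.1:{{ keystone_uwsgi_ports[item]['http'] }}`, or drop the `http` line when nginx is the configured front end.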
@ -0,0 +1,34 @@
|
|||
# {{ ansible_managed }}
|
||||
server {
|
||||
|
||||
listen {{ keystone_nginx_ports[item] }};
|
||||
|
||||
{% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" %}
|
||||
ssl on;
|
||||
ssl_protocols {{ keystone_ssl_protocol }};
|
||||
ssl_certificate {{ keystone_ssl_cert }};
|
||||
ssl_certificate_key {{ keystone_ssl_key }};
|
||||
ssl_trusted_certificate {{ keystone_ssl_ca_cert }};
|
||||
ssl_ciphers {{ keystone_ssl_cipher_suite }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:2m;
|
||||
ssl_session_timeout 2m;
|
||||
{%- endif %}
|
||||
|
||||
{% for line in keystone_nginx_extra_conf %}
|
||||
{{ line }}
|
||||
{%- endfor %}
|
||||
|
||||
access_log /var/log/nginx/{{ item }}-access.log custom;
|
||||
error_log /var/log/nginx/{{ item }}-error.log info;
|
||||
|
||||
location / {
|
||||
try_files $uri @yourapplication;
|
||||
}
|
||||
|
||||
location @yourapplication {
|
||||
include uwsgi_params;
|
||||
uwsgi_pass 127.0.0.1:{{ keystone_uwsgi_ports[item]['socket'] }};
|
||||
uwsgi_param SCRIPT_NAME {{ item }};
|
||||
}
|
||||
}
|
|
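Review bot: `location / { try_files $uri @yourapplication; }` checks the filesystem before proxying, and with no `root` set in this server block the check runs against nginx's compiled-in default document root, so any file that exists there (the stock `index.html`, for example) is served in place of the Keystone response; an API endpoint should proxy unconditionally. Replace `try_files $uri @yourapplication;` with the three directives of the `@yourapplication` block and drop the named location (the placeholder name itself reads as a copy-paste leftover). `ssl_trusted_certificate` is only consulted for OCSP stapling and client-certificate verification, neither of which is enabled here, and it is never sent to clients, so the intermediate chain must be appended to the `keystone_ssl_cert` file for clients to validate the certificate. Also `uwsgi_param SCRIPT_NAME {{ item }}` sets the WSGI mount point to the program name without a leading slash; I would expect Keystone to build self-links with that prefix, so confirm against a `GET /v3` response and use `/` (or drop the param) if so.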
@ -42,6 +42,9 @@ keystone_apache_packages:
|
|||
- httpd
|
||||
- httpd-tools
|
||||
|
||||
keystone_nginx_packages:
|
||||
- nginx
|
||||
|
||||
keystone_idp_packages:
|
||||
- xmlsec1
|
||||
|
||||
|
|
|
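Review bot: `nginx` is not shipped in the base RHEL/CentOS 7 repositories as far as I know (it comes from EPEL or the nginx.org repository), so `Install Nginx yum packages` will fail unless an earlier task outside this diff configures that repository. Apache is in the base repository, so this is a new deployment prerequisite specific to the nginx path; if the role does not own the repository setup, document it over the list: `# Requires EPEL or the upstream nginx repository on RHEL 7.`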
@ -38,6 +38,9 @@ keystone_apache_packages:
|
|||
- apache2-utils
|
||||
- libapache2-mod-wsgi
|
||||
|
||||
keystone_nginx_packages:
|
||||
- nginx-full
|
||||
|
||||
# The old name has been deprecated, remove the variables with the deprecation filers and change the package variable names.
|
||||
_keystone_idp_packages:
|
||||
- ssl-cert
|
||||
|
|
|
@ -35,6 +35,9 @@ keystone_apache_packages:
|
|||
- apache2-utils
|
||||
- libapache2-mod-wsgi
|
||||
|
||||
keystone_nginx_packages:
|
||||
- nginx-full
|
||||
|
||||
keystone_idp_packages:
|
||||
- ssl-cert
|
||||
- xmlsec1
|
||||
|
|