• 使用ansible的playbook创建指定的www站点nginx和apache配置


    [root@ws_monitoring ansible]# more README.TXT
    1. 该ansible脚本集成了常用的一些功能
    创建 web/cbs/store/download 站点

    2.hosts采用分组,并对分组进行了加密,需要输入密码才能编辑

    使用示例:创建cbs 站点
    ansible-playbook cbs.yaml --ask-vault-pass

    3.使用方法
    创建 cbs 示例
    如果要创建 cbs.chinasoft.com 这个站点

    修改如下内容 roles/cbs/vars/main.yaml 变量中的 cbs_domain_name 为 需要创建的域名即可(顶级域名)
    # vim roles/cbs/vars/main.yaml
    cbs_domain_name: chinasoft.com

    # cd /usr/local/src/ansible
    # 创建 www 站点
    # ansible-playbook chinasoft_co.yaml --ask-vault-pass

    ansible-vault加密工具使用方法


    # ansible对文件进行加密
    ansible-vault encrypt /usr/local/src/ansible/hosts

    # 查看加密文件
    [root@node1 ansible]# ansible-vault view hosts
    Vault password:
    # Example inventory from the README: the two hosts in [webservers] are listed
    # without per-host connection variables.
    [webservers]
    localhost
    10.11.0.215

    # NOTE(review): the connection settings carry a shared root password inline
    # (ansible_ssh_pass='root'). ansible-vault protects this file at rest only;
    # anyone holding the vault password learns the root password of every node.
    # SSH key auth (ansible_ssh_private_key_file) with a non-root ansible_user plus
    # become gives the same workflow without distributing a root password.
    [nodes]
    node01 ansible_host=10.11.0.210 ansible_port=22 ansible_user=root ansible_ssh_pass='root'
    node02 ansible_host=10.11.0.215 ansible_port=22 ansible_user=root ansible_ssh_pass='root'

    # 编辑加密文件
    [root@node1 ansible]# ansible-vault edit hosts
    Vault password:

    # ansible-playbook 结合 ansible-vault,和之前用法一样,只是加一个 --ask-vault-pass 参数输入密码即可
    ansible-playbook wondershare_co.yaml --ask-vault-pass


    4.目录说明:

    ansible的文件目录列表
    ├── cbs.yaml    # 创建 cbs 站点入口文件
    ├── download.yaml    # 创建download 站点入口文件
    ├── hosts
    ├── roles
    │   ├── cbs
    │   │   ├── handlers
    │   │   │   └── main.yml
    │   │   ├── tasks
    │   │   │   ├── commom.yaml
    │   │   │   └── main.yaml
    │   │   ├── templates
    │   │   │   ├── cbs_apache_chinasoft.co.conf.j2
    │   │   │   ├── cbs_nginx_index.html.j2
    │   │   │   ├── cbs_nginx_chinasoft.co.conf.j2
    │   │   │   ├── cbs_rewrite_chinasoft.co.conf.j2
    │   │   │   ├── cbs_chinasoft_co_jp.crt.j2
    │   │   │   ├── cbs_chinasoft_co_jp.key.j2
    │   │   │   └── nginx_config_grammaer_check_test_and_reload.sh.j2
    │   │   └── vars
    │   │       └── main.yaml
    ...
    ├── store.yaml    # 创建购物车的入口文件
    └── chinasoft_co.yaml    # 创建www站点入口文件

    1.ansible的目录结构

    [root@ws_monitoring ansible]# tree
    .
    ├── cbs.yaml
    ├── download.yaml
    ├── hosts
    ├── README.TXT
    ├── roles
    │   ├── cbs
    │   │   ├── handlers
    │   │   │   └── main.yml
    │   │   ├── tasks
    │   │   │   ├── commom.yaml
    │   │   │   └── main.yaml
    │   │   ├── templates
    │   │   │   ├── cbs_apache_chinasoft.co.conf.j2
    │   │   │   ├── cbs_domain_check.sh.j2
    │   │   │   ├── cbs_nginx_index.html.j2
    │   │   │   ├── cbs_nginx_chinasoft.co.conf.j2
    │   │   │   ├── cbs_rewrite_chinasoft.co.conf.j2
    │   │   │   ├── cbs_chinasoft_co_jp.crt.j2
    │   │   │   ├── cbs_chinasoft_co_jp.key.j2
    │   │   │   └── nginx_config_grammaer_check_test_and_reload.sh.j2
    │   │   └── vars
    │   │       └── main.yaml
    │   ├── download
    │   │   ├── tasks
    │   │   │   ├── commom.yaml
    │   │   │   └── main.yaml
    │   │   ├── templates
    │   │   │   ├── dl_apache_htaccess.j2
    │   │   │   ├── dl_apache_chinasoft.co.conf.j2
    │   │   │   ├── dl_download_new.php.j2
    │   │   │   ├── dl_nginx_index.html.j2
    │   │   │   ├── dl_nginx_chinasoft.co.conf.j2
    │   │   │   ├── dl_rewrite_chinasoft.co.conf.j2
    │   │   │   ├── dl_chinasoft_co_jp.crt.j2
    │   │   │   └── dl_chinasoft_co_jp.key.j2
    │   │   └── vars
    │   │       └── main.yaml
    │   ├── store
    │   │   ├── tasks
    │   │   │   ├── commom.yaml
    │   │   │   └── main.yaml
    │   │   ├── templates
    │   │   │   ├── sto_apache_chinasoft.co.conf.j2
    │   │   │   ├── sto_chinasoft_com.crt.j2
    │   │   │   ├── sto_chinasoft_com.key.j2
    │   │   │   ├── sto_nginx_index.html.j2
    │   │   │   ├── sto_nginx_chinasoft.co.conf.j2
    │   │   │   ├── sto_rewrite_chinasoft.co.conf.j2
    │   │   │   ├── sto_chinasoft_co_jp.crt.j2
    │   │   │   └── sto_chinasoft_co_jp.key.j2
    │   │   └── vars
    │   │       └── main.yaml
    │   └── chinasoft_co
    │       ├── tasks
    │       │   ├── commom.yaml
    │       │   └── main.yaml
    │       ├── templates
    │       │   ├── apache_chinasoft.co.conf.j2
    │       │   ├── nginx_index.html.j2
    │       │   ├── nginx_chinasoft.co.conf.j2
    │       │   ├── rewrite_chinasoft.co.conf.j2
    │       │   ├── chinasoft_co_jp.crt.j2
    │       │   ├── chinasoft_co_jp.key.j2
    │       │   ├── chinasoft_kr.crt.j2
    │       │   ├── chinasoft_kr.key.j2
    │       │   ├── chinasoft_net.crt.j2
    │       │   └── chinasoft_net.key.j2
    │       └── vars
    │           └── main.yaml
    ├── store.yaml
    └── chinasoft_co.yaml

    2.编辑hosts目标服务器文件

    [root@ws_monitoring ansible]# ansible-vault view hosts
    Vault password: 
    # Inventory used by the entry playbooks: each playbook targets one of the
    # *_servers / ws_www_webs groups below. Every group currently holds the same two
    # nodes with identical connection settings; defining the hosts once in [nodes]
    # and making the other groups children of it ("[cbs_servers:children]" followed
    # by "nodes") would avoid repeating the credentials five times.
    # NOTE(review): ansible_ssh_pass='root' puts a shared root password in the
    # inventory. Vault only protects it at rest; anyone with the vault password
    # learns it. SSH key auth (ansible_ssh_private_key_file) with a non-root
    # ansible_user and become is the usual alternative.
    [nodes]
    node01 ansible_host=10.11.0.210 ansible_port=22 ansible_user=root ansible_ssh_pass='root'
    node02 ansible_host=10.11.0.215 ansible_port=22 ansible_user=root ansible_ssh_pass='root'
    
    [cbs_servers]
    node01 ansible_host=10.11.0.210 ansible_port=22 ansible_user=root ansible_ssh_pass='root'
    node02 ansible_host=10.11.0.215 ansible_port=22 ansible_user=root ansible_ssh_pass='root'
    
    [store_servers]
    node01 ansible_host=10.11.0.210 ansible_port=22 ansible_user=root ansible_ssh_pass='root'
    node02 ansible_host=10.11.0.215 ansible_port=22 ansible_user=root ansible_ssh_pass='root'
    
    [download_servers]
    node01 ansible_host=10.11.0.210 ansible_port=22 ansible_user=root ansible_ssh_pass='root'
    node02 ansible_host=10.11.0.215 ansible_port=22 ansible_user=root ansible_ssh_pass='root'
    
    [ws_www_webs]
    node01 ansible_host=10.11.0.210 ansible_port=22 ansible_user=root ansible_ssh_pass='root'
    node02 ansible_host=10.11.0.215 ansible_port=22 ansible_user=root ansible_ssh_pass='root'

    3.入口yaml文件

    创建 www 站点

    [root@ws_monitoring ansible]# more chinasoft_co.yaml 
    # Entry playbook for the www sites: runs the chinasoft_co role on every host in
    # the ws_www_webs inventory group. remote_user is already root, so
    # become/become_method/become_user change nothing here; gather_facts is off, so
    # the role must not rely on ansible_* facts.
    - hosts: ws_www_webs
      remote_user: root
      become: yes
      become_method: sudo
      become_user: root
      gather_facts: no
      tasks:
        - import_role:
            name: chinasoft_co
        # Kept for reference. uniconverter and shopcart are not present in the
        # roles/ tree shown above and would have to be added before enabling them.
        #- import_role:
        #    name: download
        #- import_role:
        #    name: store
        #- import_role:
        #    name: uniconverter
        #- import_role:
        #    name: shopcart
    cbs 站点
    [root@ws_monitoring ansible]# more cbs.yaml 
    # Entry playbook for the cbs site: runs the cbs role on the cbs_servers group.
    # remote_user is already root, so the become settings are effectively no-ops;
    # gather_facts is off, so the role must not rely on ansible_* facts.
    - hosts: cbs_servers
      remote_user: root
      become: yes
      become_method: sudo
      become_user: root
      gather_facts: no
      tasks:
        - import_role:
            name: cbs
    
    store 站点
    [root@ws_monitoring ansible]# more store.yaml 
    # Entry playbook for the store site: runs the store role on the store_servers
    # group. Same connection settings as the other entry playbooks (root login,
    # redundant become, no fact gathering).
    - hosts: store_servers
      remote_user: root
      become: yes
      become_method: sudo
      become_user: root
      gather_facts: no
      tasks:
        - import_role:
            name: store
    
    download 站点
    [root@ws_monitoring ansible]# more download.yaml 
    # Entry playbook for the download site: runs the download role on the
    # download_servers group. Same connection settings as the other entry playbooks
    # (root login, redundant become, no fact gathering).
    - hosts: download_servers
      remote_user: root
      become: yes
      become_method: sudo
      become_user: root
      gather_facts: no
      tasks:
        - import_role:
            name: download

    # 参数配置

    [root@ws_monitoring ansible]# more roles/chinasoft_co/vars/main.yaml
    # Variables for the chinasoft_co (www) role.
    domain_name: chinasoft.com.br   # every vhost is <item>.<domain_name>; the 'www' item is the bare domain
    is_ori_needed: true             # also add the ori-<item>.<domain_name> alias (CDN origin) to each vhost
    
    
    # Only referenced by the commented-out backup tasks in tasks/commom.yaml.
    backup_dest_path: /opt
    
    nginx_dest_path: /usr/local/nginx/conf/vhost.d
    rewrite_nginx_dest_path: /usr/local/nginx/conf/rewrite.d
    http_dest_path: /usr/local/httpd-2.2.26/conf/vhost.d
    http_data_dest_path: /data/www/vhosts
    # NOTE(review): the "Checking certification path" task hard-codes this same
    # path instead of using the variable; keep the two in sync if it changes.
    certification_dest_path: /usr/local/nginx/conf/cert2016
    
    # Not referenced by the visible tasks; production_list below drives the loops.
    production_download: download
    production_store: store
    production_shopcart: shopcart
    production_uniconverter: uniconverter
    # One nginx vhost, rewrite file, apache vhost and docroot is created per entry.
    production_list:
      #- www
      #- images
      #- filmora
      #- pdf
      - recoverit
      #- drfone
      #- static-fr
      #- static-de
      #- static-es
      #- static-it
      #- static-pt

    模板项目:
    # apache 的模板

    [root@ws_monitoring ansible]# more roles/chinasoft_co/templates/apache_chinasoft.co.conf.j2 
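    # Apache vhost for one production site ({{item.item}}.{{domain_name}}), rendered
    # once per production_list entry by tasks/commom.yaml. It listens on 8080
    # without TLS; presumably nginx (php_pool upstream) sits in front of it — confirm.
    <VirtualHost *:8080>
            ServerName   {{item.item}}.{{domain_name}}
            ## for CDN Origin_site
            {% if is_ori_needed %}ServerAlias  ori-{{item.item}}.{{domain_name}}{% endif %}
            {# ServerAlias  downpool.{{domain_name}} #}
            {# ServerAlias  ssl-{{item.item}}.{{domain_name}} #}
    
            UseCanonicalName Off
            ServerAdmin  "admin@chinasoft.com"
            DocumentRoot /data/www/vhosts/{{item.item}}.{{domain_name}}/httpdocs
            DirectoryIndex index.html index.shtml index.php
            CustomLog "|/usr/local/apache2/bin/rotatelogs -l /data/www/logs/apache_log/access/{{item.item}}.{{domain_name}}_access.log.%Y-%m-%d 86400" combined
            ErrorLog "|/usr/local/apache2/bin/rotatelogs -l /data/www/logs/apache_log/error/{{item.item}}.{{domain_name}}_error.log.%Y-%m-%d 86400"
            <IfModule mod_ssl.c>
                    SSLEngine off
            </IfModule>
            <Directory /data/www/vhosts/{{item.item}}.{{domain_name}}/httpdocs/>
            <IfModule sapi_apache2.c>
                    php_admin_flag engine on
                    php_admin_flag safe_mode on
                    php_admin_value open_basedir ".:/data/www/vhosts/{{item.item}}.{{domain_name}}:/tmp"
            </IfModule>
            <IfModule mod_php5.c>
                    php_admin_flag engine on
                    php_admin_flag safe_mode on
                    php_admin_value open_basedir ".:/data/www/vhosts/{{item.item}}.{{domain_name}}:/tmp"
            </IfModule>
             # Options must be either all relative (+/-) or all absolute. The original
             # "-ExecCGI FollowSymLinks +Includes" mixed the two forms, which httpd
             # documents as invalid syntax (2.4 refuses to start on it).
             # NOTE(review): with ExecCGI disabled, +IncludesNOEXEC is the consistent
             # choice unless SSI "#exec" is actually needed.
             Options -ExecCGI +FollowSymLinks +Includes
             # Any .htaccess under the (apache-owned) docroot can override these settings.
             AllowOverride All
            </Directory>
        Alias /servers "/data/www/vhosts/www_servers"
        <Directory "/data/www/vhosts/www_servers/">
        Options -ExecCGI +FollowSymLinks +Includes
        AllowOverride All
        </Directory>
    ErrorDocument 404 /404.html
    
    </VirtualHost>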

    # nginx 的配置模板

    [root@ws_monitoring ansible]# more roles/chinasoft_co/templates/nginx_chinasoft.co.conf.j2 
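    # nginx vhost for one production site, rendered once per production_list entry
    # by tasks/commom.yaml. The 'www' entry is served as the bare domain_name, every
    # other entry as <item>.<domain_name>. php_pool and proxy_params are expected to
    # exist in the main nginx configuration; this role does not ship them.
    server {
        listen 80;
        server_name            {% if item.item == 'www'  %}{{domain_name}} {% endif %}{{item.item}}.{{domain_name}} {% if is_ori_needed  %}ori-{{item.item}}.{{domain_name}}{% endif %};
    
        index                  index.html index.shtml index.php ;
        include                rewrite.d/{% if item.item == 'www'  %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}.conf ;
        root                   /data/www/vhosts/{% if item.item == 'www'  %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}/httpdocs ;
    
        access_log             /data/www/logs/nginx_log/access/{% if item.item == 'www'  %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}_access.log main ;
        error_log              /data/www/logs/nginx_log/error/{% if item.item == 'www'  %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}_error.log ;
        error_page  404 403             /404.html;
    
        # Plain HTTP is redirected to HTTPS. A server-level rewrite with "permanent"
        # runs before location matching, so the if/location blocks below are never
        # reached on this listener; they only mirror the :443 server.
        rewrite ^/(.*)$ https://{% if item.item == 'www'  %}www.{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}/$1 permanent;
    
        if ($http_user_agent ~ Ezooms) {
            return 403;
        }
    
        # Dot escaped: the original ".(htaccess|...)" matched any character.
        location ~ \.(htaccess|htpasswd|ini|sh)$ {
            deny all;
        }
    
        location ~ \.php$ {
            proxy_pass http://php_pool;
            include proxy_params;
            expires -1;
        }
    
        location / {
            include proxy_params;
            # Initialise so nginx does not log "using uninitialized variable" on the
            # first set; the 1/2 prefixes yield "21" only when neither a directory
            # nor a file matches, and only then is the request handed to PHP.
            set $flag "";
            if (!-d $request_filename){
                set $flag 1$flag;
            }
            if (!-f $request_filename){
                set $flag 2$flag;
            }
            if ($flag = "21"){
                proxy_pass http://php_pool;
                expires -1;
            }
        }
    }
    
    server {
        # "listen ... ssl" replaces the "ssl on;" directive, deprecated since nginx
        # 1.15 and later removed; behaviour is the same.
        listen 443 ssl;
        server_name             {% if item.item == 'www'  %}{{domain_name}} {% endif %}{{ item.item }}.{{domain_name}} {% if is_ori_needed  %}ori-{{ item.item }}.{{domain_name}}{% endif %};
    
        # The dot must be escaped: regex_replace('.', '_') replaced every character
        # and produced a file name made only of underscores, which never matches the
        # <domain_with_underscores>.crt/.key that tasks/commom.yaml deploys.
        ssl_certificate         cert2016/{{domain_name|regex_replace('\.', '_')}}.crt;
        ssl_certificate_key     cert2016/{{domain_name|regex_replace('\.', '_')}}.key;
        ssl_dhparam             cert2016/dh_2048.pem;
        ssl_session_timeout     5m;
        # NOTE(review): TLS 1.0/1.1 are deprecated (RFC 8996) and the suite list
        # still admits 3DES (DES-CBC3-SHA). "ssl_protocols TLSv1.2;" and dropping
        # DES-CBC3-SHA is the usual hardening once legacy clients are ruled out.
        ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers             "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
        ssl_prefer_server_ciphers       on;
    
        # NOTE(review): a wildcard origin lets any web page read responses from this
        # host in the browser; narrow it if anything served here is not public.
        add_header              'Access-Control-Allow-Origin' '*';
    
        access_log              /data/www/logs/nginx_log/access/{% if item.item == 'www'  %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}_access.log main ;
        error_log               /data/www/logs/nginx_log/error/{% if item.item == 'www'  %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}_error.log ;
        root                    /data/www/vhosts/{% if item.item == 'www'  %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}/httpdocs ;
        index                   index.html index.shtml index.php ;
        include                 rewrite.d/{% if item.item == 'www'  %}{{ domain_name }}{% else %}{{ item.item }}.{{domain_name}}{% endif %}.conf ;
        error_page  404 403     /404.html;
    
        if ($http_user_agent ~ Ezooms) {
            return 403;
        }
    
        location ~ \.(htaccess|htpasswd|ini|sh)$ {
            deny all;
        }
    
        location ~ \.php$ {
            proxy_pass http://php_pool;
            include proxy_params;
            expires -1;
        }
    
        location / {
            include proxy_params;
            set $flag "";
            if (!-d $request_filename){
                set $flag 1$flag;
            }
            if (!-f $request_filename){
                set $flag 2$flag;
            }
            if ($flag = "21"){
                proxy_pass http://php_pool;
                expires -1;
            }
        }
    }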

    # index.html 首页模板

    [root@ws_monitoring ansible]# more roles/chinasoft_co/templates/nginx_index.html.j2 
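    {# Placeholder index page written to a new docroot; the original left the h1 unclosed. #}
    <h1>this is {{ item.item }}.{{domain_name}} on the server </h1>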

    # 默认跳转规则模板

    [root@ws_monitoring ansible]# more roles/chinasoft_co/templates/rewrite_chinasoft.co.conf.j2 
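    {# Rewrite rules included by both the :80 and :443 server blocks of the vhost. #}
    {% if item.item == 'www'  %}
    # Bare domain -> canonical www host. The domain is regex-escaped so its dots
    # match literally instead of any character.
    if ($host ~* ^{{ domain_name | regex_escape() }}$){ rewrite ^(.*)$ https://www.{{domain_name}}$1 permanent;}
    {% endif %}
    # Strip a trailing index.html / indice.html so each page has one canonical URL
    # (dots escaped; the originals matched any character before "html").
    if ($request_uri ~ ^/(.*)/(index|indice)\.(html)) { rewrite ^/(.*)/(index|indice)\.(html) /$1   permanent;}
    if ($request_uri ~ ^/(index|indice)\.html) { rewrite    ^       / permanent;}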
    
    # 主要的任务规则
    [root@ws_monitoring ansible]# more roles/chinasoft_co/tasks/main.yaml 
    # Role entry point: all work is in commom.yaml (the file really is spelled that way).
    - name: Deploy common site
      import_tasks: commom.yaml
    
    [root@ws_monitoring ansible]# more roles/chinasoft_co/tasks/commom.yaml 
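    # Task list for the chinasoft_co (www) role. Each "Checking ... if exists" task
    # stats the target once per production_list entry and registers the results; the
    # matching "upload" task loops over those results and renders the template only
    # where the file is absent. Consequence: editing a template never updates a file
    # that already exists on the node — delete it (or drop the when:) to redeploy.
    # The 'www' entry maps to the bare domain_name, every other entry to
    # <item>.<domain_name>.
    #- name : let shell command result registe to be current time
    #    command : "echo `date +%Y%m%d%H%M%S`"
    #    register : current_time
    #
    #- name: Copy multiple files in Ansible with different permissions
    #  copy:
    #    src: "{{ item.src }}"
    #    dest: "{{ item.dest }}"
    #    mode: "{{ item.mode }}"
    #  with_items:
    #    - { src: "{{nginx_dest_path}}",dest: "{{backup_dest_path}}/{{current_time}}", mode: '0644'}
    #    - { src: "{{rewrite_nginx_dest_path}}",dest: "{{backup_dest_path}}/{{current_time}}", mode: '0644'}
    #    - { src: "{{certification_dest_path}}",dest: "{{backup_dest_path}}/{{current_time}}", mode: '0644'}
    #    - { src: "{{http_dest_path}}",dest: "{{backup_dest_path}}/{{current_time}}", mode: '0644'}
    
    - name: Checking nginx configuration file if exists
      stat:
        path: "{{nginx_dest_path}}/{%if item == 'www' %}{{domain_name}}.conf{% else %}{{item}}.{{domain_name}}.conf{% endif %}"
      register: nginx_ws_cn_fcheck
      with_items: "{{ production_list }}"
    
    # NOTE(review): the vhost files below are owned by the web-server user (apache)
    # but are included by the nginx/httpd master processes, which normally run as
    # root. A compromise of the web account could then alter server configuration;
    # root:root with mode 0644 is the usual choice for config the service only reads.
    - name: upload nginx configuration file to server
      template:
        src: nginx_chinasoft.co.conf.j2
        dest: "{{nginx_dest_path}}/{%if item.item == 'www' %}{{domain_name}}.conf{% else %}{{item.item}}.{{domain_name}}.conf{% endif %}"
        owner: apache
        group: users
        mode: '0644'
      when: not item.stat.exists
      with_items: "{{ nginx_ws_cn_fcheck.results}}"
    
    
    - name: Checking nginx's rewrite rule file if exists
      stat:
        path: "{{rewrite_nginx_dest_path}}/{%if item == 'www' %}{{domain_name}}.conf{% else %}{{item}}.{{domain_name}}.conf{% endif %}"
      register: rewrite_ws_fcheck
      with_items: "{{ production_list }}"
    
    - name: upload nginx's rewrite rule file to server
      template:
        src: rewrite_chinasoft.co.conf.j2
        dest: "{{rewrite_nginx_dest_path}}/{%if item.item == 'www' %}{{domain_name}}.conf{% else %}{{item.item}}.{{domain_name}}.conf{% endif %}"
        owner: apache
        group: users
        mode: '0644'
      when: not item.stat.exists
      with_items: "{{ rewrite_ws_fcheck.results}}"
    
    
    - name: Checking apache configuration file if exists
      stat:
        path: "{{http_dest_path}}/{%if item == 'www' %}{{domain_name}}.conf{% else %}{{item}}.{{domain_name}}.conf{% endif %}"
      register: apache_ws_fcheck
      with_items: "{{ production_list }}"
    
    - name: upload apache configuration file to server
      template:
        src: apache_chinasoft.co.conf.j2
        dest: "{{http_dest_path}}/{%if item.item == 'www' %}{{domain_name}}.conf{% else %}{{item.item}}.{{domain_name}}.conf{% endif %}"
        owner: apache
        group: users
        mode: '0644'
      when: not item.stat.exists
      with_items: "{{ apache_ws_fcheck.results}}"
    
    # The docroot is created unconditionally; file/state=directory is idempotent.
    - name: Checking web data httpdocs and create if not exists
      file:
        path: "{{http_data_dest_path}}/{%if item == 'www' %}{{domain_name}}{% else %}{{item}}.{{domain_name}}{% endif %}/httpdocs"
        state: directory
        owner: apache
        group: users
        mode: '0755'
      with_items: "{{ production_list }}"
    
    #- name: Checking data link and create if not exists
    #  file:
    #    src: "{{http_data_dest_path}}/download.{{domain_name}}.conf/httpdocs"
    #    dest: "{{http_data_dest_path}}/download.{{domain_name}}.conf/httpdocs/cbs_down"
    #    state: link
    #    owner: apache
    #    group: users
    #    mode: 0755
    
    - name: Checking data index.html and create if not exists
      stat:
        path: "{{http_data_dest_path}}/{%if item == 'www' %}{{domain_name}}{% else %}{{item}}.{{domain_name}}{% endif %}/httpdocs/index.html"
      register: apache_data_ws_fcheck
      with_items: "{{ production_list }}"
    
    - name: upload www test data file to server
      template:
        src: nginx_index.html.j2
        dest: "{{http_data_dest_path}}/{%if item.item == 'www' %}{{domain_name}}{% else %}{{item.item}}.{{domain_name}}{% endif %}/httpdocs/index.html"
        owner: apache
        group: users
        mode: '0644'
      when: not item.stat.exists
      with_items: "{{ apache_data_ws_fcheck.results}}"
    
    
    # Uses the role variable instead of repeating its value, so the directory and
    # the dest of the next task cannot drift apart.
    - name: Checking certification path if not exists
      file:
        path: "{{ certification_dest_path }}"
        state: directory
        owner: root
        group: root
        mode: '0755'
    
    # The private key is rendered root-owned with mode 0600 — the nginx master
    # process (root) is its only reader — instead of the world-readable 0644 the
    # original gave both files. The items use YAML single quotes because "\." inside
    # a double-quoted scalar is an invalid YAML escape and the file fails to parse;
    # inside the Jinja expression "\." stays a literal regex dot.
    - name: upload certification file to server
      template:
        src: "{{ item.src }}"
        dest: "{{ certification_dest_path }}/{{ item.dest }}"
        owner: root
        group: root
        mode: "{{ item.mode }}"
      with_items:
        - { src: '{{ domain_name | regex_replace("\.", "_") }}.crt.j2', dest: '{{ domain_name | regex_replace("\.", "_") }}.crt', mode: '0644' }
        - { src: '{{ domain_name | regex_replace("\.", "_") }}.key.j2', dest: '{{ domain_name | regex_replace("\.", "_") }}.key', mode: '0600' }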

     # cbs相关的目录结构

    [root@ws_monitoring roles]# tree cbs/
    cbs/
    ├── handlers
    │   └── main.yml
    ├── tasks
    │   ├── commom.yaml
    │   └── main.yaml
    ├── templates
    │   ├── cbs_apache_chinasoft.com.conf.j2
    │   ├── cbs_domain_check.sh.j2
    │   ├── cbs_nginx_index.html.j2
    │   ├── cbs_nginx_chinasoft.com.conf.j2
    │   ├── cbs_rewrite_chinasoft.com.conf.j2
    │   ├── cbs_chinasoft.com_jp.crt.j2
    │   ├── cbs_chinasoft.com_jp.key.j2
    │   └── nginx_config_grammaer_check_test_and_reload.sh.j2
    └── vars
        └── main.yaml

    # 变量配置

    [root@ws_monitoring cbs]# more vars/main.yaml 
    # Variables for the cbs role. The cbs_ prefix presumably keeps them apart from the
    # chinasoft_co role's domain_name / is_ori_needed — confirm.
    cbs_domain_name: chinasoft.com.jp   # site is <cbs_production_name>.<cbs_domain_name>
    cbs_is_ori_needed: false            # no ori-<site> alias in the nginx server_name
    
    cbs_nginx_dest_path: /usr/local/nginx/conf/vhost.d
    cbs_rewrite_nginx_dest_path: /usr/local/nginx/conf/rewrite.d
    # Apache is not deployed by this role (its tasks in tasks/commom.yaml are
    # commented out), so the path stays disabled.
    #cbs_http_dest_path: /usr/local/httpd-2.2.26/conf/vhost.d
    cbs_http_data_dest_path: /data/www/vhosts
    cbs_certification_dest_path: /usr/local/nginx/conf/cert2016
    # Install directory for the two helper scripts; the handlers run them from here.
    shell_dest_path: /usr/local/worksh
    nginx_check_shell_name: nginx_config_grammaer_check_test_and_reload
    cbs_domain_check_shell_name: cbs_domain_check 
    
    #cbs_production_store: store
    #cbs_production_shopcart: shopcart
    #cbs_production_uniconverter: uniconverter
    cbs_production_name: cbs

    # apache相关的配置

    [root@ws_monitoring cbs]# more templates/cbs_apache_chinasoft.com.conf.j2 
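    # Apache vhost template for the cbs site. The role's variables are the cbs_*
    # names in vars/main.yaml; the original referenced sto_* names that the cbs role
    # does not define and so could not have rendered. The task that deploys this
    # file is still commented out in tasks/commom.yaml (cbs_http_dest_path too).
    <VirtualHost *:8080>
            ServerName   {{cbs_production_name}}.{{cbs_domain_name}}
            ## for CDN Origin_site
            {% if cbs_is_ori_needed %}ServerAlias  ori-{{cbs_production_name}}.{{cbs_domain_name}}{% endif %}
            ServerAlias  downpool.{{cbs_domain_name}}
            ServerAlias  ssl-{{cbs_production_name}}.{{cbs_domain_name}}
    
            UseCanonicalName Off
            ServerAdmin  "admin@chinasoft.comm"
            DocumentRoot /data/www/vhosts/{{cbs_production_name}}.{{cbs_domain_name}}/httpdocs
            DirectoryIndex index.html index.shtml index.php
            CustomLog "|/usr/local/apache2/bin/rotatelogs -l /data/www/logs/apache_log/access/{{cbs_production_name}}.{{cbs_domain_name}}_access.log.%Y-%m-%d 86400" combined
            ErrorLog "|/usr/local/apache2/bin/rotatelogs -l /data/www/logs/apache_log/error/{{cbs_production_name}}.{{cbs_domain_name}}_error.log.%Y-%m-%d 86400"
            <IfModule mod_ssl.c>
                    SSLEngine off
            </IfModule>
            <Directory /data/www/vhosts/{{cbs_production_name}}.{{cbs_domain_name}}/httpdocs/>
            <IfModule sapi_apache2.c>
                    php_admin_flag engine on
                    php_admin_flag safe_mode on
                    php_admin_value open_basedir ".:/data/www/vhosts/{{cbs_production_name}}.{{cbs_domain_name}}:/tmp"
            </IfModule>
            <IfModule mod_php5.c>
                    php_admin_flag engine on
                    php_admin_flag safe_mode on
                    php_admin_value open_basedir ".:/data/www/vhosts/{{cbs_production_name}}.{{cbs_domain_name}}:/tmp"
            </IfModule>
             # Options must be either all relative (+/-) or all absolute; the original
             # mixed forms, which httpd documents as invalid syntax.
             # NOTE(review): with ExecCGI disabled, +IncludesNOEXEC is the consistent
             # choice unless SSI "#exec" is actually needed.
             Options -ExecCGI +FollowSymLinks +Includes
             AllowOverride All
            </Directory>
    ErrorDocument 404 /404.html
    
    </VirtualHost>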

    # 首页模板

    [root@ws_monitoring cbs]# more templates/cbs_nginx_index.html.j2 
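    {# Placeholder index page for the cbs site; the original left the h1 unclosed. #}
    <h1>this is {{ cbs_production_name }}.{{cbs_domain_name}} on the server </h1>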

    # 检查域名绑定不同的服务器ip后是否正常

    [root@ws_monitoring cbs]# more templates/cbs_domain_check.sh.j2 
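    #!/bin/bash
    #
    # Smoke test for the cbs site: pin the site's hostname to each frontend IP in
    # turn (bypassing DNS) and issue a HEAD request over HTTPS, so a vhost or
    # certificate problem on any one server is reported before traffic reaches it.
    # Rendered by Ansible; the {{ }} values come from roles/cbs/vars/main.yaml.
    # Exits 1 on the first failing server, 0 when all respond.
    set -u
    
    # "ip:label" pairs. The addresses here are presumably placeholders — confirm.
    cbs_servers=(
      "1.1.1.1:ws_cbs_frontend_web01"
      "1.1.1.2:ws_cbs_frontend_web02"
    )
    # The original omitted the dot between the two parts, so it probed
    # "{{cbs_production_name}}{{cbs_domain_name}}" rather than the real host name
    # used by the nginx server_name.
    site="{{cbs_production_name}}.{{cbs_domain_name}}"
    
    for cbs_server in "${cbs_servers[@]}"; do
      ip=${cbs_server%:*}
      server_name=${cbs_server#*:}
      # --fail turns HTTP >= 400 into a non-zero exit (the original only detected
      # transport/TLS failures); --max-time keeps one hung server from blocking
      # the whole check (15 s is an arbitrary choice).
      if curl --silent --show-error --fail --head --max-time 15 \
           --resolve "${site}:443:${ip}" "https://${site}/" >/dev/null; then
        printf '%s-%s is ok\n' "${server_name}" "${ip}"
      else
        printf '%s-%s config error\n' "${server_name}" "${ip}" >&2
        exit 1
      fi
    done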

    # nginx 相关配置

    [root@ws_monitoring cbs]# more templates/cbs_nginx_chinasoft.com.conf.j2 
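    # nginx vhost for the cbs site (<cbs_production_name>.<cbs_domain_name>), rendered
    # by tasks/commom.yaml. PHP is handed to php-fpm over a unix socket; the two
    # server blocks differ only in TLS.
    server {
        listen 80;
        server_name     {{cbs_production_name}}.{{cbs_domain_name}} {% if cbs_is_ori_needed  %}ori-{{cbs_production_name}}.{{cbs_domain_name}}{% endif %};
        # The original also had "access_log on;". "on" is not a keyword for this
        # directive (only "off" is), so nginx treated it as a relative path and
        # opened a second log file named "on" under its prefix directory.
        access_log      /data/www/logs/nginx_log/access/{{ cbs_production_name }}.{{cbs_domain_name}}_access.log main ;
        error_log       /data/www/logs/nginx_log/error/{{ cbs_production_name }}.{{cbs_domain_name}}_error.log ;
        # Docroot is deliberately fixed: all cbs applications share cbs.chinasoft.comm
        # (see the note in tasks/commom.yaml), so no per-domain directory exists.
        root            /data/www/vhosts/cbs.chinasoft.comm/httpdocs ;
        index           index.html index.shtml index.php ;
        include         rewrite.d/{{ cbs_production_name }}.{{cbs_domain_name}}.conf ;
    
        if ($http_user_agent ~ Ezooms) {
            return 403;
        }
    
        # Dot escaped: the original ".(htaccess|...)" matched any character.
        location ~ \.(htaccess|htpasswd|ini|sh)$ {
            deny all;
        }
    
        location ~ \.php$ {
            # Only hand php-fpm scripts that exist on disk. This guards against the
            # cgi.fix_pathinfo path-splitting problem, where a request ending in
            # ".php" could otherwise get a non-PHP file executed.
            try_files      $uri =404;
            # NOTE(review): a socket in world-writable /tmp is reachable by every
            # local user; /run or /var/run is the conventional location.
            fastcgi_pass   unix:/tmp/php-cgi.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
    
        location ^~ /logs {
            deny all;
        }
    }
    
    server {
        listen 443 ssl;
    
        # Dots must be escaped: regex_replace('.', '_') replaced every character and
        # produced a file name made only of underscores, which never matches the
        # <domain_with_underscores>.crt/.key that tasks/commom.yaml deploys.
        ssl_certificate         cert2016/{{cbs_domain_name|regex_replace('\.', '_')}}.crt;
        ssl_certificate_key     cert2016/{{cbs_domain_name|regex_replace('\.', '_')}}.key;
        ssl_dhparam             cert2016/dh_2048.pem;
    
        ssl_session_timeout     5m;
        # NOTE(review): TLS 1.0/1.1 are deprecated (RFC 8996) and the suite list
        # still admits 3DES (DES-CBC3-SHA). "ssl_protocols TLSv1.2;" and dropping
        # DES-CBC3-SHA is the usual hardening once legacy clients are ruled out.
        ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers             "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
        ssl_prefer_server_ciphers       on;
    
        #ssl_stapling        on;
        #ssl_stapling_verify        on;
    
        server_name     {{cbs_production_name}}.{{cbs_domain_name}} {% if cbs_is_ori_needed  %}ori-{{cbs_production_name}}.{{cbs_domain_name}}{% endif %};
        access_log      /data/www/logs/nginx_log/access/{{ cbs_production_name }}.{{cbs_domain_name}}_access.log main ;
        error_log       /data/www/logs/nginx_log/error/{{ cbs_production_name }}.{{cbs_domain_name}}_error.log ;
    
        root            /data/www/vhosts/cbs.chinasoft.comm/httpdocs ;
        index           index.html index.shtml index.php ;
        include         rewrite.d/{{ cbs_production_name }}.{{cbs_domain_name}}.conf ;
        error_page  404 403              /404.html;
    
        if ($http_user_agent ~ Ezooms) {
            return 403;
        }
    
        location ~ \.(htaccess|htpasswd|ini|sh)$ {
            deny all;
        }
    
        location ~ \.php$ {
            try_files      $uri =404;
            fastcgi_pass   unix:/tmp/php-cgi.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
    
        location ^~ /logs {
            deny all;
        }
    }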

    # 重启nginx的脚本

    [root@ws_monitoring cbs]# more templates/nginx_config_grammaer_check_test_and_reload.sh.j2 
    #!/bin/bash
    #
    # Validate the nginx configuration and reload the service only when the syntax
    # check passes; otherwise print an error and exit non-zero. Installed by the
    # cbs role and invoked by its "reload nginx" handler.
    
    # Prints the exit status of "nginx -t", then reloads (status 0) or exits 1.
    nginx_config_check_reload() {
      local rc
      /usr/local/nginx/sbin/nginx -t
      rc=$?
      echo "$rc"
      if [ "$rc" -eq 0 ]; then
        echo "  start web01 nginx reload !!!"
        /etc/init.d/nginx reload
      else
        echo "  web01 nginx configure error ... "
        exit 1
      fi
    }
    
    nginx_config_check_reload

    # 处理重启的判断

    [root@ws_monitoring cbs]# more handlers/main.yml 
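    # Handlers for the cbs role, notified by the "upload nginx configuration file"
    # task. Both run helper scripts that the role installs under shell_dest_path.
    - name: reload nginx
      shell: /bin/bash {{shell_dest_path}}/{{nginx_check_shell_name}}.sh
    
    # The script name comes from vars/main.yaml (cbs_domain_check_shell_name). The
    # original used cbs_domain_check, which is the stat result registered in
    # tasks/commom.yaml, so the path would have rendered that result, not a file name.
    - name: cbs domain check
      shell: /bin/bash {{shell_dest_path}}/{{cbs_domain_check_shell_name}}.sh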

    # 主要的站点配置逻辑入口

    [root@ws_monitoring cbs]# more tasks/main.yaml 
    # Role entry point: all work is in commom.yaml (the file really is spelled that way).
    - name: Deploy common site
      import_tasks: commom.yaml

    # 主要的站点配置逻辑

    [root@ws_monitoring cbs]# more tasks/commom.yaml 
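    # Task list for the cbs role. Pattern throughout: stat the target, register the
    # result, and render the template only when the file is absent. A template change
    # therefore never reaches a node that already has the file; remove the file (or
    # the when:) to redeploy. Only the final nginx-config task notifies handlers, so
    # they fire on the first deployment only.
    - name: "{{cbs_production_name}}=====Checking certification path if not exists"
      file:
        path: "{{ cbs_certification_dest_path }}"
        state: directory
        owner: root
        group: root
        mode: '0755'
    
    # The private key is rendered root-owned with mode 0600 — the nginx master
    # process (root) is its only reader — instead of the world-readable 0644 the
    # original gave both files. The items use YAML single quotes because "\." inside
    # a double-quoted scalar is an invalid YAML escape and the file fails to parse;
    # inside the Jinja expression "\." stays a literal regex dot.
    - name: "{{cbs_production_name}}=====upload certification file to server"
      template:
        src: "{{ item.src }}"
        dest: "{{ cbs_certification_dest_path }}/{{ item.dest }}"
        owner: root
        group: root
        mode: "{{ item.mode }}"
      with_items:
        - { src: 'cbs_{{ cbs_domain_name | regex_replace("\.", "_") }}.crt.j2', dest: '{{ cbs_domain_name | regex_replace("\.", "_") }}.crt', mode: '0644' }
        - { src: 'cbs_{{ cbs_domain_name | regex_replace("\.", "_") }}.key.j2', dest: '{{ cbs_domain_name | regex_replace("\.", "_") }}.key', mode: '0600' }
    
    
    - name: "{{cbs_production_name}}=====Checking nginx's rewrite rule file if exists"
      stat:
        path: "{{cbs_rewrite_nginx_dest_path}}/{{cbs_production_name}}.{{cbs_domain_name}}.conf"
      register: cbs_rewrite_ws_fcheck
    
    - name: "{{cbs_production_name}}=====upload nginx's rewrite rule file to server"
      template:
        src: cbs_rewrite_chinasoft.com.conf.j2
        dest: "{{cbs_rewrite_nginx_dest_path}}/{{cbs_production_name}}.{{cbs_domain_name}}.conf"
        owner: apache
        group: users
        mode: '0644'
      when: not cbs_rewrite_ws_fcheck.stat.exists
    
    
    - name: "{{shell_dest_path}}=====Checking shell directory and create if not exists"
      file:
        path: "{{shell_dest_path}}"
        state: directory
        owner: root
        group: root
        mode: '0755'
    
    - name: "{{shell_dest_path}}/{{nginx_check_shell_name}}.sh=======check nginx config shell file and create it if not exists"
      stat:
        path: "{{shell_dest_path}}/{{nginx_check_shell_name}}.sh"
      register: nginx_grammar_check
    
    # Both helper scripts are executed by the handlers as root (the play runs with
    # become). The original installed them owned by the apache user, which would let
    # the web-server account rewrite a script that root later runs; root:root, like
    # the directory above, closes that.
    - name: "upload nginx grammar check shell file to server"
      template:
        src: nginx_config_grammaer_check_test_and_reload.sh.j2
        dest: "{{shell_dest_path}}/{{nginx_check_shell_name}}.sh"
        owner: root
        group: root
        mode: '0755'
      when: not nginx_grammar_check.stat.exists
    
    - name: "{{shell_dest_path}}/{{cbs_domain_check_shell_name}}.sh=======check cbs domain check shell file and create it if not exists"
      stat:
        path: "{{shell_dest_path}}/{{cbs_domain_check_shell_name}}.sh"
      register: cbs_domain_check
    
    - name: "upload cbs domain check shell file to server"
      template:
        src: cbs_domain_check.sh.j2
        dest: "{{shell_dest_path}}/{{cbs_domain_check_shell_name}}.sh"
        owner: root
        group: root
        mode: '0755'
      when: not cbs_domain_check.stat.exists
    
    #- name: "{{sto_production_name}}=====Checking apache configuration file if exists"
    #  stat:
    #    path: "{{sto_http_dest_path}}/{{sto_production_name}}.{{sto_domain_name}}.conf"
    #  register: sto_apache_ws_fcheck
    #
    #- name: "{{sto_production_name}}=====upload apache configuration file to server"
    #  template:
    #    src: sto_apache_chinasoft.com.conf.j2
    #    dest: "{{sto_http_dest_path}}/{{sto_production_name}}.{{sto_domain_name}}.conf"
    #    owner: apache
    #    group: users
    #    mode: 0644
    #  when: not sto_apache_ws_fcheck.stat.exists
    
    # All cbs applications now share cbs.chinasoft.comm, so no per-site docroot is created.
    #- name: "{{cbs_production_name}}=====Checking web data httpdocs and create if not exists"
    #  file:
    #    path: "{{cbs_http_data_dest_path}}/{{cbs_production_name}}.{{cbs_domain_name}}/httpdocs"
    #    state: directory
    #    owner: apache
    #    group: users
    #    mode: 0755
    
    #- name: "{{sto_production_name}}=====Checking data link and create if not exists"
    #  file:
    #    src: "{{sto_http_data_dest_path}}/{{sto_production_name}}.{{sto_domain_name}}/httpdocs"
    #    dest: "{{sto_http_data_dest_path}}/{{sto_production_name}}.{{sto_domain_name}}/httpdocs/cbs_down"
    #    state: link
    #    owner: apache
    #    group: users
    #    mode: 0755
    
    #- name: "{{sto_production_name}}=====Checking data index.html and create if not exists"
    #  stat:
    #    path: "{{sto_http_data_dest_path}}/{{sto_production_name}}.{{sto_domain_name}}/httpdocs/index.html"
    #  register: sto_apache_data_ws_fcheck
    #
    #- name: "{{sto_production_name}}=====upload www test data file to server"
    #  template:
    #    src: sto_nginx_index.html.j2
    #    dest: "{{sto_http_data_dest_path}}/{{sto_production_name}}.{{sto_domain_name}}/httpdocs/index.html"
    #    owner: apache
    #    group: users
    #    mode: 0644
    #  when: not sto_apache_data_ws_fcheck.stat.exists
    
    - name: "{{cbs_production_name}}=====Checking nginx configuration file if exists"
      stat:
        path: "{{cbs_nginx_dest_path}}/{{cbs_production_name}}.{{cbs_domain_name}}.conf"
      register: cbs_nginx_ws_fcheck
    
    # NOTE(review): the vhost file is owned by the web user but included by the nginx
    # master process, which normally runs as root; root:root 0644 would keep the web
    # account from editing server configuration.
    - name: "{{cbs_production_name}}=====upload nginx configuration file to server"
      template:
        src: cbs_nginx_chinasoft.com.conf.j2
        dest: "{{cbs_nginx_dest_path}}/{{cbs_production_name}}.{{cbs_domain_name}}.conf"
        owner: apache
        group: users
        mode: '0644'
      when: not cbs_nginx_ws_fcheck.stat.exists
      # A mapping key may appear only once. The original had two notify: keys, so
      # Ansible warns about the duplicate and keeps just the last handler; a list
      # notifies both.
      notify:
        - reload nginx
        - cbs domain check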
  • 原文地址:https://www.cnblogs.com/reblue520/p/13220587.html