diff --git a/.kitchen.yml b/.kitchen.yml index 134f397..2367452 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -35,6 +35,24 @@ suites: database: repo: pgdg: true + - name: server-nginx + driver: + networks: + - netdev: user,id=user,net=192.168.1.0/24,hostname=%h,hostfwd=tcp::%p-:22,hostfwd=tcp::8086-:80 + device: virtio-net-pci,netdev=user + run_list: + - recipe[zabbix::database] + - recipe[zabbix::server] + attributes: + tags: [ 'httpd' ] + zabbix: + webserver: + backend: nginx + database: + repo: + pgdg: true + php: + use_fpm: false - name: agent run_list: - recipe[zabbix::default] diff --git a/attributes/default.rb b/attributes/default.rb index 6c29830..2b28e83 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -1,8 +1,20 @@ default['zabbix']['database']['backend'] = 'postgresql' default['zabbix']['database']['repo']['pgdg'] = false default['zabbix']['webserver']['backend'] = 'apache' +default['zabbix']['webserver']['port'] = '80' default['zabbix']['php']['use_fpm'] = true default['zabbix']['php']['timezone'] = 'America/New_York' +default['zabbix']['ssl']['enable'] = false +default['zabbix']['ssl']['port'] = '443' +default['zabbix']['ssl']['cacert'] = nil +default['zabbix']['ssl']['server_cert'] = nil +default['zabbix']['ssl']['server_key'] = nil +default['zabbix']['ssl']['ssl_protocols'] = [ "TLSv1.2" ] +default['zabbix']['ssl']['ssl_ciphers'] = [ + "HIGH", + "!aNULL", + "!MD5" +] default['zabbix']['version'] = "3.0" default['zabbix']['agent_meta'] = [] diff --git a/recipes/server.rb b/recipes/server.rb index 1d504d6..7e39cf7 100644 --- a/recipes/server.rb +++ b/recipes/server.rb @@ -9,7 +9,6 @@ include_recipe 'chef-vault' include_recipe "#{cookbook_name}::database" -include_recipe 'apache2' ################################# # Include Additional Repositories @@ -84,7 +83,7 @@ directory "/etc/zabbix/web" do when 'apache' node['apache']['group'] when 'nginx' - node['nginx']['group'] + node['php']['fpm_group'] end end end 
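Review bot: In the `server-nginx` suite of `.kitchen.yml`, `hostfwd=tcp::8086-:80` leaves the host address empty, which QEMU treats as every host interface, so the test Zabbix front-end is reachable from whatever network the workstation is on rather than only from the workstation itself. Binding the forward to loopback keeps it local: `hostfwd=tcp:127.0.0.1:8086-:80`. The SSH forward on the same `netdev` line is written the same way and could be tightened with it.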
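Review bot: The new `['zabbix']['ssl']` attributes in `attributes/default.rb` carry no comment saying what `cacert`, `server_cert` and `server_key` hold, and for the key that distinction matters. The template added in this commit writes them after `ssl_certificate`, so they appear to be file paths on the node; a comment above the three lines such as `# Paths to PEM files already present on the node; never put key material in node attributes` would make that explicit. It is also worth a comment that `ssl.enable` defaults to `false`, which leaves the Zabbix login form on plain HTTP until an operator turns it on.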
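Review bot: In `recipes/server.rb` the `when 'nginx'` branch of the `/etc/zabbix/web` directory resource now takes its group from `node['php']['fpm_group']`, while the pool in `recipes/server_php.rb` runs with a hard-coded `group 'php-fpm'`; the `zabbix.conf.php` and `maintenance.inc.php` hunks make the same change. If the attribute resolves to anything other than `php-fpm`, the front-end configuration ends up group-owned by an account the pool does not run as, so either PHP cannot read it or it is readable by a group that has no need for it. One source for both would avoid that, for example `group node['php']['fpm_group']` in the pool together with the matching user attribute, or the literal `'php-fpm'` in these three branches. The resources start above the hunks, so their `mode` is not visible here and should be checked alongside.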
@@ -117,7 +116,7 @@ template "/etc/zabbix/web/zabbix.conf.php" do when 'apache' node['apache']['group'] when 'nginx' - node['nginx']['group'] + node['php']['fpm_group'] end end end @@ -144,7 +143,7 @@ template "/etc/zabbix/web/maintenance.inc.php" do when 'apache' node['apache']['group'] when 'nginx' - node['nginx']['group'] + node['php']['fpm_group'] end end end diff --git a/recipes/server_nginx.rb b/recipes/server_nginx.rb index f9e3b46..262b3cf 100644 --- a/recipes/server_nginx.rb +++ b/recipes/server_nginx.rb @@ -9,24 +9,26 @@ ######################### # Setup and Install nginx +node.default['nginx']['default_site_enabled'] = false include_recipe 'chef_nginx' nginx_site "zabbix" do - tname = node['zabbix']['php']['use_fpm'] ? "zabbix-fpm" : "zabbix-fcgi" - template %W{ - nginx/#{node['platform']}/#{node['platform_version'].to_i}/#{tname}.conf.erb - nginx/#{node['platform']}/#{tname}.conf.erb - nginx/#{node['platform_family']}/#{node['platform_version'].to_i}/#{tname}.conf.erb - nginx/#{node['platform_family']}/#{tname}.conf.erb - nginx/default/#{tname}.conf.erb - nginx/#{tname}.conf.erb - } + template 'nginx/zabbix.conf.erb' variables({ :params => { - :server_port => node['nginx']['port'], - :server_name => "#{node['fqdn']}, zabbix.#{node['domain']}", - :docroot => '/usr/share/zabbix', - + :server_port => node['zabbix']['webserver']['port'], + :ssl_port => node['zabbix']['ssl']['port'], + :server_name => [ "#{node['fqdn']}, zabbix.#{node['domain']}" ], + :docroot => '/usr/share/zabbix', + :cacert => node['zabbix']['ssl']['cacert'], + :server_cert => node['zabbix']['ssl']['server_cert'], + :server_key => node['zabbix']['ssl']['server_key'], + :ssl_proto => node['zabbix']['ssl']['ssl_protocols'], + :ssl_ciphers => node['zabbix']['ssl']['ssl_ciphers'] } }) end + +file "/etc/nginx/conf.d/default.conf" do + action :delete +end diff --git a/recipes/server_php.rb b/recipes/server_php.rb index 388b1b9..0fc8edd 100644 --- a/recipes/server_php.rb 
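Review bot: `recipes/server_nginx.rb` hands `server_cert` and `server_key` to the template unchecked, and both default to `nil`, so enabling `ssl.enable` without them renders `ssl_certificate ;` and the failure only surfaces when nginx reloads. A guard before `nginx_site` would stop the converge with a clear message, for example `raise 'zabbix ssl enabled but server_cert/server_key not set' if node['zabbix']['ssl']['enable'] && !(node['zabbix']['ssl']['server_cert'] && node['zabbix']['ssl']['server_key'])`. Separately, `:server_name` is an array holding one string that already contains `, `; nginx separates names with spaces, so the comma becomes part of the first name, and `[node['fqdn'], "zabbix.#{node['domain']}"]` with a space join in the template would give two clean names. `:cacert` is passed but the new template never reads it.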
+++ b/recipes/server_php.rb @@ -54,7 +54,7 @@ php_fpm_pool 'zabbix' do listen '127.0.0.1:9001' user 'php-fpm' group 'php-fpm' - chdir '/usr/share/zabbix' + #chdir '/usr/share/zabbix' max_children 50 start_servers 5 min_spare_servers 5 @@ -78,5 +78,5 @@ php_fpm_pool 'zabbix' do 'php_value[always_populate_raw_post_data]' => '-1' }) action :install - only_if { node['zabbix']['php']['use_fpm'] } + only_if { node['zabbix']['php']['use_fpm'] || node['zabbix']['webserver']['backend'] == 'nginx' } end diff --git a/templates/nginx/zabbix-fpm.conf.erb b/templates/nginx/zabbix-fpm.conf.erb deleted file mode 100644 index 1501c5c..0000000 --- a/templates/nginx/zabbix-fpm.conf.erb +++ /dev/null @@ -1,52 +0,0 @@ -upstream php-handler { -<% if node['zabbix']['php']['use_fpm'] %> - server 127.0.0.1:9001; -<% else %> - server unix:/var/run/php5-fpm.sock; -<% end %> -} - -#server { -# server_name zabbix.example.com; -# return 301 https://zabbix.example.com$request_uri; -#} - -server { - listen 80; - server_name zabbix.example.com; - access_log /var/log/nginx/zabbix.log; - error_log /var/log/nginx/zabbix.error; - #ssl on; - #ssl_certificate /etc/ssl/certs/zabbix.crt; - #ssl_certificate_key /etc/ssl/private/zabbix.key; - root /var/www/zabbix/; - index index.php index.html; - client_max_body_size 5m; - client_body_buffer_size 128k; - - location ~ \.php$ { - location ~ [^/]\.php(/|$) { - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - if (!-f $document_root$fastcgi_script_name) { - return 404; - } - #fastcgi_pass unix:/var/run/zabbix.socket; - fastcgi_pass php-handler; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param SCRIPT_NAME $fastcgi_script_name; - } - - location ~* \.(jpg|jpeg|png|gif|css|js|ico)$ { - expires max; - log_not_found off; - } - - location ~ /\.ht { - deny all; - } - - location ~ /\. { - deny all; - } -} 
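Review bot: The first `recipes/server_php.rb` hunk disables `chdir` by commenting it out, which leaves dead code with no reason given, so the next reader cannot tell whether it is safe to restore. Either delete the line or record the reason beside it, e.g. `# chdir disabled: <reason>`. In the second hunk the widened `only_if` installs the pool for every nginx backend, and the pool's context line `listen '127.0.0.1:9001'` is a TCP listener that any local process can connect to; a unix socket restricted to the web server's user would narrow that, although it goes beyond what this commit changes. The `php_fpm_pool` block starts and ends outside both hunks.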
diff --git a/templates/nginx/zabbix.conf.erb b/templates/nginx/zabbix.conf.erb new file mode 100644 index 0000000..5dd6466 --- /dev/null +++ b/templates/nginx/zabbix.conf.erb @@ -0,0 +1,62 @@ +upstream php-handler { + server 127.0.0.1:9001; +} + +<% if node['zabbix']['ssl']['enable'] %> +server { + listen <%= @params['server_port'] %> default_server; + listen [::]:<%= @params['server_port'] %> default_server; + server_name _; + return 301 https://$host:<%= @params['ssl_port'] %>$request_uri; +} +<% end %> + +server { +<% if node['zabbix']['ssl']['enable'] %> + listen <%= @params[:ssl_port] %> default_server; + listen [::]:<%= @params[:ssl_port] %> default_server; +<% else %> + listen <%= @params[:server_port] %> default_server; + listen [::]:<%= @params[:server_port] %> default_server; +<% end %> + server_name <%= [@params[:server_name]].flatten.join ", " %>; + access_log /var/log/nginx/zabbix.log; + error_log /var/log/nginx/zabbix.error; +<% if node['zabbix']['ssl']['enable'] %> + ssl on; + ssl_certificate <%= @params[:server_cert] %>; + ssl_certificate_key <%= @params[:server_cert] %>; + ssl_protocols <%= [@params[:ssl_proto]].flatten.join " " %>; + #ssl_ciphers <%= [@params[:ssl_ciphers]].flatten.join ":" %>; +<% end %> + root <%= @params[:docroot] %>; + index index.php index.html; + client_max_body_size 5m; + client_body_buffer_size 128k; + + #location ~ \.php$ { + location ~ [^/]\.php(/|$) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + #fastcgi_pass unix:/var/run/zabbix.socket; + fastcgi_pass php-handler; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + } + + location ~* \.(jpg|jpeg|png|gif|css|js|ico)$ { + expires max; + log_not_found off; + } + + location ~ /\.ht { + deny all; + } + + location ~ /\. { + deny all; + } +}
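Review bot: In the new `templates/nginx/zabbix.conf.erb`, `ssl_certificate_key` is rendered from `@params[:server_cert]`, so the `server_key` attribute is never used and nginx is pointed at the certificate as its private key; the line should read `ssl_certificate_key <%= @params[:server_key] %>;`. The redirect block at the top looks up `@params['server_port']` and `@params['ssl_port']` with string keys while the recipe builds the hash with symbol keys, so those values most likely render empty; use `@params[:server_port]` and `@params[:ssl_port]` as the second server block does. The `ssl_ciphers` line is emitted behind a `#`, which means the `ssl_ciphers` attribute has no effect and nginx falls back to its built-in cipher list. `ssl on;` is deprecated in newer nginx releases in favour of `listen <port> ssl`, so the flag is better placed on the two TLS `listen` lines.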