Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nginx_locations appearing in the wrong location in the config file #1142

Closed
martinrw opened this issue Nov 6, 2017 · 6 comments
Closed

nginx_locations appearing in the wrong location in the config file #1142

martinrw opened this issue Nov 6, 2017 · 6 comments
Labels
bug Something isn't working

Comments

@martinrw
Copy link
Contributor

martinrw commented Nov 6, 2017

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 4.10.8
  • Ruby:
  • Distribution: Centos 7.4
  • Module version: 0.8.0

How to reproduce (e.g Puppet code you use)

In the Puppet manifest:

class { 'nginx': }

In the Hiera yaml file:

nginx::nginx_servers:
  redirect:
    listen_port: 443
    ssl: true
    ssl_cert: '/etc/pki/tls/certs/xxx.cert.pem'
    ssl_key: '/etc/pki/tls/private/xxx.key.pem'
nginx::nginx_locations:
  block:
    location: '^/api/(.*)$'
    server: redirect
    location_cfg_append:
      deny: all
  activation:
    server: redirect
    location_cfg_append:
      rewrite: '^/(.*) https://xxx.xxx.net/xxx/ permanent'

What are you seeing

In the nginx config file that gets output the locations are appearing above the sever declaration and causing nginx not to start

  location activation {
    index     index.html index.htm index.php;
    rewrite ^/(.*) https://xxx.xxx/xxx/ permanent;
  }

  location ^/api/(.*)$ {
    index     index.html index.htm index.php;
    deny all;
  }
# MANAGED BY PUPPET
server {
  listen       *:443 ssl;

...
...

What behaviour did you expect instead

Locations should be inside the server block

Output log

errors from the puppet run:

systemd[1]: Starting nginx - high performance web server...
nginx[26287]: nginx: [emerg] "location" directive is not allowed here in /etc/nginx/sites-enabled/redirect.conf:2

Any additional information you'd like to impart
@wyardley
Copy link
Collaborator

wyardley commented Nov 6, 2017

If you set ssl_only on the locations, I think it will work; following works for me on current master in the acceptance test beaker:

nginx::nginx_servers:
  redirect:
    ssl_port: 443
    listen_port: 443
    use_default_location: false
    ssl: true
    ssl_cert: /etc/pki/tls/certs/blah.cert
    ssl_key: /etc/pki/tls/private/blah.key

nginx::nginx_locations:
  block:
    ssl_only: true
    location: '^/api/(.*)$'
    server: redirect
    location_cfg_append:
      deny: all
  activation:
    ssl_only: true
    server: redirect
    location_cfg_append:
      rewrite: '^/(.*) https://xxx.xxx.net/xxx/ permanent'

I do seem to be able to reproduce this problem. FWIW, this (though less in line with the documentation on how to do it, but also supported) seems to also work:

---
nginx::nginx_servers:
  'redirect.example.com':
    listen_port: 443
    ssl: true
    ssl_cert: /etc/pki/tls/certs/blah.cert
    ssl_key: /etc/pki/tls/private/blah.key
    locations:
      '^/api/(.*)$':
        location_cfg_append:
          deny: all
      activation:
        location_cfg_append:
[...]

@wyardley wyardley added the bug Something isn't working label Nov 6, 2017
@wyardley
Copy link
Collaborator

wyardley commented Nov 6, 2017

It seems like there's some logic in the server manifest that affects the create_resources() call on nginx::resource::location when it's called indirectly:
https://github.com/voxpupuli/puppet-nginx/blob/master/manifests/resource/server.pp#L325-L327
https://github.com/voxpupuli/puppet-nginx/blob/master/manifests/resource/server.pp#L452

Otherwise, the priority is wrong when calling nginx::resource::location directly without ssl_only. I'm not sure if this is going to be easy to fix there, though, since location.pp doesn't know what context it's in.

https://github.com/voxpupuli/puppet-nginx/blob/master/manifests/resource/location.pp#L279-L297

@martinrw
Copy link
Contributor Author

martinrw commented Nov 7, 2017

Thanks for the suggestion, by including ssl_only: true It worked.

My hiera yaml looks like this now:

nginx::nginx_servers:
  redirect:
    listen_port: 443
    ssl: true
    ssl_cert: '/etc/pki/tls/certs/xxx.cert.pem'
    ssl_key: '/etc/pki/tls/private/xxx.key.pem'
    location_cfg_append:
      rewrite: '^/(.*) https://xxx.xxx.net/activation/ permanent'
nginx::nginx_locations:
  block:
    location: '^/api/(.*)$'
    ssl_only: true
    server: redirect
    location_cfg_append:
      deny: all

@wyardley
Copy link
Collaborator

wyardley commented Nov 8, 2017

I'm going to close this issue; I'd love to see a better fix for this, but I'm not clear how it could be implemented when calling the locations this way.

@wyardley wyardley closed this as completed Nov 8, 2017
@lesinigo
Copy link

FYI this is the same behavior (location outside server) and has the same workaround (explicitly setting ssl_only) as #648

But I did not compare the two in details so I'm not saying that I'm sure it is the very same problem :)

@dutchwhizzman dutchwhizzman mentioned this issue Nov 5, 2018
Open
@linusbrimstedtellos
Copy link

Hello,
I experienced the same problem and the ssl_only workaround worked. I suggest a documentation note about this here:

puppet-nginx/manifests/resource/location.pp

Line 2 in f6e3c3f

#

Perhaps something like:

Note that if your server is ssl_only, your location needs to be ssl_only as well. See #1142 for more info.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@lesinigo @wyardley @martinrw @linusbrimstedtellos