
feat: add nginx upstream server module

Open atammy-narmi opened this issue 11 months ago • 4 comments

Relates: https://github.com/ansibleguy/collection_opnsense/issues/64

atammy-narmi avatar Mar 20 '24 16:03 atammy-narmi

friendly ping

atammy-narmi avatar Mar 27 '24 13:03 atammy-narmi

Sorry for the delay - got pretty sick.

  1. plugins/module_utils/main/nginx_upstream_server.py: As the description is already set to required in the modules/nginx_upstream_server.py, this additional check is not needed. You may be able to remove the whole check method as it will fall back to the default module behavior.

  2. plugins/modules/nginx_upstream_server.py: Please add aliases=['name'] to the description parameter as this is a basic convention of ansible-modules.

  3. tests/nginx_upstream_server.yml: Remove the ipsec_psk tests. If not done yet - try to run the tests on your OPNSense box as seen in the developer docs

ansibleguy avatar Apr 24 '24 17:04 ansibleguy

Ooh, sorry to hear that. Hope you're better now. Thanks for the review, will do the updates this week.

atammy-narmi avatar Apr 29 '24 16:04 atammy-narmi

Thanks. I hope it is understandable how to run the tests. You could also skip the tests, but I like them as they make the maintenance easier

ansibleguy avatar May 13 '24 18:05 ansibleguy

@atammy-narmi Please contact me if there is something unclear to you.

ansibleguy avatar May 29 '24 20:05 ansibleguy

Sorry, irl work has been more pressing so this was on backburner. Will try to work some more soon.

atammy-narmi avatar Jun 10 '24 15:06 atammy-narmi

OK, I've added documentation and testing and the nginx_general module. I'm still unable to get everything to work correctly.

  • The nginx_general isn't able to disable/enable nginx. Can I get some pointers on what's wrong with it?
  • nginx_upstream will need nginx reload to work. And it seems like nginx reload isn't supported by the API and will need some kind of custom calls - https://github.com/opnsense/plugins/blob/68039e95fd92cfa8601da30e0c10f8747a6c3724/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/ServiceController.php#L32

atammy-narmi avatar Jun 17 '24 18:06 atammy-narmi

> Sorry, irl work has been more pressing so this was on backburner. Will try to work some more soon.

Understand that. I too currently am pretty held-up in some projects

ansibleguy avatar Jun 20 '24 13:06 ansibleguy

The nginx_general error was only a test-issue. The module seems to work (:

My debug workflow:

  • Disable the failed_when of the failing task
  • Add debug: true to the failing task (is a valid parameter for all of the modules of this collection - shows you some details like performed API calls)
  • Run the tests: bash scripts/test_single.sh "$TEST_FIREWALL" "$TEST_API_KEY" $(pwd) nginx_general 1
  • Analyse the debug output and fix the task or module ;b

ansibleguy avatar Jun 20 '24 13:06 ansibleguy

The service actions like restart and reload seem to be supported by the API: https://docs.opnsense.org/development/api/plugins/nginx.html#id3

You can see those API calls using the developer console.

This API can be manually triggered using the service module

But if you set debug: true on a single task - you can see that the reconfigure call is done automatically IF some config has changed:

- name: Enabling - should work
  ansibleguy.opnsense.nginx_general:
    enabled: true
    debug: true

[WARNING]: REQUEST: GET | URL: https://172.17.1.52/api/nginx/settings/get
[WARNING]: RESPONSE: '{'status_code': 200, '_request': <Request('GET', 'https://172.17.1.52/api/nginx/settings/get')>, '_num_bytes_downloaded': 840, '_elapsed': datetime.timedelta(microseconds=270299), '_content': b'{"nginx":{"general":{"enabled":"0","ban_ttl":"0"},"webgui":{"limitnetworks":"0"},"http":{"workerprocesses":"1","workerconnections":"1024","sendfile":"0","keepalive_timeout":"60","reset_timedout":"0","default_type":"","server_names_hash_bucket_size":"","server_names_hash_max_size":"","ban_response":{"403":{"value":"403 Forbidden","selected":1},"444":{"value":"444 Terminate Connection","selected":0}},"headers_more_enable":""},"userlist":[],"credential":[],"upstream":[],"upstream_server":[],"location":[],"custom_policy":[],"naxsi_rule":[],"http_server":[],"stream_server":[],"sni_hostname_upstream_map":[],"sni_hostname_upstream_map_item":[],"ip_acl":[],"ip_acl_item":[],"http_rewrite":[],"security_header":[],"limit_zone":[],"errorpage":[],"tls_fingerprint":[],"limit_request_connection":[],"ban":[],"cache_path":[],"syslog_target":[]}}'}'
[WARNING]: Field changed: 'enabled' 'False' != 'True'
[WARNING]: {'before': {'uuid': None, 'enabled': False, 'ban_ttl': 0}, 'after': {'uuid': None, 'enabled': True, 'ban_ttl': 0}}
[WARNING]: REQUEST: POST | URL: https://<IP>/api/nginx/settings/set | HEADERS: '{'Content-Type': 'application/json'}' | DATA: '{"nginx": {"general": {"enabled": 1, "ban_ttl": 0}}}'
[WARNING]: RESPONSE: '{'status_code': 200, '_request': <Request('POST', 'https://<IP>/api/nginx/settings/set')>, '_num_bytes_downloaded': 18, '_elapsed': datetime.timedelta(microseconds=127178), '_content': b'{"result":"saved"}'}'
[WARNING]: REQUEST: POST | URL: https://<IP>/api/nginx/service/reconfigure | HEADERS: '{}'
[WARNING]: RESPONSE: '{'status_code': 200, '_request': <Request('POST', 'https://<IP>/api/nginx/service/reconfigure')>, '_num_bytes_downloaded': 15, '_elapsed': datetime.timedelta(microseconds=379274), '_content': b'{"status":"ok"}'}'

This API call is related to these module variables:

API_CONT_REL = 'service'
API_CMD_REL = 'reconfigure'
# https://<IP>/api/nginx/<API_CONT_REL>/<API_CMD_REL>

ansibleguy avatar Jun 20 '24 13:06 ansibleguy
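
The get, compare, set, reconfigure sequence visible in the debug output above, as an added example that is not part of the thread or the collection's own code. `StubFirewall`, `apply_general`, `API_MOD` and `API_CONT` are hypothetical names; the paths are the ones in the logged URLs, and the stub replaces a real OPNsense box so the run is offline.

```python
API_MOD = 'nginx'            # assumption: module segment of the logged URLs
API_CONT = 'settings'        # assumption: controller of the logged get/set URLs
API_CONT_REL = 'service'     # from the comment above
API_CMD_REL = 'reconfigure'  # from the comment above


class StubFirewall:
    """Hypothetical stand-in for the OPNsense API; records every call."""

    def __init__(self, general):
        self.general = dict(general)
        self.calls = []

    def request(self, method, path, data=None):
        self.calls.append(f'{method} /api/{path}')
        if path == f'{API_MOD}/{API_CONT}/get':
            return {'nginx': {'general': dict(self.general)}}
        if path == f'{API_MOD}/{API_CONT}/set':
            new = data['nginx']['general']
            self.general.update({k: str(v) for k, v in new.items()})
            return {'result': 'saved'}
        if path == f'{API_MOD}/{API_CONT_REL}/{API_CMD_REL}':
            return {'status': 'ok'}
        raise ValueError(f'unexpected path: {path}')


def apply_general(fw, enabled, ban_ttl=0):
    """Return (changed, diff); reconfigure is only sent when a field differs."""
    raw = fw.request('GET', f'{API_MOD}/{API_CONT}/get')['nginx']['general']
    # The API returns strings ("0"/"1"), so normalise before comparing.
    before = {'enabled': raw['enabled'] == '1', 'ban_ttl': int(raw['ban_ttl'])}
    after = {'enabled': bool(enabled), 'ban_ttl': int(ban_ttl)}
    diff = {k: (before[k], after[k]) for k in after if before[k] != after[k]}
    if not diff:
        return False, diff
    general = {'enabled': int(after['enabled']), 'ban_ttl': after['ban_ttl']}
    fw.request('POST', f'{API_MOD}/{API_CONT}/set', {'nginx': {'general': general}})
    fw.request('POST', f'{API_MOD}/{API_CONT_REL}/{API_CMD_REL}')
    return True, diff


def demo():
    fw = StubFirewall({'enabled': '0', 'ban_ttl': '0'})  # constructed state
    first = apply_general(fw, enabled=True)    # differs: get, set, reconfigure
    second = apply_general(fw, enabled=True)   # already applied: get only
    return first, second, fw.calls


if __name__ == '__main__':
    print(demo())
```
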

BTW: Don't worry @superstes is my default user - just forgot to change the git config (;

ansibleguy avatar Jun 20 '24 13:06 ansibleguy

Great, thanks a bunch. That will help a lot with testing!

atammy-narmi avatar Jun 20 '24 13:06 atammy-narmi