From 2b9dde6016a94b352340768288caca3916ba994b Mon Sep 17 00:00:00 2001 From: jack Date: Thu, 4 Aug 2016 22:58:29 +0300 Subject: [PATCH] mod_pagespeed #5 --- config.cfg | 15 +- digitalocean.yml | 5 - features.yml | 64 +++++- inventory_users | 1 + templates/000-default.conf.j2 | 11 + templates/pagespeed.conf.j2 | 369 ++++++++++++++++++++++++++++++++++ templates/ports.conf.j2 | 13 ++ templates/privoxy_config.j2 | 2 + 8 files changed, 459 insertions(+), 21 deletions(-) create mode 100644 templates/000-default.conf.j2 create mode 100644 templates/pagespeed.conf.j2 create mode 100644 templates/ports.conf.j2 diff --git a/config.cfg b/config.cfg index 6fd84bf..bfd3aa2 100644 --- a/config.cfg +++ b/config.cfg @@ -5,17 +5,22 @@ easyrsa_ca_expire: 3650 easyrsa_cert_expire: 3650 easyrsa_p12_export_password: vpn -# if True re-init all existing certificates. -easyrsa_reinit_existent: True +# If True re-init all existing certificates. (True or False) +easyrsa_reinit_existent: False +vpn_network: 10.19.48.0/24 +vpn_network_ipv6: 'fd9d:bc11:4021:69ce::/64' +server_name: "{{ ansible_ssh_host }}" + +# Enable this variable if you want to use a local DNS resolver to block ads while surfing. (True or False) +service_dns: True + +# If you don't want to use a local DNS resolver (option `service_dns`) you need to define DNS servers in this list. dns_servers: - 8.8.8.8 - 8.8.4.4 - 2001:4860:4860::8888 - 2001:4860:4860::8844 -vpn_network: 10.19.48.0/24 -vpn_network_ipv6: 'fd9d:bc11:4021:69ce::/64' -server_name: "{{ ansible_ssh_host }}" users: - mr.smith diff --git a/digitalocean.yml b/digitalocean.yml index a435883..d46c175 100644 --- a/digitalocean.yml +++ b/digitalocean.yml @@ -46,11 +46,6 @@ prompt: "Name the vpn server:\n" default: "algo.local" private: no - - - name: "service_dns" - prompt: "Do you want to use a local DNS resolver to block ads while surfing? (Y or N)" - default: "Y" - private: no tasks: - name: "Getting your SSH key ID on Digital Ocean..." 
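Review bot: `service_dns: True` is an unquoted YAML boolean, but every condition added in features.yml tests it as a string (`service_dns == "True"` and `== "False"`), and in Jinja2 a boolean never compares equal to a string, so with this default the adblock tasks, both iptables DNS-forwarding tasks and the dnsmasq start task are all skipped, and the dnsmasq stop task is skipped too. Either quote the value here (`service_dns: "True"`) to match those comparisons, or keep the boolean and change the conditions to `when: service_dns is defined and service_dns | bool` and, for the stop task, `when: service_dns is defined and not (service_dns | bool)`. The same mismatch appears in the features.yml hunks @@ -58,13 +97,16 @@, @@ -77,7 +119,7 @@ and @@ -91,15 +133,15 @@; the "(True or False)" comments should also say whether a boolean or a quoted string is expected.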
diff --git a/features.yml b/features.yml index 03e4afe..12d7625 100644 --- a/features.yml +++ b/features.yml @@ -2,7 +2,6 @@ - name: Other features hosts: vpn-host - gather_facts: false become: true vars_files: - config.cfg @@ -17,7 +16,7 @@ - name: Loopback is running shell: ifdown lo:100 && ifup lo:100 - # Privoxy + #Privoxy - name: Install privoxy apt: name=privoxy state=latest @@ -38,6 +37,46 @@ - name: Privoxy enabled and started service: name=privoxy state=started enabled=yes + # PageSpeed + + - name: Apache installed + apt: name=apache2 state=latest + + - name: PageSpeed installed for x86_64 + apt: deb=https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_amd64.deb + when: ansible_architecture == "x86_64" + + - name: PageSpeed installed for i386 + apt: deb=https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_i386.deb + when: ansible_architecture != "x86_64" + + - name: PageSpeed configured + template: src=pagespeed.conf.j2 dest=/etc/apache2/mods-available/pagespeed.conf + notify: + - restart apache2 + + - name: Modules enabled + apache2_module: state=present name="{{ item }}" + with_items: + - proxy_http + - pagespeed + - cache + - proxy_connect + - proxy_html + - rewrite + notify: + - restart apache2 + + - name: VirtualHost configured for the PageSpeed module + template: src=000-default.conf.j2 dest=/etc/apache2/sites-enabled/000-default.conf + notify: + - restart apache2 + + - name: Apache ports configured + template: src=ports.conf.j2 dest=/etc/apache2/ports.conf + notify: + - restart apache2 + # DNS - name: Install dnsmasq 
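Review bot: The i386 install task fires on every architecture that is not x86_64 (`when: ansible_architecture != "x86_64"`), so on an ARM or other non-Intel host it would try to install the i386 package; the guard should be `when: ansible_architecture == "i386"`. Both install tasks also pull `mod-pagespeed-stable_current_*.deb` straight from a URL with `apt: deb=...`, which installs whatever file is served at that moment with no checksum or signature check; prefer registering Google's signed apt repository (`apt_key` plus `apt_repository`) and installing `mod-pagespeed-stable` from it, or fetch with `get_url` and a pinned `checksum: sha256:<PLACEHOLDER-DIGEST>` before pointing `apt: deb=` at the local file. The `apache2_module` list enables `proxy_connect` and `proxy_html` although neither is referenced by the templates in this commit; if they are needed for a later step a short comment on the task should say so, otherwise drop them to keep the exposed surface minimal.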
@@ -58,13 +97,16 @@ - name: Adblock script created copy: src=templates/adblock.sh dest=/opt/adblock.sh owner=root group=root mode=755 + when: service_dns is defined and service_dns == "True" - name: Adblock script added to cron cron: name="Adblock hosts update" minute="10" hour="2" job="/opt/adblock.sh" + when: service_dns is defined and service_dns == "True" - name: Update adblock hosts shell: > /opt/adblock.sh + when: service_dns is defined and service_dns == "True" - name: Forward all DNS requests to the local resolver iptables: @@ -77,7 +119,7 @@ to_destination: 172.16.0.1:53 notify: - save iptables - when: service_dns is defined and service_dns == "Y" # TODO: service_dns is not defined, because the variable in vars_prompt + when: service_dns is defined and service_dns == "True" - name: Forward all DNS requests to the local resolver iptables: @@ -91,15 +133,15 @@ ip_version: ipv6 notify: - save iptables - when: service_dns is defined and service_dns == "Y" + when: service_dns is defined and service_dns == "True" - name: Dnsmasq enabled and started service: name=dnsmasq state=started enabled=yes - when: service_dns is defined and service_dns == "Y" + when: service_dns is defined and service_dns == "True" - name: Dnsmasq disabled and stopped service: name=dnsmasq state=stopped enabled=no - when: service_dns is defined and service_dns == "N" + when: service_dns is defined and service_dns == "False" handlers: - name: restart privoxy @@ -109,10 +151,10 @@ service: name=dnsmasq state=restarted - name: restart apparmor - service: name=apparmor state=restarted + service: name=apparmor state=restarted + + - name: restart apache2 + service: name=apache2 state=restarted - name: save iptables - command: service netfilter-persistent save - - - + command: service netfilter-persistent save diff --git a/inventory_users b/inventory_users index cafed48..8e9e7af 100644 --- a/inventory_users +++ b/inventory_users @@ -1 +1,2 @@ [user-management] +37.139.0.99 
diff --git a/templates/000-default.conf.j2 b/templates/000-default.conf.j2
new file mode 100644
index 0000000..7aa917b
--- /dev/null
+++ b/templates/000-default.conf.j2
@@ -0,0 +1,11 @@ + + Order deny,allow + Allow from all + + RewriteEngine On + RewriteRule ^(.*)$ http://%{HTTP_HOST}$1 [NC,P] + ProxyPass / http://$1 + ProxyPassReverse / http://$1 + ProxyPreserveHost On +
diff --git a/templates/pagespeed.conf.j2 b/templates/pagespeed.conf.j2
new file mode 100644
index 0000000..3b89b75
--- /dev/null
+++ b/templates/pagespeed.conf.j2
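Review bot: `Allow from all` together with `RewriteRule ^(.*)$ http://%{HTTP_HOST}$1 [NC,P]` makes this vhost an open forward proxy: every client that can reach the listener gets each request proxied to whatever Host header it supplies. The only intended client is the local privoxy (`forward / 172.16.0.1:8080` in the privoxy hunk), which presumably connects from 127.0.0.1 or 172.16.0.1, so the access block should be `Order deny,allow`, `Deny from all`, `Allow from 127.0.0.1 172.16.0.1`, with the 172.16.0.1-only bind in ports.conf kept as the second layer. `ProxyPass / http://$1` and `ProxyPassReverse / http://$1` do not expand `$1` (ProxyPass is not a regex directive) and look inert since the rewrite already proxies every path; either remove them or add a comment explaining what they are meant to do. The VirtualHost/Proxy container lines are not visible in this rendering, so the exact scope of the access block cannot be confirmed here.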
@@ -0,0 +1,369 @@ + + # Turn on mod_pagespeed. To completely disable mod_pagespeed, you + # can set this to "off". + ModPagespeed on + + # We want VHosts to inherit global configuration. + # If this is not included, they'll be independent (except for inherently + # global options), at least for backwards compatibility. + ModPagespeedInheritVHostConfig on + + # Direct Apache to send all HTML output to the mod_pagespeed + # output handler. + AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER text/html + + # If you want mod_pagespeed process XHTML as well, please uncomment this + # line. + # AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER application/xhtml+xml + + # The ModPagespeedFileCachePath directory must exist and be writable + # by the apache user (as specified by the User directive). + ModPagespeedFileCachePath "/var/cache/mod_pagespeed/" + + # LogDir is needed to store various logs, including the statistics log + # required for the console. + ModPagespeedLogDir "/var/log/pagespeed" + + # The locations of SSL Certificates is distribution-dependent. + ModPagespeedSslCertDirectory "/etc/ssl/certs" + + + # If you want, you can use one or more memcached servers as the store for + # the mod_pagespeed cache. + # ModPagespeedMemcachedServers localhost:11211 + + # A portion of the cache can be kept in memory only, to reduce load on disk + # (or memcached) from many small files. + # ModPagespeedCreateSharedMemoryMetadataCache "/var/cache/mod_pagespeed/" 51200 + + # Override the mod_pagespeed 'rewrite level'. The default level + # "CoreFilters" uses a set of rewrite filters that are generally + # safe for most web pages. Most sites should not need to change + # this value and can instead fine-tune the configuration using the + # ModPagespeedDisableFilters and ModPagespeedEnableFilters + # directives, below. Valid values for ModPagespeedRewriteLevel are + # PassThrough, CoreFilters and TestingCoreFilters. 
+ # + ModPagespeedRewriteLevel CoreFilters + + ModPagespeedEnableFilters combine_heads + ModPagespeedEnableFilters combine_javascript + ModPagespeedEnableFilters convert_jpeg_to_webp + ModPagespeedEnableFilters convert_png_to_jpeg + ModPagespeedEnableFilters inline_preview_images + ModPagespeedEnableFilters make_google_analytics_async + ModPagespeedEnableFilters move_css_above_scripts + ModPagespeedEnableFilters move_css_to_head + ModPagespeedEnableFilters resize_mobile_images + ModPagespeedEnableFilters sprite_images + + ModPagespeedEnableFilters defer_iframe + ModPagespeedEnableFilters defer_javascript + ModPagespeedEnableFilters lazyload_images + + # Explicitly disables specific filters. This is useful in + # conjuction with ModPagespeedRewriteLevel. For instance, if one + # of the filters in the CoreFilters needs to be disabled for a + # site, that filter can be added to + # ModPagespeedDisableFilters. This directive contains a + # comma-separated list of filter names, and can be repeated. + # + # ModPagespeedDisableFilters rewrite_images + + # Explicitly enables specific filters. This is useful in + # conjuction with ModPagespeedRewriteLevel. For instance, filters + # not included in the CoreFilters may be enabled using this + # directive. This directive contains a comma-separated list of + # filter names, and can be repeated. + # + # ModPagespeedEnableFilters rewrite_javascript,rewrite_css + # ModPagespeedEnableFilters collapse_whitespace,elide_attributes + + # Explicitly forbids the enabling of specific filters using either query + # parameters or request headers. This is useful, for example, when we do + # not want the filter to run for performance or security reasons. This + # directive contains a comma-separated list of filter names, and can be + # repeated. 
+ # + # ModPagespeedForbidFilters rewrite_images + + # How long mod_pagespeed will wait to return an optimized resource + # (per flush window) on first request before giving up and returning the + # original (unoptimized) resource. After this deadline is exceeded the + # original resource is returned and the optimization is pushed to the + # background to be completed for future requests. Increasing this value will + # increase page latency, but might reduce load time (for instance on a + # bandwidth-constrained link where it's worth waiting for image + # compression to complete). If the value is less than or equal to zero + # mod_pagespeed will wait indefinitely for the rewrite to complete before + # returning. + # + # ModPagespeedRewriteDeadlinePerFlushMs 10 + + # ModPagespeedDomain + # authorizes rewriting of JS, CSS, and Image files found in this + # domain. By default only resources with the same origin as the + # HTML file are rewritten. For example: + # + ModPagespeedDomain * + # + # This will allow resources found on http://cdn.myhost.com to be + # rewritten in addition to those in the same domain as the HTML. + # + # Other domain-related directives (like ModPagespeedMapRewriteDomain + # and ModPagespeedMapOriginDomain) can also authorize domains. + # + # Wildcards (* and ?) are allowed in the domain specification. Be + # careful when using them as if you rewrite domains that do not + # send you traffic, then the site receiving the traffic will not + # know how to serve the rewritten content. + + # If you use downstream caches such as varnish or proxy_cache for caching + # HTML, you can configure pagespeed to work with these caches correctly + # using the following directives. Note that the values for + # ModPagespeedDownstreamCachePurgeLocationPrefix and + # ModPagespeedDownstreamCacheRebeaconingKey are deliberately left empty here + # in order to force the webmaster to choose appropriate value for these. 
+ # + # ModPagespeedDownstreamCachePurgeLocationPrefix + # ModPagespeedDownstreamCachePurgeMethod PURGE + # ModPagespeedDownstreamCacheRewrittenPercentageThreshold 95 + # ModPagespeedDownstreamCacheRebeaconingKey + + # Other defaults (cache sizes and thresholds): + # + # ModPagespeedFileCacheSizeKb 102400 + # ModPagespeedFileCacheCleanIntervalMs 3600000 + # ModPagespeedLRUCacheKbPerProcess 1024 + # ModPagespeedLRUCacheByteLimit 16384 + # ModPagespeedCssFlattenMaxBytes 102400 + # ModPagespeedCssInlineMaxBytes 2048 + # ModPagespeedCssImageInlineMaxBytes 0 + # ModPagespeedImageInlineMaxBytes 3072 + # ModPagespeedJsInlineMaxBytes 2048 + # ModPagespeedCssOutlineMinBytes 3000 + # ModPagespeedJsOutlineMinBytes 3000 + # ModPagespeedMaxCombinedCssBytes -1 + # ModPagespeedMaxCombinedJsBytes 92160 + + # Limit the number of inodes in the file cache. Set to 0 for no limit. + # The default value if this paramater is not specified is 0 (no limit). + ModPagespeedFileCacheInodeLimit 500000 + + # Bound the number of images that can be rewritten at any one time; this + # avoids overloading the CPU. Set this to 0 to remove the bound. + # + # ModPagespeedImageMaxRewritesAtOnce 8 + + # You can also customize the number of threads per Apache process + # mod_pagespeed will use to do resource optimization. Plain + # "rewrite threads" are used to do short, latency-sensitive work, + # while "expensive rewrite threads" are used for actual optimization + # work that's more computationally expensive. If you live these unset, + # or use values <= 0 the defaults will be used, which is 1 for both + # values when using non-threaded MPMs (e.g. prefork) and 4 for both + # on threaded MPMs (e.g. worker and event). These settings can only + # be changed globally, and not per virtual host. 
+ # + # ModPagespeedNumRewriteThreads 4 + # ModPagespeedNumExpensiveRewriteThreads 4 + + # Randomly drop rewrites (*) to increase the chance of optimizing + # frequently fetched resources and decrease the chance of optimizing + # infrequently fetched resources. This can reduce CPU load. The default + # value of this parameter is 0 (no drops). 90 means that a resourced + # fetched once has a 10% probability of being optimized while a resource + # that is fetched 50 times has a 99.65% probability of being optimized. + # + # (*) Currently only CSS files and images are randomly dropped. Images + # within CSS files are not randomly dropped. + # + # ModPagespeedRewriteRandomDropPercentage 90 + + # Many filters modify the URLs of resources in HTML files. This is typically + # harmless but pages whose Javascript expects to read or modify the original + # URLs may break. The following parameters prevent filters from modifying + # URLs of their respective types. + # + # ModPagespeedJsPreserveURLs on + # ModPagespeedImagePreserveURLs on + # ModPagespeedCssPreserveURLs on + + # When PreserveURLs is on, it is still possible to enable browser-specific + # optimizations (for example, webp images can be served to browsers that + # will accept them). They'll be served with Vary: Accept or Vary: + # User-Agent headers as appropriate. Note that this may require configuring + # reverse proxy caches such as varnish to handle these headers properly. + # + # ModPagespeedFilters in_place_optimize_for_browser + + # Internet Explorer has difficulty caching resources with Vary: headers. + # They will either be uncached (older IE) or require revalidation. See: + # http://blogs.msdn.com/b/ieinternals/archive/2009/06/17/vary-header-prevents-caching-in-ie.aspx + # As a result we serve them as Cache-Control: private instead by default. + # If you are using a reverse proxy or CDN configured to cache content with + # the Vary: Accept header you should turn this setting off. 
+ # + # ModPagespeedPrivateNotVaryForIE on + + # Settings for image optimization: + # + # Lossy image recompression quality (0 to 100, -1 just strips metadata): + # ModPagespeedImageRecompressionQuality 85 + # + # Jpeg recompression quality (0 to 100, -1 uses ImageRecompressionQuality): + # ModPagespeedJpegRecompressionQuality -1 + # ModPagespeedJpegRecompressionQualityForSmallScreens 70 + + ModPagespeedJpegRecompressionQuality 75 + + # + # WebP recompression quality (0 to 100, -1 uses ImageRecompressionQuality): + # ModPagespeedWebpRecompressionQuality 80 + # ModPagespeedWebpRecompressionQualityForSmallScreens 70 + # + # Timeout for conversions to WebP format, in + # milliseconds. Negative values mean no timeout is applied. The + # default value is -1: + # ModPagespeedWebpTimeoutMs 5000 + # + # Percent of original image size below which optimized images are retained: + # ModPagespeedImageLimitOptimizedPercent 100 + # + # Percent of original image area below which image resizing will be + # attempted: + # ModPagespeedImageLimitResizeAreaPercent 100 + + # Settings for inline preview images + # + # Setting this to n restricts preview images to the first n images found on + # the page. The default of -1 means preview images can appear anywhere on + # the page (if those images appear above the fold). + # ModPagespeedMaxInlinedPreviewImagesIndex -1 + + # Sets the minimum size in bytes of any image for which a low quality image + # is generated. + # ModPagespeedMinImageSizeLowResolutionBytes 3072 + + # The maximum URL size is generally limited to about 2k characters + # due to IE: See http://support.microsoft.com/kb/208427/EN-US. + # Apache servers by default impose a further limitation of about + # 250 characters per URL segment (text between slashes). + # mod_pagespeed circumvents this limitation, but if you employ + # proxy servers in your path you may need to re-impose it by + # overriding the setting here. The default setting is 1024 + # characters. 
+ # + # ModPagespeedMaxSegmentLength 250 + + # Uncomment this if you want to prevent mod_pagespeed from combining files + # (e.g. CSS files) across paths + # + # ModPagespeedCombineAcrossPaths off + + # Renaming JavaScript URLs can sometimes break them. With this + # option enabled, mod_pagespeed uses a simple heuristic to decide + # not to rename JavaScript that it thinks is introspective. + # + # You can uncomment this to let mod_pagespeed rename all JS files. + # + # ModPagespeedAvoidRenamingIntrospectiveJavascript off + + # Certain common JavaScript libraries are available from Google, which acts + # as a CDN and allows you to benefit from browser caching if a new visitor + # to your site previously visited another site that makes use of the same + # libraries as you do. Enable the following filter to turn on this feature. + # + # ModPagespeedEnableFilters canonicalize_javascript_libraries + + # The following line configures a library that is recognized by + # canonicalize_javascript_libraries. This will have no effect unless you + # enable this filter (generally by uncommenting the last line in the + # previous stanza). The format is: + # ModPagespeedLibrary bytes md5 canonical_url + # Where bytes and md5 are with respect to the *minified* JS; use + # js_minify --print_size_and_hash to obtain this data. + # Note that we can register multiple hashes for the same canonical url; + # we do this if there are versions available that have already been minified + # with more sophisticated tools. + # + # Additional library configuration can be found in + # pagespeed_libraries.conf included in the distribution. You should add + # new entries here, though, so that file can be automatically upgraded. + # ModPagespeedLibrary 43 1o978_K0_LNE5_ystNklf http://www.modpagespeed.com/rewrite_javascript.js + + # Explicitly tell mod_pagespeed to load some resources from disk. + # This will speed up load time and update frequency. 
+ # + # This should only be used for static resources which do not need + # specific headers set or other processing by Apache. + # + # Both URL and filesystem path should specify directories and + # filesystem path must be absolute (for now). + # + # ModPagespeedLoadFromFile "http://example.com/static/" "/var/www/static/" + + + # Enables server-side instrumentation and statistics. If this rewriter is + # enabled, then each rewritten HTML page will have instrumentation javacript + # added that sends latency beacons to /mod_pagespeed_beacon. These + # statistics can be accessed at /mod_pagespeed_statistics. You must also + # enable the mod_pagespeed_statistics and mod_pagespeed_beacon handlers + # below. + # + # ModPagespeedEnableFilters add_instrumentation + + # The add_instrumentation filter sends a beacon after the page onload + # handler is called. The user might navigate to a new URL before this. If + # you enable the following directive, the beacon is sent as part of an + # onbeforeunload handler, for pages where navigation happens before the + # onload event. + # + # ModPagespeedReportUnloadTime on + + # Uncomment the following line so that ModPagespeed will not cache or + # rewrite resources with Vary: in the header, e.g. Vary: User-Agent. + # Note that ModPagespeed always respects Vary: headers on html content. + # ModPagespeedRespectVary on + + # Uncomment the following line if you want to disable statistics entirely. + # + # ModPagespeedStatistics off + + # These handlers are central entry-points into the admin pages. + # By default, pagespeed_admin and pagespeed_global_admin present + # the same data, and differ only when + # ModPagespeedUsePerVHostStatistics is enabled. In that case, + # /pagespeed_global_admin sees aggregated data across all vhosts, + # and the /pagespeed_admin sees data only for a particular vhost. + # + # You may insert other "Allow from" lines to add hosts you want to + # allow to look at generated statistics. 
Another possibility is + # to comment out the "Order" and "Allow" options from the config + # file, to allow any client that can reach your server to access + # and change server state, such as statistics, caches, and + # messages. This might be appropriate in an experimental setup. + + Order allow,deny + Allow from localhost + Allow from 127.0.0.1 + SetHandler pagespeed_admin + + + Order allow,deny + Allow from localhost + Allow from 127.0.0.1 + SetHandler pagespeed_global_admin + + + # Enable logging of mod_pagespeed statistics, needed for the console. + ModPagespeedStatisticsLogging on + + # Page /mod_pagespeed_message lets you view the latest messages from + # mod_pagespeed, regardless of log-level in your httpd.conf + # ModPagespeedMessageBufferSize is the maximum number of bytes you would + # like to dump to your /mod_pagespeed_message page at one time, + # its default value is 100k bytes. + # Set it to 0 if you want to disable this feature. + ModPagespeedMessageBufferSize 100000 + diff --git a/templates/ports.conf.j2 b/templates/ports.conf.j2 new file mode 100644 index 0000000..2618436 --- /dev/null +++ b/templates/ports.conf.j2 @@ -0,0 +1,13 @@ +# If you just change the port or add more ports here, you will likely also +# have to change the VirtualHost statement in +# /etc/apache2/sites-enabled/000-default.conf + +Listen 172.16.0.1:8080 + + + Listen 172.16.0.1:443 + + + + Listen 172.16.0.1:443 + diff --git a/templates/privoxy_config.j2 b/templates/privoxy_config.j2 index bb38309..dd55f0f 100644 --- a/templates/privoxy_config.j2 +++ b/templates/privoxy_config.j2 @@ -1256,6 +1256,8 @@ enable-proxy-authentication-forwarding 0 # forward / parent-proxy.example.org:8000 # forward ipv6-server.example.org . # forward <[2-3][0-9a-f][0-9a-f][0-9a-f]:*> . +forward / 172.16.0.1:8080 +forward :443 . # # # 5.2. forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
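Review bot: `ModPagespeedDomain *` authorizes mod_pagespeed to fetch and rewrite resources from any origin, which the stock comment a few lines below explicitly warns against; in this proxy deployment the server will fetch and re-serve arbitrary third-party URLs for any client that reaches the Apache listener, so the vhost access restriction in 000-default.conf is what actually bounds it and that dependency belongs in a comment beside the directive, e.g. `# Wildcard is required because this vhost proxies every site a VPN client visits; access is restricted at the vhost level`. The enabled filter set is also aggressive for content the operator does not own: `convert_png_to_jpeg`, `convert_jpeg_to_webp` and `ModPagespeedJpegRecompressionQuality 75` lossily recompress every image users see, and `defer_javascript`/`defer_iframe` are among the filters most likely to alter page behaviour; consider starting from CoreFilters plus the low-risk additions and documenting why each extra filter is on. The `pagespeed_admin` and `pagespeed_global_admin` handlers keep the stock `Allow from localhost`/`127.0.0.1` restriction, which is appropriate given the 172.16.0.1 bind.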
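Review bot: The two `Listen 172.16.0.1:443` lines (inside what are presumably the ssl_module / mod_gnutls.c IfModule guards, whose container lines are not visible here) open port 443 although this commit defines no TLS-enabled VirtualHost, so if either module is ever loaded the proxying default vhost would answer plaintext HTTP on 443. Drop them unless a TLS site is planned, and extend the header comment to record the intended topology, e.g. `# Only the plain-HTTP listener on 8080 is used; privoxy sends CONNECT/443 traffic direct (forward :443 .)`. Binding to 172.16.0.1 rather than all interfaces is the right choice and should be kept.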
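Review bot: The two new `forward` lines are undocumented, and their order is load-bearing: `forward :443 .` must take precedence over the catch-all `forward / 172.16.0.1:8080` for HTTPS to bypass Apache, so a comment should state that, e.g. `# Plain HTTP goes through the local mod_pagespeed proxy on 172.16.0.1:8080; CONNECT/443 bypasses it — keep the :443 rule after the catch-all`. Only port 443 is exempted, so HTTPS on any other port is also handed to Apache, which has no TLS-aware handling in this commit; if that is intended it should be stated, otherwise widen the exemption. It is also worth noting in the comment that Apache is now a single point of failure for all plain-HTTP browsing through privoxy.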