configure www2 nginx

2026-02-24 17:01:25 +01:00 · 2026-02-24 17:01:25 +01:00 · 41dc9c8529
commit 41dc9c8529
parent 3e3cedd357
2 changed files with 85 additions and 0 deletions
--- a/inventories/chaosknoten/host_vars/www2.yaml
+++ b/inventories/chaosknoten/host_vars/www2.yaml
@ -0,0 +1,5 @@
+nginx__version_spec: ""
+nginx__configurations:
+  - name: diday.org
+    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/www2/nginx/diday.org.conf') }}"
+
--- a/resources/chaosknoten/www2/nginx/diday.org.conf
+++ b/resources/chaosknoten/www2/nginx/diday.org.conf
@ -0,0 +1,80 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+
+    server_name diday.org;
+
+    # use our router as resolver
+    resolver 10.31.208.1;
+
+    # configure the ngx_http_realip_module to set $remote_addr and $remote_port to the
+    # information passed through from public-reverse-proxy.hamburg.ccc.de via proxy-protocol
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    real_ip_header proxy_protocol;
+
+    # configure tls trustchain
+    ssl_certificate /dev/null;
+    ssl_certificate_key /dev/null;
+    ssl_trusted_certificate /dev/null;
+
+    #
+    # configure site
+    #
+    root /var/www/diday.org;
+    error_page 404 /404.html;
+    index index.html;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+    # return a redirect based on the map loaded from the webroot
+    if ($did_redirect_target ~ ^301:(.*)$) {
+      return 301 $1;
+    }
+    if ($did_redirect_target ~ ^302:(.*)$) {
+      return 302 $1;
+    }
+
+    # deny access to the redirects config file
+    location = /nginx-redirects.conf {
+      deny all;
+      return 404;
+    }
+
+    # dynamically redirect the user to the language they prefer
+    location = / {
+      set $lang "de";
+      if ($http_accept_language ~* "^en") {
+        set $lang "en";
+      }
+      return 302 /$lang/;
+    }
+
+    # configure decap-cms content-type and caching rules
+    location = /admin/cms.js {
+      expires -1;
+      add_header Cache-Control "no-store";
+    }
+    location = /admin/config.yml {
+      expires -1;
+      add_header Cache-Control "no-store";
+      types { }
+      default_type text/yaml;
+    }
+
+    # configure asset caching
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+
+    # we are using the Astro Image Pipeline, therefore DecapCMS can't access image previews
+    location /admin/src/ {
+        log_not_found off;
+        return 404;
+    }
+
+    location / {
+      try_files $uri $uri/ =404;
+    }
+}
+