June
f16f8697c2
Because of how Ansible local relative search paths work, the global "files" and "templates" directories need to be next to the playbooks. However its not intuitive to look into the "playbooks" directory to find the files and templates for a host. Therefore move them out of the "playbooks" directory into the root directory and add symlinks so everything still works. Similarly for local roles, they also need to be next to the playbooks. So for a nicer structure, move the "roles" directory out into the root directory as well and add a symlink so everything still works. Also see: https://docs.ansible.com/ansible/latest/playbook_guide/playbook_pathing.html#resolving-local-relative-paths https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_reuse_roles.html#storing-and-finding-roles
50 lines
2 KiB
Text
50 lines
2 KiB
Text
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
|
|
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
|
|
server {
|
|
# Listen on a custom port for the proxy protocol.
|
|
listen 8443 ssl http2 proxy_protocol;
|
|
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
|
# $remote_port to the client address and client port, when using proxy
|
|
# protocol.
|
|
# First set our proxy protocol proxy as trusted.
|
|
set_real_ip_from 172.31.17.140;
|
|
# Then tell the realip_module to get the addreses from the proxy protocol
|
|
# header.
|
|
real_ip_header proxy_protocol;
|
|
|
|
server_name pretalx.hamburg.ccc.de;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/pretalx.hamburg.ccc.de/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/pretalx.hamburg.ccc.de/privkey.pem;
|
|
# verify chain of trust of OCSP response using Root CA and Intermediate certs
|
|
ssl_trusted_certificate /etc/letsencrypt/live/pretalx.hamburg.ccc.de/chain.pem;
|
|
|
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Port 443;
|
|
# This is https in any case.
|
|
proxy_set_header X-Forwarded-Proto https;
|
|
# Hide the X-Forwarded header.
|
|
proxy_hide_header X-Forwarded;
|
|
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
|
|
# is transparent).
|
|
# Also provide "_hidden" for by, since it's not relevant.
|
|
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
|
|
|
|
location /media {
|
|
proxy_pass http://127.0.0.1:8081/media/;
|
|
}
|
|
|
|
location /static {
|
|
proxy_pass http://127.0.0.1:8081/static/;
|
|
}
|
|
|
|
location / {
|
|
proxy_pass http://127.0.0.1:8080/;
|
|
}
|
|
}
|