From 3c917ce4b2e072fa8b3ee27a7af7ea4abacc1bc0 Mon Sep 17 00:00:00 2001
From: baldo
Date: Sat, 14 Nov 2015 18:48:41 +0100
Subject: [PATCH] nginx Basis-Setup

---
 .../base/files/etc/nginx/conf.d/gzip.conf | 18 +++
 .../base/files/etc/nginx/conf.d/logging.conf | 11 ++
 .../files/etc/nginx/conf.d/optimizations.conf | 9 ++
 .../base/files/etc/nginx/conf.d/security.conf | 12 ++
 .../base/files/etc/nginx/include/ssl.rewrite | 2 +-
 .../base/files/etc/nginx/nginx.conf | 20 ---
 roles/web-server/base/tasks/main.yml | 114 ++++++++++--------
 ...nf.j2 => ssl_hamburg_freifunk_net.conf.j2} | 0
 8 files changed, 117 insertions(+), 69 deletions(-)
 create mode 100644 roles/web-server/base/files/etc/nginx/conf.d/gzip.conf
 create mode 100644 roles/web-server/base/files/etc/nginx/conf.d/logging.conf
 create mode 100644 roles/web-server/base/files/etc/nginx/conf.d/optimizations.conf
 create mode 100644 roles/web-server/base/files/etc/nginx/conf.d/security.conf
 rename roles/web-server/base/templates/etc/nginx/include/{ssl_hamburg.freifunk.net.conf.j2 => ssl_hamburg_freifunk_net.conf.j2} (100%)

diff --git a/roles/web-server/base/files/etc/nginx/conf.d/gzip.conf b/roles/web-server/base/files/etc/nginx/conf.d/gzip.conf
new file mode 100644
index 0000000..125aeed
--- /dev/null
+++ b/roles/web-server/base/files/etc/nginx/conf.d/gzip.conf
@@ -0,0 +1,18 @@
+#
+# ACTHUNG:
+#
+# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
+#
+
+# Gzip settings
+
+gzip on;
+gzip_disable "msie6";
+gzip_static on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 9;
+gzip_buffers 256 8k;
+gzip_http_version 1.1;
+gzip_min_length 0;
+gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
\ No newline at end of file
diff --git a/roles/web-server/base/files/etc/nginx/conf.d/logging.conf b/roles/web-server/base/files/etc/nginx/conf.d/logging.conf
new file mode 100644
index 0000000..4f16c2c
--- /dev/null
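Review bot: `gzip_types` names `application/x-javascript` but not `application/javascript`, which the commented-out list removed from nginx.conf in this same commit did include, so scripts served under the standard MIME type are left uncompressed; the list should read `gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;`. `gzip_min_length 0` together with `gzip_comp_level 9` compresses every response, however small, at the most CPU-expensive level, where the replaced block used level 6 and nginx's defaults are 20 bytes and level 1. Since ssl.rewrite sends all traffic to HTTPS, compressing dynamic responses that echo request-controlled input next to session tokens or CSRF secrets exposes them to compression side channels (BREACH); `gzip_static on` for pre-compressed assets is unaffected, so keeping gzip to static content, or keeping secrets out of compressed dynamic bodies, is the safer default. The header comment misspells ACHTUNG as ACTHUNG here and in the other three new conf.d files.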
+++ b/roles/web-server/base/files/etc/nginx/conf.d/logging.conf
@@ -0,0 +1,11 @@
+#
+# ACTHUNG:
+#
+# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
+#
+
+##
+# Logging Settings
+##
+
+include /etc/nginx/include/no_logging.conf;
\ No newline at end of file
diff --git a/roles/web-server/base/files/etc/nginx/conf.d/optimizations.conf b/roles/web-server/base/files/etc/nginx/conf.d/optimizations.conf
new file mode 100644
index 0000000..4702ba9
--- /dev/null
+++ b/roles/web-server/base/files/etc/nginx/conf.d/optimizations.conf
@@ -0,0 +1,9 @@
+#
+# ACTHUNG:
+#
+# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
+#
+
+# Server optimizations
+
+server_names_hash_bucket_size 128;
\ No newline at end of file
diff --git a/roles/web-server/base/files/etc/nginx/conf.d/security.conf b/roles/web-server/base/files/etc/nginx/conf.d/security.conf
new file mode 100644
index 0000000..6b02fae
--- /dev/null
+++ b/roles/web-server/base/files/etc/nginx/conf.d/security.conf
@@ -0,0 +1,12 @@
+#
+# ACTHUNG:
+#
+# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
+#
+
+# Global security settings for nginx
+
+ignore_invalid_headers on;
+sendfile on;
+server_name_in_redirect off;
+server_tokens off;
\ No newline at end of file
diff --git a/roles/web-server/base/files/etc/nginx/include/ssl.rewrite b/roles/web-server/base/files/etc/nginx/include/ssl.rewrite
index aef70f8..fd611d1 100644
--- a/roles/web-server/base/files/etc/nginx/include/ssl.rewrite
+++ b/roles/web-server/base/files/etc/nginx/include/ssl.rewrite
@@ -5,4 +5,4 @@
 #
 #
 # Generischer Rewrite von HTTP nach HTTPS
-rewrite ^ https://$server_name$request_uri? permanent;
+rewrite ^ https://$server_name$request_uri? permanent;
diff --git a/roles/web-server/base/files/etc/nginx/nginx.conf b/roles/web-server/base/files/etc/nginx/nginx.conf
index 503dd32..83bff5e 100644
--- a/roles/web-server/base/files/etc/nginx/nginx.conf
+++ b/roles/web-server/base/files/etc/nginx/nginx.conf
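Review bot: `sendfile on` in security.conf is a transfer optimization rather than a security setting and does not belong under the "Global security settings for nginx" heading; it fits optimizations.conf beside `server_names_hash_bucket_size`. `server_tokens off`, `ignore_invalid_headers on` and `server_name_in_redirect off` are sensible, but nothing in the file bounds request size or slow clients, so a `client_max_body_size` and `client_body_timeout` appropriate to the hosted sites would round it out. The TLS protocol and cipher policy is not touched here; it stays in nginx.conf, as the context lines of that hunk show.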
@@ -38,26 +38,6 @@ http { ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE ssl_prefer_server_ciphers on; - ## - # Logging Settings - ## - - include /etc/nginx/include/no_logging.conf; - - ## - # Gzip Settings - ## - - gzip on; - gzip_disable "msie6"; - - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - ## # Virtual Host Configs ## diff --git a/roles/web-server/base/tasks/main.yml b/roles/web-server/base/tasks/main.yml index 71ebaad..7b63634 100644 --- a/roles/web-server/base/tasks/main.yml +++ b/roles/web-server/base/tasks/main.yml @@ -1,7 +1,7 @@ --- -#- name: be sure nginx is installed -# apt: name=nginx state=latest -# tags: nginx +- name: be sure nginx is installed + apt: name=nginx state=latest + tags: nginx - name: check ssl directories exist an have correct permissions file: 
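Review bot: `apt: name=nginx state=latest` upgrades nginx to whatever the configured mirror currently carries on every play run, so an ordinary configuration rollout can change the web server version, and with it its behaviour, without anyone deciding to; `state=present` keeps the task idempotent and leaves upgrades to a deliberate step or a pinned version. The hunk's trailing `file:` line opens the `check ssl directories` task, whose body lies outside the hunk.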
> @@ -37,48 +37,66 @@ - nginx - ssl -#- name: copy includes -# copy: > -# src=etc/nginx/include -# dest=/etc/nginx -# mode=0644 -# owner=root -# group=root -# notify: -# - restart nginx -# tags: nginx -# -#- name: apply templates -# template: > -# src="etc/nginx/{{ item }}.j2" -# dest="/etc/nginx/{{ item }}" -# mode=0644 -# owner=root -# group=root -# items: -# - include/ssl_wildcard.conf -# - include/ssl_hamburg.freifunk.net.conf -# notify: -# - restart nginx -# tags: nginx -# -#- name: remove default site -# file: path={{ item }} state=absent -# with_items: -# - /etc/nginx/sites-available/default -# - /etc/nginx/sites-enabled/default -# - /var/www/html -# notify: -# - restart nginx -# tags: nginx -# -#- name: configure nginx -# copy: > -# src=etc/nginx/nginx.conf -# dest=/etc/nginx/nginx.conf -# mode=0644 -# owner=root -# group=root -# notify: -# - restart nginx -# tags: nginx +- name: copy includes + copy: > + backup=yes + src=etc/nginx/include + dest=/etc/nginx + mode=0644 + owner=root + group=root + notify: + - restart nginx + tags: nginx + +- name: copy configs + copy: > + backup=yes + src=etc/nginx/conf.d + dest=/etc/nginx + mode=0644 + owner=root + group=root + notify: + - restart nginx + tags: nginx + +- name: apply templates + template: > + backup=yes + src="etc/nginx/{{ item }}.j2" + dest="/etc/nginx/{{ item }}" + mode=0644 + owner=root + group=root + with_items: + - include/ssl_wildcard.conf + - include/ssl_hamburg_freifunk_net.conf + notify: + - restart nginx + tags: nginx + +- name: remove default sites / configs + file: path={{ item }} state=absent + with_items: + - /etc/nginx/conf.d/default.conf_disabled + - /etc/nginx/conf.d/example_ssl.conf_disabled + - /etc/nginx/conf.d/mail.conf + - /etc/nginx/sites-available/default + - /etc/nginx/sites-enabled/default + - /var/www/html + notify: + - restart nginx + tags: nginx + +- name: configure nginx + copy: > + backup=yes + src=etc/nginx/nginx.conf + dest=/etc/nginx/nginx.conf + mode=0644 + owner=root + 
group=root + notify: + - restart nginx + tags: nginx diff --git a/roles/web-server/base/templates/etc/nginx/include/ssl_hamburg.freifunk.net.conf.j2 b/roles/web-server/base/templates/etc/nginx/include/ssl_hamburg_freifunk_net.conf.j2 similarity index 100% rename from roles/web-server/base/templates/etc/nginx/include/ssl_hamburg.freifunk.net.conf.j2 rename to roles/web-server/base/templates/etc/nginx/include/ssl_hamburg_freifunk_net.conf.j2
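Review bot: Each of the five new tasks notifies `restart nginx`, yet none validates what it writes, so a typo in nginx.conf, a conf.d file or a rendered ssl include is only discovered when the restart fails and leaves the server down; adding `validate="nginx -t -c %s"` to the `configure nginx` copy task catches errors in nginx.conf (the only file nginx can test in isolation) before it is installed, and a reload handler in place of restart would keep the running configuration when the test fails. `backup=yes` on all four copy/template tasks accumulates timestamped copies of every earlier version under /etc/nginx with nothing to prune them; that is harmless only if no `include` glob in the configuration can match the backup names, which cannot be confirmed from this diff. The `- nginx` / `- ssl` context lines at the top belong to a task that begins before the hunk.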