nginx Basis-Setup

2015-11-14 18:48:41 +01:00 · 2015-11-14 18:48:41 +01:00 · 3c917ce4b2
commit 3c917ce4b2
parent bc297acd18
8 changed files with 117 additions and 69 deletions
--- a/roles/web-server/base/files/etc/nginx/conf.d/gzip.conf
+++ b/roles/web-server/base/files/etc/nginx/conf.d/gzip.conf
@ -0,0 +1,18 @@
+#
+# ACTHUNG:
+#
+# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
+#
+
+# Gzip settings
+
+gzip                    on;
+gzip_disable            "msie6";
+gzip_static             on;
+gzip_vary               on;
+gzip_proxied            any;
+gzip_comp_level         9;
+gzip_buffers            256 8k;
+gzip_http_version       1.1;
+gzip_min_length         0;
+gzip_types              text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
--- a/roles/web-server/base/files/etc/nginx/conf.d/logging.conf
+++ b/roles/web-server/base/files/etc/nginx/conf.d/logging.conf
@ -0,0 +1,11 @@
+#
+# ACTHUNG:
+#
+# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
+#
+
+##
+# Logging Settings
+##
+
+include /etc/nginx/include/no_logging.conf;
--- a/roles/web-server/base/files/etc/nginx/conf.d/optimizations.conf
+++ b/roles/web-server/base/files/etc/nginx/conf.d/optimizations.conf
@ -0,0 +1,9 @@
+#
+# ACTHUNG:
+#
+# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
+#
+
+# Server optimizations
+
+server_names_hash_bucket_size 128;
--- a/roles/web-server/base/files/etc/nginx/conf.d/security.conf
+++ b/roles/web-server/base/files/etc/nginx/conf.d/security.conf
@ -0,0 +1,12 @@
+#
+# ACTHUNG:
+#
+# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
+#
+
+# Global security settings for nginx
+
+ignore_invalid_headers on;
+sendfile on;
+server_name_in_redirect off;
+server_tokens off;
--- a/roles/web-server/base/files/etc/nginx/include/ssl.rewrite
+++ b/roles/web-server/base/files/etc/nginx/include/ssl.rewrite
@ -5,4 +5,4 @@
 #

 # Generischer Rewrite von HTTP nach HTTPS
-rewrite	^ https://$server_name$request_uri? permanent;
+rewrite ^ https://$server_name$request_uri? permanent;
--- a/roles/web-server/base/files/etc/nginx/nginx.conf
+++ b/roles/web-server/base/files/etc/nginx/nginx.conf
@ -38,26 +38,6 @@ http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

-    ##
-    # Logging Settings
-    ##
-
-    include /etc/nginx/include/no_logging.conf;
-
-    ##
-    # Gzip Settings
-    ##
-
-    gzip on;
-    gzip_disable "msie6";
-
-    # gzip_vary on;
-    # gzip_proxied any;
-    # gzip_comp_level 6;
-    # gzip_buffers 16 8k;
-    # gzip_http_version 1.1;
-    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-
    ##
    # Virtual Host Configs
    ##
--- a/roles/web-server/base/tasks/main.yml
+++ b/roles/web-server/base/tasks/main.yml
@ -1,7 +1,7 @@
 ---
-#- name: be sure nginx is installed
-#  apt: name=nginx state=latest
-#  tags: nginx
+- name: be sure nginx is installed
+  apt: name=nginx state=latest
+  tags: nginx

 - name: check ssl directories exist an have correct permissions
  file: >
@ -37,48 +37,66 @@
    - nginx
    - ssl

-#- name: copy includes
-#  copy: >
-#    src=etc/nginx/include
-#    dest=/etc/nginx
-#    mode=0644
-#    owner=root
-#    group=root
-#  notify:
-#    - restart nginx
-#  tags: nginx
-#
-#- name: apply templates
-#  template: >
-#    src="etc/nginx/{{ item }}.j2"
-#    dest="/etc/nginx/{{ item }}"
-#    mode=0644
-#    owner=root
-#    group=root
-#  items:
-#    - include/ssl_wildcard.conf
-#    - include/ssl_hamburg.freifunk.net.conf
-#  notify:
-#    - restart nginx
-#  tags: nginx
-#
-#- name: remove default site
-#  file: path={{ item }} state=absent
-#  with_items:
-#    - /etc/nginx/sites-available/default
-#    - /etc/nginx/sites-enabled/default
-#    - /var/www/html
-#  notify:
-#    - restart nginx
-#  tags: nginx
-#
-#- name: configure nginx
-#  copy: >
-#    src=etc/nginx/nginx.conf
-#    dest=/etc/nginx/nginx.conf
-#    mode=0644
-#    owner=root
-#    group=root
-#  notify:
-#    - restart nginx
-#  tags: nginx
+- name: copy includes
+  copy: >
+    backup=yes
+    src=etc/nginx/include
+    dest=/etc/nginx
+    mode=0644
+    owner=root
+    group=root
+  notify:
+    - restart nginx
+  tags: nginx
+
+- name: copy configs
+  copy: >
+    backup=yes
+    src=etc/nginx/conf.d
+    dest=/etc/nginx
+    mode=0644
+    owner=root
+    group=root
+  notify:
+    - restart nginx
+  tags: nginx
+
+- name: apply templates
+  template: >
+    backup=yes
+    src="etc/nginx/{{ item }}.j2"
+    dest="/etc/nginx/{{ item }}"
+    mode=0644
+    owner=root
+    group=root
+  with_items:
+    - include/ssl_wildcard.conf
+    - include/ssl_hamburg_freifunk_net.conf
+  notify:
+    - restart nginx
+  tags: nginx
+
+- name: remove default sites / configs
+  file: path={{ item }} state=absent
+  with_items:
+    - /etc/nginx/conf.d/default.conf_disabled
+    - /etc/nginx/conf.d/example_ssl.conf_disabled
+    - /etc/nginx/conf.d/mail.conf
+    - /etc/nginx/sites-available/default
+    - /etc/nginx/sites-enabled/default
+    - /var/www/html
+  notify:
+    - restart nginx
+  tags: nginx
+
+- name: configure nginx
+  copy: >
+    backup=yes
+    src=etc/nginx/nginx.conf
+    dest=/etc/nginx/nginx.conf
+    mode=0644
+    owner=root
+    group=root
+  notify:
+    - restart nginx
+  tags: nginx
--- a/roles/web-server/base/templates/etc/nginx/include/ssl_hamburg_freifunk_net.conf.j2
+++ b/roles/web-server/base/templates/etc/nginx/include/ssl_hamburg_freifunk_net.conf.j2