diff --git a/basics.yml b/basics.yml
index 9a52ef0..58772c7 100644
--- a/basics.yml
+++ b/basics.yml
@@ -1,5 +1,5 @@
 ---
-- hosts: all
+- hosts: ffhh
 roles:
 - basics
 - ffhh-basics
@@ -9,3 +9,8 @@ roles:
 - certsync
 tags: certsync
+
+- hosts: nginx
+ roles:
+ - nginx
+ tags: nginx
diff --git a/host_vars/srv02 b/host_vars/srv02
index 97c415a..d38f4b1 100644
--- a/host_vars/srv02
+++ b/host_vars/srv02
@@ -4,3 +4,4 @@ basics_autoupdate_origins:
 - o=TorProject,n=${distro_codename}
 hopglass_frontend_tls_crt: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/fullchain.pem
 hopglass_frontend_tls_key: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/privkey.pem
+nginx_resolver: 127.0.0.1
diff --git a/production b/production
index 05513d0..0786974 100644
--- a/production
+++ b/production
@@ -10,11 +10,15 @@ srv03
 [hopglass-frontend]
 srv02
+[nginx]
+gw03-new ansible_host=gw03-new.hamburg.freifunk.net
+
 [updates]
 srv01
 srv03
 [vms]
+gw03-new
 srv01
 srv02
 srv03
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 3640390..f4915de 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -1,2 +1,6 @@
-letsencrypt_webroot: /var/www/letsencrypt
-nginx_resolver: 127.0.0.1 [::1]
+---
+nginx_access_log: "off"
+nginx_error_log: "/dev/null error"
+nginx_package: nginx
+nginx_worker_connections: 512
+nginx_worker_processes: auto
diff --git a/roles/nginx/files/error-pages/502.html b/roles/nginx/files/error-pages/502.html
new file mode 100644
index 0000000..16fdca7
--- /dev/null
+++ b/roles/nginx/files/error-pages/502.html
@@ -0,0 +1,10 @@
+
+
+
+
+ 502 Bad Gateway
+
+
+
+ Bad Gateway Sign
+
diff --git a/roles/nginx/files/error-pages/bad_gateway.png b/roles/nginx/files/error-pages/bad_gateway.png
new file mode 100644
index 0000000..1bfdffa
Binary files /dev/null and b/roles/nginx/files/error-pages/bad_gateway.png differ
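Review bot: The first play now targets `ffhh` instead of `all`, while the new `nginx` play applies only the nginx role; gw03-new is added to `[nginx]` and `[vms]` in the production hunk on this page, but no `ffhh` membership is visible for it. If it is not in that group (possibly via a children group not shown here), it becomes a web server without the basics/ffhh-basics/certsync baseline that every host received before this change — worth confirming, or adding `- basics` to the nginx play's roles. A short comment above the nginx play, `# hosts in this group are expected to be in ffhh as well so the baseline play still applies`, would make that dependency explicit.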
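Review bot: roles/nginx/defaults/main.yml drops the `nginx_resolver` default (previously `127.0.0.1 [::1]`) without documenting that the variable is now optional, although nginx.conf.j2 on this page gates both `resolver` and `ssl_stapling`/`ssl_stapling_verify` on it being defined. Only host_vars/srv02 sets it, so any other nginx host — gw03-new, as far as this page shows — gets no OCSP stapling unless that is intended. Add a comment to the defaults, `# nginx_resolver: intentionally unset; defining it (e.g. in host_vars) enables resolver + OCSP stapling in nginx.conf.j2`. `nginx_access_log: "off"` is correctly quoted — an unquoted `off` would be read as a boolean by YAML 1.1 parsers.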
diff --git a/roles/nginx/files/error-pages/style.css b/roles/nginx/files/error-pages/style.css
new file mode 100644
index 0000000..8652fc6
--- /dev/null
+++ b/roles/nginx/files/error-pages/style.css
@@ -0,0 +1,4 @@
+img.singleton {
+ display: block;
+ margin: 10px auto;
+}
diff --git a/roles/nginx/files/etc/nginx/include/headers_hsts.conf b/roles/nginx/files/etc/nginx/include/headers_hsts.conf
deleted file mode 100644
index 01adcb4..0000000
--- a/roles/nginx/files/etc/nginx/include/headers_hsts.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# Header bitte nur auf "location" Ebene inkludieren:
-# https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
-
-add_header Strict-Transport-Security max-age=31536000;
diff --git a/roles/nginx/files/etc/nginx/include/letsencrypt_srv02.conf b/roles/nginx/files/etc/nginx/include/letsencrypt_srv02.conf
deleted file mode 100644
index abb27a7..0000000
--- a/roles/nginx/files/etc/nginx/include/letsencrypt_srv02.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-location ^~ /.well-known/acme-challenge {
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://srv02.hamburg.freifunk.net$request_uri;
-}
diff --git a/roles/nginx/files/etc/nginx/include/no_logging.conf b/roles/nginx/files/etc/nginx/include/no_logging.conf
deleted file mode 100644
index ed0e771..0000000
--- a/roles/nginx/files/etc/nginx/include/no_logging.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# Deaktiviert Logging
-
-access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitors loggen.
-
-# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
-# So stellen wir sicher, dass keine IPs geloggt werden.
-error_log /dev/null crit;
diff --git a/roles/nginx/files/etc/nginx/include/no_symlinks.conf b/roles/nginx/files/etc/nginx/include/no_symlinks.conf
deleted file mode 100644
index 12a2b2a..0000000
--- a/roles/nginx/files/etc/nginx/include/no_symlinks.conf
+++ /dev/null
@@ -1 +0,0 @@
-disable_symlinks on from=$document_root;
diff --git a/roles/nginx/files/etc/nginx/include/ssl_rewrite.conf b/roles/nginx/files/etc/nginx/include/ssl_rewrite.conf
deleted file mode 100644
index 16b1e9a..0000000
--- a/roles/nginx/files/etc/nginx/include/ssl_rewrite.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# Generischer Rewrite von HTTP nach HTTPS
-location / {
- return 302 https://$server_name$request_uri;
-}
diff --git a/roles/nginx/files/etc/nginx/include/listing.conf b/roles/nginx/files/snippets/autoindex.conf
similarity index 100%
rename from roles/nginx/files/etc/nginx/include/listing.conf
rename to roles/nginx/files/snippets/autoindex.conf
diff --git a/roles/nginx/files/snippets/error-pages.conf b/roles/nginx/files/snippets/error-pages.conf
new file mode 100644
index 0000000..aecc17c
--- /dev/null
+++ b/roles/nginx/files/snippets/error-pages.conf
@@ -0,0 +1,5 @@
+error_page 502 /_error-pages/502.html;
+
+location ^~ /_error-pages {
+ root /var/www;
+}
diff --git a/roles/nginx/files/snippets/header-hsts.conf b/roles/nginx/files/snippets/header-hsts.conf
new file mode 100644
index 0000000..a5e357f
--- /dev/null
+++ b/roles/nginx/files/snippets/header-hsts.conf
@@ -0,0 +1 @@
+add_header Strict-Transport-Security 'max-age=31536000';
diff --git a/roles/nginx/files/etc/nginx/include/letsencrypt_srv01.conf b/roles/nginx/files/snippets/location-acme-srv01.conf
similarity index 90%
rename from roles/nginx/files/etc/nginx/include/letsencrypt_srv01.conf
rename to roles/nginx/files/snippets/location-acme-srv01.conf
index 60dc5cf..fed6e58 100644
--- a/roles/nginx/files/etc/nginx/include/letsencrypt_srv01.conf
+++ b/roles/nginx/files/snippets/location-acme-srv01.conf
@@ -2,4 +2,5 @@ location ^~ /.well-known/acme-challenge {
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_pass http://srv01.hamburg.freifunk.net$request_uri;
+ access_log off;
 }
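Review bot: header-hsts.conf loses the note carried by the deleted headers_hsts.conf that the snippet must be included at `location` level, which matters because `add_header` directives in a nested block replace every header inherited from the enclosing level — a vhost that includes it in `server {}` and sets any other header inside a `location {}` silently serves that location without HSTS. Restore the note in English: `# Include at location level only: add_header in a nested block replaces all inherited headers` and `# https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header`. Consider `add_header Strict-Transport-Security 'max-age=31536000' always;` so the header is also sent on error responses such as the 502 page wired up in error-pages.conf; without `always` nginx adds it only to 2xx/3xx responses.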
diff --git a/roles/nginx/files/snippets/location-acme.conf b/roles/nginx/files/snippets/location-acme.conf
new file mode 100644
index 0000000..fca5835
--- /dev/null
+++ b/roles/nginx/files/snippets/location-acme.conf
@@ -0,0 +1,5 @@
+location ^~ /.well-known/acme-challenge {
+ root /var/www/_acme-challenge;
+ try_files $uri $uri/ =404;
+ access_log off;
+}
diff --git a/roles/nginx/files/etc/nginx/include/no_dotfiles.conf b/roles/nginx/files/snippets/no-unsafe-files.conf
similarity index 71%
rename from roles/nginx/files/etc/nginx/include/no_dotfiles.conf
rename to roles/nginx/files/snippets/no-unsafe-files.conf
index 4c26b8c..6f00246 100644
--- a/roles/nginx/files/etc/nginx/include/no_dotfiles.conf
+++ b/roles/nginx/files/snippets/no-unsafe-files.conf
@@ -1,7 +1,8 @@
+disable_symlinks on from=$document_root;
+
 # Do not serve dotfiles.
 location ~ /\. {
 deny all;
 access_log off;
 log_not_found off;
 }
-
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
index 9b55c2a..d4e42ca 100644
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -1,9 +1,4 @@
 ---
-- name: restart nginx
- service:
- name: nginx
- state: restarted
-
 - name: reload nginx
 service:
 name: nginx
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index baf15ab..ef4a286 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
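Review bot: location-acme.conf depends on the `^~` modifier to win over the `location ~ /\.` deny rule in no-unsafe-files.conf on this page (a `^~` prefix match stops regex evaluation); without it `/.well-known/acme-challenge/<token>` would be answered with 403 and renewals would fail, so the reason deserves a comment: `# ^~ is required: otherwise the dotfile deny regex in no-unsafe-files.conf shadows this path`. The `$uri/` entry in `try_files $uri $uri/ =404;` adds nothing for single challenge files; `try_files $uri =404;` is sufficient. Since the `{{ letsencrypt_webroot }}` variable is gone with the deleted template, the same comment should state that the ACME client's webroot must be `/var/www/_acme-challenge` (files are served from its `.well-known/acme-challenge/` subdirectory).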
@@ -1,39 +1,36 @@
 ---
 - name: install nginx
 apt:
- name: nginx
- state: present
- tags: nginx
+ name: "{{ nginx_package }}"
+ cache_valid_time: 86400
-- name: disable default site
+- name: create directories
 file:
- path: /etc/nginx/sites-enabled/default
- state: absent
- notify: restart nginx
- tags: nginx
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - /var/www/_acme-challenge
+ - /var/www/_error-pages
-- name: copy includes
+- name: copy error-pages
 copy:
- src: etc/nginx/include
- dest: /etc/nginx
- mode: 0644
- owner: root
- group: root
- notify: restart nginx
- tags: nginx
+ src: error-pages/
+ dest: /var/www/_error-pages/
-- name: template letsencrypt.conf
- template:
- src: letsencrypt.conf.j2
- dest: /etc/nginx/include/letsencrypt.conf
+- name: copy snippets
+ copy:
+ src: snippets/
+ dest: /etc/nginx/snippets/
 - name: template nginx.conf
 template:
- src: templates/nginx.conf.j2
+ src: nginx.conf.j2
 dest: /etc/nginx/nginx.conf
- mode: 0644
- owner: root
- group: root
 backup: yes
- notify: restart nginx
- tags: nginx
+ notify: reload nginx
+
+- name: remove default site
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+ notify: reload nginx
diff --git a/roles/nginx/templates/letsencrypt.conf.j2 b/roles/nginx/templates/letsencrypt.conf.j2
deleted file mode 100644
index 29732db..0000000
--- a/roles/nginx/templates/letsencrypt.conf.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-location ^~ /.well-known/acme-challenge {
- root {{ letsencrypt_webroot }};
- try_files $uri $uri/ =404;
-}
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
index 4293b90..d278f8e 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
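Review bot: The new `copy snippets` task carries no `notify`, so a changed snippet (header-hsts.conf, location-acme.conf, no-unsafe-files.conf — all included from vhost configs) is written to /etc/nginx/snippets/ but not applied until some other task happens to trigger `reload nginx`; add `notify: reload nginx` to it (`copy error-pages` ships static files under /var/www and needs none). With the `restart nginx` handler removed in handlers/main.yml on this page, `reload` is the only handler left, and a templating mistake in nginx.conf would only surface when that reload fails; `validate: nginx -t -c %s` on the `template nginx.conf` task rejects a broken file before it replaces the live one, assuming the role runs with the privileges `nginx -t` needs. The dropped `mode`/`owner`/`group` arguments are probably fine for root-owned config, but worth a one-line comment so the omission reads as intentional.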
@@ -1,91 +1,75 @@
 user www-data;
-worker_processes auto;
+worker_processes {{ nginx_worker_processes }};
 pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
 events {
- worker_connections 768;
- # multi_accept on;
+ worker_connections {{ nginx_worker_connections }};
+ # multi_accept on;
 }
 http {
- ##
- # Basic Settings
- ##
+ ##
+ # Basic Settings
+ ##
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 2048;
- server_tokens off;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+{% if nginx_resolver is defined %}
+ resolver {{ nginx_resolver }};
+{% endif %}
- # server_names_hash_bucket_size 64;
- # server_name_in_redirect off;
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
- ##
- # SSL Settings
- ##
+ ##
+ # SSL Settings
+ ##
- ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:+SHA1;
- ssl_prefer_server_ciphers on;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
- ssl_stapling on;
- ssl_stapling_verify on;
+ ssl_protocols TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:!SHA1;
+ ssl_session_cache shared:SSL:1M;
+ ssl_session_timeout 10m;
+{% if nginx_resolver is defined %}
+ ssl_stapling on;
+ ssl_stapling_verify on;
+{% endif %}
- resolver {{ nginx_resolver }};
+ ##
+ # Logging Settings
+ ##
- ##
- # Logging Settings
- ##
+ log_format privacy '$server_name:$server_port 127.0.0.1 - - [$time_local] "$request" $status $body_bytes_sent';
+ access_log {{ nginx_access_log }};
+ error_log {{ nginx_error_log }};
- include /etc/nginx/include/no_logging.conf;
+ ##
+ # Gzip Settings
+ ##
- ##
- # Gzip Settings
- ##
+ gzip on;
+ gzip_disable "msie6";
- gzip on;
- gzip_disable "msie6";
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
- # gzip_vary on;
- # gzip_proxied any;
- # gzip_comp_level 6;
- # gzip_buffers 16 8k;
- # gzip_http_version 1.1;
- # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+ ##
+ # Virtual Host Configs
+ ##
- ##
- # Virtual Host Configs
- ##
-
- include /etc/nginx/conf.d/*.conf;
- include /etc/nginx/sites-enabled/*;
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
 }
-
-
-#mail {
-# # See sample authentication script at:
-# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
-#
-# # auth_http localhost/auth.php;
-# # pop3_capabilities "TOP" "USER";
-# # imap_capabilities "IMAP4rev1" "UIDPLUS";
-#
-# server {
-# listen localhost:110;
-# protocol pop3;
-# proxy on;
-# }
-#
-# server {
-# listen localhost:143;
-# protocol imap;
-# proxy on;
-# }
-#}
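Review bot: The rationale that lived in the deleted no_logging.conf (visitor IPs must never be logged) does not survive into the template, yet `log_format privacy` encodes it by hard-coding `127.0.0.1` in the slot where `$remote_addr` normally goes, and the `nginx_access_log`/`nginx_error_log` defaults of `off` and `/dev/null` exist for the same reason; a later maintainer will read the literal address as a mistake. Add above the log_format: `# privacy: the client address is deliberately 127.0.0.1 so visitor IPs never reach a log; hosts that need an access log must use this format`. The SSL block is tightened to TLSv1.2 and `!SHA1`, but `ssl_session_tickets` keeps its default of on and no ticket-key rotation is visible on this page; `ssl_session_tickets off;` next to `ssl_session_cache` keeps session resumption from undermining forward secrecy for the 10m session lifetime. `gzip on` combined with TLS is only safe while responses carry no per-user secrets, which seems to hold for the static sites here but deserves a one-line comment on the gzip block.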