New nginx role
This commit is contained in:
parent
71caecc508
commit
7956d09b3e
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- hosts: all
|
- hosts: ffhh
|
||||||
roles:
|
roles:
|
||||||
- basics
|
- basics
|
||||||
- ffhh-basics
|
- ffhh-basics
|
||||||
|
@ -9,3 +9,8 @@
|
||||||
roles:
|
roles:
|
||||||
- certsync
|
- certsync
|
||||||
tags: certsync
|
tags: certsync
|
||||||
|
|
||||||
|
- hosts: nginx
|
||||||
|
roles:
|
||||||
|
- nginx
|
||||||
|
tags: nginx
|
||||||
|
|
|
@ -4,3 +4,4 @@ basics_autoupdate_origins:
|
||||||
- o=TorProject,n=${distro_codename}
|
- o=TorProject,n=${distro_codename}
|
||||||
hopglass_frontend_tls_crt: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/fullchain.pem
|
hopglass_frontend_tls_crt: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/fullchain.pem
|
||||||
hopglass_frontend_tls_key: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/privkey.pem
|
hopglass_frontend_tls_key: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/privkey.pem
|
||||||
|
nginx_resolver: 127.0.0.1
|
||||||
|
|
|
@ -10,11 +10,15 @@ srv03
|
||||||
[hopglass-frontend]
|
[hopglass-frontend]
|
||||||
srv02
|
srv02
|
||||||
|
|
||||||
|
[nginx]
|
||||||
|
gw03-new ansible_host=gw03-new.hamburg.freifunk.net
|
||||||
|
|
||||||
[updates]
|
[updates]
|
||||||
srv01
|
srv01
|
||||||
srv03
|
srv03
|
||||||
|
|
||||||
[vms]
|
[vms]
|
||||||
|
gw03-new
|
||||||
srv01
|
srv01
|
||||||
srv02
|
srv02
|
||||||
srv03
|
srv03
|
||||||
|
|
|
@ -1,2 +1,6 @@
|
||||||
letsencrypt_webroot: /var/www/letsencrypt
|
---
|
||||||
nginx_resolver: 127.0.0.1 [::1]
|
nginx_access_log: "off"
|
||||||
|
nginx_error_log: "/dev/null error"
|
||||||
|
nginx_package: nginx
|
||||||
|
nginx_worker_connections: 512
|
||||||
|
nginx_worker_processes: auto
|
||||||
|
|
10
roles/nginx/files/error-pages/502.html
Normal file
10
roles/nginx/files/error-pages/502.html
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
<!DOCTYPE html>
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<meta charset="utf-8">
|
||||||
|
<title>502 Bad Gateway</title>
|
||||||
|
<link rel="stylesheet" href="/_error-pages/style.css">
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<img src="/_error-pages/bad_gateway.png" alt="Bad Gateway Sign" class="singleton">
|
||||||
|
</body>
|
BIN
roles/nginx/files/error-pages/bad_gateway.png
Normal file
BIN
roles/nginx/files/error-pages/bad_gateway.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 20 KiB |
4
roles/nginx/files/error-pages/style.css
Normal file
4
roles/nginx/files/error-pages/style.css
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
img.singleton {
|
||||||
|
display: block;
|
||||||
|
margin: 10px auto;
|
||||||
|
}
|
|
@ -1,4 +0,0 @@
|
||||||
# Header bitte nur auf "location" Ebene inkludieren:
|
|
||||||
# https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
|
|
||||||
|
|
||||||
add_header Strict-Transport-Security max-age=31536000;
|
|
|
@ -1,5 +0,0 @@
|
||||||
location ^~ /.well-known/acme-challenge {
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_pass http://srv02.hamburg.freifunk.net$request_uri;
|
|
||||||
}
|
|
|
@ -1,7 +0,0 @@
|
||||||
# Deaktiviert Logging
|
|
||||||
|
|
||||||
access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitors loggen.
|
|
||||||
|
|
||||||
# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
|
|
||||||
# So stellen wir sicher, dass keine IPs geloggt werden.
|
|
||||||
error_log /dev/null crit;
|
|
|
@ -1 +0,0 @@
|
||||||
disable_symlinks on from=$document_root;
|
|
|
@ -1,4 +0,0 @@
|
||||||
# Generischer Rewrite von HTTP nach HTTPS
|
|
||||||
location / {
|
|
||||||
return 302 https://$server_name$request_uri;
|
|
||||||
}
|
|
5
roles/nginx/files/snippets/error-pages.conf
Normal file
5
roles/nginx/files/snippets/error-pages.conf
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
error_page 502 /_error-pages/502.html;
|
||||||
|
|
||||||
|
location ^~ /_error-pages {
|
||||||
|
root /var/www;
|
||||||
|
}
|
1
roles/nginx/files/snippets/header-hsts.conf
Normal file
1
roles/nginx/files/snippets/header-hsts.conf
Normal file
|
@ -0,0 +1 @@
|
||||||
|
add_header Strict-Transport-Security 'max-age=31536000';
|
|
@ -2,4 +2,5 @@ location ^~ /.well-known/acme-challenge {
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_pass http://srv01.hamburg.freifunk.net$request_uri;
|
proxy_pass http://srv01.hamburg.freifunk.net$request_uri;
|
||||||
|
access_log off;
|
||||||
}
|
}
|
5
roles/nginx/files/snippets/location-acme.conf
Normal file
5
roles/nginx/files/snippets/location-acme.conf
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
location ^~ /.well-known/acme-challenge {
|
||||||
|
root /var/www/_acme-challenge;
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
access_log off;
|
||||||
|
}
|
|
@ -1,7 +1,8 @@
|
||||||
|
disable_symlinks on from=$document_root;
|
||||||
|
|
||||||
# Do not serve dotfiles.
|
# Do not serve dotfiles.
|
||||||
location ~ /\. {
|
location ~ /\. {
|
||||||
deny all;
|
deny all;
|
||||||
access_log off;
|
access_log off;
|
||||||
log_not_found off;
|
log_not_found off;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,9 +1,4 @@
|
||||||
---
|
---
|
||||||
- name: restart nginx
|
|
||||||
service:
|
|
||||||
name: nginx
|
|
||||||
state: restarted
|
|
||||||
|
|
||||||
- name: reload nginx
|
- name: reload nginx
|
||||||
service:
|
service:
|
||||||
name: nginx
|
name: nginx
|
||||||
|
|
|
@ -1,39 +1,36 @@
|
||||||
---
|
---
|
||||||
- name: install nginx
|
- name: install nginx
|
||||||
apt:
|
apt:
|
||||||
name: nginx
|
name: "{{ nginx_package }}"
|
||||||
state: present
|
cache_valid_time: 86400
|
||||||
tags: nginx
|
|
||||||
|
|
||||||
- name: disable default site
|
- name: create directories
|
||||||
file:
|
file:
|
||||||
path: /etc/nginx/sites-enabled/default
|
path: "{{ item }}"
|
||||||
state: absent
|
state: directory
|
||||||
notify: restart nginx
|
with_items:
|
||||||
tags: nginx
|
- /var/www/_acme-challenge
|
||||||
|
- /var/www/_error-pages
|
||||||
|
|
||||||
- name: copy includes
|
- name: copy error-pages
|
||||||
copy:
|
copy:
|
||||||
src: etc/nginx/include
|
src: error-pages/
|
||||||
dest: /etc/nginx
|
dest: /var/www/_error-pages/
|
||||||
mode: 0644
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
notify: restart nginx
|
|
||||||
tags: nginx
|
|
||||||
|
|
||||||
- name: template letsencrypt.conf
|
- name: copy snippets
|
||||||
template:
|
copy:
|
||||||
src: letsencrypt.conf.j2
|
src: snippets/
|
||||||
dest: /etc/nginx/include/letsencrypt.conf
|
dest: /etc/nginx/snippets/
|
||||||
|
|
||||||
- name: template nginx.conf
|
- name: template nginx.conf
|
||||||
template:
|
template:
|
||||||
src: templates/nginx.conf.j2
|
src: nginx.conf.j2
|
||||||
dest: /etc/nginx/nginx.conf
|
dest: /etc/nginx/nginx.conf
|
||||||
mode: 0644
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
backup: yes
|
backup: yes
|
||||||
notify: restart nginx
|
notify: reload nginx
|
||||||
tags: nginx
|
|
||||||
|
- name: remove default site
|
||||||
|
file:
|
||||||
|
path: /etc/nginx/sites-enabled/default
|
||||||
|
state: absent
|
||||||
|
notify: reload nginx
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
location ^~ /.well-known/acme-challenge {
|
|
||||||
root {{ letsencrypt_webroot }};
|
|
||||||
try_files $uri $uri/ =404;
|
|
||||||
}
|
|
|
@ -1,91 +1,75 @@
|
||||||
user www-data;
|
user www-data;
|
||||||
worker_processes auto;
|
worker_processes {{ nginx_worker_processes }};
|
||||||
pid /run/nginx.pid;
|
pid /run/nginx.pid;
|
||||||
|
include /etc/nginx/modules-enabled/*.conf;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 768;
|
worker_connections {{ nginx_worker_connections }};
|
||||||
# multi_accept on;
|
# multi_accept on;
|
||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
|
|
||||||
##
|
##
|
||||||
# Basic Settings
|
# Basic Settings
|
||||||
##
|
##
|
||||||
|
|
||||||
sendfile on;
|
sendfile on;
|
||||||
tcp_nopush on;
|
tcp_nopush on;
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
keepalive_timeout 65;
|
keepalive_timeout 65;
|
||||||
types_hash_max_size 2048;
|
types_hash_max_size 2048;
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
|
{% if nginx_resolver is defined %}
|
||||||
|
resolver {{ nginx_resolver }};
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
# server_names_hash_bucket_size 64;
|
# server_names_hash_bucket_size 64;
|
||||||
# server_name_in_redirect off;
|
# server_name_in_redirect off;
|
||||||
|
|
||||||
include /etc/nginx/mime.types;
|
include /etc/nginx/mime.types;
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
|
|
||||||
##
|
##
|
||||||
# SSL Settings
|
# SSL Settings
|
||||||
##
|
##
|
||||||
|
|
||||||
ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:+SHA1;
|
ssl_protocols TLSv1.2;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:!SHA1;
|
||||||
ssl_session_cache shared:SSL:10m;
|
ssl_session_cache shared:SSL:1M;
|
||||||
ssl_session_timeout 10m;
|
ssl_session_timeout 10m;
|
||||||
ssl_stapling on;
|
{% if nginx_resolver is defined %}
|
||||||
ssl_stapling_verify on;
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
resolver {{ nginx_resolver }};
|
##
|
||||||
|
# Logging Settings
|
||||||
|
##
|
||||||
|
|
||||||
##
|
log_format privacy '$server_name:$server_port 127.0.0.1 - - [$time_local] "$request" $status $body_bytes_sent';
|
||||||
# Logging Settings
|
access_log {{ nginx_access_log }};
|
||||||
##
|
error_log {{ nginx_error_log }};
|
||||||
|
|
||||||
include /etc/nginx/include/no_logging.conf;
|
##
|
||||||
|
# Gzip Settings
|
||||||
|
##
|
||||||
|
|
||||||
##
|
gzip on;
|
||||||
# Gzip Settings
|
gzip_disable "msie6";
|
||||||
##
|
|
||||||
|
|
||||||
gzip on;
|
# gzip_vary on;
|
||||||
gzip_disable "msie6";
|
# gzip_proxied any;
|
||||||
|
# gzip_comp_level 6;
|
||||||
|
# gzip_buffers 16 8k;
|
||||||
|
# gzip_http_version 1.1;
|
||||||
|
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
||||||
|
|
||||||
# gzip_vary on;
|
##
|
||||||
# gzip_proxied any;
|
# Virtual Host Configs
|
||||||
# gzip_comp_level 6;
|
##
|
||||||
# gzip_buffers 16 8k;
|
|
||||||
# gzip_http_version 1.1;
|
|
||||||
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
|
||||||
|
|
||||||
##
|
include /etc/nginx/conf.d/*.conf;
|
||||||
# Virtual Host Configs
|
include /etc/nginx/sites-enabled/*;
|
||||||
##
|
|
||||||
|
|
||||||
include /etc/nginx/conf.d/*.conf;
|
|
||||||
include /etc/nginx/sites-enabled/*;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
#mail {
|
|
||||||
# # See sample authentication script at:
|
|
||||||
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
|
||||||
#
|
|
||||||
# # auth_http localhost/auth.php;
|
|
||||||
# # pop3_capabilities "TOP" "USER";
|
|
||||||
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
|
||||||
#
|
|
||||||
# server {
|
|
||||||
# listen localhost:110;
|
|
||||||
# protocol pop3;
|
|
||||||
# proxy on;
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
# server {
|
|
||||||
# listen localhost:143;
|
|
||||||
# protocol imap;
|
|
||||||
# proxy on;
|
|
||||||
# }
|
|
||||||
#}
|
|
||||||
|
|
Loading…
Reference in a new issue