freifunk/ansible-config
8
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

New nginx role

Browse source
This commit is contained in:
Alexander Dietrich 2018-11-03 16:20:39 +01:00
parent 71caecc508
commit 7956d09b3e
22 changed files with 122 additions and 130 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
basics.yml
View file

@ -1,5 +1,5 @@
--- ---
- hosts: all - hosts: ffhh
roles: roles:
- basics - basics
- ffhh-basics - ffhh-basics
@ -9,3 +9,8 @@
roles: roles:
- certsync - certsync
tags: certsync tags: certsync
- hosts: nginx
roles:
- nginx
tags: nginx

1
host_vars/srv02
View file

@ -4,3 +4,4 @@ basics_autoupdate_origins:
- o=TorProject,n=${distro_codename} - o=TorProject,n=${distro_codename}
hopglass_frontend_tls_crt: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/fullchain.pem hopglass_frontend_tls_crt: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/fullchain.pem
hopglass_frontend_tls_key: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/privkey.pem hopglass_frontend_tls_key: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/privkey.pem
nginx_resolver: 127.0.0.1

4
production
View file

@ -10,11 +10,15 @@ srv03
[hopglass-frontend] [hopglass-frontend]
srv02 srv02
[nginx]
gw03-new ansible_host=gw03-new.hamburg.freifunk.net
[updates] [updates]
srv01 srv01
srv03 srv03
[vms] [vms]
gw03-new
srv01 srv01
srv02 srv02
srv03 srv03

8
roles/nginx/defaults/main.yml
View file

@ -1,2 +1,6 @@
letsencrypt_webroot: /var/www/letsencrypt ---
nginx_resolver: 127.0.0.1 [::1] nginx_access_log: "off"
nginx_error_log: "/dev/null error"
nginx_package: nginx
nginx_worker_connections: 512
nginx_worker_processes: auto

10
roles/nginx/files/error-pages/502.html Normal file
View file

@ -0,0 +1,10 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>502 Bad Gateway</title>
<link rel="stylesheet" href="/_error-pages/style.css">
</head>
<body>
<img src="/_error-pages/bad_gateway.png" alt="Bad Gateway Sign" class="singleton">
</body>

BIN
roles/nginx/files/error-pages/bad_gateway.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 20 KiB

4
roles/nginx/files/error-pages/style.css Normal file
View file

@ -0,0 +1,4 @@
img.singleton {
display: block;
margin: 10px auto;
}

4
roles/nginx/files/etc/nginx/include/headers_hsts.conf
View file

@ -1,4 +0,0 @@
# Header bitte nur auf "location" Ebene inkludieren:
# https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
add_header Strict-Transport-Security max-age=31536000;

5
roles/nginx/files/etc/nginx/include/letsencrypt_srv02.conf
View file

@ -1,5 +0,0 @@
location ^~ /.well-known/acme-challenge {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://srv02.hamburg.freifunk.net$request_uri;
}

7
roles/nginx/files/etc/nginx/include/no_logging.conf
View file

@ -1,7 +0,0 @@
# Deaktiviert Logging
access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitors loggen.
# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
# So stellen wir sicher, dass keine IPs geloggt werden.
error_log /dev/null crit;

1
roles/nginx/files/etc/nginx/include/no_symlinks.conf
View file

@ -1 +0,0 @@
disable_symlinks on from=$document_root;

4
roles/nginx/files/etc/nginx/include/ssl_rewrite.conf
View file

@ -1,4 +0,0 @@
# Generischer Rewrite von HTTP nach HTTPS
location / {
return 302 https://$server_name$request_uri;
}

0
roles/nginx/files/etc/nginx/include/listing.conf → roles/nginx/files/snippets/autoindex.conf
View file

5
roles/nginx/files/snippets/error-pages.conf Normal file
View file

@ -0,0 +1,5 @@
error_page 502 /_error-pages/502.html;
location ^~ /_error-pages {
root /var/www;
}

1
roles/nginx/files/snippets/header-hsts.conf Normal file
View file

@ -0,0 +1 @@
add_header Strict-Transport-Security 'max-age=31536000';

1
roles/nginx/files/etc/nginx/include/letsencrypt_srv01.conf → roles/nginx/files/snippets/location-acme-srv01.conf
View file

@ -2,4 +2,5 @@ location ^~ /.well-known/acme-challenge {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://srv01.hamburg.freifunk.net$request_uri; proxy_pass http://srv01.hamburg.freifunk.net$request_uri;
access_log off;
} }

5
roles/nginx/files/snippets/location-acme.conf Normal file
View file

@ -0,0 +1,5 @@
location ^~ /.well-known/acme-challenge {
root /var/www/_acme-challenge;
try_files $uri $uri/ =404;
access_log off;
}

3
roles/nginx/files/etc/nginx/include/no_dotfiles.conf → roles/nginx/files/snippets/no-unsafe-files.conf
View file

@ -1,7 +1,8 @@
disable_symlinks on from=$document_root;
# Do not serve dotfiles. # Do not serve dotfiles.
location ~ /\. { location ~ /\. {
deny all; deny all;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }

5
roles/nginx/handlers/main.yml
View file

@ -1,9 +1,4 @@
--- ---
- name: restart nginx
service:
name: nginx
state: restarted
- name: reload nginx - name: reload nginx
service: service:
name: nginx name: nginx

49
roles/nginx/tasks/main.yml
View file

@ -1,39 +1,36 @@
--- ---
- name: install nginx - name: install nginx
apt: apt:
name: nginx name: "{{ nginx_package }}"
state: present cache_valid_time: 86400
tags: nginx
- name: disable default site - name: create directories
file: file:
path: /etc/nginx/sites-enabled/default path: "{{ item }}"
state: absent state: directory
notify: restart nginx with_items:
tags: nginx - /var/www/_acme-challenge
- /var/www/_error-pages
- name: copy includes - name: copy error-pages
copy: copy:
src: etc/nginx/include src: error-pages/
dest: /etc/nginx dest: /var/www/_error-pages/
mode: 0644
owner: root
group: root
notify: restart nginx
tags: nginx
- name: template letsencrypt.conf - name: copy snippets
template: copy:
src: letsencrypt.conf.j2 src: snippets/
dest: /etc/nginx/include/letsencrypt.conf dest: /etc/nginx/snippets/
- name: template nginx.conf - name: template nginx.conf
template: template:
src: templates/nginx.conf.j2 src: nginx.conf.j2
dest: /etc/nginx/nginx.conf dest: /etc/nginx/nginx.conf
mode: 0644
owner: root
group: root
backup: yes backup: yes
notify: restart nginx notify: reload nginx
tags: nginx
- name: remove default site
file:
path: /etc/nginx/sites-enabled/default
state: absent
notify: reload nginx

4
roles/nginx/templates/letsencrypt.conf.j2
View file

@ -1,4 +0,0 @@
location ^~ /.well-known/acme-challenge {
root {{ letsencrypt_webroot }};
try_files $uri $uri/ =404;
}

124
roles/nginx/templates/nginx.conf.j2
View file

@ -1,91 +1,75 @@
user www-data; user www-data;
worker_processes auto; worker_processes {{ nginx_worker_processes }};
pid /run/nginx.pid; pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events { events {
worker_connections 768; worker_connections {{ nginx_worker_connections }};
# multi_accept on; # multi_accept on;
} }
http { http {
## ##
# Basic Settings # Basic Settings
## ##
sendfile on; sendfile on;
tcp_nopush on; tcp_nopush on;
tcp_nodelay on; tcp_nodelay on;
keepalive_timeout 65; keepalive_timeout 65;
types_hash_max_size 2048; types_hash_max_size 2048;
server_tokens off; server_tokens off;
{% if nginx_resolver is defined %}
resolver {{ nginx_resolver }};
{% endif %}
# server_names_hash_bucket_size 64; # server_names_hash_bucket_size 64;
# server_name_in_redirect off; # server_name_in_redirect off;
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
default_type application/octet-stream; default_type application/octet-stream;
## ##
# SSL Settings # SSL Settings
## ##
ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:+SHA1; ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:!SHA1;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:1M;
ssl_session_timeout 10m; ssl_session_timeout 10m;
ssl_stapling on; {% if nginx_resolver is defined %}
ssl_stapling_verify on; ssl_stapling on;
ssl_stapling_verify on;
{% endif %}
resolver {{ nginx_resolver }}; ##
# Logging Settings
##
## log_format privacy '$server_name:$server_port 127.0.0.1 - - [$time_local] "$request" $status $body_bytes_sent';
# Logging Settings access_log {{ nginx_access_log }};
## error_log {{ nginx_error_log }};
include /etc/nginx/include/no_logging.conf; ##
# Gzip Settings
##
## gzip on;
# Gzip Settings gzip_disable "msie6";
##
gzip on; # gzip_vary on;
gzip_disable "msie6"; # gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
# gzip_vary on; ##
# gzip_proxied any; # Virtual Host Configs
# gzip_comp_level 6; ##
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
## include /etc/nginx/conf.d/*.conf;
# Virtual Host Configs include /etc/nginx/sites-enabled/*;
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
} }
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}