nginx-Setup WIP
This commit is contained in:
baldo
parent
96fa7430e6
commit
ed703884ec
33 changed files with 267 additions and 253 deletions
13
roles/web-server/base/files/etc/nginx/include/listing.conf
Normal file
13
roles/web-server/base/files/etc/nginx/include/listing.conf
Normal file
|
|
@ -0,0 +1,13 @@
|
|||
#
|
||||
# ACTHUNG:
|
||||
#
|
||||
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
|
||||
#
|
||||
|
||||
# Directory-Listing für den Host aktivieren.
|
||||
|
||||
location / {
|
||||
autoindex on;
|
||||
autoindex_exact_size on;
|
||||
autoindex_localtime off;
|
||||
}
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
#
|
||||
# ACTHUNG:
|
||||
#
|
||||
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
|
||||
#
|
||||
|
||||
# Do not serve dotfiles.
|
||||
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
#
|
||||
# ACTHUNG:
|
||||
#
|
||||
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
|
||||
#
|
||||
|
||||
# Deaktiviert Logging
|
||||
|
||||
access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitors loggen.
|
||||
|
||||
# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
|
||||
# So stellen wir sicher, dass keine IPs geloggt werden.
|
||||
error_log /dev/null crit;
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
#
|
||||
# ACTHUNG:
|
||||
#
|
||||
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
|
||||
#
|
||||
|
||||
# Keine Symlinks erlauben.
|
||||
|
||||
disable_symlinks on from=$document_root;
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
#
|
||||
# ACTHUNG:
|
||||
#
|
||||
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
|
||||
#
|
||||
|
||||
# Generischer Rewrite von HTTP nach HTTPS
|
||||
rewrite ^ https://$server_name$request_uri? permanent;
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
#
|
||||
# ACTHUNG:
|
||||
#
|
||||
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
|
||||
#
|
||||
|
||||
# Basis Konfiguration für SSL. Wird von allen vhosts includet.
|
||||
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 10m;
|
||||
|
||||
# Only strong ciphers in PFS mode
|
||||
ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
67
roles/web-server/base/files/etc/nginx/nginx.conf
Normal file
67
roles/web-server/base/files/etc/nginx/nginx.conf
Normal file
|
|
@ -0,0 +1,67 @@
|
|||
#
|
||||
# ACTHUNG:
|
||||
#
|
||||
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
|
||||
#
|
||||
|
||||
user www-data;
|
||||
worker_processes 4;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 768;
|
||||
# multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 65;
|
||||
types_hash_max_size 2048;
|
||||
# server_tokens off;
|
||||
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
##
|
||||
|
||||
include /etc/nginx/include/no_logging.conf;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
# gzip_vary on;
|
||||
# gzip_proxied any;
|
||||
# gzip_comp_level 6;
|
||||
# gzip_buffers 16 8k;
|
||||
# gzip_http_version 1.1;
|
||||
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
3
roles/web-server/base/handlers/main.yml
Normal file
3
roles/web-server/base/handlers/main.yml
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
- name: restart nginx
|
||||
service: name=nginx state=restarted
|
||||
84
roles/web-server/base/tasks/main.yml
Normal file
84
roles/web-server/base/tasks/main.yml
Normal file
|
|
@ -0,0 +1,84 @@
|
|||
---
|
||||
#- name: be sure nginx is installed
|
||||
# apt: name=nginx state=latest
|
||||
# tags: nginx
|
||||
|
||||
- name: check ssl directories exist an have correct permissions
|
||||
file: >
|
||||
path="{{ item.path }}"
|
||||
mode="{{ item.mode }}"
|
||||
state=directory
|
||||
with_items:
|
||||
- { path: "/etc/ssl", mode: "0755" }
|
||||
- { path: "/etc/ssl/certs", mode: "0755" }
|
||||
- { path: "/etc/ssl/dhparam", mode: "0755" }
|
||||
- { path: "/etc/ssl/private", mode: "0700" }
|
||||
tags:
|
||||
- nginx
|
||||
- ssl
|
||||
|
||||
- name: generate dhparams if those do not exist yet (can take a while)
|
||||
command: "openssl dhparam -out {{ item }} 2048 creates={{ item }}"
|
||||
with_items: "{{ web.ssl.values() | map(attribute = 'dhparam') | list }}"
|
||||
tags:
|
||||
- nginx
|
||||
- ssl
|
||||
|
||||
- name: check certificates exist and have correct permissions
|
||||
file: >
|
||||
path="{{ item }}"
|
||||
mode="0400"
|
||||
state=file
|
||||
with_flattened:
|
||||
- "{{ web.ssl.values() | map(attribute = 'cert') | list }}"
|
||||
- "{{ web.ssl.values() | map(attribute = 'key') | list }}"
|
||||
- "{{ web.ssl.values() | map(attribute = 'dhparam') | list }}"
|
||||
tags:
|
||||
- nginx
|
||||
- ssl
|
||||
|
||||
#- name: copy includes
|
||||
# copy: >
|
||||
# src=etc/nginx/include
|
||||
# dest=/etc/nginx
|
||||
# mode=0644
|
||||
# owner=root
|
||||
# group=root
|
||||
# notify:
|
||||
# - restart nginx
|
||||
# tags: nginx
|
||||
#
|
||||
#- name: apply templates
|
||||
# template: >
|
||||
# src="etc/nginx/{{ item }}.j2"
|
||||
# dest="/etc/nginx/{{ item }}"
|
||||
# mode=0644
|
||||
# owner=root
|
||||
# group=root
|
||||
# items:
|
||||
# - include/ssl_wildcard.conf
|
||||
# - include/ssl_hamburg.freifunk.net.conf
|
||||
# notify:
|
||||
# - restart nginx
|
||||
# tags: nginx
|
||||
#
|
||||
#- name: remove default site
|
||||
# file: path={{ item }} state=absent
|
||||
# with_items:
|
||||
# - /etc/nginx/sites-available/default
|
||||
# - /etc/nginx/sites-enabled/default
|
||||
# - /var/www/html
|
||||
# notify:
|
||||
# - restart nginx
|
||||
# tags: nginx
|
||||
#
|
||||
#- name: configure nginx
|
||||
# copy: >
|
||||
# src=etc/nginx/nginx.conf
|
||||
# dest=/etc/nginx/nginx.conf
|
||||
# mode=0644
|
||||
# owner=root
|
||||
# group=root
|
||||
# notify:
|
||||
# - restart nginx
|
||||
# tags: nginx
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
#
|
||||
# ACTHUNG:
|
||||
#
|
||||
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
|
||||
#
|
||||
|
||||
# Basis Konfiguration für SSL mit hamburg.freifunk.net-Zertifikat.
|
||||
|
||||
ssl_certificate {{ web.ssl.hamburg_freifunk_net.cert }};
|
||||
ssl_certificate_key {{ web.ssl.hamburg_freifunk_net.key }};
|
||||
ssl_dhparam {{ web.ssl.hamburg_freifunk_net.dhparam }};
|
||||
|
||||
include /etc/nginx/include/ssl_common.conf;
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
#
|
||||
# ACTHUNG:
|
||||
#
|
||||
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
|
||||
#
|
||||
|
||||
# Basis Konfiguration für SSL mit hamburg.freifunk.net-Zertifikat.
|
||||
|
||||
ssl_certificate {{ web.ssl.wildcard_hamburg_freifunk_net.cert }};
|
||||
ssl_certificate_key {{ web.ssl.wildcard_hamburg_freifunk_net.key }};
|
||||
ssl_dhparam {{ web.ssl.wildcard_hamburg_freifunk_net.dhparam }};
|
||||
|
||||
include /etc/nginx/include/ssl_common.conf;
|
||||
Loading…
Add table
Add a link
Reference in a new issue