xoxys.nginx/defaults/main.yml

---
nginx_official_repo_enabled: True
nginx_user: nginx
nginx_group: nginx
nginx_worker_processes: 1
nginx_worker_connections: 1024
nginx_error_log:
  enabled: True
  file: /var/log/nginx/error.log
  level: error
nginx_access_log:
  enabled: True
  file: /var/log/nginx/access.log
  format: main

## nginx buffer sizes
nginx_client_body_buffer_size: 10k
nginx_client_header_buffer_size: 1k
nginx_client_max_body_size: 8m

## nginx timeout settings
nginx_client_body_timeout: 60
nginx_client_header_timeout: 60
nginx_keepalive_timeout: 65
nginx_send_timeout: 60
nginx_reset_timedout_connection: True

## nginx compression
nginx_gzip_enabled: True
nginx_gzip_comp_level: 2
nginx_gzip_min_length: 1000
nginx_gzip_proxied:
  - expired
  - no-cache
  - no-store
  - private
  - auth
nginx_gzip_types:
  - text/plain
  - application/x-javascript
  - text/xml
  - text/css
  - application/xml

nginx_iptables_enabled: False
nginx_open_ports:
  - 80
  - 443

nginx_tls_enabled: False
# You can deploy your certificates from a file or from content.
# If you enable nginx_tls_source_use_content you have to put the content of your cert files into
# nginx_tls_cert_file and nginx_tls_cert_file.
nginx_tls_source_use_content: False
# If you enable nginx_tls_source_use_files theses variables have to contain the path to your
# certificate files located on the ansible "master" host
nginx_tls_source_use_files: True
nginx_tls_cert_source: mycert.pem
nginx_tls_key_source: mykey.pem
nginx_tls_cert_file: mycert.pem
nginx_tls_key_file: mykey.pem
# nginx_tls_dhparam_file: # defaults to not set
# nginx_tls_dhparam_size: # defaults to 2048

nginx_tls_ciphers:
  - ECDHE-ECDSA-CHACHA20-POLY1305
  - ECDHE-ECDSA-AES128-GCM-SHA256
  - ECDHE-ECDSA-AES128-SHA

nginx_tls_ocsp_enabled: False
# nginx_tls_ocsp_trusted_certificate: # defaults to not set

nginx_tls_hsts_enabled: False
nginx_hsts_options:
  - nginx_hsts_max_age=63072000
  - includeSubDomains

nginx_xfo_enabled: True
nginx_xfo_policy: deny

nginx_xcto_enabled: True

nginx_xxxsp_enabled: True
nginx_xxxsp_parameters:
  - mode=block

nginx_vhosts_dir: /var/www/vhosts

nginx_default_page_enabled: False

nginx_server_names_hash_bucket_size: 32
add iptables rule 2017-07-15 15:39:52 +00:00			`---`
some fixes 2018-08-09 19:20:06 +00:00			`nginx_official_repo_enabled: True`
refactoring 2017-12-24 13:05:27 +00:00			`nginx_user: nginx`
			`nginx_group: nginx`
add config validation 2017-12-24 16:36:43 +00:00			`nginx_worker_processes: 1`
dynamic worker_connections 2017-12-24 16:42:23 +00:00			`nginx_worker_connections: 1024`
complete rework of the role structure 2018-08-11 12:59:43 +00:00			`nginx_error_log:`
			`enabled: True`
			`file: /var/log/nginx/error.log`
			`level: error`
fix typo in dict 2018-08-11 13:22:15 +00:00			`nginx_access_log:`
complete rework of the role structure 2018-08-11 12:59:43 +00:00			`enabled: True`
			`file: /var/log/nginx/access.log`
fix logging settings 2018-08-11 13:27:27 +00:00			`format: main`
complete rework of the role structure 2018-08-11 12:59:43 +00:00
			`## nginx buffer sizes`
			`nginx_client_body_buffer_size: 10k`
			`nginx_client_header_buffer_size: 1k`
			`nginx_client_max_body_size: 8m`

			`## nginx timeout settings`
			`nginx_client_body_timeout: 60`
			`nginx_client_header_timeout: 60`
			`nginx_keepalive_timeout: 65`
			`nginx_send_timeout: 60`
			`nginx_reset_timedout_connection: True`

			`## nginx compression`
			`nginx_gzip_enabled: True`
			`nginx_gzip_comp_level: 2`
			`nginx_gzip_min_length: 1000`
			`nginx_gzip_proxied:`
			`- expired`
			`- no-cache`
			`- no-store`
			`- private`
			`- auth`
			`nginx_gzip_types:`
			`- text/plain`
			`- application/x-javascript`
			`- text/xml`
			`- text/css`
			`- application/xml`

make hsts static; make iptables optional; remove some vars 2018-08-14 20:02:35 +00:00			`nginx_iptables_enabled: False`
add iptables rule 2017-07-15 15:39:52 +00:00			`nginx_open_ports:`
			`- 80`
			`- 443`
complete rework of the role structure 2018-08-11 12:59:43 +00:00
refactoring 2017-12-23 11:25:55 +00:00			`nginx_tls_enabled: False`
refactor tls from source/file handling 2018-10-22 08:11:35 +00:00			`# You can deploy your certificates from a file or from content.`
			`# If you enable nginx_tls_source_use_content you have to put the content of your cert files into`
			`# nginx_tls_cert_file and nginx_tls_cert_file.`
fix tls implementation 2018-08-12 09:31:12 +00:00			`nginx_tls_source_use_content: False`
refactor tls from source/file handling 2018-10-22 08:11:35 +00:00			`# If you enable nginx_tls_source_use_files theses variables have to contain the path to your`
			`# certificate files located on the ansible "master" host`
fix tls implementation 2018-08-12 09:31:12 +00:00			`nginx_tls_source_use_files: True`
fix variables 2018-10-22 19:31:38 +00:00			`nginx_tls_cert_source: mycert.pem`
			`nginx_tls_key_source: mykey.pem`
refactor tls from source/file handling 2018-10-22 08:11:35 +00:00			`nginx_tls_cert_file: mycert.pem`
			`nginx_tls_key_file: mykey.pem`
add ssl_dhparam if enabled 2018-12-09 22:12:03 +00:00			`# nginx_tls_dhparam_file: # defaults to not set`
			`# nginx_tls_dhparam_size: # defaults to 2048`
fix tls implementation 2018-08-12 09:31:12 +00:00
fix some standards 2018-10-22 08:56:39 +00:00			`nginx_tls_ciphers:`
			`- ECDHE-ECDSA-CHACHA20-POLY1305`
			`- ECDHE-ECDSA-AES128-GCM-SHA256`
			`- ECDHE-ECDSA-AES128-SHA`

re-add option for hsts; add option for ocsp stapling 2018-08-14 20:35:00 +00:00			`nginx_tls_ocsp_enabled: False`
refactor tls from source/file handling 2018-10-22 08:11:35 +00:00			`# nginx_tls_ocsp_trusted_certificate: # defaults to not set`
re-add option for hsts; add option for ocsp stapling 2018-08-14 20:35:00 +00:00
			`nginx_tls_hsts_enabled: False`
webproxy: add hsts variables 2018-08-11 23:14:47 +00:00			`nginx_hsts_options:`
			`- nginx_hsts_max_age=63072000`
			`- includeSubDomains`

refactor tls from source/file handling 2018-10-22 08:11:35 +00:00			`nginx_xfo_enabled: True`
			`nginx_xfo_policy: deny`

			`nginx_xcto_enabled: True`

			`nginx_xxxsp_enabled: True`
			`nginx_xxxsp_parameters:`
			`- mode=block`

complete rework of the role structure 2018-08-11 12:59:43 +00:00			`nginx_vhosts_dir: /var/www/vhosts`

			`nginx_default_page_enabled: False`

			`nginx_server_names_hash_bucket_size: 32`