xoxys.nginx/defaults/main.yml

---
nginx_official_repo_enabled: True
nginx_user: nginx
nginx_group: nginx
nginx_worker_processes: 1
nginx_worker_connections: 1024
nginx_error_log:
  enabled: True
  file: /var/log/nginx/error.log
  level: error
nginx_access_log:
  enabled: True
  file: /var/log/nginx/access.log
  format: main

nginx_client_body_buffer_size: 10k
nginx_client_header_buffer_size: 1k
nginx_client_max_body_size: 8m

nginx_client_body_timeout: 60
nginx_client_header_timeout: 60
nginx_keepalive_timeout: 65
nginx_send_timeout: 60
nginx_reset_timedout_connection: True

nginx_gzip_enabled: True
nginx_gzip_comp_level: 2
nginx_gzip_min_length: 1000
nginx_gzip_proxied:
  - expired
  - no-cache
  - no-store
  - private
  - auth
nginx_gzip_types:
  - text/plain
  - application/x-javascript
  - text/xml
  - text/css
  - application/xml

nginx_iptables_enabled: False
nginx_iptables_rules_default:
  - name: allow_nginx_ports
    rules: |
      -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    state: present
nginx_iptables_rules_extra: []

nginx_tls_enabled: False
nginx_tls_versions:
  - TLSv1.2

# @var nginx_tls_cert_source:description: Source has to be a file.
# @var nginx_tls_cert_source: $ "_unset_"
# @var nginx_tls_key_source:description: Source has to be a file.
# @var nginx_tls_key_source: $ "_unset_"

# @var nginx_tls_cert_file:description: Set the destination filename.
nginx_tls_cert_file: mycert.pem
# @var nginx_tls_key_file:description: Set the destination filename.
nginx_tls_key_file: mykey.pem
# @var nginx_tls_dhparam_file: $ "_unset_"
nginx_tls_dhparam_size: 2048

nginx_tls_ciphers:
  - ECDHE-RSA-AES256-GCM-SHA512
  - DHE-RSA-AES256-GCM-SHA512
  - ECDHE-RSA-AES256-GCM-SHA384
  - DHE-RSA-AES256-GCM-SHA384
  - ECDHE-RSA-AES256-SHA384
# @var nginx_tls_ecdh_curve: $ "_unset_"

nginx_tls_ocsp_enabled: False
# @var nginx_tls_ocsp_trusted_certificate: $ "_unset_"

nginx_tls_hsts_enabled: False
nginx_hsts_options:
  - max-age=63072000
  - includeSubDomains

nginx_xfo_enabled: True
nginx_xfo_policy: deny

nginx_xcto_enabled: True
nginx_csp_enabled: False
# @ var nginx_csp_options: $ "_unset_"
# @var nginx_csp_options:example: >
# nginx_csp_options:
#   - directive: frame-ancestors
#     parameters:
#       - https://example.com
#       - https://mypage.com

nginx_xxxsp_enabled: True
nginx_xxxsp_parameters:
  - mode=block

nginx_vhosts_dir: /var/www/vhosts

nginx_vhosts_default:
  - file: default
    servers:
      - port: 80
        server_name: "{{ ansible_fqdn }}"
        locations:
          - match: /
            root: /var/www/vhosts/default
            index: index.html

# @var nginx_vhosts_default:example: >
# nginx_vhosts_default:
#   - file: default
#     upstream:
#       name: my_pool
#       servers: []
#     servers:
#       - port: 80
#         server_name: demo.example.com
#         tls_redirect: False # skips locations if enabled
#         tls_redirect_url:
#         tls:
#           cert: /etc/pki/tls/..
#           key: /etc/pki/tls/..
#           dhparam:
#         client_max_body_size:
#         send_timeout:
#         locations:
#           - match: /
#             root: /var/www/vhosts/default
#             index: index.html
#             proxy_pass:
#             proxy_http_version: "1.1"
#             proxy_buffering: "off"
#             proxy_connect_timeout: 3600s
#             proxy_read_timeout: 3600s
#             proxy_send_timeout: 3600s
#             proxy_headers: []
#     error_page: /usr/share/nginx/html

nginx_vhosts_extra: []

nginx_server_names_hash_bucket_size: 32
add iptables rule 2017-07-15 17:39:52 +02:00			`---`
some fixes 2018-08-09 21:20:06 +02:00			`nginx_official_repo_enabled: True`
refactoring 2017-12-24 14:05:27 +01:00			`nginx_user: nginx`
			`nginx_group: nginx`
add config validation 2017-12-24 17:36:43 +01:00			`nginx_worker_processes: 1`
dynamic worker_connections 2017-12-24 17:42:23 +01:00			`nginx_worker_connections: 1024`
complete rework of the role structure 2018-08-11 14:59:43 +02:00			`nginx_error_log:`
			`enabled: True`
			`file: /var/log/nginx/error.log`
			`level: error`
fix typo in dict 2018-08-11 15:22:15 +02:00			`nginx_access_log:`
complete rework of the role structure 2018-08-11 14:59:43 +02:00			`enabled: True`
			`file: /var/log/nginx/access.log`
fix logging settings 2018-08-11 15:27:27 +02:00			`format: main`
complete rework of the role structure 2018-08-11 14:59:43 +02:00
			`nginx_client_body_buffer_size: 10k`
			`nginx_client_header_buffer_size: 1k`
			`nginx_client_max_body_size: 8m`

			`nginx_client_body_timeout: 60`
			`nginx_client_header_timeout: 60`
			`nginx_keepalive_timeout: 65`
			`nginx_send_timeout: 60`
			`nginx_reset_timedout_connection: True`

			`nginx_gzip_enabled: True`
			`nginx_gzip_comp_level: 2`
			`nginx_gzip_min_length: 1000`
			`nginx_gzip_proxied:`
			`- expired`
			`- no-cache`
			`- no-store`
			`- private`
			`- auth`
			`nginx_gzip_types:`
			`- text/plain`
			`- application/x-javascript`
			`- text/xml`
			`- text/css`
			`- application/xml`

make hsts static; make iptables optional; remove some vars 2018-08-14 22:02:35 +02:00			`nginx_iptables_enabled: False`
add generic iptables task 2019-07-19 20:56:09 +02:00			`nginx_iptables_rules_default:`
			`- name: allow_nginx_ports`
			`rules: \|`
			`-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT`
			`state: present`
			`nginx_iptables_rules_extra: []`
complete rework of the role structure 2018-08-11 14:59:43 +02:00
refactoring 2017-12-23 12:25:55 +01:00			`nginx_tls_enabled: False`
[SKIP CI] fix typo 2019-06-11 23:10:16 +02:00			`nginx_tls_versions:`
nginx: update ciphers and tls to v1.3 2019-06-11 22:58:53 +02:00			`- TLSv1.2`
refactor ci pipeline 2019-10-18 10:54:26 +02:00
			`# @var nginx_tls_cert_source:description: Source has to be a file.`
			`# @var nginx_tls_cert_source: $ "_unset_"`
			`# @var nginx_tls_key_source:description: Source has to be a file.`
			`# @var nginx_tls_key_source: $ "_unset_"`

			`# @var nginx_tls_cert_file:description: Set the destination filename.`
refactor tls from source/file handling 2018-10-22 10:11:35 +02:00			`nginx_tls_cert_file: mycert.pem`
refactor ci pipeline 2019-10-18 10:54:26 +02:00			`# @var nginx_tls_key_file:description: Set the destination filename.`
refactor tls from source/file handling 2018-10-22 10:11:35 +02:00			`nginx_tls_key_file: mykey.pem`
refactor ci pipeline 2019-10-18 10:54:26 +02:00			`# @var nginx_tls_dhparam_file: $ "_unset_"`
cleanup 2019-07-18 08:59:41 +02:00			`nginx_tls_dhparam_size: 2048`
fix tls implementation 2018-08-12 11:31:12 +02:00
fix some standards 2018-10-22 10:56:39 +02:00			`nginx_tls_ciphers:`
revert defaults 2019-06-11 23:00:13 +02:00			`- ECDHE-RSA-AES256-GCM-SHA512`
			`- DHE-RSA-AES256-GCM-SHA512`
			`- ECDHE-RSA-AES256-GCM-SHA384`
			`- DHE-RSA-AES256-GCM-SHA384`
			`- ECDHE-RSA-AES256-SHA384`
refactor ci pipeline 2019-10-18 10:54:26 +02:00			`# @var nginx_tls_ecdh_curve: $ "_unset_"`
fix some standards 2018-10-22 10:56:39 +02:00
re-add option for hsts; add option for ocsp stapling 2018-08-14 22:35:00 +02:00			`nginx_tls_ocsp_enabled: False`
refactor ci pipeline 2019-10-18 10:54:26 +02:00			`# @var nginx_tls_ocsp_trusted_certificate: $ "_unset_"`
re-add option for hsts; add option for ocsp stapling 2018-08-14 22:35:00 +02:00
			`nginx_tls_hsts_enabled: False`
webproxy: add hsts variables 2018-08-12 01:14:47 +02:00			`nginx_hsts_options:`
fix default for hsts 2018-12-09 23:12:54 +01:00			`- max-age=63072000`
webproxy: add hsts variables 2018-08-12 01:14:47 +02:00			`- includeSubDomains`

refactor tls from source/file handling 2018-10-22 10:11:35 +02:00			`nginx_xfo_enabled: True`
			`nginx_xfo_policy: deny`

			`nginx_xcto_enabled: True`
add content security policy options 2019-06-11 17:01:38 +02:00			`nginx_csp_enabled: False`
refactor ci pipeline 2019-10-18 10:54:26 +02:00			`# @ var nginx_csp_options: $ "_unset_"`
			`# @var nginx_csp_options:example: >`
add content security policy options 2019-06-11 17:01:38 +02:00			`# nginx_csp_options:`
			`# - directive: frame-ancestors`
			`# parameters:`
			`# - https://example.com`
			`# - https://mypage.com`
refactor tls from source/file handling 2018-10-22 10:11:35 +02:00
			`nginx_xxxsp_enabled: True`
			`nginx_xxxsp_parameters:`
			`- mode=block`

complete rework of the role structure 2018-08-11 14:59:43 +02:00			`nginx_vhosts_dir: /var/www/vhosts`

refactor templating 2019-07-17 23:32:11 +02:00			`nginx_vhosts_default:`
			`- file: default`
fix some templating issues 2019-07-18 00:16:24 +02:00			`servers:`
refactor templating 2019-07-17 23:32:11 +02:00			`- port: 80`
fix some templating issues 2019-07-18 00:16:24 +02:00			`server_name: "{{ ansible_fqdn }}"`
refactor templating 2019-07-17 23:32:11 +02:00			`locations:`
			`- match: /`
			`root: /var/www/vhosts/default`
			`index: index.html`

refactor ci pipeline 2019-10-18 10:54:26 +02:00			`# @var nginx_vhosts_default:example: >`
refactor templating 2019-07-17 23:32:11 +02:00			`# nginx_vhosts_default:`
			`# - file: default`
			`# upstream:`
			`# name: my_pool`
			`# servers: []`
			`# servers:`
			`# - port: 80`
			`# server_name: demo.example.com`
			`# tls_redirect: False # skips locations if enabled`
			`# tls_redirect_url:`
			`# tls:`
			`# cert: /etc/pki/tls/..`
			`# key: /etc/pki/tls/..`
			`# dhparam:`
			`# client_max_body_size:`
add new options to example 2019-08-28 18:34:01 +02:00			`# send_timeout:`
refactor templating 2019-07-17 23:32:11 +02:00			`# locations:`
			`# - match: /`
			`# root: /var/www/vhosts/default`
			`# index: index.html`
			`# proxy_pass:`
add new options to example 2019-08-28 18:34:01 +02:00			`# proxy_http_version: "1.1"`
			`# proxy_buffering: "off"`
			`# proxy_connect_timeout: 3600s`
			`# proxy_read_timeout: 3600s`
			`# proxy_send_timeout: 3600s`
refactor templating 2019-07-17 23:32:11 +02:00			`# proxy_headers: []`
			`# error_page: /usr/share/nginx/html`

			`nginx_vhosts_extra: []`
complete rework of the role structure 2018-08-11 14:59:43 +02:00
			`nginx_server_names_hash_bucket_size: 32`