complete rework of the role structure
This commit is contained in:
parent
ec26de0456
commit
029f70f276
@ -4,17 +4,60 @@ nginx_user: nginx
|
|||||||
nginx_group: nginx
|
nginx_group: nginx
|
||||||
nginx_worker_processes: 1
|
nginx_worker_processes: 1
|
||||||
nginx_worker_connections: 1024
|
nginx_worker_connections: 1024
|
||||||
|
nginx_error_log:
|
||||||
|
enabled: True
|
||||||
|
file: /var/log/nginx/error.log
|
||||||
|
level: error
|
||||||
|
nginx_access_logfile:
|
||||||
|
enabled: True
|
||||||
|
file: /var/log/nginx/access.log
|
||||||
|
level: info
|
||||||
|
|
||||||
|
## nginx buffer sizes
|
||||||
|
nginx_client_body_buffer_size: 10k
|
||||||
|
nginx_client_header_buffer_size: 1k
|
||||||
|
nginx_client_max_body_size: 8m
|
||||||
|
|
||||||
|
## nginx timeout settings
|
||||||
|
nginx_client_body_timeout: 60
|
||||||
|
nginx_client_header_timeout: 60
|
||||||
|
nginx_keepalive_timeout: 65
|
||||||
|
nginx_send_timeout: 60
|
||||||
|
nginx_reset_timedout_connection: True
|
||||||
|
|
||||||
|
## nginx compression
|
||||||
|
nginx_gzip_enabled: True
|
||||||
|
nginx_gzip_comp_level: 2
|
||||||
|
nginx_gzip_min_length: 1000
|
||||||
|
nginx_gzip_proxied:
|
||||||
|
- expired
|
||||||
|
- no-cache
|
||||||
|
- no-store
|
||||||
|
- private
|
||||||
|
- auth
|
||||||
|
nginx_gzip_types:
|
||||||
|
- text/plain
|
||||||
|
- application/x-javascript
|
||||||
|
- text/xml
|
||||||
|
- text/css
|
||||||
|
- application/xml
|
||||||
|
|
||||||
nginx_open_ports:
|
nginx_open_ports:
|
||||||
- 80
|
- 80
|
||||||
- 443
|
- 443
|
||||||
|
|
||||||
nginx_tls_enabled: False
|
nginx_tls_enabled: False
|
||||||
# nginx_tls_cert:
|
nginx_tls_certs_dir: /etc/pki/tls/certs
|
||||||
# nginx_tls_private_key:
|
nginx_tls_key_dir: /etc/pki/tls/private
|
||||||
# nginx_tls_intermediate_ca:
|
nginx_tls_cert_file: "{{ nginx_tls_certs_dir }}/mycert.pem"
|
||||||
nginx_vhosts_dir: /var/www/vhosts
|
nginx_tls_private_key_file: "{{ nginx_tls_key_dir }}/mycert.pem"
|
||||||
|
|
||||||
nginx_pfs_enabled: False
|
nginx_pfs_enabled: False
|
||||||
nginx_dhparam_size: 4069
|
nginx_dhparam_size: 4069
|
||||||
nginx_dhparam_file: "/etc/pki/tls/certs/dhparam-{{ nginx_dhparam_size }}.pem"
|
nginx_dhparam_file: "{{ nginx_tls_certs_dir }}/dhparam-{{ nginx_dhparam_size }}.pem"
|
||||||
nginx_tls_cert_file: "/etc/pki/tls/certs/my-chained.crt"
|
|
||||||
nginx_tls_intermediate_ca_file: "/etc/pki/tls/certs/my-intermediate.crt"
|
nginx_vhosts_dir: /var/www/vhosts
|
||||||
nginx_tls_private_key_file: "/etc/pki/tls/private/my-private.key"
|
|
||||||
|
nginx_default_page_enabled: False
|
||||||
|
|
||||||
|
nginx_server_names_hash_bucket_size: 32
|
||||||
|
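Review bot: The new `nginx_access_logfile:` mapping does not match the name the nginx.conf template on this page reads — that hunk references `nginx_access_log.enabled`, `nginx_access_log.file` and `nginx_access_log.level` — so rendering fails with an undefined variable whenever the role runs on defaults; rename the key to `nginx_access_log:`. The `level: info` sub-key is also misleading for an access log, because nginx's `access_log` directive takes a log format name (the old template passed `main`) rather than a severity, so this should be `format: main`. The `nginx_tls_intermediate_ca_file` default is removed here while the new tasks/tls.yml still writes to `{{ nginx_tls_intermediate_ca_file }}`, and the content variables `nginx_tls_cert`, `nginx_tls_private_key` and `nginx_tls_intermediate_ca` that tasks/tls.yml requires no longer appear even as commented placeholders; they should be documented, e.g. `# nginx_tls_private_key: ""  # PEM content, supply from a vault`. `nginx_tls_cert_file` and `nginx_tls_private_key_file` both default to the basename `mycert.pem`, which invites deploying the key under the certificate's name; a distinct default such as `mykey.pem` is safer. Finally, the `True`/`False` values should be the canonical `true`/`false`, and the context line `nginx_dhparam_size: 4069` right beside the reworked `nginx_dhparam_file` looks like a pre-existing typo for 4096.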
@ -62,25 +62,31 @@
|
|||||||
notify:
|
notify:
|
||||||
- nginx_reload
|
- nginx_reload
|
||||||
|
|
||||||
- name: Update conf.d files
|
|
||||||
template:
|
|
||||||
src: 'etc/nginx/conf.d/{{ item }}.j2'
|
|
||||||
dest: '/etc/nginx/conf.d/{{ item }}'
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0640
|
|
||||||
validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
|
|
||||||
with_items:
|
|
||||||
- header.conf
|
|
||||||
- tls.conf
|
|
||||||
notify:
|
|
||||||
- nginx_reload
|
|
||||||
|
|
||||||
- name: Remove default.conf from conf.d
|
- name: Remove default.conf from conf.d
|
||||||
file:
|
file:
|
||||||
path: /etc/nginx/conf.d/default.conf
|
path: /etc/nginx/conf.d/default.conf
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
|
- name: Update conf.d files
|
||||||
|
template:
|
||||||
|
src: etc/nginx/conf.d/header.conf.j2
|
||||||
|
dest: /etc/nginx/conf.d/header.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0640
|
||||||
|
validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
|
||||||
|
notify:
|
||||||
|
- nginx_reload
|
||||||
|
|
||||||
|
- name: Open ports in iptables
|
||||||
|
iptables_raw:
|
||||||
|
name: allow_nginx_ports
|
||||||
|
state: present
|
||||||
|
rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT'
|
||||||
|
become: True
|
||||||
|
become_user: root
|
||||||
|
|
||||||
|
- block:
|
||||||
- name: Add default page configuration file
|
- name: Add default page configuration file
|
||||||
template:
|
template:
|
||||||
src: 'etc/nginx/sites-available/default.j2'
|
src: 'etc/nginx/sites-available/default.j2'
|
||||||
@ -100,77 +106,10 @@
|
|||||||
state: link
|
state: link
|
||||||
notify:
|
notify:
|
||||||
- nginx_reload
|
- nginx_reload
|
||||||
|
when: nginx_default_page_enabled
|
||||||
- name: Open ports in iptables
|
|
||||||
iptables_raw:
|
|
||||||
name: allow_nginx_ports
|
|
||||||
state: present
|
|
||||||
rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT'
|
|
||||||
become: True
|
become: True
|
||||||
become_user: root
|
become_user: root
|
||||||
|
|
||||||
- block:
|
|
||||||
- name: Copy tls certificate
|
|
||||||
copy:
|
|
||||||
content: "{{ nginx_tls_cert }}"
|
|
||||||
dest: "{{ nginx_tls_cert_file }}"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0644
|
|
||||||
notify:
|
|
||||||
- nginx_reload
|
|
||||||
|
|
||||||
- name: Copy ssl intermediate cert
|
|
||||||
copy:
|
|
||||||
content: "{{ nginx_tls_intermediate_ca }}"
|
|
||||||
dest: "{{ nginx_tls_intermediate_ca_file }}"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0644
|
|
||||||
notify:
|
|
||||||
- nginx_reload
|
|
||||||
|
|
||||||
- name: Copy tls private key
|
|
||||||
copy:
|
|
||||||
content: "{{ nginx_tls_private_key }}"
|
|
||||||
dest: "{{ nginx_tls_private_key_file }}"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0600
|
|
||||||
notify:
|
|
||||||
- nginx_reload
|
|
||||||
become: True
|
|
||||||
become_user: root
|
|
||||||
when: nginx_tls_enabled
|
|
||||||
|
|
||||||
- block:
|
|
||||||
- name: Register dhparam file
|
|
||||||
stat:
|
|
||||||
path: "{{ nginx_dhparam_file }}"
|
|
||||||
register: dh_file
|
|
||||||
|
|
||||||
- name: Generate Diffie-Hellman parameter file
|
|
||||||
shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
|
|
||||||
async: 3600
|
|
||||||
poll: 60
|
|
||||||
when: not dh_file.stat.exists
|
|
||||||
notify:
|
|
||||||
- nginx_reload
|
|
||||||
become: True
|
|
||||||
become_user: root
|
|
||||||
when: nginx_pfs_enabled
|
|
||||||
|
|
||||||
- block:
|
|
||||||
- name: Add default page
|
|
||||||
template:
|
|
||||||
src: 'var/www/vhosts/default/index.html.j2'
|
|
||||||
dest: '/var/www/vhosts/default/index.html'
|
|
||||||
owner: nginx
|
|
||||||
group: nginx
|
|
||||||
mode: 0750
|
|
||||||
become: True
|
|
||||||
become_user: nginx
|
|
||||||
|
|
||||||
- name: Enable nginx service
|
- name: Enable nginx service
|
||||||
systemd:
|
systemd:
|
||||||
state: started
|
state: started
|
||||||
|
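Review bot: `tls.conf` is no longer rendered anywhere visible: the `Update conf.d files` task in the first hunk drops the `with_items` loop and templates only `etc/nginx/conf.d/header.conf.j2`, and the new tasks/tls.yml on this page only copies certificates and generates dhparams, so the reworked tls.conf.j2 template is never deployed unless a task outside these hunks does it. The second hunk removes the TLS, dhparam and default-page blocks from this file, but no `include`/`import_tasks` of tls.yml appears among the new lines; if it lives beyond the hunk, ignore this, otherwise add one such as `- import_tasks: tls.yml`. The file modes remain unquoted (`mode: 0640`), which depends on YAML 1.1 octal parsing; `mode: "0640"` is the portable form. Both task lists continue outside the visible hunks.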
61
tasks/tls.yml
Normal file
61
tasks/tls.yml
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
- block:
|
||||||
|
- name: Copy tls certificate
|
||||||
|
copy:
|
||||||
|
content: "{{ nginx_tls_cert }}"
|
||||||
|
dest: "{{ nginx_tls_cert_file }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
notify:
|
||||||
|
- nginx_reload
|
||||||
|
|
||||||
|
- name: Copy ssl intermediate cert
|
||||||
|
copy:
|
||||||
|
content: "{{ nginx_tls_intermediate_ca }}"
|
||||||
|
dest: "{{ nginx_tls_intermediate_ca_file }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
notify:
|
||||||
|
- nginx_reload
|
||||||
|
|
||||||
|
- name: Copy tls private key
|
||||||
|
copy:
|
||||||
|
content: "{{ nginx_tls_private_key }}"
|
||||||
|
dest: "{{ nginx_tls_private_key_file }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0600
|
||||||
|
notify:
|
||||||
|
- nginx_reload
|
||||||
|
become: True
|
||||||
|
become_user: root
|
||||||
|
when: nginx_tls_enabled
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Register dhparam file
|
||||||
|
stat:
|
||||||
|
path: "{{ nginx_dhparam_file }}"
|
||||||
|
register: dh_file
|
||||||
|
|
||||||
|
- name: Generate Diffie-Hellman parameter file
|
||||||
|
shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
|
||||||
|
async: 3600
|
||||||
|
poll: 60
|
||||||
|
when: not dh_file.stat.exists
|
||||||
|
notify:
|
||||||
|
- nginx_reload
|
||||||
|
become: True
|
||||||
|
become_user: root
|
||||||
|
when: nginx_pfs_enabled
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Add default page
|
||||||
|
template:
|
||||||
|
src: 'var/www/vhosts/default/index.html.j2'
|
||||||
|
dest: '/var/www/vhosts/default/index.html'
|
||||||
|
owner: nginx
|
||||||
|
group: nginx
|
||||||
|
mode: 0750
|
||||||
|
become: True
|
||||||
|
become_user: nginx
|
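Review bot: The `Copy tls private key` task writes `{{ nginx_tls_private_key }}` through `copy: content:` without `no_log: true`, so the key material can be echoed in verbose module-argument output and in `--diff` runs and end up in CI logs; add `no_log: true` to that task (and to the certificate copies if their inputs are vaulted). The `Generate Diffie-Hellman parameter file` task uses `shell:` for a command with no shell features, so `command:` would avoid an unnecessary shell around the unquoted `{{ nginx_dhparam_size }}` substitution; it also consumes `nginx_dhparam_size`, which the defaults on this page set to 4069 — apparently a typo for 4096. The `Add default page` block at the end of the file has no `when:` guard even though the defaults add `nginx_default_page_enabled` and tasks/main.yml gates the matching config file with it, and it hardcodes `/var/www/vhosts/default/index.html` instead of deriving the path from `nginx_vhosts_dir`. File modes such as `mode: 0600` should be quoted strings (`"0600"`) so they do not rely on YAML 1.1 octal parsing.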
@ -1,6 +1,5 @@
|
|||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
# default header settings
|
# default header settings
|
||||||
add_header Strict-Transport-Security max-age=63072000;
|
|
||||||
add_header X-Frame-Options DENY;
|
add_header X-Frame-Options DENY;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
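Review bot: Removing `add_header Strict-Transport-Security max-age=63072000;` from this http-level header file silently drops HSTS for the TLS vhost, and nothing on this page re-adds it in the new `listen 443 ssl;` server block of the default site template. If the intent is to stop sending it on the plain-HTTP listener (where browsers ignore it anyway), the directive belongs inside the 443 server block, e.g. `add_header Strict-Transport-Security max-age=63072000 always;`, but note that nginx only inherits `add_header` from a higher level when the current level declares none, so adding one header in that server block means repeating the others from this file there as well. `X-XSS-Protection` is a legacy header that current browsers ignore; keeping it is harmless, but a `Content-Security-Policy` is the present-day equivalent.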
@ -1,16 +1,10 @@
|
|||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
# certificate settings
|
# certificate settings
|
||||||
ssl_certificate_key /etc/pki/tls/private/my-private.key;
|
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA';
|
||||||
ssl_certificate /etc/pki/tls/certs/my-chained.crt;
|
|
||||||
|
|
||||||
ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
|
|
||||||
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
||||||
ssl_session_cache shared:SSL:10m;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
ssl_trusted_certificate /etc/pki/tls/certs/my-intermediate.crt;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
|
ssl_protocols TLSv1.2;
|
||||||
|
ssl_session_cache shared:SSL:10m;
|
||||||
|
{% if nginx_pfs_enabled and nginx_dhparam_file is defined %}
|
||||||
ssl_dhparam {{ nginx_dhparam_file }};
|
ssl_dhparam {{ nginx_dhparam_file }};
|
||||||
|
{% endif %}
|
||||||
|
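Review bot: The new `ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA';` line lists ECDSA-only suites, so with an RSA certificate — which the dhparam/`nginx_pfs_enabled` machinery and the generic `mycert.pem` defaults on this page suggest the role deploys — no cipher can be negotiated and every handshake fails; add the corresponding `ECDHE-RSA-*` suites or document that only ECDSA certificates are supported. With no DHE suites in the list the guarded `ssl_dhparam {{ nginx_dhparam_file }};` is never used, so either keep a `DHE-RSA-*` suite or drop the dhparam generation. The removed `ssl_certificate`/`ssl_certificate_key` directives do not reappear in this hunk and the removed `ssl_stapling`, `ssl_stapling_verify` and `ssl_trusted_certificate` lines have no replacement, which also leaves the intermediate CA that tasks/tls.yml still copies unreferenced; if these moved into the 443 server block outside the visible hunks, ignore that part, otherwise the TLS vhost cannot start. Restricting `ssl_protocols` to `TLSv1.2` is a good change.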
@ -2,7 +2,6 @@
|
|||||||
user {{ nginx_user }} {{ nginx_group }};
|
user {{ nginx_user }} {{ nginx_group }};
|
||||||
worker_processes {{ nginx_worker_processes }};
|
worker_processes {{ nginx_worker_processes }};
|
||||||
|
|
||||||
error_log /var/log/nginx/error.log;
|
|
||||||
pid /run/nginx.pid;
|
pid /run/nginx.pid;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
@ -17,7 +16,16 @@ http {
|
|||||||
'$status $body_bytes_sent "$http_referer" '
|
'$status $body_bytes_sent "$http_referer" '
|
||||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log main;
|
{% if nginx_error_log.enabled %}
|
||||||
|
error_log {{ nginx_error_log.file }} {{ nginx_error_log.level }};
|
||||||
|
{% else %}
|
||||||
|
error_log off;
|
||||||
|
{% endif %}
|
||||||
|
{% if nginx_access_log.enabled %}
|
||||||
|
access_log {{ nginx_access_log.file }} {{ nginx_access_log.level }};
|
||||||
|
{% else %}
|
||||||
|
access_log off;
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
sendfile on;
|
sendfile on;
|
||||||
tcp_nopush on;
|
tcp_nopush on;
|
||||||
@ -26,29 +34,32 @@ http {
|
|||||||
server_tokens off;
|
server_tokens off;
|
||||||
|
|
||||||
## Buffers
|
## Buffers
|
||||||
client_body_buffer_size 10K;
|
client_body_buffer_size {{ nginx_client_body_buffer_size }};
|
||||||
client_header_buffer_size 1k;
|
client_header_buffer_size {{ nginx_client_header_buffer_size }};
|
||||||
client_max_body_size 8m;
|
client_max_body_size {{ nginx_client_max_body_size }};
|
||||||
|
|
||||||
## Timeouts
|
## Timeouts
|
||||||
client_body_timeout 12;
|
client_body_timeout {{ nginx_client_body_timeout }};
|
||||||
client_header_timeout 12;
|
client_header_timeout {{ nginx_client_header_timeout }};
|
||||||
keepalive_timeout 15;
|
keepalive_timeout {{ nginx_keepalive_timeout }};
|
||||||
send_timeout 10;
|
send_timeout {{ nginx_send_timeout }};
|
||||||
|
{% if nginx_reset_timedout_connection %}
|
||||||
|
reset_timedout_connection on;
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
## Gzip Settings
|
## Gzip Settings
|
||||||
gzip on;
|
{% if nginx_gzip_enabled %}
|
||||||
gzip_comp_level 2;
|
gzip on;
|
||||||
gzip_min_length 1000;
|
gzip_comp_level {{ nginx_gzip_comp_level }};
|
||||||
gzip_proxied expired no-cache no-store private auth;
|
gzip_min_length {{ nginx_gzip_min_length }};
|
||||||
gzip_types text/plain application/x-javascript text/xml text/css application/xml;
|
gzip_proxied {{ nginx_gzip_proxied | join(" ") }};
|
||||||
|
gzip_types {{ nginx_gzip_types | join(" ") }};
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
# Load modular configuration files from the /etc/nginx/conf.d directory.
|
# Load modular configuration files from the /etc/nginx/conf.d directory
|
||||||
# See http://nginx.org/en/docs/ngx_core_module.html#include
|
|
||||||
# for more information.
|
|
||||||
include /etc/nginx/conf.d/*.conf;
|
include /etc/nginx/conf.d/*.conf;
|
||||||
|
|
||||||
## Virtual Host Configs
|
## Virtual Host Configs
|
||||||
include /etc/nginx/sites-enabled/*;
|
include /etc/nginx/sites-enabled/*;
|
||||||
server_names_hash_bucket_size 64;
|
server_names_hash_bucket_size {{ nginx_server_names_hash_bucket_size }};
|
||||||
}
|
}
|
||||||
|
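Review bot: In the second hunk (`@ -17,7 +16,16 @@ http {`) the new `error_log off;` branch does not disable logging — nginx's `error_log` has no `off` value, and that line creates a file literally named `off` in the nginx prefix directory; use `error_log /dev/null crit;` when `nginx_error_log.enabled` is false. The new `access_log {{ nginx_access_log.file }} {{ nginx_access_log.level }};` line passes a severity where `access_log` expects a log format name, so with the defaults on this page (`level: info`) `nginx -t` rejects the config with an unknown log format, and the `log_format main` definition just above is left unused; render `access_log {{ nginx_access_log.file }} main;` or expose the format as a variable. The variable itself is declared as `nginx_access_logfile` in the defaults hunk, so `nginx_access_log.enabled` is undefined at render time until the names agree. Moving `error_log` from the main context into `http {}` also means errors raised before the http block is parsed go to the compiled-in default path.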
@ -3,9 +3,23 @@ server {
|
|||||||
listen 80;
|
listen 80;
|
||||||
server_name {{ ansible_fqdn }};
|
server_name {{ ansible_fqdn }};
|
||||||
|
|
||||||
|
{% if nginx_tls_enabled %}
|
||||||
return 301 https://$server_name$request_uri;
|
return 301 https://$server_name$request_uri;
|
||||||
|
{% else %}
|
||||||
|
location / {
|
||||||
|
root /var/www/vhosts/default;
|
||||||
|
index index.html index.htm;
|
||||||
|
}
|
||||||
|
|
||||||
|
# redirect server error pages to the static page /50x.html
|
||||||
|
error_page 500 502 503 504 /50x.html;
|
||||||
|
location = /50x.html {
|
||||||
|
root /usr/share/nginx/html;
|
||||||
|
}
|
||||||
|
{% end if %}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
{% if nginx_tls_enabled %}
|
||||||
server {
|
server {
|
||||||
listen 443 ssl;
|
listen 443 ssl;
|
||||||
server_name {{ ansible_fqdn }};
|
server_name {{ ansible_fqdn }};
|
||||||
@ -21,3 +35,4 @@ server {
|
|||||||
root /usr/share/nginx/html;
|
root /usr/share/nginx/html;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
{% endif %}
|
||||||
|
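Review bot: `{% end if %}` in the first hunk is not a valid Jinja2 tag — the closing tag is `{% endif %}` — so the template fails to render and the default site is never written; the line should read `{% endif %}`. The `{% if nginx_tls_enabled %}` / `{% else %}` split between redirect and static serving is otherwise sound, and wrapping the `listen 443 ssl;` server in its own `{% if nginx_tls_enabled %}` … `{% endif %}` (second hunk) is also the right place to add the HSTS header that the header.conf hunk on this page removes. The 443 server block is cut between the two hunks, so whether `ssl_certificate` and `ssl_certificate_key` are declared there cannot be checked from this page.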