complete rework of the role structure
This commit is contained in:
parent
ec26de0456
commit
029f70f276
@ -4,17 +4,60 @@ nginx_user: nginx
|
||||
nginx_group: nginx
|
||||
nginx_worker_processes: 1
|
||||
nginx_worker_connections: 1024
|
||||
nginx_error_log:
|
||||
enabled: True
|
||||
file: /var/log/nginx/error.log
|
||||
level: error
|
||||
nginx_access_logfile:
|
||||
enabled: True
|
||||
file: /var/log/nginx/access.log
|
||||
level: info
|
||||
|
||||
## nginx buffer sizes
|
||||
nginx_client_body_buffer_size: 10k
|
||||
nginx_client_header_buffer_size: 1k
|
||||
nginx_client_max_body_size: 8m
|
||||
|
||||
## nginx timeout settings
|
||||
nginx_client_body_timeout: 60
|
||||
nginx_client_header_timeout: 60
|
||||
nginx_keepalive_timeout: 65
|
||||
nginx_send_timeout: 60
|
||||
nginx_reset_timedout_connection: True
|
||||
|
||||
## nginx compression
|
||||
nginx_gzip_enabled: True
|
||||
nginx_gzip_comp_level: 2
|
||||
nginx_gzip_min_length: 1000
|
||||
nginx_gzip_proxied:
|
||||
- expired
|
||||
- no-cache
|
||||
- no-store
|
||||
- private
|
||||
- auth
|
||||
nginx_gzip_types:
|
||||
- text/plain
|
||||
- application/x-javascript
|
||||
- text/xml
|
||||
- text/css
|
||||
- application/xml
|
||||
|
||||
nginx_open_ports:
|
||||
- 80
|
||||
- 443
|
||||
|
||||
nginx_tls_enabled: False
|
||||
# nginx_tls_cert:
|
||||
# nginx_tls_private_key:
|
||||
# nginx_tls_intermediate_ca:
|
||||
nginx_vhosts_dir: /var/www/vhosts
|
||||
nginx_tls_certs_dir: /etc/pki/tls/certs
|
||||
nginx_tls_key_dir: /etc/pki/tls/private
|
||||
nginx_tls_cert_file: "{{ nginx_tls_certs_dir }}/mycert.pem"
|
||||
nginx_tls_private_key_file: "{{ nginx_tls_key_dir }}/mycert.pem"
|
||||
|
||||
nginx_pfs_enabled: False
|
||||
nginx_dhparam_size: 4069
|
||||
nginx_dhparam_file: "/etc/pki/tls/certs/dhparam-{{ nginx_dhparam_size }}.pem"
|
||||
nginx_tls_cert_file: "/etc/pki/tls/certs/my-chained.crt"
|
||||
nginx_tls_intermediate_ca_file: "/etc/pki/tls/certs/my-intermediate.crt"
|
||||
nginx_tls_private_key_file: "/etc/pki/tls/private/my-private.key"
|
||||
nginx_dhparam_file: "{{ nginx_tls_certs_dir }}/dhparam-{{ nginx_dhparam_size }}.pem"
|
||||
|
||||
nginx_vhosts_dir: /var/www/vhosts
|
||||
|
||||
nginx_default_page_enabled: False
|
||||
|
||||
nginx_server_names_hash_bucket_size: 32
|
||||
|
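Review bot: `nginx_dhparam_size: 4069` looks like a transposition of 4096; openssl will generate a 4069-bit group without complaint, but the non-standard size ends up baked into the dhparam file name, so `nginx_dhparam_size: 4096` is presumably what was meant. This rendering does not show which of the duplicated keys (`nginx_tls_cert_file`, `nginx_tls_private_key_file`, `nginx_dhparam_file`, `nginx_vhosts_dir`) are old and which are new; if both definitions of any of them survive on the new side, YAML's last-key-wins makes the later one silently override the earlier, so only the `{{ nginx_tls_certs_dir }}`/`{{ nginx_tls_key_dir }}`-based variants should remain. Booleans are written `True`/`False` throughout; `true`/`false` is the canonical form (yamllint `truthy`). Lowering `nginx_server_names_hash_bucket_size` from 64 to 32 is risky because the template uses `server_name {{ ansible_fqdn }}`, and an FQDN longer than 32 bytes makes `nginx -t` fail with `could not build server_names_hash`; keeping 64 as the default is the safer choice.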
@ -62,25 +62,31 @@
|
||||
notify:
|
||||
- nginx_reload
|
||||
|
||||
- name: Update conf.d files
|
||||
template:
|
||||
src: 'etc/nginx/conf.d/{{ item }}.j2'
|
||||
dest: '/etc/nginx/conf.d/{{ item }}'
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
|
||||
with_items:
|
||||
- header.conf
|
||||
- tls.conf
|
||||
notify:
|
||||
- nginx_reload
|
||||
|
||||
- name: Remove default.conf from conf.d
|
||||
file:
|
||||
path: /etc/nginx/conf.d/default.conf
|
||||
state: absent
|
||||
|
||||
- name: Update conf.d files
|
||||
template:
|
||||
src: etc/nginx/conf.d/header.conf.j2
|
||||
dest: /etc/nginx/conf.d/header.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
|
||||
notify:
|
||||
- nginx_reload
|
||||
|
||||
- name: Open ports in iptables
|
||||
iptables_raw:
|
||||
name: allow_nginx_ports
|
||||
state: present
|
||||
rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT'
|
||||
become: True
|
||||
become_user: root
|
||||
|
||||
- block:
|
||||
- name: Add default page configuration file
|
||||
template:
|
||||
src: 'etc/nginx/sites-available/default.j2'
|
||||
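Review bot: The `Open ports in iptables` task accepts every entry of `nginx_open_ports` (80 and 443 by default) regardless of `nginx_tls_enabled`, so 443 is opened even when nothing listens on it; either default the list to `[80]` and add 443 only under the TLS condition, or derive the rule's port list from `nginx_tls_enabled` in the task. It is not recoverable from this rendering which of the two `Update conf.d files` tasks is the new one; if the single `header.conf` variant is what survives, nothing templates `etc/nginx/conf.d/tls.conf.j2` any more, because tasks/tls.yml only copies certificates and generates dhparam. File modes are bare octal literals (`mode: 0640`); quoting them (`mode: "0640"`) protects against a YAML 1.2 parser or a dropped leading zero turning them into decimal, and the same applies to every `mode:` in tasks/tls.yml. `become: True` should be `become: true` for the same reason as the defaults file.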
@ -100,77 +106,10 @@
|
||||
state: link
|
||||
notify:
|
||||
- nginx_reload
|
||||
|
||||
- name: Open ports in iptables
|
||||
iptables_raw:
|
||||
name: allow_nginx_ports
|
||||
state: present
|
||||
rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT'
|
||||
when: nginx_default_page_enabled
|
||||
become: True
|
||||
become_user: root
|
||||
|
||||
- block:
|
||||
- name: Copy tls certificate
|
||||
copy:
|
||||
content: "{{ nginx_tls_cert }}"
|
||||
dest: "{{ nginx_tls_cert_file }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify:
|
||||
- nginx_reload
|
||||
|
||||
- name: Copy ssl intermediate cert
|
||||
copy:
|
||||
content: "{{ nginx_tls_intermediate_ca }}"
|
||||
dest: "{{ nginx_tls_intermediate_ca_file }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify:
|
||||
- nginx_reload
|
||||
|
||||
- name: Copy tls private key
|
||||
copy:
|
||||
content: "{{ nginx_tls_private_key }}"
|
||||
dest: "{{ nginx_tls_private_key_file }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
notify:
|
||||
- nginx_reload
|
||||
become: True
|
||||
become_user: root
|
||||
when: nginx_tls_enabled
|
||||
|
||||
- block:
|
||||
- name: Register dhparam file
|
||||
stat:
|
||||
path: "{{ nginx_dhparam_file }}"
|
||||
register: dh_file
|
||||
|
||||
- name: Generate Diffie-Hellman parameter file
|
||||
shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
|
||||
async: 3600
|
||||
poll: 60
|
||||
when: not dh_file.stat.exists
|
||||
notify:
|
||||
- nginx_reload
|
||||
become: True
|
||||
become_user: root
|
||||
when: nginx_pfs_enabled
|
||||
|
||||
- block:
|
||||
- name: Add default page
|
||||
template:
|
||||
src: 'var/www/vhosts/default/index.html.j2'
|
||||
dest: '/var/www/vhosts/default/index.html'
|
||||
owner: nginx
|
||||
group: nginx
|
||||
mode: 0750
|
||||
become: True
|
||||
become_user: nginx
|
||||
|
||||
- name: Enable nginx service
|
||||
systemd:
|
||||
state: started
|
||||
|
61
tasks/tls.yml
Normal file
@ -0,0 +1,61 @@
|
||||
- block:
|
||||
- name: Copy tls certificate
|
||||
copy:
|
||||
content: "{{ nginx_tls_cert }}"
|
||||
dest: "{{ nginx_tls_cert_file }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify:
|
||||
- nginx_reload
|
||||
|
||||
- name: Copy ssl intermediate cert
|
||||
copy:
|
||||
content: "{{ nginx_tls_intermediate_ca }}"
|
||||
dest: "{{ nginx_tls_intermediate_ca_file }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify:
|
||||
- nginx_reload
|
||||
|
||||
- name: Copy tls private key
|
||||
copy:
|
||||
content: "{{ nginx_tls_private_key }}"
|
||||
dest: "{{ nginx_tls_private_key_file }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
notify:
|
||||
- nginx_reload
|
||||
become: True
|
||||
become_user: root
|
||||
when: nginx_tls_enabled
|
||||
|
||||
- block:
|
||||
- name: Register dhparam file
|
||||
stat:
|
||||
path: "{{ nginx_dhparam_file }}"
|
||||
register: dh_file
|
||||
|
||||
- name: Generate Diffie-Hellman parameter file
|
||||
shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
|
||||
async: 3600
|
||||
poll: 60
|
||||
when: not dh_file.stat.exists
|
||||
notify:
|
||||
- nginx_reload
|
||||
become: True
|
||||
become_user: root
|
||||
when: nginx_pfs_enabled
|
||||
|
||||
- block:
|
||||
- name: Add default page
|
||||
template:
|
||||
src: 'var/www/vhosts/default/index.html.j2'
|
||||
dest: '/var/www/vhosts/default/index.html'
|
||||
owner: nginx
|
||||
group: nginx
|
||||
mode: 0750
|
||||
become: True
|
||||
become_user: nginx
|
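Review bot: The `Copy tls private key` task passes `{{ nginx_tls_private_key }}` as `content:` without `no_log: true`, so the key material is printed in `-v`/`--diff` output and can land in callback or CI logs; add `no_log: true` to that task (and to the certificate tasks if those values also come from a vault). `Generate Diffie-Hellman parameter file` builds a shell string from `nginx_dhparam_file` and `nginx_dhparam_size`; using `command:` (no shell interpolation) with `creates: "{{ nginx_dhparam_file }}"` removes the quoting risk and makes the separate `Register dhparam file` stat task unnecessary, and the `openssl_dhparam` module does the same where the target Ansible version has it. The `Add default page` block at the end of this file has no `when:` and is unrelated to TLS — it presumably belongs under `nginx_default_page_enabled` in tasks/main.yml — and `mode: 0750` gives an HTML file an execute bit where `0644` is expected.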
@ -1,6 +1,5 @@
|
||||
# {{ ansible_managed }}
|
||||
# default header settings
|
||||
add_header Strict-Transport-Security max-age=63072000;
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
|
@ -1,16 +1,10 @@
|
||||
# {{ ansible_managed }}
|
||||
# certificate settings
|
||||
ssl_certificate_key /etc/pki/tls/private/my-private.key;
|
||||
ssl_certificate /etc/pki/tls/certs/my-chained.crt;
|
||||
|
||||
ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate /etc/pki/tls/certs/my-intermediate.crt;
|
||||
|
||||
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA';
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
{% if nginx_pfs_enabled and nginx_dhparam_file is defined %}
|
||||
ssl_dhparam {{ nginx_dhparam_file }};
|
||||
{% endif %}
|
||||
|
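Review bot: Assuming `ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA'` is the new line, the list contains only ECDSA suites, so a server deployed with an RSA certificate (the `my-chained.crt`/`my-private.key` defaults suggest one) cannot negotiate any cipher and every handshake fails. The list also has no DHE suite, which makes the `ssl_dhparam` directive added below — and the whole `nginx_pfs_enabled` dhparam generation — inert, since `ssl_dhparam` only affects DHE key exchange and ECDHE already provides forward secrecy without it. Add the RSA counterparts (`ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256`) or, if DHE is actually wanted, a `DHE-RSA-*` suite, and consider dropping the CBC/SHA-1 `ECDHE-ECDSA-AES128-SHA` entry. The old side's `ssl_stapling`/`ssl_stapling_verify`/`ssl_trusted_certificate` lines also appear to be gone from the new file; if stapling is meant to stay, it needs to move along with the certificate directives.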
@ -2,7 +2,6 @@
|
||||
user {{ nginx_user }} {{ nginx_group }};
|
||||
worker_processes {{ nginx_worker_processes }};
|
||||
|
||||
error_log /var/log/nginx/error.log;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
events {
|
||||
@ -17,7 +16,16 @@ http {
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
access_log /var/log/nginx/access.log main;
|
||||
{% if nginx_error_log.enabled %}
|
||||
error_log {{ nginx_error_log.file }} {{ nginx_error_log.level }};
|
||||
{% else %}
|
||||
error_log off;
|
||||
{% endif %}
|
||||
{% if nginx_access_log.enabled %}
|
||||
access_log {{ nginx_access_log.file }} {{ nginx_access_log.level }};
|
||||
{% else %}
|
||||
access_log off;
|
||||
{% endif %}
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
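Review bot: `{% if nginx_access_log.enabled %}` and the following `access_log` line reference `nginx_access_log`, but defaults/main.yml defines the mapping as `nginx_access_logfile`, so rendering fails with an undefined-variable error unless the name is set elsewhere; rename one side so they agree. Separately, `access_log {{ nginx_access_log.file }} {{ nginx_access_log.level }}` places `level` where nginx expects a log format name — with the default `info` it renders `access_log /var/log/nginx/access.log info;`, which `nginx -t` rejects as `unknown log format "info"` because only `log_format main` is defined above; `access_log {{ nginx_access_log.file }} main;` (or a `format` key instead of `level`) is what is needed. The `error_log` form is fine, since that directive does take a severity level.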
@ -26,29 +34,32 @@ http {
|
||||
server_tokens off;
|
||||
|
||||
## Buffers
|
||||
client_body_buffer_size 10K;
|
||||
client_header_buffer_size 1k;
|
||||
client_max_body_size 8m;
|
||||
client_body_buffer_size {{ nginx_client_body_buffer_size }};
|
||||
client_header_buffer_size {{ nginx_client_header_buffer_size }};
|
||||
client_max_body_size {{ nginx_client_max_body_size }};
|
||||
|
||||
## Timeouts
|
||||
client_body_timeout 12;
|
||||
client_header_timeout 12;
|
||||
keepalive_timeout 15;
|
||||
send_timeout 10;
|
||||
client_body_timeout {{ nginx_client_body_timeout }};
|
||||
client_header_timeout {{ nginx_client_header_timeout }};
|
||||
keepalive_timeout {{ nginx_keepalive_timeout }};
|
||||
send_timeout {{ nginx_send_timeout }};
|
||||
{% if nginx_reset_timedout_connection %}
|
||||
reset_timedout_connection on;
|
||||
{% endif %}
|
||||
|
||||
## Gzip Settings
|
||||
{% if nginx_gzip_enabled %}
|
||||
gzip on;
|
||||
gzip_comp_level 2;
|
||||
gzip_min_length 1000;
|
||||
gzip_proxied expired no-cache no-store private auth;
|
||||
gzip_types text/plain application/x-javascript text/xml text/css application/xml;
|
||||
gzip_comp_level {{ nginx_gzip_comp_level }};
|
||||
gzip_min_length {{ nginx_gzip_min_length }};
|
||||
gzip_proxied {{ nginx_gzip_proxied | join(" ") }};
|
||||
gzip_types {{ nginx_gzip_types | join(" ") }};
|
||||
{% endif %}
|
||||
|
||||
# Load modular configuration files from the /etc/nginx/conf.d directory.
|
||||
# See http://nginx.org/en/docs/ngx_core_module.html#include
|
||||
# for more information.
|
||||
# Load modular configuration files from the /etc/nginx/conf.d directory
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
|
||||
## Virtual Host Configs
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
server_names_hash_bucket_size 64;
|
||||
server_names_hash_bucket_size {{ nginx_server_names_hash_bucket_size }};
|
||||
}
|
||||
|
@ -3,9 +3,23 @@ server {
|
||||
listen 80;
|
||||
server_name {{ ansible_fqdn }};
|
||||
|
||||
{% if nginx_tls_enabled %}
|
||||
return 301 https://$server_name$request_uri;
|
||||
{% else %}
|
||||
location / {
|
||||
root /var/www/vhosts/default;
|
||||
index index.html index.htm;
|
||||
}
|
||||
|
||||
# redirect server error pages to the static page /50x.html
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
location = /50x.html {
|
||||
root /usr/share/nginx/html;
|
||||
}
|
||||
{% end if %}
|
||||
}
|
||||
|
||||
{% if nginx_tls_enabled %}
|
||||
server {
|
||||
listen 443 ssl;
|
||||
server_name {{ ansible_fqdn }};
|
||||
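Review bot: `{% end if %}` is not valid Jinja2 (`endif` must be a single token), so every render of `sites-available/default.j2` fails with a TemplateSyntaxError; it should read `{% endif %}`. `ansible-playbook --syntax-check` does not catch template errors, so running the `template` task in check mode against a test host would have surfaced this. With the redirect and the `location /` block now in the two branches of `nginx_tls_enabled`, make sure the closing `}` of the port-80 server block stays outside the conditional, as it does here.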
@ -21,3 +35,4 @@ server {
|
||||
root /usr/share/nginx/html;
|
||||
}
|
||||
}
|
||||
{% endif %}
|
||||
|