xoxys.nginx/defaults/main.yml
Robert Kaussow 701d2282a8
rework security header
2021-05-20 11:00:24 +02:00


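---
# Role defaults for xoxys.nginx. Every key below can be overridden by the
# caller; `# @var ...` lines are ansible-doctor annotations that document
# variables which intentionally have no default ("_unset_") or give usage
# examples, and are not read by the role itself.

# Install nginx from the upstream nginx.org repository instead of the
# distribution package.
nginx_official_repo_enabled: true
nginx_user: nginx
nginx_group: nginx
nginx_worker_processes: 1
nginx_worker_connections: 1024

nginx_error_log:
  enabled: true
  file: /var/log/nginx/error.log
  level: error
nginx_access_log:
  enabled: true
  file: /var/log/nginx/access.log
  format: main

# Request size and timeout limits (nginx units: k/m for sizes, seconds for
# timeouts). Tight defaults limit the impact of slow or oversized clients;
# raise them per vhost (`client_max_body_size`, `send_timeout`) where needed.
nginx_client_body_buffer_size: 10k
nginx_client_header_buffer_size: 1k
nginx_client_max_body_size: 8m
nginx_client_body_timeout: 60
nginx_client_header_timeout: 60
nginx_keepalive_timeout: 65
nginx_send_timeout: 60
nginx_reset_timedout_connection: true

nginx_gzip_enabled: true
nginx_gzip_comp_level: 2
nginx_gzip_min_length: 1000
nginx_gzip_proxied:
  - expired
  - no-cache
  - no-store
  - private
  - auth
nginx_gzip_types:
  - text/plain
  - application/x-javascript
  - text/xml
  - text/css
  - application/xml

# TLS is opt-in; enabling it requires at least one entry in
# nginx_tls_certificates (or an extra list) and per-server `tls` settings.
nginx_tls_enabled: false
# NOTE(review): only TLSv1.2 is offered by default; TLSv1.3 can be appended
# if the target's nginx/OpenSSL build supports it — confirm before adding.
nginx_tls_versions:
  - TLSv1.2
nginx_tls_certificates: []
# @var nginx_tls_certificates:example: >
# nginx_tls_certificates:
#   - source: "{{ ansible_user_dir }}/files/mycert.pem"
#     dest: /etc/pki/tls/certs/mycert.pem
#     mode: "0644"
#   - source: "{{ ansible_user_dir }}/files/mykey.pem"
#     dest: /etc/pki/tls/private/mykey.pem
#     mode: "0600"
# @end
nginx_tls_certificates_extra: []
# @var nginx_tls_dhparam_file: $ "_unset_"
nginx_tls_dhparam_size: 2048
# Cipher list passed to ssl_ciphers in the order given (server preference).
# NOTE(review): the two *-AES256-GCM-SHA512 names are not registered TLS 1.2
# suites and OpenSSL skips unknown names silently, so they likely contribute
# nothing — verify with `openssl ciphers` on the target and prune if so.
nginx_tls_ciphers:
  - ECDHE-RSA-AES256-GCM-SHA512
  - DHE-RSA-AES256-GCM-SHA512
  - ECDHE-RSA-AES256-GCM-SHA384
  - DHE-RSA-AES256-GCM-SHA384
  - ECDHE-RSA-AES256-SHA384
# @var nginx_tls_ecdh_curve: $ "_unset_"
# OCSP stapling; when enabled, nginx_tls_ocsp_trusted_certificate must point
# at the issuer chain used to validate the stapled response.
nginx_tls_ocsp_enabled: false
# @var nginx_tls_ocsp_trusted_certificate: $ "_unset_"

# Security response headers. HSTS is off by default because it is sticky:
# once browsers have seen max-age=63072000 (two years) with includeSubDomains,
# every subdomain must keep serving valid HTTPS for that long.
nginx_tls_hsts_enabled: false
# NOTE(review): name lacks the `tls_` prefix used by the related keys above;
# kept as-is because callers may already set it.
nginx_hsts_options:
  - max-age=63072000
  - includeSubDomains
# X-Frame-Options (clickjacking protection); policy is one of deny/sameorigin.
nginx_xfo_enabled: true
nginx_xfo_policy: deny
# X-Content-Type-Options: nosniff
nginx_xcto_enabled: true
# Content-Security-Policy is opt-in; nginx_csp_options carries the directives.
nginx_csp_enabled: false
# @var nginx_csp_options: $ "_unset_"
# @var nginx_csp_options:example: >
# nginx_csp_options:
#   - directive: frame-ancestors
#     parameters:
#       - https://example.com
#       - https://mypage.com
# @end
# X-XSS-Protection. NOTE(review): this header is deprecated in current
# browsers and OWASP now recommends sending `0` (or omitting it) in favour of
# a CSP; the default is left unchanged here — reconsider in a follow-up.
nginx_xxxsp_enabled: true
nginx_xxxsp_parameters:
  - 1
  - mode=block

nginx_maps: []
# @var nginx_maps:example: >
# nginx_maps:
#   - input: $input
#     output: $output
#     parameters:
#       - "default 0"
#       - "/old/path /new_path"
# @end
nginx_maps_extra: []

nginx_error_page: []
# @var nginx_error_page:example: >
# nginx_error_page:
#   - code:
#       - 404
#       - 403
#     dest: /4xx.html
# @end
nginx_error_location: []
# @var nginx_error_location:description: >
# Default error location. If set, the defined location will be automatically added once
# to every server block to handle custom error sites.
# @end
# @var nginx_error_location:example: >
# nginx_error_location:
#   - match: /
#     root: /var/www/vhosts/default
#     index: index.html
#     custom_options:
# @end

nginx_vhosts_dir: /var/www/vhosts
# Default catch-all vhost on port 80. `custom_options` lines are emitted
# verbatim into the rendered config, so treat them as nginx syntax.
# NOTE(review): indentation was not recoverable from the source view; the
# error_page directive is placed at server level, matching stock nginx
# default.conf — confirm against the vhost template.
nginx_vhosts_default:
  - file: default
    servers:
      - port: 80
        server_name: "{{ ansible_fqdn }}"
        locations:
          - match: /
            root: /var/www/vhosts/default
            index: index.html
          - match: /50x.html
            root: "/usr/share/nginx/html"
        custom_options:
          - "error_page 500 502 503 504 /50x.html"
# @var nginx_vhosts_default:example: >
# nginx_vhosts_default:
#   - file: default
#     upstreams:
#       - name: my_pool
#         servers: []
#     servers:
#       - port: 80
#         server_name: demo.example.com
#         tls_redirect: false  # skips locations if enabled
#         tls_redirect_url:
#         tls:
#           cert: /etc/pki/tls/certs/mycert.pem
#           key: /etc/pki/tls/private/mykey.pem
#           dhparam:
#         client_max_body_size:
#         send_timeout:
#         locations:
#           - match: /
#             root: /var/www/vhosts/default
#             index: index.html
#             add_headers: []
#             proxy_pass:
#             proxy_http_version: "1.1"
#             proxy_buffering: "off"
#             proxy_connect_timeout: 3600s
#             proxy_read_timeout: 3600s
#             proxy_send_timeout: 3600s
#             proxy_set_headers: []
#             proxy_hide_headers: []
#             proxy_ignore_headers: []
#             proxy_intercept_errors: "off"
#             custom_options:
#         custom_options:
#           - 'deny: all'
# @end
nginx_vhosts_extra: []
nginx_server_names_hash_bucket_size: 32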