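---
# Configures nginx for this host through the nginx_core.nginx_config role:
# the main nginx.conf, a shared http-level config, a websocket upgrade map and
# the two server blocks (TLS server + HTTP->HTTPS redirect) for the snort
# frontend.
- name: strfry | Configure nginx
  ansible.builtin.import_role:
    name: nginx_core.nginx_config
  vars:
    # afaict, overriding any numeric values in the main nginx config requires
    # replacing the entire dictionary.
    # See: https://github.com/nginxinc/ansible-role-nginx-config/issues/352
    # The only difference between this and the nginx config used in
    # playbooks/nginx/main.yml is the worker_rlimit_nofile value and
    # worker_connections.
    nginx_config_main_template_enable: true
    nginx_config_main_template:
      template_file: nginx.conf.j2
      deployment_location: /etc/nginx/nginx.conf
      backup: false
      config:  # https://nginx.org/en/docs/ngx_core_module.html
        main:
          user:
            username: nginx
            group: nginx
          worker_processes: auto
          error_log:
            file: /var/log/nginx/error.log
            level: notice
          # pid: /var/run/nginx.pid

          # worker_rlimit_nofile changes the limit on the maximum number of
          # open files (RLIMIT_NOFILE) for worker processes.
          # Used to increase the limit without restarting the main process.
          # The recommended value seems to be worker_connections * 2
          worker_rlimit_nofile: 12288

        events:
          worker_connections: 4096

        # include: # String or a list of strings
        #   - /etc/nginx/modules.conf
        http:  # https://nginx.org/en/docs/http/ngx_http_core_module.html
          default_type: application/octet-stream
          sendfile: true
          # Do not advertise the nginx version in headers and error pages.
          server_tokens: false
          tcp_nodelay: true
          tcp_nopush: true
          include:
            - /etc/nginx/mime.types
            # These are shared http level configs that nginx_conf refuses to
            # directly configure.
            - /etc/nginx/http.conf
            - /etc/nginx/conf.d/*.conf

    nginx_config_http_template_enable: true
    nginx_config_http_template:
      # Shared http-level settings, pulled into nginx.conf via the include
      # list above.
      - template_file: http/default.conf.j2
        deployment_location: /etc/nginx/http.conf
        backup: false
        config:
          core:
            default_type: application/octet-stream
            sendfile: true
            server_tokens: false
            tcp_nodelay: true
            tcp_nopush: true
            # Required for OCSP stapling. nginx resolves the OCSP responder
            # over plain DNS through these public resolvers; point this at a
            # trusted local resolver if DNS egress from the host is restricted
            # or must not leave the network.
            resolver:
              address:
                - '1.1.1.1'
                - '8.8.8.8'
              resolver_timeout: 10s
          log:
            format:
              - name: main
                format: |
                  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for" "$realip_remote_addr"'
              # - name: debugposts
              #   format: |
              #     '$remote_addr - $remote_user [$time_local] "$request" '
              #     '$status $body_bytes_sent "$http_referer" '
              #     '"$http_user_agent" "$http_x_forwarded_for" "$realip_remote_addr"'
              #     '"$request_data"'
          gzip:  # https://nginx.org/en/docs/http/ngx_http_gzip_module.html
            enable: true
            comp_level: 3
            disable: "msie6"
            min_length: 1100
            proxied: any
            # nginx always compresses text/html in addition to these types;
            # compressed dynamic pages that echo request data next to secrets
            # are exposed to compression side channels (BREACH), so keep that
            # in mind for what the backend serves.
            types:
              - text/plain
              - text/css
              - application/x-javascript
              - text/xml
              - application/xml
            vary: true

      # Map used to pass websocket upgrades through to a backend.
      - template_file: http/default.conf.j2
        deployment_location: "/etc/nginx/conf.d/mappings.conf"
        backup: false
        config:
          map:
            mappings:  # https://nginx.org/en/docs/http/websocket.html
              - string: $http_upgrade
                variable: $connection_upgrade
                content:
                  - value: default
                    new_value: upgrade
                  # A literal '' in nginx: the request carries no Upgrade
                  # header, so the upstream connection is closed.
                  - value: "''"
                    new_value: close

      # Virtual hosts for the snort frontend: a TLS server on the snort port
      # and a plain-HTTP server that only redirects to HTTPS.
      - template_file: http/default.conf.j2
        deployment_location: "/etc/nginx/conf.d/snort_{{ nginx_snort_domain|default(inventory_hostname) }}.conf"
        backup: false
        config:
          servers:
            - core:
                listen:
                  - address: "{{ default_interface_ipv4_address|default(ansible_default_ipv4.address) }}:{{ nginx_snort_port|default(4451) }} ssl"
                include:
                  # Presumably the certificate/key and TLS settings for the
                  # domain; generated outside this task.
                  - "/etc/nginx/acme_{{ nginx_snort_domain|default(inventory_hostname) }}.conf"
                index: index.html
                # root: "{{ snort_install_path|default('/var/www/snort') }}"
              log:
                access:
                  # NOTE(review): a plain `off` is loaded as boolean false by
                  # Ansible's YAML 1.1 parser; confirm the role template turns
                  # that into `access_log off;`, otherwise quote it as 'off'.
                  - off
              http2:
                enabled: true
              locations:
                - location: /
                  core:
                    try_files:
                      files: "{{ snort_install_path|default('/var/www/snort') }}/packages/app/public/ {{ snort_install_path|default('/var/www/snort') }}/packages/app/build/ @proxy"
                      # files: $uri $uri/ /index.html
                - location: '@proxy'
                  proxy:
                    pass: http://localhost:8080  # 127.0.0.1 does not work.
                    http_version: '1.1'
                    # NOTE(review): no proxy_set_header is configured, so the
                    # backend receives nginx's default Host ($proxy_host) and
                    # no Upgrade/Connection headers; the $connection_upgrade
                    # map above is not used by this location as written.
                    # set_header:
                    #   - field: Host
                    #     value: $http_host
            - core:
                server_name: "{{ nginx_snort_domain|default(inventory_hostname) }}"
                listen:
                  - address: "{{ ansible_default_ipv4.address|default(ansible_all_ipv4_addresses[0]) }}:80"
              log:
                access:
                  - off
              locations:
                - location: /
                  rewrite:
                    # Redirects to HTTPS using the configured $server_name
                    # rather than the client-supplied Host header, so the
                    # target cannot be steered by the request.
                    # NOTE(review): the redirect targets the default HTTPS
                    # port while the TLS server above listens on
                    # nginx_snort_port (4451 by default); confirm 443 is
                    # reachable (e.g. forwarded) or add the port to the url.
                    return:
                      url: https://$server_name$request_uri
                      code: 301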