--- - name: strfry | Configure nginx ansible.builtin.import_role: name: nginx_core.nginx_config vars: # afaict, overriding any numeric values in the main nginx config requires replacing the entire dictionary. # See: https://github.com/nginxinc/ansible-role-nginx-config/issues/352 # The only difference between this and the nginx config used in playbooks/nginx/main.yml is the worker_rlimit_nofile value and worker_connections. nginx_config_main_template_enable: true nginx_config_main_template: template_file: nginx.conf.j2 deployment_location: /etc/nginx/nginx.conf backup: false config: # https://nginx.org/en/docs/ngx_core_module.html main: user: username: nginx group: nginx worker_processes: auto error_log: file: /var/log/nginx/error.log level: notice #pid: /var/run/nginx.pid # worker_rlimit_nofile changes the limit on the maximum number of open files (RLIMIT_NOFILE) for worker processes. # Used to increase the limit without restarting the main process. # The recomended value seems to be worker_connections * 2 worker_rlimit_nofile: 12288 events: worker_connections: 4096 # include: # String or a list of strings # - /etc/nginx/modules.conf http: # https://nginx.org/en/docs/http/ngx_http_core_module.html default_type: application/octet-stream sendfile: true server_tokens: false tcp_nodelay: true tcp_nopush: true include: - /etc/nginx/mime.types - /etc/nginx/http.conf # These are shared http level configs that nginx_conf refuses to directly configure. - /etc/nginx/conf.d/*.conf nginx_config_http_template_enable: true nginx_config_http_template: - template_file: http/default.conf.j2 deployment_location: /etc/nginx/http.conf backup: false config: core: default_type: application/octet-stream sendfile: true server_tokens: false tcp_nodelay: true tcp_nopush: true resolver: # required for oscp stapling address: - '1.1.1.1' - '8.8.8.8' resolver_timeout: 10s log: format: - name: main format: | '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" "$realip_remote_addr"' # - name: debugposts # format: | # '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for" "$realip_remote_addr"' # '"$request_data"' gzip: # https://nginx.org/en/docs/http/ngx_http_gzip_module.html enable: true comp_level: 3 disable: "msie6" min_length: 1100 proxied: any types: - text/plain - text/css - application/x-javascript - text/xml - application/xml vary: true - template_file: http/default.conf.j2 deployment_location: "/etc/nginx/conf.d/mappings.conf" backup: false config: map: mappings: # https://nginx.org/en/docs/http/websocket.html - string: $http_upgrade variable: $connection_upgrade content: - value: default new_value: upgrade - value: "''" new_value: close - template_file: http/default.conf.j2 deployment_location: "/etc/nginx/conf.d/snort_{{ nginx_snort_domain|default(inventory_hostname) }}.conf" backup: false config: servers: - core: listen: - address: "{{ default_interface_ipv4_address|default(ansible_default_ipv4.address) }}:{{ nginx_snort_port|default(4451) }} ssl" include: - "/etc/nginx/acme_{{ nginx_snort_domain|default(inventory_hostname) }}.conf" index: index.html #root: "{{ snort_install_path|default('/var/www/snort') }}" log: access: - off http2: enabled: yes locations: - location: / core: try_files: files: "{{ snort_install_path|default('/var/www/snort') }}/packages/app/public/ {{ snort_install_path|default('/var/www/snort') }}/packages/app/build/ @proxy" #files: $uri $uri/ /index.html - location: '@proxy' proxy: pass: http://localhost:8080 # 127.0.0.1 does not work. http_version: '1.1' #set_header: # - field: Host # value: $http_host - core: server_name: "{{ nginx_snort_domain|default(inventory_hostname) }}" listen: - address: "{{ ansible_default_ipv4.address|default(ansible_all_ipv4_addresses[0]) }}:80" log: access: - off locations: - location: / rewrite: return: url: https://$server_name$request_uri code: 301