diff --git a/docs/examples/nginx_conf.yml b/docs/examples/nginx_conf.yml index 6bf6e31..908fc01 100644 --- a/docs/examples/nginx_conf.yml +++ b/docs/examples/nginx_conf.yml @@ -1,8 +1,48 @@ --- - name: strfry | Configure nginx ansible.builtin.import_role: - name: nginxinc.nginx_core.nginx_config + name: nginx_core.nginx_config vars: + # afaict, overriding any numeric values in the main nginx config requires replacing the entire dictionary. + # See: https://github.com/nginxinc/ansible-role-nginx-config/issues/352 + # The only difference between this and the main nginx config is the worker_rlimit_nofile value and worker_connections. + nginx_config_main_template_enable: true + nginx_config_main_template: + template_file: nginx.conf.j2 + deployment_location: /etc/nginx/nginx.conf + backup: false + config: # https://nginx.org/en/docs/ngx_core_module.html + main: + user: + username: nginx + group: nginx + worker_processes: auto + error_log: + file: /var/log/nginx/error.log + level: notice + pid: /var/run/nginx.pid + + # worker_rlimit_nofile changes the limit on the maximum number of open files (RLIMIT_NOFILE) for worker processes. + # Used to increase the limit without restarting the main process. + # The recomended value seems to be worker_connections * 2 + worker_rlimit_nofile: 12288 + + events: + worker_connections: 4096 + + # include: # String or a list of strings + # - /etc/nginx/modules.conf + http: # https://nginx.org/en/docs/http/ngx_http_core_module.html + default_type: application/octet-stream + sendfile: true + server_tokens: false + tcp_nodelay: true + tcp_nopush: true + include: + - /etc/nginx/mime.types + - /etc/nginx/http.conf # These are shared http level configs that nginx_conf refuses to directly configure. + - /etc/nginx/conf.d/*.conf + nginx_config_http_template_enable: true nginx_config_http_template: - template_file: http/default.conf.j2 @@ -20,8 +60,9 @@ - address: "{{ default_interface_ipv4_address|default(ansible_default_ipv4.address) }}:{{ nginx_strfry_https_port|default(443) }} ssl" include: - "/etc/nginx/acme_{{ nginx_strfry_domain }}.conf" - - /etc/nginx/enable_http2.conf client_max_body_size: 0 # Stream request body to backend + http2: + enable: true locations: - location: / proxy: @@ -39,3 +80,53 @@ connect_timeout: 3m send_timeout: 3m read_timeout: 3m + + - template_file: http/default.conf.j2 + deployment_location: /etc/nginx/http.conf + backup: false + config: + core: + default_type: application/octet-stream + sendfile: true + server_tokens: false + tcp_nodelay: true + tcp_nopush: true + resolver: # required for oscp stapling + address: + - '1.1.1.1' + - '8.8.8.8' + resolver_timeout: 10s + log: + format: + - name: main + format: | + '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for" "$realip_remote_addr"' + gzip: # https://nginx.org/en/docs/http/ngx_http_gzip_module.html + enable: true + comp_level: 3 + disable: "msie6" + min_length: 1100 + proxied: any + types: + - text/plain + - text/css + - application/x-javascript + - text/xml + - application/xml + vary: true + + - template_file: http/default.conf.j2 + deployment_location: "/etc/nginx/conf.d/mappings.conf" + backup: false + config: + map: + mappings: # https://nginx.org/en/docs/http/websocket.html + - string: $http_upgrade + variable: $connection_upgrade + content: + - value: default + new_value: upgrade + - value: "''" + new_value: close