--- - name: strfry | Configure nginx ansible.builtin.import_role: name: nginx_core.nginx_config vars: # afaict, overriding any numeric values in the main nginx config requires replacing the entire dictionary. # See: https://github.com/nginxinc/ansible-role-nginx-config/issues/352 # The only difference between this and the main nginx config is the worker_rlimit_nofile value and worker_connections. nginx_config_main_template_enable: true nginx_config_main_template: template_file: nginx.conf.j2 deployment_location: /etc/nginx/nginx.conf backup: false config: # https://nginx.org/en/docs/ngx_core_module.html main: user: username: nginx group: nginx worker_processes: auto error_log: file: /var/log/nginx/error.log level: notice pid: /var/run/nginx.pid # worker_rlimit_nofile changes the limit on the maximum number of open files (RLIMIT_NOFILE) for worker processes. # Used to increase the limit without restarting the main process. # The recomended value seems to be worker_connections * 2 worker_rlimit_nofile: 12288 events: worker_connections: 4096 # include: # String or a list of strings # - /etc/nginx/modules.conf http: # https://nginx.org/en/docs/http/ngx_http_core_module.html default_type: application/octet-stream sendfile: true server_tokens: false tcp_nodelay: true tcp_nopush: true include: - /etc/nginx/mime.types - /etc/nginx/http.conf # These are shared http level configs that nginx_conf refuses to directly configure. - /etc/nginx/conf.d/*.conf nginx_config_http_template_enable: true nginx_config_http_template: - template_file: http/default.conf.j2 deployment_location: "/etc/nginx/conf.d/strfry_{{ nginx_strfry_domain }}.conf" backup: false config: upstreams: - name: strfry servers: - address: "127.0.0.1:{{ strfry_relay.port|default(7777) }}" #- address: unix:/var/lib/strfry/strfry.sock servers: - core: listen: - address: "{{ default_interface_ipv4_address|default(ansible_default_ipv4.address) }}:{{ nginx_strfry_https_port|default(443) }} ssl" include: - "/etc/nginx/acme_{{ nginx_strfry_domain }}.conf" client_max_body_size: 0 # Stream request body to backend http2: enable: true locations: - location: / proxy: pass: http://strfry http_version: '1.1' set_header: - field: Host value: $http_host - field: Connection value: $connection_upgrade - field: Upgrade value: $http_upgrade - field: X-Forwarded-For value: $proxy_add_x_forwarded_for connect_timeout: 3m send_timeout: 3m read_timeout: 3m - template_file: http/default.conf.j2 deployment_location: /etc/nginx/http.conf backup: false config: core: default_type: application/octet-stream sendfile: true server_tokens: false tcp_nodelay: true tcp_nopush: true resolver: # required for oscp stapling address: - '1.1.1.1' - '8.8.8.8' resolver_timeout: 10s log: format: - name: main format: | '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" "$realip_remote_addr"' gzip: # https://nginx.org/en/docs/http/ngx_http_gzip_module.html enable: true comp_level: 3 disable: "msie6" min_length: 1100 proxied: any types: - text/plain - text/css - application/x-javascript - text/xml - application/xml vary: true - template_file: http/default.conf.j2 deployment_location: "/etc/nginx/conf.d/mappings.conf" backup: false config: map: mappings: # https://nginx.org/en/docs/http/websocket.html - string: $http_upgrade variable: $connection_upgrade content: - value: default new_value: upgrade - value: "''" new_value: close