Commit d1c165aa authored by MichiK's avatar MichiK

Add all the nginx ssl config

parent 412636df
......@@ -8,24 +8,130 @@ acmetool_cert_domains:
- sso.c3heaven.de
- wiki.c3heaven.de
nginx_https_sites:
- name: "c3heaven.de"
locations:
- location: "/"
config: "root /var/www/html;"
- location: "~ /wiki(.*)$"
config: "return 301 https://wiki.c3heaven.de$1?$args;"
- location: "~ /kanboard(.*)$"
config: "return 301 https://kanboard.c3heaven.de$1?$args;"
- name: "gabriel.c3heaven.de"
locations:
- location: "/"
config: "root /var/www/html;"
- name: "kanboard.c3heaven.de"
options:
- "client_max_body_size 100M;"
- "client_body_buffer_size 128k;"
- "root /var/www/kanboard;"
- "index index.php;"
locations:
- location: "/"
config: "try_files $uri $uri/ /index.php$is_args$args;"
- location: '~ \.php$'
config: |-
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
include fastcgi_params;
- location: '~* ^.+\.(log|sqlite)$'
config: "return 404;"
- location: '~ /\.ht'
config: "return 404;"
- location: '~* ^.+\.(ico|jpg|gif|png|css|js|svg|eot|ttf|woff|woff2|otf)$'
config: |-
log_not_found off;
expires 7d;
etag on;
- name: "lists.c3heaven.de"
locations:
- location: "/cgi-bin/mailman"
config: |-
root /usr/lib/;
fastcgi_split_path_info (^/cgi-bin/mailman/[^/]*)(.*)$;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_intercept_errors on;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
- location: "/images/mailman"
config: "alias /usr/share/images/mailman;"
- location: "= /"
config: "return 301 https://lists.c3heaven.de/cgi-bin/mailman/listinfo/;"
- name: "md.c3heaven.de"
locations:
- location: "/"
config: |-
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_pass http://127.0.0.1:3000;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
- name: "sso.c3heaven.de"
locations:
- location: "/"
config: |-
proxy_pass http://127.0.0.1:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port 443;
- location: "= /"
config: "return 301 https://sso.c3heaven.de/auth/realms/master/account;"
- name: "wiki.c3heaven.de"
options:
- "client_max_body_size 100M;"
- "client_body_buffer_size 128k;"
- "root /var/www/dokuwiki;"
- "index doku.php;"
locations:
- location: "~ /(conf/|bin/|inc/|install.php)"
config: "deny all;"
- location: "~ ^/data/"
config: "internal;"
- location: '~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$'
config: "expires 365d;"
- location: "/"
config: "try_files $uri $uri/ @dokuwiki;"
- location: "@dokuwiki"
config: |-
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
rewrite ^/(.*) /doku.php?id=$1&$args last;
- location: '~ \.php$'
config: |-
try_files $uri $uri/ /doku.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REDIRECT_STATUS 200;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
nginx_http_locations:
- location: "/"
config: |
config: |-
access_log off;
log_not_found off;
return 301 https://$host$request_uri;
nginx_https_default_headers:
- name: "Strict-Transport-Security"
value: "max-age=31536000; includeSubDomains"
- name: "X-XSS-Protection"
value: "1; mode=block"
- name: "X-Frame-Options"
value: "DENY"
- name: "X-Content-Type-Options"
value: "nosniff"
- name: "Referrer-Policy"
value: "same-origin"
- 'Strict-Transport-Security "max-age=31536000; includeSubDomains"'
- 'X-XSS-Protection "1; mode=block"'
- 'X-Frame-Options "DENY"'
- 'X-Content-Type-Options "nosniff"'
- 'Referrer-Policy "same-origin"'
rspamd_enabled: true
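Review bot: The md.c3heaven.de location sets the Host header twice in the same block, `proxy_set_header Host $http_host;` and, a few lines later, `proxy_set_header Host $host;`; as far as I recall nginx only suppresses its built-in defaults when a user-defined proxy_set_header exists and does not deduplicate repeated user-defined lines, so the upstream is likely to receive two Host headers and backends that key virtual hosting or redirects on Host may behave inconsistently. Keep exactly one of them, e.g. drop `proxy_set_header Host $host;` if the original port in `$http_host` matters to the upstream, or drop the `$http_host` line otherwise. The remaining new site entries look consistent with each other; the wiki's `~ \.php$` location falling through to `/doku.php` instead of `=404` appears to be deliberate DokuWiki behaviour rather than a defect.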
......@@ -2,7 +2,7 @@ acmetool_webroot: "/var/lib/acme/webroot"
nginx_http_locations:
- location: "/"
config: |
config: |-
root /var/www/html;
nginx_worker_processes: "auto"
......@@ -4,8 +4,8 @@ server {
listen 80;
listen [::]:80;
{% for location in nginx_http_locations %}
location {{ location.location }} {
{{ location.config | indent(width=4, indentfirst=True) }}
}
......@@ -11,4 +11,3 @@ nginx_https_sites:
- location: "/"
config: |
root /var/www/html;
headers: null
......@@ -3,6 +3,12 @@
args:
creates: "{{ nginx_ssl_dhparam }}"
- name: generic ssl configuration
template:
src: "ssl.conf.j2"
dest: "/etc/nginx/ssl.conf"
notify: restart nginx
- name: configure the https sites
template:
src: "https-site.j2"
......@@ -2,34 +2,30 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ item.name }};
ssl_certificate /var/lib/acme/live/{{ item.name }}/fullchain;
ssl_certificate_key /var/lib/acme/live/{{ item.name }}/privkey;
ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }};
ssl_ciphers {{ nginx_ssl_ciphers }};
ssl_prefer_server_ciphers on;
{% if nginx_https_default_headers %}
{% for header in nginx_https_default_headers %}
add_header {{ header.name }} "{{ header.value }}";
include ssl.conf;
{% if "options" in item %}
{% for option in item.options %}
{{ option }}
{% endfor %}
{% endif %}
{% if "headers" in item %}
{% if item.headers %}
{% for header in item.headers %}
add_header {{ header.name }} "{{ header.value }}";
add_header {{ header }};
{% endfor %}
{% endif %}
{% if "locations" in item %}
{% for location in item.locations %}
location {{ location.location }} {
{{ location.config | indent(width=4, indentfirst=True) }}
}
{% endfor %}
{% endif %}
}
# {{ ansible_managed }}
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }};
ssl_ciphers {{ nginx_ssl_ciphers }};
ssl_prefer_server_ciphers on;
{% if nginx_https_default_headers %}
{% for header in nginx_https_default_headers %}
add_header {{ header }};
{% endfor %}
{% endif %}
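Review bot: `{{ location.config | indent(width=4, indentfirst=True) }}` uses the `indentfirst` keyword of the indent filter, which Jinja2 deprecated in 2.11 in favour of `first` and removed in 3.0, so on a controller with a current Jinja2 the render fails with an unexpected-keyword error. Change it to `{{ location.config | indent(width=4, first=True) }}`; the same filter call appears in the http-site.j2 hunk of this commit and should be changed there too. Whether this line is newly added or unchanged context is not recoverable from the rendered hunk, so this may predate the commit. Since the site-wide headers now come from the included ssl.conf rather than from this template, keep in mind that nginx add_header directives are only inherited into a location block that defines none of its own, so any future `location.config` that adds a header will silently drop the site-wide ones unless they are repeated there.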