LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
351 Commits
12 Branches
967 KiB
Tree: cabcf490ff
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'cabcf490ff'
${ noResults }
lilik_playbook/roles/nginx/templates/base.j2

41 lines
1.4 KiB
Raw Normal View History

Some playbooks full of joy.
9 years ago
roles/nginx: proxy_protocol support If `proxy_protocol` is turned on user port 10443 to accept PROXY Protocol HTTPS connections and keedp using port 443 for standard HTTPS connection. New variables: - proxy_protocol | default(true)
5 years ago
reverse_proxy: use PROXY PROTOCOL Original Client IP is correctly passed to upstream nginx instances (nginx role or gitlab). Affected roles: - reverse_proxy: Pass PROXY PROTOCOL by default to all upstream server. May cause problem with upstream server unable to understand PROXY PROTOCOL. We should put a nginx proxy in front in that case. - nginx: Expect PROXY PROTOCOL for all incoming TLS connection on nginx clients. *Warning:* now you can access local server only passing by the firewall reverse proxy, not directly. - gitlab: Built-in nginx instance configured to expect PROXY PROTOCOL for tls incoming connections.
5 years ago
roles/nginx: fix indentation in templates
5 years ago
roles/nginx: proxy_protocol support If `proxy_protocol` is turned on user port 10443 to accept PROXY Protocol HTTPS connections and keedp using port 443 for standard HTTPS connection. New variables: - proxy_protocol | default(true)
5 years ago
reverse_proxy: use PROXY PROTOCOL Original Client IP is correctly passed to upstream nginx instances (nginx role or gitlab). Affected roles: - reverse_proxy: Pass PROXY PROTOCOL by default to all upstream server. May cause problem with upstream server unable to understand PROXY PROTOCOL. We should put a nginx proxy in front in that case. - nginx: Expect PROXY PROTOCOL for all incoming TLS connection on nginx clients. *Warning:* now you can access local server only passing by the firewall reverse proxy, not directly. - gitlab: Built-in nginx instance configured to expect PROXY PROTOCOL for tls incoming connections.
5 years ago
roles/nginx: fix indentation in templates
5 years ago
roles/nginx: proxy_protocol support If `proxy_protocol` is turned on user port 10443 to accept PROXY Protocol HTTPS connections and keedp using port 443 for standard HTTPS connection. New variables: - proxy_protocol | default(true)
5 years ago
roles/nginx: security improvements - Don't advertise NGINX version. - Comply with last Mozilla TLS Guidelines, for modern configuration. - More comments for better readability.
5 years ago
certbot static test for login3
8 years ago
roles/nginx: security improvements - Don't advertise NGINX version. - Comply with last Mozilla TLS Guidelines, for modern configuration. - More comments for better readability.
5 years ago
Serve fullchain
8 years ago
more generic certbot
8 years ago
certbot static test for login3
8 years ago
roles/nginx: security improvements - Don't advertise NGINX version. - Comply with last Mozilla TLS Guidelines, for modern configuration. - More comments for better readability.
5 years ago
Force TLSv1.3 when feasible Affected roles: - gitlab - nginx - ldap
5 years ago
roles/nginx: security improvements - Don't advertise NGINX version. - Comply with last Mozilla TLS Guidelines, for modern configuration. - More comments for better readability.
5 years ago
Force TLSv1.3 when feasible Affected roles: - gitlab - nginx - ldap
5 years ago
roles/nginx: security improvements - Don't advertise NGINX version. - Comply with last Mozilla TLS Guidelines, for modern configuration. - More comments for better readability.
5 years ago
certbot static test for login3
8 years ago
roles/nginx: security improvements - Don't advertise NGINX version. - Comply with last Mozilla TLS Guidelines, for modern configuration. - More comments for better readability.
5 years ago
more generic certbot
8 years ago
roles/nginx: security improvements - Don't advertise NGINX version. - Comply with last Mozilla TLS Guidelines, for modern configuration. - More comments for better readability.
5 years ago
use nginx include directive to enable support for multiple location from different role on the same domain
7 years ago
Some playbooks full of joy.
9 years ago
 
  1. server {
  2.     listen 443 ssl http2;
  3.     listen [::]:443 ssl http2;
  4. 

  5. {% if proxy_protocol %}
  6.     # Alternate Port for PROXY PROTOCOL incoming connections
  7.     listen 10443 ssl http2 proxy_protocol;
  8.     listen [::]:10443 ssl http2 proxy_protocol;
  9. 

  10.     # RealIP rewrite authorized for connection from reverse-proxy
  11.     set_real_ip_from {{ hostvars | ip_from_inventory('vm_gateway') }};
  12.     real_ip_header proxy_protocol;
  13. {% endif %}
  14. 

  15.     # Do not advertise nginx version number
  16.     server_tokens off;
  17. 

  18.     # Certificates location from CertBot
  19.     ssl_certificate /etc/letsencrypt/live/{{ server_fqdn }}/fullchain.pem;
  20.     ssl_certificate_key /etc/letsencrypt/live/{{ server_fqdn }}/privkey.pem;
  21. 

  22.     # TLS Mozilla Guideline v5.4,
  23.     # nginx 1.14.2, OpenSSL 1.1.1d, modern configuration
  24.     ssl_session_timeout 1d;
  25.     ssl_session_cache shared:MozSSL:10m;
  26.     ssl_session_tickets off;
  27.     # modern configuration
  28.     ssl_protocols TLSv1.3;
  29.     ssl_prefer_server_ciphers off;
  30.     # HSTS (2 years, no preloading)
  31.     add_header Strict-Transport-Security "max-age=63072000" always;
  32.     # OCSP stapling
  33.     ssl_stapling on;
  34.     ssl_stapling_verify on;
  35. 

  36.     # verify chain of trust of OCSP response using Root CA and Intermediate certs
  37.     ssl_trusted_certificate /etc/letsencrypt/live/{{ server_fqdn }}/chain.pem;
  38. 

  39.     # Include custom locations
  40.     include     /etc/nginx/locations/{{ server_fqdn }}/*.conf;
  41. }