LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
426 Commits
12 Branches
967 KiB
Tree: e8383499bd
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e8383499bd'
${ noResults }
lilik_playbook/roles/nginx/templates/base.j2

46 lines
1.8 KiB
Raw Normal View History

Some playbooks full of joy.
9 years ago
roles/nginx: proxy_protocol support If `proxy_protocol` is turned on user port 10443 to accept PROXY Protocol HTTPS connections and keedp using port 443 for standard HTTPS connection. New variables: - proxy_protocol | default(true)
5 years ago
reverse_proxy: use PROXY PROTOCOL Original Client IP is correctly passed to upstream nginx instances (nginx role or gitlab). Affected roles: - reverse_proxy: Pass PROXY PROTOCOL by default to all upstream server. May cause problem with upstream server unable to understand PROXY PROTOCOL. We should put a nginx proxy in front in that case. - nginx: Expect PROXY PROTOCOL for all incoming TLS connection on nginx clients. *Warning:* now you can access local server only passing by the firewall reverse proxy, not directly. - gitlab: Built-in nginx instance configured to expect PROXY PROTOCOL for tls incoming connections.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
roles/nginx: proxy_protocol support If `proxy_protocol` is turned on user port 10443 to accept PROXY Protocol HTTPS connections and keedp using port 443 for standard HTTPS connection. New variables: - proxy_protocol | default(true)
5 years ago
reverse_proxy: use PROXY PROTOCOL Original Client IP is correctly passed to upstream nginx instances (nginx role or gitlab). Affected roles: - reverse_proxy: Pass PROXY PROTOCOL by default to all upstream server. May cause problem with upstream server unable to understand PROXY PROTOCOL. We should put a nginx proxy in front in that case. - nginx: Expect PROXY PROTOCOL for all incoming TLS connection on nginx clients. *Warning:* now you can access local server only passing by the firewall reverse proxy, not directly. - gitlab: Built-in nginx instance configured to expect PROXY PROTOCOL for tls incoming connections.
5 years ago
roles/nginx: fix indentation in templates
5 years ago
roles/nginx: proxy_protocol support If `proxy_protocol` is turned on user port 10443 to accept PROXY Protocol HTTPS connections and keedp using port 443 for standard HTTPS connection. New variables: - proxy_protocol | default(true)
5 years ago
roles/nginx: add alternate fqdn variable
5 years ago
roles/nginx: no tag on service and server_name explicit Do not apply tag `packages` to role `service`. Tags are already applied inside the role. If we apply the tag `package` at the role level handlers defined inside the role (restart, reload) are not available in the play!
5 years ago
roles/nginx: security improvements - Don't advertise NGINX version. - Comply with last Mozilla TLS Guidelines, for modern configuration. - More comments for better readability.
5 years ago
certbot static test for login3
8 years ago
roles/nginx: security improvements - Don't advertise NGINX version. - Comply with last Mozilla TLS Guidelines, for modern configuration. - More comments for better readability.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
certbot static test for login3
8 years ago
roles/nginx: security improvements - Don't advertise NGINX version. - Comply with last Mozilla TLS Guidelines, for modern configuration. - More comments for better readability.
5 years ago
Force TLSv1.3 when feasible Affected roles: - gitlab - nginx - ldap
5 years ago
roles/nginx: security improvements - Don't advertise NGINX version. - Comply with last Mozilla TLS Guidelines, for modern configuration. - More comments for better readability.
5 years ago
roles/nginx: add tls 1.2 support
5 years ago
Force TLSv1.3 when feasible Affected roles: - gitlab - nginx - ldap
5 years ago
roles/nginx: security improvements - Don't advertise NGINX version. - Comply with last Mozilla TLS Guidelines, for modern configuration. - More comments for better readability.
5 years ago
certbot static test for login3
8 years ago
roles/nginx: security improvements - Don't advertise NGINX version. - Comply with last Mozilla TLS Guidelines, for modern configuration. - More comments for better readability.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
more generic certbot
8 years ago
roles/nginx: security improvements - Don't advertise NGINX version. - Comply with last Mozilla TLS Guidelines, for modern configuration. - More comments for better readability.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
Some playbooks full of joy.
9 years ago
 
  1. server {
  2.     listen 443 ssl http2;
  3.     listen [::]:443 ssl http2;
  4. 

  5. {% if nginx_proxy_protocol %}
  6.     # Alternate Port for PROXY PROTOCOL incoming connections
  7.     listen 10443 ssl http2 proxy_protocol;
  8.     listen [::]:10443 ssl http2 proxy_protocol;
  9. 

  10.     # RealIP rewrite authorized for connection from reverse-proxy
  11.     set_real_ip_from {{ hostvars | ip_from_inventory('vm_gateway') }};
  12.     real_ip_header proxy_protocol;
  13. {% endif %}
  14. 

  15.     server_name {{ nginx_site_fqdn }} {{ nginx_site_alternate_fqdns | join(' ') }};
  16. 

  17.     # Do not advertise nginx version number
  18.     server_tokens off;
  19. 

  20.     # Certificates location from CertBot
  21.     ssl_certificate /etc/letsencrypt/live/{{ nginx_site_fqdn }}/fullchain.pem;
  22.     ssl_certificate_key /etc/letsencrypt/live/{{ nginx_site_fqdn }}/privkey.pem;
  23. 

  24.     # TLS Mozilla Guideline v5.4,
  25.     # nginx 1.14.2, OpenSSL 1.1.1d, modern configuration
  26.     ssl_session_timeout 1d;
  27.     ssl_session_cache shared:MozSSL:10m;
  28.     ssl_session_tickets off;
  29.     # modern configuration
  30.     ssl_protocols TLSv1.3 {{ 'TLSv1.2' if nginx_tls_1_2 }};
  31.     {% if nginx_tls_1_2 %}
  32.     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  33.     {% endif %}
  34.     ssl_prefer_server_ciphers off;
  35.     # HSTS (2 years, no preloading)
  36.     add_header Strict-Transport-Security "max-age=63072000" always;
  37.     # OCSP stapling
  38.     ssl_stapling on;
  39.     ssl_stapling_verify on;
  40. 

  41.     # verify chain of trust of OCSP response using Root CA and Intermediate certs
  42.     ssl_trusted_certificate /etc/letsencrypt/live/{{ nginx_site_fqdn }}/chain.pem;
  43. 

  44.     # Include custom locations
  45.     include     /etc/nginx/locations/{{ nginx_site_fqdn }}/*.conf;
  46. }