Add proxy snippets and use nginx-light

This commit is contained in:
Alexandre Iooss 2019-03-14 10:53:44 +01:00
parent f9473d0769
commit a8fa5d69ff
5 changed files with 82 additions and 16 deletions


@ -1,18 +1,31 @@
--- ---
# nginx is the proxy server # nginx is the proxy server
# nginx-light contains less modules
# but also reduces the surface of attack
- name: Install NGINX server - name: Install NGINX server
apt: apt:
name: nginx name: nginx-light
update_cache: true update_cache: true
register: apt_result register: apt_result
retries: 3 retries: 3
until: apt_result is succeeded until: apt_result is succeeded
# Install proxy snippets
- name: Configure NGINX proxy snippets
template:
src: "nginx/snippets/{{ item }}.j2"
dest: "/etc/nginx/snippets/{{ item }}"
mode: 0644
loop:
- proxy-common.conf
- proxy-common-ssl.conf
notify: Reload NGINX service
# Install sites # Install sites
- name: Configure NGINX sites - name: Configure NGINX sites
template: template:
src: nginx-sites-available.j2 src: nginx/nginx-sites-available.j2
dest: /etc/nginx/sites-available/{{ item.name }} dest: "/etc/nginx/sites-available/{{ item.name }}"
mode: 0644 mode: 0644
loop: "{{ reversed_proxy_subdomains }}" loop: "{{ reversed_proxy_subdomains }}"
notify: Reload NGINX service notify: Reload NGINX service
@ -27,8 +40,8 @@
# Activate sites # Activate sites
- name: Activate sites - name: Activate sites
file: file:
src: /etc/nginx/sites-available/{{ item.name }} src: "/etc/nginx/sites-available/{{ item.name }}"
dest: /etc/nginx/sites-enabled/{{ item.name }} dest: "/etc/nginx/sites-enabled/{{ item.name }}"
state: link state: link
loop: "{{ reversed_proxy_subdomains }}" loop: "{{ reversed_proxy_subdomains }}"
notify: Reload NGINX service notify: Reload NGINX service
@ -36,7 +49,7 @@
# Install main site # Install main site
- name: Configure NGINX main site - name: Configure NGINX main site
template: template:
src: nginx-sites-available-main.j2 src: nginx/nginx-sites-available-main.j2
dest: /etc/nginx/sites-available/main dest: /etc/nginx/sites-available/main
mode: 0644 mode: 0644
notify: Reload NGINX service notify: Reload NGINX service
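Review bot: The new snippet task's `mode: 0644` is an unquoted plain scalar that YAML 1.1 reads as the integer 420; Ansible still maps that to the intended octal mode, but the leading zero is all that protects it, and a slip to `644` would be applied silently as a different mode, so the documented form is a quoted string, `mode: "0644"` (the two existing `mode: 0644` lines in the sites tasks would follow suit). The task writes into `/etc/nginx/snippets/` without creating it, relying on the Debian package to ship the directory; a one-line comment such as `# /etc/nginx/snippets is shipped by the nginx package` above the task would make that dependency explicit. Since the switch to nginx-light also governs the new snippets, it is worth confirming that the light build carries the real_ip and http_v2 modules those snippets use; the hunk's comment only says the module set is smaller.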


@ -1,16 +1,21 @@
# {{ ansible_managed }} # {{ ansible_managed }}
server { server {
server_name auro.re; # Common proxy snippet
include "snippets/proxy-common.conf"; include "snippets/proxy-common.conf";
location / { # Set witch server name we define
return 302 https://$host$request_uri; server_name auro.re;
}
# Permanentely moved to HTTPS
return 301 https://$host$request_uri;
} }
server { server {
# Common proxy snippet
include "snippets/proxy-common-ssl.conf"; include "snippets/proxy-common-ssl.conf";
# Set witch server name we define
server_name auro.re; server_name auro.re;
# Separate log files # Separate log files
@ -48,8 +53,10 @@ server {
} }
server { server {
listen 8448 ssl default_server; listen 8448 ssl;
listen [::]:8448 ssl default_server; listen [::]:8448 ssl;
# Set witch server name we define
server_name auro.re; server_name auro.re;
# Separate log files # Separate log files
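Review bot: The rewritten port-80 block ends in `return 301 https://$host$request_uri;`, which builds the Location target from the client-supplied Host header even though the block now pins a single `server_name auro.re;`; with one fixed name, `return 301 https://$server_name$request_uri;` yields the same redirect for legitimate requests and stops an arbitrary Host value from being reflected into it (the same line appears in nginx/nginx-sites-available.j2, where `server_name {{ item.from }};` is equally fixed). Whether this listener also acts as the default server for unknown hosts is not visible in the hunk, so how reachable the reflection is remains a guess. The added comments read `# Set witch server name we define` and `# Permanentely moved to HTTPS` in both templates; `# Set which server name we serve` and `# Permanently moved to HTTPS` would do. The server blocks continue outside the hunk.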


@ -1,16 +1,21 @@
# {{ ansible_managed }} # {{ ansible_managed }}
server { server {
server_name {{ item.from }}; # Common proxy snippet
include "snippets/proxy-common.conf"; include "snippets/proxy-common.conf";
location / { # Set witch server name we define
return 302 https://$host$request_uri; server_name {{ item.from }};
}
# Permanentely moved to HTTPS
return 301 https://$host$request_uri;
} }
server { server {
# Common proxy snippet
include "snippets/proxy-common-ssl.conf"; include "snippets/proxy-common-ssl.conf";
# Set witch server name we define
server_name {{ item.from }}; server_name {{ item.from }};
# Separate log files # Separate log files


@ -0,0 +1,29 @@
# {{ ansible_managed }}
# Listen for IPv4 and IPv6 with HTTP2
listen [::]:443 ssl http2;
listen 443 ssl http2;
# Hide NGINX version
server_tokens off;
# Reverse Proxy Adm
set_real_ip_from 10.128.0.0/16;
real_ip_header P-Real-Ip;
# SSL
ssl on;
ssl_session_timeout 5m;
ssl_ciphers "HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!DES:!3DES";
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
# In buster we will be able to use TLSv1.3
ssl_protocols TLSv1.2;
# Executer "cd /etc/ssl/certs; openssl dhparam -out dhparam.pem 4096" avant d'activer
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Enable OCSP Stapling, point to certificate chain
ssl_stapling on;
ssl_stapling_verify on;
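Review bot: `ssl on;` duplicates the `ssl` parameter already present on both `listen` lines above it and is the deprecated form (nginx warns about it from 1.15.0 on and later releases removed it), so the line can simply go. `ssl_stapling on;` with `ssl_stapling_verify on;` only takes effect when nginx can reach the OCSP responder and validate the response, which needs a `resolver` and an `ssl_trusted_certificate` pointing at the issuer chain; neither is in this snippet, so unless the including server blocks or the http context supply them, stapling will stay silently disabled. The comment `# Enable OCSP Stapling, point to certificate chain` announces the chain but no directive here provides it. The `HIGH:!aNULL:...` cipher string still admits plain-RSA key-exchange suites without forward secrecy; for a TLS 1.2-only configuration an ECDHE-only list (for example the Mozilla intermediate profile of the time) is the usual choice.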


@ -0,0 +1,12 @@
# {{ ansible_managed }}
# Listen for IPv4 and IPv6 with HTTP2
listen 80 http2;
listen [::]:80 http2;
# Hide NGINX version
server_tokens off;
# Reverse Proxy Adm
set_real_ip_from 10.128.0.0/16;
real_ip_header P-Real-Ip;
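Review bot: `listen 80 http2;` and `listen [::]:80 http2;` put HTTP/2 on a plain-text port; on nginx releases of this period (those with the `http2` listen parameter) a non-`ssl` listener marked `http2` speaks only prior-knowledge h2c, so ordinary HTTP/1.1 clients, which includes every browser, get a protocol error instead of the 301 redirect the including server blocks return. Dropping the parameter, `listen 80;` and `listen [::]:80;`, gives the intended behaviour, and HTTP/2 is still negotiated through ALPN on the 443 listeners in proxy-common-ssl.conf. The comment `# Listen for IPv4 and IPv6 with HTTP2` should then lose `with HTTP2`. `set_real_ip_from 10.128.0.0/16;` trusts every host in that /16 to assert a client address via `P-Real-Ip`; if the upstream proxy has a fixed address or a smaller subnet, narrowing the range to it limits who can forge the client IP that ends up in logs and access decisions (the same two lines are in proxy-common-ssl.conf).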