updated nginx state

This commit is contained in:
Paul 2021-11-07 23:37:17 +01:00
parent bde50a789b
commit 0063d09424
8 changed files with 105 additions and 94 deletions


@ -2,4 +2,20 @@
{%- from "nginx/map.jinja" import nginx with context %}
nginx-pkg:
pkg.installed:
- pkgs: {{ nginx.packages }}
- pkgs: {{ nginx.packages }}
nginx-logs-user-acl:
acl.present:
- name: /var/log/nginx
- acl_type: user
- acl_name: www-data
- perms: rwx
- recurse: true
nginx-logs-group-acl:
acl.present:
- name: /var/log/nginx
- acl_type: group
- acl_name: www-data
- perms: rwx
- recurse: true
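Review bot: The two `acl.present` states grant www-data `rwx` recursively over everything already under /var/log/nginx, which hands the worker user write access to error.log and every other log the root-run master process writes, so a compromised worker could truncate or rewrite log history; the recursive `rwx` also marks each existing log file executable. If the grant exists because nginx.conf in this commit logs to `/var/log/nginx/$host.access.log` (a variable in the path presumably makes the worker open the file itself), what is needed is create/search on the directory plus write on the files nginx creates, which is narrower than this — for example `- perms: wx` on the directory for the user entry and, if this Salt version supports default ACL types, a separate default entry for newly created files rather than `recurse: true`. Note as well that with `default_server` in nginx.conf, any Host header the default server accepts becomes a new file name in this now-writable directory, so a `map` that falls back to a fixed log name for unknown hosts would bound the number of files. A one-line comment above `nginx-logs-user-acl` stating why the worker user must write here would help the next reader either way.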


@ -4,51 +4,50 @@ user www-data;
worker_processes 4;
error_log /var/log/nginx/error.log;
error_log syslog:server=localhost:514 info;
error_log /var/log/nginx/error.log;
error_log syslog:server=localhost:514 info;
events {
worker_connections 1024;
}
http {
include fastcgi_params;
include proxy_params;
include mime.types;
include ssl_params;
charset utf-8;
include fastcgi_params;
include proxy_params;
include mime.types;
include ssl_params;
charset utf-8;
include sites-enabled/*;
include sites-enabled/*;
access_log /var/log/nginx/$host.access.log;
access_log syslog:server=localhost:514 combined;
access_log /var/log/nginx/$host.access.log;
access_log syslog:server=localhost:514 combined;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 60;
server_tokens off;
#more_set_headers 'Server: PaulBSD Fast Webserver';
default_type application/octet-stream;
sendfile on;
keepalive_timeout 60;
server_tokens off;
proxy_intercept_errors on;
fastcgi_intercept_errors on;
fastcgi_read_timeout 300;
proxy_intercept_errors on;
fastcgi_intercept_errors on;
fastcgi_read_timeout 300;
server {
listen 80 default_server;
listen 443 default_server ssl;
listen 80 default_server;
listen 443 default_server ssl;
listen [::]:80 default_server;
listen [::]:443 default_server ssl;
listen [::]:80 default_server;
listen [::]:443 default_server ssl;
root /var/www/html;
index index.html;
root /var/www/html;
index index.html;
location /status {
stub_status on;
access_log off;
allow 127.0.0.1;
allow ::1;
deny all;
stub_status on;
access_log off;
allow 127.0.0.1;
allow ::1;
deny all;
}
}
}


@ -1,17 +1,17 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 1024m;
client_body_buffer_size 8192k;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
proxy_buffers 32 4k;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 1024m;
client_body_buffer_size 8192k;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
proxy_buffers 32 4k;
proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=cache:10m inactive=24h max_size=1g;
proxy_cache cache;
proxy_cache_valid 200 302 1h;
proxy_cache_valid 404 1d;
proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=cache:10m inactive=24h max_size=1g;
proxy_cache cache;
proxy_cache_valid 200 302 1h;
proxy_cache_valid 404 1d;


@ -1,23 +1,19 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
ssl_certificate /etc/acme/certs/paulbsd.com.cert;
ssl_certificate_key /etc/acme/keys/paulbsd.com.key;
ssl_session_timeout 5m;
#ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.3 TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!MD5;
#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /etc/acme/dh/dh.pem;
#resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
resolver_timeout 5s;
ssl_certificate /etc/acme/certs/paulbsd.com.cert;
ssl_certificate_key /etc/acme/keys/paulbsd.com.key;
ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20;
ssl_dhparam /etc/acme/dh/dh.pem;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
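Review bot: `ssl_stapling on;` and `ssl_stapling_verify on;` survive the reorder while the only `resolver` line in this file leaves as a comment, so unless a resolver is defined elsewhere in the http block nginx has no way to look up the OCSP responder host and stapling never happens (nginx reports this as a "no resolver defined" warning for the responder); add an explicit `resolver <DNS-IP> valid=300s;` beside `resolver_timeout 5s;`, preferably a local resolver since the lookup itself is unauthenticated. `ssl_ecdh_curve secp384r1;` pins a single curve and excludes X25519, which current clients prefer; `ssl_ecdh_curve X25519:secp384r1;` keeps the present curve available. The four `add_header` lines also deserve a comment that nginx discards inherited add_header directives in any server or location block that declares its own, which the vhost in this commit carrying `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` appears to do, so that vhost presumably loses X-Frame-Options and X-Content-Type-Options from here.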


@ -1,20 +1,20 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
server {
include http;
server_name {{ vhost_name }};
return 301 https://$server_name$request_uri;
include http;
server_name {{ vhost_name }};
return 301 https://$server_name$request_uri;
}
server {
include https;
server_name {{ vhost_name }};
root {{ root_dir }};
include https;
server_name {{ vhost_name }};
root {{ root_dir }};
index index.php index.html;
index index.php index.html;
location ~ /(conf|bin|inc)/ {
deny all;
deny all;
}
location ~ /data/ {


@ -1,15 +1,15 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
server {
include http;
server_name {{ vhost_name }};
return 301 https://$server_name$request_uri;
include http;
server_name {{ vhost_name }};
return 301 https://$server_name$request_uri;
}
server {
include https;
server_name {{ vhost_name }};
root {{ root_dir }};
include https;
server_name {{ vhost_name }};
root {{ root_dir }};
index index.php;
error_page 403 /core/templates/403.php;
@ -22,12 +22,12 @@ server {
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / {
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ index.php;
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ index.php;
}
location = /robots.txt {


@ -1,20 +1,20 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
server {
include http;
server_name {{ vhost_name }};
return 301 https://$server_name$request_uri;
include http;
server_name {{ vhost_name }};
return 301 https://$server_name$request_uri;
}
server {
include https;
server_name {{ vhost_name }};
root {{ root_dir }};
include https;
server_name {{ vhost_name }};
root {{ root_dir }};
index index.php index.html;
index index.php index.html;
location ~ /(conf|bin|inc)/ {
deny all;
deny all;
}
location ~ /data/ {


@ -21,7 +21,7 @@ server {
include fastcgi_params;
fastcgi_pass unix:{{ php_socket_file }};
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
}
location /robots.txt {