From 0063d094244e32bf0ebc1082099126d2ce5d39fc Mon Sep 17 00:00:00 2001 From: Paul Lecuq Date: Sun, 7 Nov 2021 23:37:17 +0100 Subject: [PATCH] updated nginx state --- states/nginx/install.sls | 18 ++++++- states/nginx/templates/nginx.conf.j2 | 57 +++++++++++------------ states/nginx/templates/proxy_params.j2 | 28 +++++------ states/nginx/templates/ssl_params.j2 | 38 +++++++-------- states/nginx/templates/types/dokuwiki.j2 | 16 +++---- states/nginx/templates/types/nextcloud.j2 | 24 +++++----- states/nginx/templates/types/rainloop.j2 | 16 +++---- states/nginx/templates/types/zabbix.j2 | 2 +- 8 files changed, 105 insertions(+), 94 deletions(-) diff --git a/states/nginx/install.sls b/states/nginx/install.sls index 01d9939..145c6eb 100644 --- a/states/nginx/install.sls +++ b/states/nginx/install.sls @@ -2,4 +2,20 @@ {%- from "nginx/map.jinja" import nginx with context %} nginx-pkg: pkg.installed: - - pkgs: {{ nginx.packages }} \ No newline at end of file + - pkgs: {{ nginx.packages }} + +nginx-logs-user-acl: + acl.present: + - name: /var/log/nginx + - acl_type: user + - acl_name: www-data + - perms: rwx + - recurse: true + +nginx-logs-group-acl: + acl.present: + - name: /var/log/nginx + - acl_type: group + - acl_name: www-data + - perms: rwx + - recurse: true \ No newline at end of file diff --git a/states/nginx/templates/nginx.conf.j2 b/states/nginx/templates/nginx.conf.j2 index 35920ce..c9634bf 100644 --- a/states/nginx/templates/nginx.conf.j2 +++ b/states/nginx/templates/nginx.conf.j2 
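Review bot: `nginx-logs-user-acl` and `nginx-logs-group-acl` give the unprivileged worker user `www-data` recursive `rwx` on `/var/log/nginx`, so a compromised worker can truncate or rewrite existing log files, and because `nginx.conf.j2` in this same patch logs to `/var/log/nginx/$host.access.log`, the client-supplied `Host` header decides which files the worker creates there. If the per-host log path is the goal, limit write access to the directory itself (drop `recurse: true`, or use `perms: rw` for the files) and add a matching `default:user` / `default:group` entry so files created later by logrotate receive the same ACL — confirm that the deployed Salt version accepts the `default:` prefix in `acl_type`; otherwise a fixed `access_log` path at `http` level with `$host` carried in the `log_format` avoids the need for worker write access altogether. Both states should also declare `- require:` / `- pkg: nginx-pkg`, since `/var/log/nginx` is created by the package, and `acl.present` needs `setfacl` on the minion, which `nginx.packages` (defined in `map.jinja`, outside this hunk) may not provide.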
@@ -4,51 +4,50 @@ user www-data; worker_processes 4; -error_log /var/log/nginx/error.log; -error_log syslog:server=localhost:514 info; +error_log /var/log/nginx/error.log; +error_log syslog:server=localhost:514 info; events { worker_connections 1024; } http { - include fastcgi_params; - include proxy_params; - include mime.types; - include ssl_params; - charset utf-8; + include fastcgi_params; + include proxy_params; + include mime.types; + include ssl_params; + charset utf-8; - include sites-enabled/*; + include sites-enabled/*; - access_log /var/log/nginx/$host.access.log; - access_log syslog:server=localhost:514 combined; + access_log /var/log/nginx/$host.access.log; + access_log syslog:server=localhost:514 combined; - default_type application/octet-stream; - sendfile on; - keepalive_timeout 60; - server_tokens off; - #more_set_headers 'Server: PaulBSD Fast Webserver'; + default_type application/octet-stream; + sendfile on; + keepalive_timeout 60; + server_tokens off; - proxy_intercept_errors on; - fastcgi_intercept_errors on; - fastcgi_read_timeout 300; + proxy_intercept_errors on; + fastcgi_intercept_errors on; + fastcgi_read_timeout 300; server { - listen 80 default_server; - listen 443 default_server ssl; + listen 80 default_server; + listen 443 default_server ssl; - listen [::]:80 default_server; - listen [::]:443 default_server ssl; + listen [::]:80 default_server; + listen [::]:443 default_server ssl; - root /var/www/html; - index index.html; + root /var/www/html; + index index.html; location /status { - stub_status on; - access_log off; - allow 127.0.0.1; - allow ::1; - deny all; + stub_status on; + access_log off; + allow 127.0.0.1; + allow ::1; + deny all; } } } diff --git a/states/nginx/templates/proxy_params.j2 b/states/nginx/templates/proxy_params.j2 index f6b540d..84e6fed 100644 --- a/states/nginx/templates/proxy_params.j2 +++ b/states/nginx/templates/proxy_params.j2 
@@ -1,17 +1,17 @@ ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} -proxy_redirect off; -proxy_set_header Host $host; -proxy_set_header X-Real-IP $remote_addr; -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -client_max_body_size 1024m; -client_body_buffer_size 8192k; -proxy_connect_timeout 600; -proxy_send_timeout 600; -proxy_read_timeout 600; -proxy_buffers 32 4k; +proxy_redirect off; +proxy_set_header Host $host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +client_max_body_size 1024m; +client_body_buffer_size 8192k; +proxy_connect_timeout 600; +proxy_send_timeout 600; +proxy_read_timeout 600; +proxy_buffers 32 4k; -proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=cache:10m inactive=24h max_size=1g; -proxy_cache cache; -proxy_cache_valid 200 302 1h; -proxy_cache_valid 404 1d; \ No newline at end of file +proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=cache:10m inactive=24h max_size=1g; +proxy_cache cache; +proxy_cache_valid 200 302 1h; +proxy_cache_valid 404 1d; \ No newline at end of file diff --git a/states/nginx/templates/ssl_params.j2 b/states/nginx/templates/ssl_params.j2 index afe706c..6207986 100644 --- a/states/nginx/templates/ssl_params.j2 +++ b/states/nginx/templates/ssl_params.j2 
@@ -1,23 +1,19 @@ ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} -ssl_certificate /etc/acme/certs/paulbsd.com.cert; -ssl_certificate_key /etc/acme/keys/paulbsd.com.key; -ssl_session_timeout 5m; -#ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2; -ssl_protocols TLSv1.3 TLSv1.2; -#ssl_ciphers HIGH:!aNULL:!MD5; -#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; -ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20; -ssl_prefer_server_ciphers on; -ssl_ecdh_curve secp384r1; -ssl_session_cache shared:SSL:10m; -ssl_session_tickets off; -ssl_stapling on; -ssl_stapling_verify on; -ssl_dhparam /etc/acme/dh/dh.pem; -#resolver $DNS-IP-1 $DNS-IP-2 valid=300s; -resolver_timeout 5s; -add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; -add_header X-Frame-Options DENY; -add_header X-Content-Type-Options nosniff; -add_header X-XSS-Protection "1; mode=block"; +add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; +add_header X-Content-Type-Options nosniff; +add_header X-Frame-Options DENY; +add_header X-XSS-Protection "1; mode=block"; +resolver_timeout 5s; +ssl_certificate /etc/acme/certs/paulbsd.com.cert; +ssl_certificate_key /etc/acme/keys/paulbsd.com.key; +ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20; +ssl_dhparam /etc/acme/dh/dh.pem; +ssl_ecdh_curve secp384r1; +ssl_prefer_server_ciphers on; +ssl_protocols TLSv1.3 TLSv1.2; +ssl_session_cache shared:SSL:10m; +ssl_session_tickets off; +ssl_session_timeout 5m; +ssl_stapling on; +ssl_stapling_verify on; diff --git a/states/nginx/templates/types/dokuwiki.j2 b/states/nginx/templates/types/dokuwiki.j2 index 4109301..d194af9 100644 --- a/states/nginx/templates/types/dokuwiki.j2 +++ b/states/nginx/templates/types/dokuwiki.j2 
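Review bot: The four `add_header` lines now sit at `http` level via `ssl_params`, but nginx inherits `add_header` from the enclosing level only when the current level defines none of its own, so any server or location block that sets its own header — the server-level `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in `types/nextcloud.j2` in this patch is one — silently drops `X-Frame-Options`, `X-Content-Type-Options` and the rest; adding `always` to these four lines would at least keep them on 4xx/5xx responses, which currently go out without them. Separately, `ssl_stapling on` together with `ssl_stapling_verify on` but no `resolver` directive (the commented `#resolver` line is removed in this hunk, only `resolver_timeout 5s;` remains) means nginx reports that no resolver is defined and does not staple; either add `resolver <DNS-IP placeholder> valid=300s;` or drop the stapling lines until a resolver is configured. `X-XSS-Protection` is deprecated and `1; mode=block` is generally advised against today; `add_header X-XSS-Protection 0;` or removing the line, with a `Content-Security-Policy` in its place, would be the safer modern choice.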
@@ -1,20 +1,20 @@ ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} server { - include http; - server_name {{ vhost_name }}; - return 301 https://$server_name$request_uri; + include http; + server_name {{ vhost_name }}; + return 301 https://$server_name$request_uri; } server { - include https; - server_name {{ vhost_name }}; - root {{ root_dir }}; + include https; + server_name {{ vhost_name }}; + root {{ root_dir }}; - index index.php index.html; + index index.php index.html; location ~ /(conf|bin|inc)/ { - deny all; + deny all; } location ~ /data/ { diff --git a/states/nginx/templates/types/nextcloud.j2 b/states/nginx/templates/types/nextcloud.j2 index b3f0884..7ef0755 100644 --- a/states/nginx/templates/types/nextcloud.j2 +++ b/states/nginx/templates/types/nextcloud.j2 @@ -1,15 +1,15 @@ ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} server { - include http; - server_name {{ vhost_name }}; - return 301 https://$server_name$request_uri; + include http; + server_name {{ vhost_name }}; + return 301 https://$server_name$request_uri; } server { - include https; - server_name {{ vhost_name }}; - root {{ root_dir }}; + include https; + server_name {{ vhost_name }}; + root {{ root_dir }}; index index.php; error_page 403 /core/templates/403.php; 
@@ -22,12 +22,12 @@ server { add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; location / { - rewrite ^/.well-known/host-meta /public.php?service=host-meta last; - rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; - rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; - rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; - rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; - try_files $uri $uri/ index.php; + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; + rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; + rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; + try_files $uri $uri/ index.php; } location = /robots.txt { diff --git a/states/nginx/templates/types/rainloop.j2 b/states/nginx/templates/types/rainloop.j2 index 4109301..0e25a4b 100644 --- a/states/nginx/templates/types/rainloop.j2 +++ b/states/nginx/templates/types/rainloop.j2 @@ -1,20 +1,20 @@ ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} server { - include http; - server_name {{ vhost_name }}; - return 301 https://$server_name$request_uri; + include http; + server_name {{ vhost_name }}; + return 301 https://$server_name$request_uri; } server { - include https; - server_name {{ vhost_name }}; - root {{ root_dir }}; + include https; + server_name {{ vhost_name }}; + root {{ root_dir }}; - index index.php index.html; + index index.php index.html; location ~ /(conf|bin|inc)/ { - deny all; + deny all; } location ~ /data/ { diff --git a/states/nginx/templates/types/zabbix.j2 b/states/nginx/templates/types/zabbix.j2 index b90923f..52df302 100644 --- a/states/nginx/templates/types/zabbix.j2 +++ b/states/nginx/templates/types/zabbix.j2 
@@ -21,7 +21,7 @@ server { include fastcgi_params; fastcgi_pass unix:{{ php_socket_file }}; fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; + fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; } location /robots.txt {