updated nginx state
parent
bde50a789b
commit
0063d09424
@ -2,4 +2,20 @@
|
|||||||
{%- from "nginx/map.jinja" import nginx with context %}
|
{%- from "nginx/map.jinja" import nginx with context %}
|
||||||
nginx-pkg:
|
nginx-pkg:
|
||||||
pkg.installed:
|
pkg.installed:
|
||||||
- pkgs: {{ nginx.packages }}
|
- pkgs: {{ nginx.packages }}
|
||||||
|
|
||||||
|
nginx-logs-user-acl:
|
||||||
|
acl.present:
|
||||||
|
- name: /var/log/nginx
|
||||||
|
- acl_type: user
|
||||||
|
- acl_name: www-data
|
||||||
|
- perms: rwx
|
||||||
|
- recurse: true
|
||||||
|
|
||||||
|
nginx-logs-group-acl:
|
||||||
|
acl.present:
|
||||||
|
- name: /var/log/nginx
|
||||||
|
- acl_type: group
|
||||||
|
- acl_name: www-data
|
||||||
|
- perms: rwx
|
||||||
|
- recurse: true
|
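Review bot: The two acl.present states grant www-data `rwx` on everything under /var/log/nginx, which lets the unprivileged worker user delete or truncate the audit trail rather than only append to it; the directory needs write and search for the worker to create log files, but existing files can stay root-owned with a narrower ACL. `recurse: true` also only touches entries that exist when the state runs, so files created later by nginx or by log rotation will not carry the ACL unless a default ACL is set as well (Salt's acl state takes `acl_type: default:user` / `default:group` for that, if I recall its interface correctly). Neither ACL state requires `nginx-pkg`, so on a fresh host the ACL can be applied before the package has created the directory; a `- require:` / `- pkg: nginx-pkg` on both states would order them. The group ACL duplicates the user ACL and could be dropped unless something else runs as group www-data.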
@ -4,51 +4,50 @@ user www-data;
|
|||||||
|
|
||||||
worker_processes 4;
|
worker_processes 4;
|
||||||
|
|
||||||
error_log /var/log/nginx/error.log;
|
error_log /var/log/nginx/error.log;
|
||||||
error_log syslog:server=localhost:514 info;
|
error_log syslog:server=localhost:514 info;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 1024;
|
||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
include fastcgi_params;
|
include fastcgi_params;
|
||||||
include proxy_params;
|
include proxy_params;
|
||||||
include mime.types;
|
include mime.types;
|
||||||
include ssl_params;
|
include ssl_params;
|
||||||
charset utf-8;
|
charset utf-8;
|
||||||
|
|
||||||
include sites-enabled/*;
|
include sites-enabled/*;
|
||||||
|
|
||||||
access_log /var/log/nginx/$host.access.log;
|
access_log /var/log/nginx/$host.access.log;
|
||||||
access_log syslog:server=localhost:514 combined;
|
access_log syslog:server=localhost:514 combined;
|
||||||
|
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
sendfile on;
|
sendfile on;
|
||||||
keepalive_timeout 60;
|
keepalive_timeout 60;
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
#more_set_headers 'Server: PaulBSD Fast Webserver';
|
|
||||||
|
|
||||||
proxy_intercept_errors on;
|
proxy_intercept_errors on;
|
||||||
fastcgi_intercept_errors on;
|
fastcgi_intercept_errors on;
|
||||||
fastcgi_read_timeout 300;
|
fastcgi_read_timeout 300;
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
listen 443 default_server ssl;
|
listen 443 default_server ssl;
|
||||||
|
|
||||||
listen [::]:80 default_server;
|
listen [::]:80 default_server;
|
||||||
listen [::]:443 default_server ssl;
|
listen [::]:443 default_server ssl;
|
||||||
|
|
||||||
root /var/www/html;
|
root /var/www/html;
|
||||||
index index.html;
|
index index.html;
|
||||||
|
|
||||||
location /status {
|
location /status {
|
||||||
stub_status on;
|
stub_status on;
|
||||||
access_log off;
|
access_log off;
|
||||||
allow 127.0.0.1;
|
allow 127.0.0.1;
|
||||||
allow ::1;
|
allow ::1;
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
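Review bot: The added `error_log syslog:server=localhost:514 info;` and `access_log syslog:server=localhost:514 combined;` send over UDP with no delivery guarantee, so if nothing listens on 127.0.0.1:514 the copies vanish silently while the file logs keep working and the empty central stream goes unnoticed; the state in this commit installs only nginx, so the local syslog listener should be a declared requirement or at least documented next to these lines. Adding `tag=nginx` (and a `facility=`) to both directives keeps the entries attributable once they reach a shared collector. The per-request `$host.access.log` file log on the context line below is unchanged; since workers open that path at request time it is presumably what the www-data ACL in the state file exists for, and mapping `$host` to an expected set of names would avoid creating a new file for every Host header a client sends to the `default_server`.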
@ -1,17 +1,17 @@
|
|||||||
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
||||||
|
|
||||||
proxy_redirect off;
|
proxy_redirect off;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
client_max_body_size 1024m;
|
client_max_body_size 1024m;
|
||||||
client_body_buffer_size 8192k;
|
client_body_buffer_size 8192k;
|
||||||
proxy_connect_timeout 600;
|
proxy_connect_timeout 600;
|
||||||
proxy_send_timeout 600;
|
proxy_send_timeout 600;
|
||||||
proxy_read_timeout 600;
|
proxy_read_timeout 600;
|
||||||
proxy_buffers 32 4k;
|
proxy_buffers 32 4k;
|
||||||
|
|
||||||
proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=cache:10m inactive=24h max_size=1g;
|
proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=cache:10m inactive=24h max_size=1g;
|
||||||
proxy_cache cache;
|
proxy_cache cache;
|
||||||
proxy_cache_valid 200 302 1h;
|
proxy_cache_valid 200 302 1h;
|
||||||
proxy_cache_valid 404 1d;
|
proxy_cache_valid 404 1d;
|
@ -1,23 +1,19 @@
|
|||||||
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
||||||
|
|
||||||
ssl_certificate /etc/acme/certs/paulbsd.com.cert;
|
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
||||||
ssl_certificate_key /etc/acme/keys/paulbsd.com.key;
|
add_header X-Content-Type-Options nosniff;
|
||||||
ssl_session_timeout 5m;
|
add_header X-Frame-Options DENY;
|
||||||
#ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
ssl_protocols TLSv1.3 TLSv1.2;
|
resolver_timeout 5s;
|
||||||
#ssl_ciphers HIGH:!aNULL:!MD5;
|
ssl_certificate /etc/acme/certs/paulbsd.com.cert;
|
||||||
#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
|
ssl_certificate_key /etc/acme/keys/paulbsd.com.key;
|
||||||
ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20;
|
ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_dhparam /etc/acme/dh/dh.pem;
|
||||||
ssl_ecdh_curve secp384r1;
|
ssl_ecdh_curve secp384r1;
|
||||||
ssl_session_cache shared:SSL:10m;
|
ssl_prefer_server_ciphers on;
|
||||||
ssl_session_tickets off;
|
ssl_protocols TLSv1.3 TLSv1.2;
|
||||||
ssl_stapling on;
|
ssl_session_cache shared:SSL:10m;
|
||||||
ssl_stapling_verify on;
|
ssl_session_tickets off;
|
||||||
ssl_dhparam /etc/acme/dh/dh.pem;
|
ssl_session_timeout 5m;
|
||||||
#resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
|
ssl_stapling on;
|
||||||
resolver_timeout 5s;
|
ssl_stapling_verify on;
|
||||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
|
||||||
add_header X-Frame-Options DENY;
|
|
||||||
add_header X-Content-Type-Options nosniff;
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
|
||||||
|
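Review bot: `ssl_stapling on;` with `ssl_stapling_verify on;` has no `resolver` beside it — the commented `#resolver $DNS-IP-1 $DNS-IP-2 valid=300s;` line was dropped rather than enabled and only `resolver_timeout 5s;` survives — so unless a resolver is set at a level outside this snippet nginx cannot look up the OCSP responder and stapling quietly stays off (it warns in the error log instead of refusing to start). Adding `resolver 127.0.0.1 valid=300s;` (or the hosts' real resolver, whichever applies) next to the stapling lines makes it take effect. The `add_header` lines moved to the top of this snippet are subject to nginx's rule that a server or location declaring any `add_header` of its own drops all inherited ones; the vhost later in this commit sets its own `Strict-Transport-Security` with `max-age=31536000`, so that block will emit neither the nosniff nor the X-Frame-Options header from here and advertises a shorter HSTS lifetime than the `preload`-tagged one. Putting `always` on these four headers would also keep them on error responses, matching how that vhost already writes its HSTS line.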
@ -1,20 +1,20 @@
|
|||||||
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
include http;
|
include http;
|
||||||
server_name {{ vhost_name }};
|
server_name {{ vhost_name }};
|
||||||
return 301 https://$server_name$request_uri;
|
return 301 https://$server_name$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
include https;
|
include https;
|
||||||
server_name {{ vhost_name }};
|
server_name {{ vhost_name }};
|
||||||
root {{ root_dir }};
|
root {{ root_dir }};
|
||||||
|
|
||||||
index index.php index.html;
|
index index.php index.html;
|
||||||
|
|
||||||
location ~ /(conf|bin|inc)/ {
|
location ~ /(conf|bin|inc)/ {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /data/ {
|
location ~ /data/ {
|
||||||
|
@ -1,15 +1,15 @@
|
|||||||
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
include http;
|
include http;
|
||||||
server_name {{ vhost_name }};
|
server_name {{ vhost_name }};
|
||||||
return 301 https://$server_name$request_uri;
|
return 301 https://$server_name$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
include https;
|
include https;
|
||||||
server_name {{ vhost_name }};
|
server_name {{ vhost_name }};
|
||||||
root {{ root_dir }};
|
root {{ root_dir }};
|
||||||
|
|
||||||
index index.php;
|
index index.php;
|
||||||
error_page 403 /core/templates/403.php;
|
error_page 403 /core/templates/403.php;
|
||||||
@ -22,12 +22,12 @@ server {
|
|||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
|
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
|
||||||
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
|
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
|
||||||
rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
|
rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
|
||||||
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
|
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
|
||||||
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
|
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
|
||||||
try_files $uri $uri/ index.php;
|
try_files $uri $uri/ index.php;
|
||||||
}
|
}
|
||||||
|
|
||||||
location = /robots.txt {
|
location = /robots.txt {
|
||||||
|
@ -1,20 +1,20 @@
|
|||||||
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
include http;
|
include http;
|
||||||
server_name {{ vhost_name }};
|
server_name {{ vhost_name }};
|
||||||
return 301 https://$server_name$request_uri;
|
return 301 https://$server_name$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
include https;
|
include https;
|
||||||
server_name {{ vhost_name }};
|
server_name {{ vhost_name }};
|
||||||
root {{ root_dir }};
|
root {{ root_dir }};
|
||||||
|
|
||||||
index index.php index.html;
|
index index.php index.html;
|
||||||
|
|
||||||
location ~ /(conf|bin|inc)/ {
|
location ~ /(conf|bin|inc)/ {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /data/ {
|
location ~ /data/ {
|
||||||
|
@ -21,7 +21,7 @@ server {
|
|||||||
include fastcgi_params;
|
include fastcgi_params;
|
||||||
fastcgi_pass unix:{{ php_socket_file }};
|
fastcgi_pass unix:{{ php_socket_file }};
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
|
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /robots.txt {
|
location /robots.txt {
|
||||||
|