From 7bdc08222d8fe995c352470e16db2edebac9d233 Mon Sep 17 00:00:00 2001
From: Paul Lecuq
Date: Fri, 10 Mar 2023 00:05:57 +0100
Subject: [PATCH] updated nginx state
---
 states/nginx/config.sls | 2 +-
 states/nginx/templates/access.j2 | 20 ++---
 states/nginx/templates/http.j2 | 4 +-
 states/nginx/templates/https.j2 | 4 +-
 states/nginx/templates/nginx.conf.j2 | 14 ++--
 states/nginx/templates/proxy_params.j2 | 4 +-
 states/nginx/templates/types/dip.j2 | 92 --------------------
 states/nginx/templates/types/rd.j2 | 2 +-
 states/nginx/templates/types/simple.j2 | 12 +-
 states/nginx/templates/types/vaultwarden.j2 | 50 -----------
 10 files changed, 32 insertions(+), 172 deletions(-)
 delete mode 100644 states/nginx/templates/types/dip.j2
 delete mode 100644 states/nginx/templates/types/vaultwarden.j2
diff --git a/states/nginx/config.sls b/states/nginx/config.sls
index 3121dcb..645e090 100644
--- a/states/nginx/config.sls
+++ b/states/nginx/config.sls
@@ -60,7 +60,7 @@ nginx-sites-available-{{ name }}:
 cache: {{ vhost.cache|default(true) }}
 autoindex: {{ vhost.autoindex|default(false) }}
 root_dir: {{ vhost.root_dir|default(none) }}
- internal_access: {{ vhost.internal_access|default(false) }}
+ internal: {{ vhost.internal|default(false) }}
 auth: {{ vhost.auth|default(false) }}
 dirs: {{ vhost.dirs|default([]) }}
 headers: {{ vhost.headers|default({}) }}
diff --git a/states/nginx/templates/access.j2 b/states/nginx/templates/access.j2
index abae1af..f1a38c3 100644
--- a/states/nginx/templates/access.j2
+++ b/states/nginx/templates/access.j2
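Review bot: Renaming the pillar key from `internal_access` to `internal` while keeping `default(false)` means any vhost pillar that still sets `internal_access: true` now renders as `internal: False`, and the 403 guard in the type templates is silently dropped for that vhost — the rename fails open. Unless every pillar is migrated in the same change (not visible here), read the old key as a fallback during the transition: `internal: {{ vhost.internal|default(vhost.internal_access|default(false)) }}`. The enclosing `nginx-sites-available-{{ name }}` state continues outside the hunk.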
@@ -1,14 +1,14 @@
 ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
 {%- from "nginx/map.jinja" import net with context %}
-real_ip_header X-Forwarded-For;
+
 geo $allow {
- {%- for key, value in net.ipv4_networks.items() %}
- #allow {{ value.ip }}/{{ value.mask }};
- {{ value.ip }}/{{ value.mask }} 1;
+ proxy ::1/128;
+ proxy 127.0.0.1/32;
+ proxy 192.168.0.0/16;
+
+ {%- for network in net.ip_networks %}
+ {{ network }} true;
 {%- endfor %}
- {%- for key, value in net.ipv6_networks.items() %}
- #allow {{ value.ip }}/{{ value.mask }};
- {{ value.ip }}/{{ value.mask }} 1;
- {%- endfor %}
- default 0;
-}
\ No newline at end of file
+
+ default false;
+}
diff --git a/states/nginx/templates/http.j2 b/states/nginx/templates/http.j2
index 491e2c2..93fc405 100644
--- a/states/nginx/templates/http.j2
+++ b/states/nginx/templates/http.j2
@@ -1,5 +1,5 @@
 ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
 {%- from "nginx/map.jinja" import nginx with context %}
 
-listen {{ nginx.config.http_port }};
-listen [::]:{{ nginx.config.http_port }};
\ No newline at end of file
+listen {{ nginx.config.http_port }} proxy_protocol;
+listen [::]:{{ nginx.config.http_port }} proxy_protocol;
diff --git a/states/nginx/templates/https.j2 b/states/nginx/templates/https.j2
index 3efdf7f..38e11b9 100644
--- a/states/nginx/templates/https.j2
+++ b/states/nginx/templates/https.j2
@@ -1,5 +1,5 @@
 ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
 {%- from "nginx/map.jinja" import nginx with context %}
 
-listen {{ nginx.config.https_port }} ssl http2;
-listen [::]:{{ nginx.config.https_port }} ssl http2;
\ No newline at end of file
+listen {{ nginx.config.https_port }} ssl http2 proxy_protocol;
+listen [::]:{{ nginx.config.https_port }} ssl http2 proxy_protocol;
diff --git a/states/nginx/templates/nginx.conf.j2 b/states/nginx/templates/nginx.conf.j2
index fc9d96f..b5c8c40 100644
--- a/states/nginx/templates/nginx.conf.j2
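Review bot: `proxy 192.168.0.0/16` turns every host in that /16 into a trusted proxy for the `geo` lookup, so any of them can send an X-Forwarded-For value that falls inside one of `net.ip_networks` and be classified `true`; the `proxy` entries should list only the front proxy's own addresses, not the whole range. Because this commit also puts `proxy_protocol` on every listener, the client address arrives in `$proxy_protocol_addr` while `geo` still keys on `$remote_addr`, so unless realip maps it elsewhere (no `set_real_ip_from`/`real_ip_header proxy_protocol` appears in this patch) the lookup sees the front proxy's address; if that address is itself inside `net.ip_networks` and no X-Forwarded-For is present, every request ends up `true`. Switching the block to `geo $proxy_protocol_addr $allow {` keys the lookup on the address carried by the PROXY header instead. Dropping `real_ip_header X-Forwarded-For;` is only harmless if nothing else set `set_real_ip_from`, which this hunk does not show.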
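Review bot: Adding `proxy_protocol` to both `listen` lines makes nginx require a PROXY protocol header on every connection to this port, so any client or health check that connects directly is dropped, and nginx itself does not check who sent that header — only `set_real_ip_from` decides whose PROXY address may replace `$remote_addr`; the same applies to the https.j2 hunk and to the `default_server` listeners in nginx.conf.j2 in this commit. Trust should be pinned with `set_real_ip_from <front-proxy-address>; real_ip_header proxy_protocol;` (or by reading `$proxy_protocol_addr` explicitly), neither of which is in this patch. With the flag hardcoded in three templates, a pillar-driven toggle (e.g. a new `nginx.config.proxy_protocol` key) would keep them consistent and let hosts that are not behind a PROXY-protocol frontend keep working.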
+++ b/states/nginx/templates/nginx.conf.j2
@@ -17,14 +17,13 @@ events {
 }
 
 http {
+ include access;
 include fastcgi_params;
 include proxy_params;
 include mime.types;
 include ssl_params;
 charset utf-8;
 
- include access;
-
 {%- if nginx.config.geoip %}
 geoip2 /usr/share/GeoIP/GeoLite2-ASN.mmdb {
 $geoip2_asn default=0 autonomous_system_number;
@@ -47,6 +46,7 @@ http {
 access_log syslog:server=localhost:514 main;
 default_type application/octet-stream;
 
+ tcp_nodelay on;
 sendfile on;
 keepalive_timeout 60;
 server_tokens off;
@@ -57,16 +57,16 @@ http {
 
 gzip on;
 gzip_vary on;
- gzip_min_length 1024;
+ gzip_min_length 1023;
 gzip_proxied expired no-cache no-store private auth;
 gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
 
 server {
- listen {{ nginx.config.http_port }} default_server;
- listen [::]:{{ nginx.config.http_port }} default_server;
+ listen {{ nginx.config.http_port }} default_server proxy_protocol;
+ listen [::]:{{ nginx.config.http_port }} default_server proxy_protocol;
 
- listen {{ nginx.config.https_port }} default_server ssl http2;
- listen [::]:{{ nginx.config.https_port }} default_server ssl http2;
+ listen {{ nginx.config.https_port }} default_server ssl http2 proxy_protocol;
+ listen [::]:{{ nginx.config.https_port }} default_server ssl http2 proxy_protocol;
 
 root /var/www/html;
 index index.html;
diff --git a/states/nginx/templates/proxy_params.j2 b/states/nginx/templates/proxy_params.j2
index 935c3e7..cf8caf2 100644
--- a/states/nginx/templates/proxy_params.j2
+++ b/states/nginx/templates/proxy_params.j2
@@ -4,8 +4,10 @@ proxy_redirect off;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
 client_max_body_size 0;
 client_body_buffer_size 8192k;
+
 proxy_connect_timeout 600;
 proxy_send_timeout 600;
 proxy_read_timeout 600;
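Review bot: `gzip_min_length 1023` replaces 1024 with no rationale in the commit message and reads like an off-by-one; nginx skips compression when the response Content-Length is below this value, so 1024 already compressed a 1 KiB body and the new value only adds 1023-byte responses. Either revert it or add a comment stating the intent, e.g. `# 1023: compress bodies of 1023 bytes and up (was 1024)`, so the next reader does not silently "fix" it. `tcp_nodelay on;` in the second hunk is nginx's default and could carry a short comment saying it is set explicitly on purpose.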
@@ -14,4 +16,4 @@ proxy_buffers 32 4k;
 proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=cache:10m inactive=24h max_size=1g;
 proxy_cache cache;
 proxy_cache_valid 200 302 1h;
-proxy_cache_valid 404 1d;
\ No newline at end of file
+proxy_cache_valid 404 1d;
diff --git a/states/nginx/templates/types/dip.j2 b/states/nginx/templates/types/dip.j2
deleted file mode 100644
index d35bba1..0000000
--- a/states/nginx/templates/types/dip.j2
+++ /dev/null
@@ -1,92 +0,0 @@
-## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
-
-server {
- include http;
-
- server_name {{ vhost_name }};
- {%- if not proxy %}
- root "{{ root_dir }}";
- {%- endif %}
-
- if ($http_accept != '*/*') {
- return 301 https://$server_name$request_uri;
- }
-
- {%- for key,value in headers.items() %}
- add_header {{ key }} "{{ value }}";
- {%- endfor %}
-
- location / {
- {%- if proxy %}
- proxy_pass {{ proxy_pass }};
- {%- if not cache %}
- proxy_no_cache 1;
- proxy_cache_bypass 1;
- {%- endif %}
- {%- endif %}
- {%- if autoindex %}
- autoindex on;
- autoindex_localtime on;
- {%- else %}
- index index.html;
- {% endif %}
- }
-
- {%- for dir in dirs %}
- location {{ dir.name }} {
- alias {{ dir.alias }};
- }
- {%- endfor %}
-
- location /robots.txt {
- return 200 "User-agent: *\r\nDisallow: /";
- }
-}
-
-server {
- include https;
- {%- if internal_access %}
- #include access;
- if ($allow = 0) {
- return 403;
- }
- {%- endif %}
- server_name {{ vhost_name }};
- {%- if not proxy %}
- root "{{ root_dir }}";
- {%- endif %}
-
- {%- for key,value in headers.items() %}
- add_header {{ key }} "{{ value }}";
- {%- endfor %}
-
- location / {
- {%- if proxy %}
- proxy_pass {{ proxy_pass }};
- {%- if not cache %}
- proxy_no_cache 1;
- proxy_cache_bypass 1;
- {%- endif %}
- {%- endif %}
- {%- if autoindex %}
- autoindex on;
- autoindex_localtime on;
- {%- else %}
- index index.html index.rss;
- {% endif %}
- {%- if auth %}
- auth_basic "Restricted area";
- auth_basic_user_file {{ config_dir }}/auth/htpasswd;
- {%- endif %}
- }
-
- {%- for dir in dirs %}
- location {{ dir.name }} {
- alias {{ dir.alias }};
- }
- {%- endfor %}
-
- location /robots.txt {
- return 200 "User-agent: *\r\nDisallow: /";
- }
-}
diff --git a/states/nginx/templates/types/rd.j2 b/states/nginx/templates/types/rd.j2
index 23a882f..3537f4a 100644
--- a/states/nginx/templates/types/rd.j2
+++ b/states/nginx/templates/types/rd.j2
@@ -8,7 +8,7 @@ server { server { include https; - {%- if internal_access %} + {%- if internal %} #include access; if ($allow = 0) { return 403; diff --git a/states/nginx/templates/types/simple.j2 b/states/nginx/templates/types/simple.j2 index 8475273..c834600 100644 --- a/states/nginx/templates/types/simple.j2 +++ b/states/nginx/templates/types/simple.j2 @@ -8,17 +8,17 @@ server { server { include https; - {%- if internal_access %} - #include access; - if ($allow = 0) { - return 403; - } - {%- endif %} server_name {{ vhost_name }}{% for i in sub %} {{ "%s.%s"|format(i,vhost_name) }} {% endfor %}; {%- if not proxy %} root "{{ root_dir }}"; {%- endif %} + {%- if internal %} + if ($allow = false) { + return 403; + } + {%- endif %} + {%- for key,value in headers.items() %} add_header {{ key }} "{{ value }}"; {%- endfor %} diff --git a/states/nginx/templates/types/vaultwarden.j2 b/states/nginx/templates/types/vaultwarden.j2 deleted file mode 100644 index e92d5c5..0000000 --- a/states/nginx/templates/types/vaultwarden.j2 +++ /dev/null 
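Review bot: `if ($allow = 0)` two lines below the renamed condition no longer matches anything: access.j2 in this same commit now emits `true`/`false` with `default false;`, so for an rd vhost with `internal: true` the `return 403;` is never taken and the vhost becomes reachable from every address — the guard fails open. The comparison should become `if ($allow = false) {`, which is the form simple.j2 adopts in its hunk on this page. The enclosing `server` block of rd.j2 continues past the end of the hunk.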
@@ -1,50 +0,0 @@
-## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
-
-server {
- include http;
- server_name {{ vhost_name }};
- return 301 https://$server_name$request_uri;
-}
-
-server {
- include https;
- {%- if internal_access %}
- #include access;
- if ($allow = 0) {
- return 403;
- }
- {%- endif %}
- server_name {{ vhost_name }};
- {%- if not proxy %}
- root "{{ root_dir }}";
- {%- endif %}
- location / {
- {%- if proxy %}
- proxy_pass {{ proxy_pass }};
- {%- if not cache %}
- proxy_no_cache 1;
- proxy_cache_bypass 1;
- {%- endif %}
- {%- endif %}
- {%- if autoindex %}
- autoindex on;
- autoindex_localtime on;
- {%- else %}
- index index.html;
- {% endif %}
- {%- if auth %}
- auth_basic "Restricted area";
- auth_basic_user_file {{ config_dir }}/auth/htpasswd;
- {%- endif %}
- }
-
- {%- for dir in dirs %}
- location {{ dir.name }} {
- alias {{ dir.alias }};
- }
- {%- endfor %}
-
- location /robots.txt {
- return 200 "User-agent: *\r\nDisallow: /";
- }
-}