updated nginx state

This commit is contained in:
Paul 2023-03-10 00:05:57 +01:00
parent e9abe574b8
commit 7bdc08222d
10 changed files with 32 additions and 172 deletions


@ -60,7 +60,7 @@ nginx-sites-available-{{ name }}:
cache: {{ vhost.cache|default(true) }} cache: {{ vhost.cache|default(true) }}
autoindex: {{ vhost.autoindex|default(false) }} autoindex: {{ vhost.autoindex|default(false) }}
root_dir: {{ vhost.root_dir|default(none) }} root_dir: {{ vhost.root_dir|default(none) }}
internal_access: {{ vhost.internal_access|default(false) }} internal: {{ vhost.internal|default(false) }}
auth: {{ vhost.auth|default(false) }} auth: {{ vhost.auth|default(false) }}
dirs: {{ vhost.dirs|default([]) }} dirs: {{ vhost.dirs|default([]) }}
headers: {{ vhost.headers|default({}) }} headers: {{ vhost.headers|default({}) }}
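Review bot: Renaming the pillar key from `internal_access` to `internal` while keeping `|default(false)` means any existing vhost pillar that still says `internal_access: true` now renders as `internal: false`, so the `$allow` gate is silently dropped for that vhost instead of the render failing. Consider reading both keys during the transition, `internal: {{ vhost.internal|default(vhost.internal_access|default(false)) }}`, or at least note the rename in the state so operators know to migrate their pillar data. The templates in the later sections (`{%- if internal %}`) rely on this new key.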


@ -1,14 +1,14 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "nginx/map.jinja" import net with context %} {%- from "nginx/map.jinja" import net with context %}
real_ip_header X-Forwarded-For;
geo $allow { geo $allow {
{%- for key, value in net.ipv4_networks.items() %} proxy ::1/128;
#allow {{ value.ip }}/{{ value.mask }}; proxy 127.0.0.1/32;
{{ value.ip }}/{{ value.mask }} 1; proxy 192.168.0.0/16;
{%- for network in net.ip_networks %}
{{ network }} true;
{%- endfor %} {%- endfor %}
{%- for key, value in net.ipv6_networks.items() %}
#allow {{ value.ip }}/{{ value.mask }}; default false;
{{ value.ip }}/{{ value.mask }} 1; }
{%- endfor %}
default 0;
}
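Review bot: The `proxy` entries in the new `geo $allow` block change where the lookup address comes from: for a connection arriving from `::1`, `127.0.0.1` or anywhere in `192.168.0.0/16`, nginx takes the address from the request's `X-Forwarded-For` header instead of the peer address, so the allow decision for every host in that /16 is driven by a client-supplied header unless that host is the front proxy that rewrites it. Narrow `proxy` to the actual reverse-proxy addresses, and since the listen sockets in this commit now use `proxy_protocol`, consider keying the map on the PROXY-protocol source address instead, `geo $proxy_protocol_addr $allow {`, which needs no header trust at all. Which side `real_ip_header X-Forwarded-For;` is on cannot be told from this rendering; if it is part of the new file it has no effect without a matching `set_real_ip_from`, and with PROXY protocol in use `real_ip_header proxy_protocol;` would be the matching form.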


@ -1,5 +1,5 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "nginx/map.jinja" import nginx with context %} {%- from "nginx/map.jinja" import nginx with context %}
listen {{ nginx.config.http_port }}; listen {{ nginx.config.http_port }} proxy_protocol;
listen [::]:{{ nginx.config.http_port }}; listen [::]:{{ nginx.config.http_port }} proxy_protocol;
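Review bot: Adding `proxy_protocol` to these `listen` lines (and likewise in the `https` include and the `default_server` block of nginx.conf below) makes nginx require a PROXY-protocol preamble on every connection to those ports; a direct connection without it, such as a local health check or `curl` against the host, is rejected rather than served. Unless the ports are only reachable through the load balancer, keep a separate plain listener for local access, and document the requirement next to the directive, e.g. `# all traffic on this port must arrive via the PROXY-protocol load balancer`. Note also that `$remote_addr` stays the balancer's address unless `set_real_ip_from` and `real_ip_header proxy_protocol;` are configured, which affects both the `$allow` geo map and the `X-Real-IP` header set in proxy_params.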


@ -1,5 +1,5 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "nginx/map.jinja" import nginx with context %} {%- from "nginx/map.jinja" import nginx with context %}
listen {{ nginx.config.https_port }} ssl http2; listen {{ nginx.config.https_port }} ssl http2 proxy_protocol;
listen [::]:{{ nginx.config.https_port }} ssl http2; listen [::]:{{ nginx.config.https_port }} ssl http2 proxy_protocol;


@ -17,14 +17,13 @@ events {
} }
http { http {
include access;
include fastcgi_params; include fastcgi_params;
include proxy_params; include proxy_params;
include mime.types; include mime.types;
include ssl_params; include ssl_params;
charset utf-8; charset utf-8;
include access;
{%- if nginx.config.geoip %} {%- if nginx.config.geoip %}
geoip2 /usr/share/GeoIP/GeoLite2-ASN.mmdb { geoip2 /usr/share/GeoIP/GeoLite2-ASN.mmdb {
$geoip2_asn default=0 autonomous_system_number; $geoip2_asn default=0 autonomous_system_number;
@ -47,6 +46,7 @@ http {
access_log syslog:server=localhost:514 main; access_log syslog:server=localhost:514 main;
default_type application/octet-stream; default_type application/octet-stream;
tcp_nodelay on;
sendfile on; sendfile on;
keepalive_timeout 60; keepalive_timeout 60;
server_tokens off; server_tokens off;
@ -57,16 +57,16 @@ http {
gzip on; gzip on;
gzip_vary on; gzip_vary on;
gzip_min_length 1024; gzip_min_length 1023;
gzip_proxied expired no-cache no-store private auth; gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml; gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
server { server {
listen {{ nginx.config.http_port }} default_server; listen {{ nginx.config.http_port }} default_server proxy_protocol;
listen [::]:{{ nginx.config.http_port }} default_server; listen [::]:{{ nginx.config.http_port }} default_server proxy_protocol;
listen {{ nginx.config.https_port }} default_server ssl http2; listen {{ nginx.config.https_port }} default_server ssl http2 proxy_protocol;
listen [::]:{{ nginx.config.https_port }} default_server ssl http2; listen [::]:{{ nginx.config.https_port }} default_server ssl http2 proxy_protocol;
root /var/www/html; root /var/www/html;
index index.html; index index.html;
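Review bot: `gzip_min_length 1024` becomes `1023` on the line after `gzip_vary on` with nothing in the commit message explaining it; it reads like an accidental keystroke rather than a tuning decision, so either revert it or add a comment giving the reason. The move of `include access;` ahead of `fastcgi_params` in the http block looks harmless on its own, since the `geo` map it defines is only evaluated where `$allow` is used.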


@ -4,8 +4,10 @@ proxy_redirect off;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 0; client_max_body_size 0;
client_body_buffer_size 8192k; client_body_buffer_size 8192k;
proxy_connect_timeout 600; proxy_connect_timeout 600;
proxy_send_timeout 600; proxy_send_timeout 600;
proxy_read_timeout 600; proxy_read_timeout 600;
@ -14,4 +16,4 @@ proxy_buffers 32 4k;
proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=cache:10m inactive=24h max_size=1g; proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=cache:10m inactive=24h max_size=1g;
proxy_cache cache; proxy_cache cache;
proxy_cache_valid 200 302 1h; proxy_cache_valid 200 302 1h;
proxy_cache_valid 404 1d; proxy_cache_valid 404 1d;
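Review bot: `client_max_body_size 0;` on the line after the `X-Forwarded-For` header disables the request-body limit for every vhost that includes proxy_params, and `client_body_buffer_size 8192k;` lets each in-flight request hold up to 8 MB in memory before spilling to disk, so every proxied backend gets an unbounded upload path. The hunk counts show two added lines but this rendering does not mark which, so I cannot tell whether these two are the additions; either way, prefer a finite default such as `client_max_body_size 64m;` (ideally pillar-driven, key name to be chosen) and raise it only in the vhosts that need it.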


@ -1,92 +0,0 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
server {
include http;
server_name {{ vhost_name }};
{%- if not proxy %}
root "{{ root_dir }}";
{%- endif %}
if ($http_accept != '*/*') {
return 301 https://$server_name$request_uri;
}
{%- for key,value in headers.items() %}
add_header {{ key }} "{{ value }}";
{%- endfor %}
location / {
{%- if proxy %}
proxy_pass {{ proxy_pass }};
{%- if not cache %}
proxy_no_cache 1;
proxy_cache_bypass 1;
{%- endif %}
{%- endif %}
{%- if autoindex %}
autoindex on;
autoindex_localtime on;
{%- else %}
index index.html;
{% endif %}
}
{%- for dir in dirs %}
location {{ dir.name }} {
alias {{ dir.alias }};
}
{%- endfor %}
location /robots.txt {
return 200 "User-agent: *\r\nDisallow: /";
}
}
server {
include https;
{%- if internal_access %}
#include access;
if ($allow = 0) {
return 403;
}
{%- endif %}
server_name {{ vhost_name }};
{%- if not proxy %}
root "{{ root_dir }}";
{%- endif %}
{%- for key,value in headers.items() %}
add_header {{ key }} "{{ value }}";
{%- endfor %}
location / {
{%- if proxy %}
proxy_pass {{ proxy_pass }};
{%- if not cache %}
proxy_no_cache 1;
proxy_cache_bypass 1;
{%- endif %}
{%- endif %}
{%- if autoindex %}
autoindex on;
autoindex_localtime on;
{%- else %}
index index.html index.rss;
{% endif %}
{%- if auth %}
auth_basic "Restricted area";
auth_basic_user_file {{ config_dir }}/auth/htpasswd;
{%- endif %}
}
{%- for dir in dirs %}
location {{ dir.name }} {
alias {{ dir.alias }};
}
{%- endfor %}
location /robots.txt {
return 200 "User-agent: *\r\nDisallow: /";
}
}


@ -8,7 +8,7 @@ server {
server { server {
include https; include https;
{%- if internal_access %} {%- if internal %}
#include access; #include access;
if ($allow = 0) { if ($allow = 0) {
return 403; return 403;
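Review bot: `if ($allow = 0)` is kept as context here, but the `access` include in this same commit now sets `$allow` to `true`/`false` (`default false;`) rather than `1`/`0`, so the comparison never matches and the `internal` gate in this template returns 403 for nobody, i.e. the restriction is silently bypassed. Change the line to `if ($allow = false) {` as the sibling template in the next section already does, and pick one form for both. The server block continues outside the hunk.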


@ -8,17 +8,17 @@ server {
server { server {
include https; include https;
{%- if internal_access %}
#include access;
if ($allow = 0) {
return 403;
}
{%- endif %}
server_name {{ vhost_name }}{% for i in sub %} {{ "%s.%s"|format(i,vhost_name) }} {% endfor %}; server_name {{ vhost_name }}{% for i in sub %} {{ "%s.%s"|format(i,vhost_name) }} {% endfor %};
{%- if not proxy %} {%- if not proxy %}
root "{{ root_dir }}"; root "{{ root_dir }}";
{%- endif %} {%- endif %}
{%- if internal %}
if ($allow = false) {
return 403;
}
{%- endif %}
{%- for key,value in headers.items() %} {%- for key,value in headers.items() %}
add_header {{ key }} "{{ value }}"; add_header {{ key }} "{{ value }}";
{%- endfor %} {%- endfor %}
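Review bot: The new `if ($allow = false)` block is consistent with the `default false;` in the access include, but `$allow` appears here with no hint of where it is set; a one-line comment would help the next maintainer, e.g. `# $allow is set by the geo map in the access include (http context): true for net.ip_networks, false otherwise`. The gate is placed only in this `https` server; whether the `server` block before line 8 of this template needs the same check is outside the hunk.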


@ -1,50 +0,0 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
server {
include http;
server_name {{ vhost_name }};
return 301 https://$server_name$request_uri;
}
server {
include https;
{%- if internal_access %}
#include access;
if ($allow = 0) {
return 403;
}
{%- endif %}
server_name {{ vhost_name }};
{%- if not proxy %}
root "{{ root_dir }}";
{%- endif %}
location / {
{%- if proxy %}
proxy_pass {{ proxy_pass }};
{%- if not cache %}
proxy_no_cache 1;
proxy_cache_bypass 1;
{%- endif %}
{%- endif %}
{%- if autoindex %}
autoindex on;
autoindex_localtime on;
{%- else %}
index index.html;
{% endif %}
{%- if auth %}
auth_basic "Restricted area";
auth_basic_user_file {{ config_dir }}/auth/htpasswd;
{%- endif %}
}
{%- for dir in dirs %}
location {{ dir.name }} {
alias {{ dir.alias }};
}
{%- endfor %}
location /robots.txt {
return 200 "User-agent: *\r\nDisallow: /";
}
}