updated nginx state

This commit is contained in:
Paul 2022-10-10 10:19:42 +02:00
parent ebbb961d6d
commit dec9fc6770
17 changed files with 185 additions and 203 deletions


@ -11,10 +11,10 @@ nginx-config-{{ configfile }}:
- group: {{ nginx.config.group }} - group: {{ nginx.config.group }}
- watch_in: - watch_in:
- service: nginx-service - service: nginx-service
- watch: #- watch:
- pki: pki-fetched # - pki: pki-fetched
- require: #- require:
- sls: acme.* # - sls: acme.*
{%- endfor %} {%- endfor %}
nginx-config-wipe-default: nginx-config-wipe-default:
@ -58,6 +58,7 @@ nginx-sites-available-{{ key }}:
dirs: {{ vhost.dirs|default([]) }} dirs: {{ vhost.dirs|default([]) }}
headers: {{ vhost.headers|default({}) }} headers: {{ vhost.headers|default({}) }}
php_socket_file: {{ nginx.config.php_socket_file }} php_socket_file: {{ nginx.config.php_socket_file }}
geoip: {{ nginx.config.geoip }}
nginx-site-enabled-{{ key }}: nginx-site-enabled-{{ key }}:
file.symlink: file.symlink:
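Review bot: Commenting out `- watch: - pki: pki-fetched` and `- require: - sls: acme.*` on `nginx-config-{{ configfile }}` removes the only ordering between the nginx config files and the certificate state, yet the `ssl_params` template further down this commit still points at `/etc/acme/certs/...` and `/etc/acme/keys/...`, so on a fresh minion the config can now be written and the service reloaded via `watch_in` before those files exist. If the dependency was dropped because `acme.*` is no longer part of the highstate, delete the four lines rather than leaving them commented; if it is still applied, keep at least `- require: - sls: acme.*` on the state that renders `ssl_params`. The `nginx-config-{{ configfile }}` state starts before this hunk, so any other ordering it declares is not visible here.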


@ -6,8 +6,12 @@ nginx:
- nginx-extras - nginx-extras
config: config:
dir: /etc/nginx dir: /etc/nginx
geoip: false
user: www-data user: www-data
group: www-data group: www-data
workers: 4
http_port: 8080
https_port: 4443
php_socket_file: /run/php/php-fpm.sock php_socket_file: /run/php/php-fpm.sock
subdirs: subdirs:
- auth - auth
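Review bot: The new `http_port: 8080` / `https_port: 4443` defaults are not carried into the redirect the vhost templates emit (`return 301 https://$server_name$request_uri`, no port), so the 301 only lands if a front proxy publishes 443 and forwards it to 4443. If that is the intended deployment, state it above the two keys, e.g. `# listen ports behind the front proxy; public 80/443 are published upstream`, since nothing in this file or in the nginx.conf hunk says so and a reader seeing 8080/4443 next to a port-less redirect will assume a bug. `workers: 4` and `geoip: false` are plain integer/boolean scalars, which is what the templates expect, so no quoting is needed there.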


@ -2,5 +2,5 @@
{%- set nginx = salt['pillar.get']('nginx', default=defaults.nginx, merge=True) -%} {%- set nginx = salt['pillar.get']('nginx', default=defaults.nginx, merge=True) -%}
{%- set users = salt['pillar.get']('htpasswds', merge=True) -%} {%- set users = salt['pillar.get']('htpasswds') -%}
{%- set net = salt['pillar.get']('net') -%} {%- set net = salt['pillar.get']('net') -%}


@ -1,9 +1,14 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "nginx/map.jinja" import net with context %} {%- from "nginx/map.jinja" import net with context %}
{%- for key, value in net.ipv4_networks.items() %} real_ip_header X-Forwarded-For;
allow {{ value.ip }}/{{ value.mask }}; geo $allow {
{%- endfor %} {%- for key, value in net.ipv4_networks.items() %}
{%- for key, value in net.ipv6_networks.items() %} #allow {{ value.ip }}/{{ value.mask }};
allow {{ value.ip }}/{{ value.mask }}; {{ value.ip }}/{{ value.mask }} 1;
{%- endfor %} {%- endfor %}
deny all; {%- for key, value in net.ipv6_networks.items() %}
#allow {{ value.ip }}/{{ value.mask }};
{{ value.ip }}/{{ value.mask }} 1;
{%- endfor %}
default 0;
}
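Review bot: `real_ip_header X-Forwarded-For;` on the first new line only rewrites `$remote_addr` for peers listed in `set_real_ip_from`, and no such directive appears in this hunk or in the nginx.conf hunk below, so the `geo $allow` map that follows is still keyed on the direct peer — presumably the front proxy — rather than on the forwarded client address. If the proxy's address happens to fall inside `net.ipv4_networks` every proxied request is allowed, and if it does not every proxied request is denied, so the map cannot be doing what it is meant to either way. Add the trusted proxy range next to the header directive, `set_real_ip_from <FRONT_PROXY_CIDR>;` and `real_ip_recursive on;`, so that only the address appended by that proxy is used and a client-supplied X-Forwarded-For value is walked past. The three `#allow …` lines render as dead comments in the generated config and can simply be dropped.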


@ -1,27 +1,27 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
fastcgi_param QUERY_STRING $query_string; fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method; fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type; fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length; fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri; fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri; fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root; fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol; fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param HTTPS $https if_not_empty; fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1; fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port; fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr; fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port; fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name; fastcgi_param SERVER_NAME $server_name;
fastcgi_param REDIRECT_STATUS 200; fastcgi_param REDIRECT_STATUS 200;
fastcgi_pass_header Cookie; fastcgi_pass_header Cookie;
fastcgi_ignore_headers Expires Cache-Control Set-Cookie; fastcgi_ignore_headers Expires Cache-Control Set-Cookie;


@ -1,4 +1,5 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "nginx/map.jinja" import nginx with context %}
listen 80; listen {{ nginx.config.http_port }};
listen [::]:80; listen [::]:{{ nginx.config.http_port }};


@ -1,4 +1,5 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "nginx/map.jinja" import nginx with context %}
listen 443 ssl http2; listen {{ nginx.config.https_port }} ssl http2;
listen [::]:443 ssl http2; listen [::]:{{ nginx.config.https_port }} ssl http2;


@ -1,57 +1,82 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "nginx/map.jinja" import nginx with context %}
user www-data; {%- if nginx.config.geoip %}
load_module modules/ngx_http_geoip2_module.so;
{%- endif%}
worker_processes 4; user {{ nginx.config.user }};
error_log /var/log/nginx/error.log; worker_processes {{ nginx.config.workers }};
error_log syslog:server=localhost:514 info;
error_log /var/log/nginx/error.log;
error_log syslog:server=localhost:514 info;
events { events {
worker_connections 1024; worker_connections 1024;
} }
http { http {
include fastcgi_params; include fastcgi_params;
include proxy_params; include proxy_params;
include mime.types; include mime.types;
include ssl_params; include ssl_params;
charset utf-8; charset utf-8;
include sites-enabled/*; include access;
log_format main '$remote_addr - $remote_user [$time_iso8601] ' {%- if nginx.config.geoip %}
'"$request" $status $body_bytes_sent ' geoip2 /usr/share/GeoIP/GeoLite2-ASN.mmdb {
'"$http_referer" "$http_user_agent"'; $geoip2_asn default=0 autonomous_system_number;
$geoip2_org default=ISP autonomous_system_organization;
}
access_log /var/log/nginx/$host.access.log main; geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
access_log syslog:server=localhost:514 main; $geoip2_country_name default=England country names en;
$geoip2_city_name default=London city names en;
}
{%- endif %}
default_type application/octet-stream; include sites-enabled/*;
sendfile on;
keepalive_timeout 60;
server_tokens off;
proxy_intercept_errors on; log_format main '$http_x_forwarded_for - $remote_user [$time_iso8601] '
fastcgi_intercept_errors on; '"$request" $status $body_bytes_sent '
fastcgi_read_timeout 300; '"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/$host.access.log main;
access_log syslog:server=localhost:514 main;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 60;
server_tokens off;
proxy_intercept_errors on;
fastcgi_intercept_errors on;
fastcgi_read_timeout 300;
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
server { server {
listen 80 default_server; listen {{ nginx.config.http_port }} default_server;
listen 443 default_server ssl; listen [::]:{{ nginx.config.http_port }} default_server;
listen [::]:80 default_server; listen {{ nginx.config.https_port }} default_server ssl http2;
listen [::]:443 default_server ssl; listen [::]:{{ nginx.config.https_port }} default_server ssl http2;
root /var/www/html; root /var/www/html;
index index.html; index index.html;
location /status { location /status {
stub_status on; stub_status on;
access_log off; access_log off;
allow 127.0.0.1; allow 127.0.0.1;
allow ::1; allow ::1;
deny all; deny all;
} }
} }
} }
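Review bot: The new `log_format main` line swaps `$remote_addr` for `$http_x_forwarded_for`, a client-supplied header, so the access log no longer records an address nginx itself observed; a forged or absent header leaves nothing verifiable for incident review. Log both, `log_format main '$remote_addr $http_x_forwarded_for - $remote_user [$time_iso8601] '`, or keep `$remote_addr` and let the realip module (given a `set_real_ip_from` for the front proxy) turn it into the client address. The `geoip2` blocks also substitute `default=England` and `default=London` on lookup misses, so an address absent from the database is logged as a real location rather than as unknown; a neutral placeholder such as `default=unknown` keeps misses distinguishable. The `.mmdb` paths and `modules/ngx_http_geoip2_module.so` are hard-coded while `user`, `workers` and the ports were just moved into `nginx.config`; lifting them next to `geoip` would keep the file consistent.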


@ -1,17 +1,17 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
proxy_redirect off; proxy_redirect off;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 0; client_max_body_size 0;
client_body_buffer_size 8192k; client_body_buffer_size 8192k;
proxy_connect_timeout 600; proxy_connect_timeout 600;
proxy_send_timeout 600; proxy_send_timeout 600;
proxy_read_timeout 600; proxy_read_timeout 600;
proxy_buffers 32 4k; proxy_buffers 32 4k;
proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=cache:10m inactive=24h max_size=1g; proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=cache:10m inactive=24h max_size=1g;
proxy_cache cache; proxy_cache cache;
proxy_cache_valid 200 302 1h; proxy_cache_valid 200 302 1h;
proxy_cache_valid 404 1d; proxy_cache_valid 404 1d;


@ -1,18 +1,18 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
scgi_param REQUEST_METHOD $request_method; scgi_param REQUEST_METHOD $request_method;
scgi_param REQUEST_URI $request_uri; scgi_param REQUEST_URI $request_uri;
scgi_param QUERY_STRING $query_string; scgi_param QUERY_STRING $query_string;
scgi_param CONTENT_TYPE $content_type; scgi_param CONTENT_TYPE $content_type;
scgi_param DOCUMENT_URI $document_uri; scgi_param DOCUMENT_URI $document_uri;
scgi_param DOCUMENT_ROOT $document_root; scgi_param DOCUMENT_ROOT $document_root;
scgi_param SCGI 1; scgi_param SCGI 1;
scgi_param SERVER_PROTOCOL $server_protocol; scgi_param SERVER_PROTOCOL $server_protocol;
scgi_param REQUEST_SCHEME $scheme; scgi_param REQUEST_SCHEME $scheme;
scgi_param HTTPS $https if_not_empty; scgi_param HTTPS $https if_not_empty;
scgi_param REMOTE_ADDR $remote_addr; scgi_param REMOTE_ADDR $remote_addr;
scgi_param REMOTE_PORT $remote_port; scgi_param REMOTE_PORT $remote_port;
scgi_param SERVER_PORT $server_port; scgi_param SERVER_PORT $server_port;
scgi_param SERVER_NAME $server_name; scgi_param SERVER_NAME $server_name;


@ -1,19 +1,19 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY; add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
resolver_timeout 5s; resolver_timeout 5s;
ssl_certificate /etc/acme/certs/paulbsd.com.cert; ssl_certificate /etc/acme/certs/paulbsd.com.cert;
ssl_certificate_key /etc/acme/keys/paulbsd.com.key; ssl_certificate_key /etc/acme/keys/paulbsd.com.key;
ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20; ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20;
ssl_dhparam /etc/acme/dh/dh.pem; ssl_dhparam /etc/acme/dh/dh.pem;
ssl_ecdh_curve secp384r1; ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.3 TLSv1.2; ssl_protocols TLSv1.3 TLSv1.2;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; ssl_session_tickets off;
ssl_session_timeout 5m; ssl_session_timeout 5m;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;


@ -2,16 +2,16 @@
server { server {
include http; include http;
server_name {{ vhost_name }};
if ($http_accept != '*/*') {
return 301 https://$server_name$request_uri;
}
server_name {{ vhost_name }}; server_name {{ vhost_name }};
{%- if not proxy %} {%- if not proxy %}
root "{{ root_dir }}"; root "{{ root_dir }}";
{%- endif %} {%- endif %}
if ($http_accept != '*/*') {
return 301 https://$server_name$request_uri;
}
{%- for key,value in headers.items() %} {%- for key,value in headers.items() %}
add_header {{ key }} "{{ value }}"; add_header {{ key }} "{{ value }}";
{%- endfor %} {%- endfor %}
@ -46,7 +46,10 @@ server {
server { server {
include https; include https;
{%- if internal_access %} {%- if internal_access %}
include access; #include access;
if ($allow = 0) {
return 403;
}
{%- endif %} {%- endif %}
server_name {{ vhost_name }}; server_name {{ vhost_name }};
{%- if not proxy %} {%- if not proxy %}
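Review bot: The access check `if ($allow = 0) { return 403; }` replaces a one-line include with a four-line block that is now pasted verbatim into four templates (this hunk and the three `@ -9,7 +9,10 @@` hunks further down), and each copy keeps the dead `#include access;` line above it. Putting the block into a small include file, say `access_check`, and writing `include access_check;` inside the `{%- if internal_access %}` guard keeps the deny logic in one place so a later change (a different `$allow` value, or logging the denial) lands everywhere at once. The check also sits only in the `https` server block: the plain-`http` server in the first hunk serves clients that send `Accept: */*` directly (the 301 applies to everyone else), and lines 18–45 of that block are outside the hunk, so whether an `internal_access` vhost is reachable over plain HTTP without the check needs confirming.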


@ -1,67 +0,0 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
server {
include http;
server_name {{ vhost_name }};
return 301 https://$server_name$request_uri;
}
server {
include https;
{%- if internal_access %}
include access;
{%- endif %}
server_name {{ vhost_name }};
{%- if not proxy %}
root "{{ root_dir }}";
{%- endif %}
{%- for key,value in headers.items() %}
add_header {{ key }} "{{ value }}";
{%- endfor %}
location / {
{%- if proxy %}
proxy_pass {{ proxy_pass }};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header AppVhost $host;
{%- if not cache %}
proxy_no_cache 1;
proxy_cache_bypass 1;
{%- endif %}
{%- endif %}
{%- if autoindex %}
autoindex on;
autoindex_localtime on;
{%- else %}
index index.html index.rss;
{% endif %}
{%- if auth %}
auth_basic "Restricted area";
auth_basic_user_file {{ config_dir }}/auth/htpasswd;
{%- endif %}
}
{%- for dir in dirs %}
location {{ dir.name }} {
alias {{ dir.alias }};
}
{%- endfor %}
location /socket.io {
proxy_pass {{ proxy_pass }};
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header AppVhost $host;
}
location /robots.txt {
return 200 "User-agent: *\r\nDisallow: /";
}
}


@ -9,7 +9,10 @@ server {
server { server {
include https; include https;
{%- if internal_access %} {%- if internal_access %}
include access; #include access;
if ($allow = 0) {
return 403;
}
{%- endif %} {%- endif %}
server_name {{ vhost_name }}; server_name {{ vhost_name }};
{%- if not proxy %} {%- if not proxy %}


@ -9,7 +9,10 @@ server {
server { server {
include https; include https;
{%- if internal_access %} {%- if internal_access %}
include access; #include access;
if ($allow = 0) {
return 403;
}
{%- endif %} {%- endif %}
server_name {{ vhost_name }}; server_name {{ vhost_name }};
{%- if not proxy %} {%- if not proxy %}
@ -17,7 +20,7 @@ server {
{%- endif %} {%- endif %}
{%- for key,value in headers.items() %} {%- for key,value in headers.items() %}
add_header {{ key }} "{{ value }}"; add_header {{ key }} "{{ value }}";
{%- endfor %} {%- endfor %}
location / { location / {


@ -9,7 +9,10 @@ server {
server { server {
include https; include https;
{%- if internal_access %} {%- if internal_access %}
include access; #include access;
if ($allow = 0) {
return 403;
}
{%- endif %} {%- endif %}
server_name {{ vhost_name }}; server_name {{ vhost_name }};
{%- if not proxy %} {%- if not proxy %}


@ -1,18 +1,18 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
uwsgi_param QUERY_STRING $query_string; uwsgi_param QUERY_STRING $query_string;
uwsgi_param REQUEST_METHOD $request_method; uwsgi_param REQUEST_METHOD $request_method;
uwsgi_param CONTENT_TYPE $content_type; uwsgi_param CONTENT_TYPE $content_type;
uwsgi_param CONTENT_LENGTH $content_length; uwsgi_param CONTENT_LENGTH $content_length;
uwsgi_param REQUEST_URI $request_uri; uwsgi_param REQUEST_URI $request_uri;
uwsgi_param PATH_INFO $document_uri; uwsgi_param PATH_INFO $document_uri;
uwsgi_param DOCUMENT_ROOT $document_root; uwsgi_param DOCUMENT_ROOT $document_root;
uwsgi_param SERVER_PROTOCOL $server_protocol; uwsgi_param SERVER_PROTOCOL $server_protocol;
uwsgi_param REQUEST_SCHEME $scheme; uwsgi_param REQUEST_SCHEME $scheme;
uwsgi_param HTTPS $https if_not_empty; uwsgi_param HTTPS $https if_not_empty;
uwsgi_param REMOTE_ADDR $remote_addr; uwsgi_param REMOTE_ADDR $remote_addr;
uwsgi_param REMOTE_PORT $remote_port; uwsgi_param REMOTE_PORT $remote_port;
uwsgi_param SERVER_PORT $server_port; uwsgi_param SERVER_PORT $server_port;
uwsgi_param SERVER_NAME $server_name; uwsgi_param SERVER_NAME $server_name;