
nginx seems to want each server in its own file

tags/v0.1.8
Jonathan Cobb 4 years ago
parent
commit
37b6e7db2c
5 changed files with 77 additions and 66 deletions
  1. +13
    -0
      automation/roles/nginx/tasks/site.yml
  2. +0
    -32
      automation/roles/nginx/templates/site_node.conf.j2
  3. +31
    -0
      automation/roles/nginx/templates/site_node_alias.conf.j2
  4. +1
    -34
      automation/roles/nginx/templates/site_sage.conf.j2
  5. +32
    -0
      automation/roles/nginx/templates/site_sage_alias.conf.j2

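--- a/automation/roles/nginx/tasks/site.yml
+++ b/automation/roles/nginx/tasks/site.yml
@@ -15,6 +15,11 @@
 src: "site_{{ install_type }}.conf.j2"
 dest: "/etc/nginx/sites-available/{{ server_name }}.conf"
 
+- name: Create alias nginx site (type={{ install_type }})
+template:
+src: "site_{{ install_type }}_alias.conf.j2"
+dest: "/etc/nginx/sites-available/{{ server_alias }}.conf"
+
 - name: Symlink default site to site-enabled
 file:
 src: /etc/nginx/sites-available/{{ server_name }}.conf
@@ -22,3 +27,11 @@
 owner: root
 group: root
 state: link
+
+- name: Symlink alias site to site-enabled
+file:
+src: /etc/nginx/sites-available/{{ server_alias }}.conf
+dest: /etc/nginx/sites-enabled/{{ server_alias }}.conf
+owner: root
+group: root
+state: link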
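Review bot: The two new tasks render and enable `/etc/nginx/sites-available/{{ server_alias }}.conf` unconditionally; with `server_alias` undefined the play fails at the template task, and with it set to an empty string the destination becomes `/etc/nginx/sites-available/.conf` and a symlink of that name is enabled. Both the template task in the first hunk and the symlink task in the second should carry `when: server_alias is defined and (server_alias | length) > 0`. Neither task notifies an nginx reload; if the handler is attached elsewhere in the role that is fine, otherwise the alias site is not served until the next restart.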

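--- a/automation/roles/nginx/templates/site_node.conf.j2
+++ b/automation/roles/nginx/templates/site_node.conf.j2
@@ -29,35 +29,3 @@ server {
 return 301 https://$host$request_uri;
 }
 }
-
-server {
-server_name {{ server_alias }};
-listen {{ ssl_port }} ssl http2;
-
-location / {
-proxy_pass http://127.0.0.1:{{ admin_port }}/;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-Host {{ server_name }};
-proxy_set_header X-Forwarded-Proto https;
-}
-
-location ^~ /.well-known/acme-challenge/ {
-default_type "text/plain";
-root /var/www/html;
-}
-
-ssl_certificate /etc/letsencrypt/live/{{ server_alias }}/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/{{ server_alias }}/privkey.pem;
-ssl_session_cache shared:le_nginx_SSL:1m;
-ssl_session_timeout 1440m;
-
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_prefer_server_ciphers on;
-
-ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA";
-
-if ($scheme != "https") {
-return 301 https://$host$request_uri;
-}
-}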

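--- a/automation/roles/nginx/templates/site_node_alias.conf.j2
+++ b/automation/roles/nginx/templates/site_node_alias.conf.j2
@@ -0,0 +1,31 @@
+server {
+server_name {{ server_alias }};
+listen {{ ssl_port }} ssl http2;
+
+location / {
+proxy_pass http://127.0.0.1:{{ admin_port }}/;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-Host {{ server_name }};
+proxy_set_header X-Forwarded-Proto https;
+}
+
+location ^~ /.well-known/acme-challenge/ {
+default_type "text/plain";
+root /var/www/html;
+}
+
+ssl_certificate /etc/letsencrypt/live/{{ server_alias }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ server_alias }}/privkey.pem;
+ssl_session_cache shared:le_nginx_SSL:1m;
+ssl_session_timeout 1440m;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA";
+
+if ($scheme != "https") {
+return 301 https://$host$request_uri;
+}
+}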
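Review bot: The new alias server pins `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and its `ssl_ciphers` list ends with the 3DES suite `EDH-RSA-DES-CBC3-SHA`; TLS 1.0/1.1 and 3DES are deprecated and fail current hardening baselines, so this file should carry `ssl_protocols TLSv1.2;` (adding TLSv1.3 if the deployed nginx/OpenSSL build supports it) with that suite removed from the list. The identical settings are introduced in site_sage_alias.conf.j2 in this commit. Since all plain-http traffic is meant to end up on https, the block should also emit `add_header Strict-Transport-Security "max-age=31536000" always;` once the https path is known to be stable. The trailing `if ($scheme != "https")` can never fire here because the only `listen` is `ssl`, so it is dead in this file; if the port-80 side for `{{ server_alias }}` (ACME challenge and redirect) is meant to come from the server that remains in site_node.conf.j2, a comment saying so would help, because that server's `server_name` is outside this commit's hunks.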

+ 1
- 34
automation/roles/nginx/templates/site_sage.conf.j2 View File

@@ -1,6 +1,6 @@
server { server {
listen 80; listen 80;
server_name {{ server_name }} {{ server_alias }};
server_name {{ server_name }};


location / { location / {
proxy_pass http://127.0.0.1:{{ admin_port }}/; proxy_pass http://127.0.0.1:{{ admin_port }}/;
@@ -30,36 +30,3 @@ server {
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
} }

server {
listen 80;
server_name {{ server_alias }};

location / {
proxy_pass http://127.0.0.1:{{ admin_port }}/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host {{ server_name }};
proxy_set_header X-Forwarded-Proto https;
}

location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/html;
}

listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/{{ server_alias }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ server_alias }}/privkey.pem;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA";

if ($scheme != "https") {
return 301 https://$host$request_uri;
}
}

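--- a/automation/roles/nginx/templates/site_sage_alias.conf.j2
+++ b/automation/roles/nginx/templates/site_sage_alias.conf.j2
@@ -0,0 +1,32 @@
+server {
+listen 80;
+server_name {{ server_alias }};
+
+location / {
+proxy_pass http://127.0.0.1:{{ admin_port }}/;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-Host {{ server_name }};
+proxy_set_header X-Forwarded-Proto https;
+}
+
+location ^~ /.well-known/acme-challenge/ {
+default_type "text/plain";
+root /var/www/html;
+}
+
+listen 443 ssl;
+ssl_certificate /etc/letsencrypt/live/{{ server_alias }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ server_alias }}/privkey.pem;
+ssl_session_cache shared:le_nginx_SSL:1m;
+ssl_session_timeout 1440m;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA";
+
+if ($scheme != "https") {
+return 301 https://$host$request_uri;
+}
+}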
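Review bot: `proxy_set_header X-Forwarded-Host {{ server_name }};` in this alias server hands the backend the canonical host rather than the alias the client asked for; if that is intended, a comment on that line such as `# present alias requests to the app as the canonical host` keeps the next maintainer from "fixing" it, and if it is not, the value should be `{{ server_alias }}` (the same line is in site_node_alias.conf.j2). Separately, because the server-level `if ($scheme != "https") { return 301 ...; }` runs in the rewrite phase before any `location` is matched, the `/.well-known/acme-challenge/` location is only ever reached over TLS, and nginx will not load this file until `/etc/letsencrypt/live/{{ server_alias }}/` already exists; the role should document how the first certificate for the alias is obtained. Combining `listen 80;` and `listen 443 ssl;` in one server with an `if` redirect is also less obvious than the separate port-80 redirect server that site_node.conf.j2 appears to use, so the two template types would read more consistently if they shared that shape.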
