Vhost static OK (dirty)

2026-02-24 09:03:29 +07:00 · 2015-07-15 15:18:51 +02:00
parent 64cf8b53a4
commit 4d7c181f06
22 changed files with 425 additions and 5 deletions
--- a/templates/etc/nginx/helpers/no-ht.j2
+++ b/templates/etc/nginx/helpers/no-ht.j2
@@ -0,0 +1,10 @@
+#
+# {{ ansible_managed }}
+#
+
+location  ~ /\.ht {
+	deny all;
+}
+
+
+# vim:filetype=nginx
--- a/templates/etc/nginx/helpers/php.j2
+++ b/templates/etc/nginx/helpers/php.j2
@@ -0,0 +1,19 @@
+#
+# {{ ansible_managed }}
+#
+
+location ~ \.php$ {
+	fastcgi_pass php;
+	fastcgi_index index.php;
+	fastcgi_intercept_errors on;
+	include fastcgi_params;
+
+	# TODO...
+	# Newrelic custom header: https://docs.newrelic.com/docs/apm/other-features/request-queueing/request-queue-server-configuration-examples
+	#fastcgi_param HTTP_X_REQUEST_START "t=${msec}";
+	# Newrelic custom PHP appname: https://docs.newrelic.com/docs/agents/php-agent/configuration/php-directory-ini-settings#perdir-nginx
+	#fastcgi_param PHP_VALUE "newrelic.appname=${host}";
+}
+
+
+# vim:filetype=nginx
--- a/templates/etc/nginx/helpers/ssl-legacy.j2
+++ b/templates/etc/nginx/helpers/ssl-legacy.j2
@@ -0,0 +1,18 @@
+#
+# {{ ansible_managed }}
+#
+
+ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver {{ nginx_resolver.hosts | default(['208.67.222.222', '208.67.220.220']) | join(' ') }} valid={{ nginx_resolver.valid}}s;
+resolver_timeout {{ nginx_resolver.timeout }}s;
+
+
+# vim:filetype=nginx
--- a/templates/etc/nginx/helpers/ssl-strong.j2
+++ b/templates/etc/nginx/helpers/ssl-strong.j2
@@ -0,0 +1,18 @@
+#
+# {{ ansible_managed }}
+#
+
+ssl_ciphers "AES256+EECDH:AES256+EDH";
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver {{ nginx_resolver.hosts | default(['208.67.222.222', '208.67.220.220']) | join(' ') }} valid={{ nginx_resolver.valid}}s;
+resolver_timeout {{ nginx_resolver.timeout }}s;
+
+
+# vim:filetype=nginx
--- a/templates/etc/nginx/helpers/static-expires.j2
+++ b/templates/etc/nginx/helpers/static-expires.j2
@@ -0,0 +1,10 @@
+#
+# {{ ansible_managed }}
+#
+
+location ~* \.(txt|js|css|png|jpg|jpeg|gif|ico|svg)$ {
+	expires 30d;
+	log_not_found off;
+}
+
+# vim:filetype=nginx