mirror of
https://github.com/HanXHX/ansible-nginx.git
synced 2026-02-28 09:22:10 +07:00
Compare commits
8 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
d49e41652c | ||
|
|
9b19231d8b | ||
|
|
80d1d82acc | ||
|
|
5445d66172 | ||
|
|
9a5afd09fa | ||
|
|
96e406c791 | ||
|
|
02994af5ee | ||
|
|
ee79ec9845 |
@@ -15,7 +15,7 @@ Common
|
||||
- `delete`: (O) Delete the vhost (default is false)
|
||||
- `redirect_from`: (O) Domain list to redirect to the first `name`. You can use this key to redirect non-www to www
|
||||
- `redirect_to`: (O) Redirect all requests to this domain. Please set scheme (http:// or https:// or $sheme).
|
||||
- `headers`: (O) Set additionals header as key/value list.
|
||||
- `headers`: (O) Set additionals header as key/value list. You can append "always" to the value. Show [nginx doc](http://nginx.org/en/docs/http/ngx_http_headers_module.html).
|
||||
- `redirect_to_code`: Redirect code (default: 302)
|
||||
- `redirect_https`: (O) Boolean. Redirect HTTP to HTTPS. If "true", you _MUST_ set `proto` to ```['https']```.
|
||||
- `location`: (O) Add new custom locations (it does not overwrite!)
|
||||
@@ -26,6 +26,7 @@ Common
|
||||
- `htpasswd`: (O) References name key in `nginx_htpasswd`. Enable auth basic on all vhost.
|
||||
- `proto`: (O) list of protocol used. Default is a list with "http". If you need http and https, you must set a list with "http" and "https". You can only set "https" without http support.
|
||||
- `ssl_name`: (D) name of the key used when using TLS/SSL. Mandatory when `proto` contains "https"
|
||||
- `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false".
|
||||
|
||||
(O): Optional
|
||||
(M): Mandatory
|
||||
|
||||
@@ -1,4 +1,9 @@
|
||||
---
|
||||
|
||||
# Reload wrapper
|
||||
- name: reload nginx
|
||||
action: service name=nginx state=reloaded enabled=yes
|
||||
command: nginx -t
|
||||
notify: real-reload nginx
|
||||
|
||||
- name: real-reload nginx
|
||||
service: name=nginx state=reloaded
|
||||
|
||||
@@ -2,11 +2,11 @@
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
|
||||
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
|
||||
{% if nginx_version.stdout | version_compare('1.3.7', 'ge') %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
@@ -2,11 +2,11 @@
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
|
||||
ssl_ciphers "AES256+EECDH:AES256+EDH";
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
|
||||
{% if nginx_version.stdout | version_compare('1.3.7', 'ge') %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
{% set __listen = item.listen | default(['80']) %}
|
||||
{% set __listen_ssl = item.listen_ssl | default(['443']) %}
|
||||
{% set __location = item.location | default({}) %}
|
||||
{% set __headers = item.headers | default({'X-Frame-Options': 'DENY', 'X-Content-Type-Options': 'nosniff' }) %}
|
||||
{% set __headers = item.headers | default({'X-Frame-Options': 'DENY always', 'X-Content-Type-Options': 'nosniff always' }) %}
|
||||
{% macro htpasswd(htpasswd_name, indent=1) -%}
|
||||
{% for ht in nginx_htpasswd if ht.name == htpasswd_name %}
|
||||
{{ "\t" * indent }}auth_basic "{{ ht.description }}";
|
||||
@@ -34,7 +34,9 @@ server {
|
||||
listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %};
|
||||
{% endfor %}
|
||||
{{ ssl(item.ssl_name) }}
|
||||
{% if item.ssl_template is not defined or item.ssl_template != false %}
|
||||
include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
server_name {% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(' ') }}{% endif %};
|
||||
{% block root %}
|
||||
@@ -58,11 +60,13 @@ server {
|
||||
{{ htpasswd(item.htpasswd, 1) }}
|
||||
{% endif %}
|
||||
|
||||
{% block template_headers %}
|
||||
# --> Custom headers
|
||||
{% for key, value in __headers.iteritems() %}
|
||||
add_header {{ key }} {{ value }};
|
||||
add_header {{ key }} {{ value | replace(' always', '') }}{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
|
||||
{% endfor %}
|
||||
# <-- Custom headers
|
||||
{% endblock %}
|
||||
|
||||
{% if not __location.has_key('/') %}
|
||||
location / {
|
||||
|
||||
@@ -11,6 +11,20 @@
|
||||
index index.php index.html;
|
||||
{% endblock %}
|
||||
|
||||
{% block template_headers %}
|
||||
# --> Custom headers
|
||||
{% for key, value in __headers.iteritems() %}
|
||||
{% if key == "X-Frame-Options" %}
|
||||
# X-Frame-Options forced by Ansible
|
||||
add_header {{ key }} SAMEORIGIN{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
|
||||
{% else %}
|
||||
add_header {{ key }} {{ value | replace(' always', '') }}{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
# <-- Custom headers
|
||||
{% endblock %}
|
||||
|
||||
|
||||
{% block template_local_content %}
|
||||
location ~ /\.ht {
|
||||
deny all;
|
||||
|
||||
@@ -108,7 +108,7 @@
|
||||
filename : 'first-test'
|
||||
override_try_files: '$uri $uri index.htm index.html'
|
||||
headers:
|
||||
'X-Frame-Options': 'deny'
|
||||
'X-Frame-Options': 'deny always'
|
||||
'X-ansible-default': '1'
|
||||
manage_local_content: false
|
||||
use_error_log: false
|
||||
@@ -152,8 +152,8 @@
|
||||
- 8080
|
||||
template: '_proxy'
|
||||
upstream_name: 'test'
|
||||
more:
|
||||
- 'add_header X-proxyfied 1;'
|
||||
headers:
|
||||
'X-proxyfied': '1'
|
||||
- name: 'deleted.local'
|
||||
delete: true
|
||||
- name: 'redirect-to.local'
|
||||
@@ -172,8 +172,9 @@
|
||||
proto: ['http', 'https']
|
||||
template: '_base'
|
||||
ssl_name: 'test-ssl-predeployed.local'
|
||||
more:
|
||||
- 'add_header X-ansible-default 1;'
|
||||
headers:
|
||||
'X-ansible-default': '1'
|
||||
ssl_template: false
|
||||
- name: 'test-ssl-redirect.local'
|
||||
proto: ['https']
|
||||
template: '_base'
|
||||
|
||||
Reference in New Issue
Block a user