190 lines
8.6 KiB
YAML
190 lines
8.6 KiB
YAML
---
|
|
nginx_enabled: true
|
|
nginx_use_ppa: false
|
|
nginx_ppa_repo: ppa:nginx/stable
|
|
nginx_use_nginx_org_repo: false
|
|
nginx_org_repo_key: 'https://nginx.org/keys/nginx_signing.key'
|
|
nginx_org_repo: 'deb http://nginx.org/packages/ubuntu/ bionic nginx'
|
|
nginx_package_state: present
|
|
|
|
nginx_org_modules: []
|
|
# - pkg_name: nginx-module-njs
|
|
# mod_name: ngx_http_js_module.so
|
|
# enabled: yes
|
|
# See https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
|
nginx_ssl_level: intermediate
|
|
nginx_ssl_session_cache_size: '8096k'
|
|
nginx_ssl_session_timeout: '10m'
|
|
nginx_ssl_stapling: true
|
|
nginx_strict_transport_security_expire: 15768000
|
|
nginx_strict_transport_security_include_subdomains: false
|
|
|
|
nginx_snippets_dir: /etc/nginx/snippets
|
|
|
|
nginx_conf_snippets:
|
|
- nginx-compression.conf
|
|
- nginx-websockets.conf
|
|
- nginx-browser-cache.conf
|
|
- letsencrypt-proxy.conf
|
|
- nginx-proxy-params.conf
|
|
- nginx-server-ssl.conf
|
|
- nginx-cors.conf
|
|
|
|
nginx_conf_remote_snippets: []
|
|
# - url: 'https://example.org/git/template.conf.j2'
|
|
# file: file.conf
|
|
nginx_conf_remote_global_conf: []
|
|
# - url: 'https://example.org/git/template.conf.j2'
|
|
# file: file
|
|
nginx_workers: 4
|
|
nginx_worker_connections: 1024
|
|
nginx_multi_accept: 'off'
|
|
nginx_worker_rlimit_nofile: 2048
|
|
nginx_server_tokens: 'off'
|
|
|
|
nginx_default_max_buffers_size: 16
|
|
nginx_client_header_buffer_size: '{{ nginx_default_max_buffers_size }}k'
|
|
nginx_client_body_buffer_size: '{{ nginx_default_max_buffers_size }}k'
|
|
nginx_large_client_header_buffers: '4 {{ nginx_default_max_buffers_size }}k'
|
|
|
|
nginx_enable_compression: true
|
|
nginx_gzip_vary: "on"
|
|
nginx_gzip_proxied: any
|
|
nginx_gzip_comp_level: 6
|
|
nginx_gzip_buffers: 16 8k
|
|
nginx_gzip_http_version: 1.1
|
|
nginx_gzip_types: "text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript"
|
|
|
|
nginx_enable_browser_cache: true
|
|
nginx_cache_control: public
|
|
nginx_html_cache_expire: -1
|
|
nginx_feed_cache_expire_enabled: false
|
|
nginx_feed_cache_expire: 1h
|
|
nginx_media_cache_expire: 1M
|
|
nginx_css_js_cache_expire: -1
|
|
|
|
nginx_reverse_proxy: false
|
|
nginx_define_x_real_ip: false
|
|
nginx_proxy_define_header_host: true
|
|
nginx_proxy_header_x_forwarded_proto: "$scheme"
|
|
nginx_set_original_uri: true
|
|
nginx_proxy_buffering: "on"
|
|
nginx_proxy_redirect: "off"
|
|
nginx_x_forwarded_host: "$remote_addr"
|
|
nginx_default_proxy_buffers_size: 8
|
|
nginx_proxy_buffer_size: '{{ nginx_default_proxy_buffers_size }}k'
|
|
nginx_proxy_buffers: '4 {{ nginx_default_proxy_buffers_size }}k'
|
|
nginx_proxy_busy_buffers_size: '{{ nginx_default_proxy_buffers_size * 2 }}k'
|
|
nginx_proxy_connect_timeout: 30s
|
|
nginx_proxy_read_timeout: 480s
|
|
nginx_proxy_send_timeout: 120s
|
|
nginx_proxy_temp_file_write_size: '{{ nginx_default_proxy_buffers_size * 2 }}k'
|
|
nginx_proxy_force_ranges: "off"
|
|
nginx_behind_haproxy_settings: true
|
|
nginx_client_max_body_size: 100M
|
|
nginx_client_body_timeout: 240s
|
|
|
|
nginx_cors_enabled: false
|
|
nginx_cors_global: true
|
|
nginx_cors_limit_origin: true
|
|
nginx_cors_extended_rules: false
|
|
nginx_cors_acl_origin: 'http?://(localhost)'
|
|
# Possible methods:
|
|
# CONNECT, DEBUG, DELETE, DONE, GET, HEAD, HTTP, HTTP/0.9, HTTP/1.0, HTTP/1.1, HTTP/2, OPTIONS, ORIGIN, ORIGINS, PATCH, POST, PUT, QUIC, REST, SESSION, SHOULD, SPDY, TRACE, TRACK
|
|
nginx_cors_allowed_methods: 'GET, POST, OPTIONS'
|
|
# Possible headers:
|
|
# 'Accept, Accept-CH, Accept-Charset, Accept-Datetime, Accept-Encoding, Accept-Ext, Accept-Features, Accept-Language, Accept-Params, Accept-Ranges, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Max-Age, Access-Control-Request-Headers, Access-Control-Request-Method, Age, Allow, Alternates, Authentication-Info, Authorization, C-Ext, C-Man, C-Opt, C-PEP, C-PEP-Info, CONNECT, Cache-Control, Compliance, Connection, Content-Base, Content-Disposition, Content-Encoding, Content-ID, Content-Language, Content-Length, Content-Location, Content-MD5, Content-Range, Content-Script-Type, Content-Security-Policy, Content-Style-Type, Content-Transfer-Encoding, Content-Type, Content-Version, Cookie, Cost, DAV, DELETE, DNT, DPR, Date, Default-Style, Delta-Base, Depth, Derived-From, Destination, Differential-ID, Digest, ETag, Expect, Expires, Ext, From, GET, GetProfile, HEAD, HTTP-date, Host, IM, If, If-Match, If-Modified-Since, If-None-Match, If-Range, If-Unmodified-Since, Keep-Alive, Label, Last-Event-ID, Last-Modified, Link, Location, Lock-Token, MIME-Version, Man, Max-Forwards, Media-Range, Message-ID, Meter, Negotiate, Non-Compliance, OPTION, OPTIONS, OWS, Opt, Optional, Ordering-Type, Origin, Overwrite, P3P, PEP, PICS-Label, POST, PUT, Pep-Info, Permanent, Position, Pragma, ProfileObject, Protocol, Protocol-Query, Protocol-Request, Proxy-Authenticate, Proxy-Authentication-Info, Proxy-Authorization, Proxy-Features, Proxy-Instruction, Public, RWS, Range, Referer, Refresh, Resolution-Hint, Resolver-Location, Retry-After, Safe, Sec-Websocket-Extensions, Sec-Websocket-Key, Sec-Websocket-Origin, Sec-Websocket-Protocol, Sec-Websocket-Version, Security-Scheme, Server, Set-Cookie, Set-Cookie2, SetProfile, SoapAction, Status, Status-URI, Strict-Transport-Security, SubOK, Subst, Surrogate-Capability, Surrogate-Control, TCN, TE, TRACE, Timeout, Title, Trailer, Transfer-Encoding, UA-Color, UA-Media, UA-Pixels, UA-Resolution, UA-Windowpixels, URI, Upgrade, User-Agent, Variant-Vary, Vary, Version, Via, Viewport-Width, WWW-Authenticate, Want-Digest, Warning, Width, X-Content-Duration, X-Content-Security-Policy, X-Content-Type-Options, X-CustomHeader, X-DNSPrefetch-Control, X-Forwarded-For, X-Forwarded-Port, X-Forwarded-Proto, X-Frame-Options, X-Modified, X-OTHER, X-PING, X-PINGOTHER, X-Powered-By, X-Requested-With, Observe'
|
|
nginx_cors_allowed_headers: 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With,Accept-Language,X-CustomHeader,Content-Range,Range,Observe'
|
|
|
|
# Set them only if the application behind the server does not set them by itself.
|
|
nginx_set_xss_protection: false
|
|
nginx_set_content_security_options: false
|
|
nginx_disable_content_security_options: false
|
|
# Choiches: 'self', 'none', a list of domains
|
|
nginx_content_security_src_acl:
|
|
- "'self'"
|
|
# - "'none'"
|
|
# - '{{ ansible_domain }}'
|
|
nginx_content_security_ancestor_acl:
|
|
- "'self'"
|
|
# - "'none'"
|
|
# - '{{ ansible_domain }}'
|
|
nginx_set_frame_origin: false
|
|
# SAMEORIGIN, DENY, ''
|
|
nginx_x_frame_options: 'SAMEORIGIN'
|
|
|
|
# Find a set of acceptable defaults for the cache setup
|
|
nginx_cache_enabled: false
|
|
|
|
nginx_use_ldap_pam_auth: false
|
|
nginx_pam_svc_name: nginx
|
|
nginx_ldap_uri: "ldap://ldap.example.org"
|
|
nginx_ldap_base_dn: "dc=example,dc=org"
|
|
nginx_basic_auth: false
|
|
nginx_basic_auth_users: []
|
|
# - { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' }
|
|
# nginx_ldap_login_attribute: uid
|
|
# nginx_ldap_pam_groupdn:
|
|
nginx_webroot: /usr/share/nginx/html
|
|
nginx_letsencrypt_managed: true
|
|
nginx_websockets_support: false
|
|
# When we do not use letsencrypt:
|
|
# nginx_ssl_cert_file: '{{ pki_dir }}/certs/nginx.crt'
|
|
# nginx_ssl_cert_key: '{{ pki_dir }}/keys/nginx.key'
|
|
nginx_block_dotfiles: true
|
|
|
|
# k,M,G
|
|
nginx_logrotate_maxfilesize: "1G"
|
|
nginx_logrotate_retention: "52"
|
|
|
|
nginx_install_robots_txt: false
|
|
nginx_robots_disallow_everything: false
|
|
nginx_robots_enable_crawl_delay: false
|
|
nginx_robots_crawl_delay: 10
|
|
nginx_robots_disallowed_useragent_list:
|
|
- SemrushBot
|
|
- SemrushBot-SA
|
|
- Yandex
|
|
- YandexBot
|
|
|
|
nginx_robots_disallowed_uris: false
|
|
nginx_robots_disallowed_uris_list: []
|
|
|
|
# List any options here, ending with ;
|
|
#
|
|
# Virtualhost example
|
|
nginx_virthosts: []
|
|
# - virthost_name: '{{ ansible_fqdn }}'
|
|
# plain_http_enabled: true
|
|
# listen: '{{ http_port }}'
|
|
# server_name: '{{ ansible_fqdn }}'
|
|
# server_aliases: ''
|
|
# index: index.html
|
|
# upstream_backends:
|
|
# - name: unicorn
|
|
# servers:
|
|
# - 127.0.0.1:4000 fail_timeout=0
|
|
# error_page: /path_to_error_page.html
|
|
# ssl_enabled: false
|
|
# ssl_only: false
|
|
# ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
|
|
# root: {{ nginx_webroot }}
|
|
# server_tokens: 'off'
|
|
# additional_options: []
|
|
# proxy_standard_setup: true
|
|
# proxy_global_additional_options:
|
|
# - 'proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m'
|
|
# locations:
|
|
# - location: /
|
|
# target: http://localhost:{{ local_http_port }}
|
|
#
|
|
# extra_parameters: |
|
|
# location ~ \.php$ {
|
|
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
# fastcgi_pass unix:/var/run/php5-fpm.sock;
|
|
# fastcgi_index index.php;
|
|
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
# include fastcgi_params;
|
|
# }
|
|
|