384 lines
12 KiB
Django/Jinja
384 lines
12 KiB
Django/Jinja
{% if nginx_websockets_support is defined and nginx_websockets_support %}
|
|
include /etc/nginx/snippets/nginx-websockets.conf;
|
|
{% else %}
|
|
{% if item.websockets is defined and item.websockets %}
|
|
include /etc/nginx/snippets/nginx-websockets.conf;
|
|
{% endif %}
|
|
{% endif %}
|
|
{% if item.global_additional_options is defined %}
|
|
{% for add_opt in item.global_additional_options %}
|
|
{{ add_opt }};
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% if item.proxy_global_additional_options is defined %}
|
|
{% for popt in item.proxy_global_additional_options %}
|
|
{{ popt }};
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
{% if item.upstream_backends is defined %}
|
|
{% for u_bk in item.upstream_backends %}
|
|
upstream {{ u_bk.name }} {
|
|
{% for srv in u_bk.servers %}
|
|
server {{ srv }};
|
|
{% endfor %}
|
|
}
|
|
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
{% if item.plain_http_enabled | default(True) %}
|
|
server {
|
|
listen {{ item.http_port | default ('80') }};
|
|
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
|
|
{% if nginx_block_dotfiles %}
|
|
location ~ /\.(?!well-known).* {
|
|
deny all;
|
|
access_log off;
|
|
log_not_found off;
|
|
return 404;
|
|
}
|
|
{% endif %}
|
|
|
|
{% if letsencrypt_acme_install %}
|
|
include /etc/nginx/snippets/letsencrypt-proxy.conf;
|
|
{% endif %}
|
|
|
|
{% if item.access_log is defined %}
|
|
access_log {{ item.access_log }};
|
|
{% else %}
|
|
access_log /var/log/nginx/{{ item.server_name }}_access.log;
|
|
{% endif %}
|
|
|
|
{% if item.error_log is defined %}
|
|
error_log {{ item.error_log }};
|
|
{% else %}
|
|
error_log /var/log/nginx/{{ item.server_name }}_error.log;
|
|
{% endif %}
|
|
|
|
{% if nginx_set_xss_protection %}
|
|
proxy_hide_header X-XSS-Protection;
|
|
add_header X-XSS-Protection "1; mode=block;";
|
|
{% endif %}
|
|
{% if nginx_set_frame_origin %}
|
|
proxy_hide_header X-Frame-Options;
|
|
add_header X-Frame-Options "{{ nginx_x_frame_options }}";
|
|
{% endif %}
|
|
{% if nginx_set_content_security_options %}
|
|
proxy_hide_header Content-Security-Policy;
|
|
{% if nginx_disable_content_security_options %}
|
|
add_header Content-Security-Policy "";
|
|
{% else %}
|
|
add_header Content-Security-Policy "frame-src{% for s in nginx_content_security_src_acl %} {{ s }}{% endfor %}; frame-ancestors{% for l in nginx_content_security_ancestor_acl %} {{ l }}{% endfor %};";
|
|
{% endif %}
|
|
{% endif %}
|
|
server_tokens {{ item.server_tokens | default('off') }};
|
|
|
|
{% if item.ssl_enabled and item.ssl_only %}
|
|
location / {
|
|
return 301 https://{{ item.server_name }}$request_uri;
|
|
}
|
|
{% else %}
|
|
root {{ item.root | default('/usr/share/nginx/html/') }};
|
|
index {{ item.index | default('index.html index.htm') }};
|
|
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
|
|
location = /50x.html {
|
|
root {{ item.error_path | default('/usr/share/nginx/html') }};
|
|
}
|
|
location = /favicon.ico {
|
|
log_not_found off;
|
|
access_log off;
|
|
}
|
|
location = /robots.txt {
|
|
allow all;
|
|
log_not_found off;
|
|
access_log off;
|
|
}
|
|
{% if haproxy_ips is defined %}
|
|
# We are behind haproxy
|
|
{% for ip in haproxy_ips %}
|
|
set_real_ip_from {{ ip }};
|
|
{% endfor %}
|
|
real_ip_header X-Forwarded-For;
|
|
{% endif %}
|
|
|
|
{% if item.max_body is defined %}
|
|
client_max_body_size {{ item.max_body }};
|
|
{% else %}
|
|
client_max_body_size {{ nginx_client_max_body_size }};
|
|
{% endif %}
|
|
|
|
{% if item.body_timeout is defined %}
|
|
client_body_timeout {{ item.body_timeout }};
|
|
{% else %}
|
|
client_body_timeout {{ nginx_client_body_timeout }};
|
|
{% endif %}
|
|
|
|
{% if nginx_cors_enabled %}
|
|
{% if nginx_cors_global %}
|
|
include /etc/nginx/snippets/nginx-cors.conf;
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% if item.additional_options is defined %}
|
|
{% for add_opt in item.additional_options %}
|
|
{{ add_opt }};
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
{% if item.http_acls is defined %}
|
|
{% for acl in item.http_acls %}
|
|
{{ acl }};
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
{% if nginx_websockets_support is defined and nginx_websockets_support %}
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
{% else %}
|
|
{% if item.websockets is defined and item.websockets %}
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
|
|
# Proxy stuff
|
|
{% if item.include_global_proxy_conf is defined and not item.include_global_proxy_conf %}
|
|
{% else %}
|
|
include /etc/nginx/snippets/nginx-proxy-params.conf;
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% if item.locations is defined %}
|
|
{% for location in item.locations -%}
|
|
|
|
location {{ location.location }} {
|
|
|
|
{% if nginx_cors_enabled %}
|
|
{% if not nginx_cors_global %}
|
|
{% if location.cors is defined and location.cors %}
|
|
include /etc/nginx/snippets/nginx-cors.conf;
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% if location.target is defined %}
|
|
proxy_pass {{ location.target }};
|
|
{% elif location.php_target is defined %}
|
|
try_files $uri =404;
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
fastcgi_pass {% if phpfpm_listen_on_socket is defined and phpfpm_listen_on_socket %}unix:{% endif %}{{ location.php_target }};
|
|
fastcgi_index index.php;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
|
|
#fastcgi_param REMOTE_ADDR $remote_addr;
|
|
include fastcgi_params;
|
|
{% endif %}
|
|
|
|
{% if location.websockets is defined and location.websockets %}
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "Upgrade";
|
|
{% endif %}
|
|
|
|
{% if location.extra_conf is defined %}
|
|
{{ location.extra_conf }}
|
|
{% endif %}
|
|
|
|
{% if location.acls is defined %}
|
|
{% for acl in location.acls %}
|
|
{{ acl }};
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
{% if location.other_opts is defined %}
|
|
{% for opt in location.other_opts %}
|
|
{{ opt }};
|
|
{% endfor %}
|
|
{% endif %}
|
|
}
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
{% if item.extra_parameters is defined %}
|
|
{{ item.extra_parameters }}
|
|
{% endif %}
|
|
|
|
{% endif %}
|
|
|
|
}
|
|
{% endif %}
|
|
|
|
{% if item.ssl_enabled %}
|
|
server {
|
|
listen {% if item.https_port is defined %} {{ item.https_port }} {% else %} {{ https_port | default('443') }} {% endif %} ssl {% if ansible_distribution_release != "trusty" %} http2{% endif %};
|
|
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
|
|
|
|
{% if item.access_log is defined %}
|
|
access_log {{ item.access_log }};
|
|
{% else %}
|
|
access_log /var/log/nginx/{{ item.server_name }}_ssl_access.log;
|
|
{% endif %}
|
|
|
|
{% if item.error_log is defined %}
|
|
error_log {{ item.error_log }};
|
|
{% else %}
|
|
error_log /var/log/nginx/{{ item.server_name }}_ssl_error.log;
|
|
{% endif %}
|
|
|
|
root {{ item.root | default('/usr/share/nginx/html/') }};
|
|
index {{ item.index | default('index.html index.htm') }};
|
|
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
|
|
location = /50x.html {
|
|
root {{ item.error_path | default('/usr/share/nginx/html') }};
|
|
}
|
|
location = /favicon.ico {
|
|
log_not_found off;
|
|
access_log off;
|
|
}
|
|
location = /robots.txt {
|
|
allow all;
|
|
log_not_found off;
|
|
access_log off;
|
|
}
|
|
{% if nginx_block_dotfiles %}
|
|
location ~ /\.(?!well-known).* {
|
|
deny all;
|
|
access_log off;
|
|
log_not_found off;
|
|
return 404;
|
|
}
|
|
{% endif %}
|
|
|
|
{% if haproxy_ips is defined %}
|
|
# We are behind haproxy
|
|
{% for ip in haproxy_ips %}
|
|
set_real_ip_from {{ ip }};
|
|
{% endfor %}
|
|
real_ip_header X-Forwarded-For;
|
|
{% endif %}
|
|
|
|
{% if item.max_body is defined %}
|
|
client_max_body_size {{ item.max_body }};
|
|
{% else %}
|
|
client_max_body_size {{ nginx_client_max_body_size }};
|
|
{% endif %}
|
|
{% if item.body_timeout is defined %}
|
|
client_body_timeout {{ item.body_timeout }};
|
|
{% else %}
|
|
client_body_timeout {{ nginx_client_body_timeout }};
|
|
{% endif %}
|
|
|
|
include /etc/nginx/snippets/nginx-server-ssl.conf;
|
|
|
|
{% if nginx_set_xss_protection %}
|
|
proxy_hide_header X-XSS-Protection;
|
|
add_header X-XSS-Protection "1; mode=block;";
|
|
{% endif %}
|
|
{% if nginx_set_frame_origin %}
|
|
proxy_hide_header X-Frame-Options;
|
|
add_header X-Frame-Options "{{ nginx_x_frame_options }}";
|
|
{% endif %}
|
|
{% if nginx_set_content_security_options %}
|
|
proxy_hide_header Content-Security-Policy;
|
|
{% if nginx_disable_content_security_options %}
|
|
add_header Content-Security-Policy "";
|
|
{% else %}
|
|
add_header Content-Security-Policy "frame-src{% for s in nginx_content_security_src_acl %} {{ s }}{% endfor %}; frame-ancestors{% for l in nginx_content_security_ancestor_acl %} {{ l }}{% endfor %};";
|
|
{% endif %}
|
|
{% endif %}
|
|
server_tokens {{ item.server_tokens | default('off') }};
|
|
|
|
{% if nginx_cors_enabled %}
|
|
{% if nginx_cors_global %}
|
|
include /etc/nginx/snippets/nginx-cors.conf;
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% if nginx_websockets_support is defined and nginx_websockets_support %}
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
{% else %}
|
|
{% if item.websockets is defined and item.websockets %}
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% if item.additional_options is defined %}
|
|
{% for add_opt in item.additional_options %}
|
|
{{ add_opt }};
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
{% if item.https_acls is defined %}
|
|
{% for acl in item.https_acls %}
|
|
{{ acl }};
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
|
|
|
|
# Proxy stuff
|
|
{% if item.include_global_proxy_conf is defined and not item.include_global_proxy_conf %}
|
|
{% else %}
|
|
include /etc/nginx/snippets/nginx-proxy-params.conf;
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% if item.locations is defined %}
|
|
{% for location in item.locations -%}
|
|
location {{ location.location }} {
|
|
|
|
{% if nginx_cors_enabled %}
|
|
{% if not nginx_cors_global %}
|
|
{% if location.cors is defined and location.cors %}
|
|
include /etc/nginx/snippets/nginx-cors.conf;
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% if location.target is defined %}
|
|
proxy_pass {{ location.target }};
|
|
{% elif location.php_target is defined %}
|
|
try_files $uri =404;
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
fastcgi_pass {% if phpfpm_listen_on_socket is defined and phpfpm_listen_on_socket %}unix:{% endif %}{{ location.php_target }};
|
|
fastcgi_index index.php;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
|
|
#fastcgi_param REMOTE_ADDR $remote_addr;
|
|
include fastcgi_params;
|
|
{% endif %}
|
|
|
|
{% if location.websockets is defined and location.websockets %}
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "Upgrade";
|
|
{% endif %}
|
|
|
|
{% if location.extra_conf is defined %}
|
|
{{ location.extra_conf }}
|
|
{% endif %}
|
|
|
|
{% if location.acls is defined %}
|
|
{% for acl in location.acls %}
|
|
{{ acl }};
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
{% if location.other_opts is defined %}
|
|
{% for opt in location.other_opts %}
|
|
{{ opt }};
|
|
{% endfor %}
|
|
{% endif %}
|
|
}
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
{% if item.extra_parameters is defined %}
|
|
{{ item.extra_parameters }}
|
|
{% endif %}
|
|
}
|
|
|
|
{% endif %}
|