nginx: create the document root if different from the default. Deny access to the filenames that start with a .

This commit is contained in:
Andrea Dell'Amico 2017-11-07 00:09:01 +01:00
parent fe75249c69
commit 14f4fc2c08
3 changed files with 30 additions and 10 deletions


@ -76,6 +76,7 @@ nginx_basic_auth_users:
- { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' } - { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' }
# nginx_ldap_login_attribute: uid # nginx_ldap_login_attribute: uid
# nginx_ldap_pam_groupdn: # nginx_ldap_pam_groupdn:
nginx_webroot: /usr/share/nginx/html
nginx_letsencrypt_managed: True nginx_letsencrypt_managed: True
nginx_websockets_support: False nginx_websockets_support: False
nginx_use_common_virthost: False nginx_use_common_virthost: False
@ -96,7 +97,7 @@ nginx_ssl_type: ssl
# ssl_enabled: False # ssl_enabled: False
# ssl_only: False # ssl_only: False
# ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}' # ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
# root: /usr/share/nginx/html/ # root: {{ nginx_webroot }}
# server_tokens: 'off' # server_tokens: 'off'
# proxy_standard_setup: True # proxy_standard_setup: True
# proxy_additional_options: # proxy_additional_options:
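Review bot: The example on the `# root: {{ nginx_webroot }}` line would not parse if a user uncommented it, because a plain value beginning with `{{` is read by YAML as a flow mapping before Jinja ever sees it; the templated example two lines above is quoted, so write `# root: '{{ nginx_webroot }}'` for consistency. The old example carried a trailing slash (`/usr/share/nginx/html/`) while the new `nginx_webroot` default has none, and the tasks file compares this value literally against `/usr/share/nginx/html`, so it is worth stating the expected form. `nginx_webroot` itself has no explanatory comment; a short one such as `# Document root; the directory is created by the role only when this differs from the default` would help readers of the defaults file.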


@ -1,12 +1,17 @@
--- ---
- block:
- name: Create the nginx webroot if different from the default
file: dest={{ nginx_webroot }} mode=0755
when: nginx_webroot != '/usr/share/nginx/html'
- name: Install the nginx virtualhost files - name: Install the nginx virtualhost files
template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444 template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444
with_items: '{{ nginx_virthosts | default(omit) }}' with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx notify: Reload nginx
tags: [ 'nginx', 'virtualhost' ]
- name: Enable the nginx virtualhosts - name: Enable the nginx virtualhosts
file: src=/etc/nginx/sites-available/{{ item.virthost_name }} dest=/etc/nginx/sites-enabled/{{ item.virthost_name }} state=link file: src=/etc/nginx/sites-available/{{ item.virthost_name }} dest=/etc/nginx/sites-enabled/{{ item.virthost_name }} state=link
with_items: '{{ nginx_virthosts | default(omit) }}' with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx notify: Reload nginx
tags: [ 'nginx', 'virtualhost' ] tags: [ 'nginx', 'virtualhost' ]
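Review bot: The `file: dest={{ nginx_webroot }} mode=0755` task does not pass `state=directory`, and the file module's default state does not create a missing path, so on a host where the custom webroot does not yet exist this task fails instead of creating it. Change the line to `file: dest={{ nginx_webroot }} state=directory owner=root group=root mode=0755`, with owner and group made explicit the way the template task below already does, so the directory is not left to whatever account Ansible happens to connect as. The `when:` duplicates the default path declared in the defaults file; that is acceptable but deserves a comment noting the two must stay in sync. The `block:` opened here continues past the end of the hunk, so whether the lone `tags` line applies to the block or only to the last task cannot be confirmed from this view.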


@ -1,7 +1,13 @@
server { server {
listen {{ item.http_port | default (80) }}; listen {{ item.http_port | default (80) }};
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %}; server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
location ~ /\.(?!well-known).* {
deny all;
access_log off;
log_not_found off;
}
{% if letsencrypt_acme_install %} {% if letsencrypt_acme_install %}
## Disable .htaccess and other hidden files
include /etc/nginx/snippets/letsencrypt-proxy.conf; include /etc/nginx/snippets/letsencrypt-proxy.conf;
{% endif %} {% endif %}
{% if item.access_log is defined %} {% if item.access_log is defined %}
@ -36,6 +42,11 @@ server {
log_not_found off; log_not_found off;
access_log off; access_log off;
} }
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
{% if haproxy_ips is defined %} {% if haproxy_ips is defined %}
# We are behind haproxy # We are behind haproxy
{% for ip in haproxy_ips %} {% for ip in haproxy_ips %}
@ -128,6 +139,9 @@ server {
log_not_found off; log_not_found off;
access_log off; access_log off;
} }
location ~ /\. {
deny all;
}
{% if haproxy_ips is defined %} {% if haproxy_ips is defined %}
# We are behind haproxy # We are behind haproxy
{% for ip in haproxy_ips %} {% for ip in haproxy_ips %}
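Review bot: The `location ~ /\. { deny all; ... }` block added in the second hunk (after the `log_not_found off;` / `access_log off;` stanza around line 42) duplicates the `location ~ /\.(?!well-known).* { ... }` block added at the top of the same server, but without the well-known exclusion. nginx checks regex locations in order of appearance and stops at the first match, so a request under `/.well-known/` that the first pattern deliberately lets through is then matched and denied by the second, which would break HTTP-01 ACME validation unless the included `letsencrypt-proxy.conf` snippet (not visible here) declares a `^~` prefix location that pre-empts the regexes; suggest dropping the second block or giving it the same `(?!well-known)` lookahead. The block added in the third hunk, inside the second `server {` (around line 139), also lacks the exclusion and the `access_log off; log_not_found off;` directives of the first, so the three copies will behave and log differently. The `## Disable .htaccess and other hidden files` comment sits inside the `{% if letsencrypt_acme_install %}` branch, above the snippet include, rather than above the location block it describes.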