nginx: create the document root if different from the default. Deny access to the filenames that start with a .
This commit is contained in:
parent
fe75249c69
commit
14f4fc2c08
|
@ -76,6 +76,7 @@ nginx_basic_auth_users:
|
|||
- { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' }
|
||||
# nginx_ldap_login_attribute: uid
|
||||
# nginx_ldap_pam_groupdn:
|
||||
nginx_webroot: /usr/share/nginx/html
|
||||
nginx_letsencrypt_managed: True
|
||||
nginx_websockets_support: False
|
||||
nginx_use_common_virthost: False
|
||||
|
@ -96,7 +97,7 @@ nginx_ssl_type: ssl
|
|||
# ssl_enabled: False
|
||||
# ssl_only: False
|
||||
# ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
|
||||
# root: /usr/share/nginx/html/
|
||||
# root: {{ nginx_webroot }}
|
||||
# server_tokens: 'off'
|
||||
# proxy_standard_setup: True
|
||||
# proxy_additional_options:
|
||||
|
|
|
@ -1,12 +1,17 @@
|
|||
---
|
||||
- block:
|
||||
- name: Create the nginx webroot if different from the default
|
||||
file: dest={{ nginx_webroot }} mode=0755
|
||||
when: nginx_webroot != '/usr/share/nginx/html'
|
||||
|
||||
- name: Install the nginx virtualhost files
|
||||
template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444
|
||||
with_items: '{{ nginx_virthosts | default(omit) }}'
|
||||
notify: Reload nginx
|
||||
tags: [ 'nginx', 'virtualhost' ]
|
||||
|
||||
- name: Enable the nginx virtualhosts
|
||||
file: src=/etc/nginx/sites-available/{{ item.virthost_name }} dest=/etc/nginx/sites-enabled/{{ item.virthost_name }} state=link
|
||||
with_items: '{{ nginx_virthosts | default(omit) }}'
|
||||
notify: Reload nginx
|
||||
|
||||
tags: [ 'nginx', 'virtualhost' ]
|
||||
|
|
|
@ -1,7 +1,13 @@
|
|||
server {
|
||||
listen {{ item.http_port | default (80) }};
|
||||
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
|
||||
location ~ /\.(?!well-known).* {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
{% if letsencrypt_acme_install %}
|
||||
## Disable .htaccess and other hidden files
|
||||
include /etc/nginx/snippets/letsencrypt-proxy.conf;
|
||||
{% endif %}
|
||||
{% if item.access_log is defined %}
|
||||
|
@ -36,6 +42,11 @@ server {
|
|||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
{% if haproxy_ips is defined %}
|
||||
# We are behind haproxy
|
||||
{% for ip in haproxy_ips %}
|
||||
|
@ -128,6 +139,9 @@ server {
|
|||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
}
|
||||
{% if haproxy_ips is defined %}
|
||||
# We are behind haproxy
|
||||
{% for ip in haproxy_ips %}
|
||||
|
|
Loading…
Reference in New Issue