nginx: create the document root if different from the default. Deny access to the filenames that start with a .

This commit is contained in:
Andrea Dell'Amico 2017-11-07 00:09:01 +01:00
parent fe75249c69
commit 14f4fc2c08
3 changed files with 30 additions and 10 deletions

View File

@ -76,6 +76,7 @@ nginx_basic_auth_users:
- { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' }
# nginx_ldap_login_attribute: uid
# nginx_ldap_pam_groupdn:
nginx_webroot: /usr/share/nginx/html
nginx_letsencrypt_managed: True
nginx_websockets_support: False
nginx_use_common_virthost: False
@ -96,7 +97,7 @@ nginx_ssl_type: ssl
# ssl_enabled: False
# ssl_only: False
# ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
# root: /usr/share/nginx/html/
# root: {{ nginx_webroot }}
# server_tokens: 'off'
# proxy_standard_setup: True
# proxy_additional_options:

View File

@ -1,12 +1,17 @@
---
- name: Install the nginx virtualhost files
template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
tags: [ 'nginx', 'virtualhost' ]
- block:
- name: Create the nginx webroot if different from the default
file: dest={{ nginx_webroot }} mode=0755
when: nginx_webroot != '/usr/share/nginx/html'
- name: Install the nginx virtualhost files
template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
- name: Enable the nginx virtualhosts
file: src=/etc/nginx/sites-available/{{ item.virthost_name }} dest=/etc/nginx/sites-enabled/{{ item.virthost_name }} state=link
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
- name: Enable the nginx virtualhosts
file: src=/etc/nginx/sites-available/{{ item.virthost_name }} dest=/etc/nginx/sites-enabled/{{ item.virthost_name }} state=link
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
tags: [ 'nginx', 'virtualhost' ]

View File

@ -1,7 +1,13 @@
server {
listen {{ item.http_port | default (80) }};
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
location ~ /\.(?!well-known).* {
deny all;
access_log off;
log_not_found off;
}
{% if letsencrypt_acme_install %}
## Disable .htaccess and other hidden files
include /etc/nginx/snippets/letsencrypt-proxy.conf;
{% endif %}
{% if item.access_log is defined %}
@ -36,6 +42,11 @@ server {
log_not_found off;
access_log off;
}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
{% if haproxy_ips is defined %}
# We are behind haproxy
{% for ip in haproxy_ips %}
@ -128,6 +139,9 @@ server {
log_not_found off;
access_log off;
}
location ~ /\. {
deny all;
}
{% if haproxy_ips is defined %}
# We are behind haproxy
{% for ip in haproxy_ips %}