Add support for ACLs

This commit is contained in:
Andrea Dell'Amico 2018-07-03 17:03:10 +02:00
parent 202340fe65
commit 92622b285e
1 changed files with 61 additions and 7 deletions


@ -7,21 +7,25 @@ server {
log_not_found off; log_not_found off;
return 404; return 404;
} }
{% if letsencrypt_acme_install %} {% if letsencrypt_acme_install %}
## Disable .htaccess and other hidden files
include /etc/nginx/snippets/letsencrypt-proxy.conf; include /etc/nginx/snippets/letsencrypt-proxy.conf;
{% endif %} {% endif %}
{% if item.access_log is defined %} {% if item.access_log is defined %}
access_log {{ item.access_log }}; access_log {{ item.access_log }};
{% else %} {% else %}
access_log /var/log/nginx/{{ item.server_name }}_access.log; access_log /var/log/nginx/{{ item.server_name }}_access.log;
{% endif %} {% endif %}
{% if item.error_log is defined %} {% if item.error_log is defined %}
error_log {{ item.error_log }}; error_log {{ item.error_log }};
{% else %} {% else %}
error_log /var/log/nginx/{{ item.server_name }}_error.log; error_log /var/log/nginx/{{ item.server_name }}_error.log;
{% endif %} {% endif %}
server_tokens {{ item.server_tokens | default('off') }}; server_tokens {{ item.server_tokens | default('off') }};
{% if item.ssl_enabled and item.ssl_only %} {% if item.ssl_enabled and item.ssl_only %}
location / { location / {
return 301 https://{{ item.server_name }}$request_uri; return 301 https://{{ item.server_name }}$request_uri;
@ -55,17 +59,21 @@ server {
{% endfor %} {% endfor %}
real_ip_header X-Forwarded-For; real_ip_header X-Forwarded-For;
{% endif %} {% endif %}
{% if item.max_body is defined %} {% if item.max_body is defined %}
client_max_body_size {{ item.max_body }}; client_max_body_size {{ item.max_body }};
{% else %} {% else %}
client_max_body_size {{ nginx_client_max_body_size }}; client_max_body_size {{ nginx_client_max_body_size }};
{% endif %} {% endif %}
{% if item.body_timeout is defined %} {% if item.body_timeout is defined %}
client_body_timeout {{ item.body_timeout }}; client_body_timeout {{ item.body_timeout }};
{% else %} {% else %}
client_body_timeout {{ nginx_client_body_timeout }}; client_body_timeout {{ nginx_client_body_timeout }};
{% endif %} {% endif %}
server_tokens {{ item.server_tokens | default('off') }};
{% if nginx_cors_enabled %} {% if nginx_cors_enabled %}
{% if nginx_cors_global %} {% if nginx_cors_global %}
include /etc/nginx/snippets/nginx-cors.conf; include /etc/nginx/snippets/nginx-cors.conf;
@ -74,9 +82,13 @@ server {
{% if item.additional_options is defined %} {% if item.additional_options is defined %}
{% for add_opt in item.additional_options %} {% for add_opt in item.additional_options %}
{{ add_opt }}; {{ add_opt }};
{% endfor %}
{% endif %}
{% if item.http_acls is defined %}
{% for acl in item.http_acls %}
{{ acl }};
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@ -84,20 +96,26 @@ server {
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
{% endif %} {% endif %}
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %} {% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
# Proxy stuff # Proxy stuff
{% if item.include_global_proxy_conf is defined and not item.include_global_proxy_conf %} {% if item.include_global_proxy_conf is defined and not item.include_global_proxy_conf %}
{% else %} {% else %}
include /etc/nginx/snippets/nginx-proxy-params.conf; include /etc/nginx/snippets/nginx-proxy-params.conf;
{% endif %} {% endif %}
{% if item.proxy_additional_options is defined %} {% if item.proxy_additional_options is defined %}
{% for popt in item.proxy_additional_options %} {% for popt in item.proxy_additional_options %}
{{ popt }}; {{ popt }};
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if item.locations is defined %} {% if item.locations is defined %}
{% for location in item.locations %} {% for location in item.locations %}
location {{ location.location }} { location {{ location.location }} {
{% if nginx_cors_enabled %} {% if nginx_cors_enabled %}
{% if not nginx_cors_global %} {% if not nginx_cors_global %}
{% if location.cors is defined and location.cors %} {% if location.cors is defined and location.cors %}
@ -105,24 +123,35 @@ server {
{% endif %} {% endif %}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if location.target is defined %} {% if location.target is defined %}
proxy_pass {{ location.target }}; proxy_pass {{ location.target }};
{% endif %} {% endif %}
{% if location.extra_conf is defined %} {% if location.extra_conf is defined %}
{{ location.extra_conf }} {{ location.extra_conf }}
{% endif %} {% endif %}
{% if location.other_opts is defined %}
{% if location.acls is defined %}
{% for acl in location.acls %}
{{ acl }};
{% endfor %}
{% endif %}
{% if location.other_opts is defined %}
{% for opt in location.other_opts %} {% for opt in location.other_opts %}
{{ opt }}; {{ opt }};
{% endfor %} {% endfor %}
{% endif %} {% endif %}
} }
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if item.extra_parameters is defined %} {% if item.extra_parameters is defined %}
{{ item.extra_parameters }} {{ item.extra_parameters }}
{% endif %} {% endif %}
{% endif %} {% endif %}
} }
@ -131,16 +160,19 @@ server {
server { server {
listen {{ https_port | default('443') }} {{ nginx_ssl_type }}; listen {{ https_port | default('443') }} {{ nginx_ssl_type }};
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %}; server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
{% if item.access_log is defined %} {% if item.access_log is defined %}
access_log {{ item.access_log }}; access_log {{ item.access_log }};
{% else %} {% else %}
access_log /var/log/nginx/{{ item.server_name }}_ssl_access.log; access_log /var/log/nginx/{{ item.server_name }}_ssl_access.log;
{% endif %} {% endif %}
{% if item.error_log is defined %} {% if item.error_log is defined %}
error_log {{ item.error_log }}; error_log {{ item.error_log }};
{% else %} {% else %}
error_log /var/log/nginx/{{ item.server_name }}_ssl_error.log; error_log /var/log/nginx/{{ item.server_name }}_ssl_error.log;
{% endif %} {% endif %}
root {{ item.root | default('/usr/share/nginx/html/') }}; root {{ item.root | default('/usr/share/nginx/html/') }};
index {{ item.index | default('index.html index.htm') }}; index {{ item.index | default('index.html index.htm') }};
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }}; error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
@ -159,6 +191,7 @@ server {
location ~ /\. { location ~ /\. {
deny all; deny all;
} }
{% if haproxy_ips is defined %} {% if haproxy_ips is defined %}
# We are behind haproxy # We are behind haproxy
{% for ip in haproxy_ips %} {% for ip in haproxy_ips %}
@ -166,6 +199,7 @@ server {
{% endfor %} {% endfor %}
real_ip_header X-Forwarded-For; real_ip_header X-Forwarded-For;
{% endif %} {% endif %}
{% if item.max_body is defined %} {% if item.max_body is defined %}
client_max_body_size {{ item.max_body }}; client_max_body_size {{ item.max_body }};
{% else %} {% else %}
@ -176,6 +210,7 @@ server {
{% else %} {% else %}
client_body_timeout {{ nginx_client_body_timeout }}; client_body_timeout {{ nginx_client_body_timeout }};
{% endif %} {% endif %}
server_tokens {{ item.server_tokens | default('off') }}; server_tokens {{ item.server_tokens | default('off') }};
include /etc/nginx/snippets/nginx-server-ssl.conf; include /etc/nginx/snippets/nginx-server-ssl.conf;
@ -188,26 +223,34 @@ server {
{% if item.additional_options is defined %} {% if item.additional_options is defined %}
{% for add_opt in item.additional_options %} {% for add_opt in item.additional_options %}
{{ add_opt }}; {{ add_opt }};
{% endfor %}
{% endif %}
{% if item.https_acls is defined %}
{% for acl in item.https_acls %}
{{ acl }};
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %} {% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
# Proxy stuff # Proxy stuff
{% if item.include_global_proxy_conf is defined and not item.include_global_proxy_conf %} {% if item.include_global_proxy_conf is defined and not item.include_global_proxy_conf %}
{% else %} {% else %}
include /etc/nginx/snippets/nginx-proxy-params.conf; include /etc/nginx/snippets/nginx-proxy-params.conf;
{% endif %} {% endif %}
{% if item.proxy_additional_options is defined %} {% if item.proxy_additional_options is defined %}
{% for popt in item.proxy_additional_options %} {% for popt in item.proxy_additional_options %}
{{ popt }} {{ popt }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if item.locations is defined %} {% if item.locations is defined %}
{% for location in item.locations %} {% for location in item.locations %}
location {{ location.location }} { location {{ location.location }} {
{% if nginx_cors_enabled %} {% if nginx_cors_enabled %}
{% if not nginx_cors_global %} {% if not nginx_cors_global %}
{% if location.cors is defined and location.cors %} {% if location.cors is defined and location.cors %}
@ -215,25 +258,36 @@ server {
{% endif %} {% endif %}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if location.target is defined %} {% if location.target is defined %}
proxy_pass {{ location.target }}; proxy_pass {{ location.target }};
{% endif %} {% endif %}
{% if location.websockets is defined and location.websockets %} {% if location.websockets is defined and location.websockets %}
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade"; proxy_set_header Connection "Upgrade";
{% endif %} {% endif %}
{% if location.extra_conf is defined %} {% if location.extra_conf is defined %}
{{ location.extra_conf }} {{ location.extra_conf }}
{% endif %} {% endif %}
{% if location.other_opts is defined %}
{% if location.acls is defined %}
{% for acl in location.acls %}
{{ acl }};
{% endfor %}
{% endif %}
{% if location.other_opts is defined %}
{% for opt in location.other_opts %} {% for opt in location.other_opts %}
{{ opt }}; {{ opt }};
{% endfor %} {% endfor %}
{% endif %} {% endif %}
} }
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if item.extra_parameters is defined %} {% if item.extra_parameters is defined %}
{{ item.extra_parameters }} {{ item.extra_parameters }}
{% endif %} {% endif %}
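Review bot: The new `acls` entries at L94–L98 and L193–L197 (and the server-level `http_acls`/`https_acls` at L57–L59 and L156–L158) are emitted verbatim as `{{ acl }};`, exactly like `other_opts`, so nothing in the template says what an entry is supposed to look like and a malformed item breaks the whole vhost rather than only the access rule. nginx's access module checks `allow`/`deny` rules in sequence until the first match, so the order of the list is significant and an allow-list is only effective when it ends with a `deny all` entry; that contract should be stated in the template for the role's users. A comment before each loop such as `{# one nginx access directive per entry, e.g. "allow 10.0.0.0/8" or "deny all" (example values); rules are checked in order, first match wins #}` would cover it without changing the rendered config. The `## Disable .htaccess and other hidden files` comment at L16 also appears to sit before the letsencrypt include rather than the `location ~ /\.` deny block, if the rendering is faithful; the blocks these loops live in open and close outside the visible hunks.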