From f6e623dfae764d15bd93024770ba360937db05b7 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Mon, 19 Sep 2016 19:29:58 +0200
Subject: [PATCH] library/roles/smartgears/smartgears-nginx-frontend/templates/generic-smartgears-virtualhost.j2: Support dataminer and https via letsencrypt. All optional.

---
 .../generic-smartgears-virtualhost.j2 | 136 ++++++++++++++++--
 1 file changed, 125 insertions(+), 11 deletions(-)

diff --git a/smartgears/smartgears-nginx-frontend/templates/generic-smartgears-virtualhost.j2 b/smartgears/smartgears-nginx-frontend/templates/generic-smartgears-virtualhost.j2
index e20b786d..71440722 100644
--- a/smartgears/smartgears-nginx-frontend/templates/generic-smartgears-virtualhost.j2
+++ b/smartgears/smartgears-nginx-frontend/templates/generic-smartgears-virtualhost.j2
@@ -1,16 +1,25 @@
 server {
 listen {{ http_port }};
 server_name {{ item.servername }};
- access_log on;
+{% if letsencrypt_acme_install %}
+ location ^~ /.well-known/acme-challenge {
+ proxy_pass http://127.0.0.1:{{ letsencrypt_acme_standalone_port }}/.well-known/acme-challenge;
+ access_log /var/log/nginx/letsencrypt_access.log;
+ error_log /var/log/nginx/letsencrypt_error.log;
+ }
+{% endif %}
+{% if not letsencrypt_acme_install %}
+ access_log /var/log/nginx/{{ item.servername }}_access.log;
+ error_log /var/log/nginx/{{ item.servername }}_error.log;
+ root /usr/share/nginx/html/;
 
- # This is the default for nginx on Ubuntu 12.04
- root /usr/share/nginx/www/;
+ client_max_body_size 100M;
 
 # redirect server error pages to the static page /50x.html
 #
 error_page 500 502 503 504 /50x.html;
 location = /50x.html {
- root /usr/share/nginx/www;
+ root /usr/share/nginx/html;
 }
 
 location = /favicon.ico {
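Review bot: `client_max_body_size 100M;` and the per-host `access_log`/`error_log` lines sit under `{% if not letsencrypt_acme_install %}` (a conditional that is closed in the next hunk), so with Let's Encrypt enabled the plain-HTTP server falls back to nginx's 1m body limit and default log files, and that limit also applies to the `whn-manager` context this server still proxies over HTTP in that mode; moving `client_max_body_size 100M;` and the two log directives above the conditional keeps both modes consistent. The back-to-back `{% if letsencrypt_acme_install %} … {% endif %}` followed by `{% if not letsencrypt_acme_install %}` would read more clearly as a single `{% if %} … {% else %} … {% endif %}` block. The distro note dropped together with the old `root` could be kept as `# This is the default for nginx on Ubuntu 14.04` above `root /usr/share/nginx/html/;`, matching the comment in the HTTPS block.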
@@ -42,17 +51,122 @@ server {
 proxy_connect_timeout {{ nginx_proxy_connect_timeout }};
 proxy_read_timeout {{ nginx_proxy_read_timeout }};
 proxy_send_timeout {{ nginx_proxy_send_timeout }};
-{% for instance in tomcat_m_instances %}
-{% for context in instance.app_contexts %}
+
+ {% if r_connector_install %}
+ location /auth-sign-in {
+ rewrite ^/auth-sign-in http://{{ item.servername }}/r-connector/gcube/service/disconnect;
+ }
+ {% endif %}
+ {% for instance in tomcat_m_instances %}
+ {% for context in instance.app_contexts %}
 location /{{ context }} {
 proxy_pass http://localhost:{{ item.http_port }}/{{ context }};
 }
-{% endfor %}
-{% endfor %}
-{% if smart_executor_install %}
+ {% endfor %}
+ {% endfor %}
+ {% if smart_executor_install %}
 location {{ smart_executor_context }} {
 proxy_pass http://localhost:{{ item.http_port }}{{ smart_executor_context }};
 }
-{% endif %}
-
+ {% endif %}
+ {% if rstudio_install_server %}
+ location / {
+ proxy_pass http://localhost:8787/;
+ }
+ {% endif %}
+ {% else %}
+ {% for context in instance.app_contexts %}
+ {% if context == 'whn-manager' %}
+ location /{{ context }} {
+ proxy_pass http://localhost:{{ item.http_port }}/{{ context }};
+ }
+ {% endif %}
+ {% endfor %}
+ location / {
+ return 301 https://{{ item.servername }}$request_uri;
+ }
+ {% endif %}
+}
+{% if letsencrypt_acme_install %}
+server {
+ listen {{ https_port }} ssl;
+ server_name {{ item.servername }};
+
+ access_log /var/log/nginx/{{ item.servername }}_access_ssl.log;
+ error_log /var/log/nginx/{{ item.servername }}_error_ssl.log;
+
+ # This is the default for nginx on Ubuntu 14.04
+ root /usr/share/nginx/html/;
+
+ client_max_body_size 100M;
+
+ ssl_certificate {{ letsencrypt_acme_certs_dir }}/fullchain;
+ ssl_certificate_key {{ letsencrypt_acme_certs_dir }}/privkey;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
+ ssl_prefer_server_ciphers on;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ add_header Strict-Transport-Security max-age=15768000;
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+ location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ # don't send the nginx version number in error pages and Server header
+ server_tokens off;
+
+ # Proxy stuff
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_buffer_size {{ nginx_proxy_buffer_size }};
+ proxy_buffers {{ nginx_proxy_buffers }};
+ proxy_busy_buffers_size {{ nginx_proxy_busy_buffers_size }};
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_redirect {{ nginx_proxy_redirect }};
+ proxy_buffering {{ nginx_proxy_buffering }};
+ proxy_connect_timeout {{ nginx_proxy_connect_timeout }};
+ proxy_read_timeout {{ nginx_proxy_read_timeout }};
+ proxy_send_timeout {{ nginx_proxy_send_timeout }};
+
+ {% if r_connector_install %}
+ location /auth-sign-in {
+ rewrite ^/auth-sign-in http://{{ item.servername }}/r-connector/gcube/service/disconnect;
+ }
+ {% endif %}
+ {% for instance in tomcat_m_instances %}
+ {% for context in instance.app_contexts %}
+ location /{{ context }} {
+ proxy_pass http://localhost:{{ item.http_port }}/{{ context }};
+ }
+ {% endfor %}
+ {% endfor %}
+ {% if smart_executor_install %}
+ location {{ smart_executor_context }} {
+ proxy_pass http://localhost:{{ item.http_port }}{{ smart_executor_context }};
+ }
+ {% endif %}
+ {% if rstudio_install_server %}
+ location / {
+ proxy_pass http://localhost:8787/;
+ }
+ {% endif %}
+}
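Review bot: The `{% if letsencrypt_acme_install %}` that wraps the new HTTPS `server` block is never closed: the hunk ends on that block's `}` with no trailing context, and the header's 122 new lines end on that same line, so unless an `{% endif %}` exists past the end of this diff the template should fail to render with an unexpected-end-of-template error — append `{% endif %}` after the final `}`. In the `{% else %}` branch of the plain-HTTP server (whose conditional is opened in the first hunk), `{% for context in instance.app_contexts %}` uses `instance`, which is only bound inside the `{% for instance in tomcat_m_instances %}` loop of the other branch, so it needs its own `{% for instance in tomcat_m_instances %}` … `{% endfor %}` wrapper or it will raise an undefined-variable error whenever Let's Encrypt is enabled. Inside the TLS server block, `rewrite ^/auth-sign-in http://{{ item.servername }}/r-connector/gcube/service/disconnect;` sends an HTTPS client back to cleartext (the HSTS header only protects browsers that have already cached it), so the HTTPS copy should read `rewrite ^/auth-sign-in https://{{ item.servername }}/r-connector/gcube/service/disconnect;` or use `$scheme://`. The proxied Tomcat contexts receive `X-Forwarded-For`/`X-Forwarded-Host` but nothing tells them the original scheme; adding `proxy_set_header X-Forwarded-Proto $scheme;` to the "Proxy stuff" list lets the backends emit https URLs and secure cookies instead of mixed content. Finally, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` together with the 3DES (`DES-CBC3-SHA`) and static-RSA `AES*-SHA` entries in `ssl_ciphers` is a compatibility-first profile, and `ssl_stapling_verify on` needs the issuer chain supplied via `ssl_trusted_certificate` for nginx to actually validate OCSP responses — worth confirming both against the expected clients and against the files the letsencrypt role writes into `{{ letsencrypt_acme_certs_dir }}`.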