first commit
This commit is contained in:
sujiba
commit
3bfbd3f7f9
10 changed files with 329 additions and 0 deletions
11
templates/http_redirect.conf.j2
Normal file
11
templates/http_redirect.conf.j2
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
#jinja2: lstrip_blocks: True
|
||||
# {{ ansible_managed }}
|
||||
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
19
templates/proxy_params.j2
Normal file
19
templates/proxy_params.j2
Normal file
|
|
@ -0,0 +1,19 @@
|
|||
#jinja2: lstrip_blocks: True
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# Set headers
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
{#
|
||||
# Hide headers
|
||||
proxy_hide_header Server;
|
||||
proxy_hide_header X-Powered-By;
|
||||
proxy_hide_header X-Frame-Options;
|
||||
proxy_hide_header X-XSS-Protection;
|
||||
proxy_hide_header Content-Security-Policy;
|
||||
proxy_hide_header Referrer-Policy;
|
||||
proxy_hide_header Strict-Transport-Security;
|
||||
#}
|
||||
78
templates/reverse_proxy.conf.j2
Normal file
78
templates/reverse_proxy.conf.j2
Normal file
|
|
@ -0,0 +1,78 @@
|
|||
#jinja2: lstrip_blocks: True
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# generated 2024-03-26, Mozilla Guideline v5.7, nginx 1.22.1, OpenSSL 3.0.11, modern configuration
|
||||
# https://ssl-config.mozilla.org/#server=nginx&version=1.22.1&config=modern&openssl=3.0.11&guideline=5.7
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name {{ item.value.domains | join(' ') }};
|
||||
|
||||
ssl_certificate {{ tls_cert_path }}/{{ item.value.certificate }}.fullchain;
|
||||
ssl_certificate_key {{ tls_cert_path }}/{{ item.value.certificate }}.key;
|
||||
# verify chain of trust of OCSP response using Root CA and Intermediate certs
|
||||
ssl_trusted_certificate {{ tls_cert_path }}/{{ item.value.certificate }}.ca;
|
||||
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||
ssl_session_tickets off;
|
||||
|
||||
# modern configuration
|
||||
ssl_protocols TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
||||
|
||||
# OCSP stapling
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
# replace with the IP address of your resolver
|
||||
resolver 127.0.0.1;
|
||||
|
||||
# Logs
|
||||
access_log /var/log/nginx/{{ item.key }}_access.log;
|
||||
error_log /var/log/nginx/{{ item.key }}_error.log warn;
|
||||
|
||||
{% if item.value.sec_headers is not defined or item.value.sec_headers %}
|
||||
# Additional security headers
|
||||
# https://developer.mozilla.org/en-US/docs/Web/HTTP
|
||||
# https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
add_header Referrer-Policy "no-referrer";
|
||||
add_header X-XSS-Protection "0";
|
||||
{% endif %}
|
||||
{% if item.value.no_index is not defined or item.value.no_index %}
|
||||
# If you don't want to get indexed
|
||||
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive, noimageindex";
|
||||
{% endif %}
|
||||
{% if item.value.enable_csp is defined and item.value.enable_csp %}
|
||||
add_header Content-Security-Policy "default-src 'self' {{ item.value.certificate }} *.{{ item.value.certificate }};";
|
||||
{% endif %}
|
||||
|
||||
{% for item in item.value.locations %}
|
||||
{% if item.comments is defined %}
|
||||
{% for comment in item.comments %}
|
||||
{{ comment }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
location {% if item.location_name is defined %}{{ item.location_name }}{% else %}/{% endif %} {
|
||||
{% if item.protocol is defined %}
|
||||
proxy_pass {{ item.protocol }}://{{ item.ip }}:{{ item.port }}{% if item.path is defined %}/{{ item.path }}{% endif %};
|
||||
include proxy_params;
|
||||
{% endif %}
|
||||
{% if item.websocket is defined and item.websocket %}
|
||||
include ws_params;
|
||||
{% endif %}
|
||||
{% if item.extra_settings is defined %}
|
||||
{% for extra_setting in item.extra_settings %}
|
||||
{{ extra_setting }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% endfor %}
|
||||
}
|
||||
10
templates/security.conf.j2
Normal file
10
templates/security.conf.j2
Normal file
|
|
@ -0,0 +1,10 @@
|
|||
#jinja2: lstrip_blocks: True
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# Rate limiting
|
||||
# https://blog.nginx.org/blog/rate-limiting-nginx
|
||||
# https://www.techgrube.de/news-und-infos/nginx-rate-limiting-einstellungen-und-funktion
|
||||
limit_req_zone $binary_remote_addr zone=conn_limit:10m rate=5r/s;
|
||||
|
||||
# extras
|
||||
server_tokens off;
|
||||
6
templates/ws_params.j2
Normal file
6
templates/ws_params.j2
Normal file
|
|
@ -0,0 +1,6 @@
|
|||
#jinja2: lstrip_blocks: True
|
||||
# {{ ansible_managed }}
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
Loading…
Add table
Add a link
Reference in a new issue