first commit

2024-09-17 00:47:41 +02:00 · 2024-09-17 00:47:41 +02:00 · 3bfbd3f7f9
commit 3bfbd3f7f9
10 changed files with 329 additions and 0 deletions
--- a/templates/reverse_proxy.conf.j2
+++ b/templates/reverse_proxy.conf.j2
@ -0,0 +1,78 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+
+# generated 2024-03-26, Mozilla Guideline v5.7, nginx 1.22.1, OpenSSL 3.0.11, modern configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.22.1&config=modern&openssl=3.0.11&guideline=5.7
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name {{ item.value.domains | join(' ') }};
+
+    ssl_certificate {{ tls_cert_path }}/{{ item.value.certificate }}.fullchain;
+    ssl_certificate_key {{ tls_cert_path }}/{{ item.value.certificate }}.key;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate {{ tls_cert_path }}/{{ item.value.certificate }}.ca;
+    
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    # modern configuration
+    ssl_protocols TLSv1.3;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    # replace with the IP address of your resolver
+    resolver 127.0.0.1;
+
+    # Logs
+    access_log /var/log/nginx/{{ item.key }}_access.log;
+    error_log /var/log/nginx/{{ item.key }}_error.log warn;
+
+    {% if item.value.sec_headers is not defined or item.value.sec_headers %}
+    # Additional security headers
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP
+    # https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-Content-Type-Options "nosniff";
+    add_header Referrer-Policy "no-referrer";
+    add_header X-XSS-Protection "0";
+    {% endif %}
+    {% if item.value.no_index is not defined or item.value.no_index %}
+    # If you don't want to get indexed
+    add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive, noimageindex";
+    {% endif %}
+    {% if item.value.enable_csp is defined and item.value.enable_csp %}
+    add_header Content-Security-Policy "default-src 'self' {{ item.value.certificate }} *.{{ item.value.certificate }};";
+    {% endif %}
+
+{% for item in item.value.locations %}
+    {% if item.comments is defined %}
+    {% for comment in item.comments %}
+    {{ comment }}
+    {% endfor %}
+    {% endif %}
+    location {% if item.location_name is defined %}{{ item.location_name }}{% else %}/{% endif %} {
+        {% if item.protocol is defined %}
+        proxy_pass {{ item.protocol }}://{{ item.ip }}:{{ item.port }}{% if item.path is defined %}/{{ item.path }}{% endif %};
+        include proxy_params;
+        {% endif %}
+        {% if item.websocket is defined and item.websocket %}
+        include ws_params;
+        {% endif %}
+        {% if item.extra_settings is defined %}
+        {% for extra_setting in item.extra_settings %}
+        {{ extra_setting }}
+        {% endfor %}
+        {% endif %}
+    }
+
+{% endfor %}
+}