ansible.roles/nginx.role
1
0
Fork 0
Code Issues Pull requests Releases Activity Actions
nginx.role/templates/reverse_proxy.conf.j2

68 lines
2.6 KiB
Django/Jinja
Raw Permalink Blame History

#jinja2: lstrip_blocks: True
# {{ ansible_managed }}
{% if item.value.cache is defined %}
{{ item.value.cache }}
{% endif %}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ item.value.domains | join(' ') }};
{% if item.value.config_snippet is defined %}
{% for snippet in item.value.config_snippet %}
{{ snippet }}
{% endfor %}
{% endif %}
ssl_certificate {{ tls_cert_path }}/{{ item.value.certificate }}.fullchain;
ssl_certificate_key {{ tls_cert_path }}/{{ item.value.certificate }}.key;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate {{ tls_cert_path }}/{{ item.value.certificate }}.ca;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
# Logs
access_log /var/log/nginx/{{ item.key }}_access.log;
error_log /var/log/nginx/{{ item.key }}_error.log warn;
{% if item.value.sec_headers is not defined or item.value.sec_headers %}
# Additional security headers
# https://developer.mozilla.org/en-US/docs/Web/HTTP
# https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header Referrer-Policy "no-referrer";
add_header X-XSS-Protection "0";
{% endif %}
{% if item.value.no_index is not defined or item.value.no_index %}
# If you don't want to get indexed
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive, noimageindex";
{% endif %}
{% if item.value.enable_csp is defined and item.value.enable_csp %}
add_header Content-Security-Policy "default-src 'self' {{ item.value.certificate }} *.{{ item.value.certificate }};";
{% endif %}
{% for item in item.value.locations %}
{% if item.comments is defined %}
{% for comment in item.comments %}
{{ comment }}
{% endfor %}
{% endif %}
location {% if item.location_name is defined %}{{ item.location_name }}{% else %}/{% endif %} {
{% if item.protocol is defined %}
proxy_pass {{ item.protocol }}://{{ item.ip }}:{{ item.port }}{% if item.path is defined %}{{ item.path }}{% endif %};
include proxy_params;
{% endif %}
{% if item.websocket is defined and item.websocket %}
include ws_params;
{% endif %}
{% if item.extra_settings is defined %}
{% for extra_setting in item.extra_settings %}
{{ extra_setting }}
{% endfor %}
{% endif %}
}
{% endfor %}
}
Reference in a new issue View git blame Copy permalink