Commit 1be84914 authored by Lars Beckers's avatar Lars Beckers

fix unix proxying and minor changes for asta deployment

parent f073d0ac
{% if location.allow_only_networks is defined %} {% if location.allow_only_networks is defined %}
satisfy any; satisfy any;
{% for network in location.allow_only_networks %} {% for network in location.allow_only_networks %}
allow {{network.network}}; # {{network.comment}} allow {{network.network}}; # {{network.comment|default('?')}}
{% endfor %} {% endfor %}
deny all; deny all;
......
...@@ -10,12 +10,20 @@ ...@@ -10,12 +10,20 @@
{% if location.pass_real_ip|default(true) %} {% if location.pass_real_ip|default(true) %}
fastcgi_param REMOTE_ADDR $http_x_real_ip; fastcgi_param REMOTE_ADDR $http_x_real_ip;
{% endif %} {% endif %}
{% if location.index is defined %} fastcgi_index {{location.index|default('index.php')}};
fastcgi_index {{location.index}}; {% if location.pass_user|default(true) %}
{% endif %}
{% if location.pass_user is defined and location.pass_user %}
fastcgi_param REMOTE_USER $remote_user; fastcgi_param REMOTE_USER $remote_user;
{% endif %} {% endif %}
proxy_set_header Host {{server.server_name}};
{% if server.forward_http|default(true) %}
fastcgi_param HTTPS on;
fastcgi_param REQUEST_SCHEME https;
proxy_set_header X-Forwarded-Proto https;
{% else %}
proxy_set_header X-Forwarded-Proto $scheme;
{% endif %}
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
fastcgi_pass {{location.socket}}; fastcgi_pass {{location.socket}};
{% include "location-nested" %} {% include "location-nested" %}
} }
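Review bot: The four `proxy_set_header` lines inserted between the `REMOTE_USER` param and `fastcgi_pass` are dead configuration in this location — nginx applies `proxy_set_header` only to `proxy_pass` upstreams, and the same lines are emitted in the uwsgi location further down, where `uwsgi_pass` ignores them as well. The scheme is already handed to the FastCGI backend by the new `fastcgi_param HTTPS on;` / `fastcgi_param REQUEST_SCHEME https;` pair, so the `proxy_set_header` lines can simply be dropped here. Note that those two params now assert TLS whenever `server.forward_http` is unset; that is accurate only if plain-HTTP requests never reach this location (e.g. port 80 redirects), otherwise `$https`/`$scheme` keep the values truthful. Also, `location.pass_user|default(true)` turns REMOTE_USER from opt-in into opt-out, which changes what existing inventories without that key send to their backends. The enclosing location block begins outside the hunk.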
...@@ -16,16 +16,18 @@ ...@@ -16,16 +16,18 @@
{% elif server.port is defined %} {% elif server.port is defined %}
proxy_pass http://127.0.0.1:{{server.port}}{% if not location.proxy_relative|default(false) %}/{% endif %}; proxy_pass http://127.0.0.1:{{server.port}}{% if not location.proxy_relative|default(false) %}/{% endif %};
{% elif location.proxy_unix is defined %} {% elif location.proxy_unix is defined %}
proxy_pass http://unix:{{location.proxy_unix}}; proxy_pass http://unix:{{location.proxy_unix}}{% if not location.proxy_relative|default(false) %}:/{% endif %};
{% else %} {% else %}
proxy_pass http://unix:{{server.socket|default('/run/nginx/' ~ server.server_name ~ '.sock')}}; proxy_pass http://unix:{{server.socket|default('/run/nginx/' ~ server.server_name ~ '.sock')}}{% if not location.proxy_relative|default(false) %}:/{% endif %};
{% endif %} {% endif %}
{% if location.pass_ip|default(true) %}
proxy_set_header Host {{server.server_name}}; proxy_set_header Host {{server.server_name}};
proxy_set_header X-Real-IP $remote_addr; {% if server.forward_http|default(true) %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https;
{% else %}
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
{% endif %} {% endif %}
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
{% if location.proxy_headers is defined %} {% if location.proxy_headers is defined %}
{% for key, value in location.proxy_headers.items() %} {% for key, value in location.proxy_headers.items() %}
......
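Review bot: `proxy_set_header X-Forwarded-Proto https;` in the `server.forward_http` branch tells the backend the request was TLS regardless of how it actually arrived; if this server also accepts plain HTTP (the `listen` lines are not visible here), the backend sees a false https claim, so `proxy_set_header X-Forwarded-Proto $scheme;` in both branches is the safer choice unless forward_http guarantees a redirect. The removal of the `location.pass_ip` switch makes X-Real-IP and X-Forwarded-For unconditional; inventories that still set `pass_ip: false` silently lose that option, which deserves a mention in the commit description. The `:/` suffix on the unix-socket `proxy_pass` lines is the correct nginx form for a socket URI with a path. The enclosing location block begins outside the hunk.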
...@@ -5,17 +5,19 @@ ...@@ -5,17 +5,19 @@
{% include "location-params" -%} {% include "location-params" -%}
{%- include "location-limit-networks" -%} {%- include "location-limit-networks" -%}
{%- include "location-auth" -%} {%- include "location-auth" -%}
{% if location.pass_ip|default(true) %}
proxy_set_header Host {{server.server_name}}; proxy_set_header Host {{server.server_name}};
proxy_set_header X-Real-IP $remote_addr; {% if location.pass_real_ip|default(false) %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
{% endif %}
{% if location.pass_real_ip|default(true) %}
proxy_set_header Host {{server.server_name}};
proxy_set_header X-Real-IP $realip_remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
uwsgi_param REMOTE_ADDR $realip_remote_addr; uwsgi_param REMOTE_ADDR $realip_remote_addr;
{% endif %} {% endif %}
{% if server.forward_http|default(true) %}
uwsgi_param HTTPS on;
uwsgi_param REQUEST_SCHEME https;
proxy_set_header X-Forwarded-Proto https;
{% else %}
proxy_set_header X-Forwarded-Proto $scheme;
{% endif %}
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
uwsgi_pass {{location.socket}}; uwsgi_pass {{location.socket}};
{% include "location-nested" %} {% include "location-nested" %}
} }
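Review bot: Flipping `location.pass_real_ip` to `default(true)` makes `uwsgi_param REMOTE_ADDR $realip_remote_addr;` active for every uwsgi location, and on a host where the real_ip module rewrites the peer address (this commit adds `set_real_ip_from` entries to the backend config) `$realip_remote_addr` holds the address before rewriting — the proxy — while `$remote_addr` holds the recovered client address. The application would then get the proxy in REMOTE_ADDR while the `X-Real-IP` header on the same block carries the client; if the client address is intended, `uwsgi_param REMOTE_ADDR $remote_addr;` is the consistent choice, so please verify which host renders this template. The `proxy_set_header` lines emitted here have no effect behind `uwsgi_pass`. The enclosing location block begins outside the hunk.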
...@@ -11,8 +11,6 @@ events { ...@@ -11,8 +11,6 @@ events {
} }
http { http {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_body_temp_path /var/lib/nginx-proxy/body-temp; client_body_temp_path /var/lib/nginx-proxy/body-temp;
fastcgi_cache_path /var/lib/nginx-proxy/fastcgi-cache keys_zone=one:10m; fastcgi_cache_path /var/lib/nginx-proxy/fastcgi-cache keys_zone=one:10m;
fastcgi_temp_path /var/lib/nginx-proxy/fastcgi-temp; fastcgi_temp_path /var/lib/nginx-proxy/fastcgi-temp;
...@@ -40,7 +38,7 @@ http { ...@@ -40,7 +38,7 @@ http {
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
default_type application/octet-stream; default_type application/octet-stream;
resolver {{nameservers|join(" ")}}; resolver {{nameservers|join(" ")}} ipv6={{ webserver_enable_ipv6 }};
## ##
# SSL Settings # SSL Settings
...@@ -49,7 +47,7 @@ http { ...@@ -49,7 +47,7 @@ http {
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
ssl_session_tickets off; ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE ssl_protocols '{{protocols[cipher_strength]}}';
ssl_ciphers '{{ciphers[cipher_strength]}}'; ssl_ciphers '{{ciphers[cipher_strength]}}';
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000; add_header Strict-Transport-Security max-age=15768000;
......
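Review bot: `ssl_protocols '{{protocols[cipher_strength]}}';` hands nginx the whole value as one quoted argument, but ssl_protocols expects each protocol as a separate token; a single argument such as `'TLSv1 TLSv1.1 TLSv1.2'` (the `intermediate` value added in the vars file) is, as far as I know, rejected as an invalid value by `nginx -t`, while the single-token `modern` value happens to pass. Drop the quotes: `ssl_protocols {{protocols[cipher_strength]}};`. The same quoting appears in the backend main config hunk and in the per-server `ssl_protocols '{{protocols[server.cipher_strength]}}';` hunk below. The new `resolver ... ipv6={{ webserver_enable_ipv6 }};` also assumes the variable renders literally as `on`/`off`; a YAML boolean renders as `True`/`False` under Jinja, which nginx rejects, so confirm how that variable is defined.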
...@@ -11,6 +11,8 @@ events { ...@@ -11,6 +11,8 @@ events {
http { http {
set_real_ip_from 127.0.0.1; set_real_ip_from 127.0.0.1;
set_real_ip_from unix:;
real_ip_recursive on;
## ##
# Basic Settings # Basic Settings
...@@ -29,7 +31,7 @@ http { ...@@ -29,7 +31,7 @@ http {
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
default_type application/octet-stream; default_type application/octet-stream;
resolver {{nameservers|join(" ")}}; resolver {{nameservers|join(" ")}} ipv6={{ webserver_enable_ipv6 }};
## ##
# SSL Settings # SSL Settings
...@@ -38,7 +40,7 @@ http { ...@@ -38,7 +40,7 @@ http {
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
ssl_session_tickets off; ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE ssl_protocols '{{protocols[cipher_strength]}}';
ssl_ciphers '{{ciphers[cipher_strength]}}'; ssl_ciphers '{{ciphers[cipher_strength]}}';
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
#add_header Strict-Transport-Security max-age=15768000; # Only in proxy #add_header Strict-Transport-Security max-age=15768000; # Only in proxy
......
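Review bot: `set_real_ip_from unix:;` together with `real_ip_recursive on;` trusts every peer that reaches this server over a unix socket to supply the client address, so any local process able to connect to the listening socket can choose what ends up in `$remote_addr`, the access log and any `allow`/`deny` evaluation. That is acceptable when only the local proxy can reach the socket, but it should be pinned down by ownership/mode on the `listen unix:` directive (not visible in this hunk) and stated next to the directive, e.g. `# only the local nginx-proxy may connect to the socket; it is trusted for the real-ip header`. No `real_ip_header` line is in the hunk, so I assume the default X-Real-IP is in use; if X-Forwarded-For is meant, `real_ip_recursive on` only does something useful with that header.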
...@@ -13,11 +13,6 @@ server { ...@@ -13,11 +13,6 @@ server {
index {{server.indices|join(" ")}}; index {{server.indices|join(" ")}};
{% endif %} {% endif %}
{% if server.include_acme|default(true) %}
include /etc/nginx/snippets/acmetool.conf;
{% endif -%}
location / { location / {
try_files $uri $uri/ @rewrite; try_files $uri $uri/ @rewrite;
} }
......
...@@ -14,6 +14,7 @@ server { ...@@ -14,6 +14,7 @@ server {
{% include "ssl-certificate" %} {% include "ssl-certificate" %}
{% endif %} {% endif %}
{% if server.cipher_strength is defined -%} {% if server.cipher_strength is defined -%}
ssl_protocols '{{protocols[server.cipher_strength]}}';
ssl_ciphers '{{ciphers[server.cipher_strength]}}'; ssl_ciphers '{{ciphers[server.cipher_strength]}}';
{% endif %} {% endif %}
{% if server.use_sso is defined and server.use_sso %} {% if server.use_sso is defined and server.use_sso %}
......
...@@ -18,10 +18,6 @@ server { ...@@ -18,10 +18,6 @@ server {
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if server.include_acme|default(true) %}
include /etc/nginx/snippets/acmetool.conf;
{% endif -%}
{% set server = server %} {% set server = server %}
{% for location in server.internal_locations %} {% for location in server.internal_locations %}
{% include "locations/%s.conf"|format(location.type) %} {% include "locations/%s.conf"|format(location.type) %}
......
--- ---
# yamllint disable rule:line-length # yamllint disable rule:line-length
protocols:
modern: 'TLSv1.2'
intermediate: 'TLSv1 TLSv1.1 TLSv1.2'
ciphers: ciphers:
modern: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256' modern: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
intermediate: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS' intermediate: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'
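Review bot: The new `protocols.intermediate` entry keeps TLSv1 and TLSv1.1 enabled, and the paired `ciphers.intermediate` list still carries the 3DES suites (`*-DES-CBC3-SHA`); both are deprecated, which is the whole reason this profile exists, so a comment naming which clients still require it and when it is to be revisited would help operators pick the right key, e.g. `# intermediate: legacy clients only (TLSv1/1.1, 3DES); review before <REVIEW DATE>`. The quotes here are only YAML string quoting; the value must reach the `ssl_protocols` directive unquoted because that directive takes one token per protocol.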