
ansible_role_nginx's Introduction


Nginx

This role is built to deploy Nginx on Ubuntu 16.04.

Requirements

Ansible 2.4


Configuration

All options in this section are configured as defaults for Nginx and are defined in defaults.yml so that they can easily be overridden within the playbook.

Self Signed Cert Generation

The role has an option to generate a self-signed TLS certificate for testing. It is set to false by default so that no self-signed certificate is created unless you ask for one; use a CA-issued certificate for anything clients are expected to trust.

selfsigned_cert: false # Generate self signed SSL cert.

Configuration Files

All options in this section are configured as defaults for Nginx and are defined in defaults.yml so that they can easily be overridden within the playbook.

This role currently creates three conf files.

  • nginx.conf
  • general.conf
  • server.conf (vhost)

nginx.conf

This file contains the global options for the Nginx service. Note that the OCSP resolver below defaults to public resolvers (Google and OpenDNS); override resolver if your hosts must use an internal one.

# Service
nginx_user: www-data
worker_processes: auto
nginx_pid_file: /var/run/nginx.pid
worker_rlimit_nofile: 8192

# Events
event_multi_accept: "on"
worker_connections: 4096

# http
charset: utf-8
sendfile: "on"
tcp_nopush: "on"
tcp_nodelay: "on"
types_hash_max_size: 2048
client_max_body_size: 16M
server_tokens: "off"

# MIME
include: mime.types
default_type: application/octet-stream

# Logging
access_log: /var/log/nginx/access.log
error_log: /var/log/nginx/error.log warn

# Limits
limit_req_log_level: warn
limit_req_zone: $binary_remote_addr zone=login:10m rate=10r/m

# SSL
ssl_session_timeout: 1d
ssl_session_cache: shared:SSL:50m
ssl_session_tickets: "off"

# Modern Config
ssl_protocols: TLSv1.2
ssl_ciphers: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl_prefer_server_ciphers: "on"

# OCSP Stapling
stapling: "on"
stapling_verify: "on"
resolver: 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s
resolver_timeout: 2s

# Load Configs
conf_files: /etc/nginx/conf.d/*.conf
sites_enabled: /etc/nginx/sites-enabled/*

general.conf

This conf file sets the security headers, denies access to dotfiles such as .git or .htaccess, and configures compression. Note that the default Content-Security-Policy below (default-src * together with 'unsafe-inline' and 'unsafe-eval') permits everything a strict policy is meant to block, so it gives no protection on its own; override header_options with a policy written for your application.

# Security Headers
header_options: |
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-XSS-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header Referrer-Policy "no-referrer-when-downgrade" always;
  add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# . files
dot_file_location: "deny all"

# Assets media
media_expires: 7d
media_access_log: "off"

# svg, fonts
fonts_headrer_options: 'Access-Control-Allow-Origin "*"'
fonts_expire: 78
fonts_access_log: "off"

# Gzip
gzip_status: "on"
gzip_vary: "on"
gzip_proxied: any
gzip_comp_level: 6
gzip_types: 'text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml'

**NOTE:** This file is likely to be deprecated in the future when I have time to rewrite the conf file tasks.
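The nginx.conf TLS values and the general.conf header block above are worth checking mechanically before the role goes anywhere near production. The script below is an added example, not part of the ecaepp.nginx role: it takes ssl_protocols, ssl_ciphers and header_options exactly as printed in this README (copied inline as constants), parses them with the standard library only, and reports what a reviewer would flag: the four CBC suites at the tail of ssl_ciphers, the deprecated X-XSS-Protection header, and a Content-Security-Policy whose default-src * with 'unsafe-inline' and 'unsafe-eval' cannot block injected script. The helper names (audit_ciphers, audit_csp, audit_headers), the one-year HSTS threshold and the wording of the findings are mine.

```python
"""Audit the TLS and header defaults printed in this README.

Added example, not part of the ecaepp.nginx role. Standard library only.
"""
import re

# Values copied verbatim from the README's nginx.conf and general.conf sections.
SSL_PROTOCOLS = "TLSv1.2"
SSL_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)
HEADER_OPTIONS = """
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
"""

ADD_HEADER_RE = re.compile(r'^\s*add_header\s+(\S+)\s+"([^"]*)"(\s+always)?\s*;')
ONE_YEAR = 31536000  # threshold chosen for this example


def parse_headers(block):
    """Map lower-cased header name -> (value, has_always) from add_header lines."""
    headers = {}
    for line in block.splitlines():
        m = ADD_HEADER_RE.match(line)
        if m:
            headers[m.group(1).lower()] = (m.group(2), m.group(3) is not None)
    return headers


def audit_protocols(protocols):
    legacy = set(protocols.split()) & {"SSLv3", "TLSv1", "TLSv1.1"}
    return ["legacy protocols enabled: " + ", ".join(sorted(legacy))] if legacy else []


def audit_ciphers(cipher_string):
    suites = cipher_string.split(":")
    findings = []
    # AEAD suites are GCM or ChaCha20-Poly1305; anything else in this list is CBC.
    cbc = [s for s in suites if "GCM" not in s and "POLY1305" not in s]
    if cbc:
        findings.append("non-AEAD (CBC) suites present: " + ", ".join(cbc))
    no_fs = [s for s in suites if not s.startswith(("ECDHE-", "DHE-"))]
    if no_fs:
        findings.append("suites without forward secrecy: " + ", ".join(no_fs))
    return findings


def audit_csp(value):
    """Flag a policy that cannot stop injected script."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    # script-src falls back to default-src when absent.
    script_src = directives.get("script-src", directives.get("default-src", []))
    findings = []
    if "*" in script_src:
        findings.append("CSP allows script from any origin (*)")
    findings += [f"CSP permits {t}" for t in ("'unsafe-inline'", "'unsafe-eval'") if t in script_src]
    return findings


def audit_headers(block):
    headers = parse_headers(block)
    findings = []
    if "x-xss-protection" in headers:
        findings.append("X-XSS-Protection is deprecated; current browsers ignore it")
    if "content-security-policy" in headers:
        findings += audit_csp(headers["content-security-policy"][0])
    if "strict-transport-security" in headers:
        m = re.search(r"max-age=(\d+)", headers["strict-transport-security"][0])
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age is below one year")
    findings += [f"{n} lacks 'always' (not sent on error responses)"
                 for n, (_, always) in headers.items() if not always]
    return findings


def audit_role_defaults():
    """Run every check against the README values; empty lists mean clean."""
    return {
        "protocols": audit_protocols(SSL_PROTOCOLS),
        "ciphers": audit_ciphers(SSL_CIPHERS),
        "headers": audit_headers(HEADER_OPTIONS),
    }


if __name__ == "__main__":
    for area, items in audit_role_defaults().items():
        print(f"{area}: {'ok' if not items else ''}")
        for item in items:
            print("  -", item)
```

Run it with python3 and swap in the values you override from the playbook to re-check after tightening. On the README defaults the protocol check is clean, the cipher check reports the four CBC suites, and the header check reports the deprecated X-XSS-Protection header plus three CSP findings; a policy such as default-src 'self'; script-src 'self' passes the CSP check and is the minimum worth shipping.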

server.conf

This file configures Nginx to actually serve the web application. The role generates it from a template in the task file tasks/configure.yml.

Currently the options below are required for Nginx to be able to run the app:

  • server_name
  • listen_port
  • root_dir
  • index_name
vhost:
  - server_name: test.com
    listen_port: 80
    root_dir: /var/www
    index_name: index.html

    ssl:
      cert_dir: /etc/nginx/ssl
      crt: '/etc/nginx/ssl/server.crt'
      key: '/etc/nginx/ssl/server.key'

    security_headers:
      transport_security: Strict-Transport-Security "max-age=15768000; includeSubDomains"
      xframe_options: X-Frame-Options SAMEORIGIN

    try_files: '$uri $uri/'

    fastcgi_php:
      fastcgi_split_path_info: fastcgi_split_path_info ^(.+\.php)(/.+)$
      fastcgi_pass: 'fastcgi_pass unix:/var/run/php7.0-fpm.sock'
      fastcgi_index: fastcgi_index index.php
      include_fastcgi: include fastcgi.conf

Example Playbook

An example of how to use the role with variables passed in as parameters:

playbook.yml

- hosts: servers
  roles:
    - { role: ecaepp.nginx }

  vars:
    vhost:
      - server_name: test.com
        listen_port: 80
        root_dir: /var/www/someapp/app/webroot/
        index_name: index.html

        ssl:
          cert_dir: /etc/nginx/ssl
          crt: '/etc/nginx/ssl/someapp.com.crt'
          key: '/etc/nginx/ssl/someapp.com.key'

        security_headers:
          transport_security: Strict-Transport-Security "max-age=15768000; includeSubDomains"
          xframe_options: X-Frame-Options SAMEORIGIN

        try_files: '$uri $uri/ /index.html'
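To make concrete what the vhost keys in the server.conf section and the playbook above turn into, here is an added example renderer, written for this page and not the role's tasks/configure.yml template (which is not shown here): it takes the vhost dictionary from the server.conf section (constructed inline), insists on the four required keys, and emits an nginx server block. Two choices in it are assumptions rather than documented role behaviour: when an ssl sub-dict is present it listens on 443 and turns listen_port into an HTTPS redirect, and the PHP location gets try_files $uri =404 ahead of fastcgi_pass so that a request such as /uploads/pic.jpg/x.php cannot be handed to PHP-FPM as pic.jpg through PATH_INFO when cgi.fix_pathinfo is left at 1.

```python
"""Render an nginx server block from the role's `vhost` structure.

Added example for this README, not the role's own Jinja template.
"""

# Constructed input, mirroring the README's server.conf example.
VHOST = {
    "server_name": "test.com",
    "listen_port": 80,
    "root_dir": "/var/www",
    "index_name": "index.html",
    "ssl": {
        "cert_dir": "/etc/nginx/ssl",
        "crt": "/etc/nginx/ssl/server.crt",
        "key": "/etc/nginx/ssl/server.key",
    },
    "security_headers": {
        "transport_security": 'Strict-Transport-Security "max-age=15768000; includeSubDomains"',
        "xframe_options": "X-Frame-Options SAMEORIGIN",
    },
    "try_files": "$uri $uri/",
    "fastcgi_php": {
        "fastcgi_split_path_info": r"fastcgi_split_path_info ^(.+\.php)(/.+)$",
        "fastcgi_pass": "fastcgi_pass unix:/var/run/php7.0-fpm.sock",
        "fastcgi_index": "fastcgi_index index.php",
        "include_fastcgi": "include fastcgi.conf",
    },
}

# The four keys the README says every vhost needs.
REQUIRED = ("server_name", "listen_port", "root_dir", "index_name")


def render_vhost(vhost):
    """Return the nginx config text for one vhost dict."""
    missing = [k for k in REQUIRED if k not in vhost]
    if missing:
        raise ValueError("vhost is missing required keys: " + ", ".join(missing))

    ssl = vhost.get("ssl")
    lines = ["server {"]
    if ssl:
        # Assumption (not taken from the role): an ssl block means the site is
        # served on 443 and listen_port only redirects to HTTPS (second block below).
        lines += [
            "    listen 443 ssl;",
            f"    ssl_certificate {ssl['crt']};",
            f"    ssl_certificate_key {ssl['key']};",
        ]
    else:
        lines.append(f"    listen {vhost['listen_port']};")
    lines += [
        f"    server_name {vhost['server_name']};",
        f"    root {vhost['root_dir']};",
        f"    index {vhost['index_name']};",
    ]
    # security_headers values already carry "Name value", as in the README.
    for directive in vhost.get("security_headers", {}).values():
        lines.append(f"    add_header {directive} always;")
    lines += [
        "    location / {",
        f"        try_files {vhost.get('try_files', '$uri $uri/')};",
        "    }",
    ]

    php = vhost.get("fastcgi_php")
    if php:
        lines += [
            "    location ~ \\.php$ {",
            # Guard added here, not in the README: refuse paths that do not exist
            # on disk before handing anything to PHP-FPM, so /uploads/pic.jpg/x.php
            # cannot be executed as pic.jpg through PATH_INFO when cgi.fix_pathinfo=1.
            "        try_files $uri =404;",
        ]
        lines += [f"        {directive};" for directive in php.values()]
        lines.append("    }")
    lines.append("}")

    if ssl:
        lines += [
            "server {",
            f"    listen {vhost['listen_port']};",
            f"    server_name {vhost['server_name']};",
            "    return 301 https://$host$request_uri;",
            "}",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_vhost(VHOST))
```

Drop the ssl and fastcgi_php keys from VHOST to see the plain HTTP variant; the function raises ValueError naming any of the four required keys that are absent, which is the check worth carrying into the role's own template.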

License

MIT


ansible_role_nginx's Issues

Build Failure - ansible-lint

--> Executing Ansible Lint on /home/travis/build/ecaepp/ansible_role_nginx/molecule/default/playbook.yml...
    [206] Variables should have spaces before and after: {{ var_name }}
    /home/travis/build/ecaepp/ansible_role_nginx/tasks/installation.yml:24
        repo: "{{ nginx_repo_url }} {{ansible_distribution_release }} nginx "
    
    [601] Don't compare to literal True/False
    /home/travis/build/ecaepp/ansible_role_nginx/tasks/main.yml:10
      when: selfsigned_cert == true
