stargate-cluster/vm-ansible
stargate-cluster/vm-ansible
1
0
Fork 0
Code Pull Requests Releases Activity

improve nginx security

Browse Source
This commit is contained in:
Torma Kristóf 2022-05-28 19:07:15 +02:00
parent b7d81dc75e
commit ca1aa3dc5e
6 changed files with 29 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
host_vars/nextcloud.yaml
View File

@ -1,3 +1,7 @@
--- ---
ansible_host: nextcloud.intra.tormakris.dev ansible_host: nextcloud.intra.tormakris.dev
webserver:
- domain: "nextcloud.tormakristof.eu"
port: 8080
bigrequests: true
... ...

2
host_vars/nexus.yaml
View File

@ -3,6 +3,8 @@ ansible_host: nexus.intra.tormakris.dev
webserver: webserver:
- domain: "nexus.kmlabz.com" - domain: "nexus.kmlabz.com"
port: 8080 port: 8080
bigrequests: true
- domain: "registry.kmlabz.com" - domain: "registry.kmlabz.com"
port: 4269 port: 4269
bigrequests: true
... ...

7
roles/webgateway/templates/nginx.conf
View File

@ -47,7 +47,6 @@ http {
proxy_set_header Connection $http_connection; proxy_set_header Connection $http_connection;
proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Proto https;
proxy_ssl_server_name on; proxy_ssl_server_name on;
client_max_body_size 8G;
client_body_buffer_size 128k; client_body_buffer_size 128k;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_send_timeout 120; proxy_send_timeout 120;
@ -57,6 +56,7 @@ http {
proxy_busy_buffers_size 256k; proxy_busy_buffers_size 256k;
proxy_buffering off; proxy_buffering off;
proxy_request_buffering off; proxy_request_buffering off;
server_tokens off;
server { server {
@ -74,6 +74,11 @@ http {
proxy_ssl_name {{ proxysite.domain}}; proxy_ssl_name {{ proxysite.domain}};
ssl_certificate /etc/letsencrypt/live/{{ proxysite.domain }}/fullchain.pem; ssl_certificate /etc/letsencrypt/live/{{ proxysite.domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ proxysite.domain }}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/{{ proxysite.domain }}/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
{%- if proxysite.bigrequests %}
client_max_body_size 8G;
{%- endif %}
location /{ location /{
proxy_pass https://{{ proxysite.ip }}; proxy_pass https://{{ proxysite.ip }};
proxy_ssl_verify off; proxy_ssl_verify off;

25
roles/webgateway/vars/main.yaml
View File

@ -1,17 +1,16 @@
proxy: proxy:
- {domain: bitwarden.tormakristof.eu, ip: bitwarden.intra.tormakris.dev} - {domain: bitwarden.tormakristof.eu, ip: bitwarden.intra.tormakris.dev, bigrequests: false}
- {domain: nextcloud.tormakristof.eu, ip: nextcloud.intra.tormakris.dev} - {domain: nextcloud.tormakristof.eu, ip: nextcloud.intra.tormakris.dev, bigrequests: true}
- {domain: drone.kmlabz.com, ip: drone.intra.tormakris.dev} - {domain: drone.kmlabz.com, ip: drone.intra.tormakris.dev, bigrequests: false}
- {domain: git.kmlabz.com, ip: git.intra.tormakris.dev} - {domain: git.kmlabz.com, ip: git.intra.tormakris.dev, bigrequests: false}
- {domain: guacamole.tormakristof.eu, ip: guacamole.intra.tormakris.dev} - {domain: guacamole.tormakristof.eu, ip: guacamole.intra.tormakris.dev, bigrequests: false}
- {domain: matrix.tormakristof.eu, ip: matrix.intra.tormakris.dev} - {domain: matrix.tormakristof.eu, ip: matrix.intra.tormakris.dev, bigrequests: false}
- {domain: chat.tormakristof.eu, ip: matrix.intra.tormakris.dev} - {domain: chat.tormakristof.eu, ip: matrix.intra.tormakris.dev, bigrequests: false}
- {domain: nexus.kmlabz.com, ip: nexus.intra.tormakris.dev} - {domain: nexus.kmlabz.com, ip: nexus.intra.tormakris.dev, bigrequests: true}
- {domain: registry.kmlabz.com, ip: nexus.intra.tormakris.dev} - {domain: registry.kmlabz.com, ip: nexus.intra.tormakris.dev, bigrequests: true}
- {domain: swagger.kmlabz.com, ip: swagger.intra.tormakris.dev} - {domain: swagger.kmlabz.com, ip: swagger.intra.tormakris.dev, bigrequests: false}
- {domain: fs.tormakristof.eu, ip: adfs.intra.tormakris.dev} - {domain: fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false}
- {domain: certauth.fs.tormakristof.eu, ip: adfs.intra.tormakris.dev} - {domain: certauth.fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false}
- {domain: certauth.fs.tormakris.dev, ip: adfs.intra.tormakris.dev}
static: static:
[] []

1
roles/webserver/defaults/main.yaml
View File

@ -1,4 +1,5 @@
webserver: webserver:
- domain: "_" - domain: "_"
port: 8080 port: 8080
bigrequests: false
... ...

5
roles/webserver/templates/nginx.conf
View File

@ -43,7 +43,6 @@ http {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection; proxy_set_header Connection $http_connection;
client_max_body_size 8G;
client_body_buffer_size 128k; client_body_buffer_size 128k;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_send_timeout 120; proxy_send_timeout 120;
@ -53,6 +52,7 @@ http {
proxy_busy_buffers_size 256k; proxy_busy_buffers_size 256k;
proxy_buffering off; proxy_buffering off;
proxy_request_buffering off; proxy_request_buffering off;
server_tokens off;
server { server {
@ -69,6 +69,9 @@ http {
server_name {{ server.domain }}; server_name {{ server.domain }};
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
{%- if server.bigrequests %}
client_max_body_size 8G;
{%- endif %}
location /{ location /{
proxy_pass http://127.0.0.1:{{ server.port }}; proxy_pass http://127.0.0.1:{{ server.port }};
} }