Catching up Webserver config
This commit is contained in:
parent
72a62b63eb
commit
890e20c64c
@ -1,21 +1,12 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
server_name default_server;
|
server_name default_server;
|
||||||
include sec.conf;
|
|
||||||
include letsencrypt.conf;
|
|
||||||
include default.csp.conf;
|
|
||||||
rewrite ^/(.*)$ https://aninix.net/$1 permanent;
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
server_name aninix.net;
|
|
||||||
|
|
||||||
include sec.conf;
|
include sec.conf;
|
||||||
include letsencrypt.conf;
|
|
||||||
include default.csp.conf;
|
include default.csp.conf;
|
||||||
|
|
||||||
|
include letsencrypt.conf;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
|
||||||
rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html;
|
rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html;
|
||||||
@ -54,3 +45,16 @@ server {
|
|||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
server_name foundation.aninix.net;
|
||||||
|
include sec.conf;
|
||||||
|
include letsencrypt.conf;
|
||||||
|
include default.csp.conf;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
rewrite ^/(.*)$ https://aninix.net/$1 permanent;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
@ -4,7 +4,6 @@ server {
|
|||||||
|
|
||||||
include sec.conf;
|
include sec.conf;
|
||||||
include default.csp.conf;
|
include default.csp.conf;
|
||||||
include letsencrypt.conf;
|
|
||||||
|
|
||||||
location /
|
location /
|
||||||
{
|
{
|
||||||
@ -19,4 +18,7 @@ server {
|
|||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Real-PORT $remote_port;
|
proxy_set_header X-Real-PORT $remote_port;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
include letsencrypt.conf;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -2,7 +2,7 @@ server {
|
|||||||
listen 443 ssl;
|
listen 443 ssl;
|
||||||
server_name lykos.aninix.net;
|
server_name lykos.aninix.net;
|
||||||
|
|
||||||
include letsencrypt.conf;
|
# include local.conf;
|
||||||
|
|
||||||
root /usr/share/webapps/;
|
root /usr/share/webapps/;
|
||||||
|
|
||||||
@ -34,4 +34,6 @@ server {
|
|||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
include letsencrypt.conf;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -6,6 +6,7 @@ server {
|
|||||||
include default.csp.conf;
|
include default.csp.conf;
|
||||||
include letsencrypt.conf;
|
include letsencrypt.conf;
|
||||||
|
|
||||||
|
location / {
|
||||||
root /usr/share/webapps/self-service-password/htdocs/;
|
root /usr/share/webapps/self-service-password/htdocs/;
|
||||||
|
|
||||||
# https://ltb-project.org/documentation/self-service-password/1.3/config_nginx
|
# https://ltb-project.org/documentation/self-service-password/1.3/config_nginx
|
||||||
@ -28,6 +29,7 @@ server {
|
|||||||
#access_log /dev/stdout info;
|
#access_log /dev/stdout info;
|
||||||
|
|
||||||
include ../conf.d/fastcgi.config;
|
include ../conf.d/fastcgi.config;
|
||||||
|
}
|
||||||
|
|
||||||
# deny access to . files, for security
|
# deny access to . files, for security
|
||||||
#
|
#
|
||||||
|
14
roles/WebServer/files/conf.d/Core/travelpawscvt.com.conf
Normal file
14
roles/WebServer/files/conf.d/Core/travelpawscvt.com.conf
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name travelpawscvt.com;
|
||||||
|
|
||||||
|
#include local.conf;
|
||||||
|
include letsencrypt.conf;
|
||||||
|
include ../conf.d/fastcgi.config;
|
||||||
|
|
||||||
|
root /opt/travelpawscvt;
|
||||||
|
|
||||||
|
client_max_body_size 5m;
|
||||||
|
client_body_timeout 60;
|
||||||
|
|
||||||
|
}
|
@ -4,7 +4,6 @@ server {
|
|||||||
|
|
||||||
include sec.conf;
|
include sec.conf;
|
||||||
include default.csp.conf;
|
include default.csp.conf;
|
||||||
include letsencrypt.conf;
|
|
||||||
|
|
||||||
location /
|
location /
|
||||||
{
|
{
|
||||||
@ -12,4 +11,6 @@ server {
|
|||||||
autoindex on;
|
autoindex on;
|
||||||
autoindex_format html;
|
autoindex_format html;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
include letsencrypt.conf;
|
||||||
}
|
}
|
||||||
|
@ -1,5 +1,4 @@
|
|||||||
location ~ ^/.well-known/acme-challenge
|
location /.well-known/acme-challenge {
|
||||||
{
|
|
||||||
allow all;
|
allow all;
|
||||||
root /var/lib/letsencrypt/;
|
root /var/lib/letsencrypt/;
|
||||||
default_type "text/plain";
|
default_type "text/plain";
|
||||||
|
@ -53,6 +53,17 @@
|
|||||||
mode: 0660
|
mode: 0660
|
||||||
register: conf
|
register: conf
|
||||||
|
|
||||||
|
- name: Populate security config
|
||||||
|
become: yes
|
||||||
|
template:
|
||||||
|
src: sec.conf.j2
|
||||||
|
dest: /opt/openresty/nginx/conf/sec.conf
|
||||||
|
owner: http
|
||||||
|
group: http
|
||||||
|
mode: 0660
|
||||||
|
register: secconf
|
||||||
|
|
||||||
|
|
||||||
- name: Ensure default openresty service file is off.
|
- name: Ensure default openresty service file is off.
|
||||||
become: yes
|
become: yes
|
||||||
service:
|
service:
|
||||||
@ -62,7 +73,7 @@
|
|||||||
|
|
||||||
- name: Ensure service is started
|
- name: Ensure service is started
|
||||||
become: yes
|
become: yes
|
||||||
when: conf.changed or confd.changed
|
when: conf.changed or confd.changed or secconf.changed
|
||||||
service:
|
service:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
enabled: yes
|
enabled: yes
|
||||||
|
@ -1,12 +1,12 @@
|
|||||||
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
||||||
ssl_certificate /etc/letsencrypt/live/aninix.net-0001/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/{{ ssl.identity }}/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/aninix.net-0001/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/{{ ssl.identity }}/privkey.pem;
|
||||||
|
|
||||||
ssl_session_cache shared:SSL:1m;
|
ssl_session_cache shared:SSL:1m;
|
||||||
ssl_session_timeout 5m;
|
ssl_session_timeout 5m;
|
||||||
|
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_ciphers "!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
ssl_ciphers "{{ ssl.ciphersuite }}";
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
add_header "Strict-Transport-Security" "max-age=63072000; includeSubDomains; preload";
|
add_header "Strict-Transport-Security" "max-age=63072000; includeSubDomains; preload";
|
Loading…
Reference in New Issue
Block a user