AniNIX/Kapisi
3
0
Fork 0
Code Issues 27 Pull Requests Projects 1 Releases Wiki Activity

Catching up Webserver config

Browse Source
This commit is contained in:
DarkFeather
2022-12-18 22:21:39 -06:00
parent 72a62b63eb
commit 890e20c64c
10 changed files with 81 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
roles/WebServer/files/conf.d/Core/aaa_default.conf
View File

@@ -1,21 +1,12 @@
server {
listen 443 ssl http2;
server_name default_server;
include sec.conf;
include letsencrypt.conf;
include default.csp.conf;
rewrite ^/(.*)$ https://aninix.net/$1 permanent;
}
server {
listen 443 ssl http2;
server_name aninix.net;
include sec.conf;
include letsencrypt.conf;
include default.csp.conf;
include letsencrypt.conf;
location / {
rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html;
@@ -54,3 +45,16 @@ server {
}
}
server {
listen 443 ssl http2;
server_name foundation.aninix.net;
include sec.conf;
include letsencrypt.conf;
include default.csp.conf;
location / {
rewrite ^/(.*)$ https://aninix.net/$1 permanent;
}
}

4
roles/WebServer/files/conf.d/Core/cyberbrain.conf
View File

@@ -4,7 +4,6 @@ server {
include sec.conf;
include default.csp.conf;
include letsencrypt.conf;
location /
{
@@ -19,4 +18,7 @@ server {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-PORT $remote_port;
}
include letsencrypt.conf;
}

20
roles/WebServer/files/conf.d/Core/geth.conf
View File

@@ -15,15 +15,15 @@ server {
location /
{
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://geth.msn0.aninix.net:8123;
proxy_redirect http:// https://;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 86400;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://geth.msn0.aninix.net:8123;
proxy_redirect http:// https://;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 86400;
}
}

4
roles/WebServer/files/conf.d/Core/lykos-wiki.conf
View File

@@ -2,7 +2,7 @@ server {
listen 443 ssl;
server_name lykos.aninix.net;
include letsencrypt.conf;
# include local.conf;
root /usr/share/webapps/;
@@ -34,4 +34,6 @@ server {
deny all;
}
include letsencrypt.conf;
}

34
roles/WebServer/files/conf.d/Core/password.conf
View File

@@ -6,28 +6,30 @@ server {
include default.csp.conf;
include letsencrypt.conf;
root /usr/share/webapps/self-service-password/htdocs/;
location / {
root /usr/share/webapps/self-service-password/htdocs/;
# https://ltb-project.org/documentation/self-service-password/1.3/config_nginx
index index.php index.html index.htm;
# https://ltb-project.org/documentation/self-service-password/1.3/config_nginx
index index.php index.html index.htm;
# Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
sendfile off;
# Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
sendfile off;
gzip on;
gzip_comp_level 6;
gzip_min_length 1000;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
gzip_vary on;
gzip_proxied any;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
gzip on;
gzip_comp_level 6;
gzip_min_length 1000;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
gzip_vary on;
gzip_proxied any;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
# Add stdout logging
# Add stdout logging
#error_log /dev/stdout warn;
#access_log /dev/stdout info;
#error_log /dev/stdout warn;
#access_log /dev/stdout info;
include ../conf.d/fastcgi.config;
include ../conf.d/fastcgi.config;
}
# deny access to . files, for security
#

14
roles/WebServer/files/conf.d/Core/travelpawscvt.com.conf Normal file
View File

@@ -0,0 +1,14 @@
server {
listen 443 ssl;
server_name travelpawscvt.com;
#include local.conf;
include letsencrypt.conf;
include ../conf.d/fastcgi.config;
root /opt/travelpawscvt;
client_max_body_size 5m;
client_body_timeout 60;
}

3
roles/WebServer/files/conf.d/Core/wolfpack.conf
View File

@@ -4,7 +4,6 @@ server {
include sec.conf;
include default.csp.conf;
include letsencrypt.conf;
location /
{
@@ -12,4 +11,6 @@ server {
autoindex on;
autoindex_format html;
}
include letsencrypt.conf;
}

3
roles/WebServer/files/conf/letsencrypt.conf
View File

@@ -1,5 +1,4 @@
location ~ ^/.well-known/acme-challenge
{
location /.well-known/acme-challenge {
allow all;
root /var/lib/letsencrypt/;
default_type "text/plain";

13
roles/WebServer/tasks/main.yml
View File

@@ -53,6 +53,17 @@
mode: 0660
register: conf
- name: Populate security config
become: yes
template:
src: sec.conf.j2
dest: /opt/openresty/nginx/conf/sec.conf
owner: http
group: http
mode: 0660
register: secconf
- name: Ensure default openresty service file is off.
become: yes
service:
@@ -62,7 +73,7 @@
- name: Ensure service is started
become: yes
when: conf.changed or confd.changed
when: conf.changed or confd.changed or secconf.changed
service:
name: "{{ item }}"
enabled: yes

6
roles/WebServer/files/conf/sec.conf → roles/WebServer/templates/conf/sec.conf.j2
View File

@@ -1,12 +1,12 @@
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_certificate /etc/letsencrypt/live/aninix.net-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/aninix.net-0001/privkey.pem;
ssl_certificate /etc/letsencrypt/live/{{ ssl.identity }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ ssl.identity }}/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ciphers "{{ ssl.ciphersuite }}";
ssl_prefer_server_ciphers on;
add_header "Strict-Transport-Security" "max-age=63072000; includeSubDomains; preload";