diff --git a/Archiv/ReverseProxy-nginx/hispanico.letsencrypt-nginx-revproxy/tasks/reverseproxy_ssl.conf.j2 b/Archiv/ReverseProxy-nginx/hispanico.letsencrypt-nginx-revproxy/tasks/reverseproxy_ssl.conf.j2 new file mode 100644 index 00000000..92747997 --- /dev/null +++ b/Archiv/ReverseProxy-nginx/hispanico.letsencrypt-nginx-revproxy/tasks/reverseproxy_ssl.conf.j2 @@ -0,0 +1,67 @@ +################################################################################ +# This file was generated by Ansible for {{ansible_fqdn}} +# Do NOT modify this file by hand! +################################################################################ + +upstream {{ item.key }}_backend { +{% for upstream in item.value.upstreams %} + server {{upstream.backend_address}}:{{upstream.backend_port}}; +{% endfor %} +} + +server { + listen 80; + listen [::]:80; + server_name {{ item.value.domains | join(' ') }}; + location / { + return 301 https://$server_name$request_uri; + } + + location /.well-known { + alias /var/www/{{ item.key }}/.well-known; + } + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name {{ item.value.domains | join(' ') }}; + +{% if item.value.hsts_max_age is defined %} + add_header Strict-Transport-Security "max-age={{ item.value.hsts_max_age }}; includeSubDomains; preload" always; +{% endif %} + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + + ssl on; + ssl_certificate /etc/letsencrypt/live/{{ item.key }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ item.key }}/privkey.pem; + ssl_session_timeout 5m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + location /.well-known { + alias /var/www/{{ item.key }}/.well-known; + } + + location / { + gzip off; + proxy_set_header X-Forwarded-Ssl on; + client_max_body_size {{ item.value.client_max_body_size | default('50M') }}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_pass http://{{ item.key }}_backend; + } +} diff --git a/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy.conf.j2 b/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy.conf.j2 new file mode 100644 index 00000000..47feccad --- /dev/null +++ b/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy.conf.j2 @@ -0,0 +1,56 @@ +################################################################################ +# This file was generated by Ansible for {{ansible_fqdn}} +# Do NOT modify this file by hand! +################################################################################ + +{% if item.key == "default" %} +server { + listen {{ item.value.listen | default(80) }} default_server; + listen [::]:{{ item.value.listen | default(80) }} default_server; + server_name _; + return 444; + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + +} + +{% else %} +upstream {{ item.key }}_backend { +{% for upstream in item.value.upstreams %} + server {{upstream.backend_address}}:{{upstream.backend_port}}; +{% endfor %} +} + +server { + listen {{ item.value.listen | default(80) }}; + listen [::]:{{ item.value.listen | default(80) }}; + server_name {{ item.value.domains | join(' ') }}; + + location / { + gzip off; + proxy_set_header X-Forwarded-Ssl on; + client_max_body_size {{ item.value.client_max_body_size | default('50M') }}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_pass http://{{ item.key }}_backend; +{% if item.value.auth is defined %} + auth_basic "Restricted Content"; + auth_basic_user_file /etc/nginx/{{ item.key }}_htpasswd; +{% endif %} + } + + location /.well-known { + alias /var/www/{{ item.key }}/.well-known; + } + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + +} +{% endif %} diff --git a/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy_ssl.conf.j2 b/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy_ssl.conf.j2 new file mode 100644 index 00000000..9a97684f --- /dev/null +++ b/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy_ssl.conf.j2 @@ -0,0 +1,104 @@ +################################################################################ +# This file was generated by Ansible for {{ansible_fqdn}} +# Do NOT modify this file by hand! +################################################################################ + +{% if item.key == "default" %} +server { + listen {{ item.value.listen | default(80) }} default_server; + listen [::]:{{ item.value.listen | default(80) }} default_server; + server_name _; + return 444; + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + +} + +server { + listen {{ item.value.listen_ssl | default(443) }} ssl http2 default_server; + listen [::]:{{ item.value.listen_ssl | default(443) }} ssl http2 default_server; + server_name _; + return 444; + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + + ssl on; + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + ssl_session_timeout 5m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; +} + +{% else %} +upstream {{ item.key }}_backend { +{% for upstream in item.value.upstreams %} + server {{upstream.backend_address}}:{{upstream.backend_port}}; +{% endfor %} +} + +server { + listen {{ item.value.listen | default(80) }}; + listen [::]:{{ item.value.listen | default(80) }}; + server_name {{ item.value.domains | join(' ') }}; + location / { + return 301 https://$server_name$request_uri; + } + + location /.well-known/acme-challenge { + alias /var/www/{{ item.key }}/.well-known/acme-challenge; + } + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + +} + +server { + listen {{ item.value.listen_ssl | default(443) }} ssl http2; + listen [::]:{{ item.value.listen_ssl | default(443) }} ssl http2; + server_name {{ item.value.domains | join(' ') }}; + +{% if item.value.hsts_max_age is defined %} + add_header Strict-Transport-Security "max-age={{ item.value.hsts_max_age }}; includeSubDomains; preload" always; +{% endif %} + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + + ssl on; + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + ssl_session_timeout 5m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + location /.well-known/acme-challenge { + alias /var/www/{{ item.key }}/.well-known/acme-challenge; + } + + location / { + gzip off; + proxy_set_header X-Forwarded-Ssl on; + client_max_body_size {{ item.value.client_max_body_size | default('50M') }}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_pass {{ item.value.backend_protocol | default('http') }}://{{ item.key }}_backend; +{% if item.value.auth is defined %} + auth_basic "Restricted Content"; + auth_basic_user_file /etc/nginx/{{ item.key }}_htpasswd; +{% endif %} + } +} +{% endif %} diff --git a/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy_ssl_letsencrypt.conf.j2 b/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy_ssl_letsencrypt.conf.j2 new file mode 100644 index 00000000..ae06d313 --- /dev/null +++ b/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy_ssl_letsencrypt.conf.j2 @@ -0,0 +1,71 @@ +################################################################################ +# This file was generated by Ansible for {{ansible_fqdn}} +# Do NOT modify this file by hand! +################################################################################ + +upstream {{ item.key }}_backend { +{% for upstream in item.value.upstreams %} + server {{upstream.backend_address}}:{{upstream.backend_port}}; +{% endfor %} +} + +server { + listen {{ item.value.listen | default(80) }}; + listen [::]:{{ item.value.listen | default(80) }}; + server_name {{ item.value.domains | join(' ') }}; + location / { + return 301 https://$server_name$request_uri; + } + + location /.well-known/acme-challenge { + alias /var/www/{{ item.key }}/.well-known/acme-challenge; + } + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + +} + +server { + listen {{ item.value.listen_ssl | default(443) }} ssl http2; + listen [::]:{{ item.value.listen_ssl | default(443) }} ssl http2; + server_name {{ item.value.domains | join(' ') }}; + +{% if item.value.hsts_max_age is defined %} + add_header Strict-Transport-Security "max-age={{ item.value.hsts_max_age }}; includeSubDomains; preload" always; +{% endif %} + + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log error; + + ssl on; + ssl_certificate /etc/letsencrypt/live/{{ item.key }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ item.key }}/privkey.pem; + ssl_session_timeout 5m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + location /.well-known/acme-challenge { + alias /var/www/{{ item.key }}/.well-known/acme-challenge; + } + + location / { + gzip off; + proxy_set_header X-Forwarded-Ssl on; + client_max_body_size {{ item.value.client_max_body_size | default('50M') }}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_pass {{ item.value.backend_protocol | default('http') }}://{{ item.key }}_backend; +{% if item.value.auth is defined %} + auth_basic "Restricted Content"; + auth_basic_user_file /etc/nginx/{{ item.key }}_htpasswd; +{% endif %} + } +}