From 724427bb85894c941fd9cc41f2ee849f0e2bf1a6 Mon Sep 17 00:00:00 2001
From: Quotengrote <38253905+quotengrote@users.noreply.github.com>
Date: Mon, 19 Oct 2020 09:35:32 +0200
Subject: [PATCH] Housekeeping (#52)

---
 .../tasks/reverseproxy_ssl.conf.j2 | 67 +++++++++++
 .../tasks/reverseproxy.conf.j2 | 56 ++++++++++
 .../tasks/reverseproxy_ssl.conf.j2 | 104 ++++++++++++++++++
 .../reverseproxy_ssl_letsencrypt.conf.j2 | 71 ++++++++++++
 4 files changed, 298 insertions(+)
 create mode 100644 Archiv/ReverseProxy-nginx/hispanico.letsencrypt-nginx-revproxy/tasks/reverseproxy_ssl.conf.j2
 create mode 100644 Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy.conf.j2
 create mode 100644 Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy_ssl.conf.j2
 create mode 100644 Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy_ssl_letsencrypt.conf.j2

diff --git a/Archiv/ReverseProxy-nginx/hispanico.letsencrypt-nginx-revproxy/tasks/reverseproxy_ssl.conf.j2 b/Archiv/ReverseProxy-nginx/hispanico.letsencrypt-nginx-revproxy/tasks/reverseproxy_ssl.conf.j2
new file mode 100644
index 00000000..92747997
--- /dev/null
+++ b/Archiv/ReverseProxy-nginx/hispanico.letsencrypt-nginx-revproxy/tasks/reverseproxy_ssl.conf.j2
@@ -0,0 +1,67 @@
+################################################################################
+# This file was generated by Ansible for {{ansible_fqdn}}
+# Do NOT modify this file by hand!
+################################################################################
+
+upstream {{ item.key }}_backend {
+{% for upstream in item.value.upstreams %}
+ server {{upstream.backend_address}}:{{upstream.backend_port}};
+{% endfor %}
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ item.value.domains | join(' ') }};
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+
+ location /.well-known {
+ alias /var/www/{{ item.key }}/.well-known;
+ }
+
+ access_log /var/log/nginx/{{ item.key }}_access.log;
+ error_log /var/log/nginx/{{ item.key }}_error.log error;
+
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name {{ item.value.domains | join(' ') }};
+
+{% if item.value.hsts_max_age is defined %}
+ add_header Strict-Transport-Security "max-age={{ item.value.hsts_max_age }}; includeSubDomains; preload" always;
+{% endif %}
+
+ access_log /var/log/nginx/{{ item.key }}_access.log;
+ error_log /var/log/nginx/{{ item.key }}_error.log error;
+
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/{{ item.key }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ item.key }}/privkey.pem;
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ location /.well-known {
+ alias /var/www/{{ item.key }}/.well-known;
+ }
+
+ location / {
+ gzip off;
+ proxy_set_header X-Forwarded-Ssl on;
+ client_max_body_size {{ item.value.client_max_body_size | default('50M') }};
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_pass http://{{ item.key }}_backend;
+ }
+}
diff --git a/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy.conf.j2 b/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy.conf.j2
new file mode 100644
index 00000000..47feccad
--- /dev/null
+++ b/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy.conf.j2
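Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;` in the 443 `location /` sets a request header that is forwarded to the backend, not a response header, so browsers never receive the clickjacking protection this line is meant to provide. Replace it with `add_header X-Frame-Options SAMEORIGIN always;` at server level next to the Strict-Transport-Security line and drop the proxy_set_header form; keep in mind that `add_header` is inherited into a location only when that location declares no `add_header` of its own. The same line appears in reverseproxy.conf.j2, reverseproxy_ssl.conf.j2 and reverseproxy_ssl_letsencrypt.conf.j2 in this patch. Separately, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers TLS 1.0 and 1.1, which are deprecated by RFC 8996 and flagged by compliance scanners, and `ssl on;` is redundant with `listen 443 ssl` and obsolete in current nginx; `ssl_protocols TLSv1.2 TLSv1.3;` (TLS 1.3 needs OpenSSL 1.1.1 or newer) with `ssl on;` removed applies to this file and to the two other ssl templates in the patch.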
@@ -0,0 +1,56 @@
+################################################################################
+# This file was generated by Ansible for {{ansible_fqdn}}
+# Do NOT modify this file by hand!
+################################################################################
+
+{% if item.key == "default" %}
+server {
+ listen {{ item.value.listen | default(80) }} default_server;
+ listen [::]:{{ item.value.listen | default(80) }} default_server;
+ server_name _;
+ return 444;
+
+ access_log /var/log/nginx/{{ item.key }}_access.log;
+ error_log /var/log/nginx/{{ item.key }}_error.log error;
+
+}
+
+{% else %}
+upstream {{ item.key }}_backend {
+{% for upstream in item.value.upstreams %}
+ server {{upstream.backend_address}}:{{upstream.backend_port}};
+{% endfor %}
+}
+
+server {
+ listen {{ item.value.listen | default(80) }};
+ listen [::]:{{ item.value.listen | default(80) }};
+ server_name {{ item.value.domains | join(' ') }};
+
+ location / {
+ gzip off;
+ proxy_set_header X-Forwarded-Ssl on;
+ client_max_body_size {{ item.value.client_max_body_size | default('50M') }};
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_pass http://{{ item.key }}_backend;
+{% if item.value.auth is defined %}
+ auth_basic "Restricted Content";
+ auth_basic_user_file /etc/nginx/{{ item.key }}_htpasswd;
+{% endif %}
+ }
+
+ location /.well-known {
+ alias /var/www/{{ item.key }}/.well-known;
+ }
+
+ access_log /var/log/nginx/{{ item.key }}_access.log;
+ error_log /var/log/nginx/{{ item.key }}_error.log error;
+
+}
+{% endif %}
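Review bot: `proxy_set_header X-Forwarded-Ssl on;` in the plain-HTTP `location /` tells the backend the client connection was TLS although this server block only listens on the port-80 `listen` lines, while `proxy_set_header X-Forwarded-Proto $scheme;` a few lines below reports `http` for the same request. An application that keys secure-cookie or redirect decisions on X-Forwarded-Ssl is therefore misinformed; the line should be dropped from this template (it is appropriate only in the 443 blocks of the ssl templates). The optional `auth_basic` / `auth_basic_user_file` pair is also inside a server that never terminates TLS, so the credentials travel base64-encoded in cleartext on every request. At minimum the template should carry a comment above the `{% if item.value.auth is defined %}` line such as `# NOTE: basic auth over plain HTTP exposes credentials; prefer the ssl template when auth is set`.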
diff --git a/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy_ssl.conf.j2 b/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy_ssl.conf.j2
new file mode 100644
index 00000000..9a97684f
--- /dev/null
+++ b/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy_ssl.conf.j2
@@ -0,0 +1,104 @@
+################################################################################
+# This file was generated by Ansible for {{ansible_fqdn}}
+# Do NOT modify this file by hand!
+################################################################################
+
+{% if item.key == "default" %}
+server {
+ listen {{ item.value.listen | default(80) }} default_server;
+ listen [::]:{{ item.value.listen | default(80) }} default_server;
+ server_name _;
+ return 444;
+
+ access_log /var/log/nginx/{{ item.key }}_access.log;
+ error_log /var/log/nginx/{{ item.key }}_error.log error;
+
+}
+
+server {
+ listen {{ item.value.listen_ssl | default(443) }} ssl http2 default_server;
+ listen [::]:{{ item.value.listen_ssl | default(443) }} ssl http2 default_server;
+ server_name _;
+ return 444;
+
+ access_log /var/log/nginx/{{ item.key }}_access.log;
+ error_log /var/log/nginx/{{ item.key }}_error.log error;
+
+ ssl on;
+ ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+}
+
+{% else %}
+upstream {{ item.key }}_backend {
+{% for upstream in item.value.upstreams %}
+ server {{upstream.backend_address}}:{{upstream.backend_port}};
+{% endfor %}
+}
+
+server {
+ listen {{ item.value.listen | default(80) }};
+ listen [::]:{{ item.value.listen | default(80) }};
+ server_name {{ item.value.domains | join(' ') }};
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+
+ location /.well-known/acme-challenge {
+ alias /var/www/{{ item.key }}/.well-known/acme-challenge;
+ }
+
+ access_log /var/log/nginx/{{ item.key }}_access.log;
+ error_log /var/log/nginx/{{ item.key }}_error.log error;
+
+}
+
+server {
+ listen {{ item.value.listen_ssl | default(443) }} ssl http2;
+ listen [::]:{{ item.value.listen_ssl | default(443) }} ssl http2;
+ server_name {{ item.value.domains | join(' ') }};
+
+{% if item.value.hsts_max_age is defined %}
+ add_header Strict-Transport-Security "max-age={{ item.value.hsts_max_age }}; includeSubDomains; preload" always;
+{% endif %}
+
+ access_log /var/log/nginx/{{ item.key }}_access.log;
+ error_log /var/log/nginx/{{ item.key }}_error.log error;
+
+ ssl on;
+ ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ location /.well-known/acme-challenge {
+ alias /var/www/{{ item.key }}/.well-known/acme-challenge;
+ }
+
+ location / {
+ gzip off;
+ proxy_set_header X-Forwarded-Ssl on;
+ client_max_body_size {{ item.value.client_max_body_size | default('50M') }};
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_pass {{ item.value.backend_protocol | default('http') }}://{{ item.key }}_backend;
+{% if item.value.auth is defined %}
+ auth_basic "Restricted Content";
+ auth_basic_user_file /etc/nginx/{{ item.key }}_htpasswd;
+{% endif %}
+ }
+}
+{% endif %}
diff --git a/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy_ssl_letsencrypt.conf.j2 b/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy_ssl_letsencrypt.conf.j2
new file mode 100644
index 00000000..ae06d313
--- /dev/null
+++ b/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/tasks/reverseproxy_ssl_letsencrypt.conf.j2
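Review bot: `proxy_pass {{ item.value.backend_protocol | default('http') }}://{{ item.key }}_backend;` lets the inventory select `https`, but nothing in the `location /` configures upstream certificate checking, and nginx's `proxy_ssl_verify` defaults to off, so a TLS backend is proxied without its certificate ever being validated (and without SNI, since `proxy_ssl_server_name` also defaults to off). When backend_protocol is https the location should additionally set `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <path-to-backend-CA-bundle>;` and `proxy_ssl_server_name on;`, wrapped in a Jinja condition on the same variable, with the CA path supplied by a new role variable (the path above is a placeholder). The same gap exists in reverseproxy_ssl_letsencrypt.conf.j2, which is the next hunk of this patch.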
@@ -0,0 +1,71 @@
+################################################################################
+# This file was generated by Ansible for {{ansible_fqdn}}
+# Do NOT modify this file by hand!
+################################################################################
+
+upstream {{ item.key }}_backend {
+{% for upstream in item.value.upstreams %}
+ server {{upstream.backend_address}}:{{upstream.backend_port}};
+{% endfor %}
+}
+
+server {
+ listen {{ item.value.listen | default(80) }};
+ listen [::]:{{ item.value.listen | default(80) }};
+ server_name {{ item.value.domains | join(' ') }};
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+
+ location /.well-known/acme-challenge {
+ alias /var/www/{{ item.key }}/.well-known/acme-challenge;
+ }
+
+ access_log /var/log/nginx/{{ item.key }}_access.log;
+ error_log /var/log/nginx/{{ item.key }}_error.log error;
+
+}
+
+server {
+ listen {{ item.value.listen_ssl | default(443) }} ssl http2;
+ listen [::]:{{ item.value.listen_ssl | default(443) }} ssl http2;
+ server_name {{ item.value.domains | join(' ') }};
+
+{% if item.value.hsts_max_age is defined %}
+ add_header Strict-Transport-Security "max-age={{ item.value.hsts_max_age }}; includeSubDomains; preload" always;
+{% endif %}
+
+ access_log /var/log/nginx/{{ item.key }}_access.log;
+ error_log /var/log/nginx/{{ item.key }}_error.log error;
+
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/{{ item.key }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ item.key }}/privkey.pem;
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ location /.well-known/acme-challenge {
+ alias /var/www/{{ item.key }}/.well-known/acme-challenge;
+ }
+
+ location / {
+ gzip off;
+ proxy_set_header X-Forwarded-Ssl on;
+ client_max_body_size {{ item.value.client_max_body_size | default('50M') }};
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ proxy_pass {{ item.value.backend_protocol | default('http') }}://{{ item.key }}_backend;
+{% if item.value.auth is defined %}
+ auth_basic "Restricted Content";
+ auth_basic_user_file /etc/nginx/{{ item.key }}_htpasswd;
+{% endif %}
+ }
+}