diff options
Diffstat (limited to 'ansible/roles/nginx/templates')
-rw-r--r-- | ansible/roles/nginx/templates/basic-site.conf.j2 | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/ansible/roles/nginx/templates/basic-site.conf.j2 b/ansible/roles/nginx/templates/basic-site.conf.j2 new file mode 100644 index 0000000..454b2bd --- /dev/null +++ b/ansible/roles/nginx/templates/basic-site.conf.j2 | |||
@@ -0,0 +1,68 @@ | |||
1 | server { | ||
2 | listen {{ item.domain }}:443 ssl http2 fastopen=4096 reuseport; | ||
3 | server_name {{ item.domain }}; | ||
4 | |||
5 | access_log /var/log/nginx/{{ item.domain }}.access.log main buffer=32k; | ||
6 | error_log /var/log/nginx/{{ item.domain }}.error.log error; | ||
7 | |||
8 | ssl on; | ||
9 | |||
10 | include /etc/nginx/ssl_params; | ||
11 | |||
12 | {% if nginx.ssl == "modern" %} | ||
13 | include /etc/nginx/ssl_ciphers_modern; | ||
14 | {% elif nginx.ssl == "tls13" %} | ||
15 | include /etc/nginx/ssl_ciphers_tls13; | ||
16 | {% else %} | ||
17 | # Default, just use commonly accepted options: | ||
18 | include /etc/nginx/ssl_ciphers_intermediate; | ||
19 | {% endif %} | ||
20 | |||
21 | ssl_certificate /etc/ssl/{{ item.domain }}-cert-combined.rsa2048.pem; | ||
22 | ssl_certificate_key /etc/ssl/private/{{ item.domain }}-key.rsa2048.pem; | ||
23 | |||
24 | # nginx >= 1.11.0 (2016-05-24) allows loading redundant certs and keys so you | ||
25 | # can serve modern EC clients and less modern RSA clients at the same time. | ||
26 | ssl_certificate /etc/ssl/{{ item.domain }}-cert-combined.prime256v1.pem; | ||
27 | ssl_certificate_key /etc/ssl/private/{{ item.domain }}-key.prime256v1.pem; | ||
28 | |||
29 | root /srv/web/{{ item.domain }}; | ||
30 | |||
31 | {% if nginx.google is defined %} | ||
32 | location /{{ nginx.google.siteKey }}.html { | ||
33 | root {{ nginx.google.siteKeyServeDir }}}; | ||
34 | } | ||
35 | {% endif %} | ||
36 | |||
37 | {% if item.customConfig is defined %} | ||
38 | {{ item.customConfig }} | ||
39 | {% endif %} | ||
40 | |||
41 | {% for location in item.uri %} | ||
42 | location {{ location.path }} { | ||
43 | {% if location.appServer is defined %} | ||
44 | proxy_pass {{ location.appServer }}/$request_uri; | ||
45 | proxy_set_header Host $host; | ||
46 | {% else %} | ||
47 | root /srv/web/{{ item.domain }}; | ||
48 | {% endif %} | ||
49 | } | ||
50 | {% endfor %} | ||
51 | } | ||
52 | |||
53 | server { | ||
54 | listen {{ item.domain }} fastopen=4096 reuseport; | ||
55 | server_name www.{{ item.domain }} {{ item.domain }}; | ||
56 | |||
57 | access_log /var/log/nginx/{{ item.domain }}.access.log main buffer=32k; | ||
58 | error_log /var/log/nginx/{{ item.domain }}.error.log error; | ||
59 | |||
60 | location /.well-known/acme-challenge/ { | ||
61 | alias /srv/web/challenges/; | ||
62 | try_files $uri =404; | ||
63 | } | ||
64 | |||
65 | location / { | ||
66 | return 301 https://{{ item.domain }}$request_uri; | ||
67 | } | ||
68 | } | ||