Commit Graph

17 Commits

Author SHA1 Message Date
a3e71e75d2
roles/nginx: SPDY -> HTTP/2
nginx 1.9.5 mainline adds support for HTTP/2 and deprecates SPDY.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-22 19:40:30 +03:00
a17cb2a0a0 roles/nginx: Add initial IPv6 support to vhost template
Still need to add ip6tables rules

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-25 11:53:57 +03:00
caec2440bb
roles/nginx: Fix HSTS header in vhost config
We always want to add the header, not add a header with value
"always"!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-20 15:54:10 +03:00
f9ea01ba8f roles/nginx: Use stronger HSTS header
Include subdomains in the HTTP Strict Transport Security header,
and include the "preload" verb to inform Google we want to be pre-
loaded into the HSTS preload.

See: https://hstspreload.appspot.com/

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-13 18:35:26 +03:00
9ce7ac72f9
roles/nginx: Add extra-security headers to PHP block
nginx inherits headers from higher-level blocks UNLESS we also set
headers in the current block. In this case the FastCGI cache header
was being set, so we weren't getting the extra-security ones.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-19 09:32:06 +03:00
934db06887 roles/nginx: Add HTTP Strict Transport Security headers to PHP block
nginx blocks inherit headers set in blocks above them UNLESS the
current level also sets headers[0]. This was causing PHP requests
to not have STS headers because of the FastCGI cache header which
is set in that block.

[0] http://nginx.org/en/docs/http/ngx_http_headers_module.html

Fixes GitHub #7.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-19 09:30:26 +03:00
942f45834f
roles/nginx: Use a more descriptive variable name for bypassing the proxy_cache
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-11 13:51:48 +03:00
3dcc5e1411
roles/nginx: Move some common fastcgi settings out of vhost template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-10 11:59:43 +03:00
53d2c85bf0 roles/nginx: Adjust fastcgi_cache_valid
Only cache 200, 301, and 302 requests!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 10:23:48 +03:00
29f7a76545
roles/nginx: Update location regex for PHP scripts
Just use the same one as the Nginx wiki and some other resources.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 16:40:38 +03:00
0b90bad6a9
roles/nginx: Add fastcgi caching
Bypasses caching for logged in users (right now only for sessions
where the "wordpress_logged_in" cookie is set. Doubles the trans-
actions per second as measured by siege:

    $ siege -d1 -t1M -c50 https://mjanja.ch

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-10 23:04:28 +03:00
4ea152bf51
roles/nginx: Add HTTP headers for web application security
See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf
See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 13:05:42 +03:00
2156f8b07d
roles/nginx: Tweaks for vhosts with WordPress
My WordPress blogs have a /wordpress subdirectory in the document
root, but I don't serve from the /wordpress URI.

Technically, all we need is the tweaks to the try_files:
    - `?args` passes query strings to php5-fpm
    - removing 404 from the vhost's try_files so we don't return 404
    when the requested file doesn't exist (obviously not all request
    URI's in WordPress are actual files on the disk)

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-07 22:51:34 +03:00
162197ad25
roles/nginx: Re-work vhost template to support HTTPS
Assumes you have a TLS cert for one domain, but not the others, ie:

    http://blah.com \
    http://blah.net  -> https://blah.io
    http://blah.org /

Otherwise, without https, it creates a vhost with all domain names.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-06 21:32:37 +03:00
fafd475f6b
roles/nginx: Add index to vhost config
Without this, all requests to directory URIs throw 403 errors due
to directory listings not being allowed.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 12:27:24 +03:00
0b8e0c38bf
roles/nginx: Per-vhost logs
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 20:26:12 +03:00
5bbec6716c
roles/nginx: Use template to configure nginx vhosts
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 20:03:34 +03:00