ansible-personal/roles/nginx/templates/vhost.conf.j2
Alan Orth 52dc0c357b
roles/nginx: Add HSTS check to vhost template
We need to actually check if HSTS was requested before setting the
header in the block handling PHP requests. We check in the main vhost
block, but nginx headers are only inherited if you don't set ANY
headers in child blocks (ie, headers set in parent blocks are cleared
if you set any new ones in the child).

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:27:41 +03:00


{# vhost.conf.j2: renders one nginx vhost for the current `item` of the vhost list: #}
{# a main server block, plus an http -> https redirect block when use_https is "yes". #}
{# Per-vhost inputs are read from `item`; every optional one gets a default below. #}
{% set domain_name = item.nginx_domain_name %}
{% set domain_aliases = item.nginx_domain_aliases | default("") %}
{% set use_https = item.use_https | default("no") %}
{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
{% set enable_hsts = item.nginx_enable_hsts | default("no") %}
{% set has_wordpress = item.has_wordpress | default("no") %}
{% if use_https == "yes" %}
# http -> https vhost
# (answers for the main name AND its aliases, but always redirects to the main name)
server {
listen 80;
listen [::]:80;
server_name {{ domain_name }} {{ domain_aliases }};
# redirect http -> https
location / {
# ? in rewrite makes sure nginx doesn't append query string again
# see: http://wiki.nginx.org/NginxHttpRewriteModule#rewrite
rewrite ^ https://{{ domain_name }}$request_uri? permanent;
}
}
{% endif %}
# main vhost: https (443, http2) when use_https is "yes", otherwise plain http (80)
server {
listen {% if use_https == "yes" %} 443 ssl http2{% else %} 80{% endif %};
listen [::]{% if use_https == "yes" %}:443 ssl http2{% else %}:80{% endif %};
root {{ nginx_root_prefix }}/{{ domain_name }};
{# assumes you only want the main domain name listening for https #}
{# (for https vhosts the aliases are only served by the redirect block above) #}
server_name {{ domain_name }} {% if use_https == "no" %} {{ domain_aliases }}{% endif %};
index index.php index.html;
access_log /var/log/nginx/{{ domain_name }}-access.log;
error_log /var/log/nginx/{{ domain_name }}-error.log;
{# https-only directives are kept in https.j2 and included only for https vhosts #}
{% if use_https == "yes" %}
{% include 'https.j2' %}
{% endif %}
{# WordPress-specific rules, only when the vhost asks for them #}
{% if has_wordpress == "yes" %}
{% include 'wordpress.j2' %}
{% endif %}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# PHP handler: matches any URI with a .php path component, including
# PATH_INFO-style URIs such as /index.php/foo (hence the (/|$) alternative)
location ~ [^/]\.php(/|$) {
# Zero-day exploit defense.
# http://forum.nginx.org/read.php?2,88845,page=3
# Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine. And then cross your fingers that you won't get hacked.
try_files $uri =404;
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# one php-fpm socket per vhost, named after the domain
fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
fastcgi_index index.php;
# set script path relative to document root in server block
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_cache global;
# Set X-Fastcgi-Cache header to "HIT", "MISS", "BYPASS", etc
add_header X-Fastcgi-Cache $upstream_cache_status;
# Don't cache when user shift-refreshes (Pragma: no-cache) or when a user is logged in!
fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
fastcgi_no_cache $http_pragma $wordpress_logged_in;
{# The HSTS header has to be re-checked and re-added in this location block: #}
{# nginx add_header directives in a child block REPLACE (not extend) the ones #}
{# inherited from the server block, so the X-Fastcgi-Cache header above would #}
{# otherwise silently drop any header set at server level (presumably the HSTS #}
{# header from https.j2 -- confirm there). Keep this condition in sync with it. #}
{% if use_https == "yes" and enable_hsts == "yes" %}
# HSTS: emitted only when the vhost is https AND sets nginx_enable_hsts to "yes".
# Be careful: once a browser has seen this header it will insist on https for
# the domain (and, with includeSubDomains, every subdomain) until max-age expires.
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/
# "always" makes nginx send the header on error responses too, not only on 2xx/3xx
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
{% endif %}
# included here AND at server level: if extra-security.conf sets add_header
# directives, a server-level-only include would be lost in this block (see note above)
include extra-security.conf;
}
include extra-security.conf;
}
# Check if a user is logged in
# if so, set $wordpress_logged_in = 1
# otherwise, set $wordpress_logged_in = 0
# (the regex matches any Cookie header containing "wordpress_logged_in"; the cookie
# value is NOT validated, which is acceptable here because a match only disables
# caching -- it never grants access)
# See: http://jeradbitner.com/2012/02/nginx-do-not-cache-logged-in-drupal-or-wordpress-users/
# See: http://syshero.org/post/50053543196/disable-nginx-cache-based-on-cookies
# See nginx bug: http://trac.nginx.org/nginx/ticket/707
map $http_cookie $wordpress_logged_in {
default 0;
~wordpress_logged_in 1;
}