alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity
7b9536838c
ansible-personal/roles/nginx/templates/vhost.conf.j2
Alan Orth 27a4abfcfd
roles/nginx: Add comments about defaults in templates 
It would be bettwe to set these defaults in the role's defaults, but
we can't because they exist in dicts for each of the host's sites.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:29:33 +02:00

99 lines
3.8 KiB
Django/Jinja
Raw Blame History

{# helper variables and per-site defaults that we can't set in role defaults #}
{% set domain_name = item.nginx_domain_name %}
{% set domain_aliases = item.nginx_domain_aliases | default("") %}
{% set enable_https = item.nginx_enable_https | default("no") %}
{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
{% set enable_hsts = item.nginx_enable_hsts | default("no") %}
{% set has_wordpress = item.has_wordpress | default("no") %}
{% if enable_https == "yes" %}
# http -> https vhost
server {
listen 80;
listen [::]:80;
server_name {{ domain_name }} {{ domain_aliases }};
# redirect http -> https
location / {
# ? in rewrite makes sure nginx doesn't append query string again
# see: http://wiki.nginx.org/NginxHttpRewriteModule#rewrite
rewrite ^ https://{{ domain_name }}$request_uri? permanent;
}
}
{% endif %}
server {
listen {% if enable_https == "yes" %} 443 ssl http2{% else %} 80{% endif %};
listen [::]{% if enable_https == "yes" %}:443 ssl http2{% else %}:80{% endif %};
root {{ nginx_root_prefix }}/{{ domain_name }};
{# assumes you only want the main domain name listening for https #}
server_name {{ domain_name }} {% if enable_https == "no" %} {{ domain_aliases }}{% endif %};
index index.php index.html;
access_log /var/log/nginx/{{ domain_name }}-access.log;
error_log /var/log/nginx/{{ domain_name }}-error.log;
{% if enable_https == "yes" %}
{% include 'https.j2' %}
{% endif %}
{% if has_wordpress == "yes" %}
{% include 'wordpress.j2' %}
{% endif %}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~ [^/]\.php(/|$) {
# Zero-day exploit defense.
# http://forum.nginx.org/read.php?2,88845,page=3
# Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine. And then cross your fingers that you won't get hacked.
try_files $uri =404;
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
fastcgi_index index.php;
# set script path relative to document root in server block
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_cache global;
# Set X-Fastcgi-Cache header to "HIT", "MISS", "BYPASS", etc
add_header X-Fastcgi-Cache $upstream_cache_status;
# Don't cache when user shift-refreshes (Pragma: no-cache) or when a user is logged in!
fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
fastcgi_no_cache $http_pragma $wordpress_logged_in;
{% if enable_https == "yes" and enable_hsts == "yes" %}
# Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
{% endif %}
include extra-security.conf;
}
include extra-security.conf;
}
# Check if a user is logged in
# if so, set $wordpress_logged_in = 1
# otherwise, set $wordpress_logged_in = 0
# See: http://jeradbitner.com/2012/02/nginx-do-not-cache-logged-in-drupal-or-wordpress-users/
# See: http://syshero.org/post/50053543196/disable-nginx-cache-based-on-cookies
# See nginx bug: http://trac.nginx.org/nginx/ticket/707
map $http_cookie $wordpress_logged_in {
default 0;
~wordpress_logged_in 1;
}
Reference in New Issue View Git Blame Copy Permalink