Alan Orth
632aa1cf14
I had created these earlier in this branch before rebasing it on top of the Ansible 2.5.0 readiness branch. See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
113 lines
4.5 KiB
Django/Jinja
113 lines
4.5 KiB
Django/Jinja
# {{ ansible_managed }}
|
|
|
|
{# helper variables and per-site defaults that we can't set in role defaults #}
|
|
{% set domain_name = item.domain_name %}
|
|
{% set domain_aliases = item.domain_aliases | default("") %}
|
|
{# assume optional features are off unless a vhost explicitly sets them #}
|
|
{% set enable_hsts = item.enable_hsts | default(False) %}
|
|
{% set has_wordpress = item.has_wordpress | default(False) %}
|
|
{% set needs_php = item.needs_php | default(False) %}
|
|
|
|
# http -> https vhost
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name {{ domain_name }} {{ domain_aliases }};
|
|
|
|
# redirect http -> https
|
|
location / {
|
|
# ? in rewrite makes sure nginx doesn't append query string again
|
|
# see: http://wiki.nginx.org/NginxHttpRewriteModule#rewrite
|
|
rewrite ^ https://{{ domain_name }}$request_uri? permanent;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
|
|
root {{ nginx_root_prefix }}/{{ domain_name }};
|
|
|
|
{# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
|
|
server_name {{ domain_name }} {{ domain_aliases }};
|
|
|
|
index {% if has_wordpress == True or needs_php == True %}index.php{% else %}index.html{% endif %};
|
|
|
|
access_log /var/log/nginx/{{ domain_name }}-access.log;
|
|
error_log /var/log/nginx/{{ domain_name }}-error.log;
|
|
|
|
{% include 'https.j2' %}
|
|
|
|
{% if has_wordpress == True %}
|
|
{% include 'wordpress.j2' %}
|
|
{% endif %}
|
|
|
|
error_page 500 502 503 504 /50x.html;
|
|
location = /50x.html {
|
|
root /usr/share/nginx/html;
|
|
}
|
|
|
|
{% if has_wordpress == True or needs_php == True %}
|
|
location ~ [^/]\.php(/|$) {
|
|
# Zero-day exploit defense.
|
|
# http://forum.nginx.org/read.php?2,88845,page=3
|
|
# Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
|
|
# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine. And then cross your fingers that you won't get hacked.
|
|
try_files $uri =404;
|
|
|
|
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
|
|
# Protect against "HTTPoxy" vulnerability in PHP libraries
|
|
# See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
|
|
# See: https://httpoxy.org/
|
|
fastcgi_param HTTP_PROXY "";
|
|
|
|
{# As of Ubuntu 16.04 and Debian 9, the PHP-FPM configs are the same #}
|
|
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version_compare('16.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version_compare('9', '==')) %}
|
|
fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock;
|
|
{% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version_compare('18.04', '==') %}
|
|
fastcgi_pass unix:/run/php/php7.2-fpm-{{ domain_name }}.sock;
|
|
{% else %}
|
|
fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
|
|
{% endif %}
|
|
fastcgi_index index.php;
|
|
# set script path relative to document root in server block
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
include fastcgi_params;
|
|
|
|
fastcgi_cache global;
|
|
# Set X-Fastcgi-Cache header to "HIT", "MISS", "BYPASS", etc
|
|
add_header X-Fastcgi-Cache $upstream_cache_status;
|
|
# Don't cache when user shift-refreshes (Pragma: no-cache) or when a user is logged in!
|
|
fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
|
|
fastcgi_no_cache $http_pragma $wordpress_logged_in;
|
|
|
|
{% if enable_hsts == True %}
|
|
# Enable this if you want HSTS (recommended, but be careful)
|
|
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
|
|
# See: https://hstspreload.appspot.com/
|
|
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
|
|
{% endif %}
|
|
|
|
include extra-security.conf;
|
|
}
|
|
{% endif %}
|
|
|
|
include extra-security.conf;
|
|
}
|
|
|
|
{% if has_wordpress == True %}
|
|
# Check if a user is logged in
|
|
# if so, set $wordpress_logged_in = 1
|
|
# otherwise, set $wordpress_logged_in = 0
|
|
# See: http://jeradbitner.com/2012/02/nginx-do-not-cache-logged-in-drupal-or-wordpress-users/
|
|
# See: http://syshero.org/post/50053543196/disable-nginx-cache-based-on-cookies
|
|
# See nginx bug: http://trac.nginx.org/nginx/ticket/707
|
|
map $http_cookie $wordpress_logged_in {
|
|
default 0;
|
|
|
|
~wordpress_logged_in 1;
|
|
}
|
|
{% endif %}
|