ansible-edda/plays/services/roles/deploy/rproxy/files/config/nginx.conf

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    # Configuration based on https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html.

    # SSL protocols.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Ciphers suite based on intermediate list from
    # https://wiki.mozilla.org/Security/Server_Side_TLS. To verify OpenSSL names, use
    # https://raw.githubusercontent.com/openssl/openssl/master/include/openssl/tls1.h.
    ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # Prefer server's settings.
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # Diffie Hellman Ephemeral Parameters: `openssl dhparam -out dhparam.pem 4096`.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ecdh_curve secp384r1;

    # OCSP Stapling.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver_timeout 5s;

    # HTTP Strict Transport Security.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; " always;

    include /etc/nginx/conf.d/*.conf;
}
Playbooks to deploy pod-rproxy and pod-www 2022-09-26 23:10:48 +02:00			`user nginx;`
			`worker_processes auto;`

			`error_log /var/log/nginx/error.log notice;`
			`pid /var/run/nginx.pid;`


			`events {`
			`worker_connections 1024;`
			`}`


			`http {`
			`include /etc/nginx/mime.types;`
			`default_type application/octet-stream;`

			`log_format main '$remote_addr - $remote_user [$time_local] "$request" '`
			`'$status $body_bytes_sent "$http_referer" '`
			`'"$http_user_agent" "$http_x_forwarded_for"';`

			`access_log /var/log/nginx/access.log main;`

			`sendfile on;`
			`#tcp_nopush on;`

			`keepalive_timeout 65;`

			`#gzip on;`

			`# Configuration based on https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html.`

			`# SSL protocols.`
			`ssl_protocols TLSv1.2 TLSv1.3;`

			`# Ciphers suite based on intermediate list from`
			`# https://wiki.mozilla.org/Security/Server_Side_TLS. To verify OpenSSL names, use`
			`# https://raw.githubusercontent.com/openssl/openssl/master/include/openssl/tls1.h.`
			`ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;`

			`# Prefer server's settings.`
			`ssl_prefer_server_ciphers on;`
			`ssl_session_cache shared:SSL:10m;`

			# Diffie Hellman Ephemeral Parameters: `openssl dhparam -out dhparam.pem 4096`.
			`ssl_dhparam /etc/ssl/certs/dhparam.pem;`
			`ssl_ecdh_curve secp384r1;`

			`# OCSP Stapling.`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`
			`resolver_timeout 5s;`

			`# HTTP Strict Transport Security.`
			`add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; " always;`

			`include /etc/nginx/conf.d/*.conf;`
			`}`