
Add nginx.conf, restrict SSL settings.

Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm 7 years ago
parent
commit
bd84821ab1
2 changed files with 104 additions and 4 deletions
  1. 17 4
      nginx/init.sls
  2. 87 0
      nginx/nginx.conf

+ 17 - 4
nginx/init.sls

@@ -13,10 +13,6 @@ nginx:
   service.running:
     - enable: TRUE
     - reload: TRUE
-    - watch:
-      - file: /etc/nginx/sites-*
-  file.absent:
-    - name: /etc/nginx/sites-enabled/default
 
 {% if grains['saltversion'] >= '2014.7.0' %}
 nginx-dhparam:
@@ -27,6 +23,21 @@ nginx-dhparam:
       - serivce: nginx
 {% endif %}
 
+
+# Install meaningful main configuration (SSL tweaks 'n stuff)
+/etc/nginx/nginx.conf:
+  file.managed:
+    - source: salt://nginx/nginx.conf
+    - watch_in:
+      - service: nginx
+
+
+# Disable default configuration
+/etc/nginx/sites-enabled/default:
+  file.absent
+
+
+# Install website configuration files configured for this node
 {% for website in salt['pillar.get']('nodes:' ~ grains['id'] ~ ':nginx:websites', []) %}
 /etc/nginx/sites-enabled/{{website}}:
   file.managed:
@@ -34,4 +45,6 @@ nginx-dhparam:
     - template: jinja
     - require:
       - pkg: nginx
+    - watch_in:
+      - service: nginx
 {% endfor %}
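Review bot: The new `/etc/nginx/nginx.conf` file.managed state in the second hunk has no `require` on the nginx package, while the per-website state in the last hunk carries `- require:` / `- pkg: nginx`; with the explicit requisite missing, the main config is only ordered after the package by Salt's default file-order ordering, and a later reordering of the file or a `pkg` failure would let the config be written into a directory the package has not created yet. Adding `    - require:` / `      - pkg: nginx` after the `source:` line makes the ordering explicit and consistent with the sibling state. The same applies to the bare `file.absent` for `/etc/nginx/sites-enabled/default`, which presumably needs the package installed first to have anything to remove on the first run. Not introduced by this commit, but the context line `- serivce: nginx` under `nginx-dhparam` looks like a typo for `service` and would likely leave that requisite unresolved.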

+ 87 - 0
nginx/nginx.conf

@@ -0,0 +1,87 @@
+user www-data;
+worker_processes 4;
+pid /run/nginx.pid;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+	# increase body size that nextcloud can receive large files
+	client_max_body_size 64m;
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3/TLSv1, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+	gzip_disable "msie6";
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+#	# See sample authentication script at:
+#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+# 
+#	# auth_http localhost/auth.php;
+#	# pop3_capabilities "TOP" "USER";
+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+# 
+#	server {
+#		listen     localhost:110;
+#		protocol   pop3;
+#		proxy      on;
+#	}
+# 
+#	server {
+#		listen     localhost:143;
+#		protocol   imap;
+#		proxy      on;
+#	}
+#}
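Review bot: The SSL section sets `ssl_prefer_server_ciphers on;` without any `ssl_ciphers` directive, so the server preference only reorders whatever cipher list the linked OpenSSL build defaults to, which may include suites the commit message's "restrict SSL settings" intends to exclude; an explicit `ssl_ciphers` list next to `ssl_protocols` would make the restriction actual rather than nominal. `# server_tokens off;` is left commented out in the Basic Settings block, so the nginx version remains visible in the `Server` header and error pages; enabling `server_tokens off;` is a one-line, low-risk hardening. Note that `TLSv1.1` is kept in `ssl_protocols`; it has since been formally deprecated (RFC 8996), so a follow-up may want to drop it if no client still depends on it. `worker_processes 4;` is hard-coded rather than `auto`, which is a style point only if the target hosts differ in core count.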