From ee907705a8a75eda17cb73ce4765e1ba8c8316c5 Mon Sep 17 00:00:00 2001 From: phil Date: Sat, 11 Mar 2023 18:18:27 +0100 Subject: [PATCH] Add more configuration files and templates --- README.md | 14 +++++++- defaults/main.yaml | 1 + files/add_headers.cof | 7 ++++ files/letsencrypt.conf | 6 ++++ files/request_limits.conf | 7 ++++ meta/main.yml | 8 ++--- tasks/configure.yml | 37 +++++++++++++++++++++ tasks/main.yaml | 10 ++++-- tasks/monitoring.yml | 20 +++++++----- tasks/packages.yml | 10 ++++-- templates/bad_clients.conf.j2 | 7 ++++ templates/local-statistics.j2 | 6 +--- templates/monit.j2 | 2 +- templates/nginx.conf.j2 | 58 +++++++++++++++++++++++++++++++++ templates/revers2_proxy.conf.j2 | 22 +++++++++++++ templates/ssl.conf.j2 | 22 +++++++++++++ 16 files changed, 213 insertions(+), 24 deletions(-) create mode 100644 defaults/main.yaml create mode 100644 files/add_headers.cof create mode 100644 files/letsencrypt.conf create mode 100644 files/request_limits.conf create mode 100644 tasks/configure.yml create mode 100644 templates/bad_clients.conf.j2 create mode 100644 templates/nginx.conf.j2 create mode 100644 templates/revers2_proxy.conf.j2 create mode 100644 templates/ssl.conf.j2 diff --git a/README.md b/README.md index 62d4363..d364e87 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,16 @@ Nginx ===== -Diese Rolle dient zur grundlegenden Einrichtung von Nginx. +Role to install Nginx. + +## Variables + +| Name | Default | Notes | +|--|--|--| +| `nginx_port` | `80` | Listen port for Nginx | +| `nginx_package_name` | `nginx-full` | Name of the Debian package to install | +| `nginx_bad_client_ip` | | List of IP address to deny access | +| `nginx_type` | | `gateway` for a Reverse Proxy, `standalone` for a frontend webserver, `backend` for a backend webserver (behind a Reverse Proxy) | +| `dhparam_path` | `/etc/ssl/private/dhparam.pem` | Path to dhparam file | + + diff --git a/defaults/main.yaml b/defaults/main.yaml new file mode 100644 index 0000000..3d1454a 
--- /dev/null +++ b/defaults/main.yaml @@ -0,0 +1 @@ +dhparam_path: /etc/ssl/private/dhparam.pem diff --git a/files/add_headers.cof b/files/add_headers.cof new file mode 100644 index 0000000..50f4613 --- /dev/null +++ b/files/add_headers.cof @@ -0,0 +1,7 @@ +# Managed by Ansible + +add_header Referrer-Policy $referrerpolicy; +add_header Strict-Transport-Security $sts; +add_header X-Content-Type-Options $xcontentoptions; +add_header X-XSS-Protection $xxssprotection; +add_header X-Frame-Options $xframeoptions; diff --git a/files/letsencrypt.conf b/files/letsencrypt.conf new file mode 100644 index 0000000..1c43776 --- /dev/null +++ b/files/letsencrypt.conf @@ -0,0 +1,6 @@ +# Managed by Ansible + +location /.well-known/acme-challenge { + default_type "text/plain"; + alias /var/lib/dehydrated/acme-challenges/; +} diff --git a/files/request_limits.conf b/files/request_limits.conf new file mode 100644 index 0000000..851d05a --- /dev/null +++ b/files/request_limits.conf @@ -0,0 +1,7 @@ +# Managed by Ansible + +limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m; +limit_req_zone $binary_remote_addr zone=wordpress:10m rate=10r/m; +limit_req_zone $server_name zone=perserver:10m rate=20r/m; +limit_req_status 444; +limit_conn_zone $binary_remote_addr zone=addr:10m; diff --git a/meta/main.yml b/meta/main.yml index 16cdee7..4d7176d 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,10 +1,10 @@ galaxy_info: - author: systemausfall.org - description: Ersteinrichtung von Nginx + author: Sense.Lab e.V. admins + description: Installation of Nginx company: Sense.Lab e.V. license: GPLv3 - min_ansible_version: 2.9 + min_ansible_version: "2.9" platforms: - name: Debian version: - - Bullseye + - bullseye diff --git a/tasks/configure.yml b/tasks/configure.yml new file mode 100644 index 0000000..a463cfa --- /dev/null +++ b/tasks/configure.yml 
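Review bot: `defaults/main.yaml` declares only `dhparam_path`, while the README table in this commit documents `nginx_port` (80) and `nginx_package_name` (nginx-full) as role defaults; those values currently exist only as inline `| default(...)` filters in `tasks/packages.yml`, `templates/monit.j2` and `templates/local-statistics.j2`. Declaring them here as `nginx_port: 80` and `nginx_package_name: nginx-full` makes the defaults discoverable and overridable in one place and lets the scattered filters be dropped. `nginx_type` has no default and no validation although `tasks/configure.yml` branches on it; an `ansible.builtin.assert` that it is one of `gateway`, `standalone` or `backend` would catch misconfigured hosts before any file is written. The file also lacks the `---` document start the other YAML files in this commit use.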
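Review bot: The new file is named `files/add_headers.cof`, but `tasks/configure.yml` in this commit copies `add_headers.conf` from `files/`, so that copy task fails with a missing source until the file is renamed to `add_headers.conf`. The `add_header` directives carry no `always` flag, so nginx emits these headers only on 2xx/3xx responses and not on 4xx/5xx error pages; `add_header X-Frame-Options $xframeoptions always;` (and likewise for the other four) sends them on every response. The `$referrerpolicy`, `$sts`, `$xcontentoptions`, `$xxssprotection` and `$xframeoptions` variables are defined by the `map` blocks in `templates/ssl.conf.j2`, which the configure task deploys only on `gateway`/`standalone` hosts, while this snippet is copied everywhere; a `backend` host that includes the snippet would most likely fail `nginx -t` with an unknown-variable error, so a header comment such as `# Requires the header maps from conf.d/ssl.conf (gateway/standalone only)` would make the coupling visible.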
@@ -0,0 +1,37 @@ +--- +- name: "Configuration | Copy main configuration" + ansible.builtin.template: + src: nginx.conf.j2 + dest: /etc/nginx/nginx.conf + mode: 0644 + notify: reload nginx + +- name: "Configuration | Copy configuration snippets" + ansible.builtin.copy: + src: "{{ item }}" + dest: "/etc/nginx/snippets/{{ item }}" + mode: 0644 + loop: + - add_headers.conf + - letsentcrypt.conf + notify: reload nginx + +- name: "Configuration | Copy configuration templates" + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "/etc/nginx/conf.d/{{ item }}" + mode: 0644 + loop: + - bad_clients.conf + - reverse_proxy.conf + - ssl.conf + notify: reload nginx + when: nginx_type is 'gateway' or nginx_type is 'standalone' + +- name: "Configuration | Copy request limit configuration" + ansible.builtin.copy: + src: request_limits.conf + dest: /etc/nginx/conf.d/ + mode: 0644 + notify: reload nginx + when: nginx_type is 'gateway' or nginx_type is 'standalone' diff --git a/tasks/main.yaml b/tasks/main.yaml index 90250cf..848579a 100644 --- a/tasks/main.yaml +++ b/tasks/main.yaml @@ -1,6 +1,12 @@ --- -- import_tasks: packages.yml +- name: "Install packages" + ansible.builtin.import_tasks: packages.yml tags: packages -- import_tasks: monitoring.yml +- name: "Configure" + ansible.builtin.import_tasks: configure.yml + tags: configure + +- name: "Enable monitoring" + ansible.builtin.import_tasks: monitoring.yml tags: monitoring diff --git a/tasks/monitoring.yml b/tasks/monitoring.yml index 24c1a9b..fd1f547 100644 --- a/tasks/monitoring.yml +++ b/tasks/monitoring.yml @@ -1,6 +1,6 @@ --- -- name: "monitoring | Aktiviere Munin-Plugin" - file: +- name: "Monitoring | Enable Munin plugin" + ansible.builtin.file: src: "/usr/share/munin/plugins/nginx_{{ item }}" dest: "/etc/munin/plugins/nginx_{{ item }}" state: link 
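Review bot: `when: nginx_type is 'gateway' or nginx_type is 'standalone'` is not valid Jinja — `is` introduces a test name, not an equality comparison — so both guarded tasks error at runtime; `when: nginx_type in ['gateway', 'standalone']` on both tasks is the intended check. Several loop items do not match the files added in this commit: the snippet loop lists `add_headers.conf` and `letsentcrypt.conf` while the files are `add_headers.cof` and `letsencrypt.conf`, and the template loop lists `reverse_proxy.conf` while the template is `revers2_proxy.conf.j2`, so the copy and template tasks fail with missing sources until the names agree. `mode: 0644` is an unquoted octal that YAML 1.1 reads as the integer 420; Ansible still applies the right permission, but ansible-lint flags it and `mode: "0644"` is the unambiguous form. Because `nginx_type` has no default in `defaults/main.yaml`, the `when` clauses also fail on hosts that never set it; `nginx_type | default('backend')` or an upfront assert avoids that.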
@@ -8,22 +8,26 @@ - request - status notify: restart munin-node + when: "'munin-node' in ansible_facts.packages" -- name: "monitoring | Kopiere Datei für lokale Statusausgabe" - template: +- name: "Monitoring | Copy statistics configuration file" + ansible.builtin.template: src: local-statistics.j2 dest: /etc/nginx/sites-available/local-statistics + mode: 0644 notify: reload nginx -- name: "monitoring | Aktiviere Lokale Status-Ausgabe" - file: +- name: "Monitoring | Enable local statistics" + ansible.builtin.file: src: /etc/nginx/sites-available/local-statistics dest: /etc/nginx/sites-enabled/local-statistics state: link notify: reload nginx -- name: "monitoring | Kopiere Monit-Überwachung" - template: +- name: "Monitoring | Copy Monit configuration" + ansible.builtin.template: src: monit.j2 dest: /etc/monit/conf-enabled/nginx + mode: 0644 notify: reload monit + when: "'monit' in ansible_facts.packages" diff --git a/tasks/packages.yml b/tasks/packages.yml index d1b5c60..88c64af 100644 --- a/tasks/packages.yml +++ b/tasks/packages.yml @@ -1,6 +1,10 @@ --- -- name: "packages | Installiere Debian-Pakete" - apt: +- name: "Packages | Get installed packages" + ansible.builtin.package_facts: + manager: apt + +- name: "Packages | Install deb packages" + ansible.builtin.apt: pkg: - liblwp-useragent-determined-perl - - "{{ nginx.version | default('nginx-full') }}" + - "{{ nginx_package_name | default('nginx-full') }}" diff --git a/templates/bad_clients.conf.j2 b/templates/bad_clients.conf.j2 new file mode 100644 index 0000000..27f4d03 --- /dev/null +++ b/templates/bad_clients.conf.j2 @@ -0,0 +1,7 @@ +# Managed by Ansible + +{% if nginx_bad_client_ip is defined %} +{% for client in nginx_bad_client_ip %} +deny {{ client }}; +{% endfor %} +{% endif %} diff --git a/templates/local-statistics.j2 b/templates/local-statistics.j2 index 24427b4..7a367a8 100644 --- a/templates/local-statistics.j2 +++ b/templates/local-statistics.j2 
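Review bot: `when: "'munin-node' in ansible_facts.packages"` (and the `'monit'` check on the last task) depends on `ansible_facts.packages`, which only the `package_facts` task in `tasks/packages.yml` populates; that file is imported under `tags: packages`, so a run limited to `--tags monitoring` evaluates the condition against an undefined variable and fails instead of skipping. `when: "'munin-node' in ansible_facts.packages | default({})"` keeps the task skipped in that case, or the `package_facts` task can carry both tags. The two `mode: 0644` values added here are unquoted octals; `mode: "0644"` is the form ansible-lint expects. The Munin plugin task that the first added `when` belongs to starts in the previous hunk.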
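Review bot: `{% for client in nginx_bad_client_ip %}` assumes a list, but the surrounding guard only checks that the variable is defined; a host that sets it to a single string such as `10.0.0.5` is iterated character by character and renders lines like `deny 1;`, which nginx will most likely reject at `nginx -t`. `{% for client in nginx_bad_client_ip | default([]) %}` replaces the outer `if`, and an `ansible.builtin.assert` that `nginx_bad_client_ip is not string` in the tasks catches the scalar case before the template is rendered. Because the file lands in `conf.d` and so at `http` level, these `deny` rules apply to every virtual host on the gateway including the local statistics server; a one-line comment at the top of the template saying so would help the next reader.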
@@ -1,9 +1,5 @@ server { -{% if inventory_hostname == "sl-nextcloud.kahlo" %} - listen 127.0.0.1:81; -{% else %} - listen 127.0.0.1; -{% endif %} + listen 127.0.0.1:{{ nginx_port | default(80) }}; server_name localhost; location /nginx_status { stub_status on; diff --git a/templates/monit.j2 b/templates/monit.j2 index 19a4af7..0215ec7 100644 --- a/templates/monit.j2 +++ b/templates/monit.j2 @@ -4,5 +4,5 @@ check process nginx with pidfile /var/run/nginx.pid group webserver start program = "/usr/sbin/service nginx start" stop program = "/usr/sbin/service nginx stop" - if failed host 127.0.0.1 port {{ nginx.port |default(80) }} for 3 cycles then restart + if failed host 127.0.0.1 port {{ nginx_port | default(80) }} for 3 cycles then restart if 5 restarts with 5 cycles then timeout diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2 new file mode 100644 index 0000000..419c4c8 --- /dev/null +++ b/templates/nginx.conf.j2 @@ -0,0 +1,58 @@ +# Managed by Ansible + +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 768; + multi_accept on; +} + +http { + + ## + # Basic Settings + ## + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + server_tokens off; + + map_hash_max_size 4096; + map_hash_bucket_size 128; + + server_names_hash_bucket_size 128; + + client_max_body_size 0; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # Logging Settings + ## + log_format noip '0.0.0.0 - $remote_user [$time_local] ' + '"$host" "$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" "$request_time" seconds'; + + #access_log /var/log/nginx/access.log noip if=$log_ip; + access_log off; + + error_log /var/log/nginx/error.log; + + + ## + # Gzip Settings + ## + gzip off; + + ## + # Virtual Host Configs + ## + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} 
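Review bot: `listen 127.0.0.1:{{ nginx_port | default(80) }};` ties the statistics server to the same port as the public sites, so it is only selected by `server_name localhost` and any client without that Host header presumably hits whichever server block is default for that address; the removed per-host `81` branch suggests this was already worked around once. A dedicated `nginx_status_port` variable defaulting to `nginx_port` would keep today's behaviour while making the separation explicit and keep `templates/monit.j2` in step. The `location /nginx_status` block continues past the hunk; if it does not already restrict access with `allow 127.0.0.1; deny all;`, `stub_status` is exposed to every client that can reach the listener.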
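Review bot: `client_max_body_size 0;` removes the request-body limit for every server block on every host type, including the local statistics server and backends; unbounded uploads are a resource-exhaustion risk and nginx's 1m default is the safer baseline. `client_max_body_size {{ nginx_client_max_body_size | default('0') }};` keeps today's behaviour while letting individual hosts tighten it, and the README variable table can document it. `access_log off;` at `http` level leaves the `noip` log_format unused and removes the per-request record that incident response relies on, while the commented `if=$log_ip` line references a variable no template defines; a `nginx_access_log` variable defaulting to `off`, with the dead comment removed, documents the choice. `error_log /var/log/nginx/error.log;` could state the level (`warn`) explicitly so the intended verbosity is visible in the template rather than inherited from the nginx default.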
diff --git a/templates/revers2_proxy.conf.j2 b/templates/revers2_proxy.conf.j2 new file mode 100644 index 0000000..61dde0b --- /dev/null +++ b/templates/revers2_proxy.conf.j2 @@ -0,0 +1,22 @@ +# Managed by Ansible + +proxy_http_version 1.1; +proxy_set_header Host $host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Host $host; +proxy_set_header X-Forwarded-Proto $scheme; +#proxy_set_header X-HTTPS-Protocol $ssl_protocol; +#proxy_set_header Accept ""; # Problems with Redmine, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810144 +proxy_set_header Connection ""; +#proxy_set_header Referer ""; + +#proxy_cache STATIC; +proxy_cache_valid 200 301 302 4h; +proxy_cache_valid 404 10m; +proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504; +proxy_buffering off; + +proxy_connect_timeout 600; +proxy_send_timeout 600; +proxy_read_timeout 600; diff --git a/templates/ssl.conf.j2 b/templates/ssl.conf.j2 new file mode 100644 index 0000000..c86eecf --- /dev/null +++ b/templates/ssl.conf.j2 @@ -0,0 +1,22 @@ +# Managed by Ansible + +ssl_session_timeout 1d; +ssl_session_cache shared:SSL:50m; +ssl_session_tickets off; +ssl_protocols TLSv1.3 TLSv1.2; +ssl_ciphers EECDH+AESGCM:EDH+AESGCM; +ssl_ecdh_curve secp384r1; + +# fetch OCSP records from URL in ssl_certificate and cache them +ssl_stapling on; +ssl_stapling_verify on; + +ssl_dhparam {{ dhparam_path }}; + +# Security Headers +# Add secure header values if not set upstream +map $upstream_http_referrer_policy $referrerpolicy {'' no-referrer;} +map $upstream_http_strict_transport_security $sts {'' "max-age=63072000; includeSubDomains; preload"; } +map $upstream_http_x_content_type_options $xcontentoptions {'' nosniff;} +map $upstream_http_x_xss_protection $xxssprotection {'' "1; mode=block";} +map $upstream_http_x_frame_options $xframeoptions {'' SAMEORIGIN;}
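Review bot: The template is named `templates/revers2_proxy.conf.j2`, but `tasks/configure.yml` in this commit renders `reverse_proxy.conf.j2` (loop item `reverse_proxy.conf`), so the template task fails with a missing source until the file is renamed to `reverse_proxy.conf.j2`. `proxy_cache_valid` and `proxy_cache_use_stale` have no effect while `proxy_cache STATIC;` stays commented out and no `proxy_cache_path` zone exists, and `proxy_buffering off;` also appears to rule out caching of these responses, so either drop those three lines or add a comment saying why they are kept. The `proxy_set_header` lines sit at `http` level; by nginx's inheritance rule any `server` or `location` that declares its own `proxy_set_header` loses all of them, which deserves a comment here because `X-Forwarded-For` and `X-Real-IP` are what backends use for access control and logging.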
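Review bot: `ssl_stapling on;` needs a `resolver` directive so nginx can look up the OCSP responder host, and none is set here or in `templates/nginx.conf.j2`; without it nginx warns at startup and stapling is silently skipped, and `ssl_stapling_verify on;` additionally needs the issuer chain from `ssl_certificate` or `ssl_trusted_certificate`. `ssl_ecdh_curve secp384r1;` restricts key exchange to one curve and excludes X25519, which most current clients offer first; `ssl_ecdh_curve X25519:secp384r1:prime256v1;` keeps the stronger curve available without presumably forcing an extra round trip. `ssl_ciphers EECDH+AESGCM:EDH+AESGCM;` omits ChaCha20-Poly1305, leaving clients without AES hardware no efficient option; `EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM` is the usual form, and OpenSSL does not apply this list to TLS 1.3 suites at all. The HSTS fallback `max-age=63072000; includeSubDomains; preload` opts every site behind this gateway into preload-list eligibility for two years across all subdomains, which is hard to revert; that value deserves a role variable such as `nginx_hsts_header` and a comment spelling out the commitment.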