From e932842b8d0a07715d4572945ccec166d9626e41 Mon Sep 17 00:00:00 2001
From: les
Date: Mon, 28 Dec 2020 17:39:41 +0100
Subject: [PATCH] improve nginx and certbot roles

---
 inventory.yml | 2 +-
 roles/stable/nginx/tasks/certbot.yml | 2 +-
 roles/stable/nginx/tasks/main.yml | 13 +++++++++++++
 roles/stable/nginx/templates/default.j2 | 3 +--
 roles/stable/nginx/templates/reverse_proxy.conf.j2 | 9 +++------
 vars/frontend.yml | 6 +-----
 6 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/inventory.yml b/inventory.yml
index 53b5d14..a43386f 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -11,7 +11,7 @@ frontend:
 hosts: 172.172.0.3
 test:
- hosts: jolly.roger
+ hosts: 45.156.24.144
 vars:
 ansible_user: debian
diff --git a/roles/stable/nginx/tasks/certbot.yml b/roles/stable/nginx/tasks/certbot.yml
index f0d938f..f2da122 100644
--- a/roles/stable/nginx/tasks/certbot.yml
+++ b/roles/stable/nginx/tasks/certbot.yml
@@ -17,6 +17,6 @@
 - name: Generate certificate if needed
 become: yes
- command: certbot-auto --nginx --non-interactive --agree-tos
+ command: /snap/bin/certbot --nginx --non-interactive --agree-tos
 --domains {{ servers | items2dict(key_name='server_name', value_name='server_name') | join(',') }}
 --email {{certbot_email}}
diff --git a/roles/stable/nginx/tasks/main.yml b/roles/stable/nginx/tasks/main.yml
index 60b7d0d..885d581 100644
--- a/roles/stable/nginx/tasks/main.yml
+++ b/roles/stable/nginx/tasks/main.yml
@@ -4,6 +4,19 @@
 apt:
 name: nginx
+- name: Default Configuration
+ become: yes
+ template:
+ src: default.j2
+ dest: /etc/nginx/sites-available/default
+
+- name: Link Default NGINX Configuration
+ become: yes
+ file:
+ src: "/etc/nginx/sites-available/default"
+ dest: "/etc/nginx/sites-enabled/default"
+ state: link
+ + - name: Configure Reverse Proxies
 become: yes
 template:
diff --git a/roles/stable/nginx/templates/default.j2 b/roles/stable/nginx/templates/default.j2
index 77e496a..e288269 100644
--- a/roles/stable/nginx/templates/default.j2
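Review bot: The new `command:` still runs unconditionally, so every play invokes certbot against the ACME endpoint, and because the domain list is built from `servers`, any change to that variable (this same commit removes the `gancio` entry from vars/frontend.yml) changes the requested set; in `--non-interactive` mode certbot's handling of a set that differs from the existing lineage depends on whether it is a superset, and can either fail or create a second lineage. Pinning the lineage with `--cert-name` (e.g. the first `server_name`) plus `--expand` makes that deterministic, and a `changed_when` on certbot's output stops the task reporting a change on every run. Stylistically, `items2dict(...) | join(',')` builds a dict only to join its keys; `--domains {{ servers | map(attribute='server_name') | join(',') }}` is the direct form, assuming `servers` is the list of mappings that `{{item.proxy_pass}}` in reverse_proxy.conf.j2 implies. Whatever precedes line 17 of this file (possibly a guard that makes "if needed" true) is outside the hunk.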
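Review bot: Neither new task validates or reloads what it writes: `template:` renders `default.j2` into `/etc/nginx/sites-available/default` without a `notify`, so the running nginx keeps its old config until something else restarts it, and a bad render (this commit also moves a `proxy_cache_path` directive into that template) is only discovered at that later restart. Since `nginx -t` cannot check a lone sites-available fragment, the usual pattern is `notify: reload nginx` on both tasks with a handler that runs `nginx -t` before `systemctl reload nginx`, if the role has such a handler — the `Configure Reverse Proxies` task continues past the hunk, so I can't see whether it notifies one. A `mode: "0644"` on the template task pins the file's permissions instead of inheriting the remote umask, and the quoting is inconsistent between the two tasks (`dest: /etc/nginx/...` vs `src: "/etc/nginx/..."`).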
+++ b/roles/stable/nginx/templates/default.j2
@@ -1,7 +1,6 @@
 # cache
- # proxy_cache_path /tmp levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;
- keepalive 30;
+ proxy_cache_path /tmp levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=10g use_temp_path=off;
 # redirect all http traffic to https
 server {
diff --git a/roles/stable/nginx/templates/reverse_proxy.conf.j2 b/roles/stable/nginx/templates/reverse_proxy.conf.j2
index 6bfcf6b..76251e4 100644
--- a/roles/stable/nginx/templates/reverse_proxy.conf.j2
+++ b/roles/stable/nginx/templates/reverse_proxy.conf.j2
@@ -1,4 +1,3 @@
-# nginx ssl file
 server {
 listen 80;
@@ -12,12 +11,10 @@ server {
 proxy_pass {{item.proxy_pass}};
 proxy_http_version 1.1;
- # hide client ip to backend
- proxy_set_header X-Real-IP 42.42.42.42;
- # set host
+ # set host
 proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-For 42.42.42.42;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Port $server_port;
@@ -27,7 +24,7 @@ server {
 proxy_set_header Connection "upgrade";
 # cache
- # proxy_cache {{item.server_name}}
+ proxy_cache STATIC;
 }
 }
diff --git a/vars/frontend.yml b/vars/frontend.yml
index 6f05c2b..8feaf1f 100644
--- a/vars/frontend.yml
+++ b/vars/frontend.yml
@@ -7,8 +7,4 @@ servers:
 proxy_pass: http://192.168.199.105:8080
 custom_config: |
 sendfile on;
- client_max_body_size 80m;
-
- - gancio:
- server_name: sblinda.cisti.org
- proxy_pass: http://192.168.199.104:8000
+ client_max_body_size 500m;
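Review bot: `proxy_cache_path /tmp ...` puts the cache in a world-writable directory shared with every local user; nginx creates its `levels=1:2` subdirectories there under predictable hex names, so an unprivileged local account could pre-create and own them before nginx does and then tamper with the cache files placed inside, and a /tmp that is cleaned at boot or tmpfs-backed would either discard the cache or let `max_size=10g` eat RAM. A dedicated directory owned by the nginx user is the standard fix: `proxy_cache_path /var/cache/nginx/static levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=10g use_temp_path=off;`, with a `file:` task in the role creating `/var/cache/nginx/static` as `www-data` with mode `0700` (whether that tree already exists on the target is not visible here). A one-line comment such as `# shared cache zone used by every reverse_proxy vhost (proxy_cache STATIC)` above the directive would tell the next reader why it lives in the default site file.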
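Review bot: `proxy_set_header X-Forwarded-For 42.42.42.42;` replaces the real client address with a routable public IP from an allocated range that is not this deployment's, and the comment that explained the intent (`# hide client ip to backend`) was dropped in the same hunk. Every backend that rate-limits, bans or geolocates on X-Forwarded-For now sees all clients as one host, so a single abusive client can get everyone throttled, and any abuse report built from the backend's logs points at a third party. If masking the client is the goal, use a reserved placeholder and say so: `# deliberately mask the client IP from the backend (RFC 5737 documentation address)` above `proxy_set_header X-Forwarded-For 192.0.2.1;` — or omit the header so the backend only sees nginx's own address. Overwriting instead of appending does at least discard any client-supplied X-Forwarded-For, which is the right behaviour for a first-hop proxy. The enclosing `server`/`location` block starts and ends outside the hunk.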
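Review bot: `proxy_cache STATIC;` enables the shared zone for every proxied vhost and for every request in this location, including the WebSocket-upgraded ones configured two lines above, with nginx's default key `$scheme$proxy_host$request_uri` that ignores cookies and Authorization. With no `proxy_cache_valid` nginx only stores what the backend marks cacheable and skips responses carrying Set-Cookie, so exposure depends on the backends, but any per-user page a backend sends with `Cache-Control: public, max-age=...` will be served to the next visitor of that URI. Guard it explicitly: `proxy_cache_bypass $http_authorization $http_cookie;` and `proxy_no_cache $http_authorization $http_cookie;` keep authenticated traffic out of the shared zone, or scope `proxy_cache STATIC;` to a static-asset `location` instead of the catch-all. The `location` and `server` blocks this sits in start outside the hunk.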
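Review bot: `client_max_body_size 500m;` raises the edge limit from 80m to 500m for the whole vhost, and with nginx's default `proxy_request_buffering on` each request body is spooled to the proxy's disk before it is forwarded, so an unauthenticated client can now tie up 500 MB of proxy storage per connection. If the backend really accepts uploads that large, add `proxy_request_buffering off;` to the same `custom_config` block (the template already sets `proxy_http_version 1.1`, which streaming requires) or confine the larger limit to the upload `location`, and confirm the backend at `192.168.199.105:8080` enforces its own size limit so the proxy is not the only control. Removing the `gancio` entry also shrinks the `--domains` list the certbot task in this commit derives from `servers`; worth checking that is intended.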