Merge pull request #48 from microcosm-cc/master
SSL improvements (default ciphers & caching), server_tokens option, and proxy_set_headers for vhosts
Este commit está contenido en:
commit
7b56556529
Se han modificado 13 ficheros con 53 adiciones y 47 borrados
@ -17,7 +17,8 @@ class nginx::config(
|
|||
$worker_processes = $nginx::params::nx_worker_processes,
|
||||
$worker_connections = $nginx::params::nx_worker_connections,
|
||||
$proxy_set_header = $nginx::params::nx_proxy_set_header,
|
||||
$confd_purge = $nginx::params::nx_confd_purge
|
||||
$confd_purge = $nginx::params::nx_confd_purge,
|
||||
$server_tokens = $nginx::params::nx_server_tokens
|
||||
) inherits nginx::params {
|
||||
File {
|
||||
owner => 'root',
|
||||
|
|
|
@ -35,7 +35,8 @@ class nginx (
|
|||
$confd_purge = $nginx::params::nx_confd_purge,
|
||||
$configtest_enable = $nginx::params::nx_configtest_enable,
|
||||
$service_restart = $nginx::params::nx_service_restart,
|
||||
$mail = $nginx::params::nx_mail
|
||||
$mail = $nginx::params::nx_mail,
|
||||
$server_tokens = $nginx::params::nx_server_tokens
|
||||
) inherits nginx::params {
|
||||
|
||||
include stdlib
|
||||
|
@ -45,12 +46,13 @@ class nginx (
|
|||
}
|
||||
|
||||
class { 'nginx::config':
|
||||
worker_processes => $worker_processes,
|
||||
worker_connections => $worker_connections,
|
||||
proxy_set_header => $proxy_set_header,
|
||||
confd_purge => $confd_purge,
|
||||
require => Class['nginx::package'],
|
||||
notify => Class['nginx::service'],
|
||||
worker_processes => $worker_processes,
|
||||
worker_connections => $worker_connections,
|
||||
proxy_set_header => $proxy_set_header,
|
||||
confd_purge => $confd_purge,
|
||||
server_tokens => $server_tokens,
|
||||
require => Class['nginx::package'],
|
||||
notify => Class['nginx::service'],
|
||||
}
|
||||
|
||||
class { 'nginx::service':
|
||||
|
|
|
@ -21,15 +21,20 @@ class nginx::params {
|
|||
$nx_confd_purge = false
|
||||
$nx_worker_processes = 1
|
||||
$nx_worker_connections = 1024
|
||||
$nx_multi_accept = off
|
||||
$nx_multi_accept = on
|
||||
$nx_events_use = epoll # One of [kqueue|rtsig|epoll|/dev/poll|select|poll|eventport] or false to use OS default
|
||||
$nx_sendfile = on
|
||||
$nx_keepalive_timeout = 65
|
||||
$nx_tcp_nodelay = on
|
||||
$nx_gzip = on
|
||||
$nx_server_tokens = off
|
||||
$nx_spdy = on
|
||||
$nx_ssl_stapling = on
|
||||
|
||||
$nx_proxy_redirect = off
|
||||
$nx_proxy_set_header = [
|
||||
'Host $host', 'X-Real-IP $remote_addr',
|
||||
'Host $host',
|
||||
'X-Real-IP $remote_addr',
|
||||
'X-Forwarded-For $proxy_add_x_forwarded_for',
|
||||
]
|
||||
|
||||
|
@ -51,7 +56,7 @@ class nginx::params {
|
|||
}
|
||||
|
||||
$nx_daemon_user = $::operatingsystem ? {
|
||||
/(?i-mx:debian|ubuntu)/ => 'www-data',
|
||||
/(?i-mx:debian|ubuntu)/ => 'www-data',
|
||||
/(?i-mx:fedora|rhel|redhat|centos|scientific|suse|opensuse|amazon)/ => 'nginx',
|
||||
}
|
||||
|
||||
|
|
|
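Review bot: `$nx_spdy = on` and `$nx_ssl_stapling = on` switch both features on for every SSL vhost, and the SSL header template in this commit emits them as a bare `ssl spdy` on the listen line and a bare `ssl_stapling on;`. OCSP stapling only works with a `resolver` (and is only meaningful with `ssl_stapling_verify on` plus `ssl_trusted_certificate`), none of which the module sets, and `spdy` on a listen line only parses on an nginx built with the SPDY module, so defaulting both to on is likely to break or silently degrade existing deployments. I'd make them opt-in, `$nx_spdy = off` and `$nx_ssl_stapling = off`, or at least document the prerequisites in a comment next to them. The `$nx_multi_accept` flip from `off` to `on` is a behaviour change the PR description does not mention and deserves a line there too.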
@ -54,6 +54,7 @@ define nginx::resource::vhost (
|
|||
$ssl_port = '443',
|
||||
$proxy = undef,
|
||||
$proxy_read_timeout = $nginx::params::nx_proxy_read_timeout,
|
||||
$proxy_set_header = [],
|
||||
$index_files = [
|
||||
'index.html',
|
||||
'index.htm',
|
||||
|
|
|
@ -14,19 +14,19 @@
|
|||
#
|
||||
# This class file is not called directly
|
||||
class nginx::service(
|
||||
$configtest_enable = $nginx::params::nx_configtest_enable,
|
||||
$service_restart = $nginx::params::nx_service_restart
|
||||
$configtest_enable = $nginx::params::nx_configtest_enable,
|
||||
$service_restart = $nginx::params::nx_service_restart
|
||||
) {
|
||||
exec { 'rebuild-nginx-vhosts':
|
||||
command => "/bin/cat ${nginx::params::nx_temp_dir}/nginx.d/* > ${nginx::params::nx_conf_dir}/conf.d/vhost_autogen.conf",
|
||||
refreshonly => true,
|
||||
unless => "/usr/bin/test ! -f ${nginx::params::nx_temp_dir}/nginx.d/*",
|
||||
unless => "/usr/bin/test ! -f ${nginx::params::nx_temp_dir}/nginx.d/*",
|
||||
subscribe => File["${nginx::params::nx_temp_dir}/nginx.d"],
|
||||
}
|
||||
exec { 'rebuild-nginx-mailhosts':
|
||||
command => "/bin/cat ${nginx::params::nx_temp_dir}/nginx.mail.d/* > ${nginx::params::nx_conf_dir}/conf.mail.d/vhost_autogen.conf",
|
||||
refreshonly => true,
|
||||
unless => "/usr/bin/test ! -f ${nginx::params::nx_temp_dir}/nginx.mail.d/*",
|
||||
unless => "/usr/bin/test ! -f ${nginx::params::nx_temp_dir}/nginx.mail.d/*",
|
||||
subscribe => File["${nginx::params::nx_temp_dir}/nginx.mail.d"],
|
||||
}
|
||||
service { "nginx":
|
||||
|
|
|
@ -7,6 +7,7 @@ pid <%= scope.lookupvar('nginx::params::nx_pid')%>;
|
|||
events {
|
||||
worker_connections <%= worker_connections %>;
|
||||
<% if scope.lookupvar('nginx::params::nx_multi_accept') == 'on' %>multi_accept on;<% end %>
|
||||
<% if scope.lookupvar('nginx::params::nx_events_use') %>use <%= scope.lookupvar('nginx::params::nx_events_use')%>;<% end %>
|
||||
}
|
||||
|
||||
http {
|
||||
|
@ -17,9 +18,8 @@ http {
|
|||
|
||||
sendfile <%= scope.lookupvar('nginx::params::nx_sendfile')%>;
|
||||
|
||||
<% if scope.lookupvar('nginx::params::nx_tcp_nopush') == 'on' %>
|
||||
tcp_nopush on;
|
||||
<% end %>
|
||||
server_tokens <%= server_tokens %>;
|
||||
<% if scope.lookupvar('nginx::params::nx_tcp_nopush') == 'on' %>tcp_nopush on;<% end %>
|
||||
|
||||
keepalive_timeout <%= scope.lookupvar('nginx::params::nx_keepalive_timeout')%>;
|
||||
tcp_nodelay <%= scope.lookupvar('nginx::params::nx_tcp_nodelay')%>;
|
||||
|
|
|
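Review bot: The new `server_tokens <%= server_tokens %>;` reads the value that `nginx::config` receives as a parameter, while the new `multi_accept` and `use` lines in the events hunk read `nginx::params::nx_*` straight through `scope.lookupvar`, so a user of class `nginx` can override `server_tokens` but has no supported way to change `multi_accept` or `events_use` short of editing params.pp. Either route those two through `nginx::config` parameters the way `server_tokens` is, or add a template comment stating that they are intentionally not overridable, e.g. `<%# multi_accept/events_use are read from nginx::params directly; not exposed as class parameters %>`. The `use` line is also emitted for any truthy value, and the params default is `epoll`, which nginx rejects on kernels without epoll; the `# ... or false to use OS default` comment in params.pp is currently the only place that documents this.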
@ -6,5 +6,4 @@ proxy_send_timeout <%= scope.lookupvar('nginx::params::nx_proxy_send_timeou
|
|||
proxy_read_timeout <%= scope.lookupvar('nginx::params::nx_proxy_read_timeout') %>;
|
||||
proxy_buffers <%= scope.lookupvar('nginx::params::nx_proxy_buffers') %>;
|
||||
<% proxy_set_header.each do |header| %>
|
||||
proxy_set_header <%= header %>;
|
||||
<% end %>
|
||||
proxy_set_header <%= header %>;<% end %>
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
upstream <%= name %> {
|
||||
<% if @upstream_cfg_prepend -%><% upstream_cfg_prepend.each do |key,value| -%>
|
||||
<%= key %> <%= value %>;
|
||||
<% end -%><% end -%>
|
||||
<%= key %> <%= value %>;<% end -%><% end -%>
|
||||
<% members.each do |i| %>
|
||||
server <%= i %>;
|
||||
<% end %>
|
||||
server <%= i %>;<% end %>
|
||||
}
|
||||
|
|
|
@ -6,3 +6,6 @@ server {
|
|||
<% end %>
|
||||
server_name <%= rewrite_www_to_non_www ? name.gsub(/^www\./, '') : server_name.join(" ") %>;
|
||||
access_log <%= scope.lookupvar('nginx::params::nx_logdir')%>/<%= name %>.access.log;
|
||||
|
||||
<% proxy_set_header.each do |header| %>
|
||||
proxy_set_header <%= header %>;<% end %>
|
||||
|
|
|
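Review bot: The `proxy_set_header` loop added at the end of the server block is dropped wholesale by nginx in any location that declares even one `proxy_set_header` of its own, because nginx inherits that directive from the enclosing level only when the current level defines none; the location proxy template (proxy.erb, also touched in this commit) emits its own loop, so headers set here may never reach the upstream. The same loop is added at the end of the SSL server header hunk and has the same issue. Worth a template comment above the loop, e.g. `<%# server-level proxy_set_header is ignored in any location that sets proxy_set_header itself %>`, or merging the vhost-level list into the location-level one in the manifest. The loop also prints each directive at column 0 after a blank line, unlike the indented `server_name`/`access_log` lines above it; `<% proxy_set_header.each do |header| -%>` with the directive indented would keep the generated file consistent.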
@ -1,9 +1,7 @@
|
|||
location <%= location %> {
|
||||
<% if @location_cfg_prepend -%><% location_cfg_prepend.each do |key,value| -%>
|
||||
<%= key %> <%= value %>;
|
||||
<% end -%><% end -%>
|
||||
alias <%= location_alias %>;
|
||||
<%= key %> <%= value %>;<% end -%><% end -%>
|
||||
alias <%= location_alias %>;
|
||||
<% if @location_cfg_append -%><% location_cfg_append.each do |key,value| -%>
|
||||
<%= key %> <%= value %>;
|
||||
<% end -%><% end -%>
|
||||
<%= key %> <%= value %>;<% end -%><% end -%>
|
||||
}
|
||||
|
|
|
@ -1,10 +1,8 @@
|
|||
location <%= location %> {
|
||||
<% if @location_cfg_prepend -%><% location_cfg_prepend.each do |key,value| -%>
|
||||
<%= key %> <%= value %>;
|
||||
<% end -%><% end -%>
|
||||
proxy_pass <%= proxy %>;
|
||||
<%= key %> <%= value %>;<% end -%><% end -%>
|
||||
proxy_pass <%= proxy %>;
|
||||
proxy_read_timeout <%= proxy_read_timeout %>;
|
||||
<% if @location_cfg_append -%><% location_cfg_append.each do |key,value| -%>
|
||||
<%= key %> <%= value %>;
|
||||
<% end -%><% end -%>
|
||||
<%= key %> <%= value %>;<% end -%><% end -%>
|
||||
}
|
||||
|
|
|
@ -1,9 +1,7 @@
|
|||
location <%= location %> {
|
||||
<% if @location_cfg_prepend -%><% location_cfg_prepend.each do |key,value| -%>
|
||||
<%= key %> <%= value %>;
|
||||
<% end -%><% end -%>
|
||||
<%= key %> <%= value %>;<% end -%><% end -%>
|
||||
stub_status on;
|
||||
<% if @location_cfg_append -%><% location_cfg_append.each do |key,value| -%>
|
||||
<%= key %> <%= value %>;
|
||||
<% end -%><% end -%>
|
||||
<%= key %> <%= value %>;<% end -%><% end -%>
|
||||
}
|
||||
|
|
|
@ -1,16 +1,19 @@
|
|||
server {
|
||||
listen <%= ssl_port %>;
|
||||
listen <%= ssl_port %><% if scope.lookupvar('nginx::params::nx_spdy') == 'on' %> ssl spdy<% end %>;
|
||||
<% if ipv6_enable == 'true' && (defined? ipaddress6) %>
|
||||
listen [<%= ipv6_listen_ip %>]:<%= ipv6_listen_port %> <% if @ipv6_listen_options %><%= ipv6_listen_options %><% end %> ipv6only=on;
|
||||
<% end %>
|
||||
server_name <%= rewrite_www_to_non_www ? name.gsub(/^www\./, '') : server_name.join(" ") %>;
|
||||
|
||||
ssl on;
|
||||
ssl_certificate <%= ssl_cert %>;
|
||||
ssl_certificate_key <%= ssl_key %>;
|
||||
ssl on;
|
||||
ssl_certificate <%= ssl_cert %>;
|
||||
ssl_certificate_key <%= ssl_key %>;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 10m;
|
||||
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
|
||||
ssl_prefer_server_ciphers on;
|
||||
<% if scope.lookupvar('nginx::params::nx_ssl_stapling') == 'on' %>ssl_stapling on;<% end %>
|
||||
<% if scope.lookupvar('nginx::params::nx_spdy') == 'on' %>spdy_headers_comp 1;<% end %>
|
||||
|
||||
ssl_session_timeout 5m;
|
||||
|
||||
ssl_protocols SSLv3 TLSv1;
|
||||
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
|
||||
ssl_prefer_server_ciphers on;
|
||||
<% proxy_set_header.each do |header| %>
|
||||
proxy_set_header <%= header %>;<% end %>
|
||||
|
|
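Review bot: `ssl_ciphers RC4:HIGH:!aNULL:!MD5;` lists RC4 first, and combined with the new `ssl_prefer_server_ciphers on` the server will choose an RC4 suite for any client that offers one; RC4 is a broken stream cipher, so drop it from the preference and exclude it, e.g. `ssl_ciphers HIGH:!aNULL:!MD5:!RC4;`. Removing `ssl_protocols SSLv3 TLSv1;` without a replacement leaves protocol selection to the nginx build default, which depending on the version may still include SSLv3; pin it explicitly, e.g. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`. `spdy_headers_comp 1` turns on SPDY header compression, which exposes request headers such as cookies to the compression-oracle class of attacks; keep it at `0` unless there is a measured need. The `ssl_session_cache shared:SSL:10m;` / `ssl_session_timeout 10m;` pair is hard-coded into every SSL vhost while the vhost define already takes `ssl_port` as a parameter, so these probably want to be parameters (or params.pp defaults) too.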