12dfb7e98d
I need this to hide X-Frame-Options for a single location block. From nginx docs: By default, nginx does not pass the header fields “Date”, “Server”, “X-Pad”, and “X-Accel-...” from the response of a proxied server to a client. The proxy_hide_header directive sets additional fields that will not be passed.
317 lines
9.4 KiB
Puppet
317 lines
9.4 KiB
Puppet
# Class: nginx::config
|
|
#
|
|
# This module manages NGINX bootstrap and configuration
|
|
#
|
|
# Parameters:
|
|
#
|
|
# There are no default parameters for this class.
|
|
#
|
|
# Actions:
|
|
#
|
|
# Requires:
|
|
#
|
|
# Sample Usage:
|
|
#
|
|
# This class file is not called directly
|
|
class nginx::config(
|
|
### START Module/App Configuration ###
|
|
$client_body_temp_path = $::nginx::params::client_body_temp_path,
|
|
$confd_purge = false,
|
|
$conf_dir = $::nginx::params::conf_dir,
|
|
$daemon_user = $::nginx::params::daemon_user,
|
|
$global_owner = $::nginx::params::global_owner,
|
|
$global_group = $::nginx::params::global_group,
|
|
$global_mode = $::nginx::params::global_mode,
|
|
$log_dir = $::nginx::params::log_dir,
|
|
$http_access_log = $::nginx::params::http_access_log,
|
|
$nginx_error_log = $::nginx::params::nginx_error_log,
|
|
$nginx_error_log_severity = 'error',
|
|
$pid = $::nginx::params::pid,
|
|
$proxy_temp_path = $::nginx::params::proxy_temp_path,
|
|
$root_group = $::nginx::params::root_group,
|
|
$run_dir = $::nginx::params::run_dir,
|
|
$sites_available_owner = $::nginx::params::sites_available_owner,
|
|
$sites_available_group = $::nginx::params::sites_available_group,
|
|
$sites_available_mode = $::nginx::params::sites_available_mode,
|
|
$super_user = $::nginx::params::super_user,
|
|
$temp_dir = $::nginx::params::temp_dir,
|
|
$vhost_purge = false,
|
|
|
|
# Primary Templates
|
|
$conf_template = 'nginx/conf.d/nginx.conf.erb',
|
|
$proxy_conf_template = undef,
|
|
### END Module/App Configuration ###
|
|
|
|
### START Nginx Configuration ###
|
|
$accept_mutex = 'on',
|
|
$accept_mutex_delay = '500ms',
|
|
$client_body_buffer_size = '128k',
|
|
$client_max_body_size = '10m',
|
|
$events_use = false,
|
|
$fastcgi_cache_inactive = '20m',
|
|
$fastcgi_cache_key = false,
|
|
$fastcgi_cache_keys_zone = 'd3:100m',
|
|
$fastcgi_cache_levels = '1',
|
|
$fastcgi_cache_max_size = '500m',
|
|
$fastcgi_cache_path = false,
|
|
$fastcgi_cache_use_stale = false,
|
|
$gzip = 'on',
|
|
$gzip_buffers = undef,
|
|
$gzip_comp_level = 1,
|
|
$gzip_disable = 'msie6',
|
|
$gzip_min_length = 20,
|
|
$gzip_http_version = 1.1,
|
|
$gzip_proxied = 'off',
|
|
$gzip_types = undef,
|
|
$gzip_vary = 'off',
|
|
$http_cfg_append = false,
|
|
$http_tcp_nodelay = 'on',
|
|
$http_tcp_nopush = 'off',
|
|
$keepalive_timeout = '65',
|
|
$log_format = {},
|
|
$mail = false,
|
|
$stream = false,
|
|
$multi_accept = 'off',
|
|
$names_hash_bucket_size = '64',
|
|
$names_hash_max_size = '512',
|
|
$nginx_cfg_prepend = false,
|
|
$proxy_buffers = '32 4k',
|
|
$proxy_buffer_size = '8k',
|
|
$proxy_cache_inactive = '20m',
|
|
$proxy_cache_keys_zone = 'd2:100m',
|
|
$proxy_cache_levels = '1',
|
|
$proxy_cache_max_size = '500m',
|
|
$proxy_cache_path = false,
|
|
$proxy_connect_timeout = '90',
|
|
$proxy_headers_hash_bucket_size = '64',
|
|
$proxy_http_version = undef,
|
|
$proxy_read_timeout = '90',
|
|
$proxy_redirect = 'off',
|
|
$proxy_send_timeout = '90',
|
|
$proxy_set_header = [
|
|
'Host $host',
|
|
'X-Real-IP $remote_addr',
|
|
'X-Forwarded-For $proxy_add_x_forwarded_for',
|
|
],
|
|
$proxy_hide_header = [],
|
|
$sendfile = 'on',
|
|
$server_tokens = 'on',
|
|
$spdy = 'off',
|
|
$http2 = 'off',
|
|
$ssl_stapling = 'off',
|
|
$types_hash_bucket_size = '512',
|
|
$types_hash_max_size = '1024',
|
|
$worker_connections = '1024',
|
|
$worker_processes = '1',
|
|
$worker_rlimit_nofile = '1024',
|
|
### END Nginx Configuration ###
|
|
) inherits ::nginx::params {
|
|
|
|
### Validations ###
|
|
if ($worker_processes != 'auto') and (!is_integer($worker_processes)) {
|
|
fail('$worker_processes must be an integer or have value "auto".')
|
|
}
|
|
if (!is_integer($worker_connections)) {
|
|
fail('$worker_connections must be an integer.')
|
|
}
|
|
if (!is_integer($worker_rlimit_nofile)) {
|
|
fail('$worker_rlimit_nofile must be an integer.')
|
|
}
|
|
if (!is_string($events_use)) and ($events_use != false) {
|
|
fail('$events_use must be a string or false.')
|
|
}
|
|
validate_string($multi_accept)
|
|
validate_array($proxy_set_header)
|
|
validate_array($proxy_hide_header)
|
|
if ($proxy_http_version != undef) {
|
|
validate_string($proxy_http_version)
|
|
}
|
|
if ($proxy_conf_template != undef) {
|
|
warning('The $proxy_conf_template parameter is deprecated and has no effect.')
|
|
}
|
|
validate_bool($confd_purge)
|
|
validate_bool($vhost_purge)
|
|
if ( $proxy_cache_path != false) {
|
|
if ( is_string($proxy_cache_path) or is_hash($proxy_cache_path)) {}
|
|
else {
|
|
fail('proxy_cache_path must be a string or a hash')
|
|
}
|
|
}
|
|
validate_re($proxy_cache_levels, '^[12](:[12])*$')
|
|
validate_string($proxy_cache_keys_zone)
|
|
validate_string($proxy_cache_max_size)
|
|
validate_string($proxy_cache_inactive)
|
|
|
|
if ($fastcgi_cache_path != false) {
|
|
validate_string($fastcgi_cache_path)
|
|
}
|
|
validate_re($fastcgi_cache_levels, '^[12](:[12])*$')
|
|
validate_string($fastcgi_cache_keys_zone)
|
|
validate_string($fastcgi_cache_max_size)
|
|
validate_string($fastcgi_cache_inactive)
|
|
if ($fastcgi_cache_key != false) {
|
|
validate_string($fastcgi_cache_key)
|
|
}
|
|
if ($fastcgi_cache_use_stale != false) {
|
|
validate_string($fastcgi_cache_use_stale)
|
|
}
|
|
|
|
validate_bool($mail)
|
|
validate_string($server_tokens)
|
|
validate_string($client_max_body_size)
|
|
if (!is_integer($names_hash_bucket_size)) {
|
|
fail('$names_hash_bucket_size must be an integer.')
|
|
}
|
|
if (!is_integer($names_hash_max_size)) {
|
|
fail('$names_hash_max_size must be an integer.')
|
|
}
|
|
validate_string($proxy_buffers)
|
|
validate_string($proxy_buffer_size)
|
|
if ($http_cfg_append != false) {
|
|
if !(is_hash($http_cfg_append) or is_array($http_cfg_append)) {
|
|
fail('$http_cfg_append must be either a hash or array')
|
|
}
|
|
}
|
|
|
|
if ($nginx_cfg_prepend != false) {
|
|
if !(is_hash($nginx_cfg_prepend) or is_array($nginx_cfg_prepend)) {
|
|
fail('$nginx_cfg_prepend must be either a hash or array')
|
|
}
|
|
}
|
|
|
|
validate_string($nginx_error_log)
|
|
validate_re($nginx_error_log_severity,['debug','info','notice','warn','error','crit','alert','emerg'],'$nginx_error_log_severity must be debug, info, notice, warn, error, crit, alert or emerg')
|
|
validate_string($http_access_log)
|
|
validate_string($proxy_headers_hash_bucket_size)
|
|
validate_bool($super_user)
|
|
### END VALIDATIONS ###
|
|
|
|
|
|
### CONFIGURATION ###
|
|
File {
|
|
owner => $global_owner,
|
|
group => $global_group,
|
|
mode => $global_mode,
|
|
}
|
|
|
|
file { $conf_dir:
|
|
ensure => directory,
|
|
}
|
|
|
|
file { "${conf_dir}/conf.stream.d":
|
|
ensure => directory,
|
|
}
|
|
if $confd_purge == true {
|
|
File["${conf_dir}/conf.stream.d"] {
|
|
purge => true,
|
|
recurse => true,
|
|
}
|
|
}
|
|
|
|
file { "${conf_dir}/conf.d":
|
|
ensure => directory,
|
|
}
|
|
if $confd_purge == true {
|
|
File["${conf_dir}/conf.d"] {
|
|
purge => true,
|
|
recurse => true,
|
|
notify => Class['::nginx::service'],
|
|
}
|
|
}
|
|
|
|
file { "${conf_dir}/conf.mail.d":
|
|
ensure => directory,
|
|
}
|
|
if $confd_purge == true {
|
|
File["${conf_dir}/conf.mail.d"] {
|
|
purge => true,
|
|
recurse => true,
|
|
}
|
|
}
|
|
|
|
file { "${conf_dir}/conf.d/vhost_autogen.conf":
|
|
ensure => absent,
|
|
}
|
|
|
|
file { "${conf_dir}/conf.mail.d/vhost_autogen.conf":
|
|
ensure => absent,
|
|
}
|
|
|
|
file {$run_dir:
|
|
ensure => directory,
|
|
}
|
|
|
|
file { $log_dir:
|
|
ensure => directory,
|
|
}
|
|
|
|
file {$client_body_temp_path:
|
|
ensure => directory,
|
|
owner => $daemon_user,
|
|
}
|
|
|
|
file {$proxy_temp_path:
|
|
ensure => directory,
|
|
owner => $daemon_user,
|
|
}
|
|
|
|
file { "${conf_dir}/sites-available":
|
|
ensure => directory,
|
|
owner => $sites_available_owner,
|
|
group => $sites_available_group,
|
|
mode => $sites_available_mode,
|
|
}
|
|
|
|
if $vhost_purge == true {
|
|
File["${conf_dir}/sites-available"] {
|
|
purge => true,
|
|
recurse => true,
|
|
}
|
|
}
|
|
|
|
file { "${conf_dir}/sites-enabled":
|
|
ensure => directory,
|
|
}
|
|
|
|
if $vhost_purge == true {
|
|
File["${conf_dir}/sites-enabled"] {
|
|
purge => true,
|
|
recurse => true,
|
|
}
|
|
}
|
|
|
|
file { "${conf_dir}/sites-enabled/default":
|
|
ensure => absent,
|
|
}
|
|
|
|
file { "${conf_dir}/nginx.conf":
|
|
ensure => file,
|
|
content => template($conf_template),
|
|
}
|
|
|
|
file { "${conf_dir}/conf.d/proxy.conf":
|
|
ensure => absent,
|
|
}
|
|
|
|
file { "${conf_dir}/conf.d/default.conf":
|
|
ensure => absent,
|
|
}
|
|
|
|
file { "${conf_dir}/conf.d/example_ssl.conf":
|
|
ensure => absent,
|
|
}
|
|
|
|
file { "${temp_dir}/nginx.d":
|
|
ensure => absent,
|
|
purge => true,
|
|
recurse => true,
|
|
force => true,
|
|
}
|
|
|
|
file { "${temp_dir}/nginx.mail.d":
|
|
ensure => absent,
|
|
purge => true,
|
|
recurse => true,
|
|
force => true,
|
|
}
|
|
}
|