Catching up Webserver config

DarkFeather 2022-12-18 22:21:39 -06:00
parent 72a62b63eb
commit 890e20c64c
Signed by: DarkFeather
GPG Key ID: 1CC1E3F4ED06F296
10 changed files with 81 additions and 46 deletions


@ -1,21 +1,12 @@
server {
listen 443 ssl http2;
server_name default_server;
include sec.conf;
include letsencrypt.conf;
include default.csp.conf;
rewrite ^/(.*)$ https://aninix.net/$1 permanent;
}
server {
listen 443 ssl http2;
server_name aninix.net;
include sec.conf;
include letsencrypt.conf;
include default.csp.conf;
include letsencrypt.conf;
location / {
rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html;
@ -54,3 +45,16 @@ server {
}
}
server {
listen 443 ssl http2;
server_name foundation.aninix.net;
include sec.conf;
include letsencrypt.conf;
include default.csp.conf;
location / {
rewrite ^/(.*)$ https://aninix.net/$1 permanent;
}
}
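Review bot: With the first server block gone, nothing in this file claims the default for the 443 socket, so unless another file sets it, a request whose Host matches no server_name is answered by whichever vhost nginx loads first. The removed block used `server_name default_server;`, which is a literal hostname rather than the `default_server` flag on `listen`, so the gap may predate this change. I would add an explicit catch-all with `listen 443 ssl http2 default_server;`, `server_name _;` and `return 444;` so unknown hostnames never reach an application vhost. Which lines were removed is inferred from the hunk counts, since the +/- markers are lost on this page.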


@ -4,7 +4,6 @@ server {
include sec.conf;
include default.csp.conf;
include letsencrypt.conf;
location /
{
@ -19,4 +18,7 @@ server {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-PORT $remote_port;
}
include letsencrypt.conf;
}


@ -2,7 +2,7 @@ server {
listen 443 ssl;
server_name lykos.aninix.net;
include letsencrypt.conf;
# include local.conf;
root /usr/share/webapps/;
@ -34,4 +34,6 @@ server {
deny all;
}
include letsencrypt.conf;
}


@ -6,6 +6,7 @@ server {
include default.csp.conf;
include letsencrypt.conf;
location / {
root /usr/share/webapps/self-service-password/htdocs/;
# https://ltb-project.org/documentation/self-service-password/1.3/config_nginx
@ -28,6 +29,7 @@ server {
#access_log /dev/stdout info;
include ../conf.d/fastcgi.config;
}
# deny access to . files, for security
#


@ -0,0 +1,14 @@
server {
listen 443 ssl;
server_name travelpawscvt.com;
#include local.conf;
include letsencrypt.conf;
include ../conf.d/fastcgi.config;
root /opt/travelpawscvt;
client_max_body_size 5m;
client_body_timeout 60;
}
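Review bot: The new travelpawscvt.com block listens with `ssl` but, unlike most other vhosts in this commit, has neither `include sec.conf;` nor `include default.csp.conf;`. The sec.conf template in this same commit is where ssl_certificate, ssl_protocols, the cipher list and the HSTS header are set. Unless it is also included at http level (not visible here), this vhost gets no certificate and none of the TLS hardening. I would add `include sec.conf;` and `include default.csp.conf;` after `server_name`, and confirm the certificate lineage selected by `ssl.identity` actually covers travelpawscvt.com.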


@ -4,7 +4,6 @@ server {
include sec.conf;
include default.csp.conf;
include letsencrypt.conf;
location /
{
@ -12,4 +11,6 @@ server {
autoindex on;
autoindex_format html;
}
include letsencrypt.conf;
}


@ -1,5 +1,4 @@
location ~ ^/.well-known/acme-challenge
{
location /.well-known/acme-challenge {
allow all;
root /var/lib/letsencrypt/;
default_type "text/plain";
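Review bot: The new `location /.well-known/acme-challenge {` is a plain prefix match, so any regex location in the including server block is still evaluated after it and wins if it matches. The self-service-password vhost carries a "deny access to . files" rule; if that is the usual `location ~ /\.` (its body is not shown here), it would match `/.well-known/...` and block certificate renewal. I would write `location ^~ /.well-known/acme-challenge/ {`, which stops the regex search and, with the trailing slash, does not match sibling paths that merely share the prefix. The location body continues past the end of this hunk.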


@ -53,6 +53,17 @@
mode: 0660
register: conf
- name: Populate security config
become: yes
template:
src: sec.conf.j2
dest: /opt/openresty/nginx/conf/sec.conf
owner: http
group: http
mode: 0660
register: secconf
- name: Ensure default openresty service file is off.
become: yes
service:
@ -62,7 +73,7 @@
- name: Ensure service is started
become: yes
when: conf.changed or confd.changed
when: conf.changed or confd.changed or secconf.changed
service:
name: "{{ item }}"
enabled: yes
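Review bot: The new "Populate security config" task installs sec.conf as `owner: http` with `mode: 0660`, so the account the task names `http` can rewrite the file that selects the certificate, protocols and ciphers. If that is the account the web server workers run as, a compromise of a worker or a proxied app could change the TLS policy applied on the next reload. I would use `owner: root`, `group: http` and `mode: "0640"`, quoting the mode so it is never read as a decimal integer. The same pattern appears in the context task above. The "Ensure service is started" task continues past the end of this hunk.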


@ -1,12 +1,12 @@
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_certificate /etc/letsencrypt/live/aninix.net-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/aninix.net-0001/privkey.pem;
ssl_certificate /etc/letsencrypt/live/{{ ssl.identity }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ ssl.identity }}/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ciphers "{{ ssl.ciphersuite }}";
ssl_prefer_server_ciphers on;
add_header "Strict-Transport-Security" "max-age=63072000; includeSubDomains; preload";
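Review bot: The template now takes both the certificate path and the cipher list from inventory (`ssl.identity`, `ssl.ciphersuite`), but nothing in the file says what those variables must contain. The previous literal documented the policy in place (no NULL, no SSLv2/SSLv3/TLSv1, AEAD and ECDHE/DHE suites only). I would add a Jinja comment at the top such as `{# ssl.identity: directory name under /etc/letsencrypt/live; ssl.ciphersuite: OpenSSL cipher string, must keep the !NULL and legacy-protocol exclusions #}`. An empty or mistyped cipher string would only surface when nginx restarts, so an `assert` on `ssl.ciphersuite | length > 0` before the template task would also help.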