2023-02-05 19:19:27 +01:00
|
|
|
{%- from slspath ~ '/../map.jinja' import listen_ips, listen_ips4, listen_ips6 -%}
|
2023-02-04 11:47:09 +01:00
|
|
|
|
|
|
|
nginx:
|
2023-02-05 19:59:04 +01:00
|
|
|
server:
|
|
|
|
config:
|
|
|
|
daemon: 'off'
|
|
|
|
user: []
|
|
|
|
events:
|
|
|
|
worker_connections: 1024
|
|
|
|
use: epoll
|
|
|
|
http:
|
|
|
|
include: snippets/modsecurity
|
|
|
|
tcp_nopush: []
|
|
|
|
tcp_nodelay: []
|
|
|
|
types_hash_max_size: []
|
|
|
|
access_log: []
|
|
|
|
error_log: []
|
|
|
|
gzip: []
|
|
|
|
gzip_disable: []
|
|
|
|
log_format main: |-
|
|
|
|
'$remote_addr - $remote_user [$time_local] $http_host "$request" '
|
|
|
|
'$status $body_bytes_sent "$http_referer" '
|
|
|
|
'"$http_user_agent" "$http_x_forwarded_for"'
|
|
|
|
log_format main-with_ip: |-
|
|
|
|
'$remote_addr - $remote_user [$time_local] $http_host "$request" '
|
|
|
|
'$status $body_bytes_sent "$http_referer" '
|
|
|
|
'"$http_user_agent" "$http_x_forwarded_for"'
|
|
|
|
|
2023-02-04 11:47:09 +01:00
|
|
|
snippets:
|
|
|
|
robots:
|
|
|
|
- location /robots.txt:
|
|
|
|
- root: /srv/www/htdocs
|
2023-02-05 10:05:20 +01:00
|
|
|
tls:
|
|
|
|
- ssl_session_timeout: 1d
|
|
|
|
- ssl_session_cache: shared:Lysergic:10m
|
|
|
|
- ssl_session_tickets: 'off'
|
|
|
|
- ssl_protocols: TLSv1.3
|
|
|
|
- ssl_prefer_server_ciphers: 'off'
|
|
|
|
- add_header: Strict-Transport-Security "max-age=63072000" always
|
|
|
|
- ssl_stapling: 'on'
|
|
|
|
- ssl_stapling_verify: 'on'
|
|
|
|
- ssl_trusted_certificate: /etc/ssl/ca-bundle.pem
|
2023-02-04 11:47:09 +01:00
|
|
|
php-fastcgi:
|
|
|
|
- 'location ~* \.php$':
|
|
|
|
- fastcgi_index: index.php
|
|
|
|
- fastcgi_pass: unix:/run/php-fpm/php-fpm.sock
|
|
|
|
- 'include': fastcgi_params
|
|
|
|
- fastcgi_param: SCRIPT_FILENAME $document_root$fastcgi_script_name
|
|
|
|
{%- if listen_ips | length %}
|
|
|
|
listen:
|
2023-02-05 19:19:27 +01:00
|
|
|
{%- for ip4 in listen_ips4 %}
|
|
|
|
- listen: {{ ip4 }}:443 ssl http2
|
2023-02-04 11:47:09 +01:00
|
|
|
{%- endfor %}
|
2023-02-05 19:19:27 +01:00
|
|
|
{%- if listen_ips6 | length %}
|
|
|
|
{%- for ip6 in listen_ips6 %}
|
|
|
|
- listen: '[{{ ip6 }}]:443 ssl http2'
|
|
|
|
{%- endfor %}
|
|
|
|
{%- endif %}
|
2023-02-04 11:47:09 +01:00
|
|
|
{%- endif %}
|
|
|
|
|
2023-02-05 14:29:25 +01:00
|
|
|
firewalld:
|
|
|
|
zones:
|
|
|
|
internal:
|
|
|
|
services:
|
|
|
|
- http
|
|
|
|
- https
|