nginx-formula/pillar.example

306 lines
12 KiB
Plaintext
Raw Normal View History

2019-01-26 12:59:24 +01:00
#=====
# nginx: see `nginx.ng` state instead.
#======
nginx:
install_from_source: True
use_upstart: True
use_sysvinit: False
user_auth_enabled: True
with_luajit: False
with_openresty: True
repo_version: development # Must be using ppa install by setting `repo_source = ppa`
set_real_ips: # NOTE: to use this, nginx must have http_realip module enabled
from_ips:
- 10.10.10.0/24
real_ip_header: X-Forwarded-For
modules:
headers-more:
source: http://github.com/agentzh/headers-more-nginx-module/tarball/v0.21
source_hash: sha1=dbf914cbf3f7b6cb7e033fa7b7c49e2f8879113b
#pid: /var/run/nginx.pid
# Directory location must exist (i.e. it's /run/nginx.pid on EL7)
2014-05-16 00:06:48 +02:00
# ========
# nginx.ng
# ========
nginx:
2014-05-19 19:04:43 +02:00
ng:
# The following three `install_from_` options are mutually exclusive. If none is used, the distro's provided
# package will be installed. If one of the `install_from` option is set to `True`, the state will
# make sure the other two repos are removed.
# Use the official's nginx repo binaries
install_from_repo: false
# Use Phusionpassenger's repo to install nginx and passenger binaries
# Debian, Centos, Ubuntu and Redhat are currently available
install_from_phusionpassenger: false
# PPA install
install_from_ppa: false
2015-02-23 22:16:41 +01:00
# Set to 'stable', 'development' (mainline), 'community', or 'nightly' for each build accordingly ( https://launchpad.net/~nginx )
ppa_version: 'stable'
# Source install
source_version: '1.10.0'
source_hash: ''
2017-12-12 21:10:51 +01:00
2014-05-19 19:04:43 +02:00
# These are usually set by grains in map.jinja
# Typically you can comment these out.
2014-05-19 19:04:43 +02:00
lookup:
package: nginx-custom (can be a list)
service: nginx
webuser: www-data
conf_file: /etc/nginx/nginx.conf
server_available: /etc/nginx/sites-available
server_enabled: /etc/nginx/sites-enabled
server_use_symlink: True
# If you install nginx+passenger from phusionpassenger in Debian, these values will probably be needed
passenger_package: libnginx-mod-http-passenger
passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf
# This is required for RedHat like distros (Amazon Linux) that don't follow semantic versioning for $releasever
rh_os_releasever: '6'
# Currently it can be used on rhel/centos/suse when installing from repo
gpg_check: True
2019-01-26 12:59:24 +01:00
pid_file: /var/run/nginx.pid ### prevents rendering SLS error nginx.server.config.pid undefined ###
2017-12-12 21:10:51 +01:00
2014-05-16 00:06:48 +02:00
2014-05-19 19:04:43 +02:00
# Source compilation is not currently a part of nginx.ng
from_source: False
2014-05-16 00:06:48 +02:00
source:
opts: {}
2014-05-19 19:04:43 +02:00
package:
opts: {} # this partially exposes parameters of pkg.installed
2014-05-16 00:06:48 +02:00
2014-05-19 19:04:43 +02:00
service:
enable: True # Whether or not the service will be enabled/running or dead
opts: {} # this partially exposes parameters of service.running / service.dead
2014-05-16 00:06:48 +02:00
2019-01-26 17:06:59 +01:00
##--- --- - - - - - - -- - - - - -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
## You can use snippets to define often repeated configuration once and include it later
## The letsencrypt example below is consumed by "- include: 'snippets/letsencrypt.conf'"
##--- --- - - - - - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
snippets:
letsencrypt:
2018-10-20 16:36:16 +02:00
- location ^~ /.well-known/acme-challenge/:
- proxy_pass: http://localhost:9999
2019-01-26 17:06:59 +01:00
cloudflare_proxy:
- set_real_ip_from: 103.21.244.0/22
- set_real_ip_from: 103.22.200.0/22
- set_real_ip_from: 104.16.0.0/12
- set_real_ip_from: 108.162.192.0/18
blacklist:
- map $http_user_agent $bad_bot:
- default: 0
- '~*^Lynx': 0
- '~*malicious': 1
- '~*bot': 1
- '~*crawler': 1
- '~*bandit': 1
- libwww-perl: 1
- '~(?i)(httrack|htmlparser|libwww)': 1
upstream_netdata_tcp:
- upstream netdata:
- server: 127.0.0.1:19999
- keepalive: 64
2018-10-20 16:36:16 +02:00
2014-05-19 19:04:43 +02:00
server:
opts: {} # this partially exposes file.managed parameters as they relate to the main nginx.conf file
2014-05-16 00:06:48 +02:00
2019-01-26 17:06:59 +01:00
#-- - - - - -- - - -- - - - - -- - - -- - - - -- - - - - - -- - - - - - -- - - - - -- - - - - -- - - #
2014-05-19 19:04:43 +02:00
# nginx.conf (main server) declarations
# dictionaries map to blocks {} and lists cause the same declaration to repeat with different values
2019-01-25 16:41:57 +01:00
# see also http://nginx.org/en/docs/example.html
2019-01-26 17:06:59 +01:00
#-- - - - - -- - - -- - - - - -- - - -- - - - -- - - - - - -- - - - - - -- - - - - -- - - - - -- - - #
2017-12-12 21:10:51 +01:00
config:
2019-01-26 17:06:59 +01:00
include 'snippets/letsencrypt.conf'
source_path: salt://path_to_nginx_conf_file/nginx.conf # IMPORTANT: This option is mutually exclusive with the rest of the
2017-12-12 21:10:51 +01:00
# options; if it is found other options (worker_processes: 4 and so
# on) are not processed and just upload the file from source
2014-05-19 19:04:43 +02:00
worker_processes: 4
2019-01-26 12:59:24 +01:00
load_module: modules/ngx_http_lua_module.so # pass as very first in configuration; otherwise nginx will fail to start
#pid: /var/run/nginx.pid # Directory location must exist (i.e. it's /run/nginx.pid on EL7)
2014-05-19 19:04:43 +02:00
events:
worker_connections: 768
http:
sendfile: 'on'
2014-05-19 19:04:43 +02:00
include:
#### Note: Syntax issues in these files generate nginx [emerg] errors on startup. ####
2014-05-19 19:04:43 +02:00
- /etc/nginx/mime.types
2014-05-16 00:06:48 +02:00
2019-01-25 20:49:19 +01:00
### module ngx_http_log_module example
2019-01-25 16:41:57 +01:00
log_format: |-
main '...';
access_log /var/log/nginx/access_log main
access_log: [] #suppress default access_log option from being added
2019-01-25 20:49:19 +01:00
### module nngx_stream_core_module
2019-01-25 23:50:00 +01:00
### https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/#example
2019-01-25 20:49:19 +01:00
stream:
upstream lb-1000:
- server:
- hostname1.example.com:1000
- hostname2.example.com:1000
2019-01-25 23:50:00 +01:00
upstream stream_backend:
least_conn: ''
2019-01-26 17:06:59 +01:00
'server backend1.example.com:12345 weight=5':
'server backend2.example.com:12345 max_fails=2 fail_timeout=30s':
'server backend3.example.com:12345 max_conns=3':
2019-01-25 23:50:00 +01:00
upstream dns_servers:
least_conn:
2019-01-26 17:06:59 +01:00
'server 192.168.136.130:53':
'server 192.168.136.131:53':
'server 192.168.136.132:53':
2019-01-25 20:49:19 +01:00
server:
listen: 1000
proxy_pass: lb-1000
2019-01-25 23:50:00 +01:00
'server ':
listen: '53 udp'
proxy_pass: dns_servers
2019-01-26 17:06:59 +01:00
'server ':
2019-01-25 23:50:00 +01:00
listen: 12346
proxy_pass: backend4.example.com:12346
2019-01-25 20:49:19 +01:00
servers:
2014-05-19 19:04:43 +02:00
disabled_postfix: .disabled # a postfix appended to files when doing non-symlink disabling
symlink_opts: {} # partially exposes file.symlink params when symlinking enabled sites
rename_opts: {} # partially exposes file.rename params when not symlinking disabled/enabled sites
managed_opts: {} # partially exposes file.managed params for managed server files
2017-08-30 00:26:31 +02:00
dir_opts: {} # partially exposes file.directory params for site available/enabled and snippets dirs
2014-05-16 00:06:48 +02:00
2019-01-25 20:20:58 +01:00
#####################
# server declarations; placed by default in server "available" directory
#####################
2014-05-19 19:04:43 +02:00
managed:
2019-01-25 20:20:58 +01:00
mysite: # relative filename of server file (defaults to '/etc/nginx/sites-available/mysite')
2014-05-19 19:04:43 +02:00
# may be True, False, or None where True is enabled, False, disabled, and None indicates no action
enabled: True
2019-01-25 20:20:58 +01:00
# Remove the site config file shipped by nginx (i.e. '/etc/nginx/sites-available/default' by default)
# It also remove the symlink (if it is exists).
# The site MUST be disabled before delete it (if not the nginx is not reloaded).
2019-01-25 20:20:58 +01:00
#deleted: True
#available_dir: /etc/nginx/sites-available-custom # custom directory (not sites-available) for server filename
#enabled_dir: /etc/nginx/sites-enabled-custom # custom directory (not sites-enabled) for server filename
disabled_name: mysite.aint_on # an alternative disabled name to be use when not symlinking
overwrite: True # overwrite an existing server file or not
2017-12-12 21:10:51 +01:00
# May be a list of config options or None, if None, no server file will be managed/templated
2014-05-19 19:04:43 +02:00
# Take server directives as lists of dictionaries. If the dictionary value is another list of
# dictionaries a block {} will be started with the dictionary key name
config:
- server:
- server_name: localhost
2017-12-12 21:10:51 +01:00
- listen:
- '80 default_server'
- listen:
- '443 ssl'
- index: 'index.html index.htm'
- location ~ .htm:
- try_files: '$uri $uri/ =404'
- test: something else
- include 'snippets/letsencrypt.conf'
# Or a slightly more compact alternative syntax:
- server:
- server_name: localhost
- listen:
- '80 default_server'
- '443 ssl'
- index: 'index.html index.htm'
2014-05-19 19:04:43 +02:00
- location ~ .htm:
- try_files: '$uri $uri/ =404'
2014-05-19 19:04:43 +02:00
- test: something else
2018-10-20 16:36:16 +02:00
- include 'snippets/letsencrypt.conf'
2017-12-12 21:10:51 +01:00
# both of those output:
2014-05-19 19:04:43 +02:00
# server {
# server_name localhost;
# listen 80 default_server;
# listen 443 ssl;
2014-05-19 19:04:43 +02:00
# index index.html index.htm;
# location ~ .htm {
# try_files $uri $uri/ =404;
# test something else;
# }
2017-12-12 21:10:51 +01:00
# }
mysite2: # Using source_path options to upload the file instead of templating all the file
enabled: True
available_dir: /etc/nginx/sites-available
enabled_dir: /etc/nginx/sites-enabled
config:
source_path: salt://path-to-site-file/mysite2
2015-06-23 21:17:52 +02:00
# Below configuration becomes handy if you want to create custom configuration files
# for example if you want to create /usr/local/etc/nginx/http_options.conf with
# the following content:
# sendfile on;
# tcp_nopush on;
# tcp_nodelay on;
# send_iowait 12000;
http_options.conf:
enabled: True
available_dir: /usr/local/etc/nginx
enabled_dir: /usr/local/etc/nginx
config:
- sendfile: 'on'
- tcp_nopush: 'on'
- tcp_nodelay: 'on'
- send_iowait: 12000
2017-07-31 20:51:58 +02:00
certificates_path: '/etc/nginx/ssl' # Use this if you need to deploy below certificates in a custom path.
2015-06-23 21:17:52 +02:00
# If you're doing SSL termination, you can deploy certificates this way.
# The private one(s) should go in a separate pillar file not in version
# control (or use encrypted pillar data).
certificates:
'www.example.com':
# choose one of: deploying this cert by pillar (e.g. in combination with ext_pillar and file_tree)
# public_cert_pillar: certs:example.com:fullchain.pem
# private_key_pillar: certs:example.com:privkey.pem
# or directly pasting the cert
2015-06-23 21:17:52 +02:00
public_cert: |
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: www.example.com.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: ExampleCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
private_key: |
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: www.example.com.key)
-----END RSA PRIVATE KEY-----
dh_param:
'mydhparam1.pem': |
-----BEGIN DH PARAMETERS-----
(Your custom DH prime)
-----END DH PARAMETERS-----
# or to generate one on-the-fly
'mydhparam2.pem':
keysize: 2048
2017-05-04 18:34:22 +02:00
# Passenger configuration
# Default passenger configuration is provided, and will be deployed in
# /etc/nginx/conf.d/passenger.conf
passenger:
passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
passenger_ruby: /usr/bin/ruby
passenger_instance_registry_dir: /var/run/passenger-instreg