622d22f971
Also, check config before applying
383 lines
14 KiB
YAML
383 lines
14 KiB
YAML
# -*- coding: utf-8 -*-
|
|
# vim: ft=yaml
|
|
---
|
|
# ========
|
|
# nginx (previously named nginx:ng)
|
|
# ========
|
|
|
|
nginx:
|
|
# The following three `install_from_` options are mutually exclusive. If none
|
|
# is used, the distro's provided package will be installed. If one of the
|
|
# `install_from` option is set to `true`, the state will make sure the other
|
|
# two repos are removed.
|
|
|
|
# Use the official's nginx repo binaries
|
|
install_from_repo: false
|
|
|
|
# Use Phusionpassenger's repo to install nginx and passenger binaries
|
|
# Debian, Centos, Ubuntu and Redhat are currently available
|
|
install_from_phusionpassenger: false
|
|
|
|
# PPA install
|
|
install_from_ppa: false
|
|
# Set to 'stable', 'development' (mainline), 'community', or 'nightly' for
|
|
# each build accordingly ( https://launchpad.net/~nginx )
|
|
ppa_version: 'stable'
|
|
|
|
# Source install
|
|
source_version: '1.10.0'
|
|
source_hash: ''
|
|
|
|
# Check the configuration before applying:
|
|
# To prevent applying a configuration that might break nginx, set this
|
|
# parameter to true so the configuration is checked BEFORE applying. If
|
|
# the check fails, the state will fail and it won't be deployed.
|
|
# CAVEAT: As the configuration file is created in a temp dir, it can't
|
|
# have relative references or it will fail to check. You'll need to
|
|
# specify full paths where required (ie, `include`, `load_module`,
|
|
# `snippets`, etc.0
|
|
# Defaults to false
|
|
check_config_before_apply: false
|
|
|
|
# These are usually set by grains in map.jinja
|
|
# Typically you can comment these out.
|
|
lookup:
|
|
package: nginx-custom (can be a list)
|
|
service: nginx
|
|
webuser: www-data
|
|
conf_file: /etc/nginx/nginx.conf
|
|
server_available: /etc/nginx/sites-available
|
|
server_enabled: /etc/nginx/sites-enabled
|
|
server_use_symlink: true
|
|
# If you install nginx+passenger from phusionpassenger in Debian, these
|
|
# values will probably be needed
|
|
passenger_package: libnginx-mod-http-passenger
|
|
passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf
|
|
|
|
# This is required for RedHat like distros (Amazon Linux) that don't follow
|
|
# semantic versioning for $releasever
|
|
rh_os_releasever: '6'
|
|
# Currently it can be used on rhel/centos/suse when installing from repo
|
|
gpg_check: true
|
|
### prevents rendering SLS error nginx.server.config.pid undefined ###
|
|
pid_file: /var/run/nginx.pid
|
|
|
|
|
|
# Source compilation is not currently a part of nginx
|
|
from_source: false
|
|
|
|
source:
|
|
opts: {}
|
|
|
|
package:
|
|
opts: {} # this partially exposes parameters of pkg.installed
|
|
|
|
service:
|
|
enable: true # Whether or not the service will be enabled/running or dead
|
|
opts: {} # this partially exposes parameters of service.running / service.dead
|
|
|
|
## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
|
|
## You can use snippets to define often repeated configuration once and
|
|
## include it later # The letsencrypt example below is consumed by "- include:
|
|
## 'snippets/letsencrypt.conf'" # Files or Templates can be retrieved by TOFS
|
|
## with snippet name ( Fallback to server.conf )
|
|
## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
|
|
snippets:
|
|
letsencrypt.conf:
|
|
- location ^~ /.well-known/acme-challenge/:
|
|
- proxy_pass: http://localhost:9999
|
|
cloudflare_proxy.conf:
|
|
- set_real_ip_from: 103.21.244.0/22
|
|
- set_real_ip_from: 103.22.200.0/22
|
|
- set_real_ip_from: 104.16.0.0/12
|
|
- set_real_ip_from: 108.162.192.0/18
|
|
blacklist.conf:
|
|
- map $http_user_agent $bad_bot:
|
|
- default: 0
|
|
- '~*^Lynx': 0
|
|
- '~*malicious': 1
|
|
- '~*bot': 1
|
|
- '~*crawler': 1
|
|
- '~*bandit': 1
|
|
- libwww-perl: 1
|
|
- '~(?i)(httrack|htmlparser|libwww)': 1
|
|
upstream_netdata_tcp.conf:
|
|
- upstream netdata:
|
|
- server: 127.0.0.1:19999
|
|
- keepalive: 64
|
|
|
|
server:
|
|
# this partially exposes file.managed parameters as they relate to the main
|
|
# nginx.conf file
|
|
opts: {}
|
|
|
|
## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
|
|
# nginx.conf (main server) declarations dictionaries map to blocks {} and
|
|
# lists cause the same declaration to repeat with different values see also
|
|
# http://nginx.org/en/docs/example.html Nginx config file or template can
|
|
# be retrieved by TOFS ( Fallback to nginx.conf )
|
|
## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
|
|
config:
|
|
include: 'snippets/letsencrypt.conf'
|
|
# IMPORTANT: This option is mutually exclusive with TOFS and the rest of
|
|
# the options; if it is found other options (worker_processes: 4 and so
|
|
# on) are not processed and just upload the file from source
|
|
source_path: salt://path_to_nginx_conf_file/nginx.conf
|
|
worker_processes: 4
|
|
# pass as very first in configuration; otherwise nginx will fail to start
|
|
load_module: modules/ngx_http_lua_module.so
|
|
# Directory location must exist (i.e. it's /run/nginx.pid on EL7)
|
|
# pid: /var/run/nginx.pid
|
|
events:
|
|
worker_connections: 1024
|
|
http:
|
|
sendfile: 'on'
|
|
include:
|
|
#### Note: Syntax issues in these files generate nginx [emerg] errors
|
|
#### on startup.
|
|
- /etc/nginx/mime.types
|
|
|
|
### module ngx_http_log_module example
|
|
log_format: |-
|
|
main '$remote_addr - $remote_user [$time_local] $status '
|
|
'"$request" $body_bytes_sent "$http_referer" '
|
|
'"$http_user_agent" "$http_x_forwarded_for"'
|
|
access_log: [] # suppress default access_log option from being added
|
|
|
|
# module nngx_stream_core_module
|
|
# yamllint disable-line rule:line-length
|
|
# https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/#example
|
|
stream:
|
|
upstream lb-1000:
|
|
- server:
|
|
- hostname1.example.com:1000
|
|
- hostname2.example.com:1000
|
|
upstream stream_backend:
|
|
least_conn: ''
|
|
'server backend1.example.com:12345 weight=5': ~
|
|
'server backend2.example.com:12345 max_fails=2 fail_timeout=30s': ~
|
|
'server backend3.example.com:12345 max_conns=3': ~
|
|
upstream dns_servers:
|
|
least_conn: ''
|
|
'server 192.168.136.130:53': ~
|
|
'server 192.168.136.131:53': ~
|
|
'server 192.168.136.132:53': ~
|
|
server:
|
|
listen: 1000
|
|
proxy_pass: lb-1000
|
|
'server ':
|
|
listen: '53 udp'
|
|
proxy_pass: dns_servers
|
|
'server ':
|
|
listen: 12346
|
|
proxy_pass: backend4.example.com:12346
|
|
|
|
|
|
servers:
|
|
# a postfix appended to files when doing non-symlink disabling
|
|
disabled_postfix: .disabled
|
|
# partially exposes file.symlink params when symlinking enabled sites
|
|
symlink_opts: {}
|
|
# partially exposes file.rename params when not symlinking disabled/enabled sites
|
|
rename_opts: {}
|
|
# partially exposes file.managed params for managed server files
|
|
managed_opts: {}
|
|
# partially exposes file.directory params for site available/enabled and
|
|
# snippets dirs
|
|
dir_opts: {}
|
|
# let the choice to purge site-available and site-enable folders before add new ones
|
|
# (if True it removes all non-salt-managed files)
|
|
purge_servers_config: false
|
|
|
|
|
|
#####################
|
|
# server declarations; placed by default in server "available" directory
|
|
#####################
|
|
managed:
|
|
|
|
# relative filename of server file
|
|
# (defaults to '/etc/nginx/sites-available/mysite')
|
|
mysite:
|
|
# may be true, false, or None where true is enabled, false, disabled,
|
|
# and None indicates no action
|
|
enabled: true
|
|
|
|
# This let's you add dependencies on other resources being applied for a
|
|
# particular vhost
|
|
# A common case is when you use this formula together with letsencrypt's,
|
|
# validating through nginx: you need nginx running (to validate the vhost) but
|
|
# can't have the ssl vhost up until the certificate is created (because it
|
|
# won't exist and will make nginx fail to load the configuration)
|
|
#
|
|
# An example, when using LE to create the cert for 'some.host.domain':
|
|
# requires:
|
|
# cmd: create-initial-cert-some.host.domain
|
|
requires: {}
|
|
|
|
# Remove the site config file shipped by nginx
|
|
# (i.e. '/etc/nginx/sites-available/default' by default)
|
|
# It also remove the symlink (if it is exists).
|
|
# The site MUST be disabled before delete it (if not the nginx is not
|
|
# reloaded).
|
|
# deleted: true
|
|
|
|
# custom directory (not sites-available) for server filename
|
|
# available_dir: /etc/nginx/sites-available-custom
|
|
# custom directory (not sites-enabled) for server filename
|
|
# enabled_dir: /etc/nginx/sites-enabled-custom
|
|
# an alternative disabled name to be use when not symlinking
|
|
disabled_name: mysite.aint_on
|
|
# overwrite an existing server file or not
|
|
overwrite: true
|
|
|
|
# May be a list of config options or None, if None, no server file will
|
|
# be managed/templated Take server directives as lists of dictionaries.
|
|
# If the dictionary value is another list of dictionaries a block {}
|
|
# will be started with the dictionary key name
|
|
config:
|
|
# both of the methods below lead to the output:
|
|
# server {
|
|
# server_name localhost;
|
|
# listen 80 default_server;
|
|
# listen 443 ssl;
|
|
# index index.html index.htm;
|
|
# location ~ .htm {
|
|
# try_files $uri $uri/ =404;
|
|
# test something else;
|
|
# }
|
|
# }
|
|
|
|
- server:
|
|
- server_name: localhost
|
|
- listen:
|
|
- '80 default_server'
|
|
- listen:
|
|
- '443 ssl'
|
|
- index: 'index.html index.htm'
|
|
- location ~ .htm:
|
|
- try_files: '$uri $uri/ =404'
|
|
- test: something else
|
|
- include: 'snippets/letsencrypt.conf'
|
|
|
|
# Or a slightly more compact alternative syntax:
|
|
- server:
|
|
- server_name: localhost
|
|
- listen:
|
|
- '80 default_server'
|
|
- '443 ssl'
|
|
- index: 'index.html index.htm'
|
|
- location ~ .htm:
|
|
- try_files: '$uri $uri/ =404'
|
|
- test: something else
|
|
- include: 'snippets/letsencrypt.conf'
|
|
|
|
|
|
# Using source_path options to upload the file instead of templating all the file
|
|
mysite2:
|
|
enabled: true
|
|
available_dir: /etc/nginx/sites-available
|
|
enabled_dir: /etc/nginx/sites-enabled
|
|
config:
|
|
# IMPORTANT: This field is mutually exclusive with TOFS and other
|
|
# config options, it just uploads the specified file
|
|
source_path: salt://path-to-site-file/mysite2
|
|
|
|
# Below configuration becomes handy if you want to create custom
|
|
# configuration files for example if you want to create
|
|
# /usr/local/etc/nginx/http_options.conf with the following content:
|
|
|
|
# sendfile on;
|
|
# tcp_nopush on;
|
|
# tcp_nodelay on;
|
|
# send_iowait 12000;
|
|
|
|
http_options.conf:
|
|
enabled: true
|
|
available_dir: /usr/local/etc/nginx
|
|
enabled_dir: /usr/local/etc/nginx
|
|
config:
|
|
- sendfile: 'on'
|
|
- tcp_nopush: 'on'
|
|
- tcp_nodelay: 'on'
|
|
- send_iowait: 12000
|
|
|
|
# Use this if you need to deploy below certificates in a custom path.
|
|
certificates_path: '/etc/nginx/ssl'
|
|
# If you're doing SSL termination, you can deploy certificates this way.
|
|
# The private one(s) should go in a separate pillar file not in version
|
|
# control (or use encrypted pillar data).
|
|
certificates:
|
|
'www.example.com':
|
|
|
|
# choose one of: deploying this cert by pillar (e.g. in combination with
|
|
# ext_pillar and file_tree)
|
|
# public_cert_pillar: certs:example.com:fullchain.pem
|
|
# private_key_pillar: certs:example.com:privkey.pem
|
|
# or directly pasting the cert
|
|
public_cert: |
|
|
-----BEGIN CERTIFICATE-----
|
|
(Your Primary SSL certificate: www.example.com.crt)
|
|
-----END CERTIFICATE-----
|
|
-----BEGIN CERTIFICATE-----
|
|
(Your Intermediate certificate: ExampleCA.crt)
|
|
-----END CERTIFICATE-----
|
|
-----BEGIN CERTIFICATE-----
|
|
(Your Root certificate: TrustedRoot.crt)
|
|
-----END CERTIFICATE-----
|
|
private_key: |
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
(Your Private Key: www.example.com.key)
|
|
-----END RSA PRIVATE KEY-----
|
|
|
|
dh_param:
|
|
'mydhparam1.pem': |
|
|
-----BEGIN DH PARAMETERS-----
|
|
(Your custom DH prime)
|
|
-----END DH PARAMETERS-----
|
|
# or to generate one on-the-fly
|
|
'mydhparam2.pem':
|
|
keysize: 2048
|
|
|
|
# Passenger configuration
|
|
# Default passenger configuration is provided, and will be deployed in
|
|
# /etc/nginx/conf.d/passenger.conf
|
|
# Passenger conf can be retrieved by TOFS ( Fallback to nginx.conf )
|
|
passenger:
|
|
passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
|
|
passenger_ruby: /usr/bin/ruby
|
|
passenger_instance_registry_dir: /var/run/passenger-instreg
|
|
|
|
tofs:
|
|
# The files_switch key serves as a selector for alternative
|
|
# directories under the formula files directory. See TOFS pattern
|
|
# doc for more info.
|
|
# Note: Any value not evaluated by `config.get` will be used literally.
|
|
# This can be used to set custom paths, as many levels deep as required.
|
|
# files_switch:
|
|
# - any/path/can/be/used/here
|
|
# - id
|
|
# - role
|
|
# - osfinger
|
|
# - os
|
|
# - os_family
|
|
#
|
|
# All aspects of path/file resolution are customisable using the options below.
|
|
# This is unnecessary in most cases; there are sensible defaults.
|
|
# Default path: salt://< path_prefix >/< dirs.files >/< dirs.default >
|
|
# I.e.: salt://nginx/files/default
|
|
# path_prefix: template_alt
|
|
# dirs:
|
|
# files: files_alt
|
|
# default: default_alt
|
|
source_files:
|
|
nginx_config_file_managed:
|
|
- alt_nginx.conf
|
|
passenger_config_file_managed:
|
|
- alt_nginx.conf
|
|
server_conf_file_managed:
|
|
- alt_server.conf
|
|
nginx_systemd_service_file:
|
|
- alt_nginx.service
|
|
nginx_snippet_file_managed:
|
|
- alt_server.conf
|