{%- from slspath ~ '/../map.jinja' import listen_ips, listen_ips4, listen_ips6 -%}

# Salt pillar for the web-proxy role: nginx main config plus reusable snippets.
# listen_ips, listen_ips4 and listen_ips6 are imported from the sibling
# map.jinja above; their shape is not visible here, so each entry is assumed
# to be a bare address - TODO confirm against map.jinja.
# Keep this comment below the import line: that tag strips the whitespace on
# both sides, so a comment placed directly above it would be glued onto the
# following key when the pillar is rendered.
nginx:
  server:
    config:
      # Quoted so YAML keeps the nginx keyword as the string off, not a boolean.
      daemon: 'off'
      # NOTE(review): what the consuming nginx formula emits for an empty-list
      # value (directive omitted vs. emitted with no arguments) is not visible
      # here - verify in the formula's config template before adding more.
      user: []
      events:
        worker_connections: 1024
        use: epoll
      http:
        # Included at the http level; the snippet's contents live outside this
        # pillar.
        include: snippets/modsecurity
        tcp_nopush: []
        tcp_nodelay: []
        types_hash_max_size: []
        access_log: []
        error_log: []
        gzip: []
        gzip_disable: []
        # Block scalars keep the line breaks of the format string.
        # NOTE(review): the two formats below are byte-identical; presumably
        # main-with_ip was meant to differ - confirm the intended difference
        # before relying on the distinction anywhere.
        log_format main: |-
            '$remote_addr - $remote_user [$time_local] $http_host "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"'
        log_format main-with_ip: |-
            '$remote_addr - $remote_user [$time_local] $http_host "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"'

  snippets:
    # Serves a static robots.txt from the htdocs root.
    robots:
      - location /robots.txt:
        - root: /srv/www/htdocs
    # TLS hardening: TLS 1.3 only, session tickets disabled, server cipher
    # preference left off, OCSP stapling verified against the system CA
    # bundle, and HSTS with a two-year (63072000 s) max-age.
    tls:
      - ssl_session_timeout: 1d
      - ssl_session_cache: shared:Lysergic:10m
      - ssl_session_tickets: 'off'
      - ssl_protocols: TLSv1.3
      - ssl_prefer_server_ciphers: 'off'
      # nginx does not inherit add_header into a block that defines its own
      # add_header, so any location with extra headers has to repeat this one
      # for HSTS to reach clients - NOTE(review): check the servers that
      # include this snippet.
      - add_header: Strict-Transport-Security "max-age=63072000" always
      - ssl_stapling: 'on'
      - ssl_stapling_verify: 'on'
      - ssl_trusted_certificate: /etc/ssl/ca-bundle.pem
    # Hands every URI ending in .php to php-fpm over the unix socket.
    # NOTE(review): nothing here restricts the location to scripts that exist
    # on disk; together with PHP's cgi.fix_pathinfo this is the well-known
    # nginx/php-fpm pitfall. Consider adding `try_files $uri =404` to the
    # location, or confirm cgi.fix_pathinfo=0 on the php-fpm side.
    php-fastcgi:
      - 'location ~* \.php$':
        - fastcgi_index: index.php
        - fastcgi_pass: unix:/run/php-fpm/php-fpm.sock
        - 'include': fastcgi_params
        - fastcgi_param: SCRIPT_FILENAME $document_root$fastcgi_script_name
    # Rendered only when map.jinja supplies listen addresses: one listen
    # directive per IPv4 address, plus one per (bracketed) IPv6 address when
    # any are set, all on 443 with TLS and HTTP/2.
    # NOTE(review): the outer guard tests listen_ips while the loops iterate
    # listen_ips4/listen_ips6; if listen_ips can be non-empty while both of
    # those are empty, "listen:" renders as a bare null key - confirm in
    # map.jinja. The `http2` listen parameter is deprecated since nginx 1.25.1
    # in favour of `http2 on;`; harmless on older builds, confirm the target
    # version.
    {%- if listen_ips | length %}
    listen:
      {%- for ip4 in listen_ips4 %}
      - listen: {{ ip4 }}:443 ssl http2
      {%- endfor %}
      {%- if listen_ips6 | length %}
      {%- for ip6 in listen_ips6 %}
      - listen: '[{{ ip6 }}]:443 ssl http2'
      {%- endfor %}
      {%- endif %}
    {%- endif %}

# Opens http and https in firewalld's "internal" zone only. Which interfaces
# or sources are members of that zone is defined outside this pillar -
# NOTE(review): confirm the proxy's client-facing interface is assigned to
# "internal"; if it sits in another zone, the listen directives above would
# not be reachable through the firewall.
firewalld:
  zones:
    internal:
      services:
        - http
        - https