Feat: add link role
This commit is contained in:
Ana Custura
parent
051c1ab57f
commit
1730aa5b13
26 changed files with 716 additions and 0 deletions
91
roles/podman_link/templates/nginx.conf
Normal file
91
roles/podman_link/templates/nginx.conf
Normal file
|
|
@ -0,0 +1,91 @@
|
|||
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
|
||||
# scheme used to connect to this server
|
||||
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
|
||||
default $http_x_forwarded_proto;
|
||||
'' $scheme;
|
||||
}
|
||||
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
|
||||
# server port the client connected to
|
||||
map $http_x_forwarded_port $proxy_x_forwarded_port {
|
||||
default $http_x_forwarded_port;
|
||||
'' $server_port;
|
||||
}
|
||||
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
|
||||
# Connection header that may have been passed to this server
|
||||
map $http_upgrade $proxy_connection {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
# Apply fix for very long server names
|
||||
server_names_hash_bucket_size 128;
|
||||
# Default dhparam
|
||||
# Set appropriate X-Forwarded-Ssl header
|
||||
map $scheme $proxy_x_forwarded_ssl {
|
||||
default off;
|
||||
https on;
|
||||
}
|
||||
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent"';
|
||||
access_log off;
|
||||
# HTTP 1.1 support
|
||||
proxy_http_version 1.1;
|
||||
proxy_buffering off;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $proxy_connection;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
|
||||
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
|
||||
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
|
||||
# Mitigate httpoxy attack (see README for details)
|
||||
proxy_set_header Proxy "";
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name {{ podman_link_web_hostname }};
|
||||
server_tokens off;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://{{ podman_link_web_hostname }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
upstream zammad {
|
||||
server zammad-nginx:8080;
|
||||
}
|
||||
|
||||
server {
|
||||
server_name {{ podman_link_web_hostname }};
|
||||
listen 80 ;
|
||||
access_log /var/log/nginx/access.log vhost;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
server_name {{ podman_link_web_hostname }};
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
server_tokens off;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/{{ podman_link_web_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ podman_link_web_hostname }}/privkey.pem;
|
||||
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
location / {
|
||||
proxy_pass http://zammad;
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue