Advance SSL and proxy SSL settings (#100)
* Added stream template variables * Added logic in Stream template * Add udp variable * Add ssl protocols and ciphers * Add advanced SSL to template * Add SSL variables
parent
b7913c6c4d
commit
328318bc19
26
README.md
26
README.md
@ -328,6 +328,10 @@ nginx_http_template:
|
|||||||
ssl:
|
ssl:
|
||||||
cert: /etc/ssl/certs/default.crt
|
cert: /etc/ssl/certs/default.crt
|
||||||
key: /etc/ssl/private/default.key
|
key: /etc/ssl/private/default.key
|
||||||
|
protocols: TLSv1 TLSv1.1 TLSv1.2
|
||||||
|
ciphers: HIGH:!aNULL:!MD5
|
||||||
|
session_cache: none
|
||||||
|
session_timeout: 5m
|
||||||
web_server:
|
web_server:
|
||||||
locations:
|
locations:
|
||||||
default:
|
default:
|
||||||
@ -362,6 +366,17 @@ nginx_http_template:
|
|||||||
backend:
|
backend:
|
||||||
location: /
|
location: /
|
||||||
proxy_pass: http://backend
|
proxy_pass: http://backend
|
||||||
|
proxy_ssl:
|
||||||
|
cert: /etc/ssl/certs/proxy_default.crt
|
||||||
|
key: /etc/ssl/private/proxy_default.key
|
||||||
|
trusted_cert: /etc/ssl/certs/proxy_ca.crt
|
||||||
|
server_name: false
|
||||||
|
name: server_name
|
||||||
|
protocols: TLSv1 TLSv1.1 TLSv1.2
|
||||||
|
ciphers: HIGH:!aNULL:!MD5
|
||||||
|
verify: false
|
||||||
|
verify_depth: 1
|
||||||
|
session_reuse: true
|
||||||
proxy_cache: frontend_proxy_cache
|
proxy_cache: frontend_proxy_cache
|
||||||
proxy_temp_path:
|
proxy_temp_path:
|
||||||
path: /var/cache/nginx/proxy/backend/temp
|
path: /var/cache/nginx/proxy/backend/temp
|
||||||
@ -434,6 +449,17 @@ nginx_stream_template:
|
|||||||
proxy_timeout: 3s
|
proxy_timeout: 3s
|
||||||
proxy_connect_timeout: 1s
|
proxy_connect_timeout: 1s
|
||||||
proxy_protocol: false
|
proxy_protocol: false
|
||||||
|
proxy_ssl:
|
||||||
|
cert: /etc/ssl/certs/proxy_default.crt
|
||||||
|
key: /etc/ssl/private/proxy_default.key
|
||||||
|
trusted_cert: /etc/ssl/certs/proxy_ca.crt
|
||||||
|
server_name: false
|
||||||
|
name: server_name
|
||||||
|
protocols: TLSv1 TLSv1.1 TLSv1.2
|
||||||
|
ciphers: HIGH:!aNULL:!MD5
|
||||||
|
verify: false
|
||||||
|
verify_depth: 1
|
||||||
|
session_reuse: true
|
||||||
health_check_plus: false
|
health_check_plus: false
|
||||||
upstreams:
|
upstreams:
|
||||||
upstream1:
|
upstream1:
|
||||||
|
@ -170,6 +170,10 @@ nginx_http_template:
|
|||||||
ssl:
|
ssl:
|
||||||
cert: /etc/ssl/certs/default.crt
|
cert: /etc/ssl/certs/default.crt
|
||||||
key: /etc/ssl/private/default.key
|
key: /etc/ssl/private/default.key
|
||||||
|
protocols: TLSv1 TLSv1.1 TLSv1.2
|
||||||
|
ciphers: HIGH:!aNULL:!MD5
|
||||||
|
session_cache: none
|
||||||
|
session_timeout: 5m
|
||||||
web_server:
|
web_server:
|
||||||
locations:
|
locations:
|
||||||
default:
|
default:
|
||||||
@ -204,6 +208,15 @@ nginx_http_template:
|
|||||||
backend:
|
backend:
|
||||||
location: /
|
location: /
|
||||||
proxy_pass: http://backend
|
proxy_pass: http://backend
|
||||||
|
proxy_ssl:
|
||||||
|
cert: /etc/ssl/certs/proxy_default.crt
|
||||||
|
key: /etc/ssl/private/proxy_default.key
|
||||||
|
trusted_cert: /etc/ssl/certs/proxy_ca.crt
|
||||||
|
protocols: TLSv1 TLSv1.1 TLSv1.2
|
||||||
|
ciphers: HIGH:!aNULL:!MD5
|
||||||
|
verify: false
|
||||||
|
verify_depth: 1
|
||||||
|
session_reuse: true
|
||||||
proxy_cache: frontend_proxy_cache
|
proxy_cache: frontend_proxy_cache
|
||||||
proxy_temp_path:
|
proxy_temp_path:
|
||||||
path: /var/cache/nginx/proxy/backend/temp
|
path: /var/cache/nginx/proxy/backend/temp
|
||||||
@ -275,6 +288,15 @@ nginx_stream_template:
|
|||||||
proxy_timeout: 3s
|
proxy_timeout: 3s
|
||||||
proxy_connect_timeout: 1s
|
proxy_connect_timeout: 1s
|
||||||
proxy_protocol: false
|
proxy_protocol: false
|
||||||
|
proxy_ssl:
|
||||||
|
cert: /etc/ssl/certs/proxy_default.crt
|
||||||
|
key: /etc/ssl/private/proxy_default.key
|
||||||
|
trusted_cert: /etc/ssl/certs/proxy_ca.crt
|
||||||
|
protocols: TLSv1 TLSv1.1 TLSv1.2
|
||||||
|
ciphers: HIGH:!aNULL:!MD5
|
||||||
|
verify: false
|
||||||
|
verify_depth: 1
|
||||||
|
session_reuse: true
|
||||||
health_check_plus: false
|
health_check_plus: false
|
||||||
upstreams:
|
upstreams:
|
||||||
upstream1:
|
upstream1:
|
||||||
|
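Review bot: The shipped default `protocols: TLSv1 TLSv1.1 TLSv1.2` (first hunk under `ssl`, repeated in the `proxy_ssl` blocks of the second and third hunks) enables TLS 1.0 and 1.1, which are deprecated; since the templates only emit `ssl_protocols`/`proxy_ssl_protocols` when the key is defined, a default of `protocols: TLSv1.2` (adding TLSv1.3 where the nginx build supports it), or omitting the key so nginx's compiled-in default applies, would be the safer baseline. In the same `proxy_ssl` blocks `verify: false` sits next to `trusted_cert`, so a trusted CA is configured by default but upstream certificate verification stays off; a comment such as `# set verify: true for nginx to validate the upstream certificate against trusted_cert` would make that dependency explicit. The README hunks additionally document `server_name` and `name` keys under `proxy_ssl` that these defaults do not define; either add them here or drop them from the README example, noting that `name: server_name` as written would render literally as `proxy_ssl_name server_name;`.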
@ -52,6 +52,18 @@ server {
|
|||||||
listen {{ item.value.port }} ssl;
|
listen {{ item.value.port }} ssl;
|
||||||
ssl_certificate {{ item.value.ssl.cert }};
|
ssl_certificate {{ item.value.ssl.cert }};
|
||||||
ssl_certificate_key {{ item.value.ssl.key }};
|
ssl_certificate_key {{ item.value.ssl.key }};
|
||||||
|
{% if item.value.ssl.protocols is defined %}
|
||||||
|
ssl_protocols {{ item.value.ssl.protocols }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.ssl.ciphers is defined %}
|
||||||
|
ssl_ciphers {{ item.value.ssl.ciphers }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.ssl.session_cache is defined %}
|
||||||
|
ssl_session_cache {{ item.value.ssl.session_cache }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.ssl.session_timeout is defined %}
|
||||||
|
ssl_session_timeout {{ item.value.ssl.session_timeout }};
|
||||||
|
{% endif %}
|
||||||
{% else %}
|
{% else %}
|
||||||
listen {{ item.value.port }};
|
listen {{ item.value.port }};
|
||||||
{% endif %}
|
{% endif %}
|
||||||
@ -75,6 +87,39 @@ server {
|
|||||||
auth_basic_user_file {{ item.value.reverse_proxy.locations[location].auth_basic_file }};
|
auth_basic_user_file {{ item.value.reverse_proxy.locations[location].auth_basic_file }};
|
||||||
{% endif %}
|
{% endif %}
|
||||||
proxy_pass {{ item.value.reverse_proxy.locations[location].proxy_pass }};
|
proxy_pass {{ item.value.reverse_proxy.locations[location].proxy_pass }};
|
||||||
|
{% if item.value.reverse_proxy.locations[location].proxy_ssl is defined %}
|
||||||
|
|
||||||
|
{% if item.value.reverse_proxy.locations[location].proxy_ssl.cert is defined %}
|
||||||
|
proxy_ssl_certificate {{ item.value.reverse_proxy.locations[location].proxy_ssl.cert }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.reverse_proxy.locations[location].proxy_ssl.key is defined %}
|
||||||
|
proxy_ssl_certificate_key {{ item.value.reverse_proxy.locations[location].proxy_ssl.key }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.reverse_proxy.locations[location].proxy_ssl.trusted_cert is defined %}
|
||||||
|
proxy_ssl_trusted_certificate {{ item.value.reverse_proxy.locations[location].proxy_ssl.trusted_cert }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.reverse_proxy.locations[location].proxy_ssl.server_name is defined %}
|
||||||
|
proxy_ssl_server_name {{ item.value.reverse_proxy.locations[location].proxy_ssl.server_name | ternary("on", "off") }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.reverse_proxy.locations[location].proxy_ssl.name is defined %}
|
||||||
|
proxy_ssl_name {{ item.value.reverse_proxy.locations[location].proxy_ssl.name }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.reverse_proxy.locations[location].proxy_ssl.protocols is defined %}
|
||||||
|
proxy_ssl_protocols {{ item.value.reverse_proxy.locations[location].proxy_ssl.protocols }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.reverse_proxy.locations[location].proxy_ssl.ciphers is defined %}
|
||||||
|
proxy_ssl_ciphers {{ item.value.reverse_proxy.locations[location].proxy_ssl.ciphers }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.reverse_proxy.locations[location].proxy_ssl.verify is defined %}
|
||||||
|
proxy_ssl_verify {{ item.value.reverse_proxy.locations[location].proxy_ssl.verify | ternary("on", "off") }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.reverse_proxy.locations[location].proxy_ssl.verify_depth is defined %}
|
||||||
|
proxy_ssl_verify_depth {{ item.value.reverse_proxy.locations[location].proxy_ssl.verify_depth }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.reverse_proxy.locations[location].proxy_ssl.session_reuse is defined %}
|
||||||
|
proxy_ssl_session_reuse {{ item.value.reverse_proxy.locations[location].proxy_ssl.session_reuse | ternary("on", "off") }};
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
{% if item.value.reverse_proxy.locations[location].proxy_redirect is defined %}
|
{% if item.value.reverse_proxy.locations[location].proxy_redirect is defined %}
|
||||||
proxy_redirect {{ item.value.reverse_proxy.locations[location].proxy_redirect | ternary(item.value.reverse_proxy.locations[location].proxy_redirect, "off") }};
|
proxy_redirect {{ item.value.reverse_proxy.locations[location].proxy_redirect | ternary(item.value.reverse_proxy.locations[location].proxy_redirect, "off") }};
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
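Review bot: In the second hunk the new `proxy_ssl` block emits `proxy_ssl_trusted_certificate` and `proxy_ssl_verify` independently, so a location that sets `trusted_cert` but leaves `verify` unset or false gets a trusted CA that nginx does not use for verification, and nothing in the template documents that the whole block only matters when `proxy_pass` points at an `https://` upstream. A Jinja comment at the top of the block would capture both: `{# proxy_ssl_* take effect only when proxy_pass targets an https:// upstream; trusted_cert is used for verification only when verify is true #}`. The stray blank line added directly after the outer `{% if ... proxy_ssl is defined %}` can be dropped. The enclosing location loop and server block begin and end outside this hunk.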
@ -42,6 +42,39 @@ server {
|
|||||||
{% else %}
|
{% else %}
|
||||||
proxy_protocol off;
|
proxy_protocol off;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if item.value.network_streams[stream].proxy_ssl is defined %}
|
||||||
|
proxy_ssl on;
|
||||||
|
{% if item.value.network_streams[stream].proxy_ssl.cert is defined %}
|
||||||
|
proxy_ssl_certificate {{ item.value.network_streams[stream].proxy_ssl.cert }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.network_streams[stream].proxy_ssl.key is defined %}
|
||||||
|
proxy_ssl_certificate_key {{ item.value.network_streams[stream].proxy_ssl.key }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.network_streams[stream].proxy_ssl.server_name is defined %}
|
||||||
|
proxy_ssl_server_name {{ item.value.network_streams[stream].proxy_ssl.server_name | ternary("on", "off") }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.network_streams[stream].proxy_ssl.name is defined %}
|
||||||
|
proxy_ssl_name {{ item.value.network_streams[stream].proxy_ssl.name }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.network_streams[stream].proxy_ssl.protocols is defined %}
|
||||||
|
proxy_ssl_protocols {{ item.value.network_streams[stream].proxy_ssl.protocols }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.network_streams[stream].proxy_ssl.ciphers is defined %}
|
||||||
|
proxy_ssl_ciphers {{ item.value.network_streams[stream].proxy_ssl.ciphers }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.network_streams[stream].proxy_ssl.trusted_cert is defined %}
|
||||||
|
proxy_ssl_trusted_certificate {{ item.value.network_streams[stream].proxy_ssl.trusted_cert }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.network_streams[stream].proxy_ssl.verify is defined %}
|
||||||
|
proxy_ssl_verify {{ item.value.network_streams[stream].proxy_ssl.verify | ternary("on", "off") }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.network_streams[stream].proxy_ssl.verify_depth is defined %}
|
||||||
|
proxy_ssl_verify_depth {{ item.value.network_streams[stream].proxy_ssl.verify_depth }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.value.network_streams[stream].proxy_ssl.session_reuse is defined %}
|
||||||
|
proxy_ssl_session_reuse {{ item.value.network_streams[stream].proxy_ssl.session_reuse | ternary("on", "off") }};
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
{% if item.value.network_streams[stream].health_check_plus %}
|
{% if item.value.network_streams[stream].health_check_plus %}
|
||||||
health_check;
|
health_check;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
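Review bot: `proxy_ssl on;` is emitted whenever `proxy_ssl` is defined, so a user who sets `proxy_ssl: false` (or an empty value) to disable upstream TLS for one stream still gets TLS switched on with no certificate or verification directives; the surrounding template appears to test other toggles for truthiness rather than definedness (the `proxy_protocol off;` else-branch is visible as context, and `health_check_plus` is tested directly below), so `{% if item.value.network_streams[stream].proxy_ssl is defined and item.value.network_streams[stream].proxy_ssl %}` would be more consistent, though the condition for `proxy_protocol` itself lies outside the hunk. A short comment on the `proxy_ssl on;` line, such as `{# stream proxy_ssl_* settings mirror the http template; proxy_ssl_verify defaults to off in nginx unless verify is set #}`, would also help readers of the rendered config. The enclosing server block starts outside this hunk.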