---
# Enable creating dynamic templated NGINX HTML demo websites.
# Disabled by default; nothing below is rendered unless the toggle is set to true.
nginx_html_demo_template_enable: false
nginx_html_demo_template:
  default:
    # Jinja2 template the demo page is rendered from.
    template_file: www/index.html.j2
    html_file_name: index.html
    # NOTE(review): same path as the 'root' used in the HTTP template defaults,
    # so an enabled demo page lands in a directory that is served to clients.
    html_file_location: /usr/share/nginx/html
    web_server_name: Default
# Enable creating dynamic templated NGINX configuration files.
# Defaults are the values found in a fresh NGINX installation.
# NOTE(review): indentation was lost on the rendered page; the nesting below is
# reconstructed from key order - confirm against the role's nginx.conf.j2.
nginx_main_template_enable: false
nginx_main_template:
  template_file: nginx.conf.j2
  conf_file_name: nginx.conf
  conf_file_location: /etc/nginx/
  # Account for the NGINX 'user' setting; a dedicated unprivileged account.
  user: nginx
  worker_processes: auto
  # worker_rlimit_nofile: 1024
  error_log:
    location: /var/log/nginx/error.log
    level: warn
  worker_connections: 1024
  http_enable: true
  http_settings:
    access_log_format:
      - name: main
        # NOTE(review): $request, $http_referer, $http_user_agent and
        # $http_x_forwarded_for are supplied by the client. Treat them as
        # untrusted in log pipelines, and do not read the logged
        # X-Forwarded-For value as the authoritative client address.
        format: |-
          '$remote_addr - $remote_user [$time_local] "$request" '
          '$status $body_bytes_sent "$http_referer" '
          '"$http_user_agent" "$http_x_forwarded_for"'
    access_log_location:
      - name: main
        location: /var/log/nginx/access.log
    tcp_nopush: true
    tcp_nodelay: true
    keepalive_timeout: 65
    cache: false
    rate_limit: false
    keyval: false
    # NOTE(review): left commented out, so version disclosure in the Server
    # header and error pages follows the NGINX default. The value is quoted so
    # YAML keeps it a string instead of reading it as a boolean.
    # server_tokens: "off"
  # Directory listings stay off globally.
  http_global_autoindex: false
  # http_custom_options: []
  stream_enable: false
  # stream_custom_options: []
  # auth_request_http: /auth
  # auth_request_set_http:
    # name: $auth_user
    # value: $upstream_http_x_user
# Enable creating dynamic templated NGINX HTTP configuration files.
# Defaults will not produce a valid configuration. Instead they are meant to showcase
# the options available for templating. Each key represents a new configuration file.
# NOTE(review): indentation was lost on the rendered page; the nesting below is
# reconstructed from key order. The levels of 'http_demo_conf', 'health_check_plus'
# and the '# custom_options' lines in particular should be confirmed against the
# role's http/default.conf.j2 template.
# NOTE(review): because these are showcase values, copy them selectively. The TLS,
# upstream-verification and cache settings flagged below are not hardened.
nginx_http_template_enable: false
nginx_http_template:
  default:
    template_file: http/default.conf.j2
    conf_file_name: default.conf
    conf_file_location: /etc/nginx/conf.d/
    servers:
      server1:
        listen:
          listen_localhost:
            ip: localhost  # Wrap in square brackets for IPv6 addresses
            port: 8081
            opts: []  # Listen opts like http2 which will be added (ssl is automatically added if you specify 'ssl:').
        server_name: localhost
        include_files: []
        error_page: /usr/share/nginx/html
        access_log:
          - name: main
            location: /var/log/nginx/access.log
        error_log:
          location: /var/log/nginx/error.log
          level: warn
        root: /usr/share/nginx/html
        # https_redirect: $host
        autoindex: false
        # No HTTP basic authentication by default.
        auth_basic: null
        auth_basic_user_file: null
        try_files: $uri $uri/index.html $uri.html =404
        # auth_request: /auth
        # auth_request_set:
          # name: $auth_user
          # value: $upstream_http_x_user
        client_max_body_size: 1m
        proxy_hide_headers: []  # A list of headers which shouldn't be passed to the application
        add_headers:
          # NOTE(review): browsers honour Strict-Transport-Security only on
          # responses received over HTTPS; on a plain-HTTP listener the header
          # is ignored. includeSubDomains commits every subdomain to HTTPS for
          # the max-age period, so confirm that before rollout.
          strict_transport_security:
            name: Strict-Transport-Security
            value: max-age=15768000; includeSubDomains
            always: true
          # header_name:
            # name: Header-X
            # value: Value-X
            # always: false
        ssl:
          cert: /etc/ssl/certs/default.crt
          # NOTE(review): the private key and DH parameters should be readable
          # only by the account that starts NGINX.
          key: /etc/ssl/private/default.key
          dhparam: /etc/ssl/private/dh_param.pem
          # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). Real
          # deployments should list only TLSv1.2 and, where the NGINX/OpenSSL
          # build supports it, TLSv1.3.
          protocols: TLSv1 TLSv1.1 TLSv1.2
          # NOTE(review): a broad OpenSSL cipher string; review it against
          # current organisational TLS policy before use.
          ciphers: HIGH:!aNULL:!MD5
          prefer_server_ciphers: true
          session_cache: none
          session_timeout: 5m
          disable_session_tickets: false
          trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt
          stapling: true
          stapling_verify: true
        # custom_options: []
        web_server:
          locations:
            default:
              location: /
              include_files: []
              proxy_hide_headers: []  # A list of headers which shouldn't be passed to the application
              add_headers:
                strict_transport_security:
                  name: Strict-Transport-Security
                  value: max-age=15768000; includeSubDomains
                  always: true
                # header_name:
                  # name: Header-X
                  # value: Value-X
                  # always: false
              html_file_location: /usr/share/nginx/html
              html_file_name: index.html
              autoindex: false
              auth_basic: null
              auth_basic_user_file: null
              try_files: $uri $uri/index.html $uri.html =404
              # auth_request: /auth
              # auth_request_set:
                # name: $auth_user
                # value: $upstream_http_x_user
              client_max_body_size: 1m
              # returns:
                # return302:
                  # code: 302
                  # url: https://sso.somehost.local/?url=https://$http_host$request_uri
              # custom_options: []
          http_demo_conf: false
        reverse_proxy:
          locations:
            backend:
              location: /
              include_files: []
              proxy_hide_headers: []  # A list of headers which shouldn't be passed to the application
              add_headers:
                strict_transport_security:
                  name: Strict-Transport-Security
                  value: max-age=15768000; includeSubDomains
                  always: true
                # header_name:
                  # name: Header-X
                  # value: Value-X
                  # always: false
              proxy_connect_timeout: null
              # NOTE(review): plain http:// to the upstream. The proxy_ssl
              # settings further down apply only when this is an https:// URL.
              proxy_pass: http://backend
              # rewrites:
                # - /foo(.*) /$1 break
              # NOTE(review): 'off' is unquoted in the commented examples here
              # and at proxy_store; if uncommented, quote it ("off") so a
              # YAML 1.1 loader does not turn it into boolean false.
              # proxy_pass_request_body: off
              # allows:
                # - 192.168.1.0/24
              # denies:
                # - all
              proxy_set_header:
                header_host:
                  name: Host
                  value: $host
                header_x_real_ip:
                  name: X-Real-IP
                  value: $remote_addr
                # NOTE(review): $proxy_add_x_forwarded_for appends to whatever
                # X-Forwarded-For the client sent, so only the last entry is
                # added by this proxy. Backends should not trust earlier ones.
                header_x_forwarded_for:
                  name: X-Forwarded-For
                  value: $proxy_add_x_forwarded_for
                header_x_forwarded_proto:
                  name: X-Forwarded-Proto
                  value: $scheme
                # header_upgrade:
                  # name: Upgrade
                  # value: $http_upgrade
                # header_connection:
                  # name: Connection
                  # value: "Upgrade"
                # header_random:
                  # name: RandomName
                  # value: RandomValue
              # internal: false
              # proxy_store: off
              # NOTE(review): key is spelled with three c's; the NGINX directive
              # is proxy_store_access - verify which spelling the template reads.
              # proxy_store_acccess: user:rw
              proxy_read_timeout: null
              proxy_send_timeout: null
              proxy_ssl:
                cert: /etc/ssl/certs/proxy_default.crt
                key: /etc/ssl/private/proxy_default.key
                trusted_cert: /etc/ssl/certs/proxy_ca.crt
                # NOTE(review): same deprecated-protocol concern as the server
                # 'ssl' block (TLSv1 / TLSv1.1, RFC 8996).
                protocols: TLSv1 TLSv1.1 TLSv1.2
                ciphers: HIGH:!aNULL:!MD5
                # NOTE(review): with verify false the upstream certificate is
                # not validated, so trusted_cert has no effect and TLS to the
                # upstream gives no server authentication. Set true for https
                # upstreams.
                verify: false
                verify_depth: 1
                session_reuse: true
              proxy_cache: backend_proxy_cache
              proxy_cache_valid:
                - code: 200
                  time: 10m
                - code: 301
                  time: 1m
              proxy_temp_path:
                path: /var/cache/nginx/proxy/backend/temp
              proxy_cache_lock: false
              proxy_cache_min_uses: 3
              proxy_cache_revalidate: false
              proxy_cache_use_stale:
                - http_403
                - http_404
              # NOTE(review): ignoring Cache-Control and Vary makes NGINX cache
              # by proxy_cache_valid alone, so responses the backend marked
              # private or no-store can be stored and served to other clients.
              # Only use on locations without per-user content.
              proxy_ignore_headers:
                - Vary
                - Cache-Control
              proxy_cookie_path:
                path: /web/
                replacement: /
              proxy_buffering: false
              # NOTE(review): unquoted, this parses as the float 1.0 rather than
              # a string; quoting version-like values ("1.0") avoids surprises
              # such as 1.10 collapsing to 1.1.
              proxy_http_version: 1.0
              websocket: false
              auth_basic: null
              auth_basic_user_file: null
              try_files: $uri $uri/index.html $uri.html =404
              # auth_request: /auth
              # auth_request_set:
                # name: $auth_user
                # value: $upstream_http_x_user
              # returns:
                # return302:
                  # code: 302
                  # url: https://sso.somehost.local/?url=https://$http_host$request_uri
              # custom_options: []
          health_check_plus: false
        returns:
          # NOTE(review): the target is plain http://, which contradicts the
          # HSTS header configured above. $host is taken from the request line
          # or Host header when present, so on a catch-all server the redirect
          # target is client-influenced; a fixed host name is safer.
          return301:
            location: /
            code: 301
            value: http://$host$request_uri
    proxy_cache:
      proxy_cache_path:
        - path: /var/cache/nginx/proxy/backend
          keys_zone:
            name: backend_proxy_cache
            size: 10m
          # Quoted so the digit:digit value stays a string.
          levels: "1:2"
          max_size: 10g
          inactive: 60m
          use_temp_path: true
      proxy_temp_path:
        path: /var/cache/nginx/proxy/temp
      proxy_cache_valid:
        - code: 200
          time: 10m
        - code: 301
          time: 1m
      proxy_cache_lock: true
      proxy_cache_min_uses: 5
      proxy_cache_revalidate: true
      proxy_cache_use_stale:
        - error
        - timeout
      proxy_ignore_headers:
        - Expires
    upstreams:
      upstream1:
        name: backend
        lb_method: least_conn
        zone_name: backend_mem_zone
        zone_size: 64k
        sticky_cookie: false
        servers:
          server1:
            address: localhost
            port: 8081
            weight: 1
            health_check: max_fails=1 fail_timeout=10s
        # custom_options: []
    # custom_options: []
# Enable NGINX status data.
# Will enable 'stub_status' in NGINX Open Source and 'status' in NGINX Plus.
# Note - 'status' has been deprecated since NGINX Plus R13.
# Default is false.
# NOTE(review): status output exposes connection and request counters. Which
# clients may reach the endpoint is decided in the role's template, which is not
# visible here - confirm it is limited to monitoring hosts before enabling.
nginx_status_enable: false
nginx_status_location: /etc/nginx/conf.d/stub_status.conf
# NOTE(review): 80 is the usual public HTTP port; a dedicated, firewalled port
# keeps the status endpoint off the public listener.
nginx_status_port: 80
# Enable NGINX Plus REST API, write access to the REST API, and NGINX Plus dashboard.
# Requires NGINX Plus.
# Default is false.
# NOTE(review): all three toggles default to false. Write access allows runtime
# changes through the API, so enable it only where the endpoint is restricted
# to trusted management hosts; the access rules themselves are in the role's
# api.conf.j2 template, which is not visible here.
nginx_rest_api_enable: false
nginx_rest_api_template_file: http/api.conf.j2
nginx_rest_api_file_location: /etc/nginx/conf.d/api.conf
# NOTE(review): same port as the status endpoint default and the usual public
# HTTP port; consider a dedicated management port.
nginx_rest_api_port: 80
nginx_rest_api_write: false
nginx_rest_api_dashboard: false
# Enable creating dynamic templated NGINX stream configuration files.
# Defaults will not produce a valid configuration. Instead they are meant to showcase
# the options available for templating. Each key represents a new configuration file.
# NOTE(review): indentation was lost on the rendered page; the nesting below is
# reconstructed from key order - confirm against the role's stream/default.conf.j2.
nginx_stream_template_enable: false
nginx_stream_template:
  default:
    template_file: stream/default.conf.j2
    conf_file_name: default.conf
    conf_file_location: /etc/nginx/conf.d/stream/
    network_streams:
      default:
        listen_address: localhost
        listen_port: 80
        udp_enable: false
        include_files: []
        proxy_pass: backend
        proxy_timeout: 3s
        proxy_connect_timeout: 1s
        proxy_protocol: false
        proxy_ssl:
          cert: /etc/ssl/certs/proxy_default.crt
          # NOTE(review): the private key should be readable only by the
          # account that starts NGINX.
          key: /etc/ssl/private/proxy_default.key
          trusted_cert: /etc/ssl/certs/proxy_ca.crt
          # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); list only
          # TLSv1.2 and, where supported, TLSv1.3 in real deployments.
          protocols: TLSv1 TLSv1.1 TLSv1.2
          ciphers: HIGH:!aNULL:!MD5
          # NOTE(review): with verify false the upstream certificate is not
          # validated and trusted_cert has no effect; set true when TLS to the
          # upstream is meant to authenticate it.
          verify: false
          verify_depth: 1
          session_reuse: true
        health_check_plus: false
        # custom_options: []
    upstreams:
      upstream1:
        name: backend
        lb_method: least_conn
        zone_name: backend
        zone_size: 64k
        sticky_cookie: false
        servers:
          server1:
            address: localhost
            port: 8080
            weight: 1
            health_check: max_fails=1 fail_timeout=10s
        # custom_options: []
    # custom_options: []