This repository has been archived by the owner on Oct 29, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
/
nginx_conf.yml
132 lines (126 loc) · 4.91 KB
/
nginx_conf.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
---
- name: strfry | Configure nginx
ansible.builtin.import_role:
name: nginx_core.nginx_config
vars:
# afaict, overriding any numeric values in the main nginx config requires replacing the entire dictionary.
# See: https://github.com/nginxinc/ansible-role-nginx-config/issues/352
# The only difference between this and the main nginx config is the worker_rlimit_nofile value and worker_connections.
nginx_config_main_template_enable: true
nginx_config_main_template:
template_file: nginx.conf.j2
deployment_location: /etc/nginx/nginx.conf
backup: false
config: # https://nginx.org/en/docs/ngx_core_module.html
main:
user:
username: nginx
group: nginx
worker_processes: auto
error_log:
file: /var/log/nginx/error.log
level: notice
pid: /var/run/nginx.pid
# worker_rlimit_nofile changes the limit on the maximum number of open files (RLIMIT_NOFILE) for worker processes.
# Used to increase the limit without restarting the main process.
# The recomended value seems to be worker_connections * 2
worker_rlimit_nofile: 12288
events:
worker_connections: 4096
# include: # String or a list of strings
# - /etc/nginx/modules.conf
http: # https://nginx.org/en/docs/http/ngx_http_core_module.html
default_type: application/octet-stream
sendfile: true
server_tokens: false
tcp_nodelay: true
tcp_nopush: true
include:
- /etc/nginx/mime.types
- /etc/nginx/http.conf # These are shared http level configs that nginx_conf refuses to directly configure.
- /etc/nginx/conf.d/*.conf
nginx_config_http_template_enable: true
nginx_config_http_template:
- template_file: http/default.conf.j2
deployment_location: "/etc/nginx/conf.d/strfry_{{ nginx_strfry_domain }}.conf"
backup: false
config:
upstreams:
- name: strfry
servers:
- address: "127.0.0.1:{{ strfry_relay.port|default(7777) }}"
#- address: unix:/var/lib/strfry/strfry.sock
servers:
- core:
listen:
- address: "{{ default_interface_ipv4_address|default(ansible_default_ipv4.address) }}:{{ nginx_strfry_https_port|default(443) }} ssl"
include:
- "/etc/nginx/acme_{{ nginx_strfry_domain }}.conf"
client_max_body_size: 0 # Stream request body to backend
http2:
enable: true
locations:
- location: /
proxy:
pass: http://strfry
http_version: '1.1'
set_header:
- field: Host
value: $http_host
- field: Connection
value: $connection_upgrade
- field: Upgrade
value: $http_upgrade
- field: X-Forwarded-For
value: $proxy_add_x_forwarded_for
connect_timeout: 3m
send_timeout: 3m
read_timeout: 3m
- template_file: http/default.conf.j2
deployment_location: /etc/nginx/http.conf
backup: false
config:
core:
default_type: application/octet-stream
sendfile: true
server_tokens: false
tcp_nodelay: true
tcp_nopush: true
resolver: # required for oscp stapling
address:
- '1.1.1.1'
- '8.8.8.8'
resolver_timeout: 10s
log:
format:
- name: main
format: |
'$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" "$realip_remote_addr"'
gzip: # https://nginx.org/en/docs/http/ngx_http_gzip_module.html
enable: true
comp_level: 3
disable: "msie6"
min_length: 1100
proxied: any
types:
- text/plain
- text/css
- application/x-javascript
- text/xml
- application/xml
vary: true
- template_file: http/default.conf.j2
deployment_location: "/etc/nginx/conf.d/mappings.conf"
backup: false
config:
map:
mappings: # https://nginx.org/en/docs/http/websocket.html
- string: $http_upgrade
variable: $connection_upgrade
content:
- value: default
new_value: upgrade
- value: "''"
new_value: close