hoall.nginx-proxy

Role nginx-proxy

This role sets up nginx as a reverse proxy, specifically for HTTPS use. Make sure to configure your SSL certificate. The dhparam file is generated automatically during installation. The role also ships some helpful default settings for proxy servers.

The security level is "modern", as defined by the Mozilla Foundation (see their generator for details: https://mozilla.github.io/server-side-tls/ssl-config-generator/). This configuration should work well for most systems. The templates were created on Ubuntu 16.04. HSTS is enabled, and the setup receives an A+ score from ssllabs.com.

The default site is served at the root path (/). I created this role to help secure the connection to my Tomcat server.

If you have suggestions for improvements, please create a pull request.

Requirements

You need an SSL certificate and OpenSSL (used to generate the dhparam file). If you still need a certificate, the geerlingguy.certbot role is worth a look.

Role Variables

NOTE: Variables that must be replaced are in UPPERCASE.

Name                     | Default Value                   | Description
-------------------------|---------------------------------|------------------------------------------------------------
NP_SERVER_NAME           | NONE                            | Names the server should listen to, e.g. "example.com www.example.com"
NP_SSL_CERTIFICATE       | NONE                            | Path to your SSL certificate (fullchain.pem), e.g. /etc/letsencrypt/live/example.de/fullchain.pem
NP_SSL_CERTIFICATE_KEY   | NONE                            | Path to your SSL certificate private key (privkey.pem), e.g. /etc/letsencrypt/live/example.de/privkey.pem
NP_PROXY_PASS            | NONE                            | URL of the backend, e.g. "http://127.0.0.1:8080/example/"
NP_REWRITE               | NONE                            | Rewrite rule for the website, e.g. "^/example(.*)$ $1 last"
np_worker_processes      | {{ ansible_processor_count }}   | Number of worker processes, typically one per core.
np_worker_connections    | 1024                            | Maximum number of connections per worker process.
np_keep_alive_timeout    | 15                              | Timeout for idle client keep-alive connections (in seconds).
np_client_max_body_size  | 10m                             | Maximum allowed size of a client request body.
np_client_body_buffer_size | 10k                           | Buffer size for reading a client request body.
np_proxy_connect_timeout | 10                              | Timeout for establishing a connection to the proxied server (in seconds).
np_proxy_send_timeout    | 10                              | Timeout for sending a request to the proxied server (in seconds).
np_proxy_read_timeout    | 10                              | Timeout for reading a response from the proxied server (in seconds).
np_proxy_buffers         | "32 8k"                         | Number and size of the buffers used for reading a response from the proxied server.

Note: Parts of this documentation are from the official nginx documentation (https://nginx.org/en/docs/). The sources and documentation are shared under a BSD-like license.

Customize the variables to fit your needs.
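To show how the variables above map onto nginx directives, here is an illustrative site configuration of the kind this role produces. It is an added example, not the role's own template: the dhparam path, the proxy_set_header lines, the HTTP-to-HTTPS redirect and the exact "modern" cipher list are assumptions; the UPPERCASE values use the examples from the table and the np_* values are the role defaults.

```nginx
# Added example: how the role variables could render into a site config.
# Paths, redirect and cipher list are assumptions, not the role's template.

server {
    listen 80;
    server_name example.com www.example.com;       # NP_SERVER_NAME
    return 301 https://$host$request_uri;           # plain HTTP only redirects
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;       # NP_SERVER_NAME

    ssl_certificate     /etc/letsencrypt/live/example.de/fullchain.pem; # NP_SSL_CERTIFICATE
    ssl_certificate_key /etc/letsencrypt/live/example.de/privkey.pem;   # NP_SSL_CERTIFICATE_KEY
    ssl_dhparam         /etc/nginx/dhparam.pem;    # generated by the role with OpenSSL (assumed path)

    # Mozilla "modern" profile of the Ubuntu 16.04 era: TLS 1.2 only,
    # forward-secret AEAD suites, no session tickets (example list)
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # HSTS: once seen, browsers refuse plain HTTP for this host for six months
    add_header Strict-Transport-Security "max-age=15768000" always;

    client_max_body_size    10m;                    # np_client_max_body_size
    client_body_buffer_size 10k;                    # np_client_body_buffer_size

    location / {
        rewrite ^/example(.*)$ $1 last;             # NP_REWRITE
        proxy_pass http://127.0.0.1:8080/example/;  # NP_PROXY_PASS

        # Pass the original host and client address on to the backend (assumed headers)
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_connect_timeout 10;                   # np_proxy_connect_timeout
        proxy_send_timeout    10;                   # np_proxy_send_timeout
        proxy_read_timeout    10;                   # np_proxy_read_timeout
        proxy_buffers         32 8k;                # np_proxy_buffers
    }
}
```

np_worker_processes, np_worker_connections and np_keep_alive_timeout belong in the main nginx.conf (worker_processes, events { worker_connections } and keepalive_timeout), not in the site file; run nginx -t after rendering to catch a bad cert path or rewrite before reloading.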

Dependencies

Example Playbook

    - hosts: servers
      roles:
         - { role: hoall.nginx-proxy, NP_SERVER_NAME: "example.com www.example.com", NP_SSL_CERTIFICATE: /etc/letsencrypt/live/fullchain.pem, NP_SSL_CERTIFICATE_KEY: /etc/letsencrypt/live/privkey.pem }

License

BSD

Author Information

Felix Paetow
fhmpaetow@fsfe.org

Project information

Installation, configuration and hardening of a nginx proxy with one website.

Install
ansible-galaxy install hoall.nginx-proxy
License
bsd-2-clause