diff options
author | Silvio Rhatto <rhatto@riseup.net> | 2016-06-17 15:19:39 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2016-06-17 15:19:39 -0300 |
commit | 683dbde79850db946078624cf8a07ec2c954701b (patch) | |
tree | afbe4683e4140af3d75d8a0136494d79c95c2e7a | |
parent | 711b34ab5e9844f556e50c1fa523dd16907c37fe (diff) | |
download | puppet-nginx-683dbde79850db946078624cf8a07ec2c954701b.tar.gz puppet-nginx-683dbde79850db946078624cf8a07ec2c954701b.tar.bz2 |
Managing the default config
-rw-r--r-- | manifests/base.pp | 1 | ||||
-rw-r--r-- | manifests/config.pp | 1 | ||||
-rw-r--r-- | manifests/ssl.pp | 7 | ||||
-rw-r--r-- | templates/nginx.conf.erb | 108 |
4 files changed, 76 insertions, 41 deletions
diff --git a/manifests/base.pp b/manifests/base.pp index 7febb79..bb13860 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -18,6 +18,7 @@ class nginx::base { } # Main configuration + # TODO: we're managing the default config. Remove this block after a while. file { "/etc/nginx/nginx.conf": content => template("nginx/nginx.conf.erb"), owner => "root", diff --git a/manifests/config.pp b/manifests/config.pp index bba54b9..3b60016 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -6,5 +6,6 @@ define nginx::config($value, $ensure = 'present') { mode => '0644', content => "${value}\n", notify => Service['nginx'], + require => Package['nginx'], } } diff --git a/manifests/ssl.pp b/manifests/ssl.pp index 4b38332..899f4ff 100644 --- a/manifests/ssl.pp +++ b/manifests/ssl.pp @@ -18,7 +18,12 @@ class nginx::ssl( 'ssl_session_timeout': value => "ssl_session_timeout ${session_timeout};"; 'ssl_protocols': value => 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;'; 'ssl_ciphers': value => 'ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;'; - 'ssl_prefer_server_ciphers': value => 'ssl_prefer_server_ciphers on;'; 'ssl_dhparam': value => 'ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem;'; } + + # Already in default config + nginx::config { 'ssl_prefer_server_ciphers': + value => 'ssl_prefer_server_ciphers on;', + ensure => absent, + } } diff --git a/templates/nginx.conf.erb b/templates/nginx.conf.erb index cf339dd..01a4a21 100644 --- a/templates/nginx.conf.erb +++ b/templates/nginx.conf.erb @@ -1,57 +1,85 @@ user www-data; -worker_processes 1; - -#error_log /var/log/nginx/error.log; -error_log /dev/null; -pid /var/run/nginx.pid; +worker_processes auto; +pid /run/nginx.pid; events { - worker_connections 1024; - # multi_accept on; + worker_connections 768; + # multi_accept on; } http { - include /etc/nginx/mime.types; - #access_log /var/log/nginx/access.log; - access_log /dev/null; + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## - sendfile on; - #tcp_nopush on; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; - #keepalive_timeout 0; - keepalive_timeout 65; - proxy_read_timeout 120; - tcp_nodelay on; + ## + # Logging Settings + ## - # disable compression - # prevents BREACH attack - gzip off; - #gzip_disable "MSIE [1-6]\.(?!.*SV1)"; + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; + ## + # Gzip Settings + ## - ssl_session_cache shared:SSL:10m; + gzip on; + gzip_disable "msie6"; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + ## + # Virtual Host Configs + ## + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; } -# mail { -# # See sample authentication script at: -# # http://wiki.nginx.org/NginxImapAuthenticateWithApachePhpScript + +#mail { +# # See sample authentication script at: +# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript # -# # auth_http localhost/auth.php; -# # pop3_capabilities "TOP" "USER"; -# # imap_capabilities "IMAP4rev1" "UIDPLUS"; +# # auth_http localhost/auth.php; +# # pop3_capabilities "TOP" "USER"; +# # imap_capabilities "IMAP4rev1" "UIDPLUS"; # -# server { -# listen localhost:110; -# protocol pop3; -# proxy on; -# } +# server { +# listen localhost:110; +# protocol pop3; +# proxy on; +# } # -# server { -# listen localhost:143; -# protocol imap; -# proxy on; -# } -# } +# server { +# listen localhost:143; +# protocol imap; +# proxy on; +# } +#} |