Saltstack Official Nginx Formula
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.

306 lines
12KB

  1. #=====
  2. # nginx: see `nginx.ng` state instead.
  3. #======
  4. nginx:
  5. install_from_source: True
  6. use_upstart: True
  7. use_sysvinit: False
  8. user_auth_enabled: True
  9. with_luajit: False
  10. with_openresty: True
  11. repo_version: development # Must be using ppa install by setting `repo_source = ppa`
  12. set_real_ips: # NOTE: to use this, nginx must have http_realip module enabled
  13. from_ips:
  14. - 10.10.10.0/24
  15. real_ip_header: X-Forwarded-For
  16. modules:
  17. headers-more:
  18. source: http://github.com/agentzh/headers-more-nginx-module/tarball/v0.21
  19. source_hash: sha1=dbf914cbf3f7b6cb7e033fa7b7c49e2f8879113b
  20. #pid: /var/run/nginx.pid
  21. # Directory location must exist (i.e. it's /run/nginx.pid on EL7)
  22. # ========
  23. # nginx.ng
  24. # ========
  25. nginx:
  26. ng:
  27. # The following three `install_from_` options are mutually exclusive. If none is used, the distro's provided
  28. # package will be installed. If one of the `install_from` option is set to `True`, the state will
  29. # make sure the other two repos are removed.
  30. # Use the official's nginx repo binaries
  31. install_from_repo: false
  32. # Use Phusionpassenger's repo to install nginx and passenger binaries
  33. # Debian, Centos, Ubuntu and Redhat are currently available
  34. install_from_phusionpassenger: false
  35. # PPA install
  36. install_from_ppa: false
  37. # Set to 'stable', 'development' (mainline), 'community', or 'nightly' for each build accordingly ( https://launchpad.net/~nginx )
  38. ppa_version: 'stable'
  39. # Source install
  40. source_version: '1.10.0'
  41. source_hash: ''
  42. # These are usually set by grains in map.jinja
  43. # Typically you can comment these out.
  44. lookup:
  45. package: nginx-custom (can be a list)
  46. service: nginx
  47. webuser: www-data
  48. conf_file: /etc/nginx/nginx.conf
  49. server_available: /etc/nginx/sites-available
  50. server_enabled: /etc/nginx/sites-enabled
  51. server_use_symlink: True
  52. # If you install nginx+passenger from phusionpassenger in Debian, these values will probably be needed
  53. passenger_package: libnginx-mod-http-passenger
  54. passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf
  55. # This is required for RedHat like distros (Amazon Linux) that don't follow semantic versioning for $releasever
  56. rh_os_releasever: '6'
  57. # Currently it can be used on rhel/centos/suse when installing from repo
  58. gpg_check: True
  59. pid_file: /var/run/nginx.pid ### prevents rendering SLS error nginx.server.config.pid undefined ###
  60. # Source compilation is not currently a part of nginx.ng
  61. from_source: False
  62. source:
  63. opts: {}
  64. package:
  65. opts: {} # this partially exposes parameters of pkg.installed
  66. service:
  67. enable: True # Whether or not the service will be enabled/running or dead
  68. opts: {} # this partially exposes parameters of service.running / service.dead
  69. ##--- --- - - - - - - -- - - - - -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
  70. ## You can use snippets to define often repeated configuration once and include it later
  71. ## The letsencrypt example below is consumed by "- include: 'snippets/letsencrypt.conf'"
  72. ##--- --- - - - - - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
  73. snippets:
  74. letsencrypt:
  75. - location ^~ /.well-known/acme-challenge/:
  76. - proxy_pass: http://localhost:9999
  77. cloudflare_proxy:
  78. - set_real_ip_from: 103.21.244.0/22
  79. - set_real_ip_from: 103.22.200.0/22
  80. - set_real_ip_from: 104.16.0.0/12
  81. - set_real_ip_from: 108.162.192.0/18
  82. blacklist:
  83. - map $http_user_agent $bad_bot:
  84. - default: 0
  85. - '~*^Lynx': 0
  86. - '~*malicious': 1
  87. - '~*bot': 1
  88. - '~*crawler': 1
  89. - '~*bandit': 1
  90. - libwww-perl: 1
  91. - '~(?i)(httrack|htmlparser|libwww)': 1
  92. upstream_netdata_tcp:
  93. - upstream netdata:
  94. - server: 127.0.0.1:19999
  95. - keepalive: 64
  96. server:
  97. opts: {} # this partially exposes file.managed parameters as they relate to the main nginx.conf file
  98. #-- - - - - -- - - -- - - - - -- - - -- - - - -- - - - - - -- - - - - - -- - - - - -- - - - - -- - - #
  99. # nginx.conf (main server) declarations
  100. # dictionaries map to blocks {} and lists cause the same declaration to repeat with different values
  101. # see also http://nginx.org/en/docs/example.html
  102. #-- - - - - -- - - -- - - - - -- - - -- - - - -- - - - - - -- - - - - - -- - - - - -- - - - - -- - - #
  103. config:
  104. include: 'snippets/letsencrypt.conf'
  105. source_path: salt://path_to_nginx_conf_file/nginx.conf # IMPORTANT: This option is mutually exclusive with the rest of the
  106. # options; if it is found other options (worker_processes: 4 and so
  107. # on) are not processed and just upload the file from source
  108. worker_processes: 4
  109. load_module: modules/ngx_http_lua_module.so # pass as very first in configuration; otherwise nginx will fail to start
  110. #pid: /var/run/nginx.pid # Directory location must exist (i.e. it's /run/nginx.pid on EL7)
  111. events:
  112. worker_connections: 1024
  113. http:
  114. sendfile: 'on'
  115. include:
  116. #### Note: Syntax issues in these files generate nginx [emerg] errors on startup. ####
  117. - /etc/nginx/mime.types
  118. ### module ngx_http_log_module example
  119. log_format: |-
  120. main '...';
  121. access_log /var/log/nginx/access_log main
  122. access_log: [] #suppress default access_log option from being added
  123. ### module nngx_stream_core_module
  124. ### https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/#example
  125. stream:
  126. upstream lb-1000:
  127. - server:
  128. - hostname1.example.com:1000
  129. - hostname2.example.com:1000
  130. upstream stream_backend:
  131. least_conn: ''
  132. 'server backend1.example.com:12345 weight=5':
  133. 'server backend2.example.com:12345 max_fails=2 fail_timeout=30s':
  134. 'server backend3.example.com:12345 max_conns=3':
  135. upstream dns_servers:
  136. least_conn:
  137. 'server 192.168.136.130:53':
  138. 'server 192.168.136.131:53':
  139. 'server 192.168.136.132:53':
  140. server:
  141. listen: 1000
  142. proxy_pass: lb-1000
  143. 'server ':
  144. listen: '53 udp'
  145. proxy_pass: dns_servers
  146. 'server ':
  147. listen: 12346
  148. proxy_pass: backend4.example.com:12346
  149. servers:
  150. disabled_postfix: .disabled # a postfix appended to files when doing non-symlink disabling
  151. symlink_opts: {} # partially exposes file.symlink params when symlinking enabled sites
  152. rename_opts: {} # partially exposes file.rename params when not symlinking disabled/enabled sites
  153. managed_opts: {} # partially exposes file.managed params for managed server files
  154. dir_opts: {} # partially exposes file.directory params for site available/enabled and snippets dirs
  155. #####################
  156. # server declarations; placed by default in server "available" directory
  157. #####################
  158. managed:
  159. mysite: # relative filename of server file (defaults to '/etc/nginx/sites-available/mysite')
  160. # may be True, False, or None where True is enabled, False, disabled, and None indicates no action
  161. enabled: True
  162. # Remove the site config file shipped by nginx (i.e. '/etc/nginx/sites-available/default' by default)
  163. # It also remove the symlink (if it is exists).
  164. # The site MUST be disabled before delete it (if not the nginx is not reloaded).
  165. #deleted: True
  166. #available_dir: /etc/nginx/sites-available-custom # custom directory (not sites-available) for server filename
  167. #enabled_dir: /etc/nginx/sites-enabled-custom # custom directory (not sites-enabled) for server filename
  168. disabled_name: mysite.aint_on # an alternative disabled name to be use when not symlinking
  169. overwrite: True # overwrite an existing server file or not
  170. # May be a list of config options or None, if None, no server file will be managed/templated
  171. # Take server directives as lists of dictionaries. If the dictionary value is another list of
  172. # dictionaries a block {} will be started with the dictionary key name
  173. config:
  174. - server:
  175. - server_name: localhost
  176. - listen:
  177. - '80 default_server'
  178. - listen:
  179. - '443 ssl'
  180. - index: 'index.html index.htm'
  181. - location ~ .htm:
  182. - try_files: '$uri $uri/ =404'
  183. - test: something else
  184. - include: 'snippets/letsencrypt.conf'
  185. # Or a slightly more compact alternative syntax:
  186. - server:
  187. - server_name: localhost
  188. - listen:
  189. - '80 default_server'
  190. - '443 ssl'
  191. - index: 'index.html index.htm'
  192. - location ~ .htm:
  193. - try_files: '$uri $uri/ =404'
  194. - test: something else
  195. - include: 'snippets/letsencrypt.conf'
  196. # both of those output:
  197. # server {
  198. # server_name localhost;
  199. # listen 80 default_server;
  200. # listen 443 ssl;
  201. # index index.html index.htm;
  202. # location ~ .htm {
  203. # try_files $uri $uri/ =404;
  204. # test something else;
  205. # }
  206. # }
  207. mysite2: # Using source_path options to upload the file instead of templating all the file
  208. enabled: True
  209. available_dir: /etc/nginx/sites-available
  210. enabled_dir: /etc/nginx/sites-enabled
  211. config:
  212. source_path: salt://path-to-site-file/mysite2
  213. # Below configuration becomes handy if you want to create custom configuration files
  214. # for example if you want to create /usr/local/etc/nginx/http_options.conf with
  215. # the following content:
  216. # sendfile on;
  217. # tcp_nopush on;
  218. # tcp_nodelay on;
  219. # send_iowait 12000;
  220. http_options.conf:
  221. enabled: True
  222. available_dir: /usr/local/etc/nginx
  223. enabled_dir: /usr/local/etc/nginx
  224. config:
  225. - sendfile: 'on'
  226. - tcp_nopush: 'on'
  227. - tcp_nodelay: 'on'
  228. - send_iowait: 12000
  229. certificates_path: '/etc/nginx/ssl' # Use this if you need to deploy below certificates in a custom path.
  230. # If you're doing SSL termination, you can deploy certificates this way.
  231. # The private one(s) should go in a separate pillar file not in version
  232. # control (or use encrypted pillar data).
  233. certificates:
  234. 'www.example.com':
  235. # choose one of: deploying this cert by pillar (e.g. in combination with ext_pillar and file_tree)
  236. # public_cert_pillar: certs:example.com:fullchain.pem
  237. # private_key_pillar: certs:example.com:privkey.pem
  238. # or directly pasting the cert
  239. public_cert: |
  240. -----BEGIN CERTIFICATE-----
  241. (Your Primary SSL certificate: www.example.com.crt)
  242. -----END CERTIFICATE-----
  243. -----BEGIN CERTIFICATE-----
  244. (Your Intermediate certificate: ExampleCA.crt)
  245. -----END CERTIFICATE-----
  246. -----BEGIN CERTIFICATE-----
  247. (Your Root certificate: TrustedRoot.crt)
  248. -----END CERTIFICATE-----
  249. private_key: |
  250. -----BEGIN RSA PRIVATE KEY-----
  251. (Your Private Key: www.example.com.key)
  252. -----END RSA PRIVATE KEY-----
  253. dh_param:
  254. 'mydhparam1.pem': |
  255. -----BEGIN DH PARAMETERS-----
  256. (Your custom DH prime)
  257. -----END DH PARAMETERS-----
  258. # or to generate one on-the-fly
  259. 'mydhparam2.pem':
  260. keysize: 2048
  261. # Passenger configuration
  262. # Default passenger configuration is provided, and will be deployed in
  263. # /etc/nginx/conf.d/passenger.conf
  264. passenger:
  265. passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
  266. passenger_ruby: /usr/bin/ruby
  267. passenger_instance_registry_dir: /var/run/passenger-instreg