Filip Pytloun6b5bb652015-10-06 16:28:32 +02001
Aleš Komárek296a8442017-04-11 13:22:35 +02002=============
3Nginx Formula
4=============
Filip Pytloun6b5bb652015-10-06 16:28:32 +02005
6Nginx is an open source reverse proxy server for HTTP, HTTPS, SMTP, POP3, and IMAP protocols, as well as a load balancer, HTTP cache, and a web server (origin server). The nginx project started with a strong focus on high concurrency, high performance and low memory usage.
7
Aleš Komárek296a8442017-04-11 13:22:35 +02008Sample Pillars
Filip Pytloun6b5bb652015-10-06 16:28:32 +02009==============
10
11Gitlab server setup
12
13.. code-block:: yaml
14
nginx:
  server:
    enabled: true
    bind:
      address: '0.0.0.0'
      ports:
        - 80
    site:
      gitlab_domain:
        enabled: true
        type: gitlab
        name: domain
        ssl:
          enabled: true
          # NOTE(review): key material placed inline in pillar is visible to
          # everyone who can read the pillar tree or its VCS history. Prefer an
          # encrypted pillar renderer, or reference files already present on
          # the host with key_file/cert_file (see "SSL using already deployed
          # key and cert file" below).
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            ...
          cert: |
            xyz
          chain: |
            my_chain..
        host:
          name: gitlab.domain.com
          # NOTE(review): ssl is enabled, yet the site and the server bind
          # only port 80; the Let's Encrypt example below uses 443. Confirm
          # which port the formula expects for a TLS-enabled site.
          port: 80
39
40Simple static HTTP site
41
42.. code-block:: yaml
43
# Static site "site01"; the host name is an example value.
nginx:
  server:
    site:
      nginx_static_site01:
        enabled: true
        type: nginx_static
        name: site01
        host:
          name: gitlab.domain.com
          port: 80
54
Dmitry Stremkovskiy52145c62017-08-21 23:42:17 +030055Simple load balancer
56
57.. code-block:: yaml
58
nginx:
  server:
    upstream:
      horizon-upstream:
        backend1:
          address: 10.10.10.113
          port: 8078
          # NOTE(review): opts looks like a free-form string passed through to
          # the upstream "server" line; only pillar-trusted values belong here.
          opts: weight=3
        backend2:
          # NOTE(review): no port given; the formula presumably applies a
          # default — confirm in the template.
          address: 10.10.10.114
    site:
      nginx_proxy_openstack_web:
        enabled: true
        type: nginx_proxy
        name: openstack_web
        proxy:
          # Plain http to the backends: the proxy -> backend hop is unencrypted.
          upstream_proxy_pass: http://horizon-upstream
        host:
          name: 192.168.0.1
          port: 31337
79
Adam Tenglere7746cb2016-04-27 19:01:25 +020080Static site with access policy
81
82.. code-block:: yaml
83
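nginx:
  server:
    site:
      nginx_static_site01:
        enabled: true
        type: nginx_static
        name: site01
        # nginx checks allow/deny rules in the order they appear in the
        # rendered config and stops at the first match. NOTE(review): verify
        # that the formula emits `deny 192.168.1.2` before `allow
        # 192.168.1.0/24`; otherwise the deny is shadowed by the broader allow.
        access_policy:
          allow:
            # Written as the network address. 192.168.1.1/24 (host bits set)
            # denotes the same network but makes nginx log a warning that the
            # low address bits are meaningless.
            - 192.168.1.0/24
            - 127.0.0.1
          deny:
            - 192.168.1.2
            - all
        host:
          name: gitlab.domain.com
          port: 80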
101
Dmitry Stremkovskiy6484afa2017-08-22 17:07:06 +0300102Simple TCP/UDP proxy
103
104.. code-block:: yaml
105
nginx:
  server:
    stream:
      rabbitmq:
        host:
          # NOTE(review): no `bind` is given, so this AMQP listener presumably
          # accepts connections on all addresses; set bind (as the unbound
          # example does) to limit exposure.
          port: 5672
        backend:
          server1:
            address: 10.10.10.113
            port: 5672
        # NOTE(review): nginx allows only one load-balancing method per
        # upstream; if the formula renders both least_conn and hash, nginx
        # rejects the config with "load balancing method redefined". Keep one.
        least_conn: true
        hash: "$remote_addr consistent"
      unbound:
        host:
          # Loopback-only UDP listener forwarding DNS to the backend on 5353.
          bind: 127.0.0.1
          port: 53
          protocol: udp
        backend:
          server1:
            address: 10.10.10.113
            port: 5353
127
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200128Simple HTTP proxy
129
130.. code-block:: yaml
131
nginx:
  server:
    site:
      nginx_proxy_site01:
        enabled: true
        type: nginx_proxy
        name: site01
        # The upstream is reached over plain http; the proxy -> backend hop is
        # unencrypted.
        proxy:
          host: local.domain.com
          port: 80
          protocol: http
        host:
          name: gitlab.domain.com
          port: 80
146
Jakub Josef83f7acf2018-04-09 16:05:49 +0200147Simple HTTP proxy with multiple locations
If the `proxy` section is defined and no `/` entry exists under `location`, the `proxy` section serves the `/` location. If a `/` entry is defined under `location`, it takes precedence over the `proxy` section.
149
150.. code-block:: yaml
151
# `proxy` serves `/`; the entries under `location` override specific paths.
nginx:
  server:
    site:
      nginx_proxy_site01:
        enabled: true
        type: nginx_proxy
        name: site01
        proxy:
          host: local.domain.com
          port: 80
          protocol: http
        location:
          # NOTE(review): /internal/ is proxied to a backend under the public
          # site with no access_policy; add one if this path is not meant to
          # be reachable by every client of the site.
          /internal/:
            host: 172.120.10.200
            port: 80
            protocol: http
          /doc/:
            host: 172.10.10.200
            port: 80
            protocol: http
        host:
          name: gitlab.domain.com
          port: 80
175
176.. code-block:: yaml
177
# `/` is defined under `location`, so it takes precedence over any `proxy`
# section (none is given here).
nginx:
  server:
    site:
      nginx_proxy_site01:
        enabled: true
        type: nginx_proxy
        name: site01
        location:
          /:
            host: 172.120.10.200
            port: 80
            protocol: http
          /doc/:
            host: 172.10.10.200
            port: 80
            protocol: http
        host:
          name: gitlab.domain.com
          port: 80
197
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200198Simple Websocket proxy
199
200.. code-block:: yaml
201
nginx:
  server:
    site:
      nginx_proxy_site02:
        enabled: true
        type: nginx_proxy
        name: site02
        proxy:
          # NOTE(review): presumably enables the Upgrade/Connection header
          # pass-through needed for WebSocket upgrades — confirm in the template.
          websocket: true
          host: local.domain.com
          port: 80
          protocol: http
        host:
          name: gitlab.domain.com
          port: 80
217
218Content filtering proxy
219
220.. code-block:: yaml
221
nginx:
  server:
    enabled: true
    site:
      nginx_proxy_site03:
        enabled: true
        type: nginx_proxy
        name: site03
        proxy:
          host: local.domain.com
          port: 80
          protocol: http
          # Rewrites `search` to `replace` in the proxied response body.
          # NOTE(review): this example rewrites https links to plain http, so
          # clients following the rewritten links lose transport security;
          # use it only where that is intended.
          filter:
            search: https://www.domain.com
            replace: http://10.10.10.10
        host:
          name: gitlab.domain.com
          port: 80
240
Adam Tenglere7746cb2016-04-27 19:01:25 +0200241Proxy with access policy
242
243.. code-block:: yaml
244
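nginx:
  server:
    site:
      nginx_proxy_site01:
        enabled: true
        type: nginx_proxy
        name: site01
        # nginx checks allow/deny rules in the order they appear in the
        # rendered config and stops at the first match. NOTE(review): verify
        # that the formula emits `deny 192.168.1.2` before `allow
        # 192.168.1.0/24`; otherwise the deny is shadowed by the broader allow.
        access_policy:
          allow:
            # Written as the network address. 192.168.1.1/24 (host bits set)
            # denotes the same network but makes nginx log a warning that the
            # low address bits are meaningless.
            - 192.168.1.0/24
            - 127.0.0.1
          deny:
            - 192.168.1.2
            - all
        proxy:
          host: local.domain.com
          port: 80
          protocol: http
        host:
          name: gitlab.domain.com
          port: 80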
266
Michel Nederlofeb5dd232018-03-13 13:57:34 +0100267Proxy with rate limiting scheme:
268
269.. code-block:: yaml
270
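# Helper so a literal `$` survives Salt's ${...} interpolation and reaches
# nginx as a variable reference.
_dollar: '$'
nginx:
  server:
    site:
      nginx_proxy_site01:
        enabled: true
        type: nginx_proxy
        name: site01
        proxy:
          host: local.domain.com
          port: 80
          protocol: http
        host:
          name: gitlab.domain.com
          port: 80
        # Booleans written as lowercase true/false, consistent with the rest
        # of this file (the value is unchanged).
        limit:
          enabled: true
          # Addresses listed here are exempt from every limit below; keep the
          # list short and trusted.
          ip_whitelist:
            - 127.0.0.1
          # With nodelay, up to `burst` requests above `rate` are served
          # immediately rather than queued.
          burst: 600
          rate: 10r/s
          nodelay: true
          subfilters:
            heavy_url:
              # NOTE(review): keyed on the client address. Behind another
              # proxy or load balancer all clients share one address unless
              # the real client IP is restored — confirm for this deployment.
              input: ${_dollar}{binary_remote_addr}${_dollar}{request_uri}
              mode: blacklist
              items:
                - "~.*servers/detail[?]name=.*&status=ACTIVE"
              rate: 2r/m
              burst: 2
              nodelay: true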
302
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200303Gitlab server with user for basic auth
304
305.. code-block:: yaml
306
nginx:
  server:
    enabled: true
    # NOTE(review): passwords are plain text in pillar, visible to anyone with
    # pillar access and retained in VCS history. Use an encrypted pillar
    # renderer and unique, non-guessable values; `magicunicorn` is only a
    # placeholder. How the formula writes them to the htpasswd file is not
    # shown here. HTTP basic auth sends credentials with every request, so
    # only expose such sites over TLS.
    user:
      username1:
        enabled: true
        password: magicunicorn
        htpasswd: htpasswd-site1
      username2:
        enabled: true
        password: magicunicorn
318
Ales Komarekd77b7972015-11-12 11:02:39 +0100319Proxy buffering
320
321.. code-block:: yaml
322
nginx:
  server:
    enabled: true
    bind:
      address: '0.0.0.0'
      ports:
        - 80
    site:
      gitlab_proxy:
        enabled: true
        type: nginx_proxy
        proxy:
          # NOTE(review): presumably maps to proxy_request_buffering off,
          # streaming request bodies to the backend as they arrive — confirm
          # in the template.
          request_buffer: false
          # Response buffer count and size; units are whatever the template
          # appends (not visible here).
          buffer:
            number: 8
            size: 16
        host:
          name: gitlab.domain.com
          port: 80
342
Michael Kutý3a5abf12015-12-04 21:03:33 +0100343Let's Encrypt
344
345.. code-block:: yaml
346
nginx:
  server:
    enabled: true
    bind:
      address: '0.0.0.0'
      ports:
        - 443
    site:
      gitlab_domain:
        enabled: true
        type: gitlab
        name: domain
        ssl:
          enabled: true
          # NOTE(review): only 443 is bound above; if this engine relies on
          # the ACME HTTP-01 challenge, port 80 must also be reachable. How
          # the engine obtains certificates is not shown in this example.
          engine: letsencrypt
        host:
          name: gitlab.domain.com
          port: 443
365
Filip Pytloune0f75512016-11-03 14:34:26 +0100366SSL using already deployed key and cert file.
367Note that cert file should already contain CA cert and complete chain.
368
369.. code-block:: yaml
370
nginx:
  server:
    enabled: true
    site:
      mysite:
        ssl:
          enabled: true
          # Keep the key readable by root only; nginx's master process loads
          # it before dropping privileges to the worker user.
          key_file: /etc/ssl/private/mykey.key
          # Must contain the server certificate first, followed by the
          # complete intermediate CA chain (no separate chain file is used here).
          cert_file: /etc/ssl/cert/mycert.crt
380
Adam Tenglerc3916572016-01-25 17:46:52 +0100381Nginx stats server (required by collectd nginx plugin)
382
Aleš Komárek296a8442017-04-11 13:22:35 +0200383.. code-block:: yaml
Adam Tenglerc3916572016-01-25 17:46:52 +0100384
nginx:
  server:
    enabled: true
    site:
      nginx_stats_server:
        enabled: true
        type: nginx_stats
        name: server
        host:
          # Bound to loopback only: the stats endpoint presumably exposes
          # stub_status-style connection data; keep it unreachable from
          # outside the host.
          name: 127.0.0.1
          port: 8888
396
Ramon Melero12cf6c52017-08-16 13:11:54 -0500397Change nginx server ssl protocol options in openstack/proxy.yml
398
.. code-block:: yaml

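nginx:
  server:
    site:
      site01:
        enabled: true
        name: site01
        host:
          name: site01.domain.com
        ssl:
          enabled: true
          key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.key
          cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.crt
          chain_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}-with-chain.crt
          # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and have been dropped;
          # add TLSv1.3 once the nginx/OpenSSL build on the minion supports it.
          protocols: TLSv1.2
          # The 3DES (*-DES-CBC3-SHA) suites were removed: 64-bit block ciphers
          # are exposed to Sweet32. The trailing AES*-SHA* suites without
          # ECDHE/DHE give no forward secrecy and can be dropped too when no
          # legacy clients must be served.
          ciphers: "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS"
          prefer_server_ciphers: true
          # NOTE(review): several common browsers do not negotiate secp521r1;
          # prime256v1 (or X25519:prime256v1 on OpenSSL >= 1.1.0) is the widely
          # supported choice.
          ecdh_curve: secp521r1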
Aleš Komárek296a8442017-04-11 13:22:35 +0200417
418More Information
419================
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200420
421* http://wiki.nginx.org/Main
422* https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
423* http://nginx.com/resources/admin-guide/reverse-proxy/
424* https://mozilla.github.io/server-side-tls/ssl-config-generator/
Filip Pytloun2e902c12017-02-02 13:02:03 +0100425
Aleš Komárek296a8442017-04-11 13:22:35 +0200426
Filip Pytloun2e902c12017-02-02 13:02:03 +0100427Documentation and Bugs
428======================
429
430To learn how to install and update salt-formulas, consult the documentation
431available online at:
432
433 http://salt-formulas.readthedocs.io/
434
435In the unfortunate event that bugs are discovered, they should be reported to
436the appropriate issue tracker. Use Github issue tracker for specific salt
437formula:
438
439 https://github.com/salt-formulas/salt-formula-nginx/issues
440
441For feature requests, bug reports or blueprints affecting entire ecosystem,
442use Launchpad salt-formulas project:
443
444 https://launchpad.net/salt-formulas
445
446You can also join salt-formulas-users team and subscribe to mailing list:
447
448 https://launchpad.net/~salt-formulas-users
449
450Developers wishing to work on the salt-formulas projects should always base
451their work on master branch and submit pull request against specific formula.
452
453 https://github.com/salt-formulas/salt-formula-nginx
454
455Any questions or feedback is always welcome so feel free to join our IRC
456channel:
457
458 #salt-formulas @ irc.freenode.net