Filip Pytloun6b5bb652015-10-06 16:28:32 +02001
=============
Nginx Formula
=============
Filip Pytloun6b5bb652015-10-06 16:28:32 +02005
6Nginx is an open source reverse proxy server for HTTP, HTTPS, SMTP, POP3, and IMAP protocols, as well as a load balancer, HTTP cache, and a web server (origin server). The nginx project started with a strong focus on high concurrency, high performance and low memory usage.
7
Sample Pillars
==============
10
Gitlab server setup. The `ssl.key` value in this example carries the private key inline in pillar; real keys must not be committed to version control in plaintext.
12
13.. code-block:: yaml
14
15 nginx:
16 server:
17 enabled: true
18 bind:
19 address: '0.0.0.0'
20 ports:
21 - 80
22 site:
23 gitlab_domain:
24 enabled: true
25 type: gitlab
26 name: domain
27 ssl:
28 enabled: true
29 key: |
30 -----BEGIN RSA PRIVATE KEY-----
31 ...
32 cert: |
33 xyz
34 chain: |
35 my_chain..
36 host:
37 name: gitlab.domain.com
38 port: 80
39
40Simple static HTTP site
41
42.. code-block:: yaml
43
44 nginx:
45 server:
46 site:
47 nginx_static_site01:
48 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +020049 type: nginx_static
Filip Pytloun6b5bb652015-10-06 16:28:32 +020050 name: site01
51 host:
52 name: gitlab.domain.com
53 port: 80
54
Dmitry Stremkovskiy52145c62017-08-21 23:42:17 +030055Simple load balancer
56
57.. code-block:: yaml
58
59 nginx:
60 server:
61 upstream:
62 horizon-upstream:
63 backend1:
64 address: 10.10.10.113
65 port: 8078
66 opts: weight=3
67 backend2:
68 address: 10.10.10.114
69 site:
70 nginx_proxy_openstack_web:
71 enabled: true
72 type: nginx_proxy
73 name: openstack_web
74 proxy:
75 upstream_proxy_pass: http://horizon-upstream
76 host:
77 name: 192.168.0.1
78 port: 31337
79
Adam Tenglere7746cb2016-04-27 19:01:25 +020080Static site with access policy
81
82.. code-block:: yaml
83
84 nginx:
85 server:
86 site:
87 nginx_static_site01:
88 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +020089 type: nginx_static
Adam Tenglere7746cb2016-04-27 19:01:25 +020090 name: site01
91 access_policy:
92 allow:
93 - 192.168.1.1/24
94 - 127.0.0.1
95 deny:
96 - 192.168.1.2
97 - all
98 host:
99 name: gitlab.domain.com
100 port: 80
101
Dmitry Stremkovskiy6484afa2017-08-22 17:07:06 +0300102Simple TCP/UDP proxy
103
104.. code-block:: yaml
105
106 nginx:
107 server:
108 stream:
109 rabbitmq:
110 host:
111 port: 5672
112 backend:
113 server1:
114 address: 10.10.10.113
115 port: 5672
116 least_conn: true
117 hash: "$remote_addr consistent"
118 unbound:
119 host:
120 bind: 127.0.0.1
121 port: 53
122 protocol: udp
123 backend:
124 server1:
125 address: 10.10.10.113
126 port: 5353
127
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200128Simple HTTP proxy
129
130.. code-block:: yaml
131
132 nginx:
133 server:
134 site:
135 nginx_proxy_site01:
136 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +0200137 type: nginx_proxy
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200138 name: site01
139 proxy:
140 host: local.domain.com
141 port: 80
142 protocol: http
143 host:
144 name: gitlab.domain.com
145 port: 80
146
Jakub Josef83f7acf2018-04-09 16:05:49 +0200147Simple HTTP proxy with multiple locations
If the `proxy` section is defined and no `/` location is given, the `proxy` section is used. If a `/` location is defined, it overrides the `proxy` section.
149
150.. code-block:: yaml
151
152 nginx:
153 server:
154 site:
155 nginx_proxy_site01:
156 enabled: true
157 type: nginx_proxy
158 name: site01
159 proxy:
160 host: local.domain.com
161 port: 80
162 protocol: http
163 location:
164 /internal/:
165 host: 172.120.10.200
166 port: 80
167 protocol: http
168 /doc/:
169 host: 172.10.10.200
170 port: 80
171 protocol: http
172 host:
173 name: gitlab.domain.com
174 port: 80
175
176.. code-block:: yaml
177
178 nginx:
179 server:
180 site:
181 nginx_proxy_site01:
182 enabled: true
183 type: nginx_proxy
184 name: site01
185 location:
186 /:
187 host: 172.120.10.200
188 port: 80
189 protocol: http
190 /doc/:
191 host: 172.10.10.200
192 port: 80
193 protocol: http
194 host:
195 name: gitlab.domain.com
196 port: 80
197
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200198Simple Websocket proxy
199
200.. code-block:: yaml
201
202 nginx:
203 server:
204 site:
205 nginx_proxy_site02:
206 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +0200207 type: nginx_proxy
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200208 name: site02
209 proxy:
210 websocket: true
211 host: local.domain.com
212 port: 80
213 protocol: http
214 host:
215 name: gitlab.domain.com
216 port: 80
217
218Content filtering proxy
219
220.. code-block:: yaml
221
222 nginx:
223 server:
224 enabled: true
225 site:
226 nginx_proxy_site03:
227 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +0200228 type: nginx_proxy
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200229 name: site03
230 proxy:
231 host: local.domain.com
232 port: 80
233 protocol: http
234 filter:
235 search: https://www.domain.com
236 replace: http://10.10.10.10
237 host:
238 name: gitlab.domain.com
239 port: 80
240
Adam Tenglere7746cb2016-04-27 19:01:25 +0200241Proxy with access policy
242
243.. code-block:: yaml
244
245 nginx:
246 server:
247 site:
248 nginx_proxy_site01:
249 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +0200250 type: nginx_proxy
Adam Tenglere7746cb2016-04-27 19:01:25 +0200251 name: site01
252 access_policy:
253 allow:
254 - 192.168.1.1/24
255 - 127.0.0.1
256 deny:
257 - 192.168.1.2
258 - all
259 proxy:
260 host: local.domain.com
261 port: 80
262 protocol: http
263 host:
264 name: gitlab.domain.com
265 port: 80
266
Michel Nederlofeb5dd232018-03-13 13:57:34 +0100267Proxy with rate limiting scheme:
268
269.. code-block:: yaml
270
271 _dollar: '$'
272 nginx:
273 server:
274 site:
275 nginx_proxy_site01:
276 enabled: true
277 type: nginx_proxy
278 name: site01
279 proxy:
280 host: local.domain.com
281 port: 80
282 protocol: http
283 host:
284 name: gitlab.domain.com
285 port: 80
286 limit:
287 enabled: True
288 ip_whitelist:
289 - 127.0.0.1
290 burst: 600
291 rate: 10r/s
292 nodelay: True
293 subfilters:
294 heavy_url:
295 input: ${_dollar}{binary_remote_addr}${_dollar}{request_uri}
296 mode: blacklist
297 items:
298 - "~.*servers/detail[?]name=.*&status=ACTIVE"
299 rate: 2r/m
300 burst: 2
301 nodelay: True
302
Gitlab server with user for basic auth. The `password` values below are placeholders; this pillar holds basic-auth credentials in plaintext, so do not commit real ones to version control.
304
305.. code-block:: yaml
306
307 nginx:
308 server:
309 enabled: true
310 user:
311 username1:
312 enabled: true
313 password: magicunicorn
314 htpasswd: htpasswd-site1
315 username2:
316 enabled: true
317 password: magicunicorn
318
Ales Komarekd77b7972015-11-12 11:02:39 +0100319Proxy buffering
320
321.. code-block:: yaml
322
323 nginx:
324 server:
325 enabled: true
326 bind:
327 address: '0.0.0.0'
328 ports:
329 - 80
330 site:
331 gitlab_proxy:
332 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +0200333 type: nginx_proxy
Ales Komarekd77b7972015-11-12 11:02:39 +0100334 proxy:
Ondrej Smola5e177bc2017-12-07 12:55:23 +0100335 request_buffer: false
Ales Komarekd77b7972015-11-12 11:02:39 +0100336 buffer:
337 number: 8
338 size: 16
339 host:
340 name: gitlab.domain.com
341 port: 80
342
Michael Kutý3a5abf12015-12-04 21:03:33 +0100343Let's Encrypt
344
345.. code-block:: yaml
346
347 nginx:
348 server:
349 enabled: true
350 bind:
351 address: '0.0.0.0'
352 ports:
353 - 443
354 site:
355 gitlab_domain:
356 enabled: true
357 type: gitlab
358 name: domain
359 ssl:
360 enabled: true
361 engine: letsencrypt
362 host:
363 name: gitlab.domain.com
364 port: 443
365
SSL using an already deployed key and cert file.
Note that the cert file must already contain the CA cert and the complete chain.
368
369.. code-block:: yaml
370
371 nginx:
372 server:
373 enabled: true
374 site:
375 mysite:
376 ssl:
377 enabled: true
378 key_file: /etc/ssl/private/mykey.key
379 cert_file: /etc/ssl/cert/mycert.crt
380
Advanced SSL configuration; more information about the SSL options may be found
at http://nginx.org/en/docs/http/ngx_http_ssl_module.html
Note that prior to nginx 1.11.0 only one type of ECDH curve can be given in the ssl_ecdh_curve directive.
Please note that if mode = 'secure' or mode = 'normal' and 'ciphers' or 'protocols' are set, they must be of
type "string"; if mode = 'manual', their type must be "dict" (as shown below).
The example below illustrates the syntax only and is not a recommended configuration: it enables TLSv1 and TLSv1.1 while disabling TLSv1.2, and places the sample `password_file` content directly in pillar. Set every `enabled` flag deliberately and see the Mozilla server-side TLS guidance linked under More Information.
386
387.. code-block:: yaml
388
389 nginx:
390 server:
391 enabled: true
392 site:
393 mysite:
394 ssl:
395 enabled: true
396 mode: 'manual'
397 key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.key
398 cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.crt
399 chain_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}-with-chain.crt
400 protocols:
401 TLS1:
402 name: 'TLSv1'
403 enabled: True
404 TLS1_1:
405 name: 'TLSv1.1'
406 enabled: True
407 TLS1_2:
408 name: 'TLSv1.2'
409 enabled: False
410 ciphers:
411 ECDHE_RSA_AES256_GCM_SHA384:
412 name: 'ECDHE-RSA-AES256-GCM-SHA384'
413 enabled: True
414 ECDHE_ECDSA_AES256_GCM_SHA384:
415 name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
416 enabled: True
417 buffer_size: '16k'
418 crl:
419 file: '/etc/ssl/crl.pem'
420 enabled: False
421 dhparam:
422 enabled: True
423 numbits: 2048
424 ecdh_curve:
425 secp384r1:
426 name: 'secp384r1'
427 enabled: False
428 secp521r1:
429 name: 'secp521r1'
430 enabled: True
431 password_file:
432 content: 'testcontent22'
433 enabled: True
434 file: '/etc/ssl/password.key'
435 prefer_server_ciphers: 'on'
436 ticket_key:
437 enabled: True
438 numbytes: 48
439 resolver:
440 address: '127.0.0.1'
441 valid_seconds: '500'
442 timeout_seconds: '60'
443 session_tickets: 'on'
444 stapling: 'off'
445 stapling_file: '/path/to/stapling/file'
446 stapling_responder: 'http://ocsp.example.com/'
447 stapling_verify: 'on'
448 verify_client: 'on'
449 client_certificate:
450 file: '/etc/ssl/client_cert.pem'
451 enabled: False
452 verify_depth: 1
453 session_cache: 'shared:SSL:15m'
454 session_timeout: '15m'
Adam Tengler5c64af62018-06-22 12:17:55 +0000455 strict_transport_security:
456 max_age: 16000000
457 include_subdomains: False
458 always: true
459 enabled: true
Vasyl Saienkod3348f62018-02-09 20:08:01 +0200460
Adam Tenglerc3916572016-01-25 17:46:52 +0100461Nginx stats server (required by collectd nginx plugin)
462
Aleš Komárek296a8442017-04-11 13:22:35 +0200463.. code-block:: yaml
Adam Tenglerc3916572016-01-25 17:46:52 +0100464
465 nginx:
466 server:
467 enabled: true
468 site:
469 nginx_stats_server:
470 enabled: true
471 type: nginx_stats
472 name: server
473 host:
474 name: 127.0.0.1
475 port: 8888
476
Nginx configured to wait for one or more other services before starting (currently systemd only)
478
479.. code-block:: yaml
480
481 nginx:
482 server:
483 wait_for_service:
484 - foo-bar.mount
485 enabled: true
486 site:
487 ...
488
More Information
================
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200491
492* http://wiki.nginx.org/Main
493* https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
494* http://nginx.com/resources/admin-guide/reverse-proxy/
495* https://mozilla.github.io/server-side-tls/ssl-config-generator/
Filip Pytloun2e902c12017-02-02 13:02:03 +0100496
Aleš Komárek296a8442017-04-11 13:22:35 +0200497
Documentation and Bugs
======================
500
501To learn how to install and update salt-formulas, consult the documentation
502available online at:
503
504 http://salt-formulas.readthedocs.io/
505
If you discover a bug, report it to the appropriate issue tracker. Use the
GitHub issue tracker for a specific salt formula:
509
510 https://github.com/salt-formulas/salt-formula-nginx/issues
511
For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:
514
515 https://launchpad.net/salt-formulas
516
You can also join the salt-formulas-users team and subscribe to the mailing list:
518
519 https://launchpad.net/~salt-formulas-users
520
Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula.
523
524 https://github.com/salt-formulas/salt-formula-nginx
525
Questions and feedback are always welcome, so feel free to join our IRC
channel:
528
529 #salt-formulas @ irc.freenode.net