Aleš Komárek296a8442017-04-11 13:22:35 +02002=============
OlgaGusarenkoe2f808f2018-07-30 23:42:18 +03003Usage
Aleš Komárek296a8442017-04-11 13:22:35 +02004=============
Filip Pytloun6b5bb652015-10-06 16:28:32 +02005
OlgaGusarenkoe2f808f2018-07-30 23:42:18 +03006Nginx is an open source reverse proxy server for HTTP, HTTPS,
7SMTP, POP3, and IMAP protocols, as well as a load balancer,
8HTTP cache, and a web server (origin server). The nginx project
9started with a strong focus on high concurrency, high performance
10and low memory usage.
Filip Pytloun6b5bb652015-10-06 16:28:32 +020011
Aleš Komárek296a8442017-04-11 13:22:35 +020012Sample Pillars
Filip Pytloun6b5bb652015-10-06 16:28:32 +020013==============
14
Gitlab server setup (the inline ``key`` below is a private key kept in pillar; treat that pillar as secret data):
Filip Pytloun6b5bb652015-10-06 16:28:32 +020016
17.. code-block:: yaml
18
19 nginx:
20 server:
21 enabled: true
22 bind:
23 address: '0.0.0.0'
24 ports:
25 - 80
26 site:
27 gitlab_domain:
28 enabled: true
29 type: gitlab
30 name: domain
31 ssl:
32 enabled: true
33 key: |
34 -----BEGIN RSA PRIVATE KEY-----
35 ...
36 cert: |
37 xyz
38 chain: |
39 my_chain..
40 host:
41 name: gitlab.domain.com
42 port: 80
43
OlgaGusarenkoe2f808f2018-07-30 23:42:18 +030044Simple static HTTP site:
Filip Pytloun6b5bb652015-10-06 16:28:32 +020045
46.. code-block:: yaml
47
48 nginx:
49 server:
50 site:
51 nginx_static_site01:
52 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +020053 type: nginx_static
Filip Pytloun6b5bb652015-10-06 16:28:32 +020054 name: site01
55 host:
56 name: gitlab.domain.com
57 port: 80
58
OlgaGusarenkoe2f808f2018-07-30 23:42:18 +030059Simple load balancer:
Dmitry Stremkovskiy52145c62017-08-21 23:42:17 +030060
61.. code-block:: yaml
62
63 nginx:
64 server:
65 upstream:
66 horizon-upstream:
67 backend1:
68 address: 10.10.10.113
69 port: 8078
70 opts: weight=3
71 backend2:
72 address: 10.10.10.114
73 site:
74 nginx_proxy_openstack_web:
75 enabled: true
76 type: nginx_proxy
77 name: openstack_web
78 proxy:
79 upstream_proxy_pass: http://horizon-upstream
80 host:
81 name: 192.168.0.1
82 port: 31337
83
OlgaGusarenkoe2f808f2018-07-30 23:42:18 +030084Static site with access policy:
Adam Tenglere7746cb2016-04-27 19:01:25 +020085
86.. code-block:: yaml
87
88 nginx:
89 server:
90 site:
91 nginx_static_site01:
92 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +020093 type: nginx_static
Adam Tenglere7746cb2016-04-27 19:01:25 +020094 name: site01
95 access_policy:
96 allow:
97 - 192.168.1.1/24
98 - 127.0.0.1
99 deny:
100 - 192.168.1.2
101 - all
102 host:
103 name: gitlab.domain.com
104 port: 80
105
OlgaGusarenkoe2f808f2018-07-30 23:42:18 +0300106Simple TCP/UDP proxy:
Dmitry Stremkovskiy6484afa2017-08-22 17:07:06 +0300107
108.. code-block:: yaml
109
110 nginx:
111 server:
112 stream:
113 rabbitmq:
114 host:
115 port: 5672
116 backend:
117 server1:
118 address: 10.10.10.113
119 port: 5672
120 least_conn: true
121 hash: "$remote_addr consistent"
122 unbound:
123 host:
124 bind: 127.0.0.1
125 port: 53
126 protocol: udp
127 backend:
128 server1:
129 address: 10.10.10.113
130 port: 5353
131
OlgaGusarenkoe2f808f2018-07-30 23:42:18 +0300132Simple HTTP proxy:
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200133
134.. code-block:: yaml
135
136 nginx:
137 server:
138 site:
139 nginx_proxy_site01:
140 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +0200141 type: nginx_proxy
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200142 name: site01
143 proxy:
144 host: local.domain.com
145 port: 80
146 protocol: http
147 host:
148 name: gitlab.domain.com
149 port: 80
150
OlgaGusarenkoe2f808f2018-07-30 23:42:18 +0300151Simple HTTP proxy with multiple locations:
152
.. note:: If the proxy part is defined and no ``/`` location is defined,
   the proxy part is used. If the ``/`` location is defined,
   it overrides the proxy part.
Jakub Josef83f7acf2018-04-09 16:05:49 +0200156
157.. code-block:: yaml
158
159 nginx:
160 server:
161 site:
162 nginx_proxy_site01:
163 enabled: true
164 type: nginx_proxy
165 name: site01
166 proxy:
167 host: local.domain.com
168 port: 80
169 protocol: http
170 location:
171 /internal/:
172 host: 172.120.10.200
173 port: 80
174 protocol: http
175 /doc/:
176 host: 172.10.10.200
177 port: 80
178 protocol: http
179 host:
180 name: gitlab.domain.com
181 port: 80
182
183.. code-block:: yaml
184
185 nginx:
186 server:
187 site:
188 nginx_proxy_site01:
189 enabled: true
190 type: nginx_proxy
191 name: site01
192 location:
193 /:
194 host: 172.120.10.200
195 port: 80
196 protocol: http
197 /doc/:
198 host: 172.10.10.200
199 port: 80
200 protocol: http
201 host:
202 name: gitlab.domain.com
203 port: 80
204
OlgaGusarenkoe2f808f2018-07-30 23:42:18 +0300205Simple Websocket proxy:
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200206
207.. code-block:: yaml
208
209 nginx:
210 server:
211 site:
212 nginx_proxy_site02:
213 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +0200214 type: nginx_proxy
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200215 name: site02
216 proxy:
217 websocket: true
218 host: local.domain.com
219 port: 80
220 protocol: http
221 host:
222 name: gitlab.domain.com
223 port: 80
224
OlgaGusarenkoe2f808f2018-07-30 23:42:18 +0300225Content filtering proxy:
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200226
227.. code-block:: yaml
228
229 nginx:
230 server:
231 enabled: true
232 site:
233 nginx_proxy_site03:
234 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +0200235 type: nginx_proxy
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200236 name: site03
237 proxy:
238 host: local.domain.com
239 port: 80
240 protocol: http
241 filter:
242 search: https://www.domain.com
243 replace: http://10.10.10.10
244 host:
245 name: gitlab.domain.com
246 port: 80
247
OlgaGusarenkoe2f808f2018-07-30 23:42:18 +0300248Proxy with access policy:
Adam Tenglere7746cb2016-04-27 19:01:25 +0200249
250.. code-block:: yaml
251
252 nginx:
253 server:
254 site:
255 nginx_proxy_site01:
256 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +0200257 type: nginx_proxy
Adam Tenglere7746cb2016-04-27 19:01:25 +0200258 name: site01
259 access_policy:
260 allow:
261 - 192.168.1.1/24
262 - 127.0.0.1
263 deny:
264 - 192.168.1.2
265 - all
266 proxy:
267 host: local.domain.com
268 port: 80
269 protocol: http
270 host:
271 name: gitlab.domain.com
272 port: 80
273
Use the nginx `ngx_http_map_module`, which creates variables whose values depend on
the values of other variables.
Michel Nederlofeb5dd232018-03-13 13:57:34 +0100276
277.. code-block:: yaml
278
Vasyl Saienkoc14eca22018-12-07 09:46:17 +0000279 nginx:
280 server:
281 enabled: true
282 map:
283 enabled: true
284 items:
285 mymap:
286 enabled: true
287 string: input_string
288 variable: output_map_variable
289 body:
290 default:
291 value: '""'
292 example.com:
293 value: '1'
294 example.org:
295 value: '2'
296
Use the nginx `ngx_http_geo_module` module, which creates variables with values
depending on the client IP address.
299
300.. code-block:: yaml
301
302 nginx:
303 server:
304 enabled: true
305 geo:
306 enabled: true
307 items:
308 my_geo_map:
309 enabled: true
310 variable: output_get_variable
311 body:
312 default:
313 value: '""'
cl1:
name: 10.12.100.1/32
value: '1'
cl2:
name: 10.13.0.0/16
value: '2'
320
Use the `ngx_http_limit_req_module` module to limit the request
processing rate per defined key, in particular the processing rate of
requests coming from a single IP address. The limitation is done using
the `leaky bucket` method.
The `limit_req_module` can be configured globally or applied to a specific
nginx site.
327
328.. code-block:: yaml
329
330 nginx:
331 server:
332 limit_req_module:
333 limit_req_zone:
334 global_limit_ip_zone:
335 key: global_limit_ip_var
336 size: 10m
337 rate: '1r/s'
338 limit_req_status: 503
339 limit_req:
340 global_limit_zone:
341 burst: 5
342 enabled: true
343
The following example limits requests to all sites based on the client IP:
every client except 10.12.100.1 is limited to 1 request per second.
347
#. Create a geo instance that matches the client IP and sets the `limit_action`
   variable: ``"0"`` means unlimited, ``1`` means limited.
350
351#. Create a `global_geo_limiting_map` that will map `ip_limit_key` to
352 `ip_limit_action`
353
#. Create a global `limit_req_zone` called `global_limit_zone` that limits
   the request rate to 1r/s.
356
#. Apply `global_limit_zone` globally to all requests with a burst of 5 requests.
358
359.. code-block:: yaml
360
361 nginx:
362 server:
363 enabled: true
364 geo:
365 enabled: true
366 items:
367 global_geo_limiting:
368 enabled: true
369 variable: ip_limit_key
370 body:
371 default:
372 value: '1'
373 unlimited_client1:
374 name: '10.12.100.1/32'
375 value: '0'
376 map:
377 enabled: true
378 items:
379 global_geo_limiting_map:
380 enabled: true
381 string: ip_limit_key
382 variable: ip_limit_action
383 body:
384 limited:
385 name: 1
386 value: '$binary_remote_addr'
387 unlimited:
388 name: 0
389 value: '""'
390 limit_req_module:
391 limit_req_zone:
392 global_limit_zone:
393 key: ip_limit_action
394 size: 10m
395 rate: '1r/s'
396 limit_req_status: 503
397 limit_req:
398 global_limit_zone:
399 burst: 5
400 enabled: true
401
To apply request limiting to a particular site only, `limit_req` should be
applied at site level, for example:
404
405.. code-block:: yaml
406
Michel Nederlofeb5dd232018-03-13 13:57:34 +0100407 nginx:
408 server:
409 site:
Vasyl Saienkoc14eca22018-12-07 09:46:17 +0000410 nginx_proxy_openstack_api_keystone:
411 limit_req_module:
412 limit_req:
413 global_limit_zone:
414 burst: 5
415 enabled: true
416
Michel Nederlofeb5dd232018-03-13 13:57:34 +0100417
Use the `ngx_http_limit_conn_module` module to set the shared memory
zone and the maximum allowed number of connections for a given key value.
The `limit_conn_module` can be configured globally or applied to a specific
nginx site.
422
423.. code-block:: yaml
424
425 nginx:
426 server:
427 limit_conn_module:
428 limit_conn_zone:
429 global_limit_conn_zone:
430 key: 'binary_remote_addr'
431 size: 10m
432 limit_conn_status: 503
433 limit_conn:
434 global_limit_conn_zone:
435 connection: 50
436 enabled: true
437
438
To apply connection limiting to a particular site only, `limit_conn` should be
applied at site level, for example (note that the global example above names the
per-zone key ``connection`` while the site example below uses ``connections``;
use whichever spelling the formula's template actually reads, since an
unrecognised key may leave the limit unapplied):
441
442.. code-block:: yaml
443
444 nginx:
445 server:
446 site:
447 nginx_proxy_openstack_web:
448 limit_conn_module:
449 limit_conn:
450 global_limit_conn_zone:
451 connections: 25
452 enabled: true
453
Gitlab server with users for basic auth. The ``password`` values are plain-text
pillar data, so keep such pillars out of version control or store them encrypted:
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200455
456.. code-block:: yaml
457
458 nginx:
459 server:
460 enabled: true
461 user:
462 username1:
463 enabled: true
464 password: magicunicorn
465 htpasswd: htpasswd-site1
466 username2:
467 enabled: true
468 password: magicunicorn
469
OlgaGusarenkoe2f808f2018-07-30 23:42:18 +0300470Proxy buffering:
Ales Komarekd77b7972015-11-12 11:02:39 +0100471
472.. code-block:: yaml
473
474 nginx:
475 server:
476 enabled: true
477 bind:
478 address: '0.0.0.0'
479 ports:
480 - 80
481 site:
482 gitlab_proxy:
483 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +0200484 type: nginx_proxy
Ales Komarekd77b7972015-11-12 11:02:39 +0100485 proxy:
Ondrej Smola5e177bc2017-12-07 12:55:23 +0100486 request_buffer: false
Ales Komarekd77b7972015-11-12 11:02:39 +0100487 buffer:
488 number: 8
489 size: 16
490 host:
491 name: gitlab.domain.com
492 port: 80
493
To accept large client request headers, add the `large_client_header_buffers`
parameter with the buffer count and size:

.. code-block:: yaml

497 nginx:
498 server:
499 enabled: true
500 bind:
501 address: '0.0.0.0'
502 ports:
503 - 80
504 site:
505 gitlab_proxy:
506 enabled: true
507 type: nginx_proxy
508 large_client_header_buffers: '4 8k'
509 host:
510 name: gitlab.domain.com
511 port: 80
512
OlgaGusarenkoe2f808f2018-07-30 23:42:18 +0300513Let's Encrypt:
Michael Kutý3a5abf12015-12-04 21:03:33 +0100514
515.. code-block:: yaml
516
517 nginx:
518 server:
519 enabled: true
520 bind:
521 address: '0.0.0.0'
522 ports:
523 - 443
524 site:
525 gitlab_domain:
526 enabled: true
527 type: gitlab
528 name: domain
529 ssl:
530 enabled: true
531 engine: letsencrypt
532 host:
533 name: gitlab.domain.com
534 port: 443
535
SSL using an already deployed key and cert file:
OlgaGusarenkoe2f808f2018-07-30 23:42:18 +0300537
538.. note:: The cert file should already contain CA cert and
539 complete chain.
Filip Pytloune0f75512016-11-03 14:34:26 +0100540
541.. code-block:: yaml
542
543 nginx:
544 server:
545 enabled: true
546 site:
547 mysite:
548 ssl:
549 enabled: true
550 key_file: /etc/ssl/private/mykey.key
551 cert_file: /etc/ssl/cert/mycert.crt
552
Denis Egorenkob8cb5432019-07-15 16:47:32 +0400553or
554
555.. code-block:: yaml
556
557 nginx:
558 server:
559 enabled: true
560 site:
561 mysite:
562 ssl:
563 enabled: true
564 engine: custom
565 key_file: /etc/ssl/private/mykey.key
566 cert_file: /etc/ssl/cert/mycert.crt
567
Advanced SSL configuration; more information about the SSL options
may be found at http://nginx.org/en/docs/http/ngx_http_ssl_module.html
570
.. note:: Prior to nginx 1.11.0, only one type of ecdh curve
   can be applied in the ``ssl_ecdh_curve`` directive.

   If mode = ``secure`` or mode = ``normal`` and ``ciphers``
   or ``protocols`` are set, they should have type ``string``.
   If mode = ``manual``, their type should be ``dict``
   as shown below.

   The example below only illustrates the ``manual`` dict form;
   its protocol and cipher selection is not a hardening
   recommendation. Consult the Mozilla TLS guidelines linked under
   More Information when deciding which protocols and ciphers to enable.
Vasyl Saienkod3348f62018-02-09 20:08:01 +0200578
579.. code-block:: yaml
580
581 nginx:
582 server:
583 enabled: true
584 site:
585 mysite:
586 ssl:
587 enabled: true
588 mode: 'manual'
589 key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.key
590 cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.crt
591 chain_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}-with-chain.crt
592 protocols:
593 TLS1:
594 name: 'TLSv1'
595 enabled: True
596 TLS1_1:
597 name: 'TLSv1.1'
598 enabled: True
599 TLS1_2:
600 name: 'TLSv1.2'
601 enabled: False
602 ciphers:
603 ECDHE_RSA_AES256_GCM_SHA384:
604 name: 'ECDHE-RSA-AES256-GCM-SHA384'
605 enabled: True
606 ECDHE_ECDSA_AES256_GCM_SHA384:
607 name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
608 enabled: True
609 buffer_size: '16k'
610 crl:
611 file: '/etc/ssl/crl.pem'
612 enabled: False
613 dhparam:
614 enabled: True
615 numbits: 2048
azvyagintsev4f4e7d42019-01-24 13:44:55 +0200616 use_dsaparam: True
Vasyl Saienkod3348f62018-02-09 20:08:01 +0200617 ecdh_curve:
618 secp384r1:
619 name: 'secp384r1'
620 enabled: False
621 secp521r1:
622 name: 'secp521r1'
623 enabled: True
624 password_file:
625 content: 'testcontent22'
626 enabled: True
627 file: '/etc/ssl/password.key'
628 prefer_server_ciphers: 'on'
629 ticket_key:
630 enabled: True
631 numbytes: 48
632 resolver:
633 address: '127.0.0.1'
634 valid_seconds: '500'
635 timeout_seconds: '60'
636 session_tickets: 'on'
637 stapling: 'off'
638 stapling_file: '/path/to/stapling/file'
639 stapling_responder: 'http://ocsp.example.com/'
640 stapling_verify: 'on'
641 verify_client: 'on'
642 client_certificate:
643 file: '/etc/ssl/client_cert.pem'
644 enabled: False
645 verify_depth: 1
646 session_cache: 'shared:SSL:15m'
647 session_timeout: '15m'
Adam Tengler5c64af62018-06-22 12:17:55 +0000648 strict_transport_security:
649 max_age: 16000000
650 include_subdomains: False
651 always: true
652 enabled: true
Vasyl Saienkod3348f62018-02-09 20:08:01 +0200653
Vasyl Saienkof5c57e22018-09-28 08:54:33 +0000654Setting custom proxy headers:
655
656.. code-block:: yaml
657
658 nginx:
659 server:
660 enabled: true
661 site:
662 custom_headers:
663 type: nginx_proxy
664 proxy_set_header:
665 Host:
666 enabled: true
667 value: "$host:8774"
668 X-Real-IP:
669 enabled: true
670 value: '$remote_addr'
671 X-Forwarded-For:
672 enabled: true
673 value: '$proxy_add_x_forwarded_for'
674 X-Forwarded-Proto:
675 enabled: true
676 value: '$scheme'
677 X-Forwarded-Port:
678 enabled: true
679 value: '$server_port'
680
Dzmitry Stremkouski13772462018-10-27 14:56:47 +0200681Define site catalog indexes:
682
683.. code-block:: yaml
684
685 nginx:
686 server:
687 enabled: true
688 site:
689 nginx_catalog:
690 enabled: true
691 type: nginx_static
692 name: server
693 indexes:
694 - index.htm
695 - index.html
696 host:
697 name: 127.0.0.1
698 port: 80
699
700Define site catalog autoindex:
701
702.. code-block:: yaml
703
704 nginx:
705 server:
706 enabled: true
707 site:
708 nginx_catalog:
709 enabled: true
710 type: nginx_static
711 name: server
712 autoindex: True
713 host:
714 name: 127.0.0.1
715 port: 80
716
Nginx stats server (required by the collectd nginx plugin; DEPRECATED):
Adam Tenglerc3916572016-01-25 17:46:52 +0100718
Aleš Komárek296a8442017-04-11 13:22:35 +0200719.. code-block:: yaml
Adam Tenglerc3916572016-01-25 17:46:52 +0100720
721 nginx:
722 server:
723 enabled: true
724 site:
725 nginx_stats_server:
726 enabled: true
727 type: nginx_stats
728 name: server
729 host:
730 name: 127.0.0.1
731 port: 8888
732
Dzmitry Stremkouski13772462018-10-27 14:56:47 +0200733or:
734
735.. code-block:: yaml
736
737 nginx:
738 server:
739 enabled: true
740 site:
741 nginx_stats_server:
742 enabled: true
743 root: disabled
744 indexes: []
745 stats: True
746 type: nginx_static
747 name: stat_server
748 host:
749 name: 127.0.0.1
750 address: 127.0.0.1
751 port: 8888
752
Nginx configured to wait for one or more other services before
starting (currently only with systemd):
Adam Tengler86893942018-06-20 14:06:24 +0000755
756.. code-block:: yaml
757
758 nginx:
759 server:
760 wait_for_service:
761 - foo-bar.mount
762 enabled: true
763 site:
764 ...
765
Aleš Komárek296a8442017-04-11 13:22:35 +0200766More Information
767================
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200768
769* http://wiki.nginx.org/Main
770* https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
771* http://nginx.com/resources/admin-guide/reverse-proxy/
772* https://mozilla.github.io/server-side-tls/ssl-config-generator/