=============
Nginx Formula
=============

Nginx is an open source reverse proxy server for HTTP, HTTPS, SMTP, POP3, and IMAP protocols, as well as a load balancer, HTTP cache, and a web server (origin server). The nginx project started with a strong focus on high concurrency, high performance and low memory usage.

Sample Pillars
==============
10
Gitlab server setup

.. code-block:: yaml

    nginx:
      server:
        enabled: true
        bind:
          address: '0.0.0.0'
          ports:
          - 80
        site:
          gitlab_domain:
            enabled: true
            type: gitlab
            name: domain
            ssl:
              enabled: true
              key: |
                -----BEGIN RSA PRIVATE KEY-----
                ...
              cert: |
                xyz
              chain: |
                my_chain..
            host:
              name: gitlab.domain.com
              port: 80

Simple static HTTP site

.. code-block:: yaml

    nginx:
      server:
        site:
          nginx_static_site01:
            enabled: true
            type: nginx_static
            name: site01
            host:
              name: gitlab.domain.com
              port: 80
54
Simple load balancer

.. code-block:: yaml

    nginx:
      server:
        upstream:
          horizon-upstream:
            backend1:
              address: 10.10.10.113
              port: 8078
              opts: weight=3
            backend2:
              address: 10.10.10.114
        site:
          nginx_proxy_openstack_web:
            enabled: true
            type: nginx_proxy
            name: openstack_web
            proxy:
              upstream_proxy_pass: http://horizon-upstream
            host:
              name: 192.168.0.1
              port: 31337

Static site with access policy

.. code-block:: yaml

    nginx:
      server:
        site:
          nginx_static_site01:
            enabled: true
            type: nginx_static
            name: site01
            access_policy:
              allow:
              - 192.168.1.1/24
              - 127.0.0.1
              deny:
              - 192.168.1.2
              - all
            host:
              name: gitlab.domain.com
              port: 80

Simple TCP/UDP proxy

.. code-block:: yaml

    nginx:
      server:
        stream:
          rabbitmq:
            host:
              port: 5672
            backend:
              server1:
                address: 10.10.10.113
                port: 5672
              least_conn: true
              hash: "$remote_addr consistent"
          unbound:
            host:
              bind: 127.0.0.1
              port: 53
              protocol: udp
            backend:
              server1:
                address: 10.10.10.113
                port: 5353
127
Simple HTTP proxy

.. code-block:: yaml

    nginx:
      server:
        site:
          nginx_proxy_site01:
            enabled: true
            type: nginx_proxy
            name: site01
            proxy:
              host: local.domain.com
              port: 80
              protocol: http
            host:
              name: gitlab.domain.com
              port: 80

Simple Websocket proxy

.. code-block:: yaml

    nginx:
      server:
        site:
          nginx_proxy_site02:
            enabled: true
            type: nginx_proxy
            name: site02
            proxy:
              websocket: true
              host: local.domain.com
              port: 80
              protocol: http
            host:
              name: gitlab.domain.com
              port: 80

Content filtering proxy

.. code-block:: yaml

    nginx:
      server:
        enabled: true
        site:
          nginx_proxy_site03:
            enabled: true
            type: nginx_proxy
            name: site03
            proxy:
              host: local.domain.com
              port: 80
              protocol: http
              filter:
                search: https://www.domain.com
                replace: http://10.10.10.10
            host:
              name: gitlab.domain.com
              port: 80

Proxy with access policy

.. code-block:: yaml

    nginx:
      server:
        site:
          nginx_proxy_site01:
            enabled: true
            type: nginx_proxy
            name: site01
            access_policy:
              allow:
              - 192.168.1.1/24
              - 127.0.0.1
              deny:
              - 192.168.1.2
              - all
            proxy:
              host: local.domain.com
              port: 80
              protocol: http
            host:
              name: gitlab.domain.com
              port: 80
215
Gitlab server with user for basic auth

.. code-block:: yaml

    nginx:
      server:
        enabled: true
        user:
          username1:
            enabled: true
            password: magicunicorn
            htpasswd: htpasswd-site1
          username2:
            enabled: true
            password: magicunicorn

Proxy buffering

.. code-block:: yaml

    nginx:
      server:
        enabled: true
        bind:
          address: '0.0.0.0'
          ports:
          - 80
        site:
          gitlab_proxy:
            enabled: true
            type: nginx_proxy
            proxy:
              request_buffer: false
              buffer:
                number: 8
                size: 16
            host:
              name: gitlab.domain.com
              port: 80

Let's Encrypt

.. code-block:: yaml

    nginx:
      server:
        enabled: true
        bind:
          address: '0.0.0.0'
          ports:
          - 443
        site:
          gitlab_domain:
            enabled: true
            type: gitlab
            name: domain
            ssl:
              enabled: true
              engine: letsencrypt
            host:
              name: gitlab.domain.com
              port: 443

SSL using an already deployed key and cert file.
Note that the cert file should already contain the CA cert and the complete chain.

.. code-block:: yaml

    nginx:
      server:
        enabled: true
        site:
          mysite:
            ssl:
              enabled: true
              key_file: /etc/ssl/private/mykey.key
              cert_file: /etc/ssl/cert/mycert.crt
293
Nginx stats server (required by the collectd nginx plugin)

.. code-block:: yaml

    nginx:
      server:
        enabled: true
        site:
          nginx_stats_server:
            enabled: true
            type: nginx_stats
            name: server
            host:
              name: 127.0.0.1
              port: 8888

Change nginx server ssl protocol options in openstack/proxy.yml

.. code-block:: yaml

    nginx:
      server:
        site:
          site01:
            enabled: true
            name: site01
            host:
              name: site01.domain.com
            ssl:
              enabled: true
              key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.key
              cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.crt
              chain_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}-with-chain.crt
              protocols: TLSv1 TLSv1.1 TLSv1.2
              ciphers: "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
              prefer_server_ciphers: true
              ecdh_curve: secp521r1
Aleš Komárek296a8442017-04-11 13:22:35 +0200330
More Information
================

* http://wiki.nginx.org/Main
* https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
* http://nginx.com/resources/admin-guide/reverse-proxy/
* https://mozilla.github.io/server-side-tls/ssl-config-generator/

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for a specific salt
formula:

    https://github.com/salt-formulas/salt-formula-nginx/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to its mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula.

    https://github.com/salt-formulas/salt-formula-nginx

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net