Filip Pytloun6b5bb652015-10-06 16:28:32 +02001
Aleš Komárek296a8442017-04-11 13:22:35 +02002=============
3Nginx Formula
4=============
Filip Pytloun6b5bb652015-10-06 16:28:32 +02005
6Nginx is an open source reverse proxy server for HTTP, HTTPS, SMTP, POP3, and IMAP protocols, as well as a load balancer, HTTP cache, and a web server (origin server). The nginx project started with a strong focus on high concurrency, high performance and low memory usage.
7
Aleš Komárek296a8442017-04-11 13:22:35 +02008Sample Pillars
Filip Pytloun6b5bb652015-10-06 16:28:32 +02009==============
10
11Gitlab server setup
12
13.. code-block:: yaml
14
# Sample pillar: GitLab site served by nginx, TLS material supplied inline.
nginx:
  server:
    enabled: true
    bind:
      address: '0.0.0.0'
      ports:
        - 80
    site:
      gitlab_domain:
        enabled: true
        type: gitlab
        name: domain
        ssl:
          enabled: true
          # The private key is carried in pillar: keep this pillar out of
          # plain-text VCS (use an encrypted pillar source) and scope it to the
          # minion that serves the site.
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            ...
          cert: |
            xyz
          chain: |
            my_chain..
        host:
          name: gitlab.domain.com
          # NOTE(review): ssl is enabled but both the site port and the bound
          # port are 80 — confirm the template serves TLS on that port as intended.
          port: 80
39
40Simple static HTTP site
41
42.. code-block:: yaml
43
# Sample pillar: one static site served over plain HTTP.
nginx:
  server:
    site:
      nginx_static_site01:
        enabled: true
        type: nginx_static
        name: site01
        host:
          # presumably rendered as server_name; the listen address comes from
          # nginx:server:bind, not from here
          name: gitlab.domain.com
          port: 80
54
Dmitry Stremkovskiy52145c62017-08-21 23:42:17 +030055Simple load balancer
56
57.. code-block:: yaml
58
# Sample pillar: one proxied site in front of an upstream group of two backends.
nginx:
  server:
    upstream:
      horizon-upstream:
        backend1:
          address: 10.10.10.113
          port: 8078
          # presumably appended verbatim as nginx server parameters (weight=3)
          opts: weight=3
        backend2:
          # no port given — presumably a formula default applies; verify
          address: 10.10.10.114
    site:
      nginx_proxy_openstack_web:
        enabled: true
        type: nginx_proxy
        name: openstack_web
        proxy:
          # traffic between nginx and the backends is plain HTTP
          upstream_proxy_pass: http://horizon-upstream
        host:
          # NOTE(review): an IP here reads as a server_name match, not a bind
          # address — the listen address is taken from nginx:server:bind
          name: 192.168.0.1
          port: 31337
79
Adam Tenglere7746cb2016-04-27 19:01:25 +020080Static site with access policy
81
82.. code-block:: yaml
83
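# Sample pillar: static site restricted by client source address.
nginx:
  server:
    site:
      nginx_static_site01:
        enabled: true
        type: nginx_static
        name: site01
        access_policy:
          # Prefixes must be canonical: 192.168.1.1/24 has host bits set, nginx
          # logs "low address bits ... are meaningless" and silently uses
          # 192.168.1.0/24, so write the network address directly.
          allow:
            - 192.168.1.0/24
            - 127.0.0.1
          # nginx evaluates allow/deny in config order and stops at the first
          # match. If the template emits the allow list first, 192.168.1.2 is
          # already matched by the /24 above and this deny never applies —
          # confirm the rendered order before relying on the exclusion.
          deny:
            - 192.168.1.2
            - all
        host:
          name: gitlab.domain.com
          port: 80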
101
Dmitry Stremkovskiy6484afa2017-08-22 17:07:06 +0300102Simple TCP/UDP proxy
103
104.. code-block:: yaml
105
# Sample pillar: layer-4 stream proxies — TCP for RabbitMQ, UDP for a DNS resolver.
nginx:
  server:
    stream:
      rabbitmq:
        host:
          # no bind address given — presumably listens on all interfaces; verify
          port: 5672
        backend:
          server1:
            address: 10.10.10.113
            port: 5672
          # NOTE(review): an nginx upstream takes a single load-balancing method;
          # if the template renders both `least_conn` and `hash`, nginx rejects
          # the config ("load balancing method redefined"). Keep one of the two.
          least_conn: true
          hash: "$remote_addr consistent"
      unbound:
        host:
          # loopback only: the resolver is not reachable from the network
          bind: 127.0.0.1
          port: 53
          protocol: udp
        backend:
          server1:
            address: 10.10.10.113
            port: 5353
127
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200128Simple HTTP proxy
129
130.. code-block:: yaml
131
# Sample pillar: plain HTTP reverse proxy to a single backend host.
nginx:
  server:
    site:
      nginx_proxy_site01:
        enabled: true
        type: nginx_proxy
        name: site01
        proxy:
          # upstream target; the hop to the backend is unencrypted (protocol: http)
          host: local.domain.com
          port: 80
          protocol: http
        host:
          # presumably the server_name clients connect with
          name: gitlab.domain.com
          port: 80
146
147Simple Websocket proxy
148
149.. code-block:: yaml
150
# Sample pillar: reverse proxy that also forwards WebSocket upgrades.
nginx:
  server:
    site:
      nginx_proxy_site02:
        enabled: true
        type: nginx_proxy
        name: site02
        proxy:
          # presumably adds the Upgrade/Connection header pass-through; verify
          websocket: true
          host: local.domain.com
          port: 80
          protocol: http
        host:
          name: gitlab.domain.com
          port: 80
166
167Content filtering proxy
168
169.. code-block:: yaml
170
# Sample pillar: reverse proxy that rewrites a string in proxied response bodies.
nginx:
  server:
    enabled: true
    site:
      nginx_proxy_site03:
        enabled: true
        type: nginx_proxy
        name: site03
        proxy:
          host: local.domain.com
          port: 80
          protocol: http
          filter:
            # presumably rendered as a sub_filter pair. Note this example turns
            # https links into a plain-http address, so clients that follow the
            # rewritten links lose TLS — choose a replacement deliberately.
            search: https://www.domain.com
            replace: http://10.10.10.10
        host:
          name: gitlab.domain.com
          port: 80
189
Adam Tenglere7746cb2016-04-27 19:01:25 +0200190Proxy with access policy
191
192.. code-block:: yaml
193
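# Sample pillar: reverse proxy restricted by client source address.
nginx:
  server:
    site:
      nginx_proxy_site01:
        enabled: true
        type: nginx_proxy
        name: site01
        access_policy:
          # Prefixes must be canonical: 192.168.1.1/24 has host bits set, nginx
          # logs "low address bits ... are meaningless" and silently uses
          # 192.168.1.0/24, so write the network address directly.
          allow:
            - 192.168.1.0/24
            - 127.0.0.1
          # nginx evaluates allow/deny in config order and stops at the first
          # match. If the template emits the allow list first, 192.168.1.2 is
          # already matched by the /24 above and this deny never applies —
          # confirm the rendered order before relying on the exclusion.
          deny:
            - 192.168.1.2
            - all
        proxy:
          host: local.domain.com
          port: 80
          protocol: http
        host:
          name: gitlab.domain.com
          port: 80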
215
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200216Gitlab server with user for basic auth
217
218.. code-block:: yaml
219
# Sample pillar: htpasswd users for HTTP basic authentication.
nginx:
  server:
    enabled: true
    user:
      username1:
        enabled: true
        # Clear-text credential in pillar: keep this pillar encrypted and out of
        # plain-text VCS; the value shown is a placeholder.
        password: magicunicorn
        # htpasswd file this user is written to
        htpasswd: htpasswd-site1
      username2:
        enabled: true
        # no htpasswd key — presumably a formula default file; verify
        password: magicunicorn
231
Ales Komarekd77b7972015-11-12 11:02:39 +0100232Proxy buffering
233
234.. code-block:: yaml
235
# Sample pillar: proxied site with explicit response buffering.
nginx:
  server:
    enabled: true
    bind:
      address: '0.0.0.0'
      ports:
        - 80
    site:
      gitlab_proxy:
        enabled: true
        type: nginx_proxy
        # NOTE(review): no proxy host/port is given here — presumably the
        # template supplies defaults for this site type; verify
        proxy:
          buffer:
            # presumably rendered as proxy_buffers <number> <size>; the unit of
            # `size` is not shown here — confirm (likely kilobytes)
            number: 8
            size: 16
        host:
          name: gitlab.domain.com
          port: 80
254
Michael Kutý3a5abf12015-12-04 21:03:33 +0100255Let's Encrypt
256
257.. code-block:: yaml
258
# Sample pillar: GitLab site whose certificate comes from Let's Encrypt.
nginx:
  server:
    enabled: true
    bind:
      address: '0.0.0.0'
      ports:
        - 443
    site:
      gitlab_domain:
        enabled: true
        type: gitlab
        name: domain
        ssl:
          enabled: true
          # presumably delegates certificate issuance and renewal to the
          # letsencrypt integration instead of inline key/cert material
          engine: letsencrypt
        host:
          name: gitlab.domain.com
          port: 443
277
SSL using an already deployed key and cert file.
Note that the cert file should already contain the CA cert and the complete chain.
280
281.. code-block:: yaml
282
# Sample pillar: TLS using a key and certificate already present on the minion.
nginx:
  server:
    enabled: true
    site:
      mysite:
        ssl:
          enabled: true
          # private key: keep the file readable by root (and nginx's worker
          # user) only
          key_file: /etc/ssl/private/mykey.key
          # must already contain the server cert, the CA cert and the full chain
          cert_file: /etc/ssl/cert/mycert.crt
292
Nginx stats server (required by the collectd nginx plugin)
294
Aleš Komárek296a8442017-04-11 13:22:35 +0200295.. code-block:: yaml
Adam Tenglerc3916572016-01-25 17:46:52 +0100296
# Sample pillar: status endpoint consumed by the collectd nginx plugin.
nginx:
  server:
    enabled: true
    site:
      nginx_stats_server:
        enabled: true
        type: nginx_stats
        name: server
        host:
          # NOTE(review): host.name reads as a server_name match, not a listen
          # address. If this status site must stay loopback-only, confirm the
          # template actually binds it to 127.0.0.1 rather than only matching
          # the Host header on an interface reachable from the network.
          name: 127.0.0.1
          port: 8888
308
Change nginx server SSL protocol options in openstack/proxy.yml
310
.. code-block:: yaml

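# Sample pillar: site-level TLS protocol and cipher settings.
nginx:
  server:
    site:
      site01:
        enabled: true
        name: site01
        host:
          name: site01.domain.com
        ssl:
          enabled: true
          key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.key
          cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.crt
          chain_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}-with-chain.crt
          # TLS 1.0 and 1.1 are deprecated; offer TLS 1.2 only. Add TLSv1.3 here
          # once the deployed nginx/OpenSSL pair accepts it (older builds reject
          # the value at config check).
          protocols: TLSv1.2
          # Intermediate-style list from the Mozilla generator linked below, with
          # the 3DES (DES-CBC3) suites removed: 64-bit block ciphers are no longer
          # considered safe and no TLS 1.2-capable client needs them.
          ciphers: "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS"
          prefer_server_ciphers: true
          # NOTE(review): secp521r1 is not negotiated by several mainstream
          # browsers; secp384r1 or prime256v1 interoperates more widely.
          ecdh_curve: secp521r1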
Aleš Komárek296a8442017-04-11 13:22:35 +0200329
330More Information
331================
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200332
333* http://wiki.nginx.org/Main
334* https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
335* http://nginx.com/resources/admin-guide/reverse-proxy/
336* https://mozilla.github.io/server-side-tls/ssl-config-generator/
Filip Pytloun2e902c12017-02-02 13:02:03 +0100337
Aleš Komárek296a8442017-04-11 13:22:35 +0200338
Filip Pytloun2e902c12017-02-02 13:02:03 +0100339Documentation and Bugs
340======================
341
342To learn how to install and update salt-formulas, consult the documentation
343available online at:
344
345 http://salt-formulas.readthedocs.io/
346
In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific salt
formula:
350
351 https://github.com/salt-formulas/salt-formula-nginx/issues
352
For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:
355
356 https://launchpad.net/salt-formulas
357
You can also join the salt-formulas-users team and subscribe to the mailing list:
359
360 https://launchpad.net/~salt-formulas-users
361
Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula.
364
365 https://github.com/salt-formulas/salt-formula-nginx
366
Questions and feedback are always welcome, so feel free to join our IRC
channel:
369
370 #salt-formulas @ irc.freenode.net