
=============
Usage
=============

Nginx is an open source reverse proxy server for the HTTP, HTTPS,
SMTP, POP3 and IMAP protocols, as well as a load balancer,
an HTTP cache and a web server (origin server). The nginx project
started with a strong focus on high concurrency, high performance
and low memory usage.

Sample Pillars
==============

Gitlab server setup:

.. code-block:: yaml

nginx:
  server:
    enabled: true
    bind:
      address: "0.0.0.0"
      ports:
        - 80
    site:
      gitlab_domain:
        enabled: true
        type: gitlab
        name: domain
        ssl:
          enabled: true
          # The PEM material is embedded directly in the pillar here; the
          # key_file/cert_file form shown further down keeps the private key
          # out of pillar data, which is usually preferable.
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            ...
          cert: |
            xyz
          chain: |
            my_chain..
        host:
          name: gitlab.domain.com
          port: 80

Simple static HTTP site:

.. code-block:: yaml

nginx:
  server:
    site:
      # Static content vhost (type nginx_static).
      nginx_static_site01:
        enabled: true
        type: nginx_static
        name: site01
        host:
          name: gitlab.domain.com
          port: 80

Simple load balancer:

.. code-block:: yaml

nginx:
  server:
    upstream:
      # Backend pool; referenced below through upstream_proxy_pass.
      horizon-upstream:
        backend1:
          address: 10.10.10.113
          port: 8078
          # presumably rendered as extra nginx server parameters — verify in the template
          opts: weight=3
        backend2:
          address: 10.10.10.114
    site:
      nginx_proxy_openstack_web:
        enabled: true
        type: nginx_proxy
        name: openstack_web
        proxy:
          upstream_proxy_pass: http://horizon-upstream
        host:
          name: 192.168.0.1
          port: 31337

Static site with access policy:

.. code-block:: yaml

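nginx:
  server:
    site:
      nginx_static_site01:
        enabled: true
        type: nginx_static
        name: site01
        # Source-address filtering for this vhost. The network is written in
        # canonical form (192.168.1.0/24): with 192.168.1.1/24 nginx warns
        # that the low address bits are meaningless.
        # NOTE(review): nginx evaluates allow/deny rules in order, first match
        # wins; confirm the formula emits the allow list before the deny list.
        access_policy:
          allow:
            - 192.168.1.0/24
            - 127.0.0.1
          deny:
            - 192.168.1.2
            - all
        host:
          name: gitlab.domain.com
          port: 80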

Simple TCP/UDP proxy:

.. code-block:: yaml

nginx:
  server:
    stream:
      # TCP stream: listens on 5672 and forwards to one backend.
      rabbitmq:
        host:
          port: 5672
        backend:
          server1:
            address: 10.10.10.113
            port: 5672
        # NOTE(review): least_conn and hash are both load-balancing methods and
        # nginx accepts only one per upstream; confirm the formula emits just
        # one of them before using both keys together.
        least_conn: true
        hash: "$remote_addr consistent"
      # UDP stream bound to loopback only.
      unbound:
        host:
          bind: 127.0.0.1
          port: 53
          protocol: udp
        backend:
          server1:
            address: 10.10.10.113
            port: 5353

Simple HTTP proxy:

.. code-block:: yaml

nginx:
  server:
    site:
      nginx_proxy_site01:
        enabled: true
        type: nginx_proxy
        name: site01
        # Upstream that requests for this vhost are forwarded to.
        # protocol http means the hop to the backend is unencrypted; use
        # https when the backend is not on a trusted network.
        proxy:
          host: local.domain.com
          port: 80
          protocol: http
        host:
          name: gitlab.domain.com
          port: 80

Simple HTTP proxy with multiple locations:

.. note:: If the ``proxy`` part is defined and no ``/`` location is given,
   the ``proxy`` part is used. If a ``/`` location is defined,
   it overrides the ``proxy`` part.

.. code-block:: yaml

nginx:
  server:
    site:
      nginx_proxy_site01:
        enabled: true
        type: nginx_proxy
        name: site01
        # Default upstream; applies to "/" because no "/" location is listed.
        proxy:
          host: local.domain.com
          port: 80
          protocol: http
        # Path-specific upstreams; keys are the location prefixes.
        location:
          /internal/:
            host: 172.120.10.200
            port: 80
            protocol: http
          /doc/:
            host: 172.10.10.200
            port: 80
            protocol: http
        host:
          name: gitlab.domain.com
          port: 80

.. code-block:: yaml

nginx:
  server:
    site:
      nginx_proxy_site01:
        enabled: true
        type: nginx_proxy
        name: site01
        # No proxy part: the "/" location carries the default upstream itself.
        location:
          /:
            host: 172.120.10.200
            port: 80
            protocol: http
          /doc/:
            host: 172.10.10.200
            port: 80
            protocol: http
        host:
          name: gitlab.domain.com
          port: 80

Simple Websocket proxy:

.. code-block:: yaml

nginx:
  server:
    site:
      nginx_proxy_site02:
        enabled: true
        type: nginx_proxy
        name: site02
        proxy:
          # Enables websocket upgrade handling for this upstream.
          websocket: true
          host: local.domain.com
          port: 80
          protocol: http
        host:
          name: gitlab.domain.com
          port: 80

Content filtering proxy:

.. code-block:: yaml

nginx:
  server:
    enabled: true
    site:
      nginx_proxy_site03:
        enabled: true
        type: nginx_proxy
        name: site03
        proxy:
          host: local.domain.com
          port: 80
          protocol: http
          # Search/replace applied to proxied content. This example maps an
          # https URL to a plain-http address, so anything rewritten this way
          # is reached by clients without TLS — choose the replacement with care.
          filter:
            search: https://www.domain.com
            replace: http://10.10.10.10
        host:
          name: gitlab.domain.com
          port: 80

Proxy with access policy:

.. code-block:: yaml

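nginx:
  server:
    site:
      nginx_proxy_site01:
        enabled: true
        type: nginx_proxy
        name: site01
        # Source-address filtering for this vhost. The network is written in
        # canonical form (192.168.1.0/24): with 192.168.1.1/24 nginx warns
        # that the low address bits are meaningless.
        # NOTE(review): nginx evaluates allow/deny rules in order, first match
        # wins; confirm the formula emits the allow list before the deny list.
        access_policy:
          allow:
            - 192.168.1.0/24
            - 127.0.0.1
          deny:
            - 192.168.1.2
            - all
        proxy:
          host: local.domain.com
          port: 80
          protocol: http
        host:
          name: gitlab.domain.com
          port: 80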

Proxy with rate limiting scheme:

.. code-block:: yaml

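# A literal "$" is bound to a parameter and referenced as ${_dollar} below,
# presumably so that pillar interpolation leaves the nginx variables alone.
_dollar: '$'
nginx:
  server:
    site:
      nginx_proxy_site01:
        enabled: true
        type: nginx_proxy
        name: site01
        proxy:
          host: local.domain.com
          port: 80
          protocol: http
        host:
          name: gitlab.domain.com
          port: 80
        limit:
          # Booleans written canonically (true/false) rather than True.
          enabled: true
          # Clients exempt from the limit.
          ip_whitelist:
            - 127.0.0.1
          burst: 600
          rate: 10r/s
          nodelay: true
          subfilters:
            heavy_url:
              # Expands to ${binary_remote_addr}${request_uri}: the limit is
              # keyed on client address plus request URI.
              input: ${_dollar}{binary_remote_addr}${_dollar}{request_uri}
              mode: blacklist
              items:
                - "~.*servers/detail[?]name=.*&status=ACTIVE"
              rate: 2r/m
              burst: 2
              nodelay: true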

Gitlab server with user for basic auth:

.. code-block:: yaml

nginx:
  server:
    enabled: true
    # Basic-auth users. Passwords are plaintext in the pillar: keep this
    # pillar out of version control or source the values from a secrets backend.
    user:
      username1:
        enabled: true
        password: magicunicorn
        # htpasswd file this user is written to.
        htpasswd: htpasswd-site1
      username2:
        enabled: true
        password: magicunicorn

Proxy buffering:

.. code-block:: yaml

nginx:
  server:
    enabled: true
    bind:
      address: "0.0.0.0"
      ports:
        - 80
    site:
      gitlab_proxy:
        enabled: true
        type: nginx_proxy
        proxy:
          # Request body buffering switched off for this upstream.
          request_buffer: false
          # Response buffer count and size — units are not shown here; check
          # the rendered proxy_buffers directive.
          buffer:
            number: 8
            size: 16
        host:
          name: gitlab.domain.com
          port: 80

Let's Encrypt:

.. code-block:: yaml

nginx:
  server:
    enabled: true
    bind:
      address: "0.0.0.0"
      ports:
        - 443
    site:
      gitlab_domain:
        enabled: true
        type: gitlab
        name: domain
        ssl:
          enabled: true
          # Certificate obtained via Let's Encrypt instead of inline key/cert.
          engine: letsencrypt
        host:
          name: gitlab.domain.com
          port: 443

SSL using an already deployed key and cert file:

.. note:: The cert file must already contain the CA cert and
   the complete chain.

.. code-block:: yaml

nginx:
  server:
    enabled: true
    site:
      mysite:
        ssl:
          enabled: true
          # Paths to files that already exist on the minion; the private key
          # is never part of the pillar in this form.
          key_file: /etc/ssl/private/mykey.key
          cert_file: /etc/ssl/cert/mycert.crt

Advanced SSL configuration; more information about the SSL options
can be found at http://nginx.org/en/docs/http/ngx_http_ssl_module.html

.. note:: Prior to nginx 1.11.0, only one type of ECDH curve
   can be applied in the ``ssl_ecdh_curve`` directive.

   If mode = ``secure`` or mode = ``normal`` and ``ciphers``
   or ``protocols`` are set, they must be of type ``string``.
   If mode = ``manual``, they must be of type ``dict``,
   as shown below.

.. code-block:: yaml

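nginx:
  server:
    enabled: true
    site:
      mysite:
        ssl:
          enabled: true
          mode: 'manual'
          key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.key
          cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.crt
          chain_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}-with-chain.crt
          # In manual mode protocols and ciphers are dicts of name/enabled
          # entries. Only TLSv1.2 is enabled; TLSv1 and TLSv1.1 are listed so
          # the structure is visible but are switched off (the Mozilla TLS
          # guidance linked below does not recommend them).
          protocols:
            TLS1:
              name: 'TLSv1'
              enabled: false
            TLS1_1:
              name: 'TLSv1.1'
              enabled: false
            TLS1_2:
              name: 'TLSv1.2'
              enabled: true
          ciphers:
            ECDHE_RSA_AES256_GCM_SHA384:
              name: 'ECDHE-RSA-AES256-GCM-SHA384'
              enabled: true
            ECDHE_ECDSA_AES256_GCM_SHA384:
              name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
              enabled: true
          buffer_size: '16k'
          crl:
            file: '/etc/ssl/crl.pem'
            enabled: false
          dhparam:
            enabled: true
            numbits: 2048
          ecdh_curve:
            secp384r1:
              name: 'secp384r1'
              enabled: false
            secp521r1:
              name: 'secp521r1'
              enabled: true
          # The key passphrase is placed in the pillar here; source it from a
          # secrets store rather than committing it alongside the config.
          password_file:
            content: 'testcontent22'
            enabled: true
            file: '/etc/ssl/password.key'
          prefer_server_ciphers: 'on'
          ticket_key:
            enabled: true
            numbytes: 48
          resolver:
            address: '127.0.0.1'
            valid_seconds: '500'
            timeout_seconds: '60'
          session_tickets: 'on'
          # NOTE(review): stapling is 'off' while stapling_file, stapling_responder
          # and stapling_verify are set; either enable stapling or drop the unused keys.
          stapling: 'off'
          stapling_file: '/path/to/stapling/file'
          stapling_responder: 'http://ocsp.example.com/'
          stapling_verify: 'on'
          # NOTE(review): verify_client 'on' with client_certificate disabled —
          # nginx requires ssl_client_certificate when client verification is
          # on; confirm how the formula renders this combination.
          verify_client: 'on'
          client_certificate:
            file: '/etc/ssl/client_cert.pem'
            enabled: false
          verify_depth: 1
          session_cache: 'shared:SSL:15m'
          session_timeout: '15m'
          strict_transport_security:
            max_age: 16000000
            include_subdomains: false
            always: true
            enabled: true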

Nginx stats server (required by the collectd nginx plugin):

.. code-block:: yaml

nginx:
  server:
    enabled: true
    site:
      nginx_stats_server:
        enabled: true
        type: nginx_stats
        name: server
        # NOTE(review): host.name appears to be the server name, not a bind
        # address; if the stats endpoint must stay local, confirm the formula
        # binds it to loopback as well.
        host:
          name: 127.0.0.1
          port: 8888

Nginx configured to wait for one or more other services before
starting (currently only with systemd):

.. code-block:: yaml

nginx:
  server:
    # Units the nginx service is made to wait for (systemd only).
    wait_for_service:
      - foo-bar.mount
    enabled: true
    site:
      ...

More Information
================

* http://wiki.nginx.org/Main
* https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
* http://nginx.com/resources/admin-guide/reverse-proxy/
* https://mozilla.github.io/server-side-tls/ssl-config-generator/

Documentation and Bugs
======================

* http://salt-formulas.readthedocs.io/
   Learn how to install and update salt-formulas

* https://github.com/salt-formulas/salt-formula-nginx/issues
   In the unfortunate event that bugs are discovered, report the issue to the
   appropriate issue tracker. Use the GitHub issue tracker for a specific salt
   formula.

* https://launchpad.net/salt-formulas
   For feature requests, bug reports, or blueprints affecting the entire
   ecosystem, use the Launchpad salt-formulas project.

* https://launchpad.net/~salt-formulas-users
   Join the salt-formulas-users team and subscribe to the mailing list if required.

* https://github.com/salt-formulas/salt-formula-nginx
   Develop the salt-formulas projects in the master branch and then submit pull
   requests against a specific formula.

* #salt-formulas @ irc.freenode.net
   Use this IRC channel in case of any questions or feedback, which is always
   welcome.
536 welcome