Filip Pytloun6b5bb652015-10-06 16:28:32 +02001
Aleš Komárek296a8442017-04-11 13:22:35 +02002=============
3Nginx Formula
4=============
Filip Pytloun6b5bb652015-10-06 16:28:32 +02005
6Nginx is an open source reverse proxy server for HTTP, HTTPS, SMTP, POP3, and IMAP protocols, as well as a load balancer, HTTP cache, and a web server (origin server). The nginx project started with a strong focus on high concurrency, high performance and low memory usage.
7
Aleš Komárek296a8442017-04-11 13:22:35 +02008Sample Pillars
Filip Pytloun6b5bb652015-10-06 16:28:32 +02009==============
10
11Gitlab server setup
12
13.. code-block:: yaml
14
15 nginx:
16 server:
17 enabled: true
18 bind:
19 address: '0.0.0.0'
20 ports:
21 - 80
22 site:
23 gitlab_domain:
24 enabled: true
25 type: gitlab
26 name: domain
27 ssl:
28 enabled: true
29 key: |
30 -----BEGIN RSA PRIVATE KEY-----
31 ...
32 cert: |
33 xyz
34 chain: |
35 my_chain..
36 host:
37 name: gitlab.domain.com
38 port: 80
39
40Simple static HTTP site
41
42.. code-block:: yaml
43
44 nginx:
45 server:
46 site:
47 nginx_static_site01:
48 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +020049 type: nginx_static
Filip Pytloun6b5bb652015-10-06 16:28:32 +020050 name: site01
51 host:
52 name: gitlab.domain.com
53 port: 80
54
Dmitry Stremkovskiy52145c62017-08-21 23:42:17 +030055Simple load balancer
56
57.. code-block:: yaml
58
59 nginx:
60 server:
61 upstream:
62 horizon-upstream:
63 backend1:
64 address: 10.10.10.113
65 port: 8078
66 opts: weight=3
67 backend2:
68 address: 10.10.10.114
69 site:
70 nginx_proxy_openstack_web:
71 enabled: true
72 type: nginx_proxy
73 name: openstack_web
74 proxy:
75 upstream_proxy_pass: http://horizon-upstream
76 host:
77 name: 192.168.0.1
78 port: 31337
79
Adam Tenglere7746cb2016-04-27 19:01:25 +020080Static site with access policy
81
82.. code-block:: yaml
83
84 nginx:
85 server:
86 site:
87 nginx_static_site01:
88 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +020089 type: nginx_static
Adam Tenglere7746cb2016-04-27 19:01:25 +020090 name: site01
91 access_policy:
92 allow:
93 - 192.168.1.1/24
94 - 127.0.0.1
95 deny:
96 - 192.168.1.2
97 - all
98 host:
99 name: gitlab.domain.com
100 port: 80
101
Dmitry Stremkovskiy6484afa2017-08-22 17:07:06 +0300102Simple TCP/UDP proxy
103
104.. code-block:: yaml
105
106 nginx:
107 server:
108 stream:
109 rabbitmq:
110 host:
111 port: 5672
112 backend:
113 server1:
114 address: 10.10.10.113
115 port: 5672
116 least_conn: true
117 hash: "$remote_addr consistent"
118 unbound:
119 host:
120 bind: 127.0.0.1
121 port: 53
122 protocol: udp
123 backend:
124 server1:
125 address: 10.10.10.113
126 port: 5353
127
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200128Simple HTTP proxy
129
130.. code-block:: yaml
131
132 nginx:
133 server:
134 site:
135 nginx_proxy_site01:
136 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +0200137 type: nginx_proxy
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200138 name: site01
139 proxy:
140 host: local.domain.com
141 port: 80
142 protocol: http
143 host:
144 name: gitlab.domain.com
145 port: 80
146
147Simple Websocket proxy
148
149.. code-block:: yaml
150
151 nginx:
152 server:
153 site:
154 nginx_proxy_site02:
155 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +0200156 type: nginx_proxy
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200157 name: site02
158 proxy:
159 websocket: true
160 host: local.domain.com
161 port: 80
162 protocol: http
163 host:
164 name: gitlab.domain.com
165 port: 80
166
167Content filtering proxy
168
169.. code-block:: yaml
170
171 nginx:
172 server:
173 enabled: true
174 site:
175 nginx_proxy_site03:
176 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +0200177 type: nginx_proxy
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200178 name: site03
179 proxy:
180 host: local.domain.com
181 port: 80
182 protocol: http
183 filter:
184 search: https://www.domain.com
185 replace: http://10.10.10.10
186 host:
187 name: gitlab.domain.com
188 port: 80
189
Adam Tenglere7746cb2016-04-27 19:01:25 +0200190Proxy with access policy
191
192.. code-block:: yaml
193
194 nginx:
195 server:
196 site:
197 nginx_proxy_site01:
198 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +0200199 type: nginx_proxy
Adam Tenglere7746cb2016-04-27 19:01:25 +0200200 name: site01
201 access_policy:
202 allow:
203 - 192.168.1.1/24
204 - 127.0.0.1
205 deny:
206 - 192.168.1.2
207 - all
208 proxy:
209 host: local.domain.com
210 port: 80
211 protocol: http
212 host:
213 name: gitlab.domain.com
214 port: 80
215
Proxy with rate limiting scheme
217
218.. code-block:: yaml
219
220 _dollar: '$'
221 nginx:
222 server:
223 site:
224 nginx_proxy_site01:
225 enabled: true
226 type: nginx_proxy
227 name: site01
228 proxy:
229 host: local.domain.com
230 port: 80
231 protocol: http
232 host:
233 name: gitlab.domain.com
234 port: 80
235 limit:
236 enabled: True
237 ip_whitelist:
238 - 127.0.0.1
239 burst: 600
240 rate: 10r/s
241 nodelay: True
242 subfilters:
243 heavy_url:
244 input: ${_dollar}{binary_remote_addr}${_dollar}{request_uri}
245 mode: blacklist
246 items:
247 - "~.*servers/detail[?]name=.*&status=ACTIVE"
248 rate: 2r/m
249 burst: 2
250 nodelay: True
251
Gitlab server with users for basic auth. The ``password`` values below are
placeholders; keep real credentials out of pillar files committed to version
control.
253
254.. code-block:: yaml
255
256 nginx:
257 server:
258 enabled: true
259 user:
260 username1:
261 enabled: true
262 password: magicunicorn
263 htpasswd: htpasswd-site1
264 username2:
265 enabled: true
266 password: magicunicorn
267
Ales Komarekd77b7972015-11-12 11:02:39 +0100268Proxy buffering
269
270.. code-block:: yaml
271
272 nginx:
273 server:
274 enabled: true
275 bind:
276 address: '0.0.0.0'
277 ports:
278 - 80
279 site:
280 gitlab_proxy:
281 enabled: true
Niklaus Giger23096b22017-06-30 16:41:49 +0200282 type: nginx_proxy
Ales Komarekd77b7972015-11-12 11:02:39 +0100283 proxy:
Ondrej Smola5e177bc2017-12-07 12:55:23 +0100284 request_buffer: false
Ales Komarekd77b7972015-11-12 11:02:39 +0100285 buffer:
286 number: 8
287 size: 16
288 host:
289 name: gitlab.domain.com
290 port: 80
291
Michael Kutý3a5abf12015-12-04 21:03:33 +0100292Let's Encrypt
293
294.. code-block:: yaml
295
296 nginx:
297 server:
298 enabled: true
299 bind:
300 address: '0.0.0.0'
301 ports:
302 - 443
303 site:
304 gitlab_domain:
305 enabled: true
306 type: gitlab
307 name: domain
308 ssl:
309 enabled: true
310 engine: letsencrypt
311 host:
312 name: gitlab.domain.com
313 port: 443
314
SSL using an already deployed key and cert file.
Note that the cert file should already contain the CA cert and the complete chain.
317
318.. code-block:: yaml
319
320 nginx:
321 server:
322 enabled: true
323 site:
324 mysite:
325 ssl:
326 enabled: true
327 key_file: /etc/ssl/private/mykey.key
328 cert_file: /etc/ssl/cert/mycert.crt
329
Nginx stats server (required by the collectd nginx plugin)
331
Aleš Komárek296a8442017-04-11 13:22:35 +0200332.. code-block:: yaml
Adam Tenglerc3916572016-01-25 17:46:52 +0100333
334 nginx:
335 server:
336 enabled: true
337 site:
338 nginx_stats_server:
339 enabled: true
340 type: nginx_stats
341 name: server
342 host:
343 name: 127.0.0.1
344 port: 8888
345
Change nginx server SSL protocol options in openstack/proxy.yml. The
``protocols`` and ``ciphers`` values shown are only an example: TLSv1,
TLSv1.1 and the 3DES (``DES-CBC3``) suites in the list are legacy choices,
so check them against a current recommendation such as the Mozilla Server
Side TLS guide linked under More Information before deploying.

.. code-block:: yaml

    nginx:
350 server:
351 site:
352 site01:
353 enabled: true
354 name: site01
355 host:
356 name: site01.domain.com
357 ssl:
358 enabled: true
359 key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.key
360 cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.crt
361 chain_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}-with-chain.crt
362 protocols: TLSv1 TLSv1.1 TLSv1.2
363 ciphers: "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
364 prefer_server_ciphers: true
365 ecdh_curve: secp521r1
Aleš Komárek296a8442017-04-11 13:22:35 +0200366
367More Information
368================
Filip Pytloun6b5bb652015-10-06 16:28:32 +0200369
370* http://wiki.nginx.org/Main
371* https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
372* http://nginx.com/resources/admin-guide/reverse-proxy/
373* https://mozilla.github.io/server-side-tls/ssl-config-generator/
Filip Pytloun2e902c12017-02-02 13:02:03 +0100374
Aleš Komárek296a8442017-04-11 13:22:35 +0200375
Filip Pytloun2e902c12017-02-02 13:02:03 +0100376Documentation and Bugs
377======================
378
379To learn how to install and update salt-formulas, consult the documentation
380available online at:
381
382 http://salt-formulas.readthedocs.io/
383
In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific
salt formula:
387
388 https://github.com/salt-formulas/salt-formula-nginx/issues
389
For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:
392
393 https://launchpad.net/salt-formulas
394
You can also join the salt-formulas-users team and subscribe to its mailing list:
396
397 https://launchpad.net/~salt-formulas-users
398
Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula.
401
402 https://github.com/salt-formulas/salt-formula-nginx
403
Questions and feedback are always welcome, so feel free to join our IRC
channel:
406
407 #salt-formulas @ irc.freenode.net