majic-ansible-roles Files · roles/php_website/templates/nginx

Files @ 17cf34f73ca6

Branch filter:

Location: majic-ansible-roles/roles/php_website/templates/nginx_site.j2

17cf34f73ca6 2.4 KiB text/plain Show Annotation Show as Raw Download as Raw

branko

MAR-28: Implemented additional tests for mail_server role:

- Deploy a number of tools on clients in order to test SMTP, IMAP, and Sieve
services.
- Added one more user to LDAP directory for testing group restrictions.
- Deploy CA certificate on all testing machines for TLS validation purposes.
- Use different custom-configured cipher for mail server ciphers.
- Fixed invalid postmaster address for parameters-optional host.
- Deploy configuration files for use with Imap-CLI on client test machines.
- Updated testing of SMTP server to include checks for users that do not belong
to mail group.
- Extended some SMTP-related tests to cover both test servers.
- Some small fixes in SMTP-related tests for expected output from commands.
- Implemented tests covering Dovecot (IMAP + Sieve) functionality.
- Implemented tests for running/enabled services.
- Implemented tests for ClamAV.
- Implemented tests for firewall and connectivity.
- Implemented tests for Postfix TLS configuration.
- TODO: Tests for Sieve TLS configuration have not been written yet due to
limitation of available tools.

{% if enforce_https -%}
server {
    # HTTP (plaintext) configuration.
    listen 80;
    server_name {{ fqdn }};

    # Redirect plaintext connections to HTTPS
    return 301 https://$host$request_uri;
}

{% endif -%}
server {
    # Base settings.
    root {{ home }}/htdocs/;
    index {{ index }};
    server_name {{ fqdn }};
{% if not enforce_https %}

    # HTTP (plaintext) configuration.
    listen 80;

{% endif %}
    # HTTPS (TLS) configuration.
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate_key /etc/ssl/private/{{ fqdn }}_https.key;
    ssl_certificate /etc/ssl/certs/{{ fqdn }}_https.pem;

{% if default_enforce_https -%}
    # Set-up HSTS header for preventing downgrades for users that visited the
    # site via HTTPS at least once.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
{% endif -%}

    {% for config in additional_nginx_config -%}
    # {{ config.comment }}
    {{ config.value }}
    {% endfor -%}

    {% if rewrites -%}
    # Generic URL rewrites.
    {% for rewrite in rewrites -%}
    rewrite {{ rewrite }};
    {% endfor -%}
    {% endif %}

    {% if deny_files_regex -%}
    # Deny access to user-specified files.
    {% for regex in deny_files_regex -%}
    location ~ {{ regex }} {
        deny all;
    }
    {% endfor -%}
    {% endif %}

    # Interpret PHP files via FastCGI.
    location ~ {{ php_file_regex }} {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php5-fpm/{{ fqdn }}.sock;
    }

    # Serve the files.
    location ~ /(.+) {
	try_files $uri $uri/{% if php_rewrite_urls %} @php_rewrite{% else %} =404{% endif %};
    }

    {% if php_rewrite_urls -%}
    # Apply URL rewrites.
    location @php_rewrite {
    {% for rewrite in php_rewrite_urls %}
    rewrite {{ rewrite }};
    {% endfor -%}
    }
    {% endif -%}

    {% if environment_indicator -%}
    # Show environment indicator on HTML pages.
    sub_filter_types text/html;
    sub_filter_once on;
    sub_filter "</body>" "<div id='website-environment' style='background-color: {{ environment_indicator.background_colour }}; width: 100%; text-align: center; position: fixed; bottom: 5px; color: {{ environment_indicator.text_colour }}; font-weight: bold; z-index: 999999;'>{{ environment_indicator.text }}</div></body>";
    {% endif -%}

    access_log /var/log/nginx/{{ fqdn }}-access.log;
    error_log /var/log/nginx/{{ fqdn }}-error.log;
}