majic-ansible-roles Files · roles/web_server/templates/nginx-default.j2

Files @ 814be5def61d

Branch filter:

Location: majic-ansible-roles/roles/web_server/templates/nginx-default.j2

814be5def61d 1.1 KiB text/plain Show Annotation Show as Raw Download as Raw

branko

MAR-189: Added support for Debian 11 Bullseye to xmpp_server role:

- Roll-out LDAP client configuration since Bullseye does not come with
a stock one at /etc/ldap/ldap.conf that sets the trust anchor
correctly for validating LDAP server certificates.
- Drop the backports pinning in case of Bullseye (for now let's try to
keep the Buster and Bullseye at same versions for simplicity).
- Drop installation of Python apt bindings (no longer used).
- Tests for Buster and Bullseye need to be split-up a bit due to some
differences around backports etc.

#
# Default server (vhost) configuration.
#
server {
    # HTTP (plaintext) configuration.
    listen 80 default_server;
    listen [::]:80 default_server;

    # Set server_name to something that won't be matched (for default server).
    server_name _;

    # Redirect plaintext connections to HTTPS
    return 301 https://$host$request_uri;
}

server {
    # HTTPS (TLS) configuration.
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_certificate_key /etc/ssl/private/{{ ansible_fqdn }}_https.key;
    ssl_certificate /etc/ssl/certs/{{ ansible_fqdn }}_https.pem;

    # Set-up HSTS header for preventing downgrades for users that visited the
    # site via HTTPS at least once.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # Set-up the serving of default page.
    root /var/www/default/;
    index index.html;

    # Set server_name to something that won't be matched (for default server).
    server_name _;

    location / {
        # Always point user to the same index page.
        try_files $uri /index.html;
    }
}