ec79746aeabbe5b99750ad8da962120410e5b172
[arvados-formula.git] / test / salt / pillar / examples / nginx_passenger.sls
1 ---
2 {%- if grains.os_family in ('RedHat',) %}
3   {%- set passenger_pkg = 'nginx-mod-http-passenger' %}
4   {%- set passenger_mod = '/usr/lib64/nginx/modules/ngx_http_passenger_module.so' %}
5 {%- else %}
6   {%- set passenger_pkg = 'libnginx-mod-http-passenger' %}
7   {%- set passenger_mod = '/usr/lib/nginx/modules/ngx_http_passenger_module.so' %}
8 {%- endif %}
9
10 ### NGINX
11 nginx:
12   install_from_phusionpassenger: true
13   lookup:
14     passenger_package: {{ passenger_pkg }}
15   ### SERVER
16   server:
17     config:
18       # This is required to get the passenger module loaded
19       # In Debian it can be done with this
20       # include: 'modules-enabled/*.conf'
21       load_module: {{ passenger_mod }}
22
23       worker_processes: 4
24
25   ### SNIPPETS
26   snippets:
27     # Based on https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4
28     ssl_hardening_default.conf:
29       - ssl_session_timeout: 1d
30       - ssl_session_cache: 'shared:curiiSSL:10m'
31       - ssl_session_tickets: 'off'
32
33       # intermediate configuration
34       - ssl_protocols: TLSv1.2 TLSv1.3
35       - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
36       - ssl_prefer_server_ciphers: 'off'
37
38       # HSTS (ngx_http_headers_module is required) (63072000 seconds)
39       - add_header: 'Strict-Transport-Security "max-age=63072000" always'
40
41       # OCSP stapling
42       # FIXME! Stapling does not work with self-signed certificates, so disabling for tests
43       # - ssl_stapling: 'on'
44       # - ssl_stapling_verify: 'on'
45
46       # verify chain of trust of OCSP response using Root CA and Intermediate certs
47       # - ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates
48
49       # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
50       # - ssl_dhparam: /path/to/dhparam
51
52       # replace with the IP address of your resolver
53       # - resolver: 127.0.0.1
54
55     ssl_snakeoil.conf:
56       - ssl_certificate: /etc/ssl/certs/arvados-snakeoil-cert.pem
57       - ssl_certificate_key: /etc/ssl/private/arvados-snakeoil-cert.key
58
59   ### SITES
60   servers:
61     managed:
62       # Remove default webserver
63       default:
64         enabled: false