fcd9e6afc06ae9545aba4b0768f6919ec550fecb
[arvados-formula.git] / test / salt / pillar / examples / nginx_passenger.sls
1 ---
2 # Copyright (C) The Arvados Authors. All rights reserved.
3 #
4 # SPDX-License-Identifier: Apache-2.0
5
6 {%- if grains.os_family in ('RedHat',) %}
7   {%- set passenger_pkg = 'nginx-mod-http-passenger' %}
8   {%- set passenger_mod = '/usr/lib64/nginx/modules/ngx_http_passenger_module.so' %}
9   {%- set passenger_ruby = '/usr/local/rvm/rubies/ruby-2.7.2/bin/ruby' %}
10 {%- else %}
11   {%- set passenger_pkg = 'libnginx-mod-http-passenger' %}
12   {%- set passenger_mod = '/usr/lib/nginx/modules/ngx_http_passenger_module.so' %}
13   {%- set passenger_ruby = '/usr/bin/ruby' %}
14 {%- endif %}
15
16 ### NGINX
17 nginx:
18   install_from_phusionpassenger: true
19   lookup:
20     passenger_package: {{ passenger_pkg }}
21   ### PASSENGER
22   passenger:
23     passenger_ruby: {{ passenger_ruby }}
24
25   ### SERVER
26   server:
27     config:
28       # This is required to get the passenger module loaded
29       # In Debian it can be done with this
30       # include: 'modules-enabled/*.conf'
31       load_module: {{ passenger_mod }}
32
33       worker_processes: 4
34
35   ### SNIPPETS
36   snippets:
37     # Based on https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4
38     ssl_hardening_default.conf:
39       - ssl_session_timeout: 1d
40       - ssl_session_cache: 'shared:curiiSSL:10m'
41       - ssl_session_tickets: 'off'
42
43       # intermediate configuration
44       - ssl_protocols: TLSv1.2 TLSv1.3
45       - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
46       - ssl_prefer_server_ciphers: 'off'
47
48       # HSTS (ngx_http_headers_module is required) (63072000 seconds)
49       - add_header: 'Strict-Transport-Security "max-age=63072000" always'
50
51       # OCSP stapling
52       # FIXME! Stapling does not work with self-signed certificates, so disabling for tests
53       # - ssl_stapling: 'on'
54       # - ssl_stapling_verify: 'on'
55
56       # verify chain of trust of OCSP response using Root CA and Intermediate certs
57       # - ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates
58
59       # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
60       # - ssl_dhparam: /path/to/dhparam
61
62       # replace with the IP address of your resolver
63       # - resolver: 127.0.0.1
64
65     arvados-snakeoil.conf:
66       - ssl_certificate: /etc/ssl/private/arvados-snakeoil-cert.pem
67       - ssl_certificate_key: /etc/ssl/private/arvados-snakeoil-cert.key
68
69   ### SITES
70   servers:
71     managed:
72       # Remove default webserver
73       default:
74         enabled: false