Merge branch '20846-ubuntu2204'
[arvados.git] / tools / salt-install / config_examples / single_host / single_hostname / pillars / nginx_passenger.sls
1 ---
2 # Copyright (C) The Arvados Authors. All rights reserved.
3 #
4 # SPDX-License-Identifier: AGPL-3.0
5
6 {%- set passenger_pkg = 'nginx-mod-http-passenger'
7                           if grains.osfinger in ('CentOS Linux-7') else
8                         'libnginx-mod-http-passenger' %}
9 {%- set passenger_mod = '/usr/lib64/nginx/modules/ngx_http_passenger_module.so'
10                           if grains.osfinger in ('CentOS Linux-7',) else
11                         '/usr/lib/nginx/modules/ngx_http_passenger_module.so' %}
12 {%- set passenger_ruby = '/usr/local/rvm/wrappers/default/ruby'
13                            if grains.osfinger in ('CentOS Linux-7', 'Ubuntu-18.04', 'Debian-10') else
14                          '/usr/bin/ruby' %}
15
16 ### NGINX
17 nginx:
18   __NGINX_INSTALL_SOURCE__: true
19   lookup:
20     passenger_package: {{ passenger_pkg }}
21   ### PASSENGER
22   passenger:
23     passenger_ruby: {{ passenger_ruby }}
24
25   ### SERVER
26   server:
27     config:
28       # Needed for RVM, harmless otherwise. Cf. https://dev.arvados.org/issues/19015
29       env: GEM_HOME
30       # As we now differentiate where passenger is required or not, we need to
31       # load this module conditionally, so we add this conditional just to use
32       # the same pillar file
33       {% if "install_from_phusionpassenger" == "__NGINX_INSTALL_SOURCE__" %}
34       # This is required to get the passenger module loaded
35       # In Debian it can be done with this
36       # include: 'modules-enabled/*.conf'
37       load_module: {{ passenger_mod }}
38       {% endif %}
39       worker_processes: 4
40
41   ### SNIPPETS
42   snippets:
43     # Based on https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4
44     ssl_hardening_default.conf:
45       - ssl_session_timeout: 1d
46       - ssl_session_cache: 'shared:arvadosSSL:10m'
47       - ssl_session_tickets: 'off'
48
49       # intermediate configuration
50       - ssl_protocols: TLSv1.2 TLSv1.3
51       - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
52       - ssl_prefer_server_ciphers: 'off'
53
54       # HSTS (ngx_http_headers_module is required) (63072000 seconds)
55       - add_header: 'Strict-Transport-Security "max-age=63072000" always'
56
57       # OCSP stapling
58       # NOTE! Stapling does not work with self-signed certificates, so disabling for tests
59       # - ssl_stapling: 'on'
60       # - ssl_stapling_verify: 'on'
61
62       # verify chain of trust of OCSP response using Root CA and Intermediate certs
63       # - ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates
64
65       # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
66       # - ssl_dhparam: /path/to/dhparam
67
68       # replace with the IP address of your resolver
69       # - resolver: 127.0.0.1
70
71     arvados-snakeoil.conf:
72       - ssl_certificate: /etc/ssl/private/arvados-snakeoil-cert.pem
73       - ssl_certificate_key: /etc/ssl/private/arvados-snakeoil-cert.key
74
75   ### SITES
76   servers:
77     managed:
78       # Update default config to redirect to https
79       default:
80         enabled: true
81         overwrite: true
82         config:
83           - server:
84             - server_name: _
85             - listen:
86               - 80 default_server
87             - location /.well-known:
88               - root: /var/www
89             - location /:
90               - return: '301 https://$host$request_uri'