author | heqnx <root@heqnx.com> | 2025-10-02 13:08:58 +0300 |
---|---|---|
committer | heqnx <root@heqnx.com> | 2025-10-02 13:08:58 +0300 |
commit | c00c75d310e2afea3b521e8a4b90e800ab4f9ff2 (patch) | |
tree | 7875697bfeadfba2276e2e1d2066eca551bf3e17 /templates/nginx.conf.j2 | |
parent | ac5767248e7b20b376127ac8e3cfdd1a7aaf4193 (diff) | |
Diffstat (limited to 'templates/nginx.conf.j2')
-rw-r--r-- | templates/nginx.conf.j2 | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
new file mode 100644
index 0000000..60c8cd4
--- /dev/null
+++ b/templates/nginx.conf.j2
@@ -0,0 +1,83 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 1024;
+ multi_accept on;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log warn;
+
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_min_length 256;
+ gzip_types
+ text/plain
+ text/css
+ application/json
+ application/javascript
+ text/xml
+ application/xml
+ application/xml+rss
+ text/javascript
+ image/svg+xml;
+
+ server {
+ listen 80;
+ listen 443 ssl;
+ server_name {{ansible_host}};
+
+ ssl_certificate /etc/cockpit/ws-certs.d/0-self-signed.cert;
+ ssl_certificate_key /etc/cockpit/ws-certs.d/0-self-signed.key;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers off;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+
+ location / {
+ proxy_pass http://127.0.0.1:9090/;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ gzip off;
+ }
+
+ access_log /var/log/nginx/cockpit-access.log;
+ error_log /var/log/nginx/cockpit-error.log warn;
+ }
+}
|
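Review bot: `listen 80;` sits in the same `server` block as `listen 443 ssl;`, so the `location /` proxy to Cockpit on 127.0.0.1:9090 is also reachable over plain HTTP, and a login made on port 80 would cross the network unencrypted. The `Strict-Transport-Security` header does not close this gap: browsers ignore HSTS received over HTTP, and they also disregard it on a connection whose certificate is untrusted, which is the likely case for the self-signed pair configured here. Move port 80 into its own `server` block that only redirects to HTTPS and keep the proxy in the TLS block, as sketched below. Separately, Cockpit behind a reverse proxy normally needs matching `Origins` and `ProtocolHeader` settings in its own configuration; the diffstat here is limited to this one file, so confirm the role sets them elsewhere.

```nginx
    # … unchanged: http-level settings, logging, gzip …

    server {
        listen 80;
        server_name {{ansible_host}};
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name {{ansible_host}};
        # … unchanged: TLS settings, security headers, location /, cockpit logs …
```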