moved nginx, graylog to podman

2022-05-01 03:31:16 -04:00
parent 8e373896a6
commit c5bc5a91ac
49 changed files with 2556 additions and 580 deletions
--- a/ansible/roles/podman/templates/nginx/nginx.conf.j2
+++ b/ansible/roles/podman/templates/nginx/nginx.conf.j2
@@ -0,0 +1,71 @@
+user nginx;
+worker_processes 1;
+
+load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
+
+error_log /var/log/nginx/error.log notice;
+error_log syslog:server=127.0.0.1:{{ syslog_udp_error }},tag=nginx,severity=info notice;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+  }
+
+  include mime.types;
+
+  default_type application/octet-stream;
+
+  log_format main '$remote_addr - $connection : $connection_requests [$time_iso8601] "$request" '
+    '$status $body_bytes_sent "$http_referer" '
+    '"$http_user_agent" "$http_x_forwarded_for"';
+  log_format graylog_json escape=json '{ "nginx_timestamp": "[$time_iso8601]", '
+    '"remote_addr": "$remote_addr", '
+      '"connection": "$connection", '
+      '"connection_requests": $connection_requests, '
+      '"body_bytes_sent": $body_bytes_sent, '
+      '"request_length": $request_length, '
+      '"request_time": $request_time, '
+      '"response_status": $status, '
+      '"request": "$request", '
+      '"request_method": "$request_method", '
+      '"host": "$host", '
+      '"upstream_cache_status": "$upstream_cache_status", '
+      '"upstream_addr": "$upstream_addr", '
+      '"http_x_forwarded_for": "$http_x_forwarded_for", '
+      '"http_referrer": "$http_referer", '
+      '"http_user_agent": "$http_user_agent", '
+      '"http_version": "$server_protocol", '
+      '"remote_user": "$remote_user", '
+      '"http_x_forwarded_proto": "$http_x_forwarded_proto", '
+      '"upstream_response_time": "$upstream_response_time", '
+      '"nginx_access": true }';
+
+  access_log /var/log/nginx/access.log main;
+  access_log syslog:server=127.0.0.1:{{ syslog_udp_default }},tag=nginx,severity=info graylog_json;
+
+  sendfile        on;
+  server_tokens   off;
+  #tcp_nopush     on;
+
+  keepalive_timeout 65;
+
+  gzip on;
+  gzip_disable "mise6";
+  gzip_min_length 1000;
+  gzip_proxied    expired no-cache no-store private auth;
+  gzip_types      text/plain application/xml application/json application/javascript application/octet-stream text/css;
+
+  # client_body_buffer_size     1k;
+  # client_header_buffer_size   1k;
+  # client_max_body_size        2k;
+  # large_client_header_buffers 2 1k;
+
+  limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
+
+  include /etc/nginx/sites-enabled/*.conf;
+}