From: Alfredo Deza
Date: Thu, 21 Jul 2016 14:13:27 +0000 (-0400)
Subject: ansible: make nginx_site template accommodate load balanced apps
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=18aef5877c2ca65d9d2b24a1daa7efee51c86090;p=ceph-build.git
ansible: make nginx_site template accommodate load balanced apps
Signed-off-by: Alfredo Deza
---
diff --git a/ansible/roles/nginx/templates/nginx_site.conf b/ansible/roles/nginx/templates/nginx_site.conf
index d151af6a..5d2b24e7 100644
--- a/ansible/roles/nginx/templates/nginx_site.conf
+++ b/ansible/roles/nginx/templates/nginx_site.conf
@@ -1,17 +1,33 @@
 server {
- listen 443 default_server ssl;
- server_name {{ fqdn }};
+ server_name {{ item.fqdn }};
+ location '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ root {{ ssl_webroot_base_path }}/{{ item.fqdn }};
+ }
+ location / {
+ add_header Strict-Transport-Security max-age=31536000;
+ return 301 https://$server_name$request_uri;
+ }
+}
- ssl_certificate /etc/ssl/certs/{{ fqdn }}-bundled.crt;
- ssl_certificate_key /etc/ssl/private/{{ fqdn }}.key;
+server {
+ listen 443 ssl;
+ server_name {{ item.fqdn }};
+ {% if development_server %}
+ ssl_certificate /etc/ssl/certs/{{ item.fqdn }}-bundled.crt;
+ ssl_certificate_key /etc/ssl/private/{{ item.fqdn }}.key;
+ {% else %}
+ ssl_certificate /etc/letsencrypt/live/{{ item.fqdn }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ item.fqdn }}/privkey.pem;
+ {% endif %}
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ ssl_prefer_server_ciphers on;
 add_header Strict-Transport-Security "max-age=31536000";
- access_log /var/log/nginx/{{ app_name }}-access.log;
- error_log /var/log/nginx/{{ app_name }}-error.log;
+ access_log /var/log/nginx/{{ item.app_name }}-access.log upstreamlog;
+ error_log /var/log/nginx/{{ item.app_name }}-error.log;
- # Some binaries are gigantic
- client_max_body_size 2048m;
 location / {
 proxy_set_header Host $host;
@@ -19,8 +35,13 @@ server {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://127.0.0.1:8000;
- proxy_read_timeout 500;
+
+ {% if item.upstreams is defined %}
+ proxy_pass https://{{ item.upstreams.name }};
+ {% elif item.proxy_pass is defined %}
+ proxy_pass {{ item.proxy_pass }};
+ {% endif %}
+ proxy_read_timeout 30;
 }
 }
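Review bot: Dropping `# Some binaries are gigantic` / `client_max_body_size 2048m;` from the TLS server block means every site rendered from this template falls back to nginx's default request-body limit of 1m unless the limit is set in the enclosing http context, which this hunk cannot show, and the commit message does not mention the change — either keep the directive in the 443 block or record why the limit is no longer needed. The new plain-HTTP server block has no `listen` directive, so nginx falls back to its built-in default (*:80 when started as root, *:8000 otherwise); an explicit `listen 80;` as the block's first line would make the redirect listener deliberate. `add_header Strict-Transport-Security max-age=31536000;` in that same block is only ever sent over plain HTTP, where clients are required to ignore it (RFC 6797 §8.1), so it can be removed there and left solely on the 443 block. `access_log … upstreamlog;` requires a `log_format upstreamlog` definition in the http context and nginx refuses to start without it, so worth confirming the nginx role defines it. The 443 `server` block opened here closes outside this hunk.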
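Review bot: `proxy_pass https://{{ item.upstreams.name }};` sends traffic to the upstream over TLS, but nginx does not validate the upstream's certificate unless `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate` are configured (the default is off), so as written the hop is encrypted but the peer is unauthenticated; add those two directives, plus `proxy_ssl_server_name on;` if the upstream needs SNI, or document why verification is intentionally skipped. When neither `item.upstreams` nor `item.proxy_pass` is defined, `location /` renders with no `proxy_pass` at all and nginx quietly serves from its default root instead of failing; an `{% else %}` branch that references a required variable (Ansible errors on undefined variables by default) or a comment stating that the fallback is intended would make the omission visible. Lowering `proxy_read_timeout` from 500 to 30 is a behaviour change the commit message does not cover; a short comment such as `# 30s: upstreams are expected to answer quickly; raise per item for slow or streaming apps` (wording to confirm with the author) would record the reason. The enclosing `location /` and `server` blocks start outside this hunk.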