slfhst/ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

♻️: refactor allowlist

Browse Source
This commit is contained in:
VC
2024-11-04 17:48:43 +01:00
parent 92cbac9568
commit 95f38ef6f7
19 changed files with 95 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
roles/nginx/templates/header.conf.j2
View File

@@ -1,10 +1,21 @@
listen *:443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/x509/{{ item }}/fullchain.cer;
ssl_certificate_key /etc/x509/{{ item }}/{{ item }}.key;
server_name {{ item }};
access_log /var/log/nginx/{{ item }}.access.log combined;
ssl_certificate /etc/x509/{{ item.host }}/fullchain.cer;
ssl_certificate_key /etc/x509/{{ item.host }}/{{ item.host }}.key;
server_name {{ item.host }};
access_log /var/log/nginx/{{ item.host }}.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/{{ item }}.error.log;
error_log /var/log/nginx/{{ item.host }}.error.log;
error_log syslog:server=unix:/dev/log;
{% if item.allowlistv4 is defined %}
allow {{ hostvars['haproxy.dmz.mateu.be'].ansible_default_ipv4.address }};
{% endif %}
{% if item.allowlistv6 is defined %}
{% for addrv6 in item.allowlistv6 %}
allow {{ addrv6 }};
{% endfor %}
{% endif %}
{% if item.allowlistv4 is defined or item.allowlistv6 is defined %}
deny all;
{% endif %}