ansible-roles/roles/nginx/defaults/main.yml

---

nginx_ports:
  - 80
nginx_ssl_ports:
  - 443
nginx_src_ip:
 - 0.0.0.0/0

# If true, will install openresty as an nginx replacement
nginx_openresty: False

nginx_modules:
  - stream
  - http_image_filter
  - http_perl

nginx_log_format: combined_virtual

# The root domaine.
# Some special vhost names can be derived from it. Eg downtime.{{ nginx_primary_domain }}
nginx_primary_domain: "{{ ansible_domain }}"

nginx_cert_path: /etc/nginx/ssl/cert.pem
nginx_key_path: /etc/nginx/ssl/key.pem
# OR
#
# nginx_letsencrypt_cert:

nginx_vhosts: []
nginx_default_vhost_base:
  aliases: []
  port: 80 # can also be a list of ports
  ssl:
    enabled: True
    forced: True
    compat: False
    port: 443 # can also be a list of ports
  auth: none
  # htpasswd_file: 
  maintenance: False
  acme_http: False
  redirect_aliases: True
  document_root: /var/www/html
  csp: "default-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
  perf: True
  limits: True
  naxsi: True
  naxsi_learn: True
  naxsi_wl: "# No naxsi whitelist defined"
  max_body_size: 10m
  location: /
  proxy:
    backend: False
    websocket: True
    cache: False
    timeout: 60s
    headers:
      X-Forwarded-For: '$proxy_add_x_forwarded_for'
      X-Real-IP: '$remote_addr'
      X-Forwarded-Proto: '$scheme'
      X-Forwarded-Host: '$host'
      X-Forwarded-Port: '$server_port'
      Host: '$host'
  allowed_methods:
    - GET
    - HEAD
    - POST
  headers:
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Strict-Transport-Security: $hsts_header
  logs:
    gelf: True
  src_ip: []
  deny_ip: []
  custom_pre: '# No custom configuration defined'
  custom_begin: '# No custom configuration defined'
  custom_end: '# No custom configuration defined'
  custom_location_begin: '# No custom configuration defined'
  custom_location_end: '# No custom configuration defined'

nginx_default_vhost_extra: {}
nginx_default_vhost: "{{ nginx_default_vhost_base | combine(nginx_default_vhost_extra,recursive=True) }}"

# List of IP addresses which won't be affected by maintenance redirections
nginx_maintenance_ip: []

nginx_ssl_ciphers_modern: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
nginx_ssl_ciphers_compat: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'
nginx_ssl_protocols:
  - TLSv1.2
  - TLSv1.3

# List of ip/cidr which won't have any DOS limit
nginx_dos_whitelisted_ip: []

# Max number of request per second, per IP address for non whitelisted IP
nginx_req_per_sec: 25

# Max size of the cache on disk
nginx_cache_size: 2g

# If true, a letsencrypt cert will be created for every vhost, automatically
nginx_auto_letsencrypt_cert: False

# Can be used to deploy htpasswd files
nginx_htpasswd: []
# nginx_htpasswd:
#   - path: /etc/nginx/customers.htpasswd
#     users:
#       - login: client1
#         password: s3crEt.
#         state: present
#       - login: client2
#         state: absent