Create roles for symfony app and ssl certificate

2017-09-09 13:09:09 +03:00
parent 15612ad981
commit 9634d7ab61
15 changed files with 350 additions and 145 deletions
--- a/ansible/roles/symfony-app/templates/app.conf.j2
+++ b/ansible/roles/symfony-app/templates/app.conf.j2
@ -0,0 +1,50 @@
+server {
+    server_name {{ app_domains | join(" ") }};
+
+    {% if app_cert %}
+        listen 443 ssl http2 deferred;
+    {% else %}
+        listen 80;
+    {% endif %}
+
+    {% if app_cert %}
+        {% include './ssl.j2' %}
+    {% endif %}
+
+    root {{ app_web_root }};
+
+    location / {
+        # try to serve file directly, fallback to app.php
+        try_files $uri /app.php$is_args$args;
+    }
+
+    location ~ ^/app\.php(/|$) {
+        fastcgi_pass {{ app_web_listen }};
+        fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        include fastcgi_params;
+
+        # When you are using symlinks to link the document root to the
+        # current version of your application, you should pass the real
+        # application path instead of the path to the symlink to PHP
+        # FPM.
+        # Otherwise, PHP's OPcache may not properly detect changes to
+        # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
+        # for more information).
+        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+        fastcgi_param DOCUMENT_ROOT $realpath_root;
+
+        # Prevents URIs that include the front controller. This will 404:
+        # http://domain.tld/app.php/some-path
+        # Remove the internal directive to allow URIs like this
+        internal;
+    }
+
+    # return 404 for all other php files not matching the front controller
+    # this prevents access to other php files you don't want to be accessible.
+    location ~ \.php$ {
+        return 404;
+    }
+
+    error_log /var/log/nginx/{{ app_name }}_error.log;
+    access_log /var/log/nginx/{{ app_name }}_access.log;
+}
--- a/ansible/roles/symfony-app/templates/fpm-pool.conf.j2
+++ b/ansible/roles/symfony-app/templates/fpm-pool.conf.j2
@ -0,0 +1,28 @@
+[{{ app_fpool_name }}]
+
+listen = {{ app_fpool_listen }}
+listen.allowed_clients = 127.0.0.1
+listen.backlog = -1
+
+user = {{ app_user }}
+group = {{ app_group }}
+
+; request_slowlog_timeout = 5s
+; slowlog = /var/log/php-fpm/slowlog-blog.log
+
+pm = dynamic
+pm.max_children = 4
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+pm.max_requests = 200
+pm.status_path = /status
+
+request_terminate_timeout = 120s
+rlimit_files = 131072
+rlimit_core = unlimited
+catch_workers_output = yes
+
+{% for name, value in app_envs.iteritems() %}
+env[{{ name }}]={{ value }}
+{% endfor %}
--- a/ansible/roles/symfony-app/templates/ssl.j2
+++ b/ansible/roles/symfony-app/templates/ssl.j2
@ -0,0 +1,15 @@
+ssl on;
+ssl_certificate         {{ app_cert_certificate }};
+ssl_certificate_key     {{ app_cert_key }};
+ssl_trusted_certificate {{ app_cert_certificate }};
+
+ssl_session_cache shared:SSL:50m;
+ssl_session_timeout 5m;
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+ssl_dhparam {{ app_dhparam_file }};
+ssl_prefer_server_ciphers on;