ben
/
infra
1
1
Fork 2
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
infra/roles/monitoring-server/templates/01-influxdb.j2

70 lines
2.3 KiB
Django/Jinja
Raw Permalink Blame History

server {
listen 443 ssl;
listen [::]:443 ssl; # listen for ipv6
{% if inventory_hostname in wg_clients -%}
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
{% endif -%}
include /etc/nginx/listen-proxy-protocol.conf;
server_name {{ influxdb_url }};
location /ping {
# if /ping?verbose=true, it leaks the version
set $args '';
proxy_pass http://127.0.0.1:{{ influxdb_port }};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location ~ ^/(metrics|health|debug) {
# /health will leak version number
# /metrics are private
# /debug is also private
allow 127.0.0.1;
{% if inventory_hostname in my_public_ips -%}
allow {{ my_public_ips[inventory_hostname] }}/32;
{% endif -%}
allow {{ my_public_ips[ansible_control_host] }}/32;
deny all;
proxy_pass http://127.0.0.1:{{ influxdb_port }};
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location / {
proxy_pass http://127.0.0.1:{{ influxdb_port }};
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
proxy_hide_header X-Influxdb-Version;
proxy_hide_header X-Influxdb-Build;
client_body_buffer_size 50m;
access_log /var/log/nginx/access_{{ influxdb_url }}.log main;
error_log /var/log/nginx/error_{{ influxdb_url }}.log warn;
ssl_certificate /usr/local/etc/certs/{{ influxdb_url }}/fullchain.pem;
ssl_certificate_key /usr/local/etc/certs/{{ influxdb_url }}/privkey.pem;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
}
View Git Blame Copy Permalink