[DOC] Updated.

ecaepp · ecaepp · commit 19f06c4a261e · 2018-12-10T16:00:15.000-06:00
Signed-off-by: ecaepp &lt;peace.patrick51@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -10,25 +10,45 @@ This role is currently in alpha testing
 
 Ansible 2.4
 
-## Role Variables
+-------
 
-Base role variables are defined in `default/main.yml` and is divied in to blocks base on the conf file or vhost configureation.
+## Configuration
 
-The Role Options section is for configureing option for how the role function and which task to run.
+All options in this section are configured as defaults for Nginx and are defined in `defaults.yml` so that they can easly be overwritten within the playbook.
+
+### Self Signed Cert Generation
+
+The Role has an option for generating a self signed TLS cert for testing. This setting is set to false defaultly to prevent unwanted self signed cert generation.
 
 ```yaml
 selfsigned_cert: false # Generate self signed SSL cert.
 ```
 
-The role creates three config file at the moment `nginx.conf, general.conf, and a vhost conf`.
+### Configuratoin Files
+
+All options in this section are configured as defaults for Nginx and are defind in `defaults.yml` so that they can easly be overwritten within the playbook.
+
+This role currently creates three conf files.
 
-Configs are defined in `defaults/main.yml so they can be easily overwritten elsewhere in the playbook. 
+* nginx.conf
+* general.conf
+* server.conf (vhost)
 
-Example of modifing Nginx configureation:
+#### nginx.conf
 
-Lets take a look at the smaple configs found in `defaults/main.yml` that are found in the `nginx.conf` section.
+This file contains options for cofiguring global options pretaining to the Nginx service.
 
 ```yaml
+# Service
+nginx_user: www-data
+worker_processes: auto
+nginx_pid_file: /var/run/nginx.pid
+worker_rlimit_nofile: 8192
+
+# Events
+event_multi_accept: "on"
+worker_connections: 4096
+
 # http
 charset: utf-8
 sendfile: "on"
@@ -37,67 +57,111 @@ tcp_nodelay: "on"
 types_hash_max_size: 2048
 client_max_body_size: 16M
 server_tokens: "off"
+
+# MIME
+include: mime.types
+default_type: application/octet-stream
+
+# Logging
+access_log: /var/log/nginx/access.log
+error_log: /var/log/nginx/error.log warn
+
+# Limits
+limit_req_log_level: warn
+limit_req_zone: $binary_remote_addr zone=login:10m rate=10r/m
+
+# SSL
+ssl_session_timeout: 1d
+ssl_session_cache: shared:SSL:50m
+ssl_session_tickets: "off"
+
+# Modern Config
+ssl_protocols: TLSv1.2
+ssl_ciphers: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ssl_prefer_server_ciphers: "on"
+
+# OSCP Stapling
+stapling: "on"
+stapling_verify: "on"
+resolver: 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s
+resolver_timeout: 2s
+
+# Load Configs
+conf_files: /etc/nginx/conf.d/*.conf
+sites_enabled: /etc/nginx/sites-enabled/*
 ```
 
-The recommended way to change default value of varibles for `nginx.conf` and `general.conf` is to copy the vars that need to be changed to `vars/main.yml`. It is best to also leave a comment noting the conf file the variable relates to and which stanza the config is stored in. This allows for easy versioning of custom vars in you own repo.
+#### general.conf
 
-```yaml
-# nginx.conf
+This conf file is used to set security headers, restrict access to `.` files, and compression options.
 
-# http
-types_hash_max_size: 1024
-server_tokens: "on"
+```yaml
+# Security Headers
+header_options: |
+  add_header X-Frame-Options "SAMEORIGIN" always;
+  add_header X-XSS-Protection "1; mode=block" always;
+  add_header X-Content-Type-Options "nosniff" always;
+  add_header Referrer-Policy "no-referrer-when-downgrade" always;
+  add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+# . files
+dot_file_location: "deny all"
+
+# Assets media
+media_expires: 7d
+media_access_log: "off"
+
+# svg, fonts
+fonts_headrer_options: 'Access-Control-Allow-Origin "*"'
+fonts_expire: 78
+fonts_access_log: "off"
+
+# Gzip
+gzip_status: "on"
+gzip_vary: "on"
+gzip_proxied: any
+gzip_comp_level: 6
+gzip_types: 'text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml'
 ```
 
-```text
-Note: Configuring variable like this allows for easy versioning of custom vars in your own repo/vc system.
-```
+`**NOTE:** This file is likely to be deprecated in future when I have time to rewrite the conf file tasks.`
 
-## VHosts
+#### server.conf
 
-This role uses the template `templates/server.conf.j2` to create virtualhost conf files for applications.
+This file is used to configure Nginx to actually server the web application. This role generates these files from a template in the task `tasks/configure.yml`.
 
-First create a new `.yml` file in `vars` named after the application ex. `someapp.yml`
-Second copy the vars from the vhosts section in `defaults/main.yml` the file you created and then fill in the vars to configure the vhost.
-Any config not need can be remove. ex. The `fastcgi_php` configs can be deleted if they are not need as long proper YAML indentaion is maintained.
+Currently the options below are required for Nginx to be able to run the app
 
-Example vhosts file for some app:
+* server_name
+* listen_port
+* root_dir
+* index_name
 
 ```yaml
-vhost:
-  - server_name: someapp.com
+vhost: []
+  - server_name: test.com
     listen_port: 80
-    root_dir: /var/www/someapp
+    root_dir: /var/www
     index_name: index.html
 
-    # ssl:
-    #   cert_dir: /etc/nginx/ssl
-    #   crt: '/etc/nginx/ssl/server.crt'
-    #   key: '/etc/nginx/ssl/server.key'
+    ssl:
+      cert_dir: /etc/nginx/ssl
+      crt: '/etc/nginx/ssl/server.crt'
+      key: '/etc/nginx/ssl/server.key'
 
-    # security_headers:
-    #   transport_security: Strict-Transport-Security "max-age=15768000; includeSubdomains",
-    #   xframe_options: X-Frame-Options SAMEORIGIN
+    security_headers:
+      transport_security: Strict-Transport-Security "max-age=15768000; includeSubdomains",
+      xframe_options: X-Frame-Options SAMEORIGIN
 
-    try_files: '$uri $uri/ /index.html'
+    try_files: '$uri $uri/'
 
-    # fastcgi_php:
-    #   fastcgi_split_path_info: fastcgi_split_path_info ^(.+\.php)(/.+)$
-    #   fastcgi_pass: 'fastcgi_pass unix:/var/run/php7.0-fpm.sock'
-    #   fastcgi_index: fastcgi_index index.php,
-    #   include_fastcgi: include fastcgi.conf
+    fastcgi_php:
+      fastcgi_split_path_info: fastcgi_split_path_info ^(.+\.php)(/.+)$
+      fastcgi_pass: 'fastcgi_pass unix:/var/run/php7.0-fpm.sock'
+      fastcgi_index: fastcgi_index index.php,
+      include_fastcgi: include fastcgi.conf
 ```
 
-The SSL configs can be uncommented and set to the location of any certificates that have been uploaded or generated for the application to enable HTTPS.
-
-The `security_headers` are set globally in `general.conf` and can be modified here.
-
-`Fastcgi_php` can be uncommented for php apps that utilize fastcgi. Please note that this role currently only supports `php7.0-fpm`.
-
-## Dependencies
-
-Currently there are no plans for this role to have any dependencies of other roles.
-
 ## Example Playbook
 
 Including an example of how to use your role (for instance, with variables
@@ -109,24 +173,24 @@ passed in as parameters) is always nice for users too:
       roles:
          - { role: ecaepp.nginx }
 
-    vars/someapp.yml
+      vars/someapp.yml
 
-    vhost:
-      - server_name: test.com
-        listen_port: 80
-        root_dir: /var/www/someapp/app/webroot/
-        index_name: index.html
+      vhost:
+        - server_name: test.com
+          listen_port: 80
+          root_dir: /var/www/someapp/app/webroot/
+          index_name: index.html
 
-        ssl:
-          cert_dir: /etc/nginx/ssl
-          crt: '/etc/nginx/ssl/someapp.com.crt'
-          key: '/etc/nginx/ssl/someapp.com.key'
+          ssl:
+            cert_dir: /etc/nginx/ssl
+            crt: '/etc/nginx/ssl/someapp.com.crt'
+            key: '/etc/nginx/ssl/someapp.com.key'
 
-        security_headers:
-          transport_security: Strict-Transport-Security "max-age=15768000; includeSubdomains",
-          xframe_options: X-Frame-Options SAMEORIGIN
+          security_headers:
+            transport_security: Strict-Transport-Security "max-age=15768000;  includeSubdomains",
+            xframe_options: X-Frame-Options SAMEORIGIN
 
-        try_files: '$uri $uri/ /index.html'
+          try_files: '$uri $uri/ /index.html'
 
 ## License
 
