Merge pull request #876 from TangRufus/update-h5bp

Update h5bp Nginx server configs

roles/nginx/defaults/main.yml

@@ -4,7 +4,7 @@ nginx_package: nginx
 nginx_conf: nginx.conf.j2
 nginx_path: /etc/nginx
 nginx_logs_root: /var/log/nginx
-nginx_user: www-data
+nginx_user: www-data www-data
 nginx_fastcgi_buffers: 8 8k
 nginx_fastcgi_buffer_size: 8k
 nginx_fastcgi_read_timeout: 120s

roles/nginx/tasks/main.yml

@@ -29,7 +29,7 @@
   git:
     repo: "https://github.com/h5bp/server-configs-nginx.git"
     dest: "{{ nginx_path }}/h5bp-server-configs"
-    version: 82181a672a7c26f9bc8744fead80318d8a2520b1
+    version: c5c6602232e0976d9e69d69874aa84d2a2698265
     force: yes
 
 - name: Move h5bp configs

roles/nginx/templates/nginx.conf.j2

@@ -1,49 +1,51 @@
 # {{ ansible_managed }}
 
-# nginx Configuration File
-# http://wiki.nginx.org/Configuration
+# Configuration File - Nginx Server Configs
+# http://nginx.org/en/docs/dirindex.html
 
 {% block modules_enabled -%}
 include modules-enabled/*.conf;
 {% endblock %}
 
 {% block user %}
-# Run as a less privileged user for security reasons.
+# Run as a unique, less privileged user for security reasons.
+# Default: nobody nobody
 user {{ nginx_user }};
 {% endblock %}
 
 {% block worker %}
-# How many worker threads to run;
-# "auto" sets it to the number of CPU cores available in the system, and
-# offers the best performance. Don't set it higher than the number of CPU
-# cores if changing this parameter.
-
-# The maximum number of connections for Nginx is calculated by:
-# max_clients = worker_processes * worker_connections
+# Sets the worker threads to the number of CPU cores available in the system for best performance.
+# Should be > the number of CPU cores.
+# Maximum number of connections = worker_processes * worker_connections
+# Default: 1
 worker_processes auto;
 
-# Maximum open file descriptors per process;
-# should be > worker_connections.
+# Maximum number of open files per worker process.
+# Should be > worker_connections.
+# Default: no limit
 worker_rlimit_nofile 8192;
 {% endblock %}
 
 {% block events %}
 events {
-  # When you need > 8000 * cpu_cores connections, you start optimizing your OS,
-  # and this is probably the point at which you hire people who are smarter than
-  # you, as this is *a lot* of requests.
+  # If you need more connections than this, you start optimizing your OS.
+  # That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests.
+  # Should be < worker_rlimit_nofile.
+  # Default: 512
   worker_connections 8000;
 }
 {% endblock %}
 
 {% block error_log %}
-# Default error log file
-# (this is only used when you don't override error_log on a server{} level)
+# Log errors and warnings to this file
+# This is only used when you don't override it on a server{} level
+# Default: logs/error.log error
 error_log  {{ nginx_logs_root }}/error.log warn;
 {% endblock %}
 
 {% block pid %}
 # The file storing the process ID of the main process
+# Default: nginx.pid
 pid        /run/nginx.pid;
 {% endblock %}
 
@@ -52,6 +54,7 @@ http {
 
   {% block server_tokens -%}
   # Hide nginx version information.
+  # Default: on
   server_tokens off;
   {% endblock %}
 
@@ -70,75 +73,100 @@ http {
   {% endblock %}
 
   {% block mime_types -%}
-  # Define the MIME types for files.
+  # Specify MIME types for files.
   include       h5bp-server-configs/mime.types;
+
+  # Default: text/plain
   default_type  application/octet-stream;
   {% endblock %}
 
   {% block charset_types -%}
-  # Update charset_types due to updated mime.types
-  charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;
+  # Update charset_types to match updated mime.types.
+  # text/html is always included by charset module.
+  # Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
+  charset_types
+    text/css
+    text/plain
+    text/vnd.wap.wml
+    application/javascript
+    application/json
+    application/rss+xml
+    application/xml;
   {% endblock %}
 
   {% block log_format -%}
-  # Format to use in log files
+  # Include $http_x_forwarded_for within default format used in log files
   log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for"';
   {% endblock %}
 
   {% block access_log -%}
-  # Default log file
-  # (this is only used when you don't override access_log on a server{} level)
+  # Log access to this file
+  # This is only used when you don't override it on a server{} level
+  # Default: logs/access.log combined
   access_log {{ nginx_logs_root }}/access.log main;
   {% endblock %}
 
   {% block keepalive -%}
-  # How long to allow each connection to stay idle; longer values are better
-  # for each individual client, particularly for SSL, but means that worker
-  # connections are tied up longer. (Default: 65)
-  keepalive_timeout 20;
+  # How long to allow each connection to stay idle.
+  # Longer values are better for each individual client, particularly for SSL,
+  # but means that worker connections are tied up longer.
+  # Default: 75s
+  keepalive_timeout 20s;
   {% endblock %}
 
   {% block sendfile -%}
   # Speed up file transfers by using sendfile() to copy directly
   # between descriptors rather than using read()/write().
+  # For performance reasons, on FreeBSD systems w/ ZFS
+  # this option should be disabled as ZFS's ARC caches
+  # frequently used files in RAM by default.
+  # Default: off
   sendfile        on;
   {% endblock %}
 
   {% block tcp_nopush -%}
-  # Tell Nginx not to send out partial frames; this increases throughput
-  # since TCP frames are filled up before being sent out. (adds TCP_CORK)
+  # Don't send out partial frames; this increases throughput
+  # since TCP frames are filled up before being sent out.
+  # Default: off
   tcp_nopush      on;
   {% endblock %}
 
   {% block compression -%}
   # Compression
 
-  # Enable Gzip compressed.
+  # Enable gzip compression.
+  # Default: off
   gzip on;
 
   # Compression level (1-9).
-  # 5 is a perfect compromise between size and cpu usage, offering about
-  # 75% reduction for most ascii files (almost identical to level 9).
+  # 5 is a perfect compromise between size and CPU usage, offering about
+  # 75% reduction for most ASCII files (almost identical to level 9).
+  # Default: 1
   gzip_comp_level    5;
 
   # Don't compress anything that's already small and unlikely to shrink much
   # if at all (the default is 20 bytes, which is bad as that usually leads to
   # larger files after gzipping).
+  # Default: 20
   gzip_min_length    256;
 
   # Compress data even for clients that are connecting to us via proxies,
   # identified by the "Via" header (required for CloudFront).
+  # Default: off
   gzip_proxied       any;
 
   # Tell proxies to cache both the gzipped and regular version of a resource
   # whenever the client's Accept-Encoding capabilities header varies;
   # Avoids the issue where a non-gzip capable client (which is extremely rare
   # today) would display gibberish if their proxy gave them the gzipped version.
+  # Default: off
   gzip_vary          on;
 
   # Compress all output labeled with one of the following MIME-types.
+  # text/html is always compressed by gzip module.
+  # Default: text/html
   gzip_types
     application/atom+xml
     application/javascript
@@ -164,7 +192,6 @@ http {
     text/vtt
     text/x-component
     text/x-cross-domain-policy;
-  # text/html is always compressed by HttpGzipModule
 
   # This should be turned on if you are going to have pre-compressed copies (.gz) of
   # static files available. If not it should be left off as it will cause extra I/O
@@ -174,6 +201,10 @@ http {
   {% endblock %}
 
   {% block sites_enabled -%}
+  # Include files in the sites-enabled folder. server{} configuration files should be
+  # placed in the sites-available folder, and then the configuration should be enabled
+  # by creating a symlink to it in the sites-enabled folder.
+  # See doc/sites-enabled.md for more info.
   include sites-enabled/*.conf;
   {% endblock %}
 }

roles/nginx/templates/no-default.conf.j2

@@ -8,6 +8,6 @@
 # returning 444 "no response".
 
 server {
-  listen 80 default_server;
+  listen [::]:80 default_server;
   return 444;
 }

roles/wordpress-setup/defaults/main.yml

@@ -23,6 +23,18 @@ nginx_includes_deprecated: roles/wordpress-setup/templates/includes.d
 nginx_includes_pattern: "^({{ nginx_includes_templates_path | regex_escape }}|{{ nginx_includes_deprecated | regex_escape }})/(.*)\\.j2$"
 nginx_includes_d_cleanup: true
 
+# h5bp helpers
+not_dev: "{{ env != 'development' }}"
+h5bp: "{{ item.value.h5bp | default({}) }}"
+h5bp_cache_file_descriptors_enabled: "{{ h5bp.cache_file_descriptors | default(not_dev) }}"
+h5bp_extra_security_enabled: "{{ h5bp.extra_security | default(true) }}"
+h5bp_no_transform_enabled: "{{ h5bp.no_transform | default(false) }}"
+h5bp_x_ua_compatible_enabled: "{{ h5bp.x_ua_compatible | default(true) }}"
+h5bp_cache_busting_enabled: "{{ h5bp.cache_busting | default(not_dev) }}"
+h5bp_cross_domain_fonts_enabled: "{{ h5bp.cross_domain_fonts | default(true) }}"
+h5bp_expires_enabled: "{{ h5bp.expires | default(not_dev) }}"
+h5bp_protect_system_files_enabled: "{{ h5bp.protect_system_files | default(true) }}"
+
 # PHP FPM
 php_fpm_pm_max_children: 10
 php_fpm_pm_start_servers: 1

roles/wordpress-setup/templates/wordpress-site.conf.j2

@@ -4,6 +4,7 @@
 
 server {
   {% block server_id -%}
+  listen {{ ssl_enabled | ternary('[::]:443 ssl http2', '[::]:80') }};
   listen {{ ssl_enabled | ternary('443 ssl http2', '80') }};
   server_name {{ site_hosts_canonical | union(multisite_subdomains_wildcards) | join(' ') }};
   {% endblock %}
@@ -17,6 +18,8 @@ server {
   root  {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/web;
   index index.php index.htm index.html;
   add_header Fastcgi-Cache $upstream_cache_status;
+
+  # Specify a charset
   charset utf-8;
 
   # Set the max body size equal to PHP's max POST size.
@@ -118,10 +121,38 @@ server {
   {% endblock %}
 
   {% block h5bp -%}
-  include h5bp/directive-only/x-ua-compatible.conf;
+  {% if h5bp_cache_file_descriptors_enabled -%}
+  include h5bp/directive-only/cache-file-descriptors.conf;
+  {% endif -%}
+
+  {% if h5bp_extra_security_enabled -%}
   include h5bp/directive-only/extra-security.conf;
+  {% endif -%}
+
+  {% if h5bp_no_transform_enabled -%}
+  include h5bp/directive-only/no-transform.conf;
+  {% endif -%}
+
+  {% if h5bp_x_ua_compatible_enabled -%}
+  include h5bp/directive-only/x-ua-compatible.conf;
+  {% endif -%}
+
+  {% if h5bp_cache_busting_enabled -%}
+  include h5bp/location/cache-busting.conf
+  {% endif -%}
+
+  {% if h5bp_cross_domain_fonts_enabled -%}
   include h5bp/location/cross-domain-fonts.conf;
+  {% endif -%}
+
+  {% if h5bp_expires_enabled -%}
+  include h5bp/location/expires.conf;
+  {% endif -%}
+
+  {% if h5bp_protect_system_files_enabled -%}
   include h5bp/location/protect-system-files.conf;
+  {% endif -%}
+
   {% endblock %}
 
   {% block location_php -%}
@@ -158,6 +189,7 @@ server {
 {% if ssl_enabled %}
 # Redirect to https
 server {
+  listen [::]:80;
   listen 80;
   server_name {{ site_hosts | union(multisite_subdomains_wildcards) | join(' ') }};
 
@@ -177,16 +209,15 @@ server {
 {% endif %}
 {% for host in item.value.site_hosts if host.redirects | default([]) %}
 server {
+  listen {{ ssl_enabled | ternary('[::]:443 ssl http2', '[::]:80') }};
   listen {{ ssl_enabled | ternary('443 ssl http2', '80') }};
   server_name {{ host.redirects | join(' ') }};
 
   {{ self.https() -}}
 
   {{ self.acme_challenge() -}}
 
-  location / {
-    return 301 $scheme://{{ host.canonical }}$request_uri;
-  }
+  return 301 $scheme://{{ host.canonical }}$request_uri;
 }
 {% endfor %}
 {% endblock %}