e3a9237b83
These can be overriden to bind to the actual management network IP in a real deployment Change-Id: I4824faedd1c663ac004a9e2674988c565f4cc27f
48 lines
1.5 KiB
Django/Jinja
48 lines
1.5 KiB
Django/Jinja
# {{ ansible_managed }}
|
|
server {
|
|
|
|
listen {{ keystone_web_server_bind_address }}:{{ keystone_nginx_ports[item] }};
|
|
|
|
{% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" %}
|
|
ssl on;
|
|
ssl_protocols {{ keystone_ssl_protocol }};
|
|
ssl_certificate {{ keystone_ssl_cert }};
|
|
ssl_certificate_key {{ keystone_ssl_key }};
|
|
ssl_trusted_certificate {{ keystone_ssl_ca_cert }};
|
|
ssl_ciphers {{ keystone_ssl_cipher_suite }};
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_cache shared:SSL:2m;
|
|
ssl_session_timeout 2m;
|
|
{%- endif %}
|
|
|
|
{% for line in keystone_nginx_extra_conf %}
|
|
{{ line }}
|
|
{%- endfor %}
|
|
|
|
error_log syslog:server=unix:/dev/log;
|
|
access_log syslog:server=unix:/dev/log;
|
|
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header Content-Security-Policy "default-src 'self' https: wss:;";
|
|
add_header X-Frame-Options {{ keystone_x_frame_options | default ('DENY') }};
|
|
|
|
real_ip_header X-Forwarded-For;
|
|
{% for ip in keystone_set_real_ip_from %}
|
|
set_real_ip_from {{ ip }};
|
|
{%- endfor %}
|
|
|
|
location / {
|
|
try_files $uri @yourapplication;
|
|
}
|
|
|
|
location @yourapplication {
|
|
include uwsgi_params;
|
|
uwsgi_pass 127.0.0.1:{{ keystone_uwsgi_ports[item]['socket'] }};
|
|
uwsgi_param SCRIPT_NAME '';
|
|
{% for header in keystone_extra_headers %}
|
|
add_header "{{ header['parameter'] }}" "{{ header['value'] }}";
|
|
{% endfor %}
|
|
}
|
|
}
|