ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

monitoring-nginx.conf.j2 (2816B)


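      # TLS front end for the monitoring stack. Every location below proxies to an
      # exporter or service bound to loopback, and is gated by one shared bearer
      # token that Ansible renders into this file.
      #
      # Operational notes on the token:
      #  - PROMETHEUS_ACCESS_TOKEN ends up in clear text in the rendered config, so
      #    the rendered file should be readable only by root and the nginx user.
      #  - The value is placed inside a double-quoted nginx string. A token that
      #    contains `"`, `$` or `\` would be reinterpreted by nginx rather than
      #    compared literally, so generate it from a URL-safe alphabet.
      #  - NOTE(review): proxy_pass forwards request headers by default, so the
      #    Authorization header reaches each upstream as well. Confirm that none
      #    of them logs it, or clear it with proxy_set_header.
      #  - NOTE(review): the same token opens the Prometheus and Alertmanager
      #    endpoints, not only the exporters' metrics. Confirm that scrapers are
      #    meant to hold that much access, or split the credential.
      server {

        listen 443 ssl;
        listen [::]:443 ssl;

        # Do not identify as nginx
        server_tokens off;
        server_name monitoring.{{ domain_name }};

        ssl_certificate /etc/letsencrypt/live/monitoring/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/monitoring/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/monitoring/chain.pem;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/private/dhparam.pem;
        ssl_protocols TLSv1.3 TLSv1.2;
        # Applies to TLSv1.2 only; TLSv1.3 suites are not selected by ssl_ciphers.
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

        # `always` is required here: without it nginx attaches the header only to
        # a fixed set of success/redirect codes, so the 401 that every
        # unauthenticated request receives would carry no HSTS policy.
        # Do not add another add_header inside a location below without repeating
        # this one, because a nested add_header replaces the inherited set.
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

        error_log /var/log/nginx/monitoring.{{ domain_name }}.err;
        access_log /var/log/nginx/monitoring.{{ domain_name }}.log;

        # Pattern shared by every location:
        #  1. reject unless the Authorization header equals the expected bearer
        #     string exactly (`return` is one of the safe directives inside `if`);
        #  2. strip the public path prefix; `break` stops rewrite processing and
        #     makes nginx send the rewritten URI upstream, ignoring the URI part
        #     of proxy_pass.

        # Prometheus server
        location /prometheus/ {
           if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") {
              return 401;
           }
           rewrite ^/prometheus/(.*)$ /$1 break;
           proxy_pass http://127.0.0.1:9090/;
        }

        location /node/ {
           # Put API behind simple access control.
           if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") {
              return 401;
           }
           rewrite ^/node/(.*)$ /$1 break;
           proxy_pass http://127.0.0.1:9100/;
        }

        location /nginx/ {
           # Put API behind simple access control.
           if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") {
              return 401;
           }
           rewrite ^/nginx/(.*)$ /$1 break;
           proxy_pass http://127.0.0.1:9113/;
        }

        location /postgres/ {
           # Put API behind simple access control.
           if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") {
              return 401;
           }
           rewrite ^/postgres/(.*)$ /$1 break;
           proxy_pass http://127.0.0.1:9187/;
        }

        # Disabled: systemd endpoint. If it is re-enabled, keep the token check.
      #  location /systemd/ {
           # Put API behind simple access control.
      #     if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") {
      #        return 401;
      #     }
      #     rewrite ^/systemd/(.*)$ /$1 break;
      #     proxy_pass http://127.0.0.1:9116/;
      #  }

        # See /etc/default/alloy for the export
        location /alloy/ {
           # Put API behind simple access control.
           if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") {
              return 401;
           }
           rewrite ^/alloy/(.*)$ /$1 break;
           proxy_pass http://127.0.0.1:12345/;
        }

        # Alertmanager
        location /alertmanager/ {
           if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") {
              return 401;
           }
           rewrite ^/alertmanager/(.*)$ /$1 break;
           proxy_pass http://127.0.0.1:9093/;
        }
      }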
     86 
     87 
     88 
     # Loopback-only virtual host that publishes nginx's own stub_status counters
     # at /metrics for the Prometheus nginx exporter to read.
     # See /etc/default/prometheus-nginx-exporter for the use
     #
     # No port is given on `listen`, so nginx's default port applies.
     # NOTE(review): if `localhost` also resolves to ::1 on the target host, a
     # client arriving over IPv6 loopback is refused by the allow list below.
     # Confirm the exporter scrapes via 127.0.0.1.
     server {
       listen localhost;
       server_name localhost;
       # Nothing is served from disk on this host.
       root /dev/null;

       location /metrics {
          # Scrapes would only add noise to the access log.
          access_log off;
          stub_status on;
          # Order matters: the first matching rule wins.
          allow 127.0.0.1;
          deny all;
        }
     }