R68801 gzip nginx cloudfront pr 2.x (#1544)

* r68801-r67628-gzip-nginx-cloudfront

* r68801-r67628-gzip-nginx-cloudfront

* remove test tasks

* remove test tasks

* remove test tasks

Author: tymofiisobchenko

roles/debian/nginx/defaults/main.yml

@@ -60,6 +60,7 @@ nginx:
         # on_calendar: "Mon *-*-* 04:00:00"
       ratelimitingcrawlers: true
       is_default: true
+      is_behind_cloudfront: false # set to true to disable gzip.
       basic_auth:
         auth_enabled: false
         auth_file: "" # optionally provide the path on the deploy server to a htpasswd file - WARNING - it must be valid and will not be checked!

roles/debian/nginx/tasks/main.yml

@@ -52,6 +52,7 @@
     force: true
   with_items:
     - _common
+    - _common_cloudfront
     - custom
     - docker_registry
     - drupal_common

roles/debian/nginx/templates/_common_cloudfront.j2

@@ -0,0 +1,11 @@
+### {{ ansible_managed }}
+
+gzip off;
+proxy_buffer_size       512k;
+proxy_buffers           8 256k;
+client_body_buffer_size 512k;
+fastcgi_buffer_size     512k ;
+fastcgi_buffers         8 256k ;
+client_max_body_size    {{ nginx.client_max_body_size }} ;
+# Disable content sniffing, since it's an attack vector.
+add_header X-Content-Type-Options nosniff;

roles/debian/nginx/templates/nginx.conf.j2

@@ -23,11 +23,11 @@ http {
 
         log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                           '$status $body_bytes_sent "$http_referer" '
-                          '"$http_user_agent" $request_length $body_bytes_sent';
+                          '"$http_user_agent" $request_length';
 
         log_format  proxy '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
                           '$status $body_bytes_sent "$http_referer" '
-                          '"$http_user_agent" $request_length $body_bytes_sent';
+                          '"$http_user_agent" $request_length';
 
     server_names_hash_bucket_size {{ nginx.http.server_names_hash_bucket_size }};
     # server_name_in_redirect off;
@@ -50,22 +50,9 @@ http {
     error_log {{ nginx.http.error_log }};
 
     ##
-    # Gzip Settings
+    # Additional Settings
     ##
 
-    gzip on;
-
-    # gzip_vary on;
-	# gzip_proxied any;
-	# gzip_comp_level 6;
-	# gzip_buffers 16 8k;
-	# gzip_http_version 1.1;
-	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-
-	##
-	# Additional Settings
-	##
-
 {% if nginx.http.custom_directives is defined %}
     {% for directive in nginx.http.custom_directives %}
     {{ directive }}

roles/debian/nginx/templates/vhosts.j2

@@ -28,7 +28,11 @@ server {
     access_log {{ domain.access_log }} {{ domain.access_log_format | default('main') }};
     root "{{ domain.webroot }}";
     include "/etc/nginx/conf.d/{{ domain.project_type }}";
+{% if domain.is_behind_cloudfront is defined and domain.is_behind_cloudfront %}
+    include "/etc/nginx/conf.d/_common_cloudfront";
+{% else %}
     include "/etc/nginx/conf.d/_common";
+{% endif %}
 {% if domain.ssl is defined and domain.ssl.handling == 'letsencrypt' %}
 {% if domain.ssl.web_server | default('standalone') == 'standalone' %}
     # Proxy for certbot (LetsEncrypt)