#jinja2:lstrip_blocks: True
{# Per-vhost nginx "server" block. Presumably rendered once per entry of a
   vhosts dict (item.key = vhost name, item.value = vhost settings — verify
   against the task that loops this template). The settings are overlaid on
   nginx_vhosts_defaults so the rest of the template can read every key
   unconditionally. #}
{% set vhost = {}|combine(nginx_vhosts_defaults, item.value, recursive=True) %}
{% set vhost_name = item.key %}
{# Response headers: global nginx.add_headers with the vhost's own add_headers
   overriding them (non-recursive combine, so a vhost key replaces the global
   value outright). #}
{% set vhost_headers = {}|combine(nginx.add_headers, vhost.add_headers) %}
{# When the vhost names a backend, an implicit proxy location (the shared
   nginx_proxy_location with the backend filled in) is appended to the
   configured locations further down; otherwise the list is empty. #}
{% set vhost_proxy_location = [ {}|combine(nginx_proxy_location, {'backend': vhost.backend }) ] if vhost.backend|d(False) else [] %}
{# Emit one "listen" directive per address in ips, bound to port. The options
   list (e.g. ["ssl", "http2"]) is appended verbatim; "default_server" is added
   when the enclosing vhost asks for it. #}
{% macro nginx_listen(ips, port, options) %}
{% set default_flag = ' default_server' if vhost.default_server else '' %}
{% for addr in ips %}
listen {{ addr }}:{{ port }} {{ options|join(' ') }}{{ default_flag }};
{% endfor %}
{% endmacro %}
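server {
    {# server_name is only emitted when the vhost lists at least one name. #}
    {% if vhost.servername|length > 0 %}
    server_name {{ vhost.servername|join(' ') }};
    {% endif %}

    {# TLS listeners.
       NOTE(review): "http2" as a listen parameter is deprecated in newer nginx
       releases in favour of a separate "http2 on;" directive — confirm against
       the nginx version this role targets before changing it. #}
    {% if vhost.listen.ssl %}
    {% if vhost.listen.v4 %}{{ nginx_listen(vhost.listen.v4_ip, vhost.listen.ssl_port, ["ssl", "http2"]) }}{% endif %}
    {% if vhost.listen.v6 %}{{ nginx_listen(vhost.listen.v6_ip, vhost.listen.ssl_port, ["ssl", "http2"]) }}{% endif %}
    {% endif %}

    {# Plain-HTTP listeners. #}
    {% if vhost.listen.nossl %}
    {% if vhost.listen.v4 %}{{ nginx_listen(vhost.listen.v4_ip, vhost.listen.nossl_port, []) }}{% endif %}
    {% if vhost.listen.v6 %}{{ nginx_listen(vhost.listen.v6_ip, vhost.listen.nossl_port, []) }}{% endif %}
    {% endif %}

    {# Verbatim extra listen directives. #}
    {% for i in vhost.listen.custom %}
    listen {{ i }};
    {% endfor %}

    {# Response headers (global nginx.add_headers merged with the vhost's).
       Two nginx add_header behaviours matter when these are security headers:
       - add_header is not inherited into any location that sets its own
         add_header, so a "vhost.custom"/"location.custom" line containing
         add_header silently drops these server-level headers for that location;
       - without the "always" parameter add_header only applies to 2xx/3xx
         responses, so error pages go out without e.g. HSTS/CSP. The value is
         quoted, so "always" cannot currently be passed through this template. #}
    {% for header in vhost_headers if header %}
    add_header {{ header }} "{{ vhost_headers[header] }}";
    {% endfor %}

    {# Verbatim vhost-level directives. #}
    {% for c in vhost.custom|default([]) %}
    {{ c }};
    {% endfor %}

    {# One location per configured entry, plus the implicit proxy location for
       vhost.backend (vhost_proxy_location, built at the top of the template). #}
    {% for location in ( vhost.locations + vhost_proxy_location ) %}
    location {{ location.match }} {
        {% if "alias" in location %}
        alias {{ location.alias }};
        {% endif %}
        {% if location.backend|d(False) %}
        proxy_pass {{ location.backend }};

        {% if location.cache|d(False) %}
        proxy_cache {{ location.cache }};
        proxy_cache_revalidate on;
        proxy_cache_lock on;
        proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
        proxy_cache_background_update on;
        # use actual host instead of proxy host for cache key
        # NOTE(review): the key carries no per-user component (cookies,
        # Authorization); correctness for user-specific responses relies on
        # the backend sending Cache-Control/Set-Cookie appropriately — verify
        # before enabling cache on an authenticated backend.
        proxy_cache_key $scheme$host$uri$is_args$args;
        # for debugging purposes, add the following header
        #add_header X-Cache-Status $upstream_cache_status;
        {% else %}
        proxy_buffering off;
        {% endif %}

        # add proxy headers
        proxy_set_header Host {{ location.host|d(vhost.host) }};
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        {# The scheme headers reflect the connection nginx itself accepted
           ($scheme/$https), never a client-supplied header. The force_* variant
           hard-codes https — presumably for vhosts that have TLS terminated in
           front of nginx; confirm with the role's defaults. #}
        {% if not location.force_forwarded_ssl_header|d(vhost.force_forwarded_ssl_header) %}
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl $https;
        proxy_set_header X-Url-Scheme $scheme;
        {% else %}
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Url-Scheme https;
        {% endif %}

        # add custom proxy headers
        {% for header in vhost.add_proxy_headers if header %}
        proxy_set_header {{ header }} "{{ vhost.add_proxy_headers[header] }}";
        {% endfor %}

        # Websockets
        # NOTE(review): "Connection: upgrade" is sent to the backend on every
        # request, not only on Upgrade requests. nginx's documented pattern is
        # a "map $http_upgrade $connection_upgrade" in the http context plus
        # "proxy_set_header Connection $connection_upgrade;" here; the map
        # lives outside this template, so only the caveat is recorded.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # remove custom proxy headers
        {% for header in vhost.hide_proxy_headers if header %}
        proxy_hide_header {{ header }};
        {% endfor %}
        # hide downstream headers for security reasons
        proxy_hide_header X-Powered-By;
        proxy_hide_header Server;
        proxy_hide_header X-AspNetMvc-Version;
        proxy_hide_header X-AspNet-Version;

        # no double headers
        proxy_hide_header Strict-Transport-Security;
        {% endif %}
        {# Verbatim per-location directives. #}
        {% for c in location.custom|default([]) %}
        {{ c }};
        {% endfor %}
    }
    {% endfor %}

    {% if vhost.disallow_dotfiles %}
    # disallow every path starting with a dot except .well-known/
    # This is a regex location: nginx evaluates regex locations in file order,
    # so a regex location from vhost.locations that also matches a dotfile path
    # takes precedence over this deny.
    location ~ /\.(?!well-known\/).* {
        deny all;
    }
    {% endif %}

    {% if nginx.security_txt is defined %}
    # Serve security.txt inline. default_type (instead of an add_header
    # Content-Type) sets the type without emitting a duplicate Content-Type
    # header and, because this location then has no add_header of its own,
    # keeps the server-level add_header directives inherited here.
    # Backslashes, double quotes and newlines in the text are escaped for
    # nginx's double-quoted string syntax; a literal "$" in the text would
    # still be parsed by nginx as a variable reference.
    location /.well-known/security.txt {
        default_type text/plain;
        return 200 "{{ nginx.security_txt | replace('\\', '\\\\') | replace('"', '\\"') | replace('\n', '\\n') }}";
    }
    {% endif %}

    {# HTTP basic auth for the whole vhost. Proxied and file-serving locations
       inherit it; a location answering via "return" (security.txt above)
       responds in the rewrite phase, before access-phase auth runs. #}
    {% if vhost.auth.enable %}
    auth_basic "restricted area";
    auth_basic_user_file {{ vhost.auth.path }};
    satisfy {{ vhost.auth.satisfy }};
    {% endif %}

    {# Extra config files included verbatim at server level. #}
    {% for include in vhost.includes %}
    include {{ include }};
    {% endfor %}

    {# Certificate selection: role-managed Let's Encrypt paths derived from the
       vhost name, else an explicit crt/key pair. A vhost with listen.ssl set
       and neither source produces a config nginx rejects at startup (ssl
       listener without ssl_certificate). #}
    {% if vhost.letsencrypt %}
    ssl_certificate /etc/ssl/nginx_{{ vhost_name }}.chain.crt;
    ssl_certificate_key /etc/ssl/private/nginx_{{ vhost_name }}.key;
    {% elif vhost.crt and vhost.key %}
    ssl_certificate {{ vhost.crt }};
    ssl_certificate_key {{ vhost.key }};
    {% endif %}
}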