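{# nginx vhost template: one TLS server per site, an optional upstream pool
   (when nginx_site_proxy is a list) and an optional plaintext :80 listener
   that forwards ACME HTTP-01 challenges and redirects everything else to HTTPS.
   Variables read: nginx_site_name, nginx_site_proxy (a single URL string, or a
   list of host[:port] / https://host[:port]/path entries),
   nginx_site_load_balance_method, nginx_site_redirect, nginx_site_plaintext,
   nginx_logdir, tls_certs, tls_private, groups. #}
{% if nginx_site_proxy is defined and nginx_site_proxy is not string %}
{# List form: build an upstream pool named after the site. Each entry is
   reduced to host[:port]; entries without an explicit port default to 443. #}
upstream {{ nginx_site_name }} {
{% if nginx_site_load_balance_method is defined %}
    {{ nginx_site_load_balance_method }};
{% endif %}
{% for item in nginx_site_proxy %}
{% set item = item | regex_replace("^(https://)?([^/]*).*$", "\\2") %}
{% if item | regex_search(".*:[0-9]+$") %}
    server {{ item }};
{% else %}
    server {{ item }}:443;
{% endif %}
{% endfor %}
}
{% endif %}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name {{ nginx_site_name }};
    access_log {{ nginx_logdir }}/{{ nginx_site_name }}.access.log custom;
    error_log {{ nginx_logdir }}/{{ nginx_site_name }}.error.log warn;

    # "always" attaches HSTS to every response, including the 301 emitted for
    # nginx_site_redirect and error pages. NOTE: nginx does not inherit
    # add_header into a location that declares its own add_header, so a
    # per-site include that adds headers must repeat this line.
    add_header Strict-Transport-Security "max-age=63072000" always;

    ssl_certificate {{ tls_certs }}/{{ nginx_site_name }}-fullchain.crt;
    ssl_certificate_key {{ tls_private }}/{{ nginx_site_name }}.key;

{# Optional per-site overrides live next to this template as <site>.conf.j2. #}
{% include "./{}.conf.j2".format(nginx_site_name) ignore missing %}

{% if nginx_site_redirect is defined %}
    return 301 {{ nginx_site_redirect }};
{% elif nginx_site_proxy is defined %}
    location / {
{% if nginx_site_proxy is not string %}
{# Only the first entry's path is honoured; all pool members are assumed to
   serve the same prefix. #}
{% set path = nginx_site_proxy[0] | regex_replace("^(https://)?([^/]*)(.*)$", "\\3") %}
        # https://trac.nginx.org/nginx/ticket/1307
        # SECURITY: upstream certificate verification is disabled, so the hop
        # to the pool members is encrypted but NOT authenticated -- a MITM on
        # that path goes undetected. Re-enable it (proxy_ssl_verify on with
        # proxy_ssl_trusted_certificate / proxy_ssl_name) once the upstream
        # presents a certificate nginx can validate.
        proxy_ssl_verify off;
        proxy_pass https://{{ nginx_site_name }}{{ path }};
{% else %}
        proxy_pass {{ nginx_site_proxy }};
{% endif %}
    }
{% else %}
    root /srv/web/{{ nginx_site_name }};
{% endif %}
}

{% if nginx_site_plaintext %}
server {
    listen 80;
    listen [::]:80;
    server_name {{ nginx_site_name }};
{% if nginx_site_name == 'certbot.home.foo.sh' and 'proxy' not in groups %}
    # The certbot host itself (when no proxy group exists) serves challenges
    # straight from disk.
    root /srv/web/{{ nginx_site_name }};
{% else %}
    # Every other site forwards ACME HTTP-01 challenges to the certbot host.
    location /.well-known/acme-challenge/ {
        proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/;
    }
    location / {
{% if nginx_site_redirect is defined %}
        return 301 {{ nginx_site_redirect }};
{% else %}
        # Redirect to the configured site name rather than $host: should this
        # block ever act as the default server for :80, $host is taken from the
        # client's Host header and the redirect becomes an open redirect.
        return 301 https://{{ nginx_site_name }}$request_uri;
{% endif %}
    }
{% endif %}
}
{% endif %}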