66 lines
2.3 KiB
Django/Jinja
66 lines
2.3 KiB
Django/Jinja
{% if proxy is defined and proxy is not string %}
|
|
upstream {{ site }} {
|
|
{% for item in proxy %}
|
|
{% set item = item | regex_replace("^(https://)?([^/]*).*$", "\\2") %}
|
|
{% if item | regex_search(".*:[0-9]+$") %}
|
|
server {{ item }};
|
|
{% else %}
|
|
server {{ item }}:443;
|
|
{% endif %}
|
|
{% endfor %}
|
|
}
|
|
{% endif %}
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name {{ site }};
|
|
|
|
access_log {{ nginx_logdir }}/{{ site }}.access.log combined;
|
|
error_log {{ nginx_logdir }}/{{ site }}.error.log warn;
|
|
|
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
|
|
{% if ssl_config is defined %}
|
|
{% if ssl_config == "old" %}
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
{% endif %}
|
|
{% endif %}
|
|
ssl_certificate {{ tls_certs }}/{{ site }}-fullchain.crt;
|
|
ssl_certificate_key {{ tls_private }}/{{ site }}.key;
|
|
|
|
{% include "./{}.conf.j2".format(site) ignore missing %}
|
|
{% if redirect is defined %}
|
|
return 301 {{ redirect }};
|
|
{% elif proxy is defined %}
|
|
location / {
|
|
{% if proxy is not string %}
|
|
{% set path = proxy[0] | regex_replace("^(https://)?([^/]*)(.*)$", "\\3") %}
|
|
# https://trac.nginx.org/nginx/ticket/1307
|
|
proxy_ssl_verify off;
|
|
proxy_pass https://{{ site }}{{ path }};
|
|
{% else %}
|
|
proxy_pass {{ proxy }};
|
|
{% endif %}
|
|
}
|
|
{% else %}
|
|
root /srv/web/{{ site }};
|
|
{% endif %}
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name {{ site }};
|
|
location /.well-known/acme-challenge/ {
|
|
proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/;
|
|
}
|
|
location / {
|
|
{% if redirect is defined %}
|
|
return 301 {{ redirect }};
|
|
{% else %}
|
|
return 301 https://$host$request_uri;
|
|
{% endif %}
|
|
}
|
|
}
|