54 lines
1.8 KiB
Django/Jinja
54 lines
1.8 KiB
Django/Jinja
{% if proxy is defined and proxy is not string %}
|
|
upstream upstream_{{ site }} {
|
|
{% for item in proxy %}
|
|
server {{ item }}:443;
|
|
{% endfor %}
|
|
}
|
|
{% endif %}
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name {{ site }};
|
|
|
|
{% if ssl_config is defined %}
|
|
{% if ssl_config == "old" %}
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
{% endif %}
|
|
{% endif %}
|
|
ssl_certificate {{ tls_certs }}/{{ site }}-fullchain.crt;
|
|
ssl_certificate_key {{ tls_private }}/{{ site }}.key;
|
|
|
|
{% if redirect is defined %}
|
|
return 301 {{ redirect }};
|
|
{% elif proxy is defined %}
|
|
location / {
|
|
{% if proxy is not string %}
|
|
proxy_pass https://upstream_{{ site }};
|
|
{% else %}
|
|
proxy_pass {{ proxy }};
|
|
{% endif %}
|
|
}
|
|
{% else %}
|
|
root /srv/web/{{ site }};
|
|
{% endif %}
|
|
include /etc/nginx/conf.d/{{ site }}/*.conf;
|
|
}
|
|
|
|
server {
|
|
ssl off;
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name {{ site }};
|
|
location /.well-known/acme-challenge/ {
|
|
proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/;
|
|
}
|
|
location / {
|
|
{% if redirect is defined %}
|
|
return 301 {{ redirect }};
|
|
{% else %}
|
|
return 301 https://$host$request_uri;
|
|
{% endif %}
|
|
}
|
|
}
|