homeserver/Archiv/ReverseProxy-nginx/hispanico.nginx-revproxy/templates/reverseproxy_ssl_letsencrypt.conf.j2

################################################################################
# This file was generated by Ansible for {{ansible_fqdn}}
# Do NOT modify this file by hand!
################################################################################

upstream {{ item.key }}_backend  {
{% for upstream in item.value.upstreams %}
    server {{upstream.backend_address}}:{{upstream.backend_port}};
{% endfor %}
}

server {
   listen         {{ item.value.listen | default(80) }};
   listen    [::]:{{ item.value.listen | default(80) }};
   server_name    {{ item.value.domains | join(' ') }};
   location / {
   return         301 https://$server_name$request_uri;
   }

   location /.well-known/acme-challenge {
      alias /var/www/{{ item.key }}/.well-known/acme-challenge;
   }

   access_log /var/log/nginx/{{ item.key }}_access.log;
   error_log /var/log/nginx/{{ item.key }}_error.log error;

}

server {
   listen        {{ item.value.listen_ssl | default(443) }} ssl http2;
   listen   [::]:{{ item.value.listen_ssl | default(443) }} ssl http2;
   server_name {{ item.value.domains | join(' ') }};

{% if item.value.hsts_max_age is defined %}
   add_header Strict-Transport-Security "max-age={{ item.value.hsts_max_age }}; includeSubDomains; preload" always;
{% endif %}

   access_log /var/log/nginx/{{ item.key }}_access.log;
   error_log /var/log/nginx/{{ item.key }}_error.log error;

   ssl on;
   ssl_certificate /etc/letsencrypt/live/{{ item.key }}/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/{{ item.key }}/privkey.pem;
   ssl_session_timeout 5m;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
   ssl_prefer_server_ciphers on;
   ssl_session_cache shared:SSL:10m;

   location /.well-known/acme-challenge {
      alias /var/www/{{ item.key }}/.well-known/acme-challenge;
   }

   location / {
      gzip off;
      proxy_set_header X-Forwarded-Ssl on;
      client_max_body_size {{ item.value.client_max_body_size | default('50M') }};
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Frame-Options SAMEORIGIN;
      proxy_pass {{ item.value.backend_protocol | default('http') }}://{{ item.key }}_backend;
{% if item.value.auth is defined %}
      auth_basic "Restricted Content";
      auth_basic_user_file /etc/nginx/{{ item.key }}_htpasswd;
{% endif %}
   }
}
first commit 2020-08-18 11:57:53 +02:00			`################################################################################`
			`# This file was generated by Ansible for {{ansible_fqdn}}`
			`# Do NOT modify this file by hand!`
			`################################################################################`

			`upstream {{ item.key }}_backend {`
			`{% for upstream in item.value.upstreams %}`
			`server {{upstream.backend_address}}:{{upstream.backend_port}};`
			`{% endfor %}`
			`}`

			`server {`
			`listen {{ item.value.listen \| default(80) }};`
			`listen [::]:{{ item.value.listen \| default(80) }};`
			`server_name {{ item.value.domains \| join(' ') }};`
			`location / {`
			`return 301 https://$server_name$request_uri;`
			`}`

			`location /.well-known/acme-challenge {`
			`alias /var/www/{{ item.key }}/.well-known/acme-challenge;`
			`}`

			`access_log /var/log/nginx/{{ item.key }}_access.log;`
			`error_log /var/log/nginx/{{ item.key }}_error.log error;`

			`}`

			`server {`
			`listen {{ item.value.listen_ssl \| default(443) }} ssl http2;`
			`listen [::]:{{ item.value.listen_ssl \| default(443) }} ssl http2;`
			`server_name {{ item.value.domains \| join(' ') }};`

			`{% if item.value.hsts_max_age is defined %}`
			`add_header Strict-Transport-Security "max-age={{ item.value.hsts_max_age }}; includeSubDomains; preload" always;`
			`{% endif %}`

			`access_log /var/log/nginx/{{ item.key }}_access.log;`
			`error_log /var/log/nginx/{{ item.key }}_error.log error;`

			`ssl on;`
			`ssl_certificate /etc/letsencrypt/live/{{ item.key }}/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/{{ item.key }}/privkey.pem;`
			`ssl_session_timeout 5m;`
			`ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`
			`ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';`
			`ssl_prefer_server_ciphers on;`
			`ssl_session_cache shared:SSL:10m;`

			`location /.well-known/acme-challenge {`
			`alias /var/www/{{ item.key }}/.well-known/acme-challenge;`
			`}`

			`location / {`
			`gzip off;`
			`proxy_set_header X-Forwarded-Ssl on;`
			`client_max_body_size {{ item.value.client_max_body_size \| default('50M') }};`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header X-Frame-Options SAMEORIGIN;`
			`proxy_pass {{ item.value.backend_protocol \| default('http') }}://{{ item.key }}_backend;`
			`{% if item.value.auth is defined %}`
			`auth_basic "Restricted Content";`
			`auth_basic_user_file /etc/nginx/{{ item.key }}_htpasswd;`
			`{% endif %}`
			`}`
			`}`