homeserver/roles/hispanico.letsencrypt-nginx-revproxy/templates/reverseproxy_ssl.conf.j2
2020-08-18 11:57:53 +02:00

67 lines
2.2 KiB
Django/Jinja

################################################################################
# This file was generated by Ansible for {{ansible_fqdn}}
# Do NOT modify this file by hand!
################################################################################
upstream {{ item.key }}_backend {
{% for upstream in item.value.upstreams %}
server {{upstream.backend_address}}:{{upstream.backend_port}};
{% endfor %}
}
server {
listen 80;
listen [::]:80;
server_name {{ item.value.domains | join(' ') }};
location / {
return 301 https://$server_name$request_uri;
}
location /.well-known {
alias /var/www/{{ item.key }}/.well-known;
}
access_log /var/log/nginx/{{ item.key }}_access.log;
error_log /var/log/nginx/{{ item.key }}_error.log error;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name {{ item.value.domains | join(' ') }};
{% if item.value.hsts_max_age is defined %}
add_header Strict-Transport-Security "max-age={{ item.value.hsts_max_age }}; includeSubDomains; preload" always;
{% endif %}
access_log /var/log/nginx/{{ item.key }}_access.log;
error_log /var/log/nginx/{{ item.key }}_error.log error;
ssl on;
ssl_certificate /etc/letsencrypt/live/{{ item.key }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ item.key }}/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
location /.well-known {
alias /var/www/{{ item.key }}/.well-known;
}
location / {
gzip off;
proxy_set_header X-Forwarded-Ssl on;
client_max_body_size {{ item.value.client_max_body_size | default('50M') }};
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://{{ item.key }}_backend;
}
}