# Optional caller-supplied configuration emitted verbatim ahead of the server
# blocks. The value is rendered with no filter or escaping, so it must come
# from trusted inventory/role variables, never from request-derived data.
{% if before_server is defined %}
{{ before_server }}
{% endif %}
# Plain-HTTP server: answers every name in `domains`, keeps ACME HTTP-01
# challenges reachable, and sends everything else to HTTPS.
server {
    {% if listen80 is defined -%}
    {{ listen80 }}
    {% else %}
    listen 80;
    listen [::]:80;
    {% endif %}
    {% if proxy_protocol is defined %}

    # Extra PROXY-protocol listeners for traffic arriving through a front
    # proxy/load balancer. The client address is taken from the PROXY header
    # only when the connection originates from one of the set_real_ip_from
    # sources below, so the trust list must stay limited to those proxies.
    listen 81 proxy_protocol;
    listen [::]:81 proxy_protocol;
    real_ip_header proxy_protocol;
    {% for ip in proxy_protocol.ipv4 %}
    set_real_ip_from {{ ip }};
    {% endfor %}
    {% for ip in proxy_protocol.ipv6 %}
    set_real_ip_from {{ ip }};
    {% endfor %}

    # Redirects issued on the 81 listener must not advertise that port.
    port_in_redirect off;
    {% endif %}
    server_name {{ domains | join(' ') }};

    location / {
        # enforce https
        # $server_name is the first entry of `domains` (the server's own
        # primary name), not the client-supplied Host header, so the redirect
        # target cannot be steered by the request.
        return 301 https://$server_name:443$request_uri;
    }
    {% if unsecure_server is defined %}
    {{ unsecure_server }}
    {% endif %}
    # Longer prefix wins over `location /`, so HTTP-01 challenges are served
    # over plain HTTP instead of being redirected.
    location /.well-known/acme-challenge {
    {% if acme_challenge is defined %}
    {{ acme_challenge }}
    {% else %}
        root /var/www/acme;
    {% endif %}
    }
}
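# HTTPS server for every name in `domains`, or only the first one when
# redirect_to_first is set (the remaining names then get their own
# canonicalising server further down).
server {
    {% if listen443 is defined -%}
    {{ listen443 }}
    {% else %}
    # On host 'ouaset' HTTPS is accepted on a unix socket instead of port 443.
    listen {% if ansible_hostname is defined and ansible_hostname == 'ouaset' %}unix:/var/run/nginx-https.sock{% else %}443{% endif %} ssl http2;
    listen [::]:443 ssl http2;
    {% endif %}
    server_name {% if redirect_to_first is not defined or not redirect_to_first %}{{ domains | join(' ') }}{% else %}{{ domains[0] }}{% endif %};
    {% if proxy_protocol is defined %}

    # PROXY-protocol listeners for traffic arriving through a front proxy.
    # The client address is taken from the PROXY header only for connections
    # from the set_real_ip_from sources below; keep that list to the proxies.
    listen 442 ssl http2 proxy_protocol;
    listen [::]:442 ssl http2 proxy_protocol;
    real_ip_header proxy_protocol;
    {% for ip in proxy_protocol.ipv4 %}
    set_real_ip_from {{ ip }};
    {% endfor %}
    {% for ip in proxy_protocol.ipv6 %}
    set_real_ip_from {{ ip }};
    {% endfor %}

    # Redirects issued on the 442 listener must not advertise that port.
    port_in_redirect off;
    {% endif %}

    {% if ssl_certificate is defined %}
    {{ ssl_certificate }}
    {% else %}
    ssl_certificate /etc/ssl/csr/{{ instance_name }}-fullchain.crt;
    ssl_certificate_key /etc/ssl/private/{{ instance_name }}.pem;
    {% endif %}

    # "0" switches off the legacy browser XSS auditor (current recommendation).
    add_header X-XSS-Protection "0";
    # `always` keeps HSTS on error responses as well. nginx drops every
    # server-level add_header in any location that declares its own
    # add_header, so content injected via `headers` / `server` below must
    # repeat this directive in such locations.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;" always;
    {% if headers is defined %}{{ headers }}{% endif %}

    # Guarded with `is defined` like the other optional blocks, so a missing
    # `server` variable skips the block instead of failing the render.
    {% if server is defined and server %}
    {{ server }}
    {% endif %}
}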
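{% if redirect_to_first is defined and redirect_to_first and domains|length > 1 %}
# Alias server: terminates TLS for the remaining names and sends every
# request to the first (canonical) domain.
server {
    # On host 'ouaset' HTTPS is accepted on a unix socket instead of port 443.
    listen {% if ansible_hostname is defined and ansible_hostname == 'ouaset' %}unix:/var/run/nginx-https.sock{% else %}443{% endif %} ssl http2;
    listen [::]:443 ssl http2;
    server_name {{ domains[1:] | join(' ') }};
    {% if proxy_protocol is defined %}

    # PROXY-protocol listeners for traffic arriving through a front proxy.
    # The client address is taken from the PROXY header only for connections
    # from the set_real_ip_from sources below; keep that list to the proxies.
    listen 442 ssl http2 proxy_protocol;
    listen [::]:442 ssl http2 proxy_protocol;
    real_ip_header proxy_protocol;
    {% for ip in proxy_protocol.ipv4 %}
    set_real_ip_from {{ ip }};
    {% endfor %}
    {% for ip in proxy_protocol.ipv6 %}
    set_real_ip_from {{ ip }};
    {% endfor %}

    # Redirects issued on the 442 listener must not advertise that port.
    port_in_redirect off;
    {% endif %}

    {% if ssl_certificate is defined %}
    {{ ssl_certificate }}
    {% else %}
    ssl_certificate /etc/ssl/csr/{{ instance_name }}-fullchain.crt;
    ssl_certificate_key /etc/ssl/private/{{ instance_name }}.pem;
    {% endif %}

    # "0" switches off the legacy browser XSS auditor (current recommendation).
    add_header X-XSS-Protection "0";
    # `always` keeps HSTS on error responses as well.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;" always;

    location / {
        # `return 301 ... $request_uri` replaces `rewrite (.*) https://host$1;`:
        # the rewrite form answered with a temporary 302 (no `permanent` flag)
        # and rebuilt the target from the normalised $uri, whereas this is a
        # permanent redirect, matching the HTTP->HTTPS server, that forwards the
        # original request target and query string unchanged.
        return 301 https://{{ domains[0] }}$request_uri;
    }
}
{% endif %}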
# Optional caller-supplied configuration emitted verbatim after the server
# blocks. Rendered with no filter or escaping, so it must come from trusted
# inventory/role variables only.
{% if after_server is defined %}
{{ after_server }}
{% endif %}