iac
/
ansible-role-nginx-config-svc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ansible-role-nginx-config-svc/templates/nginx.conf.j2

131 lines
3.6 KiB
Django/Jinja
Raw Permalink Blame History

{% if before_server is defined %}
{{ before_server }}
{% endif %}
server {
{% if nginx_listen80 is defined %}
{{ nginx_listen80 }}
{% else %}
listen 80;
listen [::]:80;
{% if proxy_protocol is defined %}
listen 81 proxy_protocol;
listen [::]:81 proxy_protocol;
real_ip_header proxy_protocol;
{% for ip in proxy_protocol.ipv4 %}
set_real_ip_from {{ ip }};
{% endfor %}
{% for ip in proxy_protocol.ipv6 %}
set_real_ip_from {{ ip }};
{% endfor %}
port_in_redirect off;
{% endif %}
{% endif %}
server_name {{ domains | join(' ') }};
{%+ if notls is not defined and unsecure_server is not defined %}
location / {
# enforce https
return 301 https://$server_name:443$request_uri;
}
{% endif %}
{% if unsecure_server is defined -%}
{{ unsecure_server | indent(4) }}
{%- endif %}
location /.well-known/acme-challenge {
root /var/www/acme;
{% if nginx_acme_challenge is defined %}
{{ nginx_acme_challenge }}
{% endif %}
}
}
{%+ if notls is not defined %}
server {
{% if nginx_listen443 is defined %}
{{ nginx_listen443 }}
{% else %}
listen 443 ssl http2;
listen [::]:443 ssl http2;
{% if proxy_protocol is defined %}
listen 442 ssl http2 proxy_protocol;
listen [::]:442 ssl http2 proxy_protocol;
real_ip_header proxy_protocol;
{% for ip in proxy_protocol.ipv4 %}
set_real_ip_from {{ ip }};
{% endfor %}
{% for ip in proxy_protocol.ipv6 %}
set_real_ip_from {{ ip }};
{% endfor %}
port_in_redirect off;
{% endif %}
{% endif %}
server_name {% if redirect_to_first is not defined or not redirect_to_first %}{{ domains | join(' ') }}{% else %}{{ domains[0] }}{% endif %};
{% if ssl_certificate is defined -%}
{{ ssl_certificate | indent(4) }}
{% elif instance_name is defined -%}
ssl_certificate /etc/ssl/csr/{{ instance_name }}-fullchain.crt;
ssl_certificate_key /etc/ssl/private/{{ instance_name }}.pem;
{% else -%}
ssl_certificate /etc/ssl/csr/{{ domains[0] }}-fullchain.crt;
ssl_certificate_key /etc/ssl/private/{{ domains[0] }}.pem;
{% endif %}
add_header X-XSS-Protection "0";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;" always;
{%+ if headers is defined %}{{ headers }}{% endif %}
{% if server -%}
{{ server | indent(4) }}
{%- endif %}
}
{% if redirect_to_first is defined and redirect_to_first and domains|length > 1 %}
server {
{% if nginx_listen443 is defined -%}
{{ nginx_listen443 }}
{% else %}
listen 443 ssl http2;
listen [::]:443 ssl http2;
{% if proxy_protocol is defined %}
listen 442 ssl http2 proxy_protocol;
listen [::]:442 ssl http2 proxy_protocol;
real_ip_header proxy_protocol;
{% for ip in proxy_protocol.ipv4 %}
set_real_ip_from {{ ip }};
{% endfor %}
{% for ip in proxy_protocol.ipv6 %}
set_real_ip_from {{ ip }};
{% endfor %}
port_in_redirect off;
{% endif %}
{% endif %}
server_name {{ domains[1:] | join(' ') }};
{% if ssl_certificate is defined %}
{{ ssl_certificate }}
{% elif instance_name is defined -%}
ssl_certificate /etc/ssl/csr/{{ instance_name }}-fullchain.crt;
ssl_certificate_key /etc/ssl/private/{{ instance_name }}.pem;
{% else %}
ssl_certificate /etc/ssl/csr/{{ domains[0] }}-fullchain.crt;
ssl_certificate_key /etc/ssl/private/{{ domains[0] }}.pem;
{% endif %}
add_header X-XSS-Protection "0";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;" always;
location / {
rewrite (.*) https://{{ domains[0] }}$1 permanent;
}
}
{% endif %}
{% endif %}
{% if after_server is defined %}
{{ after_server }}
{% endif %}
Reference in New Issue View Git Blame Copy Permalink