|
@@ -239,25 +239,19 @@ server {
|
|
{{ end }}
|
|
{{ end }}
|
|
{{ $access_log }}
|
|
{{ $access_log }}
|
|
return 503;
|
|
return 503;
|
|
-}
|
|
|
|
|
|
|
|
{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
|
|
{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
|
|
-server {
|
|
|
|
- server_name _; # This is just an invalid value which will never trigger on a real hostname.
|
|
|
|
- server_tokens off;
|
|
|
|
listen {{ $external_https_port }} ssl http2;
|
|
listen {{ $external_https_port }} ssl http2;
|
|
{{ if $enable_ipv6 }}
|
|
{{ if $enable_ipv6 }}
|
|
listen [::]:{{ $external_https_port }} ssl http2;
|
|
listen [::]:{{ $external_https_port }} ssl http2;
|
|
{{ end }}
|
|
{{ end }}
|
|
- {{ $access_log }}
|
|
|
|
- return 503;
|
|
|
|
|
|
|
|
ssl_session_cache shared:SSL:50m;
|
|
ssl_session_cache shared:SSL:50m;
|
|
ssl_session_tickets off;
|
|
ssl_session_tickets off;
|
|
ssl_certificate /etc/nginx/certs/default.crt;
|
|
ssl_certificate /etc/nginx/certs/default.crt;
|
|
ssl_certificate_key /etc/nginx/certs/default.key;
|
|
ssl_certificate_key /etc/nginx/certs/default.key;
|
|
-}
|
|
|
|
{{ end }}
|
|
{{ end }}
|
|
|
|
+}
|
|
|
|
|
|
{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
|
|
{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
|
|
|
|
|
|
@@ -317,9 +311,7 @@ server {
|
|
|
|
|
|
{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
|
|
{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
|
|
|
|
|
|
-{{ if $is_https }}
|
|
|
|
-
|
|
|
|
-{{ if eq $https_method "redirect" }}
|
|
|
|
|
|
+{{ if and $is_https (eq $https_method "redirect") }}
|
|
server {
|
|
server {
|
|
server_name {{ $host }};
|
|
server_name {{ $host }};
|
|
{{ if $server_tokens }}
|
|
{{ if $server_tokens }}
|
|
@@ -356,11 +348,18 @@ server {
|
|
{{ if $server_tokens }}
|
|
{{ if $server_tokens }}
|
|
server_tokens {{ $server_tokens }};
|
|
server_tokens {{ $server_tokens }};
|
|
{{ end }}
|
|
{{ end }}
|
|
|
|
+ {{ $access_log }}
|
|
|
|
+ {{- if or (not $is_https) (eq $https_method "noredirect") }}
|
|
|
|
+ listen {{ $external_http_port }} {{ $default_server }};
|
|
|
|
+ {{ if $enable_ipv6 }}
|
|
|
|
+ listen [::]:{{ $external_http_port }} {{ $default_server }};
|
|
|
|
+ {{ end }}
|
|
|
|
+ {{- end }}
|
|
|
|
+ {{- if $is_https }}
|
|
listen {{ $external_https_port }} ssl http2 {{ $default_server }};
|
|
listen {{ $external_https_port }} ssl http2 {{ $default_server }};
|
|
{{ if $enable_ipv6 }}
|
|
{{ if $enable_ipv6 }}
|
|
listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }};
|
|
listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }};
|
|
{{ end }}
|
|
{{ end }}
|
|
- {{ $access_log }}
|
|
|
|
|
|
|
|
{{ template "ssl_policy" (dict "ssl_policy" $ssl_policy) }}
|
|
{{ template "ssl_policy" (dict "ssl_policy" $ssl_policy) }}
|
|
|
|
|
|
@@ -382,51 +381,13 @@ server {
|
|
{{ end }}
|
|
{{ end }}
|
|
|
|
|
|
{{ if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }}
|
|
{{ if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }}
|
|
- add_header Strict-Transport-Security "{{ trim $hsts }}" always;
|
|
|
|
- {{ end }}
|
|
|
|
-
|
|
|
|
- {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
|
|
|
|
- include {{ printf "/etc/nginx/vhost.d/%s" $host }};
|
|
|
|
- {{ else if (exists "/etc/nginx/vhost.d/default") }}
|
|
|
|
- include /etc/nginx/vhost.d/default;
|
|
|
|
- {{ end }}
|
|
|
|
-
|
|
|
|
- {{ range $path, $containers := $paths }}
|
|
|
|
- {{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost-vpath, falling back to "http" */}}
|
|
|
|
- {{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
|
|
|
|
-
|
|
|
|
- {{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
|
|
|
|
- {{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
|
|
|
|
- {{ $upstream := $upstream_name }}
|
|
|
|
- {{ $dest := "" }}
|
|
|
|
- {{ if gt $nPaths 0 }}
|
|
|
|
- {{ $sum := sha1 $path }}
|
|
|
|
- {{ $upstream = printf "%s-%s" $upstream $sum }}
|
|
|
|
- {{ $dest = (or (first (groupByKeys $containers "Env.VIRTUAL_DEST")) "") }}
|
|
|
|
- {{ end }}
|
|
|
|
- {{ template "location" (dict "Path" $path "Proto" $proto "Upstream" $upstream "Host" $host "VhostRoot" $vhost_root "Dest" $dest "NetworkTag" $network_tag) }}
|
|
|
|
- {{ end }}
|
|
|
|
- {{ if (not (contains $paths "/")) }}
|
|
|
|
- location / {
|
|
|
|
- return {{ $default_root_response }};
|
|
|
|
- }
|
|
|
|
- {{ end }}
|
|
|
|
-}
|
|
|
|
-
|
|
|
|
-{{ end }}
|
|
|
|
-
|
|
|
|
-{{ if or (not $is_https) (eq $https_method "noredirect") }}
|
|
|
|
-
|
|
|
|
-server {
|
|
|
|
- server_name {{ $host }};
|
|
|
|
- {{ if $server_tokens }}
|
|
|
|
- server_tokens {{ $server_tokens }};
|
|
|
|
- {{ end }}
|
|
|
|
- listen {{ $external_http_port }} {{ $default_server }};
|
|
|
|
- {{ if $enable_ipv6 }}
|
|
|
|
- listen [::]:{{ $external_http_port }} {{ $default_server }};
|
|
|
|
|
|
+ set $sts_header "";
|
|
|
|
+ if ($https) {
|
|
|
|
+ set $sts_header "{{ trim $hsts }}";
|
|
|
|
+ }
|
|
|
|
+ add_header Strict-Transport-Security $sts_header always;
|
|
{{ end }}
|
|
{{ end }}
|
|
- {{ $access_log }}
|
|
|
|
|
|
+ {{- end }}
|
|
|
|
|
|
{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
|
|
{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
|
|
include {{ printf "/etc/nginx/vhost.d/%s" $host }};
|
|
include {{ printf "/etc/nginx/vhost.d/%s" $host }};
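Review bot: The `if ($https)` guard around `set $sts_header` looks redundant as rendered: the HSTS block sits inside the new `{{- if $is_https }}` (closed by the added `{{- end }}` just below) and is skipped for `noredirect`, while the plain-HTTP `listen` in the earlier hunk is only emitted when `$is_https` is false or the method is `noredirect`, so this server block never serves plain HTTP on any path where the header is rendered. The construct is harmless — `if` with `set` in server context is a safe use, and nginx omits an `add_header` whose value is an empty string — but a reader will assume there is a mixed HTTP/HTTPS case it protects and that `$sts_header` can be empty in practice. Either restore the single line `add_header Strict-Transport-Security "{{ trim $hsts }}" always;` or keep the guard with a template comment stating its purpose, such as `{{/* $sts_header stays empty over plain HTTP; nginx drops add_header with an empty value, so HSTS is only sent on TLS responses */}}`. The enclosing server block opens and closes outside this hunk, so the check above is based on the conditions visible in the earlier hunks of this section.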
|
|
@@ -475,4 +436,3 @@ server {
|
|
{{ end }}
|
|
{{ end }}
|
|
|
|
|
|
{{ end }}
|
|
{{ end }}
|
|
-{{ end }}
|
|
|