|
@@ -277,8 +277,8 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
|
|
|
}
|
|
|
|
|
|
map $http_x_forwarded_host $proxy_x_forwarded_host {
|
|
|
- default {{ if $globals.trust_downstream_proxy }}$http_x_forwarded_host{{ else }}$http_host{{ end }};
|
|
|
- '' $http_host;
|
|
|
+ default {{ if $globals.trust_downstream_proxy }}$http_x_forwarded_host{{ else }}$host{{ end }};
|
|
|
+ '' $host;
|
|
|
}
|
|
|
|
|
|
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
|
|
@@ -350,7 +350,7 @@ include /etc/nginx/proxy.conf;
|
|
|
# HTTP 1.1 support
|
|
|
proxy_http_version 1.1;
|
|
|
proxy_buffering off;
|
|
|
-proxy_set_header Host $http_host;
|
|
|
+proxy_set_header Host $host;
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
|
proxy_set_header Connection $proxy_connection;
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
@@ -384,7 +384,15 @@ proxy_set_header Proxy "";
|
|
|
{{- $cert_ok := and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert)) }}
|
|
|
{{- $default := eq $globals.Env.DEFAULT_HOST $vhost }}
|
|
|
{{- $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) $globals.Env.HTTPS_METHOD "redirect" }}
|
|
|
- {{- $_ := set $globals.vhosts $vhost (dict "cert" $cert "cert_ok" $cert_ok "containers" $containers "default" $default "https_method" $https_method) }}
|
|
|
+ {{- $http3 := parseBool (or (first (keys (groupByLabel $containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}}
|
|
|
+ {{- $_ := set $globals.vhosts $vhost (dict
|
|
|
+ "cert" $cert
|
|
|
+ "cert_ok" $cert_ok
|
|
|
+ "containers" $containers
|
|
|
+ "default" $default
|
|
|
+ "https_method" $https_method
|
|
|
+ "http3" $http3
|
|
|
+ ) }}
|
|
|
{{- end }}
|
|
|
|
|
|
{{- /*
|
|
@@ -406,6 +414,7 @@ proxy_set_header Proxy "";
|
|
|
{{- $https_exists := false }}
|
|
|
{{- $default_http_exists := false }}
|
|
|
{{- $default_https_exists := false }}
|
|
|
+ {{- $http3 := false }}
|
|
|
{{- range $vhost := $globals.vhosts }}
|
|
|
{{- $http := or (ne $vhost.https_method "nohttp") (not $vhost.cert_ok) }}
|
|
|
{{- $https := ne $vhost.https_method "nohttps" }}
|
|
@@ -413,6 +422,7 @@ proxy_set_header Proxy "";
|
|
|
{{- $https_exists = or $https_exists $https }}
|
|
|
{{- $default_http_exists = or $default_http_exists (and $http $vhost.default) }}
|
|
|
{{- $default_https_exists = or $default_https_exists (and $https $vhost.default) }}
|
|
|
+ {{- $http3 = or $http3 $vhost.http3 }}
|
|
|
{{- end }}
|
|
|
{{- $fallback_http := and $http_exists (not $default_http_exists) }}
|
|
|
{{- $fallback_https := and $https_exists (not $default_https_exists) }}
|
|
@@ -429,6 +439,7 @@ proxy_set_header Proxy "";
|
|
|
server {
|
|
|
server_name _; # This is just an invalid value which will never trigger on a real hostname.
|
|
|
server_tokens off;
|
|
|
+ {{ $globals.access_log }}
|
|
|
http2 on;
|
|
|
{{- if $fallback_http }}
|
|
|
listen {{ $globals.external_http_port }}; {{- /* Do not add `default_server` (see comment above). */}}
|
|
@@ -441,10 +452,16 @@ server {
|
|
|
{{- if $globals.enable_ipv6 }}
|
|
|
listen [::]:{{ $globals.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}}
|
|
|
{{- end }}
|
|
|
+ {{- if $http3 }}
|
|
|
+ http3 on;
|
|
|
+ listen {{ $globals.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}}
|
|
|
+ {{- if $globals.enable_ipv6 }}
|
|
|
+ listen [::]:{{ $globals.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}}
|
|
|
+ {{- end }}
|
|
|
+ {{- end }}
|
|
|
ssl_session_cache shared:SSL:50m;
|
|
|
ssl_session_tickets off;
|
|
|
{{- end }}
|
|
|
- {{ $globals.access_log }}
|
|
|
{{- if $globals.default_cert_ok }}
|
|
|
ssl_certificate /etc/nginx/certs/default.crt;
|
|
|
ssl_certificate_key /etc/nginx/certs/default.key;
|
|
@@ -471,6 +488,8 @@ server {
|
|
|
{{- $containers := $vhost.containers }}
|
|
|
{{- $default_server := when $vhost.default "default_server" "" }}
|
|
|
{{- $https_method := $vhost.https_method }}
|
|
|
+ {{- $http2 := parseBool (or (first (keys (groupByLabel $containers "com.github.nginx-proxy.nginx-proxy.http2.enable"))) $globals.Env.ENABLE_HTTP2 "true")}}
|
|
|
+ {{- $http3 := parseBool (or (first (keys (groupByLabel $containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}}
|
|
|
|
|
|
{{- $is_regexp := hasPrefix "~" $host }}
|
|
|
{{- $upstream_name := when (or $is_regexp $globals.sha1_upstream_name) (sha1 $host) $host }}
|
|
@@ -518,11 +537,11 @@ server {
|
|
|
{{- if $server_tokens }}
|
|
|
server_tokens {{ $server_tokens }};
|
|
|
{{- end }}
|
|
|
+ {{ $globals.access_log }}
|
|
|
listen {{ $globals.external_http_port }} {{ $default_server }};
|
|
|
{{- if $globals.enable_ipv6 }}
|
|
|
listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
|
|
|
{{- end }}
|
|
|
- {{ $globals.access_log }}
|
|
|
|
|
|
# Do not HTTPS redirect Let's Encrypt ACME challenge
|
|
|
location ^~ /.well-known/acme-challenge/ {
|
|
@@ -549,8 +568,10 @@ server {
|
|
|
{{- if $server_tokens }}
|
|
|
server_tokens {{ $server_tokens }};
|
|
|
{{- end }}
|
|
|
- http2 on;
|
|
|
{{ $globals.access_log }}
|
|
|
+ {{- if $http2 }}
|
|
|
+ http2 on;
|
|
|
+ {{- end }}
|
|
|
{{- if or (eq $https_method "nohttps") (not $cert_ok) (eq $https_method "noredirect") }}
|
|
|
listen {{ $globals.external_http_port }} {{ $default_server }};
|
|
|
{{- if $globals.enable_ipv6 }}
|
|
@@ -563,6 +584,15 @@ server {
|
|
|
listen [::]:{{ $globals.external_https_port }} ssl {{ $default_server }};
|
|
|
{{- end }}
|
|
|
|
|
|
+ {{- if $http3 }}
|
|
|
+ http3 on;
|
|
|
+ add_header alt-svc 'h3=":{{ $globals.external_https_port }}"; ma=86400;';
|
|
|
+ listen {{ $globals.external_https_port }} quic {{ $default_server }};
|
|
|
+ {{- if $globals.enable_ipv6 }}
|
|
|
+ listen [::]:{{ $globals.external_https_port }} quic {{ $default_server }};
|
|
|
+ {{- end }}
|
|
|
+ {{- end }}
|
|
|
+
|
|
|
{{- if $cert_ok }}
|
|
|
{{- template "ssl_policy" (dict "ssl_policy" $ssl_policy) }}
|
|
|
|
|
@@ -645,7 +675,16 @@ server {
|
|
|
{{- $upstream = printf "%s-%s" $upstream $sum }}
|
|
|
{{- $dest = (or (first (groupByKeys $containers "Env.VIRTUAL_DEST")) "") }}
|
|
|
{{- end }}
|
|
|
- {{- template "location" (dict "Path" $path "Proto" $proto "Upstream" $upstream "Host" $host "VhostRoot" $vhost_root "Dest" $dest "NetworkTag" $network_tag "Containers" $containers) }}
|
|
|
+ {{- template "location" (dict
|
|
|
+ "Path" $path
|
|
|
+ "Proto" $proto
|
|
|
+ "Upstream" $upstream
|
|
|
+ "Host" $host
|
|
|
+ "VhostRoot" $vhost_root
|
|
|
+ "Dest" $dest
|
|
|
+ "NetworkTag" $network_tag
|
|
|
+ "Containers" $containers
|
|
|
+ ) }}
|
|
|
{{- end }}
|
|
|
{{- if and (not (contains $paths "/")) (ne $globals.default_root_response "none")}}
|
|
|
location / {
|