|
@@ -24,6 +24,13 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
|
|
'' $scheme;
|
|
'' $scheme;
|
|
}
|
|
}
|
|
|
|
|
|
|
|
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
|
|
|
|
+# server port the client connected to
|
|
|
|
+map $http_x_forwarded_port $proxy_x_forwarded_port {
|
|
|
|
+ default $http_x_forwarded_port;
|
|
|
|
+ '' $server_port;
|
|
|
|
+}
|
|
|
|
+
|
|
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
|
|
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
|
|
# Connection header that may have been passed to this server
|
|
# Connection header that may have been passed to this server
|
|
map $http_upgrade $proxy_connection {
|
|
map $http_upgrade $proxy_connection {
|
|
@@ -37,6 +44,12 @@ server_names_hash_bucket_size 128;
|
|
# Default dhparam
|
|
# Default dhparam
|
|
ssl_dhparam /etc/nginx/dhparam.pem;
|
|
ssl_dhparam /etc/nginx/dhparam.pem;
|
|
|
|
|
|
|
|
+# Set appropriate X-Forwarded-Ssl header
|
|
|
|
+map $scheme $proxy_x_forwarded_ssl {
|
|
|
|
+ default off;
|
|
|
|
+ https on;
|
|
|
|
+}
|
|
|
|
+
|
|
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
|
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
|
|
|
|
|
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
|
|
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
|
|
@@ -57,6 +70,8 @@ proxy_set_header Connection $proxy_connection;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
|
|
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
|
|
|
|
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
|
|
|
|
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
|
|
|
|
|
|
# Mitigate httpoxy attack (see README for details)
|
|
# Mitigate httpoxy attack (see README for details)
|
|
proxy_set_header Proxy "";
|
|
proxy_set_header Proxy "";
|
|
@@ -83,8 +98,9 @@ server {
|
|
{{ end }}
|
|
{{ end }}
|
|
|
|
|
|
{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
|
|
{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
|
|
-
|
|
|
|
-upstream {{ $host }} {
|
|
|
|
|
|
+{{ $upstream_name := sha1 $host }}
|
|
|
|
+# {{ $host }}
|
|
|
|
+upstream {{ $upstream_name }} {
|
|
{{ range $container := $containers }}
|
|
{{ range $container := $containers }}
|
|
{{ $addrLen := len $container.Addresses }}
|
|
{{ $addrLen := len $container.Addresses }}
|
|
|
|
|
|
@@ -177,9 +193,9 @@ server {
|
|
location / {
|
|
location / {
|
|
{{ if eq $proto "uwsgi" }}
|
|
{{ if eq $proto "uwsgi" }}
|
|
include uwsgi_params;
|
|
include uwsgi_params;
|
|
- uwsgi_pass {{ trim $proto }}://{{ trim $host }};
|
|
|
|
|
|
+ uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
|
|
{{ else }}
|
|
{{ else }}
|
|
- proxy_pass {{ trim $proto }}://{{ trim $host }};
|
|
|
|
|
|
+ proxy_pass {{ trim $proto }}://{{ trim $upstream_name }};
|
|
{{ end }}
|
|
{{ end }}
|
|
{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
|
|
{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
|
|
auth_basic "Restricted {{ $host }}";
|
|
auth_basic "Restricted {{ $host }}";
|
|
@@ -211,9 +227,9 @@ server {
|
|
location / {
|
|
location / {
|
|
{{ if eq $proto "uwsgi" }}
|
|
{{ if eq $proto "uwsgi" }}
|
|
include uwsgi_params;
|
|
include uwsgi_params;
|
|
- uwsgi_pass {{ trim $proto }}://{{ trim $host }};
|
|
|
|
|
|
+ uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
|
|
{{ else }}
|
|
{{ else }}
|
|
- proxy_pass {{ trim $proto }}://{{ trim $host }};
|
|
|
|
|
|
+ proxy_pass {{ trim $proto }}://{{ trim $upstream_name }};
|
|
{{ end }}
|
|
{{ end }}
|
|
{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
|
|
{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
|
|
auth_basic "Restricted {{ $host }}";
|
|
auth_basic "Restricted {{ $host }}";
|