123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636 |
- {{-
- }}
- {{- $globals := dict }}
- {{- $_ := set $globals "containers" $ }}
- {{- $_ := set $globals "Env" $.Env }}
- {{- $_ := set $globals "Docker" $.Docker }}
- {{- $_ := set $globals "CurrentContainer" (where $globals.containers "ID" $globals.Docker.CurrentContainerID | first) }}
- {{- $_ := set $globals "default_cert_ok" (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
- {{- $_ := set $globals "external_http_port" (coalesce $globals.Env.HTTP_PORT "80") }}
- {{- $_ := set $globals "external_https_port" (coalesce $globals.Env.HTTPS_PORT "443") }}
- {{- $_ := set $globals "sha1_upstream_name" (parseBool (coalesce $globals.Env.SHA1_UPSTREAM_NAME "false")) }}
- {{- $_ := set $globals "default_root_response" (coalesce $globals.Env.DEFAULT_ROOT "404") }}
- {{- $_ := set $globals "trust_downstream_proxy" (parseBool (coalesce $globals.Env.TRUST_DOWNSTREAM_PROXY "true")) }}
- {{- $_ := set $globals "access_log" (or (and (not $globals.Env.DISABLE_ACCESS_LOGS) "access_log /var/log/nginx/access.log vhost;") "") }}
- {{- $_ := set $globals "enable_ipv6" (parseBool (coalesce $globals.Env.ENABLE_IPV6 "false")) }}
- {{- $_ := set $globals "ssl_policy" (or ($globals.Env.SSL_POLICY) "Mozilla-Intermediate") }}
- {{- $_ := set $globals "vhosts" (dict) }}
- {{- $_ := set $globals "networks" (dict) }}
- {{-
- }}
- {{- if $globals.CurrentContainer }}
- {{- range sortObjectsByKeysAsc $globals.CurrentContainer.Networks "Name" }}
- {{- $_ := set $globals.networks .Name . }}
- {{- else }}
- {{- end }}
- {{- else }}
- {{- end }}
- {{-
- }}
- {{- define "container_ip" }}
- {{- $ip := "" }}
-
- {{- range sortObjectsByKeysAsc $.container.Networks "Name" }}
- {{-
- }}
- {{- if eq .Name "ingress" }}
-
- {{- continue }}
- {{- end }}
- {{- if and (not (index $.globals.networks .Name)) (not $.globals.networks.host) }}
-
- {{- continue }}
- {{- end }}
- {{-
- }}
- {{- if $ip }}
-
- {{- continue }}
- {{- end }}
-
- {{- if and . .IP }}
- {{- $ip = .IP }}
- {{- else }}
-
- {{- end }}
- {{- else }}
-
- {{- end }}
-
- {{- $_ := set $ "ip" $ip }}
- {{- end }}
- {{-
- }}
- {{- define "container_port" }}
- {{- }}
-
- {{- $default_port := when (eq (len $.container.Addresses) 1) (first $.container.Addresses).Port "80" }}
-
- {{- $port := or $.container.Env.VIRTUAL_PORT $default_port }}
-
- {{- $addr_obj := where $.container.Addresses "Port" $port | first }}
- {{- if and $addr_obj $addr_obj.HostPort }}
-
-
-
- {{- end }}
- {{- $_ := set $ "port" $port }}
- {{- end }}
- {{- define "ssl_policy" }}
- {{- if eq .ssl_policy "Mozilla-Modern" }}
- ssl_protocols TLSv1.3;
- {{-
- }}
- ssl_ciphers HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers off;
- {{- else if eq .ssl_policy "Mozilla-Intermediate" }}
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
- ssl_prefer_server_ciphers off;
- {{- else if eq .ssl_policy "Mozilla-Old" }}
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA';
- ssl_prefer_server_ciphers on;
- {{- else if eq .ssl_policy "AWS-TLS-1-2-2017-01" }}
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';
- ssl_prefer_server_ciphers on;
- {{- else if eq .ssl_policy "AWS-TLS-1-1-2017-01" }}
- ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
- ssl_prefer_server_ciphers on;
- {{- else if eq .ssl_policy "AWS-2016-08" }}
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
- ssl_prefer_server_ciphers on;
- {{- else if eq .ssl_policy "AWS-2015-05" }}
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA';
- ssl_prefer_server_ciphers on;
- {{- else if eq .ssl_policy "AWS-2015-03" }}
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA';
- ssl_prefer_server_ciphers on;
- {{- else if eq .ssl_policy "AWS-2015-02" }}
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA';
- ssl_prefer_server_ciphers on;
- {{- end }}
- {{- end }}
- {{- define "location" }}
- {{- $override := printf "/etc/nginx/vhost.d/%s_%s_location_override" .Host (sha1 .Path) }}
- {{- if and (eq .Path "/") (not (exists $override)) }}
- {{- $override = printf "/etc/nginx/vhost.d/%s_location_override" .Host }}
- {{- end }}
- {{- if exists $override }}
- include {{ $override }};
- {{- else }}
- {{- $keepalive := first (keys (groupByLabel .Containers "com.github.nginx-proxy.nginx-proxy.keepalive")) }}
- location {{ .Path }} {
- {{- if eq .NetworkTag "internal" }}
-
- include /etc/nginx/network_internal.conf;
- {{- end }}
- {{- if eq .Proto "uwsgi" }}
- include uwsgi_params;
- uwsgi_pass {{ trim .Proto }}:
- {{- else if eq .Proto "fastcgi" }}
- root {{ trim .VhostRoot }};
- include fastcgi_params;
- fastcgi_pass {{ trim .Upstream }};
- {{- if $keepalive }}
- fastcgi_keep_conn on;
- {{- end }}
- {{- else if eq .Proto "grpc" }}
- grpc_pass {{ trim .Proto }}:
- {{- else }}
- proxy_pass {{ trim .Proto }}:
- set $upstream_keepalive {{ if $keepalive }}true{{ else }}false{{ end }};
- {{- end }}
- {{- if (exists (printf "/etc/nginx/htpasswd/%s" .Host)) }}
- auth_basic "Restricted {{ .Host }}";
- auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" .Host) }};
- {{- end }}
- {{- if (exists (printf "/etc/nginx/vhost.d/%s_%s_location" .Host (sha1 .Path) )) }}
- include {{ printf "/etc/nginx/vhost.d/%s_%s_location" .Host (sha1 .Path) }};
- {{- else if (exists (printf "/etc/nginx/vhost.d/%s_location" .Host)) }}
- include {{ printf "/etc/nginx/vhost.d/%s_location" .Host}};
- {{- else if (exists "/etc/nginx/vhost.d/default_location") }}
- include /etc/nginx/vhost.d/default_location;
- {{- end }}
- }
- {{- end }}
- {{- end }}
- {{- define "upstream" }}
- upstream {{ .Upstream }} {
- {{- $server_found := false }}
- {{- $loadbalance := first (keys (groupByLabel .Containers "com.github.nginx-proxy.nginx-proxy.loadbalance")) }}
- {{- if $loadbalance }}
-
- {{ $loadbalance }}
- {{- end }}
- {{- range $container := .Containers }}
-
- {{- $args := dict "globals" $.globals "container" $container }}
- {{- template "container_ip" $args }}
- {{- $ip := $args.ip }}
- {{- $args := dict "container" $container }}
- {{- template "container_port" $args }}
- {{- $port := $args.port }}
- {{- if $ip }}
- {{- $server_found = true }}
- server {{ $ip }}:{{ $port }};
- {{- end }}
- {{- end }}
- {{- }}
- {{- if not $server_found }}
-
- server 127.0.0.1 down;
- {{- end }}
- {{- $keepalive := first (keys (groupByLabel .Containers "com.github.nginx-proxy.nginx-proxy.keepalive")) }}
- {{- if $keepalive }}
- keepalive {{ $keepalive }};
- {{- end }}
- }
- {{- end }}
- map $http_x_forwarded_proto $proxy_x_forwarded_proto {
- default {{ if $globals.trust_downstream_proxy }}$http_x_forwarded_proto{{ else }}$scheme{{ end }};
- '' $scheme;
- }
- map $http_x_forwarded_host $proxy_x_forwarded_host {
- default {{ if $globals.trust_downstream_proxy }}$http_x_forwarded_host{{ else }}$http_host{{ end }};
- '' $http_host;
- }
- map $http_x_forwarded_port $proxy_x_forwarded_port {
- default {{ if $globals.trust_downstream_proxy }}$http_x_forwarded_port{{ else }}$server_port{{ end }};
- '' $server_port;
- }
- map $http_upgrade $proxy_connection {
- default upgrade;
- '' $proxy_connection_noupgrade;
- }
- map $upstream_keepalive $proxy_connection_noupgrade {
-
- default close;
-
- true '';
- }
- map "" $upstream_keepalive {
-
-
-
- default false;
- }
- server_names_hash_bucket_size 128;
- {{- if (exists "/etc/nginx/dhparam/dhparam.pem") }}
- ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
- {{- end }}
- map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
- default off;
- https on;
- }
- gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
- log_format vhost '{{ or $globals.Env.LOG_FORMAT "$host $remote_addr - $remote_user [$time_local] \"$request\" $status $body_bytes_sent \"$http_referer\" \"$http_user_agent\" \"$upstream_addr\"" }}';
- access_log off;
- {{- template "ssl_policy" (dict "ssl_policy" $globals.ssl_policy) }}
- error_log /dev/stderr;
- {{- if $globals.Env.RESOLVERS }}
- resolver {{ $globals.Env.RESOLVERS }};
- {{- end }}
- {{- if (exists "/etc/nginx/proxy.conf") }}
- include /etc/nginx/proxy.conf;
- {{- else }}
- proxy_http_version 1.1;
- proxy_buffering off;
- proxy_set_header Host $http_host;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $proxy_connection;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
- proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
- proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
- proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
- proxy_set_header X-Original-URI $request_uri;
- proxy_set_header Proxy "";
- {{- end }}
- {{-
- }}
- {{- range $vhost, $containers := groupByMulti $globals.containers "Env.VIRTUAL_HOST" "," }}
- {{- $vhost := trim $vhost }}
- {{- if not $vhost }}
- {{- }}
- {{- continue }}
- {{- end }}
- {{- $certName := first (groupByKeys $containers "Env.CERT_NAME") }}
- {{- $vhostCert := closest (dir "/etc/nginx/certs") (printf "%s.crt" $vhost) }}
- {{- $vhostCert = trimSuffix ".crt" $vhostCert }}
- {{- $vhostCert = trimSuffix ".key" $vhostCert }}
- {{- $cert := or $certName $vhostCert }}
- {{- $cert_ok := and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert)) }}
- {{- $default := eq $globals.Env.DEFAULT_HOST $vhost }}
- {{- $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) $globals.Env.HTTPS_METHOD "redirect" }}
- {{- $_ := set $globals.vhosts $vhost (dict "cert" $cert "cert_ok" $cert_ok "containers" $containers "default" $default "https_method" $https_method) }}
- {{- end }}
- {{-
- }}
- {{- block "fallback_server" $globals }}
- {{- $globals := . }}
- {{- $http_exists := false }}
- {{- $https_exists := false }}
- {{- $default_http_exists := false }}
- {{- $default_https_exists := false }}
- {{- range $vhost := $globals.vhosts }}
- {{- $http := or (ne $vhost.https_method "nohttp") (not $vhost.cert_ok) }}
- {{- $https := ne $vhost.https_method "nohttps" }}
- {{- $http_exists = or $http_exists $http }}
- {{- $https_exists = or $https_exists $https }}
- {{- $default_http_exists = or $default_http_exists (and $http $vhost.default) }}
- {{- $default_https_exists = or $default_https_exists (and $https $vhost.default) }}
- {{- end }}
- {{- $fallback_http := and $http_exists (not $default_http_exists) }}
- {{- $fallback_https := and $https_exists (not $default_https_exists) }}
- {{-
- }}
- {{- if and (not $http_exists) (not $https_exists) }}
- {{- $fallback_http = true }}
- {{- $fallback_https = true }}
- {{- end }}
- {{- if or $fallback_http $fallback_https }}
- server {
- server_name _;
- server_tokens off;
- {{- if $fallback_http }}
- listen {{ $globals.external_http_port }}; {{- }}
- {{- if $globals.enable_ipv6 }}
- listen [::]:{{ $globals.external_http_port }}; {{- }}
- {{- end }}
- {{- end }}
- {{- if $fallback_https }}
- listen {{ $globals.external_https_port }} ssl http2; {{- }}
- {{- if $globals.enable_ipv6 }}
- listen [::]:{{ $globals.external_https_port }} ssl http2; {{- }}
- {{- end }}
- ssl_session_cache shared:SSL:50m;
- ssl_session_tickets off;
- {{- end }}
- {{ $globals.access_log }}
- {{- if $globals.default_cert_ok }}
- ssl_certificate /etc/nginx/certs/default.crt;
- ssl_certificate_key /etc/nginx/certs/default.key;
- {{- else }}
-
-
- {{- }}
- ssl_ciphers aNULL;
- set $empty "";
- ssl_certificate data:$empty;
- ssl_certificate_key data:$empty;
- if ($https) {
- return 444;
- }
- {{- end }}
- return 503;
- }
- {{- end }}
- {{- end }}
- {{- range $host, $vhost := $globals.vhosts }}
- {{- $cert := $vhost.cert }}
- {{- $cert_ok := $vhost.cert_ok }}
- {{- $containers := $vhost.containers }}
- {{- $default_server := when $vhost.default "default_server" "" }}
- {{- $https_method := $vhost.https_method }}
- {{- $is_regexp := hasPrefix "~" $host }}
- {{- $upstream_name := when (or $is_regexp $globals.sha1_upstream_name) (sha1 $host) $host }}
- {{- $paths := groupBy $containers "Env.VIRTUAL_PATH" }}
- {{- $nPaths := len $paths }}
- {{- if eq $nPaths 0 }}
- {{- $paths = dict "/" $containers }}
- {{- end }}
- {{- range $path, $containers := $paths }}
- {{- $upstream := $upstream_name }}
- {{- if gt $nPaths 0 }}
- {{- $sum := sha1 $path }}
- {{- $upstream = printf "%s-%s" $upstream $sum }}
- {{- end }}
- {{ template "upstream" (dict "globals" $globals "Upstream" $upstream "Containers" $containers) }}
- {{- end }}
- {{-
- }}
- {{- $server_tokens := trim (or (first (groupByKeys $containers "Env.SERVER_TOKENS")) "") }}
- {{-
- }}
- {{- $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "" }}
- {{-
- }}
- {{- $hsts := or (first (groupByKeys $containers "Env.HSTS")) (or $globals.Env.HSTS "max-age=31536000") }}
- {{- }}
- {{- $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
- {{- if and $cert_ok (eq $https_method "redirect") }}
- server {
- server_name {{ $host }};
- {{- if $server_tokens }}
- server_tokens {{ $server_tokens }};
- {{- end }}
- listen {{ $globals.external_http_port }} {{ $default_server }};
- {{- if $globals.enable_ipv6 }}
- listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
- {{- end }}
- {{ $globals.access_log }}
-
- location ^~ /.well-known/acme-challenge/ {
- auth_basic off;
- auth_request off;
- allow all;
- root /usr/share/nginx/html;
- try_files $uri =404;
- break;
- }
- location / {
- {{- if eq $globals.external_https_port "443" }}
- return 301 https:
- {{- else }}
- return 301 https:
- {{- end }}
- }
- }
- {{- end }}
- server {
- server_name {{ $host }};
- {{- if $server_tokens }}
- server_tokens {{ $server_tokens }};
- {{- end }}
- {{ $globals.access_log }}
- {{- if or (eq $https_method "nohttps") (not $cert_ok) (eq $https_method "noredirect") }}
- listen {{ $globals.external_http_port }} {{ $default_server }};
- {{- if $globals.enable_ipv6 }}
- listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
- {{- end }}
- {{- end }}
- {{- if ne $https_method "nohttps" }}
- listen {{ $globals.external_https_port }} ssl http2 {{ $default_server }};
- {{- if $globals.enable_ipv6 }}
- listen [::]:{{ $globals.external_https_port }} ssl http2 {{ $default_server }};
- {{- end }}
- {{- if $cert_ok }}
- {{- template "ssl_policy" (dict "ssl_policy" $ssl_policy) }}
- ssl_session_timeout 5m;
- ssl_session_cache shared:SSL:50m;
- ssl_session_tickets off;
- ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
- ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
- {{- if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }}
- ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
- {{- end }}
- {{- if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }}
- ssl_stapling on;
- ssl_stapling_verify on;
- ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};
- {{- end }}
- {{- if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }}
- set $sts_header "";
- if ($https) {
- set $sts_header "{{ trim $hsts }}";
- }
- add_header Strict-Transport-Security $sts_header always;
- {{- end }}
- {{- else if $globals.default_cert_ok }}
-
-
- ssl_certificate /etc/nginx/certs/default.crt;
- ssl_certificate_key /etc/nginx/certs/default.key;
- if ($https) {
- return 500;
- }
- {{- else }}
-
-
- {{-
- }}
- ssl_ciphers aNULL;
- set $empty "";
- ssl_certificate data:$empty;
- ssl_certificate_key data:$empty;
- if ($https) {
- return 444;
- }
- {{- end }}
- {{- end }}
- {{- if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
- include {{ printf "/etc/nginx/vhost.d/%s" $host }};
- {{- else if (exists "/etc/nginx/vhost.d/default") }}
- include /etc/nginx/vhost.d/default;
- {{- end }}
- {{- range $path, $containers := $paths }}
- {{-
- }}
- {{- $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
- {{-
- }}
- {{- $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
- {{- $upstream := $upstream_name }}
- {{- $dest := "" }}
- {{- if gt $nPaths 0 }}
- {{- $sum := sha1 $path }}
- {{- $upstream = printf "%s-%s" $upstream $sum }}
- {{- $dest = (or (first (groupByKeys $containers "Env.VIRTUAL_DEST")) "") }}
- {{- end }}
- {{- template "location" (dict "Path" $path "Proto" $proto "Upstream" $upstream "Host" $host "VhostRoot" $vhost_root "Dest" $dest "NetworkTag" $network_tag "Containers" $containers) }}
- {{- end }}
- {{- if and (not (contains $paths "/")) (ne $globals.default_root_response "none")}}
- location / {
- return {{ $globals.default_root_response }};
- }
- {{- end }}
- }
- {{- end }}