nginx.tmpl 53 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048
  1. # nginx-proxy{{ if $.Env.NGINX_PROXY_VERSION }} version : {{ $.Env.NGINX_PROXY_VERSION }}{{ end }}
  2. {{- /*
  3. * Global values. Values are stored in this map rather than in individual
  4. * global variables so that the values can be easily passed to embedded
  5. * templates (Go templates cannot access variables outside of their own
  6. * scope) and displayed in the debug endpoint output.
  7. */}}
  8. {{- $globals := dict }}
  9. {{- $_ := set $globals "containers" $ }}
  10. {{- $_ := set $globals "Env" $.Env }}
  11. {{- $_ := set $globals "Docker" $.Docker }}
  12. {{- $config := dict }}
  13. {{- $_ := set $config "nginx_proxy_version" $.Env.NGINX_PROXY_VERSION }}
  14. {{- $_ := set $config "nginx_container_label" ($.Env.NGINX_CONTAINER_LABEL | default "com.github.nginx-proxy.nginx-proxy.nginx") }}
  15. {{- $_ := set $config "default_cert_ok" (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
  16. {{- $_ := set $config "external_http_port" ($globals.Env.HTTP_PORT | default "80") }}
  17. {{- $_ := set $config "external_https_port" ($globals.Env.HTTPS_PORT | default "443") }}
  18. {{- $_ := set $config "sha1_upstream_name" ($globals.Env.SHA1_UPSTREAM_NAME | default "false" | parseBool) }}
  19. {{- $_ := set $config "default_root_response" ($globals.Env.DEFAULT_ROOT | default "404") }}
  20. {{- $_ := set $config "trust_default_cert" ($globals.Env.TRUST_DEFAULT_CERT | default "true") }}
  21. {{- $_ := set $config "trust_downstream_proxy" ($globals.Env.TRUST_DOWNSTREAM_PROXY | default "true" | parseBool) }}
  22. {{- $_ := set $config "enable_access_log" ($globals.Env.DISABLE_ACCESS_LOGS | default "false" | parseBool | not) }}
  23. {{- $_ := set $config "enable_ipv6" ($globals.Env.ENABLE_IPV6 | default "false" | parseBool) }}
  24. {{- $_ := set $config "prefer_ipv6_network" ($globals.Env.PREFER_IPV6_NETWORK | default "false" | parseBool) }}
  25. {{- $_ := set $config "ssl_policy" ($globals.Env.SSL_POLICY | default "Mozilla-Intermediate") }}
  26. {{- $_ := set $config "enable_debug_endpoint" ($globals.Env.DEBUG_ENDPOINT | default "false") }}
  27. {{- $_ := set $config "hsts" ($globals.Env.HSTS | default "max-age=31536000") }}
  28. {{- $_ := set $config "acme_http_challenge" ($globals.Env.ACME_HTTP_CHALLENGE_LOCATION | default "true") }}
  29. {{- $_ := set $config "enable_http2" ($globals.Env.ENABLE_HTTP2 | default "true") }}
  30. {{- $_ := set $config "enable_http3" ($globals.Env.ENABLE_HTTP3 | default "false") }}
  31. {{- $_ := set $config "enable_http_on_missing_cert" ($globals.Env.ENABLE_HTTP_ON_MISSING_CERT | default "true") }}
  32. {{- $_ := set $config "https_method" ($globals.Env.HTTPS_METHOD | default "redirect") }}
  33. {{- $_ := set $config "non_get_redirect" ($globals.Env.NON_GET_REDIRECT | default "301") }}
  34. {{- $_ := set $config "default_host" $globals.Env.DEFAULT_HOST }}
  35. {{- $_ := set $config "resolvers" $globals.Env.RESOLVERS }}
  36. {{- /* LOG_JSON is a shorthand that sets logging defaults to JSON format */}}
  37. {{- $_ := set $config "enable_json_logs" ($globals.Env.LOG_JSON | default "false" | parseBool) }}
  38. {{- $_ := set $config "log_format" $globals.Env.LOG_FORMAT }}
  39. {{- $_ := set $config "log_format_escape" $globals.Env.LOG_FORMAT_ESCAPE }}
  40. {{- $_ := set $globals "config" $config }}
  41. {{- $_ := set $globals "vhosts" (dict) }}
  42. {{- $_ := set $globals "networks" (dict) }}
  43. {{- $currentContainer := where $globals.containers "ID" $globals.Docker.CurrentContainerID | first }}
  44. {{- $labeledContainer := whereLabelExists $globals.containers $globals.config.nginx_container_label | first }}
  45. {{- $_ := set $globals "NetworkContainer" ($labeledContainer | default $currentContainer) }}
  46. # Networks available to the container labeled "{{ $globals.config.nginx_container_label }}" or the one running docker-gen
  47. # (which are assumed to match the networks available to the container running nginx):
  48. {{- /*
  49. * Note:
  50. * $globals.NetworkContainer may be nil in some circumstances due to https://github.com/nginx-proxy/docker-gen/issues/458.
  51. * For more context see https://github.com/nginx-proxy/nginx-proxy/issues/2189.
  52. */}}
  53. {{- if $globals.NetworkContainer }}
  54. {{- range sortObjectsByKeysAsc $globals.NetworkContainer.Networks "Name" }}
  55. {{- $_ := set $globals.networks .Name . }}
  56. # {{ .Name }}
  57. {{- else }}
  58. # (none)
  59. {{- end }}
  60. {{- else }}
  61. # /!\ WARNING: Failed to find the Docker container labeled "{{ $globals.config.nginx_container_label }}" or the one running docker-gen.
  62. # All upstream (backend) application containers will appear to be unreachable.
  63. # Try removing the -only-exposed and -only-published arguments to docker-gen if you pass either of those.
  64. # See https://github.com/nginx-proxy/docker-gen/issues/458.
  65. {{- end }}
  66. {{- /*
  67. * Template used as a function to get a container's IP address. This
  68. * template only outputs debug comments; the IP address is "returned" by
  69. * storing the value in the provided dot dict.
  70. *
  71. * The provided dot dict is expected to have the following entries:
  72. * - "globals": Global values.
  73. * - "container": The container's RuntimeContainer struct.
  74. *
  75. * The return value will be added to the dot dict with key "ip".
  76. */}}
  77. {{- define "container_ip" }}
  78. {{- $ipv4 := "" }}
  79. {{- $ipv6 := "" }}
  80. # networks:
  81. {{- range sortObjectsByKeysAsc $.container.Networks "Name" }}
  82. {{- /*
  83. * TODO: Only ignore the "ingress" network for Swarm tasks (in case
  84. * the user is not using Swarm mode and names a network "ingress").
  85. */}}
  86. {{- if eq .Name "ingress" }}
  87. # {{ .Name }} (ignored)
  88. {{- continue }}
  89. {{- end }}
  90. {{- if eq .Name "host" }}
  91. {{- /* Handle containers in host nework mode */}}
  92. {{- if (index $.globals.networks "host") }}
  93. # both container and proxy are in host network mode, using localhost IP
  94. {{- $ipv4 = "127.0.0.1" }}
  95. {{- continue }}
  96. {{- end }}
  97. {{- range sortObjectsByKeysAsc $.globals.NetworkContainer.Networks "Name" }}
  98. {{- if and . .Gateway (not .Internal) }}
  99. # container is in host network mode, using {{ .Name }} gateway IP
  100. {{- $ipv4 = .Gateway }}
  101. {{- break }}
  102. {{- end }}
  103. {{- end }}
  104. {{- if $ipv4 }}
  105. {{- continue }}
  106. {{- end }}
  107. {{- end }}
  108. {{- if and (not (index $.globals.networks .Name)) (not $.globals.networks.host) }}
  109. # {{ .Name }} (unreachable)
  110. {{- continue }}
  111. {{- end }}
  112. {{- /*
  113. * Do not emit multiple `server` directives for this container if it
  114. * is reachable over multiple networks or multiple IP stacks. This avoids
  115. * accidentally inflating the effective round-robin weight of a server due
  116. * to the redundant upstream addresses that nginx sees as belonging to
  117. * distinct servers.
  118. */}}
  119. {{- if or $ipv4 $ipv6 }}
  120. # {{ .Name }} (ignored; reachable but redundant)
  121. {{- continue }}
  122. {{- end }}
  123. # {{ .Name }} (reachable)
  124. {{- if and . .IP }}
  125. {{- $ipv4 = .IP }}
  126. {{- end }}
  127. {{- if and . .GlobalIPv6Address }}
  128. {{- $ipv6 = .GlobalIPv6Address }}
  129. {{- end }}
  130. {{- if and (empty $ipv4) (empty $ipv6) }}
  131. # /!\ No IPv4 or IPv6 for this network!
  132. {{- end }}
  133. {{- else }}
  134. # (none)
  135. {{- end }}
  136. {{ if and $ipv6 $.globals.config.prefer_ipv6_network }}
  137. # IPv4 address: {{ if $ipv4 }}{{ $ipv4 }} (ignored; reachable but IPv6 prefered){{ else }}(none usable){{ end }}
  138. # IPv6 address: {{ $ipv6 }}
  139. {{- $_ := set $ "ip" (printf "[%s]" $ipv6) }}
  140. {{- else }}
  141. # IPv4 address: {{ if $ipv4 }}{{ $ipv4 }}{{ else }}(none usable){{ end }}
  142. # IPv6 address: {{ if $ipv6 }}{{ $ipv6 }}{{ if $ipv4 }} (ignored; reachable but IPv4 prefered){{ end }}{{ else }}(none usable){{ end }}
  143. {{- if $ipv4 }}
  144. {{- $_ := set $ "ip" $ipv4 }}
  145. {{- else if $ipv6}}
  146. {{- $_ := set $ "ip" (printf "[%s]" $ipv6) }}
  147. {{- end }}
  148. {{- end }}
  149. {{- end }}
  150. {{- /*
  151. * Template used as a function to get the port of the server in the given
  152. * container. This template only outputs debug comments; the port is
  153. * "returned" by storing the value in the provided dot dict.
  154. *
  155. * The provided dot dict is expected to have the following entries:
  156. * - "container": The container's RuntimeContainer struct.
  157. *
  158. * The return value will be added to the dot dict with key "port".
  159. */}}
  160. {{- define "container_port" }}
  161. {{- /* If only 1 port exposed, use that as a default, else 80. */}}
  162. # exposed ports (first ten):{{ range $index, $address := (sortObjectsByKeysAsc $.container.Addresses "Port") }}{{ if lt $index 10 }} {{ $address.Port }}/{{ $address.Proto }}{{ end }}{{ else }} (none){{ end }}
  163. {{- $default_port := when (eq (len $.container.Addresses) 1) (first $.container.Addresses).Port "80" }}
  164. # default port: {{ $default_port }}
  165. {{- $port := eq $.port "default" | ternary $default_port $.port }}
  166. # using port: {{ $port }}
  167. {{- $addr_obj := where $.container.Addresses "Port" $port | first }}
  168. {{- if and $addr_obj $addr_obj.HostPort }}
  169. # /!\ WARNING: Virtual port published on host. Clients
  170. # might be able to bypass nginx-proxy and
  171. # access the container's server directly.
  172. {{- end }}
  173. {{- $_ := set $ "port" $port }}
  174. {{- end }}
  175. {{- define "ssl_policy" }}
  176. {{- if eq .ssl_policy "Mozilla-Modern" }}
  177. ssl_protocols TLSv1.3;
  178. {{- /*
  179. * This ssl_ciphers directive is not used but necessary to get TLSv1.3 only.
  180. * see https://serverfault.com/questions/1023766/nginx-with-only-tls1-3-cipher-suites
  181. */}}
  182. ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;
  183. ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
  184. ssl_prefer_server_ciphers off;
  185. {{- else if eq .ssl_policy "Mozilla-Intermediate" }}
  186. ssl_protocols TLSv1.2 TLSv1.3;
  187. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305';
  188. ssl_prefer_server_ciphers off;
  189. {{- else if eq .ssl_policy "Mozilla-Old" }}
  190. ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  191. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:@SECLEVEL=0';
  192. ssl_prefer_server_ciphers on;
  193. {{- else if eq .ssl_policy "AWS-TLS13-1-3-2021-06" }}
  194. ssl_protocols TLSv1.3;
  195. {{- /*
  196. * This ssl_ciphers directive is not used but necessary to get TLSv1.3 only.
  197. * see https://serverfault.com/questions/1023766/nginx-with-only-tls1-3-cipher-suites
  198. */}}
  199. ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;
  200. ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
  201. ssl_prefer_server_ciphers on;
  202. {{- else if eq .ssl_policy "AWS-TLS13-1-2-2021-06" }}
  203. ssl_protocols TLSv1.2 TLSv1.3;
  204. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
  205. ssl_prefer_server_ciphers on;
  206. {{- else if eq .ssl_policy "AWS-TLS13-1-2-Res-2021-06" }}
  207. ssl_protocols TLSv1.2 TLSv1.3;
  208. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
  209. ssl_prefer_server_ciphers on;
  210. {{- else if eq .ssl_policy "AWS-TLS13-1-2-Ext1-2021-06" }}
  211. ssl_protocols TLSv1.2 TLSv1.3;
  212. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';
  213. ssl_prefer_server_ciphers on;
  214. {{- else if eq .ssl_policy "AWS-TLS13-1-2-Ext2-2021-06" }}
  215. ssl_protocols TLSv1.2 TLSv1.3;
  216. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
  217. ssl_prefer_server_ciphers on;
  218. {{- else if eq .ssl_policy "AWS-TLS13-1-1-2021-06" }}
  219. ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
  220. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:@SECLEVEL=0';
  221. ssl_prefer_server_ciphers on;
  222. {{- else if eq .ssl_policy "AWS-TLS13-1-0-2021-06" }}
  223. ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  224. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:@SECLEVEL=0';
  225. ssl_prefer_server_ciphers on;
  226. {{- else if eq .ssl_policy "AWS-FS-1-2-Res-2020-10" }}
  227. ssl_protocols TLSv1.2;
  228. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
  229. ssl_prefer_server_ciphers on;
  230. {{- else if eq .ssl_policy "AWS-FS-1-2-Res-2019-08" }}
  231. ssl_protocols TLSv1.2;
  232. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
  233. ssl_prefer_server_ciphers on;
  234. {{- else if eq .ssl_policy "AWS-FS-1-2-2019-08" }}
  235. ssl_protocols TLSv1.2;
  236. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA';
  237. ssl_prefer_server_ciphers on;
  238. {{- else if eq .ssl_policy "AWS-FS-1-1-2019-08" }}
  239. ssl_protocols TLSv1.1 TLSv1.2;
  240. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:@SECLEVEL=0';
  241. ssl_prefer_server_ciphers on;
  242. {{- else if eq .ssl_policy "AWS-FS-2018-06" }}
  243. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  244. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:@SECLEVEL=0';
  245. ssl_prefer_server_ciphers on;
  246. {{- else if eq .ssl_policy "AWS-TLS-1-2-Ext-2018-06" }}
  247. ssl_protocols TLSv1.2;
  248. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
  249. ssl_prefer_server_ciphers on;
  250. {{- else if eq .ssl_policy "AWS-TLS-1-2-2017-01" }}
  251. ssl_protocols TLSv1.2;
  252. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';
  253. ssl_prefer_server_ciphers on;
  254. {{- else if eq .ssl_policy "AWS-TLS-1-1-2017-01" }}
  255. ssl_protocols TLSv1.1 TLSv1.2;
  256. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:@SECLEVEL=0';
  257. ssl_prefer_server_ciphers on;
  258. {{- else if eq .ssl_policy "AWS-2016-08" }}
  259. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  260. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:@SECLEVEL=0';
  261. ssl_prefer_server_ciphers on;
  262. {{- else if eq .ssl_policy "AWS-2015-05" }}
  263. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  264. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA:@SECLEVEL=0';
  265. ssl_prefer_server_ciphers on;
  266. {{- else if eq .ssl_policy "AWS-2015-03" }}
  267. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  268. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:@SECLEVEL=0';
  269. ssl_prefer_server_ciphers on;
  270. {{- else if eq .ssl_policy "AWS-2015-02" }}
  271. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  272. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:@SECLEVEL=0';
  273. ssl_prefer_server_ciphers on;
  274. {{- end }}
  275. {{- end }}
  276. {{- define "location" }}
  277. {{- $vpath := .VPath }}
  278. {{- $override := printf "/etc/nginx/vhost.d/%s_%s_location_override" .Host (sha1 .Path) }}
  279. {{- if and (eq .Path "/") (not (exists $override)) }}
  280. {{- $override = printf "/etc/nginx/vhost.d/%s_location_override" .Host }}
  281. {{- end }}
  282. {{- if exists $override }}
  283. include {{ $override }};
  284. {{- else }}
  285. {{- $keepalive := $vpath.keepalive }}
  286. location {{ .Path }} {
  287. {{- if eq $vpath.network_tag "internal" }}
  288. # Only allow traffic from internal clients
  289. include /etc/nginx/network_internal.conf;
  290. {{- end }}
  291. {{ $proto := $vpath.proto }}
  292. {{ $upstream := $vpath.upstream }}
  293. {{ $dest := $vpath.dest }}
  294. {{- if eq $proto "uwsgi" }}
  295. include uwsgi_params;
  296. uwsgi_pass {{ trim $proto }}://{{ trim $upstream }};
  297. {{- else if eq $proto "fastcgi" }}
  298. {{- if (exists "/etc/nginx/fastcgi.conf") }}
  299. include fastcgi.conf;
  300. {{- else if (exists "/etc/nginx/fastcgi_params") }}
  301. include fastcgi_params;
  302. {{- else }}
  303. # neither /etc/nginx/fastcgi.conf nor /etc/nginx/fastcgi_params found, fastcgi won't work
  304. {{- end }}
  305. root {{ trim .VhostRoot }};
  306. fastcgi_pass {{ trim $upstream }};
  307. {{- if ne $keepalive "disabled" }}
  308. fastcgi_keep_conn on;
  309. {{- end }}
  310. {{- else if eq $proto "grpc" }}
  311. grpc_pass {{ trim $proto }}://{{ trim $upstream }};
  312. {{- else if eq $proto "grpcs" }}
  313. grpc_pass {{ trim $proto }}://{{ trim $upstream }};
  314. {{- else }}
  315. proxy_pass {{ trim $proto }}://{{ trim $upstream }}{{ trim $dest }};
  316. set $upstream_keepalive {{ if ne $keepalive "disabled" }}true{{ else }}false{{ end }};
  317. {{- end }}
  318. {{- if (exists (printf "/etc/nginx/htpasswd/%s_%s" .Host (sha1 .Path) )) }}
  319. auth_basic "Restricted {{ .Host }}{{ .Path }}";
  320. auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s_%s" .Host (sha1 .Path)) }};
  321. {{- else if (exists (printf "/etc/nginx/htpasswd/%s" .Host)) }}
  322. auth_basic "Restricted {{ .HostIsRegexp | ternary "access" .Host }}";
  323. auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" .Host) }};
  324. {{- end }}
  325. {{- if (exists (printf "/etc/nginx/vhost.d/%s_%s_location" .Host (sha1 .Path) )) }}
  326. include {{ printf "/etc/nginx/vhost.d/%s_%s_location" .Host (sha1 .Path) }};
  327. {{- else if (exists (printf "/etc/nginx/vhost.d/%s_location" .Host)) }}
  328. include {{ printf "/etc/nginx/vhost.d/%s_location" .Host}};
  329. {{- else if (exists "/etc/nginx/vhost.d/default_location") }}
  330. include /etc/nginx/vhost.d/default_location;
  331. {{- end }}
  332. }
  333. {{- end }}
  334. {{- end }}
  335. {{- define "upstream" }}
  336. {{- $path := .Path }}
  337. {{- $vpath := .VPath }}
  338. upstream {{ $vpath.upstream }} {
  339. {{- $servers := 0 }}
  340. {{- $loadbalance := $vpath.loadbalance }}
  341. {{- if $loadbalance }}
  342. # From the container's loadbalance label:
  343. {{ $loadbalance }}
  344. {{- end }}
  345. {{- range $port, $containers := $vpath.ports }}
  346. {{- range $container := $containers }}
  347. # Container: {{ $container.Name }}
  348. {{- $args := dict "globals" $.globals "container" $container }}
  349. {{- template "container_ip" $args }}
  350. {{- $ip := $args.ip }}
  351. {{- $args = dict "container" $container "path" $path "port" $port }}
  352. {{- template "container_port" $args }}
  353. {{- if $ip }}
  354. {{- $servers = add1 $servers }}
  355. server {{ $ip }}:{{ $args.port }};
  356. {{- end }}
  357. {{- end }}
  358. {{- end }}
  359. {{- /* nginx-proxy/nginx-proxy#1105 */}}
  360. {{- if lt $servers 1 }}
  361. # Fallback entry
  362. server 127.0.0.1 down;
  363. {{- end }}
  364. {{- $keepalive := $vpath.keepalive }}
  365. {{- if and (ne $keepalive "disabled") (gt $servers 0) }}
  366. {{- if eq $keepalive "auto" }}
  367. keepalive {{ mul $servers 2 }};
  368. {{- else }}
  369. keepalive {{ $keepalive }};
  370. {{- end }}
  371. {{- end }}
  372. }
  373. {{- end }}
  374. {{- /* debug "endpoint" location template */}}
  375. {{- define "debug_location" }}
  376. {{- $debug_paths := dict }}
  377. {{- range $path, $vpath := .VHost.paths }}
  378. {{- $tmp_ports := dict }}
  379. {{- range $port, $containers := $vpath.ports }}
  380. {{- $tmp_containers := list }}
  381. {{- range $container := $containers }}
  382. {{- $tmp_containers = dict "Name" $container.Name | append $tmp_containers }}
  383. {{- end }}
  384. {{- $_ := set $tmp_ports $port $tmp_containers }}
  385. {{- end }}
  386. {{- $debug_vpath := deepCopy $vpath | merge (dict "ports" $tmp_ports) }}
  387. {{- $_ := set $debug_paths $path $debug_vpath }}
  388. {{- end }}
  389. {{- $debug_vhost := deepCopy .VHost }}
  390. {{- /* If it's a regexp, do not render the Hostname to the response to avoid rendering config breaking characters */}}
  391. {{- $_ := set $debug_vhost "hostname" (.VHost.is_regexp | ternary "Hostname is a regexp and unsafe to include in the debug response." .Hostname) }}
  392. {{- $_ := set $debug_vhost "paths" $debug_paths }}
  393. {{- $debug_response := dict
  394. "global" .GlobalConfig
  395. "request" (dict
  396. "host" "$host"
  397. "https" "$https"
  398. "http2" "$http2"
  399. "http3" "$http3"
  400. "ssl_cipher" "$ssl_cipher"
  401. "ssl_protocol" "$ssl_protocol"
  402. )
  403. "vhost" $debug_vhost
  404. }}
  405. {{- /*
  406. * The maximum line length in an nginx config is 4096 characters.
  407. * If we're nearing this limit (with headroom for the rest
  408. * of the directive), strip vhost.paths from the response.
  409. */}}
  410. {{- if gt (toJson $debug_response | len) 4000 }}
  411. {{- $_ := unset $debug_vhost "paths" }}
  412. {{- $_ := set $debug_response "warning" "Virtual paths configuration for this hostname is too large and has been stripped from response." }}
  413. {{- end }}
  414. location /nginx-proxy-debug {
  415. default_type application/json;
  416. return 200 '{{ toJson $debug_response }}{{ "\\n" }}';
  417. }
  418. {{- end }}
  419. {{- define "access_log" }}
  420. {{- when .Enable "access_log /var/log/nginx/access.log vhost;" "" }}
  421. {{- end }}
  422. # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
  423. # scheme used to connect to this server
  424. map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  425. default {{ if $globals.config.trust_downstream_proxy }}$http_x_forwarded_proto{{ else }}$scheme{{ end }};
  426. '' $scheme;
  427. }
  428. map $http_x_forwarded_host $proxy_x_forwarded_host {
  429. default {{ if $globals.config.trust_downstream_proxy }}$http_x_forwarded_host{{ else }}$host{{ end }};
  430. '' $host;
  431. }
  432. # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
  433. # server port the client connected to
  434. map $http_x_forwarded_port $proxy_x_forwarded_port {
  435. default {{ if $globals.config.trust_downstream_proxy }}$http_x_forwarded_port{{ else }}$server_port{{ end }};
  436. '' $server_port;
  437. }
  438. # Include the port in the Host header sent to the container if it is non-standard
  439. map $server_port $host_port {
  440. default :$server_port;
  441. 80 '';
  442. 443 '';
  443. }
  444. # If the request from the downstream client has an "Upgrade:" header (set to any
  445. # non-empty value), pass "Connection: upgrade" to the upstream (backend) server.
  446. # Otherwise, the value for the "Connection" header depends on whether the user
  447. # has enabled keepalive to the upstream server.
  448. map $http_upgrade $proxy_connection {
  449. default upgrade;
  450. '' $proxy_connection_noupgrade;
  451. }
  452. map $upstream_keepalive $proxy_connection_noupgrade {
  453. # Preserve nginx's default behavior (send "Connection: close").
  454. default close;
  455. # Use an empty string to cancel nginx's default behavior.
  456. true '';
  457. }
  458. # Abuse the map directive (see <https://stackoverflow.com/q/14433309>) to ensure
  459. # that $upstream_keepalive is always defined. This is necessary because:
  460. # - The $proxy_connection variable is indirectly derived from
  461. # $upstream_keepalive, so $upstream_keepalive must be defined whenever
  462. # $proxy_connection is resolved.
  463. # - The $proxy_connection variable is used in a proxy_set_header directive in
  464. # the http block, so it is always fully resolved for every request -- even
  465. # those where proxy_pass is not used (e.g., unknown virtual host).
  466. map "" $upstream_keepalive {
  467. # The value here should not matter because it should always be overridden in
  468. # a location block (see the "location" template) for all requests where the
  469. # value actually matters.
  470. default false;
  471. }
  472. # Apply fix for very long server names
  473. server_names_hash_bucket_size 128;
  474. # Default dhparam
  475. {{- if (exists "/etc/nginx/dhparam/dhparam.pem") }}
  476. ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
  477. {{- end }}
  478. # Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
  479. map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
  480. default off;
  481. https on;
  482. }
  483. gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
  484. {{- /* See https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format for details and variables
  485. * LOG_FORMAT_ESCAPE sets the escape part of the log format
  486. * LOG_FORMAT sets the log format
  487. */}}
  488. {{- $logEscape := $globals.config.log_format_escape | default "default" | printf "escape=%s" }}
  489. {{- $logFormat := $globals.config.log_format | default `$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_addr"` }}
  490. {{- if $globals.config.enable_json_logs }}
  491. # JSON Logging enabled (via LOG_JSON env variable)
  492. {{- $logEscape = $globals.config.log_format_escape | default "json" | printf "escape=%s" }}
  493. {{- $logFormat = $globals.config.log_format | default `{"time_local":"$time_iso8601","client_ip":"$http_x_forwarded_for","remote_addr":"$remote_addr","request":"$request","status":"$status","body_bytes_sent":"$body_bytes_sent","request_time":"$request_time","upstream_response_time":"$upstream_response_time","upstream_addr":"$upstream_addr","http_referrer":"$http_referer","http_user_agent":"$http_user_agent","request_id":"$request_id"}` }}
  494. {{- end }}
  495. log_format vhost {{ $logEscape }} '{{ $logFormat }}';
  496. access_log off;
  497. {{- /* Lower the SSL policy of the http context
  498. * if at least one vhost use a TLSv1 or TLSv1.1 policy
  499. * so TLSv1 and TLSv1.1 can be enabled on those vhosts
  500. */}}
  501. {{- $httpContextSslPolicy := $globals.config.ssl_policy }}
  502. {{- $inUseSslPolicies := groupByKeys $globals.containers "Env.SSL_POLICY" }}
  503. {{- range $tls1Policy := list "AWS-TLS13-1-1-2021-06" "AWS-TLS13-1-0-2021-06" "AWS-FS-1-1-2019-08" "AWS-FS-2018-06" "AWS-TLS-1-1-2017-01" "AWS-2016-08" "AWS-2015-05" "AWS-2015-03" "AWS-2015-02" "Mozilla-Old" }}
  504. {{- if has $tls1Policy $inUseSslPolicies }}
  505. # Using Mozilla-Old SSL policy on the http context to allow TLSv1 and TLSv1.1
  506. {{- $httpContextSslPolicy = "Mozilla-Old" }}
  507. {{- break }}
  508. {{- end }}
  509. {{- end }}
  510. {{- template "ssl_policy" (dict "ssl_policy" $httpContextSslPolicy) }}
  511. error_log /dev/stderr;
  512. {{- if $globals.config.resolvers }}
  513. resolver {{ $globals.config.resolvers }};
  514. {{- end }}
  515. {{- if (exists "/etc/nginx/proxy.conf") }}
  516. include /etc/nginx/proxy.conf;
  517. {{- else }}
  518. # HTTP 1.1 support
  519. proxy_http_version 1.1;
  520. proxy_set_header Host $host$host_port;
  521. proxy_set_header Upgrade $http_upgrade;
  522. proxy_set_header Connection $proxy_connection;
  523. proxy_set_header X-Real-IP $remote_addr;
  524. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  525. proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
  526. proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
  527. proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
  528. proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
  529. proxy_set_header X-Original-URI $request_uri;
  530. # Mitigate httpoxy attack (see README for details)
  531. proxy_set_header Proxy "";
  532. {{- end }}
  533. {{- /* Precompute and store some information about vhost that use VIRTUAL_HOST_MULTIPORTS. */}}
  534. {{- range $vhosts_yaml, $containers := groupBy $globals.containers "Env.VIRTUAL_HOST_MULTIPORTS" }}
  535. {{- /* Print a warning in the config if VIRTUAL_HOST_MULTIPORTS can't be parsed. */}}
  536. {{- $parsedVhosts := fromYaml $vhosts_yaml }}
  537. {{- if (empty $parsedVhosts) }}
  538. {{- $containerNames := list }}
  539. {{- range $container := $containers }}
  540. {{- $containerNames = append $containerNames $container.Name }}
  541. {{- end }}
  542. # /!\ WARNING: the VIRTUAL_HOST_MULTIPORTS environment variable used for {{ len $containerNames | plural "this container" "those containers" }} is not a valid YAML string:
  543. # {{ $containerNames | join ", " }}
  544. {{- continue }}
  545. {{- end }}
  546. {{- range $hostname, $vhost := $parsedVhosts }}
  547. {{- $vhost_data := get $globals.vhosts $hostname | default (dict) }}
  548. {{- $paths := $vhost_data.paths | default (dict) }}
  549. {{- if (empty $vhost) }}
  550. {{ $vhost = dict "/" (dict) }}
  551. {{- end }}
  552. {{- range $path, $vpath := $vhost }}
  553. {{- if (empty $vpath) }}
  554. {{- $vpath = dict
  555. "dest" ""
  556. "port" "default"
  557. "proto" "http"
  558. }}
  559. {{- end }}
  560. {{- $dest := $vpath.dest | default "" }}
  561. {{- $port := $vpath.port | default "default" | toString }}
  562. {{- $proto := $vpath.proto | default "http" }}
  563. {{- $path_data := get $paths $path | default (dict) }}
  564. {{- $path_ports := $path_data.ports | default (dict) }}
  565. {{- $path_port_containers := get $path_ports $port | default (list) | concat $containers }}
  566. {{- $_ := set $path_ports $port $path_port_containers }}
  567. {{- $_ := set $path_data "ports" $path_ports }}
  568. {{- if (not (hasKey $path_data "dest")) }}
  569. {{- $_ := set $path_data "dest" $dest }}
  570. {{- end }}
  571. {{- if (not (hasKey $path_data "proto")) }}
  572. {{- $_ := set $path_data "proto" $proto }}
  573. {{- end }}
  574. {{- $_ := set $paths $path $path_data }}
  575. {{- end }}
  576. {{- $_ := set $vhost_data "paths" $paths }}
  577. {{- $_ := set $globals.vhosts $hostname $vhost_data }}
  578. {{- end }}
  579. {{- end }}
  580. {{- /* Precompute and store some information about vhost that use VIRTUAL_HOST. */}}
  581. {{- range $hostname, $containers := groupByMulti $globals.containers "Env.VIRTUAL_HOST" "," }}
  582. {{- /* Ignore containers with VIRTUAL_HOST set to the empty string. */}}
  583. {{- $hostname = trim $hostname }}
  584. {{- if not $hostname }}
  585. {{- continue }}
  586. {{- end }}
  587. {{- /* Drop containers with both VIRTUAL_HOST and VIRTUAL_HOST_MULTIPORTS set
  588. * (VIRTUAL_HOST_MULTIPORTS takes precedence thanks to the previous loop).
  589. */}}
  590. {{- range $_, $containers_to_drop := groupBy $containers "Env.VIRTUAL_HOST_MULTIPORTS" }}
  591. {{- range $container := $containers_to_drop }}
  592. {{- $containers = without $containers $container }}
  593. {{- end }}
  594. {{- end }}
  595. {{- if (eq (len $containers) 0) }}
  596. {{- continue }}
  597. {{- end }}
  598. {{- $vhost_data := get $globals.vhosts $hostname | default (dict) }}
  599. {{- $paths := $vhost_data.paths | default (dict) }}
  600. {{- $tmp_paths := groupByWithDefault $containers "Env.VIRTUAL_PATH" "/" }}
  601. {{- range $path, $containers := $tmp_paths }}
  602. {{- $dest := groupByKeys $containers "Env.VIRTUAL_DEST" | first | default "" }}
  603. {{- $proto := groupByKeys $containers "Env.VIRTUAL_PROTO" | first | default "http" | trim }}
  604. {{- $path_data := get $paths $path | default (dict) }}
  605. {{- $path_ports := $path_data.ports | default (dict) }}
  606. {{- range $port, $containers := groupByWithDefault $containers "Env.VIRTUAL_PORT" "default" }}
  607. {{- $path_port_containers := get $path_ports $port | default (list) | concat $containers }}
  608. {{- $_ := set $path_ports $port $path_port_containers }}
  609. {{- end }}
  610. {{- $_ := set $path_data "ports" $path_ports }}
  611. {{- if (not (hasKey $path_data "dest")) }}
  612. {{- $_ := set $path_data "dest" $dest }}
  613. {{- end }}
  614. {{- if (not (hasKey $path_data "proto")) }}
  615. {{- $_ := set $path_data "proto" $proto }}
  616. {{- end }}
  617. {{- $_ := set $paths $path $path_data }}
  618. {{- end }}
  619. {{- $_ := set $vhost_data "paths" $paths }}
  620. {{- $_ := set $globals.vhosts $hostname $vhost_data }}
  621. {{- end }}
  622. {{- /* Loop over $globals.vhosts and update it with the remaining informations about each vhost. */}}
  623. {{- range $hostname, $vhost_data := $globals.vhosts }}
  624. {{- $is_regexp := hasPrefix "~" $hostname }}
  625. {{- $upstream_name := or $is_regexp $globals.config.sha1_upstream_name | ternary (sha1 $hostname) $hostname }}
  626. {{- $vhost_containers := list }}
  627. {{- range $path, $vpath_data := $vhost_data.paths }}
  628. {{- $vpath_containers := list }}
  629. {{- range $port, $vport_containers := $vpath_data.ports }}
  630. {{ $vpath_containers = concat $vpath_containers $vport_containers }}
  631. {{- end }}
  632. {{- /* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external". */}}
  633. {{- $network_tag := groupByKeys $vpath_containers "Env.NETWORK_ACCESS" | first | default "external" }}
  634. {{- $loadbalance := groupByLabel $vpath_containers "com.github.nginx-proxy.nginx-proxy.loadbalance" | keys | first }}
  635. {{- $keepalive := groupByLabel $vpath_containers "com.github.nginx-proxy.nginx-proxy.keepalive" | keys | first | default "auto" }}
  636. {{- $upstream := $upstream_name }}
  637. {{- if (not (eq $path "/")) }}
  638. {{- $sum := sha1 $path }}
  639. {{- $upstream = printf "%s-%s" $upstream $sum }}
  640. {{- end }}
  641. {{- $_ := set $vpath_data "network_tag" $network_tag }}
  642. {{- $_ := set $vpath_data "upstream" $upstream }}
  643. {{- $_ := set $vpath_data "loadbalance" $loadbalance }}
  644. {{- $_ := set $vpath_data "keepalive" $keepalive }}
  645. {{- $_ := set $vhost_data.paths $path $vpath_data }}
  646. {{ $vhost_containers = concat $vhost_containers $vpath_containers }}
  647. {{- end }}
  648. {{- $userIdentifiedCert := groupByKeys $vhost_containers "Env.CERT_NAME" | first }}
  649. {{- $vhostCert := "" }}
  650. {{- if exists (printf "/etc/nginx/certs/%s.crt" $hostname) }}
  651. {{- $vhostCert = $hostname }}
  652. {{- end }}
  653. {{- $parentVhostCert := "" }}
  654. {{- if gt ($hostname | sprigSplit "." | len) 2 }}
  655. {{- $parentHostname := ($hostname | sprigSplitn "." 2)._1 }}
  656. {{- if exists (printf "/etc/nginx/certs/%s.crt" $parentHostname) }}
  657. {{- $parentVhostCert = $parentHostname }}
  658. {{- end }}
  659. {{- end }}
  660. {{- $trust_default_cert := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.trust-default-cert" | keys | first | default $globals.config.trust_default_cert | parseBool }}
  661. {{- $defaultCert := and $trust_default_cert $globals.config.default_cert_ok | ternary "default" "" }}
  662. {{- $cert := or $userIdentifiedCert $vhostCert $parentVhostCert $defaultCert }}
  663. {{- $cert_ok := and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert)) }}
  664. {{- $enable_debug_endpoint := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.debug-endpoint" | keys | first | default $globals.config.enable_debug_endpoint | parseBool }}
  665. {{- $default := eq $globals.config.default_host $hostname }}
  666. {{- $https_method := groupByKeys $vhost_containers "Env.HTTPS_METHOD" | first | default $globals.config.https_method }}
  667. {{- $enable_http_on_missing_cert := groupByKeys $vhost_containers "Env.ENABLE_HTTP_ON_MISSING_CERT" | first | default $globals.config.enable_http_on_missing_cert | parseBool }}
  668. {{- /* When no trusted certs (default and/or vhost) are present we want to ensure that HTTP is enabled; hence switching from 'nohttp' or 'redirect' to 'noredirect' */}}
  669. {{- $https_method_disable_http := list "nohttp" "redirect" | has $https_method }}
  670. {{- if and $https_method_disable_http (not $cert_ok) $enable_http_on_missing_cert }}
  671. {{- $https_method = "noredirect" }}
  672. {{- end }}
  673. {{- $non_get_redirect := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.non-get-redirect" | keys | first | default $globals.config.non_get_redirect }}
  674. {{- $http2_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable" | keys | first | default $globals.config.enable_http2 | parseBool }}
  675. {{- $http3_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable" | keys | first | default $globals.config.enable_http3 | parseBool }}
  676. {{- $acme_http_challenge := groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION" | first | default $globals.config.acme_http_challenge }}
  677. {{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }}
  678. {{- $acme_http_challenge_enabled := false }}
  679. {{- if (not $acme_http_challenge_legacy) }}
  680. {{- $acme_http_challenge_enabled = parseBool $acme_http_challenge }}
  681. {{- end }}
  682. {{- /* Get the SERVER_TOKENS defined by containers w/ the same vhost, falling back to "". */}}
  683. {{- $server_tokens := groupByKeys $vhost_containers "Env.SERVER_TOKENS" | first | default "" | trim }}
  684. {{- /* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to empty string (use default). */}}
  685. {{- $ssl_policy := groupByKeys $vhost_containers "Env.SSL_POLICY" | first | default "" }}
  686. {{- /* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000". */}}
  687. {{- $hsts := groupByKeys $vhost_containers "Env.HSTS" | first | default $globals.config.hsts }}
  688. {{- /* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
  689. {{- $vhost_root := groupByKeys $vhost_containers "Env.VIRTUAL_ROOT" | first | default "/var/www/public" }}
  690. {{- $vhost_data = merge $vhost_data (dict
  691. "cert" $cert
  692. "cert_ok" $cert_ok
  693. "enable_debug_endpoint" $enable_debug_endpoint
  694. "default" $default
  695. "hsts" $hsts
  696. "https_method" $https_method
  697. "non_get_redirect" $non_get_redirect
  698. "http2_enabled" $http2_enabled
  699. "http3_enabled" $http3_enabled
  700. "is_regexp" $is_regexp
  701. "acme_http_challenge_legacy" $acme_http_challenge_legacy
  702. "acme_http_challenge_enabled" $acme_http_challenge_enabled
  703. "server_tokens" $server_tokens
  704. "ssl_policy" $ssl_policy
  705. "trust_default_cert" $trust_default_cert
  706. "upstream_name" $upstream_name
  707. "vhost_root" $vhost_root
  708. ) }}
  709. {{- $_ := set $globals.vhosts $hostname $vhost_data }}
  710. {{- end }}
  711. {{- /*
  712. * If needed, create a catch-all fallback server to send an error code to
  713. * clients that request something from an unknown vhost.
  714. *
  715. * This server must appear first in the generated config because nginx uses
  716. * the first `server` directive to handle requests that don't match any of
  717. * the other `server` directives. An alternative approach would be to add
  718. * the `default_server` option to the `listen` directives inside this
  719. * `server`, but some users inject a custom `server` directive that uses
  720. * `default_server`. Using `default_server` here would cause nginx to fail
  721. * to start for those users. See
  722. * <https://github.com/nginx-proxy/nginx-proxy/issues/2212>.
  723. */}}
  724. {{- block "fallback_server" $globals }}
  725. {{- $globals := . }}
  726. {{- $http_exists := false }}
  727. {{- $https_exists := false }}
  728. {{- $default_http_exists := false }}
  729. {{- $default_https_exists := false }}
  730. {{- $http3_enabled := false }}
  731. {{- range $vhost := $globals.vhosts }}
  732. {{- $http := ne $vhost.https_method "nohttp" }}
  733. {{- $https := ne $vhost.https_method "nohttps" }}
  734. {{- $http_exists = or $http_exists $http }}
  735. {{- $https_exists = or $https_exists $https }}
  736. {{- $default_http_exists = or $default_http_exists (and $http $vhost.default) }}
  737. {{- $default_https_exists = or $default_https_exists (and $https $vhost.default) }}
  738. {{- $http3_enabled = or $http3_enabled $vhost.http3_enabled }}
  739. {{- end }}
  740. {{- $fallback_http := not $default_http_exists }}
  741. {{- $fallback_https := not $default_https_exists }}
  742. {{- /*
  743. * If there are no vhosts at all, create fallbacks for both plain http
  744. * and https so that clients get something more useful than a connection
  745. * refused error.
  746. */}}
  747. {{- if and (not $http_exists) (not $https_exists) }}
  748. {{- $fallback_https = true }}
  749. {{- end }}
  750. {{- if or $fallback_http $fallback_https }}
  751. server {
  752. server_name _; # This is just an invalid value which will never trigger on a real hostname.
  753. server_tokens off;
  754. {{ template "access_log" (dict "Enable" $globals.config.enable_access_log) }}
  755. http2 on;
  756. {{- if $fallback_http }}
  757. listen {{ $globals.config.external_http_port }}; {{- /* Do not add `default_server` (see comment above). */}}
  758. {{- if $globals.config.enable_ipv6 }}
  759. listen [::]:{{ $globals.config.external_http_port }}; {{- /* Do not add `default_server` (see comment above). */}}
  760. {{- end }}
  761. {{- end }}
  762. {{- if $fallback_https }}
  763. listen {{ $globals.config.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}}
  764. {{- if $globals.config.enable_ipv6 }}
  765. listen [::]:{{ $globals.config.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}}
  766. {{- end }}
  767. {{- if $http3_enabled }}
  768. http3 on;
  769. listen {{ $globals.config.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}}
  770. {{- if $globals.config.enable_ipv6 }}
  771. listen [::]:{{ $globals.config.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}}
  772. {{- end }}
  773. {{- end }}
  774. ssl_session_cache shared:SSL:50m;
  775. ssl_session_tickets off;
  776. {{- end }}
  777. {{- if $globals.config.default_cert_ok }}
  778. ssl_certificate /etc/nginx/certs/default.crt;
  779. ssl_certificate_key /etc/nginx/certs/default.key;
  780. {{- else }}
  781. # No default certificate found, so reject SSL handshake;
  782. ssl_reject_handshake on;
  783. {{- end }}
  784. {{- if (exists "/usr/share/nginx/html/errors/50x.html") }}
  785. error_page 500 502 503 504 /50x.html;
  786. location /50x.html {
  787. root /usr/share/nginx/html/errors;
  788. internal;
  789. }
  790. {{- end }}
  791. location ^~ / {
  792. return 503;
  793. }
  794. }
  795. {{- end }}
  796. {{- end }}
  797. {{- range $hostname, $vhost := $globals.vhosts }}
  798. {{- $default_server := when $vhost.default "default_server" "" }}
  799. {{- range $path, $vpath := $vhost.paths }}
  800. # {{ $hostname }}{{ $path }}
  801. {{ template "upstream" (dict "globals" $globals "Path" $path "VPath" $vpath) }}
  802. {{- end }}
  803. {{- if (eq $vhost.https_method "redirect") }}
  804. server {
  805. server_name {{ $hostname }};
  806. {{- if $vhost.server_tokens }}
  807. server_tokens {{ $vhost.server_tokens }};
  808. {{- end }}
  809. {{ template "access_log" (dict "Enable" $globals.config.enable_access_log) }}
  810. listen {{ $globals.config.external_http_port }} {{ $default_server }};
  811. {{- if $globals.config.enable_ipv6 }}
  812. listen [::]:{{ $globals.config.external_http_port }} {{ $default_server }};
  813. {{- end }}
  814. {{- if (or $vhost.acme_http_challenge_legacy $vhost.acme_http_challenge_enabled) }}
  815. # Do not HTTPS redirect Let's Encrypt ACME challenge
  816. location ^~ /.well-known/acme-challenge/ {
  817. auth_basic off;
  818. auth_request off;
  819. allow all;
  820. root /usr/share/nginx/html;
  821. try_files $uri =404;
  822. break;
  823. }
  824. {{- end }}
  825. {{- if $vhost.enable_debug_endpoint }}
  826. {{ template "debug_location" (dict "GlobalConfig" $globals.config "Hostname" $hostname "VHost" $vhost) }}
  827. {{- end }}
  828. location / {
  829. {{- $redirect_uri := "https://$host$request_uri" }}
  830. {{- if ne $globals.config.external_https_port "443" }}
  831. {{- $redirect_uri = printf "https://$host:%s$request_uri" $globals.config.external_https_port }}
  832. {{- end}}
  833. if ($request_method ~ (OPTIONS|POST|PUT|PATCH|DELETE)) {
  834. return {{ $vhost.non_get_redirect }} {{ $redirect_uri }};
  835. }
  836. return 301 {{ $redirect_uri }};
  837. }
  838. }
  839. {{- end }}
  840. server {
  841. {{- if $vhost.is_regexp }}
  842. {{- if or
  843. (printf "/etc/nginx/vhost.d/%s" $hostname | exists)
  844. (printf "/etc/nginx/vhost.d/%s_location" $hostname | exists)
  845. (printf "/etc/nginx/vhost.d/%s_location_override" $hostname | exists)
  846. (printf "/etc/nginx/htpasswd/%s" $hostname | exists)
  847. }}
  848. # https://github.com/nginx-proxy/nginx-proxy/issues/2529#issuecomment-2437609249
  849. # Support for vhost config file(s) named like a regexp ({{ $hostname }}) has been removed from nginx-proxy.
  850. # Please name your vhost config file(s) with the sha1 of the regexp instead ({{ $hostname }} -> {{ sha1 $hostname }}) :
  851. # - /etc/nginx/vhost.d/{{ sha1 $hostname }}
  852. # - /etc/nginx/vhost.d/{{ sha1 $hostname }}_location
  853. # - /etc/nginx/vhost.d/{{ sha1 $hostname }}_location_override
  854. # - /etc/nginx/htpasswd/{{ sha1 $hostname }}
  855. {{- end }}
  856. {{- end }}
  857. server_name {{ $hostname }};
  858. {{- if $vhost.server_tokens }}
  859. server_tokens {{ $vhost.server_tokens }};
  860. {{- end }}
  861. {{ template "access_log" (dict "Enable" $globals.config.enable_access_log) }}
  862. {{- if $vhost.http2_enabled }}
  863. http2 on;
  864. {{- end }}
  865. {{- if or (eq $vhost.https_method "nohttps") (eq $vhost.https_method "noredirect") }}
  866. listen {{ $globals.config.external_http_port }} {{ $default_server }};
  867. {{- if $globals.config.enable_ipv6 }}
  868. listen [::]:{{ $globals.config.external_http_port }} {{ $default_server }};
  869. {{- end }}
  870. {{- if (and (eq $vhost.https_method "noredirect") $vhost.acme_http_challenge_enabled) }}
  871. location /.well-known/acme-challenge/ {
  872. auth_basic off;
  873. allow all;
  874. root /usr/share/nginx/html;
  875. try_files $uri =404;
  876. break;
  877. }
  878. {{- end }}
  879. {{- end }}
  880. {{- if ne $vhost.https_method "nohttps" }}
  881. listen {{ $globals.config.external_https_port }} ssl {{ $default_server }};
  882. {{- if $globals.config.enable_ipv6 }}
  883. listen [::]:{{ $globals.config.external_https_port }} ssl {{ $default_server }};
  884. {{- end }}
  885. {{- if $vhost.http3_enabled }}
  886. http3 on;
  887. add_header alt-svc 'h3=":{{ $globals.config.external_https_port }}"; ma=86400;';
  888. listen {{ $globals.config.external_https_port }} quic {{ $default_server }};
  889. {{- if $globals.config.enable_ipv6 }}
  890. listen [::]:{{ $globals.config.external_https_port }} quic {{ $default_server }};
  891. {{- end }}
  892. {{- end }}
  893. {{- if $vhost.cert_ok }}
  894. {{- template "ssl_policy" (dict "ssl_policy" $vhost.ssl_policy) }}
  895. ssl_session_timeout 5m;
  896. ssl_session_cache shared:SSL:50m;
  897. ssl_session_tickets off;
  898. ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $vhost.cert) }};
  899. ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $vhost.cert) }};
  900. {{- if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $vhost.cert)) }}
  901. ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $vhost.cert }};
  902. {{- end }}
  903. {{- if (exists (printf "/etc/nginx/certs/%s.chain.pem" $vhost.cert)) }}
  904. ssl_stapling on;
  905. ssl_stapling_verify on;
  906. ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $vhost.cert }};
  907. {{- end }}
  908. {{- if (not (or (eq $vhost.https_method "noredirect") (eq $vhost.hsts "off"))) }}
  909. set $sts_header "";
  910. if ($https) {
  911. set $sts_header "{{ trim $vhost.hsts }}";
  912. }
  913. add_header Strict-Transport-Security $sts_header always;
  914. {{- end }}
  915. {{- else if not $vhost.trust_default_cert | and $globals.config.default_cert_ok }}
  916. # No certificate found for this vhost, and the default certificate isn't trusted, so reject SSL handshake.
  917. ssl_reject_handshake on;
  918. {{- else }}
  919. # No certificate for this vhost nor default certificate found, so reject SSL handshake.
  920. ssl_reject_handshake on;
  921. {{- end }}
  922. {{- end }}
  923. {{- $vhostFileName := $vhost.is_regexp | ternary (sha1 $hostname) $hostname }}
  924. {{- if (exists (printf "/etc/nginx/vhost.d/%s" $vhostFileName)) }}
  925. include {{ printf "/etc/nginx/vhost.d/%s" $vhostFileName }};
  926. {{- else if (exists "/etc/nginx/vhost.d/default") }}
  927. include /etc/nginx/vhost.d/default;
  928. {{- end }}
  929. {{- if $vhost.enable_debug_endpoint }}
  930. {{ template "debug_location" (dict "GlobalConfig" $globals.config "Hostname" $hostname "VHost" $vhost) }}
  931. {{- end }}
  932. {{- range $path, $vpath := $vhost.paths }}
  933. {{- template "location" (dict
  934. "Path" $path
  935. "Host" $vhostFileName
  936. "HostIsRegexp" $vhost.is_regexp
  937. "VhostRoot" $vhost.vhost_root
  938. "VPath" $vpath
  939. ) }}
  940. {{- end }}
  941. {{- if and (not (contains $vhost.paths "/")) (ne $globals.config.default_root_response "none")}}
  942. location / {
  943. return {{ $globals.config.default_root_response }};
  944. }
  945. {{- end }}
  946. }
  947. {{- end }}