2
0

nginx.tmpl 37 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748
  1. # nginx-proxy{{ if $.Env.NGINX_PROXY_VERSION }} version : {{ $.Env.NGINX_PROXY_VERSION }}{{ end }}
  2. {{- /*
  3. * Global values. Values are stored in this map rather than in individual
  4. * global variables so that the values can be easily passed to embedded
  5. * templates. (Go templates cannot access variables outside of their own
  6. * scope.)
  7. */}}
  8. {{- $globals := dict }}
  9. {{- $_ := set $globals "containers" $ }}
  10. {{- $_ := set $globals "Env" $.Env }}
  11. {{- $_ := set $globals "Docker" $.Docker }}
  12. {{- $_ := set $globals "CurrentContainer" (where $globals.containers "ID" $globals.Docker.CurrentContainerID | first) }}
  13. {{- $_ := set $globals "default_cert_ok" (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
  14. {{- $_ := set $globals "external_http_port" (coalesce $globals.Env.HTTP_PORT "80") }}
  15. {{- $_ := set $globals "external_https_port" (coalesce $globals.Env.HTTPS_PORT "443") }}
  16. {{- $_ := set $globals "sha1_upstream_name" (parseBool (coalesce $globals.Env.SHA1_UPSTREAM_NAME "false")) }}
  17. {{- $_ := set $globals "default_root_response" (coalesce $globals.Env.DEFAULT_ROOT "404") }}
  18. {{- $_ := set $globals "trust_downstream_proxy" (parseBool (coalesce $globals.Env.TRUST_DOWNSTREAM_PROXY "true")) }}
  19. {{- $_ := set $globals "access_log" (or (and (not $globals.Env.DISABLE_ACCESS_LOGS) "access_log /var/log/nginx/access.log vhost;") "") }}
  20. {{- $_ := set $globals "enable_ipv6" (parseBool (coalesce $globals.Env.ENABLE_IPV6 "false")) }}
  21. {{- $_ := set $globals "ssl_policy" (or ($globals.Env.SSL_POLICY) "Mozilla-Intermediate") }}
  22. {{- $_ := set $globals "vhosts" (dict) }}
  23. {{- $_ := set $globals "networks" (dict) }}
  24. # Networks available to the container running docker-gen (which are assumed to
  25. # match the networks available to the container running nginx):
  26. {{- /*
  27. * Note: $globals.CurrentContainer may be nil in some circumstances due to
  28. * <https://github.com/nginx-proxy/docker-gen/issues/458>. For more context
  29. * see <https://github.com/nginx-proxy/nginx-proxy/issues/2189>.
  30. */}}
  31. {{- if $globals.CurrentContainer }}
  32. {{- range sortObjectsByKeysAsc $globals.CurrentContainer.Networks "Name" }}
  33. {{- $_ := set $globals.networks .Name . }}
  34. # {{ .Name }}
  35. {{- else }}
  36. # (none)
  37. {{- end }}
  38. {{- else }}
  39. # /!\ WARNING: Failed to find the Docker container running docker-gen. All
  40. # upstream (backend) application containers will appear to be
  41. # unreachable. Try removing the -only-exposed and -only-published
  42. # arguments to docker-gen if you pass either of those. See
  43. # <https://github.com/nginx-proxy/docker-gen/issues/458>.
  44. {{- end }}
  45. {{- /*
  46. * Template used as a function to get a container's IP address. This
  47. * template only outputs debug comments; the IP address is "returned" by
  48. * storing the value in the provided dot dict.
  49. *
  50. * The provided dot dict is expected to have the following entries:
  51. * - "globals": Global values.
  52. * - "container": The container's RuntimeContainer struct.
  53. *
  54. * The return value will be added to the dot dict with key "ip".
  55. */}}
  56. {{- define "container_ip" }}
  57. {{- $ip := "" }}
  58. # networks:
  59. {{- range sortObjectsByKeysAsc $.container.Networks "Name" }}
  60. {{- /*
  61. * TODO: Only ignore the "ingress" network for Swarm tasks (in case
  62. * the user is not using Swarm mode and names a network "ingress").
  63. */}}
  64. {{- if eq .Name "ingress" }}
  65. # {{ .Name }} (ignored)
  66. {{- continue }}
  67. {{- end }}
  68. {{- if eq .Name "host" }}
  69. {{- /* Handle containers in host nework mode */}}
  70. {{- if (index $.globals.networks "host") }}
  71. # both container and proxy are in host network mode, using localhost IP
  72. {{- $ip = "127.0.0.1" }}
  73. {{- continue }}
  74. {{- end }}
  75. {{- range sortObjectsByKeysAsc $.globals.CurrentContainer.Networks "Name" }}
  76. {{- if and . .Gateway (not .Internal) }}
  77. # container is in host network mode, using {{ .Name }} gateway IP
  78. {{- $ip = .Gateway }}
  79. {{- break }}
  80. {{- end }}
  81. {{- end }}
  82. {{- if $ip }}
  83. {{- continue }}
  84. {{- end }}
  85. {{- end }}
  86. {{- if and (not (index $.globals.networks .Name)) (not $.globals.networks.host) }}
  87. # {{ .Name }} (unreachable)
  88. {{- continue }}
  89. {{- end }}
  90. {{- /*
  91. * Do not emit multiple `server` directives for this container if it
  92. * is reachable over multiple networks. This avoids accidentally
  93. * inflating the effective round-robin weight of a server due to the
  94. * redundant upstream addresses that nginx sees as belonging to
  95. * distinct servers.
  96. */}}
  97. {{- if $ip }}
  98. # {{ .Name }} (ignored; reachable but redundant)
  99. {{- continue }}
  100. {{- end }}
  101. # {{ .Name }} (reachable)
  102. {{- if and . .IP }}
  103. {{- $ip = .IP }}
  104. {{- else }}
  105. # /!\ No IP for this network!
  106. {{- end }}
  107. {{- else }}
  108. # (none)
  109. {{- end }}
  110. # IP address: {{ if $ip }}{{ $ip }}{{ else }}(none usable){{ end }}
  111. {{- $_ := set $ "ip" $ip }}
  112. {{- end }}
  113. {{- /*
  114. * Template used as a function to get the port of the server in the given
  115. * container. This template only outputs debug comments; the port is
  116. * "returned" by storing the value in the provided dot dict.
  117. *
  118. * The provided dot dict is expected to have the following entries:
  119. * - "container": The container's RuntimeContainer struct.
  120. *
  121. * The return value will be added to the dot dict with key "port".
  122. */}}
  123. {{- define "container_port" }}
  124. {{- /* If only 1 port exposed, use that as a default, else 80. */}}
  125. # exposed ports:{{ range sortObjectsByKeysAsc $.container.Addresses "Port" }} {{ .Port }}/{{ .Proto }}{{ else }} (none){{ end }}
  126. {{- $default_port := when (eq (len $.container.Addresses) 1) (first $.container.Addresses).Port "80" }}
  127. # default port: {{ $default_port }}
  128. {{- $port := or $.container.Env.VIRTUAL_PORT $default_port }}
  129. # using port: {{ $port }}
  130. {{- $addr_obj := where $.container.Addresses "Port" $port | first }}
  131. {{- if and $addr_obj $addr_obj.HostPort }}
  132. # /!\ WARNING: Virtual port published on host. Clients
  133. # might be able to bypass nginx-proxy and
  134. # access the container's server directly.
  135. {{- end }}
  136. {{- $_ := set $ "port" $port }}
  137. {{- end }}
  138. {{- define "ssl_policy" }}
  139. {{- if eq .ssl_policy "Mozilla-Modern" }}
  140. ssl_protocols TLSv1.3;
  141. {{- /*
  142. * This ssl_ciphers directive is not used but necessary to get TLSv1.3 only.
  143. * see https://serverfault.com/questions/1023766/nginx-with-only-tls1-3-cipher-suites
  144. */}}
  145. ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;
  146. ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
  147. ssl_prefer_server_ciphers off;
  148. {{- else if eq .ssl_policy "Mozilla-Intermediate" }}
  149. ssl_protocols TLSv1.2 TLSv1.3;
  150. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305';
  151. ssl_prefer_server_ciphers off;
  152. {{- else if eq .ssl_policy "Mozilla-Old" }}
  153. ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  154. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA';
  155. ssl_prefer_server_ciphers on;
  156. {{- else if eq .ssl_policy "AWS-TLS13-1-3-2021-06" }}
  157. ssl_protocols TLSv1.3;
  158. {{- /*
  159. * This ssl_ciphers directive is not used but necessary to get TLSv1.3 only.
  160. * see https://serverfault.com/questions/1023766/nginx-with-only-tls1-3-cipher-suites
  161. */}}
  162. ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;
  163. ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
  164. ssl_prefer_server_ciphers on;
  165. {{- else if eq .ssl_policy "AWS-TLS13-1-2-2021-06" }}
  166. ssl_protocols TLSv1.2 TLSv1.3;
  167. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
  168. ssl_prefer_server_ciphers on;
  169. {{- else if eq .ssl_policy "AWS-TLS13-1-2-Res-2021-06" }}
  170. ssl_protocols TLSv1.2 TLSv1.3;
  171. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
  172. ssl_prefer_server_ciphers on;
  173. {{- else if eq .ssl_policy "AWS-TLS13-1-2-Ext1-2021-06" }}
  174. ssl_protocols TLSv1.2 TLSv1.3;
  175. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';
  176. ssl_prefer_server_ciphers on;
  177. {{- else if eq .ssl_policy "AWS-TLS13-1-2-Ext2-2021-06" }}
  178. ssl_protocols TLSv1.2 TLSv1.3;
  179. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
  180. ssl_prefer_server_ciphers on;
  181. {{- else if eq .ssl_policy "AWS-TLS13-1-1-2021-06" }}
  182. ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
  183. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
  184. ssl_prefer_server_ciphers on;
  185. {{- else if eq .ssl_policy "AWS-TLS13-1-0-2021-06" }}
  186. ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  187. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
  188. ssl_prefer_server_ciphers on;
  189. {{- else if eq .ssl_policy "AWS-FS-1-2-Res-2020-10" }}
  190. ssl_protocols TLSv1.2;
  191. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
  192. ssl_prefer_server_ciphers on;
  193. {{- else if eq .ssl_policy "AWS-FS-1-2-Res-2019-08" }}
  194. ssl_protocols TLSv1.2;
  195. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
  196. ssl_prefer_server_ciphers on;
  197. {{- else if eq .ssl_policy "AWS-FS-1-2-2019-08" }}
  198. ssl_protocols TLSv1.2;
  199. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA';
  200. ssl_prefer_server_ciphers on;
  201. {{- else if eq .ssl_policy "AWS-FS-1-1-2019-08" }}
  202. ssl_protocols TLSv1.1 TLSv1.2;
  203. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA';
  204. ssl_prefer_server_ciphers on;
  205. {{- else if eq .ssl_policy "AWS-FS-2018-06" }}
  206. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  207. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA';
  208. ssl_prefer_server_ciphers on;
  209. {{- else if eq .ssl_policy "AWS-TLS-1-2-Ext-2018-06" }}
  210. ssl_protocols TLSv1.2;
  211. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
  212. ssl_prefer_server_ciphers on;
  213. {{- else if eq .ssl_policy "AWS-TLS-1-2-2017-01" }}
  214. ssl_protocols TLSv1.2;
  215. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';
  216. ssl_prefer_server_ciphers on;
  217. {{- else if eq .ssl_policy "AWS-TLS-1-1-2017-01" }}
  218. ssl_protocols TLSv1.1 TLSv1.2;
  219. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
  220. ssl_prefer_server_ciphers on;
  221. {{- else if eq .ssl_policy "AWS-2016-08" }}
  222. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  223. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
  224. ssl_prefer_server_ciphers on;
  225. {{- else if eq .ssl_policy "AWS-2015-05" }}
  226. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  227. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA';
  228. ssl_prefer_server_ciphers on;
  229. {{- else if eq .ssl_policy "AWS-2015-03" }}
  230. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  231. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA';
  232. ssl_prefer_server_ciphers on;
  233. {{- else if eq .ssl_policy "AWS-2015-02" }}
  234. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  235. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA';
  236. ssl_prefer_server_ciphers on;
  237. {{- end }}
  238. {{- end }}
  239. {{- define "location" }}
  240. {{- $override := printf "/etc/nginx/vhost.d/%s_%s_location_override" .Host (sha1 .Path) }}
  241. {{- if and (eq .Path "/") (not (exists $override)) }}
  242. {{- $override = printf "/etc/nginx/vhost.d/%s_location_override" .Host }}
  243. {{- end }}
  244. {{- if exists $override }}
  245. include {{ $override }};
  246. {{- else }}
  247. {{- $keepalive := first (keys (groupByLabel .Containers "com.github.nginx-proxy.nginx-proxy.keepalive")) }}
  248. location {{ .Path }} {
  249. {{- if eq .NetworkTag "internal" }}
  250. # Only allow traffic from internal clients
  251. include /etc/nginx/network_internal.conf;
  252. {{- end }}
  253. {{- if eq .Proto "uwsgi" }}
  254. include uwsgi_params;
  255. uwsgi_pass {{ trim .Proto }}://{{ trim .Upstream }};
  256. {{- else if eq .Proto "fastcgi" }}
  257. root {{ trim .VhostRoot }};
  258. include fastcgi_params;
  259. fastcgi_pass {{ trim .Upstream }};
  260. {{- if $keepalive }}
  261. fastcgi_keep_conn on;
  262. {{- end }}
  263. {{- else if eq .Proto "grpc" }}
  264. grpc_pass {{ trim .Proto }}://{{ trim .Upstream }};
  265. {{- else }}
  266. proxy_pass {{ trim .Proto }}://{{ trim .Upstream }}{{ trim .Dest }};
  267. set $upstream_keepalive {{ if $keepalive }}true{{ else }}false{{ end }};
  268. {{- end }}
  269. {{- if (exists (printf "/etc/nginx/htpasswd/%s" .Host)) }}
  270. auth_basic "Restricted {{ .Host }}";
  271. auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" .Host) }};
  272. {{- end }}
  273. {{- if (exists (printf "/etc/nginx/vhost.d/%s_%s_location" .Host (sha1 .Path) )) }}
  274. include {{ printf "/etc/nginx/vhost.d/%s_%s_location" .Host (sha1 .Path) }};
  275. {{- else if (exists (printf "/etc/nginx/vhost.d/%s_location" .Host)) }}
  276. include {{ printf "/etc/nginx/vhost.d/%s_location" .Host}};
  277. {{- else if (exists "/etc/nginx/vhost.d/default_location") }}
  278. include /etc/nginx/vhost.d/default_location;
  279. {{- end }}
  280. }
  281. {{- end }}
  282. {{- end }}
  283. {{- define "upstream" }}
  284. upstream {{ .Upstream }} {
  285. {{- $server_found := false }}
  286. {{- $loadbalance := first (keys (groupByLabel .Containers "com.github.nginx-proxy.nginx-proxy.loadbalance")) }}
  287. {{- if $loadbalance }}
  288. # From the container's loadbalance label:
  289. {{ $loadbalance }}
  290. {{- end }}
  291. {{- range $container := .Containers }}
  292. # Container: {{ $container.Name }}
  293. {{- $args := dict "globals" $.globals "container" $container }}
  294. {{- template "container_ip" $args }}
  295. {{- $ip := $args.ip }}
  296. {{- $args := dict "container" $container }}
  297. {{- template "container_port" $args }}
  298. {{- $port := $args.port }}
  299. {{- if $ip }}
  300. {{- $server_found = true }}
  301. server {{ $ip }}:{{ $port }};
  302. {{- end }}
  303. {{- end }}
  304. {{- /* nginx-proxy/nginx-proxy#1105 */}}
  305. {{- if not $server_found }}
  306. # Fallback entry
  307. server 127.0.0.1 down;
  308. {{- end }}
  309. {{- $keepalive := first (keys (groupByLabel .Containers "com.github.nginx-proxy.nginx-proxy.keepalive")) }}
  310. {{- if $keepalive }}
  311. keepalive {{ $keepalive }};
  312. {{- end }}
  313. }
  314. {{- end }}
  315. # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
  316. # scheme used to connect to this server
  317. map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  318. default {{ if $globals.trust_downstream_proxy }}$http_x_forwarded_proto{{ else }}$scheme{{ end }};
  319. '' $scheme;
  320. }
  321. map $http_x_forwarded_host $proxy_x_forwarded_host {
  322. default {{ if $globals.trust_downstream_proxy }}$http_x_forwarded_host{{ else }}$host{{ end }};
  323. '' $host;
  324. }
  325. # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
  326. # server port the client connected to
  327. map $http_x_forwarded_port $proxy_x_forwarded_port {
  328. default {{ if $globals.trust_downstream_proxy }}$http_x_forwarded_port{{ else }}$server_port{{ end }};
  329. '' $server_port;
  330. }
  331. # If the request from the downstream client has an "Upgrade:" header (set to any
  332. # non-empty value), pass "Connection: upgrade" to the upstream (backend) server.
  333. # Otherwise, the value for the "Connection" header depends on whether the user
  334. # has enabled keepalive to the upstream server.
  335. map $http_upgrade $proxy_connection {
  336. default upgrade;
  337. '' $proxy_connection_noupgrade;
  338. }
  339. map $upstream_keepalive $proxy_connection_noupgrade {
  340. # Preserve nginx's default behavior (send "Connection: close").
  341. default close;
  342. # Use an empty string to cancel nginx's default behavior.
  343. true '';
  344. }
  345. # Abuse the map directive (see <https://stackoverflow.com/q/14433309>) to ensure
  346. # that $upstream_keepalive is always defined. This is necessary because:
  347. # - The $proxy_connection variable is indirectly derived from
  348. # $upstream_keepalive, so $upstream_keepalive must be defined whenever
  349. # $proxy_connection is resolved.
  350. # - The $proxy_connection variable is used in a proxy_set_header directive in
  351. # the http block, so it is always fully resolved for every request -- even
  352. # those where proxy_pass is not used (e.g., unknown virtual host).
  353. map "" $upstream_keepalive {
  354. # The value here should not matter because it should always be overridden in
  355. # a location block (see the "location" template) for all requests where the
  356. # value actually matters.
  357. default false;
  358. }
  359. # Apply fix for very long server names
  360. server_names_hash_bucket_size 128;
  361. # Default dhparam
  362. {{- if (exists "/etc/nginx/dhparam/dhparam.pem") }}
  363. ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
  364. {{- end }}
  365. # Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
  366. map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
  367. default off;
  368. https on;
  369. }
  370. gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
  371. log_format vhost '{{ or $globals.Env.LOG_FORMAT "$host $remote_addr - $remote_user [$time_local] \"$request\" $status $body_bytes_sent \"$http_referer\" \"$http_user_agent\" \"$upstream_addr\"" }}';
  372. access_log off;
  373. {{- template "ssl_policy" (dict "ssl_policy" $globals.ssl_policy) }}
  374. error_log /dev/stderr;
  375. {{- if $globals.Env.RESOLVERS }}
  376. resolver {{ $globals.Env.RESOLVERS }};
  377. {{- end }}
  378. {{- if (exists "/etc/nginx/proxy.conf") }}
  379. include /etc/nginx/proxy.conf;
  380. {{- else }}
  381. # HTTP 1.1 support
  382. proxy_http_version 1.1;
  383. proxy_buffering off;
  384. proxy_set_header Host $host;
  385. proxy_set_header Upgrade $http_upgrade;
  386. proxy_set_header Connection $proxy_connection;
  387. proxy_set_header X-Real-IP $remote_addr;
  388. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  389. proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
  390. proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
  391. proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
  392. proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
  393. proxy_set_header X-Original-URI $request_uri;
  394. # Mitigate httpoxy attack (see README for details)
  395. proxy_set_header Proxy "";
  396. {{- end }}
  397. {{- /*
  398. * Precompute some information about each vhost. This is done early because
  399. * the creation of fallback servers depends on DEFAULT_HOST, HTTPS_METHOD,
  400. * and whether there are any missing certs.
  401. */}}
  402. {{- range $vhost, $containers := groupByMulti $globals.containers "Env.VIRTUAL_HOST" "," }}
  403. {{- $vhost := trim $vhost }}
  404. {{- if not $vhost }}
  405. {{- /* Ignore containers with VIRTUAL_HOST set to the empty string. */}}
  406. {{- continue }}
  407. {{- end }}
  408. {{- $certName := first (groupByKeys $containers "Env.CERT_NAME") }}
  409. {{- $vhostCert := closest (dir "/etc/nginx/certs") (printf "%s.crt" $vhost) }}
  410. {{- $vhostCert = trimSuffix ".crt" $vhostCert }}
  411. {{- $vhostCert = trimSuffix ".key" $vhostCert }}
  412. {{- $cert := or $certName $vhostCert }}
  413. {{- $cert_ok := and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert)) }}
  414. {{- $default := eq $globals.Env.DEFAULT_HOST $vhost }}
  415. {{- $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) $globals.Env.HTTPS_METHOD "redirect" }}
  416. {{- $http3 := parseBool (or (first (keys (groupByLabel $containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}}
  417. {{- $_ := set $globals.vhosts $vhost (dict
  418. "cert" $cert
  419. "cert_ok" $cert_ok
  420. "containers" $containers
  421. "default" $default
  422. "https_method" $https_method
  423. "http3" $http3
  424. ) }}
  425. {{- end }}
  426. {{- /*
  427. * If needed, create a catch-all fallback server to send an error code to
  428. * clients that request something from an unknown vhost.
  429. *
  430. * This server must appear first in the generated config because nginx uses
  431. * the first `server` directive to handle requests that don't match any of
  432. * the other `server` directives. An alternative approach would be to add
  433. * the `default_server` option to the `listen` directives inside this
  434. * `server`, but some users inject a custom `server` directive that uses
  435. * `default_server`. Using `default_server` here would cause nginx to fail
  436. * to start for those users. See
  437. * <https://github.com/nginx-proxy/nginx-proxy/issues/2212>.
  438. */}}
  439. {{- block "fallback_server" $globals }}
  440. {{- $globals := . }}
  441. {{- $http_exists := false }}
  442. {{- $https_exists := false }}
  443. {{- $default_http_exists := false }}
  444. {{- $default_https_exists := false }}
  445. {{- $http3 := false }}
  446. {{- range $vhost := $globals.vhosts }}
  447. {{- $http := or (ne $vhost.https_method "nohttp") (not $vhost.cert_ok) }}
  448. {{- $https := ne $vhost.https_method "nohttps" }}
  449. {{- $http_exists = or $http_exists $http }}
  450. {{- $https_exists = or $https_exists $https }}
  451. {{- $default_http_exists = or $default_http_exists (and $http $vhost.default) }}
  452. {{- $default_https_exists = or $default_https_exists (and $https $vhost.default) }}
  453. {{- $http3 = or $http3 $vhost.http3 }}
  454. {{- end }}
  455. {{- $fallback_http := and $http_exists (not $default_http_exists) }}
  456. {{- $fallback_https := and $https_exists (not $default_https_exists) }}
  457. {{- /*
  458. * If there are no vhosts at all, create fallbacks for both plain http
  459. * and https so that clients get something more useful than a connection
  460. * refused error.
  461. */}}
  462. {{- if and (not $http_exists) (not $https_exists) }}
  463. {{- $fallback_http = true }}
  464. {{- $fallback_https = true }}
  465. {{- end }}
  466. {{- if or $fallback_http $fallback_https }}
  467. server {
  468. server_name _; # This is just an invalid value which will never trigger on a real hostname.
  469. server_tokens off;
  470. {{ $globals.access_log }}
  471. http2 on;
  472. {{- if $fallback_http }}
  473. listen {{ $globals.external_http_port }}; {{- /* Do not add `default_server` (see comment above). */}}
  474. {{- if $globals.enable_ipv6 }}
  475. listen [::]:{{ $globals.external_http_port }}; {{- /* Do not add `default_server` (see comment above). */}}
  476. {{- end }}
  477. {{- end }}
  478. {{- if $fallback_https }}
  479. listen {{ $globals.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}}
  480. {{- if $globals.enable_ipv6 }}
  481. listen [::]:{{ $globals.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}}
  482. {{- end }}
  483. {{- if $http3 }}
  484. http3 on;
  485. listen {{ $globals.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}}
  486. {{- if $globals.enable_ipv6 }}
  487. listen [::]:{{ $globals.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}}
  488. {{- end }}
  489. {{- end }}
  490. ssl_session_cache shared:SSL:50m;
  491. ssl_session_tickets off;
  492. {{- end }}
  493. {{- if $globals.default_cert_ok }}
  494. ssl_certificate /etc/nginx/certs/default.crt;
  495. ssl_certificate_key /etc/nginx/certs/default.key;
  496. {{- else }}
  497. # No default.crt certificate found for this vhost, so force nginx to emit a
  498. # TLS error if the client connects via https.
  499. {{- /* See the comment in the main `server` directive for rationale. */}}
  500. ssl_ciphers aNULL;
  501. set $empty "";
  502. ssl_certificate data:$empty;
  503. ssl_certificate_key data:$empty;
  504. if ($https) {
  505. return 444;
  506. }
  507. {{- end }}
  508. return 503;
  509. }
  510. {{- end }}
  511. {{- end }}
  512. {{- range $host, $vhost := $globals.vhosts }}
  513. {{- $cert := $vhost.cert }}
  514. {{- $cert_ok := $vhost.cert_ok }}
  515. {{- $containers := $vhost.containers }}
  516. {{- $default_server := when $vhost.default "default_server" "" }}
  517. {{- $https_method := $vhost.https_method }}
  518. {{- $http2 := parseBool (or (first (keys (groupByLabel $containers "com.github.nginx-proxy.nginx-proxy.http2.enable"))) $globals.Env.ENABLE_HTTP2 "true")}}
  519. {{- $http3 := parseBool (or (first (keys (groupByLabel $containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}}
  520. {{- $is_regexp := hasPrefix "~" $host }}
  521. {{- $upstream_name := when (or $is_regexp $globals.sha1_upstream_name) (sha1 $host) $host }}
  522. {{- $paths := groupBy $containers "Env.VIRTUAL_PATH" }}
  523. {{- $nPaths := len $paths }}
  524. {{- if eq $nPaths 0 }}
  525. {{- $paths = dict "/" $containers }}
  526. {{- end }}
  527. {{- range $path, $containers := $paths }}
  528. {{- $upstream := $upstream_name }}
  529. {{- if gt $nPaths 0 }}
  530. {{- $sum := sha1 $path }}
  531. {{- $upstream = printf "%s-%s" $upstream $sum }}
  532. {{- end }}
  533. # {{ $host }}{{ $path }}
  534. {{ template "upstream" (dict "globals" $globals "Upstream" $upstream "Containers" $containers) }}
  535. {{- end }}
  536. {{- /*
  537. * Get the SERVER_TOKENS defined by containers w/ the same vhost,
  538. * falling back to "".
  539. */}}
  540. {{- $server_tokens := trim (or (first (groupByKeys $containers "Env.SERVER_TOKENS")) "") }}
  541. {{- /*
  542. * Get the SSL_POLICY defined by containers w/ the same vhost, falling
  543. * back to empty string (use default).
  544. */}}
  545. {{- $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "" }}
  546. {{- /*
  547. * Get the HSTS defined by containers w/ the same vhost, falling back to
  548. * "max-age=31536000".
  549. */}}
  550. {{- $hsts := or (first (groupByKeys $containers "Env.HSTS")) (or $globals.Env.HSTS "max-age=31536000") }}
  551. {{- /* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
  552. {{- $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
  553. {{- if and $cert_ok (eq $https_method "redirect") }}
  554. server {
  555. server_name {{ $host }};
  556. {{- if $server_tokens }}
  557. server_tokens {{ $server_tokens }};
  558. {{- end }}
  559. {{ $globals.access_log }}
  560. listen {{ $globals.external_http_port }} {{ $default_server }};
  561. {{- if $globals.enable_ipv6 }}
  562. listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
  563. {{- end }}
  564. # Do not HTTPS redirect Let's Encrypt ACME challenge
  565. location ^~ /.well-known/acme-challenge/ {
  566. auth_basic off;
  567. auth_request off;
  568. allow all;
  569. root /usr/share/nginx/html;
  570. try_files $uri =404;
  571. break;
  572. }
  573. location / {
  574. {{- if eq $globals.external_https_port "443" }}
  575. return 301 https://$host$request_uri;
  576. {{- else }}
  577. return 301 https://$host:{{ $globals.external_https_port }}$request_uri;
  578. {{- end }}
  579. }
  580. }
  581. {{- end }}
  582. server {
  583. server_name {{ $host }};
  584. {{- if $server_tokens }}
  585. server_tokens {{ $server_tokens }};
  586. {{- end }}
  587. {{ $globals.access_log }}
  588. {{- if $http2 }}
  589. http2 on;
  590. {{- end }}
  591. {{- if or (eq $https_method "nohttps") (not $cert_ok) (eq $https_method "noredirect") }}
  592. listen {{ $globals.external_http_port }} {{ $default_server }};
  593. {{- if $globals.enable_ipv6 }}
  594. listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
  595. {{- end }}
  596. {{- end }}
  597. {{- if ne $https_method "nohttps" }}
  598. listen {{ $globals.external_https_port }} ssl {{ $default_server }};
  599. {{- if $globals.enable_ipv6 }}
  600. listen [::]:{{ $globals.external_https_port }} ssl {{ $default_server }};
  601. {{- end }}
  602. {{- if $http3 }}
  603. http3 on;
  604. add_header alt-svc 'h3=":{{ $globals.external_https_port }}"; ma=86400;';
  605. listen {{ $globals.external_https_port }} quic {{ $default_server }};
  606. {{- if $globals.enable_ipv6 }}
  607. listen [::]:{{ $globals.external_https_port }} quic {{ $default_server }};
  608. {{- end }}
  609. {{- end }}
  610. {{- if $cert_ok }}
  611. {{- template "ssl_policy" (dict "ssl_policy" $ssl_policy) }}
  612. ssl_session_timeout 5m;
  613. ssl_session_cache shared:SSL:50m;
  614. ssl_session_tickets off;
  615. ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
  616. ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
  617. {{- if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }}
  618. ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
  619. {{- end }}
  620. {{- if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }}
  621. ssl_stapling on;
  622. ssl_stapling_verify on;
  623. ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};
  624. {{- end }}
  625. {{- if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }}
  626. set $sts_header "";
  627. if ($https) {
  628. set $sts_header "{{ trim $hsts }}";
  629. }
  630. add_header Strict-Transport-Security $sts_header always;
  631. {{- end }}
  632. {{- else if $globals.default_cert_ok }}
  633. # No certificate found for this vhost, so use the default certificate and
  634. # return an error code if the user connects via https.
  635. ssl_certificate /etc/nginx/certs/default.crt;
  636. ssl_certificate_key /etc/nginx/certs/default.key;
  637. if ($https) {
  638. return 500;
  639. }
  640. {{- else }}
  641. # No certificate found for this vhost, so force nginx to emit a TLS error if
  642. # the client connects via https.
  643. {{- /*
  644. * The alternative is to not provide an https server for this
  645. * vhost, which would either cause the user to see the wrong
  646. * vhost (if there is another vhost with a certificate) or a
  647. * connection refused error (if there is no other vhost with a
  648. * certificate). A TLS error is easier to troubleshoot, and is
  649. * safer than serving the wrong vhost. Also see
  650. * <https://serverfault.com/a/1044022>.
  651. */}}
  652. ssl_ciphers aNULL;
  653. set $empty "";
  654. ssl_certificate data:$empty;
  655. ssl_certificate_key data:$empty;
  656. if ($https) {
  657. return 444;
  658. }
  659. {{- end }}
  660. {{- end }}
  661. {{- if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
  662. include {{ printf "/etc/nginx/vhost.d/%s" $host }};
  663. {{- else if (exists "/etc/nginx/vhost.d/default") }}
  664. include /etc/nginx/vhost.d/default;
  665. {{- end }}
  666. {{- range $path, $containers := $paths }}
  667. {{- /*
  668. * Get the VIRTUAL_PROTO defined by containers w/ the same
  669. * vhost-vpath, falling back to "http".
  670. */}}
  671. {{- $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
  672. {{- /*
  673. * Get the NETWORK_ACCESS defined by containers w/ the same vhost,
  674. * falling back to "external".
  675. */}}
  676. {{- $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
  677. {{- $upstream := $upstream_name }}
  678. {{- $dest := "" }}
  679. {{- if gt $nPaths 0 }}
  680. {{- $sum := sha1 $path }}
  681. {{- $upstream = printf "%s-%s" $upstream $sum }}
  682. {{- $dest = (or (first (groupByKeys $containers "Env.VIRTUAL_DEST")) "") }}
  683. {{- end }}
  684. {{- template "location" (dict
  685. "Path" $path
  686. "Proto" $proto
  687. "Upstream" $upstream
  688. "Host" $host
  689. "VhostRoot" $vhost_root
  690. "Dest" $dest
  691. "NetworkTag" $network_tag
  692. "Containers" $containers
  693. ) }}
  694. {{- end }}
  695. {{- if and (not (contains $paths "/")) (ne $globals.default_root_response "none")}}
  696. location / {
  697. return {{ $globals.default_root_response }};
  698. }
  699. {{- end }}
  700. }
  701. {{- end }}