nginx.tmpl 53 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059
  1. # nginx-proxy{{ if $.Env.NGINX_PROXY_VERSION }} version : {{ $.Env.NGINX_PROXY_VERSION }}{{ end }}
  2. {{- /*
  3. * Global values. Values are stored in this map rather than in individual
  4. * global variables so that the values can be easily passed to embedded
  5. * templates (Go templates cannot access variables outside of their own
  6. * scope) and displayed in the debug endpoint output.
  7. */}}
  8. {{- $globals := dict }}
  9. {{- $_ := set $globals "containers" $ }}
  10. {{- $_ := set $globals "Env" $.Env }}
  11. {{- $_ := set $globals "Docker" $.Docker }}
  12. {{- $config := dict }}
  13. {{- $_ := set $config "nginx_proxy_version" $.Env.NGINX_PROXY_VERSION }}
  14. {{- $_ := set $config "nginx_container_label" ($.Env.NGINX_CONTAINER_LABEL | default "com.github.nginx-proxy.nginx-proxy.nginx") }}
  15. {{- $_ := set $config "default_cert_ok" (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
  16. {{- $_ := set $config "external_http_port" ($globals.Env.HTTP_PORT | default "80") }}
  17. {{- $_ := set $config "external_https_port" ($globals.Env.HTTPS_PORT | default "443") }}
  18. {{- $_ := set $config "sha1_upstream_name" ($globals.Env.SHA1_UPSTREAM_NAME | default "false" | parseBool) }}
  19. {{- $_ := set $config "default_root_response" ($globals.Env.DEFAULT_ROOT | default "404") }}
  20. {{- $_ := set $config "trust_default_cert" ($globals.Env.TRUST_DEFAULT_CERT | default "true") }}
  21. {{- $_ := set $config "trust_downstream_proxy" ($globals.Env.TRUST_DOWNSTREAM_PROXY | default "true" | parseBool) }}
  22. {{- $_ := set $config "enable_access_log" ($globals.Env.DISABLE_ACCESS_LOGS | default "false" | parseBool | not) }}
  23. {{- $_ := set $config "enable_ipv6" ($globals.Env.ENABLE_IPV6 | default "false" | parseBool) }}
  24. {{- $_ := set $config "prefer_ipv6_network" ($globals.Env.PREFER_IPV6_NETWORK | default "false" | parseBool) }}
  25. {{- $_ := set $config "ssl_policy" ($globals.Env.SSL_POLICY | default "Mozilla-Intermediate") }}
  26. {{- $_ := set $config "enable_debug_endpoint" ($globals.Env.DEBUG_ENDPOINT | default "false") }}
  27. {{- $_ := set $config "hsts" ($globals.Env.HSTS | default "max-age=31536000") }}
  28. {{- $_ := set $config "acme_http_challenge" ($globals.Env.ACME_HTTP_CHALLENGE_LOCATION | default "true") }}
  29. {{- $_ := set $config "acme_http_challenge_accept_unknown_host" ($globals.Env.ACME_HTTP_CHALLENGE_ACCEPT_UNKNOWN_HOST | default "false" | parseBool) }}
  30. {{- $_ := set $config "enable_http2" ($globals.Env.ENABLE_HTTP2 | default "true") }}
  31. {{- $_ := set $config "enable_http3" ($globals.Env.ENABLE_HTTP3 | default "false") }}
  32. {{- $_ := set $config "enable_http_on_missing_cert" ($globals.Env.ENABLE_HTTP_ON_MISSING_CERT | default "true") }}
  33. {{- $_ := set $config "https_method" ($globals.Env.HTTPS_METHOD | default "redirect") }}
  34. {{- $_ := set $config "non_get_redirect" ($globals.Env.NON_GET_REDIRECT | default "301") }}
  35. {{- $_ := set $config "default_host" $globals.Env.DEFAULT_HOST }}
  36. {{- $_ := set $config "resolvers" $globals.Env.RESOLVERS }}
  37. {{- /* LOG_JSON is a shorthand that sets logging defaults to JSON format */}}
  38. {{- $_ := set $config "enable_json_logs" ($globals.Env.LOG_JSON | default "false" | parseBool) }}
  39. {{- $_ := set $config "log_format" $globals.Env.LOG_FORMAT }}
  40. {{- $_ := set $config "log_format_escape" $globals.Env.LOG_FORMAT_ESCAPE }}
  41. {{- $_ := set $globals "config" $config }}
  42. {{- $_ := set $globals "vhosts" (dict) }}
  43. {{- $_ := set $globals "networks" (dict) }}
  44. {{- $currentContainer := where $globals.containers "ID" $globals.Docker.CurrentContainerID | first }}
  45. {{- $labeledContainer := whereLabelExists $globals.containers $globals.config.nginx_container_label | first }}
  46. {{- $_ := set $globals "NetworkContainer" ($labeledContainer | default $currentContainer) }}
  47. # Networks available to the container labeled "{{ $globals.config.nginx_container_label }}" or the one running docker-gen
  48. # (which are assumed to match the networks available to the container running nginx):
  49. {{- /*
  50. * Note:
  51. * $globals.NetworkContainer may be nil in some circumstances due to https://github.com/nginx-proxy/docker-gen/issues/458.
  52. * For more context see https://github.com/nginx-proxy/nginx-proxy/issues/2189.
  53. */}}
  54. {{- if $globals.NetworkContainer }}
  55. {{- range sortObjectsByKeysAsc $globals.NetworkContainer.Networks "Name" }}
  56. {{- $_ := set $globals.networks .Name . }}
  57. # {{ .Name }}
  58. {{- else }}
  59. # (none)
  60. {{- end }}
  61. {{- else }}
  62. # /!\ WARNING: Failed to find the Docker container labeled "{{ $globals.config.nginx_container_label }}" or the one running docker-gen.
  63. # All upstream (backend) application containers will appear to be unreachable.
  64. # Try removing the -only-exposed and -only-published arguments to docker-gen if you pass either of those.
  65. # See https://github.com/nginx-proxy/docker-gen/issues/458.
  66. {{- end }}
  67. {{- /*
  68. * Template used as a function to get a container's IP address. This
  69. * template only outputs debug comments; the IP address is "returned" by
  70. * storing the value in the provided dot dict.
  71. *
  72. * The provided dot dict is expected to have the following entries:
  73. * - "globals": Global values.
  74. * - "container": The container's RuntimeContainer struct.
  75. *
  76. * The return value will be added to the dot dict with key "ip".
  77. */}}
  78. {{- define "container_ip" }}
  79. {{- $ipv4 := "" }}
  80. {{- $ipv6 := "" }}
  81. # networks:
  82. {{- range sortObjectsByKeysAsc $.container.Networks "Name" }}
  83. {{- /*
  84. * TODO: Only ignore the "ingress" network for Swarm tasks (in case
  85. * the user is not using Swarm mode and names a network "ingress").
  86. */}}
  87. {{- if eq .Name "ingress" }}
  88. # {{ .Name }} (ignored)
  89. {{- continue }}
  90. {{- end }}
  91. {{- if eq .Name "host" }}
  92. {{- /* Handle containers in host nework mode */}}
  93. {{- if (index $.globals.networks "host") }}
  94. # both container and proxy are in host network mode, using localhost IP
  95. {{- $ipv4 = "127.0.0.1" }}
  96. {{- continue }}
  97. {{- end }}
  98. {{- range sortObjectsByKeysAsc $.globals.NetworkContainer.Networks "Name" }}
  99. {{- if and . .Gateway (not .Internal) }}
  100. # container is in host network mode, using {{ .Name }} gateway IP
  101. {{- $ipv4 = .Gateway }}
  102. {{- break }}
  103. {{- end }}
  104. {{- end }}
  105. {{- if $ipv4 }}
  106. {{- continue }}
  107. {{- end }}
  108. {{- end }}
  109. {{- if and (not (index $.globals.networks .Name)) (not $.globals.networks.host) }}
  110. # {{ .Name }} (unreachable)
  111. {{- continue }}
  112. {{- end }}
  113. {{- /*
  114. * Do not emit multiple `server` directives for this container if it
  115. * is reachable over multiple networks or multiple IP stacks. This avoids
  116. * accidentally inflating the effective round-robin weight of a server due
  117. * to the redundant upstream addresses that nginx sees as belonging to
  118. * distinct servers.
  119. */}}
  120. {{- if or $ipv4 $ipv6 }}
  121. # {{ .Name }} (ignored; reachable but redundant)
  122. {{- continue }}
  123. {{- end }}
  124. # {{ .Name }} (reachable)
  125. {{- if and . .IP }}
  126. {{- $ipv4 = .IP }}
  127. {{- end }}
  128. {{- if and . .GlobalIPv6Address }}
  129. {{- $ipv6 = .GlobalIPv6Address }}
  130. {{- end }}
  131. {{- if and (empty $ipv4) (empty $ipv6) }}
  132. # /!\ No IPv4 or IPv6 for this network!
  133. {{- end }}
  134. {{- else }}
  135. # (none)
  136. {{- end }}
  137. {{ if and $ipv6 $.globals.config.prefer_ipv6_network }}
  138. # IPv4 address: {{ if $ipv4 }}{{ $ipv4 }} (ignored; reachable but IPv6 prefered){{ else }}(none usable){{ end }}
  139. # IPv6 address: {{ $ipv6 }}
  140. {{- $_ := set $ "ip" (printf "[%s]" $ipv6) }}
  141. {{- else }}
  142. # IPv4 address: {{ if $ipv4 }}{{ $ipv4 }}{{ else }}(none usable){{ end }}
  143. # IPv6 address: {{ if $ipv6 }}{{ $ipv6 }}{{ if $ipv4 }} (ignored; reachable but IPv4 prefered){{ end }}{{ else }}(none usable){{ end }}
  144. {{- if $ipv4 }}
  145. {{- $_ := set $ "ip" $ipv4 }}
  146. {{- else if $ipv6}}
  147. {{- $_ := set $ "ip" (printf "[%s]" $ipv6) }}
  148. {{- end }}
  149. {{- end }}
  150. {{- end }}
  151. {{- /*
  152. * Template used as a function to get the port of the server in the given
  153. * container. This template only outputs debug comments; the port is
  154. * "returned" by storing the value in the provided dot dict.
  155. *
  156. * The provided dot dict is expected to have the following entries:
  157. * - "container": The container's RuntimeContainer struct.
  158. *
  159. * The return value will be added to the dot dict with key "port".
  160. */}}
  161. {{- define "container_port" }}
  162. {{- /* If only 1 port exposed, use that as a default, else 80. */}}
  163. # exposed ports (first ten):{{ range $index, $address := (sortObjectsByKeysAsc $.container.Addresses "Port") }}{{ if lt $index 10 }} {{ $address.Port }}/{{ $address.Proto }}{{ end }}{{ else }} (none){{ end }}
  164. {{- $default_port := when (eq (len $.container.Addresses) 1) (first $.container.Addresses).Port "80" }}
  165. # default port: {{ $default_port }}
  166. {{- $port := eq $.port "default" | ternary $default_port $.port }}
  167. # using port: {{ $port }}
  168. {{- $addr_obj := where $.container.Addresses "Port" $port | first }}
  169. {{- if and $addr_obj $addr_obj.HostPort }}
  170. # /!\ WARNING: Virtual port published on host. Clients
  171. # might be able to bypass nginx-proxy and
  172. # access the container's server directly.
  173. {{- end }}
  174. {{- $_ := set $ "port" $port }}
  175. {{- end }}
  176. {{- define "ssl_policy" }}
  177. {{- if eq .ssl_policy "Mozilla-Modern" }}
  178. ssl_protocols TLSv1.3;
  179. {{- /*
  180. * This ssl_ciphers directive is not used but necessary to get TLSv1.3 only.
  181. * see https://serverfault.com/questions/1023766/nginx-with-only-tls1-3-cipher-suites
  182. */}}
  183. ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;
  184. ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
  185. ssl_prefer_server_ciphers off;
  186. {{- else if eq .ssl_policy "Mozilla-Intermediate" }}
  187. ssl_protocols TLSv1.2 TLSv1.3;
  188. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305';
  189. ssl_prefer_server_ciphers off;
  190. {{- else if eq .ssl_policy "Mozilla-Old" }}
  191. ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  192. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:@SECLEVEL=0';
  193. ssl_prefer_server_ciphers on;
  194. {{- else if eq .ssl_policy "AWS-TLS13-1-3-2021-06" }}
  195. ssl_protocols TLSv1.3;
  196. {{- /*
  197. * This ssl_ciphers directive is not used but necessary to get TLSv1.3 only.
  198. * see https://serverfault.com/questions/1023766/nginx-with-only-tls1-3-cipher-suites
  199. */}}
  200. ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;
  201. ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
  202. ssl_prefer_server_ciphers on;
  203. {{- else if eq .ssl_policy "AWS-TLS13-1-2-2021-06" }}
  204. ssl_protocols TLSv1.2 TLSv1.3;
  205. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
  206. ssl_prefer_server_ciphers on;
  207. {{- else if eq .ssl_policy "AWS-TLS13-1-2-Res-2021-06" }}
  208. ssl_protocols TLSv1.2 TLSv1.3;
  209. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
  210. ssl_prefer_server_ciphers on;
  211. {{- else if eq .ssl_policy "AWS-TLS13-1-2-Ext1-2021-06" }}
  212. ssl_protocols TLSv1.2 TLSv1.3;
  213. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';
  214. ssl_prefer_server_ciphers on;
  215. {{- else if eq .ssl_policy "AWS-TLS13-1-2-Ext2-2021-06" }}
  216. ssl_protocols TLSv1.2 TLSv1.3;
  217. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
  218. ssl_prefer_server_ciphers on;
  219. {{- else if eq .ssl_policy "AWS-TLS13-1-1-2021-06" }}
  220. ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
  221. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:@SECLEVEL=0';
  222. ssl_prefer_server_ciphers on;
  223. {{- else if eq .ssl_policy "AWS-TLS13-1-0-2021-06" }}
  224. ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  225. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:@SECLEVEL=0';
  226. ssl_prefer_server_ciphers on;
  227. {{- else if eq .ssl_policy "AWS-FS-1-2-Res-2020-10" }}
  228. ssl_protocols TLSv1.2;
  229. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
  230. ssl_prefer_server_ciphers on;
  231. {{- else if eq .ssl_policy "AWS-FS-1-2-Res-2019-08" }}
  232. ssl_protocols TLSv1.2;
  233. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
  234. ssl_prefer_server_ciphers on;
  235. {{- else if eq .ssl_policy "AWS-FS-1-2-2019-08" }}
  236. ssl_protocols TLSv1.2;
  237. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA';
  238. ssl_prefer_server_ciphers on;
  239. {{- else if eq .ssl_policy "AWS-FS-1-1-2019-08" }}
  240. ssl_protocols TLSv1.1 TLSv1.2;
  241. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:@SECLEVEL=0';
  242. ssl_prefer_server_ciphers on;
  243. {{- else if eq .ssl_policy "AWS-FS-2018-06" }}
  244. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  245. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:@SECLEVEL=0';
  246. ssl_prefer_server_ciphers on;
  247. {{- else if eq .ssl_policy "AWS-TLS-1-2-Ext-2018-06" }}
  248. ssl_protocols TLSv1.2;
  249. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
  250. ssl_prefer_server_ciphers on;
  251. {{- else if eq .ssl_policy "AWS-TLS-1-2-2017-01" }}
  252. ssl_protocols TLSv1.2;
  253. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';
  254. ssl_prefer_server_ciphers on;
  255. {{- else if eq .ssl_policy "AWS-TLS-1-1-2017-01" }}
  256. ssl_protocols TLSv1.1 TLSv1.2;
  257. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:@SECLEVEL=0';
  258. ssl_prefer_server_ciphers on;
  259. {{- else if eq .ssl_policy "AWS-2016-08" }}
  260. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  261. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:@SECLEVEL=0';
  262. ssl_prefer_server_ciphers on;
  263. {{- else if eq .ssl_policy "AWS-2015-05" }}
  264. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  265. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA:@SECLEVEL=0';
  266. ssl_prefer_server_ciphers on;
  267. {{- else if eq .ssl_policy "AWS-2015-03" }}
  268. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  269. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:@SECLEVEL=0';
  270. ssl_prefer_server_ciphers on;
  271. {{- else if eq .ssl_policy "AWS-2015-02" }}
  272. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  273. ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:@SECLEVEL=0';
  274. ssl_prefer_server_ciphers on;
  275. {{- end }}
  276. {{- end }}
  277. {{- define "location" }}
  278. {{- $vpath := .VPath }}
  279. {{- $override := printf "/etc/nginx/vhost.d/%s_%s_location_override" .Host (sha1 .Path) }}
  280. {{- if and (eq .Path "/") (not (exists $override)) }}
  281. {{- $override = printf "/etc/nginx/vhost.d/%s_location_override" .Host }}
  282. {{- end }}
  283. {{- if exists $override }}
  284. include {{ $override }};
  285. {{- else }}
  286. {{- $keepalive := $vpath.keepalive }}
  287. location {{ .Path }} {
  288. {{- if eq $vpath.network_tag "internal" }}
  289. # Only allow traffic from internal clients
  290. include /etc/nginx/network_internal.conf;
  291. {{- end }}
  292. {{ $proto := $vpath.proto }}
  293. {{ $upstream := $vpath.upstream }}
  294. {{ $dest := $vpath.dest }}
  295. {{- if eq $proto "uwsgi" }}
  296. include uwsgi_params;
  297. uwsgi_pass {{ trim $proto }}://{{ trim $upstream }};
  298. {{- else if eq $proto "fastcgi" }}
  299. {{- if (exists "/etc/nginx/fastcgi.conf") }}
  300. include fastcgi.conf;
  301. {{- else if (exists "/etc/nginx/fastcgi_params") }}
  302. include fastcgi_params;
  303. {{- else }}
  304. # neither /etc/nginx/fastcgi.conf nor /etc/nginx/fastcgi_params found, fastcgi won't work
  305. {{- end }}
  306. root {{ trim .VhostRoot }};
  307. fastcgi_pass {{ trim $upstream }};
  308. {{- if ne $keepalive "disabled" }}
  309. fastcgi_keep_conn on;
  310. {{- end }}
  311. {{- else if eq $proto "grpc" }}
  312. grpc_pass {{ trim $proto }}://{{ trim $upstream }};
  313. {{- else if eq $proto "grpcs" }}
  314. grpc_pass {{ trim $proto }}://{{ trim $upstream }};
  315. {{- else }}
  316. proxy_pass {{ trim $proto }}://{{ trim $upstream }}{{ trim $dest }};
  317. set $upstream_keepalive {{ if ne $keepalive "disabled" }}true{{ else }}false{{ end }};
  318. {{- end }}
  319. {{- if (exists (printf "/etc/nginx/htpasswd/%s_%s" .Host (sha1 .Path) )) }}
  320. auth_basic "Restricted {{ .Host }}{{ .Path }}";
  321. auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s_%s" .Host (sha1 .Path)) }};
  322. {{- else if (exists (printf "/etc/nginx/htpasswd/%s" .Host)) }}
  323. auth_basic "Restricted {{ .HostIsRegexp | ternary "access" .Host }}";
  324. auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" .Host) }};
  325. {{- end }}
  326. {{- if (exists (printf "/etc/nginx/vhost.d/%s_%s_location" .Host (sha1 .Path) )) }}
  327. include {{ printf "/etc/nginx/vhost.d/%s_%s_location" .Host (sha1 .Path) }};
  328. {{- else if (exists (printf "/etc/nginx/vhost.d/%s_location" .Host)) }}
  329. include {{ printf "/etc/nginx/vhost.d/%s_location" .Host}};
  330. {{- else if (exists "/etc/nginx/vhost.d/default_location") }}
  331. include /etc/nginx/vhost.d/default_location;
  332. {{- end }}
  333. }
  334. {{- end }}
  335. {{- end }}
  336. {{- define "upstream" }}
  337. {{- $path := .Path }}
  338. {{- $vpath := .VPath }}
  339. upstream {{ $vpath.upstream }} {
  340. {{- $servers := 0 }}
  341. {{- $loadbalance := $vpath.loadbalance }}
  342. {{- if $loadbalance }}
  343. # From the container's loadbalance label:
  344. {{ $loadbalance }}
  345. {{- end }}
  346. {{- range $port, $containers := $vpath.ports }}
  347. {{- range $container := $containers }}
  348. # Container: {{ $container.Name }}
  349. {{- $args := dict "globals" $.globals "container" $container }}
  350. {{- template "container_ip" $args }}
  351. {{- $ip := $args.ip }}
  352. {{- $args = dict "container" $container "path" $path "port" $port }}
  353. {{- template "container_port" $args }}
  354. {{- if $ip }}
  355. {{- $servers = add1 $servers }}
  356. server {{ $ip }}:{{ $args.port }};
  357. {{- end }}
  358. {{- end }}
  359. {{- end }}
  360. {{- /* nginx-proxy/nginx-proxy#1105 */}}
  361. {{- if lt $servers 1 }}
  362. # Fallback entry
  363. server 127.0.0.1 down;
  364. {{- end }}
  365. {{- $keepalive := $vpath.keepalive }}
  366. {{- if and (ne $keepalive "disabled") (gt $servers 0) }}
  367. {{- if eq $keepalive "auto" }}
  368. keepalive {{ mul $servers 2 }};
  369. {{- else }}
  370. keepalive {{ $keepalive }};
  371. {{- end }}
  372. {{- end }}
  373. }
  374. {{- end }}
  375. {{- /* debug "endpoint" location template */}}
  376. {{- define "debug_location" }}
  377. {{- $debug_paths := dict }}
  378. {{- range $path, $vpath := .VHost.paths }}
  379. {{- $tmp_ports := dict }}
  380. {{- range $port, $containers := $vpath.ports }}
  381. {{- $tmp_containers := list }}
  382. {{- range $container := $containers }}
  383. {{- $tmp_containers = dict "Name" $container.Name | append $tmp_containers }}
  384. {{- end }}
  385. {{- $_ := set $tmp_ports $port $tmp_containers }}
  386. {{- end }}
  387. {{- $debug_vpath := deepCopy $vpath | merge (dict "ports" $tmp_ports) }}
  388. {{- $_ := set $debug_paths $path $debug_vpath }}
  389. {{- end }}
  390. {{- $debug_vhost := deepCopy .VHost }}
  391. {{- /* If it's a regexp, do not render the Hostname to the response to avoid rendering config breaking characters */}}
  392. {{- $_ := set $debug_vhost "hostname" (.VHost.is_regexp | ternary "Hostname is a regexp and unsafe to include in the debug response." .Hostname) }}
  393. {{- $_ := set $debug_vhost "paths" $debug_paths }}
  394. {{- $debug_response := dict
  395. "global" .GlobalConfig
  396. "request" (dict
  397. "host" "$host"
  398. "https" "$https"
  399. "http2" "$http2"
  400. "http3" "$http3"
  401. "ssl_cipher" "$ssl_cipher"
  402. "ssl_protocol" "$ssl_protocol"
  403. )
  404. "vhost" $debug_vhost
  405. }}
  406. {{- /*
  407. * The maximum line length in an nginx config is 4096 characters.
  408. * If we're nearing this limit (with headroom for the rest
  409. * of the directive), strip vhost.paths from the response.
  410. */}}
  411. {{- if gt (toJson $debug_response | len) 4000 }}
  412. {{- $_ := unset $debug_vhost "paths" }}
  413. {{- $_ := set $debug_response "warning" "Virtual paths configuration for this hostname is too large and has been stripped from response." }}
  414. {{- end }}
  415. location /nginx-proxy-debug {
  416. default_type application/json;
  417. return 200 '{{ toJson $debug_response }}{{ "\\n" }}';
  418. }
  419. {{- end }}
  420. {{- define "access_log" }}
  421. {{- when .Enable "access_log /var/log/nginx/access.log vhost;" "" }}
  422. {{- end }}
  423. # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
  424. # scheme used to connect to this server
  425. map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  426. default {{ if $globals.config.trust_downstream_proxy }}$http_x_forwarded_proto{{ else }}$scheme{{ end }};
  427. '' $scheme;
  428. }
  429. map $http_x_forwarded_host $proxy_x_forwarded_host {
  430. default {{ if $globals.config.trust_downstream_proxy }}$http_x_forwarded_host{{ else }}$host{{ end }};
  431. '' $host;
  432. }
  433. # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
  434. # server port the client connected to
  435. map $http_x_forwarded_port $proxy_x_forwarded_port {
  436. default {{ if $globals.config.trust_downstream_proxy }}$http_x_forwarded_port{{ else }}$server_port{{ end }};
  437. '' $server_port;
  438. }
  439. # Include the port in the Host header sent to the container if it is non-standard
  440. map $server_port $host_port {
  441. default :$server_port;
  442. 80 '';
  443. 443 '';
  444. }
  445. # If the request from the downstream client has an "Upgrade:" header (set to any
  446. # non-empty value), pass "Connection: upgrade" to the upstream (backend) server.
  447. # Otherwise, the value for the "Connection" header depends on whether the user
  448. # has enabled keepalive to the upstream server.
  449. map $http_upgrade $proxy_connection {
  450. default upgrade;
  451. '' $proxy_connection_noupgrade;
  452. }
  453. map $upstream_keepalive $proxy_connection_noupgrade {
  454. # Preserve nginx's default behavior (send "Connection: close").
  455. default close;
  456. # Use an empty string to cancel nginx's default behavior.
  457. true '';
  458. }
  459. # Abuse the map directive (see <https://stackoverflow.com/q/14433309>) to ensure
  460. # that $upstream_keepalive is always defined. This is necessary because:
  461. # - The $proxy_connection variable is indirectly derived from
  462. # $upstream_keepalive, so $upstream_keepalive must be defined whenever
  463. # $proxy_connection is resolved.
  464. # - The $proxy_connection variable is used in a proxy_set_header directive in
  465. # the http block, so it is always fully resolved for every request -- even
  466. # those where proxy_pass is not used (e.g., unknown virtual host).
  467. map "" $upstream_keepalive {
  468. # The value here should not matter because it should always be overridden in
  469. # a location block (see the "location" template) for all requests where the
  470. # value actually matters.
  471. default false;
  472. }
  473. # Apply fix for very long server names
  474. server_names_hash_bucket_size 128;
  475. # Default dhparam
  476. {{- if (exists "/etc/nginx/dhparam/dhparam.pem") }}
  477. ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
  478. {{- end }}
  479. # Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
  480. map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
  481. default off;
  482. https on;
  483. }
  484. gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
  485. {{- /* See https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format for details and variables
  486. * LOG_FORMAT_ESCAPE sets the escape part of the log format
  487. * LOG_FORMAT sets the log format
  488. */}}
  489. {{- $logEscape := $globals.config.log_format_escape | default "default" | printf "escape=%s" }}
  490. {{- $logFormat := $globals.config.log_format | default `$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_addr"` }}
  491. {{- if $globals.config.enable_json_logs }}
  492. # JSON Logging enabled (via LOG_JSON env variable)
  493. {{- $logEscape = $globals.config.log_format_escape | default "json" | printf "escape=%s" }}
  494. {{- $logFormat = $globals.config.log_format | default `{"time_local":"$time_iso8601","client_ip":"$http_x_forwarded_for","remote_addr":"$remote_addr","request":"$request","status":"$status","body_bytes_sent":"$body_bytes_sent","request_time":"$request_time","upstream_response_time":"$upstream_response_time","upstream_addr":"$upstream_addr","http_referrer":"$http_referer","http_user_agent":"$http_user_agent","request_id":"$request_id"}` }}
  495. {{- end }}
  496. log_format vhost {{ $logEscape }} '{{ $logFormat }}';
  497. access_log off;
  498. {{- /* Lower the SSL policy of the http context
  499. * if at least one vhost use a TLSv1 or TLSv1.1 policy
  500. * so TLSv1 and TLSv1.1 can be enabled on those vhosts
  501. */}}
  502. {{- $httpContextSslPolicy := $globals.config.ssl_policy }}
  503. {{- $inUseSslPolicies := groupByKeys $globals.containers "Env.SSL_POLICY" }}
  504. {{- range $tls1Policy := list "AWS-TLS13-1-1-2021-06" "AWS-TLS13-1-0-2021-06" "AWS-FS-1-1-2019-08" "AWS-FS-2018-06" "AWS-TLS-1-1-2017-01" "AWS-2016-08" "AWS-2015-05" "AWS-2015-03" "AWS-2015-02" "Mozilla-Old" }}
  505. {{- if has $tls1Policy $inUseSslPolicies }}
  506. # Using Mozilla-Old SSL policy on the http context to allow TLSv1 and TLSv1.1
  507. {{- $httpContextSslPolicy = "Mozilla-Old" }}
  508. {{- break }}
  509. {{- end }}
  510. {{- end }}
  511. {{- template "ssl_policy" (dict "ssl_policy" $httpContextSslPolicy) }}
  512. error_log /dev/stderr;
  513. {{- if $globals.config.resolvers }}
  514. resolver {{ $globals.config.resolvers }};
  515. {{- end }}
  516. {{- if (exists "/etc/nginx/proxy.conf") }}
  517. include /etc/nginx/proxy.conf;
  518. {{- else }}
  519. # HTTP 1.1 support
  520. proxy_http_version 1.1;
  521. proxy_set_header Host $host$host_port;
  522. proxy_set_header Upgrade $http_upgrade;
  523. proxy_set_header Connection $proxy_connection;
  524. proxy_set_header X-Real-IP $remote_addr;
  525. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  526. proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
  527. proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
  528. proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
  529. proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
  530. proxy_set_header X-Original-URI $request_uri;
  531. # Mitigate httpoxy attack (see README for details)
  532. proxy_set_header Proxy "";
  533. {{- end }}
  534. {{- /* Precompute and store some information about vhost that use VIRTUAL_HOST_MULTIPORTS. */}}
  535. {{- range $vhosts_yaml, $containers := groupBy $globals.containers "Env.VIRTUAL_HOST_MULTIPORTS" }}
  536. {{- /* Print a warning in the config if VIRTUAL_HOST_MULTIPORTS can't be parsed. */}}
  537. {{- $parsedVhosts := fromYaml $vhosts_yaml }}
  538. {{- if (empty $parsedVhosts) }}
  539. {{- $containerNames := list }}
  540. {{- range $container := $containers }}
  541. {{- $containerNames = append $containerNames $container.Name }}
  542. {{- end }}
  543. # /!\ WARNING: the VIRTUAL_HOST_MULTIPORTS environment variable used for {{ len $containerNames | plural "this container" "those containers" }} is not a valid YAML string:
  544. # {{ $containerNames | join ", " }}
  545. {{- continue }}
  546. {{- end }}
  547. {{- range $hostname, $vhost := $parsedVhosts }}
  548. {{- $vhost_data := get $globals.vhosts $hostname | default (dict) }}
  549. {{- $paths := $vhost_data.paths | default (dict) }}
  550. {{- if (empty $vhost) }}
  551. {{ $vhost = dict "/" (dict) }}
  552. {{- end }}
  553. {{- range $path, $vpath := $vhost }}
  554. {{- if (empty $vpath) }}
  555. {{- $vpath = dict
  556. "dest" ""
  557. "port" "default"
  558. "proto" "http"
  559. }}
  560. {{- end }}
  561. {{- $dest := $vpath.dest | default "" }}
  562. {{- $port := $vpath.port | default "default" | toString }}
  563. {{- $proto := $vpath.proto | default "http" }}
  564. {{- $path_data := get $paths $path | default (dict) }}
  565. {{- $path_ports := $path_data.ports | default (dict) }}
  566. {{- $path_port_containers := get $path_ports $port | default (list) | concat $containers }}
  567. {{- $_ := set $path_ports $port $path_port_containers }}
  568. {{- $_ := set $path_data "ports" $path_ports }}
  569. {{- if (not (hasKey $path_data "dest")) }}
  570. {{- $_ := set $path_data "dest" $dest }}
  571. {{- end }}
  572. {{- if (not (hasKey $path_data "proto")) }}
  573. {{- $_ := set $path_data "proto" $proto }}
  574. {{- end }}
  575. {{- $_ := set $paths $path $path_data }}
  576. {{- end }}
  577. {{- $_ := set $vhost_data "paths" $paths }}
  578. {{- $_ := set $globals.vhosts $hostname $vhost_data }}
  579. {{- end }}
  580. {{- end }}
  581. {{- /* Precompute and store some information about vhost that use VIRTUAL_HOST. */}}
  582. {{- range $hostname, $containers := groupByMulti $globals.containers "Env.VIRTUAL_HOST" "," }}
  583. {{- /* Ignore containers with VIRTUAL_HOST set to the empty string. */}}
  584. {{- $hostname = trim $hostname }}
  585. {{- if not $hostname }}
  586. {{- continue }}
  587. {{- end }}
  588. {{- /* Drop containers with both VIRTUAL_HOST and VIRTUAL_HOST_MULTIPORTS set
  589. * (VIRTUAL_HOST_MULTIPORTS takes precedence thanks to the previous loop).
  590. */}}
  591. {{- range $_, $containers_to_drop := groupBy $containers "Env.VIRTUAL_HOST_MULTIPORTS" }}
  592. {{- range $container := $containers_to_drop }}
  593. {{- $containers = without $containers $container }}
  594. {{- end }}
  595. {{- end }}
  596. {{- if (eq (len $containers) 0) }}
  597. {{- continue }}
  598. {{- end }}
  599. {{- $vhost_data := get $globals.vhosts $hostname | default (dict) }}
  600. {{- $paths := $vhost_data.paths | default (dict) }}
  601. {{- $tmp_paths := groupByWithDefault $containers "Env.VIRTUAL_PATH" "/" }}
  602. {{- range $path, $containers := $tmp_paths }}
  603. {{- $dest := groupByKeys $containers "Env.VIRTUAL_DEST" | first | default "" }}
  604. {{- $proto := groupByKeys $containers "Env.VIRTUAL_PROTO" | first | default "http" | trim }}
  605. {{- $path_data := get $paths $path | default (dict) }}
  606. {{- $path_ports := $path_data.ports | default (dict) }}
  607. {{- range $port, $containers := groupByWithDefault $containers "Env.VIRTUAL_PORT" "default" }}
  608. {{- $path_port_containers := get $path_ports $port | default (list) | concat $containers }}
  609. {{- $_ := set $path_ports $port $path_port_containers }}
  610. {{- end }}
  611. {{- $_ := set $path_data "ports" $path_ports }}
  612. {{- if (not (hasKey $path_data "dest")) }}
  613. {{- $_ := set $path_data "dest" $dest }}
  614. {{- end }}
  615. {{- if (not (hasKey $path_data "proto")) }}
  616. {{- $_ := set $path_data "proto" $proto }}
  617. {{- end }}
  618. {{- $_ := set $paths $path $path_data }}
  619. {{- end }}
  620. {{- $_ := set $vhost_data "paths" $paths }}
  621. {{- $_ := set $globals.vhosts $hostname $vhost_data }}
  622. {{- end }}
  623. {{- /* Loop over $globals.vhosts and update it with the remaining informations about each vhost. */}}
  624. {{- range $hostname, $vhost_data := $globals.vhosts }}
  625. {{- $is_regexp := hasPrefix "~" $hostname }}
  626. {{- $upstream_name := or $is_regexp $globals.config.sha1_upstream_name | ternary (sha1 $hostname) $hostname }}
  627. {{- $vhost_containers := list }}
  628. {{- range $path, $vpath_data := $vhost_data.paths }}
  629. {{- $vpath_containers := list }}
  630. {{- range $port, $vport_containers := $vpath_data.ports }}
  631. {{ $vpath_containers = concat $vpath_containers $vport_containers }}
  632. {{- end }}
  633. {{- /* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external". */}}
  634. {{- $network_tag := groupByKeys $vpath_containers "Env.NETWORK_ACCESS" | first | default "external" }}
  635. {{- $loadbalance := groupByLabel $vpath_containers "com.github.nginx-proxy.nginx-proxy.loadbalance" | keys | first }}
  636. {{- $keepalive := groupByLabel $vpath_containers "com.github.nginx-proxy.nginx-proxy.keepalive" | keys | first | default "auto" }}
  637. {{- $upstream := $upstream_name }}
  638. {{- if (not (eq $path "/")) }}
  639. {{- $sum := sha1 $path }}
  640. {{- $upstream = printf "%s-%s" $upstream $sum }}
  641. {{- end }}
  642. {{- $_ := set $vpath_data "network_tag" $network_tag }}
  643. {{- $_ := set $vpath_data "upstream" $upstream }}
  644. {{- $_ := set $vpath_data "loadbalance" $loadbalance }}
  645. {{- $_ := set $vpath_data "keepalive" $keepalive }}
  646. {{- $_ := set $vhost_data.paths $path $vpath_data }}
  647. {{ $vhost_containers = concat $vhost_containers $vpath_containers }}
  648. {{- end }}
  649. {{- $userIdentifiedCert := groupByKeys $vhost_containers "Env.CERT_NAME" | first }}
  650. {{- $vhostCert := "" }}
  651. {{- if exists (printf "/etc/nginx/certs/%s.crt" $hostname) }}
  652. {{- $vhostCert = $hostname }}
  653. {{- end }}
  654. {{- $parentVhostCert := "" }}
  655. {{- if gt ($hostname | sprigSplit "." | len) 2 }}
  656. {{- $parentHostname := ($hostname | sprigSplitn "." 2)._1 }}
  657. {{- if exists (printf "/etc/nginx/certs/%s.crt" $parentHostname) }}
  658. {{- $parentVhostCert = $parentHostname }}
  659. {{- end }}
  660. {{- end }}
  661. {{- $trust_default_cert := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.trust-default-cert" | keys | first | default $globals.config.trust_default_cert | parseBool }}
  662. {{- $defaultCert := and $trust_default_cert $globals.config.default_cert_ok | ternary "default" "" }}
  663. {{- $cert := or $userIdentifiedCert $vhostCert $parentVhostCert $defaultCert }}
  664. {{- $cert_ok := and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert)) }}
  665. {{- $enable_debug_endpoint := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.debug-endpoint" | keys | first | default $globals.config.enable_debug_endpoint | parseBool }}
  666. {{- $default := eq $globals.config.default_host $hostname }}
  667. {{- $https_method := groupByKeys $vhost_containers "Env.HTTPS_METHOD" | first | default $globals.config.https_method }}
  668. {{- $enable_http_on_missing_cert := groupByKeys $vhost_containers "Env.ENABLE_HTTP_ON_MISSING_CERT" | first | default $globals.config.enable_http_on_missing_cert | parseBool }}
  669. {{- /* When no trusted certs (default and/or vhost) are present we want to ensure that HTTP is enabled; hence switching from 'nohttp' or 'redirect' to 'noredirect' */}}
  670. {{- $https_method_disable_http := list "nohttp" "redirect" | has $https_method }}
  671. {{- if and $https_method_disable_http (not $cert_ok) $enable_http_on_missing_cert }}
  672. {{- $https_method = "noredirect" }}
  673. {{- end }}
  674. {{- $non_get_redirect := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.non-get-redirect" | keys | first | default $globals.config.non_get_redirect }}
  675. {{- $http2_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable" | keys | first | default $globals.config.enable_http2 | parseBool }}
  676. {{- $http3_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable" | keys | first | default $globals.config.enable_http3 | parseBool }}
  677. {{- $acme_http_challenge := groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION" | first | default $globals.config.acme_http_challenge }}
  678. {{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }}
  679. {{- $acme_http_challenge_enabled := false }}
  680. {{- if (not $acme_http_challenge_legacy) }}
  681. {{- $acme_http_challenge_enabled = parseBool $acme_http_challenge }}
  682. {{- end }}
  683. {{- /* Get the SERVER_TOKENS defined by containers w/ the same vhost, falling back to "". */}}
  684. {{- $server_tokens := groupByKeys $vhost_containers "Env.SERVER_TOKENS" | first | default "" | trim }}
  685. {{- /* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to empty string (use default). */}}
  686. {{- $ssl_policy := groupByKeys $vhost_containers "Env.SSL_POLICY" | first | default "" }}
  687. {{- /* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000". */}}
  688. {{- $hsts := groupByKeys $vhost_containers "Env.HSTS" | first | default $globals.config.hsts }}
  689. {{- /* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
  690. {{- $vhost_root := groupByKeys $vhost_containers "Env.VIRTUAL_ROOT" | first | default "/var/www/public" }}
  691. {{- $vhost_data = merge $vhost_data (dict
  692. "cert" $cert
  693. "cert_ok" $cert_ok
  694. "enable_debug_endpoint" $enable_debug_endpoint
  695. "default" $default
  696. "hsts" $hsts
  697. "https_method" $https_method
  698. "non_get_redirect" $non_get_redirect
  699. "http2_enabled" $http2_enabled
  700. "http3_enabled" $http3_enabled
  701. "is_regexp" $is_regexp
  702. "acme_http_challenge_legacy" $acme_http_challenge_legacy
  703. "acme_http_challenge_enabled" $acme_http_challenge_enabled
  704. "server_tokens" $server_tokens
  705. "ssl_policy" $ssl_policy
  706. "trust_default_cert" $trust_default_cert
  707. "upstream_name" $upstream_name
  708. "vhost_root" $vhost_root
  709. ) }}
  710. {{- $_ := set $globals.vhosts $hostname $vhost_data }}
  711. {{- end }}
  712. {{- /*
  713. * If needed, create a catch-all fallback server to send an error code to
  714. * clients that request something from an unknown vhost.
  715. *
  716. * This server must appear first in the generated config because nginx uses
  717. * the first `server` directive to handle requests that don't match any of
  718. * the other `server` directives. An alternative approach would be to add
  719. * the `default_server` option to the `listen` directives inside this
  720. * `server`, but some users inject a custom `server` directive that uses
  721. * `default_server`. Using `default_server` here would cause nginx to fail
  722. * to start for those users. See
  723. * <https://github.com/nginx-proxy/nginx-proxy/issues/2212>.
  724. */}}
  725. {{- block "fallback_server" $globals }}
  726. {{- $globals := . }}
  727. {{- $http_exists := false }}
  728. {{- $https_exists := false }}
  729. {{- $default_http_exists := false }}
  730. {{- $default_https_exists := false }}
  731. {{- $http3_enabled := false }}
  732. {{- range $vhost := $globals.vhosts }}
  733. {{- $http := ne $vhost.https_method "nohttp" }}
  734. {{- $https := ne $vhost.https_method "nohttps" }}
  735. {{- $http_exists = or $http_exists $http }}
  736. {{- $https_exists = or $https_exists $https }}
  737. {{- $default_http_exists = or $default_http_exists (and $http $vhost.default) }}
  738. {{- $default_https_exists = or $default_https_exists (and $https $vhost.default) }}
  739. {{- $http3_enabled = or $http3_enabled $vhost.http3_enabled }}
  740. {{- end }}
  741. {{- $fallback_http := not $default_http_exists }}
  742. {{- $fallback_https := not $default_https_exists }}
  743. {{- /*
  744. * If there are no vhosts at all, create fallbacks for both plain http
  745. * and https so that clients get something more useful than a connection
  746. * refused error.
  747. */}}
  748. {{- if and (not $http_exists) (not $https_exists) }}
  749. {{- $fallback_https = true }}
  750. {{- end }}
  751. {{- if or $fallback_http $fallback_https }}
  752. server {
  753. server_name _; # This is just an invalid value which will never trigger on a real hostname.
  754. server_tokens off;
  755. {{ template "access_log" (dict "Enable" $globals.config.enable_access_log) }}
  756. http2 on;
  757. {{- if $fallback_http }}
  758. listen {{ $globals.config.external_http_port }}; {{- /* Do not add `default_server` (see comment above). */}}
  759. {{- if $globals.config.enable_ipv6 }}
  760. listen [::]:{{ $globals.config.external_http_port }}; {{- /* Do not add `default_server` (see comment above). */}}
  761. {{- end }}
  762. {{- end }}
  763. {{- if $fallback_https }}
  764. listen {{ $globals.config.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}}
  765. {{- if $globals.config.enable_ipv6 }}
  766. listen [::]:{{ $globals.config.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}}
  767. {{- end }}
  768. {{- if $http3_enabled }}
  769. http3 on;
  770. listen {{ $globals.config.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}}
  771. {{- if $globals.config.enable_ipv6 }}
  772. listen [::]:{{ $globals.config.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}}
  773. {{- end }}
  774. {{- end }}
  775. ssl_session_cache shared:SSL:50m;
  776. ssl_session_tickets off;
  777. {{- end }}
  778. {{- if $globals.config.default_cert_ok }}
  779. ssl_certificate /etc/nginx/certs/default.crt;
  780. ssl_certificate_key /etc/nginx/certs/default.key;
  781. {{- else }}
  782. # No default certificate found, so reject SSL handshake;
  783. ssl_reject_handshake on;
  784. {{- end }}
  785. {{- if $globals.config.acme_http_challenge_accept_unknown_host }}
  786. location ^~ /.well-known/acme-challenge/ {
  787. auth_basic off;
  788. allow all;
  789. root /usr/share/nginx/html;
  790. try_files $uri =404;
  791. break;
  792. }
  793. {{- end }}
  794. {{- if (exists "/usr/share/nginx/html/errors/50x.html") }}
  795. error_page 500 502 503 504 /50x.html;
  796. location /50x.html {
  797. root /usr/share/nginx/html/errors;
  798. internal;
  799. }
  800. {{- end }}
  801. location ^~ / {
  802. return 503;
  803. }
  804. }
  805. {{- end }}
  806. {{- end }}
  807. {{- range $hostname, $vhost := $globals.vhosts }}
  808. {{- $default_server := when $vhost.default "default_server" "" }}
  809. {{- range $path, $vpath := $vhost.paths }}
  810. # {{ $hostname }}{{ $path }}
  811. {{ template "upstream" (dict "globals" $globals "Path" $path "VPath" $vpath) }}
  812. {{- end }}
  813. {{- if (eq $vhost.https_method "redirect") }}
  814. server {
  815. server_name {{ $hostname }};
  816. {{- if $vhost.server_tokens }}
  817. server_tokens {{ $vhost.server_tokens }};
  818. {{- end }}
  819. {{ template "access_log" (dict "Enable" $globals.config.enable_access_log) }}
  820. listen {{ $globals.config.external_http_port }} {{ $default_server }};
  821. {{- if $globals.config.enable_ipv6 }}
  822. listen [::]:{{ $globals.config.external_http_port }} {{ $default_server }};
  823. {{- end }}
  824. {{- if (or $vhost.acme_http_challenge_legacy $vhost.acme_http_challenge_enabled) }}
  825. # Do not HTTPS redirect Let's Encrypt ACME challenge
  826. location ^~ /.well-known/acme-challenge/ {
  827. auth_basic off;
  828. auth_request off;
  829. allow all;
  830. root /usr/share/nginx/html;
  831. try_files $uri =404;
  832. break;
  833. }
  834. {{- end }}
  835. {{- if $vhost.enable_debug_endpoint }}
  836. {{ template "debug_location" (dict "GlobalConfig" $globals.config "Hostname" $hostname "VHost" $vhost) }}
  837. {{- end }}
  838. location / {
  839. {{- $redirect_uri := "https://$host$request_uri" }}
  840. {{- if ne $globals.config.external_https_port "443" }}
  841. {{- $redirect_uri = printf "https://$host:%s$request_uri" $globals.config.external_https_port }}
  842. {{- end}}
  843. if ($request_method ~ (OPTIONS|POST|PUT|PATCH|DELETE)) {
  844. return {{ $vhost.non_get_redirect }} {{ $redirect_uri }};
  845. }
  846. return 301 {{ $redirect_uri }};
  847. }
  848. }
  849. {{- end }}
  850. server {
  851. {{- if $vhost.is_regexp }}
  852. {{- if or
  853. (printf "/etc/nginx/vhost.d/%s" $hostname | exists)
  854. (printf "/etc/nginx/vhost.d/%s_location" $hostname | exists)
  855. (printf "/etc/nginx/vhost.d/%s_location_override" $hostname | exists)
  856. (printf "/etc/nginx/htpasswd/%s" $hostname | exists)
  857. }}
  858. # https://github.com/nginx-proxy/nginx-proxy/issues/2529#issuecomment-2437609249
  859. # Support for vhost config file(s) named like a regexp ({{ $hostname }}) has been removed from nginx-proxy.
  860. # Please name your vhost config file(s) with the sha1 of the regexp instead ({{ $hostname }} -> {{ sha1 $hostname }}) :
  861. # - /etc/nginx/vhost.d/{{ sha1 $hostname }}
  862. # - /etc/nginx/vhost.d/{{ sha1 $hostname }}_location
  863. # - /etc/nginx/vhost.d/{{ sha1 $hostname }}_location_override
  864. # - /etc/nginx/htpasswd/{{ sha1 $hostname }}
  865. {{- end }}
  866. {{- end }}
  867. server_name {{ $hostname }};
  868. {{- if $vhost.server_tokens }}
  869. server_tokens {{ $vhost.server_tokens }};
  870. {{- end }}
  871. {{ template "access_log" (dict "Enable" $globals.config.enable_access_log) }}
  872. {{- if $vhost.http2_enabled }}
  873. http2 on;
  874. {{- end }}
  875. {{- if or (eq $vhost.https_method "nohttps") (eq $vhost.https_method "noredirect") }}
  876. listen {{ $globals.config.external_http_port }} {{ $default_server }};
  877. {{- if $globals.config.enable_ipv6 }}
  878. listen [::]:{{ $globals.config.external_http_port }} {{ $default_server }};
  879. {{- end }}
  880. {{- if (and (eq $vhost.https_method "noredirect") $vhost.acme_http_challenge_enabled) }}
  881. location /.well-known/acme-challenge/ {
  882. auth_basic off;
  883. allow all;
  884. root /usr/share/nginx/html;
  885. try_files $uri =404;
  886. break;
  887. }
  888. {{- end }}
  889. {{- end }}
  890. {{- if ne $vhost.https_method "nohttps" }}
  891. listen {{ $globals.config.external_https_port }} ssl {{ $default_server }};
  892. {{- if $globals.config.enable_ipv6 }}
  893. listen [::]:{{ $globals.config.external_https_port }} ssl {{ $default_server }};
  894. {{- end }}
  895. {{- if $vhost.http3_enabled }}
  896. http3 on;
  897. add_header alt-svc 'h3=":{{ $globals.config.external_https_port }}"; ma=86400;';
  898. listen {{ $globals.config.external_https_port }} quic {{ $default_server }};
  899. {{- if $globals.config.enable_ipv6 }}
  900. listen [::]:{{ $globals.config.external_https_port }} quic {{ $default_server }};
  901. {{- end }}
  902. {{- end }}
  903. {{- if $vhost.cert_ok }}
  904. {{- template "ssl_policy" (dict "ssl_policy" $vhost.ssl_policy) }}
  905. ssl_session_timeout 5m;
  906. ssl_session_cache shared:SSL:50m;
  907. ssl_session_tickets off;
  908. ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $vhost.cert) }};
  909. ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $vhost.cert) }};
  910. {{- if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $vhost.cert)) }}
  911. ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $vhost.cert }};
  912. {{- end }}
  913. {{- if (exists (printf "/etc/nginx/certs/%s.chain.pem" $vhost.cert)) }}
  914. ssl_stapling on;
  915. ssl_stapling_verify on;
  916. ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $vhost.cert }};
  917. {{- end }}
  918. {{- if (not (or (eq $vhost.https_method "noredirect") (eq $vhost.hsts "off"))) }}
  919. set $sts_header "";
  920. if ($https) {
  921. set $sts_header "{{ trim $vhost.hsts }}";
  922. }
  923. add_header Strict-Transport-Security $sts_header always;
  924. {{- end }}
  925. {{- else if not $vhost.trust_default_cert | and $globals.config.default_cert_ok }}
  926. # No certificate found for this vhost, and the default certificate isn't trusted, so reject SSL handshake.
  927. ssl_reject_handshake on;
  928. {{- else }}
  929. # No certificate for this vhost nor default certificate found, so reject SSL handshake.
  930. ssl_reject_handshake on;
  931. {{- end }}
  932. {{- end }}
  933. {{- $vhostFileName := $vhost.is_regexp | ternary (sha1 $hostname) $hostname }}
  934. {{- if (exists (printf "/etc/nginx/vhost.d/%s" $vhostFileName)) }}
  935. include {{ printf "/etc/nginx/vhost.d/%s" $vhostFileName }};
  936. {{- else if (exists "/etc/nginx/vhost.d/default") }}
  937. include /etc/nginx/vhost.d/default;
  938. {{- end }}
  939. {{- if $vhost.enable_debug_endpoint }}
  940. {{ template "debug_location" (dict "GlobalConfig" $globals.config "Hostname" $hostname "VHost" $vhost) }}
  941. {{- end }}
  942. {{- range $path, $vpath := $vhost.paths }}
  943. {{- template "location" (dict
  944. "Path" $path
  945. "Host" $vhostFileName
  946. "HostIsRegexp" $vhost.is_regexp
  947. "VhostRoot" $vhost.vhost_root
  948. "VPath" $vpath
  949. ) }}
  950. {{- end }}
  951. {{- if and (not (contains $vhost.paths "/")) (ne $globals.config.default_root_response "none")}}
  952. location / {
  953. return {{ $globals.config.default_root_response }};
  954. }
  955. {{- end }}
  956. }
  957. {{- end }}