nginx/nginx.conf.j2


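# nginx front end rendered from a Jinja2 template.
#
# Layout:
#   * a plain-HTTP and a TLS catch-all server that answer every unknown
#     host name with a fixed 200 body ("Nothing to see here");
#   * per application / per site (otherapps[app]["imports"]["web"]):
#     an HTTP -> HTTPS redirect server and a TLS reverse-proxy server.
#
# Template inputs (assumed from usage here; confirm against the playbook
# that renders this file):
#   config.listenhttpaddress4 / listenhttpaddress6 - bind addresses
#   config.httpport / config.httpsport              - listen ports
#   onesite.publicname                              - served host name
#   onesite.proxyaddress                            - upstream URL
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    gzip on;

    # Do not advertise the exact nginx version in the Server header and
    # on error pages.
    server_tokens off;

    # TLS policy for every `ssl` server below. It is set only here on
    # purpose: an ssl_protocols directive inside a server block replaces
    # (does not merge with) this one, which previously silently disabled
    # TLS 1.3 for all sites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Catch-all for any host name that no site below claims (plain HTTP).
    # default_server makes the intent explicit instead of relying on this
    # being the first server block for the address.
    server {
        listen [{{ config.listenhttpaddress6 }}]:{{ config.httpport }} default_server;
        listen {{ config.listenhttpaddress4 }}:{{ config.httpport }} default_server;
        server_name _;
        root /var/www/empty;
        default_type text/html;
        return 200 "Nothing to see here";
    }

    # Catch-all for unknown host names over TLS (also used when the client
    # sends no SNI, since it is the default server for the port).
    server {
        listen [{{ config.listenhttpaddress6 }}]:{{ config.httpsport }} ssl default_server;
        listen {{ config.listenhttpaddress4 }}:{{ config.httpsport }} ssl default_server;
        server_name _;
        ssl_certificate /etc/nginx/ssl.cert;
        ssl_certificate_key /etc/nginx/ssl.key;
        # 15768000 s is about six months.
        add_header Strict-Transport-Security max-age=15768000;
        default_type text/html;
        return 200 "Nothing to see here";
    }

{% for app in otherapps -%}
{%- if "web" in otherapps[app]["imports"] -%}
{%- for onesite in otherapps[app]["imports"]["web"] -%}
    {# Redirect http to https. We only support https sites. #}
    server {
        listen [{{ config.listenhttpaddress6 }}]:{{ config.httpport }};
        listen {{ config.listenhttpaddress4 }}:{{ config.httpport }};
        server_name {{ onesite.publicname }};
        root /var/www/empty;
        location / {
            # $request_uri keeps the original path and query string; the
            # redirect target uses the configured public name rather than
            # the client-supplied Host header.
            return 301 https://{{ onesite.publicname }}$request_uri;
        }
    }

    # TLS reverse proxy for {{ onesite.publicname }}.
    server {
        listen [{{ config.listenhttpaddress6 }}]:{{ config.httpsport }} ssl;
        listen {{ config.listenhttpaddress4 }}:{{ config.httpsport }} ssl;
        server_name {{ onesite.publicname }};
        ssl_certificate /etc/nginx/ssl.cert;
        ssl_certificate_key /etc/nginx/ssl.key;
        # 15768000 s is about six months. Inherited by `location /` below
        # because that location declares no add_header of its own.
        add_header Strict-Transport-Security max-age=15768000;

        {# allow large file uploads, currently 500 meg. Should be increased if we really need big uploads #}
        client_max_body_size 500M;

        # Forwarding headers so the upstream sees the original client and scheme.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        {# enable websockets: http://nginx.org/en/docs/http/websocket.html #}
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        {# The Connection header lists, comma separated, which headers are hop-by-hop. So it doesn't hurt
        to define the upgrade header at all times; we don't have any other hop-by-hop headers anyway.
        NOTE(review): nginx's own docs use a `map $http_upgrade $connection_upgrade` so that
        non-WebSocket requests do not carry "Connection: upgrade"; switch to that if an upstream
        turns out to mind. #}
        proxy_set_header Connection "upgrade";
        proxy_redirect off;

        {# set timeout #}
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
        send_timeout 600s;

        location / {
            proxy_pass {{ onesite.proxyaddress }}/;
        }
    }
{% endfor -%}
{%- endif -%}
{%- endfor %}
}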