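# nginx.conf (Jinja2 template).
# Renders one catch-all http and https server plus, for every app that
# imports "web", an http->https redirect server and a TLS-terminating
# reverse proxy to that app's `proxyaddress`.
#
# Template inputs used below:
#   config.listenhttpaddress4 / config.listenhttpaddress6 - public listen addresses
#   ports.http / ports.https                              - listen ports
#   otherapps[app]["imports"]["web"]["sites"]             - list of {publicname, proxyaddress}

user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    # TLS protocol policy for every ssl listener below.  The server blocks
    # inherit this setting; they used to re-declare "ssl_protocols TLSv1.2;",
    # which silently dropped TLSv1.3 on exactly the listeners that use TLS.
    ssl_protocols TLSv1.2 TLSv1.3;

    keepalive_timeout 65;

    gzip on;

    # Catch-all plain-http server.  Being the first server for these
    # listen addresses it is also the default for unknown Host headers.
    server {
        listen [{{ config.listenhttpaddress6 }}]:{{ ports.http }};
        listen {{ config.listenhttpaddress4 }}:{{ ports.http }};
        {# Only add the loopback listeners when they are not already covered
           by the configured public address (nginx rejects duplicate listens). #}
        {% if config.listenhttpaddress6 != "::1" %}listen [::1]:{{ ports.http }};{% endif %}
        {% if config.listenhttpaddress4 != "127.0.0.1" %}listen 127.0.0.1:{{ ports.http }};{% endif %}
        server_name _;
        root /var/www/empty;
        default_type text/html;
        return 200 "Nothing to see here";
    }

    # Catch-all https server: answers TLS connections whose SNI/Host matches
    # no configured site, using the shared certificate.
    server {
        listen [{{ config.listenhttpaddress6 }}]:{{ ports.https }} ssl;
        listen {{ config.listenhttpaddress4 }}:{{ ports.https }} ssl;
        {% if config.listenhttpaddress6 != "::1" %}listen [::1]:{{ ports.https }} ssl;{% endif %}
        {% if config.listenhttpaddress4 != "127.0.0.1" %}listen 127.0.0.1:{{ ports.https }} ssl;{% endif %}
        server_name _;
        ssl_certificate /etc/nginx/ssl.cert;
        ssl_certificate_key /etc/nginx/ssl.key;
        ssl_prefer_server_ciphers on;
        # HSTS, ~6 months.  Without the "always" parameter nginx omits
        # add_header on its own error responses (4xx/5xx); add it if the
        # installed nginx supports it (1.7.5+) and that matters here.
        add_header Strict-Transport-Security max-age=15768000;
        default_type text/html;
        return 200 "Nothing to see here";
    }

    {% for app in otherapps -%}
    {%- if "web" in otherapps[app]["imports"] -%}
    {%- for onesite in otherapps[app]["imports"]["web"]["sites"] -%}
    {# Redirect http to https.
       We only support https sites #}
    server {
        listen [{{ config.listenhttpaddress6 }}]:{{ ports.http }};
        listen {{ config.listenhttpaddress4 }}:{{ ports.http }};
        {% if config.listenhttpaddress6 != "::1" %}listen [::1]:{{ ports.http }};{% endif %}
        {% if config.listenhttpaddress4 != "127.0.0.1" %}listen 127.0.0.1:{{ ports.http }};{% endif %}
        server_name {{ onesite.publicname }};
        root /var/www/empty;
        location / {
            # The redirect target is the configured publicname, not the
            # client-supplied Host header, so a client cannot steer the
            # redirect to another host.
            rewrite ^/(.*)$ https://{{ onesite.publicname }}/$1 permanent;
        }
    }

    {# TLS-terminating reverse proxy for one site. #}
    server {
        listen [{{ config.listenhttpaddress6 }}]:{{ ports.https }} ssl;
        listen {{ config.listenhttpaddress4 }}:{{ ports.https }} ssl;
        {% if config.listenhttpaddress6 != "::1" %}listen [::1]:{{ ports.https }} ssl;{% endif %}
        {% if config.listenhttpaddress4 != "127.0.0.1" %}listen 127.0.0.1:{{ ports.https }} ssl;{% endif %}
        server_name {{ onesite.publicname }};
        ssl_certificate /etc/nginx/ssl.cert;
        ssl_certificate_key /etc/nginx/ssl.key;
        ssl_prefer_server_ciphers on;
        add_header Strict-Transport-Security max-age=15768000;

        {# allow large file uploads, currently 500 meg. Should be increased if we really need big uploads #}
        client_max_body_size 500M;

        # Set headers forwarded to the backend.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client already sent, so the backend may only
        # trust the last (rightmost) entry; X-Real-IP is the trustworthy one.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        {# enable websockets: http://nginx.org/en/docs/http/websocket.html #}
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        {# The Connection header defines, comma separated, which headers are
           hop-to-hop. So it doesn't hurt to define the upgrade header at all
           times, we don't have any other hop-to-hop headers anyway. #}
        proxy_set_header Connection "upgrade";
        proxy_redirect off;

        {# set timeout #}
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
        send_timeout 600s;

        location / {
            proxy_pass {{ onesite.proxyaddress }}/;
        }
    }
    {% endfor -%}
    {%- endif -%}
    {%- endfor %}
}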