### Autogenerated by https.py ### # Default server configuration # server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 301 https://$host$request_uri; } {% for server in server_block_list %} server { # SSL configuration # {% if server.address == '*' %} listen {{ server.port }} ssl; listen [::]:{{ server.port }} ssl; {% else %} listen {{ server.address | bracketize_ipv6 }}:{{ server.port }} ssl; {% endif %} {% for name in server.name %} server_name {{ name }}; {% endfor %} {% if server.certbot %} ssl_certificate {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/fullchain.pem; ssl_certificate_key {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/privkey.pem; include {{ server.certbot_dir }}/options-ssl-nginx.conf; ssl_dhparam {{ server.certbot_dir }}/ssl-dhparams.pem; {% elif server.vyos_cert %} include {{ server.vyos_cert.conf }}; {% else %} # # Self signed certs generated by the ssl-cert package # Don't use them in a production server! # include snippets/snakeoil.conf; {% endif %} ssl_protocols TLSv1.2 TLSv1.3; # proxy settings for HTTP API, if enabled; 503, if not location ~ /(retrieve|configure|config-file|image|generate|show|docs|openapi.json|redoc) { {% if server.api %} proxy_pass http://localhost:{{ server.api.port }}; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 600; proxy_buffering off; {% else %} return 503; {% endif %} } error_page 497 =301 https://$host:{{ server.port }}$request_uri; error_page 501 502 503 =200 @50*_json; {% if api_set %} location @50*_json { default_type application/json; return 200 '{"error": "service https api unavailable at this proxy address: set service https api-restrict virtual-host"}'; } {% else %} location @50*_json { default_type application/json; return 200 '{"error": "Start service in configuration mode: set service https api"}'; } {% endif %} } {% endfor %}