diff options
author | Christian Breunig <christian@breunig.cc> | 2024-01-09 19:28:41 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-01-09 19:28:41 +0100 |
commit | 10f6eac581ba46a0c235ae7c97541c7094567e70 (patch) | |
tree | cff914f134f7e71e9c1cce570e4a8e0320e95877 /data/templates/https/nginx.default.j2 | |
parent | 864524ba86b0a4d57ab64d6e9398c3fd5eb2fce4 (diff) | |
parent | 07e802a2d3f98cdf29928bf321cc8b89cb41766c (diff) | |
download | vyos-1x-10f6eac581ba46a0c235ae7c97541c7094567e70.tar.gz vyos-1x-10f6eac581ba46a0c235ae7c97541c7094567e70.zip |
Merge pull request #2773 from c-po/https-rework-t5766
https: T5902: remove virtual-host configuration
Diffstat (limited to 'data/templates/https/nginx.default.j2')
-rw-r--r-- | data/templates/https/nginx.default.j2 | 101 |
1 files changed, 53 insertions, 48 deletions
diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2 index a530c14ba..5d17df001 100644 --- a/data/templates/https/nginx.default.j2 +++ b/data/templates/https/nginx.default.j2 @@ -1,60 +1,65 @@ ### Autogenerated by service_https.py ### -# Default server configuration -{% for server in server_block_list %} +{% if enable_http_redirect is vyos_defined %} server { - # SSL configuration - # -{% if server.address == '*' %} - listen {{ server.port }} ssl; - listen [::]:{{ server.port }} ssl; -{% else %} - listen {{ server.address | bracketize_ipv6 }}:{{ server.port }} ssl; -{% endif %} + listen 80 default_server; + server_name {{ hostname }}; + return 301 https://$host$request_uri; +} +{% endif %} -{% for name in server.name %} - server_name {{ name }}; +server { +{% if listen_address is vyos_defined %} +{% for address in listen_address %} + listen {{ address | bracketize_ipv6 }}:{{ port }} ssl; {% endfor %} +{% else %} + listen {{ port }} ssl; + listen [::]:{{ port }} ssl; +{% endif %} - root /srv/localui; + server_name {{ hostname }}; + root /srv/localui; -{% if server.vyos_cert %} - ssl_certificate {{ server.vyos_cert.crt }}; - ssl_certificate_key {{ server.vyos_cert.key }}; -{% else %} - # - # Self signed certs generated by the ssl-cert package - # Don't use them in a production server! - # - include snippets/snakeoil.conf; + # SSL configuration +{% if certificates.cert_path is vyos_defined and certificates.key_path is vyos_defined %} + ssl_certificate {{ certificates.cert_path }}; + ssl_certificate_key {{ certificates.key_path }}; +{% if certificates.dh_file is vyos_defined %} + ssl_dhparam {{ certificates.dh_file }}; {% endif %} - ssl_session_cache shared:le_nginx_SSL:10m; - ssl_session_timeout 1440m; - ssl_session_tickets off; +{% else %} + # Self signed certs generated by the ssl-cert package + # Don't use them in a production server! + include snippets/snakeoil.conf; +{% endif %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; + # Improve HTTPS performance with session resumption + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_protocols {{ 'TLSv' ~ ' TLSv'.join(tls_version) }}; - # proxy settings for HTTP API, if enabled; 503, if not - location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) { -{% if server.api %} - proxy_pass http://unix:/run/api.sock; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 600; - proxy_buffering off; -{% else %} - return 503; -{% endif %} -{% if server.allow_client %} -{% for client in server.allow_client %} - allow {{ client }}; -{% endfor %} - deny all; -{% endif %} - } + # From LetsEncrypt + ssl_prefer_server_ciphers on; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; - error_page 497 =301 https://$host:{{ server.port }}$request_uri; + # proxy settings for HTTP API, if enabled; 503, if not + location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) { +{% if api is vyos_defined %} + proxy_pass http://unix:/run/api.sock; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 600; + proxy_buffering off; +{% else %} + return 503; +{% endif %} +{% if allow_client.address is vyos_defined %} +{% for address in allow_client.address %} + allow {{ address }}; +{% endfor %} + deny all; +{% endif %} + } + error_page 497 =301 https://$host:{{ port }}$request_uri; } - -{% endfor %} |