summaryrefslogtreecommitdiff
path: root/data/templates/https/nginx.default.j2
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-01-09 19:28:41 +0100
committerGitHub <noreply@github.com>2024-01-09 19:28:41 +0100
commit10f6eac581ba46a0c235ae7c97541c7094567e70 (patch)
treecff914f134f7e71e9c1cce570e4a8e0320e95877 /data/templates/https/nginx.default.j2
parent864524ba86b0a4d57ab64d6e9398c3fd5eb2fce4 (diff)
parent07e802a2d3f98cdf29928bf321cc8b89cb41766c (diff)
downloadvyos-1x-10f6eac581ba46a0c235ae7c97541c7094567e70.tar.gz
vyos-1x-10f6eac581ba46a0c235ae7c97541c7094567e70.zip
Merge pull request #2773 from c-po/https-rework-t5766
https: T5902: remove virtual-host configuration
Diffstat (limited to 'data/templates/https/nginx.default.j2')
-rw-r--r--data/templates/https/nginx.default.j2101
1 files changed, 53 insertions, 48 deletions
diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2
index a530c14ba..5d17df001 100644
--- a/data/templates/https/nginx.default.j2
+++ b/data/templates/https/nginx.default.j2
@@ -1,60 +1,65 @@
### Autogenerated by service_https.py ###
-# Default server configuration
-{% for server in server_block_list %}
+{% if enable_http_redirect is vyos_defined %}
server {
- # SSL configuration
- #
-{% if server.address == '*' %}
- listen {{ server.port }} ssl;
- listen [::]:{{ server.port }} ssl;
-{% else %}
- listen {{ server.address | bracketize_ipv6 }}:{{ server.port }} ssl;
-{% endif %}
+ listen 80 default_server;
+ server_name {{ hostname }};
+ return 301 https://$host$request_uri;
+}
+{% endif %}
-{% for name in server.name %}
- server_name {{ name }};
+server {
+{% if listen_address is vyos_defined %}
+{% for address in listen_address %}
+ listen {{ address | bracketize_ipv6 }}:{{ port }} ssl;
{% endfor %}
+{% else %}
+ listen {{ port }} ssl;
+ listen [::]:{{ port }} ssl;
+{% endif %}
- root /srv/localui;
+ server_name {{ hostname }};
+ root /srv/localui;
-{% if server.vyos_cert %}
- ssl_certificate {{ server.vyos_cert.crt }};
- ssl_certificate_key {{ server.vyos_cert.key }};
-{% else %}
- #
- # Self signed certs generated by the ssl-cert package
- # Don't use them in a production server!
- #
- include snippets/snakeoil.conf;
+ # SSL configuration
+{% if certificates.cert_path is vyos_defined and certificates.key_path is vyos_defined %}
+ ssl_certificate {{ certificates.cert_path }};
+ ssl_certificate_key {{ certificates.key_path }};
+{% if certificates.dh_file is vyos_defined %}
+ ssl_dhparam {{ certificates.dh_file }};
{% endif %}
- ssl_session_cache shared:le_nginx_SSL:10m;
- ssl_session_timeout 1440m;
- ssl_session_tickets off;
+{% else %}
+ # Self signed certs generated by the ssl-cert package
+ # Don't use them in a production server!
+ include snippets/snakeoil.conf;
+{% endif %}
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+ # Improve HTTPS performance with session resumption
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_protocols {{ 'TLSv' ~ ' TLSv'.join(tls_version) }};
- # proxy settings for HTTP API, if enabled; 503, if not
- location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) {
-{% if server.api %}
- proxy_pass http://unix:/run/api.sock;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_read_timeout 600;
- proxy_buffering off;
-{% else %}
- return 503;
-{% endif %}
-{% if server.allow_client %}
-{% for client in server.allow_client %}
- allow {{ client }};
-{% endfor %}
- deny all;
-{% endif %}
- }
+ # From LetsEncrypt
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
- error_page 497 =301 https://$host:{{ server.port }}$request_uri;
+ # proxy settings for HTTP API, if enabled; 503, if not
+ location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) {
+{% if api is vyos_defined %}
+ proxy_pass http://unix:/run/api.sock;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 600;
+ proxy_buffering off;
+{% else %}
+ return 503;
+{% endif %}
+{% if allow_client.address is vyos_defined %}
+{% for address in allow_client.address %}
+ allow {{ address }};
+{% endfor %}
+ deny all;
+{% endif %}
+ }
+ error_page 497 =301 https://$host:{{ port }}$request_uri;
}
-
-{% endfor %}