Diffstat (limited to 'data/templates/https/nginx.default.j2')
-rw-r--r-- | data/templates/https/nginx.default.j2 | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2
new file mode 100644
index 000000000..70e62ae7a
--- /dev/null
+++ b/data/templates/https/nginx.default.j2
@@ -0,0 +1,56 @@
+### Autogenerated by https.py ###
+# Default server configuration
+
+{% for server in server_block_list %}
+server {
+ # SSL configuration
+ #
+{% if server.address == '*' %}
+ listen {{ server.port }} ssl;
+ listen [::]:{{ server.port }} ssl;
+{% else %}
+ listen {{ server.address | bracketize_ipv6 }}:{{ server.port }} ssl;
+{% endif %}
+
+{% for name in server.name %}
+ server_name {{ name }};
+{% endfor %}
+
+{% if server.certbot %}
+ ssl_certificate {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/fullchain.pem;
+ ssl_certificate_key {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/privkey.pem;
+ include {{ server.certbot_dir }}/options-ssl-nginx.conf;
+ ssl_dhparam {{ server.certbot_dir }}/ssl-dhparams.pem;
+{% elif server.vyos_cert %}
+ ssl_certificate {{ server.vyos_cert.crt }};
+ ssl_certificate_key {{ server.vyos_cert.key }};
+{% else %}
+ #
+ # Self signed certs generated by the ssl-cert package
+ # Don't use them in a production server!
+ #
+ include snippets/snakeoil.conf;
+{% endif %}
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # proxy settings for HTTP API, if enabled; 503, if not
+ location ~ /(retrieve|configure|config-file|image|generate|show|docs|openapi.json|redoc|graphql) {
+{% if server.api %}
+{% if server.api.socket %}
+ proxy_pass http://unix:/run/api.sock;
+{% else %}
+ proxy_pass http://localhost:{{ server.api.port }};
+{% endif %}
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 600;
+ proxy_buffering off;
+{% else %}
+ return 503;
+{% endif %}
+ }
+
+ error_page 497 =301 https://$host:{{ server.port }}$request_uri;
+}
+
+{% endfor %} |
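Review bot: The API `location` regex is unanchored, so any request path that merely contains one of the listed words after a slash (for example a path ending in `/showcase`) is proxied to the API backend, and the `.` in `openapi.json` matches any character. Anchoring the pattern keeps the proxied surface to the intended endpoints: `location ~ ^/(retrieve|configure|config-file|image|generate|show|docs|openapi\.json|redoc|graphql)(/|$) {` — drop the trailing `(/|$)` if the backend serves routes that extend these prefixes without a slash, which this page does not show. Separately, the `error_page 497` redirect builds its target from `$host`, which is taken from the client's Host header when one is sent; if the rendered `server_name` values are authoritative, `$server_name` would avoid reflecting a client-chosen host into the `Location` header. A short comment above the `location` block listing which API routes it is meant to cover would also help keep the list in sync with the backend.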