server { listen {{ item.domain }}:443 ssl http2 fastopen=4096 reuseport; server_name {{ item.domain }}; access_log /var/log/nginx/{{ item.domain }}.access.log main buffer=32k; error_log /var/log/nginx/{{ item.domain }}.error.log error; ssl on; include /etc/nginx/ssl_params; {% if nginx.ssl == "modern" %} include /etc/nginx/ssl_ciphers_modern; {% elif nginx.ssl == "tls13" %} include /etc/nginx/ssl_ciphers_tls13; {% else %} # Default, just use commonly accepted options: include /etc/nginx/ssl_ciphers_intermediate; {% endif %} ssl_certificate /etc/ssl/{{ item.domain }}-cert-combined.rsa2048.pem; ssl_certificate_key /etc/ssl/private/{{ item.domain }}-key.rsa2048.pem; # nginx >= 1.11.0 (2016-05-24) allows loading redundant certs and keys so you # can serve modern EC clients and less modern RSA clients at the same time. ssl_certificate /etc/ssl/{{ item.domain }}-cert-combined.prime256v1.pem; ssl_certificate_key /etc/ssl/private/{{ item.domain }}-key.prime256v1.pem; root /srv/web/{{ item.domain }}; {% if nginx.google is defined %} location /{{ nginx.google.siteKey }}.html { root {{ nginx.google.siteKeyServeDir }}}; } {% endif %} {% if item.customConfig is defined %} {{ item.customConfig }} {% endif %} {% for location in item.uri %} location {{ location.path }} { {% if location.appServer is defined %} proxy_pass {{ location.appServer }}/$request_uri; proxy_set_header Host $host; {% else %} root /srv/web/{{ item.domain }}; {% endif %} } {% endfor %} } server { listen {{ item.domain }} fastopen=4096 reuseport; server_name www.{{ item.domain }} {{ item.domain }}; access_log /var/log/nginx/{{ item.domain }}.access.log main buffer=32k; error_log /var/log/nginx/{{ item.domain }}.error.log error; location /.well-known/acme-challenge/ { alias /srv/web/challenges/; try_files $uri =404; } location / { return 301 https://{{ item.domain }}$request_uri; } }