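# TLS virtual host for one entry of the site list. Serves static files from
# the per-domain web root and proxies every URI that defines an appServer.
server {
  listen       {{ item.domain }}:443 ssl http2 fastopen=4096 reuseport;
  server_name  {{ item.domain }};

  access_log  /var/log/nginx/{{ item.domain }}.access.log main buffer=32k;
  error_log   /var/log/nginx/{{ item.domain }}.error.log error;

  # TLS is switched on by the "ssl" parameter of the listen directive above.
  # The separate "ssl on;" directive duplicated it; nginx deprecated that
  # directive in 1.15.0 and removed it in 1.25.1, so it is no longer emitted.

  # Shared TLS settings; the contents of this file are not part of this template.
  include /etc/nginx/ssl_params;

  # nginx.ssl selects the cipher policy. Any value other than "modern" or
  # "tls13" (including a typo) silently falls back to the intermediate set.
{% if nginx.ssl == "modern" %}
  include /etc/nginx/ssl_ciphers_modern;
{% elif nginx.ssl == "tls13" %}
  include /etc/nginx/ssl_ciphers_tls13;
{% else %}
  # Default, just use commonly accepted options:
  include /etc/nginx/ssl_ciphers_intermediate;
{% endif %}

  # NOTE(review): ownership and mode of the key files under /etc/ssl/private
  # are set outside this template; confirm they are not world-readable.
  ssl_certificate     /etc/ssl/{{ item.domain }}-cert-combined.rsa2048.pem;
  ssl_certificate_key /etc/ssl/private/{{ item.domain }}-key.rsa2048.pem;

  # nginx >= 1.11.0 (2016-05-24) allows loading redundant certs and keys so you
  # can serve modern EC clients and less modern RSA clients at the same time.
  ssl_certificate     /etc/ssl/{{ item.domain }}-cert-combined.prime256v1.pem;
  ssl_certificate_key /etc/ssl/private/{{ item.domain }}-key.prime256v1.pem;

  root   /srv/web/{{ item.domain }};

{% if nginx.google is defined %}
  # Site-verification file, served from its own directory. The root line used
  # to carry a stray "}" after the template expression, which rendered an extra
  # literal brace right after the directory path.
  location /{{ nginx.google.siteKey }}.html {
    root {{ nginx.google.siteKeyServeDir }};
  }
{% endif %}

{% if item.customConfig is defined %}
  # item.customConfig is rendered verbatim into this server block, so it can
  # add or override any directive. Accept it from trusted inventory only.
{{ item.customConfig }}
{% endif %}

{% for location in item.uri %}
  location {{ location.path }} {
{% if location.appServer is defined %}
    # $request_uri already starts with "/", so nothing is inserted between
    # appServer and it; the previous "/$request_uri" form sent "//path" to the
    # backend, which the proxy and the application may normalise differently.
    # NOTE(review): assumes appServer has no trailing slash - confirm in inventory.
    # NOTE(review): proxy_pass contains a variable, so a hostname in appServer
    # that is not a defined upstream group needs a "resolver" directive.
    proxy_pass {{ location.appServer }}$request_uri;
    # Only Host is forwarded; the backend does not learn the client address or
    # the original scheme unless X-Forwarded-* headers are set elsewhere.
    proxy_set_header Host $host;
{% else %}
    root /srv/web/{{ item.domain }};
{% endif %}
  }
{% endfor %}
}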

# Plain-HTTP virtual host: answers ACME HTTP-01 challenge requests from disk
# and sends every other request to the HTTPS site.
server {
  server_name  www.{{ item.domain }} {{ item.domain }};
  # No port is given, so nginx's default HTTP port applies.
  listen       {{ item.domain }} fastopen=4096 reuseport;

  error_log   /var/log/nginx/{{ item.domain }}.error.log error;
  access_log  /var/log/nginx/{{ item.domain }}.access.log main buffer=32k;

  # Everything outside the challenge path gets a permanent redirect to the
  # bare domain over HTTPS, keeping the original path and query string.
  location / {
    return 301 https://{{ item.domain }}$request_uri;
  }

  # Challenge tokens live in one shared directory; anything that is not an
  # existing file there is answered with 404.
  location /.well-known/acme-challenge/ {
    try_files $uri =404;
    alias /srv/web/challenges/;
  }
}