mirror of
https://github.com/luzifer-ansible/nginx-letsencrypt.git
synced 2024-09-19 14:42:55 +00:00
127 lines
4.5 KiB
Django/Jinja
127 lines
4.5 KiB
Django/Jinja
include /etc/nginx/modules-enabled/*.conf;
|
|
|
|
user {{ nginx_letsencrypt_config.user | default('www-data') }};
|
|
worker_processes {{ nginx_letsencrypt_config.worker_processes | default('auto') }};
|
|
pid {{ nginx_letsencrypt_config.pid_file | default('/run/nginx.pid') }};
|
|
|
|
events {
|
|
worker_connections {{ nginx_letsencrypt_config.worker_connections | default('768') }};
|
|
multi_accept {{ nginx_letsencrypt_config.multi_accept | default('off') }};
|
|
}
|
|
|
|
http {
|
|
|
|
##
|
|
# Basic Settings
|
|
##
|
|
|
|
resolver {{ nginx_letsencrypt_config.resolver | default('127.0.0.1 ipv6=off') }};
|
|
sendfile {{ nginx_letsencrypt_config.sendfile | default('on') }};
|
|
tcp_nopush {{ nginx_letsencrypt_config.tcp_nopush | default('on') }};
|
|
tcp_nodelay {{ nginx_letsencrypt_config.tcp_nodelay | default('on') }};
|
|
keepalive_timeout {{ nginx_letsencrypt_config.keepalive_timeout | default('65') }};
|
|
types_hash_max_size {{ nginx_letsencrypt_config.types_hash_max_size | default('2048') }};
|
|
server_tokens {{ nginx_letsencrypt_config.server_tokens | default('off') }};
|
|
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
##
|
|
# SSL Settings
|
|
##
|
|
|
|
ssl_protocols {{ nginx_letsencrypt_config.ssl_protocols | default('TLSv1.2') }};
|
|
ssl_ciphers {{ nginx_letsencrypt_config.ssl_ciphers | default('ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256') }};
|
|
ssl_prefer_server_ciphers {{ nginx_letsencrypt_config.ssl_prefer_server_ciphers | default('on') }};
|
|
ssl_buffer_size {{ nginx_letsencrypt_config.ssl_buffer_size | default('8k') }};
|
|
ssl_stapling {{ nginx_letsencrypt_config.ssl_stapling | default('on') }};
|
|
ssl_stapling_verify {{ nginx_letsencrypt_config.ssl_stapling_verify | default('on') }};
|
|
|
|
##
|
|
# Logging Settings
|
|
##
|
|
|
|
log_format combined_w_host '$remote_addr - $remote_user [$time_local] '
|
|
'"$request" $status $body_bytes_sent '
|
|
'"$http_referer" "$http_user_agent" "$http_host"';
|
|
|
|
access_log /var/log/nginx/access.log combined_w_host;
|
|
error_log /var/log/nginx/error.log;
|
|
|
|
##
|
|
# Gzip Settings
|
|
##
|
|
|
|
gzip {{ nginx_letsencrypt_config.gzip | default('on') }};
|
|
gzip_disable {{ nginx_letsencrypt_config.gzip_disable | default('"msie6"') }};
|
|
gzip_comp_level {{ nginx_letsencrypt_config.gzip_comp_level | default('1') }};
|
|
gzip_proxied {{ nginx_letsencrypt_config.gzip_proxied | default('off') }};
|
|
gzip_min_length {{ nginx_letsencrypt_config.gzip_min_length | default('20') }};
|
|
gzip_vary {{ nginx_letsencrypt_config.gzip_vary | default('off') }};
|
|
gzip_types {{ nginx_letsencrypt_config.gzip_types | default('text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript')}};
|
|
|
|
##
|
|
# Custom settings
|
|
##
|
|
|
|
{% if nginx_letsencrypt_config.http_lines is defined %}
|
|
{% for line in nginx_letsencrypt_config.http_lines %}
|
|
{{ line }}
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
##
|
|
# Plain HTTP forwarder / ACME challenge forwarder
|
|
##
|
|
|
|
server {
|
|
listen 80 default_server;
|
|
listen [::]:80 default_server;
|
|
|
|
# Forward acme challenges to nginx-letsencrypt daemon
|
|
location ~ /.well-known/acme-challenge {
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_pass http://127.0.0.1:{{ nginx_letsencrypt_port }};
|
|
}
|
|
|
|
location / {
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
}
|
|
|
|
###
|
|
# Custom servers
|
|
###
|
|
{% for server in nginx_letsencrypt_config.servers %}
|
|
|
|
server {
|
|
{% for listen in server.listen %}
|
|
listen {{ listen }};
|
|
{% endfor %}
|
|
server_name {{ server.server_names | default([server.server_name]) | join(' ') }};
|
|
{% if server.server_lines is defined %}
|
|
|
|
{% for line in server.server_lines %}
|
|
{{ line }}
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% for location in server.locations | default([]) %}
|
|
|
|
location {{ location.path }} {
|
|
{% for line in location.location_lines | default([]) %}
|
|
{{ line }}
|
|
{% endfor %}
|
|
{% if location.target is defined %}
|
|
|
|
return 301 {{ location.target }}{{ location.target_path | default('$request_uri') }};
|
|
{% endif %}
|
|
}
|
|
{% endfor %}
|
|
}
|
|
{% endfor %}
|
|
|
|
}
|
|
|
|
# vim: set ft=nginx:
|