25d423e6b6
The different configurations are now all lower case, for consistent naming. `matrix_nginx_proxy_ssl_config` is now called `matrix_nginx_proxy_ssl_preset`. The different options for "modern", "intermediate" and "old" are stored in the main.yml file, instead of being hardcoded in the configuration files. This will improve the maintainability of the code. The "custom" preset was removed. Now if one of the variables is set, it will use it instead of the preset. This will allow to mix and match more easily, for example using all the intermediate options but only supporting TLSv1.2. This will also provide better backward compatibility.
92 lines
3.1 KiB
Django/Jinja
92 lines
3.1 KiB
Django/Jinja
#jinja2: lstrip_blocks: "True"
|
|
|
|
{% macro render_vhost_directives() %}
|
|
gzip on;
|
|
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
add_header X-Content-Type-Options nosniff;
|
|
{% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %}
|
|
{{- configuration_block }}
|
|
{% endfor %}
|
|
|
|
location / {
|
|
{% if matrix_nginx_proxy_enabled %}
|
|
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
|
resolver 127.0.0.11 valid=5s;
|
|
set $backend "matrix-dimension:8184";
|
|
proxy_pass http://$backend;
|
|
{% else %}
|
|
{# Generic configuration for use outside of our container setup #}
|
|
proxy_pass http://127.0.0.1:8184;
|
|
{% endif %}
|
|
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
}
|
|
{% endmacro %}
|
|
|
|
server {
|
|
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
|
server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }};
|
|
|
|
server_tokens off;
|
|
root /dev/null;
|
|
|
|
{% if matrix_nginx_proxy_https_enabled %}
|
|
location /.well-known/acme-challenge {
|
|
{% if matrix_nginx_proxy_enabled %}
|
|
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
|
resolver 127.0.0.11 valid=5s;
|
|
set $backend "matrix-certbot:8080";
|
|
proxy_pass http://$backend;
|
|
{% else %}
|
|
{# Generic configuration for use outside of our container setup #}
|
|
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
|
{% endif %}
|
|
}
|
|
|
|
location / {
|
|
return 301 https://$http_host$request_uri;
|
|
}
|
|
{% else %}
|
|
{{ render_vhost_directives() }}
|
|
{% endif %}
|
|
}
|
|
|
|
{% if matrix_nginx_proxy_https_enabled %}
|
|
server {
|
|
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
|
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
|
|
|
server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }};
|
|
|
|
server_tokens off;
|
|
root /dev/null;
|
|
|
|
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem;
|
|
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem;
|
|
|
|
{% if matrix_nginx_proxy_ssl_protocols == "" %}
|
|
ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }};
|
|
{% else %}
|
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
|
{% endif %}
|
|
|
|
{% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %}
|
|
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }};
|
|
{% else %}
|
|
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
|
{% endif %}
|
|
|
|
{% if matrix_nginx_proxy_ssl_ciphers == "" %}
|
|
{% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %}
|
|
ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}";
|
|
{% endif %}
|
|
{% else %}
|
|
ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}";
|
|
{% endif %}
|
|
|
|
{{ render_vhost_directives() }}
|
|
}
|
|
{% endif %}
|