25d423e6b6
The different configurations are now all lower case, for consistent naming. `matrix_nginx_proxy_ssl_config` is now called `matrix_nginx_proxy_ssl_preset`. The different options for "modern", "intermediate" and "old" are stored in the main.yml file, instead of being hardcoded in the configuration files. This will improve the maintainability of the code. The "custom" preset was removed. Now, if one of the variables is set explicitly, it is used instead of the preset's value. This makes it easier to mix and match, for example using all the intermediate options but only supporting TLSv1.2. This also provides better backward compatibility.
78 lines
2.6 KiB
Django/Jinja
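#jinja2: lstrip_blocks: "True"
{#
  nginx vhost for the legacy Riot hostname. Every request ends up redirected
  (301) to the Element hostname. When HTTPS is enabled, the plain-HTTP server
  only serves the ACME challenge and bounces everything else to HTTPS; the
  redirect to the Element hostname then happens in the TLS server below.
  TLS parameters: an explicitly set matrix_nginx_proxy_ssl_* variable wins,
  otherwise the value is taken from the selected matrix_nginx_proxy_ssl_preset.
#}

{% macro render_vhost_directives() %}
	{# Operator-supplied directives, rendered verbatim before the redirect #}
	{% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %}
		{{- configuration_block }}
	{% endfor %}

	location / {
		return 301 https://{{ matrix_nginx_proxy_proxy_element_hostname }}$request_uri;
	}
{% endmacro %}

server {
	{# 8080 when nginx runs inside the matrix-nginx-proxy container (port mapped by Docker), 80 when it is the host's nginx #}
	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};

	server_name {{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }};

	server_tokens off;
	root /dev/null;

	{% if matrix_nginx_proxy_https_enabled %}
		location /.well-known/acme-challenge {
			{% if matrix_nginx_proxy_enabled %}
				{# Use the embedded DNS resolver in Docker containers to discover the service #}
				resolver 127.0.0.11 valid=5s;
				set $backend "matrix-certbot:8080";
				proxy_pass http://$backend;
			{% else %}
				{# Generic configuration for use outside of our container setup #}
				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
			{% endif %}
		}

		location / {
			{# Redirect to the configured hostname instead of echoing the client-supplied Host header:
			   a request that reaches this block as the default vhost is then not bounced to an
			   arbitrary host, and a Host header carrying the plain-HTTP port (e.g. host:8080)
			   does not leak into the HTTPS URL. For requests matching server_name the result is unchanged. #}
			return 301 https://{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}$request_uri;
		}
	{% else %}
		{{ render_vhost_directives() }}
	{% endif %}
}

{% if matrix_nginx_proxy_https_enabled %}
server {
	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;

	server_name {{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }};

	server_tokens off;
	root /dev/null;

	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem;
	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem;

	{# Protocols: explicit override, else the preset's list #}
	{% if matrix_nginx_proxy_ssl_protocols == "" %}
		ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }};
	{% else %}
		ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
	{% endif %}

	{# Cipher-order preference: explicit override, else the preset's value #}
	{% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %}
		ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }};
	{% else %}
		ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
	{% endif %}

	{# Cipher list: explicit override, else the preset's list. The "modern" preset deliberately emits
	   no ssl_ciphers directive (NOTE(review): presumably because it is TLSv1.3-only, whose suites nginx
	   does not select via ssl_ciphers - confirm against the preset definitions in main.yml). #}
	{% if matrix_nginx_proxy_ssl_ciphers == "" %}
		{% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %}
			ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}";
		{% endif %}
	{% else %}
		ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}";
	{% endif %}

	{{ render_vhost_directives() }}
}
{% endif %}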