ipv6 working
This commit is contained in:
108
nginx/https.conf
108
nginx/https.conf
@@ -1,4 +1,3 @@
|
||||
# Internal Server
|
||||
server {
|
||||
access_log /var/log/nginx/nginx_https_access.log basic;
|
||||
error_log /var/log/nginx/nginx_https_error.log warn;
|
||||
@@ -12,109 +11,29 @@ server {
|
||||
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
|
||||
gzip_disable "MSIE [1-6]\.";
|
||||
|
||||
# Listen for the default http internal ports
|
||||
listen 127.0.0.1:{{ defaults.http.internal_http_port }} proxy_protocol;
|
||||
listen 127.0.0.1:{{ defaults.http.internal_https_port }} ssl proxy_protocol;
|
||||
|
||||
# Listen for any extra http ports specified by the user
|
||||
{% for port in item.external.extra_http_ports %}
|
||||
listen 127.0.0.1:{{ port }} proxy_protocol;
|
||||
{% endfor %}
|
||||
|
||||
# Listen for any extra https ports specified by the user
|
||||
{% for port in item.external.extra_https_ports %}
|
||||
listen 127.0.0.1:{{ port }} ssl proxy_protocol;
|
||||
{% endfor %}
|
||||
listen unix:/var/lib/nginx/tmp/nginx_http.sock proxy_protocol;
|
||||
listen unix:/var/lib/nginx/tmp/nginx_https.sock ssl proxy_protocol;
|
||||
|
||||
if ($scheme = "http") {
|
||||
return 301 https://$host:443$request_uri;
|
||||
}
|
||||
|
||||
set_real_ip_from 127.0.0.1;
|
||||
set_real_ip_from unix:;
|
||||
set_real_ip_from {{ internal_ipv4 }};
|
||||
set_real_ip_from {{ internal_ipv6 }};
|
||||
real_ip_header X-Real-IP;
|
||||
real_ip_recursive on;
|
||||
|
||||
server_name {{ item.external.domain }}{{ internal_tld }};
|
||||
|
||||
location / {
|
||||
{% for port in item.external.extra_http_ports %}
|
||||
if ($server_port = "{{ port }}") {
|
||||
proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ port }}$request_uri;
|
||||
}
|
||||
{% endfor %}
|
||||
{% for port in item.external.extra_https_ports %}
|
||||
if ($server_port = "{{ port }}") {
|
||||
proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ port }}$request_uri;
|
||||
}
|
||||
{% endfor %}
|
||||
if ($server_port = "{{ defaults.http.internal_https_port }}"){
|
||||
proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ item.internal.port }}$request_uri;
|
||||
}
|
||||
|
||||
proxy_set_header X-Forwarded-Port $server_port;
|
||||
proxy_set_header X-Forwarded-Scheme $scheme;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Accept-Encoding "";
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $proxy_protocol_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
|
||||
|
||||
client_body_buffer_size 512k;
|
||||
proxy_read_timeout 86400s;
|
||||
client_max_body_size 0;
|
||||
|
||||
# Websocket
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
}
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ internal_tld }}/fullchain.pem; # managed by certbot on host machine
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ item.external.domain }}{{ internal_tld }}/privkey.pem;
|
||||
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||
ssl_session_tickets off;
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
# OCSP stapling
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ internal_tld }}/fullchain.pem;
|
||||
|
||||
# replace with the IP address of your resolver
|
||||
resolver 127.0.0.1;
|
||||
}
|
||||
|
||||
# External Server
|
||||
{% if item.external.expose %}
|
||||
server {
|
||||
access_log /var/log/nginx/nginx_https_access.log basic;
|
||||
error_log /var/log/nginx/nginx_https_error.log warn;
|
||||
|
||||
http2 on;
|
||||
|
||||
gzip on;
|
||||
gzip_vary on;
|
||||
gzip_min_length 10240;
|
||||
gzip_proxied expired no-cache no-store private auth;
|
||||
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
|
||||
gzip_disable "MSIE [1-6]\.";
|
||||
|
||||
listen 127.0.0.1:{{ defaults.http.external_http_port }} proxy_protocol;
|
||||
listen 127.0.0.1:{{ defaults.http.external_https_port }} ssl proxy_protocol;
|
||||
|
||||
if ($scheme = "http") {
|
||||
return 301 https://$host:443$request_uri;
|
||||
}
|
||||
|
||||
set_real_ip_from 127.0.0.1;
|
||||
|
||||
server_name {{ item.external.domain }}{{ expose_tld }};
|
||||
|
||||
location / {
|
||||
|
||||
{% if item.external.protect %}
|
||||
auth_basic "Restricted";
|
||||
auth_basic_user_file /etc/nginx/.htpasswd;
|
||||
{% endif %}
|
||||
|
||||
proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ item.internal.port }}$request_uri;
|
||||
|
||||
proxy_set_header X-Forwarded-Port $server_port;
|
||||
@@ -155,4 +74,3 @@ server {
|
||||
# replace with the IP address of your resolver
|
||||
resolver 127.0.0.1;
|
||||
}
|
||||
{%- endif %}
|
||||
|
||||
Reference in New Issue
Block a user