standardize http/https ports in nginx config

2024-05-29 11:46:23 -04:00
parent a853df3cbc
commit 21d7cef56b
7 changed files with 197 additions and 144 deletions
--- a/nginx/https.conf
+++ b/nginx/https.conf
@@ -1,18 +1,16 @@
-map $http_upgrade $connection_upgrade {
-    default upgrade;
-    '' close;
-}
-
+# Internal Server
 server {
    access_log /var/log/nginx/nginx_https_access.log basic;
    error_log /var/log/nginx/nginx_https_error.log warn;

-    {%- for port in item.0.external.ports +%}
-    listen 127.0.0.1:{{ port }} ssl proxy_protocol;
-    {%- endfor +%}
+    # Listen for the default http internal ports
+    listen 127.0.0.1:{{ defaults.http.internal_http_port }} proxy_protocol;
+    listen 127.0.0.1:{{ defaults.http.internal_https_port }} ssl proxy_protocol;

-    listen 127.0.0.1:80 proxy_protocol;
-    listen 127.0.0.1:81 proxy_protocol;
+    # Listen for any extra ports specified by the user
+{% for port in item.external.extra_ports %}
+    listen 127.0.0.1:{{ port }} proxy_protocol ssl;
+{% endfor %}

    if ($scheme = "http") {
        return 301 https://$host:443$request_uri;
@@ -20,10 +18,17 @@ server {

    set_real_ip_from  127.0.0.1;

-    server_name {{ item.1 }};
+    server_name {{ item.external.domain }}{{ internal_tld }};

    location / {
-        proxy_pass {{ item.0.internal.protocol }}://{{ item.0.internal.ip }}:{{ item.0.internal.port }}$request_uri;
+{% for port in item.external.extra_ports %}
+        if ($server_port = "{{ port }}") {
+            proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ port }}$request_uri;
+        }
+{% endfor %}
+        if ($server_port = "{{ defaults.http.internal_https_port }}"){
+            proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ item.internal.port }}$request_uri;
+        }

        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
@@ -44,8 +49,8 @@ server {
        proxy_set_header Connection $connection_upgrade;
    }

-    ssl_certificate /etc/letsencrypt/live/{{ item.1 }}/fullchain.pem;   # managed by certbot on host machine
-    ssl_certificate_key /etc/letsencrypt/live/{{ item.1 }}/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ internal_tld }}/fullchain.pem;   # managed by certbot on host machine
+    ssl_certificate_key /etc/letsencrypt/live/{{ item.external.domain }}{{ internal_tld }}/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
@@ -58,8 +63,68 @@ server {
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
-    ssl_trusted_certificate /etc/letsencrypt/live/{{ item.1 }}/fullchain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ internal_tld }}/fullchain.pem;

    # replace with the IP address of your resolver
    resolver 127.0.0.1;
 }
+
+# External Server
+{% if item.external.expose %}
+server {
+    access_log /var/log/nginx/nginx_https_access.log basic;
+    error_log /var/log/nginx/nginx_https_error.log warn;
+
+    listen 127.0.0.1:{{ defaults.http.external_http_port }} proxy_protocol;
+    listen 127.0.0.1:{{ defaults.http.external_https_port }} ssl proxy_protocol;
+
+    if ($scheme = "http") {
+        return 301 https://$host:443$request_uri;
+    }
+
+    set_real_ip_from  127.0.0.1;
+
+    server_name {{ item.external.domain }}{{ expose_tld }};
+
+    location / {
+        proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ item.internal.port }}$request_uri;
+
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header X-Forwarded-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Accept-Encoding "";
+
+        proxy_set_header Host            $host;
+        proxy_set_header X-Real-IP       $proxy_protocol_addr;
+        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
+
+        client_body_buffer_size 512k;
+        proxy_read_timeout 86400s;
+        client_max_body_size 0;
+
+        # Websocket
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+    }
+
+    ssl_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ expose_tld }}/fullchain.pem;   # managed by certbot on host machine
+    ssl_certificate_key /etc/letsencrypt/live/{{ item.external.domain }}{{ expose_tld }}/privkey.pem;
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+    ssl_session_tickets off;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+    ssl_prefer_server_ciphers on;
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ expose_tld }}/fullchain.pem;
+
+    # replace with the IP address of your resolver
+    resolver 127.0.0.1;
+}
+{%- endif %}