services/homelab
1
1
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity

external and internal http/https ports working

Browse Source
This commit is contained in:
Reese Wells
2024-05-29 12:48:18 -04:00
parent 21d7cef56b
commit 861617d387
4 changed files with 70 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
nginx/https.conf
View File

@@ -3,13 +3,27 @@ server {
access_log /var/log/nginx/nginx_https_access.log basic;
error_log /var/log/nginx/nginx_https_error.log warn;
http2 on;
gzip on;
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
gzip_disable "MSIE [1-6]\.";
# Listen for the default http internal ports
listen 127.0.0.1:{{ defaults.http.internal_http_port }} proxy_protocol;
listen 127.0.0.1:{{ defaults.http.internal_https_port }} ssl proxy_protocol;
# Listen for any extra ports specified by the user
{% for port in item.external.extra_ports %}
listen 127.0.0.1:{{ port }} proxy_protocol ssl;
# Listen for any extra http ports specified by the user
{% for port in item.external.extra_http_ports %}
listen 127.0.0.1:{{ port }} proxy_protocol;
{% endfor %}
# Listen for any extra https ports specified by the user
{% for port in item.external.extra_https_ports %}
listen 127.0.0.1:{{ port }} ssl proxy_protocol;
{% endfor %}
if ($scheme = "http") {
@@ -21,7 +35,12 @@ server {
server_name {{ item.external.domain }}{{ internal_tld }};
location / {
{% for port in item.external.extra_ports %}
{% for port in item.external.extra_http_ports %}
if ($server_port = "{{ port }}") {
proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ port }}$request_uri;
}
{% endfor %}
{% for port in item.external.extra_https_ports %}
if ($server_port = "{{ port }}") {
proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ port }}$request_uri;
}
@@ -57,7 +76,7 @@ server {
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
# OCSP stapling
@@ -75,6 +94,15 @@ server {
access_log /var/log/nginx/nginx_https_access.log basic;
error_log /var/log/nginx/nginx_https_error.log warn;
http2 on;
gzip on;
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
gzip_disable "MSIE [1-6]\.";
listen 127.0.0.1:{{ defaults.http.external_http_port }} proxy_protocol;
listen 127.0.0.1:{{ defaults.http.external_https_port }} ssl proxy_protocol;
@@ -116,7 +144,7 @@ server {
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
# OCSP stapling