# Internal Server server { access_log /var/log/nginx/nginx_https_access.log basic; error_log /var/log/nginx/nginx_https_error.log warn; http2 on; gzip on; gzip_vary on; gzip_min_length 10240; gzip_proxied expired no-cache no-store private auth; gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml; gzip_disable "MSIE [1-6]\."; # Listen for the default http internal ports listen 127.0.0.1:{{ defaults.http.internal_http_port }} proxy_protocol; listen 127.0.0.1:{{ defaults.http.internal_https_port }} ssl proxy_protocol; # Listen for any extra http ports specified by the user {% for port in item.external.extra_http_ports %} listen 127.0.0.1:{{ port }} proxy_protocol; {% endfor %} # Listen for any extra https ports specified by the user {% for port in item.external.extra_https_ports %} listen 127.0.0.1:{{ port }} ssl proxy_protocol; {% endfor %} if ($scheme = "http") { return 301 https://$host:443$request_uri; } set_real_ip_from 127.0.0.1; server_name {{ item.external.domain }}{{ internal_tld }}; location / { {% for port in item.external.extra_http_ports %} if ($server_port = "{{ port }}") { proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ port }}$request_uri; } {% endfor %} {% for port in item.external.extra_https_ports %} if ($server_port = "{{ port }}") { proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ port }}$request_uri; } {% endfor %} if ($server_port = "{{ defaults.http.internal_https_port }}"){ proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ item.internal.port }}$request_uri; } proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Scheme $scheme; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Accept-Encoding ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $proxy_protocol_addr; proxy_set_header X-Forwarded-For $proxy_protocol_addr; client_body_buffer_size 512k; proxy_read_timeout 86400s; client_max_body_size 0; # Websocket proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } ssl_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ internal_tld }}/fullchain.pem; # managed by certbot on host machine ssl_certificate_key /etc/letsencrypt/live/{{ item.external.domain }}{{ internal_tld }}/privkey.pem; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; # OCSP stapling ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ internal_tld }}/fullchain.pem; # replace with the IP address of your resolver resolver 127.0.0.1; } # External Server {% if item.external.expose %} server { access_log /var/log/nginx/nginx_https_access.log basic; error_log /var/log/nginx/nginx_https_error.log warn; http2 on; gzip on; gzip_vary on; gzip_min_length 10240; gzip_proxied expired no-cache no-store private auth; gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml; gzip_disable "MSIE [1-6]\."; listen 127.0.0.1:{{ defaults.http.external_http_port }} proxy_protocol; listen 127.0.0.1:{{ defaults.http.external_https_port }} ssl proxy_protocol; if ($scheme = "http") { return 301 https://$host:443$request_uri; } set_real_ip_from 127.0.0.1; server_name {{ item.external.domain }}{{ expose_tld }}; location / { proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ item.internal.port }}$request_uri; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Scheme $scheme; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Accept-Encoding ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $proxy_protocol_addr; proxy_set_header X-Forwarded-For $proxy_protocol_addr; client_body_buffer_size 512k; proxy_read_timeout 86400s; client_max_body_size 0; # Websocket proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } ssl_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ expose_tld }}/fullchain.pem; # managed by certbot on host machine ssl_certificate_key /etc/letsencrypt/live/{{ item.external.domain }}{{ expose_tld }}/privkey.pem; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; # OCSP stapling ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ expose_tld }}/fullchain.pem; # replace with the IP address of your resolver resolver 127.0.0.1; } {%- endif %}