services/homelab
1
1
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1f4769fdbe1fc94bf55c57f90dbf8779ec653706
homelab/nginx/nginx.conf
ducoterra 1f4769fdbe ipv6 working
2024-06-09 18:35:56 -04:00

125 lines
3.7 KiB
Nginx Configuration File
Raw Blame History

{%- set unique_ports = [] %}
{%- for item in http %}
{#- Gather http ports #}
{%- for port in item.external.extra_http_ports %}
{%- if port not in unique_ports %}
{{- unique_ports.append(port) }}
{%- endif %}
{%- endfor %}
{#- Gather https ports #}
{%- for port in item.external.extra_https_ports %}
{%- if port not in unique_ports %}
{{- unique_ports.append(port) }}
{%- endif %}
{%- endfor %}
{%- endfor %}
load_module /usr/lib64/nginx/modules/ngx_stream_module.so;
worker_processes auto;
events {
worker_connections 1024;
}
stream {
log_format basic '| Remote Addr: $remote_addr:$server_port | SSL Preread: $ssl_preread_server_name | Forward: $map_forward_ip$upstream_port | Upstream Addr: $upstream_addr | $time_local | $protocol | $status | $bytes_sent | $bytes_received | $session_time |';
# Map all SSL parsed server names to hosts
map $ssl_preread_server_name $map_forward_ip {
# Empty ssl preread gets forwarded to internal http server
"" "unix:/var/lib/nginx/tmp/nginx_http.sock";
# These domains will get forwarded to the internal https server
{% for item in http %}
{{ item.external.domain }}{{ expose_tld }} unix:/var/lib/nginx/tmp/nginx_https.sock;
{% endfor %}
# By default forward to our internal nginx server (probably kubernetes)
default {{ defaults.forward_ip }};
}
# Since traffic being forwarded to the unix socket doesn't need a port we'll create
# a map here to enforce that case.
map $map_forward_ip $upstream_port {
{{ defaults.forward_ip }} ":443";
"unix:/var/lib/nginx/tmp/nginx_http.sock" "";
"unix:/var/lib/nginx/tmp/nginx_https.sock" "";
default ":$server_port";
}
server {
access_log /var/log/nginx/nginx_stream_access.log basic;
error_log /var/log/nginx/nginx_stream_error.log warn;
proxy_protocol on;
# The default http ports
{% for port in defaults.listen_ports %}
listen {{ port }};
listen [::]:{{ port }};
{% endfor %}
# Any unique ports listed in the extra_ports field
{% for port in unique_ports %}
listen {{ port }};
listen [::]:{{ port }};
{% endfor %}
proxy_pass $map_forward_ip$upstream_port;
ssl_preread on;
proxy_socket_keepalive on;
}
include /etc/nginx/stream.d/*.conf;
}
http {
log_format basic '| Proxy Proto Addr: $proxy_protocol_addr | Remote Addr: $remote_addr:$server_port | Host: $host | Forward: $map_forward_ip$server_port | Referer: $http_referer | $request | $time_local | $status |';
map $host $map_forward_ip {
"" "unix:/var/lib/nginx/tmp/nginx_http.sock";
# We don't want to forward traffic we're terminating
# Rather we'll catch it here and redirect to 443.
{% for item in http %}
{{ item.external.domain }}{{ expose_tld }} "unix:/var/lib/nginx/tmp/nginx_https.sock";
{% endfor %}
default {{ defaults.forward_ip }};
}
# Handle internal http requests through unix:/var/lib/nginx/tmp/nginx_http.sock
server {
access_log /var/log/nginx/nginx_http_access.log basic;
error_log /var/log/nginx/nginx_http_error.log warn;
listen unix:/var/lib/nginx/tmp/nginx_http.sock default_server proxy_protocol;
location / {
# If we have an external forward IP, forward traffic
if ($map_forward_ip != "unix:/var/lib/nginx/tmp/nginx_http.sock") {
proxy_pass $map_forward_ip:80;
}
# Else redirect if the scheme is http
if ($scheme = "http") {
return 301 https://$host:443$request_uri;
}
}
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
include /etc/nginx/http.d/*.conf;
}
Reference in New Issue View Git Blame Copy Permalink