services/homelab
1
1
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
642c0011ffe27ea9845a0e4c6b71a43932ba33c8
homelab/nginx/https.conf

159 lines
5.5 KiB
Plaintext
Raw Blame History

# Internal Server
server {
access_log /var/log/nginx/nginx_https_access.log basic;
error_log /var/log/nginx/nginx_https_error.log warn;
http2 on;
gzip on;
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
gzip_disable "MSIE [1-6]\.";
# Listen for the default http internal ports
listen 127.0.0.1:{{ defaults.http.internal_http_port }} proxy_protocol;
listen 127.0.0.1:{{ defaults.http.internal_https_port }} ssl proxy_protocol;
# Listen for any extra http ports specified by the user
{% for port in item.external.extra_http_ports %}
listen 127.0.0.1:{{ port }} proxy_protocol;
{% endfor %}
# Listen for any extra https ports specified by the user
{% for port in item.external.extra_https_ports %}
listen 127.0.0.1:{{ port }} ssl proxy_protocol;
{% endfor %}
if ($scheme = "http") {
return 301 https://$host:443$request_uri;
}
set_real_ip_from 127.0.0.1;
server_name {{ item.external.domain }}{{ internal_tld }};
location / {
{% for port in item.external.extra_http_ports %}
if ($server_port = "{{ port }}") {
proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ port }}$request_uri;
}
{% endfor %}
{% for port in item.external.extra_https_ports %}
if ($server_port = "{{ port }}") {
proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ port }}$request_uri;
}
{% endfor %}
if ($server_port = "{{ defaults.http.internal_https_port }}"){
proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ item.internal.port }}$request_uri;
}
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
client_body_buffer_size 512k;
proxy_read_timeout 86400s;
client_max_body_size 0;
# Websocket
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
ssl_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ internal_tld }}/fullchain.pem; # managed by certbot on host machine
ssl_certificate_key /etc/letsencrypt/live/{{ item.external.domain }}{{ internal_tld }}/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ internal_tld }}/fullchain.pem;
# replace with the IP address of your resolver
resolver 127.0.0.1;
}
# External Server
{% if item.external.expose %}
server {
access_log /var/log/nginx/nginx_https_access.log basic;
error_log /var/log/nginx/nginx_https_error.log warn;
http2 on;
gzip on;
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
gzip_disable "MSIE [1-6]\.";
listen 127.0.0.1:{{ defaults.http.external_http_port }} proxy_protocol;
listen 127.0.0.1:{{ defaults.http.external_https_port }} ssl proxy_protocol;
if ($scheme = "http") {
return 301 https://$host:443$request_uri;
}
set_real_ip_from 127.0.0.1;
server_name {{ item.external.domain }}{{ expose_tld }};
location / {
proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ item.internal.port }}$request_uri;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
client_body_buffer_size 512k;
proxy_read_timeout 86400s;
client_max_body_size 0;
# Websocket
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
ssl_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ expose_tld }}/fullchain.pem; # managed by certbot on host machine
ssl_certificate_key /etc/letsencrypt/live/{{ item.external.domain }}{{ expose_tld }}/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ expose_tld }}/fullchain.pem;
# replace with the IP address of your resolver
resolver 127.0.0.1;
}
{%- endif %}
Reference in New Issue View Git Blame Copy Permalink