thib8956/nginx-proxy
1
0
Fork 0
mirror of https://github.com/thib8956/nginx-proxy synced 2025-02-24 09:48:14 +00:00
Code Issues Releases Wiki Activity

chore: Wrap long comments

Browse Source
This commit is contained in:
Richard Hansen 2023-01-09 17:21:35 -05:00
parent 0da38122bd
commit 1b253cd908
1 changed files with 54 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
nginx.tmpl
View File

@ -11,9 +11,15 @@
{{- define "ssl_policy" }} {{- define "ssl_policy" }}
{{- if eq .ssl_policy "Mozilla-Modern" }} {{- if eq .ssl_policy "Mozilla-Modern" }}
ssl_protocols TLSv1.3; ssl_protocols TLSv1.3;
{{- /* nginx currently lacks ability to choose ciphers in TLS 1.3 in configuration, see https://trac.nginx.org/nginx/ticket/1529 */}} {{- /*
{{- /* a possible workaround can be modify /etc/ssl/openssl.cnf to change it globally (see https://trac.nginx.org/nginx/ticket/1529#comment:12 ) */}} * nginx currently lacks ability to choose ciphers in TLS 1.3 in
{{- /* explicitly set ngnix default value in order to allow single servers to override the global http value */}} * configuration; see https://trac.nginx.org/nginx/ticket/1529. A
* possible workaround can be modify /etc/ssl/openssl.cnf to change
* it globally (see
* https://trac.nginx.org/nginx/ticket/1529#comment:12). Explicitly
* set ngnix default value in order to allow single servers to
* override the global http value.
*/}}
ssl_ciphers HIGH:!aNULL:!MD5; ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
{{- else if eq .ssl_policy "Mozilla-Intermediate" }} {{- else if eq .ssl_policy "Mozilla-Intermediate" }}
@ -110,12 +116,19 @@ upstream {{ .Upstream }} {
{{- if (and (ne $containerNetwork.Name "ingress") (or (eq $knownNetwork.Name $containerNetwork.Name) (eq $knownNetwork.Name "host"))) }} {{- if (and (ne $containerNetwork.Name "ingress") (or (eq $knownNetwork.Name $containerNetwork.Name) (eq $knownNetwork.Name "host"))) }}
## Can be connected with "{{ $containerNetwork.Name }}" network ## Can be connected with "{{ $containerNetwork.Name }}" network
{{- if $address }} {{- if $address }}
{{- /* If we got the containers from swarm and this container's port is published to host, use host IP:PORT */}} {{- /*
* If we got the containers from swarm and this
* container's port is published to host, use host
* IP:PORT.
*/}}
{{- if and $container.Node.ID $address.HostPort }} {{- if and $container.Node.ID $address.HostPort }}
{{- $server_found = true }} {{- $server_found = true }}
# {{ $container.Node.Name }}/{{ $container.Name }} # {{ $container.Node.Name }}/{{ $container.Name }}
server {{ $container.Node.Address.IP }}:{{ $address.HostPort }}; server {{ $container.Node.Address.IP }}:{{ $address.HostPort }};
{{- /* If there is no swarm node or the port is not published on host, use container's IP:PORT */}} {{- /*
* If there is no swarm node or the port is not
* published on host, use container's IP:PORT.
*/}}
{{- else if $containerNetwork }} {{- else if $containerNetwork }}
{{- $server_found = true }} {{- $server_found = true }}
# {{ $container.Name }} # {{ $container.Name }}
@ -197,7 +210,10 @@ log_format vhost '$host $remote_addr - $remote_user [$time_local] '
access_log off; access_log off;
{{- /* Get the SSL_POLICY defined by this container, falling back to "Mozilla-Intermediate" */}} {{- /*
* Get the SSL_POLICY defined by this container, falling back to
* "Mozilla-Intermediate".
*/}}
{{- $ssl_policy := or ($.Env.SSL_POLICY) "Mozilla-Intermediate" }} {{- $ssl_policy := or ($.Env.SSL_POLICY) "Mozilla-Intermediate" }}
{{- template "ssl_policy" (dict "ssl_policy" $ssl_policy) }} {{- template "ssl_policy" (dict "ssl_policy" $ssl_policy) }}
error_log /dev/stderr; error_log /dev/stderr;
@ -278,17 +294,29 @@ server {
{{- $default_host := or ($.Env.DEFAULT_HOST) "" }} {{- $default_host := or ($.Env.DEFAULT_HOST) "" }}
{{- $default_server := index (dict $host "" $default_host "default_server") $host }} {{- $default_server := index (dict $host "" $default_host "default_server") $host }}
{{- /* Get the SERVER_TOKENS defined by containers w/ the same vhost, falling back to "" */}} {{- /*
* Get the SERVER_TOKENS defined by containers w/ the same vhost,
* falling back to "".
*/}}
{{- $server_tokens := trim (or (first (groupByKeys $containers "Env.SERVER_TOKENS")) "") }} {{- $server_tokens := trim (or (first (groupByKeys $containers "Env.SERVER_TOKENS")) "") }}
{{- /* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}} {{- /*
* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling
* back to "redirect".
*/}}
{{- $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) (or $.Env.HTTPS_METHOD "redirect") }} {{- $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) (or $.Env.HTTPS_METHOD "redirect") }}
{{- /* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to empty string (use default) */}} {{- /*
* Get the SSL_POLICY defined by containers w/ the same vhost, falling
* back to empty string (use default).
*/}}
{{- $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "" }} {{- $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "" }}
{{- /* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}} {{- /*
* Get the HSTS defined by containers w/ the same vhost, falling back to
* "max-age=31536000".
*/}}
{{- $hsts := or (first (groupByKeys $containers "Env.HSTS")) (or $.Env.HSTS "max-age=31536000") }} {{- $hsts := or (first (groupByKeys $containers "Env.HSTS")) (or $.Env.HSTS "max-age=31536000") }}
{{- /* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}} {{- /* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
@ -301,11 +329,17 @@ server {
{{- /* Get the best matching cert by name for the vhost. */}} {{- /* Get the best matching cert by name for the vhost. */}}
{{- $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}} {{- $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}
{{- /* vhostCert is actually a filename so remove any suffixes since they are added later */}} {{- /*
* vhostCert is actually a filename so remove any suffixes since they
* are added later.
*/}}
{{- $vhostCert := trimSuffix ".crt" $vhostCert }} {{- $vhostCert := trimSuffix ".crt" $vhostCert }}
{{- $vhostCert := trimSuffix ".key" $vhostCert }} {{- $vhostCert := trimSuffix ".key" $vhostCert }}
{{- /* Use the cert specified on the container or fallback to the best vhost match */}} {{- /*
* Use the cert specified on the container or fallback to the best vhost
* match.
*/}}
{{- $cert := (coalesce $certName $vhostCert) }} {{- $cert := (coalesce $certName $vhostCert) }}
{{- $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }} {{- $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
@ -395,10 +429,16 @@ server {
{{- end }} {{- end }}
{{- range $path, $containers := $paths }} {{- range $path, $containers := $paths }}
{{- /* Get the VIRTUAL_PROTO defined by containers w/ the same vhost-vpath, falling back to "http" */}} {{- /*
* Get the VIRTUAL_PROTO defined by containers w/ the same
* vhost-vpath, falling back to "http".
*/}}
{{- $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }} {{- $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
{{- /* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}} {{- /*
* Get the NETWORK_ACCESS defined by containers w/ the same vhost,
* falling back to "external".
*/}}
{{- $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }} {{- $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
{{- $upstream := $upstream_name }} {{- $upstream := $upstream_name }}
{{- $dest := "" }} {{- $dest := "" }}