thib8956/nginx-proxy
1
0
Fork 0
mirror of https://github.com/thib8956/nginx-proxy synced 2025-02-24 01:38:15 +00:00
Code Issues Releases Wiki Activity

fix: Move NETWORK_ACCESS to location block

Browse Source
This commit is contained in:
Alexander Lieret 2021-08-24 15:51:39 +02:00 committed by Nicolas Duchon
parent 6a580ad664
commit 28c74e8dae
No known key found for this signature in database
GPG Key ID: 91EF7BB1EECB961A
2 changed files with 18 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
network_internal.conf
View File

@ -3,4 +3,5 @@ allow 127.0.0.0/8;
allow 10.0.0.0/8; allow 10.0.0.0/8;
allow 192.168.0.0/16; allow 192.168.0.0/16;
allow 172.16.0.0/12; allow 172.16.0.0/12;
allow fc00::/7; # IPv6 local address range
deny all; deny all;

33
nginx.tmpl
View File

@ -52,6 +52,11 @@
{{ define "location" }} {{ define "location" }}
location {{ .Path }} { location {{ .Path }} {
{{ if eq .NetworkTag "internal" }}
# Only allow traffic from internal clients
include /etc/nginx/network_internal.conf;
{{ end }}
{{ if eq .Proto "uwsgi" }} {{ if eq .Proto "uwsgi" }}
include uwsgi_params; include uwsgi_params;
uwsgi_pass {{ trim .Proto }}://{{ trim .Upstream }}; uwsgi_pass {{ trim .Proto }}://{{ trim .Upstream }};
@ -277,8 +282,6 @@ server {
{{/* Get the SERVER_TOKENS defined by containers w/ the same vhost, falling back to "" */}} {{/* Get the SERVER_TOKENS defined by containers w/ the same vhost, falling back to "" */}}
{{ $server_tokens := trim (or (first (groupByKeys $containers "Env.SERVER_TOKENS")) "") }} {{ $server_tokens := trim (or (first (groupByKeys $containers "Env.SERVER_TOKENS")) "") }}
{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
{{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}} {{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}}
{{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) (or $.Env.HTTPS_METHOD "redirect") }} {{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) (or $.Env.HTTPS_METHOD "redirect") }}
@ -353,11 +356,6 @@ server {
{{ end }} {{ end }}
{{ $access_log }} {{ $access_log }}
{{ if eq $network_tag "internal" }}
# Only allow traffic from internal clients
include /etc/nginx/network_internal.conf;
{{ end }}
{{ template "ssl_policy" (dict "ssl_policy" $ssl_policy) }} {{ template "ssl_policy" (dict "ssl_policy" $ssl_policy) }}
ssl_session_timeout 5m; ssl_session_timeout 5m;
@ -388,13 +386,17 @@ server {
{{ end }} {{ end }}
{{ if eq $nPaths 0 }} {{ if eq $nPaths 0 }}
{{ template "location" (dict "Path" "/" "Proto" $proto "Upstream" $upstream_name "Host" $host "Vhostroot" $vhost_root "Dest" "") }} {{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
{{ template "location" (dict "Path" "/" "Proto" $proto "Upstream" $upstream_name "Host" $host "Vhostroot" $vhost_root "Dest" "" "NetworkTag" $network_tag) }}
{{ else }} {{ else }}
{{ range $path, $container := $paths }} {{ range $path, $container := $paths }}
{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
{{ $network_tag := or (first (groupByKeys $container "Env.NETWORK_ACCESS")) "external" }}
{{ $sum := sha1 $path }} {{ $sum := sha1 $path }}
{{ $upstream := printf "%s-%s" $upstream_name $sum }} {{ $upstream := printf "%s-%s" $upstream_name $sum }}
{{ $dest := (or (first (groupByKeys $container "Env.VIRTUAL_DEST")) "") }} {{ $dest := (or (first (groupByKeys $container "Env.VIRTUAL_DEST")) "") }}
{{ template "location" (dict "Path" $path "Proto" $proto "Upstream" $upstream "Host" $host "Vhostroot" $vhost_root "Dest" $dest) }} {{ template "location" (dict "Path" $path "Proto" $proto "Upstream" $upstream "Host" $host "Vhostroot" $vhost_root "Dest" $dest "NetworkTag" $network_tag) }}
{{ end }} {{ end }}
{{ if (not (contains $paths "/")) }} {{ if (not (contains $paths "/")) }}
location / { location / {
@ -419,11 +421,6 @@ server {
{{ end }} {{ end }}
{{ $access_log }} {{ $access_log }}
{{ if eq $network_tag "internal" }}
# Only allow traffic from internal clients
include /etc/nginx/network_internal.conf;
{{ end }}
{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
include {{ printf "/etc/nginx/vhost.d/%s" $host }}; include {{ printf "/etc/nginx/vhost.d/%s" $host }};
{{ else if (exists "/etc/nginx/vhost.d/default") }} {{ else if (exists "/etc/nginx/vhost.d/default") }}
@ -431,13 +428,17 @@ server {
{{ end }} {{ end }}
{{ if eq $nPaths 0 }} {{ if eq $nPaths 0 }}
{{ template "location" (dict "Path" "/" "Proto" $proto "Upstream" $upstream_name "Host" $host "Vhostroot" $vhost_root "Dest" "") }} {{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
{{ template "location" (dict "Path" "/" "Proto" $proto "Upstream" $upstream_name "Host" $host "Vhostroot" $vhost_root "Dest" "" "NetworkTag" $network_tag) }}
{{ else }} {{ else }}
{{ range $path, $container := $paths }} {{ range $path, $container := $paths }}
{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
{{ $network_tag := or (first (groupByKeys $container "Env.NETWORK_ACCESS")) "external" }}
{{ $sum := sha1 $path }} {{ $sum := sha1 $path }}
{{ $upstream := printf "%s-%s" $upstream_name $sum }} {{ $upstream := printf "%s-%s" $upstream_name $sum }}
{{ $dest := (or (first (groupByKeys $container "Env.VIRTUAL_DEST")) "") }} {{ $dest := (or (first (groupByKeys $container "Env.VIRTUAL_DEST")) "") }}
{{ template "location" (dict "Path" $path "Proto" $proto "Upstream" $upstream "Host" $host "Vhostroot" $vhost_root "Dest" $dest) }} {{ template "location" (dict "Path" $path "Proto" $proto "Upstream" $upstream "Host" $host "Vhostroot" $vhost_root "Dest" $dest "NetworkTag" $network_tag) }}
{{ end }} {{ end }}
{{ if (not (contains $paths "/")) }} {{ if (not (contains $paths "/")) }}
location / { location / {