diff --git a/nginx.tmpl b/nginx.tmpl
index c2409e1..a262a96 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -239,25 +239,19 @@ server {
 {{ end }}
 {{ $access_log }}
 return 503;
-}
 {{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
-server {
- server_name _; # This is just an invalid value which will never trigger on a real hostname.
- server_tokens off;
 listen {{ $external_https_port }} ssl http2;
 {{ if $enable_ipv6 }}
 listen [::]:{{ $external_https_port }} ssl http2;
 {{ end }}
- {{ $access_log }}
- return 503;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;
 ssl_certificate /etc/nginx/certs/default.crt;
 ssl_certificate_key /etc/nginx/certs/default.key;
-}
 {{ end }}
+}
 {{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
@@ -317,9 +311,7 @@ server {
 {{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
-{{ if $is_https }}
-
-{{ if eq $https_method "redirect" }}
+{{ if and $is_https (eq $https_method "redirect") }}
 server {
 server_name {{ $host }};
 {{ if $server_tokens }}
@@ -356,11 +348,18 @@ server {
 {{ if $server_tokens }}
 server_tokens {{ $server_tokens }};
 {{ end }}
+ {{ $access_log }}
+ {{- if or (not $is_https) (eq $https_method "noredirect") }}
+ listen {{ $external_http_port }} {{ $default_server }};
+ {{ if $enable_ipv6 }}
+ listen [::]:{{ $external_http_port }} {{ $default_server }};
+ {{ end }}
+ {{- end }}
+ {{- if $is_https }}
 listen {{ $external_https_port }} ssl http2 {{ $default_server }};
 {{ if $enable_ipv6 }}
 listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }};
 {{ end }}
- {{ $access_log }}
 {{ template "ssl_policy" (dict "ssl_policy" $ssl_policy) }}
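Review bot: The merged catch-all server block starts above this hunk, and the HTTPS-only block being removed carried `server_tokens off;`; confirm the surviving block still has that directive, otherwise the 503 answers on the TLS port will start advertising the nginx version. The TLS half of the block sets only `ssl_session_cache`, `ssl_session_tickets off` and the default certificate, while the `ssl_policy` template that the vhost blocks render (hunk at -356) is not applied here, so protocol and cipher settings for unknown-SNI connections come from the enclosing `http` context (not visible) or nginx defaults — pre-existing, but now this is the single default server and it deserves a note. Suggested comment above the `{{ if (and (exists "/etc/nginx/certs/default.crt") ...` line: `{{/* Catch-all for unmatched hosts: 503 on HTTP and, when a default cert exists, on HTTPS; no ssl_policy is rendered here */}}`.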
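Review bot: The new listen logic folds three modes into one block (plain HTTP only when `$is_https` is false, both listeners for `noredirect`, TLS only for `redirect`) with no comment, and it mixes `{{-` trim markers on the guards with plain `{{ if $enable_ipv6 }}`/`{{ end }}` on the lines between them; the enclosing `server {` begins above the hunk. A one-line template comment before the first `{{- if or (not $is_https) ...` would spare the next maintainer re-deriving the matrix: `{{/* HTTP listener unless the vhost has a usable cert and $https_method is "redirect"; TLS listener whenever a usable cert exists */}}`. Using one trim style throughout the block keeps the whitespace of the rendered config predictable.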
@@ -382,51 +381,13 @@ server {
 {{ end }}
 {{ if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }}
- add_header Strict-Transport-Security "{{ trim $hsts }}" always;
+ set $sts_header "";
+ if ($https) {
+ set $sts_header "{{ trim $hsts }}";
+ }
+ add_header Strict-Transport-Security $sts_header always;
 {{ end }}
-
- {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
- include {{ printf "/etc/nginx/vhost.d/%s" $host }};
- {{ else if (exists "/etc/nginx/vhost.d/default") }}
- include /etc/nginx/vhost.d/default;
- {{ end }}
-
- {{ range $path, $containers := $paths }}
- {{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost-vpath, falling back to "http" */}}
- {{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
-
- {{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
- {{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
- {{ $upstream := $upstream_name }}
- {{ $dest := "" }}
- {{ if gt $nPaths 0 }}
- {{ $sum := sha1 $path }}
- {{ $upstream = printf "%s-%s" $upstream $sum }}
- {{ $dest = (or (first (groupByKeys $containers "Env.VIRTUAL_DEST")) "") }}
- {{ end }}
- {{ template "location" (dict "Path" $path "Proto" $proto "Upstream" $upstream "Host" $host "VhostRoot" $vhost_root "Dest" $dest "NetworkTag" $network_tag) }}
- {{ end }}
- {{ if (not (contains $paths "/")) }}
- location / {
- return {{ $default_root_response }};
- }
- {{ end }}
-}
-
-{{ end }}
-
-{{ if or (not $is_https) (eq $https_method "noredirect") }}
-
-server {
- server_name {{ $host }};
- {{ if $server_tokens }}
- server_tokens {{ $server_tokens }};
- {{ end }}
- listen {{ $external_http_port }} {{ $default_server }};
- {{ if $enable_ipv6 }}
- listen [::]:{{ $external_http_port }} {{ $default_server }};
- {{ end }}
- {{ $access_log }}
+ {{- end }}
 {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
 include {{ printf "/etc/nginx/vhost.d/%s" $host }};
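Review bot: The new HSTS block depends on `add_header` silently omitting a header whose variable value is empty — that is what lets `set $sts_header "";` suppress the header when `$https` is unset — but nothing in the template records this, and a maintainer could collapse it back into a single `add_header` with a literal value and start sending Strict-Transport-Security on plaintext responses. A comment above `set $sts_header "";` would preserve the intent: `{{/* add_header drops a header whose value is empty, so HSTS is only emitted on TLS connections even if this server also has a plain listener */}}`. Since HSTS is already excluded at template time for `noredirect` and the closing `{{- end }}` shows the block renders only under the `$is_https` guard, the runtime `if ($https)` looks redundant with the template conditions — presumably kept as a defensive guard, which the comment should say. `if` containing only `set` at server level is the safe form of that directive, so the construct itself is fine; `{{ trim $hsts }}` is still interpolated unescaped inside a double-quoted nginx string (pre-existing, now in the `set` line as well), so a value containing `"` would break the rendered config.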
@@ -475,4 +436,3 @@ server {
 {{ end }}
 {{ end }}
-{{ end }}