mirror of
https://github.com/thib8956/nginx-proxy
synced 2024-11-22 03:46:29 +00:00
080a5157e6
Looks like it was not actually working before and failing silently because ssl_trusted_certificate was not specified. Will need to revisit implementing this functionality so removing it for now to prevent the warnings logged by nginx now.
132 lines
4.5 KiB
Cheetah
132 lines
4.5 KiB
Cheetah
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
|
|
# scheme used to connect to this server
|
|
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
|
|
default $http_x_forwarded_proto;
|
|
'' $scheme;
|
|
}
|
|
|
|
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
|
|
# Connection header that may have been passed to this server
|
|
map $http_upgrade $proxy_connection {
|
|
default upgrade;
|
|
'' '';
|
|
}
|
|
|
|
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
|
|
|
access_log /proc/self/fd/1;
|
|
error_log /proc/self/fd/2;
|
|
|
|
# HTTP 1.1 support
|
|
proxy_http_version 1.1;
|
|
proxy_buffering off;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $proxy_connection;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
|
|
|
|
server {
|
|
listen 80 default_server;
|
|
server_name _; # This is just an invalid value which will never trigger on a real hostname.
|
|
error_log /proc/self/fd/2;
|
|
access_log /proc/self/fd/1;
|
|
return 503;
|
|
}
|
|
|
|
{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
|
|
|
|
upstream {{ $host }} {
|
|
{{ range $container := $containers }}
|
|
{{ $addrLen := len $container.Addresses }}
|
|
{{/* If only 1 port exposed, use that */}}
|
|
{{ if eq $addrLen 1 }}
|
|
{{ with $address := index $container.Addresses 0 }}
|
|
# {{$container.Name}}
|
|
server {{ $address.IP }}:{{ $address.Port }};
|
|
{{ end }}
|
|
{{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var */}}
|
|
{{ else if $container.Env.VIRTUAL_PORT }}
|
|
{{ range $address := .Addresses }}
|
|
{{ if eq $address.Port $container.Env.VIRTUAL_PORT }}
|
|
# {{$container.Name}}
|
|
server {{ $address.IP }}:{{ $address.Port }};
|
|
{{ end }}
|
|
{{ end }}
|
|
{{/* Else default to standard web port 80 */}}
|
|
{{ else }}
|
|
{{ range $address := $container.Addresses }}
|
|
{{ if eq $address.Port "80" }}
|
|
# {{$container.Name}}
|
|
server {{ $address.IP }}:{{ $address.Port }};
|
|
{{ end }}
|
|
{{ end }}
|
|
{{ end }}
|
|
{{ end }}
|
|
}
|
|
|
|
{{/* Get the first cert name defined by containers w/ the same vhost */}}
|
|
{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
|
|
|
|
{{/* Get the best matching cert by name for the vhost. */}}
|
|
{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}
|
|
|
|
{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}}
|
|
{{ $vhostCert := replace $vhostCert ".crt" "" -1 }}
|
|
{{ $vhostCert := replace $vhostCert ".key" "" -1 }}
|
|
|
|
{{/* Use the cert specifid on the container or fallback to the best vhost match */}}
|
|
{{ $cert := (coalesce $certName $vhostCert) }}
|
|
|
|
{{ if (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
|
|
|
|
server {
|
|
server_name {{ $host }};
|
|
rewrite ^(.*) https://{{ $host }}$1 permanent;
|
|
}
|
|
|
|
server {
|
|
server_name {{ $host }};
|
|
listen 443 ssl;
|
|
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_timeout 5m;
|
|
ssl_session_cache shared:SSL:50m;
|
|
|
|
ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
|
|
ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
|
|
|
|
location / {
|
|
proxy_pass http://{{ $host }};
|
|
}
|
|
}
|
|
{{ else }}
|
|
|
|
server {
|
|
server_name {{ $host }};
|
|
|
|
location / {
|
|
proxy_pass http://{{ $host }};
|
|
}
|
|
}
|
|
|
|
server {
|
|
server_name {{ $host }};
|
|
listen 443 ssl;
|
|
return 503;
|
|
|
|
{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
|
|
ssl_certificate /etc/nginx/certs/default.crt;
|
|
ssl_certificate_key /etc/nginx/certs/default.key;
|
|
{{ end }}
|
|
}
|
|
|
|
{{ end }}
|
|
{{ end }}
|