server {
- listen 443 default_server ssl;
- server_name {{ fqdn }};
+ server_name {{ item.fqdn }};
+ location '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ root {{ ssl_webroot_base_path }}/{{ item.fqdn }};
+ }
+ location / {
+ add_header Strict-Transport-Security max-age=31536000;
+ return 301 https://$server_name$request_uri;
+ }
+}
- ssl_certificate /etc/ssl/certs/{{ fqdn }}-bundled.crt;
- ssl_certificate_key /etc/ssl/private/{{ fqdn }}.key;
+server {
+ listen 443 ssl;
+ server_name {{ item.fqdn }};
+ {% if development_server %}
+ ssl_certificate /etc/ssl/certs/{{ item.fqdn }}-bundled.crt;
+ ssl_certificate_key /etc/ssl/private/{{ item.fqdn }}.key;
+ {% else %}
+ ssl_certificate /etc/letsencrypt/live/{{ item.fqdn }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ item.fqdn }}/privkey.pem;
+ {% endif %}
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000";
- access_log /var/log/nginx/{{ app_name }}-access.log;
- error_log /var/log/nginx/{{ app_name }}-error.log;
+ access_log /var/log/nginx/{{ item.app_name }}-access.log upstreamlog;
+ error_log /var/log/nginx/{{ item.app_name }}-error.log;
- # Some binaries are gigantic
- client_max_body_size 2048m;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://127.0.0.1:8000;
- proxy_read_timeout 500;
+
+ {% if item.upstreams is defined %}
+ proxy_pass https://{{ item.upstreams.name }};
+ {% elif item.proxy_pass is defined %}
+ proxy_pass {{ item.proxy_pass }};
+ {% endif %}
+ proxy_read_timeout 30;
}
}
projects / ceph-build.git / commitdiff