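{{ ansible_managed | comment }}

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    #worker_processes auto; # <- default is 1
}

http {
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;

    # Do not advertise the nginx version in headers or error pages.
    server_tokens off;
    server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # TLS settings for servers in sites-enabled that terminate TLS themselves.
    # They do NOT govern the stream{} SNI router below, which passes the
    # client's TLS session through untouched.
    # SSLv3 dropped (POODLE); TLS 1.0 and 1.1 dropped as well (deprecated by
    # RFC 8996). Only TLS 1.2 and 1.3 are offered.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # NOTE(review): no ssl_ciphers list is set, so the TLS 1.2 cipher set is
    # whatever this nginx/OpenSSL build defaults to. Pin one explicitly if any
    # site in sites-enabled terminates TLS.

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Keep compression off for TLS responses: compress-then-encrypt lets an
    # attacker recover secrets from response sizes (BREACH/CRIME class).
    gzip off; # compression and crypto don't mix

    # include /etc/nginx/conf.d/*.conf; # Ansible
    include /etc/nginx/snippets/connection_upgrade.conf;
    include /etc/nginx/sites-enabled/*;
}

stream {
    # Route each incoming TLS connection to an upstream by the SNI name in the
    # ClientHello, without terminating TLS (unlike an http proxy_pass).
    # The SNI value is chosen by the client and nothing here authenticates it:
    # every upstream listed in this map is reachable by anyone who can open
    # port 443 and name it. Do not list internal services that rely on being
    # unroutable from this listener.
    map $ssl_preread_server_name $upstream_server {
        acme-v02.api.letsencrypt.org acme;
        r3.o.lencr.org r3;
        {% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
        {{ rp.value.sni_server_name }} {{ rp.key }};
        {% endfor %}
        default local;
    }

    # Let's Encrypt API and OCSP responder, so hosts on the isolated network
    # can obtain and validate certificates through this box.
    # These hostnames are resolved once when the config is loaded; a reload is
    # needed if their addresses change. r3.o.lencr.org is the OCSP responder
    # of one specific intermediate — keep this entry (and the map above) in
    # sync when the issuing intermediate changes.
    upstream acme {
        server acme-v02.api.letsencrypt.org:443;
    }
    upstream r3 {
        server r3.o.lencr.org:443;
    }

    {% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
    upstream {{ rp.key }} {
        server {{ rp.value.to }}:{{ rp.value.to_port | default('443') }};
    }
    {%- endfor %}

    # Connections with an unknown or absent SNI land on the local sites.
    upstream local {
        server 127.0.0.1:8443;
    }

    # One line per routed session, so SNI-routed traffic is visible to
    # incident response even though it never reaches the http access.log.
    log_format sni_route '$remote_addr [$time_local] sni="$ssl_preread_server_name" '
                         'upstream=$upstream_addr bytes_in=$bytes_received '
                         'bytes_out=$bytes_sent session=$session_time';
    access_log /var/log/nginx/stream.log sni_route;

    server {
        listen 0.0.0.0:443;
        proxy_pass $upstream_server;
        ssl_preread on;
    }
}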