nginx/templates/nginx.conf

73 lines
1.9 KiB
Nginx Configuration File

{{ ansible_managed | comment }}
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
#worker_processes auto; # <- default is 1
}
http {
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
server_tokens off;
server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip off; # compression and crypto don't mix
# include /etc/nginx/conf.d/*.conf; # Ansible
include /etc/nginx/snippets/connection_upgrade.conf;
include /etc/nginx/sites-enabled/*;
}
stream {
# Map the SNI from the TLS hello packet to an upstream server.
# This allow to RP request without breaking the TLS encryption
# like a proxy_pass does
map $ssl_preread_server_name $upstream_server {
acme-v02.api.letsencrypt.org acme;
r3.o.lencr.org r3;
{% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
{{ rp.value.sni_server_name }} {{ rp.key }};
{%- endfor %}
default local;
}
# let's encrypt servers, to generate LE cert from isolated network
upstream acme {
server acme-v02.api.letsencrypt.org:443;
}
upstream r3 {
server r3.o.lencr.org:443;
}
{% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
upstream {{ rp.key }} {
server {{ rp.value.to }}:{{ rp.value.to_port | default('443') }};
}
{%- endfor %}
# default to this server sites
upstream local {
server 127.0.0.1:8443;
}
server {
listen 0.0.0.0:443;
proxy_pass $upstream_server;
ssl_preread on;
}
}