73 lines
1.9 KiB
Nginx Configuration File
73 lines
1.9 KiB
Nginx Configuration File
{{ ansible_managed | comment }}
|
|
|
|
user www-data;
|
|
worker_processes auto;
|
|
pid /run/nginx.pid;
|
|
include /etc/nginx/modules-enabled/*.conf;
|
|
|
|
events {
|
|
worker_connections 768;
|
|
#worker_processes auto; # <- default is 1
|
|
}
|
|
|
|
http {
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
types_hash_max_size 2048;
|
|
server_tokens off;
|
|
|
|
server_name_in_redirect off;
|
|
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
access_log /var/log/nginx/access.log;
|
|
error_log /var/log/nginx/error.log;
|
|
|
|
gzip off; # compression and crypto don't mix
|
|
# include /etc/nginx/conf.d/*.conf; # Ansible
|
|
|
|
include /etc/nginx/snippets/connection_upgrade.conf;
|
|
|
|
include /etc/nginx/sites-enabled/*;
|
|
}
|
|
|
|
stream {
|
|
# Map the SNI from the TLS hello packet to an upstream server.
|
|
# This allow to RP request without breaking the TLS encryption
|
|
# like a proxy_pass does
|
|
map $ssl_preread_server_name $upstream_server {
|
|
acme-v02.api.letsencrypt.org acme;
|
|
r3.o.lencr.org r3;
|
|
{% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
|
|
{{ rp.value.sni_server_name }} {{ rp.key }};
|
|
{%- endfor %}
|
|
default local;
|
|
}
|
|
|
|
# let's encrypt servers, to generate LE cert from isolated network
|
|
upstream acme {
|
|
server acme-v02.api.letsencrypt.org:443;
|
|
}
|
|
upstream r3 {
|
|
server r3.o.lencr.org:443;
|
|
}
|
|
{% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
|
|
upstream {{ rp.key }} {
|
|
server {{ rp.value.to }}:{{ rp.value.to_port | default('443') }};
|
|
}
|
|
{%- endfor %}
|
|
# default to this server sites
|
|
upstream local {
|
|
server 127.0.0.1:8443;
|
|
}
|
|
|
|
server {
|
|
listen 0.0.0.0:443;
|
|
proxy_pass $upstream_server;
|
|
ssl_preread on;
|
|
}
|
|
}
|