bundlewrap/bundles/c3voc-addons/files/site_template

server {
    server_name ${domain};
    root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
    index index.html index.htm;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_trusted_certificate /etc/letsencrypt/live/${domain}/chain.pem;
    ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_dhparam /etc/ssl/dhparam4096.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

% if max_body_size:
    client_max_body_size ${max_body_size};
% elif proxy:
    client_max_body_size 5M;
% endif

    add_header Permissions-Policy interest-cohort=();

    location /.well-known/acme-challenge/ {
        alias /var/www/dehydrated;
    }

% if locations:
%     for location, options in locations.items():
    location ${location} {
        proxy_pass           ${options['target']};
        proxy_http_version   ${options.get('http_version', '1.1')};
        proxy_set_header     Host ${domain};
% if options.get('websockets', False):
        proxy_set_header     Connection "upgrade";
        proxy_set_header     Upgrade $http_upgrade;
% endif
        proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header     X-Forwarded-Proto HTTPS;
        proxy_set_header     X-Forwarded-Host ${domain};
% for option, value in options.get('proxy_set_header', {}).items():
        proxy_set_header     ${option} ${value};
% endfor
% if location != '/':
        proxy_set_header     X-Script-Name ${location};
% endif
        proxy_buffering      off;
    }
%     endfor
% endif

% if extras:
<%include file="extras/${node.name}/${vhost}" />
% endif
}
add pseudo-bundle to add configs to c3voc ansible managed hosts 2021-01-16 19:57:33 +00:00			`server {`
			`server_name ${domain};`
			`root ${webroot if webroot else '/var/www/{}/'.format(vhost)};`
			`index index.html index.htm;`

			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`

			`ssl_trusted_certificate /etc/letsencrypt/live/${domain}/chain.pem;`
			`ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;`
			`ssl_dhparam /etc/ssl/dhparam4096.pem;`
			`ssl_protocols TLSv1.2 TLSv1.3;`
			`ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;`
			`ssl_prefer_server_ciphers on;`
			`ssl_session_cache shared:SSL:10m;`

			`add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`

			`resolver 8.8.8.8 8.8.4.4 valid=300s;`
			`resolver_timeout 5s;`

bundles/nginx: add configuration option for client_max_body_size 2021-03-30 19:26:25 +00:00			`% if max_body_size:`
			`client_max_body_size ${max_body_size};`
			`% elif proxy:`
			`client_max_body_size 5M;`
			`% endif`

bundles/nginx: disable Federated Learning of Cohorts for all hosts 2021-04-16 16:36:50 +00:00			`add_header Permissions-Policy interest-cohort=();`

add pseudo-bundle to add configs to c3voc ansible managed hosts 2021-01-16 19:57:33 +00:00			`location /.well-known/acme-challenge/ {`
			`alias /var/www/dehydrated;`
			`}`

bundles/nginx: rename 'proxy' metadata to 'locations', support more generic options, move extras files to metadata 2021-07-04 17:27:12 +00:00			`% if locations:`
			`% for location, options in locations.items():`
add pseudo-bundle to add configs to c3voc ansible managed hosts 2021-01-16 19:57:33 +00:00			`location ${location} {`
			`proxy_pass ${options['target']};`
			`proxy_http_version ${options.get('http_version', '1.1')};`
			`proxy_set_header Host ${domain};`
			`% if options.get('websockets', False):`
			`proxy_set_header Connection "upgrade";`
			`proxy_set_header Upgrade $http_upgrade;`
			`% endif`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto HTTPS;`
			`proxy_set_header X-Forwarded-Host ${domain};`
			`% for option, value in options.get('proxy_set_header', {}).items():`
			`proxy_set_header ${option} ${value};`
			`% endfor`
			`% if location != '/':`
			`proxy_set_header X-Script-Name ${location};`
			`% endif`
			`proxy_buffering off;`
			`}`
			`% endfor`
			`% endif`

			`% if extras:`
			`<%include file="extras/${node.name}/${vhost}" />`
			`% endif`
			`}`