bundlewrap/bundles/nginx/files/site_template

server {
% if domain_aliases:
    server_name ${domain} ${' '.join(sorted(domain_aliases))};
% else:
    server_name ${domain};
% endif
    root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
    index ${' '.join(index)};

    listen       80;
    listen       [::]:80;

% if ssl:
    location / {
        return 308 https://$host$request_uri;
    }

%   if ssl == 'letsencrypt':
    location /.well-known/acme-challenge/ {
        alias /var/lib/dehydrated/acme-challenges/;
    }
%   endif
}

server {
%   if domain_aliases:
    server_name ${domain} ${' '.join(sorted(domain_aliases))};
%   else:
    server_name ${domain};
%   endif
    root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
    index ${' '.join(index)};

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

%   if ssl == 'letsencrypt':
    ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;
    ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;
%   else:
    ssl_certificate /etc/nginx/ssl/${vhost}.crt;
    ssl_certificate_key /etc/nginx/ssl/${vhost}.key;
%   endif
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
% endif

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

% if max_body_size:
    client_max_body_size ${max_body_size};
% elif proxy or php:
    client_max_body_size 5M;
% endif

% if not do_not_set_content_security_headers:
    add_header Referrer-Policy same-origin;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
% endif
    add_header Permissions-Policy interest-cohort=();

    location /.well-known/acme-challenge/ {
        alias /var/lib/dehydrated/acme-challenges/;
    }

% if security_txt:
    location = /.well-known/security.txt {
        alias /etc/nginx/security.txt.d/${vhost};
    }
% endif

% if proxy:
%     for location, options in proxy.items():
    location ${location} {
        proxy_pass           ${options['target']};
        proxy_http_version   ${options.get('http_version', '1.1')};
        proxy_set_header     Host ${domain};
% if options.get('websockets', False):
        proxy_set_header     Connection "upgrade";
        proxy_set_header     Upgrade $http_upgrade;
% endif
        proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
% if ssl:
        proxy_set_header     X-Forwarded-Proto HTTPS;
% endif
        proxy_set_header     X-Forwarded-Host ${domain};
% for option, value in options.get('proxy_set_header', {}).items():
        proxy_set_header     ${option} ${value};
% endfor
% if location != '/':
        proxy_set_header     X-Script-Name ${location};
% endif
        proxy_buffering      off;
    }
%     endfor
% endif

% if php:
    location ~ \.php$ {
        include fastcgi.conf;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php${php_version}-fpm.sock;
    }
% endif

% if extras:
<%include file="extras/${node.name}/${vhost}" />
% endif
}
bundles/nginx: add deployment of vhost configs 2020-06-01 08:52:52 +00:00			`server {`
dns: deploy MTA-STS 2020-11-11 10:41:06 +00:00			`% if domain_aliases:`
			`server_name ${domain} ${' '.join(sorted(domain_aliases))};`
			`% else:`
bundles/nginx: add deployment of vhost configs 2020-06-01 08:52:52 +00:00			`server_name ${domain};`
dns: deploy MTA-STS 2020-11-11 10:41:06 +00:00			`% endif`
bundles/nginx: use metadata reactor to determine index files 2020-10-31 09:41:33 +00:00			`root ${webroot if webroot else '/var/www/{}/'.format(vhost)};`
			`index ${' '.join(index)};`
bundles/nginx: add deployment of vhost configs 2020-06-01 08:52:52 +00:00
bundles/nginx: only redirect to ssl for sites which actually have ssl enabled 2021-04-25 07:20:16 +00:00			`listen 80;`
			`listen [::]:80;`

bundles/nginx: support disabling ssl for each vhost individually 2021-02-20 13:25:27 +00:00			`% if ssl:`
bundles/nginx: only redirect to ssl for sites which actually have ssl enabled 2021-04-25 07:20:16 +00:00			`location / {`
			`return 308 https://$host$request_uri;`
			`}`

			`% if ssl == 'letsencrypt':`
			`location /.well-known/acme-challenge/ {`
			`alias /var/lib/dehydrated/acme-challenges/;`
			`}`
			`% endif`
			`}`

			`server {`
			`% if domain_aliases:`
			`server_name ${domain} ${' '.join(sorted(domain_aliases))};`
			`% else:`
			`server_name ${domain};`
			`% endif`
			`root ${webroot if webroot else '/var/www/{}/'.format(vhost)};`
			`index ${' '.join(index)};`

bundles/nginx: add deployment of vhost configs 2020-06-01 08:52:52 +00:00			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`

bundles/nginx: only redirect to ssl for sites which actually have ssl enabled 2021-04-25 07:20:16 +00:00			`% if ssl == 'letsencrypt':`
bundles/nginx: add deployment of vhost configs 2020-06-01 08:52:52 +00:00			`ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;`
			`ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;`
bundles/nginx: only redirect to ssl for sites which actually have ssl enabled 2021-04-25 07:20:16 +00:00			`% else:`
bundles/ssl: support using a preexisting ssl certificate 2021-04-25 07:09:23 +00:00			`ssl_certificate /etc/nginx/ssl/${vhost}.crt;`
			`ssl_certificate_key /etc/nginx/ssl/${vhost}.key;`
bundles/nginx: only redirect to ssl for sites which actually have ssl enabled 2021-04-25 07:20:16 +00:00			`% endif`
bundles/nginx: add deployment of vhost configs 2020-06-01 08:52:52 +00:00			`ssl_dhparam /etc/ssl/certs/dhparam.pem;`
bundles/nginx: switch to TLS 1.2 and 1.3 only 2020-06-01 09:01:00 +00:00			`ssl_protocols TLSv1.2 TLSv1.3;`
			`ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;`
bundles/nginx: add deployment of vhost configs 2020-06-01 08:52:52 +00:00			`ssl_prefer_server_ciphers on;`
			`ssl_session_cache shared:SSL:10m;`
bundles/nginx: better ssl 2021-01-24 17:44:13 +00:00			`ssl_session_tickets off;`
bundles/nginx: do not set X-Forwarded-Proto if https is disabled, do not use http2 without ssl 2020-09-20 13:46:39 +00:00
			`add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`
bundles/nginx: add metadata option to disable https 2020-09-20 12:36:43 +00:00			`% endif`
bundles/{letsencrypt,nginx}: fix ocsp stapling 2020-07-19 10:10:19 +00:00
			`resolver 8.8.8.8 8.8.4.4 valid=300s;`
			`resolver_timeout 5s;`
bundles/nginx: add deployment of vhost configs 2020-06-01 08:52:52 +00:00
bundles/nginx: add configuration option for client_max_body_size 2021-03-30 19:26:25 +00:00			`% if max_body_size:`
			`client_max_body_size ${max_body_size};`
			`% elif proxy or php:`
			`client_max_body_size 5M;`
			`% endif`

htz.ex42-1048908: add missing domains 2020-07-19 09:26:12 +00:00			`% if not do_not_set_content_security_headers:`
add proxy feature to nginx 2020-06-01 09:31:13 +00:00			`add_header Referrer-Policy same-origin;`
bundles/nginx: set default X-Frame-Options to SAMEORIGIN 2020-08-18 13:07:43 +00:00			`add_header X-Frame-Options "SAMEORIGIN";`
add proxy feature to nginx 2020-06-01 09:31:13 +00:00			`add_header X-Content-Type-Options nosniff;`
bundles/nginx: better ssl 2021-01-24 17:44:13 +00:00			`add_header X-XSS-Protection "1; mode=block";`
htz.ex42-1048908: add missing domains 2020-07-19 09:26:12 +00:00			`% endif`
bundles/nginx: disable Federated Learning of Cohorts for all hosts 2021-04-16 16:36:50 +00:00			`add_header Permissions-Policy interest-cohort=();`
bundles/nginx: add deployment of vhost configs 2020-06-01 08:52:52 +00:00
bundles/nginx: ensure we're doing letsencrypt, since we're enforcing ssl 2020-06-01 09:16:22 +00:00			`location /.well-known/acme-challenge/ {`
			`alias /var/lib/dehydrated/acme-challenges/;`
			`}`

bundles/nginx: add a default security.txt to all vhosts 2021-06-03 16:56:28 +00:00			`% if security_txt:`
			`location = /.well-known/security.txt {`
			`alias /etc/nginx/security.txt.d/${vhost};`
			`}`
			`% endif`

add proxy feature to nginx 2020-06-01 09:31:13 +00:00			`% if proxy:`
bundles/nginx: proxy is a dict now, add some more configuration options 2020-09-22 16:36:10 +00:00			`% for location, options in proxy.items():`
add proxy feature to nginx 2020-06-01 09:31:13 +00:00			`location ${location} {`
bundles/nginx: proxy is a dict now, add some more configuration options 2020-09-22 16:36:10 +00:00			`proxy_pass ${options['target']};`
			`proxy_http_version ${options.get('http_version', '1.1')};`
bundles/nginx: also set host header for proxy connections 2020-08-19 19:43:37 +00:00			`proxy_set_header Host ${domain};`
bundles/nginx: proxy is a dict now, add some more configuration options 2020-09-22 16:36:10 +00:00			`% if options.get('websockets', False):`
			`proxy_set_header Connection "upgrade";`
			`proxy_set_header Upgrade $http_upgrade;`
			`% endif`
add proxy feature to nginx 2020-06-01 09:31:13 +00:00			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
bundles/nginx: support disabling ssl for each vhost individually 2021-02-20 13:25:27 +00:00			`% if ssl:`
add proxy feature to nginx 2020-06-01 09:31:13 +00:00			`proxy_set_header X-Forwarded-Proto HTTPS;`
bundles/nginx: do not set X-Forwarded-Proto if https is disabled, do not use http2 without ssl 2020-09-20 13:46:39 +00:00			`% endif`
add proxy feature to nginx 2020-06-01 09:31:13 +00:00			`proxy_set_header X-Forwarded-Host ${domain};`
bundles/nginx: proxy is a dict now, add some more configuration options 2020-09-22 16:36:10 +00:00			`% for option, value in options.get('proxy_set_header', {}).items():`
			`proxy_set_header ${option} ${value};`
			`% endfor`
			`% if location != '/':`
			`proxy_set_header X-Script-Name ${location};`
			`% endif`
add proxy feature to nginx 2020-06-01 09:31:13 +00:00			`proxy_buffering off;`
			`}`
			`% endfor`
			`% endif`

bundles/nginx: support PHP 7.3 2020-07-19 09:09:53 +00:00			`% if php:`
			`location ~ \.php$ {`
bundles/php: introduce 2020-10-31 12:00:38 +00:00			`include fastcgi.conf;`
bundles/nginx: support PHP 7.3 2020-07-19 09:09:53 +00:00			`fastcgi_split_path_info ^(.+\.php)(/.+)$;`
bundles/php: introduce 2020-10-31 12:00:38 +00:00			`fastcgi_pass unix:/run/php/php${php_version}-fpm.sock;`
bundles/nginx: support PHP 7.3 2020-07-19 09:09:53 +00:00			`}`
			`% endif`

bundles/nginx: add deployment of vhost configs 2020-06-01 08:52:52 +00:00			`% if extras:`
bundles/php: introduce 2020-10-31 12:00:38 +00:00			`<%include file="extras/${node.name}/${vhost}" />`
bundles/nginx: add deployment of vhost configs 2020-06-01 08:52:52 +00:00			`% endif`
			`}`