bundles/nginx: redirect domain_aliases to primary domain

2024-02-13 13:57:53 +01:00 · 2024-02-13 13:57:53 +01:00 · 050931edf2
commit 050931edf2
parent fa375d0d69
1 changed files with 43 additions and 8 deletions
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@ -12,22 +12,20 @@ server {

 % if ssl:
    location / {
-        return 308 https://$host$request_uri;
+        return 301 https://${domain}$request_uri;
    }

-%   if ssl == 'letsencrypt':
+%  if ssl == 'letsencrypt':
    location /.well-known/acme-challenge/ {
        alias /var/lib/dehydrated/acme-challenges/;
    }
-%   endif
+%  endif
 }

+%  if domain_aliases:
 server {
-%   if domain_aliases:
-    server_name ${domain} ${' '.join(sorted(domain_aliases))};
-%   else:
-    server_name ${domain};
-%   endif
+    server_name ${' '.join(sorted(domain_aliases))};
+
    root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
    index ${' '.join(index)};

@ -48,6 +46,43 @@ server {
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+
+%  if ssl == 'letsencrypt':
+    location /.well-known/acme-challenge/ {
+        alias /var/lib/dehydrated/acme-challenges/;
+    }
+%  endif
+
+    location / {
+        return 301 https://${domain}$request_uri;
+    }
+}
+
+%  endif
+server {
+    server_name ${domain};
+
+    root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
+    index ${' '.join(index)};
+
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+%  if ssl == 'letsencrypt':
+    ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;
+    ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;
+%  else:
+    ssl_certificate /etc/nginx/ssl/${vhost}.crt;
+    ssl_certificate_key /etc/nginx/ssl/${vhost}.key;
+%  endif
+    ssl_dhparam /etc/ssl/certs/dhparam.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 % endif