diff --git a/bundles/nginx/files/port80.conf b/bundles/nginx/files/port80.conf
index 9d2444e..158c2e8 100644
--- a/bundles/nginx/files/port80.conf
+++ b/bundles/nginx/files/port80.conf
@@ -4,11 +4,6 @@ server {
 server_name _;
 location / {
- return 308 https://$host$request_uri;
+ return 404;
 }
-% if needs_le:
- location /.well-known/acme-challenge/ {
- alias /var/lib/dehydrated/acme-challenges/;
- }
-% endif
 }
diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template
index 83f3ec7..0e234e7 100644
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@@ -7,17 +7,40 @@ server {
 root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
 index ${' '.join(index)};
+ listen 80;
+ listen [::]:80;
+
 % if ssl:
+ location / {
+ return 308 https://$host$request_uri;
+ }
+
+% if ssl == 'letsencrypt':
+ location /.well-known/acme-challenge/ {
+ alias /var/lib/dehydrated/acme-challenges/;
+ }
+% endif
+}
+
+server {
+% if domain_aliases:
+ server_name ${domain} ${' '.join(sorted(domain_aliases))};
+% else:
+ server_name ${domain};
+% endif
+ root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
+ index ${' '.join(index)};
+
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
-% if ssl == 'letsencrypt':
+% if ssl == 'letsencrypt':
 ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;
 ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;
-% else:
+% else:
 ssl_certificate /etc/nginx/ssl/${vhost}.crt;
 ssl_certificate_key /etc/nginx/ssl/${vhost}.key;
-% endif
+% endif
 ssl_dhparam /etc/ssl/certs/dhparam.pem;
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
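Review bot: Whether this 404 is ever served for an unknown Host depends on the `listen` directives above the hunk: nginx routes unmatched hosts to the server marked `default_server` or, failing that, to the first server block it loads, so this file only acts as a catch-all while its `000-` name sorts ahead of every vhost file or its `listen 80` lines carry `default_server`. Replacing `return 308 https://$host$request_uri;` with `return 404;` is the right choice for a block that matches any Host, because `$host` there is whatever the client sent; record that so the redirect is not reintroduced later: `# Catch-all for Host values no vhost claims; never redirect here, $host is client-controlled.` The acme-challenge alias now lives only in the per-vhost port-80 block of site_template, so a challenge for a name no vhost lists in `server_name` would receive this 404 — confirm dehydrated only requests names that appear there. The `server {` block starts above the hunk.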
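Review bot: The `% if ssl:` inside the first `server {` has no matching `% endif` in this hunk; the one it pairs with is the `% endif` left after the Strict-Transport-Security line in the next hunk, so for a vhost with `ssl` falsy the first block's closing `}` and the entire second `server {` header are skipped and the plain-HTTP block is closed by the TLS block's trailing brace. That works, but the brace balance now depends on a template condition spanning two server blocks, and nothing at the `% if ssl:` line says so; add a Mako comment there such as `## ssl falsy: skips to the endif after the HSTS header, so this block continues with the resolver and location directives below`. The `return 308 https://$host$request_uri;` redirect is acceptable in this block because its `server_name` is the vhost's own domain and aliases, which confines `$host` to configured names as long as the `000-port80.conf` catch-all stays the default server; a one-line comment stating that assumption would help the next reader. Both server blocks extend past the hunk.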
@@ -26,9 +49,6 @@ server {
 ssl_session_tickets off;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
-% else:
- listen 80;
- listen [::]:80;
 % endif
 resolver 8.8.8.8 8.8.4.4 valid=300s;
diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py
index cf857ba..4c42991 100644
--- a/bundles/nginx/items.py
+++ b/bundles/nginx/items.py
@@ -32,6 +32,12 @@ files = {
 'svc_systemd:nginx:restart',
 },
 },
+ '/etc/nginx/sites/000-port80.conf': {
+ 'source': 'port80.conf',
+ 'triggers': {
+ 'svc_systemd:nginx:restart',
+ },
+ },
 '/usr/local/share/icinga/plugins/check_nginx_status': {
 'mode': '0755',
 },
@@ -53,8 +59,6 @@ svc_systemd = {
 },
 }
-install_port80_redirect = False
-port80_has_letsencrypt = False
 for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
 if not 'domain' in config:
 config['domain'] = vhost
@@ -90,8 +94,6 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
 if config.get('ssl', 'letsencrypt') == 'letsencrypt':
 files[f'/etc/nginx/sites/{vhost}']['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain']))
 files[f'/etc/nginx/sites/{vhost}']['needed_by'].add('action:letsencrypt_update_certificates')
- port80_has_letsencrypt = True
- install_port80_redirect = True
 elif config.get('ssl', 'letsencrypt'):
 files[f'/etc/nginx/ssl/{vhost}.crt'] = {
@@ -122,16 +124,3 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
 files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.crt')
 files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.key')
- install_port80_redirect = True
-
-if install_port80_redirect:
- files['/etc/nginx/sites/000-port80.conf'] = {
- 'source': 'port80.conf',
- 'content_type': 'mako',
- 'context': {
- 'needs_le': port80_has_letsencrypt,
- },
- 'triggers': {
- 'svc_systemd:nginx:restart',
- },
- }
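Review bot: The catch-all is now installed on every node, even one with no `nginx/vhosts` metadata, and without the `content_type: 'mako'` the old conditional entry carried, which is consistent with port80.conf having lost its `% if needs_le` block but is not explained anywhere; add `# Always-on default server for port 80: the 000- prefix sorts it ahead of every vhost file so unmatched Host values land here instead of in the first vhost.` That ordering is the only thing making it the default — a vhost whose name sorts before `000-port80.conf` would silently take over unmatched hosts — so consider declaring `default_server` on its `listen` lines in port80.conf instead of relying on file order. The enclosing `files` dict begins above the hunk.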