From a1e210183872b79b52624a17639f2c939d105165 Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Mon, 5 Jul 2021 22:44:42 +0200
Subject: [PATCH] wip
---
bundles/nginx/files/site_template | 118 ------------------------------
1 file changed, 118 deletions(-)
delete mode 100644 bundles/nginx/files/site_template
diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template
deleted file mode 100644
index 597718a..0000000
--- a/bundles/nginx/files/site_template
+++ /dev/null
@@ -1,118 +0,0 @@
-server {
-% if domain_aliases:
- server_name ${domain} ${' '.join(sorted(domain_aliases))};
-% else:
- server_name ${domain};
-% endif
- root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
- index index.php index.html index.htm;
-
- listen 80;
- listen [::]:80;
-
-% if ssl:
- location / {
- return 308 https://$host$request_uri;
- }
-
-% if ssl == 'letsencrypt':
- location /.well-known/acme-challenge/ {
- alias /var/lib/dehydrated/acme-challenges/;
- }
-% endif
-}
-
-server {
-% if domain_aliases:
- server_name ${domain} ${' '.join(sorted(domain_aliases))};
-% else:
- server_name ${domain};
-% endif
- root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
- index index.php index.html index.htm;
-
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
-% if ssl == 'letsencrypt':
- ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;
- ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;
-% else:
- ssl_certificate /etc/nginx/ssl/${vhost}.crt;
- ssl_certificate_key /etc/nginx/ssl/${vhost}.key;
-% endif
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
-
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
-% endif
-
- access_log /var/log/nginx/access-${vhost}.log;
- error_log /var/log/nginx/error-${vhost}.log;
-
-% if max_body_size:
- client_max_body_size ${max_body_size};
-% elif proxy or php:
- client_max_body_size 5M;
-% endif
-
-% if not do_not_set_content_security_headers:
- add_header Referrer-Policy same-origin;
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
-% endif
- add_header Permissions-Policy interest-cohort=();
-
- location /.well-known/acme-challenge/ {
- alias /var/lib/dehydrated/acme-challenges/;
- }
-
-% if security_txt:
- location = /.well-known/security.txt {
- alias /etc/nginx/security.txt.d/${vhost};
- }
-% endif
-
-% if proxy:
-% for location, options in proxy.items():
- location ${location} {
- proxy_pass ${options['target']};
- proxy_http_version ${options.get('http_version', '1.1')};
- proxy_set_header Host ${domain};
-% if options.get('websockets', False):
- proxy_set_header Connection "upgrade";
- proxy_set_header Upgrade $http_upgrade;
-% endif
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-% if ssl:
- proxy_set_header X-Forwarded-Proto HTTPS;
-% endif
- proxy_set_header X-Forwarded-Host ${domain};
-% for option, value in options.get('proxy_set_header', {}).items():
- proxy_set_header ${option} ${value};
-% endfor
-% if location != '/':
- proxy_set_header X-Script-Name ${location};
-% endif
- proxy_buffering off;
- }
-% endfor
-% endif
-
-% if php:
- location ~ \.php$ {
- include fastcgi.conf;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_pass unix:/run/php/php${php_version}-fpm.sock;
- }
-% endif
-
-% if extras:
-<%include file="extras/${node.name}/${vhost}" />
-% endif
-}