template code formatting
This commit is contained in:
atnartur
parent
ccbbbeb928
commit
333b5d7497
1 changed files with 252 additions and 252 deletions
132
nginx.tmpl
132
nginx.tmpl
|
|
@ -48,7 +48,7 @@ server_names_hash_bucket_size 128;
|
|||
|
||||
# Default dhparam
|
||||
{{ if (exists "/etc/nginx/dhparam/dhparam.pem") }}
|
||||
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
|
||||
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
|
||||
{{ end }}
|
||||
|
||||
# Set appropriate X-Forwarded-Ssl header
|
||||
|
|
@ -66,26 +66,26 @@ log_format vhost '$host $remote_addr - $remote_user [$time_local] '
|
|||
access_log off;
|
||||
|
||||
{{ if $.Env.RESOLVERS }}
|
||||
resolver {{ $.Env.RESOLVERS }};
|
||||
resolver {{ $.Env.RESOLVERS }};
|
||||
{{ end }}
|
||||
|
||||
{{ if (exists "/etc/nginx/proxy.conf") }}
|
||||
include /etc/nginx/proxy.conf;
|
||||
include /etc/nginx/proxy.conf;
|
||||
{{ else }}
|
||||
# HTTP 1.1 support
|
||||
proxy_http_version 1.1;
|
||||
proxy_buffering off;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $proxy_connection;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
|
||||
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
|
||||
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
|
||||
# HTTP 1.1 support
|
||||
proxy_http_version 1.1;
|
||||
proxy_buffering off;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $proxy_connection;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
|
||||
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
|
||||
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
|
||||
|
||||
# Mitigate httpoxy attack (see README for details)
|
||||
proxy_set_header Proxy "";
|
||||
# Mitigate httpoxy attack (see README for details)
|
||||
proxy_set_header Proxy "";
|
||||
{{ end }}
|
||||
|
||||
{{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }}
|
||||
|
|
@ -100,7 +100,7 @@ server {
|
|||
}
|
||||
|
||||
{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
|
||||
server {
|
||||
server {
|
||||
server_name _; # This is just an invalid value which will never trigger on a real hostname.
|
||||
listen 443 ssl http2;
|
||||
{{ if $enable_ipv6 }}
|
||||
|
|
@ -112,19 +112,19 @@ server {
|
|||
ssl_session_tickets off;
|
||||
ssl_certificate /etc/nginx/certs/default.crt;
|
||||
ssl_certificate_key /etc/nginx/certs/default.key;
|
||||
}
|
||||
}
|
||||
{{ end }}
|
||||
|
||||
{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
|
||||
|
||||
{{ $host := trim $host }}
|
||||
{{ $is_regexp := hasPrefix "~" $host }}
|
||||
{{ $upstream_name := when $is_regexp (sha1 $host) $host }}
|
||||
{{ $host := trim $host }}
|
||||
{{ $is_regexp := hasPrefix "~" $host }}
|
||||
{{ $upstream_name := when $is_regexp (sha1 $host) $host }}
|
||||
|
||||
# {{ $host }}
|
||||
upstream {{ $upstream_name }} {
|
||||
# {{ $host }}
|
||||
upstream {{ $upstream_name }} {
|
||||
|
||||
{{ range $container := $containers }}
|
||||
{{ range $container := $containers }}
|
||||
{{ $addrLen := len $container.Addresses }}
|
||||
|
||||
{{ range $knownNetwork := $CurrentContainer.Networks }}
|
||||
|
|
@ -148,50 +148,50 @@ upstream {{ $upstream_name }} {
|
|||
{{ end }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
}
|
||||
{{ end }}
|
||||
}
|
||||
|
||||
{{ $default_host := or ($.Env.DEFAULT_HOST) "" }}
|
||||
{{ $default_server := index (dict $host "" $default_host "default_server") $host }}
|
||||
{{ $default_host := or ($.Env.DEFAULT_HOST) "" }}
|
||||
{{ $default_server := index (dict $host "" $default_host "default_server") $host }}
|
||||
|
||||
{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}}
|
||||
{{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
|
||||
{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}}
|
||||
{{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
|
||||
|
||||
{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
|
||||
{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
|
||||
{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
|
||||
{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
|
||||
|
||||
{{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}}
|
||||
{{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }}
|
||||
{{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}}
|
||||
{{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }}
|
||||
|
||||
{{/* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to "Mozilla-Intermediate" */}}
|
||||
{{ $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "Mozilla-Intermediate" }}
|
||||
{{/* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to "Mozilla-Intermediate" */}}
|
||||
{{ $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "Mozilla-Intermediate" }}
|
||||
|
||||
{{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}}
|
||||
{{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }}
|
||||
{{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}}
|
||||
{{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }}
|
||||
|
||||
{{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
|
||||
{{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
|
||||
{{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
|
||||
{{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
|
||||
|
||||
|
||||
{{/* Get the first cert name defined by containers w/ the same vhost */}}
|
||||
{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
|
||||
{{/* Get the first cert name defined by containers w/ the same vhost */}}
|
||||
{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
|
||||
|
||||
{{/* Get the best matching cert by name for the vhost. */}}
|
||||
{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}
|
||||
{{/* Get the best matching cert by name for the vhost. */}}
|
||||
{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}
|
||||
|
||||
{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}}
|
||||
{{ $vhostCert := trimSuffix ".crt" $vhostCert }}
|
||||
{{ $vhostCert := trimSuffix ".key" $vhostCert }}
|
||||
{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}}
|
||||
{{ $vhostCert := trimSuffix ".crt" $vhostCert }}
|
||||
{{ $vhostCert := trimSuffix ".key" $vhostCert }}
|
||||
|
||||
{{/* Use the cert specified on the container or fallback to the best vhost match */}}
|
||||
{{ $cert := (coalesce $certName $vhostCert) }}
|
||||
{{/* Use the cert specified on the container or fallback to the best vhost match */}}
|
||||
{{ $cert := (coalesce $certName $vhostCert) }}
|
||||
|
||||
{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
|
||||
{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
|
||||
|
||||
{{ if $is_https }}
|
||||
{{ if $is_https }}
|
||||
|
||||
{{ if eq $https_method "redirect" }}
|
||||
server {
|
||||
{{ if eq $https_method "redirect" }}
|
||||
server {
|
||||
server_name {{ $host }};
|
||||
listen 80 {{ $default_server }};
|
||||
{{ if $enable_ipv6 }}
|
||||
|
|
@ -199,10 +199,10 @@ server {
|
|||
{{ end }}
|
||||
access_log /var/log/nginx/access.log vhost;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
{{ end }}
|
||||
}
|
||||
{{ end }}
|
||||
|
||||
server {
|
||||
server {
|
||||
server_name {{ $host }};
|
||||
listen 443 ssl http2 {{ $default_server }};
|
||||
{{ if $enable_ipv6 }}
|
||||
|
|
@ -294,13 +294,13 @@ server {
|
|||
include /etc/nginx/vhost.d/default_location;
|
||||
{{ end }}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
|
||||
{{ if or (not $is_https) (eq $https_method "noredirect") }}
|
||||
{{ if or (not $is_https) (eq $https_method "noredirect") }}
|
||||
|
||||
server {
|
||||
server {
|
||||
server_name {{ $host }};
|
||||
listen 80 {{ $default_server }};
|
||||
{{ if $enable_ipv6 }}
|
||||
|
|
@ -340,10 +340,10 @@ server {
|
|||
include /etc/nginx/vhost.d/default_location;
|
||||
{{ end }}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
{{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
|
||||
server {
|
||||
{{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
|
||||
server {
|
||||
server_name {{ $host }};
|
||||
listen 443 ssl http2 {{ $default_server }};
|
||||
{{ if $enable_ipv6 }}
|
||||
|
|
@ -354,8 +354,8 @@ server {
|
|||
|
||||
ssl_certificate /etc/nginx/certs/default.crt;
|
||||
ssl_certificate_key /etc/nginx/certs/default.key;
|
||||
}
|
||||
{{ end }}
|
||||
}
|
||||
{{ end }}
|
||||
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
|
|
|
|||
Loading…
Reference in a new issue