Merge 302cb5db69
into 44a5322ce7
commit
f31f70f4c4
2 changed files with 12 additions and 20 deletions
@ -97,7 +97,7 @@ session caches.
The behavior for the proxy when port 80 and 443 are exposed is as follows:
* If a container has a usable cert, port 80 will redirect to 443 for that container so that HTTPS
* If a container has a usable cert and not SSL_REDIRECT=no is set, port 80 will redirect to 443 for that container so that HTTPS
is always preferred when available.
* If the container does not have a usable cert, a 503 will be returned.
30
nginx.tmpl
30
nginx.tmpl
@ -71,6 +71,9 @@ upstream {{ $host }} {
{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}}
{{ $proto := or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http" }}
{{/* Get redirect behaviour defined by containers w/ the same vhost, falling back to redirecting to https */}}
{{ $sslRedirect := or (first (groupByKeys $containers "Env.SSL_REDIRECT")) "yes" }}
{{/* Get the first cert name defined by containers w/ the same vhost */}}
{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
@ -84,15 +87,20 @@ upstream {{ $host }} {
{{/* Use the cert specifid on the container or fallback to the best vhost match */}}
{{ $cert := (coalesce $certName $vhostCert) }}
{{ if (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
{{ $enabledSSL := (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
{{ if (and $enabledSSL (eq $sslRedirect "yes")) }}
server {
server_name {{ $host }};
return 301 https://$host$request_uri;
}
{{ end }}
server {
server_name {{ $host }};
{{ if (ne $sslRedirect "yes") }} listen 80; {{ end }}
{{ if $enabledSSL }}
listen 443 ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
@ -106,6 +114,7 @@ server {
ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
add_header Strict-Transport-Security "max-age=31536000";
{{ end }}
{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
include {{ printf "/etc/nginx/vhost.d/%s" $host }};
@ -118,26 +127,10 @@ server {
auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }};
{{ end }}
}
}
{{ else }}
server {
server_name {{ $host }};
{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
include {{ printf "/etc/nginx/vhost.d/%s" $host }};
{{ end }}
location / {
proxy_pass {{ $proto }}://{{ $host }};
{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
auth_basic "Restricted {{ $host }}";
auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }};
{{ end }}
}
}
{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
{{ if (and (not $enabledSSL) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
server {
server_name {{ $host }};
listen 443 ssl;
@ -149,4 +142,3 @@ server {
{{ end }}
{{ end }}
{{ end }}
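Review bot: The opt-out test in `{{ if (and $enabledSSL (eq $sslRedirect "yes")) }}` treats any value other than the literal `yes` (`true`, `Yes`, `1`, a typo) as a request to stop redirecting, so a mis-set SSL_REDIRECT silently leaves a vhost that has a valid cert answering over plain HTTP, whereas the README change in this same commit documents only `SSL_REDIRECT=no`. Matching the documented contract and failing closed on unexpected values would be `{{ if (and $enabledSSL (ne $sslRedirect "no")) }}` on that line and `{{ if (or (not $enabledSSL) (eq $sslRedirect "no")) }} listen 80; {{ end }}` on the listen line, which also makes the no-cert case explicit instead of relying on nginx's implicit default listen (*:80 as root, *:8000 otherwise) that the merged server block now falls back to when neither branch emits a listen directive. With the opt-out taken, the same server block also emits `add_header Strict-Transport-Security` on the port-80 responses it now serves; clients discard HSTS received over HTTP so this is harmless, but a comment such as `{{/* HSTS is only honoured by clients on the 443 listener; it is ignored over plain HTTP */}}` above that line would save the next reader from wondering whether it downgrade-protects the plain listener.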