author | Mike Crute <mike@crute.us> | 2022-12-03 15:55:51 -0800 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2022-12-03 15:55:51 -0800 |
commit | 245cf4f44375a7ae2a51d7412a94f46acad2c648 (patch) | |
tree | 67aeb824450a427d7ffde46a9f032126c67e3d56 | |
parent | 3f7d75ab3947da84323eb735af76568795392b12 (diff) | |
nginx-common: update config
-rw-r--r-- | nginx-common/conf/conf.d/default_hosts.conf.tpl | 63 | ||||
-rw-r--r-- | nginx-common/conf/includes/hardened_ssl.conf | 20 | ||||
-rw-r--r-- | nginx-common/conf/includes/internal_ip_allow_only.conf | 33 | ||||
-rw-r--r-- | nginx-common/conf/includes/internal_ip_cgit_acl.conf | 30 | ||||
-rw-r--r-- | nginx-common/conf/includes/public_key_pin.conf | 4 | ||||
-rw-r--r-- | nginx-common/conf/includes/star_crute_me_ssl.conf | 2 | ||||
-rw-r--r-- | nginx-common/conf/includes/star_pomonaconsulting_com_ssl.conf | 2 | ||||
-rw-r--r-- | nginx-common/conf/includes/star_sea1_crute_me_ssl.conf | 2 | ||||
-rw-r--r-- | nginx-common/conf/nginx.conf | 152 | ||||
-rw-r--r-- | nginx-common/conf/nginx.conf.tpl | 130 |
10 files changed, 256 insertions, 182 deletions
diff --git a/nginx-common/conf/conf.d/default_hosts.conf.tpl b/nginx-common/conf/conf.d/default_hosts.conf.tpl deleted file mode 100644 index 7eea7bf..0000000 --- a/nginx-common/conf/conf.d/default_hosts.conf.tpl +++ /dev/null | |||
@@ -1,63 +0,0 @@ | |||
1 | map $http_host $can_redirect { | ||
2 | hostnames; | ||
3 | |||
4 | default 0; | ||
5 | crute.me 1; | ||
6 | *.crute.me 1; | ||
7 | crute.us 1; | ||
8 | *.crute.us 1; | ||
9 | *.pomonaconsulting.com 1; | ||
10 | pomonaconsulting.com 1; | ||
11 | *.pomonaconsulting.net 1; | ||
12 | pomonaconsulting.net 1; | ||
13 | leavenworthsnowmobilerentals.com 1; | ||
14 | *.leavenworthsnowmobilerentals.com 1; | ||
15 | lakewenatcheecabins.net 1; | ||
16 | *.lakewenatcheecabins.net 1; | ||
17 | 59erdiner.com 1; | ||
18 | *.59erdiner.com 1; | ||
19 | as398223.net 1; | ||
20 | *.as398223.net 1; | ||
21 | frompythonimportpodcast.com 1; | ||
22 | *.frompythonimportpodcast.com 1; | ||
23 | } | ||
24 | |||
25 | server { | ||
26 | listen *:80 default_server; | ||
27 | listen [::]:80 default_server; | ||
28 | |||
29 | access_log /logs/default_http_vhost.log combined_host; | ||
30 | |||
31 | location / { | ||
32 | if ($can_redirect) { | ||
33 | rewrite (.*) https://$http_host$1 permanent; | ||
34 | } | ||
35 | |||
36 | default_type text/plain; | ||
37 | return 404 "not found"; | ||
38 | } | ||
39 | } | ||
40 | |||
41 | {{ if ne (.Get "NGINX_PP_DISABLE_SSL_DEFAULT") "true" }} | ||
42 | server { | ||
43 | listen *:443 ssl http2 default_server; | ||
44 | listen [::]:443 ssl http2 default_server; | ||
45 | |||
46 | access_log /logs/default_https_vhost.log combined_host; | ||
47 | |||
48 | include includes/hardened_ssl.conf; | ||
49 | include includes/hardened_headers.conf; | ||
50 | include includes/default_csp.conf; | ||
51 | |||
52 | {{ if ne (.Get "NGINX_PP_DEFAULT_SSL_FILE") "" }} | ||
53 | include includes/{{ .Get "NGINX_PP_DEFAULT_SSL_FILE" }}.conf; | ||
54 | {{ else }} | ||
55 | include includes/star_crute_me_ssl.conf; | ||
56 | {{ end }} | ||
57 | |||
58 | location / { | ||
59 | default_type text/plain; | ||
60 | return 404 "not found"; | ||
61 | } | ||
62 | } | ||
63 | {{ end }} | ||
diff --git a/nginx-common/conf/includes/hardened_ssl.conf b/nginx-common/conf/includes/hardened_ssl.conf deleted file mode 100644 index 0f729c7..0000000 --- a/nginx-common/conf/includes/hardened_ssl.conf +++ /dev/null | |||
@@ -1,20 +0,0 @@ | |||
1 | ssl_protocols TLSv1.2 TLSv1.3; | ||
2 | ssl_prefer_server_ciphers on; | ||
3 | #ssl_ecdh_curve secp521r1:secp384r1:X25519; | ||
4 | |||
5 | # These are possibly vulnerable to the ROBOT attack (https://robotattack.org) | ||
6 | # but are also important for backwards compatability for a few older, but still | ||
7 | # frequently used, Android variants. The use of ECDHE in these algorithms may | ||
8 | # mitigate the vulnerability but the conservative approach would be to disable | ||
9 | # them. | ||
10 | # | ||
11 | # !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384: | ||
12 | # | ||
13 | ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!aNULL"; | ||
14 | |||
15 | ssl_stapling on; | ||
16 | ssl_stapling_verify on; | ||
17 | resolver 8.8.4.4 8.8.8.8 valid=300s; | ||
18 | resolver_timeout 5s; | ||
19 | |||
20 | add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always; | ||
diff --git a/nginx-common/conf/includes/internal_ip_allow_only.conf b/nginx-common/conf/includes/internal_ip_allow_only.conf deleted file mode 100644 index 0a4e152..0000000 --- a/nginx-common/conf/includes/internal_ip_allow_only.conf +++ /dev/null | |||
@@ -1,33 +0,0 @@ | |||
1 | # Global V4 Internal Network | ||
2 | allow 172.16.0.0/16; | ||
3 | # FKL1 V4 Internal Network | ||
4 | allow 172.18.0.0/16; | ||
5 | # SEA4 V4 Internal Network | ||
6 | allow 172.19.0.0/16; | ||
7 | # ORD1 V4 Internal Network | ||
8 | allow 172.20.0.0/16; | ||
9 | # Mobile V4 Internal Network | ||
10 | allow 172.21.0.0/16; | ||
11 | # PDX1 V6 Network | ||
12 | allow 2600:1f14:f39:e000::/56; | ||
13 | # CMH1 V6 Network | ||
14 | allow 2600:1f16:33:500::/56; | ||
15 | # LHR1 V6 Network | ||
16 | allow 2a05:d01c:7ba:b800::/56; | ||
17 | # SEA1 Internal V6 Network | ||
18 | allow 2602:0803:4070::/48; | ||
19 | # SEA4 Internal V6 Network | ||
20 | allow 2602:0803:4072::/48; | ||
21 | # SEA4 Remote Access VPN V6 Network | ||
22 | allow 2602:0803:4075::/48; | ||
23 | # ORD1 Internal V6 Network | ||
24 | allow 2602:0803:4073::/48; | ||
25 | # FKL1 Internal V6 Network | ||
26 | allow 2602:0803:4074::/48; | ||
27 | # Wireguard RAS V6 Network | ||
28 | allow 2602:0803:4075::/48; | ||
29 | # Mobile V6 Internal Network | ||
30 | allow 2602:0803:4076::/48; | ||
31 | |||
32 | allow 127.0.0.1; | ||
33 | deny all; | ||
diff --git a/nginx-common/conf/includes/internal_ip_cgit_acl.conf b/nginx-common/conf/includes/internal_ip_cgit_acl.conf deleted file mode 100644 index 833d4db..0000000 --- a/nginx-common/conf/includes/internal_ip_cgit_acl.conf +++ /dev/null | |||
@@ -1,30 +0,0 @@ | |||
1 | geo $cgit_config { | ||
2 | default "/srv/code/etc/cgit-public.cfg"; | ||
3 | |||
4 | # Global V4 Internal Network | ||
5 | 172.16.0.0/16 "/srv/code/etc/cgit-private.cfg"; | ||
6 | # FKL1 V4 Internal network | ||
7 | 172.18.0.0/16 "/srv/code/etc/cgit-private.cfg"; | ||
8 | # SEA4 V4 Internal network | ||
9 | 172.19.0.0/16 "/srv/code/etc/cgit-private.cfg"; | ||
10 | # ORD1 V4 Internal network | ||
11 | 172.20.0.0/16 "/srv/code/etc/cgit-private.cfg"; | ||
12 | # Mobile V4 Internal network | ||
13 | 172.21.0.0/16 "/srv/code/etc/cgit-private.cfg"; | ||
14 | # PDX1 V6 Network | ||
15 | 2600:1f14:f39:e000::/56 "/srv/code/etc/cgit-private.cfg"; | ||
16 | # CMH1 V6 Network | ||
17 | 2600:1f16:33:500::/56 "/srv/code/etc/cgit-private.cfg"; | ||
18 | # SEA1 Internal V6 Network | ||
19 | 2602:0803:4070::/48 "/srv/code/etc/cgit-private.cfg"; | ||
20 | # SEA4 Internal V6 Network | ||
21 | 2602:0803:4072::/48 "/srv/code/etc/cgit-private.cfg"; | ||
22 | # ORD1 Internal V6 Network | ||
23 | 2602:0803:4073::/48 "/srv/code/etc/cgit-private.cfg"; | ||
24 | # FKL1 Internal V6 Network | ||
25 | 2602:0803:4074::/48 "/srv/code/etc/cgit-private.cfg"; | ||
26 | # Wireguard RAS V6 Network | ||
27 | 2602:0803:4075::/48 "/srv/code/etc/cgit-private.cfg"; | ||
28 | # Mobile V6 Internal Network | ||
29 | 2602:0803:4076::/48 "/srv/code/etc/cgit-private.cfg"; | ||
30 | } | ||
diff --git a/nginx-common/conf/includes/public_key_pin.conf b/nginx-common/conf/includes/public_key_pin.conf deleted file mode 100644 index 80e0e83..0000000 --- a/nginx-common/conf/includes/public_key_pin.conf +++ /dev/null | |||
@@ -1,4 +0,0 @@ | |||
1 | # This is not used because it's too risky in the case of CA changes | ||
2 | # | ||
3 | # openssl x509 -in le2 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64 | ||
4 | add_header Public-Key-Pins 'pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=0; includeSubDomains' always; | ||
diff --git a/nginx-common/conf/includes/star_crute_me_ssl.conf b/nginx-common/conf/includes/star_crute_me_ssl.conf deleted file mode 100644 index 536e8d0..0000000 --- a/nginx-common/conf/includes/star_crute_me_ssl.conf +++ /dev/null | |||
@@ -1,2 +0,0 @@ | |||
1 | ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_me.pem; | ||
2 | ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_me_key.pem; | ||
diff --git a/nginx-common/conf/includes/star_pomonaconsulting_com_ssl.conf b/nginx-common/conf/includes/star_pomonaconsulting_com_ssl.conf deleted file mode 100644 index d14c833..0000000 --- a/nginx-common/conf/includes/star_pomonaconsulting_com_ssl.conf +++ /dev/null | |||
@@ -1,2 +0,0 @@ | |||
1 | ssl_certificate /srv/nginx-conf/ssl/letsencrypt_pomonaconsulting_com.pem; | ||
2 | ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_pomonaconsulting_com_key.pem; | ||
diff --git a/nginx-common/conf/includes/star_sea1_crute_me_ssl.conf b/nginx-common/conf/includes/star_sea1_crute_me_ssl.conf deleted file mode 100644 index af0a3a4..0000000 --- a/nginx-common/conf/includes/star_sea1_crute_me_ssl.conf +++ /dev/null | |||
@@ -1,2 +0,0 @@ | |||
1 | ssl_certificate /srv/nginx-conf/ssl/letsencrypt_sea1_crute_me.pem; | ||
2 | ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_sea1_crute_me_key.pem; | ||
diff --git a/nginx-common/conf/nginx.conf b/nginx-common/conf/nginx.conf index c04990a..6b7a47b 100644 --- a/nginx-common/conf/nginx.conf +++ b/nginx-common/conf/nginx.conf | |||
@@ -1,3 +1,5 @@ | |||
1 | # vim:ft=nginx | ||
2 | |||
1 | user nginx; | 3 | user nginx; |
2 | worker_processes 1; | 4 | worker_processes 1; |
3 | 5 | ||
@@ -5,42 +7,140 @@ error_log /dev/stdout warn; | |||
5 | pid /var/run/nginx.pid; | 7 | pid /var/run/nginx.pid; |
6 | 8 | ||
7 | events { | 9 | events { |
8 | worker_connections 1024; | 10 | worker_connections 1024; |
9 | } | 11 | } |
10 | 12 | ||
11 | http { | 13 | http { |
12 | include mime.types; | 14 | include mime.types; |
13 | default_type application/octet-stream; | 15 | |
16 | default_type application/octet-stream; | ||
17 | |||
18 | log_format combined_host '$host $remote_addr - $remote_user [$time_local] ' | ||
19 | '"$request" $status $body_bytes_sent ' | ||
20 | '"$http_referer" "$http_user_agent"'; | ||
21 | |||
22 | access_log /logs/default_server.log combined_host; | ||
23 | |||
24 | sendfile on; | ||
25 | tcp_nopush on; | ||
26 | server_tokens off; | ||
27 | |||
28 | keepalive_timeout 128; | ||
29 | |||
30 | # Try to avoid buffering requests to disk This is about 4MB | ||
31 | client_body_buffer_size 4000k; | ||
32 | |||
33 | # Try to avoid buffering backend responses to disk This is about 4MB | ||
34 | proxy_buffers 1000 4k; | ||
35 | |||
36 | gzip on; | ||
37 | gzip_proxied any; | ||
38 | gzip_disable "msie6"; | ||
39 | gzip_types | ||
40 | application/javascript | ||
41 | application/rss+xml | ||
42 | application/x-javascript | ||
43 | application/xhtml+xml | ||
44 | application/xml | ||
45 | image/svg+xml | ||
46 | image/x-icon | ||
47 | text/css | ||
48 | text/javascript | ||
49 | text/plain | ||
50 | text/xml; | ||
51 | |||
52 | ssl_session_cache shared:SSL:10m; | ||
53 | ssl_session_timeout 10m; | ||
54 | ssl_dhparam /srv/nginx-conf/ssl/dhparam.pem; | ||
55 | ssl_prefer_server_ciphers on; | ||
56 | #ssl_ecdh_curve secp521r1:secp384r1:X25519; | ||
57 | |||
58 | # These are possibly vulnerable to the ROBOT attack | ||
59 | # (https://robotattack.org) but are also important for backwards | ||
60 | # compatability for a few older, but still frequently used, Android | ||
61 | # variants. The use of ECDHE in these algorithms may mitigate the | ||
62 | # vulnerability but the conservative approach would be to disable them. | ||
63 | # | ||
64 | # !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384: | ||
65 | # | ||
66 | ssl_ciphers | ||
67 | 'ECDHE-ECDSA-CHACHA20-POLY1305:' | ||
68 | 'ECDHE-RSA-CHACHA20-POLY1305:' | ||
69 | 'AES256+EECDH:' | ||
70 | 'AES256+EDH:' | ||
71 | '!DHE-RSA-AES256-SHA256:' | ||
72 | '!DHE-RSA-AES256-SHA:' | ||
73 | '!aNULL'; | ||
74 | |||
75 | ssl_stapling on; | ||
76 | ssl_stapling_verify on; | ||
77 | resolver 8.8.4.4 8.8.8.8 valid=300s; | ||
78 | resolver_timeout 5s; | ||
79 | |||
80 | |||
81 | map $http_host $can_redirect { | ||
82 | hostnames; | ||
83 | |||
84 | default 0; | ||
85 | |||
86 | crute.me 1; | ||
87 | *.crute.me 1; | ||
88 | crute.us 1; | ||
89 | *.crute.us 1; | ||
90 | *.pomonaconsulting.com 1; | ||
91 | pomonaconsulting.com 1; | ||
92 | *.pomonaconsulting.net 1; | ||
93 | pomonaconsulting.net 1; | ||
94 | leavenworthsnowmobilerentals.com 1; | ||
95 | *.leavenworthsnowmobilerentals.com 1; | ||
96 | lakewenatcheecabins.net 1; | ||
97 | *.lakewenatcheecabins.net 1; | ||
98 | 59erdiner.com 1; | ||
99 | *.59erdiner.com 1; | ||
100 | as398223.net 1; | ||
101 | *.as398223.net 1; | ||
102 | frompythonimportpodcast.com 1; | ||
103 | *.frompythonimportpodcast.com 1; | ||
104 | } | ||
105 | |||
106 | |||
107 | server { | ||
108 | listen *:80 default_server; | ||
109 | listen [::]:80 default_server; | ||
14 | 110 | ||
15 | log_format combined_host '$host $remote_addr - $remote_user [$time_local] ' | 111 | access_log /logs/default_http_vhost.log combined_host; |
16 | '"$request" $status $body_bytes_sent ' | ||
17 | '"$http_referer" "$http_user_agent"'; | ||
18 | 112 | ||
19 | access_log /logs/default_server.log combined_host; | 113 | location / { |
114 | if ($can_redirect) { | ||
115 | rewrite (.*) https://$http_host$1 permanent; | ||
116 | } | ||
20 | 117 | ||
21 | sendfile on; | 118 | default_type text/plain; |
22 | tcp_nopush on; | 119 | return 404 "not found"; |
23 | server_tokens off; | 120 | } |
121 | } | ||
24 | 122 | ||
25 | keepalive_timeout 128; | 123 | |
124 | server { | ||
125 | listen *:443 ssl http2 default_server; | ||
126 | listen [::]:443 ssl http2 default_server; | ||
26 | 127 | ||
27 | # Try to avoid buffering requests to disk | 128 | access_log /logs/default_https_vhost.log combined_host; |
28 | # This is about 4MB | ||
29 | client_body_buffer_size 4000k; | ||
30 | 129 | ||
31 | # Try to avoid buffering backend responses to disk | 130 | include includes/hardened_headers.conf; |
32 | # This is about 4MB | 131 | include includes/default_csp.conf; |
33 | proxy_buffers 1000 4k; | ||
34 | 132 | ||
35 | gzip on; | 133 | ssl_protocols TLSv1.2 TLSv1.3; |
36 | gzip_proxied any; | 134 | add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always; |
37 | gzip_disable "msie6"; | 135 | ssl_certificate {{ getSSLCert }}; |
38 | gzip_types application/javascript application/rss+xml application/x-javascript application/xhtml+xml application/xml image/svg+xml image/x-icon text/css text/javascript text/plain text/xml; | 136 | ssl_certificate_key {{ getSSLKey }}; |
39 | 137 | ||
40 | ssl_session_cache shared:SSL:10m; | 138 | location / { |
41 | ssl_session_timeout 10m; | 139 | default_type text/plain; |
42 | ssl_dhparam /srv/nginx-conf/ssl/dhparam.pem; | 140 | return 404 "not found"; |
141 | } | ||
142 | } | ||
143 | |||
43 | 144 | ||
44 | include conf.d/*.conf; | 145 | include sites-enabled/*; |
45 | include sites-enabled/*; | ||
46 | } | 146 | } |
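Review bot: The multi-line `ssl_ciphers` at new lines 66-73 will not load: nginx does not merge adjacent quoted strings (`log_format` concatenates its format arguments as a special case, `ssl_ciphers` takes exactly one argument), so the seven separate tokens make `nginx -t` fail with an invalid-number-of-arguments error; the same block appears at lines 66-73 of the new nginx.conf.tpl. Collapse it back to the single string the deleted includes/hardened_ssl.conf had, `ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!aNULL';`. New lines 135-136 also put Go-template calls (`ssl_certificate {{ getSSLCert }};`, `ssl_certificate_key {{ getSSLKey }};`) into nginx.conf itself, which nginx cannot parse if this file is loaded directly, while the template added in this same commit renders that block through `{{ renderHardenedSSLSlice .DefaultSSLVhost }}` — the two files have already diverged, and if nginx.conf is rendered output it should probably not be committed beside its template. Finally, `ssl_protocols TLSv1.2 TLSv1.3;` (new line 133) now lives only inside the 443 default_server block, whereas the deleted hardened_ssl.conf supplied it to every vhost that included it; any vhost under sites-enabled/* (not visible here) that no longer receives it falls back to the build's compiled-in default, which before nginx 1.23.4 still enables TLSv1 and TLSv1.1. Moving `ssl_protocols TLSv1.2 TLSv1.3;` up beside `ssl_prefer_server_ciphers on;` at http level restores the previous coverage for all vhosts.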
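--- /dev/null
+++ b/nginx-common/conf/nginx.conf.tpl
@@ -0,0 +1,130 @@
+# vim:ft=nginx
+
+user nginx;
+worker_processes 1;
+
+error_log /dev/stdout warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include mime.types;
+
+    default_type application/octet-stream;
+
+    log_format combined_host '$host $remote_addr - $remote_user [$time_local] '
+                            '"$request" $status $body_bytes_sent '
+                            '"$http_referer" "$http_user_agent"';
+
+    access_log /logs/default_server.log combined_host;
+
+    sendfile on;
+    tcp_nopush on;
+    server_tokens off;
+
+    keepalive_timeout 128;
+
+    # Try to avoid buffering requests to disk This is about 4MB
+    client_body_buffer_size 4000k;
+
+    # Try to avoid buffering backend responses to disk This is about 4MB
+    proxy_buffers 1000 4k;
+
+    gzip on;
+    gzip_proxied any;
+    gzip_disable "msie6";
+    gzip_types
+        application/javascript
+        application/rss+xml
+        application/x-javascript
+        application/xhtml+xml
+        application/xml
+        image/svg+xml
+        image/x-icon
+        text/css
+        text/javascript
+        text/plain
+        text/xml;
+
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_dhparam /srv/nginx-conf/ssl/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    #ssl_ecdh_curve secp521r1:secp384r1:X25519;
+
+    # These are possibly vulnerable to the ROBOT attack
+    # (https://robotattack.org) but are also important for backwards
+    # compatability for a few older, but still frequently used, Android
+    # variants. The use of ECDHE in these algorithms may mitigate the
+    # vulnerability but the conservative approach would be to disable them.
+    #
+    # !ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:
+    #
+    ssl_ciphers
+        'ECDHE-ECDSA-CHACHA20-POLY1305:'
+        'ECDHE-RSA-CHACHA20-POLY1305:'
+        'AES256+EECDH:'
+        'AES256+EDH:'
+        '!DHE-RSA-AES256-SHA256:'
+        '!DHE-RSA-AES256-SHA:'
+        '!aNULL';
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 8.8.4.4 8.8.8.8 valid=300s;
+    resolver_timeout 5s;
+
+    {{ if .HTTPRedirects }}
+    map $http_host $can_redirect {
+        hostnames;
+
+        default 0;
+
+        {{ range $_, $h := .HTTPRedirects -}}
+        {{ . }} 1;
+        {{ end -}}
+    }
+    {{ end }}
+
+    server {
+        listen *:80 default_server;
+        listen [::]:80 default_server;
+
+        access_log /logs/default_http_vhost.log combined_host;
+
+        location / {
+            {{ if .HTTPRedirects -}}
+            if ($can_redirect) {
+                rewrite (.*) https://$http_host$1 permanent;
+            }
+            {{- end }}
+
+            default_type text/plain;
+            return 404 "not found";
+        }
+    }
+
+    {{ if .DefaultSSLVhost }}
+    server {
+        listen *:443 ssl http2 default_server;
+        listen [::]:443 ssl http2 default_server;
+
+        access_log /logs/default_https_vhost.log combined_host;
+
+        include includes/hardened_headers.conf;
+        include includes/default_csp.conf;
+
+        {{ renderHardenedSSLSlice .DefaultSSLVhost }}
+
+        location / {
+            default_type text/plain;
+            return 404 "not found";
+        }
+    }
+    {{ end }}
+
+    include sites-enabled/*;
+}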
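Review bot: The http block of the new template sets `ssl_ciphers`, `ssl_prefer_server_ciphers` and OCSP stapling (lines 52-78) but never `ssl_protocols`, and the only per-vhost TLS setup is `{{ renderHardenedSSLSlice .DefaultSSLVhost }}` (line 120), whose output is not visible here; unless that helper emits `ssl_protocols`, every vhost under sites-enabled/* inherits nginx's compiled-in default, which before 1.23.4 still enables TLSv1 and TLSv1.1. Adding `ssl_protocols TLSv1.2 TLSv1.3;` right after `ssl_prefer_server_ciphers on;` at http level makes the floor explicit regardless of what the helper renders. On style, the range at line 86 binds `$h` but the body uses `{{ . }}`; either `{{ range .HTTPRedirects -}}` or `{{ $h }} 1;` avoids the unused variable. The hostnames are also written unquoted into the map, so a value containing whitespace or `;` would be parsed as a directive rather than a key; validating them in the renderer (or emitting `"{{ . }}" 1;`) deserves at least a comment. The comments at lines 30 and 33 lost their sentence break when the two original lines were joined (`... to disk This is about 4MB`).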