-
Notifications
You must be signed in to change notification settings - Fork 25
/
template.conf
151 lines (129 loc) · 5.61 KB
/
template.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
{# Let folks know this wasn't a manual configuration #}
# This configuration file was generated with mechanic.
{% macro httpsSettings(settings, site) %}
ssl_protocols TLSv1.2 TLSv1.3;
ssl_certificate {{ settings.conf }}/../certs/{{ site.shortname }}.cer;
ssl_certificate_key {{ settings.conf }}/../certs/{{ site.shortname }}.key;
ssl_prefer_server_ciphers on;
{% endmacro %}
{% macro server(site, settings, options) %}
include "{{ settings.overrides }}/{{ site.shortname }}/top";
server {
gzip on;
gzip_types text/css text/javascript image/svg+xml
application/vnd.ms-fontobject application/x-font-ttf
application/x-javascript application/javascript;
listen {{ settings.bind }}:{{ options.port }}{% if options.https %} ssl {% if settings.http2 %}http2{% endif %}{% endif %}{% if site.default and not site.canonical %} default_server{% endif %};
server_name {{ site.host }}{% if site.aliases and (not site.canonical) %} {{ site.aliases | join(" ") }}{% endif %};
{% if options.https %}
{{ httpsSettings(settings, site) }}
{% endif %}
client_max_body_size 32M;
access_log {{ settings.logs }}/{{ site.shortname }}.access.log;
error_log {{ settings.logs }}/{{ site.shortname }}.error.log;
{% if site.https and site['redirect-to-https'] and not options.https %}
location / {
rewrite ^(.*)$ https://{{ site.host }}$1{% if site.permanent %} permanent{% endif %};
}
{% elif site['redirect'] %}
location / {
rewrite ^(.*)$ {{ site['redirect'] }}{% if site.permanent %} permanent{% endif %};
}
{% elif site['redirect-full'] %}
location / {
rewrite ^(.*)$ {{ site['redirect-full'] }}$1{% if site.permanent %} permanent{% endif %};
}
{% else %}
include "{{ settings.overrides }}/{{ site.shortname }}/server";
{# We need a named location block in order to use try_files. #}
{% set defaultBackendGroup = site.backendGroups[0] %}
{% set proxyRoot = defaultBackendGroup and (defaultBackendGroup.path == '/') %}
{% if proxyRoot %}
location @proxy-{{ site.shortname }}-{{ options.port }} {
{% if site['https-upstream'] %}
proxy_pass https://upstream-{{ site.shortname }}-1;
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
{% else %}
proxy_pass http://upstream-{{ site.shortname }}-1;
{% endif %}
{% if site['websockets'] or site['websocket'] %}
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
{% endif %}
proxy_next_upstream error timeout invalid_header http_500 http_502
http_503 http_504;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
include "{{ settings.overrides }}/{{ site.shortname }}/proxy";
}
{% endif %}
location / {
{%- if site.static %}root {{ site.static }};{% endif %}
{% if site.autoindex %}
autoindex on;
{% if proxyRoot %}
try_files $uri $uri/ @proxy-{{ site.shortname }}-{{ options.port }};
{% endif %}
{% else %}
{% if proxyRoot %}
try_files $uri @proxy-{{ site.shortname }}-{{ options.port }};
{% endif %}
{% endif %}
expires 7d;
include "{{ settings.overrides }}/{{ site.shortname }}/location";
}
{% for backendGroup in site.backendGroups %}
{% if backendGroup.path != '/' %}
location {{ backendGroup.path }} {
{% if site['https-upstream'] %}
proxy_pass https://upstream-{{ site.shortname }}-{{ loop.index }};
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
{% else %}
proxy_pass http://upstream-{{ site.shortname }}-{{ loop.index }};
{% endif %}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
{% endif %}
{% endfor %}
{% endif %}
}
{% if site.default or (site.canonical and site.aliases) %}
server {
listen {{ settings.bind }}:{{ options.port }}{% if site.default and site.canonical %} default_server{% endif %}{% if options.https %} ssl {% if settings.http2 %}http2{% endif %}{% endif %};
server_name _{{ site.shortname }}_{{ options.port }}{% if site.aliases %} {{ site.aliases | join(' ') }}{% endif %};
# canonicalize
{% if options.https %}
{{ httpsSettings(settings, site) }}
{% endif %}
location / {
rewrite ^(.*)$ {% if options.https or (site.https and site['redirect-to-https']) %}https:{% else %}http:{% endif %}//{{ site.host }}$1{% if site.permanent %} permanent{% endif %} ;
}
}
{% endif %}
{% endmacro %}
{% macro renderSite(site, settings) %}
{% for backendGroup in site.backendGroups %}
upstream upstream-{{ site.shortname }}-{{ loop.index }} {
{% for backend in backendGroup.backends -%}
server {{ backend }};
{%- endfor %}
}
{% endfor %}
{{ server(site, settings, { port: 80 }) }}
{% if (site.https) %}
{{ server(site, settings, { port: 443, https: true }) }}
{% endif %}
{% endmacro %}
{% for site in sites %}
{{ renderSite(site, settings) }}
{% endfor %}