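# nginx vhost configuration for __DOMAIN__ (the __DOMAIN__ / __DOMAINREGEX__
# tokens are placeholders substituted when the file is installed).
#
# Layout:
#   1. plain-HTTP entry point for __DOMAIN__ and xmpp-upload.__DOMAIN__
#   2. HTTPS vhost dedicated to XMPP http_upload
#   3. HTTPS vhost for __DOMAIN__ itself (proxied to localhost:8899)
#   4. HTTPS vhost for <alias>.__DOMAIN__ subdomains (proxied to /alias/<alias>)
#   5. a Certbot-generated HTTP->HTTPS redirect block (see note on it below)
#
# Fix applied in this revision: the subdomain server_name regex in block 4 read
# "(?\w+)", which is not a valid capture group (PCRE rejects it, so nginx would
# refuse the configuration) and therefore never defined the $alias variable that
# the /alias/ proxy_pass relies on. It is now the named capture "(?<alias>\w+)".

# WebSocket support: when a client sends "Upgrade: <proto>", the proxied
# "Connection" header must be "upgrade"; for ordinary requests it is "close".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# 1. Plain HTTP entry point.
server {
    listen 80;
    listen [::]:80;
    server_name __DOMAIN__ xmpp-upload.__DOMAIN__;

    # SSOwat gates every request on this vhost (server-level access phase).
    access_by_lua_file /usr/share/ssowat/access.lua;
    include /etc/nginx/conf.d/acme-challenge.conf.inc;

    location /yunohost {
        # $http_host is the client-supplied Host header. This only redirects the
        # client back to the host it asked for, so it is not an open redirect as
        # long as nginx routed here by server_name; NOTE(review): if this block
        # is also the default server for port 80, any Host value reaches it —
        # confirm against the rest of the nginx configuration.
        return 301 https://$http_host$request_uri;
    }

    location ^~ '/.well-known/ynh-diagnosis/' {
        alias /tmp/.well-known/ynh-diagnosis/;
    }

    location ^~ '/.well-known/autoconfig/mail/' {
        alias /var/www/.well-known/__DOMAIN__/autoconfig/mail/;
    }

    access_log /var/log/nginx/__DOMAIN__-access.log;
    error_log /var/log/nginx/__DOMAIN__-error.log;
}

# 2. vhost dedicated to XMPP http_upload
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name xmpp-upload.__DOMAIN__;

    # Nothing is served outside /upload/.
    root /dev/null;

    location /upload/ {
        # GET/HEAD are served straight from disk ...
        alias /var/xmpp-upload/__DOMAIN__/upload/;

        # ... and every other method goes to metronome.
        # Pass all requests to metronome, except for GET and HEAD requests.
        limit_except GET HEAD {
            proxy_pass http://localhost:5290;
        }
        include proxy_params;

        # CORS headers. NOTE(review): per the CORS spec, browsers reject a
        # credentialed response whose Allow-Origin is the wildcard "*", so the
        # "Allow-Credentials: true" line is ineffective as written; also,
        # add_header without "always" is only attached to 2xx/3xx responses.
        # Kept unchanged because existing XMPP clients may depend on the
        # current header set — verify before tightening.
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'HEAD, GET, PUT, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Authorization';
        add_header 'Access-Control-Allow-Credentials' 'true';

        client_max_body_size 105M; # Choose a value a bit higher than the max upload configured in XMPP server
    }

    include /etc/nginx/conf.d/security.conf.inc;

    ssl_certificate /etc/yunohost/certs/__DOMAIN__/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/__DOMAIN__/key.pem;

    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";

    # OCSP settings
    ssl_stapling on;
    ssl_stapling_verify on;
    # NOTE(review): stapling verification needs the issuer chain; this assumes
    # crt.pem is a full chain, not just the leaf — confirm with the cert tooling.
    ssl_trusted_certificate /etc/yunohost/certs/__DOMAIN__/crt.pem;
    resolver 127.0.0.1 127.0.1.1 valid=300s;
    resolver_timeout 5s;

    access_log /var/log/nginx/xmpp-upload.__DOMAIN__-access.log;
    error_log /var/log/nginx/xmpp-upload.__DOMAIN__-error.log;
}

# 3. base ssl path
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name __DOMAIN__;

    include /etc/nginx/conf.d/security.conf.inc;

    ssl_certificate /etc/yunohost/certs/__DOMAIN__/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/__DOMAIN__/key.pem;

    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";

    # OCSP settings
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/yunohost/certs/__DOMAIN__/crt.pem;
    resolver 127.0.0.1 127.0.1.1 valid=300s;
    resolver_timeout 5s;

    location / {
        proxy_pass http://localhost:8899;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        # NOTE(review): X-Forwarded-For conventionally carries only addresses
        # (one per hop, e.g. $proxy_add_x_forwarded_for). Appending ":$remote_port"
        # is non-standard and is ambiguous for IPv6 clients, so a backend that
        # parses this as an address list may misread it. Left as-is because the
        # service on :8899 may expect this exact form — confirm before changing.
        proxy_set_header X-Forwarded-For $remote_addr:$remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;

        # for websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    location ^~ '/.well-known/autoconfig/mail/' {
        alias /var/www/.well-known/__DOMAIN__/autoconfig/mail/;
    }

    access_by_lua_file /usr/share/ssowat/access.lua;
    include /etc/nginx/conf.d/yunohost_sso.conf.inc;
    include /etc/nginx/conf.d/yunohost_admin.conf.inc;
    include /etc/nginx/conf.d/yunohost_api.conf.inc;

    access_log /var/log/nginx/__DOMAIN__-access.log;
    error_log /var/log/nginx/__DOMAIN__-error.log;
}

# 4. alias ssl paths
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # The named capture "alias" holds the first subdomain label; it is the only
    # source of the $alias variable used in "location = /" below.
    server_name "~^(?<alias>\w+)\.__DOMAINREGEX__$";

    include /etc/nginx/conf.d/security.conf.inc;

    ssl_certificate /etc/yunohost/certs/__DOMAIN__/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/__DOMAIN__/key.pem;

    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";

    # OCSP settings
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/yunohost/certs/__DOMAIN__/crt.pem;
    resolver 127.0.0.1 127.0.1.1 valid=300s;
    resolver_timeout 5s;

    location = / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        # NOTE(review): same non-standard "addr:port" X-Forwarded-For form as in
        # the base vhost — see the note there.
        proxy_set_header X-Forwarded-For $remote_addr:$remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;

        # "rewrite" requests with subdomains to the non-wildcard url for alias resolving
        # $is_args$args pass on ?encoding=json if present
        proxy_pass http://localhost:8899/alias/$alias$is_args$args;
    }

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $remote_addr:$remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8899;
    }

    access_by_lua_file /usr/share/ssowat/access.lua;
    #include /etc/nginx/conf.d/yunohost_sso.conf.inc;
    #include /etc/nginx/conf.d/yunohost_admin.conf.inc;
    #include /etc/nginx/conf.d/yunohost_api.conf.inc;

    access_log /var/log/nginx/__DOMAIN__-access.log;
    error_log /var/log/nginx/__DOMAIN__-error.log;
}

# 5. redirect http to https
# NOTE(review): this block claims server_name __DOMAIN__ on port 80, which
# block 1 above already claims. nginx warns "conflicting server name ...
# ignored" and keeps the first definition, so neither the redirect nor the
# "return 404" here is reachable. It is left in place only because it is
# Certbot-managed; the reachable HTTPS redirect is the /yunohost location in
# block 1 plus whatever SSOwat does.
server {
    # The regex is anchored only at the end and "." inside __DOMAIN__ is an
    # unescaped metacharacter, so any Host ending in the domain text matches,
    # not just the domain itself. Harmless here because the block is unreachable
    # (see above), but do not copy this pattern elsewhere.
    if ($host ~ __DOMAIN__$ ) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name __DOMAIN__;
    return 404; # managed by Certbot
}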