# Per-domain nginx vhost template (Jinja2). It renders three server blocks:
#   1. plain HTTP on :80 — ACME challenge, diagnosis path, optional mail
#      autoconfig, and (by default) a 301 to HTTPS for everything else;
#   2. HTTPS on :443 for {{ domain }} — SSOwat access gate, app snippets,
#      SSO/admin/API includes;
#   3. optional HTTPS vhost for xmpp-upload.{{ domain }} (only when
#      xmpp_enabled == "True").

# $connection_upgrade is not referenced in this file; presumably consumed by
# the included proxy snippets (proxy_params / app confs) for WebSocket
# upgrades — verify against those includes.
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 80;
    listen [::]:80;
    # The xmpp-upload/muc hostnames are answered here only so that they get
    # the same HTTPS redirect (and ACME challenge) as the main domain.
    server_name {{ domain }}{% if xmpp_enabled == "True" %} xmpp-upload.{{ domain }} muc.{{ domain }}{% endif %};

    # SSOwat access gate; it runs in the access phase for the locations of
    # this vhost unless a location overrides it.
    access_by_lua_file /usr/share/ssowat/access.lua;

    # Paths that must stay reachable over plain HTTP (no redirect):
    # ACME HTTP-01 validation and the YunoHost diagnosis probe.
    include /etc/nginx/conf.d/acme-challenge.conf.inc;
    location ^~ '/.well-known/ynh-diagnosis/' {
        alias /var/www/.well-known/ynh-diagnosis/;
    }

    {% if mail_enabled == "True" %}
    # Mail client autoconfiguration (Thunderbird-style) served over HTTP too.
    location ^~ '/.well-known/autoconfig/mail/' {
        alias /var/www/.well-known/{{ domain }}/autoconfig/mail/;
    }
    {% endif %}

    {# Note that this != "False" is meant to be failure-safe, in the case the
       redirect_to_https would happen to contain an empty string or whatever value.
       We absolutely don't want to disable the HTTPS redirect *except* when it's
       explicitly being asked to be disabled. #}
    {% if redirect_to_https != "False" %}
    # $host is taken from the request, but only the scheme changes here, so
    # the client is sent back to the host it asked for, now over TLS.
    location / {
        return 301 https://$host$request_uri;
    }
    {# The app config snippets are not included in the HTTP conf unless HTTPS
       redirect is disabled, because app's location may blocks will conflict
       or bypass/ignore the HTTPS redirection. #}
    {% else %}
    include /etc/nginx/conf.d/{{ domain }}.d/*.conf;
    {% endif %}

    include /etc/nginx/conf.d/yunohost_http_errors.conf.inc;

    access_log /var/log/nginx/{{ domain }}-access.log;
    error_log /var/log/nginx/{{ domain }}-error.log;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name {{ domain }};

    # Shared TLS / hardening settings (ciphers, headers, ...) live in the
    # include; per-domain certificate paths follow.
    include /etc/nginx/conf.d/security.conf.inc;
    ssl_certificate /etc/yunohost/certs/{{ domain }}/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/{{ domain }}/key.pem;

    {% if domain_cert_ca != "selfsigned" %}
    # HSTS is withheld for self-signed certs, otherwise a later switch to a
    # real CA could lock browsers out. Note "includeSubDomains; preload":
    # once a domain is on the preload list, every subdomain must be served
    # over HTTPS, and the entry is hard to revert (max-age is 2 years).
    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
    {% endif %}

    {% if domain_cert_ca == "letsencrypt" %}
    # OCSP settings
    # Stapling needs a resolver to fetch the OCSP response; these are public
    # resolvers queried over plain DNS, so OCSP lookups leave the host.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/yunohost/certs/{{ domain }}/crt.pem;
    resolver 1.1.1.1 9.9.9.9 valid=300s;
    resolver_timeout 5s;
    {% endif %}

    {% if mail_enabled == "True" %}
    location ^~ '/.well-known/autoconfig/mail/' {
        alias /var/www/.well-known/{{ domain }}/autoconfig/mail/;
    }
    {% endif %}

    # SSOwat gate in front of the app snippets and the SSO/admin/API includes
    # (inherited by their locations unless one sets its own access handler).
    access_by_lua_file /usr/share/ssowat/access.lua;

    include /etc/nginx/conf.d/{{ domain }}.d/*.conf;
    include /etc/nginx/conf.d/yunohost_sso.conf.inc;
    include /etc/nginx/conf.d/yunohost_admin.conf.inc;
    include /etc/nginx/conf.d/yunohost_api.conf.inc;
    include /etc/nginx/conf.d/yunohost_http_errors.conf.inc;

    access_log /var/log/nginx/{{ domain }}-access.log;
    error_log /var/log/nginx/{{ domain }}-error.log;
}

{% if xmpp_enabled == "True" %}
# vhost dedicated to XMPP http_upload
# No access_by_lua_file here: this vhost is not behind the SSOwat gate,
# presumably because upload authorization is handled by the XMPP server
# itself — confirm against the metronome http_upload setup.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name xmpp-upload.{{ domain }};

    # Nothing outside /upload/ has a document root to serve from.
    root /dev/null;

    location /upload/ {
        # GET/HEAD are served straight from disk through this alias.
        alias /var/xmpp-upload/{{ domain }}/upload/;

        # Pass all requests to metronome, except for GET and HEAD requests.
        limit_except GET HEAD {
            proxy_pass http://localhost:5290;
        }
        include proxy_params;

        # CORS for browser XMPP clients. Note: browsers do not honor
        # Access-Control-Allow-Credentials when the allowed origin is the
        # wildcard '*', so the credentials header below is effectively inert.
        # Also, add_header at location level replaces (does not extend) any
        # add_header set at server level — whether the headers from
        # security.conf.inc still apply inside /upload/ depends on how that
        # include sets them; verify.
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'HEAD, GET, PUT, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Authorization';
        add_header 'Access-Control-Allow-Credentials' 'true';

        client_max_body_size 105M; # Choose a value a bit higher than the max upload configured in XMPP server
    }

    # Same TLS settings as the main vhost; the certificate for {{ domain }}
    # is reused, so it is expected to also cover xmpp-upload.{{ domain }}.
    include /etc/nginx/conf.d/security.conf.inc;
    ssl_certificate /etc/yunohost/certs/{{ domain }}/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/{{ domain }}/key.pem;

    {% if domain_cert_ca != "selfsigned" %}
    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
    {% endif %}

    {% if domain_cert_ca == "letsencrypt" %}
    # OCSP settings
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/yunohost/certs/{{ domain }}/crt.pem;
    resolver 1.1.1.1 9.9.9.9 valid=300s;
    resolver_timeout 5s;
    {% endif %}

    access_log /var/log/nginx/xmpp-upload.{{ domain }}-access.log;
    error_log /var/log/nginx/xmpp-upload.{{ domain }}-error.log;
}
{% endif %}