mirror of
https://github.com/YunoHost/yunohost.git
synced 2024-09-03 20:06:10 +02:00
80 lines
2.6 KiB
Text
80 lines
2.6 KiB
Text
map $http_upgrade $connection_upgrade {
|
|
default upgrade;
|
|
'' close;
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name {{ domain }};
|
|
|
|
access_by_lua_file /usr/share/ssowat/access.lua;
|
|
|
|
include /etc/nginx/conf.d/acme-challenge.conf.inc;
|
|
|
|
location ^~ '/.well-known/ynh-diagnosis/' {
|
|
alias /var/www/.well-known/ynh-diagnosis/;
|
|
}
|
|
|
|
{% if mail_enabled == "True" %}
|
|
location ^~ '/.well-known/autoconfig/mail/' {
|
|
alias /var/www/.well-known/{{ domain }}/autoconfig/mail/;
|
|
}
|
|
{% endif %}
|
|
|
|
{# Note that this != "False" is meant to be failure-safe, in the case the redrect_to_https would happen to contain empty string or whatever value. We absolutely don't want to disable the HTTPS redirect *except* when it's explicitly being asked to be disabled. #}
|
|
{% if redirect_to_https != "False" %}
|
|
location / {
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
{# The app config snippets are not included in the HTTP conf unless HTTPS redirect is disabled, because app's location may blocks will conflict or bypass/ignore the HTTPS redirection. #}
|
|
{% else %}
|
|
include /etc/nginx/conf.d/{{ domain }}.d/*.conf;
|
|
{% endif %}
|
|
|
|
include /etc/nginx/conf.d/yunohost_http_errors.conf.inc;
|
|
|
|
access_log /var/log/nginx/{{ domain }}-access.log;
|
|
error_log /var/log/nginx/{{ domain }}-error.log;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name {{ domain }};
|
|
|
|
include /etc/nginx/conf.d/security.conf.inc;
|
|
|
|
ssl_certificate /etc/yunohost/certs/{{ domain }}/crt.pem;
|
|
ssl_certificate_key /etc/yunohost/certs/{{ domain }}/key.pem;
|
|
|
|
{% if domain_cert_ca != "selfsigned" %}
|
|
more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
|
|
{% endif %}
|
|
{% if domain_cert_ca == "letsencrypt" %}
|
|
# OCSP settings
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
ssl_trusted_certificate /etc/yunohost/certs/{{ domain }}/crt.pem;
|
|
resolver 1.1.1.1 9.9.9.9 valid=300s;
|
|
resolver_timeout 5s;
|
|
{% endif %}
|
|
|
|
{% if mail_enabled == "True" %}
|
|
location ^~ '/.well-known/autoconfig/mail/' {
|
|
alias /var/www/.well-known/{{ domain }}/autoconfig/mail/;
|
|
}
|
|
{% endif %}
|
|
|
|
access_by_lua_file /usr/share/ssowat/access.lua;
|
|
|
|
include /etc/nginx/conf.d/{{ domain }}.d/*.conf;
|
|
|
|
include /etc/nginx/conf.d/yunohost_sso.conf.inc;
|
|
include /etc/nginx/conf.d/yunohost_admin.conf.inc;
|
|
include /etc/nginx/conf.d/yunohost_api.conf.inc;
|
|
include /etc/nginx/conf.d/yunohost_http_errors.conf.inc;
|
|
|
|
access_log /var/log/nginx/{{ domain }}-access.log;
|
|
error_log /var/log/nginx/{{ domain }}-error.log;
|
|
}
|