infra/roles/mirrors/templates/01-mirrors.conf.j2

server {
    listen 443 ssl http2;
    {% if inventory_hostname in wg_clients -%}
    listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
    {% endif -%}

    #listen   [::]:443 ssl; # listen for ipv6

    include listen-proxy-protocol.conf;
    server_name {{ mirrors_url }};

    root {{ mirrors_path }};

    location / {
        index index.html index.htm;
    }


    location ~ ^(.*)/$ {
        autoindex on;
        autoindex_exact_size off;
    }

    location ~* ^.+\.(whois|log|grep|pub)$ {
        add_header Content-Type text/plain;
    }

    access_log /var/log/nginx/access_{{ mirrors_url }}.log main;
    error_log /var/log/nginx/error_{{ mirrors_url }}.log;

    ssl_session_timeout 5m;

    ssl_certificate /usr/local/etc/certs/{{ mirrors_url }}/fullchain.pem;
    ssl_certificate_key /usr/local/etc/certs/{{ mirrors_url }}/privkey.pem;

    add_header Referrer-Policy "no-referrer" always;
    #add_header Content-Security-Policy "default-src 'self' {{ mirrors_url }}; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'";
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    add_header X-Permitted-Cross-Domain-Policies "none" always;
    # add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;
}