ben
/
infra
1
1
Fork 2
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
infra/roles/nginx-websites/templates/nginx-static-vhost.j2

132 lines
3.7 KiB
Django/Jinja
Raw Permalink Blame History

server {
listen 80;
server_name {{ item.name }} {{ item.aliases | default([]) | join (" ") }};
return 301 https://$host$request_uri;
}
server {
{% if item.interface is defined %}
listen {{ item.interface }}:443 ssl http2;
{% else %}
listen 443 ssl http2;
# listen [::]:443 ssl; # listen for ipv6
{% endif %}
server_name {{ item.name }} {{ item.aliases | default([]) |join (" ") }};
charset utf-8;
{% if 'root_dir' in item -%}
root {{ item.root_dir }};
{% else -%}
root /var/www/{{ item.name }};
{% endif -%}
{% if item.require_auth | default(False) -%}
include /etc/nginx/authelia_internal.conf;
include /etc/nginx/require_auth.conf;
{% endif %}
location / {
index index.html index.htm;
}
{% if item.name == archives_url|default(False) -%}
location ~ "^/([0-9]{14}[a-z]{0,2}_?)/" {
autoindex on;
autoindex_exact_size off;
root {{ archives_pub }}/web.archive.org/web;
}
{% endif -%}
location ~ ^(.*)/$ {
autoindex {{ item.autoindex|default('on') }};
autoindex_exact_size off;
{% if item.custom_autoindex|default(True) %}
add_before_body /.shared/header.html;
add_after_body /.shared/footer.html;
{% endif %}
{% if item.fancyindex|default(false) %}
fancyindex on;
{% endif %}
}
{# a .php file here is probably actually a html file, since this -#}
{# vhost should only by servering static content -#}
{# actual php would be proxied to fpm or apache or something -#}
{% if item.name == archives_url -%}
location ~* ^.+\.php$ {
default_type text/html;
}
{% endif -%}
location ~* ^.+\.(whois|log|grep|pub)$ {
add_header Content-Type text/plain;
}
location ~* ^.+\.json$ {
add_header Content-Type application/json;
}
{% if item.name == www_domain or item.name == domain %}
# we are handling the top-level {{ domain }}
location = /.well-known/matrix/server {
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '{"m.server": "{{ matrix_url }}:443"}';
}
location = /.well-known/matrix/client {
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '{"m.homeserver":{"base_url":"https://{{ matrix_url }}"}}';
}
# sometimes clients misbehave and contact the top level domain when they
# shouldnt so we point them to {{ matrix_url }} instead
location ~* "^/_matrix.*" {
return 301 https://{{ matrix_url }}$request_uri;
}
location = /.well-known/carddav {
return 301 https://{{ nextcloud_url }}/remote.php/dav;
}
location = /.well-known/caldav {
return 301 https://{{ nextcloud_url }}/remote.php/dav;
}
{% endif %}
{% if item.force_download | default(false) %}
add_header Content-disposition "attachment; filename=$1";
{% endif %}
access_log /var/log/nginx/access_{{ item.name }}.log main;
error_log /var/log/nginx/error_{{ item.name }}.log warn;
ssl_session_timeout 5m;
# using wildcard for our domain, but cloudflare doesnt care
{% set domain = '.'.join(item.name.split('.')[-2:]) %}
ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
add_header Referrer-Policy "no-referrer" always;
#add_header Content-Security-Policy "default-src 'self' sudo.is *.sudo.is; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'";
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
}
View Git Blame Copy Permalink