Skip to content

Commit e57eecc

Browse files
evertramosevertramos
committed
Last version tested of nginx.tmpl
1 parent 85cf7aa commit e57eecc

File tree

1 file changed

+56
-13
lines changed

1 file changed

+56
-13
lines changed

nginx.tmpl

+56-13
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,9 @@ map $http_upgrade $proxy_connection {
4242
server_names_hash_bucket_size 128;
4343

4444
# Default dhparam
45+
{{ if (exists "/etc/nginx/dhparam/dhparam.pem") }}
4546
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
47+
{{ end }}
4648

4749
# Set appropriate X-Forwarded-Ssl header
4850
map $scheme $proxy_x_forwarded_ssl {
@@ -58,6 +60,10 @@ log_format vhost '$host $remote_addr - $remote_user [$time_local] '
5860

5961
access_log off;
6062

63+
{{ if $.Env.RESOLVERS }}
64+
resolver {{ $.Env.RESOLVERS }};
65+
{{ end }}
66+
6167
{{ if (exists "/etc/nginx/proxy.conf") }}
6268
include /etc/nginx/proxy.conf;
6369
{{ else }}
@@ -118,7 +124,7 @@ upstream {{ $upstream_name }} {
118124

119125
{{ range $knownNetwork := $CurrentContainer.Networks }}
120126
{{ range $containerNetwork := $container.Networks }}
121-
{{ if or (eq $knownNetwork.Name $containerNetwork.Name) (eq $knownNetwork.Name "host") }}
127+
{{ if (and (ne $containerNetwork.Name "ingress") (or (eq $knownNetwork.Name $containerNetwork.Name) (eq $knownNetwork.Name "host"))) }}
122128
## Can be connect with "{{ $containerNetwork.Name }}" network
123129

124130
{{/* If only 1 port exposed, use that */}}
@@ -143,9 +149,22 @@ upstream {{ $upstream_name }} {
143149
{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}}
144150
{{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
145151

152+
{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
153+
{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
154+
155+
{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
156+
{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
157+
146158
{{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}}
147159
{{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }}
148160

161+
{{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}}
162+
{{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }}
163+
164+
{{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
165+
{{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
166+
167+
149168
{{/* Get the first cert name defined by containers w/ the same vhost */}}
150169
{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
151170

@@ -183,6 +202,11 @@ server {
183202
{{ end }}
184203
access_log /var/log/nginx/access.log vhost;
185204

205+
{{ if eq $network_tag "internal" }}
206+
# Only allow traffic from internal clients
207+
include /etc/nginx/network_internal.conf;
208+
{{ end }}
209+
186210
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
187211
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
188212

@@ -198,8 +222,14 @@ server {
198222
ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
199223
{{ end }}
200224

201-
{{ if (ne $https_method "noredirect") }}
202-
add_header Strict-Transport-Security "max-age=31536000";
225+
{{ if (exists (printf "/etc/nginx/certs/%s.chain.crt" $cert)) }}
226+
ssl_stapling on;
227+
ssl_stapling_verify on;
228+
ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.crt" $cert }};
229+
{{ end }}
230+
231+
{{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }}
232+
add_header Strict-Transport-Security "{{ trim $hsts }}";
203233
{{ end }}
204234

205235
{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
@@ -212,6 +242,10 @@ server {
212242
{{ if eq $proto "uwsgi" }}
213243
include uwsgi_params;
214244
uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
245+
{{ else if eq $proto "fastcgi" }}
246+
root {{ trim $vhost_root }};
247+
include fastcgi.conf;
248+
fastcgi_pass {{ trim $upstream_name }};
215249
{{ else }}
216250
proxy_pass {{ trim $proto }}://{{ trim $upstream_name }};
217251
{{ end }}
@@ -220,11 +254,11 @@ server {
220254
auth_basic "Restricted {{ $host }}";
221255
auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }};
222256
{{ end }}
223-
{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
224-
include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
225-
{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
226-
include /etc/nginx/vhost.d/default_location;
227-
{{ end }}
257+
{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
258+
include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
259+
{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
260+
include /etc/nginx/vhost.d/default_location;
261+
{{ end }}
228262
}
229263
}
230264

@@ -240,6 +274,11 @@ server {
240274
{{ end }}
241275
access_log /var/log/nginx/access.log vhost;
242276

277+
{{ if eq $network_tag "internal" }}
278+
# Only allow traffic from internal clients
279+
include /etc/nginx/network_internal.conf;
280+
{{ end }}
281+
243282
{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
244283
include {{ printf "/etc/nginx/vhost.d/%s" $host }};
245284
{{ else if (exists "/etc/nginx/vhost.d/default") }}
@@ -250,18 +289,22 @@ server {
250289
{{ if eq $proto "uwsgi" }}
251290
include uwsgi_params;
252291
uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
292+
{{ else if eq $proto "fastcgi" }}
293+
root {{ trim $vhost_root }};
294+
include fastcgi.conf;
295+
fastcgi_pass {{ trim $upstream_name }};
253296
{{ else }}
254297
proxy_pass {{ trim $proto }}://{{ trim $upstream_name }};
255298
{{ end }}
256299
{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
257300
auth_basic "Restricted {{ $host }}";
258301
auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }};
259302
{{ end }}
260-
{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
261-
include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
262-
{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
263-
include /etc/nginx/vhost.d/default_location;
264-
{{ end }}
303+
{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
304+
include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
305+
{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
306+
include /etc/nginx/vhost.d/default_location;
307+
{{ end }}
265308
}
266309
}
267310

0 commit comments

Comments
 (0)