smartmachine 1.0.1 → 1.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +2 -14
- data/lib/smart_machine/apps/container.rb +1 -0
- data/lib/smart_machine/apps/manager.rb +1 -1
- data/lib/smart_machine/base.rb +6 -0
- data/lib/smart_machine/buildpackers/buildpacker.rb +49 -1
- data/lib/smart_machine/buildpackers/rails.rb +87 -12
- data/lib/smart_machine/commands/grid.rb +8 -0
- data/lib/smart_machine/commands/grid_commands/elasticsearch.rb +0 -3
- data/lib/smart_machine/commands/grid_commands/nextcloud.rb +65 -0
- data/lib/smart_machine/commands/grid_commands/terminal.rb +107 -0
- data/lib/smart_machine/commands/machine.rb +8 -0
- data/lib/smart_machine/configuration.rb +23 -1
- data/lib/smart_machine/credentials.rb +9 -0
- data/lib/smart_machine/docker.rb +10 -9
- data/lib/smart_machine/engine.rb +44 -9
- data/lib/smart_machine/grids/nextcloud.rb +93 -0
- data/lib/smart_machine/grids/prereceiver/Dockerfile +10 -13
- data/lib/smart_machine/grids/redis.rb +8 -3
- data/lib/smart_machine/grids/redmine.rb +61 -0
- data/lib/smart_machine/grids/terminal/entrypoint.rb +95 -0
- data/lib/smart_machine/grids/terminal/haproxy.cfg +45 -0
- data/lib/smart_machine/grids/terminal/init.el +310 -0
- data/lib/smart_machine/grids/terminal/wetty.rb +44 -0
- data/lib/smart_machine/grids/terminal.rb +179 -0
- data/lib/smart_machine/machine.rb +26 -5
- data/lib/smart_machine/syncer.rb +8 -7
- data/lib/smart_machine/templates/dotsmartmachine/config/nextcloud.yml +27 -0
- data/lib/smart_machine/templates/dotsmartmachine/config/redis.yml +6 -1
- data/lib/smart_machine/templates/dotsmartmachine/config/terminal.yml +13 -0
- data/lib/smart_machine/templates/dotsmartmachine/grids/nginx/fastcgi.conf +1 -1
- data/lib/smart_machine/templates/dotsmartmachine/grids/nginx/nginx.tmpl +448 -314
- data/lib/smart_machine/version.rb +3 -3
- data/lib/smart_machine.rb +3 -1
- metadata +57 -24
- data/lib/smart_machine/buildpackers/rails/Dockerfile +0 -21
- data/lib/smart_machine/commands/grid_commands/scheduler.rb +0 -15
- data/lib/smart_machine/engine/Dockerfile +0 -30
- data/lib/smart_machine/grids/elasticsearch/.keep +0 -0
- data/lib/smart_machine/grids/minio/.keep +0 -0
- data/lib/smart_machine/grids/nginx/.keep +0 -0
- data/lib/smart_machine/grids/prereceiver/fcgiwrap/APKBUILD +0 -49
- data/lib/smart_machine/grids/prereceiver/fcgiwrap/fcgiwrap.confd +0 -6
- data/lib/smart_machine/grids/prereceiver/fcgiwrap/fcgiwrap.initd +0 -43
- data/lib/smart_machine/grids/prereceiver/fcgiwrap/fcgiwrap.pre-install +0 -7
- data/lib/smart_machine/grids/prereceiver/fcgiwrap/packages/main/x86_64/APKINDEX.tar.gz +0 -0
- data/lib/smart_machine/grids/prereceiver/fcgiwrap/packages/main/x86_64/fcgiwrap-1.1.1-r4.apk +0 -0
- data/lib/smart_machine/grids/prereceiver/fcgiwrap/packages/main/x86_64/fcgiwrap-doc-1.1.1-r4.apk +0 -0
- data/lib/smart_machine/grids/prereceiver/fcgiwrap/packages/main/x86_64/fcgiwrap-openrc-1.1.1-r4.apk +0 -0
- data/lib/smart_machine/grids/redis/.keep +0 -0
- data/lib/smart_machine/grids/scheduler/Dockerfile +0 -14
- data/lib/smart_machine/grids/scheduler.rb +0 -188
- data/lib/smart_machine/templates/dotsmartmachine/grids/scheduler/crontabs/.keep +0 -0
|
@@ -1,81 +1,259 @@
|
|
|
1
|
-
{{
|
|
2
|
-
|
|
3
|
-
{{
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
1
|
+
# nginx-proxy{{ if $.Env.NGINX_PROXY_VERSION }} version : {{ $.Env.NGINX_PROXY_VERSION }}{{ end }}
|
|
2
|
+
|
|
3
|
+
{{- /*
|
|
4
|
+
* Global values. Values are stored in this map rather than in individual
|
|
5
|
+
* global variables so that the values can be easily passed to embedded
|
|
6
|
+
* templates. (Go templates cannot access variables outside of their own
|
|
7
|
+
* scope.)
|
|
8
|
+
*/}}
|
|
9
|
+
{{- $globals := dict }}
|
|
10
|
+
{{- $_ := set $globals "containers" $ }}
|
|
11
|
+
{{- $_ := set $globals "Env" $.Env }}
|
|
12
|
+
{{- $_ := set $globals "Docker" $.Docker }}
|
|
13
|
+
{{- $_ := set $globals "CurrentContainer" (where $globals.containers "ID" $globals.Docker.CurrentContainerID | first) }}
|
|
14
|
+
{{- $_ := set $globals "external_http_port" (coalesce $globals.Env.HTTP_PORT "80") }}
|
|
15
|
+
{{- $_ := set $globals "external_https_port" (coalesce $globals.Env.HTTPS_PORT "443") }}
|
|
16
|
+
{{- $_ := set $globals "sha1_upstream_name" (parseBool (coalesce $globals.Env.SHA1_UPSTREAM_NAME "false")) }}
|
|
17
|
+
{{- $_ := set $globals "default_root_response" (coalesce $globals.Env.DEFAULT_ROOT "404") }}
|
|
18
|
+
{{- $_ := set $globals "trust_downstream_proxy" (parseBool (coalesce $globals.Env.TRUST_DOWNSTREAM_PROXY "true")) }}
|
|
19
|
+
{{- $_ := set $globals "access_log" (or (and (not $globals.Env.DISABLE_ACCESS_LOGS) "access_log /var/log/nginx/access.log vhost;") "") }}
|
|
20
|
+
{{- $_ := set $globals "enable_ipv6" (parseBool (coalesce $globals.Env.ENABLE_IPV6 "false")) }}
|
|
21
|
+
{{- $_ := set $globals "ssl_policy" (or ($globals.Env.SSL_POLICY) "Mozilla-Intermediate") }}
|
|
22
|
+
{{- $_ := set $globals "networks" (dict) }}
|
|
23
|
+
# networks available to nginx-proxy:
|
|
24
|
+
{{- range $globals.CurrentContainer.Networks }}
|
|
25
|
+
{{- $_ := set $globals.networks .Name . }}
|
|
26
|
+
# {{ .Name }}
|
|
27
|
+
{{- end }}
|
|
28
|
+
|
|
29
|
+
{{- define "ssl_policy" }}
|
|
30
|
+
{{- if eq .ssl_policy "Mozilla-Modern" }}
|
|
31
|
+
ssl_protocols TLSv1.3;
|
|
32
|
+
{{- /*
|
|
33
|
+
* nginx currently lacks ability to choose ciphers in TLS 1.3 in
|
|
34
|
+
* configuration; see https://trac.nginx.org/nginx/ticket/1529. A
|
|
35
|
+
* possible workaround can be modify /etc/ssl/openssl.cnf to change
|
|
36
|
+
* it globally (see
|
|
37
|
+
* https://trac.nginx.org/nginx/ticket/1529#comment:12). Explicitly
|
|
38
|
+
* set ngnix default value in order to allow single servers to
|
|
39
|
+
* override the global http value.
|
|
40
|
+
*/}}
|
|
41
|
+
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
42
|
+
ssl_prefer_server_ciphers off;
|
|
43
|
+
{{- else if eq .ssl_policy "Mozilla-Intermediate" }}
|
|
44
|
+
ssl_protocols TLSv1.2 TLSv1.3;
|
|
45
|
+
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
|
|
46
|
+
ssl_prefer_server_ciphers off;
|
|
47
|
+
{{- else if eq .ssl_policy "Mozilla-Old" }}
|
|
48
|
+
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
|
49
|
+
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA';
|
|
50
|
+
ssl_prefer_server_ciphers on;
|
|
51
|
+
{{- else if eq .ssl_policy "AWS-TLS-1-2-2017-01" }}
|
|
52
|
+
ssl_protocols TLSv1.2 TLSv1.3;
|
|
53
|
+
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';
|
|
54
|
+
ssl_prefer_server_ciphers on;
|
|
55
|
+
{{- else if eq .ssl_policy "AWS-TLS-1-1-2017-01" }}
|
|
56
|
+
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
|
|
57
|
+
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
|
|
58
|
+
ssl_prefer_server_ciphers on;
|
|
59
|
+
{{- else if eq .ssl_policy "AWS-2016-08" }}
|
|
60
|
+
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
|
61
|
+
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
|
|
62
|
+
ssl_prefer_server_ciphers on;
|
|
63
|
+
{{- else if eq .ssl_policy "AWS-2015-05" }}
|
|
64
|
+
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
|
65
|
+
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA';
|
|
66
|
+
ssl_prefer_server_ciphers on;
|
|
67
|
+
{{- else if eq .ssl_policy "AWS-2015-03" }}
|
|
68
|
+
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
|
69
|
+
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA';
|
|
70
|
+
ssl_prefer_server_ciphers on;
|
|
71
|
+
{{- else if eq .ssl_policy "AWS-2015-02" }}
|
|
72
|
+
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
|
73
|
+
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA';
|
|
74
|
+
ssl_prefer_server_ciphers on;
|
|
75
|
+
{{- end }}
|
|
76
|
+
{{- end }}
|
|
77
|
+
|
|
78
|
+
{{- define "location" }}
|
|
79
|
+
{{- $override := printf "/etc/nginx/vhost.d/%s_%s_location_override" .Host (sha1 .Path) }}
|
|
80
|
+
{{- if and (eq .Path "/") (not (exists $override)) }}
|
|
81
|
+
{{- $override = printf "/etc/nginx/vhost.d/%s_location_override" .Host }}
|
|
82
|
+
{{- end }}
|
|
83
|
+
{{- if exists $override }}
|
|
84
|
+
include {{ $override }};
|
|
85
|
+
{{- else }}
|
|
86
|
+
location {{ .Path }} {
|
|
87
|
+
{{- if eq .NetworkTag "internal" }}
|
|
88
|
+
# Only allow traffic from internal clients
|
|
89
|
+
include /etc/nginx/network_internal.conf;
|
|
90
|
+
{{- end }}
|
|
91
|
+
|
|
92
|
+
{{- if eq .Proto "uwsgi" }}
|
|
93
|
+
include uwsgi_params;
|
|
94
|
+
uwsgi_pass {{ trim .Proto }}://{{ trim .Upstream }};
|
|
95
|
+
{{- else if eq .Proto "fastcgi" }}
|
|
96
|
+
root {{ trim .VhostRoot }};
|
|
97
|
+
include fastcgi.conf;
|
|
98
|
+
fastcgi_pass {{ trim .Upstream }};
|
|
99
|
+
{{- else if eq .Proto "grpc" }}
|
|
100
|
+
grpc_pass {{ trim .Proto }}://{{ trim .Upstream }};
|
|
101
|
+
{{- else }}
|
|
102
|
+
set {{`$proxy_pass_url`}} {{ trim .Proto }}://{{ trim .Upstream }}{{ trim .Dest }};
|
|
103
|
+
if ({{`$cookie_appenv`}}) {
|
|
104
|
+
set {{`$proxy_pass_url`}} {{ trim .Proto }}://{{`$cookie_appenv`}}.{{ trim .Upstream }}{{ trim .Dest }};
|
|
105
|
+
}
|
|
106
|
+
proxy_pass {{`$proxy_pass_url`}};
|
|
107
|
+
{{- end }}
|
|
108
|
+
|
|
109
|
+
{{- if (exists (printf "/etc/nginx/htpasswd/%s" .Host)) }}
|
|
110
|
+
auth_basic "Restricted {{ .Host }}";
|
|
111
|
+
auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" .Host) }};
|
|
112
|
+
{{- end }}
|
|
113
|
+
|
|
114
|
+
{{- if (exists (printf "/etc/nginx/vhost.d/%s_%s_location" .Host (sha1 .Path) )) }}
|
|
115
|
+
include {{ printf "/etc/nginx/vhost.d/%s_%s_location" .Host (sha1 .Path) }};
|
|
116
|
+
{{- else if (exists (printf "/etc/nginx/vhost.d/%s_location" .Host)) }}
|
|
117
|
+
include {{ printf "/etc/nginx/vhost.d/%s_location" .Host}};
|
|
118
|
+
{{- else if (exists "/etc/nginx/vhost.d/default_location") }}
|
|
119
|
+
include /etc/nginx/vhost.d/default_location;
|
|
120
|
+
{{- end }}
|
|
121
|
+
}
|
|
122
|
+
{{- end }}
|
|
123
|
+
{{- end }}
|
|
124
|
+
|
|
125
|
+
{{- define "upstream" }}
|
|
126
|
+
{{- $networks := .Networks }}
|
|
127
|
+
upstream {{ .Upstream }} {
|
|
128
|
+
{{- $server_found := false }}
|
|
129
|
+
{{- range $container := .Containers }}
|
|
130
|
+
# Container: {{ $container.Name }}
|
|
131
|
+
{{- /* If only 1 port exposed, use that as a default, else 80 */}}
|
|
132
|
+
{{- $defaultPort := (when (eq (len $container.Addresses) 1) (first $container.Addresses) (dict "Port" "80")).Port }}
|
|
133
|
+
{{- $ip := "" }}
|
|
134
|
+
{{- $port := (coalesce $container.Env.VIRTUAL_PORT $defaultPort) }}
|
|
135
|
+
{{- $addr_obj := where $container.Addresses "Port" $port | first }}
|
|
136
|
+
# Exposed ports:{{ range $container.Addresses }} {{ .Port }}/{{ .Proto }}{{ else }} (none){{ end }}
|
|
137
|
+
# Default virtual port: {{ $defaultPort }}
|
|
138
|
+
# VIRTUAL_PORT: {{ $container.Env.VIRTUAL_PORT }}
|
|
139
|
+
{{- if and $addr_obj $addr_obj.HostPort }}
|
|
140
|
+
# /!\ WARNING: Virtual port published on host. Clients might be able to
|
|
141
|
+
# bypass nginx-proxy and access the container's server
|
|
142
|
+
# directly.
|
|
143
|
+
{{- end }}
|
|
144
|
+
{{- if $container.Node.ID }}
|
|
145
|
+
# Swarm node name: {{ $container.Node.Name }}
|
|
146
|
+
{{- end }}
|
|
147
|
+
# Container networks:
|
|
148
|
+
{{- range $containerNetwork := sortObjectsByKeysAsc $container.Networks "Name" }}
|
|
149
|
+
{{- if eq $containerNetwork.Name "ingress" }}
|
|
150
|
+
# {{ $containerNetwork.Name }} (ignored)
|
|
151
|
+
{{- continue }}
|
|
152
|
+
{{- end }}
|
|
153
|
+
{{- if and (not (index $networks $containerNetwork.Name)) (not $networks.host) }}
|
|
154
|
+
# {{ $containerNetwork.Name }} (unreachable)
|
|
155
|
+
{{- continue }}
|
|
156
|
+
{{- end }}
|
|
157
|
+
{{- /*
|
|
158
|
+
* Do not emit multiple `server` directives for this container
|
|
159
|
+
* if it is reachable over multiple networks. This avoids
|
|
160
|
+
* accidentally inflating the effective round-robin weight of
|
|
161
|
+
* this container due to the redundant upstreams that nginx sees
|
|
162
|
+
* as belonging to distinct servers.
|
|
163
|
+
*/}}
|
|
164
|
+
{{- if $ip }}
|
|
165
|
+
# {{ $containerNetwork.Name }} (ignored; reachable but redundant)
|
|
166
|
+
{{- continue }}
|
|
167
|
+
{{- end }}
|
|
168
|
+
# {{ $containerNetwork.Name }} (reachable)
|
|
169
|
+
{{- /*
|
|
170
|
+
* If we got the containers from swarm and this container's
|
|
171
|
+
* port is published to host, use host IP:PORT.
|
|
172
|
+
*/}}
|
|
173
|
+
{{- if and $container.Node.ID $addr_obj $addr_obj.HostPort }}
|
|
174
|
+
{{- $ip = $container.Node.Address.IP }}
|
|
175
|
+
{{- $port = $addr_obj.HostPort }}
|
|
176
|
+
{{- else if and $containerNetwork $containerNetwork.IP }}
|
|
177
|
+
{{- $ip = $containerNetwork.IP }}
|
|
178
|
+
{{- else }}
|
|
179
|
+
# /!\ No IP for this network!
|
|
180
|
+
{{- end }}
|
|
181
|
+
{{- else }}
|
|
182
|
+
# (none)
|
|
183
|
+
{{- end }}
|
|
184
|
+
{{- if $ip }}
|
|
185
|
+
{{- $server_found = true }}
|
|
186
|
+
server {{ $ip }}:{{ $port }};
|
|
187
|
+
{{- end }}
|
|
188
|
+
{{- end }}
|
|
189
|
+
{{- /* nginx-proxy/nginx-proxy#1105 */}}
|
|
190
|
+
{{- if not $server_found }}
|
|
191
|
+
# Fallback entry
|
|
192
|
+
server 127.0.0.1 down;
|
|
193
|
+
{{- end }}
|
|
194
|
+
}
|
|
195
|
+
{{- end }}
|
|
24
196
|
|
|
25
197
|
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
|
|
26
198
|
# scheme used to connect to this server
|
|
27
199
|
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
|
|
28
|
-
|
|
29
|
-
|
|
200
|
+
default {{ if $globals.trust_downstream_proxy }}$http_x_forwarded_proto{{ else }}$scheme{{ end }};
|
|
201
|
+
'' $scheme;
|
|
202
|
+
}
|
|
203
|
+
|
|
204
|
+
map $http_x_forwarded_host $proxy_x_forwarded_host {
|
|
205
|
+
default {{ if $globals.trust_downstream_proxy }}$http_x_forwarded_host{{ else }}$http_host{{ end }};
|
|
206
|
+
'' $http_host;
|
|
30
207
|
}
|
|
31
208
|
|
|
32
209
|
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
|
|
33
210
|
# server port the client connected to
|
|
34
211
|
map $http_x_forwarded_port $proxy_x_forwarded_port {
|
|
35
|
-
|
|
36
|
-
|
|
212
|
+
default {{ if $globals.trust_downstream_proxy }}$http_x_forwarded_port{{ else }}$server_port{{ end }};
|
|
213
|
+
'' $server_port;
|
|
37
214
|
}
|
|
38
215
|
|
|
39
|
-
# If we receive Upgrade, set Connection to "upgrade"; otherwise,
|
|
40
|
-
#
|
|
216
|
+
# If we receive Upgrade, set Connection to "upgrade"; otherwise, preserve
|
|
217
|
+
# NGINX's default behavior ("Connection: close").
|
|
41
218
|
map $http_upgrade $proxy_connection {
|
|
42
|
-
|
|
43
|
-
|
|
219
|
+
default upgrade;
|
|
220
|
+
'' close;
|
|
44
221
|
}
|
|
45
222
|
|
|
46
223
|
# Apply fix for very long server names
|
|
47
224
|
server_names_hash_bucket_size 128;
|
|
48
225
|
|
|
49
226
|
# Default dhparam
|
|
50
|
-
{{ if (exists "/etc/nginx/dhparam/dhparam.pem") }}
|
|
227
|
+
{{- if (exists "/etc/nginx/dhparam/dhparam.pem") }}
|
|
51
228
|
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
|
|
52
|
-
{{ end }}
|
|
229
|
+
{{- end }}
|
|
53
230
|
|
|
54
|
-
# Set appropriate X-Forwarded-Ssl header
|
|
55
|
-
map $
|
|
56
|
-
|
|
57
|
-
|
|
231
|
+
# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
|
|
232
|
+
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
|
|
233
|
+
default off;
|
|
234
|
+
https on;
|
|
58
235
|
}
|
|
59
236
|
|
|
60
237
|
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
|
61
238
|
|
|
62
|
-
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
|
|
63
|
-
'"$request" $status $body_bytes_sent '
|
|
64
|
-
'"$http_referer" "$http_user_agent"';
|
|
239
|
+
log_format vhost '{{ or $globals.Env.LOG_FORMAT "$host $remote_addr - $remote_user [$time_local] \"$request\" $status $body_bytes_sent \"$http_referer\" \"$http_user_agent\" \"$upstream_addr\"" }}';
|
|
65
240
|
|
|
66
241
|
access_log off;
|
|
67
242
|
server_tokens off;
|
|
68
243
|
|
|
69
244
|
# Default is client_max_body_size 1M
|
|
70
|
-
client_max_body_size
|
|
245
|
+
client_max_body_size 1M;
|
|
71
246
|
|
|
72
|
-
{{
|
|
73
|
-
|
|
74
|
-
{{ end }}
|
|
247
|
+
{{- template "ssl_policy" (dict "ssl_policy" $globals.ssl_policy) }}
|
|
248
|
+
error_log /dev/stderr;
|
|
75
249
|
|
|
76
|
-
{{ if
|
|
250
|
+
{{- if $globals.Env.RESOLVERS }}
|
|
251
|
+
resolver {{ $globals.Env.RESOLVERS }};
|
|
252
|
+
{{- end }}
|
|
253
|
+
|
|
254
|
+
{{- if (exists "/etc/nginx/proxy.conf") }}
|
|
77
255
|
include /etc/nginx/proxy.conf;
|
|
78
|
-
{{ else }}
|
|
256
|
+
{{- else }}
|
|
79
257
|
# HTTP 1.1 support
|
|
80
258
|
proxy_http_version 1.1;
|
|
81
259
|
proxy_buffering off;
|
|
@@ -84,290 +262,246 @@ proxy_set_header Upgrade $http_upgrade;
|
|
|
84
262
|
proxy_set_header Connection $proxy_connection;
|
|
85
263
|
proxy_set_header X-Real-IP $remote_addr;
|
|
86
264
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
265
|
+
proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
|
|
87
266
|
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
|
|
88
267
|
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
|
|
89
268
|
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
|
|
269
|
+
proxy_set_header X-Original-URI $request_uri;
|
|
90
270
|
|
|
91
271
|
# Mitigate httpoxy attack (see README for details)
|
|
92
272
|
proxy_set_header Proxy "";
|
|
93
|
-
{{ end }}
|
|
94
|
-
|
|
95
|
-
{{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }}
|
|
96
|
-
server {
|
|
97
|
-
server_name _; # This is just an invalid value which will never trigger on a real hostname.
|
|
98
|
-
listen 80;
|
|
99
|
-
{{ if $enable_ipv6 }}
|
|
100
|
-
listen [::]:80;
|
|
101
|
-
{{ end }}
|
|
102
|
-
access_log /var/log/nginx/access.log vhost;
|
|
103
|
-
return 503;
|
|
104
|
-
}
|
|
105
|
-
|
|
106
|
-
{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
|
|
107
|
-
server {
|
|
108
|
-
server_name _; # This is just an invalid value which will never trigger on a real hostname.
|
|
109
|
-
listen 443 ssl http2;
|
|
110
|
-
{{ if $enable_ipv6 }}
|
|
111
|
-
listen [::]:443 ssl http2;
|
|
112
|
-
{{ end }}
|
|
113
|
-
access_log /var/log/nginx/access.log vhost;
|
|
114
|
-
return 503;
|
|
115
|
-
|
|
116
|
-
ssl_session_tickets off;
|
|
117
|
-
ssl_certificate /etc/nginx/certs/default.crt;
|
|
118
|
-
ssl_certificate_key /etc/nginx/certs/default.key;
|
|
119
|
-
}
|
|
120
|
-
{{ end }}
|
|
121
|
-
|
|
122
|
-
{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
|
|
123
|
-
|
|
124
|
-
{{ $host := trim $host }}
|
|
125
|
-
{{ $is_regexp := hasPrefix "~" $host }}
|
|
126
|
-
{{ $upstream_name := when $is_regexp (sha1 $host) $host }}
|
|
127
|
-
|
|
128
|
-
# {{ $host }}
|
|
129
|
-
upstream {{ $upstream_name }} {
|
|
130
|
-
|
|
131
|
-
{{ range $container := $containers }}
|
|
132
|
-
{{ $addrLen := len $container.Addresses }}
|
|
133
|
-
|
|
134
|
-
{{ range $knownNetwork := $CurrentContainer.Networks }}
|
|
135
|
-
{{ range $containerNetwork := $container.Networks }}
|
|
136
|
-
{{ if (and (ne $containerNetwork.Name "ingress") (or (eq $knownNetwork.Name $containerNetwork.Name) (eq $knownNetwork.Name "host"))) }}
|
|
137
|
-
## Can be connected with "{{ $containerNetwork.Name }}" network
|
|
138
|
-
|
|
139
|
-
{{/* If only 1 port exposed, use that */}}
|
|
140
|
-
{{ if eq $addrLen 1 }}
|
|
141
|
-
{{ $address := index $container.Addresses 0 }}
|
|
142
|
-
{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
|
|
143
|
-
{{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var, falling back to standard web port 80 */}}
|
|
144
|
-
{{ else }}
|
|
145
|
-
{{ $port := coalesce $container.Env.VIRTUAL_PORT "80" }}
|
|
146
|
-
{{ $address := where $container.Addresses "Port" $port | first }}
|
|
147
|
-
{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
|
|
148
|
-
{{ end }}
|
|
149
|
-
{{ else }}
|
|
150
|
-
# Cannot connect to network of this container
|
|
151
|
-
server 127.0.0.1 down;
|
|
152
|
-
{{ end }}
|
|
153
|
-
{{ end }}
|
|
154
|
-
{{ end }}
|
|
155
|
-
{{ end }}
|
|
156
|
-
}
|
|
157
|
-
|
|
158
|
-
{{ $default_host := or ($.Env.DEFAULT_HOST) "" }}
|
|
159
|
-
{{ $default_server := index (dict $host "" $default_host "default_server") $host }}
|
|
160
|
-
|
|
161
|
-
{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}}
|
|
162
|
-
{{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
|
|
163
|
-
|
|
164
|
-
{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
|
|
165
|
-
{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
|
|
273
|
+
{{- end }}
|
|
166
274
|
|
|
167
|
-
{{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}}
|
|
168
|
-
{{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }}
|
|
169
|
-
|
|
170
|
-
{{/* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to "Mozilla-Intermediate" */}}
|
|
171
|
-
{{ $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "Mozilla-Intermediate" }}
|
|
172
|
-
|
|
173
|
-
{{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}}
|
|
174
|
-
{{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }}
|
|
175
|
-
|
|
176
|
-
{{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
|
|
177
|
-
{{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
{{/* Get the first cert name defined by containers w/ the same vhost */}}
|
|
181
|
-
{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
|
|
182
|
-
|
|
183
|
-
{{/* Get the best matching cert by name for the vhost. */}}
|
|
184
|
-
{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}
|
|
185
|
-
|
|
186
|
-
{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}}
|
|
187
|
-
{{ $vhostCert := trimSuffix ".crt" $vhostCert }}
|
|
188
|
-
{{ $vhostCert := trimSuffix ".key" $vhostCert }}
|
|
189
|
-
|
|
190
|
-
{{/* Use the cert specified on the container or fallback to the best vhost match */}}
|
|
191
|
-
{{ $cert := (coalesce $certName $vhostCert) }}
|
|
192
|
-
|
|
193
|
-
{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
|
|
194
|
-
|
|
195
|
-
{{ if $is_https }}
|
|
196
|
-
|
|
197
|
-
{{ if eq $https_method "redirect" }}
|
|
198
275
|
server {
|
|
199
|
-
|
|
200
|
-
|
|
201
|
-
|
|
202
|
-
|
|
203
|
-
|
|
204
|
-
|
|
205
|
-
|
|
276
|
+
server_name _; # This is just an invalid value which will never trigger on a real hostname.
|
|
277
|
+
server_tokens off;
|
|
278
|
+
listen {{ $globals.external_http_port }};
|
|
279
|
+
{{- if $globals.enable_ipv6 }}
|
|
280
|
+
listen [::]:{{ $globals.external_http_port }};
|
|
281
|
+
{{- end }}
|
|
282
|
+
{{ $globals.access_log }}
|
|
283
|
+
return 503;
|
|
284
|
+
|
|
285
|
+
{{- if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
|
|
286
|
+
listen {{ $globals.external_https_port }} ssl http2;
|
|
287
|
+
{{- if $globals.enable_ipv6 }}
|
|
288
|
+
listen [::]:{{ $globals.external_https_port }} ssl http2;
|
|
289
|
+
{{- end }}
|
|
290
|
+
|
|
291
|
+
ssl_session_cache shared:SSL:50m;
|
|
292
|
+
ssl_session_tickets off;
|
|
293
|
+
ssl_certificate /etc/nginx/certs/default.crt;
|
|
294
|
+
ssl_certificate_key /etc/nginx/certs/default.key;
|
|
295
|
+
{{- end }}
|
|
206
296
|
}
|
|
207
|
-
{{ end }}
|
|
208
297
|
|
|
298
|
+
{{- range $host, $containers := groupByMulti $globals.containers "Env.VIRTUAL_HOST" "," }}
|
|
299
|
+
|
|
300
|
+
{{- $host := trim $host }}
|
|
301
|
+
{{- if not $host }}
|
|
302
|
+
{{- /* Ignore containers with VIRTUAL_HOST set to the empty string. */}}
|
|
303
|
+
{{- continue }}
|
|
304
|
+
{{- end }}
|
|
305
|
+
{{- $is_regexp := hasPrefix "~" $host }}
|
|
306
|
+
{{- $upstream_name := when (or $is_regexp $globals.sha1_upstream_name) (sha1 $host) $host }}
|
|
307
|
+
|
|
308
|
+
{{- $paths := groupBy $containers "Env.VIRTUAL_PATH" }}
|
|
309
|
+
{{- $nPaths := len $paths }}
|
|
310
|
+
{{- if eq $nPaths 0 }}
|
|
311
|
+
{{- $paths = dict "/" $containers }}
|
|
312
|
+
{{- end }}
|
|
313
|
+
|
|
314
|
+
{{- range $path, $containers := $paths }}
|
|
315
|
+
{{- $upstream := $upstream_name }}
|
|
316
|
+
{{- if gt $nPaths 0 }}
|
|
317
|
+
{{- $sum := sha1 $path }}
|
|
318
|
+
{{- $upstream = printf "%s-%s" $upstream $sum }}
|
|
319
|
+
{{- end }}
|
|
320
|
+
# {{ $host }}{{ $path }}
|
|
321
|
+
{{ template "upstream" (dict "Upstream" $upstream "Containers" $containers "Networks" $globals.networks) }}
|
|
322
|
+
{{- end }}
|
|
323
|
+
|
|
324
|
+
{{- $default_host := or ($globals.Env.DEFAULT_HOST) "" }}
|
|
325
|
+
{{- $default_server := index (dict $host "" $default_host "default_server") $host }}
|
|
326
|
+
|
|
327
|
+
{{- /*
|
|
328
|
+
* Get the SERVER_TOKENS defined by containers w/ the same vhost,
|
|
329
|
+
* falling back to "".
|
|
330
|
+
*/}}
|
|
331
|
+
{{- $server_tokens := trim (or (first (groupByKeys $containers "Env.SERVER_TOKENS")) "") }}
|
|
332
|
+
|
|
333
|
+
|
|
334
|
+
{{- /*
|
|
335
|
+
* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling
|
|
336
|
+
* back to "redirect".
|
|
337
|
+
*/}}
|
|
338
|
+
{{- $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) (or $globals.Env.HTTPS_METHOD "redirect") }}
|
|
339
|
+
|
|
340
|
+
{{- /*
|
|
341
|
+
* Get the SSL_POLICY defined by containers w/ the same vhost, falling
|
|
342
|
+
* back to empty string (use default).
|
|
343
|
+
*/}}
|
|
344
|
+
{{- $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "" }}
|
|
345
|
+
|
|
346
|
+
{{- /*
|
|
347
|
+
* Get the HSTS defined by containers w/ the same vhost, falling back to
|
|
348
|
+
* "max-age=31536000".
|
|
349
|
+
*/}}
|
|
350
|
+
{{- $hsts := or (first (groupByKeys $containers "Env.HSTS")) (or $globals.Env.HSTS "max-age=31536000") }}
|
|
351
|
+
|
|
352
|
+
{{- /* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
|
|
353
|
+
{{- $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
|
|
354
|
+
|
|
355
|
+
|
|
356
|
+
{{- /* Get the first cert name defined by containers w/ the same vhost */}}
|
|
357
|
+
{{- $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
|
|
358
|
+
|
|
359
|
+
{{- /* Get the best matching cert by name for the vhost. */}}
|
|
360
|
+
{{- $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}
|
|
361
|
+
|
|
362
|
+
{{- /*
|
|
363
|
+
* vhostCert is actually a filename so remove any suffixes since they
|
|
364
|
+
* are added later.
|
|
365
|
+
*/}}
|
|
366
|
+
{{- $vhostCert := trimSuffix ".crt" $vhostCert }}
|
|
367
|
+
{{- $vhostCert := trimSuffix ".key" $vhostCert }}
|
|
368
|
+
|
|
369
|
+
{{- /*
|
|
370
|
+
* Use the cert specified on the container or fallback to the best vhost
|
|
371
|
+
* match.
|
|
372
|
+
*/}}
|
|
373
|
+
{{- $cert := (coalesce $certName $vhostCert) }}
|
|
374
|
+
|
|
375
|
+
{{- $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
|
|
376
|
+
|
|
377
|
+
{{- if and $is_https (eq $https_method "redirect") }}
|
|
209
378
|
server {
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
215
|
-
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
|
|
221
|
-
|
|
222
|
-
|
|
223
|
-
|
|
224
|
-
|
|
225
|
-
|
|
226
|
-
|
|
227
|
-
|
|
228
|
-
|
|
229
|
-
|
|
230
|
-
|
|
231
|
-
|
|
232
|
-
|
|
233
|
-
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
|
|
237
|
-
{{ else if eq $ssl_policy "AWS-2016-08" }}
|
|
238
|
-
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
|
239
|
-
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
|
|
240
|
-
{{ else if eq $ssl_policy "AWS-2015-05" }}
|
|
241
|
-
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
|
242
|
-
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA';
|
|
243
|
-
{{ else if eq $ssl_policy "AWS-2015-03" }}
|
|
244
|
-
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
|
245
|
-
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA';
|
|
246
|
-
{{ else if eq $ssl_policy "AWS-2015-02" }}
|
|
247
|
-
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
|
248
|
-
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA';
|
|
249
|
-
{{ end }}
|
|
250
|
-
|
|
251
|
-
ssl_prefer_server_ciphers on;
|
|
252
|
-
ssl_session_timeout 5m;
|
|
253
|
-
ssl_session_cache shared:SSL:50m;
|
|
254
|
-
ssl_session_tickets off;
|
|
255
|
-
|
|
256
|
-
ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
|
|
257
|
-
ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
|
|
258
|
-
|
|
259
|
-
{{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }}
|
|
260
|
-
ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
|
|
261
|
-
{{ end }}
|
|
262
|
-
|
|
263
|
-
{{ if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }}
|
|
264
|
-
ssl_stapling on;
|
|
265
|
-
ssl_stapling_verify on;
|
|
266
|
-
ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};
|
|
267
|
-
{{ end }}
|
|
268
|
-
|
|
269
|
-
{{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }}
|
|
270
|
-
add_header Strict-Transport-Security "{{ trim $hsts }}" always;
|
|
271
|
-
{{ end }}
|
|
272
|
-
|
|
273
|
-
{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
|
|
274
|
-
include {{ printf "/etc/nginx/vhost.d/%s" $host }};
|
|
275
|
-
{{ else if (exists "/etc/nginx/vhost.d/default") }}
|
|
276
|
-
include /etc/nginx/vhost.d/default;
|
|
277
|
-
{{ end }}
|
|
278
|
-
|
|
279
|
-
location / {
|
|
280
|
-
{{ if eq $proto "uwsgi" }}
|
|
281
|
-
include uwsgi_params;
|
|
282
|
-
uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
|
|
283
|
-
{{ else if eq $proto "fastcgi" }}
|
|
284
|
-
root {{ trim $vhost_root }};
|
|
285
|
-
include fastcgi.conf;
|
|
286
|
-
fastcgi_pass {{ trim $upstream_name }};
|
|
287
|
-
{{ else }}
|
|
288
|
-
set {{`$proxy_pass_url`}} {{ trim $proto }}://{{ trim $upstream_name }};
|
|
289
|
-
if ({{`$cookie_appenv`}}) {
|
|
290
|
-
set {{`$proxy_pass_url`}} {{ trim $proto }}://{{`$cookie_appenv`}}.{{ trim $upstream_name }};
|
|
291
|
-
}
|
|
292
|
-
proxy_pass {{`$proxy_pass_url`}};
|
|
293
|
-
{{ end }}
|
|
294
|
-
|
|
295
|
-
{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
|
|
296
|
-
auth_basic "Restricted {{ $host }}";
|
|
297
|
-
auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }};
|
|
298
|
-
{{ end }}
|
|
299
|
-
{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
|
|
300
|
-
include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
|
|
301
|
-
{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
|
|
302
|
-
include /etc/nginx/vhost.d/default_location;
|
|
303
|
-
{{ end }}
|
|
304
|
-
}
|
|
379
|
+
server_name {{ $host }};
|
|
380
|
+
{{- if $server_tokens }}
|
|
381
|
+
server_tokens {{ $server_tokens }};
|
|
382
|
+
{{- end }}
|
|
383
|
+
listen {{ $globals.external_http_port }} {{ $default_server }};
|
|
384
|
+
{{- if $globals.enable_ipv6 }}
|
|
385
|
+
listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
|
|
386
|
+
{{- end }}
|
|
387
|
+
{{ $globals.access_log }}
|
|
388
|
+
|
|
389
|
+
# Do not HTTPS redirect Let's Encrypt ACME challenge
|
|
390
|
+
location ^~ /.well-known/acme-challenge/ {
|
|
391
|
+
auth_basic off;
|
|
392
|
+
auth_request off;
|
|
393
|
+
allow all;
|
|
394
|
+
root /usr/share/nginx/html;
|
|
395
|
+
try_files $uri =404;
|
|
396
|
+
break;
|
|
397
|
+
}
|
|
398
|
+
|
|
399
|
+
location / {
|
|
400
|
+
{{- if eq $globals.external_https_port "443" }}
|
|
401
|
+
return 301 https://$host$request_uri;
|
|
402
|
+
{{- else }}
|
|
403
|
+
return 301 https://$host:{{ $globals.external_https_port }}$request_uri;
|
|
404
|
+
{{- end }}
|
|
405
|
+
}
|
|
305
406
|
}
|
|
306
|
-
|
|
307
|
-
{{ end }}
|
|
308
|
-
|
|
309
|
-
{{ if or (not $is_https) (eq $https_method "noredirect") }}
|
|
407
|
+
{{- end }}
|
|
310
408
|
|
|
311
409
|
server {
|
|
312
|
-
|
|
313
|
-
|
|
314
|
-
|
|
315
|
-
|
|
316
|
-
|
|
317
|
-
|
|
318
|
-
|
|
319
|
-
|
|
320
|
-
|
|
321
|
-
|
|
322
|
-
|
|
323
|
-
|
|
324
|
-
|
|
325
|
-
|
|
326
|
-
|
|
327
|
-
|
|
328
|
-
|
|
329
|
-
|
|
330
|
-
|
|
331
|
-
|
|
332
|
-
|
|
333
|
-
|
|
334
|
-
|
|
335
|
-
|
|
336
|
-
|
|
337
|
-
|
|
338
|
-
|
|
339
|
-
|
|
340
|
-
|
|
341
|
-
|
|
342
|
-
|
|
343
|
-
|
|
344
|
-
|
|
345
|
-
|
|
346
|
-
|
|
347
|
-
|
|
348
|
-
|
|
349
|
-
|
|
350
|
-
|
|
351
|
-
|
|
352
|
-
|
|
353
|
-
|
|
354
|
-
|
|
410
|
+
server_name {{ $host }};
|
|
411
|
+
{{- if $server_tokens }}
|
|
412
|
+
server_tokens {{ $server_tokens }};
|
|
413
|
+
{{- end }}
|
|
414
|
+
{{ $globals.access_log }}
|
|
415
|
+
{{- if or (not $is_https) (eq $https_method "noredirect") }}
|
|
416
|
+
listen {{ $globals.external_http_port }} {{ $default_server }};
|
|
417
|
+
{{- if $globals.enable_ipv6 }}
|
|
418
|
+
listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
|
|
419
|
+
{{- end }}
|
|
420
|
+
{{- end }}
|
|
421
|
+
{{- if $is_https }}
|
|
422
|
+
listen {{ $globals.external_https_port }} ssl http2 {{ $default_server }};
|
|
423
|
+
{{- if $globals.enable_ipv6 }}
|
|
424
|
+
listen [::]:{{ $globals.external_https_port }} ssl http2 {{ $default_server }};
|
|
425
|
+
{{- end }}
|
|
426
|
+
|
|
427
|
+
{{- template "ssl_policy" (dict "ssl_policy" $ssl_policy) }}
|
|
428
|
+
|
|
429
|
+
ssl_session_timeout 5m;
|
|
430
|
+
ssl_session_cache shared:SSL:50m;
|
|
431
|
+
ssl_session_tickets off;
|
|
432
|
+
|
|
433
|
+
ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
|
|
434
|
+
ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
|
|
435
|
+
|
|
436
|
+
{{- if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }}
|
|
437
|
+
ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
|
|
438
|
+
{{- end }}
|
|
439
|
+
|
|
440
|
+
{{- if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }}
|
|
441
|
+
ssl_stapling on;
|
|
442
|
+
ssl_stapling_verify on;
|
|
443
|
+
ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};
|
|
444
|
+
{{- end }}
|
|
445
|
+
|
|
446
|
+
{{- if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }}
|
|
447
|
+
set $sts_header "";
|
|
448
|
+
if ($https) {
|
|
449
|
+
set $sts_header "{{ trim $hsts }}";
|
|
450
|
+
}
|
|
451
|
+
add_header Strict-Transport-Security $sts_header always;
|
|
452
|
+
{{- end }}
|
|
453
|
+
{{- end }}
|
|
454
|
+
|
|
455
|
+
{{- if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
|
|
456
|
+
include {{ printf "/etc/nginx/vhost.d/%s" $host }};
|
|
457
|
+
{{- else if (exists "/etc/nginx/vhost.d/default") }}
|
|
458
|
+
include /etc/nginx/vhost.d/default;
|
|
459
|
+
{{- end }}
|
|
460
|
+
|
|
461
|
+
{{- range $path, $containers := $paths }}
|
|
462
|
+
{{- /*
|
|
463
|
+
* Get the VIRTUAL_PROTO defined by containers w/ the same
|
|
464
|
+
* vhost-vpath, falling back to "http".
|
|
465
|
+
*/}}
|
|
466
|
+
{{- $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
|
|
467
|
+
|
|
468
|
+
{{- /*
|
|
469
|
+
* Get the NETWORK_ACCESS defined by containers w/ the same vhost,
|
|
470
|
+
* falling back to "external".
|
|
471
|
+
*/}}
|
|
472
|
+
{{- $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
|
|
473
|
+
{{- $upstream := $upstream_name }}
|
|
474
|
+
{{- $dest := "" }}
|
|
475
|
+
{{- if gt $nPaths 0 }}
|
|
476
|
+
{{- $sum := sha1 $path }}
|
|
477
|
+
{{- $upstream = printf "%s-%s" $upstream $sum }}
|
|
478
|
+
{{- $dest = (or (first (groupByKeys $containers "Env.VIRTUAL_DEST")) "") }}
|
|
479
|
+
{{- end }}
|
|
480
|
+
{{- template "location" (dict "Path" $path "Proto" $proto "Upstream" $upstream "Host" $host "VhostRoot" $vhost_root "Dest" $dest "NetworkTag" $network_tag) }}
|
|
481
|
+
{{- end }}
|
|
482
|
+
{{- if and (not (contains $paths "/")) (ne $globals.default_root_response "none")}}
|
|
483
|
+
location / {
|
|
484
|
+
return {{ $globals.default_root_response }};
|
|
485
|
+
}
|
|
486
|
+
{{- end }}
|
|
355
487
|
}
|
|
356
488
|
|
|
357
|
-
{{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
|
|
489
|
+
{{- if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
|
|
358
490
|
server {
|
|
359
|
-
|
|
360
|
-
|
|
361
|
-
|
|
362
|
-
|
|
363
|
-
|
|
364
|
-
|
|
365
|
-
|
|
366
|
-
|
|
367
|
-
|
|
368
|
-
|
|
491
|
+
server_name {{ $host }};
|
|
492
|
+
{{- if $server_tokens }}
|
|
493
|
+
server_tokens {{ $server_tokens }};
|
|
494
|
+
{{- end }}
|
|
495
|
+
listen {{ $globals.external_https_port }} ssl http2 {{ $default_server }};
|
|
496
|
+
{{- if $globals.enable_ipv6 }}
|
|
497
|
+
listen [::]:{{ $globals.external_https_port }} ssl http2 {{ $default_server }};
|
|
498
|
+
{{- end }}
|
|
499
|
+
{{ $globals.access_log }}
|
|
500
|
+
return 500;
|
|
501
|
+
|
|
502
|
+
ssl_certificate /etc/nginx/certs/default.crt;
|
|
503
|
+
ssl_certificate_key /etc/nginx/certs/default.key;
|
|
369
504
|
}
|
|
370
|
-
{{ end }}
|
|
505
|
+
{{- end }}
|
|
371
506
|
|
|
372
|
-
{{ end }}
|
|
373
|
-
{{ end }}
|
|
507
|
+
{{- end }}
|