generated from nginxinc/template-repository
-
Notifications
You must be signed in to change notification settings - Fork 12
/
nginx.conf
92 lines (74 loc) · 3.4 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
##
# Example configuration showing a single server block to handle HTTP and HTTP
# communications, as well as automatcally issuing / renewing the TLS
# certificate. See the other files in this directory for other examples.
##
daemon off;
user nginx;
load_module modules/ngx_http_js_module.so;
error_log /dev/stdout debug;
events {
}
http {
js_path "/usr/lib/nginx/njs_modules/";
js_fetch_trusted_certificate /etc/ssl/certs/ISRG_Root_X1.pem;
# Read the .js file into the `acme` namespace.
js_import acme from acme.js;
# IMPORTANT: One `resolver` directive *must* be defined.
resolver 127.0.0.11 ipv6=off; # docker-compose
# resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
# resolver 8.8.8.8 8.8.4.4; # Google
# resolver 172.16.0.23; # AWS EC2 Classic
# resolver 169.254.169.253; # AWS VPC
resolver_timeout 5s;
##
# `njs-acme` can use a shared dict to cache cert/key pairs to avoid
# filesystem calls on TLS handshake. If you want to use a shared zone name
# that is not `acme`, then ensure the variable $njs_acme_shared_dict_zone_name
# also contains the desired name. The zone size should be enough to store all
# certs and keys. 1MB should be enough to store 100 certs/keys.
js_shared_dict_zone zone=acme:1m;
server {
listen 8000;
listen 8443 ssl;
server_name _default;
## Mandatory Variables
# These, and other variables, may also be defined in
# environment variables, just without the leading dollar sign and with the
# variable name in upper case, e.g. `NJS_ACME_SERVER_NAMES`.
js_var $njs_acme_server_names 'proxy.nginx.com proxy2.nginx.com';
js_var $njs_acme_account_email 'test@example.com';
## Optional Variables and their defaults.
# js_var $njs_acme_dir /etc/nginx/njs-acme;
# js_var $njs_acme_challenge_dir /etc/nginx/njs-acme/challenge;
# js_var $njs_acme_account_private_jwk /etc/nginx/njs-acme/account_private_key.json;
# js_var $njs_acme_directory_uri https://acme-staging-v02.api.letsencrypt.org/directory;
# js_var $njs_acme_verify_provider_https true;
# js_var $njs_acme_shared_dict_zone_name acme;
## Let's Encrypt Production URL (uncomment after you are done testing with their staging environment)
# js_var $njs_acme_directory_uri https://acme-v02.api.letsencrypt.org/directory
# Stores the key/cert content in these variables.
js_set $dynamic_ssl_cert acme.js_cert;
js_set $dynamic_ssl_key acme.js_key;
# Uses the key/cert stored in variables for HTTPS
ssl_certificate data:$dynamic_ssl_cert;
ssl_certificate_key data:$dynamic_ssl_key;
# `js_periodic` must be in a location {} block, so use a named location to
# avoid affecting URI space.
# From https://nginx.org/en/docs/http/ngx_http_core_module.html#location
# The “@” prefix defines a named location. Such a location is not used for a
# regular request processing, but instead used for request redirection.
location @acmePeriodicAuto {
# Check certificate validity each minute
js_periodic acme.clientAutoMode interval=1m;
}
# Respond challenges from the ACME server (e.g. Let's Encrypt)
location ~ "^/\.well-known/acme-challenge/[-_A-Za-z0-9]{22,128}$" {
js_content acme.challengeResponse;
}
# Your location(s) go here
location = / {
return 200 "hello server_name:$server_name\nssl_session_id:$ssl_session_id\n";
}
}
}