package nginxconf
import (
"strings"
"text/template"
)
// rootTmpl is the parent of every template declared in this file. Parsing the
// sub-templates into one shared root is what lets the site template pull the
// others in by name with {{template "..." .}}.
var (
	rootTmpl = template.New("root")
)
// httpsRedirectSrc is the source of the "httpsRedirect" sub-template: one
// plain-HTTP (port 80) server block for .Domain plus one per entry of
// .AltDomains, each answering every request with a 301 to HTTPS.
//
// When .IsRedirect is set all blocks point at .RedirectSchemeHost. Otherwise
// the primary block sends the client to https://$host (the Host header as
// received, which server_name pins to .Domain unless this block also happens
// to be the default server) and the alternate blocks send it to
// https://{{.Domain}}.
//
// NOTE(review): this is text/template, so .Domain, .AltDomains and
// .RedirectSchemeHost are interpolated verbatim with no escaping. Whoever
// supplies them must reject whitespace, ';', '{', '}' and newlines, or a
// crafted value becomes additional nginx directives in the generated file.
const httpsRedirectSrc = `
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name {{.Domain}};
{{if .IsRedirect}}
return 301 {{.RedirectSchemeHost}}$request_uri;
{{else}}
return 301 https://$host$request_uri;
{{end}}
}
{{$this := .}}
{{range .AltDomains}}
# Redirect HTTP to HTTPS from {{.}} to {{$this.Domain}}
server {
listen 80;
listen [::]:80;
server_name {{.}};
{{if $this.IsRedirect}}
return 301 {{$this.RedirectSchemeHost}}$request_uri;
{{else}}
return 301 https://{{$this.Domain}}$request_uri;
{{end}}
}{{end}}
`

// httpToHTTPSRedirectTmpl is httpsRedirectSrc parsed into rootTmpl under the
// name "httpsRedirect", so the site template can include it by name.
var httpToHTTPSRedirectTmpl = template.Must(rootTmpl.New("httpsRedirect").Parse(strings.TrimSpace(httpsRedirectSrc)))
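// sslConfigTmpl is the "sslConfig" sub-template: the TLS directives shared by
// every HTTPS server block. It reads .Domain, .SSLCertificatePath,
// .SSLCertificateKeyPath and .SSLTrustedCertificatePath.
//
// Two hardening changes versus the earlier form of this template:
//   - TLSv1.1 is no longer offered. It is deprecated (RFC 8996) and nothing
//     that also speaks TLSv1.2 needs it; TLSv1.2 and TLSv1.3 remain.
//   - The HSTS add_header carries "always", so nginx emits it on every
//     response code instead of only 2xx/3xx. Browsers refresh the HSTS policy
//     from any response, so a 404 or 5xx that drops the header is a real gap.
//
// NOTE(review): the cipher list still admits CBC suites (the ...-SHA and
// ...-SHA256 entries) and DHE-DSS; trim it to the AEAD suites once legacy
// clients are out of scope. max-age is six months, which is fine for normal
// use but below the one year (plus includeSubDomains) the preload list asks for.
//
// NOTE(review): nginx does not inherit add_header into a location that
// declares its own add_header. Any location template that adds headers must
// restate the HSTS line, or responses from that location silently lose it.
//
// NOTE(review): ssl_dhparam embeds .Domain in a filesystem path, unescaped
// like every other field here; it must be validated by the caller.
var sslConfigTmpl = template.Must(rootTmpl.New("sslConfig").Parse(strings.TrimSpace(`
# SSL Configuration.
ssl_certificate {{.SSLCertificatePath}};
ssl_certificate_key {{.SSLCertificateKeyPath}};
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# TLSv1.0 and TLSv1.1 are deprecated (RFC 8996); offer only TLSv1.2 and TLSv1.3.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
ssl_prefer_server_ciphers on;
ssl_dhparam /opt/nginx/ssl/{{.Domain}}/dhparams.pem;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# "always" sends the header on every response code, not just 2xx/3xx.
add_header Strict-Transport-Security max-age=15768000 always;
# OCSP Stapling -- fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{.SSLTrustedCertificatePath}};
# Make @konklone happy
add_header X-Konklone-Force-HTTPS TRUE;
`)))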
// rootLocationSrc is the source of the "rootLocation" sub-template, the
// catch-all `location /`. With .IsStatic it serves files via try_files; with
// .IsProxy it forwards to .ProxyURL, setting X-Real-IP, X-Forwarded-For, Host
// and X-Forwarded-Proto and capping the upstream connect at 5s; with neither
// set the location body is empty.
//
// NOTE(review): X-Forwarded-For is set to $remote_addr, overwriting whatever
// the client sent, rather than appended via $proxy_add_x_forwarded_for. That
// is the safer choice when nginx is the internet-facing edge (the upstream can
// never see a spoofed chain) but it discards the real chain if a CDN or other
// proxy sits in front; confirm which deployment applies before changing it.
//
// NOTE(review): the try_files fallback is written as `index.html` with no
// leading slash. nginx treats the last argument as a URI for an internal
// redirect and it is normally `/index.html`; verify the generated config
// actually serves the fallback before relying on it.
//
// NOTE(review): .ProxyURL is interpolated verbatim; it must be validated by
// the caller so it cannot inject further directives.
const rootLocationSrc = `
# Handle all requests.
location / {
{{if .IsStatic}}try_files $uri $uri.html $uri/index.html index.html;
{{else if .IsProxy}}proxy_pass {{.ProxyURL}};
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 5s;
{{end}}
}
`

// rootLocationTmpl is rootLocationSrc parsed into rootTmpl under the name
// "rootLocation", so the site template can include it by name.
var rootLocationTmpl = template.Must(rootTmpl.New("rootLocation").Parse(strings.TrimSpace(rootLocationSrc)))
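// mediaLocationTmpl is the "mediaLocation" sub-template: a regex location,
// matched by file extension on the request URI, that serves static assets with
// a 30-day expiry, a public Cache-Control header and ETags. With .IsStatic it
// also tunes the OS file cache; with .IsProxy it forwards to .ProxyURL with
// the same proxy_set_header lines as the root location.
//
// Fix: this location declares its own add_header directives, and nginx then
// stops inheriting the server-level ones, so the Strict-Transport-Security
// header set by the sslConfig template was missing from every response served
// here. The HSTS line is now restated in this block so static assets carry
// it too (with "always", so it is also present on 404s from this location).
//
// NOTE(review): access_log off means requests for these extensions, including
// 404 probes for .html/.xml/.js paths, leave no trace in the access log. That
// is a deliberate noise/disk trade-off, but bear it in mind for incident
// response.
//
// NOTE(review): in proxy mode this regex also catches .html and .xml and
// stamps them with expires 30d and Cache-Control "public". If the upstream
// returns personalised content at such URIs, a shared cache could serve one
// user's page to another; confirm the upstream's content before using the
// proxy branch.
var mediaLocationTmpl = template.Must(rootTmpl.New("mediaLocation").Parse(strings.TrimSpace(`
## All static files will be served with a bit more nuance.
location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg|woff2)$ {
access_log off;
expires 30d;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
## add_header is not inherited from the server block once a location declares
## its own add_header, so HSTS must be restated here or these responses lose it.
add_header Strict-Transport-Security max-age=15768000 always;
add_header X-Konklone-Force-HTTPS TRUE;
etag on;
{{if .IsStatic}}
## No need to bleed constant updates. Send the all shebang in one
## fell swoop.
tcp_nodelay off;
## Set the OS file cache.
open_file_cache max=3000 inactive=120s;
open_file_cache_valid 45s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
{{else if .IsProxy}}
proxy_pass {{.ProxyURL}};
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 5s;
{{end}}
}
`)))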
// siteConfigSrc is the source of the top-level "rootConfig" template: the
// complete per-site nginx file. It includes "httpsRedirect" for port 80,
// emits one HTTPS server block per .AltDomains entry that 301s to .Domain (or
// to .RedirectSchemeHost when .IsRedirect is set), and finally the HTTPS
// server block for .Domain itself, which either redirects (.IsRedirect) or
// includes the "rootLocation" and "mediaLocation" templates. With .IsStatic
// the primary block also sets root to .Webroot and a 404 page.
//
// NOTE(review): the alternate-domain HTTPS blocks include "sslConfig" with the
// primary site's data, so they present .Domain's certificate. Those names
// must be covered by that certificate's SANs or clients will see a
// certificate error before the redirect ever happens.
//
// NOTE(review): the two "session resumption, 10 min cache" comments in the
// generated output sit above keepalive_timeout, not above a session-cache
// directive; session caching is actually configured by ssl_session_cache in
// the sslConfig template. The comment appears to have been carried over from
// the linked nginx example and is misleading as placed.
//
// NOTE(review): `listen ... http2` is the pre-1.25 syntax; newer nginx
// deprecates the listen parameter in favour of a separate `http2 on;`.
//
// NOTE(review): .Domain, .AltDomains, .Webroot and .RedirectSchemeHost are
// interpolated verbatim; validate them before rendering.
const siteConfigSrc = `
# THIS FILE IS AUTO-GENERATED by nginx-conf-gen. DO NOT EDIT.
{{template "httpsRedirect" .}}
{{$this := .}}
{{range .AltDomains}}
# Redirect {{.}} to {{$this.Domain}}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{.}};
{{template "sslConfig" $this}}
# optional: turn on session resumption, using a 10 min cache shared across nginx processes
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
keepalive_timeout 70;
{{if $this.IsRedirect}}
return 301 {{$this.RedirectSchemeHost}}$request_uri;
{{else}}
return 301 https://{{$this.Domain}}$request_uri;
{{end}}
}
{{end}}
# Serve the site.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{.Domain}};
{{if .IsStatic}}
# Show me the files.
root {{.Webroot}};
error_page 404 = /404.html;
etag on;
{{end}}
# optional: turn on session resumption, using a 10 min cache shared across nginx processes
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
keepalive_timeout 70;
{{template "sslConfig" .}}
{{if .IsRedirect}}
return 301 {{.RedirectSchemeHost}}$request_uri;
{{else}}
{{template "rootLocation" .}}
{{template "mediaLocation" .}}
{{end}}
}
# vim: syn=nginx
`

// siteConfigTmpl is siteConfigSrc parsed into rootTmpl under the name
// "rootConfig". It is the entry point callers execute; the sub-templates it
// references must be parsed into the same root before it is executed.
var siteConfigTmpl = template.Must(rootTmpl.New("rootConfig").Parse(strings.TrimSpace(siteConfigSrc)))