|
| 1 | +{{ range $subdir, $containers := groupByMulti $ "Env.NGINX_PROXY_SUBDIRECTORY" "," }} |
| 2 | +upstream {{ $subdir }} { |
| 3 | +{{ range $index, $value := $containers }} |
| 4 | + {{ $addrLen := len $value.Addresses }} |
| 5 | + {{/* If only 1 port exposed, use that */}} |
| 6 | + {{ if eq $addrLen 1 }} |
| 7 | + {{ with $address := index $value.Addresses 0 }} |
| 8 | + server {{ $address.IP }}:{{ $address.Port }}; |
| 9 | + {{ end }} |
| 10 | + {{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var */}} |
| 11 | + {{ else if $value.Env.VIRTUAL_PORT }} |
| 12 | + {{ range $i, $address := $value.Addresses }} |
| 13 | + {{ if eq $address.Port $value.Env.VIRTUAL_PORT }} |
| 14 | + server {{ $address.IP }}:{{ $address.Port }}; |
| 15 | + {{ end }} |
| 16 | + {{ end }} |
| 17 | + {{/* Else default to standard web port 80 */}} |
| 18 | + {{ else }} |
| 19 | + {{ range $i, $address := $value.Addresses }} |
| 20 | + {{ if eq $address.Port "80" }} |
| 21 | + server {{ $address.IP }}:{{ $address.Port }}; |
| 22 | + {{ end }} |
| 23 | + {{ end }} |
| 24 | + {{ end }} |
| 25 | +{{ end }} |
| 26 | +} |
| 27 | +{{ end }} |
| 28 | + |
| 29 | +{{ define "locations" }} |
| 30 | +{{ range $subdir, $containers := groupByMulti $ "Env.NGINX_PROXY_SUBDIRECTORY" "," }} |
| 31 | + location /{{ $subdir }} { |
| 32 | + {{ $c := where $containers "Env.NGINX_PROXY_SUBDIRECTORY_MAP_TO_ROOT" "1" }} |
| 33 | + {{ $l := len $c }} |
| 34 | + {{ if eq $l 0 }} |
| 35 | + proxy_pass http://{{ $subdir }}; |
| 36 | + {{ else }} |
| 37 | + proxy_pass http://{{ $subdir }}/; |
| 38 | + {{ end }} |
| 39 | + {{ if (exists (printf "/etc/nginx/htpasswd/%s" $subdir)) }} |
| 40 | + auth_basic "Restricted {{ $subdir }}"; |
| 41 | + auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $subdir) }}; |
| 42 | + {{ end }} |
| 43 | + {{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $subdir)) }} |
| 44 | + include {{ printf "/etc/nginx/vhost.d/%s_location" $subdir}}; |
| 45 | + {{ else if (exists "/etc/nginx/vhost.d/default_location") }} |
| 46 | + include /etc/nginx/vhost.d/default_location; |
| 47 | + {{ end }} |
| 48 | + } |
| 49 | +{{ end }} |
| 50 | +{{ end }} |
| 51 | + |
| 52 | +# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the |
| 53 | +# scheme used to connect to this server |
| 54 | +map $http_x_forwarded_proto $proxy_x_forwarded_proto { |
| 55 | + default $http_x_forwarded_proto; |
| 56 | + '' $scheme; |
| 57 | +} |
| 58 | + |
| 59 | +# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any |
| 60 | +# Connection header that may have been passed to this server |
| 61 | +map $http_upgrade $proxy_connection { |
| 62 | + default upgrade; |
| 63 | + '' close; |
| 64 | +} |
| 65 | + |
| 66 | +gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; |
| 67 | + |
| 68 | +log_format vhost '$host $remote_addr - $remote_user [$time_local] ' |
| 69 | + '"$request" $status $body_bytes_sent ' |
| 70 | + '"$http_referer" "$http_user_agent"'; |
| 71 | + |
| 72 | +access_log off; |
| 73 | + |
| 74 | +{{ if (exists "/etc/nginx/proxy.conf") }} |
| 75 | +include /etc/nginx/proxy.conf; |
| 76 | +{{ else }} |
| 77 | +# HTTP 1.1 support |
| 78 | +proxy_http_version 1.1; |
| 79 | +proxy_buffering off; |
| 80 | +proxy_set_header Host $http_host; |
| 81 | +proxy_set_header Upgrade $http_upgrade; |
| 82 | +proxy_set_header Connection $proxy_connection; |
| 83 | +proxy_set_header X-Real-IP $remote_addr; |
| 84 | +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| 85 | +proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; |
| 86 | +{{ end }} |
| 87 | + |
| 88 | +{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} |
| 89 | + |
| 90 | +server { |
| 91 | + server_name _; |
| 92 | + listen 80; |
| 93 | + access_list /var/log/nginx/access.log vhost; |
| 94 | + return 301 https://$host$request_uri; |
| 95 | +} |
| 96 | + |
| 97 | +server { |
| 98 | + server_name _; |
| 99 | + listen 443; |
| 100 | + access_list /var/log/nginx/access.log vhost; |
| 101 | + |
| 102 | + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
| 103 | + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; |
| 104 | + |
| 105 | + ssl_prefer_server_ciphers on; |
| 106 | + ssl_session_timeout 5m; |
| 107 | + ssl_session_cache shared:SSL:50m; |
| 108 | + |
| 109 | + ssl_certificate /etc/nginx/certs/default.crt; |
| 110 | + ssl_certificate_key /etc/nginx/certs/default.key; |
| 111 | + |
| 112 | + {{ if (exists "/etc/nginx/certs/default.dhparam.pem") }} |
| 113 | + ssl_dhparam /etc/nginx/certs/default.dhparam.pem; |
| 114 | + {{ end }} |
| 115 | + |
| 116 | + add_header Strict-Transport-Security "max-age=31536000"; |
| 117 | + |
| 118 | + {{ template "locations" $ }} |
| 119 | +} |
| 120 | + |
| 121 | +{{ else }} |
| 122 | + |
| 123 | +server { |
| 124 | + server_name _; |
| 125 | + listen 80; |
| 126 | + access_log /var/log/nginx/access.log vhost; |
| 127 | + |
| 128 | + {{ template "locations" $ }} |
| 129 | +} |
| 130 | + |
| 131 | +{{ end }} |
0 commit comments