# Generated by Chef
#
<%
# nginx virtual-host template rendered by Chef. Inputs are the template's
# instance variables (@init_statements, @upstreams, @server_name, @aliases,
# @catch_all, @ssl, @path_crt, @path_key, @path_dhparam, @doc_root, @index,
# @auth, @path_pass, @access_log_options, @path_rest, @includes,
# @custom_statements) plus node['nginx']['log_dir'].
# Every value is written into the config verbatim — nothing is escaped or
# validated here — so the recipe that sets these attributes is the trust
# boundary for what ends up in the nginx configuration.
#
# Top-level statements, emitted verbatim outside any server block.
@init_statements.each do |ins|
-%>
<%= ins %>

<%
end

# One upstream block per entry, each with a single backend at ip:port.
@upstreams.each do |us|
-%>
upstream <%= us[:name] %> {
    server <%= us[:ip] %>:<%= us[:port] %>;
}

<% 
end

# server_name list: the primary name first, then the aliases, deduplicated.
servers = [@server_name]
@aliases.each do |aname|
  servers << aname
end
servers.uniq!

# Optional catch-all on :80 for requests whose Host matches no server_name;
# 444 makes nginx close the connection without sending a response.
if @catch_all
-%>
server {
    listen      80 default_server;
    server_name _;
    return      444;
}

<%
end
if @ssl
  # Optional catch-all on :443.
  # NOTE(review): this listen carries no "ssl" parameter and the block sets no
  # certificate, while the site server below uses "listen 443 ssl". Whether
  # nginx accepts that mix, and how it answers TLS handshakes for unknown
  # names, depends on the nginx version — confirm with `nginx -t`.
  if @catch_all
-%>
server {
    listen      443 default_server;
    server_name _;
    return      444;
}

<%
  end
  # Plain-HTTP listener for the site: permanent redirect to HTTPS.
  # $server_name is the first name of the server_name directive, so the
  # redirect target is never built from the client-supplied Host header.
-%>
server {
    listen 80;
    server_name <%= servers.join(' ') %>;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;

    ssl_certificate <%= @path_crt %>;
    ssl_certificate_key <%= @path_key %>;
<%# Cipher/protocol/dhparam settings are applied only for a non-self-signed -%>
<%# certificate; a self-signed site inherits whatever the nginx defaults are. -%>
<%   unless @ssl[:self_signed] -%>

    # Modern cipher suite:
    #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
    # Medium compatibility cipher suite (compatible with IE7 WinXP):
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;
<%# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996), and the active -%>
<%# "medium" list above keeps 3DES (DES-CBC3-SHA) that the "modern" list excludes -%>
<%# with !3DES. Both are here only for legacy-client compatibility — re-evaluate. -%>
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam <%= @path_dhparam %>;
<%   end -%>

<%
  # HSTS header value; only the TLS vhost emits it.
  # NOTE(review): @ssl[:hsts_max_age] is interpolated unvalidated — a nil or
  # empty value renders as "max-age=;", which nginx will happily ship.
  hsts = "max-age=#{@ssl[:hsts_max_age]};"
  hsts << 'includeSubDomains;' if @ssl[:hsts_include_subdomains]
-%>
    add_header Strict-Transport-Security "<%= hsts %>";
<%
else
  # Non-TLS site: a single plain-HTTP server block.
-%>
server {
    listen 80;

<%
end
-%>
<%# NOTE(review): add_header set at server level (these two and the HSTS header -%>
<%# above) is not inherited by any location that declares its own add_header, -%>
<%# including locations defined in the files pulled in via "include" below. -%>
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    server_name <%= servers.join(' ') %>;

    root <%= @doc_root %>;
    index <%= @index %>;

<%# Optional HTTP basic auth. NOTE(review): @auth[:msg] is placed inside double -%>
<%# quotes without escaping; a '"' in the value breaks the generated config. -%>
<% if @auth -%>
    auth_basic "<%= @auth[:msg] %>";
    auth_basic_user_file <%= @path_pass %>;

<% end -%>
<%# Per-site logs under node['nginx']['log_dir']; @access_log_options (if set) -%>
<%# is appended raw after the path, e.g. a log format name or buffer flags. -%>
    access_log <%= node['nginx']['log_dir'] %>/<%= @server_name %>.access.log<% if @access_log_options %> <%= @access_log_options %><% end %>;
    error_log <%= node['nginx']['log_dir'] %>/<%= @server_name %>.error.log;

<%# @path_rest is always included; @includes are additional include paths. -%>
    include <%= @path_rest %>;
<% @includes.each do |inc| -%>
    include <%= inc %>;
<% end -%>

<%# Custom statements are raw nginx directives emitted verbatim inside this -%>
<%# server block, one per line, indented to match. -%>
<% @custom_statements.each do |sm| -%>
    <%= sm %>
<% end -%>
}