server { listen 80; listen [::]:80; server_name {{ item.domain }}; return 301 https://{{ item.domain }}$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name {{ item.domain }}; access_log /var/log/nginx/{{ item.domain }}.log main; {% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %} {% for wildcard in proxy.dns_cloudflare.wildcard_domains %} {% set domain_regex = '^\*\.' + wildcard + '$' %} {% if item.domain | regex_search(wildcard) %} ssl_certificate /etc/letsencrypt/live/{{ wildcard }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ wildcard }}/privkey.pem; {% endif %} {% endfor %} {% elif proxy.production is defined and proxy.production and item.tls.cert is not defined %} ssl_certificate /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ item.domain }}/privkey.pem; {% elif proxy.production is defined and proxy.production and item.tls.cert is defined %} ssl_certificate {{ item.tls.cert }}; ssl_certificate_key {{ item.tls.key }}; {% else %} ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; {% endif %} {% if item.hsts is defined %} add_header Strict-Transport-Security "max-age={{ item.hsts }}" always; {% endif %} {% if item.client_max_body_size is defined %} client_max_body_size {{ item.client_max_body_size }}; {% endif %} location / { {% if item.allowedips is defined %} {% for ip in item.allowedips %} allow {{ ip }}; {% endfor %} deny all; {% endif %} {% if item.restrict is defined and item.restrict %} auth_basic "{{ item.restrict_name | default('Restricted Access') }}"; auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }}; proxy_set_header Authorization ""; {% endif %} proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass {{ item.proxy_pass }}; {% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %} proxy_ssl_verify off; {% endif %} {% if item.websockets is defined and item.websockets %} proxy_http_version 1.1; proxy_set_header Connection $http_connection; proxy_set_header Origin http://$host; proxy_set_header Upgrade $http_upgrade; {% endif %} } }