2 ################################################
3 ### Managed by someone's ansible provisioner ###
4 ################################################
5 # Part of: https://git.somenet.org/root/pub/somesible.git
6 # 2017-2024 by someone <someone@somenet.org>
9 {% if vhost_custom.vhost_custom_pre_server != "" %}
11 ###############################
12 ### vhost_custom_pre_server ###
13 ###############################
# Free-form snippet emitted verbatim ahead of the vhost's own directives.
# NOTE(review): this template does not validate the value, so whoever can set
# vhost_custom_pre_server can add arbitrary nginx directives - keep it operator-controlled.
14 {{ vhost_custom.vhost_custom_pre_server }}
18 {% if vhost_cache_on %}
# One proxy cache zone and one FastCGI cache zone per vhost: 16m of key memory, at most 1g on
# disk, entries removed after 1440m without an access.
# NOTE(review): both directories have predictable names under /tmp. Where /tmp is shared with
# other local users (no PrivateTmp or similar), a dedicated root-owned directory such as
# /var/cache/nginx is a safer home for cached responses - confirm how the host isolates /tmp.
19 proxy_cache_path /tmp/nginx_cachep_{{vhost_name}} levels=1:2 keys_zone=cachep_{{vhost_name}}:16m max_size=1g inactive=1440m use_temp_path=off;
20 fastcgi_cache_path /tmp/nginx_cachef_{{vhost_name}} levels=1:2 keys_zone=cachef_{{vhost_name}}:16m max_size=1g inactive=1440m use_temp_path=off;
23 {% if vhost_https_on %}
# HTTPS server: TLS with HTTP/2, answering for the vhost name and all configured aliases.
26 listen [::]:443 ssl http2;
27 server_name {{vhost_name}} {{vhost_aliases}} {{vhost_aliases_nocert}};
# Certificate chain and private key come from the per-vhost Let's Encrypt directory.
# NOTE(review): the variable name suggests the vhost_aliases_nocert names are not on this
# certificate; clients reaching them over HTTPS would then get a name mismatch - confirm.
29 ssl_certificate /etc/ssl/letsencrypt/{{vhost_name}}/fullchain.pem;
30 ssl_certificate_key /etc/ssl/letsencrypt/{{vhost_name}}/privkey.pem;
# Only TLS 1.2 and TLS 1.3 are offered.
31 ssl_protocols TLSv1.2 TLSv1.3;
# OpenSSL cipher string (applies to TLS 1.2; TLS 1.3 suites are not governed by ssl_ciphers):
# HIGH minus anonymous suites and minus every suite whose MAC is MD5, SHA1, SHA256 or SHA384.
# That drops the CBC-mode suites and leaves AEAD ones.
# NOTE(review): static-RSA key exchange AEAD suites (no forward secrecy) are still part of
# HIGH; adding !kRSA would remove them - check the result with "openssl ciphers -v".
32 ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384;
33 ssl_prefer_server_ciphers on;
# With no ssl_dhparam configured, current nginx versions offer no finite-field DHE suites.
34 # ssl_dhparam /etc/nginx/dhparams.pem;
# TLS session cache shared between worker processes (10m).
35 ssl_session_cache shared:SSL:10m;
# Verifies OCSP responses before stapling them; only has an effect when ssl_stapling itself is
# on - TODO confirm it is enabled alongside this line.
37 ssl_stapling_verify on;
# HSTS for one year, sent on error responses too ("always"); no includeSubDomains or preload.
# NOTE(review): nginx inherits add_header from this level only into blocks that declare no
# add_header of their own, so a location or custom snippet that adds any header silently
# drops HSTS for the responses it handles.
38 add_header Strict-Transport-Security "max-age=31536000" always;
# Per-vhost access and error logs.
40 access_log /var/log/nginx/{{vhost_name}}-access.log;
41 error_log /var/log/nginx/{{vhost_name}}-error.log;
# Request bodies up to 1025M are accepted.
# NOTE(review): this generous limit applies to every vhost built from the template; lower it
# where large uploads are not expected, since oversized bodies tie up disk and connections.
43 client_max_body_size 1025M;
44 fastcgi_buffers 64 4K;
# fix 414 Request-URI Too Large.
46 large_client_header_buffers 4 64k;
48 {% if vhost_gzip_on %}
# Optional response compression for HTTP/1.1+ clients and the listed text-like MIME types.
# NOTE(review): compressing TLS responses that mix secrets (e.g. CSRF tokens) with
# request-reflected data is the precondition for BREACH-style side channels; review the
# application before enabling gzip for it.
55 gzip_http_version 1.1;
56 gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
62 {% if vhost_cache_on %}
# Proxy cache: use this vhost's zone, serve stale entries while the upstream errors, times out
# or is being refreshed, refresh in the background and revalidate with conditional requests.
64 proxy_cache cachep_{{vhost_name}};
65 proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
66 proxy_cache_background_update on;
67 proxy_cache_revalidate on;
# Key and validity overrides are left commented out. With no proxy_cache_valid in effect, what
# gets cached and for how long depends on the caching headers the upstream sends.
68 # proxy_cache_key $scheme$proxy_host$request_uri;
69 # proxy_cache_valid 200 302 60m;
70 # proxy_cache_valid 301 90m;
71 # proxy_cache_valid any 10m;
# FastCGI cache with the same policy (502 and 504 are not in its stale list).
73 fastcgi_cache cachef_{{vhost_name}};
74 fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
75 fastcgi_cache_background_update on;
76 fastcgi_cache_revalidate on;
# NOTE(review): the cache key is the request URI alone. server_name carries several host names
# and the HTTP and HTTPS servers of this template use the same zone name, so a response that
# depends on the host or scheme (absolute links, redirects) can be replayed for a different
# one. A key such as "$scheme$request_method$host$request_uri" keeps those entries apart.
77 fastcgi_cache_key $request_uri;
78 # fastcgi_cache_valid 200 302 60m;
79 # fastcgi_cache_valid 301 90m;
80 # fastcgi_cache_valid any 10m;
# Reports the cache result (HIT, MISS, ...) to the client on every response, errors included.
# Useful for debugging; it also tells any client how the cache treated its request.
82 add_header X-Cache-Status $upstream_cache_status always;
# ACME http-01 challenge files written by dehydrated. The "^~" modifier makes this prefix win
# over the regex locations, so the dotfile rule below cannot block certificate renewal.
89 location ^~ /.well-known/acme-challenge {
90 alias /var/www/html/dehydrated;
93 {%- if vhost_dotfile_protection %}
# Regex location matching any path component that starts with "." except ".well-known/".
# NOTE(review): with vhost_dotfile_protection switched off, files such as .git, .env or
# .htpasswd lying under the docroot are served like any other static file - keep the
# protection on unless the vhost really needs to publish dotfiles.
95 ### <dotfile protection>
96 location ~ /\.(?!well-known\/).* {
99 ### </dotfile protection>
102 ### dotfile protection DISABLED! (not vhost_dotfile_protection)
# robots.txt: a file in the vhost's own directory takes precedence over the shared one under
# /html; 404 when neither exists.
106 location = /robots.txt {
108 try_files /{{vhost_name}}/$uri /html/$uri =404;
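# Icons referenced by the AWStats report pages.
# The prefix ends in "/" so that it lines up with the trailing slash on the alias. nginx
# replaces the matched prefix with the alias and appends the rest of the URI; a prefix without
# the slash would also match longer names that merely begin with "/awstats-icon", and the
# resulting file path would no longer be confined to the icon directory.
112 location ^~ /awstats-icon/ {
113 alias /usr/share/awstats/icon/;
# PAM service name used by the authentication configured for this location.
115 auth_pam_service_name "nginx-awstats";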
# AWStats report CGI, matched by exact URI and executed through fcgiwrap.
118 location = /awstats.pl {
119 root /usr/lib/cgi-bin/;
# PAM service name used by the authentication configured for this location.
121 auth_pam_service_name "nginx-awstats";
125 include fastcgi_params;
126 fastcgi_pass unix:/var/run/fcgiwrap.socket;
# The script path is a constant rather than derived from the request, so this location can only
# ever run awstats.pl.
# NOTE(review): request parameters still reach the script (assuming the stock fastcgi_params),
# so the authentication on this location is what limits who can drive AWStats - verify.
127 fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/awstats.pl;
130 ### <maintenance part1>
# Every 503 is answered from the named location below with a static HTML page: the
# vhost-specific file first, then the global one, then the ".dis" variant, else 404.
131 error_page 503 @maintenance;
132 location @maintenance {
133 default_type text/html;
135 try_files /maintenance.html.{{vhost_name}} /maintenance.html /maintenance.html.dis =404;
# $maintenance is the switch read by "maintenance part2": it becomes "1" when the global or the
# vhost-specific flag file exists on disk.
137 set $maintenance "0";
138 if (-f "/var/www/maintenance.html") {
139 set $maintenance "1";
141 if (-f "/var/www/maintenance.html.{{vhost_name}}") {
142 set $maintenance "1";
# Clients whose address is listed in vhost_maintenance_ips get the switch reset to "0" and so
# bypass maintenance mode.
# NOTE(review): $remote_addr is the address of the connecting peer (unless the realip module
# rewrites it) and the test is an exact string match, not a CIDR range. Behind a reverse proxy
# or NAT every client sharing a listed address is let through - confirm the deployment.
144 {% for ip in vhost_maintenance_ips %}
145 if ($remote_addr = "{{ip}}") {
146 set $maintenance "0";
149 ### </maintenance part1>
151 ###############################
152 ### real config starts here ###
153 ###############################
154 {%- if vhost_type|lower() in ["php", "static"] %}
# "php" and "static" vhosts serve files from the vhost's docroot: the exact path, then a
# directory's index.html, then the directory itself, else 404.
156 root /var/www/{{vhost_name}};
158 try_files $uri $uri/index.html $uri/ =404;
161 {%- if vhost_type|lower() == "static" %}
# remove /index.html from path
164 location ~ ^(.*/)index.html$ {
165 rewrite ^(.*/)index.html$ $1 permanent;
# remove trailing slashes from path
169 location ~ ^/(.*)/$ {
170 rewrite ^/(.*)/$ /$1 permanent;
173 {%- elif vhost_type|lower() == "php" %}
# URIs naming a .php file, optionally followed by extra path info, are handled by PHP-FPM.
177 location ~ \.php($|/.*) {
# Guard for script names that do not exist as a regular file under the docroot.
178 if (!-f $document_root$fastcgi_script_name) {
182 include fastcgi_params;
183 fastcgi_pass unix:/var/run/php/php-fpm.sock;
# NOTE(review): the guard above tests $document_root$fastcgi_script_name, but SCRIPT_FILENAME
# is built from $request_filename, which still contains any trailing path info. For such
# requests PHP-FPM is left to work out the script on its own (cgi.fix_pathinfo). Passing
# $document_root$fastcgi_script_name would hand over exactly the path that was checked - verify
# against the PHP-FPM settings in use.
184 fastcgi_param SCRIPT_FILENAME $request_filename;
# Split the URI into script name and path info; the latter is passed on as PATH_INFO.
186 fastcgi_split_path_info ^(.+\.php)($|/.*);
187 fastcgi_param PATH_INFO $fastcgi_path_info;
191 {%- elif vhost_type|lower() == "proxypass" %}
# Files that exist under the docroot are served directly; everything else goes to @proxy.
193 root /var/www/{{vhost_name}};
195 try_files $uri @proxy;
198 proxy_pass {{vhost_proxypass_target}};
# HTTP/1.1 with Upgrade/Connection forwarding (WebSocket); $connection_upgrade has to be
# defined by a map outside this template.
199 proxy_http_version 1.1;
200 proxy_set_header Upgrade $http_upgrade;
201 proxy_set_header Connection $connection_upgrade;
# NOTE(review): $http_host is the Host header exactly as the client sent it, whereas $host is
# nginx's normalised form. A backend that builds links or redirects from Host should validate it.
202 proxy_set_header Host $http_host;
# X-Forwarded-For appends this peer to whatever list the client supplied, so the backend should
# trust only the right-most entry (or X-Real-IP).
203 proxy_set_header X-Real-IP $remote_addr;
204 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
205 proxy_set_header X-Forwarded-Proto $scheme;
# NOTE(review): X-Frame-Options is a response header. proxy_set_header only adds it to the
# request sent upstream; browsers never see it, so this line gives no clickjacking protection.
# Sending it to clients needs add_header - and a location-level add_header stops inheritance of
# the server-level ones (Strict-Transport-Security, X-Cache-Status), which must then be repeated.
206 proxy_set_header X-Frame-Options SAMEORIGIN;
# Ask the upstream for uncompressed responses.
207 proxy_set_header Accept-Encoding "";
210 {%- elif vhost_type|lower() == "redirect" %}
# Redirect vhost: keeps the incoming scheme and the full request URI, replaces only the host.
212 return {{vhost_redirect_code}} $scheme://{{vhost_redirect_target_without_protocol}}$request_uri;
215 {%- if vhost_custom.vhost_custom != "" %}
# Operator-supplied snippet rendered verbatim into the server block; it is not validated here,
# so it must come from a trusted source.
220 {{ vhost_custom.vhost_custom | indent(width=4) }}
#############################
225 ### real config ends here ###
226 #############################
227 ### <maintenance part2>
# Evaluated per request: fires when "maintenance part1" left the switch at "1" (presumably by
# returning the 503 that error_page routes to @maintenance).
228 if ($maintenance = "1") {
231 ### </maintenance part2>
235 {% if vhost_http_on %}
# Plain-HTTP server for the same host names. It repeats the HTTPS server's locations instead of
# redirecting to HTTPS.
# NOTE(review): with vhost_http_on set, everything below - including the PAM-protected AWStats
# locations - is reachable without TLS, and HSTS only helps clients that have already visited
# over HTTPS. Consider reducing this server to the ACME challenge plus a redirect to HTTPS.
239 server_name {{vhost_name}} {{vhost_aliases}} {{vhost_aliases_nocert}};
# Same log files as the HTTPS server, so entries from both schemes are interleaved.
241 access_log /var/log/nginx/{{vhost_name}}-access.log;
242 error_log /var/log/nginx/{{vhost_name}}-error.log;
# Request bodies up to 1025M are accepted; lower this where large uploads are not expected.
244 client_max_body_size 1025M;
245 fastcgi_buffers 64 4K;
# fix 414 Request-URI Too Large.
247 large_client_header_buffers 4 64k;
249 {% if vhost_cache_on %}
# Proxy cache: use this vhost's zone, serve stale entries while the upstream errors, times out
# or is being refreshed, refresh in the background and revalidate with conditional requests.
251 proxy_cache cachep_{{vhost_name}};
252 proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
253 proxy_cache_background_update on;
254 proxy_cache_revalidate on;
# Key and validity overrides are left commented out. With no proxy_cache_valid in effect, what
# gets cached and for how long depends on the caching headers the upstream sends.
255 # proxy_cache_key $scheme$proxy_host$request_uri;
256 # proxy_cache_valid 200 302 60m;
257 # proxy_cache_valid 301 90m;
258 # proxy_cache_valid any 10m;
# FastCGI cache with the same policy (502 and 504 are not in its stale list).
260 fastcgi_cache cachef_{{vhost_name}};
261 fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
262 fastcgi_cache_background_update on;
263 fastcgi_cache_revalidate on;
# NOTE(review): the cache key is the request URI alone, and this zone name is also used by the
# HTTPS server of the template. An entry stored for one scheme or host name can therefore be
# served for another. A key such as "$scheme$request_method$host$request_uri" keeps them apart.
264 fastcgi_cache_key $request_uri;
265 # fastcgi_cache_valid 200 302 60m;
266 # fastcgi_cache_valid 301 90m;
267 # fastcgi_cache_valid any 10m;
# Reports the cache result (HIT, MISS, ...) to the client on every response, errors included.
269 add_header X-Cache-Status $upstream_cache_status always;
272 ### proxy_cache DISABLED!
# ACME http-01 challenge files written by dehydrated. The "^~" modifier makes this prefix win
# over the regex locations, so the dotfile rule below cannot block certificate renewal.
276 location ^~ /.well-known/acme-challenge {
277 alias /var/www/html/dehydrated;
280 {%- if vhost_dotfile_protection %}
# Regex location matching any path component that starts with "." except ".well-known/".
# NOTE(review): with vhost_dotfile_protection switched off, files such as .git, .env or
# .htpasswd lying under the docroot are served like any other static file - keep the
# protection on unless the vhost really needs to publish dotfiles.
282 ### <dotfile protection>
283 location ~ /\.(?!well-known\/).* {
286 ### </dotfile protection>
289 ### dotfile protection DISABLED! (not vhost_dotfile_protection)
# robots.txt: a file in the vhost's own directory takes precedence over the shared one under
# /html; 404 when neither exists.
293 location = /robots.txt {
295 try_files /{{vhost_name}}/$uri /html/$uri =404;
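# Icons referenced by the AWStats report pages.
# The prefix ends in "/" so that it lines up with the trailing slash on the alias. nginx
# replaces the matched prefix with the alias and appends the rest of the URI; a prefix without
# the slash would also match longer names that merely begin with "/awstats-icon", and the
# resulting file path would no longer be confined to the icon directory.
299 location ^~ /awstats-icon/ {
300 alias /usr/share/awstats/icon/;
# PAM service name used by the authentication configured for this location.
# NOTE(review): this is the plain-HTTP server, so credentials entered here are not protected
# by TLS.
302 auth_pam_service_name "nginx-awstats";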
# AWStats report CGI, matched by exact URI and executed through fcgiwrap.
305 location = /awstats.pl {
306 root /usr/lib/cgi-bin/;
# PAM service name used by the authentication configured for this location.
# NOTE(review): on this plain-HTTP server the credentials cross the network unencrypted; if
# the PAM service checks system accounts, those passwords are exposed to anyone on the path.
# Prefer offering the AWStats locations over HTTPS only.
308 auth_pam_service_name "nginx-awstats";
312 include fastcgi_params;
313 fastcgi_pass unix:/var/run/fcgiwrap.socket;
# The script path is a constant rather than derived from the request, so this location can only
# ever run awstats.pl.
314 fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/awstats.pl;
317 ### <maintenance part1>
# Every 503 is answered from the named location below with a static HTML page: the
# vhost-specific file first, then the global one, then the ".dis" variant, else 404.
318 error_page 503 @maintenance;
319 location @maintenance {
320 default_type text/html;
322 try_files /maintenance.html.{{vhost_name}} /maintenance.html /maintenance.html.dis =404;
# $maintenance is the switch read by "maintenance part2": it becomes "1" when the global or the
# vhost-specific flag file exists on disk.
324 set $maintenance "0";
325 if (-f "/var/www/maintenance.html") {
326 set $maintenance "1";
328 if (-f "/var/www/maintenance.html.{{vhost_name}}") {
329 set $maintenance "1";
# Clients whose address is listed in vhost_maintenance_ips get the switch reset to "0" and so
# bypass maintenance mode.
# NOTE(review): $remote_addr is the address of the connecting peer (unless the realip module
# rewrites it) and the test is an exact string match, not a CIDR range. Behind a reverse proxy
# or NAT every client sharing a listed address is let through - confirm the deployment.
331 {% for ip in vhost_maintenance_ips %}
332 if ($remote_addr = "{{ip}}") {
333 set $maintenance "0";
336 ### </maintenance part1>
338 ###############################
339 ### real config starts here ###
340 ###############################
341 {%- if vhost_type|lower() in ["php", "static"] %}
# "php" and "static" vhosts serve files from the vhost's docroot: the exact path, then a
# directory's index.html, then the directory itself, else 404.
343 root /var/www/{{vhost_name}};
345 try_files $uri $uri/index.html $uri/ =404;
348 {%- if vhost_type|lower() == "static" %}
# remove /index.html from path
351 location ~ ^(.*/)index.html$ {
352 rewrite ^(.*/)index.html$ $1 permanent;
# remove trailing slashes from path
356 location ~ ^/(.*)/$ {
357 rewrite ^/(.*)/$ /$1 permanent;
360 {%- elif vhost_type|lower() == "php" %}
# URIs naming a .php file, optionally followed by extra path info, are handled by PHP-FPM.
364 location ~ \.php($|/.*) {
# Guard for script names that do not exist as a regular file under the docroot.
365 if (!-f $document_root$fastcgi_script_name) {
369 include fastcgi_params;
370 fastcgi_pass unix:/var/run/php/php-fpm.sock;
# NOTE(review): the guard above tests $document_root$fastcgi_script_name, but SCRIPT_FILENAME
# is built from $request_filename, which still contains any trailing path info. For such
# requests PHP-FPM is left to work out the script on its own (cgi.fix_pathinfo). Passing
# $document_root$fastcgi_script_name would hand over exactly the path that was checked - verify
# against the PHP-FPM settings in use.
371 fastcgi_param SCRIPT_FILENAME $request_filename;
# Split the URI into script name and path info; the latter is passed on as PATH_INFO.
373 fastcgi_split_path_info ^(.+\.php)($|/.*);
374 fastcgi_param PATH_INFO $fastcgi_path_info;
378 {%- elif vhost_type|lower() == "proxypass" %}
# Files that exist under the docroot are served directly; everything else goes to @proxy.
380 root /var/www/{{vhost_name}};
382 try_files $uri @proxy;
385 proxy_pass {{vhost_proxypass_target}};
# HTTP/1.1 with Upgrade/Connection forwarding (WebSocket); $connection_upgrade has to be
# defined by a map outside this template.
386 proxy_http_version 1.1;
387 proxy_set_header Upgrade $http_upgrade;
388 proxy_set_header Connection $connection_upgrade;
# NOTE(review): $http_host is the Host header exactly as the client sent it, whereas $host is
# nginx's normalised form. A backend that builds links or redirects from Host should validate it.
389 proxy_set_header Host $http_host;
# X-Forwarded-For appends this peer to whatever list the client supplied, so the backend should
# trust only the right-most entry (or X-Real-IP).
390 proxy_set_header X-Real-IP $remote_addr;
391 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
392 proxy_set_header X-Forwarded-Proto $scheme;
# NOTE(review): X-Frame-Options is a response header. proxy_set_header only adds it to the
# request sent upstream; browsers never see it, so this line gives no clickjacking protection.
# Sending it to clients needs add_header - and a location-level add_header stops inheritance of
# any server-level add_header lines, which must then be repeated next to it.
393 proxy_set_header X-Frame-Options SAMEORIGIN;
# Ask the upstream for uncompressed responses.
394 proxy_set_header Accept-Encoding "";
397 {%- elif vhost_type|lower() == "redirect" %}
# Redirect vhost: keeps the incoming scheme and the full request URI, replaces only the host.
# NOTE(review): in this plain-HTTP server $scheme is "http", so the redirect does not move the
# client to HTTPS.
399 return {{vhost_redirect_code}} $scheme://{{vhost_redirect_target_without_protocol}}$request_uri;
402 {%- if vhost_custom.vhost_custom != "" %}
# Operator-supplied snippet rendered verbatim into the server block; it is not validated here,
# so it must come from a trusted source.
407 {{ vhost_custom.vhost_custom | indent(width=4) }}
#############################
412 ### real config ends here ###
413 #############################
414 ### <maintenance part2>
# Evaluated per request: fires when "maintenance part1" left the switch at "1" (presumably by
# returning the 503 that error_page routes to @maintenance).
415 if ($maintenance = "1") {
418 ### </maintenance part2>