2 ################################################
3 ### Managed by someone's ansible provisioner ###
4 ################################################
5 # Part of: https://git.somenet.org/root/pub/somesible.git
6 # 2017-2024 by someone <someone@somenet.org>
# Optional site-specific nginx configuration, rendered verbatim when the variable is non-empty.
# NOTE(review): the template applies no escaping or validation to this value, so whoever can set
# it controls the generated nginx configuration; it should only come from trusted inventory.
9 {% if vhost_custom.vhost_custom_pre_server != "" %}
11 ###############################
12 ### vhost_custom_pre_server ###
13 ###############################
14 {{ vhost_custom.vhost_custom_pre_server }}
18 {% if vhost_cache_on %}
# Per-vhost on-disk caches for proxied and FastCGI responses: 16m key zone, 1g maximum size,
# entries removed after 1440 minutes without access.
# NOTE(review): both cache directories sit under /tmp with predictable names. Where /tmp is
# shared with other local accounts (nginx not running with a private tmp), another user could
# pre-create or read these paths. A dedicated directory owned by the nginx user avoids that
# (placeholder: /var/cache/nginx/VHOST) - confirm how the service is sandboxed.
19 proxy_cache_path /tmp/nginx_cachep_{{vhost_name}} levels=1:2 keys_zone=cachep_{{vhost_name}}:16m max_size=1g inactive=1440m use_temp_path=off;
20 fastcgi_cache_path /tmp/nginx_cachef_{{vhost_name}} levels=1:2 keys_zone=cachef_{{vhost_name}}:16m max_size=1g inactive=1440m use_temp_path=off;
23 {% if vhost_https_on %}
# HTTPS listener for this vhost, rendered only when vhost_https_on is set.
26 listen [::]:443 ssl http2;
# Names this block answers for: the primary name plus both alias variables.
27 server_name {{vhost_name}} {{vhost_aliases}} {{vhost_aliases_nocert}};
# Two certificate/key pairs are loaded from separate directories so nginx can serve more than
# one key type. The second directory name indicates RSA; the first is presumably ECDSA - confirm
# against the certificate issuance role.
29 ssl_certificate /etc/ssl/letsencrypt/{{vhost_name}}/fullchain.pem;
30 ssl_certificate_key /etc/ssl/letsencrypt/{{vhost_name}}/privkey.pem;
31 ssl_certificate /etc/ssl/letsencrypt-rsa/{{vhost_name}}/fullchain.pem;
32 ssl_certificate_key /etc/ssl/letsencrypt-rsa/{{vhost_name}}/privkey.pem;
# Only TLS 1.2 and TLS 1.3 are offered.
33 ssl_protocols TLSv1.2 TLSv1.3;
# OpenSSL cipher list for TLS 1.2: HIGH minus anonymous suites and minus suites selected by the
# MD5, SHA1, SHA256 and SHA384 keywords, which should leave only AEAD suites - verify the
# effective list with "openssl ciphers -v". TLS 1.3 suites are not governed by this directive.
34 ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384;
35 ssl_prefer_server_ciphers on;
# No custom DH parameters are loaded while this stays commented out.
36 # ssl_dhparam /etc/nginx/dhparams.pem;
# TLS session cache shared between worker processes (10m zone named SSL).
37 ssl_session_cache shared:SSL:10m;
# Stapled OCSP responses are verified. This depends on stapling itself, a resolver and a trust
# chain being configured, none of which is visible in this listing - confirm.
39 ssl_stapling_verify on;
# HSTS for one year, sent on every response code ("always"); includeSubDomains is not set.
# NOTE(review): nginx inherits add_header from this level only into locations that declare no
# add_header of their own, so custom location blocks must repeat this header to keep it.
40 add_header Strict-Transport-Security "max-age=31536000" always;
42 access_log /var/log/nginx/{{vhost_name}}-access.log;
43 error_log /var/log/nginx/{{vhost_name}}-error.log;
# NOTE(review): request bodies up to 16G are accepted here, while the second server block in
# this template caps at 1025M. Confirm the difference is intended and that temporary storage for
# buffered uploads is sized for it.
45 client_max_body_size 16G;
46 fastcgi_buffers 64 4K;
47 # fix 414 Request-URI Too Large.
48 large_client_header_buffers 4 64k;
50 {% if vhost_gzip_on %}
# Response compression for the listed MIME types (further gzip settings are not visible in this
# listing).
# NOTE(review): compressing TLS responses that combine secrets (tokens, session data) with
# request-reflected content is the precondition for compression side channels such as BREACH.
# Confirm that the dynamic content served through this vhost is acceptable to compress.
57 gzip_http_version 1.1;
58 gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
64 {% if vhost_cache_on %}
# Proxy cache: uses the per-vhost zone and may serve stale entries on upstream errors, timeouts
# and while an entry is being refreshed in the background.
66 proxy_cache cachep_{{vhost_name}};
67 proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
68 proxy_cache_background_update on;
69 proxy_cache_revalidate on;
# The commented key below equals nginx's built-in default for proxy_cache_key. With every
# proxy_cache_valid line commented out, cache lifetime is decided by the upstream's own caching
# headers.
70 # proxy_cache_key $scheme$proxy_host$request_uri;
71 # proxy_cache_valid 200 302 60m;
72 # proxy_cache_valid 301 90m;
73 # proxy_cache_valid any 10m;
# FastCGI cache with the same stale-serving policy (http_502 and http_504 are not listed here).
75 fastcgi_cache cachef_{{vhost_name}};
76 fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
77 fastcgi_cache_background_update on;
78 fastcgi_cache_revalidate on;
# NOTE(review): the key is the request URI alone - no scheme and no host. The same cachef zone is
# also used by the second server block in this template and server_name lists several aliases,
# so a response generated for one scheme or hostname can be replayed for another. If the
# application emits host- or scheme-dependent output (absolute URLs, redirects), a key such as
# $scheme$host$request_uri keeps those entries apart.
79 fastcgi_cache_key $request_uri;
80 # fastcgi_cache_valid 200 302 60m;
81 # fastcgi_cache_valid 301 90m;
82 # fastcgi_cache_valid any 10m;
# Exposes the cache result (HIT, MISS, ...) to clients on every response code.
84 add_header X-Cache-Status $upstream_cache_status always;
# ACME HTTP-01 challenge files are served from the dehydrated directory. The "^~" modifier stops
# regex locations, including the dotfile rule below, from being consulted for this prefix.
# NOTE(review): neither the prefix nor the alias ends in a slash, so any request path that merely
# starts with this prefix is mapped onto a sibling name of the alias directory; a trailing slash
# on both sides limits the mapping to the challenge directory itself.
91 location ^~ /.well-known/acme-challenge {
92 alias /var/www/html/dehydrated;
95 {%- if vhost_dotfile_protection %}
97 ### <dotfile protection>
# Matches any path segment that starts with a dot, except paths under /.well-known/ (negative
# lookahead). The body of this location is not visible in this listing - presumably it denies
# access; confirm.
98 location ~ /\.(?!well-known\/).* {
101 ### </dotfile protection>
# Marker emitted when the protection is switched off. In that state hidden files such as VCS
# metadata or environment files are served like any other file if they exist under the
# document root.
104 ### dotfile protection DISABLED! (not vhost_dotfile_protection)
# robots.txt: a per-vhost file is tried first, then a shared one under /html, else 404. The
# root these paths are resolved against is not visible in this listing.
108 location = /robots.txt {
110 try_files /{{vhost_name}}/$uri /html/$uri =404;
# AWStats icons, tied to the "nginx-awstats" PAM service (the directive that enables PAM auth is
# not visible in this listing).
# NOTE(review): a location prefix without a trailing slash paired with an alias that has one is
# the mismatch nginx configuration linters flag, because request paths can then resolve one
# level above the alias directory. Writing the prefix as /awstats-icon/ closes that gap.
114 location ^~ /awstats-icon {
115 alias /usr/share/awstats/icon/;
117 auth_pam_service_name "nginx-awstats";
# AWStats CGI, exact-match location only, run through fcgiwrap. SCRIPT_FILENAME is a fixed path
# and is not derived from the request.
120 location = /awstats.pl {
121 root /usr/lib/cgi-bin/;
123 auth_pam_service_name "nginx-awstats";
127 include fastcgi_params;
128 fastcgi_pass unix:/var/run/fcgiwrap.socket;
129 fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/awstats.pl;
132 ### <maintenance part1>
# 503 responses are rendered by the named location below, which serves the first maintenance
# page that exists (per-vhost, global, then the ".dis" variant).
133 error_page 503 @maintenance;
134 location @maintenance {
135 default_type text/html;
137 try_files /maintenance.html.{{vhost_name}} /maintenance.html /maintenance.html.dis =404;
# Maintenance flag: set when either the global or the per-vhost marker file exists under
# /var/www.
139 set $maintenance "0";
140 if (-f "/var/www/maintenance.html") {
141 set $maintenance "1";
143 if (-f "/var/www/maintenance.html.{{vhost_name}}") {
144 set $maintenance "1";
# Listed addresses bypass maintenance mode. The test is an exact string comparison against
# $remote_addr, i.e. the TCP peer unless a realip configuration rewrites it; behind a proxy or
# load balancer every client would share one address - TODO confirm for this deployment.
146 {% for ip in vhost_maintenance_ips %}
147 if ($remote_addr = "{{ip}}") {
148 set $maintenance "0";
151 ### </maintenance part1>
153 ###############################
154 ### real config starts here ###
155 ###############################
156 {%- if vhost_type|lower() in ["php", "static"] %}
# php and static vhosts serve files from a document root named after the vhost; a request is
# answered with the file, the directory's index.html, or the directory, else 404.
158 root /var/www/{{vhost_name}};
160 try_files $uri $uri/index.html $uri/ =404;
163 {%- if vhost_type|lower() == "static" %}
# Canonical URLs for static sites: both rules answer with a permanent redirect built from the
# matched request path.
165 # remove /index.html from path
166 location ~ ^(.*/)index.html$ {
167 rewrite ^(.*/)index.html$ $1 permanent;
170 # remove trailing slashes from path
171 location ~ ^/(.*)/$ {
172 rewrite ^/(.*)/$ /$1 permanent;
175 {%- elif vhost_type|lower() == "php" %}
# Requests whose path contains ".php" followed by end-of-path or "/" are handed to PHP-FPM.
179 location ~ \.php($|/.*) {
# Checks that the script part of the path (as split by fastcgi_split_path_info below) is an
# existing regular file. The body of this "if" is not visible in this listing - presumably it
# rejects the request; confirm.
180 if (!-f $document_root$fastcgi_script_name) {
184 include fastcgi_params;
185 fastcgi_pass unix:/var/run/php/php-fpm.sock;
# NOTE(review): $request_filename is built from the whole request URI, so for a URI carrying
# trailing path info it differs from the $document_root$fastcgi_script_name path checked above.
# Passing the checked path as SCRIPT_FILENAME keeps the verified file and the file PHP is told
# to run identical. Also confirm cgi.fix_pathinfo and security.limit_extensions on the PHP-FPM
# side.
186 fastcgi_param SCRIPT_FILENAME $request_filename;
# Splits the URI into script name (up to and including ".php") and trailing path info.
188 fastcgi_split_path_info ^(.+\.php)($|/.*);
189 fastcgi_param PATH_INFO $fastcgi_path_info;
193 {%- elif vhost_type|lower() == "proxypass" %}
# Files that exist under the vhost's document root are served directly; everything else goes to
# the @proxy named location. Anything placed in that directory is therefore answered without
# reaching the upstream application or its access checks.
195 root /var/www/{{vhost_name}};
197 try_files $uri @proxy;
200 proxy_pass {{vhost_proxypass_target}};
# HTTP/1.1 with Upgrade/Connection forwarding for WebSocket-style upgrades; $connection_upgrade
# has to be defined by a map outside this template section (not visible here).
201 proxy_http_version 1.1;
202 proxy_set_header Upgrade $http_upgrade;
203 proxy_set_header Connection $connection_upgrade;
# NOTE(review): $http_host forwards the client-supplied Host header unchanged. The upstream
# should not build links or security decisions from it unless this server block is guaranteed
# to receive only the names in server_name; $host is the normalised alternative.
204 proxy_set_header Host $http_host;
# X-Real-IP carries the TCP peer address. X-Forwarded-For appends that address to whatever the
# client already sent, so the upstream should trust only the last entry.
205 proxy_set_header X-Real-IP $remote_addr;
206 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
207 proxy_set_header X-Forwarded-Proto $scheme;
# NOTE(review): proxy_set_header adds a request header towards the upstream. X-Frame-Options is
# a response header that browsers evaluate, so this line gives clients no framing protection;
# add_header X-Frame-Options SAMEORIGIN always; would set it on responses, if that was the
# intent.
208 proxy_set_header X-Frame-Options SAMEORIGIN;
# An empty value makes nginx omit the header, so the upstream is asked for uncompressed
# responses.
209 proxy_set_header Accept-Encoding "";
212 {%- elif vhost_type|lower() == "redirect" %}
# Redirect vhosts answer with the configured status code, keeping the client's scheme and the
# original path and query. The target host comes from inventory, not from the request.
214 return {{vhost_redirect_code}} $scheme://{{vhost_redirect_target_without_protocol}}$request_uri;
217 {%- if vhost_custom.vhost_custom != "" %}
# Site-specific directives rendered verbatim (indented by four spaces). The template does not
# validate them, so this variable should only come from trusted inventory.
222 {{ vhost_custom.vhost_custom | indent(width=4) }}
226 #############################
227 ### real config ends here ###
228 #############################
229 ### <maintenance part2>
# Acts on the flag computed in maintenance part1. The body of this "if" is not visible in this
# listing - presumably it returns 503 so that error_page serves the maintenance page; confirm.
230 if ($maintenance = "1") {
233 ### </maintenance part2>
237 {% if vhost_http_on %}
# Second server block, rendered when vhost_http_on is set; its listen lines are not visible in
# this listing.
# NOTE(review): the visible lines of this block contain no TLS or HSTS directives and repeat
# the same locations as the HTTPS block instead of redirecting to it. If the block listens on
# cleartext HTTP, confirm that serving content this way is intended for each vhost.
241 server_name {{vhost_name}} {{vhost_aliases}} {{vhost_aliases_nocert}};
243 access_log /var/log/nginx/{{vhost_name}}-access.log;
244 error_log /var/log/nginx/{{vhost_name}}-error.log;
# The body limit here is 1025M, while the HTTPS block of this template allows 16G.
246 client_max_body_size 1025M;
247 fastcgi_buffers 64 4K;
248 # fix 414 Request-URI Too Large.
249 large_client_header_buffers 4 64k;
251 {% if vhost_cache_on %}
# Proxy cache: uses the per-vhost zone and may serve stale entries on upstream errors, timeouts
# and while an entry is being refreshed in the background.
253 proxy_cache cachep_{{vhost_name}};
254 proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
255 proxy_cache_background_update on;
256 proxy_cache_revalidate on;
# The commented key below equals nginx's built-in default for proxy_cache_key. With every
# proxy_cache_valid line commented out, cache lifetime is decided by the upstream's own caching
# headers.
257 # proxy_cache_key $scheme$proxy_host$request_uri;
258 # proxy_cache_valid 200 302 60m;
259 # proxy_cache_valid 301 90m;
260 # proxy_cache_valid any 10m;
# FastCGI cache with the same stale-serving policy (http_502 and http_504 are not listed here).
262 fastcgi_cache cachef_{{vhost_name}};
263 fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
264 fastcgi_cache_background_update on;
265 fastcgi_cache_revalidate on;
# NOTE(review): the key is the request URI alone - no scheme and no host - and this zone name is
# the same one the HTTPS block of this template uses. An entry stored through one scheme or
# alias can therefore be served through another; include $scheme and $host in the key if the
# application's output depends on either.
266 fastcgi_cache_key $request_uri;
267 # fastcgi_cache_valid 200 302 60m;
268 # fastcgi_cache_valid 301 90m;
269 # fastcgi_cache_valid any 10m;
# Exposes the cache result (HIT, MISS, ...) to clients on every response code.
271 add_header X-Cache-Status $upstream_cache_status always;
# Marker emitted in the branch where caching is switched off.
274 ### proxy_cache DISABLED!
# ACME HTTP-01 challenge files are served from the dehydrated directory. The "^~" modifier stops
# regex locations, including the dotfile rule below, from being consulted for this prefix.
# NOTE(review): neither the prefix nor the alias ends in a slash, so any request path that merely
# starts with this prefix is mapped onto a sibling name of the alias directory; a trailing slash
# on both sides limits the mapping to the challenge directory itself.
278 location ^~ /.well-known/acme-challenge {
279 alias /var/www/html/dehydrated;
282 {%- if vhost_dotfile_protection %}
284 ### <dotfile protection>
# Matches any path segment that starts with a dot, except paths under /.well-known/ (negative
# lookahead). The body of this location is not visible in this listing - presumably it denies
# access; confirm.
285 location ~ /\.(?!well-known\/).* {
288 ### </dotfile protection>
# Marker emitted when the protection is switched off. In that state hidden files such as VCS
# metadata or environment files are served like any other file if they exist under the
# document root.
291 ### dotfile protection DISABLED! (not vhost_dotfile_protection)
# robots.txt: a per-vhost file is tried first, then a shared one under /html, else 404. The
# root these paths are resolved against is not visible in this listing.
295 location = /robots.txt {
297 try_files /{{vhost_name}}/$uri /html/$uri =404;
# AWStats icons, tied to the "nginx-awstats" PAM service (the directive that enables PAM auth is
# not visible in this listing).
# NOTE(review): a location prefix without a trailing slash paired with an alias that has one is
# the mismatch nginx configuration linters flag, because request paths can then resolve one
# level above the alias directory. Writing the prefix as /awstats-icon/ closes that gap.
301 location ^~ /awstats-icon {
302 alias /usr/share/awstats/icon/;
304 auth_pam_service_name "nginx-awstats";
# AWStats CGI, exact-match location only, run through fcgiwrap with a fixed SCRIPT_FILENAME.
# NOTE(review): PAM authentication in nginx is carried as HTTP Basic credentials. If this server
# block is reachable over cleartext HTTP, those account passwords cross the network
# unencrypted; consider exposing AWStats only through the HTTPS block.
307 location = /awstats.pl {
308 root /usr/lib/cgi-bin/;
310 auth_pam_service_name "nginx-awstats";
314 include fastcgi_params;
315 fastcgi_pass unix:/var/run/fcgiwrap.socket;
316 fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/awstats.pl;
319 ### <maintenance part1>
# 503 responses are rendered by the named location below, which serves the first maintenance
# page that exists (per-vhost, global, then the ".dis" variant).
320 error_page 503 @maintenance;
321 location @maintenance {
322 default_type text/html;
324 try_files /maintenance.html.{{vhost_name}} /maintenance.html /maintenance.html.dis =404;
# Maintenance flag: set when either the global or the per-vhost marker file exists under
# /var/www.
326 set $maintenance "0";
327 if (-f "/var/www/maintenance.html") {
328 set $maintenance "1";
330 if (-f "/var/www/maintenance.html.{{vhost_name}}") {
331 set $maintenance "1";
# Listed addresses bypass maintenance mode. The test is an exact string comparison against
# $remote_addr, i.e. the TCP peer unless a realip configuration rewrites it; behind a proxy or
# load balancer every client would share one address - TODO confirm for this deployment.
333 {% for ip in vhost_maintenance_ips %}
334 if ($remote_addr = "{{ip}}") {
335 set $maintenance "0";
338 ### </maintenance part1>
340 ###############################
341 ### real config starts here ###
342 ###############################
343 {%- if vhost_type|lower() in ["php", "static"] %}
# php and static vhosts serve files from a document root named after the vhost; a request is
# answered with the file, the directory's index.html, or the directory, else 404.
345 root /var/www/{{vhost_name}};
347 try_files $uri $uri/index.html $uri/ =404;
350 {%- if vhost_type|lower() == "static" %}
# Canonical URLs for static sites: both rules answer with a permanent redirect built from the
# matched request path.
352 # remove /index.html from path
353 location ~ ^(.*/)index.html$ {
354 rewrite ^(.*/)index.html$ $1 permanent;
357 # remove trailing slashes from path
358 location ~ ^/(.*)/$ {
359 rewrite ^/(.*)/$ /$1 permanent;
362 {%- elif vhost_type|lower() == "php" %}
# Requests whose path contains ".php" followed by end-of-path or "/" are handed to PHP-FPM.
366 location ~ \.php($|/.*) {
# Checks that the script part of the path (as split by fastcgi_split_path_info below) is an
# existing regular file. The body of this "if" is not visible in this listing - presumably it
# rejects the request; confirm.
367 if (!-f $document_root$fastcgi_script_name) {
371 include fastcgi_params;
372 fastcgi_pass unix:/var/run/php/php-fpm.sock;
# NOTE(review): $request_filename is built from the whole request URI, so for a URI carrying
# trailing path info it differs from the $document_root$fastcgi_script_name path checked above.
# Passing the checked path as SCRIPT_FILENAME keeps the verified file and the file PHP is told
# to run identical. Also confirm cgi.fix_pathinfo and security.limit_extensions on the PHP-FPM
# side.
373 fastcgi_param SCRIPT_FILENAME $request_filename;
# Splits the URI into script name (up to and including ".php") and trailing path info.
375 fastcgi_split_path_info ^(.+\.php)($|/.*);
376 fastcgi_param PATH_INFO $fastcgi_path_info;
380 {%- elif vhost_type|lower() == "proxypass" %}
# Files that exist under the vhost's document root are served directly; everything else goes to
# the @proxy named location. Anything placed in that directory is therefore answered without
# reaching the upstream application or its access checks.
382 root /var/www/{{vhost_name}};
384 try_files $uri @proxy;
387 proxy_pass {{vhost_proxypass_target}};
# HTTP/1.1 with Upgrade/Connection forwarding for WebSocket-style upgrades; $connection_upgrade
# has to be defined by a map outside this template section (not visible here).
388 proxy_http_version 1.1;
389 proxy_set_header Upgrade $http_upgrade;
390 proxy_set_header Connection $connection_upgrade;
# NOTE(review): $http_host forwards the client-supplied Host header unchanged. The upstream
# should not build links or security decisions from it unless this server block is guaranteed
# to receive only the names in server_name; $host is the normalised alternative.
391 proxy_set_header Host $http_host;
# X-Real-IP carries the TCP peer address. X-Forwarded-For appends that address to whatever the
# client already sent, so the upstream should trust only the last entry. X-Forwarded-Proto
# reports the scheme of this server block.
392 proxy_set_header X-Real-IP $remote_addr;
393 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
394 proxy_set_header X-Forwarded-Proto $scheme;
# NOTE(review): proxy_set_header adds a request header towards the upstream. X-Frame-Options is
# a response header that browsers evaluate, so this line gives clients no framing protection;
# add_header X-Frame-Options SAMEORIGIN always; would set it on responses, if that was the
# intent.
395 proxy_set_header X-Frame-Options SAMEORIGIN;
# An empty value makes nginx omit the header, so the upstream is asked for uncompressed
# responses.
396 proxy_set_header Accept-Encoding "";
399 {%- elif vhost_type|lower() == "redirect" %}
# Redirect vhosts answer with the configured status code, keeping the client's scheme and the
# original path and query. The target host comes from inventory, not from the request.
# NOTE(review): because $scheme is preserved, a request arriving over plain HTTP is redirected
# to an http:// URL and is not upgraded to HTTPS.
401 return {{vhost_redirect_code}} $scheme://{{vhost_redirect_target_without_protocol}}$request_uri;
404 {%- if vhost_custom.vhost_custom != "" %}
# Site-specific directives rendered verbatim (indented by four spaces). The template does not
# validate them, so this variable should only come from trusted inventory.
409 {{ vhost_custom.vhost_custom | indent(width=4) }}
413 #############################
414 ### real config ends here ###
415 #############################
416 ### <maintenance part2>
# Acts on the flag computed in maintenance part1. The body of this "if" is not visible in this
# listing - presumably it returns 503 so that error_page serves the maintenance page; confirm.
417 if ($maintenance = "1") {
420 ### </maintenance part2>