# ################################################ ### Managed by someone's ansible provisioner ### ################################################ # Part of: https://git.somenet.org/root/pub/somesible.git # 2017-2024 by someone # {% if vhost_custom.vhost_custom_pre_server != "" %} ############################### ### vhost_custom_pre_server ### ############################### {{ vhost_custom.vhost_custom_pre_server }} {% endif %} {% if vhost_cache_on %} proxy_cache_path /tmp/nginx_cachep_{{vhost_name}} levels=1:2 keys_zone=cachep_{{vhost_name}}:16m max_size=1g inactive=1440m use_temp_path=off; fastcgi_cache_path /tmp/nginx_cachef_{{vhost_name}} levels=1:2 keys_zone=cachef_{{vhost_name}}:16m max_size=1g inactive=1440m use_temp_path=off; {% endif %} {% if vhost_https_on %} server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name {{vhost_name}} {{vhost_aliases}} {{vhost_aliases_nocert}}; ssl_certificate /etc/ssl/letsencrypt/{{vhost_name}}/fullchain.pem; ssl_certificate_key /etc/ssl/letsencrypt/{{vhost_name}}/privkey.pem; ssl_certificate /etc/ssl/letsencrypt-rsa/{{vhost_name}}/fullchain.pem; ssl_certificate_key /etc/ssl/letsencrypt-rsa/{{vhost_name}}/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384; ssl_prefer_server_ciphers on; # ssl_dhparam /etc/nginx/dhparams.pem; ssl_session_cache shared:SSL:10m; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security "max-age=31536000" always; access_log /var/log/nginx/{{vhost_name}}-access.log; error_log /var/log/nginx/{{vhost_name}}-error.log; client_max_body_size 16G; fastcgi_buffers 64 4K; # fix 414 Request-URI Too Large. large_client_header_buffers 4 64k; {% if vhost_gzip_on %} ### gzip on; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_buffers 16 8k; gzip_http_version 1.1; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; ### {%- else %} ### gzip DISABLED! {%- endif %} {% if vhost_cache_on %} ### proxy_cache cachep_{{vhost_name}}; proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504; proxy_cache_background_update on; proxy_cache_revalidate on; # proxy_cache_key $scheme$proxy_host$request_uri; # proxy_cache_valid 200 302 60m; # proxy_cache_valid 301 90m; # proxy_cache_valid any 10m; fastcgi_cache cachef_{{vhost_name}}; fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503; fastcgi_cache_background_update on; fastcgi_cache_revalidate on; fastcgi_cache_key $request_uri; # fastcgi_cache_valid 200 302 60m; # fastcgi_cache_valid 301 90m; # fastcgi_cache_valid any 10m; add_header X-Cache-Status $upstream_cache_status always; ### {%- else %} ### cache DISABLED! {%- endif %} ### location ^~ /.well-known/acme-challenge { alias /var/www/html/dehydrated; } ### {%- if vhost_dotfile_protection %} ### location ~ /\.(?!well-known\/).* { return 404; } ### {%- else %} ### dotfile protection DISABLED! (not vhost_dotfile_protection) {%- endif %} ### location = /robots.txt { root /var/www/; try_files /{{vhost_name}}/$uri /html/$uri =404; } ### ### location ^~ /awstats-icon { alias /usr/share/awstats/icon/; auth_pam "awstats"; auth_pam_service_name "nginx-awstats"; access_log off; } location = /awstats.pl { root /usr/lib/cgi-bin/; auth_pam "awstats"; auth_pam_service_name "nginx-awstats"; access_log off; gzip off; include fastcgi_params; fastcgi_pass unix:/var/run/fcgiwrap.socket; fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/awstats.pl; } ### ### error_page 503 @maintenance; location @maintenance { default_type text/html; root /var/www; try_files /maintenance.html.{{vhost_name}} /maintenance.html /maintenance.html.dis =404; } set $maintenance "0"; if (-f "/var/www/maintenance.html") { set $maintenance "1"; } if (-f "/var/www/maintenance.html.{{vhost_name}}") { set $maintenance "1"; } {% for ip in vhost_maintenance_ips %} if ($remote_addr = "{{ip}}") { set $maintenance "0"; } {% endfor %} ### ############################### ### real config starts here ### ############################### {%- if vhost_type|lower() in ["php", "static"] %} root /var/www/{{vhost_name}}; location / { try_files $uri $uri/index.html $uri/ =404; } {%- if vhost_type|lower() == "static" %} # remove /index.html from path location ~ ^(.*/)index.html$ { rewrite ^(.*/)index.html$ $1 permanent; } # remote trailing slashes from path location ~ ^/(.*)/$ { rewrite ^/(.*)/$ /$1 permanent; } {%- elif vhost_type|lower() == "php" %} index index.php; location ~ \.php($|/.*) { if (!-f $document_root$fastcgi_script_name) { return 404; } include fastcgi_params; fastcgi_pass unix:/var/run/php/php-fpm.sock; fastcgi_param SCRIPT_FILENAME $request_filename; fastcgi_split_path_info ^(.+\.php)($|/.*); fastcgi_param PATH_INFO $fastcgi_path_info; } {% endif %} {%- elif vhost_type|lower() == "proxypass" %} root /var/www/{{vhost_name}}; location / { try_files $uri @proxy; } location @proxy { proxy_pass {{vhost_proxypass_target}}; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header Accept-Encoding ""; } {%- elif vhost_type|lower() == "redirect" %} return {{vhost_redirect_code}} $scheme://{{vhost_redirect_target_without_protocol}}$request_uri; {%- endif %} {%- if vhost_custom.vhost_custom != "" %} #################### ### vhost_custom ### #################### {{ vhost_custom.vhost_custom | indent(width=4) }} {%- endif %} ############################# ### real config ends here ### ############################# ### if ($maintenance = "1") { return 503; } ### } {% endif %} {% if vhost_http_on %} server { listen 80; listen [::]:80; server_name {{vhost_name}} {{vhost_aliases}} {{vhost_aliases_nocert}}; access_log /var/log/nginx/{{vhost_name}}-access.log; error_log /var/log/nginx/{{vhost_name}}-error.log; client_max_body_size 1025M; fastcgi_buffers 64 4K; # fix 414 Request-URI Too Large. large_client_header_buffers 4 64k; {% if vhost_cache_on %} ### proxy_cache cachep_{{vhost_name}}; proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504; proxy_cache_background_update on; proxy_cache_revalidate on; # proxy_cache_key $scheme$proxy_host$request_uri; # proxy_cache_valid 200 302 60m; # proxy_cache_valid 301 90m; # proxy_cache_valid any 10m; fastcgi_cache cachef_{{vhost_name}}; fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503; fastcgi_cache_background_update on; fastcgi_cache_revalidate on; fastcgi_cache_key $request_uri; # fastcgi_cache_valid 200 302 60m; # fastcgi_cache_valid 301 90m; # fastcgi_cache_valid any 10m; add_header X-Cache-Status $upstream_cache_status always; ### {%- else %} ### proxy_cache DISABLED! {%- endif %} ### location ^~ /.well-known/acme-challenge { alias /var/www/html/dehydrated; } ### {%- if vhost_dotfile_protection %} ### location ~ /\.(?!well-known\/).* { return 404; } ### {%- else %} ### dotfile protection DISABLED! (not vhost_dotfile_protection) {%- endif %} ### location = /robots.txt { root /var/www/; try_files /{{vhost_name}}/$uri /html/$uri =404; } ### ### location ^~ /awstats-icon { alias /usr/share/awstats/icon/; auth_pam "awstats"; auth_pam_service_name "nginx-awstats"; access_log off; } location = /awstats.pl { root /usr/lib/cgi-bin/; auth_pam "awstats"; auth_pam_service_name "nginx-awstats"; access_log off; gzip off; include fastcgi_params; fastcgi_pass unix:/var/run/fcgiwrap.socket; fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/awstats.pl; } ### ### error_page 503 @maintenance; location @maintenance { default_type text/html; root /var/www; try_files /maintenance.html.{{vhost_name}} /maintenance.html /maintenance.html.dis =404; } set $maintenance "0"; if (-f "/var/www/maintenance.html") { set $maintenance "1"; } if (-f "/var/www/maintenance.html.{{vhost_name}}") { set $maintenance "1"; } {% for ip in vhost_maintenance_ips %} if ($remote_addr = "{{ip}}") { set $maintenance "0"; } {% endfor %} ### ############################### ### real config starts here ### ############################### {%- if vhost_type|lower() in ["php", "static"] %} root /var/www/{{vhost_name}}; location / { try_files $uri $uri/index.html $uri/ =404; } {%- if vhost_type|lower() == "static" %} # remove /index.html from path location ~ ^(.*/)index.html$ { rewrite ^(.*/)index.html$ $1 permanent; } # remote trailing slashes from path location ~ ^/(.*)/$ { rewrite ^/(.*)/$ /$1 permanent; } {%- elif vhost_type|lower() == "php" %} index index.php; location ~ \.php($|/.*) { if (!-f $document_root$fastcgi_script_name) { return 404; } include fastcgi_params; fastcgi_pass unix:/var/run/php/php-fpm.sock; fastcgi_param SCRIPT_FILENAME $request_filename; fastcgi_split_path_info ^(.+\.php)($|/.*); fastcgi_param PATH_INFO $fastcgi_path_info; } {% endif %} {%- elif vhost_type|lower() == "proxypass" %} root /var/www/{{vhost_name}}; location / { try_files $uri @proxy; } location @proxy { proxy_pass {{vhost_proxypass_target}}; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header Accept-Encoding ""; } {%- elif vhost_type|lower() == "redirect" %} return {{vhost_redirect_code}} $scheme://{{vhost_redirect_target_without_protocol}}$request_uri; {%- endif %} {%- if vhost_custom.vhost_custom != "" %} #################### ### vhost_custom ### #################### {{ vhost_custom.vhost_custom | indent(width=4) }} {%- endif %} ############################# ### real config ends here ### ############################# ### if ($maintenance = "1") { return 503; } ### } {% endif %}