diff options
Diffstat (limited to 'puppet/templates/etc/nginx/domain.erb')
-rw-r--r-- | puppet/templates/etc/nginx/domain.erb | 172 |
1 files changed, 172 insertions, 0 deletions
diff --git a/puppet/templates/etc/nginx/domain.erb b/puppet/templates/etc/nginx/domain.erb new file mode 100644 index 0000000..4e9fa7d --- /dev/null +++ b/puppet/templates/etc/nginx/domain.erb @@ -0,0 +1,172 @@ +# <%= domain %> proxy config + +# Set the max size for file uploads +client_max_body_size 100M; + +# SNI Configuration +server { + listen 443 default; + server_name _; + ssl on; + ssl_certificate /etc/ssl/certs/blank.crt; + ssl_certificate_key /etc/ssl/private/blank.pem; + return 403; +} + +server { + # see config tips at + # http://blog.taragana.com/index.php/archive/nginx-hacking-tips/ + + # Don't log anything + access_log /dev/null; + error_log /dev/null; + + # simple reverse-proxy + listen 80; + server_name *.<%= domain %> <%= domain %> + + # enable HSTS header + add_header Strict-Transport-Security "max-age=15768000; includeSubdomains"; + + # https redirection by default + rewrite ^(.*) https://$host$1 redirect; + + # rewrite rules for backups.<%= domain %> + #if ($host ~* ^backups\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for admin.<%= domain %> + #if ($host ~* ^admin\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for munin.<%= domain %> + #if ($host ~* ^munin\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for trac.<%= domain %> + #if ($host ~* ^trac\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for nagios.<%= domain %> + #if ($host ~* ^nagios\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for htpasswd.<%= domain %> + #if ($host ~* ^htpasswd\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for postfixadmin.<%= domain %> + #if ($host ~* ^postfixadmin\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for mail.<%= domain %> + #if ($host ~* ^mail\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # rewrite rules for lists.<%= domain %> + #if ($host ~* ^lists\.<%= domain %>$) { + # rewrite ^(.*) https://$host$1 redirect; + # break; + #} + + # pass requests for dynamic content + location / { + proxy_set_header Host $http_host; + proxy_pass http://weblocal:80; + } + +} + +server { + # https reverse proxy + listen 443; + server_name *.<%= domain %> <%= domain %>; + + # Don't log anything + access_log /dev/null; + error_log /dev/null; + + ssl on; + ssl_certificate /etc/ssl/certs/cert.crt; + ssl_certificate_key /etc/ssl/private/cert.pem; + + ssl_session_timeout 5m; + + ssl_protocols SSLv3 TLSv1; + ssl_ciphers HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH; + ssl_prefer_server_ciphers on; + + # Set the max size for file uploads + client_max_body_size 100M; + + location / { + # preserve http header and set forwarded proto + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto https; + + proxy_read_timeout 120; + proxy_connect_timeout 120; + + # rewrite rules for admin.<%= domain %> + if ($host ~* ^admin\.<%= domain %>$) { + proxy_pass http://admin:80; + break; + } + + # rewrite rules for munin.<%= domain %> + if ($host ~* ^munin\.<%= domain %>$) { + proxy_pass http://admin:80; + break; + } + + # rewrite rules for trac.<%= domain %> + if ($host ~* ^trac\.<%= domain %>$) { + proxy_pass http://admin:80; + break; + } + + # rewrite rules for nagios.<%= domain %> + if ($host ~* ^nagios\.<%= domain %>$) { + proxy_pass http://admin:80; + break; + } + + # rewrite rules for postfixadmin.<%= domain %> + if ($host ~* ^postfixadmin\.<%= domain %>$) { + proxy_pass http://mail:80; + break; + } + + # rewrite rules for mail.<%= domain %> + if ($host ~* ^mail\.<%= domain %>$) { + proxy_pass http://mail:80; + break; + } + + # rewrite rules for lists.<%= domain %> + if ($host ~* ^lists\.<%= domain %>$) { + proxy_pass http://mail:80; + break; + } + + # default proxy pass + proxy_pass http://weblocal:80; + } + +} |