summaryrefslogtreecommitdiff
path: root/puppet/templates/etc/nginx/domain.erb
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/templates/etc/nginx/domain.erb')
-rw-r--r--puppet/templates/etc/nginx/domain.erb172
1 files changed, 172 insertions, 0 deletions
diff --git a/puppet/templates/etc/nginx/domain.erb b/puppet/templates/etc/nginx/domain.erb
new file mode 100644
index 0000000..4e9fa7d
--- /dev/null
+++ b/puppet/templates/etc/nginx/domain.erb
@@ -0,0 +1,172 @@
+# <%= domain %> proxy config
+
+# Set the max size for file uploads
+client_max_body_size 100M;
+
+# SNI Configuration
+server {
+ listen 443 default;
+ server_name _;
+ ssl on;
+ ssl_certificate /etc/ssl/certs/blank.crt;
+ ssl_certificate_key /etc/ssl/private/blank.pem;
+ return 403;
+}
+
+server {
+ # see config tips at
+ # http://blog.taragana.com/index.php/archive/nginx-hacking-tips/
+
+ # Don't log anything
+ access_log /dev/null;
+ error_log /dev/null;
+
+ # simple reverse-proxy
+ listen 80;
+ server_name *.<%= domain %> <%= domain %>
+
+ # enable HSTS header
+ add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
+
+ # https redirection by default
+ rewrite ^(.*) https://$host$1 redirect;
+
+ # rewrite rules for backups.<%= domain %>
+ #if ($host ~* ^backups\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for admin.<%= domain %>
+ #if ($host ~* ^admin\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for munin.<%= domain %>
+ #if ($host ~* ^munin\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for trac.<%= domain %>
+ #if ($host ~* ^trac\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for nagios.<%= domain %>
+ #if ($host ~* ^nagios\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for htpasswd.<%= domain %>
+ #if ($host ~* ^htpasswd\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for postfixadmin.<%= domain %>
+ #if ($host ~* ^postfixadmin\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for mail.<%= domain %>
+ #if ($host ~* ^mail\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for lists.<%= domain %>
+ #if ($host ~* ^lists\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # pass requests for dynamic content
+ location / {
+ proxy_set_header Host $http_host;
+ proxy_pass http://weblocal:80;
+ }
+
+}
+
+server {
+ # https reverse proxy
+ listen 443;
+ server_name *.<%= domain %> <%= domain %>;
+
+ # Don't log anything
+ access_log /dev/null;
+ error_log /dev/null;
+
+ ssl on;
+ ssl_certificate /etc/ssl/certs/cert.crt;
+ ssl_certificate_key /etc/ssl/private/cert.pem;
+
+ ssl_session_timeout 5m;
+
+ ssl_protocols SSLv3 TLSv1;
+ ssl_ciphers HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH;
+ ssl_prefer_server_ciphers on;
+
+ # Set the max size for file uploads
+ client_max_body_size 100M;
+
+ location / {
+ # preserve http header and set forwarded proto
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Proto https;
+
+ proxy_read_timeout 120;
+ proxy_connect_timeout 120;
+
+ # rewrite rules for admin.<%= domain %>
+ if ($host ~* ^admin\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for munin.<%= domain %>
+ if ($host ~* ^munin\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for trac.<%= domain %>
+ if ($host ~* ^trac\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for nagios.<%= domain %>
+ if ($host ~* ^nagios\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for postfixadmin.<%= domain %>
+ if ($host ~* ^postfixadmin\.<%= domain %>$) {
+ proxy_pass http://mail:80;
+ break;
+ }
+
+ # rewrite rules for mail.<%= domain %>
+ if ($host ~* ^mail\.<%= domain %>$) {
+ proxy_pass http://mail:80;
+ break;
+ }
+
+ # rewrite rules for lists.<%= domain %>
+ if ($host ~* ^lists\.<%= domain %>$) {
+ proxy_pass http://mail:80;
+ break;
+ }
+
+ # default proxy pass
+ proxy_pass http://weblocal:80;
+ }
+
+}