aboutsummaryrefslogtreecommitdiff
path: root/puppet/templates/etc/nginx/domain.erb
blob: 4e9fa7dcf3e4024e00f2aaa7f1c09997f1218523 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
# <%= domain %> proxy config

# Set the max size for file uploads
client_max_body_size 100M;

# SNI Configuration
server {
  listen              443 default;
  server_name         _;
  ssl                 on;
  ssl_certificate     /etc/ssl/certs/blank.crt;
  ssl_certificate_key /etc/ssl/private/blank.pem;
  return              403;
}

server {
  # see config tips at
  # http://blog.taragana.com/index.php/archive/nginx-hacking-tips/

  # Don't log anything
  access_log /dev/null;
  error_log  /dev/null;

  # simple reverse-proxy
  listen       80;
  server_name  *.<%= domain %> <%= domain %>

  # enable HSTS header
  add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";

  # https redirection by default
  rewrite ^(.*)      https://$host$1 redirect;

  # rewrite rules for backups.<%= domain %>
  #if ($host ~* ^backups\.<%= domain %>$) {
  #  rewrite ^(.*)    https://$host$1 redirect;
  #  break;
  #}

  # rewrite rules for admin.<%= domain %>
  #if ($host ~* ^admin\.<%= domain %>$) {
  #  rewrite ^(.*)    https://$host$1 redirect;
  #  break;
  #}

  # rewrite rules for munin.<%= domain %>
  #if ($host ~* ^munin\.<%= domain %>$) {
  #  rewrite ^(.*)    https://$host$1 redirect;
  #  break;
  #}

  # rewrite rules for trac.<%= domain %>
  #if ($host ~* ^trac\.<%= domain %>$) {
  #  rewrite ^(.*)    https://$host$1 redirect;
  #  break;
  #}

  # rewrite rules for nagios.<%= domain %>
  #if ($host ~* ^nagios\.<%= domain %>$) {
  #  rewrite ^(.*)    https://$host$1 redirect;
  #  break;
  #}

  # rewrite rules for htpasswd.<%= domain %>
  #if ($host ~* ^htpasswd\.<%= domain %>$) {
  #  rewrite ^(.*)    https://$host$1 redirect;
  #  break;
  #}

  # rewrite rules for postfixadmin.<%= domain %>
  #if ($host ~* ^postfixadmin\.<%= domain %>$) {
  #  rewrite ^(.*)    https://$host$1 redirect;
  #  break;
  #}

  # rewrite rules for mail.<%= domain %>
  #if ($host ~* ^mail\.<%= domain %>$) {
  #  rewrite ^(.*)    https://$host$1 redirect;
  #  break;
  #}

  # rewrite rules for lists.<%= domain %>
  #if ($host ~* ^lists\.<%= domain %>$) {
  #  rewrite ^(.*)    https://$host$1 redirect;
  #  break;
  #}

  # pass requests for dynamic content
  location / {
    proxy_set_header Host $http_host;
    proxy_pass       http://weblocal:80;
  }

}

server {
  # https reverse proxy
  listen      443;
  server_name *.<%= domain %> <%= domain %>;

  # Don't log anything
  access_log /dev/null;
  error_log  /dev/null;

  ssl on;
  ssl_certificate     /etc/ssl/certs/cert.crt;
  ssl_certificate_key /etc/ssl/private/cert.pem;

  ssl_session_timeout 5m;

  ssl_protocols SSLv3 TLSv1;
  ssl_ciphers HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH;
  ssl_prefer_server_ciphers on;

  # Set the max size for file uploads
  client_max_body_size 100M;

  location / {
    # preserve http header and set forwarded proto
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto https;  

    proxy_read_timeout 120;
    proxy_connect_timeout 120;

    # rewrite rules for admin.<%= domain %>
    if ($host ~* ^admin\.<%= domain %>$) {
      proxy_pass       http://admin:80;
      break;
    }

    # rewrite rules for munin.<%= domain %>
    if ($host ~* ^munin\.<%= domain %>$) {
      proxy_pass       http://admin:80;
      break;
    }

    # rewrite rules for trac.<%= domain %>
    if ($host ~* ^trac\.<%= domain %>$) {
      proxy_pass       http://admin:80;
      break;
    }

    # rewrite rules for nagios.<%= domain %>
    if ($host ~* ^nagios\.<%= domain %>$) {
      proxy_pass       http://admin:80;
      break;
    }

    # rewrite rules for postfixadmin.<%= domain %>
    if ($host ~* ^postfixadmin\.<%= domain %>$) {
      proxy_pass       http://mail:80;
      break;
    }

    # rewrite rules for mail.<%= domain %>
    if ($host ~* ^mail\.<%= domain %>$) {
      proxy_pass       http://mail:80;
      break;
    }

    # rewrite rules for lists.<%= domain %>
    if ($host ~* ^lists\.<%= domain %>$) {
      proxy_pass       http://mail:80;
      break;
    }

    # default proxy pass
    proxy_pass       http://weblocal:80;
  }

}