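#### # {{ ansible_managed }} ####
{#
  nginx virtual-host template, rendered once per `item` (one vhost definition
  from the play's variables). The empty `{% block %}`s are extension points for
  child templates; their names are part of this template's interface.

  Keys read from `item`: name, proto, listen, http2, ssl_name, max_upload,
  htpasswd, use_access_log, use_error_log, nginx_error_log_level, headers,
  secure_site, referrer, header_sameorigin, nginx_HSTS_policy, csp, cto, xss,
  robots, custom_locations, letsencrypt, more, www, redirect_https.
  Other names used: ansible_managed, nginx_default_vhost, nginx_ssl_dir,
  nginx_log_dir, letsencrypt_webroot_path, and the `htpasswd` macro, which is
  defined outside this file.
#}
{% block extra_upstreams %}
{% endblock %}

{% block server_info %}
## SERVER INFO
server {
    {# item.name is either a single name or a list of names #}
    server_name {% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(' ') }}{% endif %};
{% if item.proto == 'http' %}
    listen {{ item.listen }}{% if nginx_default_vhost == item.name %} default_server{% endif %};
{% endif %}
{% if item.proto == 'https' %}
    listen {{ item.listen }} ssl{% if item.http2 is defined %} http2{% endif %};
    ssl_certificate {{ nginx_ssl_dir }}/{{ item.ssl_name }}/fullchain.pem;
    ssl_certificate_key {{ nginx_ssl_dir }}/{{ item.ssl_name }}/privkey.pem;
{% endif %}
    {# do not advertise the nginx version in the Server header and error pages #}
    server_tokens off;
{% if item.max_upload is defined %}
    client_max_body_size {{ item.max_upload }};
{% endif %}
{# Basic auth is independent of max_upload. This check used to be nested
   inside the max_upload one, so a vhost with htpasswd but without max_upload
   was rendered without any authentication. #}
{% if item.htpasswd is defined %}
    {{ htpasswd(item.htpasswd, 1) }}
{% endif %}
{% endblock %}

{% block root %}
{% endblock %}

{% block logs %}
    ## LOGS
    {# both toggles are compared against the string 'true', not a boolean #}
{% if item.use_access_log is defined and item.use_access_log == 'true' %}
    access_log {{ nginx_log_dir }}/{{ item.name }}_access.log combined;
{% else %}
    access_log off;
{% endif %}
{% if item.use_error_log is defined and item.use_error_log == 'true' %}
    error_log {{ nginx_log_dir }}/{{ item.name }}_error.log {{ item.nginx_error_log_level }};
{% else %}
    {# NOTE(review): unlike access_log, nginx does not treat "off" as a special
       value for error_log; confirm this does not just create a file named
       "off" -- `/dev/null crit;` is the usual way to silence it #}
    error_log off;
{% endif %}
{% endblock %}

{% block headers %}
{% if not (item.headers is defined and item.headers == 'none') %}
    ## HEADERS
    {# add_header only applies to 2xx/3xx responses unless `always` is
       appended, so error pages are sent without these headers as written #}
{% if item.secure_site is defined %}
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy {{ item.referrer | default('no-referrer') }};
{% if item.header_sameorigin is defined %}
    add_header X-Frame-Options "SAMEORIGIN";
{% endif %}
{% elif item.referrer is defined %}
    {# item.referrer holds the policy value itself; this branch used to emit a
       hard-coded no-referrer, and a duplicate Referrer-Policy header when
       secure_site was also set #}
    add_header Referrer-Policy {{ item.referrer }};
{% endif %}
{% if item.nginx_HSTS_policy is defined %}
    {# emitted whenever the key exists, whatever its value; `preload` commits
       every subdomain to HTTPS and is hard to undo once submitted #}
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
{% endif %}
{% if item.csp is defined %}
    add_header Content-Security-Policy "{{ item.csp }}";
{% endif %}
{% if item.cto is not defined %}
    add_header X-Content-Type-Options nosniff;
{% elif item.cto != 'none' %}
    add_header X-Content-Type-Options {{ item.cto }};
{% endif %}
{% if item.xss is not defined %}
    {# legacy header that current browsers ignore; kept for compatibility
       with existing vhost definitions #}
    add_header X-XSS-Protection "1; mode=block";
{% elif item.xss != 'none' %}
    add_header X-XSS-Protection "{{ item.xss }}";
{% endif %}
{% if item.robots is defined %}
    add_header X-Robots-Tag "{{ item.robots }}";
{% else %}
    {# `none` means noindex, nofollow: a public site must set item.robots #}
    add_header X-Robots-Tag none;
{% endif %}
{% endif %}
{% endblock %}

{% block location %}
{% endblock %}

{% block extra_locations %}
{% endblock %}

{% block custom_locations %}
{% if item.custom_locations is defined %}
    ## CUSTOM LOCATIONS
    {# add_header directives in a location replace, rather than extend, the
       server-level ones, which is why the header set is rendered again per
       location; keep this list in sync with the `headers` block above #}
{% for location in item.custom_locations %}
    location {{ location.name }} {
    {# each option is emitted verbatim as a config line #}
{% for option in location.options %}
        {{ option }}
{% endfor %}
{% if location.headers is defined %}
    {# each entry of location.headers carries the same keys as the vhost-level
       header settings (secure_site, referrer, csp, cto, xss, robots, ...) #}
{% for hdr in location.headers %}
{% if hdr.secure_site is defined %}
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy {{ hdr.referrer | default('no-referrer') }};
{% if hdr.header_sameorigin is defined %}
        add_header X-Frame-Options "SAMEORIGIN";
{% endif %}
{% elif hdr.referrer is defined %}
        add_header Referrer-Policy {{ hdr.referrer }};
{% endif %}
{% if hdr.nginx_HSTS_policy is defined %}
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
{% endif %}
{% if hdr.csp is defined %}
        add_header Content-Security-Policy "{{ hdr.csp }}";
{% endif %}
{% if hdr.cto is not defined %}
        add_header X-Content-Type-Options nosniff;
{% elif hdr.cto != 'none' %}
        add_header X-Content-Type-Options {{ hdr.cto }};
{% endif %}
{% if hdr.xss is not defined %}
        add_header X-XSS-Protection "1; mode=block";
{% elif hdr.xss != 'none' %}
        add_header X-XSS-Protection "{{ hdr.xss }}";
{% endif %}
{% if hdr.robots is defined %}
        {# quoted like the vhost-level header so values with spaces or commas
           stay one argument #}
        add_header X-Robots-Tag "{{ hdr.robots }}";
{% else %}
        add_header X-Robots-Tag none;
{% endif %}
{% endfor %}
{% endif %}
    }
{% endfor %}
{% endif %}
{% endblock %}

{% block local_content %}
{% endblock %}

{% block app_specific %}
{% endblock %}
{# `is defined` guards every letsencrypt check so a vhost without the key
   renders instead of failing on an undefined comparison #}
{% if item.letsencrypt is defined and item.letsencrypt == 'true' %}
    {# ^~ stops regex locations from taking over the ACME challenge path #}
    location ^~ /.well-known/acme-challenge {
        root {{ letsencrypt_webroot_path }};
        try_files $uri =404;
    }
{% endif %}

{% block extras %}
{# NOTE: a plain string is iterable too and would be emitted one character
   per line; item.more is expected to be a list of config lines #}
{% if item.more is defined and item.more is iterable %}
{% for line in item.more %}
    {{ line }}
{% endfor %}
{% endif %}
{% endblock %}
}
{# closes the `server {` opened in block server_info #}

{% block redirects %}
{# NOTE(review): the redirect servers below assume item.name is a single
   string; a list would render its Python repr into server_name / return #}
{% if item.www is defined %}
server {
    listen 80;
    server_name www.{{ item.name }};
    return 301 https://{{ item.name }}$request_uri;
}
{% endif %}
{% if item.redirect_https is defined and item.redirect_https %}
## REDIRECTS
### http to https
server {
    listen 80;
    server_name {% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(' ') }}{% endif %};
{% if item.letsencrypt is defined and item.letsencrypt == 'true' %}
    location ^~ /.well-known/acme-challenge {
        root {{ letsencrypt_webroot_path }};
        try_files $uri =404;
    }
{% endif %}
    {# the redirect lives in `location /` rather than at server level: a
       server-level `return` runs in the server rewrite phase, before location
       matching, and would swallow the ACME challenge location above #}
    location / {
        return 301 https://{{ item.name }}$request_uri;
    }
}
{% if item.www is defined %}
### www to fwdn
{# item.listen is used as a scalar by `listen` above and as a list here;
   accept either form (and an integer port) when building the redirect #}
{% set https_port = (item.listen[0] if (item.listen is iterable and item.listen is not string) else item.listen) | string %}
server {
    listen 443 ssl;
    ssl_certificate {{ nginx_ssl_dir }}/www.{{ item.ssl_name }}/fullchain.pem;
    ssl_certificate_key {{ nginx_ssl_dir }}/www.{{ item.ssl_name }}/privkey.pem;
    server_name www.{% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(' ') }}{% endif %};
{% if item.letsencrypt is defined and item.letsencrypt == 'true' %}
    location ^~ /.well-known/acme-challenge {
        root {{ letsencrypt_webroot_path }};
        try_files $uri =404;
    }
{% endif %}
    location / {
        {# the port used to be rendered as the literal text ":item.listen[0]".
           NOTE(review): a listen value with an address prefix (host:port)
           would still need the port split out -- confirm how listen is set #}
        return 301 https://{{ item.name }}{% if '443' not in https_port %}:{{ https_port }}{% endif %}$request_uri;
    }
}
{% endif %}
{% endif %}
{% endblock %}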