templating - init work on site templates

2021-05-24 17:39:38 +02:00 · 2021-05-24 17:39:38 +02:00 · 633a07686f
parent 996c45df42
commit 633a07686f
34 changed files with 310 additions and 152 deletions
--- a/confs2/site/antibot-captcha.conf
+++ b/confs2/site/antibot-captcha.conf
@ -1,4 +1,4 @@
-location = %ANTIBOT_URI% {
+location = {{ ANTIBOT_URI }} {

 	default_type 'text/html';
 	
@ -13,7 +13,7 @@ location = %ANTIBOT_URI% {
 			end
 			local img, res = captcha.get_challenge()
 			cookie.set({captchares = res})
-			local code = captcha.get_code(img, "%ANTIBOT_URI%")
+			local code = captcha.get_code(img, "{{ ANTIBOT_URI }}")
 			ngx.say(code)
 		}
 	}
@ -37,7 +37,7 @@ location = %ANTIBOT_URI% {
 			local check		= captcha.check(captcha_user, cookie.get("captchares"))
 			if not check then
 				logger.log(ngx.WARN, "ANTIBOT", "captcha fail (4) for " .. ngx.var.remote_addr)
-				return ngx.redirect("%ANTIBOT_URI%")
+				return ngx.redirect("{{ ANTIBOT_URI }}")
 			end
 			cookie.set({captcha = "ok"})
 			return ngx.redirect(cookie.get("uri"))
--- a/confs2/site/antibot-javascript.conf
+++ b/confs2/site/antibot-javascript.conf
@ -1,4 +1,4 @@
-location = %ANTIBOT_URI% {
+location = {{ ANTIBOT_URI }} {

 	default_type 'text/html';
 	
@ -12,7 +12,7 @@ location = %ANTIBOT_URI% {
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			local challenge	= cookie.get("challenge")
-			local code	= javascript.get_code(challenge, "%ANTIBOT_URI%", cookie.get("uri"))
+			local code	= javascript.get_code(challenge, "{{ ANTIBOT_URI }}", cookie.get("uri"))
 			ngx.say(code)
 		}
 	}
--- a/confs2/site/antibot-recaptcha.conf
+++ b/confs2/site/antibot-recaptcha.conf
@ -1,4 +1,4 @@
-location = %ANTIBOT_URI% {
+location = {{ ANTIBOT_URI }} {

 	default_type 'text/html';
 	
@ -11,7 +11,7 @@ location = %ANTIBOT_URI% {
 				logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (1) for " .. ngx.var.remote_addr)
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
-			local code = recaptcha.get_code("%ANTIBOT_URI%", "%ANTIBOT_RECAPTCHA_SITEKEY%")
+			local code = recaptcha.get_code("{{ ANTIBOT_URI }}", "{{ ANTIBOT_RECAPTCHA_SITEKEY }}")
 			ngx.say(code)
 		}
 	}
@ -32,8 +32,8 @@ location = %ANTIBOT_URI% {
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
 			local token	= args["token"]
-			local check	= recaptcha.check(token, "%ANTIBOT_RECAPTCHA_SECRET%")
-			if check < %ANTIBOT_RECAPTCHA_SCORE% then
+			local check	= recaptcha.check(token, "{{ ANTIBOT_RECAPTCHA_SECRET }}")
+			if check < {{ ANTIBOT_RECAPTCHA_SCORE }} then
 				logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")")
 				return ngx.exit(ngx.HTTP_FORBIDDEN)
 			end
--- a/confs2/site/auth-basic-sitewide.conf
+++ b/confs2/site/auth-basic-sitewide.conf
@ -1,2 +1,2 @@
-auth_basic "%AUTH_BASIC_TEXT%";
-auth_basic_user_file %NGINX_PREFIX%.htpasswd;
+auth_basic "{{ AUTH_BASIC_TEXT }}";
+auth_basic_user_file {{ NGINX_PREFIX }}.htpasswd;
--- a/confs2/site/auth-basic.conf
+++ b/confs2/site/auth-basic.conf
@ -1,4 +1,4 @@
-location %AUTH_BASIC_LOCATION% {
-	auth_basic "%AUTH_BASIC_TEXT%";
-	auth_basic_user_file %NGINX_PREFIX%.htpasswd; 
+location {{ AUTH_BASIC_LOCATION }} {
+	auth_basic "{{ AUTH_BASIC_TEXT }}";
+	auth_basic_user_file {{ NGINX_PREFIX }}.htpasswd; 
 }
--- a/confs2/site/brotli.conf
+++ b/confs2/site/brotli.conf
@ -1,4 +1,4 @@
 brotli on;
-brotli_types %BROTLI_TYPES%;
-brotli_comp_level %BROTLI_COMP_LEVEL%;
-brotli_min_length %BROTLI_MIN_LENGTH%;
+brotli_types {{ BROTLI_TYPES }};
+brotli_comp_level {{ BROTLI_COMP_LEVEL }};
+brotli_min_length {{ BROTLI_MIN_LENGTH }};
--- a/confs2/site/client-cache.conf
+++ b/confs2/site/client-cache.conf
@ -1,6 +1,6 @@
-etag %CLIENT_CACHE_ETAG%;
+etag {{ CLIENT_CACHE_ETAG }};
 set $cache "";
-if ($uri ~* \.(%CLIENT_CACHE_EXTENSIONS%)$) {
-	set $cache "%CLIENT_CACHE_CONTROL%";
+if ($uri ~* \.({{ CLIENT_CACHE_EXTENSIONS }})$) {
+	set $cache "{{ CLIENT_CACHE_CONTROL }}";
 }
 add_header Cache-Control $cache;
--- a/confs2/site/content-security-policy.conf
+++ b/confs2/site/content-security-policy.conf
@ -1 +1 @@
-more_set_headers "Content-Security-Policy: %CONTENT_SECURITY_POLICY%";
+more_set_headers "Content-Security-Policy: {{ CONTENT_SECURITY_POLICY }}";
--- a/confs2/site/cookie-flags.conf
+++ b/confs2/site/cookie-flags.conf
@ -1 +1 @@
-set_cookie_flag %COOKIE_FLAGS%;
+set_cookie_flag {{ COOKIE_FLAGS }}{% if COOKIE_AUTO_SECURE_FLAG == "yes" %} Secure{% endif %};
--- a/confs2/site/custom-https.conf
+++ b/confs2/site/custom-https.conf
@ -1,7 +1,9 @@
-listen 0.0.0.0:443 ssl %HTTP2%;
-ssl_certificate %HTTPS_CUSTOM_CERT%;
-ssl_certificate_key %HTTPS_CUSTOM_KEY%;
+listen 0.0.0.0:443 ssl {% if HTTP2 == "yes" %}http2{% endif %};
+ssl_certificate {{ HTTPS_CUSTOM_CERT }};
+ssl_certificate_key {{ HTTPS_CUSTOM_KEY }};
 ssl_protocols TLSv1.3;
 ssl_prefer_server_ciphers off;
 ssl_session_tickets off;
-%STRICT_TRANSPORT_SECURITY%
+{% if STRICT_TRANSPORT_SECURITY != "" %}
+more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
+{% endif %}
--- a/confs2/site/disable-default-server.conf
+++ b/confs2/site/disable-default-server.conf
@ -1,3 +1,3 @@
-if ($host !~ ^(%SERVER_NAME%)$) {
+if ($host !~ ^({{ SERVER_NAME.replace(" ", "|") }})$) {
 	return 444;
 }
--- a/confs2/site/error.conf
+++ b/confs2/site/error.conf
@ -1,7 +1,7 @@
-error_page %CODE% %PAGE%;
+error_page {{ CODE }} {{ PAGE }};

-location = %PAGE% {
-    root %ROOT_FOLDER%;
+location = {{ PAGE }} {
+    root {{ ROOT_FOLDER }};
    modsecurity off;
    internal;
 }
--- a/confs2/site/fastcgi.conf
+++ b/confs2/site/fastcgi.conf
@ -13,7 +13,7 @@ fastcgi_param  REQUEST_SCHEME     $scheme;
 fastcgi_param  HTTPS              $https if_not_empty;

 fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
-fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+fastcgi_param  SERVER_SOFTWARE    nginx;

 fastcgi_param  REMOTE_ADDR        $remote_addr;
 fastcgi_param  REMOTE_PORT        $remote_port;
--- a/confs2/site/feature-policy.conf
+++ b/confs2/site/feature-policy.conf
@ -1 +1 @@
-more_set_headers "Feature-Policy: %FEATURE_POLICY%";
+more_set_headers "Feature-Policy: {{ FEATURE_POLICY }}";
--- a/confs2/site/gzip.conf
+++ b/confs2/site/gzip.conf
@ -1,4 +1,4 @@
 gzip on;
-gzip_comp_level %GZIP_COMP_LEVEL%;
-gzip_min_length %GZIP_MIN_LENGTH%;
-gzip_types %GZIP_TYPES%;
+gzip_comp_level {{ GZIP_COMP_LEVEL }};
+gzip_min_length {{ GZIP_MIN_LENGTH }};
+gzip_types {{ GZIP_TYPES }};
--- a/confs2/site/https.conf
+++ b/confs2/site/https.conf
@ -1,12 +1,18 @@
-listen 0.0.0.0:%HTTPS_PORT% ssl %HTTP2%;
-ssl_certificate %HTTPS_CERT%;
-ssl_certificate_key %HTTPS_KEY%;
-ssl_protocols %HTTPS_PROTOCOLS%;
+listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" }}http2{% endif %};
+ssl_certificate {{ HTTPS_CERT }};
+ssl_certificate_key {{ HTTPS_KEY }};
+ssl_protocols {{ HTTPS_PROTOCOLS }};
 ssl_prefer_server_ciphers on;
 ssl_session_tickets off;
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;
-%STRICT_TRANSPORT_SECURITY%
-%SSL_DHPARAM%
-%SSL_CIPHERS%
-%LETS_ENCRYPT_WEBROOT%
+{% if STRICT_TRANSPORT_SECURITY != "" }}
+more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
+{% endif %}
+{% if "TLSv1.2" in {{ HTTPS_PROTOCOLS }} %}
+ssl_dhparam /etc/nginx/dhparam;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+{% endif %}
+{% if AUTO_LETS_ENCRYPT %}
+include {{ NGINX_PREFIX }}lets-encrypt-webroot.conf;
+{% endif %}
--- a/confs2/site/limit-conn.conf
+++ b/confs2/site/limit-conn.conf
@ -1 +1 @@
-limit_conn ddos %LIMIT_CONN_MAX%;
+limit_conn ddos {{ LIMIT_CONN_MAX }};
--- a/confs2/site/limit-req.conf
+++ b/confs2/site/limit-req.conf
@ -1,3 +1,3 @@
 limit_req_status 429;
-limit_req zone=limit burst=%LIMIT_REQ_BURST% nodelay;
+limit_req zone=limit burst={{ LIMIT_REQ_BURST }} nodelay;

--- a/confs2/site/log-lua.conf
+++ b/confs2/site/log-lua.conf
@ -1,12 +1,12 @@
 log_by_lua_block {

 -- bad behavior
-local use_bad_behavior		= %USE_BAD_BEHAVIOR%
+local use_bad_behavior		= {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %}
 local behavior			= require "behavior"
-local bad_behavior_status_codes = {{ BAD_BEHAVIOR_STATUS_CODES }}
-local bad_behavior_threshold    = %BAD_BEHAVIOR_THRESHOLD%
-local bad_behavior_count_time   = %BAD_BEHAVIOR_COUNT_TIME%
-local bad_behavior_ban_time     = %BAD_BEHAVIOR_BAN_TIME%
+local bad_behavior_status_codes = {% raw %}{{% endraw %}{% set elements = BAD_BEHAVIOR_STATUS_CODES.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
+local bad_behavior_threshold    = {{ BAD_BEHAVIOR_THRESHOLD }}
+local bad_behavior_count_time   = {{ BAD_BEHAVIOR_COUNT_TIME }}
+local bad_behavior_ban_time     = {{ BAD_BEHAVIOR_BAN_TIME }}

 if use_bad_behavior then
 	behavior.count(bad_behavior_status_codes, bad_behavior_threshold, bad_behavior_count_time, bad_behavior_ban_time)
--- a/confs2/site/main-lua.conf
+++ b/confs2/site/main-lua.conf
@ -1,51 +1,51 @@
-set $session_secret %ANTIBOT_SESSION_SECRET%;
+set $session_secret {{ ANTIBOT_SESSION_SECRET }};
 set $session_check_addr on;

 access_by_lua_block {

 -- let's encrypt
-local use_lets_encrypt		= %USE_LETS_ENCRYPT%
+local use_lets_encrypt		= {% if AUTO_LETS_ENCRYPT == "yes" %}true{% else %}false{% endif %}

 -- external blacklists
-local use_user_agents		= %USE_USER_AGENTS%
-local use_proxies		= %USE_PROXIES%
-local use_abusers		= %USE_ABUSERS%
-local use_tor_exit_nodes	= %USE_TOR_EXIT_NODES%
-local use_referrers		= %USE_REFERRERS%
+local use_user_agents		= {% if BLOCK_USER_AGENT == "yes" %}true{% else %}false{% endif %}
+local use_proxies		= {% if BLOCK_PROXIES == "yes" %}true{% else %}false{% endif %}
+local use_abusers		= {% if BLOCK_ABUSERS == "yes" %}true{% else %}false{% endif %}
+local use_tor_exit_nodes	= {% if BLOCK_TOR_EXIT_NODE == "yes" %}true{% else %}false{% endif %}
+local use_referrers		= {% if BLOCK_REFERRER == "yes" %}true{% else %}false{% endif %}

 -- countries
-local use_country		= %USE_COUNTRY%
+local use_country		= {% if WHITELIST_COUNTRY != "" or BLACKLIST_COUNTRY != "" %}true{% else %}false{% endif %}

 -- crowdsec
-local use_crowdsec		= %USE_CROWDSEC%
+local use_crowdsec		= {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif %}

 -- antibot
-local use_antibot_cookie	= %USE_ANTIBOT_COOKIE%
-local use_antibot_javascript	= %USE_ANTIBOT_JAVASCRIPT%
-local use_antibot_captcha	= %USE_ANTIBOT_CAPTCHA%
-local use_antibot_recaptcha	= %USE_ANTIBOT_RECAPTCHA%
+local use_antibot_cookie	= {% if USE_ANTIBOT == "cookie" %}true{% else %}false{% endif %}
+local use_antibot_javascript	= {% if USE_ANTIBOT == "javascript" %}true{% else %}false{% endif %}
+local use_antibot_captcha	= {% if USE_ANTIBOT == "captcha" %}true{% else %}false{% endif %}
+local use_antibot_recaptcha	= {% if USE_ANTIBOT == "recaptcha" %}true{% else %}false{% endif %}

 -- resolvers
-local dns_resolvers		= {{ DNS_RESOLVERS }}
+local dns_resolvers		= {% raw %}{{% endraw %}{% set elements = DNS_RESOLVERS.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}

 -- whitelist
-local use_whitelist_ip		= %USE_WHITELIST_IP%
-local use_whitelist_reverse	= %USE_WHITELIST_REVERSE%
-local whitelist_ip_list		= {{ WHITELIST_IP_LIST }}
-local whitelist_reverse_list	= {{ WHITELIST_REVERSE_LIST }}
+local use_whitelist_ip		= {% if USE_WHITELIST_IP == "yes" %}true{% else %}false{% endif %}
+local use_whitelist_reverse	= {% if USE_WHITELIST_REVERSE == "yes %}true{% else %}false{% endif %}
+local whitelist_ip_list		= {% raw %}{{% endraw %}{% set elements = WHITELIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
+local whitelist_reverse_list	= {% raw %}{{% endraw %}{% set elements = WHITELIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}

 -- blacklist
-local use_blacklist_ip		= %USE_BLACKLIST_IP%
-local use_blacklist_reverse	= %USE_BLACKLIST_REVERSE%
-local blacklist_ip_list		= {{ BLACKLIST_IP_LIST }}
-local blacklist_reverse_list	= {{ BLACKLIST_REVERSE_LIST }}
+local use_blacklist_ip		= {% if USE_BLACKLIST_IP == "yes" %}true{% else %}false{% endif %}
+local use_blacklist_reverse	= {% if USE_BLACKLIST_REVERSE == "yes %}true{% else %}false{% endif %}
+local blacklist_ip_list		= {% raw %}{{% endraw %}{% set elements = BLACKLIST_IP_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
+local blacklist_reverse_list	= {% raw %}{{% endraw %}{% set elements = BLACKLIST_REVERSE_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}

 -- dnsbl
-local use_dnsbl			= %USE_DNSBL%
-local dnsbl_list		= {{ DNSBL_LIST }}
+local use_dnsbl			= {% if USE_DNSBL == "yes" %}true{% else %}false{% endif %}
+local dnsbl_list		= {% raw %}{{% endraw %}{% set elements = DNSBL_LIST.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}

 -- bad behavior
-local use_bad_behavior		= %USE_BAD_BEHAVIOR%
+local use_bad_behavior		= {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif %}

 -- include LUA code
 local whitelist			= require "whitelist"
@ -60,9 +60,9 @@ local behavior			= require "behavior"
 local logger			= require "logger"

 -- user variables
-local antibot_uri		= "%ANTIBOT_URI%"
-local whitelist_user_agent	= {{ WHITELIST_USER_AGENT }}
-local whitelist_uri		= {{ WHITELIST_URI }}
+local antibot_uri		= "{{ ANTIBOT_URI }}"
+local whitelist_user_agent	= {% raw %}{{% endraw %}{% set elements = WHITELIST_USER_AGENT.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}
+local whitelist_uri		= {% raw %}{{% endraw %}{% set elements = WHITELIST_URI.split(" ") %}{% for i in range(0, elements|length) %}"{{ elements[i] }}"{% if i < elements|length-1 %},{% endif %}{% endfor %}{% raw %}}{% endraw %}

 -- check if already in whitelist cache
 if use_whitelist_ip and whitelist.ip_cached_ok() then
@ -291,8 +291,10 @@ ngx.exit(ngx.OK)

 }

-%INCLUDE_ANTIBOT_JAVASCRIPT%
-
-%INCLUDE_ANTIBOT_CAPTCHA%
-
-%INCLUDE_ANTIBOT_RECAPTCHA%
+{% if USE_ANTIBOT == "javascript" %}
+include {{ NGINX_PREFIX }}antibot-javascript.conf;
+{% elif USE_ANTIBOT == "captcha" %}
+include {{ NGINX_PREFIX }}antibot-captcha.conf;
+{% elif USE_ANTIBOT == "recaptcha" %}
+include {{ NGINX_PREFIX }}antibot-recaptcha.conf;
+{% endif %}
--- a/confs2/site/modsecurity-rules.conf
+++ b/confs2/site/modsecurity-rules.conf
@ -49,17 +49,22 @@ SecResponseBodyLimit 524288
 SecResponseBodyLimitAction ProcessPartial

 # log usefull stuff
-SecAuditEngine %MODSECURITY_SEC_AUDIT_ENGINE%
+SecAuditEngine {{ MODSECURITY_SEC_AUDIT_ENGINE }}
 SecAuditLogType Serial
 SecAuditLog /var/log/nginx/modsec_audit.log

 # scan uploaded files with clamv
-%USE_CLAMAV_UPLOAD%
+{% if USE_CLAMAV_UPLOAD == "yes" %}
+include {{ NGINX_PREFIX }}modsecurity-clamav.conf
+{% endif %}

 # include OWASP CRS rules
-%MODSECURITY_INCLUDE_CRS%
-%MODSECURITY_INCLUDE_CUSTOM_CRS%
-%MODSECURITY_INCLUDE_CRS_RULES%
+{% if USE_MODSECURITY_CRS == "yes" %}
+include /opt/owasp/crs.conf
+# TODO : include without errors ?
+#{{ MODSECURITY_INCLUDE_CUSTOM_CRS }}
+include /opt/owasp/crs/*.conf
+{% endif %}

-# include custom rules
-%MODSECURITY_INCLUDE_CUSTOM_RULES%
+# TODO : include custom rules
+# {{ MODSECURITY_INCLUDE_CUSTOM_RULES }}
--- a/confs2/site/modsecurity.conf
+++ b/confs2/site/modsecurity.conf
@ -1,2 +1,2 @@
 modsecurity on;
-modsecurity_rules_file %MODSEC_RULES_FILE%;
+modsecurity_rules_file {{ NGINX_PREFIX }}modsecurity-rules.conf;
--- a/confs2/site/open-file-cache.conf
+++ b/confs2/site/open-file-cache.conf
@ -1,4 +1,4 @@
-open_file_cache %OPEN_FILE_CACHE%;
-open_file_cache_errors %OPEN_FILE_CACHE_ERRORS%;
-open_file_cache_min_uses %OPEN_FILE_CACHE_MIN_USES%;
-open_file_cache_valid %OPEN_FILE_CACHE_VALID%;
+open_file_cache {{ OPEN_FILE_CACHE }};
+open_file_cache_errors {{ OPEN_FILE_CACHE_ERRORS }};
+open_file_cache_min_uses {{ OPEN_FILE_CACHE_MIN_USES }};
+open_file_cache_valid {{ OPEN_FILE_CACHE_VALID }};
--- a/confs2/site/permissions-policy.conf
+++ b/confs2/site/permissions-policy.conf
@ -1 +1 @@
-more_set_headers "Permissions-Policy: %PERMISSIONS_POLICY%";
+more_set_headers "Permissions-Policy: {{ PERMISSIONS_POLICY }}";
--- a/confs2/site/php.conf
+++ b/confs2/site/php.conf
@ -1,4 +1,4 @@
 location ~ \.php$ {
-	fastcgi_pass      %REMOTE_PHP%:9000;
+	fastcgi_pass      {{ REMOTE_PHP }}:9000;
 	fastcgi_index     index.php;
 }
--- a/confs2/site/proxy-cache.conf
+++ b/confs2/site/proxy-cache.conf
@ -1,7 +1,11 @@
 proxy_cache proxycache;
-proxy_cache_methods %PROXY_CACHE_METHODS%;
-proxy_cache_min_uses %PROXY_CACHE_MIN_USES%;
-proxy_cache_key %PROXY_CACHE_KEY%;
-proxy_no_cache %PROXY_NO_CACHE%;
-proxy_cache_bypass %PROXY_CACHE_BYPASS%;
-%PROXY_CACHE_VALID%
+proxy_cache_methods {{ PROXY_CACHE_METHODS }};
+proxy_cache_min_uses {{ PROXY_CACHE_MIN_USES }};
+proxy_cache_key {{ PROXY_CACHE_KEY }};
+proxy_no_cache {{ PROXY_NO_CACHE }};
+proxy_cache_bypass {{ PROXY_CACHE_BYPASS }};
+{% if PROXY_CACHE_VALID != "" %}
+{% for element in PROXY_CACHE_VALID.split(" ") %}
+proxy_cache_valid {{ element.split("=")[0] }} {{ element.split("=")[1] }};
+{% endfor %}
+{% endif %}
--- a/confs2/site/proxy-real-ip.conf
+++ b/confs2/site/proxy-real-ip.conf
@ -1,4 +1,8 @@
-%PROXY_REAL_IP_FROM%
-real_ip_header %PROXY_REAL_IP_HEADER%;
-real_ip_recursive %PROXY_REAL_IP_RECURSIVE%;
+{% if PROXY_REAL_IP_FROM != "" %}
+	{% for element in PROXY_REAL_IP_FROM.split(" ") %}
+set_real_ip_from {{ element }};
+	{% endfor %}
+{% endif %}
+real_ip_header {{ PROXY_REAL_IP_HEADER }};
+real_ip_recursive {{ PROXY_REAL_IP_RECURSIVE }};

--- a/confs2/site/referrer-policy.conf
+++ b/confs2/site/referrer-policy.conf
@ -1 +1 @@
-more_set_headers "Referrer-Policy: %REFERRER_POLICY%";
+more_set_headers "Referrer-Policy: {{ REFERRER_POLICY }}";
--- a/confs2/site/reverse-proxy.conf
+++ b/confs2/site/reverse-proxy.conf
@ -1,7 +1,7 @@
-location %REVERSE_PROXY_URL% {
+location {{ REVERSE_PROXY_URL }} {
 	etag off;
-	proxy_pass %REVERSE_PROXY_HOST%;
-	%REVERSE_PROXY_HEADERS%
-	%REVERSE_PROXY_WS%
-	%REVERSE_PROXY_CUSTOM_HEADERS%
+	proxy_pass {{ REVERSE_PROXY_HOST }};
+	{{ REVERSE_PROXY_HEADERS }}
+	{{ REVERSE_PROXY_WS }}
+	{{ REVERSE_PROXY_CUSTOM_HEADERS }}
 }
--- a/confs2/site/serve-files.conf
+++ b/confs2/site/serve-files.conf
@ -1,3 +1,3 @@
-root %ROOT_FOLDER%;
+root {{ ROOT_FOLDER }}/{{ FIRST_SERVER }};
 index index.html index.php;
 try_files $uri $uri/ =404;
--- a/confs2/site/server.conf
+++ b/confs2/site/server.conf
@ -1,41 +1,176 @@
-%PRE_SERVER_CONF%
+# custom config before server block
+include /pre-server-confs/*.conf;
+{% if MULTISITE == "yes" %}
+include /pre-server-confs/{{ FIRST_SERVER }}/*.conf;
+{% endif %}

 server {
-	%FASTCGI_PATH%
-	%SERVER_CONF%
-	%PROXY_REAL_IP%
-	%INCLUDE_LUA%
-	%USE_MODSECURITY%
-	%LISTEN_HTTP%
-	%USE_HTTPS%
-	%REDIRECT_HTTP_TO_HTTPS%
-	server_name %SERVER_NAME%;
-	%DISABLE_DEFAULT_SERVER%
-	%SERVE_FILES%
-	if ($request_method !~ ^(%ALLOWED_METHODS%)$)
-	{
+
+	# FastCGI variables
+{% if REMOTE_PHP != "" %}
+	include {{ NGINX_PREFIX }}fastcgi.conf;
+{% endif %}
+
+	# custom config
+	include /server-confs/*.conf;
+{% if MULTISITE == "yes" %}
+	include /server-confs/{{ FIRST_SERVER }}/*.conf;
+{% endif %}
+
+	# proxy real IP
+{% if PROXY_REAL_IP == "yes" %}
+	include {{ NGINX_PREFIX }}proxy-real-ip.conf;
+{% endif %}
+
+	# include LUA files
+	include {{ NGINX_PREFIX }}main-lua.conf;
+	include {{ NGINX_PREFIX }}log-lua.conf;
+
+	# ModSecurity
+{% if USE_MODSECURITY == "yes" }}
+	include {{ NGINX_PREFIX }}modsecurity.conf;
+{% endif %}
+
+	# HTTP listen
+{% if LISTEN_HTTP == "yes" }}
+	listen 0.0.0.0:{{ HTTP_PORT }};
+{% endif %}
+
+	# HTTPS listen + config
+{% if AUTO_LETS_ENCRYPT == "yes" or USE_CUSTOM_HTTPS == "yes" or GENERATE_SELF_SIGNED_SSL == "yes" %}
+	include {{ NGINX_PREFIX }}https.conf;
+{% endif %}
+
+	# HTTP to HTTPS
+{% if REDIRECT_HTTP_TO_HTTPS == "yes" %}
+	include {{ NGINX_PREFIX }}redirect-http-to-https.conf;
+{% endif %}
+
+	# server name (vhost)
+	server_name {{ SERVER_NAME }};
+
+	# disable default server
+{% if DISABLE_DEFAULT_SERVER == "yes" and MULTISITE != "yes" %}
+	include {{ NGINX_PREFIX }}disable-default-server.conf;
+{% endif %}
+
+	# serve local files
+{% if SERVE_FILES == "yes" %}
+	include {{ NGINX_PREFIX}}serve-files.conf;
+{% endif %}
+
+	# allowed HTTP methods
+	if ($request_method !~ ^({{ ALLOWED_METHODS }})$) {
 		return 405;
 	}
-	%LIMIT_REQ%
-	%LIMIT_CONN%
-	%AUTH_BASIC%
-	%REMOVE_HEADERS%
-	%X_FRAME_OPTIONS%
-	%X_XSS_PROTECTION%
-	%X_CONTENT_TYPE_OPTIONS%
-	%CONTENT_SECURITY_POLICY%
-	%REFERRER_POLICY%
-	%FEATURE_POLICY%
-	%PERMISSIONS_POLICY%
-	%COOKIE_FLAGS%
-	%ERRORS%
-	%USE_CLIENT_CACHE%
-	%USE_GZIP%
-	%USE_BROTLI%
-	client_max_body_size %MAX_CLIENT_SIZE%;
-	server_tokens %SERVER_TOKENS%;
-	%USE_OPEN_FILE_CACHE%
-	%USE_PROXY_CACHE%
-	%USE_REVERSE_PROXY%
-	%USE_PHP%
+
+	# requests limiting
+{% if USE_LIMIT_REQ == "yes" %}
+	include {{ NGINX_PREFIX }}limit-req.conf;
+{% endif %}
+
+	# connections limiting
+{% if USE_LIMIT_CONN == "yes" %}
+	include {{ NGINX_PREFIX }}limit-conn.conf;
+{% endif %}
+
+	# auth basic
+{% if USE_AUTH_BASIC == "yes" %}
+	{% if AUTH_BASIC_LOCATION == "sitewide" %}
+	include {{ NGINX_PREFIX }}auth-basic-sitewide.conf;
+	{% else %}
+	include {{ NGINX_PREFIX }}auth-basic.conf;
+	{% endif %}
+{% endif %}
+
+	# remove headers
+{% if REMOVE_HEADERS != "" %}
+	{% for header in REMOVE_HEADERS.split(" ") %}
+	more_clear_headers '{{ header }}';
+	{% endfor %}
+{% endif %}
+
+	# X-Frame-Option header
+{% if X_FRAME_OPTIONS != "" %}
+	include {{ NGINX_PREFIX }}x-frame-options.conf;
+{% endif %}
+
+	# X-XSS-Protection header
+{% if X_XSS_PROTECTION != "" %}
+	include {{ NGINX_PREFIX }}x-xss-protection.conf;
+{% endif %}
+
+	# X-Content-Type header
+{% if X_CONTENT_TYPE != "" %}
+	include {{ NGINX_PREFIX }}x-content-type.conf;
+{% endif %}
+
+	# Content-Security-Policy header
+{% if CONTENT_SECURITY_POLICY != "" %}
+	include {{ NGINX_PREFIX }}content-security-policy.conf;
+{% endif %}
+
+	# Referrer-Policy header
+{% if REFERRER_POLICY != "" %}
+	include {{ NGINX_PREFIX }}referrer-policy.conf;
+{% endif %}
+
+	# Feature-Policy header
+{% if FEATURE_POLICY != "" %}
+	include {{ NGINX_PREFIX }}feature-policy.conf;
+{% endif %}
+
+	# Permissions-Policy header
+{% if PERMISSIONS_POLICY != "" %}
+	include {{ NGINX_PREFIX }}permissions-policy.conf;
+{% endif %}
+
+	# cookie flags
+{% if COOKIE_FLAGS != "" %}
+	include {{ NGINX_PREFIX }}cookie-flags.conf;
+{% endif %}
+
+	# TODO : ERRORS
+
+	# client caching
+{% if USE_CLIENT_CACHE == "yes" %}
+	include {{ NGINX_PREFIX }}client-cache.conf;
+{% endif %}
+
+	# gzip compression
+{% if USE_GZIP == "yes" %}
+	include {{ NGINX_PREFIX }}gzip.conf;
+{% endif %}
+
+	# brotli compression
+{% if USE_GZIP == "yes" %}
+	include {{ NGINX_PREFIX }}gzip.conf;
+{% endif %}
+
+	# maximum body size
+	client_max_body_size {{ MAX_CLIENT_SIZE }};
+	
+	# enable/disable showing version
+	server_tokens {{ SERVER_TOKENS }};
+
+	# open file caching
+{% if USE_OPEN_FILE_CACHE == "yes" %}
+	include {{ NGINX_PREFIX }}open-file-cache.conf;	
+{% endif %}
+
+	# proxy caching
+{% if USE_PROXY_CACHE == "yes" %}
+	include {{ NGINX_PREFIX }}proxy-cache.conf;	
+{% endif %}
+
+	# reverse proxy
+{% if USE_REVERSE_PROXY == "yes" %}
+	include {{ NGINX_PREFIX }}reverse-proxy-*.conf;
+{% endif %}
+
+	# remote PHP
+{% if REMOTE_PHP != "" %}
+	include {{ NGINX_PREFIX }}php.conf;
+{% endif %}
+
 }
--- a/confs2/site/x-content-type-options.conf
+++ b/confs2/site/x-content-type-options.conf
@ -1 +1 @@
-more_set_headers "X-Content-Type-Options: %X_CONTENT_TYPE_OPTIONS%";
+more_set_headers "X-Content-Type-Options: {{ X_CONTENT_TYPE_OPTIONS }}";
--- a/confs2/site/x-frame-options.conf
+++ b/confs2/site/x-frame-options.conf
@ -1 +1 @@
-more_set_headers "X-Frame-Options: %X_FRAME_OPTIONS%";
+more_set_headers "X-Frame-Options: {{ X_FRAME_OPTIONS }}";
--- a/confs2/site/x-xss-protection.conf
+++ b/confs2/site/x-xss-protection.conf
@ -1 +1 @@
-more_set_headers "X-XSS-Protection: %X_XSS_PROTECTION%";
+more_set_headers "X-XSS-Protection: {{ X_XSS_PROTECTION }}";