2019-01-10 11:50:54 +01:00
{{ ansible_managed | comment }}
2016-06-27 16:50:49 +02:00
2015-12-09 22:29:33 +01:00
{# helper variables and per-site defaults that we can't set in role defaults #}
2015-12-09 23:25:44 +01:00
{% set domain_name = item.domain_name %}
{% set domain_aliases = item.domain_aliases | default("") %}
2016-09-13 13:51:49 +02:00
{# assume optional features are off unless a vhost explicitly sets them #}
2022-09-10 21:33:19 +02:00
{% set enable_hsts = item.enable_hsts | default(false) %}
{% set has_wordpress = item.has_wordpress | default(false) %}
{% set needs_php = item.needs_php | default(false) %}
{% set has_gitea = item.has_gitea | default(false) %}
2014-08-27 19:03:34 +02:00
2014-09-06 20:32:37 +02:00
# http -> https vhost
2014-08-16 23:35:57 +02:00
server {
2014-08-27 19:03:34 +02:00
listen 80;
2015-05-21 22:31:41 +02:00
listen [::]:80;
2014-09-06 20:32:37 +02:00
server_name {{ domain_name }} {{ domain_aliases }};
2021-03-19 22:39:30 +01:00
{% include 'well-known.j2' %}
2014-09-06 20:32:37 +02:00
# redirect http -> https
location / {
# ? in rewrite makes sure nginx doesn't append query string again
# see: http://wiki.nginx.org/NginxHttpRewriteModule#rewrite
rewrite ^ https://{{ domain_name }}$request_uri? permanent;
}
}
server {
2015-12-09 23:38:53 +01:00
listen 443 ssl http2;
listen [::]:443 ssl http2;
2014-08-16 23:35:57 +02:00
2020-12-28 21:53:32 +01:00
{# Allow sites to override the nginx document root #}
{% if item.document_root is defined %}
root {{ item.document_root }};
{% else %}
2014-08-27 19:03:34 +02:00
root {{ nginx_root_prefix }}/{{ domain_name }};
2020-12-28 21:53:32 +01:00
{% endif %}
2014-08-16 23:35:57 +02:00
2015-12-09 23:38:53 +01:00
{# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
server_name {{ domain_name }} {{ domain_aliases }};
2014-08-16 23:35:57 +02:00
2022-09-10 21:33:19 +02:00
index {% if has_wordpress == true or needs_php == true %}index.php{% else %}index.html{% endif %};
2014-08-28 11:27:24 +02:00
2014-08-27 19:26:12 +02:00
access_log /var/log/nginx/{{ domain_name }}-access.log;
error_log /var/log/nginx/{{ domain_name }}-error.log;
2015-12-09 23:38:53 +01:00
{% include 'https.j2' %}
2014-09-06 20:32:37 +02:00
2022-09-10 21:33:19 +02:00
{% if has_wordpress == true %}
2014-09-07 21:51:34 +02:00
{% include 'wordpress.j2' %}
{% endif %}
2014-08-16 23:35:57 +02:00
2022-09-10 21:33:19 +02:00
{% if has_gitea == true %}
2021-09-27 11:15:47 +02:00
{% include 'gitea.j2' %}
{% endif %}
2014-08-16 23:35:57 +02:00
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
2022-09-10 21:33:19 +02:00
{% if has_wordpress == true or needs_php == true %}
2015-02-26 14:40:38 +01:00
location ~ [^/]\.php(/|$) {
2014-08-16 23:35:57 +02:00
# Zero-day exploit defense.
# http://forum.nginx.org/read.php?2,88845,page=3
# Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine. And then cross your fingers that you won't get hacked.
try_files $uri =404;
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
fastcgi_split_path_info ^(.+\.php)(/.+)$;
2016-07-21 13:45:41 +02:00
# Protect against "HTTPoxy" vulnerability in PHP libraries
# See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
# See: https://httpoxy.org/
fastcgi_param HTTP_PROXY "";
2023-07-27 17:46:13 +02:00
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '==')) %}
2020-07-13 22:25:32 +02:00
fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;
2016-04-22 17:19:30 +02:00
{% else %}
2014-08-27 19:03:34 +02:00
fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
2016-04-22 17:19:30 +02:00
{% endif %}
2014-08-16 23:35:57 +02:00
fastcgi_index index.php;
# set script path relative to document root in server block
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
2015-02-10 21:04:28 +01:00
fastcgi_cache global;
# Set X-Fastcgi-Cache header to "HIT", "MISS", "BYPASS", etc
add_header X-Fastcgi-Cache $upstream_cache_status;
# Don't cache when user shift-refreshes (Pragma: no-cache) or when a user is logged in!
2015-03-11 11:51:48 +01:00
fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
fastcgi_no_cache $http_pragma $wordpress_logged_in;
2015-03-19 07:25:28 +01:00
2022-09-10 21:33:19 +02:00
{% if enable_hsts == true %}
2015-03-19 07:25:28 +01:00
# Enable this if you want HSTS (recommended, but be careful)
2015-05-13 17:30:28 +02:00
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/
2021-03-23 14:36:28 +01:00
add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
2015-03-19 07:25:28 +01:00
{% endif %}
2015-03-19 07:32:06 +01:00
include extra-security.conf;
2014-08-16 23:35:57 +02:00
}
2016-09-13 14:59:24 +02:00
{% endif %}
2015-01-24 11:05:42 +01:00
include extra-security.conf;
2014-08-16 23:35:57 +02:00
}
2015-02-10 21:04:28 +01:00
2022-09-10 21:33:19 +02:00
{% if has_wordpress == true %}
2015-02-10 21:04:28 +01:00
# Check if a user is logged in
2015-03-11 11:51:48 +01:00
# if so, set $wordpress_logged_in = 1
# otherwise, set $wordpress_logged_in = 0
2015-02-10 21:04:28 +01:00
# See: http://jeradbitner.com/2012/02/nginx-do-not-cache-logged-in-drupal-or-wordpress-users/
# See: http://syshero.org/post/50053543196/disable-nginx-cache-based-on-cookies
# See nginx bug: http://trac.nginx.org/nginx/ticket/707
2015-03-11 11:51:48 +01:00
map $http_cookie $wordpress_logged_in {
2015-02-10 21:04:28 +01:00
default 0;
~wordpress_logged_in 1;
}
2016-09-12 19:57:10 +02:00
{% endif %}