summaryrefslogtreecommitdiffstats
path: root/templates/nginx.j2
blob: 0e05c027e8fb4b756535aec1bd185d29c9749f91 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
{# vim: set filetype=django : #}

server {
	listen 80;
	listen [::]:80;

	server_name {{ nginx_domain }};
	access_log /var/log/nginx/{{ nginx_domain }}.access.log;
	error_log /var/log/nginx/{{ nginx_domain }}.error.log;

{% if letsencrypt_activate %}
	location ^~ /.well-known/acme-challenge {
		root {{ letsencrypt_wellknown }};
	}

{% if letsencrypt_https %}
	location / {
		rewrite ^(.*)$ https://{{ nginx_domain }}$1 permanent;
	}
}

server {
	listen 443 ssl {% if nginx_enable_http2 %}http2{% endif %};
	listen [::]:443 ssl {% if nginx_enable_http2 %}http2{% endif %};

	server_name {{ nginx_domain }};
	access_log /var/log/nginx/{{ nginx_domain }}.access.log;
	error_log /var/log/nginx/{{ nginx_domain }}.error.log;

	ssl on;
	ssl_certificate /etc/letsencrypt/live/{{ letsencrypt_domain }}/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/{{ letsencrypt_domain }}/privkey.pem;

	include /etc/nginx/snippets/ssl.conf;

{% endif %}
{% endif %}

	root {{ nginx_root }};

	index index.html;

	location / {
		{% if nginx_autoindex %}
		autoindex on;
		{% endif %}

		{% if nginx_rewrite_html %}
		rewrite ^(/.+)\.html$ $1;
		try_files $uri.html $uri $uri/ =404;
		default_type text/html;
		{% else %}
		try_files $uri $uri/ =404;
		{% endif %}

		{% if nginx_auth_file %}
		auth_basic "Restricted";
		auth_basic_user_file {{ nginx_auth_file }};
		{% endif %}
	}

	location ~ ~$ {
		# deny access to temp editor files, e.g. "script.php~"
		access_log off;
		log_not_found off;
		deny all;
	}

	{% if nginx_cache_static %}
	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
		# cache static assets and compress them
		gzip on;
		expires    max;
		add_header Pragma public;
		add_header Cache-Control "public, must-revalidate, proxy-revalidate";
	}
	{% endif %}

	{{ nginx_custom }}
}