{% if nginx_websockets_support is defined and nginx_websockets_support %} include /etc/nginx/snippets/nginx-websockets.conf; {% else %} {% if item.websockets is defined and item.websockets %} include /etc/nginx/snippets/nginx-websockets.conf; {% endif %} {% endif %} {% if item.upstream_backends is defined %} {% for u_bk in item.upstream_backends %} upstream {{ u_bk.name }} { {% for srv in u_bk.servers %} server {{ srv }}; {% endfor %} } {% endfor %} {% endif %} server { listen {{ item.http_port | default ('80') }}; server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %}; {% if nginx_block_dotfiles %} location ~ /\.(?!well-known).* { deny all; access_log off; log_not_found off; return 404; } {% elif nginx_block_dangerous_dotfiles %} location ~ /\.(?ht).* { deny all; access_log off; log_not_found off; return 404; } {% endif %} {% if letsencrypt_acme_install %} include /etc/nginx/snippets/letsencrypt-proxy.conf; {% endif %} {% if item.access_log is defined %} access_log {{ item.access_log }}; {% else %} access_log /var/log/nginx/{{ item.server_name }}_access.log; {% endif %} {% if item.error_log is defined %} error_log {{ item.error_log }}; {% else %} error_log /var/log/nginx/{{ item.server_name }}_error.log; {% endif %} server_tokens {{ item.server_tokens | default('off') }}; {% if item.ssl_enabled and item.ssl_only %} location / { return 301 https://{{ item.server_name }}$request_uri; } {% else %} root {{ item.root | default('/usr/share/nginx/html/') }}; index {{ item.index | default('index.html index.htm') }}; error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }}; location = /50x.html { root {{ item.error_path | default('/usr/share/nginx/html') }}; } location = /favicon.ico { log_not_found off; access_log off; } location = /robots.txt { allow all; log_not_found off; access_log off; } {% if haproxy_ips is defined %} # We are behind haproxy {% for ip in haproxy_ips %} set_real_ip_from {{ ip }}; {% endfor %} real_ip_header X-Forwarded-For; {% endif %} {% if item.max_body is defined %} client_max_body_size {{ item.max_body }}; {% else %} client_max_body_size {{ nginx_client_max_body_size }}; {% endif %} {% if item.body_timeout is defined %} client_body_timeout {{ item.body_timeout }}; {% else %} client_body_timeout {{ nginx_client_body_timeout }}; {% endif %} {% if nginx_cors_enabled %} {% if nginx_cors_global %} include /etc/nginx/snippets/nginx-cors.conf; {% endif %} {% endif %} {% if item.additional_options is defined %} {% for add_opt in item.additional_options %} {{ add_opt }}; {% endfor %} {% endif %} {% if item.http_acls is defined %} {% for acl in item.http_acls %} {{ acl }}; {% endfor %} {% endif %} {% if nginx_websockets_support is defined and nginx_websockets_support %} proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; {% else %} {% if item.websockets is defined and item.websockets %} proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; {% endif %} {% endif %} # See https://www.redmine.org/projects/redmine/wiki/BrowserCaching # location ~* /(javascripts|stylesheets)/.+(css|js|jpg|gif|ico|png)(\?[0-9]+)?$ { #location ~* \.(ico|css|js|gif|jp?g|png)(\?[0-9]+)?$ { # add_header X-SV-test 304-killer; use this do-nothing HTTP Header, if you need to play with the regexp #- for testing without fear of breaking anything! expires {{ redmine_nginx_static_data_valid_time }}; } {% if item.proxy_standard_setup is defined and item.proxy_standard_setup %} # Proxy stuff {% if item.include_global_proxy_conf is defined and not item.include_global_proxy_conf %} {% else %} include /etc/nginx/snippets/nginx-proxy-params.conf; {% endif %} {% if item.proxy_additional_options is defined %} {% for popt in item.proxy_additional_options %} {{ popt }}; {% endfor %} {% endif %} {% if item.locations is defined %} {% for location in item.locations -%} location {{ location.location }} { {% if nginx_cors_enabled %} {% if not nginx_cors_global %} {% if location.cors is defined and location.cors %} include /etc/nginx/snippets/nginx-cors.conf; {% endif %} {% endif %} {% endif %} {% if location.target is defined %} proxy_pass {{ location.target }}; {% elif location.php_target is defined %} try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass {% if phpfpm_listen_on_socket is defined and phpfpm_listen_on_socket %}unix:{% endif %}{{ location.php_target }}; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param REMOTE_ADDR $http_x_forwarded_for; #fastcgi_param REMOTE_ADDR $remote_addr; include fastcgi_params; {% endif %} {% if location.websockets is defined and location.websockets %} proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; {% endif %} {% if location.extra_conf is defined %} {{ location.extra_conf }} {% endif %} {% if location.acls is defined %} {% for acl in location.acls %} {{ acl }}; {% endfor %} {% endif %} {% if location.other_opts is defined %} {% for opt in location.other_opts %} {{ opt }}; {% endfor %} {% endif %} } {% endfor %} {% endif %} {% endif %} {% if item.extra_parameters is defined %} {{ item.extra_parameters }} {% endif %} {% endif %} } {% if item.ssl_enabled %} server { listen {% if item.https_port is defined %} {{ item.https_port }} {% else %} {{ https_port | default('443') }} {% endif %} ssl {% if ansible_distribution_release != "trusty" %} http2{% endif %}; server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %}; {% if item.access_log is defined %} access_log {{ item.access_log }}; {% else %} access_log /var/log/nginx/{{ item.server_name }}_ssl_access.log; {% endif %} {% if item.error_log is defined %} error_log {{ item.error_log }}; {% else %} error_log /var/log/nginx/{{ item.server_name }}_ssl_error.log; {% endif %} root {{ item.root | default('/usr/share/nginx/html/') }}; index {{ item.index | default('index.html index.htm') }}; error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }}; location = /50x.html { root {{ item.error_path | default('/usr/share/nginx/html') }}; } location = /favicon.ico { log_not_found off; access_log off; } location = /robots.txt { allow all; log_not_found off; access_log off; } {% if nginx_block_dotfiles %} location ~ /\.(?!well-known).* { deny all; access_log off; log_not_found off; return 404; } {% elif nginx_block_dangerous_dotfiles %} location ~ /\.(?ht).* { deny all; access_log off; log_not_found off; return 404; } {% endif %} {% if haproxy_ips is defined %} # We are behind haproxy {% for ip in haproxy_ips %} set_real_ip_from {{ ip }}; {% endfor %} real_ip_header X-Forwarded-For; {% endif %} {% if item.max_body is defined %} client_max_body_size {{ item.max_body }}; {% else %} client_max_body_size {{ nginx_client_max_body_size }}; {% endif %} {% if item.body_timeout is defined %} client_body_timeout {{ item.body_timeout }}; {% else %} client_body_timeout {{ nginx_client_body_timeout }}; {% endif %} include /etc/nginx/snippets/nginx-server-ssl.conf; server_tokens {{ item.server_tokens | default('off') }}; {% if nginx_cors_enabled %} {% if nginx_cors_global %} include /etc/nginx/snippets/nginx-cors.conf; {% endif %} {% endif %} {% if nginx_websockets_support is defined and nginx_websockets_support %} proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; {% else %} {% if item.websockets is defined and item.websockets %} proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; {% endif %} {% endif %} {% if item.additional_options is defined %} {% for add_opt in item.additional_options %} {{ add_opt }}; {% endfor %} {% endif %} {% if item.https_acls is defined %} {% for acl in item.https_acls %} {{ acl }}; {% endfor %} {% endif %} # See https://www.redmine.org/projects/redmine/wiki/BrowserCaching # location ~* /(javascripts|stylesheets)/.+(css|js|jpg|gif|ico|png)(\?[0-9]+)?$ { #location ~* \.(ico|css|js|gif|jp?g|png)(\?[0-9]+)?$ { # add_header X-SV-test 304-killer; use this do-nothing HTTP Header, if you need to play with the regexp #- for testing without fear of breaking anything! expires {{ redmine_nginx_static_data_valid_time }}; } {% if item.proxy_standard_setup is defined and item.proxy_standard_setup %} # Proxy stuff {% if item.include_global_proxy_conf is defined and not item.include_global_proxy_conf %} {% else %} include /etc/nginx/snippets/nginx-proxy-params.conf; {% endif %} {% if item.proxy_additional_options is defined %} {% for popt in item.proxy_additional_options %} {{ popt }} {% endfor %} {% endif %} {% if item.locations is defined %} {% for location in item.locations -%} location {{ location.location }} { {% if nginx_cors_enabled %} {% if not nginx_cors_global %} {% if location.cors is defined and location.cors %} include /etc/nginx/snippets/nginx-cors.conf; {% endif %} {% endif %} {% endif %} {% if location.target is defined %} proxy_pass {{ location.target }}; {% elif location.php_target is defined %} try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass {% if phpfpm_listen_on_socket is defined and phpfpm_listen_on_socket %}unix:{% endif %}{{ location.php_target }}; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param REMOTE_ADDR $http_x_forwarded_for; #fastcgi_param REMOTE_ADDR $remote_addr; include fastcgi_params; {% endif %} {% if location.websockets is defined and location.websockets %} proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; {% endif %} {% if location.extra_conf is defined %} {{ location.extra_conf }} {% endif %} {% if location.acls is defined %} {% for acl in location.acls %} {{ acl }}; {% endfor %} {% endif %} {% if location.other_opts is defined %} {% for opt in location.other_opts %} {{ opt }}; {% endfor %} {% endif %} } {% endfor %} {% endif %} {% endif %} {% if item.extra_parameters is defined %} {{ item.extra_parameters }} {% endif %} } {% endif %}