{% set cert_prefix = nginx_proxy_sites[0].server_name %} {% for item in nginx_proxy_sites %} server { listen {{ nginx_proxy_nginx_port }} ssl; http2 on; server_name {{ item.server_name }}; ssl_certificate {{ item.ssl_certificate | default('/etc/letsencrypt/live/' + cert_prefix + '/fullchain.pem') }}; ssl_certificate_key {{ item.ssl_certificate_key | default('/etc/letsencrypt/live/' + cert_prefix + '/privkey.pem') }}; ssl_protocols {{ nginx_proxy_nginx_ssl_protocols }}; ssl_ciphers {{ nginx_proxy_nginx_ssl_ciphers }}; ssl_prefer_server_ciphers {{ nginx_proxy_nginx_ssl_prefer_server_ciphers }}; add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains | ternary('includeSubDomains', '') }}" always; {% if not (item.no_auth | default(false) | bool) %} # Redirect unauthenticated requests to OAuth2 sign-in error_page 401 = /oauth2/sign_in; # OAuth2 auth_request location = /oauth2/auth { proxy_pass http://{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }}/oauth2/auth; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; proxy_set_header X-Auth-Request-Redirect $request_uri; proxy_set_header Content-Length ""; proxy_pass_request_body off; proxy_method GET; } location = /oauth2/callback { proxy_pass http://{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }}/oauth2/callback; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; proxy_set_header X-Auth-Request-Redirect $request_uri; proxy_buffer_size 16k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; } location = /oauth2/sign_in { proxy_pass http://{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }}/oauth2/sign_in; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; } location /oauth2/ { proxy_pass http://{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; } {% endif %} location / { {% if not (item.no_auth | default(false) | bool) %} auth_request /oauth2/auth; auth_request_set $auth_status $upstream_status; auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; {% endif %} add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains | ternary('includeSubDomains', '') }}" always; proxy_pass http://{{ item.upstream.host }}:{{ item.upstream.port }}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; # WebSocket support {% if item.websocket | default(true) | bool %} proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; {% endif %} # Timeouts proxy_read_timeout {{ item.proxy_read_timeout | default('3600s') }}; proxy_send_timeout {{ item.proxy_send_timeout | default('3600s') }}; } # Extra location blocks {% if item.extra_locations | default([]) %} {% for location in item.extra_locations %} location {{ location.path }} { {% for key, value in location.config.items() %} {{ key }} {{ value }}; {% endfor %} } {% endfor %} {% endif %} } {% endfor %}