|
|
|
@ -53,7 +53,7 @@ http {
|
|
|
|
|
gzip_min_length 1024;
|
|
|
|
|
# TODO: figure out how to server pre-compressed assets from admin container
|
|
|
|
|
|
|
|
|
|
{% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'cert' ] %}
|
|
|
|
|
{% if not KUBERNETES_INGRESS and TLS_FLAVOR in [ 'letsencrypt', 'cert' ] %}
|
|
|
|
|
# Enable the proxy for certbot if the flavor is letsencrypt and not on kubernetes
|
|
|
|
|
#
|
|
|
|
|
server {
|
|
|
|
@ -99,7 +99,7 @@ http {
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
# Only enable HTTPS if TLS is enabled with no error and not on kubernetes
|
|
|
|
|
{% if KUBERNETES_INGRESS != 'true' and TLS and not TLS_ERROR %}
|
|
|
|
|
{% if not KUBERNETES_INGRESS and TLS and not TLS_ERROR %}
|
|
|
|
|
listen 443 ssl http2;
|
|
|
|
|
{% if SUBNET6 %}
|
|
|
|
|
listen [::]:443 ssl http2;
|
|
|
|
@ -158,7 +158,7 @@ http {
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
# If TLS is failing, prevent access to anything except certbot
|
|
|
|
|
{% if KUBERNETES_INGRESS != 'true' and TLS_ERROR and not (TLS_FLAVOR in [ 'mail-letsencrypt', 'mail' ]) %}
|
|
|
|
|
{% if not KUBERNETES_INGRESS and TLS_ERROR and not (TLS_FLAVOR in [ 'mail-letsencrypt', 'mail' ]) %}
|
|
|
|
|
location / {
|
|
|
|
|
return 403;
|
|
|
|
|
}
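Review bot: The three conditions that read `not KUBERNETES_INGRESS` (the certbot proxy block, the `listen 443 ssl http2;` block and the TLS-failure `return 403;` block) rely on Jinja truthiness, so they are only correct if the value reaches the template as a real boolean. The old/new markers are lost on this page, so this assumes the `not` form is the new side. If the value is still passed as the raw environment string, any non-empty value such as `'false'` is truthy and all three blocks would be left out of the rendered config, including the one that restricts access to certbot while TLS is failing. The code that builds the template context is not visible here; confirm it converts the variable to a boolean before rendering, and consider a comment at the first condition such as `# KUBERNETES_INGRESS must be a boolean here, not the env string`. The enclosing `http {` and `server {` blocks continue outside these hunks.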
|
|
|
|
|