|
|
@ -34,6 +34,25 @@ http {
|
|
|
|
'' $scheme;
|
|
|
|
'' $scheme;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
{% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'cert' ] and not TLS_ERROR %}
|
|
|
|
|
|
|
|
# Enable the proxy for certbot if the flavor is letsencrypt and not on kubernetes
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
server {
|
|
|
|
|
|
|
|
# Listen over HTTP
|
|
|
|
|
|
|
|
listen 80;
|
|
|
|
|
|
|
|
listen [::]:80;
|
|
|
|
|
|
|
|
{% if TLS_FLAVOR == 'letsencrypt' %}
|
|
|
|
|
|
|
|
location ^~ /.well-known/acme-challenge/ {
|
|
|
|
|
|
|
|
proxy_pass http://127.0.0.1:8008;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
# redirect to https
|
|
|
|
|
|
|
|
location / {
|
|
|
|
|
|
|
|
return 301 https://$host$request_uri;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
|
|
# Main HTTP server
|
|
|
|
# Main HTTP server
|
|
|
|
server {
|
|
|
|
server {
|
|
|
|
# Favicon stuff
|
|
|
|
# Favicon stuff
|
|
|
@ -48,9 +67,11 @@ http {
|
|
|
|
set $webdav {{ WEBDAV_ADDRESS }};
|
|
|
|
set $webdav {{ WEBDAV_ADDRESS }};
|
|
|
|
{% endif %}
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
|
|
# Always listen over HTTP
|
|
|
|
# Listen on HTTP only in kubernetes or behind reverse proxy
|
|
|
|
|
|
|
|
{% if KUBERNETES_INGRESS == 'true' or TLS_FLAVOR in [ 'mail-letsencrypt', 'notls', 'mail' ] or TLS_ERROR %}
|
|
|
|
listen 80;
|
|
|
|
listen 80;
|
|
|
|
listen [::]:80;
|
|
|
|
listen [::]:80;
|
|
|
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
|
|
# Only enable HTTPS if TLS is enabled with no error and not on kubernetes
|
|
|
|
# Only enable HTTPS if TLS is enabled with no error and not on kubernetes
|
|
|
|
{% if KUBERNETES_INGRESS != 'true' and TLS and not TLS_ERROR %}
|
|
|
|
{% if KUBERNETES_INGRESS != 'true' and TLS and not TLS_ERROR %}
|
|
|
@ -78,8 +99,7 @@ http {
|
|
|
|
add_header X-XSS-Protection '1; mode=block';
|
|
|
|
add_header X-XSS-Protection '1; mode=block';
|
|
|
|
add_header Referrer-Policy 'same-origin';
|
|
|
|
add_header Referrer-Policy 'same-origin';
|
|
|
|
|
|
|
|
|
|
|
|
# In any case, enable the proxy for certbot if the flavor is letsencrypt and not on kubernetes
|
|
|
|
{% if TLS_FLAVOR == 'mail-letsencrypt' %}
|
|
|
|
{% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'mail-letsencrypt' ] %}
|
|
|
|
|
|
|
|
location ^~ /.well-known/acme-challenge/ {
|
|
|
|
location ^~ /.well-known/acme-challenge/ {
|
|
|
|
proxy_pass http://127.0.0.1:8008;
|
|
|
|
proxy_pass http://127.0.0.1:8008;
|
|
|
|
}
|
|
|
|
}
|
|
|
|