jpp/ansible-roles
1
0
Fork 0
mirror of https://git.lapiole.org/dani/ansible-roles.git synced 2025-04-12 00:03:17 +02:00
Code Issues Packages Projects Releases Wiki Activity
ansible-roles/roles/lemonldap_ng/templates/nginx_portal.conf.j2
Daniel Berteaud a1c2d0131a Update to 2024-11-06 12:00
2024-11-06 12:00:48 +01:00

159 lines
5.3 KiB
Django/Jinja
Raw Blame History

server {
listen 80;
listen 443 ssl http2;
server_name {{ llng_portal_vhost }};
include /etc/nginx/ansible_conf.d/acme.inc;
include /etc/nginx/ansible_conf.d/perf.inc;
include /etc/nginx/ansible_conf.d/force_ssl.inc;
root /usr/share/lemonldap-ng/portal/htdocs/;
{% if llng_portal_ssl is defined %}
{% if llng_portal_ssl.cert is defined and llng_portal_ssl.key is defined %}
ssl_certificate {{ llng_portal_ssl.cert }};
ssl_certificate_key {{ llng_portal_ssl.key }};
{% elif llng_portal_ssl.letsencrypt_cert is defined %}
ssl_certificate /var/lib/dehydrated/certificates/certs/{{ llng_portal_ssl.letsencrypt_cert }}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ llng_portal_ssl.letsencrypt_cert }}/privkey.pem;
{% endif %}
{% endif %}
if ($uri !~ ^/((static|javascript|favicon|\.well\-known/acme\-challenge/).*|.*\.psgi)) {
rewrite ^/(.*)$ /index.psgi/$1 break;
}
location ~ ^/(?<sc>/index\.psgi)/((adminS|s)essions|config|notification) {
{% if llng_engine == 'fastcgi' %}
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
{% elif llng_engine == 'uwsgi' %}
include /etc/nginx/uwsgi_params;
uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock;
uwsgi_param LLTYPE psgi;
uwsgi_param SCRIPT_FILENAME $document_root$sc;
uwsgi_param SCRIPT_NAME $sc;
{% endif %}
{% for ip in llng_api_src_ip %}
allow {{ ip }};
{% endfor %}
deny all;
{% if llng_api_pass is defined %}
auth_basic "Lemonldap::NG API";
auth_basic_user_file /etc/lemonldap-ng/api.htpasswd;
satisfy all;
{% endif %}
}
location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
{% if llng_engine == 'fastcgi' %}
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
{% elif llng_engine == 'uwsgi' %}
include /etc/nginx/uwsgi_params;
uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock;
uwsgi_param LLTYPE psgi;
uwsgi_param SCRIPT_FILENAME $document_root$sc;
uwsgi_param SCRIPT_NAME $sc;
{% endif %}
{% if llng_portal_ssl is defined and llng_portal_ssl.ca is defined %}
map $ssl_client_s_dn $ssl_client_s_dn_cn {
default "";
~/CN=(?<CN>[^/]+) $CN;
}
{{ (llng_engine == 'uwsgi') | ternary('uwsgi', 'fastcgi') }}_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
{% endif %}
}
index index.psgi;
location / {
try_files $uri $uri/ =404;
}
}
{% if llng_api_src_ip | length > 0 or llng_api_pass is defined %}
server {
listen 443 ssl http2;
server_name {{ llng_api_vhost }};
include /etc/nginx/ansible_conf.d/acme.inc;
include /etc/nginx/ansible_conf.d/perf.inc;
root /usr/share/lemonldap-ng/portal/htdocs/;
{% if llng_api_ssl is defined %}
{% if llng_api_ssl.cert is defined and llng_api_ssl.key is defined %}
ssl_certificate {{ llng_api_ssl.cert }};
ssl_certificate_key {{ llng_api_ssl.key }};
{% elif llng_api_ssl.letsencrypt_cert is defined %}
ssl_certificate /var/lib/dehydrated/certificates/certs/{{ llng_api_ssl.letsencrypt_cert }}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ llng_api_ssl.letsencrypt_cert }}/privkey.pem;
{% endif %}
{% endif %}
index index.psgi;
location ~ ^(?<sc>/index\.psgi)/config {
{% if llng_engine == 'fastcgi' %}
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
{% elif llng_engine == 'uwsgi' %}
include /etc/nginx/uwsgi_params;
uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock;
uwsgi_param LLTYPE psgi;
uwsgi_param SCRIPT_FILENAME $document_root$sc;
uwsgi_param SCRIPT_NAME $sc;
{% endif %}
{% for ip in llng_api_src_ip %}
allow {{ ip }};
{% endfor %}
deny all;
{% if llng_api_pass is defined %}
auth_basic "Lemonldap::NG API";
auth_basic_user_file /etc/lemonldap-ng/api.htpasswd;
satisfy all;
{% endif %}
}
location ~ ^(?<sc>/index\.psgi)/(adminSessions|sessions) {
{% if llng_engine == 'fastcgi' %}
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
{% elif llng_engine == 'uwsgi' %}
include /etc/nginx/uwsgi_params;
uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock;
uwsgi_param LLTYPE psgi;
uwsgi_param SCRIPT_FILENAME $document_root$sc;
uwsgi_param SCRIPT_NAME $sc;
{% endif %}
{% for ip in llng_api_src_ip %}
allow {{ ip }};
{% endfor %}
deny all;
{% if llng_api_pass is defined %}
auth_basic "Lemonldap::NG API";
auth_basic_user_file /etc/lemonldap-ng/api.htpasswd;
satisfy all;
access_log off;
{% endif %}
}
location / {
deny all;
}
}
{% endif %}
Reference in New Issue View Git Blame Copy Permalink