35 lines
1.6 KiB
Plaintext
35 lines
1.6 KiB
Plaintext
listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %};
|
|
{% set paths = {"cert": "", "key": ""} %}
|
|
{% if AUTO_LETS_ENCRYPT == "yes" %}
|
|
{% set x = paths.update({"cert": "/etc/letsencrypt/live/" + FIRST_SERVER + "/fullchain.pem"}) %}
|
|
{% set x = paths.update({"key": "/etc/letsencrypt/live/" + FIRST_SERVER + "/privkey.pem"}) %}
|
|
{% elif USE_CUSTOM_HTTPS == "yes" %}
|
|
{% set x = paths.update({"cert": CUSTOM_HTTPS_CERT}) %}
|
|
{% set x = paths.update({"key": CUSTOM_HTTPS_KEY}) %}
|
|
{% elif GENERATE_SELF_SIGNED_SSL == "yes" %}
|
|
{% if MULTISITE == "yes" %}
|
|
{% set x = paths.update({"cert": "/etc/nginx/" + FIRST_SERVER + "/self-cert.pem"}) %}
|
|
{% set x = paths.update({"key": "/etc/nginx/" + FIRST_SERVER + "/self-key.pem"}) %}
|
|
{% else %}
|
|
{% set x = paths.update({"cert": "/etc/nginx/self-cert.pem"}) %}
|
|
{% set x = paths.update({"key": "/etc/nginx/self-key.pem"}) %}
|
|
{% endif %}
|
|
{% endif %}
|
|
ssl_certificate {{ paths["cert"] }};
|
|
ssl_certificate_key {{ paths["key"] }};
|
|
ssl_protocols {{ HTTPS_PROTOCOLS }};
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_tickets off;
|
|
ssl_session_timeout 1d;
|
|
ssl_session_cache shared:MozSSL:10m;
|
|
{% if STRICT_TRANSPORT_SECURITY != "" %}
|
|
more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
|
|
{% endif %}
|
|
{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
|
|
ssl_dhparam /etc/nginx/dhparam;
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
{% endif %}
|
|
{% if AUTO_LETS_ENCRYPT %}
|
|
include {{ NGINX_PREFIX }}lets-encrypt-webroot.conf;
|
|
{% endif %}
|