Skip to content
Permalink
Browse files

Move shit around

  • Loading branch information...
psineur committed Apr 1, 2018
1 parent 9310092 commit 0e51d5ae852f46d63623bad631a1dac6b129adaf
@@ -32,11 +32,11 @@ RUN apt update && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*

ADD ./crontab /certcrontab
ADD ./updatecerts.sh /
ADD ./entrypoint.sh /
ADD ./config/crontab /certcrontab
ADD ./scripts/updatecerts.sh /
ADD ./scripts/entrypoint.sh /

ADD ./nginx.conf.erb /tmp
ADD ./config/nginx.conf.erb /tmp
RUN SERVER_NAME=$SERVER_NAME \
REDIRECT_SERVER_NAMES=$REDIRECT_DOMAINS \
HTTPS_CERT_NAME=$HTTPS_CERT_NAME \
File renamed without changes.
@@ -1,3 +1,24 @@
<%# params: -%>
<%# - fake_hosts string[] - when set only fake vhosts will be created - used for certbot initial run-%>
<%# - server_name string - main domain/server_name for the wewbie -%>
<%# - redirect_server_names string[] - all domains that will redirect to server_name and server_name (to redirect http->https) -%>
<%# - https_cert_name string - used in /etc/letsencrypt/NAME, if null - only http will be enabled -%>
<%
fake_hosts = (fake_hosts or ENV['FAKE_HOSTS']);
server_name = (server_name or ENV['SERVER_NAME']);
redirect_server_names = (redirect_server_names or ENV['REDIRECT_SERVER_NAMES']);
https_cert_name = (https_cert_name or ENV['HTTPS_CERT_NAME']);
if fake_hosts then
fake_hosts = fake_hosts.split ','
end;
if redirect_server_names then
redirect_server_names = redirect_server_names.split ','
end;
redirect_server_names = (redirect_server_names or []);
redirect_server_names.push(server_name);
redirect_server_names = redirect_server_names.uniq;
-%>

user www-data;
worker_processes auto;
pid /run/nginx.pid;
@@ -32,40 +53,55 @@ http {
open_file_cache_errors on;

include /etc/nginx/snippets/*.conf;
<% if (fake_hosts.length > 0) then -%>
<% for fake_host in fake_hosts-%>
server {
server_name <%= fake_host -%>;
listen 80;
root /var/wwwnossl/;
location / {
return 200 "Fake NGINX";
}
location ~ /.well-known {
allow all;
}
}
<% end -%>
<% else -%>

server {
set $website_host __ARG_SERVER_NAME;
set $website_host <%= server_name -%>;
server_name "$website_host";
access_log "/var/log/nginx/$website_host.access.log";
access_log "/var/log/nginx/$website_host.error.log";

set $website_root "/var/www/public";
set $symfony_root "/var/www/lib/vendor/symfony";
set $default_controller "index.php";
index $default_controller;

listen 443 ssl http2;
server_name "$website_host";
set $website_root "/var/www/public";
root $website_root;
charset utf-8;

access_log "/var/log/nginx/$website_host.access.log";
access_log "/var/log/nginx/$website_host.error.log";

<% if https_cert_name -%>
listen 443 ssl http2;
ssl_certificate "/etc/letsencrypt/live/<%=https_cert_name-%>/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/<%=https_cert_name-%>/privkey.pem";
<% else -%>
listen 80;
listen [::]:80;
<% end -%>

# Security headers
# THE FOLLOWING REFERRER HEADER BREAKS THE APP; THIS IS A TODO
#add_header Referrer-Policy: strict-origin-when-cross-origin;
#TODO: fix app and enable: add_header Referrer-Policy: strict-origin-when-cross-origin;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

#### let's encrypt's x509 certificates
ssl_certificate "/etc/letsencrypt/live/__ARG_HTTPS_CERT_NAME/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/__ARG_HTTPS_CERT_NAME/privkey.pem";

root $website_root;
index $default_controller;
charset utf-8;

location /sf {
# path to folder where all symfony assets are located
alias $symfony_root/data/web/sf;
alias /var/www/lib/vendor/symfony/data/web/sf;
expires max;
}

@@ -101,14 +137,13 @@ http {
}
}

# redirect with 302 (Moved Temporarily) to
# redirect with 302 (Moved Temporarily) to
# avoid caching URLs that we might change (prod, staging, etc)
server {
listen 80;
listen [::]:80;
set $main_website_host __ARG_SERVER_NAME;
set $all_website_hosts __ARG_REDIRECT_DOMAINS;
server_name "$all_website_hosts";
return 302 "https://$main_website_host$request_uri";
server_name <%=redirect_server_names.join(' ')-%>;
return 302 "https://<%=server_name-%>$request_uri";
}
<% end -%>
}

This file was deleted.

Oops, something went wrong.

0 comments on commit 0e51d5a

Please sign in to comment.
You can’t perform that action at this time.