https: T5902: remove virtual-host configuration
Showing
16 changed files
with
348 additions
and
367 deletions.
@@ -1,60 +1,65 @@ | ||
### Autogenerated by service_https.py ### | ||
# Default server configuration | ||
|
||
{% for server in server_block_list %} | ||
{% if enable_http_redirect is vyos_defined %} | ||
server { | ||
# SSL configuration | ||
# | ||
{% if server.address == '*' %} | ||
listen {{ server.port }} ssl; | ||
listen [::]:{{ server.port }} ssl; | ||
{% else %} | ||
listen {{ server.address | bracketize_ipv6 }}:{{ server.port }} ssl; | ||
{% endif %} | ||
listen 80 default_server; | ||
server_name {{ hostname }}; | ||
return 301 https://$host$request_uri; | ||
} | ||
{% endif %} | ||
|
||
{% for name in server.name %} | ||
server_name {{ name }}; | ||
server { | ||
{% if listen_address is vyos_defined %} | ||
{% for address in listen_address %} | ||
listen {{ address | bracketize_ipv6 }}:{{ port }} ssl; | ||
{% endfor %} | ||
{% else %} | ||
listen {{ port }} ssl; | ||
listen [::]:{{ port }} ssl; | ||
{% endif %} | ||
|
||
root /srv/localui; | ||
server_name {{ hostname }}; | ||
root /srv/localui; | ||
|
||
{% if server.vyos_cert %} | ||
ssl_certificate {{ server.vyos_cert.crt }}; | ||
ssl_certificate_key {{ server.vyos_cert.key }}; | ||
{% else %} | ||
# | ||
# Self signed certs generated by the ssl-cert package | ||
# Don't use them in a production server! | ||
# | ||
include snippets/snakeoil.conf; | ||
# SSL configuration | ||
{% if certificates.cert_path is vyos_defined and certificates.key_path is vyos_defined %} | ||
ssl_certificate {{ certificates.cert_path }}; | ||
ssl_certificate_key {{ certificates.key_path }}; | ||
{% if certificates.dh_file is vyos_defined %} | ||
ssl_dhparam {{ certificates.dh_file }}; | ||
{% endif %} | ||
ssl_session_cache shared:le_nginx_SSL:10m; | ||
ssl_session_timeout 1440m; | ||
ssl_session_tickets off; | ||
{% else %} | ||
# Self signed certs generated by the ssl-cert package | ||
# Don't use them in a production server! | ||
include snippets/snakeoil.conf; | ||
{% endif %} | ||
|
||
ssl_protocols TLSv1.2 TLSv1.3; | ||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; | ||
# Improve HTTPS performance with session resumption | ||
ssl_session_cache shared:SSL:10m; | ||
ssl_session_timeout 10m; | ||
ssl_protocols {{ 'TLSv' ~ ' TLSv'.join(tls_version) }}; | ||
|
||
# proxy settings for HTTP API, if enabled; 503, if not | ||
location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) { | ||
{% if server.api %} | ||
proxy_pass http://unix:/run/api.sock; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_read_timeout 600; | ||
proxy_buffering off; | ||
{% else %} | ||
return 503; | ||
{% endif %} | ||
{% if server.allow_client %} | ||
{% for client in server.allow_client %} | ||
allow {{ client }}; | ||
{% endfor %} | ||
deny all; | ||
{% endif %} | ||
} | ||
# From LetsEncrypt | ||
ssl_prefer_server_ciphers on; | ||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; | ||
|
||
error_page 497 =301 https://$host:{{ server.port }}$request_uri; | ||
# proxy settings for HTTP API, if enabled; 503, if not | ||
location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) { | ||
{% if api is vyos_defined %} | ||
proxy_pass http://unix:/run/api.sock; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_read_timeout 600; | ||
proxy_buffering off; | ||
{% else %} | ||
return 503; | ||
{% endif %} | ||
{% if allow_client.address is vyos_defined %} | ||
{% for address in allow_client.address %} | ||
allow {{ address }}; | ||
{% endfor %} | ||
deny all; | ||
{% endif %} | ||
} | ||
error_page 497 =301 https://$host:{{ port }}$request_uri; | ||
} | ||
|
||
{% endfor %} |
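Review bot: The TLS session-resumption policy on the new side is set only inside the configured-certificate branch — `ssl_session_cache shared:le_nginx_SSL:10m;`, `ssl_session_timeout 1440m;` and `ssl_session_tickets off;` sit under `{% if certificates.cert_path is vyos_defined and certificates.key_path is vyos_defined %}`, while the snakeoil `{% else %}` branch gets none of them and the previously unconditional `ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m;` lines are removed, so a system without a configured certificate now falls back to nginx's built-in defaults (no shared cache, session tickets enabled). Moving the three `ssl_session_*` directives out of the certificate conditional, next to `ssl_protocols`, keeps the resumption policy independent of which certificate source is in use. Separately, `ssl_protocols {{ 'TLSv' ~ ' TLSv'.join(tls_version) }};` renders as a bare `ssl_protocols TLSv;` when `tls_version` is an empty list, which nginx rejects at config test; presumably the XML default prevents that, but a `{% if tls_version is vyos_defined %}` guard around the line would make the template self-contained.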
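--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,10 @@
+<!-- include start from pki/certificate-multi.xml.i -->
+<leafNode name="dh-params">
+<properties>
+<help>Diffie Hellman parameters (server only)</help>
+<completionHelp>
+<path>pki dh</path>
+</completionHelp>
+</properties>
+</leafNode>
+<!-- include end -->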
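Review bot: The opening marker `<!-- include start from pki/certificate-multi.xml.i -->` names a different include than the one this new file defines; presumably the snippet was copied out of that file, and the marker should name this file's own path so the include boundaries stay accurate when grepping. The `dh-params` leaf carries a `<completionHelp>` but no `<valueHelp>` or `<constraint>`, so as far as this hunk shows any string is accepted at configuration time and only a later verify step can reject a name that does not exist under `pki dh`; if that is intentional, a `<valueHelp>` entry with `<format>txt</format>` and a short description would at least document the expected value. Minor wording: `<help>Diffie-Hellman parameters (server only)</help>`.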