|
@@ -0,0 +1,75 @@
|
|
|
+#
|
|
|
+# FF Frontend configuration (Salt managed)
|
|
|
+#
|
|
|
+
|
|
|
+{%- set acme_thumbprint = salt['pillar.get']('acme:thumbprint', False) %}
|
|
|
+
|
|
|
+{%- for domain, config in pillar.get('frontend', {}).items()|sort if 'file' not in config %}
|
|
|
+ {%- set https = domain in salt['pillar.get']('cert', {}) and salt['pillar.get']('frontend:' ~ domain ~ ':https', True) %}
|
|
|
+ {%- set http = salt['pillar.get']('frontend:' ~ domain ~ ':http', not https) %}
|
|
|
+ {%- set host = salt['pillar.get']('frontend:' ~ domain ~ ':host', domain) %}
|
|
|
+
|
|
|
+#
|
|
|
+# {{ domain }}
|
|
|
+server {
|
|
|
+ {%- if http %}
|
|
|
+ listen 80{% if http == 'default_server' %} default_server{% endif %};
|
|
|
+ listen [::]:80{% if http == 'default_server' %} default_server{% endif %};
|
|
|
+ {%- endif %}
|
|
|
+ {%- if https %}
|
|
|
+ listen 443{% if https == 'default_server' %} default_server{% endif %};
|
|
|
+ listen [::]:443{% if https == 'default_server' %} default_server{% endif %};
|
|
|
+ {%- endif %}
|
|
|
+
|
|
|
+ {#- set server_name #}
|
|
|
+ {%- if 'server_name' in config %}
|
|
|
+ server_name {{ config.server_name }};
|
|
|
+ {%- elif 'domains' in config %}
|
|
|
+ {%- set domains = config.domains %}
|
|
|
+ {%- do domains.append(domain) %}
|
|
|
+ server_name ~^({{ domains|join('|') }})$;
|
|
|
+ {%- else %}
|
|
|
+ server_name "{{ domain }}";
|
|
|
+ {%- endif %}
|
|
|
+
|
|
|
+ {%- if https %}
|
|
|
+ ssl on;
|
|
|
+ ssl_certificate /etc/ssl/certs/{{ domain }}.cert.pem;
|
|
|
+ ssl_certificate_key /etc/ssl/private/{{ domain }}.key.pem;
|
|
|
+ {%- endif %}
|
|
|
+
|
|
|
+ {%- if 'proxy_pass' in config %}
|
|
|
+ location / {
|
|
|
+ proxy_pass {{ config.proxy_pass }};
|
|
|
+ proxy_redirect default;
|
|
|
+ proxy_set_header Host "{{ host }}";
|
|
|
+ proxy_set_header X-Forwarded-For $remote_addr;
|
|
|
+ }
|
|
|
+ {%- elif 'redirect' in config %}
|
|
|
+ location / {
|
|
|
+ return 302 {{ config.redirect }};
|
|
|
+ }
|
|
|
+ {%- elif 'location' in config %}
|
|
|
+ {%- for location, loc_conf in config.location.items()|sort %}
|
|
|
+ location {{ location }} {
|
|
|
+ {%- if 'proxy_pass' in loc_conf %}
|
|
|
+ {%- set loc_host = salt['pillar.get']('frontend:' ~ domain ~ ':location:' ~ location ~ ':host', host) %}
|
|
|
+ proxy_pass {{ loc_conf.proxy_pass }};
|
|
|
+ proxy_redirect default;
|
|
|
+ proxy_set_header Host "{{ loc_host }}";
|
|
|
+ proxy_set_header X-Forwarded-For $remote_addr;
|
|
|
+ {%- elif 'redirect' in loc_conf %}
|
|
|
+ return 302 {{ loc_conf.redirect }};
|
|
|
+ {%- endif %}
|
|
|
+ }
|
|
|
+ {% endfor %}
|
|
|
+ {%- endif %}
|
|
|
+
|
|
|
+ {%- if acme_thumbprint %}
|
|
|
+ location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
|
|
|
+ default_type text/plain;
|
|
|
+ return 200 "$1.{{ acme_thumbprint }}";
|
|
|
+ }
|
|
|
+ {%- endif %}
|
|
|
+}
|
|
|
+{%- endfor %}
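Review bot: In the `'domains' in config` branch, `server_name ~^({{ domains|join('|') }})$;` places the pillar names into a regex unescaped, so every `.` matches any character and the block answers for hostnames that were never listed. nginx accepts several exact names on one directive, so `server_name {{ domain }} {{ config.domains|join(' ') }};` gives the intended match without a regex; it also makes the `do domains.append(domain)` call unnecessary, which appears to modify the pillar list in place. Separately, `ssl on;` applies to the whole server block, so a domain configured with both `http` and `https` would presumably be expected to speak TLS on port 80 as well. Using `listen 443 ssl;` and `listen [::]:443 ssl;` scopes TLS to those sockets and drops a directive that newer nginx releases no longer accept.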
|