ansible-infra/roles/mumble/templates/nginx.conf.j2

65 lines
1.7 KiB
Django/Jinja

{{ ansible_managed | comment }}
server {
listen 80;
listen [::]:80;
server_name {{ mumble_web_domain }};
location / {
return 301 https://$host$request_uri;
}
{% if acme_challenge_dir is defined %}
location ^~ /.well-known/acme-challenge/ {
allow all;
root {{ acme_challenge_dir }};
try_files $uri =404;
}
{% endif %}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ mumble_web_domain }};
ssl_certificate {{ mumble_web_certificate }};
ssl_certificate_key {{ mumble_web_private_key }};
ssl_session_timeout 1d;
ssl_session_cache shared:AnsibleSSL:10m; # about 40000 sessions
ssl_session_tickets off;
{% if mumble_web_dhparam is defined and mumble_web_dhparam != '' %}
ssl_dhparam {{ mumble_web_dhparam }};
{% endif %}
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# Verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate {{ mumble_web_trusted_certificate }};
location / {
root /var/www/mumble-web/dist/;
}
location /mumble {
proxy_pass http://127.0.0.1:{{ mumble_web_websockify_port }};
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}