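{#- Renders the TLS directives of one nginx server block from the `site.ssl` pillar.
    Nothing is emitted unless site.ssl.enabled is true. Two render paths exist:
      * mode not in (secure, normal): every directive is built here from site.ssl.*;
      * mode secure/normal (default secure): the legacy `_ssl_<mode>.conf` snippet is included.
    All `{%-`/`{#-` tags strip the whitespace before them, so comments on their own line are
    output-neutral. Fix in this revision: `.iteritems()` -> `.items()` (iteritems() does not
    exist under Python 3 renderers and aborts the render). #}
{%- from "nginx/files/headers/_strict_transport_security.conf" import strict_transport_security %}
{%- if site.get('ssl', {'enabled': False}).get('enabled', False) %}
{#- Certificate/key paths default to the site host name; an explicit pillar value wins.
    ca_file is read but not used by this template. #}
{%- set ca_file=site.ssl.get('ca_file', '') %}
{%- set key_file=site.ssl.get('key_file', '/etc/ssl/private/{0}.key'.format(site.host.name)) %}
{%- set cert_file=site.ssl.get('cert_file', '/etc/ssl/certs/{0}.crt'.format(site.host.name)) %}
{%- set chain_file=site.ssl.get('chain_file', '/etc/ssl/certs/{0}-with-chain.crt'.format(site.host.name)) %}
{#- NOTE(review): `ssi on;` enables Server Side Includes for this server block. It is unrelated
    to TLS and looks like a typo of the `ssl on;` that follows. SSI evaluates `<!--#...-->`
    directives inside served content, so any page that reflects user input becomes
    SSI-injectable. Kept for backward compatibility -- drop it, or gate it on an explicit
    pillar key, after confirming no site depends on it. #}
ssi on;
{#- `ssl on;` is deprecated since nginx 1.15.0 in favour of `listen ... ssl` (rendered with the
    listen directive, outside this file) and has been removed in later releases -- confirm
    against the target nginx version. #}
ssl on;
{#- Session cache/timeout defaults: one shared 10 MB cache, 10 minute lifetime. #}
ssl_session_cache {{ site.ssl.get('session_cache', 'shared:SSL:10m') }};
ssl_session_timeout {{ site.ssl.get('session_timeout', '10m') }};
{#- Certificate source selection. No engine: plain files (chain file when a chain/authority is
    declared, bare cert otherwise). letsencrypt: certbot live directory. salt: key + chain file. #}
{%- if site.ssl.engine is not defined %}
ssl_certificate_key {{ key_file }};
{%- if site.ssl.chain is defined or site.ssl.authority is defined %}
ssl_certificate {{ chain_file }};
{%- else %}
ssl_certificate {{ cert_file }};
{%- endif %}
{%- elif site.ssl.engine == 'letsencrypt' %}
{%- set cert = site.ssl.get("certificate", site.host.name) %}
ssl_certificate /etc/letsencrypt/live/{{ cert }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ cert }}/privkey.pem;
{#- NOTE(review): fullchain.pem also carries the leaf; certbot's chain.pem is the usual
    ssl_trusted_certificate for OCSP stapling verification -- confirm stapling_verify works. #}
ssl_trusted_certificate /etc/letsencrypt/live/{{ cert }}/fullchain.pem;
{%- include "nginx/files/_letsencrypt.conf" %}
{%- elif site.ssl.engine == 'salt' %}
ssl_certificate_key {{ key_file }};
ssl_certificate {{ chain_file }};
{%- endif %}
{#- Custom mode: every TLS parameter comes from the pillar. Note that the HSTS header at the end
    of this branch is only emitted here; secure/normal rely on the included snippet. #}
{%- if site.ssl.get('mode', 'secure') not in ["secure", "normal"] %}
{#- Protocol list: names of every enabled entry, space separated. If every entry is disabled
    this renders `ssl_protocols ;`, which nginx rejects at config test -- a loud failure is
    preferable to silently falling back to nginx defaults. #}
{%- if site.ssl.protocols is defined %}
{%- set _protocols = [] %}
{%- for protocol_name, protocols in site.ssl.get('protocols', {}).items() %}
{%- if protocols.get('enabled', False) %}
{%- do _protocols.append(protocols.name) %}
{%- endif %}
{%- endfor %}
ssl_protocols {{ ' '.join(_protocols) }};
{%- endif %}
{#- Cipher list: names of every enabled entry, colon separated (OpenSSL list syntax). #}
{%- if site.ssl.ciphers is defined %}
{%- set _ciphers = [] %}
{%- for cipher_name, ciphers in site.ssl.get('ciphers', {}).items() %}
{%- if ciphers.get('enabled', False) %}
{%- do _ciphers.append(ciphers.name) %}
{%- endif %}
{%- endfor %}
ssl_ciphers {{ ':'.join(_ciphers) }};
{%- endif %}
{%- if site.ssl.prefer_server_ciphers is defined %}
ssl_prefer_server_ciphers {{ site.ssl.prefer_server_ciphers }};
{%- endif %}
{%- if site.ssl.buffer_size is defined %}
ssl_buffer_size {{ site.ssl.buffer_size }};
{%- endif %}
{#- CRL for client-certificate revocation; only meaningful together with ssl_verify_client. #}
{%- if site.ssl.get('crl', {'enabled': False}).enabled and site.ssl.crl.file is defined %}
ssl_crl {{ site.ssl.crl.file }};
{%- endif %}
{#- DH parameters file is managed per site by the formula; path is fixed here. #}
{%- if site.ssl.get('dhparam', {'enabled': False}).enabled %}
ssl_dhparam /etc/ssl/dhparams_{{ site_name }}.pem;
{%- endif %}
{%- if site.ssl.ecdh_curve is defined %}
{%- set _ecdh_curve = [] %}
{%- for ecdh_curve_name, ecdh_curve in site.ssl.get('ecdh_curve', {}).items() %}
{%- if ecdh_curve.get('enabled', False) %}
{%- do _ecdh_curve.append(ecdh_curve.name) %}
{%- endif %}
{%- endfor %}
ssl_ecdh_curve {{ ':'.join(_ecdh_curve) }};
{%- endif %}
{#- Private-key passphrase file: inline `content` is written to a per-site path by the formula;
    an explicit `file` path takes precedence when both are given. #}
{%- if site.ssl.password_file is defined and site.ssl.get('password_file', {'enabled': False}).enabled %}
{%- if site.ssl.password_file.content is defined and site.ssl.password_file.file is not defined %}
ssl_password_file /etc/ssl/password_{{ site_name }}.key;
{%- endif %}
{%- if site.ssl.password_file.file is defined %}
ssl_password_file {{ site.ssl.password_file.file }};
{%- endif %}
{%- endif %}
{#- NOTE(review): a static session-ticket key undermines forward secrecy -- anyone holding the
    key file can decrypt recorded sessions for as long as it is in use. Rotate it on a short
    schedule or set session_tickets to off. #}
{%- if site.ssl.get('ticket_key', {'enabled': False}).enabled %}
ssl_session_ticket_key /etc/ssl/ticket_{{ site_name }}.key;
{%- endif %}
{%- if site.ssl.session_tickets is defined %}
ssl_session_tickets {{ site.ssl.session_tickets }};
{%- endif %}
{#- OCSP stapling; nginx needs a resolver to reach the OCSP responder. resolver may be a plain
    string or a mapping with address / valid_seconds / timeout_seconds. #}
{%- if site.ssl.stapling is defined %}
ssl_stapling {{ site.ssl.stapling }};
{%- endif %}
{%- if site.ssl.resolver is defined %}
{%- if site.ssl.resolver.valid_seconds is defined %}
resolver {{ site.ssl.resolver.address }} valid={{ site.ssl.resolver.valid_seconds }}s;
{%- else %}
resolver {{ site.ssl.resolver }};
{%- endif %}
{%- if site.ssl.resolver.timeout_seconds is defined %}
resolver_timeout {{ site.ssl.resolver.timeout_seconds }}s;
{%- endif %}
{%- endif %}
{%- if site.ssl.stapling_file is defined %}
ssl_stapling_file {{ site.ssl.stapling_file }};
{%- endif %}
{%- if site.ssl.stapling_responder is defined %}
ssl_stapling_responder {{ site.ssl.stapling_responder }};
{%- endif %}
{%- if site.ssl.stapling_verify is defined %}
ssl_stapling_verify {{ site.ssl.stapling_verify }};
{%- endif %}
{#- Client certificate (mTLS) settings. ssl_verify_client on/optional requires
    ssl_client_certificate, which is only emitted when client_certificate.enabled is set. #}
{%- if site.ssl.verify_client is defined %}
ssl_verify_client {{ site.ssl.verify_client }};
{%- endif %}
{%- if site.ssl.get('client_certificate', {'enabled': False}).enabled and site.ssl.client_certificate.file is defined %}
ssl_client_certificate {{ site.ssl.client_certificate.file }};
{%- endif %}
{%- if site.ssl.verify_depth is defined %}
ssl_verify_depth {{ site.ssl.verify_depth }};
{%- endif %}
{{ strict_transport_security(site) | indent(2) }}
{%- else %}
{#- Legacy path for mode secure/normal. The included snippet is deprecated and may be silently
    removed in future; all options are now set from _ssl.conf. See the README for the new
    option types. The mode value is interpolated into the include path; only the two values
    accepted above can reach here. #}
{%- set ssl_mode = site.ssl.get('mode', 'secure') %}
{%- include "nginx/files/_ssl_"+ssl_mode+".conf" %}
{%- endif %}
{%- endif %}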