| {%- set site = salt['pillar.get']('nginx:server:site:'+site_name) %} |
| |
| {%- include "nginx/files/_limit.conf" %} |
| |
| {%- from "nginx/files/headers/_strict_transport_security.conf" import strict_transport_security %} |
| |
| server { |
| |
| {%- include "nginx/files/_name.conf" %} |
| {%- include "nginx/files/_ssl.conf" %} |
| |
| {%- if site.get('underscores_in_headers', False) %} |
| underscores_in_headers on; |
| {%- endif %} |
| |
| {%- include "nginx/files/_auth.conf" %} |
| |
| {%- set location = {} %} |
| {%- if site.get('location') %} |
| {%- do location.update(site.location) %} |
| {# If site has proxy and not location '/' defined in model, update location dictionary to contain proxy part definition #} |
| {%- if site.get('proxy') and not location.get('/')%} |
| {%- do location.update({'/': site.proxy}) %} |
| {%- endif %} |
| {%- else %} |
| {# If location is not defined in model, use proxy definition by default #} |
| {%- do location.update({'/': site.proxy}) %} |
| {%- endif %} |
| {%- if site.get('large_client_header_buffers') %} |
| large_client_header_buffers {{ site.large_client_header_buffers }}; |
| {%- endif %} |
| {%- if site.get('limit', {}).get('enabled', False) %} |
| limit_req_status {{ site.limit.get('status_code', '429') }}; |
| limit_conn_status {{ site.limit.get('status_code', '429') }}; |
| {%- endif %} |
| {%- for path, location in location.items() %} |
| location {{ path }} { |
| {%- if location.upstream_proxy_pass is defined %} |
| proxy_pass {{ location.upstream_proxy_pass }}; |
| {%- else %} |
| proxy_pass {{ location.protocol }}://{{ location.host }}:{{ location.port }}; |
| {%- endif %} |
| |
| {%- include "nginx/files/_access_policy.conf" %} |
| |
| {%- if location.size is defined %} |
| client_max_body_size {{ location.size }}; |
| {%- if location.buffer_size is defined %} |
| client_body_buffer_size {{ location.buffer_size }}; |
| {%- elif location.size.split("m")[0] | int > 200 %} |
| client_body_buffer_size 200m; |
| {%- else %} |
| client_body_buffer_size 20m; |
| {%- endif %} |
| {%- else %} |
| client_max_body_size 20m; |
| client_body_buffer_size 20m; |
| {% endif %} |
| |
| {%- if location.timeout is defined %} |
| proxy_connect_timeout {{ location.timeout }}; |
| proxy_send_timeout {{ location.timeout }}; |
| proxy_read_timeout {{ location.timeout }}; |
| send_timeout {{ location.timeout }}; |
| {%- else %} |
| proxy_connect_timeout 600; |
| proxy_send_timeout 600; |
| proxy_read_timeout 600; |
| send_timeout 600; |
| {%- endif %} |
| |
| {%- if location.filter is defined %} |
| sub_filter '{{ location.filter.search }}' {% if location.filter.replace == '$server_addr' %}$server_addr{% else %}'{{ location.filter.replace }}'{% endif %}; |
| sub_filter_types *; |
| sub_filter_once off; |
| {%- endif %} |
| |
| {%- if site.get('ssl', {'enabled': False}).get('enabled', False) %} |
| proxy_redirect http:// https://; |
| {%- else %} |
| proxy_redirect off; |
| {%- endif %} |
| |
| {%- if location.buffer is defined %} |
| {%- set buffer_size = location.buffer.get('size', 16) * 2 %} |
| proxy_buffering on; |
| proxy_buffers {{ location.buffer.get('number', 8) }} {{ location.buffer.get('size', 16) }}k; |
| proxy_buffer_size {{ buffer_size }}k; |
| proxy_busy_buffers_size {{ location.buffer.get('busy', buffer_size) }}k; |
| {%- else %} |
| proxy_buffering off; |
| {%- endif %} |
| |
| {%- if not location.get('request_buffer', True) %} |
| proxy_request_buffering off; |
| {%- endif %} |
| |
| proxy_http_version 1.1; |
| |
| {%- if location.get('headers', True) %} |
| {%- set host_port = "$host:" + site.host.port|string if site.host.port is defined and site.host.port not in [80,443] else "$host" %} |
| {%- |
| set default_proxy_headers = { |
| 'Host': {'enabled': True, 'value': host_port}, |
| 'X-Real-IP': {'enabled': True, 'value': '$remote_addr'}, |
| 'X-Forwarded-For': {'enabled': True, 'value':'$proxy_add_x_forwarded_for'}, |
| 'X-Forwarded-Proto': {'enabled': True, 'value': '$scheme'}, |
| 'X-Forwarded-Host': {'enabled': True, 'value': host_port}, |
| 'X-Forwarded-Server': {'enabled': True, 'value': '$host'}, |
| 'X-Forwarded-Port': {'enabled': True, 'value': '$server_port'} |
| } |
| %} |
| {%- if location.websocket is defined %} |
| {%- do default_proxy_headers.update({'Upgrade': {'enabled': True, 'value': '$http_upgrade'}, |
| 'Connection': {'enabled': True, 'value': "upgrade"}}) %} |
| {%- endif %} |
| |
| {%- if site.proxy_set_header is defined %} |
| {%- set headers_dict = site.proxy_set_header %} |
| {%- else %} |
| {%- set headers_dict = default_proxy_headers %} |
| {%- endif %} |
| |
| {%- for name,header in headers_dict.iteritems() %} |
| {%- if header.enabled %} |
| proxy_set_header {{ name }} {{ header.value }}; |
| {%- endif %} |
| {%- endfor %} |
| |
| {%- if site.get('ssl', {'enabled': False}).get('enabled', False) %} |
| add_header Front-End-Https on; |
| {{ strict_transport_security(site) | indent(6) }} |
| {%- endif %} |
| {%- endif %} |
| |
| {%- if site.limit_req_module is defined %} |
| {%- set _data = site.limit_req_module %} |
| {%- include "nginx/files/_limit_req_module.conf" %} |
| {%- endif %} |
| |
| {%- if site.limit_conn_module is defined %} |
| {%- set _data = site.limit_conn_module %} |
| {%- include "nginx/files/_limit_conn_module.conf" %} |
| {%- endif %} |
| |
| {# The approach below is deprecated, as it was limited funtionality #} |
| {# compare to flexibility that nginx provide. site:limit_req_module:limit_req shall be used instead. #} |
| |
| {%- if site.get('limit', {}).get('enabled', False) %} |
| limit_req zone={{ site_name }}{% if site.limit.get('burst', False) %} burst={{ site.limit.burst }}{% endif %}{% if site.limit.get('nodelay', False) %} nodelay{% endif %}; |
| {%- for subfilter_name, subfilter in site.limit.get('subfilters', {}).items() %} |
| limit_req zone={{ site_name }}_{{ subfilter_name }}{% if subfilter.get('burst', False) %} burst={{ subfilter.burst }}{% endif %}{% if subfilter.get('nodelay', False) %} nodelay{% endif %}; |
| {%- endfor %} |
| {%- endif %} |
| } |
| {%- endfor %} |
| } |