kanootoko/ssl-nginx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Version 0.6.0 (2026-04-01)

Browse Source 
Changes:
- add config validation option via Makefile
- add `default-http{,s}-port` commands to add_servers.py
- update add_servers.py to pass generic parameters to servers in templates
- add nginx_conf.d directory usage for more than one custom nginx configurations
- rename `port` and `ssl_port` to `http{,s}_port` for templates
- add `http{,s}_custom_params` to templates
This commit is contained in:
Aleksei Sokol
2026-03-25 16:16:01 +03:00
parent 94259c5f99
commit 8946fa4244
14 changed files with 314 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
nginx/examples/domains.txt Normal file
View File

@@ -0,0 +1,5 @@
your.domain.to_listen
your_other.doma.in
*.doma.in
#commented.domain
domain.without.proxy

107
nginx/examples/nginx.conf.j2 Normal file
View File

@@ -0,0 +1,107 @@
{# input variables ~ examples:
- acme_challenge_location ~ /ssl/:
- resolver ~ 127.0.0.11:
- servers
- name ~ doma.in,
- all_names ~ doma.in testing.doma.in
- proxy_pass ~ http://localhost:3333
- certificate_dir ~ /ssl/other.doma.in (configured by certificate_name parameter)
- server_options
- opt_1;
...
- location_options
- opt_1;
...
- http_port ~ 80
- https_port ~ 443
- http_custom_params ~ proxy_protocol
- https_custom_params ~ proxy_protocol
-#}
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server_tokens off;
gzip on;
proxy_connect_timeout 300;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
client_max_body_size 500M;
server {
return 404;
}
{%- for server in servers %}
{# #}
server {
{%- if server["http_port"] %}
listen {{ server["http_port"] }} {{- " " + server["http_custom_params"] if server["http_custom_params"] else ""}};
{%- endif %}
{%- if server["certificate_dir"] %}
listen {{ server["https_port"] }} ssl {{- " " + server["https_custom_params"] if server["https_custom_params"] else ""}};
ssl_certificate {{ server["certificate_dir"] }}/fullchain.pem;
ssl_certificate_key {{ server["certificate_dir"] }}/privkey.pem;
if ($scheme = 'http') {
return 302 https://$host$request_uri;
}
{%- endif %}
keepalive_timeout 70;
server_name {{ server["all_names"] or server["name"] }};
{%- if acme_challenge_location %}
{# #}
location /.well-known/acme-challenge {
root {{ acme_challenge_location }};
}
{%- endif %}
{%- if server["server_options"] %}
{# #}
{%- for server_option in server["server_options"] %}
{{ server_option }}
{%- endfor %}
{%- endif %}
{%- if server["proxy_pass"] %}
{# #}
location / {
resolver {{ resolver }};
set $host_{{ loop.index }} {{ server["proxy_pass"] }};
proxy_pass $host_{{ loop.index }};
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Real-IP $remote_addr;
{%- if server["location_options"] %}
{# #}
{%- for location_option in server["location_options"] %}
{{ location_option }}
{%- endfor %}
{%- endif %}
}
{%- endif %}
}
{%- endfor %}
}
include /etc/nginx/conf.d/*.conf;

131
nginx/examples/nginx.middle.conf.j2 Normal file
View File

@@ -0,0 +1,131 @@
{# input variables ~ examples:
- acme_challenge_location ~ /ssl/:
- resolver ~ 127.0.0.11:
- servers
- name ~ doma.in,
- all_names ~ doma.in testing.doma.in
- proxy_pass ~ http://localhost:3333
- certificate_dir ~ /ssl/other.doma.in (configured by certificate_name parameter)
- server_options
- opt_1;
...
- location_options
- opt_1;
...
- http_port ~ 80
- https_port ~ 443
- http_custom_params ~ proxy_protocol
- https_custom_params ~ proxy_protocol
-#}
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server_tokens off;
gzip on;
proxy_connect_timeout 300;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
client_max_body_size 500M;
server {
return 404;
}
map $http_host $proxied_host {
"" $host;
default $http_host;
}
map $http_x_forwarded_port $proxied_port {
"" $server_port;
default $http_x_forwarded_port;
}
map $http_x_forwarded_host $proxied_x_host {
"" $host:$proxied_port;
default $http_x_forwarded_host;
}
map $http_x_forwarded_proto $proxied_proto {
"" $scheme;
default $http_x_forwarded_proto;
}
map $http_x_real_ip $proxied_remote_addr {
"" $remote_addr;
default $http_x_real_ip;
}
map $http_x_forwarded_for $proxied_forwarded_for {
"" $proxy_add_x_forwarded_for;
default $http_x_forwarded_for;
}
{%- for server in servers %}
{# #}
server {
{%- if server["http_port"] %}
listen {{ server["http_port"] }} {{- " " + server["http_custom_params"] if server["http_custom_params"] else ""}};
{%- endif %}
{%- if server["certificate_dir"] %}
listen {{ server["https_port"] }} ssl {{- " " + server["https_custom_params"] if server["https_custom_params"] else ""}};
ssl_certificate {{ server["certificate_dir"] }}/fullchain.pem;
ssl_certificate_key {{ server["certificate_dir"] }}/privkey.pem;
if ($scheme = 'http') {
return 302 https://$host$request_uri;
}
{%- endif %}
keepalive_timeout 70;
server_name {{ server["all_names"] or server["name"] }};
{%- if acme_challenge_location %}
{# #}
location /.well-known/acme-challenge {
root {{ acme_challenge_location }};
}
{%- endif %}
{%- if server["server_options"] %}
{# #}
{%- for server_option in server["server_options"] %}
{{ server_option }}
{%- endfor %}
{%- endif %}
{%- if server["proxy_pass"] %}
{# #}
location / {
resolver {{ resolver }};
set $host_{{ loop.index }} {{ server["proxy_pass"] }};
proxy_pass $host_{{ loop.index }};
proxy_set_header HOST $proxied_host;
proxy_set_header X-Forwarded-Host $proxied_x_host;
proxy_set_header X-Forwarded-Port $proxied_port;
proxy_set_header X-Forwarded-Proto $proxied_proto;
proxy_set_header X-Forwarded-For $proxied_forwarded_for;
proxy_set_header X-Real-IP $proxied_remote_addr;
{%- if server["location_options"] %}
{# #}
{%- for location_option in server["location_options"] %}
{{ location_option }}
{%- endfor %}
{%- endif %}
}
{%- endif %}
}
{%- endfor %}
}
include /etc/nginx/conf.d/*.conf;

31
nginx/examples/servers.yaml Normal file
View File

@@ -0,0 +1,31 @@
resolver: 127.0.0.1 # 127.0.0.11 for docker
acme_challenge_location: /etc/nginx/acme/ # /ssl for docker volume
servers:
your.domain.to_redirect:
proxy_pass: "http://redirection.address"
your_other.doma.in:
proxy_pass: "http://redirection-other.address"
server_options:
- "proxy_buffering off;"
- "proxy_request_buffering off;"
location_options:
- "proxy_http_version 1.1;"
- "proxy_set_header Upgrade $http_upgrade;"
- 'proxy_set_header Connection "upgrade";'
- "proxy_read_timeout 86400;"
"*.doma.in":
all_names: "*.doma.in doma.in"
certificate_name: doma.in
proxy_pass: "http://full.subdomain.proxy"
server_options:
- "proxy_buffering off;"
- "proxy_request_buffering off;"
- "client_max_body_size 0;"
- "http2 on;"
"custom.doma.in":
proxy_pass: "http://custom"
http_port: 4480
https_port: 4443
https_custom_params: "http2 proxy_protocol"

27
nginx/examples/stream.conf Normal file
View File

@@ -0,0 +1,27 @@
stream {
log_format stream '$remote_addr [$time_local] host=$ssl_preread_server_name '
'prot=$protocol status=$status out=$bytes_sent in=$bytes_received';
# access_log /var/log/nginx/stream_access.log stream;
# error_log /var/log/nginx/stream_error.log;
map $ssl_preread_server_name $backend_name {
your.special.domain proxy_protocol_backend;
default nginx_https;
}
upstream nginx_https {
server 127.0.0.1:4443;
}
upstream proxy_protocol_backend {
server container_backend:443;
}
server {
listen 443 reuseport;
proxy_pass $backend_name;
ssl_preread on;
proxy_protocol on;
}
}