-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathzestedesavoir.j2
167 lines (135 loc) · 4.35 KB
/
zestedesavoir.j2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
limit_req_zone $binary_remote_addr zone=remote_addr:10m rate=5r/s;
limit_req_zone $request_uri zone=request_uri:10m rate=10r/s;
upstream zdsappserver {
server unix:{{ rundir }}/gunicorn.sock fail_timeout=0;
}
map $http_user_agent $loggable {
~^HetrixTools 0;
default 1;
}
{% if env == "vagrant" %}
upstream vaultwarden-default {
zone vaultwarden-default 64k;
server 127.0.0.1:{{ pass_manager_port }};
keepalive 2;
}
{% endif %}
server {
listen 80 default_server;
listen [::]:80 default_server;
{% if enable_https %}
{% if http_host %}
server_name {{ http_host }};
{% endif %}
access_log {{ logdir }}/nginx-https-redirect-access.log combined if=$loggable;
error_log {{ logdir }}/nginx-https-redirect-error.log;
root /var/www/html;
location /.well-known {
allow all;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
{% endif %}
{% if env != "vagrant" %}
server_name {{ http_host }};
## Deny unexpected Host headers (otherwise Django raises "Invalid HTTP_HOST header" exceptions)
if ($host !~* ^({{ http_host }})$ ) {
return 444;
}
{% else %}
# On Vagrant installations, we don't have server name, so serve Munin content as a subfolder
# (not 'munin' because it's a route used by Django)
location /munin-web/ {
alias /var/cache/munin/www/;
access_log off;
log_not_found off;
}
# On Vagrant installations, 127.0.0.1 is already used to serve the website, so
# we put here the /nginx_status end-point, instead of creating a 127.0.0.1 vhost.
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
allow ::1;
deny all;
}
# Serve also Vaultwarden in subfolder
location /vault/ {
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://vaultwarden-default;
}
{% endif %}
root {{ webroot }};
try_files $uri @proxy;
server_tokens off;
client_max_body_size 100M;
{% if enable_https and certificate is defined %}
ssl_certificate {{ certificate.cert }};
ssl_certificate_key {{ certificate.key }};
include snippets/ssl.conf;
{% endif %}
access_log {{ logdir }}/nginx-access.log combined if=$loggable;
error_log {{ logdir }}/nginx-error.log;
# Rewrite de l'ancienne page de teasing
rewrite ^/teasing/$ / permanent;
# Désactivation temporaire de l'inscription en cas de spam
# location /membres/inscription/ {
# rewrite ^(.*)$ /inscription.html break;
# }
include snippets/ban.conf;
{% if not public %}
add_header X-Robots-Tag "none" always;
{% endif %}
location @proxy {
# 503 si la maintenance est active
if (-f $document_root/maintenance.html) {
return 503;
}
limit_req zone=remote_addr burst=10;
limit_req zone=request_uri burst=20;
limit_req_status 429;
include snippets/proxy.conf;
proxy_pass http://zdsappserver;
}
location @maintenance {
rewrite ^(.*)$ /errors/maintenance.html break;
}
# Cache headers on static resources
location ~* ^/(static|media|errors)/ {
access_log off;
log_not_found off;
include snippets/static-cache.conf;
include snippets/clem_smileys.conf;
}
# HOTFIX 20171116 vhf
# disallow everything except this because of security issues
# with DELETE on API endpoints
error_page 405 @error405;
location @error405 {
add_header Allow "GET, POST, HEAD, PUT" always;
}
if ( $request_method !~ ^(GET|POST|HEAD|PUT)$ ) {
return 405;
}
# END HOTFIX
# Error pages
error_page 403 /errors/403.html;
error_page 404 /errors/404.html;
error_page 429 /errors/429.html;
error_page 500 502 504 /errors/500.html;
error_page 503 @maintenance;
include snippets/headers.conf;
{% if env != "vagrant" %}
{# antispam bans Perl user agent, which is used by Munin; in non-Vagrant setup, nginx status is in its own vhost which doesn't include antispam.conf #}
include snippets/antispam.conf;
{% endif %}
}