2018-09-17 21:00:29 +02:00
|
|
|
#######################################################################
|
|
|
|
# WARNING: This file is generated. Do not make changes to this file. #
|
|
|
|
# They will be overwritten on update. You can manage various settings #
|
|
|
|
# used in this file from the ./bwdata/config.yml file for your #
|
|
|
|
# installation. #
|
|
|
|
#######################################################################
|
2018-08-30 17:35:44 +02:00
|
|
|
|
|
|
|
server {
|
|
|
|
listen 8080 default_server;
|
|
|
|
listen [::]:8080 default_server;
|
|
|
|
server_name {{{Domain}}};
|
|
|
|
{{#if Ssl}}
|
|
|
|
|
|
|
|
return 301 {{{Url}}}$request_uri;
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
|
|
|
listen 8443 ssl http2;
|
|
|
|
listen [::]:8443 ssl http2;
|
|
|
|
server_name {{{Domain}}};
|
|
|
|
|
|
|
|
ssl_certificate {{{CertificatePath}}};
|
|
|
|
ssl_certificate_key {{{KeyPath}}};
|
|
|
|
ssl_session_timeout 30m;
|
|
|
|
ssl_session_cache shared:SSL:20m;
|
|
|
|
ssl_session_tickets off;
|
|
|
|
{{#if DiffieHellmanPath}}
|
|
|
|
|
|
|
|
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
|
|
|
|
ssl_dhparam {{{DiffieHellmanPath}}};
|
|
|
|
{{/if}}
|
|
|
|
|
2018-08-31 18:11:44 +02:00
|
|
|
ssl_protocols {{{SslProtocols}}};
|
2018-08-30 17:35:44 +02:00
|
|
|
ssl_ciphers "{{{SslCiphers}}}";
|
|
|
|
# Enables server-side protection from BEAST attacks
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
{{#if CaPath}}
|
|
|
|
|
|
|
|
# OCSP Stapling ---
|
|
|
|
# Fetch OCSP records from URL in ssl_certificate and cache them
|
|
|
|
ssl_stapling on;
|
|
|
|
ssl_stapling_verify on;
|
|
|
|
|
|
|
|
# Verify chain of trust of OCSP response using Root CA and Intermediate certs
|
|
|
|
ssl_trusted_certificate {{{CaPath}}};
|
2019-08-05 13:36:31 +02:00
|
|
|
resolver 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 valid=300s;
|
2018-08-30 17:35:44 +02:00
|
|
|
{{/if}}
|
|
|
|
|
2018-08-31 18:55:54 +02:00
|
|
|
include /etc/nginx/security-headers-ssl.conf;
|
2018-08-30 17:35:44 +02:00
|
|
|
{{/if}}
|
2018-08-31 23:02:49 +02:00
|
|
|
include /etc/nginx/security-headers.conf;
|
2019-04-26 18:26:54 +02:00
|
|
|
{{#if RealIps}}
|
|
|
|
|
|
|
|
{{#each RealIps}}
|
2019-05-16 04:11:22 +02:00
|
|
|
set_real_ip_from {{{this}}};
|
2019-04-26 18:26:54 +02:00
|
|
|
{{/each}}
|
2019-04-28 05:13:14 +02:00
|
|
|
real_ip_header X-Forwarded-For;
|
|
|
|
real_ip_recursive on;
|
2019-04-26 18:26:54 +02:00
|
|
|
{{/if}}
|
2018-08-30 17:35:44 +02:00
|
|
|
|
|
|
|
location / {
|
|
|
|
proxy_pass http://web:5000/;
|
2018-08-31 18:55:54 +02:00
|
|
|
{{#if Ssl}}
|
|
|
|
include /etc/nginx/security-headers-ssl.conf;
|
|
|
|
{{/if}}
|
2018-08-31 23:02:49 +02:00
|
|
|
include /etc/nginx/security-headers.conf;
|
2018-08-30 17:35:44 +02:00
|
|
|
add_header Content-Security-Policy "{{{ContentSecurityPolicy}}}";
|
2018-09-01 04:37:49 +02:00
|
|
|
add_header X-Frame-Options SAMEORIGIN;
|
2019-01-17 22:45:53 +01:00
|
|
|
add_header X-Robots-Tag "noindex, nofollow";
|
2018-08-30 17:35:44 +02:00
|
|
|
}
|
|
|
|
|
2019-07-26 18:43:06 +02:00
|
|
|
location /alive {
|
|
|
|
return 200 'alive';
|
|
|
|
add_header Content-Type text/plain;
|
|
|
|
}
|
|
|
|
|
2018-08-30 17:35:44 +02:00
|
|
|
location = /app-id.json {
|
|
|
|
proxy_pass http://web:5000/app-id.json;
|
2018-08-31 18:55:54 +02:00
|
|
|
{{#if Ssl}}
|
|
|
|
include /etc/nginx/security-headers-ssl.conf;
|
|
|
|
{{/if}}
|
2018-08-31 23:02:49 +02:00
|
|
|
include /etc/nginx/security-headers.conf;
|
2018-08-30 17:35:44 +02:00
|
|
|
proxy_hide_header Content-Type;
|
|
|
|
add_header Content-Type $fido_content_type;
|
|
|
|
}
|
|
|
|
|
2018-08-31 18:16:36 +02:00
|
|
|
location = /duo-connector.html {
|
|
|
|
proxy_pass http://web:5000/duo-connector.html;
|
|
|
|
}
|
|
|
|
|
|
|
|
location = /u2f-connector.html {
|
|
|
|
proxy_pass http://web:5000/u2f-connector.html;
|
|
|
|
}
|
|
|
|
|
2021-03-22 23:21:43 +01:00
|
|
|
location = /webauthn-connector.html {
|
|
|
|
proxy_pass http://web:5000/webauthn-connector.html;
|
|
|
|
}
|
|
|
|
|
|
|
|
location = /webauthn-fallback-connector.html {
|
|
|
|
proxy_pass http://web:5000/webauthn-fallback-connector.html;
|
|
|
|
}
|
|
|
|
|
2020-09-01 18:44:45 +02:00
|
|
|
location = /sso-connector.html {
|
|
|
|
proxy_pass http://web:5000/sso-connector.html;
|
|
|
|
}
|
|
|
|
|
2021-08-13 15:52:26 +02:00
|
|
|
{{#if Captcha}}
|
|
|
|
location = /captcha-connector.html {
|
|
|
|
proxy_pass http://web:5000/captcha-connector.html;
|
|
|
|
}
|
|
|
|
|
|
|
|
location = /captcha-mobile-connector.html {
|
|
|
|
proxy_pass http://web:5000/captcha-mobile-connector.html;
|
|
|
|
}
|
|
|
|
{{/if}}
|
|
|
|
|
2018-08-30 17:35:44 +02:00
|
|
|
location /attachments/ {
|
|
|
|
proxy_pass http://attachments:5000/;
|
|
|
|
}
|
|
|
|
|
|
|
|
location /api/ {
|
|
|
|
proxy_pass http://api:5000/;
|
|
|
|
}
|
|
|
|
|
|
|
|
location /icons/ {
|
|
|
|
proxy_pass http://icons:5000/;
|
|
|
|
}
|
|
|
|
|
|
|
|
location /notifications/ {
|
|
|
|
proxy_pass http://notifications:5000/;
|
|
|
|
}
|
|
|
|
|
|
|
|
location /notifications/hub {
|
|
|
|
proxy_pass http://notifications:5000/hub;
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
|
|
proxy_set_header Connection $http_connection;
|
|
|
|
}
|
|
|
|
|
2019-07-09 20:49:34 +02:00
|
|
|
location /events/ {
|
|
|
|
proxy_pass http://events:5000/;
|
|
|
|
}
|
|
|
|
|
2020-08-28 19:44:50 +02:00
|
|
|
location /sso {
|
|
|
|
proxy_pass http://sso:5000;
|
|
|
|
{{#if Ssl}}
|
|
|
|
include /etc/nginx/security-headers-ssl.conf;
|
|
|
|
{{/if}}
|
|
|
|
include /etc/nginx/security-headers.conf;
|
|
|
|
add_header X-Frame-Options SAMEORIGIN;
|
|
|
|
}
|
|
|
|
|
2020-08-28 19:44:01 +02:00
|
|
|
location /identity {
|
|
|
|
proxy_pass http://identity:5000;
|
|
|
|
{{#if Ssl}}
|
|
|
|
include /etc/nginx/security-headers-ssl.conf;
|
|
|
|
{{/if}}
|
|
|
|
include /etc/nginx/security-headers.conf;
|
|
|
|
add_header X-Frame-Options SAMEORIGIN;
|
|
|
|
}
|
|
|
|
|
2018-08-30 17:35:44 +02:00
|
|
|
location /admin {
|
|
|
|
proxy_pass http://admin:5000;
|
2018-09-01 04:37:49 +02:00
|
|
|
{{#if Ssl}}
|
|
|
|
include /etc/nginx/security-headers-ssl.conf;
|
|
|
|
{{/if}}
|
|
|
|
include /etc/nginx/security-headers.conf;
|
|
|
|
add_header X-Frame-Options SAMEORIGIN;
|
2018-08-30 17:35:44 +02:00
|
|
|
}
|
2021-11-16 18:52:02 +01:00
|
|
|
|
|
|
|
{{#if EnableKeyConnector}}
|
|
|
|
location /key-connector/ {
|
|
|
|
proxy_pass http://key-connector:5000/;
|
|
|
|
}
|
|
|
|
{{/if}}
|
2018-08-30 17:35:44 +02:00
|
|
|
}
|