115 lines
5.6 KiB
Plaintext
115 lines
5.6 KiB
Plaintext
# LOG FORMATS
|
|
log_format main '$remote_addr [$time_local] '
|
|
'$protocol $status $bytes_sent $bytes_received '
|
|
'$session_time';
|
|
log_format anonymized ':: [$time_local] '
|
|
'$protocol $status $bytes_sent $bytes_received '
|
|
'$session_time';
|
|
|
|
# UPSTREAM SERVERS
|
|
{% for upstream in helpers.toList('OPNsense.Nginx.upstream') %}
|
|
upstream upstream{{ upstream['@uuid'].replace('-','') }} {
|
|
{% if upstream.load_balancing_algorithm is defined and upstream.load_balancing_algorithm != '' %}
|
|
{% if upstream.load_balancing_algorithm == 'ip_hash' %}
|
|
hash $remote_addr consistent;
|
|
{% endif %}
|
|
{% endif %}
|
|
{% for upstream_serveruuid in upstream.serverentries.split(',') %}
|
|
{% set upstream_server = helpers.getUUID(upstream_serveruuid) %}
|
|
server {% if ':' in upstream_server.server %}[{% endif %}{{ upstream_server.server }}{% if ':' in upstream_server.server %}]{% endif
|
|
%}{% if upstream_server.port is defined %}:{{ upstream_server.port }}{% endif
|
|
%}{% if upstream_server.priority is defined %} weight={{ upstream_server.priority }}{% endif
|
|
%}{% if upstream_server.max_conns is defined %} max_conns={{ upstream_server.max_conns }}{% endif
|
|
%}{% if upstream_server.max_fails is defined %} max_fails={{ upstream_server.max_fails }}{% endif
|
|
%}{% if upstream_server.fail_timeout is defined %} fail_timeout={{ upstream_server.fail_timeout }}{% endif
|
|
%}{% if upstream_server.no_use is defined %} {{ upstream_server.no_use }}{% endif %};
|
|
{% endfor %}
|
|
}
|
|
{% endfor %}
|
|
|
|
# upstream maps
|
|
{% for upstream_map in helpers.toList('OPNsense.Nginx.sni_hostname_upstream_map') %}
|
|
map $ssl_preread_server_name $hostmap{{ upstream_map['@uuid'].replace('-','') }} {
|
|
{% for map_entry_uuid in upstream_map.data.split(',') %}
|
|
{% set map_entry = helpers.getUUID(map_entry_uuid) %}
|
|
{{ map_entry.hostname }} upstream{{ map_entry.upstream.replace('-','') }};
|
|
{% endfor %}
|
|
|
|
}
|
|
{% endfor %}
|
|
|
|
|
|
include opnsense_stream_vhost_plugins/*.conf;
|
|
|
|
{% if OPNsense.Nginx.general.enabled is defined and OPNsense.Nginx.general.enabled == '1' %}
|
|
{% for server in helpers.toList('OPNsense.Nginx.stream_server') %}
|
|
# servers
|
|
server {
|
|
{% set tls_enabled = server.certificate is defined %}
|
|
|
|
{% if server.listen_address is defined and server.listen_address != '' %}
|
|
{% for listen_address in server.listen_address.split(',') %}
|
|
listen {{ listen_address }}{% if server.udp is defined and server.udp == '1' %} udp{% endif %}{% if tls_enabled %} ssl{% endif %}{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %} proxy_protocol{% endif %};
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
access_log /var/log/nginx/stream_{{ server['@uuid'] }}.access.log main;
|
|
{% if server.syslog_targets is defined %}
|
|
{% set syslog_targets = server.syslog_targets.split(',') %}
|
|
{% include "OPNsense/Nginx/syslog_targets.conf" %}
|
|
{% endif %}
|
|
error_log /var/log/nginx/stream_{{ server['@uuid'] }}.error.log info;
|
|
|
|
{% if server.route_field == 'sni_upstream_map' %}
|
|
ssl_preread on;
|
|
{% endif %}
|
|
{% if server.ip_acl is defined %}
|
|
{% set ip_acl = server.ip_acl %}
|
|
{% include "OPNsense/Nginx/ipacl.conf" %}
|
|
{% endif %}
|
|
{% if server.certificate is defined %}
|
|
{% if server.ca is defined %}
|
|
ssl_client_certificate /usr/local/etc/nginx/key/{{ server['@uuid'] }}_ca.pem;
|
|
ssl_verify_client {{ server.verify_client }};
|
|
{% endif %}
|
|
ssl_certificate_key /usr/local/etc/nginx/key/{{ server['@uuid'] }}.key;
|
|
ssl_certificate /usr/local/etc/nginx/key/{{ server['@uuid'] }}.pem;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_dhparam /usr/local/etc/dh-parameters.4096;
|
|
ssl_ciphers 'ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256';
|
|
ssl_session_timeout 1d;
|
|
ssl_session_cache shared:sslcache{{ server['@uuid'].replace('-','') }}:50m;
|
|
ssl_session_tickets off;
|
|
ssl_prefer_server_ciphers on;
|
|
{% endif %}
|
|
|
|
include {{ server['@uuid'] }}_pre/*.conf;
|
|
|
|
{% if server.route_field == 'upstream' %}
|
|
{% if server.upstream is defined %}
|
|
{% set upstream = helpers.getUUID(server.upstream) %}
|
|
{% if upstream.tls_enable == '1' %}
|
|
{% if upstream.tls_client_certificate is defined and upstream.tls_client_certificate != '' %}
|
|
proxy_ssl_certificate_key /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.key;
|
|
proxy_ssl_certificate /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.pem;
|
|
{% endif %}
|
|
{% endif %}
|
|
proxy_ssl {% if upstream.tls_enable == '1' %}on{% else %}off{% endif %};
|
|
proxy_pass upstream{{ server.upstream.replace('-','') }};
|
|
{% endif %}
|
|
{% elif server.route_field == 'sni_upstream_map' %}
|
|
proxy_pass $hostmap{{ server.sni_upstream_map.replace('-','') }};
|
|
{% endif %}
|
|
proxy_protocol {% if server.proxy_protocol == '1' %}on{% else %}off{% endif %};
|
|
{% if server.trusted_proxies is defined and server.trusted_proxies != '' %}
|
|
{% for trusted_proxy in server.trusted_proxies.split(',') %}
|
|
set_real_ip_from {{ trusted_proxy }};
|
|
{% endfor %}
|
|
{% endif%}
|
|
|
|
include {{ server['@uuid'] }}_post/*.conf;
|
|
|
|
}
|
|
{% endfor %}
|
|
{% endif %}
|