aboutsummaryrefslogtreecommitdiff
path: root/files/usr/local/etc/nginx
diff options
context:
space:
mode:
Diffstat (limited to 'files/usr/local/etc/nginx')
-rw-r--r--files/usr/local/etc/nginx/acme.conf.common4
-rw-r--r--files/usr/local/etc/nginx/nginx.conf-acme55
-rw-r--r--files/usr/local/etc/nginx/nginx.conf.common26
l---------files/usr/local/etc/nginx/nginx.conf.smtp_server1
-rw-r--r--files/usr/local/etc/nginx/vhosts.conf.smtp_server13
5 files changed, 34 insertions, 65 deletions
diff --git a/files/usr/local/etc/nginx/acme.conf.common b/files/usr/local/etc/nginx/acme.conf.common
deleted file mode 100644
index 583ca98..0000000
--- a/files/usr/local/etc/nginx/acme.conf.common
+++ /dev/null
@@ -1,4 +0,0 @@
-location /.well-known/acme-challenge/ {
- root ${acme_webroot};
- default_type text/plain;
-}
diff --git a/files/usr/local/etc/nginx/nginx.conf-acme b/files/usr/local/etc/nginx/nginx.conf-acme
deleted file mode 100644
index d77c0de..0000000
--- a/files/usr/local/etc/nginx/nginx.conf-acme
+++ /dev/null
@@ -1,55 +0,0 @@
-worker_processes ${nginx_worker_processes};
-worker_rlimit_nofile ${nginx_nofile};
-
-events {
- worker_connections ${nginx_worker_connections};
-}
-
-http {
- include mime.types;
- default_type application/octet-stream;
- index index.html;
-
- aio threads;
- aio_write on;
- sendfile on;
- directio 4m;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 2048;
- server_tokens off;
- client_max_body_size 5m;
- charset utf-8;
- gzip on;
- gzip_http_version 1.0;
- gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json image/svg+xml;
-
- proxy_buffers 64 32k;
- proxy_busy_buffers_size 64k;
- fastcgi_buffers 64 32k;
-
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
- ssl_protocols TLSv1.3;
- ssl_prefer_server_ciphers off;
-
- map \$http_upgrade \$connection_upgrade {
- default upgrade;
- '' keep-alive;
- }
-
- server {
- listen 0.0.0.0:80 default_server;
- listen [::]:80 default_server;
-
- include acme.conf;
-
- location / {
- return 301 https://\$host\$request_uri;
- }
- }
-
- include vhost*.conf;
-}
diff --git a/files/usr/local/etc/nginx/nginx.conf.common b/files/usr/local/etc/nginx/nginx.conf.common
index b0a9a06..9ab993c 100644
--- a/files/usr/local/etc/nginx/nginx.conf.common
+++ b/files/usr/local/etc/nginx/nginx.conf.common
@@ -1,5 +1,6 @@
worker_processes ${nginx_worker_processes};
worker_rlimit_nofile ${nginx_nofile};
+$([ "${nginx_gssapi:-}" = true ] && echo 'load_module "/usr/local/libexec/nginx/ngx_http_auth_spnego_module.so";')
events {
worker_connections ${nginx_worker_connections};
@@ -40,5 +41,28 @@ http {
'' keep-alive;
}
- include vhosts.conf;
+$([ "${nginx_gssapi:-}" = true ] && cat <<EOF
+ auth_gss_realm ${realm};
+ auth_gss_force_realm on;
+EOF
+)
+
+$([ "${nginx_acme:-}" = true ] && cat <<EOF
+ server {
+ listen 0.0.0.0:80 default_server;
+ listen [::]:80 default_server;
+
+ location /.well-known/acme-challenge/ {
+ root ${acme_webroot};
+ default_type text/plain;
+ }
+
+ location / {
+ return 301 https://\$host\$request_uri;
+ }
+ }
+EOF
+)
+
+ include vhosts.conf;
}
diff --git a/files/usr/local/etc/nginx/nginx.conf.smtp_server b/files/usr/local/etc/nginx/nginx.conf.smtp_server
deleted file mode 120000
index 53de10f..0000000
--- a/files/usr/local/etc/nginx/nginx.conf.smtp_server
+++ /dev/null
@@ -1 +0,0 @@
-nginx.conf-acme \ No newline at end of file
diff --git a/files/usr/local/etc/nginx/vhosts.conf.smtp_server b/files/usr/local/etc/nginx/vhosts.conf.smtp_server
index 71d6db8..4b84ede 100644
--- a/files/usr/local/etc/nginx/vhosts.conf.smtp_server
+++ b/files/usr/local/etc/nginx/vhosts.conf.smtp_server
@@ -9,14 +9,19 @@ server {
add_header Strict-Transport-Security "max-age=63072000" always;
+$(if [ -n "$rspamd_admin_users" ]; then
+echo ' auth_gss on;'
+echo " auth_gss_keytab ${nginx_keytab};"
+printf ' auth_gss_authorized_principal %s;\n' $rspamd_admin_users
+fi)
+
location / {
proxy_http_version 1.1;
-
proxy_set_header Host \$host;
- proxy_set_header X-Real-IP \$remote_addr;
- proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
-
+$(if [ -z "$rspamd_admin_users" ]; then
+echo ' proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;'
+fi)
proxy_pass http://127.0.0.1:${rspamd_port}/;
}
}