
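<?php if ($this->ssl_enabled && $this->ssl_key) : ?>

<?php
// Nginx SSL vhost template (Aegir provision). Everything printed below lands
// verbatim in the generated nginx config. $this->uri, $this->redirection,
// $this->aliases, $this->root, $ssl_cert_key, $ssl_cert, $ssl_chain_cert and
// $extra_config are NOT escaped, and nginx has no quoting that neutralises
// ";", "{", "}" or a newline inside a directive value - so these values must
// be trusted. They are assumed to come from the Aegir backend (site/server
// contexts), never from end users; confirm that at the call site before
// exposing any of them to a less trusted path.

// "satellite_mode" (BOA-specific layout) and the HTTP/2 flag may be given on
// the drush command line; otherwise the server context's stored value wins.
$satellite_mode = drush_get_option('satellite_mode');
if (!$satellite_mode && $server->satellite_mode) {
  $satellite_mode = $server->satellite_mode;
}

$nginx_has_http2 = drush_get_option('nginx_has_http2');
if (!$nginx_has_http2 && $server->nginx_has_http2) {
  $nginx_has_http2 = $server->nginx_has_http2;
}

$aegir_root = d('@server_master')->aegir_root;

// TLS is enabled by the "ssl" parameter of "listen". The standalone
// "ssl on;" directive is deliberately NOT emitted anywhere in this template:
// it has been redundant next to "listen ... ssl" since nginx 0.7.14, was
// deprecated in 1.15.0 and is rejected by nginx >= 1.25.1 - where a single
// vhost carrying it makes the whole configuration fail to load.
// The "http2" listen parameter is likewise deprecated since 1.25.1 in favour
// of "http2 on;", but is still accepted, so it is kept for compatibility.
if ($nginx_has_http2) {
  $ssl_args = "ssl http2";
}
else {
  $ssl_args = "ssl";
}

// BOA listens on every address; otherwise bind to the site's configured IP.
if ($satellite_mode == 'boa') {
  $ssl_listen_ip = "*";
}
else {
  $ssl_listen_ip = $ip_address;
}
?>

<?php if ($this->redirection): ?>
<?php foreach ($this->aliases as $alias_url): ?>
server {
  listen       <?php print "{$ssl_listen_ip}:{$http_ssl_port} {$ssl_args}"; ?>;
<?php
  // One redirect-only server per alias. The alias that *is* the redirection
  // target must answer to the original site URL ($this->uri) instead,
  // otherwise it and the main server below would both claim the same
  // server_name. Both operands are hostname strings, so strict comparison is
  // the right test (the enclosing "if ($this->redirection)" already
  // guarantees the target is set).
  // NOTE: this rewrites $this->uri in place ("/" -> "." for sub-directory
  // sites); the main server below and the vhost.tpl.php included at the end
  // of this file see the rewritten value.
  if ($alias_url === $this->redirection) {
    $this->uri = str_replace('/', '.', $this->uri);
    print "  server_name  {$this->uri};\n";
  }
  else {
    $alias_url = str_replace('/', '.', $alias_url);
    print "  server_name  {$alias_url};\n";
  }
?>
<?php if ($satellite_mode == 'boa'): ?>
<?php
  // OCSP stapling on BOA. Two operational caveats:
  //  - the resolver is a public one (Google) reached over plain UDP DNS, so
  //    OCSP responder lookups leave the host unencrypted; a local resolver
  //    would be preferable where one exists.
  //  - "ssl_stapling_verify on" needs the issuer/root chain to be trusted via
  //    ssl_trusted_certificate; if nginx_vhost_common.conf or the BOA stack
  //    does not provide it, nginx logs a warning and serves without a staple
  //    rather than failing (confirm on the target stack).
?>
  ssl_stapling               on;
  ssl_stapling_verify        on;
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout           5s;
  ssl_dhparam                /etc/ssl/private/nginx-wild-ssl.dhp;
<?php endif; ?>
  ssl_certificate_key        <?php print $ssl_cert_key; ?>;
<?php // Prefer the full chain file when one was generated for the site. ?>
<?php if (!empty($ssl_chain_cert)) : ?>
  ssl_certificate            <?php print $ssl_chain_cert; ?>;
<?php else: ?>
  ssl_certificate            <?php print $ssl_cert; ?>;
<?php endif; ?>
<?php if ($satellite_mode == 'boa'): ?>
<?php
  // ACME HTTP-01 challenges must be answered from the redirect-only servers
  // too, otherwise the 301 below would bounce the validator to the target.
  // Both the location prefix and the alias end with "/" so that only paths
  // *below* the challenge directory are mapped; without the trailing
  // slashes nginx substitutes the prefix literally, so a request for
  // /.well-known/acme-challengeX would map to the sibling entry
  // .../tools/le/.acme-challengesX instead of being rejected.
?>

  ###
  ### Allow access to letsencrypt.org ACME challenges directory.
  ###
  location ^~ /.well-known/acme-challenge/ {
    alias <?php print $aegir_root; ?>/tools/le/.acme-challenges/;
    try_files $uri 404;
  }

<?php endif; ?>
  return 301 $scheme://<?php print $this->redirection; ?>$request_uri;
}
<?php endforeach; ?>
<?php endif; ?>

server {
  include       fastcgi_params;

  # Block https://httpoxy.org/ attacks.
  fastcgi_param HTTP_PROXY "";

  fastcgi_param MAIN_SITE_NAME <?php print $this->uri; ?>;
  set $main_site_name "<?php print $this->uri; ?>";
  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  fastcgi_param HTTPS on;
<?php
  // Database credentials are handed to PHP-FPM as FastCGI params. An empty
  // value would yield an invalid directive, and one broken vhost makes
  // "nginx -t" / reload fail for every site on the box - e.g. after a
  // platform import whose sites came without their databases. Dummy
  // placeholders keep the config loadable; this site will not work until its
  // settings are repaired, but the others keep running.
  if (!$db_type || !$db_name || !$db_user || !$db_passwd || !$db_host) {
    $db_type = 'mysqli';
    $db_name = 'none';
    $db_user = 'none';
    $db_passwd = 'none';
    $db_host = 'localhost';
  }
?>
<?php
  // urlencode() percent-encodes everything except [A-Za-z0-9_.-], which is
  // what keeps a password containing ";", "{", a quote, a space or a newline
  // from altering the generated config. The consumer must urldecode() these.
?>
  fastcgi_param db_type   <?php print urlencode($db_type); ?>;
  fastcgi_param db_name   <?php print urlencode($db_name); ?>;
  fastcgi_param db_user   <?php print urlencode($db_user); ?>;
  fastcgi_param db_passwd <?php print urlencode($db_passwd); ?>;
  fastcgi_param db_host   <?php print urlencode($db_host); ?>;
<?php
  // Until the real source of this problem is fixed elsewhere, fall back to
  // the server's port (or MySQL's default) so that an empty db_port cannot
  // break the nginx reload and take the affected vhosts down.
  if (!$db_port) {
    $db_port = $this->server->db_port ? $this->server->db_port : '3306';
  }
?>
  fastcgi_param db_port   <?php print urlencode($db_port); ?>;
  listen        <?php print "{$ssl_listen_ip}:{$http_ssl_port} {$ssl_args}"; ?>;
  server_name   <?php
    // This is the main vhost: when a redirection target exists it is the
    // hostname here (the original URL is served by a redirect server above);
    // otherwise the original URL plus every non-blank alias is listed.
    if ($this->redirection) {
      print str_replace('/', '.', $this->redirection);
    } else {
      print $this->uri;
    }
    if (!$this->redirection && is_array($this->aliases)) {
      foreach ($this->aliases as $alias_url) {
        if (trim($alias_url)) {
          print " " . str_replace('/', '.', $alias_url);
        }
      }
    } ?>;
  root          <?php print "{$this->root}"; ?>;
<?php if ($satellite_mode == 'boa'): ?>
<?php // Same OCSP stapling / resolver caveats as in the redirect servers above. ?>
  ssl_stapling               on;
  ssl_stapling_verify        on;
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout           5s;
  ssl_dhparam                /etc/ssl/private/nginx-wild-ssl.dhp;
<?php endif; ?>
  ssl_certificate_key        <?php print $ssl_cert_key; ?>;
<?php if (!empty($ssl_chain_cert)) : ?>
  ssl_certificate            <?php print $ssl_chain_cert; ?>;
<?php else: ?>
  ssl_certificate            <?php print $ssl_cert; ?>;
<?php endif; ?>
<?php
  // $extra_config is raw nginx configuration supplied by the backend and is
  // spliced in unmodified; whoever can set it can emit arbitrary directives
  // for this server block.
?>
  <?php print $extra_config; ?>
  include                    <?php print $server->include_path; ?>/nginx_vhost_common.conf;
}

<?php endif; ?>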

<?php
  // The SSL server blocks above only supplement the plain-HTTP vhost: pull in
  // the standard template as well so the site also answers on port 80. The
  // path is built from the provisioning class directory, not from request
  // data, so the include target is fixed by the installed code.
  include provision_class_directory('Provision_Config_Nginx_Site') . '/vhost.tpl.php';
?>