The default TLS settings (disabling tls1.0 and 1.1) chosen by CapRover should be applied to the catchall virtualhost as well as the embedded registry.
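# Default catch-all page. e.g. if you enter SOME-RANDOM-CHARS.captainroot.domain.com
# Requests whose Host header matches no other server block land here (server_name _).
# The block serves the static default page from captain.defaultHtmlDir and also
# answers on 443 using the placeholder ("fake") certificate rendered at fake.crtPath.
server {
    # Catch all HTTP
    listen 80;

    # Catch all HTTPS
    listen 443 ssl;
    ssl_certificate <%-fake.crtPath%>;
    ssl_certificate_key <%-fake.keyPath%>;

    # Session resumption settings, kept identical to the dashboard server block so
    # every TLS endpoint nginx exposes behaves the same way (shared cache, no tickets).
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Mozilla Intermediate configuration. tweak to your needs.
    # TLS 1.0/1.1 are deliberately not offered; same protocol and cipher list as the
    # dashboard and registry blocks.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    server_name _;

    # nginx connection/request counters, intended for callers inside the private networks.
    location /nginx_status {
        stub_status on;
        access_log off;

        # This can be improved by adding authentication as well.
        # CIDR Range IPs: private ranges only. nginx evaluates allow/deny on the TCP
        # peer address ($remote_addr); forwarded headers play no part here.
        allow 172.16.0.0/12;
        allow 10.0.0.0/8;
        allow 192.168.0.0/16;
        deny all;
    }

    location / {
        root <%-captain.defaultHtmlDir%>;
        index index.html index.htm;
    }

    # Unknown paths fall back to the default page; server-side errors get a generic page.
    error_page 404 /index.html;
    error_page 500 502 503 504 /error_generic_catch_all.html;
}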
# Captain dashboard at captain.captainroot.domain.com
# Reverse proxy in front of the CapRover service container. Plain HTTP is always
# offered; the HTTPS listener is only rendered when captain.hasRootSsl is set.
server {
    server_name <%-captain.domain%>;

    listen 80;
    client_max_body_size 300m;

    <% if (captain.hasRootSsl) { %>
    listen 443 ssl;
    ssl_certificate <%-captain.crtPath%>;
    ssl_certificate_key <%-captain.keyPath%>;

    # Session resumption through the shared cache; session tickets are disabled.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Mozilla Intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    <% } %>

    # 127.0.0.11 is the DNS server set up by Docker. Holding the upstream in a
    # variable makes nginx resolve it through this resolver (re-checked every 10s)
    # rather than only once at startup. See:
    # https://docs.docker.com/engine/userguide/networking/configure-dns/
    # https://github.com/moby/moby/issues/20026
    resolver 127.0.0.11 valid=10s;
    set $upstream http://<%-captain.serviceName%>:<%-captain.serviceExposedPort%>;

    # IMPORTANT!! Except proxy_read_timeout, this block should be same as location /api/v2/user/apps/appData
    location / {
        proxy_pass $upstream;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
    }

    # temporary until build process becomes an asynchronous process
    # Same proxy settings as location /, plus a longer read timeout for the
    # synchronous build request.
    location /api/v2/user/apps/appData {
        proxy_read_timeout 120s;

        proxy_pass $upstream;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
    }

    # Used by Lets Encrypt
    location /.well-known/acme-challenge/ {
        root <%-captain.staticWebRoot%>;
    }

    # Used by CapRover for health check
    location /.well-known/captain-identifier {
        root <%-captain.staticWebRoot%>;
    }
}
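# Built-in Docker Registry at registry.captainroot.domain.com
# Port 80/443 is used by Let's Encrypt to support HTTPS
# But the Registry engine runs on port 996
# This block only serves files from registry.staticWebRoot (presumably the ACME
# challenge files); it does not proxy to the registry engine itself.
server {
    listen 80;
    client_max_body_size 500m;

    <%
    if (registry.hasRootSsl) {
    %>
    listen 443 ssl;
    ssl_certificate <%-registry.crtPath%>;
    ssl_certificate_key <%-registry.keyPath%>;

    # Session resumption settings, kept identical to the dashboard server block so
    # every TLS endpoint nginx exposes behaves the same way (shared cache, no tickets).
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Mozilla Intermediate configuration. tweak to your needs.
    # TLS 1.0/1.1 are deliberately not offered; same protocol and cipher list as the
    # catch-all and dashboard blocks.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    <%
    }
    %>

    server_name <%-registry.domain%>;

    location / {
        root <%-registry.staticWebRoot%>;
    }
}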