infrastructure/ansible/roles/gateway/files/nginx.conf

log_format gateway '$remote_addr [$time_local] '
                '$protocol $status $bytes_sent $bytes_received '
                '$session_time "$ssl_preread_server_name" '
                '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

log_format ips '$remote_addr [$time_local] $ssl_preread_server_name';

access_log /var/log/nginx/gateway.log gateway;
access_log /var/log/nginx/ips.log ips;

map $ssl_preread_server_name $gateway_destination {
    default                      {{ wireguard.clients.ingress.ip }}:8443;

    headscale.jakehoward.tech    127.0.0.1:8888;

    {% for domain in cdn_domains %}
    {{ domain }}  127.0.0.1:8800;
    {% endfor %}
}

server {
    listen 443;
    listen 8448;
    listen [::]:443;
    listen [::]:8448;
    proxy_pass $gateway_destination;
    proxy_protocol on;
}

server {
    listen [{{ vps_hosts.private_ipv6_marker }}]:443;
    listen [{{ vps_hosts.private_ipv6_marker }}]:8448;

    access_log off;

    deny all;

    # This is never used, but need to keep nginx happy
    proxy_pass 127.0.0.1:80;
}
Move gateway logs to separate file 2024-01-31 21:06:19 +00:00			`log_format gateway '$remote_addr [$time_local] '`
Unify nginx configuration This creates a simple base configuration skeleton, that other configuration can be easily loaded into. 2023-12-16 17:47:04 +00:00			`'$protocol $status $bytes_sent $bytes_received '`
			`'$session_time "$ssl_preread_server_name" '`
			`'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';`
Replace edge proxy with nginx The config makes more sense, and it has more of the features I need, which will come later. 2021-08-22 22:34:27 +01:00
Unify nginx configuration This creates a simple base configuration skeleton, that other configuration can be easily loaded into. 2023-12-16 17:47:04 +00:00			`log_format ips '$remote_addr [$time_local] $ssl_preread_server_name';`
Replace edge proxy with nginx The config makes more sense, and it has more of the features I need, which will come later. 2021-08-22 22:34:27 +01:00
Move gateway logs to separate file 2024-01-31 21:06:19 +00:00			`access_log /var/log/nginx/gateway.log gateway;`
Unify nginx configuration This creates a simple base configuration skeleton, that other configuration can be easily loaded into. 2023-12-16 17:47:04 +00:00			`access_log /var/log/nginx/ips.log ips;`
Show domain in logs rather than upstream The upstream is always the same, and no use to us 2022-01-19 09:00:20 +00:00
Deploy headscale 2024-01-27 14:18:37 +00:00			`map $ssl_preread_server_name $gateway_destination {`
Add the basics of some edge caching 2024-02-21 21:42:16 +00:00			`default {{ wireguard.clients.ingress.ip }}:8443;`

			`headscale.jakehoward.tech 127.0.0.1:8888;`

			`{% for domain in cdn_domains %}`
			`{{ domain }} 127.0.0.1:8800;`
			`{% endfor %}`
Deploy headscale 2024-01-27 14:18:37 +00:00			`}`

Unify nginx configuration This creates a simple base configuration skeleton, that other configuration can be easily loaded into. 2023-12-16 17:47:04 +00:00			`server {`
			`listen 443;`
			`listen 8448;`
Allow only exposing services over Tailscale This works using public DNS, so doesn't need Tailscale's magic DNS to override my local. 2024-03-07 22:30:10 +00:00			`listen [::]:443;`
			`listen [::]:8448;`
Deploy headscale 2024-01-27 14:18:37 +00:00			`proxy_pass $gateway_destination;`
Unify nginx configuration This creates a simple base configuration skeleton, that other configuration can be easily loaded into. 2023-12-16 17:47:04 +00:00			`proxy_protocol on;`
Replace edge proxy with nginx The config makes more sense, and it has more of the features I need, which will come later. 2021-08-22 22:34:27 +01:00			`}`
Allow only exposing services over Tailscale This works using public DNS, so doesn't need Tailscale's magic DNS to override my local. 2024-03-07 22:30:10 +00:00
			`server {`
			`listen [{{ vps_hosts.private_ipv6_marker }}]:443;`
			`listen [{{ vps_hosts.private_ipv6_marker }}]:8448;`

			`access_log off;`

			`deny all;`

			`# This is never used, but need to keep nginx happy`
			`proxy_pass 127.0.0.1:80;`
			`}`