diff --git a/roles/archive_web/templates/nginx.d.conf.j2 b/roles/archive_web/templates/nginx.d.conf.j2
index 17e2beabc8e411e39dd41e0bcc25e482a12d898c..e1dda57f83ebabb53d263f0e67b04ed08beaa0d5 100644
--- a/roles/archive_web/templates/nginx.d.conf.j2
+++ b/roles/archive_web/templates/nginx.d.conf.j2
@@ -16,9 +16,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ archive_domain }};
 
     access_log   /var/log/nginx/{{ archive_domain }}/access.log reduced;
diff --git a/roles/archmanweb/templates/nginx.d.conf.j2 b/roles/archmanweb/templates/nginx.d.conf.j2
index 3c51fe125b053cc51ee0b48101e43dd4a838f9c0..b32e0c145119bd5edb124eaa650628397231c899 100644
--- a/roles/archmanweb/templates/nginx.d.conf.j2
+++ b/roles/archmanweb/templates/nginx.d.conf.j2
@@ -23,9 +23,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ archmanweb_domain }};
 
     access_log   /var/log/nginx/{{ archmanweb_domain }}/access.log reduced;
diff --git a/roles/archweb/templates/ipxe.archlinux.org.j2 b/roles/archweb/templates/ipxe.archlinux.org.j2
index dd6c6f374d165307ef596d2bc1549910bf6eabf2..956741ad0347173fe99e5a0921e0e18cac3d2533 100644
--- a/roles/archweb/templates/ipxe.archlinux.org.j2
+++ b/roles/archweb/templates/ipxe.archlinux.org.j2
@@ -16,9 +16,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ domain['domain_name'] }};
 
     access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
diff --git a/roles/archweb/templates/maintenance-nginx.d.conf.j2 b/roles/archweb/templates/maintenance-nginx.d.conf.j2
index e9f743772ac7276aa3b98853594f23d32c25e1e6..332fb120971c4eecba9f88377a8e40b3aab95089 100644
--- a/roles/archweb/templates/maintenance-nginx.d.conf.j2
+++ b/roles/archweb/templates/maintenance-nginx.d.conf.j2
@@ -21,9 +21,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ domain }};
 
     access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@@ -60,9 +58,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ domain }};
 
     access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@@ -98,9 +94,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ service_domain }};
 
     access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
diff --git a/roles/archweb/templates/nginx.d.conf.j2 b/roles/archweb/templates/nginx.d.conf.j2
index 186befa292592a4ae0d96ce462b63a49951608e9..284da1c4d2af597fb8a7f55140404b843ba581f8 100644
--- a/roles/archweb/templates/nginx.d.conf.j2
+++ b/roles/archweb/templates/nginx.d.conf.j2
@@ -54,9 +54,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ domain['domain'] }};
 
     access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
@@ -102,9 +100,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ archweb_domain }};
 
     access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
diff --git a/roles/archwiki/templates/nginx.d.conf.j2 b/roles/archwiki/templates/nginx.d.conf.j2
index 0be7fe3187b7254fdeb86c4466cec916dad46900..a886a16d9d0acbbbbb1e87186d4acb3b221e7985 100644
--- a/roles/archwiki/templates/nginx.d.conf.j2
+++ b/roles/archwiki/templates/nginx.d.conf.j2
@@ -59,9 +59,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ archwiki_domain }};
 
     access_log   /var/log/nginx/{{ archwiki_domain }}/access.log reduced;
diff --git a/roles/aurweb/templates/nginx.d.conf.j2 b/roles/aurweb/templates/nginx.d.conf.j2
index a594ef98c7e84e8e84ded8fafa3f3390589f80fe..cb8837584189ea8d9758cd1852570cea829d99ae 100644
--- a/roles/aurweb/templates/nginx.d.conf.j2
+++ b/roles/aurweb/templates/nginx.d.conf.j2
@@ -35,9 +35,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ aurweb_domain }};
 
     access_log   /var/log/nginx/{{ aurweb_domain }}/access.log main;
diff --git a/roles/dbscripts/templates/nginx.d.conf.j2 b/roles/dbscripts/templates/nginx.d.conf.j2
index 2943dcc82d224f4da4f9c79df96f2fe64366456d..86e349c02c88b40fb376957c9a91e60378af0c68 100644
--- a/roles/dbscripts/templates/nginx.d.conf.j2
+++ b/roles/dbscripts/templates/nginx.d.conf.j2
@@ -3,9 +3,7 @@ proxy_cache_path  /var/lib/nginx/cache levels=1:2 keys_zone=auth_cache:5m inacti
 server {
     listen       80;
     listen       [::]:80;
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ repos_domain }} {{repos_rsync_domain}};
     root         /srv/ftp;
 
diff --git a/roles/debuginfod/templates/nginx.d.conf.j2 b/roles/debuginfod/templates/nginx.d.conf.j2
index b9396f0867cb575cc95bb918c500cb128bcf3941..b5d7bb68dec4ee63bf3d5c4173485d681f785895 100644
--- a/roles/debuginfod/templates/nginx.d.conf.j2
+++ b/roles/debuginfod/templates/nginx.d.conf.j2
@@ -16,9 +16,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ debuginfod_domain }};
 
     access_log   /var/log/nginx/{{ debuginfod_domain }}/access.log reduced;
diff --git a/roles/fluxbb/templates/nginx.conf.j2 b/roles/fluxbb/templates/nginx.conf.j2
index 563cfb13e5c4dc0bd973bc5f375ec276bf804400..5701ef712dfcee6f8cb8b1f5362f0fcde07ffa51 100644
--- a/roles/fluxbb/templates/nginx.conf.j2
+++ b/roles/fluxbb/templates/nginx.conf.j2
@@ -23,9 +23,7 @@ limit_req_zone $binary_remote_addr zone=bbslimit:10m rate=10r/s;
 limit_req_status 429;
 
 server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    http2  on;
+    include snippets/listen-443.conf;
     server_name {{ fluxbb_domain }};
     root {{ fluxbb_dir }};
     index index.php;
diff --git a/roles/grafana/templates/nginx.d.conf.j2 b/roles/grafana/templates/nginx.d.conf.j2
index 7a8583a0f27d0a2dabed37abbef5e7485aeb5ac1..288e9290f3cb14e483bb8dde988b13ede77b6e27 100644
--- a/roles/grafana/templates/nginx.d.conf.j2
+++ b/roles/grafana/templates/nginx.d.conf.j2
@@ -25,9 +25,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ grafana_domain }};
 
     access_log   /var/log/nginx/{{ grafana_domain }}/access.log main;
diff --git a/roles/hedgedoc/templates/nginx.d.conf.j2 b/roles/hedgedoc/templates/nginx.d.conf.j2
index d1257ce2a06ae1f20691714eb14f3c9b2698dddf..7c97d697419403225b214f32dfe26b562e21d03d 100644
--- a/roles/hedgedoc/templates/nginx.d.conf.j2
+++ b/roles/hedgedoc/templates/nginx.d.conf.j2
@@ -24,9 +24,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ hedgedoc_domain }};
 
     access_log   /var/log/nginx/{{ hedgedoc_domain }}/access.log main;
diff --git a/roles/keycloak/templates/nginx.d.conf.j2 b/roles/keycloak/templates/nginx.d.conf.j2
index 622e396c302004f581b7bfa4d3dd88f33823ff5a..d0e637be3da7633eac4d1080216727d443a81833 100644
--- a/roles/keycloak/templates/nginx.d.conf.j2
+++ b/roles/keycloak/templates/nginx.d.conf.j2
@@ -16,9 +16,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ keycloak_domain }};
 
     access_log   /var/log/nginx/{{ keycloak_domain }}/access.log reduced;
diff --git a/roles/mailman/templates/nginx.d.conf.j2 b/roles/mailman/templates/nginx.d.conf.j2
index eceb66e002ae67e2c7864f5299e1aab942ef14a4..e9b3016cf64c2d4be61ed32140594d3962df7e58 100644
--- a/roles/mailman/templates/nginx.d.conf.j2
+++ b/roles/mailman/templates/nginx.d.conf.j2
@@ -35,9 +35,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ lists_domain }};
 
     access_log   /var/log/nginx/{{ lists_domain }}/access.log main;
diff --git a/roles/maintenance/templates/nginx-maintenance.conf.j2 b/roles/maintenance/templates/nginx-maintenance.conf.j2
index 2493c1b78c2c3b9d177d36e23d6137ae6b2da86d..b4ab855180e9feea80ba9f187bd4f8deb688b106 100644
--- a/roles/maintenance/templates/nginx-maintenance.conf.j2
+++ b/roles/maintenance/templates/nginx-maintenance.conf.j2
@@ -17,9 +17,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ domain }};
 
     access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@@ -56,9 +54,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ domain }};
 
     access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
@@ -94,9 +90,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ service_domain }};
 
     access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
diff --git a/roles/matrix/templates/nginx.d.conf.j2 b/roles/matrix/templates/nginx.d.conf.j2
index 85fdc500f40a4f48dfefc05a57a557e8affca11f..d2dc9ac556f1cff68f1b401d040fd0caa8fc531d 100644
--- a/roles/matrix/templates/nginx.d.conf.j2
+++ b/roles/matrix/templates/nginx.d.conf.j2
@@ -22,9 +22,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ matrix_domain }};
 
     access_log   /var/log/nginx/{{ matrix_domain }}/access.log reduced;
diff --git a/roles/mirrorsync/templates/nginx.d.conf.j2 b/roles/mirrorsync/templates/nginx.d.conf.j2
index 4eb9cd844612f9fc117f0bd73264937b5d019298..26bd998948b50c81ca87599339219a0ec64b2740 100644
--- a/roles/mirrorsync/templates/nginx.d.conf.j2
+++ b/roles/mirrorsync/templates/nginx.d.conf.j2
@@ -1,9 +1,7 @@
 server {
     listen       80;
     listen       [::]:80;
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ item.value.mirror_domain }};
     root         {{ item.value.target }};
 
diff --git a/roles/mta_sts/templates/nginx.d.conf.j2 b/roles/mta_sts/templates/nginx.d.conf.j2
index abdced5403433f8cc54c83827c82f3db3573f6c0..992e529a8d53803d9a71aa919314ec0d6e511f87 100644
--- a/roles/mta_sts/templates/nginx.d.conf.j2
+++ b/roles/mta_sts/templates/nginx.d.conf.j2
@@ -18,9 +18,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  mta-sts.{{ config.domains | join(' mta-sts.') }};
 
     access_log   /var/log/nginx/{{ domain }}/access.log reduced;
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 19c93170904d037bfed234b948aed519d90bea85..abc8e3ba7179f2ee1b27bea8bb80d6f1e35d1b04 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -1,3 +1,4 @@
 letsencrypt_validation_dir: "/var/lib/letsencrypt"
 nginx_firewall_zone:
 nginx_extra_modules: []
+nginx_enable_http3: false
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 1129b280c9319ffaebe38f6529c5853fd7f125f6..5c0420f86e4cc17a2e55843907641d2902c7b21c 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -19,11 +19,12 @@
     - snippets
 
 - name: Copy snippets
-  template: src={{ item }} dest=/etc/nginx/snippets owner=root group=root mode=0644
+  template: src={{ item }} dest=/etc/nginx/snippets/{{ item | regex_replace('\\.j2$', '') }} owner=root group=root mode=0644
   with_items:
     - letsencrypt.conf
     - sslsettings.conf
     - headers.conf
+    - listen-443.conf.j2
   notify:
     - Reload nginx
 
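Review bot: The `regex_replace` in `dest` is needed only because the `with_items` list now mixes `.j2` names with bare ones, while `headers.conf` and `sslsettings.conf` gain Jinja blocks in this same commit and keep their bare names. Giving all templated snippets the `.j2` suffix, or dropping it from `listen-443.conf.j2` so `dest` can stay the plain directory, would keep the list uniform and make it clear which sources are rendered. This is a naming point only; the rendered paths of the three existing snippets do not change.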
@@ -66,6 +67,7 @@
   with_items:
     - http
     - https
+    - "{{ 'http3' if nginx_enable_http3 else omit }}"
   when: configure_firewall
   tags:
     - firewall
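Review bot: The `omit` in the new `with_items` entry does not drop the element when `nginx_enable_http3` is false. Ansible honours `omit` only as a module argument value, so the loop still runs a third time with the omit placeholder as `item`. The task body sits above this hunk, so the exact effect is not visible, but the firewall module would be called either with a meaningless service name or with its service argument removed. Building the list conditionally avoids the extra iteration: `with_items: "{{ ['http', 'https'] + (['http3'] if nginx_enable_http3 else []) }}"`.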
diff --git a/roles/nginx/templates/headers.conf b/roles/nginx/templates/headers.conf
index d427430373b3ebda009fe5518b3cee417e34ae1b..9e3a1eff3b4d0b235ec17f4e3ef66ef51b83b530 100644
--- a/roles/nginx/templates/headers.conf
+++ b/roles/nginx/templates/headers.conf
@@ -1 +1,4 @@
 add_header Strict-Transport-Security $hsts_header always;
+{% if nginx_enable_http3 %}
+add_header Alt-Svc $alt_svc_header always;
+{% endif %}
diff --git a/roles/nginx/templates/listen-443.conf.j2 b/roles/nginx/templates/listen-443.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..2dd4cfdce63ce7f2c2d4ca91be9235b8c5f76694
--- /dev/null
+++ b/roles/nginx/templates/listen-443.conf.j2
@@ -0,0 +1,7 @@
+listen 443 ssl;
+listen [::]:443 ssl;
+{% if nginx_enable_http3 %}
+listen 443 quic;
+listen [::]:443 quic;
+{% endif %}
+http2  on;
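Review bot: The QUIC `listen` lines in this snippet carry no `reuseport` and depend on the default server in nginx-hostname-vhost.conf.j2 setting it for the same address and port, but the file does not say so. A comment at the top would record that, for example `{# reuseport for 443/udp is set once, on the default_server in nginx-hostname-vhost.conf.j2 #}`. HTTP/3 also requires TLS 1.3 to be enabled. The `ssl_protocols` setting is not part of this diff, so it is worth confirming before turning on `nginx_enable_http3`.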
diff --git a/roles/nginx/templates/nginx-hostname-vhost.conf.j2 b/roles/nginx/templates/nginx-hostname-vhost.conf.j2
index b34be7a88af4d83a06a17f7bbe66d9012ad0d240..e19d6d6342022a438f61ff8b068f663ec22d85cc 100644
--- a/roles/nginx/templates/nginx-hostname-vhost.conf.j2
+++ b/roles/nginx/templates/nginx-hostname-vhost.conf.j2
@@ -1,6 +1,14 @@
 server {
     listen       80 default_server;
     listen       [::]:80 default_server;
+    listen       443 default_server ssl;
+    listen       [::]:443 default_server ssl;
+{% if nginx_enable_http3 %}
+    listen       443 default_server quic reuseport;
+    listen       [::]:443 default_server quic reuseport;
+{% endif %}
+    http2        on;
+    ssl_reject_handshake on;
     root         /srv/http;
 
     include snippets/letsencrypt.conf;
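Review bot: `ssl_reject_handshake on;` changes what clients see on port 443 when the requested name matches no vhost or no SNI is sent, and nothing in the block explains why. A short comment above it would help, for example `# Refuse TLS for unknown names instead of presenting another vhost's certificate.` As far as the visible lines show, every handshake that lands on this server is rejected, so `http2 on;` has no effect here and could be dropped. The server block continues past the end of this hunk.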
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
index 29ba71416fae23b104ce8fb717a9387456a74c4d..2a075eebf293a837af43ef1ba9836e0523dabf46 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -27,12 +27,13 @@ http {
     log_format main
         '$remote_addr $host $remote_user [$time_local] "$request" '
         '$status $body_bytes_sent "$http_referer" '
-        '"$http_user_agent" "$http_x_forwarded_for" $request_time';
+        '"$http_user_agent" "$http_x_forwarded_for" $request_time'
+        '$server_protocol';
 
     log_format reduced
         '$host [$time_local] "$request" '
         '$status $body_bytes_sent "$http_referer" '
-        '"$http_user_agent"';
+        '"$http_user_agent" $server_protocol';
 
     log_format json_main escape=json
         '{'
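Review bot: The `main` format now fuses two fields. nginx concatenates adjacent quoted strings, and the added `'$server_protocol'` fragment has no leading space, so lines end in something like `0.003HTTP/2.0`. The `reduced` format just below includes the space. Change the added line to `' $server_protocol';` so that log parsers and alert rules that split on whitespace still read `$request_time` correctly.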
@@ -48,6 +49,7 @@ http {
         '"http_user_agent":"$http_user_agent",'
         '"http_x_forwarded_for":"$http_x_forwarded_for",'
         '"request_time":"$request_time",'
+        '"server_protocol":"$server_protocol",'
         # This was added to keep every log line unique as Loki drops
         # log line with the same timestamp and log text:
         # https://grafana.com/docs/loki/latest/overview/#timestamp-ordering
@@ -65,6 +67,7 @@ http {
         '"body_bytes_sent":"$body_bytes_sent",'
         '"http_referrer":"$http_referer",'
         '"http_user_agent":"$http_user_agent",'
+        '"server_protocol":"$server_protocol",'
         # This was added to keep every log line unique as Loki drops
         # log line with the same timestamp and log text:
         # https://grafana.com/docs/loki/latest/overview/#timestamp-ordering
diff --git a/roles/nginx/templates/sslsettings.conf b/roles/nginx/templates/sslsettings.conf
index 43d7f9382c2f6af3c3e81d6f7d4d6f689cceabc3..2f4352027a326b8303377054ec18a8b5280cad81 100644
--- a/roles/nginx/templates/sslsettings.conf
+++ b/roles/nginx/templates/sslsettings.conf
@@ -18,4 +18,17 @@ map $scheme $hsts_header {
     https   "max-age=31536000; includeSubdomains; preload";
 }
 
+{% if nginx_enable_http3 %}
+# Chrome, Firefox and curl only use the header from secure origins.
+# https://issues.chromium.org/issues/40471032
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1730935
+# https://everything.curl.dev/libcurl-http/alt-svc.html
+# See headers.conf for the Alt-Svc add_header line.
+map $scheme $alt_svc_header {
+    # Keep a low max-age for HTTP/3 while testing.
+    # Bump to 2592000 when we are done testing.
+    https   'h3=":443"; ma=3600';
+}
+
+{% endif %}
 resolver 127.0.0.53;
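Review bot: The `$alt_svc_header` map relies on an implicit empty default to suppress the header on plain HTTP, and that is not written down. Several vhosts in this commit serve port 80 and 443 from one server block, so this behaviour is what keeps them from advertising h3 over an insecure origin. The existing comment explains why the header must be limited to https but not how the map achieves it. I would add `# No default entry: an empty value makes add_header skip the header on http.` inside the map.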
diff --git a/roles/ping/templates/nginx.d.conf.j2 b/roles/ping/templates/nginx.d.conf.j2
index ea37574269ba60617c953c0997f5e3bcf8c524c3..d794023a9f7d5f07c0e043662d04ae31bbd33c70 100644
--- a/roles/ping/templates/nginx.d.conf.j2
+++ b/roles/ping/templates/nginx.d.conf.j2
@@ -2,9 +2,7 @@ server {
     # We don't redirect to HTTPS because a redirect is considered a captive portal.
     listen       80;
     listen       [::]:80;
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ ping_domain }};
 
     access_log   /var/log/nginx/{{ ping_domain }}/access.log reduced;
diff --git a/roles/public_html/templates/nginx.d.conf.j2 b/roles/public_html/templates/nginx.d.conf.j2
index 619ad61e357c04623cd1fee306f3c2171383164d..d795444f26ae9e0c828ee774a0642f28fac21797 100644
--- a/roles/public_html/templates/nginx.d.conf.j2
+++ b/roles/public_html/templates/nginx.d.conf.j2
@@ -17,9 +17,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ public_domain }} www.{{ public_domain }};
     root         /srv/public_html;
 
diff --git a/roles/rebuilderd/templates/nginx.d.conf.j2 b/roles/rebuilderd/templates/nginx.d.conf.j2
index bd4cc6c5a15f1e21b8d6bf1244cbb1b83fed283c..a743e78f2101fb397c970e9fa20dbe287b9d8e0c 100644
--- a/roles/rebuilderd/templates/nginx.d.conf.j2
+++ b/roles/rebuilderd/templates/nginx.d.conf.j2
@@ -16,9 +16,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ rebuilderd_domain }};
 
     access_log   /var/log/nginx/{{ rebuilderd_domain }}/access.log reduced;
diff --git a/roles/redirects/templates/nginx.d.conf.j2 b/roles/redirects/templates/nginx.d.conf.j2
index 99bd9db9dbd1cb782914cb85e7d3379d338ad0a4..8e4cf884987406ed461a8420dc4d1442dd53b27a 100644
--- a/roles/redirects/templates/nginx.d.conf.j2
+++ b/roles/redirects/templates/nginx.d.conf.j2
@@ -9,9 +9,7 @@ map $uri ${{ redirect.map | hash('md5') }} {
 server {
     listen       80;
     listen       [::]:80;
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ redirect.domain }};
 
     access_log   /var/log/nginx/{{ redirect.domain }}/access.log reduced;
diff --git a/roles/repo_archive_split_temp/templates/nginx.d.conf.j2 b/roles/repo_archive_split_temp/templates/nginx.d.conf.j2
index 0418761bae093ed9fef7573be7c9e82aa89f7ac3..5b8114b7da569b229aac1c82663a961bd4652436 100644
--- a/roles/repo_archive_split_temp/templates/nginx.d.conf.j2
+++ b/roles/repo_archive_split_temp/templates/nginx.d.conf.j2
@@ -1,9 +1,7 @@
 server {
     listen       80;
     listen       [::]:80;
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ repos_rsync_domain }};
     root         /srv/ftp;
 
diff --git a/roles/security_tracker/templates/nginx.d.conf.j2 b/roles/security_tracker/templates/nginx.d.conf.j2
index d96a29a245a0723112b2ae7444647db1e2efcf80..6eeddfdb8b937eb79e53b2ad638c493226e802c3 100644
--- a/roles/security_tracker/templates/nginx.d.conf.j2
+++ b/roles/security_tracker/templates/nginx.d.conf.j2
@@ -29,9 +29,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ security_tracker_domain }};
 
     access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log reduced;
diff --git a/roles/sources/templates/nginx.d.conf.j2 b/roles/sources/templates/nginx.d.conf.j2
index 4420e20792ceee3d5183db59f3be73586a8cd9ed..3c7cdc6f530f1570b579ea542435354e0fafbc3c 100644
--- a/roles/sources/templates/nginx.d.conf.j2
+++ b/roles/sources/templates/nginx.d.conf.j2
@@ -16,9 +16,7 @@ server {
 }
 
 server {
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ sources_domain }};
 
     access_log   /var/log/nginx/{{ sources_domain }}/access.log reduced;
diff --git a/roles/syncrepo/templates/nginx.d.conf.j2 b/roles/syncrepo/templates/nginx.d.conf.j2
index c5743639e531a6341ce45b8f06a291d46b6e9137..d164c1f594aceeb306aa646a39c9b0bfa143e881 100644
--- a/roles/syncrepo/templates/nginx.d.conf.j2
+++ b/roles/syncrepo/templates/nginx.d.conf.j2
@@ -2,9 +2,7 @@
 server {
     listen       80;
     listen       [::]:80;
-    listen       443 ssl;
-    listen       [::]:443 ssl;
-    http2        on;
+    include      snippets/listen-443.conf;
     server_name  {{ domain }};
     root         /srv/ftp;