nginx.conf.tmpl

pid /dev/null;

include /etc/nginx/modules/*.conf;

events { }

env NS_IP;
env NS_PORT;

http {
    error_log /dev/stderr debug;
    access_log /dev/stdout;
    server_tokens off;

    map $http_upgrade $connection_upgrade {
      default upgrade;
      '' close;
    }

    server {
        listen {{ getenv "NOMAD_PORT_https" }} ssl;
        server_name {{ getenv "SERVER_NAME" }};
        ssl_certificate /etc/nginx/certificate.cert;
        ssl_certificate_key /etc/nginx/certificate.key;

        set $target '';
        set $service "{{ getenv "BACKEND_SERVICE" }}";
        set_by_lua_block $ns_ip { return os.getenv("NS_IP") or "127.0.0.1" }
        set_by_lua_block $ns_port { return os.getenv("NS_PORT") or 53 }
        access_by_lua_file /etc/nginx/service_router.lua;

        error_page 403 /custom_403.html;

        location /custom_403.html {
          root /var/lib/nginx/html;
          internal;
        }

        location / {
            auth_request /authelia;
            proxy_pass {{ getenv "BACKEND_SERVICE_SCHEME" }}://$target;
            auth_request_set $target_url $scheme://$http_host$request_uri;
            auth_request_set $user $upstream_http_remote_user;
            auth_request_set $groups $upstream_http_remote_groups;
            auth_request_set $name $upstream_http_remote_name;
            auth_request_set $email $upstream_http_remote_email;
            proxy_set_header Remote-User $user;
            proxy_set_header Remote-Groups $groups;
            proxy_set_header Remote-Name $name;
            proxy_set_header Remote-Email $email;
            error_page 401 =302 {{ getenv "AUTHELIA_URL" }}/?rd=$target_url;

            client_body_buffer_size 128k;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
            send_timeout 5m;
            proxy_read_timeout 360;
            proxy_send_timeout 360;
            proxy_connect_timeout 360;

            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
            proxy_set_header X-Forwarded-Uri $request_uri;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            proxy_redirect  http://  $scheme://;
            proxy_http_version 1.1;
            proxy_cache_bypass $cookie_session;
            proxy_no_cache $cookie_session;
            proxy_buffers 64 256k;

            set_real_ip_from 10.0.0.0/8;
            set_real_ip_from 172.16.0.0/12;
            set_real_ip_from 192.168.0.0/16;
            set_real_ip_from fc00::/7;
            real_ip_header X-Forwarded-For;
            real_ip_recursive on;
        }

        location = /authelia {
            internal;
            proxy_pass_request_body off;
            proxy_pass {{ getenv "AUTHELIA_URL" }}/api/verify;
            proxy_set_header Content-Length "";
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

            client_body_buffer_size 128k;
            proxy_set_header Host $host;
            proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Method $request_method;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
            proxy_set_header X-Forwarded-Uri $request_uri;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_redirect  http://  $scheme://;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_cache_bypass $cookie_session;
            proxy_no_cache $cookie_session;
            proxy_buffers 4 32k;

            send_timeout 5m;
            proxy_read_timeout 240;
            proxy_send_timeout 240;
            proxy_connect_timeout 240;
        }
    }
}