
Commit a754d54

author
Till Brehm
committed
Merge branch 'master' into 'master'
improved nginx http to https redirect "if" constructions in nginx should be used only if no other solution is possible, because "if" is the slowest directive and adds performance penalties (["If is Evil"](https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/)). This merge request is supposed to improve this issue and adds another "server" block instead of using "if" directive. This is a "standard" approach which is widely used in nginx configurations for http->https redirections. All other functionality and features of ISPConfig are preserved. Closes #2209 (redirection without "if" directive) Closes #3118 (the "split" is achieved using "server" blocks without "if" directive) See merge request !578
2 parents 05fe404 + 090ce08 commit a754d54


1 file changed

+22
-7
lines changed


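--- a/server/conf/nginx_vhost.conf.master
+++ b/server/conf/nginx_vhost.conf.master
@@ -1,10 +1,32 @@
+<tmpl_if name='ssl_enabled'>
+<tmpl_if name='rewrite_to_https' op='==' value='y'>
+server {
+listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
+<tmpl_if name='ipv6_enabled'>
+listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
+</tmpl_if>
+server_name <tmpl_var name='domain'> <tmpl_var name='alias'>;
+access_log off;
+rewrite ^ https://$http_host$request_uri? permanent;
+}
+</tmpl_if>
+</tmpl_if>
+
 server {
+<tmpl_unless name='ssl_enabled'>
 listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
 <tmpl_if name='ipv6_enabled'>
 listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
 </tmpl_if>
+</tmpl_if>
 
 <tmpl_if name='ssl_enabled'>
+<tmpl_if name='rewrite_to_https' op='!=' value='y'>
+listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
+<tmpl_if name='ipv6_enabled'>
+listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
+</tmpl_if>
+</tmpl_if>
 listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 # ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
@@ -35,13 +57,6 @@ server {
 rewrite ^<tmpl_var name='local_redirect_exclude'>(.*)$ <tmpl_var name='local_redirect_target'>$2 <tmpl_var name='local_redirect_type'>;
 }
 </tmpl_loop>
-<tmpl_if name='ssl_enabled'>
-<tmpl_if name='rewrite_to_https' op='==' value='y'>
-if ($scheme != "https") {
-rewrite ^ https://$http_host$request_uri? permanent;
-}
-</tmpl_if>
-</tmpl_if>
 
 <tmpl_loop name="own_redirects">
 <tmpl_if name='use_rewrite'>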
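Review bot: The new redirect-only `server` block (new lines 3–11) builds the redirect target from `$http_host`, the raw client-supplied Host header including any port, and also sets `access_log off;`, so plaintext requests and the Host value they carried are no longer recorded. If this block ever becomes the default server for its listen address (inferred; that depends on the other vhosts sharing the address), an arbitrary Host value would be reflected into the `Location` header. I would use `return 301 https://$host$request_uri;`, which drops the port and normalises the name, and keep logging enabled for this block. Separately, `<tmpl_unless name='ssl_enabled'>` at new line 16 is closed by `</tmpl_if>` at new line 21; unless the template engine treats the two closing tags as interchangeable, it should be `</tmpl_unless>`.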
