Commit a754d548 authored by Till Brehm's avatar Till Brehm

Merge branch 'master' into 'master'

improved nginx http to https redirect

"if" constructions in nginx should be used only if no other solution is possible, because "if" is the slowest directive and adds performance penalties (["If is Evil"](https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/)). This merge request is supposed to improve this issue and adds another "server" block instead of using "if" directive. This is a "standard" approach which is widely used in nginx configurations for http->https redirections. All other functionality and features of ISPConfig are preserved.

Closes #2209 (redirection without "if" directive)
Closes #3118 (the "split" is achieved using "server" blocks without "if" directive)

See merge request !578
parents 05fe4041 090ce085
<tmpl_if name='ssl_enabled'>
<tmpl_if name='rewrite_to_https' op='==' value='y'>
server {
listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_enabled'>
listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>
server_name <tmpl_var name='domain'> <tmpl_var name='alias'>;
access_log off;
rewrite ^ https://$http_host$request_uri? permanent;
}
</tmpl_if>
</tmpl_if>
server {
<tmpl_unless name='ssl_enabled'>
listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_enabled'>
listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>
</tmpl_if>
<tmpl_if name='ssl_enabled'>
<tmpl_if name='rewrite_to_https' op='!=' value='y'>
listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_enabled'>
listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>
</tmpl_if>
listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
......@@ -35,13 +57,6 @@ server {
rewrite ^<tmpl_var name='local_redirect_exclude'>(.*)$ <tmpl_var name='local_redirect_target'>$2 <tmpl_var name='local_redirect_type'>;
}
</tmpl_loop>
<tmpl_if name='ssl_enabled'>
<tmpl_if name='rewrite_to_https' op='==' value='y'>
if ($scheme != "https") {
rewrite ^ https://$http_host$request_uri? permanent;
}
</tmpl_if>
</tmpl_if>
<tmpl_loop name="own_redirects">
<tmpl_if name='use_rewrite'>
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment