justin/new-site
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
new-site/infra/ansible/roles/nginx/templates/pw-minio-tls.conf.j2
justin f8cd37ac8c Initial commit — Performance West telecom compliance platform 
Includes: API (Express/TypeScript), Astro site, Python workers,
document generators, FCC compliance tools, Canada CRTC formation,
Ansible infrastructure, and deployment scripts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-27 06:54:22 -05:00

97 lines
3 KiB
Django/Jinja
Raw Blame History

{{ ansible_managed }}
# MinIO S3 API — minio.performancewest.net
# ACCESS RESTRICTED: only the Windows DocServer VM ({{ docserver_ip }}) and localhost.
# Docker containers reach MinIO via the internal Docker network (minio:9000),
# not through this nginx vhost. This endpoint is for external clients only.
server {
listen 443 ssl;
http2 on;
server_name {{ minio_domain }};
ssl_certificate /etc/letsencrypt/live/{{ minio_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ minio_domain }}/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# IP allowlist — only the Windows DocServer VM and localhost
allow 127.0.0.1;
allow ::1;
allow {{ docserver_ip }};
deny all;
# Large body for document uploads
client_max_body_size 100m;
# Disable buffering for S3 streaming
proxy_buffering off;
proxy_request_buffering off;
location / {
proxy_pass http://127.0.0.1:{{ minio_port }};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 300s;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
}
location /.well-known/acme-challenge/ {
root {{ certbot_webroot }};
}
}
# MinIO Console — minio-console.performancewest.net
# Same IP restriction: admin console is never public.
server {
listen 443 ssl;
http2 on;
server_name {{ minio_console_domain }};
ssl_certificate /etc/letsencrypt/live/{{ minio_console_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ minio_console_domain }}/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# IP allowlist
allow 127.0.0.1;
allow ::1;
allow {{ docserver_ip }};
deny all;
proxy_http_version 1.1;
location / {
proxy_pass http://127.0.0.1:{{ minio_console_port }};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /.well-known/acme-challenge/ {
root {{ certbot_webroot }};
}
}
server {
listen 80;
server_name {{ minio_domain }} {{ minio_console_domain }};
location /.well-known/acme-challenge/ { root {{ certbot_webroot }}; }
location / { return 301 https://$host$request_uri; }
}
Reference in a new issue View git blame Copy permalink