{{- $vhost := ds "vhost" }} {{- $defauls := data.YAML "{hostnames: [localhost], proxy_ssl_protocols: TLSv1.2 TLSv1.3, proxy_hide_header: [X-Amz-*]}" -}} {{- range $vhost }} {{- $this := coll.Merge . $defauls }} {{- $upstream_host := index ($this.upstream | strings.Split ":") 0 }} {{- $access_key_id := index $this "access_key_id" }} {{- $secret_access_key := index $this "secret_access_key" -}} upstream backend_s3_{{ $this.bucket }} { server {{ $this.upstream }}; } server { listen 8080; server_name {{ conv.Join $this.hostnames " " }}; location / { {{ if and $access_key_id $secret_access_key -}} set_by_lua $now "return ngx.http_time(ngx.time())"; set $string_to_sign "GET\n\n\n${now}\n/{{ $this.bucket }}/${repo}$request_path"; set_hmac_sha1 $aws_signature "{{ $this.secret_access_key }}" "$string_to_sign"; set_encode_base64 $aws_signature "$aws_signature"; proxy_set_header Date "$now"; proxy_set_header Authorization "AWS {{ $this.access_key_id }}:$aws_signature"; {{ end -}} proxy_pass https://backend_s3_{{ $this.bucket }}/{{ $this.bucket }}/${repo}$uri; proxy_ssl_name {{ $upstream_host }}; proxy_ssl_server_name on; proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; proxy_ssl_protocols {{ $this.proxy_ssl_protocols }}; proxy_http_version 1.1; proxy_buffering off; proxy_connect_timeout 300; proxy_intercept_errors on; port_in_redirect off; proxy_set_header Host "{{ $upstream_host }}"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; {{ range $this.proxy_hide_header }} more_clear_headers {{ . }}; {{- end }} proxy_ignore_headers Set-Cookie; rewrite ^([^.]*[^/])$ $1/ permanent; rewrite ^(.*)/$ $1/index.html break; rewrite ^(.*/[^./]+)$ $1/index.html break; } } {{- end -}}