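# Helper: translate the client's Upgrade header into the Connection header we
# forward to Jenkins (WebSocket / HTTP/1.1 upgrade for agents and the build-log
# stream). `map` is only valid in the `http` context, so it must live at the top
# level of this file (conf.d / sites-enabled are included from `http {}`) —
# nginx refuses to start with "map directive is not allowed here" when it sits
# inside `server {}`.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# HTTP -> HTTPS redirect
server {
    listen 80;
    listen [::]:80;
    server_name {{ nginx_server_name }};

    # ACME HTTP-01 challenge (used when Let's Encrypt is enabled). It must be
    # answered over plain HTTP and must not be caught by the redirect below,
    # hence the `^~` prefix match which wins over the `/` location.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/jenkins;
    }

    # Everything else goes to HTTPS, preserving host and path.
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS <-> Jenkins (reverse proxy)
server {
    # NOTE: `http2` as a listen parameter is deprecated since nginx 1.25.1 in
    # favour of a separate `http2 on;` directive; kept here for compatibility
    # with older distro packages.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name {{ nginx_server_name }};

{% if tls_mode == 'letsencrypt' %}
    ssl_certificate     /etc/letsencrypt/live/{{ nginx_server_name }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ nginx_server_name }}/privkey.pem;
{% else %}
    ssl_certificate     {{ tls_cert_path }};
    ssl_certificate_key {{ tls_key_path }};
{% endif %}

    # Baseline TLS settings (Mozilla "intermediate" profile: TLS 1.2+, PFS only).
    ssl_session_timeout 1d;
    ssl_session_cache   shared:MozSSL:10m;
    # Session tickets are disabled: without rotating the ticket key they weaken
    # forward secrecy across worker restarts.
    ssl_session_tickets off;
    ssl_protocols       TLSv1.2 TLSv1.3;
    # Restrict TLS 1.2 to ECDHE + AEAD suites. `ssl_prefer_server_ciphers off`
    # lets the client pick, which is only safe when the server-side list itself
    # contains nothing weak. (DHE suites are omitted: nginx does not use them
    # unless `ssl_dhparam` is configured.) TLS 1.3 suites are not affected.
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # HSTS: one year, subdomains included. On by default (hsts_enabled: true);
    # set hsts_enabled: false in the playbook only if some subdomain still has
    # to be reachable over plain HTTP — browsers cache this policy for the full
    # max-age, so it cannot be quickly undone.
{% if hsts_enabled | default(true) %}
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
{% endif %}

    # Large artifact/plugin uploads and long-running build steps.
    client_max_body_size {{ client_max_body_size }};
    proxy_read_timeout   3600s;
    proxy_send_timeout   3600s;

    # Proxy to the Jenkins container.
    location / {
        proxy_pass         {{ jenkins_backend }};
        proxy_http_version 1.1;

        # WebSocket / HTTP/1.1 upgrade (value comes from the `map` above).
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Forward host / client address / scheme so Jenkins builds correct
        # absolute URLs and logs the real client IP.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port  443;

        # No response buffering: Jenkins streams build logs incrementally.
        proxy_buffering off;
        # No request buffering either: the Jenkins CLI over HTTP and large
        # uploads need the body streamed straight through to the backend.
        proxy_request_buffering off;
    }

    access_log /var/log/nginx/jenkins.access.log;
    error_log  /var/log/nginx/jenkins.error.log;
}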