infralab/ansible/roles/jenkins/templates/nginx-jenkins-https.conf.j2

# HTTP → HTTPS редирект
server {
  listen 80;
  listen [::]:80;
  server_name {{ nginx_server_name }};

  # ACME challenge (если включен LE)
  location ^~ /.well-known/acme-challenge/ {
    root /var/www/jenkins;
  }

  location / {
    return 301 https://$host$request_uri;
  }
}

# HTTPS ↔ Jenkins (reverse proxy)
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name {{ nginx_server_name }};

  {% if tls_mode == 'letsencrypt' %}
  ssl_certificate     /etc/letsencrypt/live/{{ nginx_server_name }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{{ nginx_server_name }}/privkey.pem;
  {% else %}
  ssl_certificate     {{ tls_cert_path }};
  ssl_certificate_key {{ tls_key_path }};
  {% endif %}

  # Базовая TLS-настройка
  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;

  # (Опционально) HSTS — включай, если домен всегда по HTTPS
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  # Размер артефактов, long-running шаги
  client_max_body_size {{ client_max_body_size }};
  proxy_read_timeout   3600s;
  proxy_send_timeout   3600s;

  # Проксирование в Jenkins-контейнер
  location / {
    proxy_pass         {{ jenkins_backend }};
    proxy_http_version 1.1;

    # WebSocket/HTTP/1.1
    proxy_set_header   Upgrade $http_upgrade;
    proxy_set_header   Connection $connection_upgrade;

    # Проброс хостов/протоколов/адресов
    proxy_set_header   Host              $host;
    proxy_set_header   X-Real-IP         $remote_addr;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto https;
    proxy_set_header   X-Forwarded-Port  443;

    # Убираем буферизацию, Jenkins любит стримить логи билда
    proxy_buffering    off;
  }

  # Вспомогательное: корректная переменная для upgrade
  map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
  }

  access_log /var/log/nginx/jenkins.access.log;
  error_log  /var/log/nginx/jenkins.error.log;
}