server { listen 80; listen [::]:80; server_name {{ http_dns_prefix }}-api.{{ http_domain_external }} ; return 301 https://$http_host$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name {{ http_dns_prefix }}-api.{{ http_domain_external }} ; index index.html index.htm; ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem; ssl_prefer_server_ciphers on; include /etc/nginx/snippets/letsencrypt-acme-challenge.conf; location / { # allow defined addresses to access allow 127.0.0.0/8; allow ::1/128; {% for host in pdns_limit_api_access %} allow {{ host }}; {% endfor %} # drop rest of the world deny all; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://127.0.0.1:8081; proxy_read_timeout 90; proxy_redirect http://127.0.0.1:8081 https://{{ http_dns_prefix }}-api.{{ http_domain_external }}; } }