ansible-role-syncthing/templates/syncthing-disco.conf.j2

upstream {{syncthing_disco_domain}} {
    # Local IP address:port for discovery server
    #server 192.0.2.1:8443;
    server 127.0.0.1:{{syncthing_disco_http_port|default('8443')}};
}

server {
    listen 80;
    listen [::]:80;
    server_name {{syncthing_disco_domain}};
    include /etc/nginx/snippets/acme-challenge.conf;
    # The "location" condition is to not do a redirect for ACME challenge
    location ^~ {
        rewrite ^ https://$http_host$request_uri? permanent;
    }
}

server {
    listen              443 ssl http2;
    listen              [::]:443 ssl http2;
    server_name         {{syncthing_disco_domain}};
    ssl_certificate     /etc/dehydrated/certs/{{syncthing_disco_cert_domain}}/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/{{syncthing_disco_cert_domain}}/privkey.pem;
    include /etc/nginx/snippets/tls.conf;

    access_log      /var/log/nginx/{{syncthing_disco_domain}}.access.log timed_combined;
    error_log       /var/log/nginx/{{syncthing_disco_domain}}.error.log;

    include /etc/nginx/snippets/acme-challenge.conf;

    include /etc/nginx/snippets/content-headers.conf;
    include /etc/nginx/snippets/spam.conf;

    # See https://docs.syncthing.net/users/stdiscosrv.html
    #proxy_set_header Connection $connection_upgrade;
    #proxy_set_header Connection $proxy_connection;
    #proxy_set_header Host $http_host;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
    #proxy_set_header X-Forwarded-Proto $scheme;

    ssl_verify_client optional_no_ca;

    #location /v2 {
    location / {
        proxy_pass http://{{syncthing_disco_domain}};
        # HTTP 1.1 support
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-SSL-Cert $ssl_client_cert;
        client_max_body_size    0;
        proxy_connect_timeout   36000s;
        proxy_read_timeout      36000s;
        proxy_send_timeout      36000s;
        send_timeout            36000s;
    }
}