add https to nginx config

bench/config.py

@@ -31,10 +31,16 @@ def get_site_config(site, bench='.'):
 
 def get_sites_with_config(bench='.'):
 	sites = get_sites()
-	return [{
-		"name": site, 
-		"port": get_site_config(site, bench=bench).get('nginx_port')
-	} for site in sites]
+	ret = []
+	for site in sites:
+		site_config = get_site_config(site, bench=bench)
+		ret.append({
+			"name": site,
+			"port": site_config.get('nginx_port'),
+			"ssl_certificate": site_config.get('ssl_certificate'),
+			"ssl_certificate_key": site_config.get('ssl_certificate_key')
+		})
+	return ret
 
 def generate_nginx_config(bench='.'):
 	template = env.get_template('nginx.conf')

bench/templates/nginx.conf

@@ -5,15 +5,7 @@ upstream frappe {
     server 127.0.0.1:8000 fail_timeout=0;
 }
 
-{% macro server_block(site, port=80, default=False, server_name=None, sites=None, dns_multitenant=False) -%}
-	server {
-		listen {{ site.port if not default and site.port else port }} {% if default %} default {% endif %};
-		client_max_body_size 4G;
-		{% if dns_multitenant and sites %}
-			server_name {% for site in sites %} {{ site.name }} {% endfor %};
-		{% else %}
-			server_name {{ site.name if not server_name else server_name }};
-		{% endif %}
+{% macro location_block(site, port=80, default=False, server_name=None, sites=None, dns_multitenant=False) -%}
 		keepalive_timeout 5;
 		sendfile on;
 		root {{ sites_dir }};
@@ -43,21 +35,58 @@ upstream frappe {
 			proxy_redirect off;
 			proxy_pass  http://frappe;
 		}
+{%- endmacro %}
+
+{% macro server_name_block(site, default=False, server_name=None, sites=None, dns_multitenant=False) -%}
+		client_max_body_size 4G;
+		{% if dns_multitenant and sites %}
+			server_name {% for site in sites %} {{ site.name }} {% endfor %};
+		{% else %}
+			server_name {{ site.name if not server_name else server_name }};
+		{% endif %}
+{%- endmacro %}
+
+{% macro server_block_http(site, port=80, default=False, server_name=None, sites=None, dns_multitenant=False) -%}
+	server {
+		listen {{ site.port if not default and site.port else port }} {% if default %} default {% endif %};
+		{{ server_name_block(site, default=default, server_name=server_name, sites=sites, dns_multitenant=dns_multitenant) }}
+		{{ location_block(site, port=port, default=default, server_name=server_name, sites=sites, dns_multitenant=dns_multitenant) }}
+	}
+{%- endmacro %}
+
+{% macro server_block_https(site, port=443, default=False, server_name=None, sites=None, dns_multitenant=False) -%}
+	server {
+		listen {{ site.ssl_port if not default and site.ssl_port else port }} {% if default %} default {% endif %};
+		{{ server_name_block(site, default=default, server_name=server_name, sites=sites, dns_multitenant=dns_multitenant) }}
+
+		ssl on;
+		ssl_certificate      {{ site.ssl_certificate }};
+		ssl_certificate_key  {{ site.ssl_certificate_key }};
+		ssl_session_timeout  5m;
+		ssl_protocols  SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+		ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
+		ssl_prefer_server_ciphers   on;
+
+		{{ location_block(site, port=port, default=default, server_name=server_name, sites=sites, dns_multitenant=dns_multitenant) }}
 	}
 {%- endmacro %}
 
 {% for site in sites %}
 
 {% if site.port %}
-{{ server_block(site) }}
+{{ server_block_http(site) }}
+{% endif %}
+
+{% if site.ssl_certificate_key and site.ssl_certificate %}
+{{ server_block_https(site) }}
 {% endif %}
 
 {% endfor %}
 
 {% if default_site %}
-{{ server_block(default_site, default=True, server_name="frappe_default_site") }}
+{{ server_block_http(default_site, default=True, server_name="frappe_default_site") }}
 {% endif %}
 
 {% if dns_multitenant and sites %}
-{{ server_block(None, default=False, sites=sites, dns_multitenant=True) }}
+{{ server_block_http(None, default=False, sites=sites, dns_multitenant=True) }}
 {% endif %}