vps/roles/reverse-proxy/templates/reverse-proxy.conf

# Redirect HTTP to HTTPS
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	server_name _;
	
	return 308 https://$host$request_uri;
}


# Default HTTPS server
server {
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;

	server_name _;
	server_name_in_redirect off;
	
	return 404;
}


# Homepage
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name {{ domain }};

	location = /.well-known/matrix/server {
		default_type application/json;

		return 200 '{ "m.server": "matrix.{{ domain }}:443" }';
	}

	location = /.well-known/matrix/client {
		default_type application/json;

		include /etc/nginx/conf.d/ssl-headers.conf;
		add_header Access-Control-Allow-Origin '*';

		return 200 '{ "m.homeserver": { "base_url": "https://matrix.{{ domain }}" } }';
	}

	location / {
		proxy_pass http://127.0.0.1:{{ ports['homepage'] }};
	}
}


# Downloads
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name dl.{{ domain }};

	root /var/www/html;
	autoindex on;
}


# Element
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name element.{{ domain }};

	location / {
		proxy_pass http://127.0.0.1:{{ ports['element'] }};

		include /etc/nginx/conf.d/ssl-headers.conf;
		add_header X-Frame-Options SAMEORIGIN;
		add_header X-Content-Type-Options nosniff;
		add_header X-XSS-Protection "1; mode=block";
		add_header Content-Security-Policy "frame-ancestors 'none'";
	}
}


# Etebase
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name etebase.{{ domain }};
	
	location / {
		proxy_pass http://127.0.0.1:{{ ports['etebase'] }};
	}
}


# Hedgedoc
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name hedgedoc.{{ domain }};
	
	location / {
		proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
	}

	location /socket.io/ {
		proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};

		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $http_connection;
	}
}


# JMAP
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name mail.{{ domain }};

	location / {
		proxy_pass https://127.0.0.1:{{ ports['mailserver_jmap'] }};

		# Websocket
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
	}
}


# SearXNG
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name searx.{{ domain }};

	location / {
		proxy_pass http://127.0.0.1:{{ ports['searxng'] }};

		include /etc/nginx/conf.d/ssl-headers.conf;
		add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
	}
}


# Synapse
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name matrix.{{ domain }};

	location / {
		proxy_pass http://127.0.0.1:{{ ports['synapse'] }};

		# Nginx by default only allows file uploads up to 1M in size
		# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
		client_max_body_size {{ synapse['max_upload_size'] }};   
	}
}


# Syncthing Discovery
upstream stdisco.{{ domain }} {
	# Local IP address:port for discovery server
	server 127.0.0.1:{{ ports['syncthing_discosrv'] }};
}
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name stdisco.{{ domain }};
	
	ssl_verify_client optional_no_ca;

	location / {
		proxy_pass http://stdisco.{{ domain }};
		
		proxy_set_header X-Client-Port $remote_port;
		proxy_set_header X-SSL-Cert $ssl_client_cert;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $http_connection;
	}
}


# Uptime Kuma
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;	
	
	server_name status.{{ domain }};

	location / {
		proxy_pass http://127.0.0.1:{{ ports['uptime_kuma'] }};
		
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
	}
}


# Vaultwarden
upstream vaultwarden-default {
	zone vaultwarden-default 64k;
	server 127.0.0.1:{{ ports['vaultwarden'] }};
	keepalive 2;
}
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;	
	
	server_name vw.{{ domain }};

	location / {
		proxy_pass http://vaultwarden-default;
		
		# Websocket
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
	}
}
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00			`# Redirect HTTP to HTTPS`
			`server {`
nginx-rp: remove http2 from HTTP server, remove service file + add kavita 2023-12-13 14:41:24 +01:00			`listen 80 default_server;`
			`listen [::]:80 default_server;`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00
			`server_name _;`

			`return 308 https://$host$request_uri;`
			`}`


			`# Default HTTPS server`
			`server {`
			`listen 443 ssl http2 default_server;`
			`listen [::]:443 ssl http2 default_server;`

			`server_name _;`
			`server_name_in_redirect off;`

			`return 404;`
			`}`


The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`# Homepage`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`

The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`server_name {{ domain }};`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00
nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			`location = /.well-known/matrix/server {`
			`default_type application/json;`
Update reverse proxy. 2024-03-02 11:57:21 +01:00
The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`return 200 '{ "m.server": "matrix.{{ domain }}:443" }';`
nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			`}`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00
nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			`location = /.well-known/matrix/client {`
			`default_type application/json;`
Update reverse proxy. 2024-03-02 11:57:21 +01:00
			`include /etc/nginx/conf.d/ssl-headers.conf;`
nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			`add_header Access-Control-Allow-Origin '*';`
Update reverse proxy. 2024-03-02 11:57:21 +01:00
The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`return 200 '{ "m.homeserver": { "base_url": "https://matrix.{{ domain }}" } }';`
nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			`}`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00
nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			`location / {`
Docker: Publish ports to localhost + proxy to ip to reduce lookups. 2024-02-18 22:19:55 +01:00			`proxy_pass http://127.0.0.1:{{ ports['homepage'] }};`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00			`}`
			`}`


NGINX: Readd dl.viyurz.fr (with autoindex) & remove Send. 2024-02-13 19:15:02 +01:00			`# Downloads`
			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`

The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`server_name dl.{{ domain }};`
NGINX: Readd dl.viyurz.fr (with autoindex) & remove Send. 2024-02-13 19:15:02 +01:00
			`root /var/www/html;`
			`autoindex on;`
			`}`


nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			`# Element`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`

The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`server_name element.{{ domain }};`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00
			`location / {`
Docker: Publish ports to localhost + proxy to ip to reduce lookups. 2024-02-18 22:19:55 +01:00			`proxy_pass http://127.0.0.1:{{ ports['element'] }};`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00
Update reverse proxy. 2024-03-02 11:57:21 +01:00			`include /etc/nginx/conf.d/ssl-headers.conf;`
nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			`add_header X-Frame-Options SAMEORIGIN;`
			`add_header X-Content-Type-Options nosniff;`
			`add_header X-XSS-Protection "1; mode=block";`
			`add_header Content-Security-Policy "frame-ancestors 'none'";`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00			`}`
			`}`


nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			`# Etebase`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`

The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`server_name etebase.{{ domain }};`
nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00
Reverse proxy: Etebase add admin page + Remove Matrix to Element redirection. 2024-02-25 19:27:24 +01:00			`location / {`
Docker: Publish ports to localhost + proxy to ip to reduce lookups. 2024-02-18 22:19:55 +01:00			`proxy_pass http://127.0.0.1:{{ ports['etebase'] }};`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00			`}`
			`}`


The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`# Hedgedoc`
Add element web 2023-12-11 14:40:29 +01:00			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`

The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`server_name hedgedoc.{{ domain }};`

			`location / {`
Docker: Publish ports to localhost + proxy to ip to reduce lookups. 2024-02-18 22:19:55 +01:00			`proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};`
The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`}`
Reverse proxy/Hedgedoc: Enable WebSocket 2024-02-17 19:37:21 +01:00
			`location /socket.io/ {`
Docker: Publish ports to localhost + proxy to ip to reduce lookups. 2024-02-18 22:19:55 +01:00			`proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};`
Reverse proxy/Hedgedoc: Enable WebSocket 2024-02-17 19:37:21 +01:00
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection $http_connection;`
			`}`
The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`}`


Add Stalwart mailserver. 2024-03-16 13:49:47 +01:00			`# JMAP`
			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`

			`server_name mail.{{ domain }};`

			`location / {`
			`proxy_pass https://127.0.0.1:{{ ports['mailserver_jmap'] }};`

			`# Websocket`
			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection $connection_upgrade;`
			`}`
			`}`


The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`# SearXNG`
			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`

			`server_name searx.{{ domain }};`
Add element web 2023-12-11 14:40:29 +01:00
			`location / {`
Docker: Publish ports to localhost + proxy to ip to reduce lookups. 2024-02-18 22:19:55 +01:00			`proxy_pass http://127.0.0.1:{{ ports['searxng'] }};`
Add element web 2023-12-11 14:40:29 +01:00
Update reverse proxy. 2024-03-02 11:57:21 +01:00			`include /etc/nginx/conf.d/ssl-headers.conf;`
nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
Add element web 2023-12-11 14:40:29 +01:00			`}`
			`}`


nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			`# Synapse`
nginx-rp: remove http2 from HTTP server, remove service file + add kavita 2023-12-13 14:41:24 +01:00			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`

The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`server_name matrix.{{ domain }};`
nginx-rp: remove http2 from HTTP server, remove service file + add kavita 2023-12-13 14:41:24 +01:00
Reverse proxy: Etebase add admin page + Remove Matrix to Element redirection. 2024-02-25 19:27:24 +01:00			`location / {`
Docker: Publish ports to localhost + proxy to ip to reduce lookups. 2024-02-18 22:19:55 +01:00			`proxy_pass http://127.0.0.1:{{ ports['synapse'] }};`
nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00
			`# Nginx by default only allows file uploads up to 1M in size`
			`# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml`
The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`client_max_body_size {{ synapse['max_upload_size'] }};`
nginx-rp: remove http2 from HTTP server, remove service file + add kavita 2023-12-13 14:41:24 +01:00			`}`
			`}`


nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			`# Syncthing Discovery`
The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`upstream stdisco.{{ domain }} {`
nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			`# Local IP address:port for discovery server`
Docker: Publish ports to localhost + proxy to ip to reduce lookups. 2024-02-18 22:19:55 +01:00			`server 127.0.0.1:{{ ports['syncthing_discosrv'] }};`
nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			`}`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`

The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`server_name stdisco.{{ domain }};`
nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00
			`ssl_verify_client optional_no_ca;`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00
			`location / {`
The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`proxy_pass http://stdisco.{{ domain }};`
nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00
			`proxy_set_header X-Client-Port $remote_port;`
			`proxy_set_header X-SSL-Cert $ssl_client_cert;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection $http_connection;`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00			`}`
			`}`


Add Uptime Kuma role. 2024-03-08 16:35:07 +01:00			`# Uptime Kuma`
			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`

			`server_name status.{{ domain }};`

			`location / {`
			`proxy_pass http://127.0.0.1:{{ ports['uptime_kuma'] }};`

			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection $connection_upgrade;`
			`}`
			`}`


nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			`# Vaultwarden`
			`upstream vaultwarden-default {`
			`zone vaultwarden-default 64k;`
Docker: Publish ports to localhost + proxy to ip to reduce lookups. 2024-02-18 22:19:55 +01:00			`server 127.0.0.1:{{ ports['vaultwarden'] }};`
nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			`keepalive 2;`
			`}`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00			`server {`
			`listen 443 ssl http2;`
nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			`listen [::]:443 ssl http2;`

The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`server_name vw.{{ domain }};`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00
nginx-rp fix padding + add collabora 2023-12-06 13:59:07 +01:00			`location / {`
nginx-rp: Reorder servers by alphabetical order 2023-12-13 15:11:38 +01:00			`proxy_pass http://vaultwarden-default;`

			`# Websocket`
			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection $connection_upgrade;`
Moved reverse proxy outside of docker 2023-12-01 11:27:02 +01:00			`}`
			`}`