Moved reverse proxy outside of docker
This commit is contained in:
parent
fd46313f93
commit
97af5ecee2
7 changed files with 538 additions and 209 deletions
2
maj.sh
2
maj.sh
|
@ -1,7 +1,7 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
|
||||||
services=(mc nginx-rp nginx-www searxng synapse vw)
|
services=(mc nginx-www searxng synapse syncthing vw)
|
||||||
|
|
||||||
|
|
||||||
if [[ ! $(echo "${services[*]} all" | grep -P "\b$1\b" ) ]]; then
|
if [[ ! $(echo "${services[*]} all" | grep -P "\b$1\b" ) ]]; then
|
||||||
|
|
31
nginx-rp/copy-conf.sh
Executable file
31
nginx-rp/copy-conf.sh
Executable file
|
@ -0,0 +1,31 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
|
||||||
|
if [[ $UID -ne 0 ]]; then
|
||||||
|
echo "This script must be run as root."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Chemin relatif pour les cas où
|
||||||
|
# le script n'est pas exécuté depuis
|
||||||
|
# le répertoire où il se trouve.
|
||||||
|
rel_path="$(dirname "$0")"
|
||||||
|
|
||||||
|
# Fichiers requis pour le script
|
||||||
|
files=('dhparam.txt' 'nginx.conf' 'reverse-proxy.conf')
|
||||||
|
for file in "${files[@]}"; do
|
||||||
|
if ! [[ -f "$rel_path/$file" ]]; then
|
||||||
|
echo "Required file $file is missing, exiting."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
|
||||||
|
cp "$rel_path/nginx.conf" /etc/nginx/
|
||||||
|
cp "$rel_path/reverse-proxy.conf" /etc/nginx/sites-available/
|
||||||
|
cp "$rel_path/dhparam.txt" /etc/nginx/
|
||||||
|
|
||||||
|
rm /etc/nginx/sites-enabled/*
|
||||||
|
ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf
|
||||||
|
|
||||||
|
systemctl reload nginx
|
|
@ -1,33 +1,37 @@
|
||||||
|
user www-data;
|
||||||
worker_processes auto;
|
worker_processes auto;
|
||||||
worker_cpu_affinity auto;
|
pid /run/nginx.pid;
|
||||||
worker_rlimit_nofile 2048;
|
include /etc/nginx/modules-enabled/*.conf;
|
||||||
|
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 768;
|
||||||
|
# multi_accept on;
|
||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
charset utf-8;
|
|
||||||
|
##
|
||||||
|
# Basic Settings
|
||||||
|
##
|
||||||
|
|
||||||
sendfile on;
|
sendfile on;
|
||||||
tcp_nopush on;
|
tcp_nopush on;
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
|
|
||||||
gzip off;
|
gzip off;
|
||||||
|
types_hash_max_size 2048;
|
||||||
# Hide NGINX version in error messages.
|
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
|
keepalive_timeout 65;
|
||||||
|
|
||||||
|
# server_names_hash_bucket_size 64;
|
||||||
|
# server_name_in_redirect off;
|
||||||
|
|
||||||
include /etc/nginx/mime.types;
|
include /etc/nginx/mime.types;
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
|
|
||||||
# Logging
|
##
|
||||||
# log_not_found on;
|
# SSL Settings
|
||||||
# access_log /var/log/nginx/access.log;
|
##
|
||||||
# error_log /var/log/nginx/error.log warn;
|
|
||||||
|
|
||||||
keepalive_timeout 65;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/viyurz.fr/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/viyurz.fr/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/viyurz.fr/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/viyurz.fr/privkey.pem;
|
||||||
|
@ -40,7 +44,7 @@ http {
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
|
||||||
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
|
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
|
||||||
ssl_dhparam /dhparam.txt;
|
ssl_dhparam /etc/nginx/dhparam.txt;
|
||||||
|
|
||||||
ssl_prefer_server_ciphers off;
|
ssl_prefer_server_ciphers off;
|
||||||
|
|
||||||
|
@ -48,35 +52,35 @@ http {
|
||||||
ssl_session_cache shared:MozSSL:10m;
|
ssl_session_cache shared:MozSSL:10m;
|
||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
|
|
||||||
# HSTS (ngx_http_headers_module is required)
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
|
||||||
|
|
||||||
add_header X-Robots-Tag "noindex, nofollow" always;
|
|
||||||
add_header Set-Cookie "Path=/; HttpOnly; Secure";
|
|
||||||
|
|
||||||
# OCSP stapling
|
|
||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Logging Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
access_log /var/log/nginx/access.log;
|
||||||
|
error_log /var/log/nginx/error.log;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Headers
|
||||||
|
##
|
||||||
|
|
||||||
resolver 185.12.64.12 [a01:4ff:ff00::add:2] [2a01:4ff:ff00::add:1];
|
resolver 185.12.64.12 [a01:4ff:ff00::add:2] [2a01:4ff:ff00::add:1];
|
||||||
|
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
|
add_header X-Robots-Tag "noindex, nofollow" always;
|
||||||
|
add_header Set-Cookie "Path=/; HttpOnly; Secure";
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Client-Port $remote_port;
|
||||||
|
proxy_set_header X-SSL-Cert $ssl_client_cert;
|
||||||
proxy_set_header X-Forwarded-Port $server_port;
|
proxy_set_header X-Forwarded-Port $server_port;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
||||||
proxy_set_header X-Forwarded-Scheme $scheme;
|
proxy_set_header X-Forwarded-Scheme $scheme;
|
||||||
|
|
||||||
# The `upstream` directives ensure that you have a http/1.1 connection
|
|
||||||
# This enables the keepalive option and better performance
|
|
||||||
#
|
|
||||||
# Define the server IP and ports here.
|
|
||||||
upstream vaultwarden-default {
|
|
||||||
zone vaultwarden-default 64k;
|
|
||||||
server localhost:8081;
|
|
||||||
keepalive 2;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Needed to support websocket connections
|
# Needed to support websocket connections
|
||||||
# See: https://nginx.org/en/docs/http/websocket.html
|
# See: https://nginx.org/en/docs/http/websocket.html
|
||||||
# Instead of "close" as stated in the above link we send an empty value.
|
# Instead of "close" as stated in the above link we send an empty value.
|
||||||
|
@ -86,178 +90,10 @@ http {
|
||||||
'' "";
|
'' "";
|
||||||
}
|
}
|
||||||
|
|
||||||
# Redirect HTTP to HTTPS
|
##
|
||||||
server {
|
# Virtual Host Configs
|
||||||
listen 80 default_server;
|
##
|
||||||
listen [::]:80 default_server;
|
|
||||||
|
|
||||||
http2 on;
|
include /etc/nginx/conf.d/*.conf;
|
||||||
|
include /etc/nginx/sites-enabled/*;
|
||||||
server_name _;
|
|
||||||
|
|
||||||
return 308 https://$host$request_uri;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl default_server;
|
|
||||||
listen [::]:443 ssl default_server;
|
|
||||||
|
|
||||||
http2 on;
|
|
||||||
|
|
||||||
server_name _;
|
|
||||||
server_name_in_redirect off;
|
|
||||||
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl;
|
|
||||||
listen [::]:443 ssl;
|
|
||||||
|
|
||||||
http2 on;
|
|
||||||
|
|
||||||
# http3 on;
|
|
||||||
# quic_retry on;
|
|
||||||
# add_header Alt-Svc 'h3=":$server_port"; ma=86400';
|
|
||||||
# listen 443 quic reuseport;
|
|
||||||
# listen [::]:443 quic reuseport;
|
|
||||||
|
|
||||||
server_name nc.viyurz.fr;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://localhost:11000;
|
|
||||||
|
|
||||||
add_header Set-Cookie "Path=/; HttpOnly; Secure";
|
|
||||||
|
|
||||||
# Websocket
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection $connection_upgrade;
|
|
||||||
proxy_set_header Accept-Encoding "";
|
|
||||||
|
|
||||||
client_body_buffer_size 512k;
|
|
||||||
proxy_read_timeout 86400s;
|
|
||||||
client_max_body_size 0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl;
|
|
||||||
listen [::]:443 ssl;
|
|
||||||
|
|
||||||
http2 on;
|
|
||||||
|
|
||||||
server_name vw.viyurz.fr;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://vaultwarden-default;
|
|
||||||
|
|
||||||
# Websocket
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection $connection_upgrade;
|
|
||||||
|
|
||||||
client_max_body_size 525M;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl;
|
|
||||||
listen [::]:443 ssl;
|
|
||||||
|
|
||||||
http2 on;
|
|
||||||
|
|
||||||
server_name searx.viyurz.fr;
|
|
||||||
|
|
||||||
location ~ ^/(config|healthz|stats/errors|stats/checker) {
|
|
||||||
proxy_pass http://localhost:8083;
|
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
|
||||||
add_header Set-Cookie "Path=/; HttpOnly; Secure";
|
|
||||||
# Disable some features
|
|
||||||
add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
|
|
||||||
add_header Access-Control-Allow-Methods "GET, OPTIONS";
|
|
||||||
add_header Access-Control-Allow-Origin "*";
|
|
||||||
}
|
|
||||||
|
|
||||||
location /static/ {
|
|
||||||
proxy_pass http://localhost:8083;
|
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
|
||||||
add_header Set-Cookie "Path=/; HttpOnly; Secure";
|
|
||||||
# Disable some features
|
|
||||||
add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
|
|
||||||
add_header Cache-Control "public, max-age=31536000";
|
|
||||||
}
|
|
||||||
|
|
||||||
location /image_proxy {
|
|
||||||
proxy_pass http://localhost:8083;
|
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
|
||||||
add_header Set-Cookie "Path=/; HttpOnly; Secure";
|
|
||||||
# Disable some features
|
|
||||||
add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
|
|
||||||
add_header Content-Security-Policy "default-src 'none'; img-src 'self' data:";
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://localhost:8083;
|
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
|
||||||
add_header Set-Cookie "Path=/; HttpOnly; Secure";
|
|
||||||
# Disable some features
|
|
||||||
add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
|
|
||||||
# add_header Cache-Control "no-cache, no-store";
|
|
||||||
# add_header Pragma "no-cache";
|
|
||||||
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl;
|
|
||||||
listen [::]:443 ssl;
|
|
||||||
|
|
||||||
http2 on;
|
|
||||||
|
|
||||||
server_name matrix.viyurz.fr;
|
|
||||||
|
|
||||||
location ~ ^(/_matrix|/_synapse/client) {
|
|
||||||
proxy_pass http://localhost:8008;
|
|
||||||
|
|
||||||
# Nginx by default only allows file uploads up to 1M in size
|
|
||||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
|
||||||
client_max_body_size 50M;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl;
|
|
||||||
listen [::]:443 ssl;
|
|
||||||
|
|
||||||
http2 on;
|
|
||||||
|
|
||||||
server_name www.viyurz.fr;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://localhost:8082;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl;
|
|
||||||
listen [::]:443 ssl;
|
|
||||||
|
|
||||||
http2 on;
|
|
||||||
|
|
||||||
server_name viyurz.fr;
|
|
||||||
|
|
||||||
location /.well-known/matrix/server {
|
|
||||||
default_type application/json;
|
|
||||||
return 200 '{ "m.server": "matrix.viyurz.fr:443" }';
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 308 https://www.viyurz.fr$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
166
nginx-rp/reverse-proxy.conf
Normal file
166
nginx-rp/reverse-proxy.conf
Normal file
|
@ -0,0 +1,166 @@
|
||||||
|
# Redirect HTTP to HTTPS
|
||||||
|
server {
|
||||||
|
listen 80 http2 default_server;
|
||||||
|
listen [::]:80 http2 default_server;
|
||||||
|
|
||||||
|
server_name _;
|
||||||
|
|
||||||
|
return 308 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Default HTTPS server
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2 default_server;
|
||||||
|
listen [::]:443 ssl http2 default_server;
|
||||||
|
|
||||||
|
server_name _;
|
||||||
|
server_name_in_redirect off;
|
||||||
|
|
||||||
|
return 404;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Nextcloud
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name nc.viyurz.fr;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://localhost:11000;
|
||||||
|
|
||||||
|
add_header Set-Cookie "Path=/; HttpOnly; Secure";
|
||||||
|
|
||||||
|
# Websocket
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
proxy_set_header Accept-Encoding "";
|
||||||
|
|
||||||
|
client_body_buffer_size 512k;
|
||||||
|
proxy_read_timeout 86400s;
|
||||||
|
client_max_body_size 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Vaultwarden
|
||||||
|
upstream vaultwarden-default {
|
||||||
|
zone vaultwarden-default 64k;
|
||||||
|
server localhost:8081;
|
||||||
|
keepalive 2;
|
||||||
|
}
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name vw.viyurz.fr;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://vaultwarden-default;
|
||||||
|
|
||||||
|
# Websocket
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
||||||
|
client_max_body_size 525M;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# SearxNG
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name searx.viyurz.fr;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://localhost:8083;
|
||||||
|
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
|
add_header Set-Cookie "Path=/; HttpOnly; Secure";
|
||||||
|
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Matrix/Synapse
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name matrix.viyurz.fr;
|
||||||
|
|
||||||
|
location ~ ^(/_matrix|/_synapse/client) {
|
||||||
|
proxy_pass http://localhost:8008;
|
||||||
|
|
||||||
|
# Nginx by default only allows file uploads up to 1M in size
|
||||||
|
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||||
|
client_max_body_size 50M;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Syncthing Discovery
|
||||||
|
upstream stdisco.viyurz.fr {
|
||||||
|
# Local IP address:port for discovery server
|
||||||
|
server localhost:8443;
|
||||||
|
}
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name stdisco.viyurz.fr;
|
||||||
|
|
||||||
|
ssl_verify_client optional_no_ca;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://stdisco.viyurz.fr;
|
||||||
|
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $http_connection;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Homepage
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name www.viyurz.fr;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://localhost:8082;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Base domain redirect
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name viyurz.fr;
|
||||||
|
|
||||||
|
location /.well-known/matrix/server {
|
||||||
|
default_type application/json;
|
||||||
|
return 200 '{ "m.server": "matrix.viyurz.fr:443" }';
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 308 https://www.viyurz.fr$request_uri;
|
||||||
|
}
|
||||||
|
}
|
8
unused-nginx-rp-docker/dhparam.txt
Normal file
8
unused-nginx-rp-docker/dhparam.txt
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
-----BEGIN DH PARAMETERS-----
|
||||||
|
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||||
|
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||||
|
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||||
|
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||||
|
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||||
|
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||||
|
-----END DH PARAMETERS-----
|
288
unused-nginx-rp-docker/nginx.conf
Normal file
288
unused-nginx-rp-docker/nginx.conf
Normal file
|
@ -0,0 +1,288 @@
|
||||||
|
worker_processes auto;
|
||||||
|
worker_cpu_affinity auto;
|
||||||
|
worker_rlimit_nofile 2048;
|
||||||
|
|
||||||
|
|
||||||
|
events {
|
||||||
|
worker_connections 1024;
|
||||||
|
}
|
||||||
|
|
||||||
|
http {
|
||||||
|
charset utf-8;
|
||||||
|
|
||||||
|
sendfile on;
|
||||||
|
tcp_nopush on;
|
||||||
|
tcp_nodelay on;
|
||||||
|
|
||||||
|
gzip off;
|
||||||
|
|
||||||
|
# Hide NGINX version in error messages.
|
||||||
|
server_tokens off;
|
||||||
|
|
||||||
|
include /etc/nginx/mime.types;
|
||||||
|
default_type application/octet-stream;
|
||||||
|
|
||||||
|
# Logging
|
||||||
|
# log_not_found on;
|
||||||
|
# access_log /var/log/nginx/access.log;
|
||||||
|
# error_log /var/log/nginx/error.log warn;
|
||||||
|
|
||||||
|
keepalive_timeout 65;
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/live/viyurz.fr/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/viyurz.fr/privkey.pem;
|
||||||
|
ssl_trusted_certificate /etc/letsencrypt/live/viyurz.fr/chain.pem;
|
||||||
|
|
||||||
|
# modern configuration
|
||||||
|
# ssl_protocols TLSv1.3;
|
||||||
|
|
||||||
|
# intermediate configuration
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
|
||||||
|
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
|
||||||
|
ssl_dhparam /dhparam.txt;
|
||||||
|
|
||||||
|
ssl_prefer_server_ciphers off;
|
||||||
|
|
||||||
|
ssl_session_timeout 1d;
|
||||||
|
ssl_session_cache shared:MozSSL:10m;
|
||||||
|
ssl_session_tickets off;
|
||||||
|
|
||||||
|
# HSTS (ngx_http_headers_module is required)
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
|
|
||||||
|
add_header X-Robots-Tag "noindex, nofollow" always;
|
||||||
|
add_header Set-Cookie "Path=/; HttpOnly; Secure";
|
||||||
|
|
||||||
|
# OCSP stapling
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
|
||||||
|
resolver 185.12.64.12 [a01:4ff:ff00::add:2] [2a01:4ff:ff00::add:1];
|
||||||
|
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Client-Port $remote_port;
|
||||||
|
proxy_set_header X-SSL-Cert $ssl_client_cert;
|
||||||
|
proxy_set_header X-Forwarded-Port $server_port;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
||||||
|
proxy_set_header X-Forwarded-Scheme $scheme;
|
||||||
|
|
||||||
|
# The `upstream` directives ensure that you have a http/1.1 connection
|
||||||
|
# This enables the keepalive option and better performance
|
||||||
|
#
|
||||||
|
# Define the server IP and ports here.
|
||||||
|
upstream vaultwarden-default {
|
||||||
|
zone vaultwarden-default 64k;
|
||||||
|
server localhost:8081;
|
||||||
|
keepalive 2;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Needed to support websocket connections
|
||||||
|
# See: https://nginx.org/en/docs/http/websocket.html
|
||||||
|
# Instead of "close" as stated in the above link we send an empty value.
|
||||||
|
# Else all keepalive connections will not work.
|
||||||
|
map $http_upgrade $connection_upgrade {
|
||||||
|
default upgrade;
|
||||||
|
'' "";
|
||||||
|
}
|
||||||
|
|
||||||
|
# Redirect HTTP to HTTPS
|
||||||
|
server {
|
||||||
|
listen 80 default_server;
|
||||||
|
listen [::]:80 default_server;
|
||||||
|
|
||||||
|
http2 on;
|
||||||
|
|
||||||
|
server_name _;
|
||||||
|
|
||||||
|
return 308 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl default_server;
|
||||||
|
listen [::]:443 ssl default_server;
|
||||||
|
|
||||||
|
http2 on;
|
||||||
|
|
||||||
|
server_name _;
|
||||||
|
server_name_in_redirect off;
|
||||||
|
|
||||||
|
return 404;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
listen [::]:443 ssl;
|
||||||
|
|
||||||
|
http2 on;
|
||||||
|
|
||||||
|
# http3 on;
|
||||||
|
# quic_retry on;
|
||||||
|
# add_header Alt-Svc 'h3=":$server_port"; ma=86400';
|
||||||
|
# listen 443 quic reuseport;
|
||||||
|
# listen [::]:443 quic reuseport;
|
||||||
|
|
||||||
|
server_name nc.viyurz.fr;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://localhost:11000;
|
||||||
|
|
||||||
|
add_header Set-Cookie "Path=/; HttpOnly; Secure";
|
||||||
|
|
||||||
|
# Websocket
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
proxy_set_header Accept-Encoding "";
|
||||||
|
|
||||||
|
client_body_buffer_size 512k;
|
||||||
|
proxy_read_timeout 86400s;
|
||||||
|
client_max_body_size 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
listen [::]:443 ssl;
|
||||||
|
|
||||||
|
http2 on;
|
||||||
|
|
||||||
|
server_name vw.viyurz.fr;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://vaultwarden-default;
|
||||||
|
|
||||||
|
# Websocket
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
||||||
|
client_max_body_size 525M;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
listen [::]:443 ssl;
|
||||||
|
|
||||||
|
http2 on;
|
||||||
|
|
||||||
|
server_name searx.viyurz.fr;
|
||||||
|
|
||||||
|
location ~ ^/(config|healthz|stats/errors|stats/checker) {
|
||||||
|
proxy_pass http://localhost:8083;
|
||||||
|
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
|
add_header Set-Cookie "Path=/; HttpOnly; Secure";
|
||||||
|
# Disable some features
|
||||||
|
add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
|
||||||
|
add_header Access-Control-Allow-Methods "GET, OPTIONS";
|
||||||
|
add_header Access-Control-Allow-Origin "*";
|
||||||
|
}
|
||||||
|
|
||||||
|
location /static/ {
|
||||||
|
proxy_pass http://localhost:8083;
|
||||||
|
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
|
add_header Set-Cookie "Path=/; HttpOnly; Secure";
|
||||||
|
# Disable some features
|
||||||
|
add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
|
||||||
|
add_header Cache-Control "public, max-age=31536000";
|
||||||
|
}
|
||||||
|
|
||||||
|
location /image_proxy {
|
||||||
|
proxy_pass http://localhost:8083;
|
||||||
|
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
|
add_header Set-Cookie "Path=/; HttpOnly; Secure";
|
||||||
|
# Disable some features
|
||||||
|
add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
|
||||||
|
add_header Content-Security-Policy "default-src 'none'; img-src 'self' data:";
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://localhost:8083;
|
||||||
|
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
|
add_header Set-Cookie "Path=/; HttpOnly; Secure";
|
||||||
|
# Disable some features
|
||||||
|
add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
|
||||||
|
# add_header Cache-Control "no-cache, no-store";
|
||||||
|
# add_header Pragma "no-cache";
|
||||||
|
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
listen [::]:443 ssl;
|
||||||
|
|
||||||
|
http2 on;
|
||||||
|
|
||||||
|
server_name matrix.viyurz.fr;
|
||||||
|
|
||||||
|
location ~ ^(/_matrix|/_synapse/client) {
|
||||||
|
proxy_pass http://localhost:8008;
|
||||||
|
|
||||||
|
# Nginx by default only allows file uploads up to 1M in size
|
||||||
|
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||||
|
client_max_body_size 50M;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
upstream stdisco.viyurz.fr {
|
||||||
|
# Local IP address:port for discovery server
|
||||||
|
server localhost:8443;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
listen [::]:443 ssl;
|
||||||
|
|
||||||
|
http2 on;
|
||||||
|
|
||||||
|
server_name stdisco.viyurz.fr;
|
||||||
|
|
||||||
|
ssl_verify_client optional_no_ca;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://stdisco.viyurz.fr;
|
||||||
|
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $http_connection;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
listen [::]:443 ssl;
|
||||||
|
|
||||||
|
http2 on;
|
||||||
|
|
||||||
|
server_name www.viyurz.fr;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://localhost:8082;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
listen [::]:443 ssl;
|
||||||
|
|
||||||
|
http2 on;
|
||||||
|
|
||||||
|
server_name viyurz.fr;
|
||||||
|
|
||||||
|
location /.well-known/matrix/server {
|
||||||
|
default_type application/json;
|
||||||
|
return 200 '{ "m.server": "matrix.viyurz.fr:443" }';
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 308 https://www.viyurz.fr$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in a new issue