From e3c7c4f38ab9e29e47a8b4ccbc929b0f251c0da5 Mon Sep 17 00:00:00 2001 
From: Viyurz Date: Mon, 1 Apr 2024 10:27:06 +0200 Subject: [PATCH] Rename role reverse-proxy to nginx + split configuration. --- env.yml | 9 +- roles/nginx/tasks/main.yml | 60 ++++ roles/nginx/templates/nginx.conf | 38 +++ .../templates/sites-enabled/authelia.conf | 10 + .../templates/sites-enabled/default.conf | 15 + .../templates/sites-enabled/downloads.conf | 9 + .../templates/sites-enabled/element.conf | 16 + .../templates/sites-enabled/etebase.conf | 10 + .../templates/sites-enabled/hedgedoc.conf | 16 + .../templates/sites-enabled/homepage.conf | 25 ++ roles/nginx/templates/sites-enabled/jmap.conf | 12 + .../nginx/templates/sites-enabled/lldap.conf | 14 + .../templates/sites-enabled/searxng.conf | 13 + .../templates/sites-enabled/synapse.conf | 12 + .../sites-enabled/syncthing-discovery.conf | 16 + .../templates/sites-enabled/syncthing.conf | 14 + .../templates/sites-enabled/uptime-kuma.conf | 12 + .../templates/sites-enabled/vaultwarden.conf | 18 ++ .../snippets}/authelia-authrequest.conf | 0 .../snippets}/authelia-location.conf | 6 +- roles/nginx/templates/snippets/proxy.conf | 10 + .../templates/snippets}/ssl-headers.conf | 0 roles/nginx/templates/snippets/ssl.conf | 18 ++ roles/nginx/templates/snippets/websocket.conf | 2 + roles/reverse-proxy/tasks/main.yml | 79 ----- roles/reverse-proxy/templates/nginx.conf | 86 ------ .../templates/reverse-proxy.conf | 273 ------------------ 27 files changed, 344 insertions(+), 449 deletions(-) create mode 100644 roles/nginx/tasks/main.yml create mode 100644 roles/nginx/templates/nginx.conf create mode 100644 roles/nginx/templates/sites-enabled/authelia.conf create mode 100644 roles/nginx/templates/sites-enabled/default.conf create mode 100644 roles/nginx/templates/sites-enabled/downloads.conf create mode 100644 roles/nginx/templates/sites-enabled/element.conf create mode 100644 roles/nginx/templates/sites-enabled/etebase.conf create mode 100644 roles/nginx/templates/sites-enabled/hedgedoc.conf create mode 100644 
roles/nginx/templates/sites-enabled/homepage.conf create mode 100644 roles/nginx/templates/sites-enabled/jmap.conf create mode 100644 roles/nginx/templates/sites-enabled/lldap.conf create mode 100644 roles/nginx/templates/sites-enabled/searxng.conf create mode 100644 roles/nginx/templates/sites-enabled/synapse.conf create mode 100644 roles/nginx/templates/sites-enabled/syncthing-discovery.conf create mode 100644 roles/nginx/templates/sites-enabled/syncthing.conf create mode 100644 roles/nginx/templates/sites-enabled/uptime-kuma.conf create mode 100644 roles/nginx/templates/sites-enabled/vaultwarden.conf rename roles/{reverse-proxy/templates => nginx/templates/snippets}/authelia-authrequest.conf (100%) rename roles/{reverse-proxy/templates => nginx/templates/snippets}/authelia-location.conf (71%) create mode 100644 roles/nginx/templates/snippets/proxy.conf rename roles/{reverse-proxy/files => nginx/templates/snippets}/ssl-headers.conf (100%) create mode 100644 roles/nginx/templates/snippets/ssl.conf create mode 100644 roles/nginx/templates/snippets/websocket.conf delete mode 100644 roles/reverse-proxy/tasks/main.yml delete mode 100644 roles/reverse-proxy/templates/nginx.conf delete mode 100644 roles/reverse-proxy/templates/reverse-proxy.conf diff --git a/env.yml b/env.yml index 485a409..65b5c7f 100644 --- a/env.yml +++ b/env.yml @@ -47,8 +47,8 @@ projects: - homepage - lldap - mailserver + - nginx - postgres - - reverse-proxy - searxng - synapse - syncthing @@ -149,12 +149,5 @@ volumes: # Service-specific variables -reverse_proxy: - ssl_certificate_file: "/etc/letsencrypt/live/{{ domain }}/fullchain.pem" - ssl_certificate_key_file: "/etc/letsencrypt/live/{{ domain }}/privkey.pem" - ssl_trusted_certificate_file: "/etc/letsencrypt/live/{{ domain }}/chain.pem" - resolver: "185.12.64.12 [a01:4ff:ff00::add:2] [2a01:4ff:ff00::add:1]" - - synapse: max_upload_size: 50M 
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml new file mode 100644 index 0000000..e6b3f95 --- /dev/null +++ b/roles/nginx/tasks/main.yml @@ -0,0 +1,60 @@ +- name: + become: true + block: + - name: Install package nginx + apt: + name: nginx + + - name: Delete directories in /etc/nginx/ + file: + path: "/etc/nginx/{{ item }}" + state: absent + loop: + - sites-enabled + - snippets + + - name: Create directories in /etc/nginx/ + file: + path: "/etc/nginx/{{ item }}" + state: directory + loop: + - sites-enabled + - snippets + + - name: Template configuration files to /etc/nginx/ + template: + src: "{{ item.src }}" + dest: "/etc/nginx/{{ item.path }}" + owner: root + group: root + mode: '644' + with_filetree: ../templates/ + when: item.state == 'file' + + - name: Get state of file /etc/nginx/dhparam.txt + stat: + path: /etc/nginx/dhparam.txt + register: nginx_stat_dhparam_result + + - name: Download dhparam file from Mozilla + get_url: + url: https://ssl-config.mozilla.org/ffdhe2048.txt + dest: /etc/nginx/dhparam.txt + when: not nginx_stat_dhparam_result.stat.exists + + - name: Set correct permissions on certificate directories + file: + path: "/etc/letsencrypt/{{ item }}/{{ domain }}" + state: directory + owner: root + group: root + mode: '750' + loop: + - live + - archive + + - name: Start/Reload NGINX service + service: + name: nginx + state: reloaded + enabled: yes diff --git a/roles/nginx/templates/nginx.conf b/roles/nginx/templates/nginx.conf new file mode 100644 index 0000000..6db0562 --- /dev/null +++ b/roles/nginx/templates/nginx.conf 
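Review bot: `Download dhparam file from Mozilla` writes `/etc/nginx/dhparam.txt` via `get_url` with no `checksum:`, so the DH group every DHE handshake will use is whatever that one download delivered, with nothing pinning it to the published RFC 7919 ffdhe2048 group; the file is a fixed constant, so `checksum: "sha256:<digest of ffdhe2048.txt, recorded at review time>"` costs nothing and turns a silent substitution into a task failure. The role also templates straight into `/etc/nginx/` and goes to `state: reloaded` with no `nginx -t` in between, so a bad template is only noticed when the reload fails, and nothing removes what the deleted role left behind (`/etc/nginx/conf.d/ssl-headers.conf`, `/etc/nginx/sites-available/reverse-proxy.conf`, `/etc/nginx/authelia-*.conf`) — since the new nginx.conf still includes `conf.d/*.conf`, the stale `ssl-headers.conf` keeps being loaded on hosts upgraded in place. The top-level `- name:` is empty; give the block a name so `--list-tasks` and run logs are readable. The additions below fit between the existing tasks.
```yaml
    # … unchanged: install nginx, recreate sites-enabled/snippets, template files, stat dhparam …

    - name: Download dhparam file from Mozilla
      get_url:
        url: https://ssl-config.mozilla.org/ffdhe2048.txt
        dest: /etc/nginx/dhparam.txt
        # RFC 7919 ffdhe2048 is a fixed, published group; pin it so a tampered download fails the task
        checksum: "sha256:<digest of ffdhe2048.txt, recorded at review time>"
      when: not nginx_stat_dhparam_result.stat.exists

    - name: Remove configuration left behind by the old reverse-proxy role
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - /etc/nginx/conf.d/ssl-headers.conf
        - /etc/nginx/sites-available/reverse-proxy.conf
        - /etc/nginx/authelia-location.conf
        - /etc/nginx/authelia-authrequest.conf

    # … unchanged: certificate directory permissions …

    - name: Validate NGINX configuration before reloading
      command: nginx -t
      changed_when: false

    - name: Start/Reload NGINX service
      service:
        name: nginx
        state: reloaded
        enabled: yes
```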
@@ -0,0 +1,38 @@ +user www-data; +worker_processes auto; +worker_rlimit_nofile 1024; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 512; + multi_accept off; +} + +http { + sendfile on; + tcp_nopush on; + tcp_nodelay on; + + gzip off; + server_tokens off; + keepalive_timeout 30; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + include /etc/nginx/mime.types; + + # Needed to support websocket connections + map $http_upgrade $connection_upgrade { + default upgrade; + '' ""; + } + + include /etc/nginx/conf.d/*.conf; + + include /etc/nginx/snippets/proxy.conf; + include /etc/nginx/snippets/ssl.conf; + include /etc/nginx/snippets/ssl-headers.conf; + + include /etc/nginx/sites-enabled/*; +} diff --git a/roles/nginx/templates/sites-enabled/authelia.conf b/roles/nginx/templates/sites-enabled/authelia.conf new file mode 100644 index 0000000..fcc3dff --- /dev/null +++ b/roles/nginx/templates/sites-enabled/authelia.conf @@ -0,0 +1,10 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name auth.{{ domain }}; + + location / { + proxy_pass http://127.0.0.1:{{ ports['authelia'] }}; + } +} diff --git a/roles/nginx/templates/sites-enabled/default.conf b/roles/nginx/templates/sites-enabled/default.conf new file mode 100644 index 0000000..ed2ea4b --- /dev/null +++ b/roles/nginx/templates/sites-enabled/default.conf @@ -0,0 +1,15 @@ +# Redirect HTTP to HTTPS +server { + listen 80 default_server; + listen [::]:80 default_server; + + return 308 https://$host$request_uri; +} + +# Default HTTPS server +server { + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2 default_server; + + return 404; +} diff --git a/roles/nginx/templates/sites-enabled/downloads.conf b/roles/nginx/templates/sites-enabled/downloads.conf new file mode 100644 index 0000000..62cccfb --- /dev/null +++ b/roles/nginx/templates/sites-enabled/downloads.conf 
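Review bot: The `map $http_upgrade $connection_upgrade` block lost the comment that explained why the empty case maps to `""` rather than the `close` shown in the nginx WebSocket docs (the deleted nginx.conf said keepalive connections break otherwise), and that reasoning is exactly what the next editor needs before "fixing" it back; restore it as `# '' -> "" rather than "close" (nginx docs): "close" would kill keepalive upstream connections`. It is also worth a one-line comment that `snippets/proxy.conf` and `snippets/ssl-headers.conf` are deliberately included at http level and that any `proxy_set_header` or `add_header` in a lower block replaces, not extends, that inherited set. Finally, `http2` now appears only on default.conf's `listen` lines; on nginx before 1.25.1 the flag is per-port and so covers every server on 443, but that is implicit — either note it or use `http2 on;` here if the installed nginx is ≥ 1.25.1.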
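Review bot: The catch-all HTTPS server (`listen 443 ssl http2 default_server` … `return 404`) still completes a TLS handshake with the `{{ domain }}` certificate for any unknown SNI name or a bare IP before answering 404, so scanners hitting the address get the certificate and its SAN list for free; on nginx ≥ 1.19.4, `ssl_reject_handshake on;` in that server block refuses those handshakes outright and is the idiomatic default server. The HTTP block's `return 308 https://$host$request_uri;` reflects a client-chosen Host header, which is low impact but gets flagged as an open redirect on a `default_server`; redirecting to `https://{{ domain }}$request_uri` when `$host` is not one of your names would close it. A comment stating that no ACME challenge location is needed here (certificates are evidently obtained some other way) would also save the next person a search.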
@@ -0,0 +1,9 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name dl.{{ domain }}; + + root /var/www/html; + autoindex on; +} diff --git a/roles/nginx/templates/sites-enabled/element.conf b/roles/nginx/templates/sites-enabled/element.conf new file mode 100644 index 0000000..ebb18d1 --- /dev/null +++ b/roles/nginx/templates/sites-enabled/element.conf @@ -0,0 +1,16 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name element.{{ domain }}; + + location / { + proxy_pass http://127.0.0.1:{{ ports['element'] }}; + + include /etc/nginx/snippets/ssl-headers.conf; + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'none'"; + } +} diff --git a/roles/nginx/templates/sites-enabled/etebase.conf b/roles/nginx/templates/sites-enabled/etebase.conf new file mode 100644 index 0000000..f73ee6c --- /dev/null +++ b/roles/nginx/templates/sites-enabled/etebase.conf @@ -0,0 +1,10 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name etebase.{{ domain }}; + + location / { + proxy_pass http://127.0.0.1:{{ ports['etebase'] }}; + } +} diff --git a/roles/nginx/templates/sites-enabled/hedgedoc.conf b/roles/nginx/templates/sites-enabled/hedgedoc.conf new file mode 100644 index 0000000..59f0779 --- /dev/null +++ b/roles/nginx/templates/sites-enabled/hedgedoc.conf @@ -0,0 +1,16 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name hedgedoc.{{ domain }}; + + location / { + proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }}; + } + + location /socket.io/ { + proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }}; + + include /etc/nginx/snippets/websocket.conf; + } +} diff --git a/roles/nginx/templates/sites-enabled/homepage.conf b/roles/nginx/templates/sites-enabled/homepage.conf new file mode 100644 index 0000000..c9dc4de --- /dev/null +++ b/roles/nginx/templates/sites-enabled/homepage.conf 
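Review bot: `root /var/www/html;` with `autoindex on;` publishes a listing of the distribution's default docroot on `dl.{{ domain }}`, so anything another package or a stray copy drops into `/var/www/html` (the packaged `index.nginx-debian.html` included) is served to anyone, and there is no `index` directive, so the listing is the landing page. If a public directory listing is the intent, say so and give it a dedicated directory, e.g. `root /var/www/downloads;` with a comment `# public file share: everything under this root is listed and downloadable by anyone`; if not, `autoindex off` and an explicit index file. Note the http-level security headers still apply here only because this block sets no `add_header` of its own.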
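Review bot: In element.conf the `add_header X-Frame-Options SAMEORIGIN;` and `add_header Content-Security-Policy "frame-ancestors 'none'";` lines contradict each other — browsers that understand `frame-ancestors` ignore X-Frame-Options and refuse same-origin framing too, while legacy browsers allow it — so make them agree with `add_header X-Frame-Options DENY;`. `X-XSS-Protection "1; mode=block"` is a legacy filter that current browsers have removed and that was itself abusable for information leaks in the engines that still shipped it; `add_header X-XSS-Protection "0";` (or dropping the line) is the current recommendation. The re-`include` of `ssl-headers.conf` inside the location is required, not a duplicate, because a location-level `add_header` discards the http-level set; a comment saying `# add_header here replaces the inherited headers, so re-include the global ones` will stop someone tidying it away.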
@@ -0,0 +1,25 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name {{ domain }}; + + location = /.well-known/matrix/server { + default_type application/json; + + return 200 '{ "m.server": "matrix.{{ domain }}:443" }'; + } + + location = /.well-known/matrix/client { + default_type application/json; + + include /etc/nginx/snippets/ssl-headers.conf; + add_header Access-Control-Allow-Origin '*'; + + return 200 '{ "m.homeserver": { "base_url": "https://matrix.{{ domain }}" } }'; + } + + location / { + proxy_pass http://127.0.0.1:{{ ports['homepage'] }}; + } +} diff --git a/roles/nginx/templates/sites-enabled/jmap.conf b/roles/nginx/templates/sites-enabled/jmap.conf new file mode 100644 index 0000000..ad59191 --- /dev/null +++ b/roles/nginx/templates/sites-enabled/jmap.conf @@ -0,0 +1,12 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name jmap.{{ domain }}; + + location / { + proxy_pass https://127.0.0.1:{{ ports['mailserver_jmap'] }}; + + include /etc/nginx/snippets/websocket.conf; + } +} diff --git a/roles/nginx/templates/sites-enabled/lldap.conf b/roles/nginx/templates/sites-enabled/lldap.conf new file mode 100644 index 0000000..9a97e1b --- /dev/null +++ b/roles/nginx/templates/sites-enabled/lldap.conf @@ -0,0 +1,14 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name ldap.{{ domain }}; + + include /etc/nginx/snippets/authelia-location.conf; + + location / { + proxy_pass http://127.0.0.1:{{ ports['lldap'] }}; + + include /etc/nginx/snippets/authelia-authrequest.conf; + } +} diff --git a/roles/nginx/templates/sites-enabled/searxng.conf b/roles/nginx/templates/sites-enabled/searxng.conf new file mode 100644 index 0000000..5457114 --- /dev/null +++ b/roles/nginx/templates/sites-enabled/searxng.conf 
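Review bot: In jmap.conf `proxy_pass https://127.0.0.1:{{ ports['mailserver_jmap'] }};` makes nginx a TLS client to the mail server, but nginx's `proxy_ssl_verify` defaults to off, so the upstream certificate is never checked — an accepted trade-off on loopback, but it should be explicit rather than implicit. Either verify it (`proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem; proxy_ssl_name jmap.{{ domain }};` if the backend presents the same certificate, which I cannot confirm from here) or add `# backend TLS is loopback-only; certificate deliberately not verified` above the `proxy_pass`. Note this is the only site in the set that talks TLS to its upstream, which is itself worth a comment.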
@@ -0,0 +1,13 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name searx.{{ domain }}; + + location / { + proxy_pass http://127.0.0.1:{{ ports['searxng'] }}; + + include /etc/nginx/snippets/ssl-headers.conf; + add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"; + } +} diff --git a/roles/nginx/templates/sites-enabled/synapse.conf b/roles/nginx/templates/sites-enabled/synapse.conf new file mode 100644 index 0000000..ea84c24 --- /dev/null +++ b/roles/nginx/templates/sites-enabled/synapse.conf @@ -0,0 +1,12 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name matrix.{{ domain }}; + + location / { + proxy_pass http://127.0.0.1:{{ ports['synapse'] }}; + + client_max_body_size {{ synapse['max_upload_size'] }}; + } +} diff --git a/roles/nginx/templates/sites-enabled/syncthing-discovery.conf b/roles/nginx/templates/sites-enabled/syncthing-discovery.conf new file mode 100644 index 0000000..5cbb163 --- /dev/null +++ b/roles/nginx/templates/sites-enabled/syncthing-discovery.conf @@ -0,0 +1,16 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name stdisco.{{ domain }}; + + ssl_verify_client optional_no_ca; + + location / { + proxy_pass http://127.0.0.1:{{ ports['syncthing_discosrv'] }}; + + proxy_set_header X-Client-Port $remote_port; + proxy_set_header X-SSL-Cert $ssl_client_cert; + include /etc/nginx/snippets/websocket.conf; + } +} 
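Review bot: The rationale for `client_max_body_size {{ synapse['max_upload_size'] }};` in synapse.conf was dropped in the move (the deleted file explained that nginx's 1M default must be raised to match `max_upload_size` in homeserver.yaml); restore it as `# nginx defaults to 1M; keep in step with max_upload_size in homeserver.yaml or uploads fail with 413 at the proxy`. Since homepage.conf's `.well-known/matrix/server` answers `matrix.{{ domain }}:443`, federation traffic from other homeservers also lands in this server block, not only client traffic — a comment saying so would help whoever later adds access rules or rate limits here.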
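Review bot: In syncthing-discovery.conf the `location /` sets its own `proxy_set_header` lines (`X-Client-Port`, `X-SSL-Cert`, plus the two from websocket.conf), and nginx inherits `proxy_set_header` from the http level only when the current level sets none — so this location forwards neither `Host` nor `X-Forwarded-For` from `snippets/proxy.conf`, and the discovery server presumably records 127.0.0.1 as every announcing device's address. Add `include /etc/nginx/snippets/proxy.conf;` inside the location (at minimum `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`). `ssl_verify_client optional_no_ca;` also deserves a comment: it requests a certificate from every client and accepts one from any issuer, handing the PEM to the backend in `X-SSL-Cert` so that the discovery server, not nginx, decides whether to trust it; because `proxy_set_header` overwrites any `X-SSL-Cert` a client sends itself, the comment should warn never to replace it with a pass-through of the client's header. The `websocket.conf` include is new here relative to the old config; if the discovery server does not use WebSocket it is harmless but misleading.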
diff --git a/roles/nginx/templates/sites-enabled/syncthing.conf b/roles/nginx/templates/sites-enabled/syncthing.conf new file mode 100644 index 0000000..d78f19b --- /dev/null +++ b/roles/nginx/templates/sites-enabled/syncthing.conf @@ -0,0 +1,14 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name syncthing.{{ domain }}; + + include /etc/nginx/snippets/authelia-location.conf; + + location / { + proxy_pass http://127.0.0.1:{{ ports['syncthing_webui'] }}; + + include /etc/nginx/snippets/authelia-authrequest.conf; + } +} diff --git a/roles/nginx/templates/sites-enabled/uptime-kuma.conf b/roles/nginx/templates/sites-enabled/uptime-kuma.conf new file mode 100644 index 0000000..a90762f --- /dev/null +++ b/roles/nginx/templates/sites-enabled/uptime-kuma.conf @@ -0,0 +1,12 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name status.{{ domain }}; + + location / { + proxy_pass http://127.0.0.1:{{ ports['uptime_kuma'] }}; + + include /etc/nginx/snippets/websocket.conf; + } +} diff --git a/roles/nginx/templates/sites-enabled/vaultwarden.conf b/roles/nginx/templates/sites-enabled/vaultwarden.conf new file mode 100644 index 0000000..cfaceb6 --- /dev/null +++ b/roles/nginx/templates/sites-enabled/vaultwarden.conf @@ -0,0 +1,18 @@ +upstream vaultwarden { + zone vaultwarden 64k; + server 127.0.0.1:{{ ports['vaultwarden'] }}; + keepalive 2; +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name vw.{{ domain }}; + + location / { + proxy_pass http://vaultwarden; + + include /etc/nginx/snippets/websocket.conf; + } +} diff --git a/roles/reverse-proxy/templates/authelia-authrequest.conf b/roles/nginx/templates/snippets/authelia-authrequest.conf similarity index 100% rename from roles/reverse-proxy/templates/authelia-authrequest.conf rename to roles/nginx/templates/snippets/authelia-authrequest.conf 
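Review bot: vaultwarden.conf never raises `client_max_body_size`, so nginx's 1M default applies and any attachment or Send upload above that is rejected with 413 before Vaultwarden sees it; its own reverse-proxy examples set `client_max_body_size 525M;` to match the server-side limit, so add that next to `proxy_pass http://vaultwarden;` (adjust if the Vaultwarden instance is configured lower). The `keepalive 2;` on the upstream only works because the `$connection_upgrade` map turns a missing Upgrade header into `Connection ""`, which is what lets non-WebSocket requests reuse the pooled connection — a comment on the upstream block, `# keepalive relies on $connection_upgrade mapping '' to "" so plain requests do not send Connection: close`, ties the two together. Because this location includes websocket.conf, which sets its own `proxy_set_header`, the http-level `Host`/`X-Real-IP`/`X-Forwarded-*` headers are not inherited here either, which matters for Vaultwarden's client-IP based lockouts.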
diff --git a/roles/reverse-proxy/templates/authelia-location.conf b/roles/nginx/templates/snippets/authelia-location.conf similarity index 71% rename from roles/reverse-proxy/templates/authelia-location.conf rename to roles/nginx/templates/snippets/authelia-location.conf index fe728f9..57d149c 100644 --- a/roles/reverse-proxy/templates/authelia-location.conf +++ b/roles/nginx/templates/snippets/authelia-location.conf @@ -1,15 +1,15 @@ location /internal/authelia/authz { internal; - proxy_pass http://127.0.0.1:{{ ports['authelia'] }}/api/authz/auth-request; + proxy_pass http://127.0.0.1:{{ ports['authelia'] }}/api/authz/auth-request; - proxy_set_header X-Original-Method $request_method; + proxy_set_header X-Original-Method $request_method; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Content-Length ""; proxy_set_header Connection ""; - proxy_pass_request_body off; + proxy_pass_request_body off; proxy_http_version 1.1; proxy_cache_bypass $cookie_session; proxy_no_cache $cookie_session; diff --git a/roles/nginx/templates/snippets/proxy.conf b/roles/nginx/templates/snippets/proxy.conf new file mode 100644 index 0000000..e54c7ed --- /dev/null +++ b/roles/nginx/templates/snippets/proxy.conf @@ -0,0 +1,10 @@ +proxy_http_version 1.1; +proxy_set_header Host $host; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Host $http_host; +proxy_set_header X-Forwarded-Port $server_port; +proxy_set_header X-Forwarded-Proto $scheme; +proxy_set_header X-Forwarded-Scheme $scheme; +proxy_set_header X-Forwarded-URI $request_uri; +proxy_set_header X-Original-URL $scheme://$http_host$request_uri; +proxy_set_header X-Real-IP $remote_addr; 
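Review bot: Putting these `proxy_set_header` lines at http level (nginx.conf includes proxy.conf there) only reaches locations that set no `proxy_set_header` of their own: nginx inherits `proxy_set_header` from the enclosing level as a block, and one directive at the location level discards all of it. Every location that includes `websocket.conf` (hedgedoc `/socket.io/`, jmap, syncthing-discovery, uptime-kuma, vaultwarden) plus the `X-Client-Port`/`X-SSL-Cert` lines in syncthing-discovery therefore sends no `Host`, `X-Real-IP`, `X-Forwarded-For` or `X-Forwarded-Proto` upstream, so those apps see 127.0.0.1 and `http` — breaking client-IP logging and rate limiting and any scheme-dependent redirect; the same presumably applies to the lldap and syncthing locations if `authelia-authrequest.conf` (not shown) sets headers. The cheapest fix is to make the snippets self-contained: put `include /etc/nginx/snippets/proxy.conf;` as the first line of `websocket.conf` (and of `authelia-authrequest.conf` if it sets headers), add the same include to the syncthing-discovery location, and open this file with `# Inherited only by locations with no proxy_set_header of their own — re-include in any location that sets one`.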
diff --git a/roles/reverse-proxy/files/ssl-headers.conf b/roles/nginx/templates/snippets/ssl-headers.conf
similarity index 100%
rename from roles/reverse-proxy/files/ssl-headers.conf
rename to roles/nginx/templates/snippets/ssl-headers.conf
diff --git a/roles/nginx/templates/snippets/ssl.conf b/roles/nginx/templates/snippets/ssl.conf
new file mode 100644
index 0000000..bf890d1
--- /dev/null
+++ b/roles/nginx/templates/snippets/ssl.conf
@@ -0,0 +1,18 @@
+ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
+ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /etc/nginx/dhparam.txt;
+
+ssl_prefer_server_ciphers on;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+
+ssl_stapling on;
+ssl_stapling_verify on;
diff --git a/roles/nginx/templates/snippets/websocket.conf b/roles/nginx/templates/snippets/websocket.conf
new file mode 100644
index 0000000..f75eb91
--- /dev/null
+++ b/roles/nginx/templates/snippets/websocket.conf
@@ -0,0 +1,2 @@
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
diff --git a/roles/reverse-proxy/tasks/main.yml b/roles/reverse-proxy/tasks/main.yml
deleted file mode 100644
index ea8a31a..0000000
--- a/roles/reverse-proxy/tasks/main.yml
+++ /dev/null
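Review bot: `ssl_stapling on;` / `ssl_stapling_verify on;` in ssl.conf now run with no `resolver` anywhere in the configuration — the deleted nginx.conf had `resolver {{ reverse_proxy['resolver'] }}` and this patch removes the variable from env.yml without carrying the directive over — so nginx cannot resolve the OCSP responder named in the certificate, logs a "no resolver defined" warning at the first attempt and serves no stapled response, while the config still claims to. Either restore a `resolver <ip> [<ip6>] valid=300s;` line in nginx.conf (a local resolver is preferable, since OCSP lookups otherwise go to a third party in clear text) or delete the two stapling lines; Let's Encrypt has since announced it is ending OCSP service, so removal may be the longer-lived answer. The `# curl …` comment above `ssl_dhparam` is stale now that the role downloads the file itself; `# fetched by roles/nginx/tasks/main.yml (RFC 7919 ffdhe2048, from Mozilla)` describes what actually happens. `ssl_prefer_server_ciphers on` departs from Mozilla's intermediate profile (`off`); harmless with this AEAD-only list, but note it if it is deliberate.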
@@ -1,79 +0,0 @@ -- name: - become: true - block: - - name: Install package nginx - apt: - name: nginx - - - name: Template configuration files to /etc/nginx/ - template: - src: "{{ item }}" - dest: "/etc/nginx/{{ item }}" - owner: root - group: root - mode: '644' - loop: - - nginx.conf - - authelia-location.conf - - authelia-authrequest.conf - - - name: Template reverse-proxy.conf to /etc/nginx/sites-available/reverse-proxy.conf - template: - src: reverse-proxy.conf - dest: /etc/nginx/sites-available/reverse-proxy.conf - owner: root - group: root - mode: '644' - - - name: Copy ssl-headers.conf to /etc/nginx/conf.d/ssl-headers.conf - copy: - src: files/ssl-headers.conf - dest: /etc/nginx/conf.d/ssl-headers.conf - owner: root - group: root - mode: '644' - - - name: Remove all enabled NGINX sites - file: - state: "{{ item }}" - path: "/etc/nginx/sites-enabled" - owner: root - group: root - mode: '755' - loop: - - absent - - directory - - - name: Enable reverse-proxy.conf site - file: - state: link - src: /etc/nginx/sites-available/reverse-proxy.conf - dest: /etc/nginx/sites-enabled/reverse-proxy.conf - - - name: Get state of file /etc/nginx/dhparam.txt - stat: - path: /etc/nginx/dhparam.txt - register: nginx_stat_dhparam_result - - - name: Download dhparam file from Mozilla - get_url: - url: https://ssl-config.mozilla.org/ffdhe2048.txt - dest: /etc/nginx/dhparam.txt - when: not nginx_stat_dhparam_result.stat.exists - - - name: Set correct permissions on certificate directories - file: - path: "/etc/letsencrypt/{{ item }}/{{ domain }}" - state: directory - owner: root - group: root - mode: '750' - loop: - - live - - archive - - - name: Start/Reload NGINX service - service: - name: nginx - state: reloaded - enabled: yes diff --git a/roles/reverse-proxy/templates/nginx.conf b/roles/reverse-proxy/templates/nginx.conf deleted file mode 100644 index 277fd3b..0000000 --- a/roles/reverse-proxy/templates/nginx.conf +++ /dev/null 
@@ -1,86 +0,0 @@ -user www-data; -worker_processes auto; -worker_rlimit_nofile 1024; -include /etc/nginx/modules-enabled/*.conf; - -events { - worker_connections 512; - multi_accept off; -} - -http { - - ## - # Basic Settings - ## - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - - gzip off; - server_tokens off; - keepalive_timeout 30; - - include /etc/nginx/mime.types; - - ## - # SSL Settings - ## - - ssl_certificate {{ reverse_proxy['ssl_certificate_file'] }}; - ssl_certificate_key {{ reverse_proxy['ssl_certificate_key_file'] }}; - ssl_trusted_certificate {{ reverse_proxy['ssl_trusted_certificate_file'] }}; - - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; - # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam - ssl_dhparam /etc/nginx/dhparam.txt; - - ssl_prefer_server_ciphers on; - - ssl_session_timeout 1d; - ssl_session_cache shared:MozSSL:10m; - ssl_session_tickets off; - - ssl_stapling on; - ssl_stapling_verify on; - - ## - # Logging Settings - ## - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - ## - # Headers - ## - - resolver {{ reverse_proxy['resolver'] }}; - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Port $server_port; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Scheme $scheme; - proxy_set_header X-Forwarded-URI $request_uri; - proxy_set_header X-Real-IP $remote_addr; - - # Needed to support websocket connections - # See: https://nginx.org/en/docs/http/websocket.html - # Instead of "close" as stated in the above link we send an empty value. - # Else all keepalive connections will not work. 
- map $http_upgrade $connection_upgrade { - default upgrade; - '' ""; - } - - ## - # Virtual Host Configs - ## - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; -} diff --git a/roles/reverse-proxy/templates/reverse-proxy.conf b/roles/reverse-proxy/templates/reverse-proxy.conf deleted file mode 100644 index b60ec6f..0000000 --- a/roles/reverse-proxy/templates/reverse-proxy.conf +++ /dev/null 
@@ -1,273 +0,0 @@ -# Redirect HTTP to HTTPS -server { - listen 80 default_server; - listen [::]:80 default_server; - - server_name _; - - return 308 https://$host$request_uri; -} - - -# Default HTTPS server -server { - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; - - server_name _; - server_name_in_redirect off; - - return 404; -} - - -# Homepage -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name {{ domain }}; - - location = /.well-known/matrix/server { - default_type application/json; - - return 200 '{ "m.server": "matrix.{{ domain }}:443" }'; - } - - location = /.well-known/matrix/client { - default_type application/json; - - include /etc/nginx/conf.d/ssl-headers.conf; - add_header Access-Control-Allow-Origin '*'; - - return 200 '{ "m.homeserver": { "base_url": "https://matrix.{{ domain }}" } }'; - } - - location / { - proxy_pass http://127.0.0.1:{{ ports['homepage'] }}; - } -} - - -# Downloads -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name dl.{{ domain }}; - - root /var/www/html; - autoindex on; -} - - -# Authelia -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name auth.{{ domain }}; - - location / { - proxy_pass http://127.0.0.1:{{ ports['authelia'] }}; - } -} - - -# Element -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name element.{{ domain }}; - - location / { - proxy_pass http://127.0.0.1:{{ ports['element'] }}; - - include /etc/nginx/conf.d/ssl-headers.conf; - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'none'"; - } -} - - -# Etebase -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name etebase.{{ domain }}; - - location / { - proxy_pass http://127.0.0.1:{{ ports['etebase'] }}; - } -} - - -# Hedgedoc -server { - listen 443 ssl http2; - listen 
[::]:443 ssl http2; - - server_name hedgedoc.{{ domain }}; - - location / { - proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }}; - } - - location /socket.io/ { - proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }}; - - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $http_connection; - } -} - - -# JMAP -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name jmap.{{ domain }}; - - location / { - proxy_pass https://127.0.0.1:{{ ports['mailserver_jmap'] }}; - - # Websocket - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - } -} - - -# LLDAP -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name ldap.{{ domain }}; - - include /etc/nginx/authelia-location.conf; - - location / { - proxy_pass http://127.0.0.1:{{ ports['lldap'] }}; - include /etc/nginx/authelia-authrequest.conf; - } -} - - -# SearXNG -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name searx.{{ domain }}; - - location / { - proxy_pass http://127.0.0.1:{{ ports['searxng'] }}; - - include /etc/nginx/conf.d/ssl-headers.conf; - add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"; - } -} - - -# Synapse -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name matrix.{{ domain }}; - - location / { - proxy_pass http://127.0.0.1:{{ ports['synapse'] }}; - - # Nginx by default only allows file uploads up to 1M in size - # Increase 
client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size {{ synapse['max_upload_size'] }}; - } -} - - -# Syncthihng -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name syncthing.{{ domain }}; - - include /etc/nginx/authelia-location.conf; - - location / { - proxy_pass http://127.0.0.1:{{ ports['syncthing_webui'] }}; - include /etc/nginx/authelia-authrequest.conf; - } -} - - -# Syncthing Discovery -upstream stdisco.{{ domain }} { - # Local IP address:port for discovery server - server 127.0.0.1:{{ ports['syncthing_discosrv'] }}; -} -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name stdisco.{{ domain }}; - - ssl_verify_client optional_no_ca; - - location / { - proxy_pass http://stdisco.{{ domain }}; - - proxy_set_header X-Client-Port $remote_port; - proxy_set_header X-SSL-Cert $ssl_client_cert; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $http_connection; - } -} - - -# Uptime Kuma -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name status.{{ domain }}; - - location / { - proxy_pass http://127.0.0.1:{{ ports['uptime_kuma'] }}; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - } -} - - -# Vaultwarden -upstream vaultwarden-default { - zone vaultwarden-default 64k; - server 127.0.0.1:{{ ports['vaultwarden'] }}; - keepalive 2; -} -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name vw.{{ domain }}; - - location / { - proxy_pass http://vaultwarden-default; - - # Websocket - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - } -}