vps/roles/reverse-proxy/templates/reverse-proxy.conf

# Redirect HTTP to HTTPS
# Catch-all vhost for plain-HTTP on IPv4 and IPv6. Nothing is served here; every
# request is answered with a redirect to the same host and path over TLS.
# 308 (rather than 301/302) preserves the request method and body, so a POST is
# replayed as a POST on the HTTPS side.
# NOTE(review): $host is derived from the client-supplied Host header, and with
# server_name "_" any value is reflected into the Location header. That is the
# usual trade-off for a generic redirect vhost; keep it content-free.
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 308 https://$host$request_uri;
}
# Default HTTPS server
# Handles TLS requests whose SNI/Host matches none of the named vhosts below
# (unknown subdomains, raw IP access, scanners) and answers 404 instead of
# silently falling into the first configured server.
# server_name_in_redirect off: any redirect nginx generates uses the request's
# Host rather than the literal "_".
# The ssl_certificate used for this handshake is not set in this template; it is
# presumably inherited from the http{} context — confirm in nginx.conf.
# NOTE(review): on nginx >= 1.19.4, `ssl_reject_handshake on;` in this block
# would refuse the handshake for unknown names instead of serving the default
# certificate; only adopt it if the installed version supports it.
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
server_name_in_redirect off;
return 404;
}
# Homepage
# Apex domain: serves the Matrix .well-known delegation documents directly from
# nginx and proxies everything else to the homepage app.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ domain }};
# Server-server delegation: federation for "{{ domain }}" is handled by
# matrix.{{ domain }}:443 (the Synapse vhost below). Exact-match location so
# nothing else can shadow it.
location = /.well-known/matrix/server {
default_type application/json;
return 200 '{ "m.server": "matrix.{{ domain }}:443" }';
}
# Client-server discovery. The wildcard CORS header is required here because
# Matrix clients fetch this document cross-origin; the document carries no
# secrets, so "*" is appropriate.
location = /.well-known/matrix/client {
default_type application/json;
add_header Access-Control-Allow-Origin '*';
return 200 '{ "m.homeserver": { "base_url": "https://matrix.{{ domain }}" } }';
}
# NOTE(review): no Host / X-Forwarded-* headers are passed to the homepage
# backend; it will see "localhost:<port>" as Host and 127.0.0.1 as the client.
# Fine if the app is purely static — verify before relying on its logs.
location / {
proxy_pass http://localhost:{{ ports['homepage'] }};
}
}
# Downloads
# Plain static file share with directory listings enabled. Everything under
# /var/www/html is world-readable and enumerable; treat that directory as
# public and do not drop anything sensitive there. Files are served by name
# regardless of whether they appear in the listing.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dl.{{ domain }};
root /var/www/html;
autoindex on;
}
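# Element
# Static Element Web client behind a proxy. Security headers are attached here
# because the upstream only serves files. "always" makes nginx emit the headers
# on error responses as well; without it add_header only applies to 2xx/3xx.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name element.{{ domain }};
    location / {
        proxy_pass http://localhost:{{ ports['element'] }};
        # Browsers that understand CSP frame-ancestors ignore X-Frame-Options;
        # SAMEORIGIN only matters for legacy user agents.
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Content-Type-Options nosniff always;
        # Legacy header: current browsers have removed the XSS auditor, kept
        # for old user agents only.
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Content-Security-Policy "frame-ancestors 'none'" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        # Dropped: `add_header Set-Cookie "Path=/; HttpOnly; Secure"`. That line
        # does not harden upstream cookies; it creates a new cookie literally
        # named "Path". Element Web sets no server-side cookies, so there is
        # nothing to flag here. For an app that does, use proxy_cookie_flags.
    }
}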
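# Etebase
# Only the Etebase API is exposed; the Django admin interface is not reachable
# from the outside. An explicit deny location replaces the negative-lookahead
# regex (`location ~ ^/(?!admin)`): both exclude every URI starting with
# "/admin", but the explicit form answers a deterministic 404 instead of
# falling through to nginx's default static root.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name etebase.{{ domain }};
    # Longest prefix match wins, so this takes precedence over "location /".
    location /admin {
        return 404;
    }
    location / {
        proxy_pass http://localhost:{{ ports['etebase'] }};
    }
}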
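# Hedgedoc
# Proxies HedgeDoc and forwards the original host, client IP and scheme so the
# application logs and generates URLs for the real client rather than for
# 127.0.0.1 / "localhost:<port>". The realtime editor uses socket.io under
# /socket.io/; the upgrade headers let it use a WebSocket instead of falling
# back to long-polling.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name hedgedoc.{{ domain }};
    location /socket.io/ {
        proxy_pass http://localhost:{{ ports['hedgedoc'] }};
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location / {
        proxy_pass http://localhost:{{ ports['hedgedoc'] }};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}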
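# SearXNG
# Proxies SearXNG. The forwarded headers are what SearXNG's own reverse-proxy
# guidance expects: without X-Forwarded-For / X-Real-IP every request appears to
# come from 127.0.0.1, which defeats per-client rate limiting and logging.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name searx.{{ domain }};
    location / {
        proxy_pass http://localhost:{{ ports['searxng'] }};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Scheme $scheme;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        # Dropped: `add_header Set-Cookie "Path=/; HttpOnly; Secure"`. It does
        # not modify the cookies SearXNG sets; it adds a separate cookie named
        # "Path". To flag upstream cookies use proxy_cookie_flags
        # (`proxy_cookie_flags ~ secure httponly;`), available on
        # nginx >= 1.19.3 — confirm the installed version before adding it.
        # Content-Security-Policy is kept verbatim; the allow-listed origins are
        # the external services SearXNG embeds (map tiles, media players, the
        # bug-report form).
        add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
    }
}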
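# Synapse
# Matrix homeserver. Only the client/federation API (/_matrix) and the
# client-facing /_synapse/client paths are proxied; /_synapse/admin is
# deliberately not matched and therefore never reachable from outside.
# Host, X-Forwarded-For and X-Forwarded-Proto are the headers Synapse's
# reverse-proxy documentation expects; they are only honoured when the listener
# in homeserver.yaml has x_forwarded enabled — verify that setting, otherwise
# rate limiting keys on 127.0.0.1.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name matrix.{{ domain }};
    location ~ ^(/_matrix|/_synapse/client) {
        proxy_pass http://localhost:{{ ports['synapse'] }};
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Nginx by default only allows file uploads up to 1M in size
        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
        client_max_body_size {{ synapse['max_upload_size'] }};
    }
    # Anything else on this host (a browser hitting the root) is sent to the
    # web client.
    location / {
        return 308 https://element.{{ domain }}/;
    }
}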
# Syncthing Discovery
# Named upstream for the discovery server. Because the upstream name equals the
# public hostname, proxy_pass to it sends "stdisco.{{ domain }}" as the Host
# header by default.
upstream stdisco.{{ domain }} {
# Local IP address:port for discovery server
server localhost:{{ ports['syncthing_discosrv'] }};
}
# TLS-terminating front for the Syncthing discovery server. Clients
# authenticate with their device certificate, which nginx must request and
# hand through to the backend.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name stdisco.{{ domain }};
# Request a client certificate but do not validate it against a CA: device
# certificates are self-signed. Validation is presumably done by the discovery
# server from the forwarded certificate — confirm against its documentation.
ssl_verify_client optional_no_ca;
location / {
proxy_pass http://stdisco.{{ domain }};
proxy_set_header X-Client-Port $remote_port;
# PEM client certificate, continuation lines tab-prefixed. nginx marks
# $ssl_client_cert deprecated in favour of $ssl_client_escaped_cert; only
# switch if the discovery server accepts the URL-encoded form.
proxy_set_header X-SSL-Cert $ssl_client_cert;
# Pass the client's own Upgrade/Connection values through (no map needed).
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}
}
# Vaultwarden
# Upstream with a small keepalive pool. keepalive only takes effect when the
# proxying location uses HTTP/1.1 and the Connection header is not "close"
# (the server block below sets proxy_http_version 1.1).
upstream vaultwarden-default {
# Shared-memory zone for upstream state.
zone vaultwarden-default 64k;
server localhost:{{ ports['vaultwarden'] }};
# Idle upstream connections kept open per worker.
keepalive 2;
}
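# Vaultwarden vhost. Forwards the original host, client IP and scheme: the
# default upstream Host would be the literal upstream name "vaultwarden-default",
# and without X-Real-IP the application attributes every login attempt to
# 127.0.0.1, which blanks its failed-login logging and admin-panel lockout.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name vw.{{ domain }};
    location / {
        proxy_pass http://vaultwarden-default;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # $connection_upgrade is not defined in this template; it relies on a
        # `map $http_upgrade $connection_upgrade { ... }` in the http{} context
        # (nginx refuses to start without it) — confirm it exists in nginx.conf.
        proxy_set_header Connection $connection_upgrade;
        # Large attachment uploads.
        client_max_body_size 525M;
    }
}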