228 lines
4.7 KiB
Text
228 lines
4.7 KiB
Text
# Redirect HTTP to HTTPS
|
|
server {
|
|
listen 80 default_server;
|
|
listen [::]:80 default_server;
|
|
|
|
server_name _;
|
|
|
|
return 308 https://$host$request_uri;
|
|
}
|
|
|
|
|
|
# Default HTTPS server
|
|
server {
|
|
listen 443 ssl http2 default_server;
|
|
listen [::]:443 ssl http2 default_server;
|
|
|
|
server_name _;
|
|
server_name_in_redirect off;
|
|
|
|
return 404;
|
|
}
|
|
|
|
|
|
# Homepage
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
|
|
server_name {{ domain }};
|
|
|
|
location = /.well-known/matrix/server {
|
|
default_type application/json;
|
|
|
|
return 200 '{ "m.server": "matrix.{{ domain }}:443" }';
|
|
}
|
|
|
|
location = /.well-known/matrix/client {
|
|
default_type application/json;
|
|
|
|
include /etc/nginx/conf.d/ssl-headers.conf;
|
|
add_header Access-Control-Allow-Origin '*';
|
|
|
|
return 200 '{ "m.homeserver": { "base_url": "https://matrix.{{ domain }}" } }';
|
|
}
|
|
|
|
location / {
|
|
proxy_pass http://127.0.0.1:{{ ports['homepage'] }};
|
|
}
|
|
}
|
|
|
|
|
|
# Downloads
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
|
|
server_name dl.{{ domain }};
|
|
|
|
root /var/www/html;
|
|
autoindex on;
|
|
}
|
|
|
|
|
|
# Element
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
|
|
server_name element.{{ domain }};
|
|
|
|
location / {
|
|
proxy_pass http://127.0.0.1:{{ ports['element'] }};
|
|
|
|
include /etc/nginx/conf.d/ssl-headers.conf;
|
|
add_header X-Frame-Options SAMEORIGIN;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header Content-Security-Policy "frame-ancestors 'none'";
|
|
}
|
|
}
|
|
|
|
|
|
# Etebase
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
|
|
server_name etebase.{{ domain }};
|
|
|
|
location / {
|
|
proxy_pass http://127.0.0.1:{{ ports['etebase'] }};
|
|
}
|
|
}
|
|
|
|
|
|
# Hedgedoc
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
|
|
server_name hedgedoc.{{ domain }};
|
|
|
|
location / {
|
|
proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
|
|
}
|
|
|
|
location /socket.io/ {
|
|
proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $http_connection;
|
|
}
|
|
}
|
|
|
|
|
|
# JMAP
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
|
|
server_name mail.{{ domain }};
|
|
|
|
location / {
|
|
proxy_pass https://127.0.0.1:{{ ports['mailserver_jmap'] }};
|
|
|
|
# Websocket
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
}
|
|
}
|
|
|
|
|
|
# SearXNG
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
|
|
server_name searx.{{ domain }};
|
|
|
|
location / {
|
|
proxy_pass http://127.0.0.1:{{ ports['searxng'] }};
|
|
|
|
include /etc/nginx/conf.d/ssl-headers.conf;
|
|
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
|
|
}
|
|
}
|
|
|
|
|
|
# Synapse
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
|
|
server_name matrix.{{ domain }};
|
|
|
|
location / {
|
|
proxy_pass http://127.0.0.1:{{ ports['synapse'] }};
|
|
|
|
# Nginx by default only allows file uploads up to 1M in size
|
|
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
|
client_max_body_size {{ synapse['max_upload_size'] }};
|
|
}
|
|
}
|
|
|
|
|
|
# Syncthing Discovery
|
|
upstream stdisco.{{ domain }} {
|
|
# Local IP address:port for discovery server
|
|
server 127.0.0.1:{{ ports['syncthing_discosrv'] }};
|
|
}
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
|
|
server_name stdisco.{{ domain }};
|
|
|
|
ssl_verify_client optional_no_ca;
|
|
|
|
location / {
|
|
proxy_pass http://stdisco.{{ domain }};
|
|
|
|
proxy_set_header X-Client-Port $remote_port;
|
|
proxy_set_header X-SSL-Cert $ssl_client_cert;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $http_connection;
|
|
}
|
|
}
|
|
|
|
|
|
# Uptime Kuma
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
|
|
server_name status.{{ domain }};
|
|
|
|
location / {
|
|
proxy_pass http://127.0.0.1:{{ ports['uptime_kuma'] }};
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
}
|
|
}
|
|
|
|
|
|
# Vaultwarden
|
|
upstream vaultwarden-default {
|
|
zone vaultwarden-default 64k;
|
|
server 127.0.0.1:{{ ports['vaultwarden'] }};
|
|
keepalive 2;
|
|
}
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
|
|
server_name vw.{{ domain }};
|
|
|
|
location / {
|
|
proxy_pass http://vaultwarden-default;
|
|
|
|
# Websocket
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
}
|
|
}
|