podman-services/etc/nginx/sites-available/passwords-psono.theribbles.org

server {
	if ($host = passwords.theribbles.org) {
		return 301 https://$host$request_uri;
	} # managed by Certbot

	server_name passwords.theribbles.org;
	listen 80;
	listen [::]:80;
	return 404; # managed by Certbot
}

server {
	listen [::]:443 ssl; # managed by Certbot
	listen 443 ssl; # managed by Certbot

	server_name passwords.theribbles.org;

	# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

	add_header Referrer-Policy same-origin;
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";

	# If you have the admin fileserver installed too behind this reverse proxy domain, add your fileserver URL e.g. https://fs01.example.com as connect-src too:
	# add_header Content-Security-Policy "default-src 'none';  manifest-src 'self'; connect-src 'self' https://static.psono.com https://api.pwnedpasswords.com https://storage.googleapis.com https://*.digitaloceanspaces.com https://*.s3.amazonaws.com; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'self'";

	ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

	client_max_body_size 256m;

	gzip on;
	gzip_disable "msie6";

	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	gzip_buffers 16 8k;
	gzip_http_version 1.1;
	gzip_min_length 256;
	gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

	index index.html;
	try_files $uri /index.html;

	location / {
		add_header Pragma public;
		add_header Cache-Control "public";

		root /var/www/html/psono/webclient;
	}

	location /portal {
		add_header Pragma public;
		add_header Cache-Control "public";

		alias /var/www/html/psono/admin-webclient;
	}

	location /server {
		rewrite ^/server/(.*) /$1 break;
		proxy_set_header        Host $host;
		proxy_set_header        X-Real-IP $remote_addr;
		proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header        X-Forwarded-Proto $scheme;

		add_header Last-Modified $date_gmt;
		add_header Pragma "no-cache";
		add_header Cache-Control "private, max-age=0, no-cache, no-store";
		if_modified_since off;
		expires off;
		etag off;

		proxy_pass          http://127.0.0.1:10040;
	}

}
Add nginx configs. 2024-02-21 12:37:30 -08:00			`server {`
			`if ($host = passwords.theribbles.org) {`
			`return 301 https://$host$request_uri;`
			`} # managed by Certbot`

			`server_name passwords.theribbles.org;`
			`listen 80;`
			`listen [::]:80;`
			`return 404; # managed by Certbot`
			`}`

			`server {`
			`listen [::]:443 ssl; # managed by Certbot`
			`listen 443 ssl; # managed by Certbot`

			`server_name passwords.theribbles.org;`

			`# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";`

			`add_header Referrer-Policy same-origin;`
			`add_header X-Frame-Options DENY;`
			`add_header X-Content-Type-Options nosniff;`
			`add_header X-XSS-Protection "1; mode=block";`

			`# If you have the admin fileserver installed too behind this reverse proxy domain, add your fileserver URL e.g. https://fs01.example.com as connect-src too:`
			`# add_header Content-Security-Policy "default-src 'none'; manifest-src 'self'; connect-src 'self' https://static.psono.com https://api.pwnedpasswords.com https://storage.googleapis.com https://.digitaloceanspaces.com https://.s3.amazonaws.com; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'self'";`

			`ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot`
			`ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot`
			`include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot`
			`ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot`

			`client_max_body_size 256m;`

			`gzip on;`
			`gzip_disable "msie6";`

			`gzip_vary on;`
			`gzip_proxied any;`
			`gzip_comp_level 6;`
			`gzip_buffers 16 8k;`
			`gzip_http_version 1.1;`
			`gzip_min_length 256;`
			`gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;`

			`index index.html;`
			`try_files $uri /index.html;`

			`location / {`
			`add_header Pragma public;`
			`add_header Cache-Control "public";`

			`root /var/www/html/psono/webclient;`
			`}`

			`location /portal {`
			`add_header Pragma public;`
			`add_header Cache-Control "public";`

			`alias /var/www/html/psono/admin-webclient;`
			`}`

			`location /server {`
			`rewrite ^/server/(.*) /$1 break;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`

			`add_header Last-Modified $date_gmt;`
			`add_header Pragma "no-cache";`
			`add_header Cache-Control "private, max-age=0, no-cache, no-store";`
			`if_modified_since off;`
			`expires off;`
			`etag off;`

			`proxy_pass http://127.0.0.1:10040;`
			`}`

			`}`