From da3cda28cd5fe032e59555eac48dd302910249e3 Mon Sep 17 00:00:00 2001 From: Eli Ribble Date: Wed, 21 Feb 2024 13:37:30 -0700 Subject: [PATCH] Add nginx configs. --- etc/nginx/auth-endpoints.conf | 14 ++ etc/nginx/auth.conf | 13 ++ etc/nginx/authelia.conf | 39 ++++++ etc/nginx/fastcgi.conf | 27 ++++ etc/nginx/fastcgi_params | 26 ++++ etc/nginx/koi-utf | 109 +++++++++++++++ etc/nginx/koi-win | 103 +++++++++++++++ etc/nginx/mime.types | 89 +++++++++++++ .../modules-enabled/50-mod-http-auth-pam.conf | 1 + .../modules-enabled/50-mod-http-dav-ext.conf | 1 + .../modules-enabled/50-mod-http-echo.conf | 1 + .../modules-enabled/50-mod-http-geoip.conf | 1 + .../modules-enabled/50-mod-http-geoip2.conf | 1 + .../50-mod-http-image-filter.conf | 1 + .../50-mod-http-subs-filter.conf | 1 + .../50-mod-http-upstream-fair.conf | 1 + .../50-mod-http-xslt-filter.conf | 1 + etc/nginx/modules-enabled/50-mod-mail.conf | 1 + etc/nginx/modules-enabled/50-mod-stream.conf | 1 + .../modules-enabled/70-mod-stream-geoip.conf | 1 + .../modules-enabled/70-mod-stream-geoip2.conf | 1 + etc/nginx/nginx.conf | 92 +++++++++++++ etc/nginx/nginx.conf.dpkg-old | 88 ++++++++++++ etc/nginx/proxy-photo-upload.conf | 42 ++++++ etc/nginx/proxy.conf | 39 ++++++ etc/nginx/proxy_params | 4 + etc/nginx/scgi_params | 17 +++ etc/nginx/sites-available/afaf.theribbles.org | 11 ++ .../sites-available/app-test.theribbles.org | 24 ++++ .../sites-available/audiobooks.theribbles.org | 26 ++++ etc/nginx/sites-available/auth.theribbles.org | 55 ++++++++ .../sites-available/auth.theribbles.org.bak | 27 ++++ .../sites-available/auth.theribbles.org.bak2 | 34 +++++ .../sites-available/beets.theribbles.org | 25 ++++ .../sites-available/budget.theribbles.org | 25 ++++ etc/nginx/sites-available/chat.theribbles.org | 47 +++++++ .../sites-available/cloud.theribbles.org | 31 +++++ .../sites-available/contacts.theribbles.org | 29 ++++ .../sites-available/db-test.theribbles.org | 28 ++++ etc/nginx/sites-available/default | 111 ++++++++++++++++ etc/nginx/sites-available/docs.theribbles.org | 50 +++++++ .../sites-available/email.theribbles.org | 36 +++++ .../sites-available/email.theribbles.org.bak | 30 +++++ .../sites-available/email.theribbles.org.bak2 | 36 +++++ .../sites-available/email.theribbles.org.bak3 | 34 +++++ .../sites-available/email2.theribbles.org | 30 +++++ .../sites-available/habits.theribbles.org | 30 +++++ etc/nginx/sites-available/home.theribbles.org | 41 ++++++ etc/nginx/sites-available/ipa.theribbles.org | 28 ++++ etc/nginx/sites-available/mail.theribbles.org | 53 ++++++++ .../sites-available/matrix.theribbles.org | 53 ++++++++ .../sites-available/media.theribbles.org | 80 +++++++++++ .../money-import.theribbles.org | 27 ++++ .../sites-available/money.theribbles.org | 41 ++++++ .../sites-available/oauth.theribbles.org | 27 ++++ .../passwords-psono.theribbles.org | 80 +++++++++++ .../sites-available/passwords.theribbles.org | 33 +++++ .../sites-available/photos.theribbles.org | 32 +++++ .../sites-available/pihole.theribbles.org | 33 +++++ etc/nginx/sites-available/plex.theribbles.org | 97 ++++++++++++++ .../sites-available/podcast.theribbles.org | 25 ++++ .../sites-available/ranbato.familyds.net | 15 +++ .../sites-available/recipes.theribbles.org | 29 ++++ .../sites-available/source.theribbles.org | 33 +++++ .../sites-available/todo-api.theribbles.org | 27 ++++ etc/nginx/sites-available/todo.theribbles.org | 33 +++++ .../sites-available/torrents.theribbles.org | 43 ++++++ .../sites-available/unifi.theribbles.org | 56 ++++++++ .../web-crypto-explorer.theribbles.org | 26 ++++ etc/nginx/sites-available/wiki.suvereno.org | 26 ++++ etc/nginx/sites-available/wiki.theribbles.org | 29 ++++ etc/nginx/sites-enabled/afaf.theribbles.org | 1 + .../sites-enabled/app-test.theribbles.org | 1 + .../sites-enabled/audiobooks.theribbles.org | 1 + etc/nginx/sites-enabled/auth.theribbles.org | 1 + etc/nginx/sites-enabled/beets.theribbles.org | 1 + etc/nginx/sites-enabled/budget.theribbles.org | 1 + etc/nginx/sites-enabled/chat.theribbles.org | 1 + etc/nginx/sites-enabled/cloud.theribbles.org | 1 + .../sites-enabled/contacts.theribbles.org | 1 + .../sites-enabled/db-test.theribbles.org | 1 + etc/nginx/sites-enabled/default | 1 + etc/nginx/sites-enabled/docs.theribbles.org | 1 + etc/nginx/sites-enabled/email.theribbles.org | 1 + etc/nginx/sites-enabled/email2.theribbles.org | 1 + etc/nginx/sites-enabled/home.theribbles.org | 1 + etc/nginx/sites-enabled/mail.theribbles.org | 1 + etc/nginx/sites-enabled/matrix.theribbles.org | 1 + etc/nginx/sites-enabled/media.theribbles.org | 1 + etc/nginx/sites-enabled/oauth.theribbles.org | 1 + .../sites-enabled/passwords.theribbles.org | 1 + etc/nginx/sites-enabled/photos.theribbles.org | 1 + etc/nginx/sites-enabled/pihole.theribbles.org | 1 + etc/nginx/sites-enabled/plex.theribbles.org | 1 + .../sites-enabled/podcast.theribbles.org | 1 + etc/nginx/sites-enabled/ranbato.familydns.net | 1 + .../sites-enabled/recipes.theribbles.org | 1 + etc/nginx/sites-enabled/source.theribbles.org | 1 + etc/nginx/sites-enabled/todo.theribbles.org | 1 + .../sites-enabled/torrents.theribbles.org | 1 + etc/nginx/sites-enabled/unifi.theribbles.org | 1 + .../web-crypto-explorer.theribbles.org | 1 + etc/nginx/sites-enabled/wiki.suvereno.org | 1 + etc/nginx/sites-enabled/wiki.theribbles.org | 1 + etc/nginx/snippets/auth-oauth2.conf | 10 ++ etc/nginx/snippets/fastcgi-php.conf | 14 ++ etc/nginx/snippets/fastcgi.conf | 26 ++++ etc/nginx/snippets/snakeoil.conf | 5 + etc/nginx/uwsgi_params | 17 +++ etc/nginx/win-utf | 125 ++++++++++++++++++ 110 files changed, 2631 insertions(+) create mode 100644 etc/nginx/auth-endpoints.conf create mode 100644 etc/nginx/auth.conf create mode 100644 etc/nginx/authelia.conf create mode 100644 etc/nginx/fastcgi.conf create mode 100644 etc/nginx/fastcgi_params create mode 100644 etc/nginx/koi-utf create mode 100644 etc/nginx/koi-win create mode 100644 etc/nginx/mime.types create mode 120000 etc/nginx/modules-enabled/50-mod-http-auth-pam.conf create mode 120000 etc/nginx/modules-enabled/50-mod-http-dav-ext.conf create mode 120000 etc/nginx/modules-enabled/50-mod-http-echo.conf create mode 120000 etc/nginx/modules-enabled/50-mod-http-geoip.conf create mode 120000 etc/nginx/modules-enabled/50-mod-http-geoip2.conf create mode 120000 etc/nginx/modules-enabled/50-mod-http-image-filter.conf create mode 120000 etc/nginx/modules-enabled/50-mod-http-subs-filter.conf create mode 120000 etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf create mode 120000 etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf create mode 120000 etc/nginx/modules-enabled/50-mod-mail.conf create mode 120000 etc/nginx/modules-enabled/50-mod-stream.conf create mode 120000 etc/nginx/modules-enabled/70-mod-stream-geoip.conf create mode 120000 etc/nginx/modules-enabled/70-mod-stream-geoip2.conf create mode 100644 etc/nginx/nginx.conf create mode 100644 etc/nginx/nginx.conf.dpkg-old create mode 100644 etc/nginx/proxy-photo-upload.conf create mode 100644 etc/nginx/proxy.conf create mode 100644 etc/nginx/proxy_params create mode 100644 etc/nginx/scgi_params create mode 100644 etc/nginx/sites-available/afaf.theribbles.org create mode 100644 etc/nginx/sites-available/app-test.theribbles.org create mode 100644 etc/nginx/sites-available/audiobooks.theribbles.org create mode 100644 etc/nginx/sites-available/auth.theribbles.org create mode 100644 etc/nginx/sites-available/auth.theribbles.org.bak create mode 100644 etc/nginx/sites-available/auth.theribbles.org.bak2 create mode 100644 etc/nginx/sites-available/beets.theribbles.org create mode 100644 etc/nginx/sites-available/budget.theribbles.org create mode 100644 etc/nginx/sites-available/chat.theribbles.org create mode 100644 etc/nginx/sites-available/cloud.theribbles.org create mode 100644 etc/nginx/sites-available/contacts.theribbles.org create mode 100644 etc/nginx/sites-available/db-test.theribbles.org create mode 100644 etc/nginx/sites-available/default create mode 100644 etc/nginx/sites-available/docs.theribbles.org create mode 100644 etc/nginx/sites-available/email.theribbles.org create mode 100644 etc/nginx/sites-available/email.theribbles.org.bak create mode 100644 etc/nginx/sites-available/email.theribbles.org.bak2 create mode 100644 etc/nginx/sites-available/email.theribbles.org.bak3 create mode 100644 etc/nginx/sites-available/email2.theribbles.org create mode 100644 etc/nginx/sites-available/habits.theribbles.org create mode 100644 etc/nginx/sites-available/home.theribbles.org create mode 100644 etc/nginx/sites-available/ipa.theribbles.org create mode 100644 etc/nginx/sites-available/mail.theribbles.org create mode 100644 etc/nginx/sites-available/matrix.theribbles.org create mode 100644 etc/nginx/sites-available/media.theribbles.org create mode 100644 etc/nginx/sites-available/money-import.theribbles.org create mode 100644 etc/nginx/sites-available/money.theribbles.org create mode 100644 etc/nginx/sites-available/oauth.theribbles.org create mode 100644 etc/nginx/sites-available/passwords-psono.theribbles.org create mode 100644 etc/nginx/sites-available/passwords.theribbles.org create mode 100644 etc/nginx/sites-available/photos.theribbles.org create mode 100644 etc/nginx/sites-available/pihole.theribbles.org create mode 100644 etc/nginx/sites-available/plex.theribbles.org create mode 100644 etc/nginx/sites-available/podcast.theribbles.org create mode 100644 etc/nginx/sites-available/ranbato.familyds.net create mode 100644 etc/nginx/sites-available/recipes.theribbles.org create mode 100644 etc/nginx/sites-available/source.theribbles.org create mode 100644 etc/nginx/sites-available/todo-api.theribbles.org create mode 100644 etc/nginx/sites-available/todo.theribbles.org create mode 100644 etc/nginx/sites-available/torrents.theribbles.org create mode 100644 etc/nginx/sites-available/unifi.theribbles.org create mode 100644 etc/nginx/sites-available/web-crypto-explorer.theribbles.org create mode 100644 etc/nginx/sites-available/wiki.suvereno.org create mode 100644 etc/nginx/sites-available/wiki.theribbles.org create mode 120000 etc/nginx/sites-enabled/afaf.theribbles.org create mode 120000 etc/nginx/sites-enabled/app-test.theribbles.org create mode 120000 etc/nginx/sites-enabled/audiobooks.theribbles.org create mode 120000 etc/nginx/sites-enabled/auth.theribbles.org create mode 120000 etc/nginx/sites-enabled/beets.theribbles.org create mode 120000 etc/nginx/sites-enabled/budget.theribbles.org create mode 120000 etc/nginx/sites-enabled/chat.theribbles.org create mode 120000 etc/nginx/sites-enabled/cloud.theribbles.org create mode 120000 etc/nginx/sites-enabled/contacts.theribbles.org create mode 120000 etc/nginx/sites-enabled/db-test.theribbles.org create mode 120000 etc/nginx/sites-enabled/default create mode 120000 etc/nginx/sites-enabled/docs.theribbles.org create mode 120000 etc/nginx/sites-enabled/email.theribbles.org create mode 120000 etc/nginx/sites-enabled/email2.theribbles.org create mode 120000 etc/nginx/sites-enabled/home.theribbles.org create mode 120000 etc/nginx/sites-enabled/mail.theribbles.org create mode 120000 etc/nginx/sites-enabled/matrix.theribbles.org create mode 120000 etc/nginx/sites-enabled/media.theribbles.org create mode 120000 etc/nginx/sites-enabled/oauth.theribbles.org create mode 120000 etc/nginx/sites-enabled/passwords.theribbles.org create mode 120000 etc/nginx/sites-enabled/photos.theribbles.org create mode 120000 etc/nginx/sites-enabled/pihole.theribbles.org create mode 120000 etc/nginx/sites-enabled/plex.theribbles.org create mode 120000 etc/nginx/sites-enabled/podcast.theribbles.org create mode 120000 etc/nginx/sites-enabled/ranbato.familydns.net create mode 120000 etc/nginx/sites-enabled/recipes.theribbles.org create mode 120000 etc/nginx/sites-enabled/source.theribbles.org create mode 120000 etc/nginx/sites-enabled/todo.theribbles.org create mode 120000 etc/nginx/sites-enabled/torrents.theribbles.org create mode 120000 etc/nginx/sites-enabled/unifi.theribbles.org create mode 120000 etc/nginx/sites-enabled/web-crypto-explorer.theribbles.org create mode 120000 etc/nginx/sites-enabled/wiki.suvereno.org create mode 120000 etc/nginx/sites-enabled/wiki.theribbles.org create mode 100644 etc/nginx/snippets/auth-oauth2.conf create mode 100644 etc/nginx/snippets/fastcgi-php.conf create mode 100644 etc/nginx/snippets/fastcgi.conf create mode 100644 etc/nginx/snippets/snakeoil.conf create mode 100644 etc/nginx/uwsgi_params create mode 100644 etc/nginx/win-utf diff --git a/etc/nginx/auth-endpoints.conf b/etc/nginx/auth-endpoints.conf new file mode 100644 index 0000000..8e73f9b --- /dev/null +++ b/etc/nginx/auth-endpoints.conf @@ -0,0 +1,14 @@ +error_page 401 = /oauth2/sign_in; +location ~ /oauth2/ { + proxy_pass http://127.0.0.1:10031; + include /etc/nginx/proxy.conf; + proxy_set_header X-Auth-Request-Redirect $request_uri; +} +location = /oauth2/auth { + internal; + proxy_pass http://127.0.0.1:10031; + include /etc/nginx/proxy.conf; + proxy_set_header Content-Length ""; + proxy_pass_request_body off; + proxy_set_header X-Original-URI $request_uri; +} diff --git a/etc/nginx/auth.conf b/etc/nginx/auth.conf new file mode 100644 index 0000000..99a0ac4 --- /dev/null +++ b/etc/nginx/auth.conf @@ -0,0 +1,13 @@ +auth_request /oauth2/auth; +error_page 401 = /oauth2/sign_in; + +auth_request_set $user $upstream_http_x_auth_request_user; +auth_request_set $email $upstream_http_x_auth_request_email; +auth_request_set $auth_cookie $upstream_http_set_cookie; +proxy_set_header remote_user $email; +proxy_set_header X-User $email; +proxy_set_header X-Email $email; + +add_header Set-Cookie $auth_cookie; + +proxy_intercept_errors on; diff --git a/etc/nginx/authelia.conf b/etc/nginx/authelia.conf new file mode 100644 index 0000000..205b572 --- /dev/null +++ b/etc/nginx/authelia.conf @@ -0,0 +1,39 @@ +# Added by Eli Ribble to support Authelia +# https://www.authelia.com/docs/deployment/supported-proxies/nginx.html +location = /authelia { + internal; + set $upstream_authelia http://127.0.0.1:10001/api/verify; + proxy_pass_request_body off; + proxy_pass $upstream_authelia; + proxy_set_header Content-Length ""; + + # Timeout if the real server is dead + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; + + # [REQUIRED] Needed by Authelia to check authorizations of the resource. + # Provide either X-Original-URL and X-Forwarded-Proto or + # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both. + # Those headers will be used by Authelia to deduce the target url of the user. + # Basic Proxy Config + client_body_buffer_size 128k; + proxy_set_header Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 4 32k; + + # Advanced Proxy Config + send_timeout 5m; + proxy_read_timeout 240; + proxy_send_timeout 240; + proxy_connect_timeout 240; +} diff --git a/etc/nginx/fastcgi.conf b/etc/nginx/fastcgi.conf new file mode 100644 index 0000000..d53a628 --- /dev/null +++ b/etc/nginx/fastcgi.conf @@ -0,0 +1,27 @@ + +fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param REMOTE_USER $remote_user; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; diff --git a/etc/nginx/fastcgi_params b/etc/nginx/fastcgi_params new file mode 100644 index 0000000..69c4387 --- /dev/null +++ b/etc/nginx/fastcgi_params @@ -0,0 +1,26 @@ + +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param REMOTE_USER $remote_user; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; diff --git a/etc/nginx/koi-utf b/etc/nginx/koi-utf new file mode 100644 index 0000000..e7974ff --- /dev/null +++ b/etc/nginx/koi-utf @@ -0,0 +1,109 @@ + +# This map is not a full koi8-r <> utf8 map: it does not contain +# box-drawing and some other characters. Besides this map contains +# several koi8-u and Byelorussian letters which are not in koi8-r. +# If you need a full and standard map, use contrib/unicode2nginx/koi-utf +# map instead. + +charset_map koi8-r utf-8 { + + 80 E282AC ; # euro + + 95 E280A2 ; # bullet + + 9A C2A0 ; #   + + 9E C2B7 ; # · + + A3 D191 ; # small yo + A4 D194 ; # small Ukrainian ye + + A6 D196 ; # small Ukrainian i + A7 D197 ; # small Ukrainian yi + + AD D291 ; # small Ukrainian soft g + AE D19E ; # small Byelorussian short u + + B0 C2B0 ; # ° + + B3 D081 ; # capital YO + B4 D084 ; # capital Ukrainian YE + + B6 D086 ; # capital Ukrainian I + B7 D087 ; # capital Ukrainian YI + + B9 E28496 ; # numero sign + + BD D290 ; # capital Ukrainian soft G + BE D18E ; # capital Byelorussian short U + + BF C2A9 ; # (C) + + C0 D18E ; # small yu + C1 D0B0 ; # small a + C2 D0B1 ; # small b + C3 D186 ; # small ts + C4 D0B4 ; # small d + C5 D0B5 ; # small ye + C6 D184 ; # small f + C7 D0B3 ; # small g + C8 D185 ; # small kh + C9 D0B8 ; # small i + CA D0B9 ; # small j + CB D0BA ; # small k + CC D0BB ; # small l + CD D0BC ; # small m + CE D0BD ; # small n + CF D0BE ; # small o + + D0 D0BF ; # small p + D1 D18F ; # small ya + D2 D180 ; # small r + D3 D181 ; # small s + D4 D182 ; # small t + D5 D183 ; # small u + D6 D0B6 ; # small zh + D7 D0B2 ; # small v + D8 D18C ; # small soft sign + D9 D18B ; # small y + DA D0B7 ; # small z + DB D188 ; # small sh + DC D18D ; # small e + DD D189 ; # small shch + DE D187 ; # small ch + DF D18A ; # small hard sign + + E0 D0AE ; # capital YU + E1 D090 ; # capital A + E2 D091 ; # capital B + E3 D0A6 ; # capital TS + E4 D094 ; # capital D + E5 D095 ; # capital YE + E6 D0A4 ; # capital F + E7 D093 ; # capital G + E8 D0A5 ; # capital KH + E9 D098 ; # capital I + EA D099 ; # capital J + EB D09A ; # capital K + EC D09B ; # capital L + ED D09C ; # capital M + EE D09D ; # capital N + EF D09E ; # capital O + + F0 D09F ; # capital P + F1 D0AF ; # capital YA + F2 D0A0 ; # capital R + F3 D0A1 ; # capital S + F4 D0A2 ; # capital T + F5 D0A3 ; # capital U + F6 D096 ; # capital ZH + F7 D092 ; # capital V + F8 D0AC ; # capital soft sign + F9 D0AB ; # capital Y + FA D097 ; # capital Z + FB D0A8 ; # capital SH + FC D0AD ; # capital E + FD D0A9 ; # capital SHCH + FE D0A7 ; # capital CH + FF D0AA ; # capital hard sign +} diff --git a/etc/nginx/koi-win b/etc/nginx/koi-win new file mode 100644 index 0000000..72afabe --- /dev/null +++ b/etc/nginx/koi-win @@ -0,0 +1,103 @@ + +charset_map koi8-r windows-1251 { + + 80 88 ; # euro + + 95 95 ; # bullet + + 9A A0 ; #   + + 9E B7 ; # · + + A3 B8 ; # small yo + A4 BA ; # small Ukrainian ye + + A6 B3 ; # small Ukrainian i + A7 BF ; # small Ukrainian yi + + AD B4 ; # small Ukrainian soft g + AE A2 ; # small Byelorussian short u + + B0 B0 ; # ° + + B3 A8 ; # capital YO + B4 AA ; # capital Ukrainian YE + + B6 B2 ; # capital Ukrainian I + B7 AF ; # capital Ukrainian YI + + B9 B9 ; # numero sign + + BD A5 ; # capital Ukrainian soft G + BE A1 ; # capital Byelorussian short U + + BF A9 ; # (C) + + C0 FE ; # small yu + C1 E0 ; # small a + C2 E1 ; # small b + C3 F6 ; # small ts + C4 E4 ; # small d + C5 E5 ; # small ye + C6 F4 ; # small f + C7 E3 ; # small g + C8 F5 ; # small kh + C9 E8 ; # small i + CA E9 ; # small j + CB EA ; # small k + CC EB ; # small l + CD EC ; # small m + CE ED ; # small n + CF EE ; # small o + + D0 EF ; # small p + D1 FF ; # small ya + D2 F0 ; # small r + D3 F1 ; # small s + D4 F2 ; # small t + D5 F3 ; # small u + D6 E6 ; # small zh + D7 E2 ; # small v + D8 FC ; # small soft sign + D9 FB ; # small y + DA E7 ; # small z + DB F8 ; # small sh + DC FD ; # small e + DD F9 ; # small shch + DE F7 ; # small ch + DF FA ; # small hard sign + + E0 DE ; # capital YU + E1 C0 ; # capital A + E2 C1 ; # capital B + E3 D6 ; # capital TS + E4 C4 ; # capital D + E5 C5 ; # capital YE + E6 D4 ; # capital F + E7 C3 ; # capital G + E8 D5 ; # capital KH + E9 C8 ; # capital I + EA C9 ; # capital J + EB CA ; # capital K + EC CB ; # capital L + ED CC ; # capital M + EE CD ; # capital N + EF CE ; # capital O + + F0 CF ; # capital P + F1 DF ; # capital YA + F2 D0 ; # capital R + F3 D1 ; # capital S + F4 D2 ; # capital T + F5 D3 ; # capital U + F6 C6 ; # capital ZH + F7 C2 ; # capital V + F8 DC ; # capital soft sign + F9 DB ; # capital Y + FA C7 ; # capital Z + FB D8 ; # capital SH + FC DD ; # capital E + FD D9 ; # capital SHCH + FE D7 ; # capital CH + FF DA ; # capital hard sign +} diff --git a/etc/nginx/mime.types b/etc/nginx/mime.types new file mode 100644 index 0000000..89be9a4 --- /dev/null +++ b/etc/nginx/mime.types @@ -0,0 +1,89 @@ + +types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/png png; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + image/svg+xml svg svgz; + image/webp webp; + + application/font-woff woff; + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.wap.wmlc wmlc; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xspf+xml xspf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; + application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/ogg ogg; + audio/x-m4a m4a; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; +} diff --git a/etc/nginx/modules-enabled/50-mod-http-auth-pam.conf b/etc/nginx/modules-enabled/50-mod-http-auth-pam.conf new file mode 120000 index 0000000..2c9098d --- /dev/null +++ b/etc/nginx/modules-enabled/50-mod-http-auth-pam.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-auth-pam.conf \ No newline at end of file diff --git a/etc/nginx/modules-enabled/50-mod-http-dav-ext.conf b/etc/nginx/modules-enabled/50-mod-http-dav-ext.conf new file mode 120000 index 0000000..4bcd08d --- /dev/null +++ b/etc/nginx/modules-enabled/50-mod-http-dav-ext.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-dav-ext.conf \ No newline at end of file diff --git a/etc/nginx/modules-enabled/50-mod-http-echo.conf b/etc/nginx/modules-enabled/50-mod-http-echo.conf new file mode 120000 index 0000000..2ca55aa --- /dev/null +++ b/etc/nginx/modules-enabled/50-mod-http-echo.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-echo.conf \ No newline at end of file diff --git a/etc/nginx/modules-enabled/50-mod-http-geoip.conf b/etc/nginx/modules-enabled/50-mod-http-geoip.conf new file mode 120000 index 0000000..390fab2 --- /dev/null +++ b/etc/nginx/modules-enabled/50-mod-http-geoip.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-geoip.conf \ No newline at end of file diff --git a/etc/nginx/modules-enabled/50-mod-http-geoip2.conf b/etc/nginx/modules-enabled/50-mod-http-geoip2.conf new file mode 120000 index 0000000..e2655c3 --- /dev/null +++ b/etc/nginx/modules-enabled/50-mod-http-geoip2.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-geoip2.conf \ No newline at end of file diff --git a/etc/nginx/modules-enabled/50-mod-http-image-filter.conf b/etc/nginx/modules-enabled/50-mod-http-image-filter.conf new file mode 120000 index 0000000..fa27cd3 --- /dev/null +++ b/etc/nginx/modules-enabled/50-mod-http-image-filter.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-image-filter.conf \ No newline at end of file diff --git a/etc/nginx/modules-enabled/50-mod-http-subs-filter.conf b/etc/nginx/modules-enabled/50-mod-http-subs-filter.conf new file mode 120000 index 0000000..60fc893 --- /dev/null +++ b/etc/nginx/modules-enabled/50-mod-http-subs-filter.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-subs-filter.conf \ No newline at end of file diff --git a/etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf b/etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf new file mode 120000 index 0000000..2dc0c72 --- /dev/null +++ b/etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-upstream-fair.conf \ No newline at end of file diff --git a/etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf b/etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf new file mode 120000 index 0000000..51d7ca7 --- /dev/null +++ b/etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-xslt-filter.conf \ No newline at end of file diff --git a/etc/nginx/modules-enabled/50-mod-mail.conf b/etc/nginx/modules-enabled/50-mod-mail.conf new file mode 120000 index 0000000..baa6ea9 --- /dev/null +++ b/etc/nginx/modules-enabled/50-mod-mail.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-mail.conf \ No newline at end of file diff --git a/etc/nginx/modules-enabled/50-mod-stream.conf b/etc/nginx/modules-enabled/50-mod-stream.conf new file mode 120000 index 0000000..7f65cc5 --- /dev/null +++ b/etc/nginx/modules-enabled/50-mod-stream.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-stream.conf \ No newline at end of file diff --git a/etc/nginx/modules-enabled/70-mod-stream-geoip.conf b/etc/nginx/modules-enabled/70-mod-stream-geoip.conf new file mode 120000 index 0000000..4acbe4f --- /dev/null +++ b/etc/nginx/modules-enabled/70-mod-stream-geoip.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-stream-geoip.conf \ No newline at end of file diff --git a/etc/nginx/modules-enabled/70-mod-stream-geoip2.conf b/etc/nginx/modules-enabled/70-mod-stream-geoip2.conf new file mode 120000 index 0000000..612a5e1 --- /dev/null +++ b/etc/nginx/modules-enabled/70-mod-stream-geoip2.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-stream-geoip2.conf \ No newline at end of file diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf new file mode 100644 index 0000000..3330522 --- /dev/null +++ b/etc/nginx/nginx.conf @@ -0,0 +1,92 @@ +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # Websocket Upgrade + # + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + ## + # SSL Settings + ## + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + ## + # Logging Settings + ## + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + ## + # Virtual Host Configs + ## + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} + + +#mail { +# # See sample authentication script at: +# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript +# +# # auth_http localhost/auth.php; +# # pop3_capabilities "TOP" "USER"; +# # imap_capabilities "IMAP4rev1" "UIDPLUS"; +# +# server { +# listen localhost:110; +# protocol pop3; +# proxy on; +# } +# +# server { +# listen localhost:143; +# protocol imap; +# proxy on; +# } +#} diff --git a/etc/nginx/nginx.conf.dpkg-old b/etc/nginx/nginx.conf.dpkg-old new file mode 100644 index 0000000..d7bdfcb --- /dev/null +++ b/etc/nginx/nginx.conf.dpkg-old @@ -0,0 +1,88 @@ +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 768; + # multi_accept on; + # Debug local clients only + # debug_connection 192.168.1.0/24; + # debug_connection 192.168.1.153; +} + +http { + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + ## + # Logging Settings + ## + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + ## + # Virtual Host Configs + ## + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} + + +#mail { +# # See sample authentication script at: +# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript +# +# # auth_http localhost/auth.php; +# # pop3_capabilities "TOP" "USER"; +# # imap_capabilities "IMAP4rev1" "UIDPLUS"; +# +# server { +# listen localhost:110; +# protocol pop3; +# proxy on; +# } +# +# server { +# listen localhost:143; +# protocol imap; +# proxy on; +# } +#} diff --git a/etc/nginx/proxy-photo-upload.conf b/etc/nginx/proxy-photo-upload.conf new file mode 100644 index 0000000..91fae5f --- /dev/null +++ b/etc/nginx/proxy-photo-upload.conf @@ -0,0 +1,42 @@ +client_body_buffer_size 1024k; +client_body_timeout 20m; +client_max_body_size 100G; + +lingering_close always; + +# Timeout if the real server is dead +proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; + +# Advanced Proxy Config +send_timeout 20m; +proxy_read_timeout 600; +proxy_send_timeout 600; +proxy_connect_timeout 600; +proxy_headers_hash_max_size 512; +proxy_headers_hash_bucket_size 128; + +# Basic Proxy Config +proxy_set_header Host $host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Host $host; +proxy_set_header X-Forwarded-Proto $scheme; +proxy_set_header X-Forwarded-Server $host; +proxy_set_header X-Forwarded-Uri $request_uri; +proxy_set_header X-Forwarded-Ssl on; +proxy_set_header X-Scheme $scheme; +proxy_http_version 1.1; +proxy_set_header Connection ""; +proxy_cache_bypass $cookie_session; +proxy_no_cache $cookie_session; +proxy_buffers 64 256k; +proxy_buffer_size 128k; +proxy_busy_buffers_size 256k; + +# If behind reverse proxy, forwards the correct IP +set_real_ip_from 10.0.0.0/8; +set_real_ip_from 172.16.0.0/12; +set_real_ip_from 192.168.0.0/16; +set_real_ip_from fc00::/7; +real_ip_header X-Forwarded-For; +real_ip_recursive on; diff --git a/etc/nginx/proxy.conf b/etc/nginx/proxy.conf new file mode 100644 index 0000000..c215584 --- /dev/null +++ b/etc/nginx/proxy.conf @@ -0,0 +1,39 @@ +client_body_buffer_size 128k; +client_max_body_size 10G; + +#Timeout if the real server is dead +proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; + +# Advanced Proxy Config +send_timeout 5m; +proxy_read_timeout 360; +proxy_send_timeout 360; +proxy_connect_timeout 360; +proxy_headers_hash_max_size 512; +proxy_headers_hash_bucket_size 128; + +# Basic Proxy Config +proxy_set_header Host $host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Host $host; +proxy_set_header X-Forwarded-Proto $scheme; +proxy_set_header X-Forwarded-Server $host; +proxy_set_header X-Forwarded-Uri $request_uri; +proxy_set_header X-Forwarded-Ssl on; +proxy_set_header X-Scheme $scheme; +proxy_http_version 1.1; +# proxy_set_header Connection ""; +proxy_cache_bypass $cookie_session; +proxy_no_cache $cookie_session; +proxy_buffers 64 256k; +proxy_buffer_size 128k; +proxy_busy_buffers_size 256k; + +# If behind reverse proxy, forwards the correct IP +set_real_ip_from 10.0.0.0/8; +set_real_ip_from 172.16.0.0/12; +set_real_ip_from 192.168.0.0/16; +set_real_ip_from fc00::/7; +real_ip_header X-Forwarded-For; +real_ip_recursive on; diff --git a/etc/nginx/proxy_params b/etc/nginx/proxy_params new file mode 100644 index 0000000..df75bc5 --- /dev/null +++ b/etc/nginx/proxy_params @@ -0,0 +1,4 @@ +proxy_set_header Host $http_host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; diff --git a/etc/nginx/scgi_params b/etc/nginx/scgi_params new file mode 100644 index 0000000..6d4ce4f --- /dev/null +++ b/etc/nginx/scgi_params @@ -0,0 +1,17 @@ + +scgi_param REQUEST_METHOD $request_method; +scgi_param REQUEST_URI $request_uri; +scgi_param QUERY_STRING $query_string; +scgi_param CONTENT_TYPE $content_type; + +scgi_param DOCUMENT_URI $document_uri; +scgi_param DOCUMENT_ROOT $document_root; +scgi_param SCGI 1; +scgi_param SERVER_PROTOCOL $server_protocol; +scgi_param REQUEST_SCHEME $scheme; +scgi_param HTTPS $https if_not_empty; + +scgi_param REMOTE_ADDR $remote_addr; +scgi_param REMOTE_PORT $remote_port; +scgi_param SERVER_PORT $server_port; +scgi_param SERVER_NAME $server_name; diff --git a/etc/nginx/sites-available/afaf.theribbles.org b/etc/nginx/sites-available/afaf.theribbles.org new file mode 100644 index 0000000..e304c6a --- /dev/null +++ b/etc/nginx/sites-available/afaf.theribbles.org @@ -0,0 +1,11 @@ +server { + listen 80; + server_name afaf.theribbles.org; + root /concrete5; + index index.html; + + location ~* \.php$ { + fastcgi_pass 127.0.0.1:9001; + include /etc/nginx/snippets/fastcgi-php.conf; + } +} diff --git a/etc/nginx/sites-available/app-test.theribbles.org b/etc/nginx/sites-available/app-test.theribbles.org new file mode 100644 index 0000000..fe2945a --- /dev/null +++ b/etc/nginx/sites-available/app-test.theribbles.org @@ -0,0 +1,24 @@ +server { + server_name app-test.theribbles.org; + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location ~ { + root /home/eliribble/src/app-test; + } +} + +server { + if ($host = podcast.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + server_name app-test.theribbles.org; + listen 80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/audiobooks.theribbles.org b/etc/nginx/sites-available/audiobooks.theribbles.org new file mode 100644 index 0000000..b4f7e92 --- /dev/null +++ b/etc/nginx/sites-available/audiobooks.theribbles.org @@ -0,0 +1,26 @@ +server { + server_name audiobooks.theribbles.org; + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location / { + proxy_pass http://127.0.0.1:10110; + + include "/etc/nginx/proxy.conf"; + } +} + +server { + if ($host = audiobooks.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + server_name audiobooks.theribbles.org; + listen 80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/auth.theribbles.org b/etc/nginx/sites-available/auth.theribbles.org new file mode 100644 index 0000000..b08d018 --- /dev/null +++ b/etc/nginx/sites-available/auth.theribbles.org @@ -0,0 +1,55 @@ +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +server { + + server_name auth.theribbles.org; + + location ~ { + proxy_pass http://127.0.0.1:10030; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + include /etc/nginx/proxy.conf; + } + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + +} + +server { + + server_name auth.suvereno.org; + + location ~ { + proxy_pass http://127.0.0.1:10030; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + include /etc/nginx/proxy.conf; + } + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/suvereno.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/suvereno.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + +} + +server { + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + server_name auth.theribbles.org auth.suvereno.org; + listen 80; + listen [::]:80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/auth.theribbles.org.bak b/etc/nginx/sites-available/auth.theribbles.org.bak new file mode 100644 index 0000000..f6bfae8 --- /dev/null +++ b/etc/nginx/sites-available/auth.theribbles.org.bak @@ -0,0 +1,27 @@ +server { + + server_name auth.theribbles.org; + + location ~ { + proxy_pass https://127.0.0.1:10030; + include /etc/nginx/proxy.conf; + } + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + +} +server { + if ($host = auth.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name auth.theribbles.org; + listen 80; + listen [::]:80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/auth.theribbles.org.bak2 b/etc/nginx/sites-available/auth.theribbles.org.bak2 new file mode 100644 index 0000000..f583d9c --- /dev/null +++ b/etc/nginx/sites-available/auth.theribbles.org.bak2 @@ -0,0 +1,34 @@ +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +server { + + server_name auth.theribbles.org; + + location ~ { + proxy_pass http://127.0.0.1:10160; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + include /etc/nginx/proxy.conf; + } + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + +} +server { + if ($host = auth.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name auth.theribbles.org; + listen 80; + listen [::]:80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/beets.theribbles.org b/etc/nginx/sites-available/beets.theribbles.org new file mode 100644 index 0000000..9e21ca5 --- /dev/null +++ b/etc/nginx/sites-available/beets.theribbles.org @@ -0,0 +1,25 @@ +server { + server_name beets.theribbles.org; + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location ~ { + proxy_pass http://127.0.0.1:8337; + include /etc/nginx/proxy.conf; + } +} + +server { + if ($host = beets.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + server_name beets.theribbles.org; + listen 80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/budget.theribbles.org b/etc/nginx/sites-available/budget.theribbles.org new file mode 100644 index 0000000..c7c163d --- /dev/null +++ b/etc/nginx/sites-available/budget.theribbles.org @@ -0,0 +1,25 @@ +server { + server_name budget.theribbles.org; + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location ~ { + proxy_pass http://127.0.0.1:10100; + include /etc/nginx/proxy.conf; + } +} + +server { + if ($host = budget.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + server_name budget.theribbles.org; + listen 80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/chat.theribbles.org b/etc/nginx/sites-available/chat.theribbles.org new file mode 100644 index 0000000..da277ca --- /dev/null +++ b/etc/nginx/sites-available/chat.theribbles.org @@ -0,0 +1,47 @@ +server { + + root /var/www/element; + + # Add index.php to the list if you are using PHP + index index.html; + + server_name chat.theribbles.org; + + access_log /var/log/nginx/chat.theribbles.org-access.log; + + error_log /var/log/nginx/chat.theribbles.org-error.log debug; + + location = /index.html { + add_header Cache-Control "no-cache"; + } + location = /version { + add_header Cache-Control "no-cache"; + } + # covers config.json and config.hostname.json requests as it is prefix. + location /config { + add_header Cache-Control "no-cache"; + } + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + + listen 443 ssl http2; # manually changed, but added by Certbot + + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + +} +server { + if ($host = chat.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name chat.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/cloud.theribbles.org b/etc/nginx/sites-available/cloud.theribbles.org new file mode 100644 index 0000000..c6f6bac --- /dev/null +++ b/etc/nginx/sites-available/cloud.theribbles.org @@ -0,0 +1,31 @@ +server { + server_name cloud.theribbles.org; + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + client_max_body_size 10G; + client_body_buffer_size 400M; + location ~ { + proxy_pass http://127.0.0.1:10070; + proxy_set_header Connection ""; + include /etc/nginx/proxy.conf; + } +} + +server { + if ($host = cloud.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + + server_name cloud.theribbles.org; + listen [::]:80; + listen 80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/contacts.theribbles.org b/etc/nginx/sites-available/contacts.theribbles.org new file mode 100644 index 0000000..4826c49 --- /dev/null +++ b/etc/nginx/sites-available/contacts.theribbles.org @@ -0,0 +1,29 @@ +server { + server_name contacts.theribbles.org; + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location / { + proxy_pass http://127.0.0.1:10200; + + include proxy.conf; + } +} + +server { + if ($host = contacts.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + listen 80; + listen [::]:80; + + server_name contacts.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/db-test.theribbles.org b/etc/nginx/sites-available/db-test.theribbles.org new file mode 100644 index 0000000..b094068 --- /dev/null +++ b/etc/nginx/sites-available/db-test.theribbles.org @@ -0,0 +1,28 @@ +server { + server_name db-test.theribbles.org; + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location ~ { + proxy_pass http://127.0.0.1:10160; + include /etc/nginx/proxy.conf; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $host; + } +} + +server { + if ($host = podcast.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + server_name db-test.theribbles.org; + listen 80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/default b/etc/nginx/sites-available/default new file mode 100644 index 0000000..a439d2d --- /dev/null +++ b/etc/nginx/sites-available/default @@ -0,0 +1,111 @@ +## +# You should look at the following URL's in order to grasp a solid understanding +# of Nginx configuration files in order to fully unleash the power of Nginx. +# https://www.nginx.com/resources/wiki/start/ +# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ +# https://wiki.debian.org/Nginx/DirectoryStructure +# +# In most cases, administrators will remove this file from sites-enabled/ and +# leave it as reference inside of sites-available where it will continue to be +# updated by the nginx packaging team. +# +# This file will automatically load configuration files provided by other +# applications, such as Drupal or Wordpress. These applications will be made +# available underneath a path with that package name, such as /drupal8. +# +# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. +## + +# Default server configuration +# +server { + listen 80 default_server; + listen [::]:80 default_server; + + return 301 https://$host$request_uri; + + server_name www.theribbles.org theribbles.org _; +} + +server { + + # SSL configuration + # + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + # + # Note: You should disable gzip for SSL traffic. + # See: https://bugs.debian.org/773332 + # + # Read up on ssl_ciphers to ensure a secure configuration. + # See: https://bugs.debian.org/765782 + # + # Self signed certs generated by the ssl-cert package + # Don't use them in a production server! + # + # include snippets/snakeoil.conf; + + root /var/www/html; + + # Add index.php to the list if you are using PHP + index index.html index.htm index.nginx-debian.html; + + server_name www.theribbles.org theribbles.org; + + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location /.well-known/matrix/client { + return 200 '{"m.homeserver": {"base_url": "https://matrix.theribbles.org"}}'; + default_type application/json; + add_header Access-Control-Allow-Origin *; + } + location /waiver { + return 301 https://app.waiversign.com/e/60f5a65891f983001947ac59/doc/60f5a7bce1ea2500193529e5?event=none; + } + location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. + try_files $uri $uri/ =404; + } + + # pass PHP scripts to FastCGI server + # + #location ~ \.php$ { + # include snippets/fastcgi-php.conf; + # + # # With php-fpm (or other unix sockets): + # fastcgi_pass unix:/run/php/php7.4-fpm.sock; + # # With php-cgi (or other tcp sockets): + # fastcgi_pass 127.0.0.1:9000; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} +} + + +# Virtual Host configuration for example.com +# +# You can move that to a different file under sites-available/ and symlink that +# to sites-enabled/ to enable it. +# +#server { +# listen 80; +# listen [::]:80; +# +# server_name example.com; +# +# root /var/www/example.com; +# index index.html; +# +# location / { +# try_files $uri $uri/ =404; +# } +#} diff --git a/etc/nginx/sites-available/docs.theribbles.org b/etc/nginx/sites-available/docs.theribbles.org new file mode 100644 index 0000000..9376404 --- /dev/null +++ b/etc/nginx/sites-available/docs.theribbles.org @@ -0,0 +1,50 @@ +server { + + server_name docs.theribbles.org; + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + # Adjust as required. This is the maximum size for file uploads. + # The default value 1M might be a little too small. + client_max_body_size 10M; + + location / { + + # Adjust host and port as required. + proxy_pass http://localhost:10190/; + + client_body_buffer_size 1024k; + client_body_timeout 20m; + client_max_body_size 100G; + + # These configuration options are required for WebSockets to work. + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + add_header P3P 'CP=""'; # may not be required in all setups + } +} + +server { + if ($host = docs.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name docs.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/email.theribbles.org b/etc/nginx/sites-available/email.theribbles.org new file mode 100644 index 0000000..2435f9c --- /dev/null +++ b/etc/nginx/sites-available/email.theribbles.org @@ -0,0 +1,36 @@ +server { + server_name email.theribbles.org; + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + client_max_body_size 40M; + client_body_buffer_size 10M; + + index index.php; + location / { + root /var/lib/containers/storage/volumes/roundcube-web/_data; + } + location ~* \.php$ { + root /var/www/html; + fastcgi_pass 127.0.0.1:10120; + include /etc/nginx/snippets/fastcgi-php.conf; + } +} + +server { + if ($host = email.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name email.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/email.theribbles.org.bak b/etc/nginx/sites-available/email.theribbles.org.bak new file mode 100644 index 0000000..70b272a --- /dev/null +++ b/etc/nginx/sites-available/email.theribbles.org.bak @@ -0,0 +1,30 @@ +server { + server_name email.theribbles.org; + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + client_max_body_size 40M; + client_body_buffer_size 10M; + location ~ { + proxy_pass http://127.0.0.1:10120; + include /etc/nginx/proxy.conf; + } +} + +server { + if ($host = email.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name email.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/email.theribbles.org.bak2 b/etc/nginx/sites-available/email.theribbles.org.bak2 new file mode 100644 index 0000000..2435f9c --- /dev/null +++ b/etc/nginx/sites-available/email.theribbles.org.bak2 @@ -0,0 +1,36 @@ +server { + server_name email.theribbles.org; + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + client_max_body_size 40M; + client_body_buffer_size 10M; + + index index.php; + location / { + root /var/lib/containers/storage/volumes/roundcube-web/_data; + } + location ~* \.php$ { + root /var/www/html; + fastcgi_pass 127.0.0.1:10120; + include /etc/nginx/snippets/fastcgi-php.conf; + } +} + +server { + if ($host = email.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name email.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/email.theribbles.org.bak3 b/etc/nginx/sites-available/email.theribbles.org.bak3 new file mode 100644 index 0000000..bfe94de --- /dev/null +++ b/etc/nginx/sites-available/email.theribbles.org.bak3 @@ -0,0 +1,34 @@ +server { + listen 80; + listen [::]:80; + + return 301 https://$host$request_uri; + + server_name email.theribbles.org; +} + +server { + + # SSL configuration + # + listen 443 ssl; + listen [::]:443 ssl; + + root /opt/src/jmap-demo-webmail; + + # Add index.php to the list if you are using PHP + index index.html index.htm; + + server_name email.theribbles.org; + + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. + try_files $uri $uri/ =404; + } +} diff --git a/etc/nginx/sites-available/email2.theribbles.org b/etc/nginx/sites-available/email2.theribbles.org new file mode 100644 index 0000000..81ff40f --- /dev/null +++ b/etc/nginx/sites-available/email2.theribbles.org @@ -0,0 +1,30 @@ +server { + server_name email2.theribbles.org; + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + client_max_body_size 40M; + client_body_buffer_size 10M; + + location / { + proxy_pass http://127.0.0.1:3000; + } +} + +server { + if ($host = email2.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name email2.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/habits.theribbles.org b/etc/nginx/sites-available/habits.theribbles.org new file mode 100644 index 0000000..a29d52a --- /dev/null +++ b/etc/nginx/sites-available/habits.theribbles.org @@ -0,0 +1,30 @@ +server { + + server_name habits.theribbles.org; + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location / { + proxy_pass http://127.0.0.1:10091; + include /etc/nginx/proxy.conf; + } + +} + +server { + if ($host = habits.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name habits.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/home.theribbles.org b/etc/nginx/sites-available/home.theribbles.org new file mode 100644 index 0000000..df12ff8 --- /dev/null +++ b/etc/nginx/sites-available/home.theribbles.org @@ -0,0 +1,41 @@ +server { + + root /var/www/html; + + # Add index.php to the list if you are using PHP + index index.html index.htm index.nginx-debian.html; + + server_name home.theribbles.org; + + access_log /var/log/nginx/home.theribbles.org-access.log; + + error_log /var/log/nginx/home.theribbles.org-error.log debug; + + + location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. + try_files $uri $uri/ =404; + } + + + listen [::]:443 ssl ipv6only=on; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + +} +server { + if ($host = home.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name home.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/ipa.theribbles.org b/etc/nginx/sites-available/ipa.theribbles.org new file mode 100644 index 0000000..73d1eaa --- /dev/null +++ b/etc/nginx/sites-available/ipa.theribbles.org @@ -0,0 +1,28 @@ +server { + + server_name ipa.theribbles.org; + + location ~ { + proxy_pass https://127.0.0.1:10021; + proxy_set_header X-Real-IP $remote_addr; + include /etc/nginx/proxy.conf; + } + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + +} +server { + if ($host = auth.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name ipa.theribbles.org; + listen 80; + listen [::]:80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/mail.theribbles.org b/etc/nginx/sites-available/mail.theribbles.org new file mode 100644 index 0000000..4871a85 --- /dev/null +++ b/etc/nginx/sites-available/mail.theribbles.org @@ -0,0 +1,53 @@ +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +server { + + server_name mail.theribbles.org; + + location ~ { + proxy_pass https://127.0.0.1:10230; + proxy_set_header Upgrade $http_upgrade; + include /etc/nginx/proxy.conf; + } + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} + +server { + + server_name mail.suvereno.org; + + location ~ { + proxy_pass http://127.0.0.1:10030; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + include /etc/nginx/proxy.conf; + } + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/suvereno.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/suvereno.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + +} + +server { + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + server_name mail.theribbles.org; + listen 80; + listen [::]:80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/matrix.theribbles.org b/etc/nginx/sites-available/matrix.theribbles.org new file mode 100644 index 0000000..4d1f4ab --- /dev/null +++ b/etc/nginx/sites-available/matrix.theribbles.org @@ -0,0 +1,53 @@ +server { + + root /var/www/html; + + # Add index.php to the list if you are using PHP + index index.html index.htm index.nginx-debian.html; + + server_name matrix.theribbles.org; + + access_log /var/log/nginx/matrix.theribbles.org-access.log; + + error_log /var/log/nginx/matrix.theribbles.org-error.log debug; + + + location ~ { + # note: do not add a path (even a single /) after the port in `proxy_pass`, + # otherwise nginx will canonicalise the URI and cause signature verification + # errors. + proxy_pass http://localhost:10180; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 50M; + } + + + listen 443 ssl http2; # manually changed, but added by Certbot + + # For the federation port + listen 8448 ssl http2 default_server; + listen [::]:8448 ssl http2 default_server; + + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + +} +server { + if ($host = matrix.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name matrix.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/media.theribbles.org b/etc/nginx/sites-available/media.theribbles.org new file mode 100644 index 0000000..2f821d4 --- /dev/null +++ b/etc/nginx/sites-available/media.theribbles.org @@ -0,0 +1,80 @@ +server { + server_name media.theribbles.org; + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + # Security / XSS Mitigation Headers + # NOTE: X-Frame-Options may cause issues with the webOS app + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options "nosniff"; + + # Content Security Policy + # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP + # Enforces https content and restricts JS/CSS to origin + # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. + # NOTE: The default CSP headers may cause issues with the webOS app + #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; + + location = / { + return 302 https://$host/web/; + } + + location / { + # Proxy main Jellyfin traffic + proxy_pass http://127.0.0.1:10170; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + + # Disable buffering when the nginx proxy gets very resource heavy upon streaming + proxy_buffering off; + } + + # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/ + location = /web/ { + # Proxy main Jellyfin traffic + proxy_pass http://127.0.0.1:10170/web/index.html; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + } + + location /socket { + # Proxy Jellyfin Websockets traffic + proxy_pass http://127.0.0.1:10170; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + } +} + +server { + if ($host = media.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + + server_name media.theribbles.org; + listen [::]:80; + listen 80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/money-import.theribbles.org b/etc/nginx/sites-available/money-import.theribbles.org new file mode 100644 index 0000000..b030358 --- /dev/null +++ b/etc/nginx/sites-available/money-import.theribbles.org @@ -0,0 +1,27 @@ +server { + server_name money-import.theribbles.org; + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + include /etc/nginx/auth-endpoints.conf; + location ~ { + proxy_pass http://127.0.0.1:10061; + include /etc/nginx/proxy.conf; + include /etc/nginx/auth.conf; + } +} + +server { + if ($host = money-import.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + server_name money-import.theribbles.org; + listen 80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/money.theribbles.org b/etc/nginx/sites-available/money.theribbles.org new file mode 100644 index 0000000..458ec99 --- /dev/null +++ b/etc/nginx/sites-available/money.theribbles.org @@ -0,0 +1,41 @@ +server { + server_name money.theribbles.org; + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location ~ /oauth2/ { + proxy_pass http://127.0.0.1:10031; + include /etc/nginx/proxy.conf; + proxy_set_header X-Auth-Request-Redirect $request_uri; + } + location = /oauth2/auth { + internal; + proxy_pass http://127.0.0.1:10031; + include /etc/nginx/proxy.conf; + proxy_set_header Content-Length ""; + proxy_pass_request_body off; + proxy_set_header X-Original-URI $request_uri; + } + location ~ { + proxy_pass http://127.0.0.1:10060; + include /etc/nginx/proxy.conf; + include /etc/nginx/auth.conf; + } + error_page 401 = /oauth2/sign_in; + +} + +server { + if ($host = money.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + server_name money.theribbles.org; + listen 80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/oauth.theribbles.org b/etc/nginx/sites-available/oauth.theribbles.org new file mode 100644 index 0000000..e31b7e1 --- /dev/null +++ b/etc/nginx/sites-available/oauth.theribbles.org @@ -0,0 +1,27 @@ +server { + + server_name oauth.theribbles.org; + + location ~ { + proxy_pass http://127.0.0.1:10031; + include /etc/nginx/proxy.conf; + } + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + +} +server { + if ($host = oauth.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name oauth.theribbles.org; + listen 80; + listen [::]:80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/passwords-psono.theribbles.org b/etc/nginx/sites-available/passwords-psono.theribbles.org new file mode 100644 index 0000000..74a78a3 --- /dev/null +++ b/etc/nginx/sites-available/passwords-psono.theribbles.org @@ -0,0 +1,80 @@ +server { + if ($host = passwords.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name passwords.theribbles.org; + listen 80; + listen [::]:80; + return 404; # managed by Certbot +} + +server { + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + + server_name passwords.theribbles.org; + + # add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; + + add_header Referrer-Policy same-origin; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + + # If you have the admin fileserver installed too behind this reverse proxy domain, add your fileserver URL e.g. https://fs01.example.com as connect-src too: + # add_header Content-Security-Policy "default-src 'none'; manifest-src 'self'; connect-src 'self' https://static.psono.com https://api.pwnedpasswords.com https://storage.googleapis.com https://*.digitaloceanspaces.com https://*.s3.amazonaws.com; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'self'"; + + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + client_max_body_size 256m; + + gzip on; + gzip_disable "msie6"; + + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_min_length 256; + gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon; + + index index.html; + try_files $uri /index.html; + + location / { + add_header Pragma public; + add_header Cache-Control "public"; + + root /var/www/html/psono/webclient; + } + + location /portal { + add_header Pragma public; + add_header Cache-Control "public"; + + alias /var/www/html/psono/admin-webclient; + } + + location /server { + rewrite ^/server/(.*) /$1 break; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + add_header Last-Modified $date_gmt; + add_header Pragma "no-cache"; + add_header Cache-Control "private, max-age=0, no-cache, no-store"; + if_modified_since off; + expires off; + etag off; + + proxy_pass http://127.0.0.1:10040; + } + +} diff --git a/etc/nginx/sites-available/passwords.theribbles.org b/etc/nginx/sites-available/passwords.theribbles.org new file mode 100644 index 0000000..805dcb5 --- /dev/null +++ b/etc/nginx/sites-available/passwords.theribbles.org @@ -0,0 +1,33 @@ +server { + + server_name passwords.theribbles.org; + location / { + proxy_pass http://127.0.0.1:10040; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forward-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_redirect http://$http_host/ https://$http_host/; + } + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + +} + +server { + if ($host = passwords.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name passwords.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/photos.theribbles.org b/etc/nginx/sites-available/photos.theribbles.org new file mode 100644 index 0000000..7d8bf25 --- /dev/null +++ b/etc/nginx/sites-available/photos.theribbles.org @@ -0,0 +1,32 @@ +server { + server_name photos.theribbles.org; + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location / { + proxy_pass http://127.0.0.1:10080; + + include "/etc/nginx/proxy-photo-upload.conf"; + proxy_buffering off; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } +} + +server { + if ($host = photos.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + listen 80; + listen [::]:80; + + server_name photos.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/pihole.theribbles.org b/etc/nginx/sites-available/pihole.theribbles.org new file mode 100644 index 0000000..35bdd13 --- /dev/null +++ b/etc/nginx/sites-available/pihole.theribbles.org @@ -0,0 +1,33 @@ +server { + + server_name pihole.theribbles.org; + + allow 192.168.1.0/24; + deny all; + + location ~ { + proxy_pass http://127.0.0.1:10000; + } + + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} + +server { + if ($host = pihole.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name pihole.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/plex.theribbles.org b/etc/nginx/sites-available/plex.theribbles.org new file mode 100644 index 0000000..b41d400 --- /dev/null +++ b/etc/nginx/sites-available/plex.theribbles.org @@ -0,0 +1,97 @@ +# Must be set in the global scope see: https://forum.nginx.org/read.php?2,152294,152294 +# Why this is important especially with Plex as it makes a lot of requests http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html / https://www.peterbe.com/plog/ssl_session_cache-ab +ssl_session_cache shared:SSL:10m; +ssl_session_timeout 10m; + +# Upstream to Plex +upstream plex_backend { + # Set this to the IP address that appears in `ifconfig` (NATTED LAN IP or Public IP address) if you want the bandwidth meter in the server status page to work + server 127.0.0.1:32400; + keepalive 32; +} + +server { + # Enabling http2 can cause some issues with some devices, see #29 - Disable it if you experience issues + listen 443 ssl http2; # http2 can provide a substantial improvement for streaming: https://blog.cloudflare.com/introducing-http2/ + listen [::]:443 ssl http2; + server_name plex.theribbles.org; + + send_timeout 100m; # Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause (e.g. Chrome) + + # Faster resolving, improves stapling time. Timeout and nameservers may need to be adjusted for your location Google's have been used here. + # resolver 8.8.4.4 8.8.8.8 valid=300s; + # resolver_timeout 10s; + + + # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/ + ssl_stapling on; + ssl_stapling_verify on; + + # Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off. (Haven't encountered any yet) + gzip on; + gzip_vary on; + gzip_min_length 1000; + gzip_proxied any; + gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml; + gzip_disable "MSIE [1-6]\."; + + # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones. + # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more + client_max_body_size 100M; + + # Forward real ip and host to Plex + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + # When using ngx_http_realip_module change $proxy_add_x_forwarded_for to '$http_x_forwarded_for,$realip_remote_addr' + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions; + proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key; + proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version; + + # Websockets + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + + # Disables compression between Plex and Nginx, required if using sub_filter below. + # May also improve loading time by a very marginal amount, as nginx will compress anyway. + # proxy_set_header Accept-Encoding ""; + + # Buffering off send to the client as soon as the data is received from Plex. + proxy_redirect off; + proxy_buffering off; + + location / { + # Example of using sub_filter to alter what Plex displays, this disables Plex News. + # sub_filter ',news,' ','; + # sub_filter_once on; + # sub_filter_types text/xml; + proxy_pass http://plex_backend; + } + + # PlexPy forward example, works the same for other services. + # location /plexpy { + # proxy_pass http://127.0.0.1:8181; + #} + + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot +} + + + +server { + if ($host = plex.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name plex.theribbles.org; + return 404; # managed by Certbot + + +} diff --git a/etc/nginx/sites-available/podcast.theribbles.org b/etc/nginx/sites-available/podcast.theribbles.org new file mode 100644 index 0000000..59cdd5d --- /dev/null +++ b/etc/nginx/sites-available/podcast.theribbles.org @@ -0,0 +1,25 @@ +server { + server_name podcast.theribbles.org; + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location ~ { + proxy_pass http://127.0.0.1:10150; + include /etc/nginx/proxy.conf; + } +} + +server { + if ($host = podcast.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + server_name podcast.theribbles.org; + listen 80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/ranbato.familyds.net b/etc/nginx/sites-available/ranbato.familyds.net new file mode 100644 index 0000000..4b76d93 --- /dev/null +++ b/etc/nginx/sites-available/ranbato.familyds.net @@ -0,0 +1,15 @@ +server { + + server_name ranbato.familyds.net; + + location ~ { + proxy_pass http://192.168.1.31:5081; + } + + + listen 80; + listen [::]:80; + + + +} diff --git a/etc/nginx/sites-available/recipes.theribbles.org b/etc/nginx/sites-available/recipes.theribbles.org new file mode 100644 index 0000000..c69b053 --- /dev/null +++ b/etc/nginx/sites-available/recipes.theribbles.org @@ -0,0 +1,29 @@ +server { + + server_name recipes.theribbles.org; + location / { + proxy_pass http://127.0.0.1:10050; + include /etc/nginx/proxy.conf; + } + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + +} + +server { + if ($host = recipes.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name recipes.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/source.theribbles.org b/etc/nginx/sites-available/source.theribbles.org new file mode 100644 index 0000000..2d209d2 --- /dev/null +++ b/etc/nginx/sites-available/source.theribbles.org @@ -0,0 +1,33 @@ +server { + + server_name source.theribbles.org; + location / { + proxy_pass http://127.0.0.1:10110; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forward-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_redirect http://$http_host/ https://$http_host/; + } + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + +} + +server { + if ($host = source.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name source.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/todo-api.theribbles.org b/etc/nginx/sites-available/todo-api.theribbles.org new file mode 100644 index 0000000..7c5b70c --- /dev/null +++ b/etc/nginx/sites-available/todo-api.theribbles.org @@ -0,0 +1,27 @@ +server { + + server_name todo-api.theribbles.org; + + location ~ { + proxy_pass http://127.0.0.1:3456; + include /etc/nginx/proxy.conf; + } + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + +} +server { + if ($host = todo-api.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name todo-api.theribbles.org; + listen 80; + listen [::]:80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/todo.theribbles.org b/etc/nginx/sites-available/todo.theribbles.org new file mode 100644 index 0000000..aa80d90 --- /dev/null +++ b/etc/nginx/sites-available/todo.theribbles.org @@ -0,0 +1,33 @@ +server { + server_name todo.theribbles.org; + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location / { + root /var/opt/todo/frontend/current; + try_files $uri $uri/ /; + index index.html index.htm; + } + location ~* ^/(api|dav|\.well-known)/ { + proxy_pass http://localhost:3456; + include /etc/nginx/proxy.conf; + } +} + +server { + if ($host = todo.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name todo.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/torrents.theribbles.org b/etc/nginx/sites-available/torrents.theribbles.org new file mode 100644 index 0000000..82274ee --- /dev/null +++ b/etc/nginx/sites-available/torrents.theribbles.org @@ -0,0 +1,43 @@ +server { + server_name torrents.theribbles.org; + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location ~ /oauth2/ { + proxy_pass http://127.0.0.1:10031; + include /etc/nginx/proxy.conf; + proxy_set_header X-Auth-Request-Redirect $request_uri; + } + location = /oauth2/auth { + internal; + proxy_pass http://127.0.0.1:10031; + include /etc/nginx/proxy.conf; + proxy_set_header Content-Length ""; + proxy_pass_request_body off; + proxy_set_header X-Original-URI $request_uri; + } + location ~ { + proxy_pass http://127.0.0.1:10140; + include /etc/nginx/proxy.conf; + include /etc/nginx/auth.conf; + } + error_page 401 = /oauth2/sign_in; +} + +server { + if ($host = torrents.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name torrents.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/unifi.theribbles.org b/etc/nginx/sites-available/unifi.theribbles.org new file mode 100644 index 0000000..6d4d7a3 --- /dev/null +++ b/etc/nginx/sites-available/unifi.theribbles.org @@ -0,0 +1,56 @@ +server { + + listen 443 ssl; + listen [::]:443 ssl; + + server_name unifi.theribbles.org; + + client_max_body_size 50m; + + ssl_trusted_certificate /etc/nginx/certificates/unifi.pem; + + # Needed to allow the websockets to forward well. + # Information adopted from here: https://community.ubnt.com/t5/EdgeMAX/Access-Edgemax-gui-via-nginx-reverse-proxy-websocket-problem/td-p/1544354 + location /wss/ { + proxy_pass https://127.0.0.1:8443; + proxy_buffering off; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + # Suggested at + # https://community.ui.com/questions/Websocket-issue-with-Unifi-Controller-behind-nginx/21030109-95b1-47e2-91fb-0153a89dd04d + # Adding it removed a websocket connection failure + proxy_set_header Origin ''; + + proxy_read_timeout 86400; + } + + location / { + proxy_pass https://127.0.0.1:8443; #The UniFi Controller Port + proxy_redirect https://127.0.0.1:8443/ /; + proxy_buffering off; + proxy_read_timeout 60s; + + proxy_http_version 1.1; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forward-For $proxy_add_x_forwarded_for; + } + + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot +} + +server { + if ($host = unifi.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name unifi.theribbles.org; + return 404; # managed by Certbot +} + diff --git a/etc/nginx/sites-available/web-crypto-explorer.theribbles.org b/etc/nginx/sites-available/web-crypto-explorer.theribbles.org new file mode 100644 index 0000000..468b8cc --- /dev/null +++ b/etc/nginx/sites-available/web-crypto-explorer.theribbles.org @@ -0,0 +1,26 @@ +server { + server_name web-crypto-explorer.theribbles.org; + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location ~ { + proxy_pass http://127.0.0.1:10210; + include /etc/nginx/proxy.conf; + proxy_set_header Host $host; + } +} + +server { + if ($host = web-crypto-explorer.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + server_name web-crypto-explorer.theribbles.org; + listen 80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/wiki.suvereno.org b/etc/nginx/sites-available/wiki.suvereno.org new file mode 100644 index 0000000..f540534 --- /dev/null +++ b/etc/nginx/sites-available/wiki.suvereno.org @@ -0,0 +1,26 @@ +server { + server_name wiki.suvereno.org; + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/suvereno.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/suvereno.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location / { + proxy_pass http://127.0.0.1:11100; + + include "/etc/nginx/proxy.conf"; + } +} + +server { + if ($host = wiki.suvereno.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + server_name wiki.suvereno.org; + listen 80; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-available/wiki.theribbles.org b/etc/nginx/sites-available/wiki.theribbles.org new file mode 100644 index 0000000..dc7ebd2 --- /dev/null +++ b/etc/nginx/sites-available/wiki.theribbles.org @@ -0,0 +1,29 @@ +server { + server_name wiki.theribbles.org; + + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + + ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location / { + proxy_pass http://127.0.0.1:10130; + + include "/etc/nginx/proxy.conf"; + } +} + +server { + if ($host = wiki.theribbles.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + listen 80; + listen [::]:80; + + server_name wiki.theribbles.org; + return 404; # managed by Certbot +} diff --git a/etc/nginx/sites-enabled/afaf.theribbles.org b/etc/nginx/sites-enabled/afaf.theribbles.org new file mode 120000 index 0000000..0d8593c --- /dev/null +++ b/etc/nginx/sites-enabled/afaf.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/afaf.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/app-test.theribbles.org b/etc/nginx/sites-enabled/app-test.theribbles.org new file mode 120000 index 0000000..c677587 --- /dev/null +++ b/etc/nginx/sites-enabled/app-test.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/app-test.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/audiobooks.theribbles.org b/etc/nginx/sites-enabled/audiobooks.theribbles.org new file mode 120000 index 0000000..85a971c --- /dev/null +++ b/etc/nginx/sites-enabled/audiobooks.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/audiobooks.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/auth.theribbles.org b/etc/nginx/sites-enabled/auth.theribbles.org new file mode 120000 index 0000000..1c540fa --- /dev/null +++ b/etc/nginx/sites-enabled/auth.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/auth.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/beets.theribbles.org b/etc/nginx/sites-enabled/beets.theribbles.org new file mode 120000 index 0000000..d438876 --- /dev/null +++ b/etc/nginx/sites-enabled/beets.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/beets.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/budget.theribbles.org b/etc/nginx/sites-enabled/budget.theribbles.org new file mode 120000 index 0000000..eae317e --- /dev/null +++ b/etc/nginx/sites-enabled/budget.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/budget.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/chat.theribbles.org b/etc/nginx/sites-enabled/chat.theribbles.org new file mode 120000 index 0000000..4a8beab --- /dev/null +++ b/etc/nginx/sites-enabled/chat.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/chat.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/cloud.theribbles.org b/etc/nginx/sites-enabled/cloud.theribbles.org new file mode 120000 index 0000000..d66b560 --- /dev/null +++ b/etc/nginx/sites-enabled/cloud.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/cloud.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/contacts.theribbles.org b/etc/nginx/sites-enabled/contacts.theribbles.org new file mode 120000 index 0000000..4c04f8b --- /dev/null +++ b/etc/nginx/sites-enabled/contacts.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/contacts.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/db-test.theribbles.org b/etc/nginx/sites-enabled/db-test.theribbles.org new file mode 120000 index 0000000..1bcc7b2 --- /dev/null +++ b/etc/nginx/sites-enabled/db-test.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/db-test.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/default b/etc/nginx/sites-enabled/default new file mode 120000 index 0000000..ad35b83 --- /dev/null +++ b/etc/nginx/sites-enabled/default @@ -0,0 +1 @@ +/etc/nginx/sites-available/default \ No newline at end of file diff --git a/etc/nginx/sites-enabled/docs.theribbles.org b/etc/nginx/sites-enabled/docs.theribbles.org new file mode 120000 index 0000000..35f3d26 --- /dev/null +++ b/etc/nginx/sites-enabled/docs.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/docs.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/email.theribbles.org b/etc/nginx/sites-enabled/email.theribbles.org new file mode 120000 index 0000000..99e576c --- /dev/null +++ b/etc/nginx/sites-enabled/email.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/email.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/email2.theribbles.org b/etc/nginx/sites-enabled/email2.theribbles.org new file mode 120000 index 0000000..23a3d96 --- /dev/null +++ b/etc/nginx/sites-enabled/email2.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/email2.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/home.theribbles.org b/etc/nginx/sites-enabled/home.theribbles.org new file mode 120000 index 0000000..f0d4c56 --- /dev/null +++ b/etc/nginx/sites-enabled/home.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/home.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/mail.theribbles.org b/etc/nginx/sites-enabled/mail.theribbles.org new file mode 120000 index 0000000..776d5c6 --- /dev/null +++ b/etc/nginx/sites-enabled/mail.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/mail.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/matrix.theribbles.org b/etc/nginx/sites-enabled/matrix.theribbles.org new file mode 120000 index 0000000..6865d8e --- /dev/null +++ b/etc/nginx/sites-enabled/matrix.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/matrix.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/media.theribbles.org b/etc/nginx/sites-enabled/media.theribbles.org new file mode 120000 index 0000000..258518a --- /dev/null +++ b/etc/nginx/sites-enabled/media.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/media.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/oauth.theribbles.org b/etc/nginx/sites-enabled/oauth.theribbles.org new file mode 120000 index 0000000..5d9e029 --- /dev/null +++ b/etc/nginx/sites-enabled/oauth.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/oauth.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/passwords.theribbles.org b/etc/nginx/sites-enabled/passwords.theribbles.org new file mode 120000 index 0000000..41c459d --- /dev/null +++ b/etc/nginx/sites-enabled/passwords.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/passwords.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/photos.theribbles.org b/etc/nginx/sites-enabled/photos.theribbles.org new file mode 120000 index 0000000..ad5ef47 --- /dev/null +++ b/etc/nginx/sites-enabled/photos.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/photos.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/pihole.theribbles.org b/etc/nginx/sites-enabled/pihole.theribbles.org new file mode 120000 index 0000000..ae64fdf --- /dev/null +++ b/etc/nginx/sites-enabled/pihole.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/pihole.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/plex.theribbles.org b/etc/nginx/sites-enabled/plex.theribbles.org new file mode 120000 index 0000000..8807319 --- /dev/null +++ b/etc/nginx/sites-enabled/plex.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/plex.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/podcast.theribbles.org b/etc/nginx/sites-enabled/podcast.theribbles.org new file mode 120000 index 0000000..5953262 --- /dev/null +++ b/etc/nginx/sites-enabled/podcast.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/podcast.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/ranbato.familydns.net b/etc/nginx/sites-enabled/ranbato.familydns.net new file mode 120000 index 0000000..b7f17fd --- /dev/null +++ b/etc/nginx/sites-enabled/ranbato.familydns.net @@ -0,0 +1 @@ +/etc/nginx/sites-available/ranbato.familyds.net \ No newline at end of file diff --git a/etc/nginx/sites-enabled/recipes.theribbles.org b/etc/nginx/sites-enabled/recipes.theribbles.org new file mode 120000 index 0000000..982bcc7 --- /dev/null +++ b/etc/nginx/sites-enabled/recipes.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/recipes.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/source.theribbles.org b/etc/nginx/sites-enabled/source.theribbles.org new file mode 120000 index 0000000..35aec71 --- /dev/null +++ b/etc/nginx/sites-enabled/source.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/source.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/todo.theribbles.org b/etc/nginx/sites-enabled/todo.theribbles.org new file mode 120000 index 0000000..6d9f1ec --- /dev/null +++ b/etc/nginx/sites-enabled/todo.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/todo.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/torrents.theribbles.org b/etc/nginx/sites-enabled/torrents.theribbles.org new file mode 120000 index 0000000..f73b27a --- /dev/null +++ b/etc/nginx/sites-enabled/torrents.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/torrents.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/unifi.theribbles.org b/etc/nginx/sites-enabled/unifi.theribbles.org new file mode 120000 index 0000000..01b4d00 --- /dev/null +++ b/etc/nginx/sites-enabled/unifi.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/unifi.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/web-crypto-explorer.theribbles.org b/etc/nginx/sites-enabled/web-crypto-explorer.theribbles.org new file mode 120000 index 0000000..513cd99 --- /dev/null +++ b/etc/nginx/sites-enabled/web-crypto-explorer.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/web-crypto-explorer.theribbles.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/wiki.suvereno.org b/etc/nginx/sites-enabled/wiki.suvereno.org new file mode 120000 index 0000000..67cf555 --- /dev/null +++ b/etc/nginx/sites-enabled/wiki.suvereno.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/wiki.suvereno.org \ No newline at end of file diff --git a/etc/nginx/sites-enabled/wiki.theribbles.org b/etc/nginx/sites-enabled/wiki.theribbles.org new file mode 120000 index 0000000..0957af4 --- /dev/null +++ b/etc/nginx/sites-enabled/wiki.theribbles.org @@ -0,0 +1 @@ +/etc/nginx/sites-available/wiki.theribbles.org \ No newline at end of file diff --git a/etc/nginx/snippets/auth-oauth2.conf b/etc/nginx/snippets/auth-oauth2.conf new file mode 100644 index 0000000..c5e3936 --- /dev/null +++ b/etc/nginx/snippets/auth-oauth2.conf @@ -0,0 +1,10 @@ +auth_request /oauth2/auth; +error_page 401 = /oauth2/sign_in; + +auth_request_set $user $upstream_http_x_auth_request_user; +auth_request_set $email $upstream_http_x_auth_request_email; +auth_request_set $auth_cookie $upstream_http_set_cookie; +proxy_set_header X-User $user; +proxy_set_header X-Email $email; + +add_header Set-Cookie $auth_cookie; diff --git a/etc/nginx/snippets/fastcgi-php.conf b/etc/nginx/snippets/fastcgi-php.conf new file mode 100644 index 0000000..de38b33 --- /dev/null +++ b/etc/nginx/snippets/fastcgi-php.conf @@ -0,0 +1,14 @@ +# regex to split $uri to $fastcgi_script_name and $fastcgi_path +fastcgi_split_path_info ^(.+?\.php)(/.*)$; + + +# Bypass the fact that try_files resets $fastcgi_path_info +# see: http://trac.nginx.org/nginx/ticket/321 +set $path_info $fastcgi_path_info; +fastcgi_param PATH_INFO $path_info; + +# Mitigate https://httpoxy.org/ vulnerabilities +fastcgi_param HTTP_PROXY ""; + +fastcgi_index index.php; +include snippets/fastcgi.conf; diff --git a/etc/nginx/snippets/fastcgi.conf b/etc/nginx/snippets/fastcgi.conf new file mode 100644 index 0000000..091738c --- /dev/null +++ b/etc/nginx/snippets/fastcgi.conf @@ -0,0 +1,26 @@ + +fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; diff --git a/etc/nginx/snippets/snakeoil.conf b/etc/nginx/snippets/snakeoil.conf new file mode 100644 index 0000000..ad26c3e --- /dev/null +++ b/etc/nginx/snippets/snakeoil.conf @@ -0,0 +1,5 @@ +# Self signed certificates generated by the ssl-cert package +# Don't use them in a production server! + +ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; +ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; diff --git a/etc/nginx/uwsgi_params b/etc/nginx/uwsgi_params new file mode 100644 index 0000000..09c732c --- /dev/null +++ b/etc/nginx/uwsgi_params @@ -0,0 +1,17 @@ + +uwsgi_param QUERY_STRING $query_string; +uwsgi_param REQUEST_METHOD $request_method; +uwsgi_param CONTENT_TYPE $content_type; +uwsgi_param CONTENT_LENGTH $content_length; + +uwsgi_param REQUEST_URI $request_uri; +uwsgi_param PATH_INFO $document_uri; +uwsgi_param DOCUMENT_ROOT $document_root; +uwsgi_param SERVER_PROTOCOL $server_protocol; +uwsgi_param REQUEST_SCHEME $scheme; +uwsgi_param HTTPS $https if_not_empty; + +uwsgi_param REMOTE_ADDR $remote_addr; +uwsgi_param REMOTE_PORT $remote_port; +uwsgi_param SERVER_PORT $server_port; +uwsgi_param SERVER_NAME $server_name; diff --git a/etc/nginx/win-utf b/etc/nginx/win-utf new file mode 100644 index 0000000..774fd9f --- /dev/null +++ b/etc/nginx/win-utf @@ -0,0 +1,125 @@ +# This map is not a full windows-1251 <> utf8 map: it does not +# contain Serbian and Macedonian letters. If you need a full map, +# use contrib/unicode2nginx/win-utf map instead. + +charset_map windows-1251 utf-8 { + + 82 E2809A; # single low-9 quotation mark + + 84 E2809E; # double low-9 quotation mark + 85 E280A6; # ellipsis + 86 E280A0; # dagger + 87 E280A1; # double dagger + 88 E282AC; # euro + 89 E280B0; # per mille + + 91 E28098; # left single quotation mark + 92 E28099; # right single quotation mark + 93 E2809C; # left double quotation mark + 94 E2809D; # right double quotation mark + 95 E280A2; # bullet + 96 E28093; # en dash + 97 E28094; # em dash + + 99 E284A2; # trade mark sign + + A0 C2A0; #   + A1 D18E; # capital Byelorussian short U + A2 D19E; # small Byelorussian short u + + A4 C2A4; # currency sign + A5 D290; # capital Ukrainian soft G + A6 C2A6; # borken bar + A7 C2A7; # section sign + A8 D081; # capital YO + A9 C2A9; # (C) + AA D084; # capital Ukrainian YE + AB C2AB; # left-pointing double angle quotation mark + AC C2AC; # not sign + AD C2AD; # soft hypen + AE C2AE; # (R) + AF D087; # capital Ukrainian YI + + B0 C2B0; # ° + B1 C2B1; # plus-minus sign + B2 D086; # capital Ukrainian I + B3 D196; # small Ukrainian i + B4 D291; # small Ukrainian soft g + B5 C2B5; # micro sign + B6 C2B6; # pilcrow sign + B7 C2B7; # · + B8 D191; # small yo + B9 E28496; # numero sign + BA D194; # small Ukrainian ye + BB C2BB; # right-pointing double angle quotation mark + + BF D197; # small Ukrainian yi + + C0 D090; # capital A + C1 D091; # capital B + C2 D092; # capital V + C3 D093; # capital G + C4 D094; # capital D + C5 D095; # capital YE + C6 D096; # capital ZH + C7 D097; # capital Z + C8 D098; # capital I + C9 D099; # capital J + CA D09A; # capital K + CB D09B; # capital L + CC D09C; # capital M + CD D09D; # capital N + CE D09E; # capital O + CF D09F; # capital P + + D0 D0A0; # capital R + D1 D0A1; # capital S + D2 D0A2; # capital T + D3 D0A3; # capital U + D4 D0A4; # capital F + D5 D0A5; # capital KH + D6 D0A6; # capital TS + D7 D0A7; # capital CH + D8 D0A8; # capital SH + D9 D0A9; # capital SHCH + DA D0AA; # capital hard sign + DB D0AB; # capital Y + DC D0AC; # capital soft sign + DD D0AD; # capital E + DE D0AE; # capital YU + DF D0AF; # capital YA + + E0 D0B0; # small a + E1 D0B1; # small b + E2 D0B2; # small v + E3 D0B3; # small g + E4 D0B4; # small d + E5 D0B5; # small ye + E6 D0B6; # small zh + E7 D0B7; # small z + E8 D0B8; # small i + E9 D0B9; # small j + EA D0BA; # small k + EB D0BB; # small l + EC D0BC; # small m + ED D0BD; # small n + EE D0BE; # small o + EF D0BF; # small p + + F0 D180; # small r + F1 D181; # small s + F2 D182; # small t + F3 D183; # small u + F4 D184; # small f + F5 D185; # small kh + F6 D186; # small ts + F7 D187; # small ch + F8 D188; # small sh + F9 D189; # small shch + FA D18A; # small hard sign + FB D18B; # small y + FC D18C; # small soft sign + FD D18D; # small e + FE D18E; # small yu + FF D18F; # small ya +}