Compare commits
10 Commits
Author | SHA1 | Date | |
---|---|---|---|
1911785da4 | |||
2023d87e87 | |||
da6dfcc4a2 | |||
e379d852f0 | |||
d39c70098a | |||
05dd6efc70 | |||
e0758ee12e | |||
d91e920219 | |||
6bf4eba59a | |||
4a4cd29472 |
3
.gitignore
vendored
3
.gitignore
vendored
@@ -1,5 +1,8 @@
|
||||
*.j2
|
||||
site/
|
||||
letsencrypt/
|
||||
letsencrypt_certs/
|
||||
nginx.conf.default
|
||||
conf.d/
|
||||
conf.d_templates/http.DOMAIN.conf
|
||||
conf.d_templates/https.DOMAIN.conf
|
||||
|
1
conf.d/csp.conf
Normal file
1
conf.d/csp.conf
Normal file
@@ -0,0 +1 @@
|
||||
add_header Content-Security-Policy-Report-Only "default-src 'self' 'unsafe-inline' 'unsafe-eval';";
|
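Review bot: The Report-Only policy on this line carries no `report-uri`/`report-to` directive, so violations are neither enforced nor reported anywhere, and `'unsafe-inline' 'unsafe-eval'` in `default-src` leaves inline script and eval unrestricted even once the header is switched to enforcing; the identical line is repeated in conf.d/giteacsp.conf below. If this is a staging step, give it a reporting endpoint, e.g. `add_header Content-Security-Policy-Report-Only "default-src 'self' 'unsafe-inline' 'unsafe-eval'; report-uri <REPORT-ENDPOINT-PLACEHOLDER>;";`, and consider dropping `'unsafe-eval'` first, since nothing in this compare shows it is required. Note also that nginx `add_header` directives are inherited into a `location` only when that location declares no `add_header` of its own, so a server-level include of this file silently disappears in any location that adds a header.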
1
conf.d/giteacsp.conf
Normal file
1
conf.d/giteacsp.conf
Normal file
@@ -0,0 +1 @@
|
||||
add_header Content-Security-Policy-Report-Only "default-src 'self' 'unsafe-inline' 'unsafe-eval';";
|
29
conf.d/http.DOMAIN.conf.j2
Normal file
29
conf.d/http.DOMAIN.conf.j2
Normal file
@@ -0,0 +1,29 @@
|
||||
####################
|
||||
#
|
||||
# {{ server_name_default }}
|
||||
# http/{{ port_default }}
|
||||
#
|
||||
# basically, just redirects to https
|
||||
#
|
||||
####################
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name {{ server_name_default }};
|
||||
return 301 https://{{ server_name_default }}$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name www.{{ server_name_default }};
|
||||
return 301 https://www.{{ server_name_default }}$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name git.{{ server_name_default }};
|
||||
return 301 https://git.{{ server_name_default }}$request_uri;
|
||||
}
|
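Review bot: The header comment of this new file says `# http/{{ port_default }}`, but every server block hardcodes `listen 80;` and `listen [::]:80;`, whereas the template being removed (the `@@ -1,72 +0,0 @@` hunk near the end of this compare) used `listen {{ port_default }};`; either change the comment to `# http/80` or restore the variable so the comment and the deployed port cannot drift. None of the three port-80 blocks is marked `default_server`, so a request with an unknown or absent Host header lands in the first block and is redirected to https://{{ server_name_default }}; that is probably intended, but a one-line comment stating it would save the next reader a check.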
@@ -1,27 +1,27 @@
|
||||
####################
|
||||
#
|
||||
# {{ server_name_default }}
|
||||
# https/{{ port_ssl_default }}
|
||||
# https/443
|
||||
#
|
||||
# {{ server_name_default }} and www.{{ server_name_default }}
|
||||
# should handle the following cases:
|
||||
# - w/ and wiki/ should reverse proxy story_mw
|
||||
# - phpMyAdmin/ should reverse proxy stormy_myadmin
|
||||
# - gitea subdomain should reverse proxy stormy_gitea
|
||||
#
|
||||
####################
|
||||
|
||||
|
||||
# default
|
||||
server {
|
||||
listen {{ port_ssl_default }} ssl;
|
||||
listen [::]:{{ port_ssl_default }} ssl;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
server_name {{ server_name_default }} default_server;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/{{ server_name_default }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ server_name_default }}/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
|
||||
client_max_body_size 100m;
|
||||
include /etc/nginx/conf.d/secheaders.conf;
|
||||
include /etc/nginx/conf.d/csp.conf;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ =404;
|
||||
@@ -43,13 +43,6 @@ server {
|
||||
proxy_pass http://stormy_mw:8989/w/;
|
||||
}
|
||||
|
||||
#location /phpMyAdmin/ {
|
||||
# proxy_set_header X-Real-IP $remote_addr;
|
||||
# proxy_set_header X-Forwarded-For $remote_addr;
|
||||
# proxy_set_header Host $host;
|
||||
# proxy_pass http://stormy_myadmin:80/;
|
||||
#}
|
||||
|
||||
# ~ means case-sensitive regex match, rather than string literal
|
||||
# (ignores .git, .gitignore, etc.)
|
||||
location ~ /\.git {
|
||||
@@ -60,15 +53,15 @@ server {
|
||||
|
||||
# www
|
||||
server {
|
||||
listen {{ port_ssl_default }} ssl;
|
||||
listen [::]:{{ port_ssl_default }} ssl;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
server_name www.{{ server_name_default }};
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/www.{{ server_name_default }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/www.{{ server_name_default }}/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
|
||||
client_max_body_size 100m;
|
||||
include /etc/nginx/conf.d/secheaders.conf;
|
||||
include /etc/nginx/conf.d/csp.conf;
|
||||
|
||||
root /www/{{ server_name_default }}/htdocs;
|
||||
|
||||
@@ -91,13 +84,6 @@ server {
|
||||
proxy_pass http://stormy_mw:8989/w/;
|
||||
}
|
||||
|
||||
#location /phpMyAdmin/ {
|
||||
# proxy_set_header X-Real-IP $remote_addr;
|
||||
# proxy_set_header X-Forwarded-For $remote_addr;
|
||||
# proxy_set_header Host $host;
|
||||
# proxy_pass http://stormy_myadmin:80/;
|
||||
#}
|
||||
|
||||
location ~ /\.git {
|
||||
deny all;
|
||||
}
|
||||
@@ -106,15 +92,15 @@ server {
|
||||
|
||||
# gitea
|
||||
server {
|
||||
listen {{ port_ssl_gitea}} ssl;
|
||||
listen [::]:{{ port_ssl_gitea }} ssl;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
server_name git.{{ server_name_default }};
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/git.{{ server_name_default }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/git.{{ server_name_default }}/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
|
||||
client_max_body_size 100m;
|
||||
include /etc/nginx/conf.d/secheaders.conf;
|
||||
include /etc/nginx/conf.d/giteacsp.conf;
|
||||
|
||||
location / {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
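Review bot: Each server block in this template sets `client_max_body_size 100m;` and a few lines later includes /etc/nginx/conf.d/secheaders.conf, which (per the new file further down in this compare) also contains `client_max_body_size 100m;`; nginx rejects a second `client_max_body_size` in the same context with an "is duplicate" error, so this looks likely to fail `nginx -t` unless the in-block line is only on the removed side, which this render does not show. Removing the directive from secheaders.conf, which is meant to hold headers, is the smaller fix. Separately, `listen {{ port_ssl_gitea}} ssl;` is missing the space before `}}` that every other template expression has, and listening on both `{{ port_ssl_default }}` and `443` in the same server block becomes a duplicate listen if the variable resolves to 443. The file header for this section is not shown; from the .gitignore change it appears to be conf.d/https.DOMAIN.conf.j2.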
8
conf.d/secheaders.conf
Normal file
8
conf.d/secheaders.conf
Normal file
@@ -0,0 +1,8 @@
|
||||
server_tokens off;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
|
||||
client_max_body_size 100m;
|
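Review bot: This file is included at server level, but nginx inherits `add_header` directives into a `location` only when that location declares no `add_header` of its own, so any location that later adds a header silently loses HSTS, X-Frame-Options and the rest; a comment at the top should state this, e.g. `# NOTE: add_header is not inherited into a location that sets its own add_header; re-include this file there.` The trailing `client_max_body_size 100m;` is not a header and belongs in the server or http context, where the including server blocks already set it. `X-XSS-Protection "1; mode=block"` is deprecated and current guidance is to send `X-XSS-Protection 0;` and rely on CSP, which this change only deploys in report-only mode.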
@@ -1,71 +0,0 @@
|
||||
####################
|
||||
#
|
||||
# charlesreid1.com
|
||||
# http/80
|
||||
#
|
||||
# basically, just redirects to https
|
||||
#
|
||||
####################
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name charlesreid1.com;
|
||||
location / {
|
||||
return 301 https://charlesreid1.com$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name www.charlesreid1.com;
|
||||
location / {
|
||||
return 301 https://www.charlesreid1.com$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name git.charlesreid1.com;
|
||||
location / {
|
||||
return 301 https://git.charlesreid1.com$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name pages.charlesreid1.com;
|
||||
location / {
|
||||
return 301 https://pages.charlesreid1.com$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name hooks.charlesreid1.com;
|
||||
location / {
|
||||
return 301 https://hooks.charlesreid1.com$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name bots.charlesreid1.com;
|
||||
location / {
|
||||
return 301 https://bots.charlesreid1.com$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
### server {
|
||||
### listen 80;
|
||||
### listen [::]:80;
|
||||
### server_name files.charlesreid1.com;
|
||||
### location / {
|
||||
### return 301 https://files.charlesreid1.com$request_uri;
|
||||
### }
|
||||
### }
|
@@ -1,148 +0,0 @@
|
||||
####################
|
||||
#
|
||||
# charlesreid1.com
|
||||
# https/443
|
||||
#
|
||||
# charlesreid1.com and www.charlesreid1.com
|
||||
# should handle the following cases:
|
||||
# - w/ and wiki/ should reverse proxy story_mw
|
||||
# - phpMyAdmin/ should reverse proxy stormy_myadmin
|
||||
#
|
||||
# git.charlesreid1.com should handle:
|
||||
# - all requests should reverse proxy stormy_gitea
|
||||
#
|
||||
####################
|
||||
|
||||
|
||||
# default
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
server_name charlesreid1.com default_server;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/charlesreid1.com/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/charlesreid1.com/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
|
||||
client_max_body_size 100m;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ =404;
|
||||
root /www/charlesreid1.com/htdocs;
|
||||
index index.html;
|
||||
}
|
||||
|
||||
location /wiki/ {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass http://stormy_mw:8989/wiki/;
|
||||
}
|
||||
|
||||
location /w/ {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass http://stormy_mw:8989/w/;
|
||||
}
|
||||
|
||||
#location /phpMyAdmin/ {
|
||||
# proxy_set_header X-Real-IP $remote_addr;
|
||||
# proxy_set_header X-Forwarded-For $remote_addr;
|
||||
# proxy_set_header Host $host;
|
||||
# proxy_pass http://stormy_myadmin:80/;
|
||||
#}
|
||||
|
||||
# ~ means case-sensitive regex match, rather than string literal
|
||||
# (ignores .git, .gitignore, etc.)
|
||||
location ~ /\.git {
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# www
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
server_name www.charlesreid1.com;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/www.charlesreid1.com/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/www.charlesreid1.com/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
|
||||
client_max_body_size 100m;
|
||||
|
||||
root /www/charlesreid1.com/htdocs;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ =404;
|
||||
index index.html;
|
||||
}
|
||||
|
||||
location /wiki/ {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass http://stormy_mw:8989/wiki/;
|
||||
}
|
||||
|
||||
location /w/ {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass http://stormy_mw:8989/w/;
|
||||
}
|
||||
|
||||
#location /phpMyAdmin/ {
|
||||
# proxy_set_header X-Real-IP $remote_addr;
|
||||
# proxy_set_header X-Forwarded-For $remote_addr;
|
||||
# proxy_set_header Host $host;
|
||||
# proxy_pass http://stormy_myadmin:80/;
|
||||
#}
|
||||
|
||||
location ~ /\.git {
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# gitea
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
server_name git.charlesreid1.com;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/git.charlesreid1.com/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/git.charlesreid1.com/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
|
||||
client_max_body_size 100m;
|
||||
|
||||
location / {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass http://stormy_gitea:3000/;
|
||||
}
|
||||
}
|
||||
|
||||
### # files
|
||||
### server {
|
||||
### listen 443 ssl;
|
||||
### listen [::]:443 ssl;
|
||||
### server_name files.charlesreid1.com;
|
||||
###
|
||||
### ssl_certificate /etc/letsencrypt/live/files.charlesreid1.com/fullchain.pem;
|
||||
### ssl_certificate_key /etc/letsencrypt/live/files.charlesreid1.com/privkey.pem;
|
||||
### include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
###
|
||||
### client_max_body_size 100m;
|
||||
###
|
||||
### location / {
|
||||
### proxy_set_header X-Real-IP $remote_addr;
|
||||
### proxy_set_header X-Forwarded-For $remote_addr;
|
||||
### proxy_set_header Host $host;
|
||||
### proxy_pass http://stormy_files:8081/;
|
||||
### }
|
||||
### }
|
@@ -1,101 +0,0 @@
|
||||
####################
|
||||
#
|
||||
# charlesreid1.com
|
||||
# https/443
|
||||
#
|
||||
# charlesreid1.com subdomains
|
||||
# reverse-proxied by the server
|
||||
# running pod-webhooks.
|
||||
# - pages.charlesreid1.com
|
||||
# - hooks.charlesreid1.com
|
||||
# - bots.charlesreid1.com
|
||||
#
|
||||
# address of pod-webhooks server:
|
||||
# localhost
|
||||
####################
|
||||
|
||||
|
||||
# pages
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
server_name pages.charlesreid1.com;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/pages.charlesreid1.com/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/pages.charlesreid1.com/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
|
||||
client_max_body_size 100m;
|
||||
port_in_redirect off;
|
||||
|
||||
location / {
|
||||
# https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass http://localhost:7777/;
|
||||
proxy_redirect http://localhost:7777/ http://pages.charlesreid1.com/;
|
||||
}
|
||||
}
|
||||
|
||||
# webhooks
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
server_name hooks.charlesreid1.com;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/hooks.charlesreid1.com/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/hooks.charlesreid1.com/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
|
||||
client_max_body_size 100m;
|
||||
|
||||
gzip on;
|
||||
gzip_http_version 1.0;
|
||||
gzip_proxied any;
|
||||
gzip_min_length 500;
|
||||
gzip_disable "MSIE [1-6]\.";
|
||||
gzip_types text/plain text/xml text/css
|
||||
text/comma-separated-values
|
||||
text/javascript
|
||||
application/x-javascript
|
||||
application/atom+xml;
|
||||
|
||||
location / {
|
||||
# / takes user to static hooks subdomain page
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass http://localhost:7778;
|
||||
}
|
||||
|
||||
location /webhook {
|
||||
# /webhook* anything takes user to port 5000, api
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass http://localhost:5000/webhook;
|
||||
}
|
||||
}
|
||||
|
||||
# bots
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
server_name bots.charlesreid1.com;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/bots.charlesreid1.com/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/bots.charlesreid1.com/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
|
||||
client_max_body_size 100m;
|
||||
port_in_redirect off;
|
||||
|
||||
location / {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass http://localhost:7779;
|
||||
proxy_redirect http://localhost:7779/ http://bots.charlesreid1.com/;
|
||||
}
|
||||
}
|
@@ -1,72 +0,0 @@
|
||||
####################
|
||||
#
|
||||
# {{ server_name_default }}
|
||||
# http/{{ port_default }}
|
||||
#
|
||||
# basically, just redirects to https
|
||||
#
|
||||
####################
|
||||
|
||||
server {
|
||||
listen {{ port_default }};
|
||||
listen [::]:{{ port_default }};
|
||||
server_name {{ server_name_default }};
|
||||
location / {
|
||||
return 301 https://{{ server_name_default }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen {{ port_default }};
|
||||
listen [::]:{{ port_default }};
|
||||
server_name www.{{ server_name_default }};
|
||||
location / {
|
||||
return 301 https://www.{{ server_name_default }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen {{ port_gitea }};
|
||||
listen [::]:{{ port_gitea }};
|
||||
server_name git.{{ server_name_default }};
|
||||
location / {
|
||||
return 301 https://git.{{ server_name_default }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
#server {
|
||||
# listen {{ port_pages }};
|
||||
# listen [::]:{{ port_pages }};
|
||||
# server_name pages.{{ server_name_default }};
|
||||
# location / {
|
||||
# return 301 https://pages.{{ server_name_default }}$request_uri;
|
||||
# }
|
||||
#}
|
||||
|
||||
#server {
|
||||
# listen {{ port_hooks }};
|
||||
# listen [::]:{{ port_hooks }};
|
||||
# server_name hooks.{{ server_name_default }};
|
||||
# location / {
|
||||
# return 301 https://hooks.{{ server_name_default }}$request_uri;
|
||||
# }
|
||||
#}
|
||||
|
||||
#server {
|
||||
# listen {{ port_bots }};
|
||||
# listen [::]:{{ port_bots }};
|
||||
# server_name bots.{{ server_name_default }};
|
||||
# location / {
|
||||
# return 301 https://bots.{{ server_name_default }}$request_uri;
|
||||
# }
|
||||
#}
|
||||
|
||||
### server {
|
||||
### listen {{ port_files }};
|
||||
### listen [::]:{{ port_files }};
|
||||
### server_name files.{{ server_name_default }};
|
||||
### location / {
|
||||
### return 301 https://files.{{ server_name_default }}$request_uri;
|
||||
### }
|
||||
### }
|
||||
|
@@ -1,32 +0,0 @@
|
||||
####################
|
||||
#
|
||||
# {{ server_name_default }}
|
||||
# https/{{ port_ssl_default }}
|
||||
#
|
||||
# charlesreid1.com subdomains
|
||||
# reverse-proxied by the server
|
||||
####################
|
||||
|
||||
|
||||
# # pages
|
||||
# server {
|
||||
# listen {{ port_ssl_pages }} ssl;
|
||||
# listen [::]:{{ port_ssl_pages }} ssl;
|
||||
# server_name pages.{{ server_name_default }};
|
||||
#
|
||||
# ssl_certificate /etc/letsencrypt/live/pages.{{ server_name_default }}/fullchain.pem;
|
||||
# ssl_certificate_key /etc/letsencrypt/live/pages.{{ server_name_default }}/privkey.pem;
|
||||
# include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
#
|
||||
# client_max_body_size 100m;
|
||||
# port_in_redirect off;
|
||||
#
|
||||
# location / {
|
||||
# # https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/
|
||||
# proxy_set_header X-Real-IP $remote_addr;
|
||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
# proxy_set_header Host $host;
|
||||
# proxy_pass http://{{ nginx_subdomains_ip }}:7777/;
|
||||
# proxy_redirect http://{{ nginx_subdomains_ip }}:7777/ http://pages.{{ server_name_default }}/;
|
||||
# }
|
||||
# }
|