Initial nginx run 01/05

Signed-off-by: Georg <georg@lysergic.dev>
This commit is contained in:
Georg Pfuetzenreuter 2021-08-30 20:38:56 +02:00
parent 4b1683d4ed
commit 89f7cffd73
Signed by: Georg
GPG Key ID: 1DAF57F49F8E8F22
14 changed files with 1201 additions and 0 deletions

15
nginx/01/adminer.conf Normal file
View File

@ -0,0 +1,15 @@
#include php-fpm;
server {
listen 192.168.0.110:8084 ssl;
server_name adminer-local.one.secure.squirrelcube.xyz;
root /mnt/gluster01/web/adminer1;
index adminer.php;
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
location / {
}
include php;
}

41
nginx/01/dnsui.conf Normal file
View File

@ -0,0 +1,41 @@
server {
listen 192.168.0.110:8084 ssl;
server_name dnsui-local.one.secure.squirrelcube.xyz;
root /mnt/gluster01/web/dnsui1/public_html;
index init.php;
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
# auth_basic "NS1 Intranet";
# auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
location / {
try_files $uri $uri/ @php;
auth_basic "NS1 Intranet";
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
}
location @php {
rewrite ^/(.*)$ /init.php/$1 last;
auth_basic "NS1 Intranet";
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
}
location /init.php {
fastcgi_pass 172.168.100.1:9100;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
auth_basic "NS1 Intranet";
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
}
location /info.php {
fastcgi_pass 172.168.100.1:9100;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
auth_basic "NS1 Intranet";
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
}
error_log /var/log/nginx/dnsui1.log;
}

123
nginx/01/hidden.conf Normal file
View File

@ -0,0 +1,123 @@
server {
# server_name localhost;
listen 127.0.0.1:9191;
root /mnt/gluster01/web/liberta.casa;
}
server {
server_name qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion;
listen 127.0.0.1:9191;
autoindex off;
port_in_redirect off;
location /kiwi/static/config.json {
root /mnt/gluster01/web/liberta.casa;
rewrite ^/kiwi/static/config.json$ /kiwi_onion/static/config.json;
}
location /kiwi {
root /mnt/gluster01/web/liberta.casa;
index index.html;
try_files $uri $uri/ =404;
}
location / {
root /srv/www/liberta.casa/static/website;
index index.html;
}
location /register {
proxy_pass http://127.0.0.1:8965;
add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
}
location /libcasa {
root /srv/www/superseriousstats/libertacasa;
index index.html;
location ~ \.php$ {
fastcgi_pass 172.168.100.1:9100;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
location /libcasa.info {
root /srv/www/superseriousstats/libertacasa;
index index.html;
location ~ \.php$ {
fastcgi_pass 172.168.100.1:9100;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
location /gamja {
root /srv/www/gamja;
index index.html;
}
location /socket {
proxy_pass http://192.168.0.110:8068;
proxy_read_timeout 600s;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /convos {
rewrite ^/convos/?(.*)$ /$1 break;
proxy_pass http://[::1]:8089;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Request-Base "$scheme://$host/convos";
}
location /candy {
root /srv/www/candy/;
index index.html;
add_header Access-Control-Allow-Origin *;
}
location /candy-source {
root /srv/www/candy/;
}
error_log /var/log/nginx/liberta.casa.err;
#location / {
# root /srv/www/liberta.casa;
# try_files $uri $uri/ =404;
#}
location /webirc {
proxy_pass http://127.0.0.2:6669;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
#server {
# server_name cr36xbvmgjwnfw4sly4kuc6c3ozhesjre3y5pggq5xdkkmbrq6dz4fad.onion;
# listen 9191;
#
# location /webirc {
# proxy_pass http://127.0.0.2:6668;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "Upgrade";
# proxy_set_header X-Forwarded-For $remote_addr;
# proxy_set_header X-Forwarded-Proto $scheme;
# }
#}

11
nginx/01/http.conf Normal file
View File

@ -0,0 +1,11 @@
#server {
# listen 81.16.19.64:80 default_server;
# listen 45.129.182.13:80 default_server;
# listen [2a03:4000:47:58a::]:80 default_server;
# return 302 https://$host$request_uri;
#}
server {
listen 80 default_server;
return 302 https://$host$request_uri;
}

79
nginx/01/keycloak.conf Normal file
View File

@ -0,0 +1,79 @@
server {
listen 127.0.0.1:443 ssl http2;
server_name wildfly-keycloak-prod-theia.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://127.0.0.5:10090;
proxy_set_header Host $host:10090;
proxy_set_header Origin http://$host:10090;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_headers on;
}
}
server {
listen 127.0.0.1:443 ssl http2;
server_name keycloak-prod-theia.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://192.168.0.110:8180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
##
## PRODUCTION CONFIG
## Keycloak Frontend Load Balancer
## Instance: theia
##
proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;
upstream jboss {
ip_hash;
server 192.168.0.110:8843;
server 192.168.0.115:8843;
server 192.168.0.120:8843;
}
server {
listen 81.16.19.64:443 ssl http2;
listen [2a03:4000:47:58a::]:443 ssl http2;
server_name sso.casa;
ssl_certificate /etc/ssl/lego/certificates/libertacasa.net.crt;
ssl_certificate_key /etc/ssl/lego/certificates/libertacasa.net.key;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers on;
#location = / {
# return 302 /auth/;
#}
location / {
proxy_pass https://jboss;
proxy_cache backcache;
proxy_ssl_verify off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
proxy_buffer_size 256k;
proxy_buffers 4 512k;
proxy_busy_buffers_size 512k;
}

5
nginx/01/lan.conf Normal file
View File

@ -0,0 +1,5 @@
server {
listen 127.0.0.2:80;
server_name theia.local;
root /srv/www/lan;
}

209
nginx/01/liberta.casa.conf Normal file
View File

@ -0,0 +1,209 @@
server {
server_name libertacasa.xyz libertacasa.info libcasa.info www.libertacasa.xyz www.libertacasa.info www.libcasa.info www.lib.casa www.liberta.casa;
listen 81.16.19.64:443 ssl http2;
listen [2a03:4000:47:58a::]:443 ssl http2;
#listen [::]:443 ssl http2;
root /srv/www/liberta.casa/static/website;
ssl_certificate /etc/ssl/lego/certificates/liberta.casa.crt;
ssl_certificate_key /etc/ssl/lego/certificates/liberta.casa.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 127.0.0.4;
return 302 https://liberta.casa;
}
server {
server_name libertacasa.net libsh.net libsh.com libsso.net libsso.com;
listen 81.16.19.64:443 ssl http2;
root /srv/www/liberta.casa/static/website;
ssl_certificate /etc/ssl/lego/certificates/libertacasa.net.crt;
ssl_certificate_key /etc/ssl/lego/certificates/libertacasa.net.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 127.0.0.4;
return 302 https://liberta.casa;
}
server {
server_name liberta.casa lib.casa;
listen 81.16.19.64:443 ssl http2;
listen [2a03:4000:47:58a::]:443 ssl http2;
#listen [::]:443 ssl http2;
root /srv/www/liberta.casa/static/website;
ssl_certificate /etc/ssl/lego/certificates/liberta.casa.crt;
ssl_certificate_key /etc/ssl/lego/certificates/liberta.casa.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 127.0.0.4;
location / {
root /srv/www/liberta.casa/static/website;
index index.html;
add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
}
location /kiwi {
root /mnt/gluster01/web/liberta.casa;
index index.html;
try_files $uri $uri/ =404;
}
location /register {
proxy_pass http://127.0.0.1:8965;
add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
}
location /webirc {
proxy_pass http://192.168.0.110:8068;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /libcasa {
root /srv/www/superseriousstats/libertacasa;
index index.html;
location ~ \.php$ {
fastcgi_pass 172.168.100.1:9100;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
location /libcasa.info {
root /srv/www/superseriousstats/libertacasa;
index index.html;
location ~ \.php$ {
fastcgi_pass 172.168.100.1:9100;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
location /gamja {
root /srv/www/gamja;
index index.html;
}
location /socket {
proxy_pass http://192.168.0.110:8068;
proxy_read_timeout 600s;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
# location /convos {
# proxy_pass http://[::1]:8089;
# proxy_read_timeout 600s;
# proxy_http_version 1.1;
# proxy_set_header X-Forwarded-For $remote_addr;
# proxy_set_header X-Forwarded-Proto $scheme;
# }
#
# location ~ ^/(asset|convos-api.yaml|emoji|font|images|themes) {
# root /srv/www/convos/convos/public;
# }
location /convos {
rewrite ^/convos/?(.*)$ /$1 break;
proxy_pass http://[::1]:8089;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Request-Base "$scheme://$host/convos";
}
location /candy {
root /srv/www/candy/;
index index.html;
add_header Access-Control-Allow-Origin *;
}
location /candy-source {
root /srv/www/candy/;
}
## https://xmpp.org/extensions/xep-0156.html#http
## Provides an alternative to SRV lookups, needed for compliance
location /.well-known/host-meta {
root /srv/www/xmpp;
default_type 'application/xrd+xml';
add_header Access-Control-Allow-Origin '*' always;
}
location /.well-known/host-meta.json {
root /srv/www/xmpp;
default_type 'application/jrd+json';
add_header Access-Control-Allow-Origin '*' always;
}
error_log /var/log/nginx/liberta.casa.err;
}
server {
server_name katyusha.liberta.casa;
listen 81.16.19.64:443 ssl http2;
ssl_certificate /etc/ssl/lego/certificates/irc.casa.crt;
ssl_certificate_key /etc/ssl/lego/certificates/irc.casa.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver 127.0.0.4;
location / {
proxy_pass http://[::1]:8086;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
access_log syslog:server=192.168.0.115:5014,tag=nginx_access_katyusha graylog_old;
error_log syslog:server=192.168.0.115:5014,tag=nginx_error_katyusha debug;
}

240
nginx/01/matrix.conf Normal file
View File

@ -0,0 +1,240 @@
##WEBSERVER DEFINITIONS FOR ALL MATRIX SERVICES ON LIBERTA.CASA
##SYNAPSE
server {
listen 81.16.19.64:443 ssl;
# For the federation port
listen 81.16.19.64:8448 ssl default_server;
listen 192.168.0.110:8448 ssl;
# For bridge
listen 127.0.0.2:443 ssl;
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
server_name matrix.liberta.casa;
location ~* ^(\/_matrix|\/_synapse\/client) {
proxy_pass http://[::1]:8077;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
client_max_body_size 50M;
}
location /.well-known/matrix/client {
return 200 '{"m.homeserver": {"base_url": "https://matrix.liberta.casa"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
location /.well-known/matrix/server {
return 200 '{"m.server": "matrix.liberta.casa:8448"}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
location / {
proxy_pass http://[::1]:8077/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
}
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_synapse graylog;
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_synapse debug;
}
#ELEMENT
server {
listen 81.16.19.64:443 ssl;
server_name element.liberta.casa;
root /mnt/gluster01/web/matrix/element-libertacasa;
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_element graylog;
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_element debug;
}
server {
listen 81.16.19.64:443 ssl;
server_name m.liberta.casa;
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
return 301 https://element.liberta.casa$request_uri;
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_element graylog;
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_element debug;
}
#SYDENT
server {
listen 81.16.19.64:443 ssl;
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
server_name ident.matrix.liberta.casa;
location / {
proxy_pass http://127.0.0.4:8074/;
proxy_set_header X-Forwarded-For $remote_addr;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 20M;
}
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_sydent graylog;
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_sydent debug;
}
#DIMENSION
server {
server_name integrations.matrix.liberta.casa;
listen 81.16.19.64:443 ssl;
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8184;
}
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_dimension graylog;
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_dimension debug;
}
#KEYS
server {
server_name keys.matrix.liberta.casa;
listen 81.16.19.64:443 ssl;
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
location / {
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.2:8076;
}
location /.well-known/matrix/client {
return 200 '{"m.homeserver": {"base_url": "https://keys.matrix.liberta.casa"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
location /.well-known/matrix/server {
return 200 '{"m.server": "keys.matrix.liberta.casa:443"}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_keys graylog;
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_keys debug;
}
#MAUBOT
server {
server_name maubot.matrix.liberta.casa;
listen 81.16.19.64:443 ssl;
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
# location /_matrix/maubot/v1/logs {
# proxy_pass http://127.0.0.2:29419;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "Upgrade";
# proxy_set_header X-Forwarded-For $remote_addr;
# }
location / {
proxy_pass http://127.0.0.2:29419;
proxy_set_header X-Forwarded-For $remote_addr;
}
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_maubot graylog;
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_maubot debug;
}

74
nginx/01/mattermost.conf Normal file
View File

@ -0,0 +1,74 @@
upstream mattermost {
server 127.0.0.2:8065;
keepalive 32;
}
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
server {
listen 81.16.19.64:443 ssl http2;
listen 192.168.0.110:443 ssl http2;
server_name mattermost.casa;
http2_push_preload on;
ssl_certificate /etc/letsencrypt/live/mattermost.casa/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mattermost.casa/privkey.pem;
ssl_session_timeout 1d;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_early_data on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
#ssl_session_cache shared:SSL:50m;
add_header Strict-Transport-Security max-age=15768000;
#add_header X-Early-Data $tls1_3_early_data;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
location /libcasa/channels/town-square {
return https://mattermost.casa/libcasa/channels/libcasa;
}
location ~ /api/v[0-9]+/(users/)?websocket$ {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
client_max_body_size 50M;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 90;
proxy_send_timeout 300;
proxy_read_timeout 90s;
proxy_http_version 1.1;
proxy_pass http://mattermost;
}
location / {
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
client_max_body_size 50M;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache mattermost_cache;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
proxy_http_version 1.1;
proxy_pass http://mattermost;
}
}

18
nginx/01/mirror.conf Normal file
View File

@ -0,0 +1,18 @@
server {
listen 45.129.182.13:443 ssl http2;
listen [2a03:4000:47:58a::]:443 ssl http2;
server_name 3zy.de;
ssl_certificate /etc/letsencrypt/live/3zy.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/3zy.de/privkey.pem;
location / {
root /mnt/gluster01/mirror;
# fancyindex on;
# fancyindex_exact_size on;
autoindex on;
autoindex_exact_size on;
autoindex_localtime on;
}
}

16
nginx/01/nsedit.conf Normal file
View File

@ -0,0 +1,16 @@
include php-fpm;
server {
listen 192.168.0.110:8083 ssl;
server_name nsedit1-local.secure.squirrelcube.xyz;
root /mnt/gluster01/web/nsedit1;
index index.php;
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
location / {
}
include php;
}

41
nginx/01/omnidb.conf Normal file
View File

@ -0,0 +1,41 @@
server {
listen 127.0.0.2:8085 ssl;
server_name omnidb-local.one.secure.squirrelcube.xyz;
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
location / {
proxy_pass https://omnidb-backend.one.secure.squirrelcube.xyz:8086;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl https;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
server {
listen 45.129.182.13:25483 ssl;
listen [2a03:4000:47:58a::]:25483 ssl;
server_name omnidb1.one.secure.squirrelcube.xyz;
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
location / {
proxy_pass https://omnidb-backend.one.secure.squirrelcube.xyz:25482;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl https;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 25483;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

28
nginx/01/tp.3gy.de.conf Normal file
View File

@ -0,0 +1,28 @@
server {
server_name tp.3gy.de one.tp.3gy.de *.one.secure.squirrelcube.xyz;
listen 45.129.182.13:443 ssl;
listen [2a03:4000:47:58a::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
#ssl_ciphers
#ssl_prefer_server_ciphers
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
location / {
proxy_pass https://[::1]:3080/;
proxy_ssl_verify off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 3600;
}
}

301
nginx/01/xmpp.conf Normal file
View File

@ -0,0 +1,301 @@
#Prosody (DEPRECATED!)
#server {
# listen 81.16.19.64:443 ssl http2;
# listen [2a03:4000:47:58a::]:443 ssl http2;
# server_name xmpp.liberta.casa;
#
# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
# ssl_session_timeout 1d;
# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
# ssl_session_tickets off;
#
# ssl_protocols TLSv1.3 TLSv1.2;
# ssl_prefer_server_ciphers off;
# add_header Strict-Transport-Security "max-age=63072000" always;
# ssl_stapling on;
# ssl_stapling_verify on;
# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
# resolver 127.0.0.4;
#
# location / {
# proxy_pass http://[::1]:5280;
# proxy_set_header X-Forwarded-For $remote_addr;
# proxy_set_header Host $host;
#
# }
#
# location /xmpp-websocket {
# proxy_pass http://[::1]:5280/xmpp-websocket;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "Upgrade";
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host $host;
# proxy_read_timeout 900s;
# }
# location /candy/http-bind {
# proxy_pass https://127.0.0.2:5443/http-bind;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "Upgrade";
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host $host;
# proxy_read_timeout 900s;
# }
# location /candy {
# root /srv/www/candy/;
# index index.html;
# }
# location /candy-source {
# root /srv/www/candy/;
# }
#}
#mod_http_upload_external
#server {
# listen 81.16.19.64:443 ssl http2;
# listen [2a03:4000:47:58a::]:443 ssl http2;
#
# server_name up.xmpp.liberta.casa;
#
# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
# ssl_session_timeout 1d;
# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
# ssl_session_tickets off;
#
# ssl_protocols TLSv1.3 TLSv1.2;
# ssl_prefer_server_ciphers off;
# add_header Strict-Transport-Security "max-age=63072000" always;
# ssl_stapling on;
# ssl_stapling_verify on;
# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
# resolver 127.0.0.4;
#
## client_max_body_size 50m;
#
# location / {
# if ( $request_method = OPTIONS ) {
# add_header Access-Control-Allow-Origin '*';
# add_header Access-Control-Allow-Methods 'PUT, GET, OPTIONS, HEAD';
# add_header Access-Control-Allow-Headers 'Authorization, Content-Type';
# add_header Access-Control-Allow-Credentials 'true';
# add_header Content-Length 0;
# add_header Content-Type text/plain;
# return 200;
# }
# proxy_pass http://[::1]:5050/upload/;
# proxy_request_buffering off;
# }
#}
#server {
# listen 81.16.19.64:443 ssl http2;
# listen [2a03:4000:47:58a::]:443 ssl http2;
# server_name xmpp.lib.casa;
#
# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
# ssl_session_timeout 1d;
# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
# ssl_session_tickets off;
#
# ssl_protocols TLSv1.3 TLSv1.2;
# ssl_prefer_server_ciphers off;
# add_header Strict-Transport-Security "max-age=63072000" always;
# ssl_stapling on;
# ssl_stapling_verify on;
# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
# resolver 127.0.0.4;
#
# location / {
# root /srv/www/jappix;
# index index.php;
# location ~ \.php$ {
# fastcgi_pass 172.168.100.1:9100;
# include fastcgi_params;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# }
# }
#
# error_log /var/log/nginx/xmpp.lib.casa.err;
#}
####
## ejabberd
####
## mod_http_upload
perl_modules /usr/local/lib/perl;
perl_require upload.pm;
server {
listen 81.16.19.64:443 ssl http2;
listen [2a03:4000:47:58a::]:443 ssl http2;
listen 127.0.0.2:443 ssl http2;
server_name up.xmpp.lib.casa up.xmpp.liberta.casa;
ssl_certificate /etc/ssl/lego/certificates/xmpp.liberta.casa.crt;
ssl_certificate_key /etc/ssl/lego/certificates/xmpp.liberta.casa.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver 127.0.0.4;
root /opt/ejabberd/upload;
location / {
perl upload::handle;
}
client_max_body_size 40m;
# location / {
# if ( $request_method = OPTIONS ) {
# add_header Access-Control-Allow-Origin '*';
# add_header Access-Control-Allow-Methods 'PUT, GET, OPTIONS, HEAD';
# add_header Access-Control-Allow-Headers 'Authorization, Content-Type';
# add_header Access-Control-Allow-Credentials 'true';
# add_header Content-Length 0;
# add_header Content-Type text/plain;
# return 200;
# }
# proxy_pass http://127.0.0.2:5443;
# proxy_request_buffering off;
# }
error_log /var/log/nginx/up.xmpp.lib.casa.err;
}
## Everything
server {
listen 81.16.19.64:443 ssl http2;
listen [2a03:4000:47:58a::]:443 ssl http2;
server_name xmpp.liberta.casa xmpp.lib.casa jabber.liberta.casa jabber.lib.casa;
ssl_certificate /etc/ssl/lego/certificates/xmpp.liberta.casa.crt;
ssl_certificate_key /etc/ssl/lego/certificates/xmpp.liberta.casa.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver 127.0.0.4;
#location / {
# proxy_pass https://127.0.0.2:5443;
# proxy_set_header X-Forwarded-For $remote_addr;
# proxy_set_header Host $host;
#
#}
location / {
root /srv/www/xmpp;
index index.html;
}
location /upload {
return https://up.xmpp.lib.casa;
}
location /bosh {
proxy_pass https://127.0.0.2:5443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
}
location /ws {
proxy_pass https://127.0.0.2:5443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
}
# location /xmpp-websocket {
# proxy_pass http://[::1]:5280/xmpp-websocket;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "Upgrade";
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host $host;
# proxy_read_timeout 900s;
# }
location /candy/http-bind {
proxy_pass https://127.0.0.2:5443/http-bind;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_read_timeout 900s;
}
location /candy {
root /srv/www/candy/;
index index.html;
}
location /candy-source {
root /srv/www/candy/;
}
error_log /var/log/nginx/xmpp.lib.casa.err;
}
## ejabberd_web_admin
server {
listen 127.0.0.2:443 ssl http2;
server_name ejabberd-local.one.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver 127.0.0.4;
location / {
proxy_pass http://127.0.0.2:5280;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
}
}