From aea3a1cc60a1d92cee848c606e13673cb57d3cab Mon Sep 17 00:00:00 2001 From: Georg Date: Mon, 30 Aug 2021 20:51:39 +0200 Subject: [PATCH] Initial nginx run 02/05 
Signed-off-by: Georg --- nginx/02/bastelstube.conf | 35 ++++++ nginx/02/cachet.conf | 17 +++ nginx/02/confluence.conf | 30 +++++ nginx/02/default.conf | 17 +++ nginx/02/dnsui.conf | 27 +++++ nginx/02/drone.conf | 38 +++++++ nginx/02/etherpad.conf | 39 +++++++ nginx/02/georg.conf | 23 ++++ nginx/02/git.conf | 65 +++++++++++ nginx/02/grafana.conf | 15 +++ nginx/02/graylog.conf | 42 +++++++ nginx/02/jitsi.conf | 57 ++++++++++ nginx/02/keycloak.conf | 219 ++++++++++++++++++++++++++++++++++++ nginx/02/matrix.conf | 79 +++++++++++++ nginx/02/mirror.conf | 15 +++ nginx/02/phpldapadmin.conf | 22 ++++ nginx/02/privatebin.conf | 24 ++++ nginx/02/prometheus.conf | 67 +++++++++++ nginx/02/scooper.conf | 29 +++++ nginx/02/shlink-web.conf | 31 +++++ nginx/02/shlink.conf | 29 +++++ nginx/02/syscid.conf | 15 +++ nginx/02/tp.3gy.de.conf | 28 +++++ nginx/02/xen-orchestra.conf | 23 ++++ 24 files changed, 986 insertions(+) create mode 100644 nginx/02/bastelstube.conf create mode 100644 nginx/02/cachet.conf create mode 100644 nginx/02/confluence.conf create mode 100644 nginx/02/default.conf create mode 100644 nginx/02/dnsui.conf create mode 100644 nginx/02/drone.conf create mode 100644 nginx/02/etherpad.conf create mode 100644 nginx/02/georg.conf create mode 100644 nginx/02/git.conf create mode 100644 nginx/02/grafana.conf create mode 100644 nginx/02/graylog.conf create mode 100644 nginx/02/jitsi.conf create mode 100644 nginx/02/keycloak.conf create mode 100644 nginx/02/matrix.conf create mode 100644 nginx/02/mirror.conf create mode 100644 nginx/02/phpldapadmin.conf create mode 100644 nginx/02/privatebin.conf create mode 100644 nginx/02/prometheus.conf create mode 100644 nginx/02/scooper.conf create mode 100644 nginx/02/shlink-web.conf create mode 100644 nginx/02/shlink.conf create mode 100644 nginx/02/syscid.conf create mode 100644 nginx/02/tp.3gy.de.conf create mode 100644 nginx/02/xen-orchestra.conf 
diff --git a/nginx/02/bastelstube.conf b/nginx/02/bastelstube.conf
new file mode 100644
index 0000000..f065034
--- /dev/null
+++ b/nginx/02/bastelstube.conf
@@ -0,0 +1,35 @@
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+
+ server_name www.lysergic.dev lysergic.dev;
+
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSLS:10m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+ resolver 127.0.0.4;
+
+ root /srv/www/htdocs/bastelstube;
+ index index.html;
+
+
+ location /.well-known/matrix/client {
+ return 200 '{"m.homeserver": {"base_url": "https://matrix.lysergic.dev"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ }
+
+ location /.well-known/matrix/server {
+ return 200 '{"m.server": "matrix.lysergic.dev:8448"}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ }
+}
diff --git a/nginx/02/cachet.conf b/nginx/02/cachet.conf
new file mode 100644
index 0000000..d443a91
--- /dev/null
+++ b/nginx/02/cachet.conf
@@ -0,0 +1,17 @@
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+
+ server_name status.liberta.casa status.lib.casa;
+
+ ssl_certificate /etc/ssl/liberta.casa/fullchain.pem;
+ ssl_certificate_key /etc/ssl/liberta.casa/private/privkey.pem;
+
+ location / {
+ proxy_pass http://cachet.local:8033;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ }
+}
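Review bot: The `add_header Access-Control-Allow-Origin *` inside the two `/.well-known/matrix/*` locations of bastelstube.conf suppresses the server-level `Strict-Transport-Security` header on those responses, because nginx inherits add_header from the enclosing level only when the location defines no add_header of its own. Either repeat `add_header Strict-Transport-Security "max-age=63072000" always;` in both locations or move the CORS header up to the server level. The same pattern is in the `.well-known` locations of matrix.conf.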
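Review bot: The `location /` proxy in cachet.conf sets X-Forwarded-Host, X-Forwarded-Server and X-Forwarded-For but neither `Host` nor `X-Forwarded-Proto`, so the backend receives `Host: cachet.local:8033` (nginx's `$proxy_host` default) and cannot tell that the request arrived over TLS; the etherpad.conf comment in this same commit notes that the proto header is what lets an application set the secure cookie flag. Add `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;`. confluence.conf and graylog.conf have the same omission.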
diff --git a/nginx/02/confluence.conf b/nginx/02/confluence.conf
new file mode 100644
index 0000000..3004fca
--- /dev/null
+++ b/nginx/02/confluence.conf
@@ -0,0 +1,30 @@
+server {
+ listen 202.61.255.116:443 ssl;
+ listen [2a03:4000:55:d20::]:443 ssl;
+ server_name confluence.psyched.dev;
+
+ ssl_certificate /etc/ssl/psyched/fullchain.pem;
+ ssl_certificate_key /etc/ssl/psyched/private/privkey.pem;
+
+ ssl_session_timeout 5m;
+
+ ssl_protocols TLSv1.3;
+ #ssl_prefer_server_ciphers on;
+
+ location / {
+ client_max_body_size 100m;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://localhost:8090;
+ }
+ location /synchrony {
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://localhost:8091/synchrony;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ }
+}
diff --git a/nginx/02/default.conf b/nginx/02/default.conf
new file mode 100644
index 0000000..dc5815b
--- /dev/null
+++ b/nginx/02/default.conf
@@ -0,0 +1,17 @@
+server {
+ listen 202.61.255.116:443 ssl http2 default_server;
+ listen [2a03:4000:55:d20::]:443 ssl http2 default_server;
+
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+ root /srv/www/htdocs/default;
+ index index.html;
+}
+server {
+ listen 202.61.255.116:80 default_server;
+ listen [2a03:4000:55:d20::]:80 default_server;
+
+ root /srv/www/htdocs/default;
+ index index.html;
+}
diff --git a/nginx/02/dnsui.conf b/nginx/02/dnsui.conf
new file mode 100644
index 0000000..2d1c55b
--- /dev/null
+++ b/nginx/02/dnsui.conf
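Review bot: The `/synchrony` location in confluence.conf sends `Connection "Upgrade"` on every request rather than only on WebSocket handshakes, so ordinary HTTP/1.1 requests reach the backend with an upgrade-style Connection header and no Upgrade header. The usual idiom is a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` at the http level together with `proxy_set_header Connection $connection_upgrade;` here; the map would have to live outside these per-vhost files. etherpad.conf, tp.3gy.de.conf and xen-orchestra.conf hard-code the header the same way.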
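Review bot: The port-80 `default_server` block in default.conf serves `/srv/www/htdocs/default` over plaintext instead of redirecting, and no other file in this commit declares a port-80 server, so a first-time HTTP request for any of the configured hostnames lands here and never reaches the HTTPS vhost that sets HSTS. Replace the root/index pair in the second server with `return 301 https://$host$request_uri;` (or `return 444;` if plaintext clients should simply be dropped). The 443 `default_server` also carries none of the `ssl_protocols`/`ssl_session_*` settings the named vhosts have; if those are not set at the http level, the catch-all runs with nginx defaults.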
@@ -0,0 +1,27 @@ +server { + listen 192.168.0.115:8084 ssl; + server_name dnsui-local.two.secure.squirrelcube.xyz; + root /mnt/gluster01/web/dnsui2/public_html; + index init.php; + + ssl_certificate /etc/ssl/tp/fullchain.pem; + ssl_certificate_key /etc/ssl/tp/private/privkey.pem; + + location / { + try_files $uri $uri/ @php; + auth_basic "NS1 Intranet"; + auth_basic_user_file /mnt/gluster01/web/auth/dnsui; + } + location @php { + rewrite ^/(.*)$ /init.php/$1 last; + auth_basic "NS1 Intranet"; + auth_basic_user_file /mnt/gluster01/web/auth/dnsui; + } + location /init.php { + fastcgi_pass 172.168.100.2:9100; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; + auth_basic "NS1 Intranet"; + auth_basic_user_file /mnt/gluster01/web/auth/dnsui; + } +} diff --git a/nginx/02/drone.conf b/nginx/02/drone.conf new file mode 100644 index 0000000..1f36830 --- /dev/null +++ b/nginx/02/drone.conf @@ -0,0 +1,38 @@ +#Drone (only for RPC access from other nodes - UI access is proxied directly through Teleport) +server { + listen 192.168.0.115:443 ssl http2; + server_name drone.two.secure.squirrelcube.xyz; + + ssl_certificate /etc/ssl/tp/fullchain.pem; + ssl_certificate_key /etc/ssl/tp/private/privkey.pem; + + location / { + proxy_pass https://drone-local.two.secure.squirrelcube.xyz; + } +} + +#Runner Exec +server { + listen 192.168.0.115:443 ssl http2; + server_name drone-runner-exec-local.two.secure.squirrelcube.xyz; + + ssl_certificate /etc/ssl/tp/fullchain.pem; + ssl_certificate_key /etc/ssl/tp/private/privkey.pem; + + location / { + proxy_pass http://127.0.0.3:3000; + } +} + +#Runner SSH +server { + listen 192.168.0.115:443 ssl http2; + server_name drone-runner-ssh-local.two.secure.squirrelcube.xyz; + + ssl_certificate /etc/ssl/tp/fullchain.pem; + ssl_certificate_key /etc/ssl/tp/private/privkey.pem; + + location / { + proxy_pass http://127.0.0.3:3001; + } +} 
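Review bot: `fastcgi_pass 172.168.100.2:9100` in dnsui.conf points outside the 172.16.0.0/12 private range (172.168.x.x is public address space), which looks like a typo for a 172.16.x.x host such as the 172.16.9.2 used in prometheus.conf; as written, unencrypted FastCGI traffic carrying `SCRIPT_FILENAME` and request bodies would be routed toward the internet if no local route covers that address. Please confirm the intended backend. The same value is used in phpldapadmin.conf, privatebin.conf and shlink.conf. Separately, the three identical `auth_basic`/`auth_basic_user_file` pairs could be declared once at the server level, where every location inherits them.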
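Review bot: `proxy_pass https://drone-local.two.secure.squirrelcube.xyz;` in the first server of drone.conf relies on nginx's default `proxy_ssl_verify off`, so RPC traffic from other nodes is forwarded to whatever presents a certificate at that name; nothing in this file enables verification. For an https upstream add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <CA bundle path>;` and `proxy_ssl_name drone-local.two.secure.squirrelcube.xyz;`. The same default applies to `proxy_pass https://10.0.0.10` in keycloak.conf, and tp.3gy.de.conf, xen-orchestra.conf and the sso.casa block of keycloak.conf disable verification explicitly.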
diff --git a/nginx/02/etherpad.conf b/nginx/02/etherpad.conf new file mode 100644 index 0000000..f4a0233 --- /dev/null +++ b/nginx/02/etherpad.conf @@ -0,0 +1,39 @@ +server { + listen 202.61.255.116:443 ssl http2; + listen [2a03:4000:55:d20::]:443 ssl http2; + + server_name pad.hugz.io pad.lsd25.dev pad.lysergic.dev; + + ssl_certificate /etc/ssl/lysergic/fullchain.pem; + ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem; + + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + ssl_protocols TLSv1.3 TLSv1.2; + ssl_prefer_server_ciphers off; + add_header Strict-Transport-Security "max-age=63072000" always; + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/ssl/ca-bundle.pem; + resolver 127.0.0.4; + + + location / { + proxy_pass http://127.0.0.2:9001; + proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf + proxy_set_header Host $host; + proxy_pass_header Server; + + # Note you might want to pass these headers etc too. + proxy_set_header X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html + proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP + proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used + proxy_http_version 1.1; # recommended with keepalive connections + + # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + + } +} diff --git a/nginx/02/georg.conf b/nginx/02/georg.conf new file mode 100644 index 0000000..eb38d32 --- /dev/null +++ b/nginx/02/georg.conf 
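Review bot: `ssl_session_cache shared:MozSSL:10m` in etherpad.conf versus `shared:MozSSLS:10m` in bastelstube.conf, georg.conf and scooper.conf looks like a typo rather than a deliberate split: nginx allocates a separate 10m shared zone per distinct name, so the two groups of vhosts end up with two caches of their own, while the Mozilla template these lines appear to come from (the `# about 40000 sessions` comment) uses one `MozSSL` zone for all servers. Pick one name across the files; git.conf, matrix.conf and tp.3gy.de.conf already use `MozSSL`.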
@@ -0,0 +1,23 @@ +server { + listen 202.61.255.116:443 ssl http2; + listen [2a03:4000:55:d20::]:443 ssl http2; + + server_name georg-pfuetzenreuter.net pfuetzenreuter.at gippy.at; + + ssl_certificate /etc/ssl/georg/533088712.crt; + ssl_certificate_key /etc/ssl/georg/my.key; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSLS:10m; + ssl_session_tickets off; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers off; + add_header Strict-Transport-Security "max-age=63072000" always; + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/ssl/georg/533088712.ca-bundle; + resolver 127.0.0.4; + + root /srv/www/htdocs/georg; + index index.html; + +} diff --git a/nginx/02/git.conf b/nginx/02/git.conf new file mode 100644 index 0000000..98e619d --- /dev/null +++ b/nginx/02/git.conf 
@@ -0,0 +1,65 @@ +server { + listen 202.61.255.116:443 ssl http2; + listen [2a03:4000:55:d20::]:443 ssl http2; + + ssl_certificate /etc/ssl/lysergic/fullchain.pem; + ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem; + + server_name git.lysergic.dev git.de.com; + + return 302 https://git.com.de; +} +server { + listen 202.61.255.116:443 ssl http2; + listen [2a03:4000:55:d20::]:443 ssl http2; + + ssl_certificate /etc/ssl/liberta.casa/fullchain.pem; + ssl_certificate_key /etc/ssl/liberta.casa/private/privkey.pem; + + server_name git.casa; + +# return 302 https://git.com.de/libertacasa; + + + root /srv/www/htdocs; + + try_files $uri @cgit; + + location @cgit { + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /srv/www/cgi-bin/cgit/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + fastcgi_pass unix:/run/fcgiwrap.sock; + } + + +} + +server { + listen 202.61.255.116:443 ssl http2; + listen [2a03:4000:55:d20::]:443 ssl http2; + listen 192.168.0.115:443 ssl http2; + + server_name git.com.de; + + ssl_certificate /etc/ssl/lysergic/fullchain.pem; + ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem; + + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + add_header Strict-Transport-Security "max-age=63072000" always; + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/ssl/ca-bundle.pem; + resolver 127.0.0.4; + + + location / { + proxy_pass http://127.0.0.2:3501; + } +} diff --git a/nginx/02/grafana.conf b/nginx/02/grafana.conf new file mode 100644 index 0000000..8fc850e --- /dev/null +++ b/nginx/02/grafana.conf 
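Review bot: The first server's `return 302 https://git.com.de;` drops the requested path and query, so a bookmarked repository URL on git.lysergic.dev ends up at the front page, and 302 makes clients keep re-asking for a move that looks permanent; `return 301 https://git.com.de$request_uri;` preserves both. In the `git.com.de` server the `location /` passes to `127.0.0.2:3501` with no `proxy_set_header` at all, so the application behind it sees every client as the proxy address and `Host: 127.0.0.2:3501`, and cannot log, rate-limit or ban by real client IP. Add at least `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;`. The bare `proxy_pass` pattern recurs in grafana.conf, the runner servers of drone.conf, the meet-auth server of jitsi.conf and every server in prometheus.conf.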
@@ -0,0 +1,15 @@ +server { + listen 202.61.255.116:443 ssl http2; + listen [2a03:4000:55:d20::]:443 ssl http2; + server_name grafana.lysergic.dev; + + ssl_certificate /etc/ssl/lysergic/fullchain.pem; + ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem; + + ssl_session_timeout 5m; + ssl_protocols TLSv1.3; + + location / { + proxy_pass http://[::1]:3000/; + } +} diff --git a/nginx/02/graylog.conf b/nginx/02/graylog.conf new file mode 100644 index 0000000..6a1d098 --- /dev/null +++ b/nginx/02/graylog.conf @@ -0,0 +1,42 @@ +server { + listen 192.168.0.115:8087 ssl; + server_name graylog-local.two.secure.squirrelcube.xyz; + + ssl_certificate /etc/ssl/tp/fullchain.pem; + ssl_certificate_key /etc/ssl/tp/private/privkey.pem; + + location / { + proxy_pass http://127.0.0.1:9000; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + } +} + +#server { +# listen 202.61.255.116:443 ssl http2; +# listen [2a03:4000:55:d20::]:443 ssl http2; +# server_name glpub.two.secure.squirrelcube.xyz; +# +# ssl_certificate /etc/ssl/tp/fullchain.pem; +# ssl_certificate_key /etc/ssl/tp/private/privkey.pem; +# ssl_session_timeout 1d; +# ssl_session_cache shared:MozSSLS:10m; +# ssl_session_tickets off; +# ssl_protocols TLSv1.3; +# ssl_prefer_server_ciphers off; +# add_header Strict-Transport-Security "max-age=63072000" always; +# ssl_stapling on; +# ssl_stapling_verify on; +# ssl_trusted_certificate /etc/ssl/ca-bundle.pem; +# resolver 127.0.0.4; +# +# location /streams { +# proxy_pass http://127.0.0.1:9000/; +# proxy_set_header X-Forwarded-Host $host; +# proxy_set_header X-Forwarded-Server $host; +# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# proxy_http_version 1.1; +# } +#} diff --git a/nginx/02/jitsi.conf b/nginx/02/jitsi.conf new file mode 100644 index 0000000..4e2d47b --- /dev/null +++ b/nginx/02/jitsi.conf 
@@ -0,0 +1,57 @@ +#server_names_hash_bucket_size 64; + +server { + listen 202.61.255.116:443 ssl http2; + listen [2a03:4000:55:d20::]:443 ssl http2; + listen 127.0.0.1:443 ssl http2; + ssl_certificate /etc/ssl/lysergic/fullchain.pem; + ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem; + # tls configuration that is not covered in this guide + # we recommend the use of https://certbot.eff.org/ + server_name meet.lysergic.dev meet.liberta.casa meet.lib.casa; + # set the root + root /srv/jitsi-meet; + index index.html; + location ~ ^/([a-zA-Z0-9=_\-\?]+)$ { + rewrite ^/(.*)$ / break; + } + location / { + ssi on; + } + # BOSH, Bidirectional-streams Over Synchronous HTTP + # https://en.wikipedia.org/wiki/BOSH_(protocol) + location = /http-bind { + proxy_pass http://127.0.0.1:5280/http-bind; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $http_host; + proxy_method POST; + proxy_buffering off; + tcp_nodelay on; + } + # external_api.js must be accessible from the root of the + # installation for the electron version of Jitsi Meet to work + # https://github.com/jitsi/jitsi-meet-electron + location /external_api.js { + alias /srv/jitsi-meet/libs/external_api.min.js; + } + # xmpp websockets + location /xmpp-websocket { + proxy_pass http://127.0.0.1:5280/xmpp-websocket; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + tcp_nodelay on; + } +} +server { + listen 202.61.255.116:443 ssl http2; + listen [2a03:4000:55:d20::]:443 ssl http2; + server_name meet-auth.sso.casa; + ssl_certificate /etc/ssl/lysergic/fullchain.pem; + ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem; + + location / { + proxy_pass http://127.0.0.2:3002; + } +} diff --git a/nginx/02/keycloak.conf b/nginx/02/keycloak.conf new file mode 100644 index 0000000..87e3282 --- /dev/null +++ b/nginx/02/keycloak.conf 
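Review bot: The comments `# tls configuration that is not covered in this guide` and `# we recommend the use of https://certbot.eff.org/` in the first server of jitsi.conf are leftovers from the upstream Jitsi Meet template and no longer describe this file, which ships its own `ssl_certificate` lines; replace them with a one-line note on where the lysergic certificate is managed, or drop them. The commented `#server_names_hash_bucket_size 64;` at the top is presumably handled in the main nginx.conf; if so it can go too. The `meet-auth.sso.casa` server's bare `proxy_pass http://127.0.0.2:3002;` deserves a comment saying what it fronts, since the rest of the file documents each location.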
@@ -0,0 +1,219 @@ +######################################### +## SECTION 1 ## +## DEVELOPMENT / STAGING CONFIGURATION ## +######################################### + +server { + listen 202.61.255.116:443 ssl http2; + listen [2a03:4000:55:d20::]:443 ssl http2; + + server_name auth.syscid.com sso.syscid.com; + + ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt; + ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key; + +# location /auth { +# return 302 https://auth.syscid.com/auth/realms/master/account/; +# } +# location /auth/realms/master/account/ { +# proxy_pass https://10.0.0.10; +# proxy_set_header Host $host; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# proxy_set_header X-Forwarded-Host $host; +# proxy_set_header X-Forwarded-Server $host; +# proxy_set_header X-Forwarded-Port $server_port; +# proxy_set_header X-Forwarded-Proto $scheme; +# } + location / { + proxy_pass https://10.0.0.10; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + } + +} +server { + listen 127.0.0.1:443 ssl http2; + + server_name keycloak-internal.two.secure.squirrelcube.xyz; + + ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt; + ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key; + + return 302 https://keycloak.two.secure.squirrelcube.xyz/admin/master/console/; + + location / { + proxy_pass https://10.0.0.10; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + } 
+} + +######################################### +## SECTION 2 ## +## Everything below here is PRODUCTION ## +######################################### + +## +## WildFly Management UI access through Teleport +## +server { + listen 127.0.0.1:443 ssl http2; + server_name wildfly-keycloak-prod-orpheus.two.secure.squirrelcube.xyz; + ssl_certificate /etc/ssl/tp/fullchain.pem; + ssl_certificate_key /etc/ssl/tp/private/privkey.pem; + location / { + proxy_pass http://127.0.0.5:9990; + +## This bit does not look production worthy, I think we can remove the commented out lines, but am not sure yet. should check whether the correct IP address is passed through to WildFly on failed authentication attempts. + +# proxy_set_header Host $host; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# proxy_set_header X-Forwarded-Host $host; +# proxy_set_header X-Forwarded-Server $host; +# proxy_set_header X-Forwarded-Port $server_port; +# proxy_set_header X-Forwarded-Proto $scheme; +# proxy_set_header Authorization $http_authorization; +# proxy_pass_header Authorization; + proxy_set_header Host $host:10090; + proxy_set_header Origin http://$host:10090; + + proxy_redirect off; + proxy_http_version 1.1; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass_request_headers on; + } +} + +## +## Used for testing of the AdminUrl backend to rule out issues by the Teleport proxy +## +#server { +# listen 127.0.0.1:443 ssl http2; +# listen 192.168.0.115:443 ssl http2; +# +# server_name intra.sso.casa; +# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem; +# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem; +# +# location / { +# proxy_pass https://192.168.0.115:8843/; +# proxy_ssl_verify off; +# proxy_set_header Host $host; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; +# #proxy_set_header X-Forwarded-Host $host; +# #proxy_set_header X-Forwarded-Server $host; +# #proxy_set_header X-Forwarded-Port $server_port; +# proxy_set_header X-Forwarded-Proto https; +# } +# proxy_buffer_size 128k; +# proxy_buffers 4 256k; +# proxy_busy_buffers_size 256k; +#} + +## +## Standalone Keycloak Frontend on Orpheus +## + +#server { +# listen 202.61.255.116:443 ssl http2; +# listen [2a03:4000:55:d20::]:443 ssl http2; +# +# server_name sso.casa; +# +# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem; +# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem; +# +# location / { +# proxy_pass https://192.168.0.115:8843/; +# proxy_ssl_verify off; +# proxy_set_header Host $host; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# #proxy_set_header X-Forwarded-Host $host; +# #proxy_set_header X-Forwarded-Server $host; +# #proxy_set_header X-Forwarded-Port $server_port; +# proxy_set_header X-Forwarded-Proto https; +# } +# proxy_buffer_size 128k; +# proxy_buffers 4 256k; +# proxy_busy_buffers_size 256k; +# +## location ~ /auth/admin { +## deny all; +## return 403; +## } +# +#} + +## +## Keycloak Frontend Load Balancer +## +proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m; + +upstream jboss { + ip_hash; + server 192.168.0.110:8843; + server 192.168.0.115:8843; + server 192.168.0.120:8843; + + # only available in NGINX Plus - very sad!! 
+ # sticky learn + # create=$upstream_cookie_AUTH_SESSION_ID + # lookup=$cookie_AUTH_SESSION_ID + # zone=client_sessions:1m; +} + +# same ordeal +#match jboss_check { +# status 200; +# header Content-Type = text/html; +# body ~ "WildFly is running"; +#} + +server { + listen 202.61.255.116:443 ssl http2; + listen [2a03:4000:55:d20::]:443 ssl http2; + listen 127.0.0.1:443 ssl http2; + server_name sso.casa; + + ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem; + ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem; + ssl_session_cache shared:SSL:1m; + ssl_prefer_server_ciphers on; + + #location = / { + # return 302 /auth/; + #} + + location / { + proxy_pass https://jboss; + proxy_cache backcache; + proxy_ssl_verify off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + + # yup, nginx plus + #health_check match=jboss_check; + } + proxy_buffer_size 256k; + proxy_buffers 4 512k; + proxy_busy_buffers_size 512k; + +} diff --git a/nginx/02/matrix.conf b/nginx/02/matrix.conf new file mode 100644 index 0000000..d88ef87 --- /dev/null +++ b/nginx/02/matrix.conf 
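Review bot: In the `keycloak-internal.two.secure.squirrelcube.xyz` server the server-level `return 302 https://keycloak.two.secure.squirrelcube.xyz/admin/master/console/;` runs for every request before any location is matched, so the `location /` proxy block beneath it is dead code; either the return or the location should go. The public `sso.casa` server puts `proxy_cache backcache` on `location /` of an identity provider, where most responses are per-user; nginx does skip responses carrying Set-Cookie by default, but caching the whole tree buys little and turns any backend mistake in Cache-Control into a cross-user leak, so limit it to static theme resources or remove it, and note that `proxy_cache_path /tmp/NGINX_cache/` has no `max_size`, leaving the cache bounded only by the default 10-minute `inactive` eviction. The same block sets `proxy_ssl_verify off` toward the `jboss` upstream, so the credentials and tokens relayed to Keycloak cross the LAN without the upstream identity being checked. The commented-out `location ~ /auth/admin { deny all; }` means the admin console is reachable through the public listeners although the WildFly section says administration goes through Teleport; if that is the intent, re-enable the deny or restrict the admin path to the `127.0.0.1` listener.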
@@ -0,0 +1,79 @@ +##WEBSERVER DEFINITIONS FOR ALL MATRIX SERVICES ON LYSERGIC.DEV + +##SYNAPSE +server { + listen 202.61.255.116:443 ssl; + listen [2a03:4000:55:d20::]:443 ssl; + + # For the federation port + listen 202.61.255.116:8448 ssl default_server; + listen [2a03:4000:55:d20::]:8448 ssl; + listen 192.168.0.115:8448 ssl; + + ssl_certificate /etc/ssl/lysergic/fullchain.pem; + ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_prefer_server_ciphers off; + add_header Strict-Transport-Security "max-age=63072000" always; + ssl_stapling on; + ssl_stapling_verify on; + resolver 127.0.0.4; + + server_name matrix.lysergic.dev; + + location ~* ^(\/_matrix|\/_synapse\/client) { + proxy_pass http://[::1]:8763; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + client_max_body_size 100M; + } + + location /.well-known/matrix/client { + return 200 '{"m.homeserver": {"base_url": "https://matrix.lysergic.dev"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}'; + default_type application/json; + add_header Access-Control-Allow-Origin *; + } + + location /.well-known/matrix/server { + return 200 '{"m.server": "matrix.lysergic.dev:8448"}'; + default_type application/json; + add_header Access-Control-Allow-Origin *; + } + + + location / { + proxy_pass http://[::1]:8763/; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + client_max_body_size 100M; + } +} + +#ELEMENT +server { + listen 202.61.255.116:443 ssl; + listen [2a03:4000:55:d20::]:443 ssl; + server_name element.lysergic.dev; + + root /mnt/gluster01/web/matrix/element-lysergic; + + ssl_certificate /etc/ssl/lysergic/fullchain.pem; + ssl_certificate_key 
/etc/ssl/lysergic/private/privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + add_header Strict-Transport-Security "max-age=63072000" always; + ssl_stapling on; + ssl_stapling_verify on; + resolver 127.0.0.4; +} + diff --git a/nginx/02/mirror.conf b/nginx/02/mirror.conf new file mode 100644 index 0000000..5e31ec9 --- /dev/null +++ b/nginx/02/mirror.conf @@ -0,0 +1,15 @@ +server { + listen 202.61.255.116:443 ssl http2; + listen [2a03:4000:55:d20::]:443 ssl http2; + + server_name 3zy.de; + + ssl_certificate /etc/ssl/3zy.de/fullchain.pem; + ssl_certificate_key /etc/ssl/3zy.de/private/privkey.pem; + + location / { + root /mnt/gluster01/mirror; + fancyindex on; + fancyindex_exact_size on; + } +} diff --git a/nginx/02/phpldapadmin.conf b/nginx/02/phpldapadmin.conf new file mode 100644 index 0000000..11dda75 --- /dev/null +++ b/nginx/02/phpldapadmin.conf @@ -0,0 +1,22 @@ +server { + listen 192.168.0.115:8084 ssl; + server_name phpldapadmin-local.two.secure.squirrelcube.xyz; + root /srv/www/phpLDAPadmin/phpLDAPadmin/htdocs; + index index.php; + + ssl_certificate /etc/ssl/tp/fullchain.pem; + ssl_certificate_key /etc/ssl/tp/private/privkey.pem; + + location / { + try_files $uri $uri/ /index.php$is_args$args; + } + + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; + fastcgi_index index.php; + fastcgi_pass 172.168.100.2:9100; + } +} + diff --git a/nginx/02/privatebin.conf b/nginx/02/privatebin.conf new file mode 100644 index 0000000..07e95a3 --- /dev/null +++ b/nginx/02/privatebin.conf 
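Review bot: Both servers in matrix.conf enable `ssl_stapling_verify on` without an `ssl_trusted_certificate`, and nginx needs the issuer chain configured through that directive for OCSP verification to succeed; a failed verification is only logged and the response is not stapled, so the directive silently disables the stapling it is meant to harden. Add `ssl_trusted_certificate /etc/ssl/ca-bundle.pem;` as bastelstube.conf and etherpad.conf do, and check the error log for OCSP warnings; tp.3gy.de.conf has the same gap. In the Synapse server the final `location /` proxies every remaining path to `[::1]:8763`, which makes the deliberately scoped `^(\/_matrix|\/_synapse\/client)` regex location moot and also forwards the `/_synapse/admin` tree that the Synapse reverse-proxy guidance says not to expose publicly; if the scoping was intended, drop the catch-all or have it `return 404;`.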
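Review bot: `location ~ \.php$` in phpldapadmin.conf hands every `.php` URI to the FastCGI backend at `172.168.100.2:9100` without first checking that the script exists under `$realpath_root`, so it is the backend rather than nginx that decides what a non-existent path maps to; the usual guard is `try_files $fastcgi_script_name =404;` as the first line of that location. privatebin.conf and shlink.conf use the identical block and need the same line. Also, this LDAP admin UI, unlike dnsui.conf on the same `192.168.0.115:8084` socket, has no `auth_basic` layer in front of the application's own login; that may be intentional, but it is worth confirming.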
@@ -0,0 +1,24 @@
+server {
+ server_name pasta.lysergic.dev p.lsd25.dev p.lsd-25.dev;
+ listen 202.61.255.116:443;
+ listen [2a03:4000:55:d20::]:443;
+ root /mnt/gluster01/web/privatebin/PrivateBin;
+ index index.php;
+ charset utf-8;
+ disable_symlinks off;
+
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+ client_max_body_size 300M;
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass 172.168.100.2:9100;
+ }
+}
diff --git a/nginx/02/prometheus.conf b/nginx/02/prometheus.conf
new file mode 100644
index 0000000..f8e0f50
--- /dev/null
+++ b/nginx/02/prometheus.conf
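Review bot: Both `listen 202.61.255.116:443;` and `listen [2a03:4000:55:d20::]:443;` in privatebin.conf omit the `ssl` parameter although the server configures `ssl_certificate`; this appears to work only because other vhosts in this commit mark the same address:port as `ssl`, so nginx treats the shared socket as TLS for every server on it. Make it explicit with `listen 202.61.255.116:443 ssl;` (and the IPv6 line) so the file does not silently depend on default.conf or another vhost being loaded. shlink-web.conf and shlink.conf have the same omission. The `disable_symlinks off;` line restates nginx's default and can be dropped.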
@@ -0,0 +1,67 @@
+server {
+ listen 192.168.0.115:8092 ssl http2;
+ server_name prometheus-local.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass http://172.16.9.2:9090/;
+ }
+}
+server {
+ listen 192.168.0.115:8093 ssl http2;
+ server_name prometheus-alertmanager-local.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass http://172.16.9.2:9093/;
+ }
+}
+server {
+ listen 192.168.0.115:8094 ssl http2;
+ server_name prometheus-blackbox-exporter-local.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass http://172.16.9.2:9115/;
+ }
+}
+server {
+ listen 192.168.0.115:8095 ssl http2;
+ server_name prometheus-nginx-exporter-local.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass http://172.16.9.2:9113/;
+ }
+}
+server {
+ listen 192.168.0.115:8095 ssl http2;
+ server_name prometheus-wireguard-exporter-mercury.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass http://172.16.9.2:9586/;
+ }
+}
+server {
+ listen 192.168.0.115:8095 ssl http2;
+ server_name prometheus-wireguard-exporter-local.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass http://127.0.0.2:9586/;
+ }
+}
+
diff --git a/nginx/02/scooper.conf b/nginx/02/scooper.conf
new file mode 100644
index 0000000..e39620c
--- /dev/null
+++ b/nginx/02/scooper.conf
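Review bot: The last three servers in prometheus.conf all `listen 192.168.0.115:8095 ssl http2` while the first three were given 8092, 8093 and 8094 one per service; name-based selection still works via SNI/Host, but the pattern suggests the nginx-exporter and the two wireguard-exporter servers were meant to get their own ports, and a client that reaches port 8095 without the expected name gets whichever of the three nginx selects first. Please confirm the intended ports. None of the six servers carries the `auth_basic` pair that dnsui.conf and scooper.conf use, and Prometheus and Alertmanager do not enforce authentication unless configured to; if these ports are reachable beyond Teleport, an `auth_basic`/`auth_basic_user_file` pair at the server level would close that.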
@@ -0,0 +1,29 @@
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+
+ server_name scooper.irc.lsd.systems;
+
+ ssl_certificate /etc/ssl/irc/fullchain.pem;
+ ssl_certificate_key /etc/ssl/irc/private/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSLS:10m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+ resolver 127.0.0.4;
+
+ location / {
+ fastcgi_pass unix:/var/run/kfcgi/scooper.sock;
+ fastcgi_split_path_info (/)(.*);
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ include fastcgi_params;
+ auth_basic "I <3 Internet Relay Chat";
+ auth_basic_user_file /mnt/gluster01/web/auth/scooper;
+ }
+}
+
diff --git a/nginx/02/shlink-web.conf b/nginx/02/shlink-web.conf
new file mode 100644
index 0000000..1705f2f
--- /dev/null
+++ b/nginx/02/shlink-web.conf
@@ -0,0 +1,31 @@
+server {
+ server_name lsd25.xyz;
+ listen 202.61.255.116:443;
+ listen [2a03:4000:55:d20::]:443;
+ root /mnt/gluster01/web/shlink-web;
+ index index.html;
+ charset utf-8;
+
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+ location ~* \.(?:manifest|appcache|html?|xml|json)$ {
+ expires -1;
+ }
+ location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
+ expires 1M;
+ add_header Cache-Control "public";
+ }
+ location ~* \.(?:css|js)$ {
+ expires 1y;
+ add_header Cache-Control "public";
+ }
+ location ~* .+\.(css|js|html|png|jpe?g|gif|bmp|ico|json|csv|otf|eot|svg|svgz|ttf|woff|woff2|ijmap|pdf|tif|map) {
+ try_files $uri $uri/ =404;
+ }
+ location / {
+ auth_basic "Lysergic URL Shortening Service";
+ auth_basic_user_file /mnt/gluster01/web/auth/shlink-web;
+ try_files $uri $uri/ /index.html$is_args$args;
+ }
+}
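Review bot: The `auth_basic` in `location /` of shlink-web.conf does not protect the application, because nginx evaluates regex locations before the `/` prefix location and the regex locations above serve `.html`, `.json`, `.js` and the other listed asset types without any auth; `/index.html` and any `.json` file under `/mnt/gluster01/web/shlink-web` are therefore delivered unauthenticated, and only requests such as `/` itself see the password prompt. Move `auth_basic "Lysergic URL Shortening Service";` and `auth_basic_user_file /mnt/gluster01/web/auth/shlink-web;` to the server level so every location inherits them, or repeat them in each regex location. The `try_files $uri $uri/ =404;` regex location also overlaps the three caching ones and, since nginx uses the first matching regex in file order, is only reached for the extensions the earlier regexes do not list.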
diff --git a/nginx/02/shlink.conf b/nginx/02/shlink.conf
new file mode 100644
index 0000000..f507aa3
--- /dev/null
+++ b/nginx/02/shlink.conf
@@ -0,0 +1,29 @@
+include php-fpm;
+
+server {
+ server_name lsd25.dev lsd-25.dev mcdonalds.pw;
+ listen 202.61.255.116:443;
+ listen [2a03:4000:55:d20::]:443;
+ root /mnt/gluster01/web/shlink/public;
+ index index.php;
+ charset utf-8;
+
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass 172.168.100.2:9100;
+ }
+
+ location ~ /\.ht {
+ deny all;
+ }
+}
diff --git a/nginx/02/syscid.conf b/nginx/02/syscid.conf
new file mode 100644
index 0000000..b57c986
--- /dev/null
+++ b/nginx/02/syscid.conf
@@ -0,0 +1,15 @@
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+
+ server_name orpheus.syscid.com www.syscid.com;
+
+ ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
+ ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
+
+ location / {
+ root /srv/www/htdocs/syscid;
+ index index.html;
+ }
+
+}
diff --git a/nginx/02/tp.3gy.de.conf b/nginx/02/tp.3gy.de.conf
new file mode 100644
index 0000000..8be570c
--- /dev/null
+++ b/nginx/02/tp.3gy.de.conf
@@ -0,0 +1,28 @@ +server { + server_name tp.3gy.de two.tp.3gy.de *.two.secure.squirrelcube.xyz; + listen 202.61.255.116:443 ssl; + listen [2a03:4000:55:d20::]:443 ssl; + + ssl_certificate /etc/ssl/tp/fullchain.pem; + ssl_certificate_key /etc/ssl/tp/private/privkey.pem; + + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + ssl_protocols TLSv1.3; + #ssl_ciphers + #ssl_prefer_server_ciphers + add_header Strict-Transport-Security "max-age=63072000" always; + ssl_stapling on; + ssl_stapling_verify on; + resolver 127.0.0.4; + + location / { + proxy_pass https://[::1]:3080/; + proxy_ssl_verify off; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + proxy_read_timeout 3600; + } +} diff --git a/nginx/02/xen-orchestra.conf b/nginx/02/xen-orchestra.conf new file mode 100644 index 0000000..f1444cd --- /dev/null +++ b/nginx/02/xen-orchestra.conf @@ -0,0 +1,23 @@ +server { + listen 192.168.0.115:8086 ssl; + server_name xen-orchestra-local.two.secure.squirrelcube.xyz; + + ssl_certificate /etc/ssl/tp/fullchain.pem; + ssl_certificate_key /etc/ssl/tp/private/privkey.pem; + resolver 127.0.0.4; + + location / { + proxy_pass https://127.0.0.2:8089; + proxy_ssl_verify off; + proxy_set_header Connection "upgrade"; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + proxy_redirect default; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_read_timeout 1800; + client_max_body_size 4G; + } +}