Initial nginx run 02/05
Signed-off-by: Georg <georg@lysergic.dev>
This commit is contained in:
parent
89f7cffd73
commit
aea3a1cc60
35
nginx/02/bastelstube.conf
Normal file
35
nginx/02/bastelstube.conf
Normal file
@ -0,0 +1,35 @@
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl http2;
|
||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
||||
|
||||
server_name www.lysergic.dev lysergic.dev;
|
||||
|
||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSLS:10m;
|
||||
ssl_session_tickets off;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
|
||||
resolver 127.0.0.4;
|
||||
|
||||
root /srv/www/htdocs/bastelstube;
|
||||
index index.html;
|
||||
|
||||
|
||||
location /.well-known/matrix/client {
|
||||
return 200 '{"m.homeserver": {"base_url": "https://matrix.lysergic.dev"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
|
||||
default_type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
}
|
||||
|
||||
location /.well-known/matrix/server {
|
||||
return 200 '{"m.server": "matrix.lysergic.dev:8448"}';
|
||||
default_type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
}
|
||||
}
|
17
nginx/02/cachet.conf
Normal file
17
nginx/02/cachet.conf
Normal file
@ -0,0 +1,17 @@
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl http2;
|
||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
||||
|
||||
server_name status.liberta.casa status.lib.casa;
|
||||
|
||||
ssl_certificate /etc/ssl/liberta.casa/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/liberta.casa/private/privkey.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://cachet.local:8033;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
}
|
30
nginx/02/confluence.conf
Normal file
30
nginx/02/confluence.conf
Normal file
@ -0,0 +1,30 @@
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl;
|
||||
listen [2a03:4000:55:d20::]:443 ssl;
|
||||
server_name confluence.psyched.dev;
|
||||
|
||||
ssl_certificate /etc/ssl/psyched/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/psyched/private/privkey.pem;
|
||||
|
||||
ssl_session_timeout 5m;
|
||||
|
||||
ssl_protocols TLSv1.3;
|
||||
#ssl_prefer_server_ciphers on;
|
||||
|
||||
location / {
|
||||
client_max_body_size 100m;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_pass http://localhost:8090;
|
||||
}
|
||||
location /synchrony {
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_pass http://localhost:8091/synchrony;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
}
|
||||
}
|
17
nginx/02/default.conf
Normal file
17
nginx/02/default.conf
Normal file
@ -0,0 +1,17 @@
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl http2 default_server;
|
||||
listen [2a03:4000:55:d20::]:443 ssl http2 default_server;
|
||||
|
||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
||||
|
||||
root /srv/www/htdocs/default;
|
||||
index index.html;
|
||||
}
|
||||
server {
|
||||
listen 202.61.255.116:80 default_server;
|
||||
listen [2a03:4000:55:d20::]:80 default_server;
|
||||
|
||||
root /srv/www/htdocs/default;
|
||||
index index.html;
|
||||
}
|
27
nginx/02/dnsui.conf
Normal file
27
nginx/02/dnsui.conf
Normal file
@ -0,0 +1,27 @@
|
||||
server {
|
||||
listen 192.168.0.115:8084 ssl;
|
||||
server_name dnsui-local.two.secure.squirrelcube.xyz;
|
||||
root /mnt/gluster01/web/dnsui2/public_html;
|
||||
index init.php;
|
||||
|
||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ @php;
|
||||
auth_basic "NS1 Intranet";
|
||||
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
|
||||
}
|
||||
location @php {
|
||||
rewrite ^/(.*)$ /init.php/$1 last;
|
||||
auth_basic "NS1 Intranet";
|
||||
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
|
||||
}
|
||||
location /init.php {
|
||||
fastcgi_pass 172.168.100.2:9100;
|
||||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
||||
auth_basic "NS1 Intranet";
|
||||
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
|
||||
}
|
||||
}
|
38
nginx/02/drone.conf
Normal file
38
nginx/02/drone.conf
Normal file
@ -0,0 +1,38 @@
|
||||
#Drone (only for RPC access from other nodes - UI access is proxied directly through Teleport)
|
||||
server {
|
||||
listen 192.168.0.115:443 ssl http2;
|
||||
server_name drone.two.secure.squirrelcube.xyz;
|
||||
|
||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass https://drone-local.two.secure.squirrelcube.xyz;
|
||||
}
|
||||
}
|
||||
|
||||
#Runner Exec
|
||||
server {
|
||||
listen 192.168.0.115:443 ssl http2;
|
||||
server_name drone-runner-exec-local.two.secure.squirrelcube.xyz;
|
||||
|
||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.3:3000;
|
||||
}
|
||||
}
|
||||
|
||||
#Runner SSH
|
||||
server {
|
||||
listen 192.168.0.115:443 ssl http2;
|
||||
server_name drone-runner-ssh-local.two.secure.squirrelcube.xyz;
|
||||
|
||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.3:3001;
|
||||
}
|
||||
}
|
39
nginx/02/etherpad.conf
Normal file
39
nginx/02/etherpad.conf
Normal file
@ -0,0 +1,39 @@
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl http2;
|
||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
||||
|
||||
server_name pad.hugz.io pad.lsd25.dev pad.lysergic.dev;
|
||||
|
||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
||||
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||
ssl_session_tickets off;
|
||||
ssl_protocols TLSv1.3 TLSv1.2;
|
||||
ssl_prefer_server_ciphers off;
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
|
||||
resolver 127.0.0.4;
|
||||
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.2:9001;
|
||||
proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass_header Server;
|
||||
|
||||
# Note you might want to pass these headers etc too.
|
||||
proxy_set_header X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
|
||||
proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
|
||||
proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
|
||||
proxy_http_version 1.1; # recommended with keepalive connections
|
||||
|
||||
# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
|
||||
}
|
||||
}
|
23
nginx/02/georg.conf
Normal file
23
nginx/02/georg.conf
Normal file
@ -0,0 +1,23 @@
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl http2;
|
||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
||||
|
||||
server_name georg-pfuetzenreuter.net pfuetzenreuter.at gippy.at;
|
||||
|
||||
ssl_certificate /etc/ssl/georg/533088712.crt;
|
||||
ssl_certificate_key /etc/ssl/georg/my.key;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSLS:10m;
|
||||
ssl_session_tickets off;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate /etc/ssl/georg/533088712.ca-bundle;
|
||||
resolver 127.0.0.4;
|
||||
|
||||
root /srv/www/htdocs/georg;
|
||||
index index.html;
|
||||
|
||||
}
|
65
nginx/02/git.conf
Normal file
65
nginx/02/git.conf
Normal file
@ -0,0 +1,65 @@
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl http2;
|
||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
||||
|
||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
||||
|
||||
server_name git.lysergic.dev git.de.com;
|
||||
|
||||
return 302 https://git.com.de;
|
||||
}
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl http2;
|
||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
||||
|
||||
ssl_certificate /etc/ssl/liberta.casa/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/liberta.casa/private/privkey.pem;
|
||||
|
||||
server_name git.casa;
|
||||
|
||||
# return 302 https://git.com.de/libertacasa;
|
||||
|
||||
|
||||
root /srv/www/htdocs;
|
||||
|
||||
try_files $uri @cgit;
|
||||
|
||||
location @cgit {
|
||||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME /srv/www/cgi-bin/cgit/cgit.cgi;
|
||||
fastcgi_param PATH_INFO $uri;
|
||||
fastcgi_param QUERY_STRING $args;
|
||||
fastcgi_param HTTP_HOST $server_name;
|
||||
fastcgi_pass unix:/run/fcgiwrap.sock;
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl http2;
|
||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
||||
listen 192.168.0.115:443 ssl http2;
|
||||
|
||||
server_name git.com.de;
|
||||
|
||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
||||
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||
ssl_session_tickets off;
|
||||
ssl_protocols TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
|
||||
resolver 127.0.0.4;
|
||||
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.2:3501;
|
||||
}
|
||||
}
|
15
nginx/02/grafana.conf
Normal file
15
nginx/02/grafana.conf
Normal file
@ -0,0 +1,15 @@
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl http2;
|
||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
||||
server_name grafana.lysergic.dev;
|
||||
|
||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
||||
|
||||
ssl_session_timeout 5m;
|
||||
ssl_protocols TLSv1.3;
|
||||
|
||||
location / {
|
||||
proxy_pass http://[::1]:3000/;
|
||||
}
|
||||
}
|
42
nginx/02/graylog.conf
Normal file
42
nginx/02/graylog.conf
Normal file
@ -0,0 +1,42 @@
|
||||
server {
|
||||
listen 192.168.0.115:8087 ssl;
|
||||
server_name graylog-local.two.secure.squirrelcube.xyz;
|
||||
|
||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:9000;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
}
|
||||
|
||||
#server {
|
||||
# listen 202.61.255.116:443 ssl http2;
|
||||
# listen [2a03:4000:55:d20::]:443 ssl http2;
|
||||
# server_name glpub.two.secure.squirrelcube.xyz;
|
||||
#
|
||||
# ssl_certificate /etc/ssl/tp/fullchain.pem;
|
||||
# ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
||||
# ssl_session_timeout 1d;
|
||||
# ssl_session_cache shared:MozSSLS:10m;
|
||||
# ssl_session_tickets off;
|
||||
# ssl_protocols TLSv1.3;
|
||||
# ssl_prefer_server_ciphers off;
|
||||
# add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
# ssl_stapling on;
|
||||
# ssl_stapling_verify on;
|
||||
# ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
|
||||
# resolver 127.0.0.4;
|
||||
#
|
||||
# location /streams {
|
||||
# proxy_pass http://127.0.0.1:9000/;
|
||||
# proxy_set_header X-Forwarded-Host $host;
|
||||
# proxy_set_header X-Forwarded-Server $host;
|
||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
# proxy_http_version 1.1;
|
||||
# }
|
||||
#}
|
57
nginx/02/jitsi.conf
Normal file
57
nginx/02/jitsi.conf
Normal file
@ -0,0 +1,57 @@
|
||||
#server_names_hash_bucket_size 64;
|
||||
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl http2;
|
||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
||||
listen 127.0.0.1:443 ssl http2;
|
||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
||||
# tls configuration that is not covered in this guide
|
||||
# we recommend the use of https://certbot.eff.org/
|
||||
server_name meet.lysergic.dev meet.liberta.casa meet.lib.casa;
|
||||
# set the root
|
||||
root /srv/jitsi-meet;
|
||||
index index.html;
|
||||
location ~ ^/([a-zA-Z0-9=_\-\?]+)$ {
|
||||
rewrite ^/(.*)$ / break;
|
||||
}
|
||||
location / {
|
||||
ssi on;
|
||||
}
|
||||
# BOSH, Bidirectional-streams Over Synchronous HTTP
|
||||
# https://en.wikipedia.org/wiki/BOSH_(protocol)
|
||||
location = /http-bind {
|
||||
proxy_pass http://127.0.0.1:5280/http-bind;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_method POST;
|
||||
proxy_buffering off;
|
||||
tcp_nodelay on;
|
||||
}
|
||||
# external_api.js must be accessible from the root of the
|
||||
# installation for the electron version of Jitsi Meet to work
|
||||
# https://github.com/jitsi/jitsi-meet-electron
|
||||
location /external_api.js {
|
||||
alias /srv/jitsi-meet/libs/external_api.min.js;
|
||||
}
|
||||
# xmpp websockets
|
||||
location /xmpp-websocket {
|
||||
proxy_pass http://127.0.0.1:5280/xmpp-websocket;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $host;
|
||||
tcp_nodelay on;
|
||||
}
|
||||
}
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl http2;
|
||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
||||
server_name meet-auth.sso.casa;
|
||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.2:3002;
|
||||
}
|
||||
}
|
219
nginx/02/keycloak.conf
Normal file
219
nginx/02/keycloak.conf
Normal file
@ -0,0 +1,219 @@
|
||||
#########################################
|
||||
## SECTION 1 ##
|
||||
## DEVELOPMENT / STAGING CONFIGURATION ##
|
||||
#########################################
|
||||
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl http2;
|
||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
||||
|
||||
server_name auth.syscid.com sso.syscid.com;
|
||||
|
||||
ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
|
||||
ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
|
||||
|
||||
# location /auth {
|
||||
# return 302 https://auth.syscid.com/auth/realms/master/account/;
|
||||
# }
|
||||
# location /auth/realms/master/account/ {
|
||||
# proxy_pass https://10.0.0.10;
|
||||
# proxy_set_header Host $host;
|
||||
# proxy_set_header X-Real-IP $remote_addr;
|
||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
# proxy_set_header X-Forwarded-Host $host;
|
||||
# proxy_set_header X-Forwarded-Server $host;
|
||||
# proxy_set_header X-Forwarded-Port $server_port;
|
||||
# proxy_set_header X-Forwarded-Proto $scheme;
|
||||
# }
|
||||
location / {
|
||||
proxy_pass https://10.0.0.10;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Forwarded-Port $server_port;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
|
||||
}
|
||||
server {
|
||||
listen 127.0.0.1:443 ssl http2;
|
||||
|
||||
server_name keycloak-internal.two.secure.squirrelcube.xyz;
|
||||
|
||||
ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
|
||||
ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
|
||||
|
||||
return 302 https://keycloak.two.secure.squirrelcube.xyz/admin/master/console/;
|
||||
|
||||
location / {
|
||||
proxy_pass https://10.0.0.10;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Forwarded-Port $server_port;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
}
|
||||
|
||||
#########################################
|
||||
## SECTION 2 ##
|
||||
## Everything below here is PRODUCTION ##
|
||||
#########################################
|
||||
|
||||
##
|
||||
## WildFly Management UI access through Teleport
|
||||
##
|
||||
server {
|
||||
listen 127.0.0.1:443 ssl http2;
|
||||
server_name wildfly-keycloak-prod-orpheus.two.secure.squirrelcube.xyz;
|
||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
||||
location / {
|
||||
proxy_pass http://127.0.0.5:9990;
|
||||
|
||||
## This bit does not look production worthy, I think we can remove the commented out lines, but am not sure yet. should check whether the correct IP address is passed through to WildFly on failed authentication attempts.
|
||||
|
||||
# proxy_set_header Host $host;
|
||||
# proxy_set_header X-Real-IP $remote_addr;
|
||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
# proxy_set_header X-Forwarded-Host $host;
|
||||
# proxy_set_header X-Forwarded-Server $host;
|
||||
# proxy_set_header X-Forwarded-Port $server_port;
|
||||
# proxy_set_header X-Forwarded-Proto $scheme;
|
||||
# proxy_set_header Authorization $http_authorization;
|
||||
# proxy_pass_header Authorization;
|
||||
proxy_set_header Host $host:10090;
|
||||
proxy_set_header Origin http://$host:10090;
|
||||
|
||||
proxy_redirect off;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_pass_request_headers on;
|
||||
}
|
||||
}
|
||||
|
||||
##
|
||||
## Used for testing of the AdminUrl backend to rule out issues by the Teleport proxy
|
||||
##
|
||||
#server {
|
||||
# listen 127.0.0.1:443 ssl http2;
|
||||
# listen 192.168.0.115:443 ssl http2;
|
||||
#
|
||||
# server_name intra.sso.casa;
|
||||
# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
|
||||
# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
|
||||
#
|
||||
# location / {
|
||||
# proxy_pass https://192.168.0.115:8843/;
|
||||
# proxy_ssl_verify off;
|
||||
# proxy_set_header Host $host;
|
||||
# proxy_set_header X-Real-IP $remote_addr;
|
||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
# #proxy_set_header X-Forwarded-Host $host;
|
||||
# #proxy_set_header X-Forwarded-Server $host;
|
||||
# #proxy_set_header X-Forwarded-Port $server_port;
|
||||
# proxy_set_header X-Forwarded-Proto https;
|
||||
# }
|
||||
# proxy_buffer_size 128k;
|
||||
# proxy_buffers 4 256k;
|
||||
# proxy_busy_buffers_size 256k;
|
||||
#}
|
||||
|
||||
##
|
||||
## Standalone Keycloak Frontend on Orpheus
|
||||
##
|
||||
|
||||
#server {
|
||||
# listen 202.61.255.116:443 ssl http2;
|
||||
# listen [2a03:4000:55:d20::]:443 ssl http2;
|
||||
#
|
||||
# server_name sso.casa;
|
||||
#
|
||||
# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
|
||||
# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
|
||||
#
|
||||
# location / {
|
||||
# proxy_pass https://192.168.0.115:8843/;
|
||||
# proxy_ssl_verify off;
|
||||
# proxy_set_header Host $host;
|
||||
# proxy_set_header X-Real-IP $remote_addr;
|
||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
# #proxy_set_header X-Forwarded-Host $host;
|
||||
# #proxy_set_header X-Forwarded-Server $host;
|
||||
# #proxy_set_header X-Forwarded-Port $server_port;
|
||||
# proxy_set_header X-Forwarded-Proto https;
|
||||
# }
|
||||
# proxy_buffer_size 128k;
|
||||
# proxy_buffers 4 256k;
|
||||
# proxy_busy_buffers_size 256k;
|
||||
#
|
||||
## location ~ /auth/admin {
|
||||
## deny all;
|
||||
## return 403;
|
||||
## }
|
||||
#
|
||||
#}
|
||||
|
||||
##
|
||||
## Keycloak Frontend Load Balancer
|
||||
##
|
||||
proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;
|
||||
|
||||
upstream jboss {
|
||||
ip_hash;
|
||||
server 192.168.0.110:8843;
|
||||
server 192.168.0.115:8843;
|
||||
server 192.168.0.120:8843;
|
||||
|
||||
# only available in NGINX Plus - very sad!!
|
||||
# sticky learn
|
||||
# create=$upstream_cookie_AUTH_SESSION_ID
|
||||
# lookup=$cookie_AUTH_SESSION_ID
|
||||
# zone=client_sessions:1m;
|
||||
}
|
||||
|
||||
# same ordeal
|
||||
#match jboss_check {
|
||||
# status 200;
|
||||
# header Content-Type = text/html;
|
||||
# body ~ "WildFly is running";
|
||||
#}
|
||||
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl http2;
|
||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
||||
listen 127.0.0.1:443 ssl http2;
|
||||
server_name sso.casa;
|
||||
|
||||
ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
|
||||
ssl_session_cache shared:SSL:1m;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
#location = / {
|
||||
# return 302 /auth/;
|
||||
#}
|
||||
|
||||
location / {
|
||||
proxy_pass https://jboss;
|
||||
proxy_cache backcache;
|
||||
proxy_ssl_verify off;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
|
||||
# yup, nginx plus
|
||||
#health_check match=jboss_check;
|
||||
}
|
||||
proxy_buffer_size 256k;
|
||||
proxy_buffers 4 512k;
|
||||
proxy_busy_buffers_size 512k;
|
||||
|
||||
}
|
79
nginx/02/matrix.conf
Normal file
79
nginx/02/matrix.conf
Normal file
@ -0,0 +1,79 @@
|
||||
##WEBSERVER DEFINITIONS FOR ALL MATRIX SERVICES ON LYSERGIC.DEV
|
||||
|
||||
##SYNAPSE
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl;
|
||||
listen [2a03:4000:55:d20::]:443 ssl;
|
||||
|
||||
# For the federation port
|
||||
listen 202.61.255.116:8448 ssl default_server;
|
||||
listen [2a03:4000:55:d20::]:8448 ssl;
|
||||
listen 192.168.0.115:8448 ssl;
|
||||
|
||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||
ssl_session_tickets off;
|
||||
|
||||
ssl_protocols TLSv1.3 TLSv1.2;
|
||||
ssl_prefer_server_ciphers off;
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
resolver 127.0.0.4;
|
||||
|
||||
server_name matrix.lysergic.dev;
|
||||
|
||||
location ~* ^(\/_matrix|\/_synapse\/client) {
|
||||
proxy_pass http://[::1]:8763;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
client_max_body_size 100M;
|
||||
}
|
||||
|
||||
location /.well-known/matrix/client {
|
||||
return 200 '{"m.homeserver": {"base_url": "https://matrix.lysergic.dev"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
|
||||
default_type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
}
|
||||
|
||||
location /.well-known/matrix/server {
|
||||
return 200 '{"m.server": "matrix.lysergic.dev:8448"}';
|
||||
default_type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
}
|
||||
|
||||
|
||||
location / {
|
||||
proxy_pass http://[::1]:8763/;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
client_max_body_size 100M;
|
||||
}
|
||||
}
|
||||
|
||||
#ELEMENT
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl;
|
||||
listen [2a03:4000:55:d20::]:443 ssl;
|
||||
server_name element.lysergic.dev;
|
||||
|
||||
root /mnt/gluster01/web/matrix/element-lysergic;
|
||||
|
||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||
ssl_session_tickets off;
|
||||
|
||||
ssl_protocols TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
resolver 127.0.0.4;
|
||||
}
|
||||
|
15
nginx/02/mirror.conf
Normal file
15
nginx/02/mirror.conf
Normal file
@ -0,0 +1,15 @@
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl http2;
|
||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
||||
|
||||
server_name 3zy.de;
|
||||
|
||||
ssl_certificate /etc/ssl/3zy.de/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/3zy.de/private/privkey.pem;
|
||||
|
||||
location / {
|
||||
root /mnt/gluster01/mirror;
|
||||
fancyindex on;
|
||||
fancyindex_exact_size on;
|
||||
}
|
||||
}
|
22
nginx/02/phpldapadmin.conf
Normal file
22
nginx/02/phpldapadmin.conf
Normal file
@ -0,0 +1,22 @@
|
||||
server {
|
||||
listen 192.168.0.115:8084 ssl;
|
||||
server_name phpldapadmin-local.two.secure.squirrelcube.xyz;
|
||||
root /srv/www/phpLDAPadmin/phpLDAPadmin/htdocs;
|
||||
index index.php;
|
||||
|
||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php$is_args$args;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
||||
fastcgi_index index.php;
|
||||
fastcgi_pass 172.168.100.2:9100;
|
||||
}
|
||||
}
|
||||
|
24
nginx/02/privatebin.conf
Normal file
24
nginx/02/privatebin.conf
Normal file
@ -0,0 +1,24 @@
|
||||
server {
|
||||
server_name pasta.lysergic.dev p.lsd25.dev p.lsd-25.dev;
|
||||
listen 202.61.255.116:443;
|
||||
listen [2a03:4000:55:d20::]:443;
|
||||
root /mnt/gluster01/web/privatebin/PrivateBin;
|
||||
index index.php;
|
||||
charset utf-8;
|
||||
disable_symlinks off;
|
||||
|
||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
||||
client_max_body_size 300M;
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php$is_args$args;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
||||
fastcgi_index index.php;
|
||||
fastcgi_pass 172.168.100.2:9100;
|
||||
}
|
||||
}
|
67
nginx/02/prometheus.conf
Normal file
67
nginx/02/prometheus.conf
Normal file
@ -0,0 +1,67 @@
|
||||
server {
|
||||
listen 192.168.0.115:8092 ssl http2;
|
||||
server_name prometheus-local.two.secure.squirrelcube.xyz;
|
||||
|
||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://172.16.9.2:9090/;
|
||||
}
|
||||
}
|
||||
server {
|
||||
listen 192.168.0.115:8093 ssl http2;
|
||||
server_name prometheus-alertmanager-local.two.secure.squirrelcube.xyz;
|
||||
|
||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://172.16.9.2:9093/;
|
||||
}
|
||||
}
|
||||
server {
|
||||
listen 192.168.0.115:8094 ssl http2;
|
||||
server_name prometheus-blackbox-exporter-local.two.secure.squirrelcube.xyz;
|
||||
|
||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://172.16.9.2:9115/;
|
||||
}
|
||||
}
|
||||
server {
|
||||
listen 192.168.0.115:8095 ssl http2;
|
||||
server_name prometheus-nginx-exporter-local.two.secure.squirrelcube.xyz;
|
||||
|
||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://172.16.9.2:9113/;
|
||||
}
|
||||
}
|
||||
server {
|
||||
listen 192.168.0.115:8095 ssl http2;
|
||||
server_name prometheus-wireguard-exporter-mercury.two.secure.squirrelcube.xyz;
|
||||
|
||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://172.16.9.2:9586/;
|
||||
}
|
||||
}
|
||||
server {
|
||||
listen 192.168.0.115:8095 ssl http2;
|
||||
server_name prometheus-wireguard-exporter-local.two.secure.squirrelcube.xyz;
|
||||
|
||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.2:9586/;
|
||||
}
|
||||
}
|
||||
|
29
nginx/02/scooper.conf
Normal file
29
nginx/02/scooper.conf
Normal file
@ -0,0 +1,29 @@
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl http2;
|
||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
||||
|
||||
server_name scooper.irc.lsd.systems;
|
||||
|
||||
ssl_certificate /etc/ssl/irc/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/irc/private/privkey.pem;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSLS:10m;
|
||||
ssl_session_tickets off;
|
||||
ssl_protocols TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
|
||||
resolver 127.0.0.4;
|
||||
|
||||
location / {
|
||||
fastcgi_pass unix:/var/run/kfcgi/scooper.sock;
|
||||
fastcgi_split_path_info (/)(.*);
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
include fastcgi_params;
|
||||
auth_basic "I <3 Internet Relay Chat";
|
||||
auth_basic_user_file /mnt/gluster01/web/auth/scooper;
|
||||
}
|
||||
}
|
||||
|
31
nginx/02/shlink-web.conf
Normal file
31
nginx/02/shlink-web.conf
Normal file
@ -0,0 +1,31 @@
|
||||
server {
|
||||
server_name lsd25.xyz;
|
||||
listen 202.61.255.116:443;
|
||||
listen [2a03:4000:55:d20::]:443;
|
||||
root /mnt/gluster01/web/shlink-web;
|
||||
index index.html;
|
||||
charset utf-8;
|
||||
|
||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
||||
|
||||
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
|
||||
expires -1;
|
||||
}
|
||||
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
|
||||
expires 1M;
|
||||
add_header Cache-Control "public";
|
||||
}
|
||||
location ~* \.(?:css|js)$ {
|
||||
expires 1y;
|
||||
add_header Cache-Control "public";
|
||||
}
|
||||
location ~* .+\.(css|js|html|png|jpe?g|gif|bmp|ico|json|csv|otf|eot|svg|svgz|ttf|woff|woff2|ijmap|pdf|tif|map) {
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
location / {
|
||||
auth_basic "Lysergic URL Shortening Service";
|
||||
auth_basic_user_file /mnt/gluster01/web/auth/shlink-web;
|
||||
try_files $uri $uri/ /index.html$is_args$args;
|
||||
}
|
||||
}
|
29
nginx/02/shlink.conf
Normal file
29
nginx/02/shlink.conf
Normal file
@ -0,0 +1,29 @@
|
||||
include php-fpm;
|
||||
|
||||
server {
|
||||
server_name lsd25.dev lsd-25.dev mcdonalds.pw;
|
||||
listen 202.61.255.116:443;
|
||||
listen [2a03:4000:55:d20::]:443;
|
||||
root /mnt/gluster01/web/shlink/public;
|
||||
index index.php;
|
||||
charset utf-8;
|
||||
|
||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php$is_args$args;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
||||
fastcgi_index index.php;
|
||||
fastcgi_pass 172.168.100.2:9100;
|
||||
}
|
||||
|
||||
location ~ /\.ht {
|
||||
deny all;
|
||||
}
|
||||
}
|
15
nginx/02/syscid.conf
Normal file
15
nginx/02/syscid.conf
Normal file
@ -0,0 +1,15 @@
|
||||
server {
|
||||
listen 202.61.255.116:443 ssl http2;
|
||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
||||
|
||||
server_name orpheus.syscid.com www.syscid.com;
|
||||
|
||||
ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
|
||||
ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
|
||||
|
||||
location / {
|
||||
root /srv/www/htdocs/syscid;
|
||||
index index.html;
|
||||
}
|
||||
|
||||
}
|
28
nginx/02/tp.3gy.de.conf
Normal file
28
nginx/02/tp.3gy.de.conf
Normal file
@ -0,0 +1,28 @@
|
||||
server {
|
||||
server_name tp.3gy.de two.tp.3gy.de *.two.secure.squirrelcube.xyz;
|
||||
listen 202.61.255.116:443 ssl;
|
||||
listen [2a03:4000:55:d20::]:443 ssl;
|
||||
|
||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
||||
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
ssl_session_tickets off;
|
||||
ssl_protocols TLSv1.3;
|
||||
#ssl_ciphers
|
||||
#ssl_prefer_server_ciphers
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
resolver 127.0.0.4;
|
||||
|
||||
location / {
|
||||
proxy_pass https://[::1]:3080/;
|
||||
proxy_ssl_verify off;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host $host;
|
||||
proxy_read_timeout 3600;
|
||||
}
|
||||
}
|
23
nginx/02/xen-orchestra.conf
Normal file
23
nginx/02/xen-orchestra.conf
Normal file
@ -0,0 +1,23 @@
|
||||
server {
|
||||
listen 192.168.0.115:8086 ssl;
|
||||
server_name xen-orchestra-local.two.secure.squirrelcube.xyz;
|
||||
|
||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
||||
resolver 127.0.0.4;
|
||||
|
||||
location / {
|
||||
proxy_pass https://127.0.0.2:8089;
|
||||
proxy_ssl_verify off;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_redirect default;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_http_version 1.1;
|
||||
proxy_read_timeout 1800;
|
||||
client_max_body_size 4G;
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user