Initial nginx run 02/05

Signed-off-by: Georg <georg@lysergic.dev>
Georg Pfuetzenreuter 2021-08-30 20:51:39 +02:00
parent 675ce1ee97
commit c9e34fd1e1
24 changed files with 986 additions and 0 deletions

35
nginx/02/bastelstube.conf Normal file

@ -0,0 +1,35 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name www.lysergic.dev lysergic.dev;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSLS:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 127.0.0.4;
root /srv/www/htdocs/bastelstube;
index index.html;
location /.well-known/matrix/client {
return 200 '{"m.homeserver": {"base_url": "https://matrix.lysergic.dev"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
location /.well-known/matrix/server {
return 200 '{"m.server": "matrix.lysergic.dev:8448"}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
}
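Review bot: The two `/.well-known/matrix/*` locations declare their own `add_header`, and nginx inherits `add_header` from the enclosing level only when the current level defines none, so the server-level `Strict-Transport-Security` header is not sent on these responses. Repeating `add_header Strict-Transport-Security "max-age=63072000" always;` inside both locations (or putting the shared headers in a snippet each location includes) restores it. The `.well-known` locations in matrix.conf follow the same pattern.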

17
nginx/02/cachet.conf Normal file

@ -0,0 +1,17 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name status.liberta.casa status.lib.casa;
ssl_certificate /etc/ssl/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/ssl/liberta.casa/private/privkey.pem;
location / {
proxy_pass http://cachet.local:8033;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
}
}

30
nginx/02/confluence.conf Normal file

@ -0,0 +1,30 @@
server {
listen 202.61.255.116:443 ssl;
listen [2a03:4000:55:d20::]:443 ssl;
server_name confluence.psyched.dev;
ssl_certificate /etc/ssl/psyched/fullchain.pem;
ssl_certificate_key /etc/ssl/psyched/private/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1.3;
#ssl_prefer_server_ciphers on;
location / {
client_max_body_size 100m;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8090;
}
location /synchrony {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8091/synchrony;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}

17
nginx/02/default.conf Normal file

@ -0,0 +1,17 @@
server {
listen 202.61.255.116:443 ssl http2 default_server;
listen [2a03:4000:55:d20::]:443 ssl http2 default_server;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
root /srv/www/htdocs/default;
index index.html;
}
server {
listen 202.61.255.116:80 default_server;
listen [2a03:4000:55:d20::]:80 default_server;
root /srv/www/htdocs/default;
index index.html;
}
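Review bot: The 443 `default_server` answers any unmatched hostname with the lysergic certificate and the default docroot, which tells anyone connecting by IP address or with an arbitrary SNI name which domain is hosted here. On nginx 1.19.4 or later, `ssl_reject_handshake on;` in this block refuses such handshakes; on older builds `return 444;` at least drops the request. The port-80 default server serves content over plain HTTP, and no file in this commit shows an HTTP-to-HTTPS redirect, so `return 301 https://$host$request_uri;` may belong here unless it is configured elsewhere.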

27
nginx/02/dnsui.conf Normal file

@ -0,0 +1,27 @@
server {
listen 192.168.0.115:8084 ssl;
server_name dnsui-local.two.secure.squirrelcube.xyz;
root /mnt/gluster01/web/dnsui2/public_html;
index init.php;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
try_files $uri $uri/ @php;
auth_basic "NS1 Intranet";
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
}
location @php {
rewrite ^/(.*)$ /init.php/$1 last;
auth_basic "NS1 Intranet";
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
}
location /init.php {
fastcgi_pass 172.168.100.2:9100;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
auth_basic "NS1 Intranet";
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
}
}
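Review bot: `fastcgi_pass 172.168.100.2:9100;` points at an address outside the RFC 1918 range (172.16.0.0/12 ends at 172.31.255.255), and FastCGI is neither encrypted nor authenticated. Unless that address is deliberately assigned on a local bridge or tunnel, requests and `SCRIPT_FILENAME` values could leave the host in clear text, so it is worth confirming the routing or renumbering the PHP-FPM network into private space. The same upstream is used in the phpLDAPadmin section, privatebin.conf and shlink.conf. Separately, `auth_basic` and `auth_basic_user_file` are repeated in all three locations; declaring them once at `server` level would keep a later location from being added without them.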

38
nginx/02/drone.conf Normal file

@ -0,0 +1,38 @@
#Drone (only for RPC access from other nodes - UI access is proxied directly through Teleport)
server {
listen 192.168.0.115:443 ssl http2;
server_name drone.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass https://drone-local.two.secure.squirrelcube.xyz;
}
}
#Runner Exec
server {
listen 192.168.0.115:443 ssl http2;
server_name drone-runner-exec-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://127.0.0.3:3000;
}
}
#Runner SSH
server {
listen 192.168.0.115:443 ssl http2;
server_name drone-runner-ssh-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://127.0.0.3:3001;
}
}
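Review bot: `proxy_pass https://drone-local.two.secure.squirrelcube.xyz;` in the first block does not authenticate the upstream, because `proxy_ssl_verify` defaults to `off`. Adding `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate /etc/ssl/ca-bundle.pem;` and `proxy_ssl_server_name on;` makes nginx check the certificate and send SNI; the bundle path is the one other files in this commit use and is assumed to cover this certificate's issuer. The header comment says these vhosts carry RPC from other nodes, so an `allow`/`deny` pair naming those nodes, or at least a comment listing them, would document the intended exposure of the two runner blocks.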

39
nginx/02/etherpad.conf Normal file

@ -0,0 +1,39 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name pad.hugz.io pad.lsd25.dev pad.lysergic.dev;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 127.0.0.4;
location / {
proxy_pass http://127.0.0.2:9001;
proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
proxy_set_header Host $host;
proxy_pass_header Server;
# Note you might want to pass these headers etc too.
proxy_set_header X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
proxy_http_version 1.1; # recommended with keepalive connections
# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
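Review bot: `proxy_pass_header Server;` forwards the backend's own `Server` response header to clients, which can disclose the software and version running behind the proxy. Unless something depends on it, dropping that line lets nginx substitute its own header. `proxy_set_header X-Forwarded-For $remote_addr;` overwrites any client-supplied value, which is the safer choice for the log attribution the inline comment describes; a comment such as `# overwrite, do not append: the client-sent header is untrusted` would keep it from being changed to `$proxy_add_x_forwarded_for` later.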

23
nginx/02/georg.conf Normal file

@ -0,0 +1,23 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name georg-pfuetzenreuter.net pfuetzenreuter.at gippy.at;
ssl_certificate /etc/ssl/georg/533088712.crt;
ssl_certificate_key /etc/ssl/georg/my.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSLS:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/georg/533088712.ca-bundle;
resolver 127.0.0.4;
root /srv/www/htdocs/georg;
index index.html;
}

65
nginx/02/git.conf Normal file

@ -0,0 +1,65 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
server_name git.lysergic.dev git.de.com;
return 302 https://git.com.de;
}
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
ssl_certificate /etc/ssl/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/ssl/liberta.casa/private/privkey.pem;
server_name git.casa;
# return 302 https://git.com.de/libertacasa;
root /srv/www/htdocs;
try_files $uri @cgit;
location @cgit {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /srv/www/cgi-bin/cgit/cgit.cgi;
fastcgi_param PATH_INFO $uri;
fastcgi_param QUERY_STRING $args;
fastcgi_param HTTP_HOST $server_name;
fastcgi_pass unix:/run/fcgiwrap.sock;
}
}
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
listen 192.168.0.115:443 ssl http2;
server_name git.com.de;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 127.0.0.4;
location / {
proxy_pass http://127.0.0.2:3501;
}
}
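Review bot: The `git.com.de` block proxies to `http://127.0.0.2:3501` without setting `Host`, `X-Real-IP`, `X-Forwarded-For` or `X-Forwarded-Proto`, so the backend sees every request as coming from the proxy itself. That removes the client address from application logs and from any per-IP login throttling the backend applies. etherpad.conf and keycloak.conf in this commit already set these headers, and the same lines would fit here; the gap also exists in grafana.conf and in the `meet-auth.sso.casa` block of jitsi.conf. The backend must be configured to trust the proxy's headers for this to take effect.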

15
nginx/02/grafana.conf Normal file

@ -0,0 +1,15 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name grafana.lysergic.dev;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1.3;
location / {
proxy_pass http://[::1]:3000/;
}
}

42
nginx/02/graylog.conf Normal file

@ -0,0 +1,42 @@
server {
listen 192.168.0.115:8087 ssl;
server_name graylog-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://127.0.0.1:9000;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
}
}
#server {
# listen 202.61.255.116:443 ssl http2;
# listen [2a03:4000:55:d20::]:443 ssl http2;
# server_name glpub.two.secure.squirrelcube.xyz;
#
# ssl_certificate /etc/ssl/tp/fullchain.pem;
# ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
# ssl_session_timeout 1d;
# ssl_session_cache shared:MozSSLS:10m;
# ssl_session_tickets off;
# ssl_protocols TLSv1.3;
# ssl_prefer_server_ciphers off;
# add_header Strict-Transport-Security "max-age=63072000" always;
# ssl_stapling on;
# ssl_stapling_verify on;
# ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
# resolver 127.0.0.4;
#
# location /streams {
# proxy_pass http://127.0.0.1:9000/;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-Server $host;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_http_version 1.1;
# }
#}

57
nginx/02/jitsi.conf Normal file

@ -0,0 +1,57 @@
#server_names_hash_bucket_size 64;
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
listen 127.0.0.1:443 ssl http2;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
# tls configuration that is not covered in this guide
# we recommend the use of https://certbot.eff.org/
server_name meet.lysergic.dev meet.liberta.casa meet.lib.casa;
# set the root
root /srv/jitsi-meet;
index index.html;
location ~ ^/([a-zA-Z0-9=_\-\?]+)$ {
rewrite ^/(.*)$ / break;
}
location / {
ssi on;
}
# BOSH, Bidirectional-streams Over Synchronous HTTP
# https://en.wikipedia.org/wiki/BOSH_(protocol)
location = /http-bind {
proxy_pass http://127.0.0.1:5280/http-bind;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_method POST;
proxy_buffering off;
tcp_nodelay on;
}
# external_api.js must be accessible from the root of the
# installation for the electron version of Jitsi Meet to work
# https://github.com/jitsi/jitsi-meet-electron
location /external_api.js {
alias /srv/jitsi-meet/libs/external_api.min.js;
}
# xmpp websockets
location /xmpp-websocket {
proxy_pass http://127.0.0.1:5280/xmpp-websocket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
tcp_nodelay on;
}
}
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name meet-auth.sso.casa;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
location / {
proxy_pass http://127.0.0.2:3002;
}
}

219
nginx/02/keycloak.conf Normal file

@ -0,0 +1,219 @@
#########################################
## SECTION 1 ##
## DEVELOPMENT / STAGING CONFIGURATION ##
#########################################
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name auth.syscid.com sso.syscid.com;
ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
# location /auth {
# return 302 https://auth.syscid.com/auth/realms/master/account/;
# }
# location /auth/realms/master/account/ {
# proxy_pass https://10.0.0.10;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-Server $host;
# proxy_set_header X-Forwarded-Port $server_port;
# proxy_set_header X-Forwarded-Proto $scheme;
# }
location / {
proxy_pass https://10.0.0.10;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 127.0.0.1:443 ssl http2;
server_name keycloak-internal.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
return 302 https://keycloak.two.secure.squirrelcube.xyz/admin/master/console/;
location / {
proxy_pass https://10.0.0.10;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
#########################################
## SECTION 2 ##
## Everything below here is PRODUCTION ##
#########################################
##
## WildFly Management UI access through Teleport
##
server {
listen 127.0.0.1:443 ssl http2;
server_name wildfly-keycloak-prod-orpheus.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://127.0.0.5:9990;
## This bit does not look production worthy, I think we can remove the commented out lines, but am not sure yet. should check whether the correct IP address is passed through to WildFly on failed authentication attempts.
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-Server $host;
# proxy_set_header X-Forwarded-Port $server_port;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header Authorization $http_authorization;
# proxy_pass_header Authorization;
proxy_set_header Host $host:10090;
proxy_set_header Origin http://$host:10090;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_headers on;
}
}
##
## Used for testing of the AdminUrl backend to rule out issues by the Teleport proxy
##
#server {
# listen 127.0.0.1:443 ssl http2;
# listen 192.168.0.115:443 ssl http2;
#
# server_name intra.sso.casa;
# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
#
# location / {
# proxy_pass https://192.168.0.115:8843/;
# proxy_ssl_verify off;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# #proxy_set_header X-Forwarded-Host $host;
# #proxy_set_header X-Forwarded-Server $host;
# #proxy_set_header X-Forwarded-Port $server_port;
# proxy_set_header X-Forwarded-Proto https;
# }
# proxy_buffer_size 128k;
# proxy_buffers 4 256k;
# proxy_busy_buffers_size 256k;
#}
##
## Standalone Keycloak Frontend on Orpheus
##
#server {
# listen 202.61.255.116:443 ssl http2;
# listen [2a03:4000:55:d20::]:443 ssl http2;
#
# server_name sso.casa;
#
# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
#
# location / {
# proxy_pass https://192.168.0.115:8843/;
# proxy_ssl_verify off;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# #proxy_set_header X-Forwarded-Host $host;
# #proxy_set_header X-Forwarded-Server $host;
# #proxy_set_header X-Forwarded-Port $server_port;
# proxy_set_header X-Forwarded-Proto https;
# }
# proxy_buffer_size 128k;
# proxy_buffers 4 256k;
# proxy_busy_buffers_size 256k;
#
## location ~ /auth/admin {
## deny all;
## return 403;
## }
#
#}
##
## Keycloak Frontend Load Balancer
##
proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;
upstream jboss {
ip_hash;
server 192.168.0.110:8843;
server 192.168.0.115:8843;
server 192.168.0.120:8843;
# only available in NGINX Plus - very sad!!
# sticky learn
# create=$upstream_cookie_AUTH_SESSION_ID
# lookup=$cookie_AUTH_SESSION_ID
# zone=client_sessions:1m;
}
# same ordeal
#match jboss_check {
# status 200;
# header Content-Type = text/html;
# body ~ "WildFly is running";
#}
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
listen 127.0.0.1:443 ssl http2;
server_name sso.casa;
ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers on;
#location = / {
# return 302 /auth/;
#}
location / {
proxy_pass https://jboss;
proxy_cache backcache;
proxy_ssl_verify off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# yup, nginx plus
#health_check match=jboss_check;
}
proxy_buffer_size 256k;
proxy_buffers 4 512k;
proxy_busy_buffers_size 512k;
}
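Review bot: The production `sso.casa` block enables `proxy_cache backcache;` for every path of an identity provider, with the cache stored under `/tmp/NGINX_cache/`. A shared cache in front of login and token endpoints risks serving one user's response to another if the backend ever emits cacheable headers, and a directory under the world-writable `/tmp` can be pre-created by another local user; consider removing the cache here or limiting it to static resources, and moving it to a directory owned by the nginx user. `proxy_ssl_verify off;` means the three `jboss` upstreams are not authenticated on the 192.168.0.x network. In the `keycloak-internal` block the server-level `return 302 …;` is evaluated before location matching, so its `location /` proxy is never reached. The commented-out `/auth/admin` deny suggests the admin console was meant to be restricted, but nothing active in this block does so.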

79
nginx/02/matrix.conf Normal file

@ -0,0 +1,79 @@
##WEBSERVER DEFINITIONS FOR ALL MATRIX SERVICES ON LYSERGIC.DEV
##SYNAPSE
server {
listen 202.61.255.116:443 ssl;
listen [2a03:4000:55:d20::]:443 ssl;
# For the federation port
listen 202.61.255.116:8448 ssl default_server;
listen [2a03:4000:55:d20::]:8448 ssl;
listen 192.168.0.115:8448 ssl;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
server_name matrix.lysergic.dev;
location ~* ^(\/_matrix|\/_synapse\/client) {
proxy_pass http://[::1]:8763;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
client_max_body_size 100M;
}
location /.well-known/matrix/client {
return 200 '{"m.homeserver": {"base_url": "https://matrix.lysergic.dev"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
location /.well-known/matrix/server {
return 200 '{"m.server": "matrix.lysergic.dev:8448"}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
location / {
proxy_pass http://[::1]:8763/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
client_max_body_size 100M;
}
}
#ELEMENT
server {
listen 202.61.255.116:443 ssl;
listen [2a03:4000:55:d20::]:443 ssl;
server_name element.lysergic.dev;
root /mnt/gluster01/web/matrix/element-lysergic;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
}
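Review bot: The catch-all `location /` in the Synapse block forwards every path to `http://[::1]:8763/`, which includes `/_synapse/admin` on both the public 443 and 8448 listeners. The regex location above it already covers `/_matrix` and `/_synapse/client`, so the catch-all can become `location / { return 404; }`, or a `location /_synapse/admin { deny all; }` block (with `allow` lines for trusted addresses) can sit in front of it. Both server blocks also set `ssl_stapling_verify on;` without the `ssl_trusted_certificate` line the other vhosts in this commit carry, so stapling verification may not work as intended here.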

15
nginx/02/mirror.conf Normal file

@ -0,0 +1,15 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name 3zy.de;
ssl_certificate /etc/ssl/3zy.de/fullchain.pem;
ssl_certificate_key /etc/ssl/3zy.de/private/privkey.pem;
location / {
root /mnt/gluster01/mirror;
fancyindex on;
fancyindex_exact_size on;
}
}


@ -0,0 +1,22 @@
server {
listen 192.168.0.115:8084 ssl;
server_name phpldapadmin-local.two.secure.squirrelcube.xyz;
root /srv/www/phpLDAPadmin/phpLDAPadmin/htdocs;
index index.php;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass 172.168.100.2:9100;
}
}
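Review bot: This vhost (`phpldapadmin-local.two.secure.squirrelcube.xyz`) has no `auth_basic` and no `allow`/`deny`, while dnsui.conf on the same `192.168.0.115:8084` listener protects every location with basic auth. If access is meant to be gated only by Teleport, anything else that can reach 192.168.0.115 still gets the phpLDAPadmin login page directly; a server-level `allow` for the address Teleport connects from, followed by `deny all;`, would enforce that assumption. The listeners in prometheus.conf are likewise unauthenticated at this layer. The file header for this section is missing from the page, so the path is not shown.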

24
nginx/02/privatebin.conf Normal file

@ -0,0 +1,24 @@
server {
server_name pasta.lysergic.dev p.lsd25.dev p.lsd-25.dev;
listen 202.61.255.116:443;
listen [2a03:4000:55:d20::]:443;
root /mnt/gluster01/web/privatebin/PrivateBin;
index index.php;
charset utf-8;
disable_symlinks off;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
client_max_body_size 300M;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass 172.168.100.2:9100;
}
}
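Review bot: Both `listen` lines omit the `ssl` parameter even though the block configures `ssl_certificate`; TLS presumably works here only because other server blocks declare `ssl` on the same address and port. Writing `listen 202.61.255.116:443 ssl;` and `listen [2a03:4000:55:d20::]:443 ssl;` makes the block correct on its own, and shlink-web.conf and shlink.conf have the same omission. The PrivateBin checkout is served directly as `root`, and no location denies dotfiles or the application's non-public directories; it is worth checking what is reachable under this docroot, since `.htaccess` files have no effect in nginx.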

67
nginx/02/prometheus.conf Normal file

@ -0,0 +1,67 @@
server {
listen 192.168.0.115:8092 ssl http2;
server_name prometheus-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://172.16.9.2:9090/;
}
}
server {
listen 192.168.0.115:8093 ssl http2;
server_name prometheus-alertmanager-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://172.16.9.2:9093/;
}
}
server {
listen 192.168.0.115:8094 ssl http2;
server_name prometheus-blackbox-exporter-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://172.16.9.2:9115/;
}
}
server {
listen 192.168.0.115:8095 ssl http2;
server_name prometheus-nginx-exporter-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://172.16.9.2:9113/;
}
}
server {
listen 192.168.0.115:8095 ssl http2;
server_name prometheus-wireguard-exporter-mercury.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://172.16.9.2:9586/;
}
}
server {
listen 192.168.0.115:8095 ssl http2;
server_name prometheus-wireguard-exporter-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://127.0.0.2:9586/;
}
}

29
nginx/02/scooper.conf Normal file

@ -0,0 +1,29 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name scooper.irc.lsd.systems;
ssl_certificate /etc/ssl/irc/fullchain.pem;
ssl_certificate_key /etc/ssl/irc/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSLS:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 127.0.0.4;
location / {
fastcgi_pass unix:/var/run/kfcgi/scooper.sock;
fastcgi_split_path_info (/)(.*);
fastcgi_param PATH_INFO $fastcgi_path_info;
include fastcgi_params;
auth_basic "I <3 Internet Relay Chat";
auth_basic_user_file /mnt/gluster01/web/auth/scooper;
}
}

31
nginx/02/shlink-web.conf Normal file

@ -0,0 +1,31 @@
server {
server_name lsd25.xyz;
listen 202.61.255.116:443;
listen [2a03:4000:55:d20::]:443;
root /mnt/gluster01/web/shlink-web;
index index.html;
charset utf-8;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
expires -1;
}
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires 1M;
add_header Cache-Control "public";
}
location ~* \.(?:css|js)$ {
expires 1y;
add_header Cache-Control "public";
}
location ~* .+\.(css|js|html|png|jpe?g|gif|bmp|ico|json|csv|otf|eot|svg|svgz|ttf|woff|woff2|ijmap|pdf|tif|map) {
try_files $uri $uri/ =404;
}
location / {
auth_basic "Lysergic URL Shortening Service";
auth_basic_user_file /mnt/gluster01/web/auth/shlink-web;
try_files $uri $uri/ /index.html$is_args$args;
}
}
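Review bot: `auth_basic` is set only in `location /`, but regex locations are matched in preference to that prefix location, so any URI ending in `.html`, `.json`, `.js`, `.css` or one of the other listed extensions is served without authentication. That includes `/index.html` and any JSON configuration placed in the docroot. Moving `auth_basic "Lysergic URL Shortening Service";` and `auth_basic_user_file /mnt/gluster01/web/auth/shlink-web;` to `server` level covers every location. The last regex (`.+\.(css|js|…|map)`) has no `$` anchor, so it also matches paths that merely contain one of those extensions.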

29
nginx/02/shlink.conf Normal file

@ -0,0 +1,29 @@
include php-fpm;
server {
server_name lsd25.dev lsd-25.dev mcdonalds.pw;
listen 202.61.255.116:443;
listen [2a03:4000:55:d20::]:443;
root /mnt/gluster01/web/shlink/public;
index index.php;
charset utf-8;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass 172.168.100.2:9100;
}
location ~ /\.ht {
deny all;
}
}

15
nginx/02/syscid.conf Normal file

@ -0,0 +1,15 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name orpheus.syscid.com www.syscid.com;
ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
location / {
root /srv/www/htdocs/syscid;
index index.html;
}
}

28
nginx/02/tp.3gy.de.conf Normal file

@ -0,0 +1,28 @@
server {
server_name tp.3gy.de two.tp.3gy.de *.two.secure.squirrelcube.xyz;
listen 202.61.255.116:443 ssl;
listen [2a03:4000:55:d20::]:443 ssl;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
#ssl_ciphers
#ssl_prefer_server_ciphers
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
location / {
proxy_pass https://[::1]:3080/;
proxy_ssl_verify off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 3600;
}
}


@ -0,0 +1,23 @@
server {
listen 192.168.0.115:8086 ssl;
server_name xen-orchestra-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
resolver 127.0.0.4;
location / {
proxy_pass https://127.0.0.2:8089;
proxy_ssl_verify off;
proxy_set_header Connection "upgrade";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect default;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_read_timeout 1800;
client_max_body_size 4G;
}
}