diff --git a/http.d/auth.shad.moe b/http.d/auth.shad.moe
index 5040c9d..1200b64 100644
--- a/http.d/auth.shad.moe
+++ b/http.d/auth.shad.moe
@@ -1,65 +1,21 @@
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-upstream authentik {
- server 192.168.1.205:9443;
- keepalive 10;
-}
+# Include a common header (Upgrade Websockets, Add Upstreams, Upgrade HTTP to HTTPS)
+include snippets/global/common-boilerplate.conf;
 server {
- listen 80;
- listen [::]:80;
-
- server_name auth.shad.moe www.auth.shad.moe;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- http2 on;
 server_name auth.shad.moe www.auth.shad.moe;
 ssl_certificate /etc/letsencrypt/live/auth.shad.moe/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/auth.shad.moe/privkey.pem;
- ssl_session_timeout 1d;
- ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
- ssl_session_tickets off;
+ ssl_trusted_certificate /etc/letsencrypt/live/auth.shad.moe/fullchain.pem;
- ssl_dhparam /etc/nginx/dhparam.txt;
+ include snippets/global/common-ssl.conf;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
- ssl_prefer_server_ciphers off;
-
- add_header Strict-Transport-Security "max-age=63072000" always;
-
- include snippets/http-cat-error-pages.conf;
+ include snippets/proxy/common-proxy-headers.conf;
 location / {
 proxy_pass https://authentik;
- proxy_http_version 1.1;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $http_host;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
 }
- ssl_stapling on;
- ssl_stapling_verify on;
-
- # verify chain of trust of OCSP response using Root CA and Intermediate certs
- ssl_trusted_certificate /etc/letsencrypt/live/graph.shad.moe/fullchain.pem;
-
- # replace with the IP address of your resolver
- #resolver 127.0.0.1; # Defined in error pages
-
-}
+ include snippets/global/errors/http-cat-error-pages.conf;
+}
\ No newline at end of file
diff --git a/http.d/axoblu.konpeki.solutions b/http.d/axoblu.konpeki.solutions
index bc33f5e..11a061f 100644
--- a/http.d/axoblu.konpeki.solutions
+++ b/http.d/axoblu.konpeki.solutions
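Review bot: The new first line `include snippets/global/common-boilerplate.conf;` appears at the top of every per-site file in this diff, and its comment says the snippet holds the `map $http_upgrade $connection_upgrade` and `upstream` blocks this hunk deletes; if the main nginx.conf loads all of these files, that snippet is evaluated once per file, and nginx rejects a second `map` onto the same variable (`conflicting variable "connection_upgrade"`) and a second `upstream authentik` (`duplicate upstream`). I cannot see the snippet, so it may avoid this, but the safer shape is a single `include snippets/global/common-boilerplate.conf;` in the `http {}` block of nginx.conf and none here. Separately, `proxy_pass https://authentik;` fronts the identity provider and nginx does not verify upstream certificates by default; unless common-proxy-headers.conf sets it, add `proxy_ssl_verify on; proxy_ssl_trusted_certificate /path/to/internal-ca.pem; proxy_ssl_name <name on the backend cert>;` so another host on 192.168.1.0/24 cannot stand in for the backend.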
@@ -1,53 +1,17 @@
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-#upstream bsky {
-# server 100.64.4.102:3000;
-#}
+# Include a common header (Upgrade Websockets, Add Upstreams, Upgrade HTTP to HTTPS)
+include snippets/global/common-boilerplate.conf;
 server {
- listen 80;
- listen [::]:80;
- server_name axoblu.konpeki.solutions;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- http2 on;
-
- server_name axoblu.konpeki.solutions;
+ server_name axoblu.konpeki.solutions www.axoblu.konpeki.solutions;
 ssl_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/konpeki.solutions/privkey.pem;
- ssl_session_timeout 1d;
- ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
- ssl_session_tickets off;
+ ssl_trusted_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
- ssl_dhparam /etc/nginx/dhparam.txt;
+ include snippets/global/common-ssl.conf;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
- ssl_prefer_server_ciphers off;
-
- add_header Strict-Transport-Security "max-age=63072000" always;
-
- include snippets/http-cat-error-pages.conf;
-
- proxy_set_header Connection $http_connection;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ include snippets/proxy/common-proxy-headers.conf;
 location / {
 rewrite / https://bsky.app/profile/did:plc:qxrvqly74uzia6d5pwgwjxb5 break;
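Review bot: The new `server_name axoblu.konpeki.solutions www.axoblu.konpeki.solutions;` adds a four-label name while the certificate stays `/etc/letsencrypt/live/konpeki.solutions/`; a wildcard for `*.konpeki.solutions` matches only one label, so `www.axoblu.konpeki.solutions` is covered only if that certificate carries it as an explicit SAN, which I cannot see from here. Clients using the www name would otherwise get a name-mismatch error before the `rewrite` to bsky.app ever runs. Either drop `www.axoblu.konpeki.solutions` from `server_name` or confirm the SAN exists and note it in a comment next to `ssl_certificate`. The `location /` block that begins at the end of this hunk continues outside it.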
@@ -63,13 +27,5 @@ server {
 default_type text/plain;
 }
- ssl_stapling on;
- ssl_stapling_verify on;
-
- # verify chain of trust of OCSP response using Root CA and Intermediate certs
- ssl_trusted_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
-
- # replace with the IP address of your resolver
- #resolver 127.0.0.1; # Defined in error pages
-
-}
+ include snippets/global/errors/http-cat-error-pages.conf;
+}
\ No newline at end of file
diff --git a/http.d/dash.shad.moe b/http.d/dash.shad.moe
index 33de055..6a154cd 100644
--- a/http.d/dash.shad.moe
+++ b/http.d/dash.shad.moe
@@ -1,41 +1,21 @@
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
+# Include a common header (Upgrade Websockets, Add Upstreams, Upgrade HTTP to HTTPS)
+include snippets/global/common-boilerplate.conf;
 server {
- listen 80;
- listen [::]:80;
- server_name dash.shad.moe www.dash.shad.moe;
- if ($host = dash.shad.moe) {
- return 301 https://$host$request_uri;
- }
- return 404;
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- http2 on;
 server_name dash.shad.moe www.dash.shad.moe;
- ssl_certificate /etc/letsencrypt/live/dash.shad.moe/fullchain.pem;
+ ssl_certificate /etc/letsencrypt/live/dash.shad.moe/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/dash.shad.moe/privkey.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- client_max_body_size 525M;
+ ssl_trusted_certificate /etc/letsencrypt/live/dash.shad.moe/fullchain.pem;
- include snippets/http-cat-error-pages.conf;
+ include snippets/global/common-ssl.conf;
+
+ include snippets/proxy/common-proxy-headers.conf;
 location / {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://192.168.1.210:3000;
+ proxy_pass https://192.168.1.210:3000;
 }
-}
+
+ include snippets/global/errors/http-cat-error-pages.conf;
+}
\ No newline at end of file
diff --git a/http.d/docs.shad.moe b/http.d/docs.shad.moe
index 88fb0fa..90f9a79 100644
--- a/http.d/docs.shad.moe
+++ b/http.d/docs.shad.moe
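Review bot: The removed `client_max_body_size 525M;` has no replacement on the new side, so unless one of the included snippets sets it, request bodies fall back to nginx's 1m default and larger uploads to this dashboard fail with 413. If the limit is still wanted per site, put `client_max_body_size 525M;` back inside `location /` next to `proxy_pass`. The switch to `proxy_pass https://192.168.1.210:3000;` is also unauthenticated as written: `proxy_ssl_verify` is off by default and a bare IP gives no SNI name, so if the backend presents a real certificate add `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` and `proxy_ssl_name`, and otherwise leave a comment that the TLS hop is encrypted but not verified.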
@@ -1,65 +1,21 @@
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-upstream bookstack {
- server 100.64.2.118;
-}
+# Include a common header (Upgrade Websockets, Add Upstreams, Upgrade HTTP to HTTPS)
+include snippets/global/common-boilerplate.conf;
 server {
- listen 80;
- listen [::]:80;
-
- server_name docs.shad.moe www.docs.shad.moe;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- http2 on;
 server_name docs.shad.moe www.docs.shad.moe;
 ssl_certificate /etc/letsencrypt/live/docs.shad.moe/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/docs.shad.moe/privkey.pem;
- ssl_session_timeout 1d;
- ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
- ssl_session_tickets off;
-
- ssl_dhparam /etc/nginx/dhparam.txt;
-
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
- ssl_prefer_server_ciphers off;
-
- add_header Strict-Transport-Security "max-age=63072000" always;
-
- include snippets/http-cat-error-pages.conf;
-
- location / {
- client_max_body_size 512M;
- proxy_pass http://bookstack;
- proxy_set_header Connection $http_connection;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- # verify chain of trust of OCSP response using Root CA and Intermediate certs
 ssl_trusted_certificate /etc/letsencrypt/live/docs.shad.moe/fullchain.pem;
- # replace with the IP address of your resolver
- #resolver 127.0.0.1; # Defined in error pages
+ include snippets/global/common-ssl.conf;
-}
+ include snippets/proxy/common-proxy-headers.conf;
+
+ location / {
+ proxy_pass https://bookstack;
+ }
+
+ include snippets/global/errors/http-cat-error-pages.conf;
+}
\ No newline at end of file
diff --git a/http.d/git.shad.moe b/http.d/git.shad.moe
index c4b960b..f328abf 100644
--- a/http.d/git.shad.moe
+++ b/http.d/git.shad.moe
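Review bot: `client_max_body_size 512M;` is dropped from `location /` and nothing on the new side restores it, so BookStack uploads larger than nginx's 1m default will be rejected with 413 unless one of the included snippets raises the limit. If the limit is meant to stay per site, re-add `client_max_body_size 512M;` directly above `proxy_pass https://bookstack;`. Also `proxy_pass` moves from `http://bookstack` to `https://bookstack` while the `upstream bookstack { server 100.64.2.118; }` that pointed at port 80 is deleted here; wherever that upstream now lives it has to name a TLS port, or every request to this site fails the handshake.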
@@ -1,65 +1,21 @@
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-upstream gitea {
- server 192.168.1.215:3000;
-}
+# Include a common header (Upgrade Websockets, Add Upstreams, Upgrade HTTP to HTTPS)
+include snippets/global/common-boilerplate.conf;
 server {
- listen 80;
- listen [::]:80;
-
- server_name git.shad.moe www.git.shad.moe;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- http2 on;
 server_name git.shad.moe www.git.shad.moe;
 ssl_certificate /etc/letsencrypt/live/git.shad.moe/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/git.shad.moe/privkey.pem;
- ssl_session_timeout 1d;
- ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
- ssl_session_tickets off;
-
- ssl_dhparam /etc/nginx/dhparam.txt;
-
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
- ssl_prefer_server_ciphers off;
-
- add_header Strict-Transport-Security "max-age=63072000" always;
-
- include snippets/http-cat-error-pages.conf;
-
- location / {
- client_max_body_size 512M;
- proxy_pass http://gitea;
- proxy_set_header Connection $http_connection;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- # verify chain of trust of OCSP response using Root CA and Intermediate certs
 ssl_trusted_certificate /etc/letsencrypt/live/git.shad.moe/fullchain.pem;
- # replace with the IP address of your resolver
- #resolver 127.0.0.1; # Defined in error pages
+ include snippets/global/common-ssl.conf;
-}
+ include snippets/proxy/common-proxy-headers.conf;
+
+ location / {
+ proxy_pass https://gitea;
+ }
+
+ include snippets/global/errors/http-cat-error-pages.conf;
+}
\ No newline at end of file
diff --git a/http.d/graph.shad.moe b/http.d/graph.shad.moe
index 8d37f1b..6d34b8e 100644
--- a/http.d/graph.shad.moe
+++ b/http.d/graph.shad.moe
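Review bot: The `client_max_body_size 512M;` that covered `git push` over HTTPS is removed and not re-added anywhere visible, so pushes whose request body exceeds nginx's 1m default will be rejected with 413 unless a snippet raises it. Re-add `client_max_body_size 512M;` inside `location /` above `proxy_pass https://gitea;`, or raise it in the shared snippet and say so in a comment here. `proxy_pass https://gitea;` also replaces `http://gitea` while the deleted upstream pointed at plain `192.168.1.215:3000`; the upstream definition that now lives elsewhere has to match, and because `proxy_ssl_verify` defaults to off the backend certificate is not checked unless common-proxy-headers.conf enables it.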
@@ -1,68 +1,21 @@
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-upstream grafana {
- server 192.168.1.200:3000;
-}
+# Include a common header (Upgrade Websockets, Add Upstreams, Upgrade HTTP to HTTPS)
+include snippets/global/common-boilerplate.conf;
 server {
- listen 80;
- listen [::]:80;
-
- server_name graph.shad.moe www.graph.shad.moe;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- http2 on;
 server_name graph.shad.moe www.graph.shad.moe;
 ssl_certificate /etc/letsencrypt/live/graph.shad.moe/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/graph.shad.moe/privkey.pem;
- ssl_session_timeout 1d;
- ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
- ssl_session_tickets off;
-
- ssl_dhparam /etc/nginx/dhparam.txt;
-
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
- ssl_prefer_server_ciphers off;
-
- add_header Strict-Transport-Security "max-age=63072000" always;
-
- include snippets/http-cat-error-pages.conf;
-
- location / {
- proxy_set_header Host $host;
- proxy_pass http://grafana;
- }
-
- # Proxy Grafana Live WebSocket connections.
- location /api/live/ {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header Host $host;
- proxy_pass http://grafana;
- }
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- # verify chain of trust of OCSP response using Root CA and Intermediate certs
 ssl_trusted_certificate /etc/letsencrypt/live/graph.shad.moe/fullchain.pem;
- # replace with the IP address of your resolver
- #resolver 127.0.0.1; # Defined in error pages
+ include snippets/global/common-ssl.conf;
-}
+ include snippets/proxy/common-proxy-headers.conf;
+
+ location / {
+ proxy_pass https://grafana;
+ }
+
+ include snippets/global/errors/http-cat-error-pages.conf;
+}
\ No newline at end of file
diff --git a/http.d/internal.shad.moe b/http.d/internal.shad.moe
index cb31165..d925068 100644
--- a/http.d/internal.shad.moe
+++ b/http.d/internal.shad.moe
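Review bot: The dedicated `location /api/live/` block for Grafana Live WebSockets is removed, so the upgrade now depends on common-proxy-headers.conf setting `proxy_http_version 1.1;` plus `Upgrade`/`Connection $connection_upgrade` at server level; that inheritance holds only because the new `location /` sets no `proxy_set_header` of its own, which deserves a comment there (`# proxy headers are inherited from common-proxy-headers.conf; any proxy_set_header added here replaces all of them`). `proxy_pass https://grafana;` with no `proxy_ssl_*` directives also means nginx neither verifies the backend certificate nor sends SNI, since `proxy_ssl_verify` and `proxy_ssl_server_name` are both off by default. If the grafana upstream now terminates TLS, add `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` and `proxy_ssl_server_name on;` alongside the `proxy_pass`.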
@@ -1,22 +1,36 @@
+# Include a common header (Upgrade Websockets, Add Upstreams, Upgrade HTTP to HTTPS)
+include snippets/global/common-boilerplate.conf;
+
 server {
- listen 443 ssl;
- server_name internal.shad.moe;
- ssl_certificate /etc/letsencrypt/live/internal.shad.moe/fullchain.pem;
+
+ server_name internal.shad.moe www.internal.shad.moe;
+
+ ssl_certificate /etc/letsencrypt/live/internal.shad.moe/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/internal.shad.moe/privkey.pem;
- #ssl_protocols TLSv1.2 TLSv1.3;
- #ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_trusted_certificate /etc/letsencrypt/live/internal.shad.moe/fullchain.pem;
+
+ include snippets/global/common-ssl.conf;
+
+ include snippets/global/common-headers.conf;
 root /var/www/internal-page-wall;
 location / {
 index index.htm index.html;
 }
+
+ include snippets/global/errors/http-cat-error-pages.conf;
 }
 server {
- listen 443 ssl;
- server_name *.internal.shad.moe;
- ssl_certificate /etc/letsencrypt/live/internal.shad.moe/fullchain.pem;
+
+ server_name *.internal.shad.moe;
+
+ ssl_certificate /etc/letsencrypt/live/internal.shad.moe/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/internal.shad.moe/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/internal.shad.moe/fullchain.pem;
+
+ include snippets/global/common-ssl.conf;
+
 return 302 https://internal.shad.moe;
-}
+}
\ No newline at end of file
diff --git a/http.d/konpeki.solutions b/http.d/konpeki.solutions
index 283fbbc..0b26d9c 100644
--- a/http.d/konpeki.solutions
+++ b/http.d/konpeki.solutions
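Review bot: Both server blocks lose their `listen 443 ssl;` line and nothing visible on the new side replaces it; a `server {}` with no `listen` defaults to port 80, so these blocks only serve TLS if `snippets/global/common-ssl.conf` carries the `listen` directives, and that snippet is not shown. If it does, say so where it is included (`# common-ssl.conf supplies listen 443 ssl, http2 and the TLS policy`); if it does not, restore `listen 443 ssl;` in both blocks. The `*.internal.shad.moe` catch-all also presents the `internal.shad.moe` certificate, so unless that certificate has a wildcard SAN, browsers hit a name mismatch before the `return 302` is ever sent; the old file had the same shape, but it is worth a comment now that the redirect is the whole purpose of the block.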
@@ -1,53 +1,17 @@
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-upstream bsky {
- server 100.64.4.102:3000;
-}
+# Include a common header (Upgrade Websockets, Add Upstreams, Upgrade HTTP to HTTPS)
+include snippets/global/common-boilerplate.conf;
 server {
- listen 80;
- listen [::]:80;
-
- server_name konpeki.solutions www.konpeki.solutions;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- http2 on;
 server_name konpeki.solutions www.konpeki.solutions;
 ssl_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/konpeki.solutions/privkey.pem;
- ssl_session_timeout 1d;
- ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
- ssl_session_tickets off;
+ ssl_trusted_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
- ssl_dhparam /etc/nginx/dhparam.txt;
+ include snippets/global/common-ssl.conf;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
- ssl_prefer_server_ciphers off;
-
- add_header Strict-Transport-Security "max-age=63072000" always;
-
- include snippets/http-cat-error-pages.conf;
-
- proxy_set_header Connection $http_connection;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ include snippets/proxy/common-proxy-headers.conf;
 location / {
 client_max_body_size 512M;
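Review bot: The `upstream bsky { server 100.64.4.102:3000; }` block is deleted from this file while the `proxy_pass http://bsky;` further down (outside this hunk) keeps using the name; `bsky` must now be declared by common-boilerplate.conf, otherwise nginx treats it as a hostname to resolve at config load and `nginx -t` fails with "host not found in upstream". The boilerplate comment says it adds upstreams, so this is probably intended, but a one-line note at the include (`# upstream bsky (100.64.4.102:3000) is declared in common-boilerplate.conf`) would save the next reader the hunt. The `location /` block that opens at the end of this hunk continues outside it.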
@@ -59,13 +23,5 @@ server {
 proxy_pass http://bsky;
 }
- ssl_stapling on;
- ssl_stapling_verify on;
-
- # verify chain of trust of OCSP response using Root CA and Intermediate certs
- ssl_trusted_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
-
- # replace with the IP address of your resolver
- #resolver 127.0.0.1; # Defined in error pages
-
-}
+ include snippets/global/errors/http-cat-error-pages.conf;
+}
\ No newline at end of file
diff --git a/http.d/link.gpoc.konpeki.solutions b/http.d/link.gpoc.konpeki.solutions
index f02cc73..cd01d1a 100644
--- a/http.d/link.gpoc.konpeki.solutions
+++ b/http.d/link.gpoc.konpeki.solutions
@@ -1,51 +1,24 @@
-server {
- listen 80;
- server_name link.gpoc.konpeki.solutions;
- return 301 https://$server_name$request_uri;
-}
+# Include a common header (Upgrade Websockets, Add Upstreams, Upgrade HTTP to HTTPS)
+include snippets/global/common-boilerplate.conf;
 server {
- listen 443 ssl;
- server_name link.gpoc.konpeki.solutions;
- http2 on;
+ server_name link.gpoc.shad.moe www.link.gpoc.shad.moe;
- # allow larger file uploads and longer script runtimes
- client_max_body_size 100m;
- client_body_timeout 120s;
+ ssl_certificate /etc/letsencrypt/live/link.gpoc.shad.moe/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/link.gpoc.shad.moe/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/link.gpoc.shad.moe/fullchain.pem;
- sendfile off;
+ include snippets/global/common-ssl.conf;
- ssl_certificate /etc/letsencrypt/live/link.gpoc.konpeki.solutions/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/link.gpoc.konpeki.solutions/privkey.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
- ssl_prefer_server_ciphers on;
+ include snippets/proxy/common-proxy-headers.conf;
- # See https://hstspreload.org/ before uncommenting the line below.
- # add_header Strict-Transport-Security "max-age=15768000; preload;";
- #add_header X-Content-Type-Options nosniff;
- #add_header X-XSS-Protection "1; mode=block";
- #add_header X-Robots-Tag none;
- #add_header Content-Security-Policy "frame-ancestors 'self'";
- #add_header X-Frame-Options DENY;
- #add_header Referrer-Policy same-origin;
 add_header Access-Control-Allow-Origin *;
 proxy_set_header Content-Security-Policy upgrade-insecure-requests;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_redirect off;
- proxy_buffering off;
- proxy_request_buffering off;
-
 location / {
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
 proxy_pass http://100.64.4.100:8080/;
 }
-
-}
+ include snippets/global/errors/http-cat-error-pages.conf;
+}
\ No newline at end of file
diff --git a/http.d/map.gpoc.konpeki.solutions b/http.d/map.gpoc.konpeki.solutions
index afddebc..6ebe355 100644
--- a/http.d/map.gpoc.konpeki.solutions
+++ b/http.d/map.gpoc.konpeki.solutions
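Review bot: `server_name` changes from `link.gpoc.konpeki.solutions` to `link.gpoc.shad.moe www.link.gpoc.shad.moe` and the certificate paths move under `/etc/letsencrypt/live/link.gpoc.shad.moe/`, yet the file keeps its old name `http.d/link.gpoc.konpeki.solutions`; rename the file to the new hostname so the per-site file can still be found by name. nginx also refuses to start when `ssl_certificate` points at a file that does not exist, so the certbot issuance for the new name has to land before this config is reloaded. The removed `client_max_body_size 100m;`, `proxy_buffering off;` and `proxy_request_buffering off;` have no visible replacement; if the backend on `100.64.4.100:8080` still accepts uploads, put `client_max_body_size 100m;` back inside `location /` next to `proxy_pass`.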
@@ -1,50 +1,21 @@
+# Include a common header (Upgrade Websockets, Add Upstreams, Upgrade HTTP to HTTPS)
+include snippets/global/common-boilerplate.conf;
+
 proxy_cache_path /var/www/cache levels=1:2 keys_zone=map:8m max_size=1g inactive=24h;
 server {
- listen 80;
- server_name map.gpoc.konpeki.solutions;
- return 301 https://$server_name$request_uri;
-}
-server {
- listen 443 ssl;
- server_name map.gpoc.konpeki.solutions;
+ server_name auth.shad.moe www.auth.shad.moe;
- http2 on;
+ ssl_certificate /etc/letsencrypt/live/auth.shad.moe/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/auth.shad.moe/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/auth.shad.moe/fullchain.pem;
- # allow larger file uploads and longer script runtimes
- #client_max_body_size 100m;
- #client_body_timeout 120s;
+ include snippets/global/common-ssl.conf;
- #sendfile off;
-
- ssl_certificate /etc/letsencrypt/live/map.gpoc.konpeki.solutions/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/map.gpoc.konpeki.solutions/privkey.pem;
- #ssl_protocols TLSv1.2 TLSv1.3;
- #ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES2>
- #ssl_prefer_server_ciphers on;
-
- # See https://hstspreload.org/ before uncommenting the line below.
- # add_header Strict-Transport-Security "max-age=15768000; preload;";
- #add_header X-Content-Type-Options nosniff;
- #add_header X-XSS-Protection "1; mode=block";
- #add_header X-Robots-Tag none;
- #add_header Content-Security-Policy "frame-ancestors 'self'";
- #add_header X-Frame-Options DENY;
- #add_header Referrer-Policy same-origin;
- #add_header Access-Control-Allow-Origin *;
- #proxy_set_header Content-Security-Policy upgrade-insecure-requests;
-
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_redirect off;
- proxy_buffering off;
- proxy_request_buffering off;
+ include snippets/proxy/common-proxy-headers.conf;
 location / {
- proxy_pass http://100.64.4.100:8123/;
 proxy_set_header Host $host;
 proxy_cache map;
 proxy_cache_key "$host$uri";
@@ -52,5 +23,9 @@ server {
 proxy_cache_valid 404 10m;
 proxy_cache_use_stale error timeout invalid_header updating http_500 http_503 http_504;
 proxy_connect_timeout 10;
+
+ proxy_pass http://100.64.4.100:8123/;
 }
+
+ include snippets/global/errors/http-cat-error-pages.conf;
 }
diff --git a/http.d/nxt.shad.moe b/http.d/nxt.shad.moe
index 6effe54..474be26 100644
--- a/http.d/nxt.shad.moe
+++ b/http.d/nxt.shad.moe
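Review bot: The new `server_name auth.shad.moe www.auth.shad.moe;` and the three `/etc/letsencrypt/live/auth.shad.moe/` certificate lines in this file look like a copy-paste from the auth site: the map file now declares a second server for the identity provider's hostname, proxying to `100.64.4.100:8123` through `proxy_cache map` keyed only on `$host$uri`. nginx warns `conflicting server name` and keeps whichever block it loads first, so depending on file order, requests for `auth.shad.moe` could be answered by the map backend and cached with query string and cookies ignored. Replace those four lines with `server_name map.gpoc.konpeki.solutions;` (or whatever the map's new hostname is) and the matching `/etc/letsencrypt/live/<map hostname>/` paths before this is deployed.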
@@ -1,87 +1,21 @@
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
+# Include a common header (Upgrade Websockets, Add Upstreams, Upgrade HTTP to HTTPS)
+include snippets/global/common-boilerplate.conf;
 server {
- listen 80;
- listen [::]:80;
-
- server_name nxt.shad.moe www.nxt.shad.moe;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- http2 on;
-
- # http3 on;
- # quic_retry on;
- # add_header Alt-Svc 'h3=":443"; ma=86400';
- # listen 443 quic reuseport;
- # listen [::]:443 quic reuseport;
 server_name nxt.shad.moe www.nxt.shad.moe;
 ssl_certificate /etc/letsencrypt/live/nxt.shad.moe/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/nxt.shad.moe/privkey.pem;
- ssl_session_timeout 1d;
- ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
- ssl_session_tickets off;
+ ssl_trusted_certificate /etc/letsencrypt/live/nxt.shad.moe/fullchain.pem;
- ssl_dhparam /etc/nginx/dhparam.txt;
+ include snippets/global/common-ssl.conf;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
- ssl_prefer_server_ciphers off;
-
- add_header Strict-Transport-Security "max-age=63072000" always;
-
- # Set .mjs and .wasm MIME types
- # Either include it in the default mime.types list
- # and include that list explicitly or add the file extension
- # only for Nextcloud like below:
- include mime.types;
-
- #types {
- # text/javascript js mjs;
- # application/wasm wasm;
- #}
-
- include snippets/http-cat-error-pages.conf;
+ include snippets/proxy/common-proxy-headers.conf;
 location / {
 proxy_pass https://192.168.1.66;
-
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Port $server_port;
- proxy_set_header X-Forwarded-Scheme $scheme;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Accept-Encoding "";
- proxy_set_header Host $host;
-
- client_body_buffer_size 512k;
- proxy_read_timeout 86400s;
- client_max_body_size 0;
-
- # Websocket
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
 }
- ssl_stapling on;
- ssl_stapling_verify on;
-
- ssl_trusted_certificate /etc/letsencrypt/live/nxt.shad.moe/fullchain.pem;
-
- # replace with the IP address of your resolver
- #resolver 127.0.0.1; # Defined in error pages
-
-}
+ include snippets/global/errors/http-cat-error-pages.conf;
+}
\ No newline at end of file
diff --git a/http.d/play.gpoc-modded.konpeki.solutions b/http.d/play.gpoc-modded.konpeki.solutions
index 81c1ffd..9e68438 100644
--- a/http.d/play.gpoc-modded.konpeki.solutions
+++ b/http.d/play.gpoc-modded.konpeki.solutions
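Review bot: The removed `client_max_body_size 0;`, `proxy_read_timeout 86400s;` and `client_body_buffer_size 512k;` were what let this Nextcloud instance take large uploads and long-running syncs; nothing on the new side restores them, so unless a snippet sets them, uploads over nginx's 1m default now get 413 and long transfers are cut at the 60s default `proxy_read_timeout`. Put `client_max_body_size 0;` and `proxy_read_timeout 86400s;` back inside `location /` next to `proxy_pass https://192.168.1.66;`. `proxy_set_header Accept-Encoding "";` and the `include mime.types;` for .mjs/.wasm are also gone; the purpose of the first is not visible here, so confirm it is not needed before dropping it, and the second matters only if nginx serves files for this host itself.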
@@ -1,45 +1,24 @@
-server {
- listen 80;
- server_name play.gpoc-modded.konpeki.solutions;
- return 301 https://$server_name$request_uri;
-}
+# Include a common header (Upgrade Websockets, Add Upstreams, Upgrade HTTP to HTTPS)
+include snippets/global/common-boilerplate.conf;
 server {
- listen 443 ssl;
- server_name play.gpoc-modded.konpeki.solutions;
- http2 on;
+ server_name play.gpoc-modded.shad.moe www.play.gpoc-modded.shad.moe;
- # allow larger file uploads and longer script runtimes
- client_max_body_size 100m;
- client_body_timeout 120s;
+ ssl_certificate /etc/letsencrypt/live/play.gpoc-modded.shad.moe/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/play.gpoc-modded.shad.moe/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/play.gpoc-modded.shad.moe/fullchain.pem;
- sendfile off;
+ include snippets/global/common-ssl.conf;
- ssl_certificate /etc/letsencrypt/live/play.gpoc-modded.konpeki.solutions/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/play.gpoc-modded.konpeki.solutions/privkey.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
- ssl_prefer_server_ciphers on;
+ include snippets/proxy/common-proxy-headers.conf;
- # See https://hstspreload.org/ before uncommenting the line below.
- # add_header Strict-Transport-Security "max-age=15768000; preload;";
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header Content-Security-Policy "frame-ancestors 'self'";
- add_header X-Frame-Options DENY;
- add_header Referrer-Policy same-origin;
-
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_redirect off;
- proxy_buffering off;
- proxy_request_buffering off;
+ add_header Access-Control-Allow-Origin *;
+ proxy_set_header Content-Security-Policy upgrade-insecure-requests;
 location / {
- proxy_pass http://100.64.4.102;
+ proxy_pass http://100.64.4.102/;
 }
+
+ include snippets/global/errors/http-cat-error-pages.conf;
 }
diff --git a/http.d/play.gpoc.konpeki.solutions b/http.d/play.gpoc.konpeki.solutions
index 3e0308d..16dd8f5 100644
--- a/http.d/play.gpoc.konpeki.solutions
+++ b/http.d/play.gpoc.konpeki.solutions
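Review bot: The six active hardening headers (`X-Content-Type-Options nosniff`, `X-Frame-Options DENY`, `Content-Security-Policy "frame-ancestors 'self'"`, `Referrer-Policy same-origin`, `X-Robots-Tag none`, `X-XSS-Protection`) are removed and the only response header added in their place is `add_header Access-Control-Allow-Origin *;`, which loosens the policy rather than preserving it; the internal.shad.moe file in this same change includes `snippets/global/common-headers.conf`, so if that snippet carries the hardening headers, include it here too, otherwise re-add them. The added `proxy_set_header Content-Security-Policy upgrade-insecure-requests;` sends CSP as a request header to the backend, where it does nothing; a CSP only acts when the browser receives it in the response, so if upgrade-insecure-requests is the intent it should be `add_header Content-Security-Policy "upgrade-insecure-requests" always;`. Keep in mind that any `add_header` in this server block also suppresses every `add_header` inherited from the `http` level.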
@@ -1,51 +1,24 @@
-server {
- listen 80;
- server_name play.gpoc.konpeki.solutions;
- return 301 https://$server_name$request_uri;
-}
+# Include a common header (Upgrade Websockets, Add Upstreams, Upgrade HTTP to HTTPS)
+include snippets/global/common-boilerplate.conf;
 server {
- listen 443 ssl;
- server_name play.gpoc.konpeki.solutions;
- http2 on;
+ server_name play.gpoc.shad.moe www.play.gpoc.shad.moe;
- # allow larger file uploads and longer script runtimes
- client_max_body_size 100m;
- client_body_timeout 120s;
+ ssl_certificate /etc/letsencrypt/live/play.gpoc.shad.moe/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/play.gpoc.shad.moe/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/play.gpoc.shad.moe/fullchain.pem;
- sendfile off;
+ include snippets/global/common-ssl.conf;
- ssl_certificate /etc/letsencrypt/live/play.gpoc.konpeki.solutions/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/play.gpoc.konpeki.solutions/privkey.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
- ssl_prefer_server_ciphers on;
+ include snippets/proxy/common-proxy-headers.conf;
- # See https://hstspreload.org/ before uncommenting the line below.
- # add_header Strict-Transport-Security "max-age=15768000; preload;";
- #add_header X-Content-Type-Options nosniff;
- #add_header X-XSS-Protection "1; mode=block";
- #add_header X-Robots-Tag none;
- #add_header Content-Security-Policy "frame-ancestors 'self'";
- #add_header X-Frame-Options DENY;
- #add_header Referrer-Policy same-origin;
 add_header Access-Control-Allow-Origin *;
 proxy_set_header Content-Security-Policy upgrade-insecure-requests;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_redirect off;
- proxy_buffering off;
- proxy_request_buffering off;
-
 location / {
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
 proxy_pass http://100.64.4.100:8080/;
 }
-
+ include snippets/global/errors/http-cat-error-pages.conf;
 }
diff --git a/http.d/rss.shad.moe b/http.d/rss.shad.moe
index e5206e3..4f08266 100644
--- a/http.d/rss.shad.moe
+++ b/http.d/rss.shad.moe
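Review bot: `location /` no longer forces `proxy_set_header Connection "Upgrade";` (which was wrong for ordinary requests anyway), so the WebSocket upgrade toward `100.64.4.100:8080` now rests entirely on common-proxy-headers.conf setting `proxy_http_version 1.1;` and `Connection $connection_upgrade;` at server level; a comment at that include (`# Upgrade/Connection for websockets come from common-proxy-headers.conf`) would make the dependency explicit. The file also keeps its `play.gpoc.konpeki.solutions` name while `server_name` now says `play.gpoc.shad.moe`, and the new `/etc/letsencrypt/live/play.gpoc.shad.moe/` certificate files must exist before reload or nginx will not start. The old `client_max_body_size 100m;` is dropped with no visible replacement, so uploads beyond the 1m default will be rejected unless a snippet raises it.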
@@ -1,57 +1,21 @@
-upstream freshrss {
- server 192.168.1.219:8080;
- keepalive 64;
-}
+# Include a common header (Upgrade Websockets, Add Upstreams, Upgrade HTTP to HTTPS)
+include snippets/global/common-boilerplate.conf;
 server {
- listen 80;
- listen [::]:80;
- server_name rss.shad.moe www.rss.shad.moe;
+ server_name rss.shad.moe www.rss.shad.moe;
- location / {
- return 301 https://$host$request_uri;
- }
-}
+ ssl_certificate /etc/letsencrypt/live/rss.shad.moe/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/rss.shad.moe/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/rss.shad.moe/fullchain.pem;
-server {
- server_name rss.shad.moe www.rss.shad.moe;
- listen 443 ssl;
- listen [::]:443 ssl;
+ include snippets/global/common-ssl.conf;
- http2 on;
+ include snippets/proxy/common-proxy-headers.conf;
- ssl_certificate /etc/letsencrypt/live/rss.shad.moe/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/rss.shad.moe/privkey.pem;
- ssl_session_timeout 1d;
- ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
- ssl_session_tickets off;
+ location / {
+ proxy_pass http://freshrss/;
+ }
- ssl_dhparam /etc/nginx/dhparam.txt;
-
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
- ssl_prefer_server_ciphers off;
-
- add_header Strict-Transport-Security "max-age=63072000" always;
-
- include snippets/http-cat-error-pages.conf;
-
- location / {
- proxy_pass http://freshrss/;
- add_header X-Frame-Options SAMEORIGIN;
- add_header X-XSS-Protection "1; mode=block";
- proxy_redirect off;
- proxy_buffering off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Port $server_port;
- proxy_read_timeout 90;
-
- # Forward the Authorization header for
the Google Reader API.
- proxy_set_header Authorization $http_authorization;
- proxy_pass_header Authorization;
- }
-}
+ include snippets/global/errors/http-cat-error-pages.conf;
+}
\ No newline at end of file
diff --git a/http.d/theshadoweevee.konpeki.solutions b/http.d/theshadoweevee.konpeki.solutions
index 335230c..eac973b 100644
--- a/http.d/theshadoweevee.konpeki.solutions
+++ b/http.d/theshadoweevee.konpeki.solutions
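Review bot: The new `location /` keeps only `proxy_pass http://freshrss/;` and drops `proxy_redirect off`, `proxy_buffering off` and `proxy_read_timeout 90`, but this file does not include the new `snippets/proxy/proxy-settings.conf` that now holds those directives, so FreshRSS silently reverts to nginx defaults (response buffering on, 60s read timeout). If that was not the intent, add `include snippets/proxy/proxy-settings.conf;` next to the common-proxy-headers include; play.gpoc.shad.moe loses `proxy_buffering off` and `proxy_request_buffering off` the same way. The per-location `X-Frame-Options SAMEORIGIN` is also replaced by the `DENY` that common-headers.conf now applies to every proxied site, which is worth confirming against how FreshRSS is actually used.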
@@ -1,53 +1,17 @@
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-#upstream bsky {
-# server 100.64.4.102:3000;
-#}
+# Include a common header (Upgrade Websockets, Add Upstreams, Upgrade HTTP to HTTPS)
+include snippets/global/common-boilerplate.conf;
 server {
- listen 80;
- listen [::]:80;
- server_name theshadoweevee.konpeki.solutions;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- http2 on;
-
- server_name theshadoweevee.konpeki.solutions;
+ server_name theshadoweevee.konpeki.solutions www.theshadoweevee.konpeki.solutions;
 ssl_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/konpeki.solutions/privkey.pem;
- ssl_session_timeout 1d;
- ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
- ssl_session_tickets off;
+ ssl_trusted_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
- ssl_dhparam /etc/nginx/dhparam.txt;
+ include snippets/global/common-ssl.conf;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
- ssl_prefer_server_ciphers off;
-
- add_header Strict-Transport-Security "max-age=63072000" always;
-
- include snippets/http-cat-error-pages.conf;
-
- proxy_set_header Connection $http_connection;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ include snippets/proxy/common-proxy-headers.conf;
 location / {
 rewrite / https://bsky.app/profile/did:plc:krbzbucjaj76xjob6ju47ilo break;
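Review bot: `server_name` now also answers for `www.theshadoweevee.konpeki.solutions`, but the certificate stays `/etc/letsencrypt/live/konpeki.solutions/fullchain.pem`. If that certificate's SANs are `konpeki.solutions` and `*.konpeki.solutions` (as the wildcard vhost in wc.konpeki.solutions suggests), a two-label name such as `www.theshadoweevee.konpeki.solutions` is not matched by the wildcard and browsers will show a certificate-name error; confirm the SANs or drop the `www.` name. The `location /` opened at the end of this hunk continues outside it.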
@@ -63,13 +27,5 @@ server {
 default_type text/plain;
 }
- ssl_stapling on;
- ssl_stapling_verify on;
-
- # verify chain of trust of OCSP response using Root CA and Intermediate certs
- ssl_trusted_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
-
- # replace with the IP address of your resolver
- #resolver 127.0.0.1; # Defined in error pages
-
+ include snippets/global/errors/http-cat-error-pages.conf;
 }
diff --git a/http.d/vault.shad.moe b/http.d/vault.shad.moe
index 9f1d6dc..cff7da2 100644
--- a/http.d/vault.shad.moe
+++ b/http.d/vault.shad.moe
@@ -1,49 +1,26 @@
-upstream vaultwarden-default {
- zone vaultwarden-default 64k;
- server 192.168.1.209:8000;
- keepalive 2;
-}
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-server {
- listen 80;
- listen [::]:80;
- server_name vault.shad.moe www.vault.shad.moe;
- if ($host = vault.shad.moe) {
- return 301 https://$host$request_uri;
- }
- return 404;
-}
+# Include a common header (Upgrade Websockets, Add Upstreams, Upgrade HTTP to HTTPS)
+include snippets/global/common-boilerplate.conf;
 server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- http2 on;
 server_name vault.shad.moe www.vault.shad.moe;
 ssl_certificate /etc/letsencrypt/live/vault.shad.moe/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/vault.shad.moe/privkey.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- client_max_body_size 525M;
+ ssl_trusted_certificate /etc/letsencrypt/live/vault.shad.moe/fullchain.pem;
- include snippets/http-cat-error-pages.conf;
+ include snippets/global/common-ssl.conf;
+
+ include snippets/proxy/common-proxy-headers.conf;
 location / {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
 proxy_pass http://vaultwarden-default;
 }
 location /admin {
- return 403;
+ return 403;
 }
+
+ include snippets/global/errors/http-cat-error-pages.conf;
+
 }
diff --git a/http.d/wc.konpeki.solutions b/http.d/wc.konpeki.solutions
index c57830d..9c865b1 100644
--- a/http.d/wc.konpeki.solutions
+++ b/http.d/wc.konpeki.solutions
@@ -1,56 +1,19 @@
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-#upstream bsky {
-# server 100.64.4.102:3000;
-#}
+# Include a common header (Upgrade Websockets, Add Upstreams, Upgrade HTTP to HTTPS)
+include snippets/global/common-boilerplate.conf;
 server {
- listen 80;
- listen [::]:80;
-
- server_name *.konpeki.solutions;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- http2 on;
 server_name *.konpeki.solutions;
 ssl_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/konpeki.solutions/privkey.pem;
- ssl_session_timeout 1d;
- ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
- ssl_session_tickets off;
+ ssl_trusted_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
- ssl_dhparam /etc/nginx/dhparam.txt;
+ include snippets/global/common-ssl.conf;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
- ssl_prefer_server_ciphers off;
-
- add_header Strict-Transport-Security "max-age=63072000" always;
-
- include snippets/http-cat-error-pages.conf;
-
- proxy_set_header Connection $http_connection;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ include snippets/proxy/common-proxy-headers.conf;
 location / {
- client_max_body_size 512M;
 #proxy_pass http://100.64.4.102;
 return 404;
 }
@@ -59,13 +22,5 @@ server {
 proxy_pass http://bsky;
 }
- ssl_stapling on;
- ssl_stapling_verify on;
-
- # verify chain of trust of OCSP response using Root CA and Intermediate certs
- ssl_trusted_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
-
- # replace with the IP address of your resolver
- #resolver 127.0.0.1; # Defined in error pages
-
-}
+ include snippets/global/errors/http-cat-error-pages.conf;
+}
\ No newline at end of file
diff --git a/mime.types b/mime.types
index 3f0dc72..2464773 100644
--- a/mime.types
+++ b/mime.types
@@ -3,6 +3,7 @@ types {
 text/html html htm shtml;
 text/css css;
 text/xml xml;
+ text/javascript js mjs;
 image/gif gif;
 image/jpeg jpeg jpg;
 application/javascript js mjs;
diff --git a/nginx.conf b/nginx.conf
index 23e1b1e..e671c85 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -29,10 +29,6 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
- # Name servers used to resolve names of upstream servers into addresses.
- # It's also needed when using tcpsocket and udpsocket in Lua modules.
- #resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
- # Don't tell nginx version to the clients. Default is 'on'.
 server_tokens off;
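Review bot: `text/javascript js mjs;` is added while `application/javascript js mjs;` three lines below is kept, so the `js` and `mjs` extensions are mapped twice in the same `types` block. nginx keeps the first mapping it sees (now `text/javascript`) and logs a `duplicate extension "js"` warning on every config test and reload, so the new line does take effect but the old one is now dead weight; remove the `application/javascript js mjs;` line so the file states one type per extension.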
@@ -40,55 +36,20 @@ http { # indicated by the request header Content-Length. If the stated content # length is greater than this size, then the client receives the HTTP # error code 413. Set to 0 to disable. Default is '1m'. - client_max_body_size 100m; + client_max_body_size 1G; + + client_body_timeout 120s # Sendfile copies data between one FD and other from within the kernel, # which is more efficient than read() + write(). Default is off. sendfile on; - # Causes nginx to attempt to send its HTTP response head in one packet, - # instead of using partial frames. Default is 'off'. - tcp_nopush on; - - - # Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2. - # TIP: If you're not obligated to support ancient clients, remove TLSv1.1. - ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; - - # Path of the file with Diffie-Hellman parameters for EDH ciphers. - # TIP: Generate with: `openssl dhparam -out /etc/ssl/nginx/dh2048.pem 2048` - #ssl_dhparam /etc/ssl/nginx/dh2048.pem; - - # Specifies that our cipher suits should be preferred over client ciphers. - # Default is 'off'. - ssl_prefer_server_ciphers on; - - # Enables a shared SSL cache with size that can hold around 8000 sessions. - # Default is 'none'. - ssl_session_cache shared:SSL:2m; - - # Specifies a time during which a client may reuse the session parameters. - # Default is '5m'. - ssl_session_timeout 1h; - - # Disable TLS session tickets (they are insecure). Default is 'on'. - ssl_session_tickets off; - - # Enable gzipping of responses. - #gzip on; + gzip on; # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'. gzip_vary on; - - # Helper variable for proxying websockets. - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - - # Specifies the main log format. log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' 
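Review bot: `client_body_timeout 120s` is added without a terminating semicolon, so nginx reads the following `sendfile on` as further arguments of that directive and `nginx -t` fails with an invalid-number-of-arguments error; the line must be `client_body_timeout 120s;`. Raising `client_max_body_size` from `100m` to `1G` at http level now applies to every vhost that no longer sets its own value (vault.shad.moe previously capped at 525M, play.gpoc at 100m), which widens the request-body resource exposure for services that never accept uploads — consider keeping `1G` only in the server or location blocks that need it and leaving a smaller http-level default. Dropping the http-level `ssl_protocols`, `ssl_session_*` and `ssl_prefer_server_ciphers` is fine only while every TLS server block includes common-ssl.conf; a comment at this spot pointing to that snippet would make the dependency explicit.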
@@ -97,7 +58,6 @@ http {
 # Sets the path, format, and configuration for a buffered log write.
 access_log /var/log/nginx/access.log main;
- # Includes virtual hosts configs.
 include /etc/nginx/http.d/*;
 }
diff --git a/snippets/global/common-boilerplate.conf b/snippets/global/common-boilerplate.conf
new file mode 100644
index 0000000..3cfdbfd
--- /dev/null
+++ b/snippets/global/common-boilerplate.conf
@@ -0,0 +1,8 @@
+# Upgrade Websocket Connections
+include snippets/websocket-upgrade.conf;
+
+# Add Upstreams Master List
+include snippets/upstreams-list.conf;
+
+# Upgrade HTTP Connections to HTTPS
+include snippets/upgrade-http.conf;
\ No newline at end of file
diff --git a/snippets/global/common-headers.conf b/snippets/global/common-headers.conf
new file mode 100644
index 0000000..5a4ee10
--- /dev/null
+++ b/snippets/global/common-headers.conf
@@ -0,0 +1,8 @@
+# Set a common group of headers
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;
+add_header Content-Security-Policy "frame-ancestors 'self'";
+add_header X-Frame-Options DENY;
+add_header Referrer-Policy same-origin;
+add_header Access-Control-Allow-Origin *;
\ No newline at end of file
diff --git a/snippets/global/common-ssl.conf b/snippets/global/common-ssl.conf
new file mode 100644
index 0000000..ea90a59
--- /dev/null
+++ b/snippets/global/common-ssl.conf
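Review bot: The three `include` paths in common-boilerplate.conf do not match where this commit creates the files: it includes `snippets/websocket-upgrade.conf`, `snippets/upstreams-list.conf` and `snippets/upgrade-http.conf`, while the new files are `snippets/global/websocket-upgrade.conf`, `snippets/proxy/upstreams-list.conf` and `snippets/global/upgrade-http.conf`. A non-wildcard `include` of a missing file is a fatal configuration error, so unless copies still exist at the old paths the whole config refuses to load; the lines should read `include snippets/global/websocket-upgrade.conf;`, `include snippets/proxy/upstreams-list.conf;` and `include snippets/global/upgrade-http.conf;`. The same mismatch appears in common-ssl.conf and in the renamed http-cat-error-pages.conf, which both include `snippets/resolver.conf` while the file is created as `snippets/global/resolver.conf`.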
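Review bot: `add_header Access-Control-Allow-Origin *;` is now part of the common header set, and common-proxy-headers.conf pulls this file into every proxied vhost, so the wildcard CORS policy that the old config applied only to play.gpoc now also covers Vaultwarden and Authentik; a wildcard origin belongs only on sites that intentionally serve cross-origin clients, so keep that line in the play.gpoc server block (where the hunk above already has it) rather than here. `X-Frame-Options DENY` and `Content-Security-Policy "frame-ancestors 'self'"` also disagree with each other — CSP-aware browsers honour `'self'`, older ones `DENY` — so pick one policy, e.g. `frame-ancestors 'none'` alongside `DENY`, or `SAMEORIGIN` alongside `'self'`. Note that nginx's `add_header` is not additive across levels: if any `location` block (including those in the error-pages snippet, which is not visible here) sets its own `add_header`, none of these headers are sent for that location, which is worth a comment at the top of this file.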
@@ -0,0 +1,42 @@
+# Many of these parameters configured based on https://ssl-config.mozilla.org/#server=nginx&version=1.26.0&config=intermediate&openssl=1.1.1w&guideline=5.7
+
+# Listen on port 443 (IPv4/IPv6)
+listen 443 ssl;
+listen [::]:443 ssl;
+
+# Listen on port 443 with quic (IPv4/IPv6)
+listen 443 quic reuseport;
+listen [::]:443 quic reuseport;
+
+# Enable http2
+http2 on;
+
+# Enable http3
+http3 on;
+
+# Enable QUIC Functions
+quic_retry on;
+add_header Alt-Svc 'h3=":443"; ma=86400';
+
+# Set SSL Session Parameters
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# Configure DHParam
+ssl_dhparam /etc/nginx/dhparam.txt;
+
+# Intermediate SSL Configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ssl_prefer_server_ciphers off;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# Include a resolver for OSCP Stapling
+include snippets/resolver.conf;
\ No newline at end of file
diff --git a/snippets/http-cat-error-pages.conf b/snippets/global/errors/http-cat-error-pages.conf
similarity index 93%
rename from snippets/http-cat-error-pages.conf
rename to snippets/global/errors/http-cat-error-pages.conf
index c4af070..ff3b84b 100644
--- a/snippets/http-cat-error-pages.conf
+++ b/snippets/global/errors/http-cat-error-pages.conf
@@ -26,4 +26,5 @@ location ~ ^/test-status-cats/(?.*)$ {
 proxy_pass https://http.cat/$cat/;
 }
-resolver 100.100.100.100;
+# Include a resolver for domain resolution
+include snippets/resolver.conf;
\ No newline at end of file
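Review bot: `include snippets/resolver.conf;` on the last line points at a path this commit does not create — the new file is `snippets/global/resolver.conf` — and that file is added empty, so the `resolver 100.100.100.100;` removed from http-cat-error-pages.conf in the next hunk has no replacement anywhere. Without a `resolver`, `ssl_stapling_verify on` cannot look up the OCSP responder (nginx logs the failure and simply serves no staple) and the variable-based `proxy_pass https://http.cat/$cat/` in the error-pages snippet fails at request time; put the intended `resolver` directive into `snippets/global/resolver.conf` and fix both include paths. Second, `listen 443 quic reuseport;` lives in a snippet that every TLS server block includes, but nginx accepts `reuseport` for a given address:port only once, so the second vhost fails config test with a duplicate-listen-options error; keep `reuseport` on one server block (or the default_server) and use plain `listen 443 quic;` here, as the nginx HTTP/3 documentation advises. The comment `# Include a resolver for OSCP Stapling` should read `OCSP`.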
diff --git a/snippets/global/resolver.conf b/snippets/global/resolver.conf
new file mode 100644
index 0000000..e69de29
diff --git a/snippets/global/upgrade-http.conf b/snippets/global/upgrade-http.conf
new file mode 100644
index 0000000..f231a61
--- /dev/null
+++ b/snippets/global/upgrade-http.conf
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name *;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
\ No newline at end of file
diff --git a/snippets/global/websocket-upgrade.conf b/snippets/global/websocket-upgrade.conf
new file mode 100644
index 0000000..c822c8f
--- /dev/null
+++ b/snippets/global/websocket-upgrade.conf
@@ -0,0 +1,4 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
\ No newline at end of file
diff --git a/snippets/proxy/common-proxy-headers.conf b/snippets/proxy/common-proxy-headers.conf
new file mode 100644
index 0000000..f864cd2
--- /dev/null
+++ b/snippets/proxy/common-proxy-headers.conf
@@ -0,0 +1,19 @@
+# Set a common group of proxy headers
+proxy_http_version 1.1;
+proxy_set_header X-Real-IP $remote_addr;
+
+proxy_set_header X-Forwarded-Scheme $scheme;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Port $server_port;
+
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+proxy_set_header Accept-Encoding "";
+
+# Forward the Authorization header when passed
+proxy_set_header Authorization $http_authorization;
+proxy_pass_header Authorization;
+
+include snippets/global/common-headers.conf;
\ No newline at end of file
diff --git a/snippets/proxy/proxy-settings.conf b/snippets/proxy/proxy-settings.conf
new file mode 100644
index 0000000..27a4923
--- /dev/null
+++ b/snippets/proxy/proxy-settings.conf
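Review bot: `server_name *;` in upgrade-http.conf is not a valid nginx server name — wildcards must take the form `*.example.com` or `example.*`, and as far as I recall a bare `*` is rejected at config test with "server name is invalid" — so the shared redirect server never comes up; the documented catch-all is `server_name _;`, ideally paired with `listen 80 default_server;` so requests with an unknown or missing Host also reach the redirect. Because this file is pulled in through common-boilerplate.conf, it is also instantiated once per vhost file under the current layout (see the note on play.gpoc.shad.moe), which would give one port-80 server per site all claiming the same name. The old vault.shad.moe port-80 block returned 404 for hosts it did not serve; the new block redirects any Host, which is a deliberate behaviour change worth stating in the file's comment.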
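Review bot: `proxy_set_header Authorization $http_authorization;` and `proxy_pass_header Authorization;` are now applied to every backend, whereas the old configuration forwarded Authorization only to FreshRSS for the Google Reader API; nginx already passes the Authorization request header through unchanged by default, and `proxy_pass_header` controls response headers, so both lines are redundant and the comment above them overstates what they do. Separately, `proxy_set_header Connection $connection_upgrade;` resolves to `close` for every non-WebSocket request (the map in websocket-upgrade.conf sets `'' close`), so the `keepalive` pools declared for authentik, freshrss and vaultwarden-default in upstreams-list.conf are never used; upstream keepalive needs `Connection ""`, which conflicts with the upgrade map unless the WebSocket headers are confined to the locations that need them. `proxy_set_header Accept-Encoding "";` also disables upstream compression for every app and deserves a one-line comment explaining why.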
@@ -0,0 +1,6 @@
+# Settings for proxy connections
+proxy_read_timeout 90;
+
+proxy_redirect off;
+proxy_buffering off;
+proxy_request_buffering off;
\ No newline at end of file
diff --git a/snippets/proxy/upstreams-list.conf b/snippets/proxy/upstreams-list.conf
new file mode 100644
index 0000000..8ea1c6f
--- /dev/null
+++ b/snippets/proxy/upstreams-list.conf
@@ -0,0 +1,33 @@
+# List of all upstreams
+
+upstream authentik {
+ server 192.168.1.205:9443;
+ keepalive 10;
+}
+
+upstream bookstack {
+ server 100.64.2.118;
+}
+
+upstream bsky {
+ server 100.64.4.102:3000;
+}
+
+upstream freshrss {
+ server 192.168.1.219:8080;
+ keepalive 64;
+}
+
+upstream gitea {
+ server 192.168.1.215:3000;
+}
+
+upstream grafana {
+ server 192.168.1.200:3000;
+}
+
+upstream vaultwarden-default {
+ zone vaultwarden-default 64k;
+ server 192.168.1.209:8000;
+ keepalive 2;
+}
\ No newline at end of file