From f5730b2477f1f1ffd5b013b5f6931e11196a6ca5 Mon Sep 17 00:00:00 2001
From: Hadrien
Date: Tue, 14 Jun 2022 23:42:52 +0200
Subject: [PATCH] nginx templates

---
 files/nginx/nginx.conf | 81 +++++++
 files/nginx/sites-enabled/fuz.re.conf | 52 +++++
 files/nginx/sites-enabled/matrix.fuz.re.conf | 38 ++++
 files/nginx/snippets/general.conf | 18 ++
 files/nginx/snippets/letsencrypt.conf | 4 +
 files/nginx/snippets/proxy.conf | 18 ++
 files/nginx/snippets/security.conf | 12 ++
 templates/nginx.conf | 214 +++++++++++++++++++
 8 files changed, 437 insertions(+)
 create mode 100755 files/nginx/nginx.conf
 create mode 100755 files/nginx/sites-enabled/fuz.re.conf
 create mode 100755 files/nginx/sites-enabled/matrix.fuz.re.conf
 create mode 100755 files/nginx/snippets/general.conf
 create mode 100755 files/nginx/snippets/letsencrypt.conf
 create mode 100755 files/nginx/snippets/proxy.conf
 create mode 100755 files/nginx/snippets/security.conf
 create mode 100644 templates/nginx.conf

diff --git a/files/nginx/nginx.conf b/files/nginx/nginx.conf
new file mode 100755
index 0000000..1e50fde
--- /dev/null
+++ b/files/nginx/nginx.conf
@@ -0,0 +1,81 @@ +# https://www.digitalocean.com/community/tools/nginx + +user www-data; +pid /run/nginx.pid; +worker_processes auto; +worker_rlimit_nofile 65535; + +# Load modules +include /etc/nginx/modules-enabled/*.conf; + +events { + multi_accept on; + worker_connections 65535; +} + +http { + charset utf-8; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + server_tokens off; + log_not_found off; + types_hash_max_size 2048; + types_hash_bucket_size 64; + client_max_body_size 16M; + + # MIME + include mime.types; + default_type application/octet-stream; + + # Logging + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log warn; + + # SSL + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; + + # Diffie-Hellman parameter for DHE ciphersuites + ssl_dhparam /etc/nginx/dhparam.pem; + + # Mozilla Intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + # OCSP Stapling + ssl_stapling on; + ssl_stapling_verify on; + + # Connection header for WebSocket reverse proxy + map $http_upgrade $connection_upgrade { + default upgrade; + "" close; + } + + map $remote_addr $proxy_forwarded_elem { + + # IPv4 addresses can be sent as-is + ~^[0-9.]+$ "for=$remote_addr"; + + # IPv6 addresses need to be bracketed and quoted + ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\""; + + # Unix domain socket names cannot be represented in RFC 7239 syntax + default "for=unknown"; + } + + map $http_forwarded $proxy_add_forwarded { + + # If the incoming Forwarded header is syntactically valid, append to it + "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t 
\\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem"; + + # Otherwise, replace it + default "$proxy_forwarded_elem"; + } + + # Load configs + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} \ No newline at end of file diff --git a/files/nginx/sites-enabled/fuz.re.conf b/files/nginx/sites-enabled/fuz.re.conf new file mode 100755 index 0000000..1721eec --- /dev/null +++ b/files/nginx/sites-enabled/fuz.re.conf 
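Review bot: `ssl_stapling on; ssl_stapling_verify on;` in the `# OCSP Stapling` block is set without a `resolver` directive, so nginx cannot resolve the OCSP responder hostname and stapling is silently skipped (the error log reports "no resolver defined"); add a `resolver` next to it that names the recursive resolver the nginx host actually uses, e.g. `resolver 127.0.0.53 valid=300s; resolver_timeout 5s;` on a systemd-resolved host. `ssl_dhparam /etc/nginx/dhparam.pem` is referenced but the file is not part of this commit; if it is not provisioned separately nginx refuses to start, so either ship it alongside or drop the directive together with the two `DHE-RSA-*` suites in `ssl_ciphers`. The per-vhost `ssl_trusted_certificate` lines in the other files do satisfy `ssl_stapling_verify`, so that part is fine.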
@@ -0,0 +1,52 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name fuz.re;
+ root /var/www/fuz.re/public;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/fuz.re/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/fuz.re/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/fuz.re/chain.pem;
+
+ # security
+ include snippets/security.conf;
+
+ # index.html fallback
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+
+ # index.php fallback
+ location ~ ^/api/ {
+ try_files $uri $uri/ /index.php?$query_string;
+ }
+
+ # additional config
+ include snippets/general.conf;
+}
+
+# subdomains redirect
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name *.fuz.re;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/fuz.re/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/fuz.re/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/fuz.re/chain.pem;
+ return 301 https://fuz.re$request_uri;
+}
+
+# HTTP redirect
+server {
+ listen 80;
+ listen [::]:80;
+ server_name .fuz.re;
+ include snippets/letsencrypt.conf;
+
+ location / {
+ return 301 https://fuz.re$request_uri;
+ }
+}
\ No newline at end of file
diff --git a/files/nginx/sites-enabled/matrix.fuz.re.conf b/files/nginx/sites-enabled/matrix.fuz.re.conf
new file mode 100755
index 0000000..aabbac9
--- /dev/null
+++ b/files/nginx/sites-enabled/matrix.fuz.re.conf
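Review bot: The `location ~ ^/api/` block falls back to `/index.php?$query_string`, but no PHP handler (`fastcgi_pass` / php-fpm location) exists anywhere in this commit, so the internal redirect lands in `location /` and `try_files $uri` serves `index.php` as a plain static file under `default_type application/octet-stream` — if that file exists under `/var/www/fuz.re/public`, its source (and any credentials inside it) is disclosed to anyone requesting a non-existent `/api/...` path. Either add the php-fpm location this block presumes, or drop the `/api/` block until it exists; as a stop-gap, `location ~ \.php$ { return 404; }` keeps PHP source off the wire. Separately, the `*.fuz.re` redirect server reuses `/etc/letsencrypt/live/fuz.re/`; unless that certificate carries a wildcard SAN, subdomain clients get a name-mismatch error before the 301 is ever sent, so this should be confirmed against the issued certificate.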
@@ -0,0 +1,38 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name matrix.fuz.re;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/matrix.fuz.re/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/matrix.fuz.re/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/matrix.fuz.re/chain.pem;
+
+ # security
+ include snippets/security.conf;
+
+ # logging
+ access_log /var/log/nginx/matrix.fuz.re.access.log;
+ error_log /var/log/nginx/matrix.fuz.re.error.log warn;
+
+ # reverse proxy
+ location / {
+ proxy_pass http://127.0.0.1:8080;
+ include snippets/proxy.conf;
+ }
+
+ # additional config
+ include snippets/general.conf;
+}
+
+# HTTP redirect
+server {
+ listen 80;
+ listen [::]:80;
+ server_name matrix.fuz.re;
+ include snippets/letsencrypt.conf;
+
+ location / {
+ return 301 https://matrix.fuz.re$request_uri;
+ }
+}
\ No newline at end of file
diff --git a/files/nginx/snippets/general.conf b/files/nginx/snippets/general.conf
new file mode 100755
index 0000000..0b30d61
--- /dev/null
+++ b/files/nginx/snippets/general.conf
@@ -0,0 +1,18 @@
+# favicon.ico
+location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+}
+
+# robots.txt
+location = /robots.txt {
+ log_not_found off;
+ access_log off;
+}
+
+# gzip
+gzip on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
\ No newline at end of file
diff --git a/files/nginx/snippets/letsencrypt.conf b/files/nginx/snippets/letsencrypt.conf
new file mode 100755
index 0000000..8705582
--- /dev/null
+++ b/files/nginx/snippets/letsencrypt.conf
@@ -0,0 +1,4 @@
+# ACME-challenge
+location ^~ /.well-known/acme-challenge/ {
+ root /var/www/_letsencrypt;
+}
\ No newline at end of file
diff --git a/files/nginx/snippets/proxy.conf b/files/nginx/snippets/proxy.conf
new file mode 100755
index 0000000..c8c46b0
--- /dev/null
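Review bot: `location / { proxy_pass http://127.0.0.1:8080; ... }` forwards every path to the backend, which — if the backend is Synapse, as the `matrix.` host name and the old configuration suggest — exposes `/_synapse/admin/` on the public vhost; the admin API is token-gated but is normally only reached from localhost, so a more specific `location ^~ /_synapse/admin/ { return 404; }` (or an `allow`/`deny` list) above the catch-all removes it from the attack surface. The backend port also disagrees with the lighttpd configuration in `templates/nginx.conf` of this same commit, which proxies `matrix.fuz.re` to `127.0.0.1:8008` (Synapse's default) — one of the two is presumably wrong and should be checked before deployment. Finally, the old configuration also listened on `:8448` for federation; nothing here does, so unless `/.well-known/matrix/server` delegation to port 443 is in place, federation will stop working after the switch.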
+++ b/files/nginx/snippets/proxy.conf
@@ -0,0 +1,18 @@
+proxy_http_version 1.1;
+proxy_cache_bypass $http_upgrade;
+
+# Proxy headers
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Forwarded $proxy_add_forwarded;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Port $server_port;
+
+# Proxy timeouts
+proxy_connect_timeout 60s;
+proxy_send_timeout 60s;
+proxy_read_timeout 60s;
\ No newline at end of file
diff --git a/files/nginx/snippets/security.conf b/files/nginx/snippets/security.conf
new file mode 100755
index 0000000..b7ba9a9
--- /dev/null
+++ b/files/nginx/snippets/security.conf
@@ -0,0 +1,12 @@
+# security headers
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "no-referrer-when-downgrade" always;
+add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
+add_header Permissions-Policy "interest-cohort=()" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+# . files
+location ~ /\.(?!well-known) {
+ deny all;
+}
\ No newline at end of file
diff --git a/templates/nginx.conf b/templates/nginx.conf
new file mode 100644
index 0000000..cd6728c
--- /dev/null
+++ b/templates/nginx.conf
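Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header Forwarded $proxy_add_forwarded;` append to whatever the client already sent, so a client can place arbitrary addresses first in both headers; that is the correct behaviour behind a trusted upstream proxy, but the vhosts that include this snippet terminate TLS directly on port 443 with nothing in front, so the backend must trust only `X-Real-IP` (set unconditionally to `$remote_addr`) or the last element of the list, never the first. A comment above the headers would keep the next maintainer from configuring the backend to read the first hop: `# X-Forwarded-For/Forwarded are client-appended; backends must use X-Real-IP or the last hop only.` If no upstream proxy is ever expected, `proxy_set_header X-Forwarded-For $remote_addr;` removes the ambiguity entirely.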
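Review bot: The `Content-Security-Policy` value `default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'` allows scripts from any origin over http or https plus inline script, so it provides effectively no XSS mitigation — only the `frame-ancestors 'self'` part does real work. If the sites cannot tolerate a stricter policy yet, keep only what is enforceable (`frame-ancestors 'self'`), or ship the broad policy as `Content-Security-Policy-Report-Only` while tightening it, and say in a comment that the `default-src` list is deliberately permissive so nobody mistakes it for protection. Note also that nginx `add_header` is not inherited into any `location` that sets its own `add_header`, so a vhost adding one header in a location silently loses all six of these; worth a line above the block, e.g. `# add_header is dropped in any location that declares its own add_header`. `X-XSS-Protection` is deprecated and can go, and `Referrer-Policy "no-referrer-when-downgrade"` still leaks full URLs cross-origin over HTTPS where `strict-origin-when-cross-origin` would not.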
@@ -0,0 +1,214 @@ + +### FUZ.RE ### +## TODO: Wiki pas encore hébergé ici ### +# $HTTP["host"] == "wiki.fuz.re" { +# server.document-root = "/var/www/fuz.re/dokuwiki/" +# $HTTP["scheme"] == "http" { +# url.redirect = (".*" => "https://wiki.fuz.re$0") + # } + +# FIXME: Redirect www -> https without www +# $HTTP["host"] == "www.fuz.re" { +# $HTTP["scheme"] == "http" { +# url.redirect = (".*" => "https://fuz.re$0") +# } +# } +# Redirect http -> https without www +# FIXME: Redirect www -> https without www +# $HTTP["host"] == "fuz.re" { +# $HTTP["scheme"] == "http" { +# url.redirect = (".*" => "https://fuz.re$0") +# } +# FIXME: HTTPS : + # $HTTP["scheme"] == "https" { + # $SERVER["socket"] == ":443" { + # ssl.engine = "enable" + # server.document-root = "/var/www/fuz.re/newsite/public" + # ssl.pemfile = "/etc/letsencrypt/live/fuz.re/fullchain.pem" + # ssl.privkey = "/etc/letsencrypt/live/fuz.re/privkey.pem" + # } + +# Old Jack.tf +$HTTP["host"] == "jack.fuz.re" { + server.document-root = "/var/www/fuz.re/jack/site" + $HTTP["scheme"] == "http" { + $HTTP["url"] !~ "^/.well-known/acme-challenge/" { + url.redirect = (".*" => "https://jack.fuz.re$0") + } + } + $HTTP["scheme"] == "https" { + $SERVER["socket"] == ":443" { + ssl.engine = "enable" + ssl.pemfile = "/etc/letsencrypt/live/jack.fuz.re/fullchain.pem" + ssl.privkey = "/etc/letsencrypt/live/jack.fuz.re/privkey.pem" + } + } +} + + +$HTTP["host"] == "riot.fuz.re" { + server.document-root = "/var/www/fuz.re/riot/site" + $HTTP["scheme"] == "http" { + $HTTP["url"] !~ "^/.well-known/acme-challenge/" { + url.redirect = (".*" => "https://riot.fuz.re$0") + } + } + $HTTP["scheme"] == "https" { + alias.url = ( + "/rc" => "/var/www/fuz.re/riot/rc" + ) + + $SERVER["socket"] == ":443" { + ssl.engine = "enable" + ssl.pemfile = "/etc/letsencrypt/live/riot.fuz.re/fullchain.pem" + ssl.privkey = "/etc/letsencrypt/live/riot.fuz.re/privkey.pem" + } + } +} + +$HTTP["host"] == "matrix.fuz.re" { + server.document-root = 
"/var/www/fuz.re/matrix/site" + $HTTP["scheme"] == "http" { + $HTTP["url"] !~ "^/.well-known/acme-challenge/" { + url.redirect = (".*" => "https://matrix.fuz.re$0") + } + } + $SERVER["socket"] == ":443" { + ssl.engine = "enable" + ssl.pemfile = "/etc/letsencrypt/live/matrix.fuz.re/fullchain.pem" + ssl.privkey = "/etc/letsencrypt/live/matrix.fuz.re/privkey.pem" + proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => 8008 ))) + proxy.header = ( "map-host-request" => ( "-" => "matrix.fuz.re"), + "map-host-response" => ("-" => "-")) + } + $SERVER["socket"] == ":8448" { + ssl.engine = "enable" + ssl.pemfile = "/etc/letsencrypt/live/matrix.fuz.re/fullchain.pem" + ssl.privkey = "/etc/letsencrypt/live/matrix.fuz.re/privkey.pem" + proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => 8008 ))) + proxy.header = ( "map-host-request" => ( "-" => "matrix.fuz.re"), + "map-host-response" => ("-" => "-")) + } +} + +$HTTP["host"] == "mumble.fuz.re" { + $HTTP["scheme"] == "http" { + server.document-root = "/var/www/fuz.re/mumble/site" + $HTTP["url"] !~ "^/.well-known/acme-challenge/" { + url.redirect = (".*" => "https://mumble.fuz.re$0") + } + } + + $SERVER["socket"] == ":443" { + ssl.engine = "enable" + ssl.pemfile = "/etc/letsencrypt/live/mumble.fuz.re/fullchain.pem" + ssl.privkey = "/etc/letsencrypt/live/mumble.fuz.re/privkey.pem" + url.redirect-code = 302 # it's a workaround for retarded lighttpd unable to handle websockets, hence a temp 302 redirection -- Lomanic 20200606 + url.redirect = (".*" => "https://mumble.fuz.re:64737$0") + } +} + + + +$HTTP["host"] == "presence.fuz.re" { # added by Lomanic 20200606 + $HTTP["scheme"] == "http" { + server.document-root = "/var/www/fuz.re/presence/site" + $HTTP["url"] !~ "^/.well-known/acme-challenge/" { + url.redirect = (".*" => "https://${url.authority}${url.path}${qsa}") + } + } + + $SERVER["socket"] == ":443" { + ssl.engine = "enable" + proxy.server = ( "" => (("host" => "127.0.0.1", "port" => 3000)) ) + #ssl.ca-file = 
"/etc/letsencrypt/live/presence.fuz.re/chain.pem" + #ssl.pemfile = "/etc/lighttpd/certs/presence.fuz.re.pem" + + ssl.pemfile = "/etc/letsencrypt/live/presence.fuz.re/fullchain.pem" + ssl.privkey = "/etc/letsencrypt/live/presence.fuz.re/privkey.pem" + } +} +$HTTP["host"] == "spaceapi.fuz.re" { # added by Lomanic 20201017 + $HTTP["scheme"] == "http" { + server.document-root = "/var/www/fuz.re/spaceapi/site" + $HTTP["url"] !~ "^/.well-known/acme-challenge/" { + url.redirect = (".*" => "https://${url.authority}${url.path}${qsa}") + } + } + + $SERVER["socket"] == ":443" { + ssl.engine = "enable" + proxy.server = ( "" => (("host" => "127.0.0.1", "port" => 3001)) ) + ssl.pemfile = "/etc/letsencrypt/live/spaceapi.fuz.re/fullchain.pem" + ssl.privkey = "/etc/letsencrypt/live/spaceapi.fuz.re/privkey.pem" + } +} + +$HTTP["host"] == "sonic.fuz.re" { + server.document-root = "/var/www/sonic.fuz.re/" +} + +### Mailman ### +$HTTP["host"] == "liste.fuz.re" { + server.document-root = "/var/www/fuz.re/liste/site" + $HTTP["scheme"] == "http" { + $HTTP["url"] !~ "^/.well-known/acme-challenge/" { + url.redirect = (".*" => "https://liste.fuz.re$0") + } + } + $SERVER["socket"] == ":443" { + ssl.engine = "enable" + #ssl.ca-file = "/etc/letsencrypt/live/liste.fuz.re/chain.pem" + #ssl.pemfile = "/etc/letsencrypt/live/liste.fuz.re/combined.pem" + ssl.pemfile = "/etc/letsencrypt/live/liste.fuz.re/fullchain.pem" + ssl.privkey = "/etc/letsencrypt/live/liste.fuz.re/privkey.pem" + } + alias.url = ( + "/mailman/" => "/usr/lib/cgi-bin/mailman/", + "/cgi-bin/mailman/" => "/usr/lib/cgi-bin/mailman/", + "/images/mailman/" => "/usr/share/images/mailman/", + #"/pipermail/" => "/var/lib/mailman/archives/public/" + ) + cgi.assign = ( + "/admin" => "", + "/admindb" => "", + "/confirm" => "", + "/create" => "", + "/edithtml" => "", + "/listinfo" => "", + "/options" => "", + "/private" => "", + "/rmlist" => "", + "/roster" => "", + "/subscribe" => "") +} + +## Datapaulette - Pas hébérgé ici non plus +# 
$HTTP["host"] =~ "www.datapaulette.org" { +# url.redirect = (".*" => "http://datapaulette.org") +# } +# $HTTP["host"] =~ "datapaulette.org" { +# server.error-handler-404 = "/index.php" +# server.document-root = "/var/www/datapaulette.org/dp-wp" +# $SERVER["socket"] == ":443" { +# ssl.engine = "enable" +# ssl.ca-file = "/etc/letsencrypt/live/datapaulette.org/fullchain.pem" +# ssl.pemfile = "/etc/lighttpd/certs/datapaulette.org.pem" +# } + #url.rewrite = ( + # "^/(.*)\.(.+)$" => "$0", + # ###"^/(wp-admin|wp-includes|wp-content|gallery2)/(.*)" => "$0", + # "^/(.+)/?$" => "/index.php/$1" + #) +} + +### WOOTDEVICES.IO - https à activer après copie des certs +$HTTP["host"] == "wootdevices.io" { + server.document-root = "/var/www/wootdevices.io/site/" +# $SERVER["socket"] == ":443" { +# ssl.engine = "enable" +# ssl.ca-file = "/etc/letsencrypt/live/wootdevices.io/fullchain.pem" +# ssl.pemfile = "/etc/lighttpd/certs/wootdevices.io.pem" +# } +} +
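Review bot: The closing `}` right after the commented `#url.rewrite` block (the line before `### WOOTDEVICES.IO`) closes a `$HTTP["host"] =~ "datapaulette.org" {` that is itself commented out, so the file has an unbalanced brace and will not parse even in lighttpd; either comment out that `}` too or remove the whole dead block. More fundamentally, the entire file is lighttpd syntax (`$HTTP["host"] == ...`, `ssl.engine`, `proxy.server`, `cgi.assign`) committed under `templates/nginx.conf`; nginx cannot load it, so it is either a reference copy that should be renamed (e.g. `lighttpd.conf.old`) and kept out of any nginx include path, or it still needs to be ported — the commit message does not say which. If it is kept for reference, note that `sonic.fuz.re` and `wootdevices.io` are served over plain HTTP with no redirect and the Mailman `cgi.assign` list exposes `/admin`, `/admindb`, `/create` and `/rmlist` without any access restriction at the web-server layer, which should not be reproduced in the nginx port. The comment on the `mumble.fuz.re` redirect should also be reworded to plain language, e.g. `# lighttpd cannot proxy websockets, so send clients straight to the mumble-web port`.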