commit 6dd74bad6a2366f77bbd141ebe3aa66d26e6b34b
Author: Arthur Lu
Date: Sat Apr 1 04:18:56 2023 +0000
initial commit
diff --git a/mime.types b/mime.types
new file mode 100644
index 0000000..89be9a4
--- /dev/null
+++ b/mime.types
@@ -0,0 +1,89 @@
+
+types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/javascript js;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/png png;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+ image/svg+xml svg svgz;
+ image/webp webp;
+
+ application/font-woff woff;
+ application/java-archive jar war ear;
+ application/json json;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-fontobject eot;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.wap.wmlc wmlc;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..8099315
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,59 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+# include /etc/nginx/modules/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+http {
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ # ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ # ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ # include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites/*;
+}
diff --git a/sites/client b/sites/client
new file mode 100644
index 0000000..7055b90
--- /dev/null
+++ b/sites/client
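Review bot: `# server_tokens off;` in the Basic Settings section of nginx.conf is left commented, so every response header and default error page carries the nginx version string; uncommenting it (`server_tokens off;`) is the standard hardening step and has no functional cost. The SSL Settings section is entirely commented out, which only works because snippets/ssl-params.conf sets ssl_protocols in each server block — a one-line note here (`# TLS settings live in snippets/ssl-params.conf`) would stop the next reader from assuming nginx defaults apply. `gzip on;` at http level compresses proxied HTML over TLS for every vhost; whether that matters (BREACH needs responses that reflect request data) depends on the backends, which are not visible here, so either restrict `gzip_types` to static asset types or leave a comment recording the decision.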
@@ -0,0 +1,18 @@
+server {
+ listen 80;
+ server_name client.tronnet.net;
+ rewrite ^(.*) https://$host$1 permanent;
+}
+server {
+ listen 443 ssl http2;
+ server_name client.tronnet.net;
+ include /etc/nginx/snippets/ssl-params.conf;
+ location / {
+ proxy_pass http://proxmoxaas.dmz:8080;
+ include /etc/nginx/snippets/proxy-params.conf;
+ }
+ location /api/ {
+ proxy_pass http://proxmoxaas.dmz:80;
+ include /etc/nginx/snippets/proxy-params.conf;
+ }
+}
diff --git a/sites/default b/sites/default
new file mode 100644
index 0000000..3213981
--- /dev/null
+++ b/sites/default
@@ -0,0 +1,11 @@
+server {
+ listen 80 default_server;
+ server_name *.tronnet.net;
+ return 301 https://tronnet.net;
+}
+server {
+ listen 443 ssl http2 default_server;
+ server_name *.tronnet.net;
+ include /etc/nginx/snippets/ssl-params.conf;
+ return 301 https://tronnet.net;
+}
diff --git a/sites/homepage b/sites/homepage
new file mode 100644
index 0000000..47ab60f
--- /dev/null
+++ b/sites/homepage
@@ -0,0 +1,14 @@
+server {
+ listen 80;
+ server_name tronnet.net;
+ rewrite ^(.*) https://$host$1 permanent;
+}
+server {
+ listen 443 ssl http2;
+ server_name tronnet.net;
+ include /etc/nginx/snippets/ssl-params.conf;
+ location / {
+ proxy_pass http://sites.dmz:80;
+ include /etc/nginx/snippets/proxy-params.conf;
+ }
+}
diff --git a/sites/ldap b/sites/ldap
new file mode 100644
index 0000000..5f21610
--- /dev/null
+++ b/sites/ldap
@@ -0,0 +1,14 @@
+server {
+ listen 80;
+ server_name ldap.tronnet.net;
+ rewrite ^(.*) https://$host$1 permanent;
+}
+server {
+ listen 443 ssl http2;
+ server_name ldap.tronnet.net;
+ include /etc/nginx/snippets/ssl-params.conf;
+ location / {
+ proxy_pass http://ldap.dmz:80;
+ include /etc/nginx/snippets/proxy-params.conf;
+ }
+}
diff --git a/sites/mail b/sites/mail
new file mode 100644
index 0000000..8471e6a
--- /dev/null
+++ b/sites/mail
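Review bot: The HTTP-to-HTTPS redirect in sites/client is written as `rewrite ^(.*) https://$host$1 permanent;`, where `return 301 https://$host$request_uri;` is the form nginx recommends for this: it skips the regex engine and carries the query string explicitly instead of relying on rewrite's implicit append. The identical block appears in sites/homepage and sites/ldap in this group and in every other sites/* file of the commit, so a shared snippet would keep them consistent and give one place to fix. `$host` is taken from the request's Host header; it is a safe redirect target here only because sites/default claims `default_server` on port 80, so requests for unlisted hosts never reach these blocks — worth a comment, because dropping that default server would turn every per-site redirect into an attacker-controlled destination, and `$server_name` would avoid the dependency altogether.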
@@ -0,0 +1,15 @@
+server {
+ listen 80;
+ server_name mail.tronnet.net;
+ rewrite ^(.*) https://$host$1 permanent;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name mail.tronnet.net;
+ include /etc/nginx/snippets/ssl-params.conf;
+ location / {
+ proxy_pass https://mail2.dmz;
+ include /etc/nginx/snippets/proxy-params.conf;
+ }
+}
diff --git a/sites/nextcloud b/sites/nextcloud
new file mode 100644
index 0000000..32d9622
--- /dev/null
+++ b/sites/nextcloud
@@ -0,0 +1,14 @@
+server {
+ listen 80;
+ server_name nextcloud.tronnet.net;
+ rewrite ^(.*) https://$host$1 permanent;
+}
+server {
+ listen 443 ssl http2;
+ server_name nextcloud.tronnet.net;
+ include /etc/nginx/snippets/ssl-params.conf;
+ location / {
+ proxy_pass http://nextcloud2.dmz:11000;
+ include /etc/nginx/snippets/proxy-params.conf;
+ }
+}
diff --git a/sites/opns b/sites/opns
new file mode 100644
index 0000000..0486c10
--- /dev/null
+++ b/sites/opns
@@ -0,0 +1,15 @@
+server {
+ listen 80;
+ server_name opns.tronnet.net;
+ rewrite ^(.*) https://$host$1 permanent;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name opns.tronnet.net;
+ include /etc/nginx/snippets/ssl-params.conf;
+ location / {
+ proxy_pass https://10.0.0.1:10443;
+ include /etc/nginx/snippets/proxy-params.conf;
+ }
+}
diff --git a/sites/pve b/sites/pve
new file mode 100644
index 0000000..55dad88
--- /dev/null
+++ b/sites/pve
@@ -0,0 +1,15 @@
+server {
+ listen 80;
+ server_name pve.tronnet.net;
+ rewrite ^(.*) https://$host$1 permanent;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name pve.tronnet.net;
+ include /etc/nginx/snippets/ssl-params.conf;
+ location / {
+ proxy_pass https://geigatron-0-pve.tn:8006;
+ include /etc/nginx/snippets/proxy-params.conf;
+ }
+}
diff --git a/sites/root b/sites/root
new file mode 100644
index 0000000..9bff0e5
--- /dev/null
+++ b/sites/root
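Review bot: sites/mail, sites/opns and sites/pve proxy to https:// upstreams (`https://mail2.dmz`, `https://10.0.0.1:10443`, `https://geigatron-0-pve.tn:8006`) without `proxy_ssl_verify on;`, and nginx's default for that directive is off, so the upstream certificate is never checked and the TLS hop provides confidentiality but no authentication of the backend. If those services present certificates from an internal CA, add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <path-to-internal-ca-bundle>;` (plus `proxy_ssl_server_name on;` if they rely on SNI) either to proxy-params.conf or to these location blocks; if they are self-signed and verification is deliberately skipped, a comment next to each proxy_pass should say so. How those upstreams are provisioned is not visible in the commit, so which case applies is for the author to confirm.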
@@ -0,0 +1,15 @@
+server {
+ listen 80;
+ server_name root.tronnet.net;
+ rewrite ^(.*) https://$host$1 permanent;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name root.tronnet.net;
+ include /etc/nginx/snippets/ssl-params.conf;
+ location / {
+ proxy_pass http://root.root:80;
+ include /etc/nginx/snippets/proxy-params.conf;
+ }
+}
diff --git a/sites/status b/sites/status
new file mode 100644
index 0000000..0c2f624
--- /dev/null
+++ b/sites/status
@@ -0,0 +1,14 @@
+server {
+ listen 80;
+ server_name status.tronnet.net;
+ rewrite ^(.*) https://$host$1 permanent;
+}
+server {
+ listen 443 ssl http2;
+ server_name status.tronnet.net;
+ include /etc/nginx/snippets/ssl-params.conf;
+ location / {
+ proxy_pass http://sites.dmz:8080;
+ include /etc/nginx/snippets/proxy-params.conf;
+ }
+}
diff --git a/sites/wiki b/sites/wiki
new file mode 100644
index 0000000..7f1a648
--- /dev/null
+++ b/sites/wiki
@@ -0,0 +1,14 @@
+server {
+ listen 80;
+ server_name wiki.tronnet.net;
+ rewrite ^(.*) https://$host$1 permanent;
+}
+server {
+ listen 443 ssl http2;
+ server_name wiki.tronnet.net;
+ include /etc/nginx/snippets/ssl-params.conf;
+ location / {
+ proxy_pass http://sites.dmz:8081;
+ include /etc/nginx/snippets/proxy-params.conf;
+ }
+}
diff --git a/snippets/proxy-params.conf b/snippets/proxy-params.conf
new file mode 100644
index 0000000..a6b554a
--- /dev/null
+++ b/snippets/proxy-params.conf
@@ -0,0 +1,13 @@
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_buffering off;
+client_max_body_size 0;
+proxy_connect_timeout 3600s;
+proxy_read_timeout 3600s;
+proxy_send_timeout 3600s;
+send_timeout 3600s;
+proxy_redirect default;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header Host $host;
diff --git a/snippets/ssl-params.conf b/snippets/ssl-params.conf
new file mode 100644
index 0000000..f3a5369
--- /dev/null
+++ b/snippets/ssl-params.conf
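Review bot: `proxy_set_header Connection "upgrade";` in snippets/proxy-params.conf is unconditional, so every proxied request advertises a connection upgrade even when `$http_upgrade` is empty; the usual pattern is a map in the http block of nginx.conf, `map $http_upgrade $connection_upgrade { default upgrade; '' close; }`, and `proxy_set_header Connection $connection_upgrade;` here. The snippet forwards X-Real-IP, X-Forwarded-For and Host but not the original scheme; every backend in this commit is reached over plain http on 80/8080/11000 and so needs `proxy_set_header X-Forwarded-Proto $scheme;` to build https links and decide on secure cookies (which backends actually honour that header is inferred, not visible here). `client_max_body_size 0;` combined with the 3600s timeouts and `proxy_buffering off` removes every request-size and duration bound on every vhost; if the unlimited size exists for one upload path, scoping it to that location would cap what a single client can hold open. Setting X-Forwarded-For to `$remote_addr` rather than `$proxy_add_x_forwarded_for` does discard any client-supplied value, which is the right choice for a sole edge proxy and deserves a comment saying it is intentional.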
@@ -0,0 +1,26 @@
+ssl_protocols SSLv3 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA';
+ssl_prefer_server_ciphers on;
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:50m;
+ssl_session_timeout 1d;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+# ssl cert paths
+ssl_certificate /etc/letsencrypt/live/tronnet.net/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/tronnet.net/privkey.pem;
+
+# letsencrypt validation
+location '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ root /var/www/html;
+}
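Review bot: `ssl_protocols SSLv3 TLSv1.1 TLSv1.2 TLSv1.3;` on the first line enables SSLv3 and TLS 1.1, which contradicts the comment this same commit leaves in nginx.conf (`# Dropping SSLv3, ref: POODLE`); it should read `ssl_protocols TLSv1.2 TLSv1.3;` (whether SSLv3 can actually be negotiated depends on the OpenSSL build, but the directive still states the intent and will be copied). The `ssl_ciphers` string keeps `EECDH+aRSA+RC4` and a bare `RC4` entry while excluding 3DES and MD5, so RC4 suites are offered wherever the library still provides them; drop those two entries or append `:!RC4`. With the 80-to-443 redirect present in every sites/* file, the commented `Strict-Transport-Security` header can likely be switched on — keep it disabled only if some subdomain must stay reachable over plain HTTP, and say which in a comment. `X-XSS-Protection` is a legacy header that current browsers ignore; it is harmless, but a short comment noting that prevents it being mistaken for active protection.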