tronnet/nginx
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

consolidate ssl-params and proxy_params

Browse Source 
Signed-off-by: Arthur Lu <learthurgo@gmail.com>
This commit is contained in:
Arthur Lu 2023-04-27 15:47:27 -07:00
parent ba849311ec
commit 8ec95a3b1b
16 changed files with 56 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
nginx.conf
View File

@ -9,12 +9,15 @@ http {
tcp_nopush on;
types_hash_max_size 2048;
# mime types
include /etc/nginx/mime.types;
default_type application/octet-stream;
# logging
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
@ -23,5 +26,12 @@ http {
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
# ssl parameters
include /etc/nginx/ssl-params.conf
# proxy parameters
include /etc/nginx/proxy-params.conf
# include sites
include /etc/nginx/sites/*;
}

0
snippets/proxy-params.conf → proxy-params.conf
View File

8
sites/client.conf
View File

@ -1,14 +1,12 @@
server {
listen 443 ssl http2;
server_name client.tronnet.net;
include /etc/nginx/snippets/ssl-params.conf;
include /etc/nginx/snippets/ssl-acme.conf;
location / {
include /etc/nginx/snippets/error-pages.conf;
proxy_pass http://proxmoxaas.dmz:8080;
include /etc/nginx/snippets/proxy-params.conf;
proxy_pass http://proxmoxaas.dmz:8080;
}
location /api/ {
proxy_pass http://proxmoxaas.dmz:80;
include /etc/nginx/snippets/proxy-params.conf;
proxy_pass http://proxmoxaas.dmz:80;
}
}

2
sites/default.conf
View File

@ -1,6 +1,6 @@
server {
listen 443 ssl http2 default_server;
server_name *.tronnet.net;
include /etc/nginx/snippets/ssl-params.conf;
include /etc/nginx/snippets/ssl-acme.conf;
return 301 https://tronnet.net;
}

5
sites/homepage.conf
View File

@ -1,10 +1,9 @@
server {
listen 443 ssl http2;
server_name tronnet.net;
include /etc/nginx/snippets/ssl-params.conf;
include /etc/nginx/snippets/ssl-acme.conf;
include /etc/nginx/snippets/error-pages.conf;
location / {
proxy_pass http://sites.dmz:80;
include /etc/nginx/snippets/proxy-params.conf;
proxy_pass http://sites.dmz:80;
}
}

5
sites/ldap.conf
View File

@ -1,10 +1,9 @@
server {
listen 443 ssl http2;
server_name ldap.tronnet.net;
include /etc/nginx/snippets/ssl-params.conf;
include /etc/nginx/snippets/ssl-acme.conf;
include /etc/nginx/snippets/error-pages.conf;
location / {
proxy_pass http://ldap.dmz:80;
include /etc/nginx/snippets/proxy-params.conf;
proxy_pass http://ldap.dmz:80;
}
}

5
sites/mail.conf
View File

@ -1,10 +1,9 @@
server {
listen 443 ssl http2;
server_name mail.tronnet.net;
include /etc/nginx/snippets/ssl-params.conf;
include /etc/nginx/snippets/ssl-acme.conf;
include /etc/nginx/snippets/error-pages.conf;
location / {
proxy_pass https://mail2.dmz;
include /etc/nginx/snippets/proxy-params.conf;
proxy_pass https://mail2.dmz;
}
}

5
sites/nextcloud.conf
View File

@ -1,10 +1,9 @@
server {
listen 443 ssl http2;
server_name nextcloud.tronnet.net;
include /etc/nginx/snippets/ssl-params.conf;
include /etc/nginx/snippets/ssl-acme.conf;
include /etc/nginx/snippets/error-pages.conf;
location / {
proxy_pass http://nextcloud2.dmz:11000;
include /etc/nginx/snippets/proxy-params.conf;
proxy_pass http://nextcloud2.dmz:11000;
}
}

5
sites/opns.conf
View File

@ -1,10 +1,9 @@
server {
listen 443 ssl http2;
server_name opns.tronnet.net;
include /etc/nginx/snippets/ssl-params.conf;
include /etc/nginx/snippets/ssl-acme.conf;
include /etc/nginx/snippets/error-pages.conf;
location / {
proxy_pass https://10.0.0.1:10443;
include /etc/nginx/snippets/proxy-params.conf;
proxy_pass https://10.0.0.1:10443;
}
}

5
sites/pve.conf
View File

@ -1,9 +1,8 @@
server {
listen 443 ssl http2;
server_name pve.tronnet.net;
include /etc/nginx/snippets/ssl-params.conf;
include /etc/nginx/snippets/ssl-acme.conf;
location / {
proxy_pass https://geigatron-0-pve.tn:8006;
include /etc/nginx/snippets/proxy-params.conf;
proxy_pass https://geigatron-0-pve.tn:8006;
}
}

5
sites/root.conf
View File

@ -1,10 +1,9 @@
server {
listen 443 ssl http2;
server_name root.tronnet.net;
include /etc/nginx/snippets/ssl-params.conf;
include /etc/nginx/snippets/ssl-acme.conf;
include /etc/nginx/snippets/error-pages.conf;
location / {
proxy_pass http://root.root:80;
include /etc/nginx/snippets/proxy-params.conf;
proxy_pass http://root.root:80;
}
}

5
sites/status.conf
View File

@ -1,10 +1,9 @@
server {
listen 443 ssl http2;
server_name status.tronnet.net;
include /etc/nginx/snippets/ssl-params.conf;
include /etc/nginx/snippets/ssl-acme.conf;
include /etc/nginx/snippets/error-pages.conf;
location / {
proxy_pass http://sites.dmz:8080;
include /etc/nginx/snippets/proxy-params.conf;
proxy_pass http://sites.dmz:8080;
}
}

5
sites/wiki.conf
View File

@ -1,10 +1,9 @@
server {
listen 443 ssl http2;
server_name wiki.tronnet.net;
include /etc/nginx/snippets/ssl-params.conf;
include /etc/nginx/snippets/ssl-acme.conf;
include /etc/nginx/snippets/error-pages.conf;
location / {
proxy_pass http://sites.dmz:8081;
include /etc/nginx/snippets/proxy-params.conf;
proxy_pass http://sites.dmz:8081;
}
}

5
snippets/ssl-acme.conf Normal file
View File

@ -0,0 +1,5 @@
# letsencrypt validation
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/html;
}

25
snippets/ssl-params.conf
View File

@ -1,25 +0,0 @@
ssl_protocols SSLv3 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# ssl cert paths
ssl_certificate /etc/letsencrypt/live/tronnet.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tronnet.net/privkey.pem;
# letsencrypt validation
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/html;
}

19
ssl-params.conf Normal file
View File

@ -0,0 +1,19 @@
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve auto;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# ssl cert paths
ssl_certificate /etc/letsencrypt/live/tronnet.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tronnet.net/privkey.pem;