
32 Commits

Author SHA1 Message Date
b49761ca08 switch to http2 directive 2024-09-09 12:34:14 -07:00
0f43e8109f add proxy error handling to minecraft http 2024-05-08 07:24:46 +00:00
b5869436b1 add minecraft http 2024-05-08 07:22:39 +00:00
e6f1fab5eb remove ldap 2024-04-17 22:09:26 +00:00
203e144756 fix missing port, fix err log level 2023-12-12 18:54:32 +00:00
9102f0e5a7 fix stream module load,
add logging format to streams
2023-12-12 10:52:18 -08:00
eab1638c96 move sites to http, add stream proxies 2023-12-12 10:14:10 -08:00
caca1bb55d delete unused configs and params 2023-12-12 17:35:07 +00:00
cd86631adc switch more includes to relative paths 2023-12-11 19:05:00 -08:00
d9845e2c9f fix styling 2023-12-11 18:58:10 -08:00
0e8f37aff0 remove duplicate client_max_body_size 2023-12-11 18:55:02 -08:00
dd107f725b update configs 2023-12-11 18:53:46 -08:00
0818cbc3ab switch to relative paths for config file includes 2023-12-12 02:47:38 +00:00
dbfde7a072 change api port 2023-11-16 19:39:44 -08:00
5cbe89e3ad update mail 2023-10-13 23:26:32 +00:00
ace8e188f7 fix for error pages by splitting error_page and location directives,
delete nextcloud
2023-10-11 21:50:12 -07:00
67af977239 temporary fix for error pages 2023-10-12 04:44:06 +00:00
b6fb15d69e update paas.conf 2023-10-12 00:44:14 +00:00
root
22e4d77637 update sites 2023-10-05 21:12:18 +00:00
root
79fb3d950a delete apk-new files 2023-10-05 00:17:56 +00:00
root
e927b8f0c7 delete apk-new files 2023-10-05 00:14:58 +00:00
root
de6abea682 disable nextcloud, add gitea 2023-09-10 06:04:55 +00:00
b48c8ddbbf Update nextcloud.conf 2023-06-10 23:18:59 -07:00
ce52b0752d Update mail.conf 2023-06-10 13:57:47 -07:00
c9a18395b0 Update mail.conf 2023-06-09 23:52:26 -07:00
843b06f94f set X-Frame-Options to SAMEORIGIN 2023-05-22 16:45:59 -07:00
d61e5a9302 move proxy header overrides to proxy-params.conf 2023-05-22 16:39:08 -07:00
38abef5751 fix style 2023-05-13 21:13:18 -07:00
5146a8e583 fix style 2023-05-12 23:48:30 -07:00
root
8d4b1cce75 fix style 2023-05-13 06:45:55 +00:00
root
b58ee55827 add security headers 2023-05-13 06:03:54 +00:00
root
c619bdb86a remove add_headers 2023-05-13 05:15:35 +00:00
32 changed files with 263 additions and 200 deletions

1
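--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.apk-new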

14
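--- /dev/null
+++ b/conf.d/stream.conf
+# /etc/nginx/conf.d/stream.conf
+stream {
+# Specifies the main log format.
+log_format main '$remote_addr [$time_local] '
+'$protocol $status $bytes_sent $bytes_received '
+'$session_time "$upstream_addr" '
+'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+access_log /var/log/nginx/stream.log main;
+# Includes servers configs.
+include stream.d/*.conf;
+}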
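Review bot: The `stream {` at the top of this file opens a second stream context, and the nginx.conf hunk further down this page already declares a `stream {}` block of its own — nginx rejects a second one as a duplicate directive, so if the main config ever includes conf.d/*.conf the server will not start, and if it does not, this file is dead configuration. Its `include stream.d/*.conf;` also names a directory that does not match the `stream/` directory nginx.conf includes and that this commit populates with stream/minecraft.conf, and its `access_log /var/log/nginx/stream.log main;` disagrees with the `access.log basic` used there. Whether anything includes conf.d/ is not visible on this page; either remove this file or make it the single stream context and delete the block in nginx.conf.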

6
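--- /dev/null
+++ b/http/default.conf
@@ -0,0 +1,6 @@
+server {
+listen 443 ssl default_server;
+server_name *.tronnet.net;
+include snippets/ssl-acme.conf;
+return 301 https://tronnet.net;
+}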

9
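--- /dev/null
+++ b/http/gitea.conf
@@ -0,0 +1,9 @@
+server {
+listen 443 ssl;
+server_name git.tronnet.net;
+include snippets/ssl-acme.conf;
+location / {
+proxy_pass http://gitea.dmz:3000;
+proxy_redirect default;
+}
+}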
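Review bot: This server block, like http/mail.conf below, omits the `include snippets/proxy-errors.conf;` and `include snippets/error-pages.conf;` lines that every other http/*.conf server on this page carries, so a reader cannot tell an oversight from a decision. Leaving them out is plausibly deliberate here — git's smart-HTTP clients and the Gitea API read the backend's own error bodies, and intercepting 4xx/5xx into HTML pages would break them — but nothing in the file says so. Record it with one comment after the `include snippets/ssl-acme.conf;` line: `# no proxy-errors/error-pages on purpose: git smart-HTTP and the API need the backend's own error responses`.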

11
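--- /dev/null
+++ b/http/homepage.conf
@@ -0,0 +1,11 @@
+server {
+listen 443 ssl;
+server_name tronnet.net;
+include snippets/ssl-acme.conf;
+include snippets/proxy-errors.conf;
+include snippets/error-pages.conf;
+location / {
+proxy_pass http://sites.dmz:80;
+proxy_redirect default;
+}
+}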

9
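--- /dev/null
+++ b/http/mail.conf
@@ -0,0 +1,9 @@
+server {
+listen 443 ssl;
+server_name mail.tronnet.net;
+include snippets/ssl-acme.conf;
+location / {
+proxy_pass http://mail.dmz/;
+proxy_redirect default;
+}
+}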
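Review bot: `proxy_pass http://mail.dmz/;` replaces the `proxy_pass https://mail2.dmz;` of the deleted sites/mail.conf further down this page, so the hop from this proxy to the webmail backend has gone from TLS to cleartext and mail credentials and session cookies now cross the DMZ segment unencrypted (assuming mail.dmz is the same kind of service as mail2.dmz — the backends themselves are not on this page). If that segment is trusted and this is intended, say so in a comment next to the proxy_pass; otherwise keep `https://` and verify the upstream with `proxy_ssl_verify on;` plus `proxy_ssl_trusted_certificate` pointing at the backend's CA.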

11
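--- /dev/null
+++ b/http/minecraft.conf
@@ -0,0 +1,11 @@
+server {
+listen 443 ssl;
+server_name minecraft.tronnet.net;
+include snippets/ssl-acme.conf;
+include snippets/proxy-errors.conf;
+include snippets/error-pages.conf;
+location / {
+proxy_pass http://minecraft.root:80;
+proxy_redirect default;
+}
+}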

11
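--- /dev/null
+++ b/http/opns.conf
@@ -0,0 +1,11 @@
+server {
+listen 443 ssl;
+server_name opns.tronnet.net;
+include snippets/ssl-acme.conf;
+include snippets/proxy-errors.conf;
+include snippets/error-pages.conf;
+location / {
+proxy_pass https://10.0.0.1:10443;
+proxy_redirect default;
+}
+}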
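Review bot: `proxy_pass https://10.0.0.1:10443;` exposes what the hostname suggests is the firewall's management UI under opns.tronnet.net with nothing in this server block limiting who can reach it — no `allow`/`deny` list and no client-certificate or auth requirement — so the backend's own login form is the only barrier between the internet and the firewall admin interface; restrict this to the addresses that actually administer it, or at least document why it must be public. The TLS hop to 10.0.0.1 is also unverified: `proxy_ssl_verify` defaults to off, so any certificate presented on that address is accepted, and `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` (and `proxy_ssl_name` if the certificate is not issued for the bare IP) closes that. Both points apply equally to the pve.tronnet.net hunk above (`proxy_pass https://geigatron-0-pve.tn:8006`), whose server block runs on past the end of its hunk.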

18
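--- /dev/null
+++ b/http/paas.conf
@@ -0,0 +1,18 @@
+server {
+listen 443 ssl;
+server_name paas.tronnet.net;
+include snippets/ssl-acme.conf;
+include snippets/error-pages.conf;
+location /dashboard/ {
+include snippets/proxy-errors.conf;
+proxy_pass http://proxmoxaas.dmz:8080/;
+proxy_redirect default;
+}
+location /api/ {
+proxy_pass http://proxmoxaas.dmz:8081/api/;
+proxy_redirect default;
+}
+location = / {
+return 301 "/dashboard/";
+}
+}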
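Review bot: The `location /api/` block skips the `include snippets/proxy-errors.conf;` that `location /dashboard/` carries, while `snippets/error-pages.conf` is included at server level, so backend 4xx/5xx responses on /api/ reach the client untouched but dashboard errors are replaced with the HTML error pages. That asymmetry is probably intended — API consumers want the backend's own status and body — but nothing in the file says so, and the next reader may "fix" it. Add one comment inside `location /api/`: `# no proxy-errors here: API consumers need the backend's own error status and body, not the HTML pages`.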


@ -1,7 +1,7 @@
server { server {
listen 443 ssl http2; listen 443 ssl;
server_name pve.tronnet.net; server_name pve.tronnet.net;
include /etc/nginx/snippets/ssl-acme.conf; include snippets/ssl-acme.conf;
location / { location / {
proxy_pass https://geigatron-0-pve.tn:8006; proxy_pass https://geigatron-0-pve.tn:8006;
proxy_redirect default; proxy_redirect default;


@ -2,4 +2,4 @@ server {
listen 80 default_server; listen 80 default_server;
server_name *.tronnet.net; server_name *.tronnet.net;
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }

11
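--- /dev/null
+++ b/http/root.conf
@@ -0,0 +1,11 @@
+server {
+listen 443 ssl;
+server_name root.tronnet.net;
+include snippets/ssl-acme.conf;
+include snippets/proxy-errors.conf;
+include snippets/error-pages.conf;
+location / {
+proxy_pass http://root.root:80;
+proxy_redirect default;
+}
+}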


@ -1,8 +1,9 @@
server { server {
listen 443 ssl http2; listen 443 ssl;
server_name status.tronnet.net; server_name status.tronnet.net;
include /etc/nginx/snippets/ssl-acme.conf; include snippets/ssl-acme.conf;
include /etc/nginx/snippets/error-pages.conf; include snippets/proxy-errors.conf;
include snippets/error-pages.conf;
location / { location / {
proxy_pass http://sites.dmz:8080; proxy_pass http://sites.dmz:8080;
proxy_redirect default; proxy_redirect default;

11
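--- /dev/null
+++ b/http/wiki.conf
@@ -0,0 +1,11 @@
+server {
+listen 443 ssl;
+server_name wiki.tronnet.net;
+include snippets/ssl-acme.conf;
+include snippets/proxy-errors.conf;
+include snippets/error-pages.conf;
+location / {
+proxy_pass http://sites.dmz:8081;
+proxy_redirect default;
+}
+}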


@ -1,89 +1,98 @@
types { types {
text/html html htm shtml; text/html html htm shtml;
text/css css; text/css css;
text/xml xml; text/xml xml;
image/gif gif; image/gif gif;
image/jpeg jpeg jpg; image/jpeg jpeg jpg;
application/javascript js; application/javascript js;
application/atom+xml atom; application/atom+xml atom;
application/rss+xml rss; application/rss+xml rss;
text/mathml mml; text/mathml mml;
text/plain txt; text/plain txt;
text/vnd.sun.j2me.app-descriptor jad; text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml; text/vnd.wap.wml wml;
text/x-component htc; text/x-component htc;
image/png png; image/avif avif;
image/tiff tif tiff; image/png png;
image/vnd.wap.wbmp wbmp; image/svg+xml svg svgz;
image/x-icon ico; image/tiff tif tiff;
image/x-jng jng; image/vnd.wap.wbmp wbmp;
image/x-ms-bmp bmp; image/webp webp;
image/svg+xml svg svgz; image/x-icon ico;
image/webp webp; image/x-jng jng;
image/x-ms-bmp bmp;
application/font-woff woff; font/woff woff;
application/java-archive jar war ear; font/woff2 woff2;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll; application/java-archive jar war ear;
application/octet-stream deb; application/json json;
application/octet-stream dmg; application/mac-binhex40 hqx;
application/octet-stream iso img; application/msword doc;
application/octet-stream msi msp msm; application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; application/octet-stream bin exe dll;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; application/octet-stream deb;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar; audio/midi mid midi kar;
audio/mpeg mp3; audio/mpeg mp3;
audio/ogg ogg; audio/ogg ogg;
audio/x-m4a m4a; audio/x-m4a m4a;
audio/x-realaudio ra; audio/x-realaudio ra;
video/3gpp 3gpp 3gp; video/3gpp 3gpp 3gp;
video/mp2t ts; video/mp2t ts;
video/mp4 mp4; video/mp4 mp4;
video/mpeg mpeg mpg; video/mpeg mpeg mpg;
video/quicktime mov; video/quicktime mov;
video/webm webm; video/webm webm;
video/x-flv flv; video/x-flv flv;
video/x-m4v m4v; video/x-m4v m4v;
video/x-mng mng; video/x-mng mng;
video/x-ms-asf asx asf; video/x-ms-asf asx asf;
video/x-ms-wmv wmv; video/x-ms-wmv wmv;
video/x-msvideo avi; video/x-msvideo avi;
} }

1
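--- /dev/null
+++ b/modules/10_stream.conf
@@ -0,0 +1 @@
+load_module "modules/ngx_stream_module.so";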
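Review bot: The nginx.conf hunk below drops its `load_module /usr/lib/nginx/modules/ngx_stream_module.so;` line in favour of this file, but no line visible on this page includes modules/*.conf, and the relative `modules/ngx_stream_module.so` path now resolves against nginx's prefix directory rather than the old absolute location. The nginx.conf hunk displays fewer lines than its `+1,23` count, so an `include modules/*.conf;` may simply be among the lines not shown; without a load_module that is parsed before it, the `stream {}` block in nginx.conf is an unknown directive and nginx will not start. A one-line comment here would make the dependency explicit: `# must be loaded (via an include of modules/*.conf in nginx.conf) before the stream {} block is parsed`.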


@ -1,21 +1,23 @@
user nginx; user nginx;
worker_processes auto; worker_processes auto;
pid /run/nginx.pid; pcre_jit on;
load_module /usr/lib/nginx/modules/ngx_stream_module.so;
events { events {
worker_connections 768; worker_connections 768;
} }
http { http {
server_tokens off;
sendfile on; sendfile on;
tcp_nopush on; tcp_nopush on;
types_hash_max_size 2048; types_hash_max_size 2048;
# mime types # mime types
include /etc/nginx/mime.types; include mime.types;
default_type application/octet-stream; default_type application/octet-stream;
# logging # logging
access_log /var/log/nginx/access.log; access_log access.log;
error_log /var/log/nginx/error.log; error_log error.log;
# gzip # gzip
gzip on; gzip on;
@ -27,11 +29,25 @@ http {
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
# ssl parameters # ssl parameters
include /etc/nginx/ssl-params.conf; include ssl-params.conf;
# proxy parameters # proxy parameters
include /etc/nginx/proxy-params.conf; include proxy-params.conf;
# include sites # enable http2
include /etc/nginx/sites/*; http2 on;
# include http
include http/*.conf;
}
stream {
# logging
log_format basic '$remote_addr:$remote_port - $time_local '
'$protocol stat:$status bs:$bytes_sent br:$bytes_received '
st:'$session_time';
access_log access.log basic;
error_log error.log;
# include stream
include stream/*.conf;
} }
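Review bot: In the new stream block's log_format, `st:'$session_time';` puts the `st:` prefix outside the quotes, so the tokenizer reads all of `st:'$session_time'` as one unquoted token and the two quote characters land literally in every log line; the intended form is `'st:$session_time';`. Both contexts also write to the same file — the http block with `access_log access.log;` in the default combined format and the stream block with `access_log access.log basic;` — which gives one file with two record layouts for any parser or SIEM to untangle, so a separate file for the stream context is worth the line; these relative paths resolve against nginx's prefix directory, which is not visible here. `http2 on;` as an http-level directive exists only from nginx 1.25.1, where the per-listen `http2` flag the old files used is deprecated, so the build in use needs checking before this is rolled out. The stream block is the more important of this section's two hunks; the earlier one only relativises include paths and adds `server_tokens off;`.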


@ -10,3 +10,17 @@ send_timeout 3600s;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_hide_header X-Powered-By;
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options SAMEORIGIN;
proxy_hide_header X-XSS-Protection;
add_header X-XSS-Protection 0;
proxy_hide_header X-Content-Type-Options;
add_header X-Content-Type-Options nosniff;
proxy_hide_header Referrer-Policy;
add_header Referrer-Policy strict-origin-when-cross-origin;
proxy_hide_header Strict-Transport-Security;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;";
proxy_hide_header Access-Control-Allow-Origin;
add_header Access-Control-Allow-Origin https://tronnet.net;
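Review bot: None of the new `add_header` lines carries the `always` parameter, and without it nginx attaches the header only to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses — so the HTML error pages this repository intercepts with proxy_intercept_errors go out without Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options and the rest; write each as e.g. `add_header X-Frame-Options SAMEORIGIN always;`. These headers reach the server blocks by inheritance from the http level, and nginx inherits `add_header` into a server or location only when that block defines no add_header of its own, so any future `add_header` in an http/*.conf silently drops the whole set for that block; a comment at the top of this group saying so would prevent that regression. The stray `;` after `preload` in the HSTS value is within RFC 6797's grammar but unconventional; the usual form is `"max-age=63072000; includeSubDomains; preload"`. The snippet starts before this hunk (it opens at line 10), so the lines above these are not visible.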


@ -1,14 +0,0 @@
server {
listen 443 ssl http2;
server_name client.tronnet.net;
include /etc/nginx/snippets/ssl-acme.conf;
location / {
include /etc/nginx/snippets/error-pages.conf;
proxy_pass http://proxmoxaas.dmz:8080;
proxy_redirect default;
}
location /api/ {
proxy_pass http://proxmoxaas.dmz:80;
proxy_redirect default;
}
}


@ -1,6 +0,0 @@
server {
listen 443 ssl http2 default_server;
server_name *.tronnet.net;
include /etc/nginx/snippets/ssl-acme.conf;
return 301 https://tronnet.net;
}


@ -1,10 +0,0 @@
server {
listen 443 ssl http2;
server_name tronnet.net;
include /etc/nginx/snippets/ssl-acme.conf;
include /etc/nginx/snippets/error-pages.conf;
location / {
proxy_pass http://sites.dmz:80;
proxy_redirect default;
}
}


@ -1,10 +0,0 @@
server {
listen 443 ssl http2;
server_name ldap.tronnet.net;
include /etc/nginx/snippets/ssl-acme.conf;
include /etc/nginx/snippets/error-pages.conf;
location / {
proxy_pass http://ldap.dmz:80;
proxy_redirect default;
}
}


@ -1,10 +0,0 @@
server {
listen 443 ssl http2;
server_name mail.tronnet.net;
include /etc/nginx/snippets/ssl-acme.conf;
include /etc/nginx/snippets/error-pages.conf;
location / {
proxy_pass https://mail2.dmz;
proxy_redirect default;
}
}


@ -1,10 +0,0 @@
server {
listen 443 ssl http2;
server_name nextcloud.tronnet.net;
include /etc/nginx/snippets/ssl-acme.conf;
include /etc/nginx/snippets/error-pages.conf;
location / {
proxy_pass http://nextcloud2.dmz:11000;
proxy_redirect default;
}
}


@ -1,10 +0,0 @@
server {
listen 443 ssl http2;
server_name opns.tronnet.net;
include /etc/nginx/snippets/ssl-acme.conf;
include /etc/nginx/snippets/error-pages.conf;
location / {
proxy_pass https://10.0.0.1:10443;
proxy_redirect default;
}
}


@ -1,10 +0,0 @@
server {
listen 443 ssl http2;
server_name root.tronnet.net;
include /etc/nginx/snippets/ssl-acme.conf;
include /etc/nginx/snippets/error-pages.conf;
location / {
proxy_pass http://root.root:80;
proxy_redirect default;
}
}


@ -1,10 +0,0 @@
server {
listen 443 ssl http2;
server_name wiki.tronnet.net;
include /etc/nginx/snippets/ssl-acme.conf;
include /etc/nginx/snippets/error-pages.conf;
location / {
proxy_pass http://sites.dmz:8081;
proxy_redirect default;
}
}


@ -1,14 +1,3 @@
proxy_intercept_errors on;
error_page 400 /ErrorPages/HTTP400.html;
error_page 401 /ErrorPages/HTTP401.html;
error_page 403 /ErrorPages/HTTP403.html;
error_page 404 /ErrorPages/HTTP404.html;
error_page 500 /ErrorPages/HTTP500.html;
error_page 501 /ErrorPages/HTTP501.html;
error_page 502 /ErrorPages/HTTP502.html;
error_page 503 /ErrorPages/HTTP503.html;
location /ErrorPages/ { location /ErrorPages/ {
alias /var/www/html/ErrorPages/; alias /var/www/html/ErrorPages/;
internal; internal;


@ -0,0 +1,9 @@
proxy_intercept_errors on;
error_page 400 /ErrorPages/HTTP400.html;
error_page 401 /ErrorPages/HTTP401.html;
error_page 403 /ErrorPages/HTTP403.html;
error_page 404 /ErrorPages/HTTP404.html;
error_page 500 /ErrorPages/HTTP500.html;
error_page 501 /ErrorPages/HTTP501.html;
error_page 502 /ErrorPages/HTTP502.html;
error_page 503 /ErrorPages/HTTP503.html;
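Review bot: The nine `error_page` targets here resolve only if `snippets/error-pages.conf` — which after this split holds just the `internal` `location /ErrorPages/` alias — is included in the same server block; included alone, an intercepted error redirects internally to /ErrorPages/HTTP5xx.html, that URI falls into the catch-all `location /` and is proxied to the backend, so the client gets whatever the backend answers for a path it has never heard of. Every server on this page that includes this snippet also includes error-pages.conf, but the coupling is invisible from this file. A header comment would pin it down: `# pair with snippets/error-pages.conf in the same server block; it provides the internal /ErrorPages/ location these error_page URIs point to`.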


@ -2,4 +2,4 @@
location '/.well-known/acme-challenge' { location '/.well-known/acme-challenge' {
default_type "text/plain"; default_type "text/plain";
root /var/www/html; root /var/www/html;
} }


@ -9,9 +9,6 @@ ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s; resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s; resolver_timeout 5s;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_dhparam /etc/ssl/certs/dhparam.pem;
# ssl cert paths # ssl cert paths

5
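--- /dev/null
+++ b/stream/minecraft.conf
@@ -0,0 +1,5 @@
+server {
+listen 25565 reuseport;
+proxy_timeout 30s;
+proxy_pass minecraft.root:25565;
+}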
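Review bot: Because this is a plain TCP relay, the game server at minecraft.root:25565 sees every player as connecting from this proxy's address, so any source-IP bans, per-IP connection caps or rate limits configured on the Minecraft server itself no longer distinguish players; if those protections matter they have to live here, with `limit_conn_zone $binary_remote_addr zone=ZONE_NAME:ZONE_SIZE;` in the stream context and `limit_conn ZONE_NAME N;` in this server (placeholders to fill in). If the backend is itself a proxy layer that accepts the PROXY protocol, `proxy_protocol on;` would instead forward the real client address, but a vanilla server does not accept it. `proxy_timeout 30s;` is the idle limit between two successive reads or writes in either direction, so it is only safe if client and server exchange traffic more often than that during normal play — presumably the game's keepalive covers it, but confirm.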