Diffstat (limited to 'files/usr/local/etc/nginx')
-rw-r--r--files/usr/local/etc/nginx/fastcgi_params.common31
-rw-r--r--files/usr/local/etc/nginx/nginx.conf.common37
-rw-r--r--files/usr/local/etc/nginx/vhosts.conf.bitwarden_server36
-rw-r--r--files/usr/local/etc/nginx/vhosts.conf.dav_server55
-rw-r--r--files/usr/local/etc/nginx/vhosts.conf.smtp_server4
-rw-r--r--files/usr/local/etc/nginx/vhosts.conf.ttrss_server43
-rw-r--r--files/usr/local/etc/nginx/vhosts.conf.xmpp_server21
-rw-r--r--files/usr/local/etc/nginx/vhosts.conf.znc_server21
8 files changed, 241 insertions, 7 deletions
diff --git a/files/usr/local/etc/nginx/fastcgi_params.common b/files/usr/local/etc/nginx/fastcgi_params.common
new file mode 100644
index 0000000..d0a6c69
--- /dev/null
+++ b/files/usr/local/etc/nginx/fastcgi_params.common
@@ -0,0 +1,31 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param PATH_INFO $fastcgi_path_info;
+fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $host;
+fastcgi_param REMOTE_USER $remote_user if_not_empty;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+
+# Protect against HTTPoxy vuln
+fastcgi_param HTTP_PROXY "";
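Review bot: The nginx variables in this file are written unescaped (`$query_string`, `$document_root$fastcgi_script_name`, …) while every other file in this commit escapes them as `\$` because it is rendered through a shell heredoc (compare `map \$http_upgrade` in nginx.conf.common). If fastcgi_params.common goes through the same rendering step, the shell expands each `$name` to an empty string (or aborts under `set -u`) and the emitted fastcgi_params carries empty QUERY_STRING, SCRIPT_FILENAME and REMOTE_ADDR values; if the file is installed verbatim, this does not apply. Either way the treatment should be stated at the top of the file, e.g. `# not templated: nginx variables are intentionally unescaped here`, or the variables escaped like the other templates, e.g. `fastcgi_param QUERY_STRING \$query_string;`.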
diff --git a/files/usr/local/etc/nginx/nginx.conf.common b/files/usr/local/etc/nginx/nginx.conf.common
index 1da7c3c..98ff9f9 100644
--- a/files/usr/local/etc/nginx/nginx.conf.common
+++ b/files/usr/local/etc/nginx/nginx.conf.common
@@ -33,8 +33,22 @@ http {
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
- ssl_protocols TLSv1.3;
- ssl_prefer_server_ciphers off;
+$(if [ "${nginx_public:-}" = true ]; then <<EOF
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_dhparam ${dhparams_path};
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver ${resolvers};
+ resolver_timeout 5s;
+EOF
+else
+ cat <<EOF
+ ssl_protocols TLSv1.3;
+EOF
+fi
+)
+ ssl_prefer_server_ciphers off;
map \$http_upgrade \$connection_upgrade {
default upgrade;
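Review bot: The `nginx_public` branch at the top of the substitution (`then <<EOF`) has no command in front of the here-document, so the shell reads and discards it and the public TLS settings (`ssl_protocols`, `ssl_ciphers`, `ssl_dhparam`, stapling, resolver) are never emitted; the `else` branch correctly uses `cat <<EOF`. The fix is `$(if [ "${nginx_public:-}" = true ]; then cat <<EOF`. A rendered config would otherwise silently run with nginx's built-in protocol and cipher defaults and without OCSP stapling, which `nginx -t` does not catch, so a check that the rendered file contains `ssl_dhparam` for a public host is worth adding to whatever validates the output. `ssl_stapling_verify on` also needs the issuer chain available, via `ssl_trusted_certificate` or a chain inside the `ssl_certificate` file; only the xmpp vhost in this commit sets `ssl_trusted_certificate`, so confirm the other vhosts' certificate files include the chain. The enclosing `http {` block continues outside the hunk.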
@@ -47,10 +61,11 @@ $([ "${nginx_gssapi:-}" = true ] && cat <<EOF
EOF
)
-$([ "${acme:-}" = true ] && [ "${acme_standalone:-}" != true ] && cat <<EOF
+$(if [ "${acme:-}" = true ] && [ "${acme_standalone:-}" != true ]; then
+cat <<EOF
server {
- listen 0.0.0.0:80 default_server;
- listen [::]:80 default_server;
+ listen 0.0.0.0:80;
+ listen [::]:80;
location /.well-known/acme-challenge/ {
root ${acme_webroot};
@@ -62,6 +77,18 @@ $([ "${acme:-}" = true ] && [ "${acme_standalone:-}" != true ] && cat <<EOF
}
}
EOF
+ elif [ "${nginx_redirect:-}" != false ]; then
+cat <<EOF
+ server {
+ listen 0.0.0.0:80;
+ listen [::]:80;
+
+ location / {
+ return 301 https://\$host\$request_uri;
+ }
+ }
+EOF
+ fi
)
include vhosts.conf;
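Review bot: The new `elif` makes the HTTP-to-HTTPS redirect server and the ACME webroot server mutually exclusive, so on a host with `acme=true` (non-standalone) no redirect for plain-HTTP requests outside `/.well-known/acme-challenge/` is emitted unless the ACME server block does it itself; the lines of that block between the two hunks are not visible here, so I cannot tell. If the ACME server does not redirect, add the same `location / { return 301 https://\$host\$request_uri; }` there, or document the trade-off above the `if`, e.g. `# acme webroot mode replaces the redirect server; plain-HTTP requests outside the challenge path are not redirected`. The default is also implicit: `[ "${nginx_redirect:-}" != false ]` treats unset and any value other than the literal `false` as enabled, which deserves a one-line comment. Minor: `elif` and `fi` are indented by one space while the matching `if` and `cat` are not.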
diff --git a/files/usr/local/etc/nginx/vhosts.conf.bitwarden_server b/files/usr/local/etc/nginx/vhosts.conf.bitwarden_server
new file mode 100644
index 0000000..0ef31bb
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.bitwarden_server
@@ -0,0 +1,36 @@
+upstream vaultwarden {
+ zone vaultwarden 64k;
+ server 127.0.0.1:${vaultwarden_port};
+ keepalive 2;
+}
+
+map \$http_upgrade \$connection_upgrade {
+ default upgrade;
+ '' "";
+}
+
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ http2 on;
+
+ client_max_body_size 256M;
+
+ ssl_certificate ${vaultwarden_https_cert};
+ ssl_certificate_key ${vaultwarden_https_key};
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ location / {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade \$http_upgrade;
+ proxy_set_header Connection \$connection_upgrade;
+
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+
+ proxy_pass http://vaultwarden/;
+ }
+}
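Review bot: The `map \$http_upgrade \$connection_upgrade` block redefines a variable that nginx.conf.common already declares at http level (visible in that file's first hunk), and vhosts.conf is included into the same http context. As far as I recall nginx lets a later `map` redefine the variable, so this is redundant rather than fatal, but two copies of the same map will drift; drop this one or, if the vhost files must be self-contained, drop the one in nginx.conf.common. Also `listen 443 ssl default_server` appears in every vhost file of this commit, which only works if exactly one of them is rendered into vhosts.conf per host; a comment stating that assumption, e.g. `# one vhosts.conf.<role> file is rendered per host, hence default_server`, would help.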
diff --git a/files/usr/local/etc/nginx/vhosts.conf.dav_server b/files/usr/local/etc/nginx/vhosts.conf.dav_server
new file mode 100644
index 0000000..71bbc71
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.dav_server
@@ -0,0 +1,55 @@
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ http2 on;
+
+ root ${davical_webroot};
+ index index.html index.php;
+
+ ssl_certificate ${davical_https_cert};
+ ssl_certificate_key ${davical_https_key};
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ auth_gss_keytab ${davical_keytab};
+ auth_gss_allow_basic_fallback off;
+
+ location / {
+ auth_gss on;
+ satisfy any;
+$(printf ' deny %s;\n' $kerberized_cidrs)
+ allow all;
+ try_files \$uri \$uri/ /caldav.php\$uri?\$query_string;
+ }
+
+ location /.well-known/ {
+ try_files \$uri \$uri/ /caldav.php\$uri?\$query_string;
+ }
+
+ location ~ ^/caldav\.php/\.well-known/ {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ if (!-f \$document_root\$fastcgi_script_name) {
+ return 404;
+ }
+ fastcgi_index index.php;
+ fastcgi_intercept_errors on;
+ include fastcgi_params;
+ fastcgi_pass unix:${davical_fpm_socket};
+ }
+
+ location ~ [^/]\.php(/|$) {
+ auth_gss on;
+ satisfy any;
+$(printf ' deny %s;\n' $kerberized_cidrs)
+ allow all;
+
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ if (!-f \$document_root\$fastcgi_script_name) {
+ return 404;
+ }
+ fastcgi_index index.php;
+ fastcgi_intercept_errors on;
+ include fastcgi_params;
+ fastcgi_pass unix:${davical_fpm_socket};
+ }
+}
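Review bot: `$(printf ' deny %s;\n' $kerberized_cidrs)` emits `deny ;` when `kerberized_cidrs` is empty or unset, because printf prints the format once even with no arguments, and nginx then rejects the rendered vhost; the same construct appears again in this hunk in the `.php` location and in vhosts.conf.ttrss_server. A loop avoids it: `$(for c in $kerberized_cidrs; do printf ' deny %s;\n' "$c"; done)`. The `satisfy any` / `deny` / `allow all` combination also reads the opposite of what it does and deserves a comment, e.g. `# satisfy any: clients in kerberized_cidrs are denied by address and so must pass SPNEGO; all other clients pass through without nginx auth`, plus a note on what authenticates those other clients — presumably DAViCal's own login, since basic fallback is off, but that is not visible here.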
diff --git a/files/usr/local/etc/nginx/vhosts.conf.smtp_server b/files/usr/local/etc/nginx/vhosts.conf.smtp_server
index 4b84ede..322ca34 100644
--- a/files/usr/local/etc/nginx/vhosts.conf.smtp_server
+++ b/files/usr/local/etc/nginx/vhosts.conf.smtp_server
@@ -4,8 +4,8 @@ server {
http2 on;
- ssl_certificate ${rspamd_tls_cert};
- ssl_certificate_key ${rspamd_tls_key};
+ ssl_certificate ${rspamd_https_cert};
+ ssl_certificate_key ${rspamd_https_key};
add_header Strict-Transport-Security "max-age=63072000" always;
diff --git a/files/usr/local/etc/nginx/vhosts.conf.ttrss_server b/files/usr/local/etc/nginx/vhosts.conf.ttrss_server
new file mode 100644
index 0000000..fb0343d
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.ttrss_server
@@ -0,0 +1,43 @@
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ http2 on;
+
+ root ${ttrss_repo_dir};
+ index index.php index.html;
+
+ ssl_certificate ${ttrss_https_cert};
+ ssl_certificate_key ${ttrss_https_key};
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ auth_gss_keytab ${ttrss_keytab};
+ auth_gss_allow_basic_fallback off;
+
+ location ~ ^/index\.php$ {
+ auth_gss on;
+ satisfy any;
+$(printf ' deny %s;\n' $kerberized_cidrs)
+ allow all;
+
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ if (!-f \$document_root\$fastcgi_script_name) {
+ return 404;
+ }
+ fastcgi_index index.php;
+ fastcgi_intercept_errors on;
+ include fastcgi_params;
+ fastcgi_pass unix:${ttrss_fpm_socket};
+ }
+
+ location ~ [^/]\.php(/|$) {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ if (!-f \$document_root\$fastcgi_script_name) {
+ return 404;
+ }
+ fastcgi_index index.php;
+ fastcgi_intercept_errors on;
+ include fastcgi_params;
+ fastcgi_pass unix:${ttrss_fpm_socket};
+ }
+}
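Review bot: The Kerberos gate is anchored as `^/index\.php$`, but the second location's `fastcgi_split_path_info ^(.+?\.php)(/.*)$` accepts path-info URIs such as `/index.php/` that do not match the `$` anchor, so they fall through to the unauthenticated `[^/]\.php(/|$)` location and run the same script without `auth_gss`. Use the same shape as the catch-all, `location ~ ^/index\.php(/|$) {`, so every form of the front controller passes the gate. The `$(printf ' deny %s;\n' $kerberized_cidrs)` line has the same empty-variable problem raised on vhosts.conf.dav_server.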
diff --git a/files/usr/local/etc/nginx/vhosts.conf.xmpp_server b/files/usr/local/etc/nginx/vhosts.conf.xmpp_server
new file mode 100644
index 0000000..732a6de
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.xmpp_server
@@ -0,0 +1,21 @@
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ http2 on;
+
+ ssl_certificate ${prosody_https_cert};
+ ssl_certificate_key ${prosody_https_key};
+ ssl_trusted_certificate ${prosody_https_cacert};
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ location / {
+ proxy_http_version 1.1;
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+ proxy_pass http://127.0.0.1:${prosody_http_port};
+ }
+}
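Review bot: This proxy sets no `Upgrade`/`Connection` headers, so if Prosody's WebSocket endpoint is exposed through it (the `proxy_http_version 1.1` line suggests that may be intended), upgrade requests are downgraded to plain HTTP and fail; the vaultwarden vhost in this commit shows the needed pair, `proxy_set_header Upgrade \$http_upgrade;` and `proxy_set_header Connection \$connection_upgrade;`. If only BOSH or HTTP upload is proxied here, a comment saying so would stop the next reader from adding them. The `ssl_trusted_certificate` line is the only one in this commit; if it is there to satisfy `ssl_stapling_verify`, the other vhosts need the equivalent.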
diff --git a/files/usr/local/etc/nginx/vhosts.conf.znc_server b/files/usr/local/etc/nginx/vhosts.conf.znc_server
new file mode 100644
index 0000000..ee75878
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.znc_server
@@ -0,0 +1,21 @@
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ http2 on;
+
+ ssl_certificate ${znc_tls_cert};
+ ssl_certificate_key ${znc_tls_key};
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ location / {
+ proxy_http_version 1.1;
+
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+
+ proxy_pass http://127.0.0.1:${znc_http_port}/;
+ }
+}
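Review bot: The certificate variables are named `znc_tls_cert`/`znc_tls_key` while every other vhost in this commit uses `<role>_https_cert`/`<role>_https_key`, and the smtp_server hunk of this same commit renames `rspamd_tls_*` to `rspamd_https_*`. Rename these to `znc_https_cert`/`znc_https_key` for consistency, assuming the variable definitions outside this diff are updated in step. Otherwise the file follows the vaultwarden vhost pattern, so a reader can treat the two as one template.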