From 99b8524c16cc99ceeaf1ebf588f2fc0f2c0fbe0a Mon Sep 17 00:00:00 2001
From: Cullum Smith <cullum@sacredheartsc.com>
Date: Sat, 12 Oct 2024 08:14:59 -0400
Subject: add a bunch of hostclasses

---
 files/usr/local/etc/nginx/fastcgi_params.common    | 31 ++++++++++++
 files/usr/local/etc/nginx/nginx.conf.common        | 37 +++++++++++++--
 .../local/etc/nginx/vhosts.conf.bitwarden_server   | 36 ++++++++++++++
 files/usr/local/etc/nginx/vhosts.conf.dav_server   | 55 ++++++++++++++++++++++
 files/usr/local/etc/nginx/vhosts.conf.smtp_server  |  4 +-
 files/usr/local/etc/nginx/vhosts.conf.ttrss_server | 43 +++++++++++++++++
 files/usr/local/etc/nginx/vhosts.conf.xmpp_server  | 21 +++++++++
 files/usr/local/etc/nginx/vhosts.conf.znc_server   | 21 +++++++++
 8 files changed, 241 insertions(+), 7 deletions(-)
 create mode 100644 files/usr/local/etc/nginx/fastcgi_params.common
 create mode 100644 files/usr/local/etc/nginx/vhosts.conf.bitwarden_server
 create mode 100644 files/usr/local/etc/nginx/vhosts.conf.dav_server
 create mode 100644 files/usr/local/etc/nginx/vhosts.conf.ttrss_server
 create mode 100644 files/usr/local/etc/nginx/vhosts.conf.xmpp_server
 create mode 100644 files/usr/local/etc/nginx/vhosts.conf.znc_server

(limited to 'files/usr/local/etc/nginx')

diff --git a/files/usr/local/etc/nginx/fastcgi_params.common b/files/usr/local/etc/nginx/fastcgi_params.common
new file mode 100644
index 0000000..d0a6c69
--- /dev/null
+++ b/files/usr/local/etc/nginx/fastcgi_params.common
@@ -0,0 +1,31 @@
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  PATH_INFO          $fastcgi_path_info;
+fastcgi_param  PATH_TRANSLATED    $document_root$fastcgi_path_info;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $host;
+fastcgi_param  REMOTE_USER        $remote_user if_not_empty;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;
+
+# Protect against HTTPoxy vuln
+fastcgi_param  HTTP_PROXY         "";
diff --git a/files/usr/local/etc/nginx/nginx.conf.common b/files/usr/local/etc/nginx/nginx.conf.common
index 1da7c3c..98ff9f9 100644
--- a/files/usr/local/etc/nginx/nginx.conf.common
+++ b/files/usr/local/etc/nginx/nginx.conf.common
@@ -33,8 +33,22 @@ http {
   ssl_session_timeout        1d;
   ssl_session_cache          shared:SSL:10m;
   ssl_session_tickets        off;
-  ssl_protocols              TLSv1.3;
-  ssl_prefer_server_ciphers  off;
+$(if [ "${nginx_public:-}" = true ]; then <<EOF
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+  ssl_dhparam ${dhparams_path};
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  resolver ${resolvers};
+  resolver_timeout 5s;
+EOF
+else
+  cat <<EOF
+  ssl_protocols TLSv1.3;
+EOF
+fi
+)
+  ssl_prefer_server_ciphers off;
 
   map \$http_upgrade \$connection_upgrade {
     default upgrade;
@@ -47,10 +61,11 @@ $([ "${nginx_gssapi:-}" = true ] && cat <<EOF
 EOF
 )
 
-$([ "${acme:-}" = true ] && [ "${acme_standalone:-}" != true ] && cat <<EOF
+$(if [ "${acme:-}" = true ] && [ "${acme_standalone:-}" != true ]; then
+cat <<EOF
   server {
-    listen       0.0.0.0:80 default_server;
-    listen       [::]:80 default_server;
+    listen       0.0.0.0:80;
+    listen       [::]:80;
 
     location /.well-known/acme-challenge/ {
       root ${acme_webroot};
@@ -62,6 +77,18 @@ $([ "${acme:-}" = true ] && [ "${acme_standalone:-}" != true ] && cat <<EOF
     }
   }
 EOF
+  elif [ "${nginx_redirect:-}" != false ]; then
+cat <<EOF
+  server {
+    listen       0.0.0.0:80;
+    listen       [::]:80;
+
+    location / {
+      return 301 https://\$host\$request_uri;
+    }
+  }
+EOF
+  fi
 )
 
   include vhosts.conf;
diff --git a/files/usr/local/etc/nginx/vhosts.conf.bitwarden_server b/files/usr/local/etc/nginx/vhosts.conf.bitwarden_server
new file mode 100644
index 0000000..0ef31bb
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.bitwarden_server
@@ -0,0 +1,36 @@
+upstream vaultwarden {
+  zone vaultwarden 64k;
+  server 127.0.0.1:${vaultwarden_port};
+  keepalive 2;
+}
+
+map \$http_upgrade \$connection_upgrade {
+  default upgrade;
+  ''      "";
+}
+
+server {
+  listen 443      ssl default_server;
+  listen [::]:443 ssl default_server;
+  http2 on;
+
+  client_max_body_size 256M;
+
+  ssl_certificate      ${vaultwarden_https_cert};
+  ssl_certificate_key  ${vaultwarden_https_key};
+
+  add_header Strict-Transport-Security "max-age=63072000" always;
+
+  location / {
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade \$http_upgrade;
+    proxy_set_header Connection \$connection_upgrade;
+
+    proxy_set_header Host \$host;
+    proxy_set_header X-Real-IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto \$scheme;
+
+    proxy_pass http://vaultwarden/;
+  }
+}
diff --git a/files/usr/local/etc/nginx/vhosts.conf.dav_server b/files/usr/local/etc/nginx/vhosts.conf.dav_server
new file mode 100644
index 0000000..71bbc71
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.dav_server
@@ -0,0 +1,55 @@
+server {
+  listen 443      ssl default_server;
+  listen [::]:443 ssl default_server;
+  http2 on;
+
+  root ${davical_webroot};
+  index index.html index.php;
+
+  ssl_certificate      ${davical_https_cert};
+  ssl_certificate_key  ${davical_https_key};
+
+  add_header Strict-Transport-Security "max-age=63072000" always;
+
+  auth_gss_keytab ${davical_keytab};
+  auth_gss_allow_basic_fallback off;
+
+  location / {
+    auth_gss on;
+    satisfy any;
+$(printf '    deny %s;\n' $kerberized_cidrs)
+    allow all;
+    try_files \$uri \$uri/ /caldav.php\$uri?\$query_string;
+  }
+
+  location /.well-known/ {
+    try_files \$uri \$uri/ /caldav.php\$uri?\$query_string;
+  }
+
+  location ~ ^/caldav\.php/\.well-known/ {
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+    if (!-f \$document_root\$fastcgi_script_name) {
+      return 404;
+    }
+    fastcgi_index index.php;
+    fastcgi_intercept_errors on;
+    include fastcgi_params;
+    fastcgi_pass unix:${davical_fpm_socket};
+  }
+
+  location ~ [^/]\.php(/|$) {
+    auth_gss on;
+    satisfy any;
+$(printf '    deny %s;\n' $kerberized_cidrs)
+    allow all;
+
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+    if (!-f \$document_root\$fastcgi_script_name) {
+      return 404;
+    }
+    fastcgi_index index.php;
+    fastcgi_intercept_errors on;
+    include fastcgi_params;
+    fastcgi_pass unix:${davical_fpm_socket};
+  }
+}
diff --git a/files/usr/local/etc/nginx/vhosts.conf.smtp_server b/files/usr/local/etc/nginx/vhosts.conf.smtp_server
index 4b84ede..322ca34 100644
--- a/files/usr/local/etc/nginx/vhosts.conf.smtp_server
+++ b/files/usr/local/etc/nginx/vhosts.conf.smtp_server
@@ -4,8 +4,8 @@ server {
 
   http2 on;
 
-  ssl_certificate      ${rspamd_tls_cert};
-  ssl_certificate_key  ${rspamd_tls_key};
+  ssl_certificate      ${rspamd_https_cert};
+  ssl_certificate_key  ${rspamd_https_key};
 
   add_header Strict-Transport-Security "max-age=63072000" always;
 
diff --git a/files/usr/local/etc/nginx/vhosts.conf.ttrss_server b/files/usr/local/etc/nginx/vhosts.conf.ttrss_server
new file mode 100644
index 0000000..fb0343d
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.ttrss_server
@@ -0,0 +1,43 @@
+server {
+  listen 443      ssl default_server;
+  listen [::]:443 ssl default_server;
+  http2 on;
+
+  root ${ttrss_repo_dir};
+  index index.php index.html;
+
+  ssl_certificate      ${ttrss_https_cert};
+  ssl_certificate_key  ${ttrss_https_key};
+
+  add_header Strict-Transport-Security "max-age=63072000" always;
+
+  auth_gss_keytab ${ttrss_keytab};
+  auth_gss_allow_basic_fallback off;
+
+  location ~ ^/index\.php$ {
+    auth_gss on;
+    satisfy any;
+$(printf '    deny %s;\n' $kerberized_cidrs)
+    allow all;
+
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+    if (!-f \$document_root\$fastcgi_script_name) {
+      return 404;
+    }
+    fastcgi_index index.php;
+    fastcgi_intercept_errors on;
+    include fastcgi_params;
+    fastcgi_pass unix:${ttrss_fpm_socket};
+  }
+
+  location ~ [^/]\.php(/|$) {
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+    if (!-f \$document_root\$fastcgi_script_name) {
+      return 404;
+    }
+    fastcgi_index index.php;
+    fastcgi_intercept_errors on;
+    include fastcgi_params;
+    fastcgi_pass unix:${ttrss_fpm_socket};
+  }
+}
diff --git a/files/usr/local/etc/nginx/vhosts.conf.xmpp_server b/files/usr/local/etc/nginx/vhosts.conf.xmpp_server
new file mode 100644
index 0000000..732a6de
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.xmpp_server
@@ -0,0 +1,21 @@
+server {
+  listen 443      ssl default_server;
+  listen [::]:443 ssl default_server;
+
+  http2 on;
+
+  ssl_certificate         ${prosody_https_cert};
+  ssl_certificate_key     ${prosody_https_key};
+  ssl_trusted_certificate ${prosody_https_cacert};
+
+  add_header Strict-Transport-Security "max-age=63072000" always;
+
+  location / {
+    proxy_http_version 1.1;
+    proxy_set_header Host \$host;
+    proxy_set_header X-Real-IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto \$scheme;
+    proxy_pass http://127.0.0.1:${prosody_http_port};
+  }
+}
diff --git a/files/usr/local/etc/nginx/vhosts.conf.znc_server b/files/usr/local/etc/nginx/vhosts.conf.znc_server
new file mode 100644
index 0000000..ee75878
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.znc_server
@@ -0,0 +1,21 @@
+server {
+  listen 443      ssl default_server;
+  listen [::]:443 ssl default_server;
+  http2 on;
+
+  ssl_certificate      ${znc_tls_cert};
+  ssl_certificate_key  ${znc_tls_key};
+
+  add_header Strict-Transport-Security "max-age=63072000" always;
+
+  location / {
+    proxy_http_version 1.1;
+
+    proxy_set_header Host \$host;
+    proxy_set_header X-Real-IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto \$scheme;
+
+    proxy_pass http://127.0.0.1:${znc_http_port}/;
+  }
+}
-- 
cgit v1.2.3