authorGeorg2021-08-30 20:51:39 +0200
committerGeorg2021-08-30 20:51:39 +0200
commitc9e34fd1e126731be67c430c0f182a69fbbfcc8d (patch)
treebe3dc6e95554625526d0acae1266d5bfe01d5e2f
parent675ce1ee97a175cf2368a2347f9fef80e7388807 (diff)
downloadsystem-c9e34fd1e126731be67c430c0f182a69fbbfcc8d.tar.gz
system-c9e34fd1e126731be67c430c0f182a69fbbfcc8d.tar.bz2
system-c9e34fd1e126731be67c430c0f182a69fbbfcc8d.zip
Initial nginx run 02/05
Signed-off-by: Georg <georg@lysergic.dev>
-rw-r--r--nginx/02/bastelstube.conf35
-rw-r--r--nginx/02/cachet.conf17
-rw-r--r--nginx/02/confluence.conf30
-rw-r--r--nginx/02/default.conf17
-rw-r--r--nginx/02/dnsui.conf27
-rw-r--r--nginx/02/drone.conf38
-rw-r--r--nginx/02/etherpad.conf39
-rw-r--r--nginx/02/georg.conf23
-rw-r--r--nginx/02/git.conf65
-rw-r--r--nginx/02/grafana.conf15
-rw-r--r--nginx/02/graylog.conf42
-rw-r--r--nginx/02/jitsi.conf57
-rw-r--r--nginx/02/keycloak.conf219
-rw-r--r--nginx/02/matrix.conf79
-rw-r--r--nginx/02/mirror.conf15
-rw-r--r--nginx/02/phpldapadmin.conf22
-rw-r--r--nginx/02/privatebin.conf24
-rw-r--r--nginx/02/prometheus.conf67
-rw-r--r--nginx/02/scooper.conf29
-rw-r--r--nginx/02/shlink-web.conf31
-rw-r--r--nginx/02/shlink.conf29
-rw-r--r--nginx/02/syscid.conf15
-rw-r--r--nginx/02/tp.3gy.de.conf28
-rw-r--r--nginx/02/xen-orchestra.conf23
24 files changed, 986 insertions, 0 deletions
diff --git a/nginx/02/bastelstube.conf b/nginx/02/bastelstube.conf
new file mode 100644
index 0000000..f065034
--- /dev/null
+++ b/nginx/02/bastelstube.conf
@@ -0,0 +1,35 @@
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+
+ server_name www.lysergic.dev lysergic.dev;
+
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSLS:10m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+ resolver 127.0.0.4;
+
+ root /srv/www/htdocs/bastelstube;
+ index index.html;
+
+
+ location /.well-known/matrix/client {
+ return 200 '{"m.homeserver": {"base_url": "https://matrix.lysergic.dev"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ }
+
+ location /.well-known/matrix/server {
+ return 200 '{"m.server": "matrix.lysergic.dev:8448"}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ }
+}
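Review bot: The two `/.well-known/matrix/*` locations each declare their own `add_header Access-Control-Allow-Origin *;`, and nginx inherits `add_header` from the server level only when the location defines none of its own, so the `Strict-Transport-Security` header from line 60 is not sent on those two responses. Repeat `add_header Strict-Transport-Security "max-age=63072000" always;` inside both locations, or move the HSTS line into a small snippet that every location includes. The same inheritance gap exists in the two well-known locations of matrix.conf.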
diff --git a/nginx/02/cachet.conf b/nginx/02/cachet.conf
new file mode 100644
index 0000000..d443a91
--- /dev/null
+++ b/nginx/02/cachet.conf
@@ -0,0 +1,17 @@
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+
+ server_name status.liberta.casa status.lib.casa;
+
+ ssl_certificate /etc/ssl/liberta.casa/fullchain.pem;
+ ssl_certificate_key /etc/ssl/liberta.casa/private/privkey.pem;
+
+ location / {
+ proxy_pass http://cachet.local:8033;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ }
+}
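Review bot: This server block sets no `ssl_protocols`, `ssl_session_*` or `Strict-Transport-Security` directives, so it inherits whatever the http-level configuration provides, and nginx's own default for `ssl_protocols` in releases of this period still included TLSv1 and TLSv1.1 unless a file outside this commit overrides it. The hardening block that bastelstube.conf carries on lines 55–64 is the one to reuse; putting it in a shared snippet (e.g. `include <path-to-tls-snippet>;`, path to be chosen) would also remove the `MozSSL`/`MozSSLS` cache-name divergence between files. The same gap applies to default.conf, dnsui.conf, drone.conf, graylog.conf, jitsi.conf, keycloak.conf, mirror.conf, phpldapadmin.conf, privatebin.conf, prometheus.conf, shlink-web.conf, shlink.conf, syscid.conf, xen-orchestra.conf and the first two server blocks of git.conf.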
diff --git a/nginx/02/confluence.conf b/nginx/02/confluence.conf
new file mode 100644
index 0000000..3004fca
--- /dev/null
+++ b/nginx/02/confluence.conf
@@ -0,0 +1,30 @@
+server {
+ listen 202.61.255.116:443 ssl;
+ listen [2a03:4000:55:d20::]:443 ssl;
+ server_name confluence.psyched.dev;
+
+ ssl_certificate /etc/ssl/psyched/fullchain.pem;
+ ssl_certificate_key /etc/ssl/psyched/private/privkey.pem;
+
+ ssl_session_timeout 5m;
+
+ ssl_protocols TLSv1.3;
+ #ssl_prefer_server_ciphers on;
+
+ location / {
+ client_max_body_size 100m;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://localhost:8090;
+ }
+ location /synchrony {
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://localhost:8091/synchrony;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ }
+}
diff --git a/nginx/02/default.conf b/nginx/02/default.conf
new file mode 100644
index 0000000..dc5815b
--- /dev/null
+++ b/nginx/02/default.conf
@@ -0,0 +1,17 @@
+server {
+ listen 202.61.255.116:443 ssl http2 default_server;
+ listen [2a03:4000:55:d20::]:443 ssl http2 default_server;
+
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+ root /srv/www/htdocs/default;
+ index index.html;
+}
+server {
+ listen 202.61.255.116:80 default_server;
+ listen [2a03:4000:55:d20::]:80 default_server;
+
+ root /srv/www/htdocs/default;
+ index index.html;
+}
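Review bot: The port-80 `default_server` block serves `/srv/www/htdocs/default` in plaintext for every hostname, and no other file in this commit has a port-80 listener, so an `http://` request for any of the sites lands here instead of being redirected to its TLS vhost. Replace that block's `root`/`index` lines with `return 301 https://$host$request_uri;`. If HTTP-01 ACME challenges are answered on this host, exempt `/.well-known/acme-challenge/` first; nothing on the page shows how the certificates under `/etc/ssl` are renewed, so confirm before switching.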
diff --git a/nginx/02/dnsui.conf b/nginx/02/dnsui.conf
new file mode 100644
index 0000000..2d1c55b
--- /dev/null
+++ b/nginx/02/dnsui.conf
@@ -0,0 +1,27 @@
+server {
+ listen 192.168.0.115:8084 ssl;
+ server_name dnsui-local.two.secure.squirrelcube.xyz;
+ root /mnt/gluster01/web/dnsui2/public_html;
+ index init.php;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ try_files $uri $uri/ @php;
+ auth_basic "NS1 Intranet";
+ auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+ }
+ location @php {
+ rewrite ^/(.*)$ /init.php/$1 last;
+ auth_basic "NS1 Intranet";
+ auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+ }
+ location /init.php {
+ fastcgi_pass 172.168.100.2:9100;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ auth_basic "NS1 Intranet";
+ auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+ }
+}
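Review bot: `auth_basic`/`auth_basic_user_file` are repeated verbatim in all three locations; both directives inherit, so declaring `auth_basic "NS1 Intranet"; auth_basic_user_file /mnt/gluster01/web/auth/dnsui;` once at server level (next to `root`) protects the same paths and guarantees that a location added later cannot silently miss the check. Separately, `fastcgi_pass 172.168.100.2:9100;` names an address outside the RFC 1918 172.16.0.0/12 block; if it is a typo for a 172.16.x.x host the pass will fail, and if it is genuinely routed off-host then FastCGI carries request headers (including the basic-auth credential) and bodies unencrypted, so confirm the path it takes. The same address is used by phpldapadmin.conf, privatebin.conf and shlink.conf.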
diff --git a/nginx/02/drone.conf b/nginx/02/drone.conf
new file mode 100644
index 0000000..1f36830
--- /dev/null
+++ b/nginx/02/drone.conf
@@ -0,0 +1,38 @@
+#Drone (only for RPC access from other nodes - UI access is proxied directly through Teleport)
+server {
+ listen 192.168.0.115:443 ssl http2;
+ server_name drone.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass https://drone-local.two.secure.squirrelcube.xyz;
+ }
+}
+
+#Runner Exec
+server {
+ listen 192.168.0.115:443 ssl http2;
+ server_name drone-runner-exec-local.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass http://127.0.0.3:3000;
+ }
+}
+
+#Runner SSH
+server {
+ listen 192.168.0.115:443 ssl http2;
+ server_name drone-runner-ssh-local.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass http://127.0.0.3:3001;
+ }
+}
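Review bot: `proxy_pass https://drone-local.two.secure.squirrelcube.xyz;` in the first block speaks TLS to the upstream, but `proxy_ssl_verify` is left at its default of `off`, so the upstream certificate is never validated and the RPC channel the header comment describes is only as trustworthy as the network path between the two hosts. Add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <CA bundle path>;` to that location (the default `proxy_ssl_name` already equals the hostname in `proxy_pass`), reusing `/etc/ssl/ca-bundle.pem` from bastelstube.conf if the upstream chains to a public CA, plus `proxy_ssl_server_name on;` if the upstream selects its certificate by SNI. The two runner blocks proxy plain HTTP to 127.0.0.3, which is loopback and not affected.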
diff --git a/nginx/02/etherpad.conf b/nginx/02/etherpad.conf
new file mode 100644
index 0000000..f4a0233
--- /dev/null
+++ b/nginx/02/etherpad.conf
@@ -0,0 +1,39 @@
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+
+ server_name pad.hugz.io pad.lsd25.dev pad.lysergic.dev;
+
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+ resolver 127.0.0.4;
+
+
+ location / {
+ proxy_pass http://127.0.0.2:9001;
+ proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
+ proxy_set_header Host $host;
+ proxy_pass_header Server;
+
+ # Note you might want to pass these headers etc too.
+ proxy_set_header X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
+ proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
+ proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
+ proxy_http_version 1.1; # recommended with keepalive connections
+
+ # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+
+ }
+}
diff --git a/nginx/02/georg.conf b/nginx/02/georg.conf
new file mode 100644
index 0000000..eb38d32
--- /dev/null
+++ b/nginx/02/georg.conf
@@ -0,0 +1,23 @@
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+
+ server_name georg-pfuetzenreuter.net pfuetzenreuter.at gippy.at;
+
+ ssl_certificate /etc/ssl/georg/533088712.crt;
+ ssl_certificate_key /etc/ssl/georg/my.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSLS:10m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/georg/533088712.ca-bundle;
+ resolver 127.0.0.4;
+
+ root /srv/www/htdocs/georg;
+ index index.html;
+
+}
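Review bot: `ssl_certificate /etc/ssl/georg/533088712.crt;` departs from the `fullchain.pem` used elsewhere; nginx sends clients only the contents of the `ssl_certificate` file, while the bundle in `ssl_trusted_certificate` is used to verify the stapled OCSP response and is never served, so if `533088712.crt` holds just the leaf, clients that do not already have the intermediate will fail chain building. If that is the case, concatenate the leaf and `533088712.ca-bundle` into one file and point `ssl_certificate` at it, leaving `ssl_trusted_certificate` as is. I cannot tell from the page whether the `.crt` already contains the chain, so check before changing.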
diff --git a/nginx/02/git.conf b/nginx/02/git.conf
new file mode 100644
index 0000000..98e619d
--- /dev/null
+++ b/nginx/02/git.conf
@@ -0,0 +1,65 @@
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+ server_name git.lysergic.dev git.de.com;
+
+ return 302 https://git.com.de;
+}
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+
+ ssl_certificate /etc/ssl/liberta.casa/fullchain.pem;
+ ssl_certificate_key /etc/ssl/liberta.casa/private/privkey.pem;
+
+ server_name git.casa;
+
+# return 302 https://git.com.de/libertacasa;
+
+
+ root /srv/www/htdocs;
+
+ try_files $uri @cgit;
+
+ location @cgit {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /srv/www/cgi-bin/cgit/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_pass unix:/run/fcgiwrap.sock;
+ }
+
+
+}
+
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+ listen 192.168.0.115:443 ssl http2;
+
+ server_name git.com.de;
+
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+ resolver 127.0.0.4;
+
+
+ location / {
+ proxy_pass http://127.0.0.2:3501;
+ }
+}
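Review bot: `return 302 https://git.com.de;` in the first server block discards the request path and query, so a saved `https://git.lysergic.dev/<repo>` URL lands on the front page of the new host; use `return 301 https://git.com.de$request_uri;` (301 if the move is permanent). The git.casa block runs cgit through fcgiwrap but, unlike the git.com.de block below it, has no `ssl_protocols`, session or HSTS settings, and the commented-out `return 302` on line 341 suggests it is mid-migration; a one-line comment stating whether it is meant to stay up would help the next reader decide whether to harden or remove it.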
diff --git a/nginx/02/grafana.conf b/nginx/02/grafana.conf
new file mode 100644
index 0000000..8fc850e
--- /dev/null
+++ b/nginx/02/grafana.conf
@@ -0,0 +1,15 @@
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+ server_name grafana.lysergic.dev;
+
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1.3;
+
+ location / {
+ proxy_pass http://[::1]:3000/;
+ }
+}
diff --git a/nginx/02/graylog.conf b/nginx/02/graylog.conf
new file mode 100644
index 0000000..6a1d098
--- /dev/null
+++ b/nginx/02/graylog.conf
@@ -0,0 +1,42 @@
+server {
+ listen 192.168.0.115:8087 ssl;
+ server_name graylog-local.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass http://127.0.0.1:9000;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ }
+}
+
+#server {
+# listen 202.61.255.116:443 ssl http2;
+# listen [2a03:4000:55:d20::]:443 ssl http2;
+# server_name glpub.two.secure.squirrelcube.xyz;
+#
+# ssl_certificate /etc/ssl/tp/fullchain.pem;
+# ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+# ssl_session_timeout 1d;
+# ssl_session_cache shared:MozSSLS:10m;
+# ssl_session_tickets off;
+# ssl_protocols TLSv1.3;
+# ssl_prefer_server_ciphers off;
+# add_header Strict-Transport-Security "max-age=63072000" always;
+# ssl_stapling on;
+# ssl_stapling_verify on;
+# ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+# resolver 127.0.0.4;
+#
+# location /streams {
+# proxy_pass http://127.0.0.1:9000/;
+# proxy_set_header X-Forwarded-Host $host;
+# proxy_set_header X-Forwarded-Server $host;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_http_version 1.1;
+# }
+#}
diff --git a/nginx/02/jitsi.conf b/nginx/02/jitsi.conf
new file mode 100644
index 0000000..4e2d47b
--- /dev/null
+++ b/nginx/02/jitsi.conf
@@ -0,0 +1,57 @@
+#server_names_hash_bucket_size 64;
+
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+ listen 127.0.0.1:443 ssl http2;
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+ # tls configuration that is not covered in this guide
+ # we recommend the use of https://certbot.eff.org/
+ server_name meet.lysergic.dev meet.liberta.casa meet.lib.casa;
+ # set the root
+ root /srv/jitsi-meet;
+ index index.html;
+ location ~ ^/([a-zA-Z0-9=_\-\?]+)$ {
+ rewrite ^/(.*)$ / break;
+ }
+ location / {
+ ssi on;
+ }
+ # BOSH, Bidirectional-streams Over Synchronous HTTP
+ # https://en.wikipedia.org/wiki/BOSH_(protocol)
+ location = /http-bind {
+ proxy_pass http://127.0.0.1:5280/http-bind;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $http_host;
+ proxy_method POST;
+ proxy_buffering off;
+ tcp_nodelay on;
+ }
+ # external_api.js must be accessible from the root of the
+ # installation for the electron version of Jitsi Meet to work
+ # https://github.com/jitsi/jitsi-meet-electron
+ location /external_api.js {
+ alias /srv/jitsi-meet/libs/external_api.min.js;
+ }
+ # xmpp websockets
+ location /xmpp-websocket {
+ proxy_pass http://127.0.0.1:5280/xmpp-websocket;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ tcp_nodelay on;
+ }
+}
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+ server_name meet-auth.sso.casa;
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+ location / {
+ proxy_pass http://127.0.0.2:3002;
+ }
+}
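Review bot: Lines 469–470 (`# tls configuration that is not covered in this guide` / `# we recommend the use of https://certbot.eff.org/`) are leftover template text that no longer describes this file, which already names its certificate on the two lines above; delete them or replace them with a note on where the certificate under `/etc/ssl/lysergic` comes from. The block also lacks the `ssl_protocols`/HSTS settings used in bastelstube.conf. The regex `location ~ ^/([a-zA-Z0-9=_\-\?]+)$` with its `rewrite ^/(.*)$ / break;` is not self-explanatory; a one-line comment stating why room-style paths are rewritten to `/` would help.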
diff --git a/nginx/02/keycloak.conf b/nginx/02/keycloak.conf
new file mode 100644
index 0000000..87e3282
--- /dev/null
+++ b/nginx/02/keycloak.conf
@@ -0,0 +1,219 @@
+#########################################
+## SECTION 1 ##
+## DEVELOPMENT / STAGING CONFIGURATION ##
+#########################################
+
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+
+ server_name auth.syscid.com sso.syscid.com;
+
+ ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
+ ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
+
+# location /auth {
+# return 302 https://auth.syscid.com/auth/realms/master/account/;
+# }
+# location /auth/realms/master/account/ {
+# proxy_pass https://10.0.0.10;
+# proxy_set_header Host $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header X-Forwarded-Host $host;
+# proxy_set_header X-Forwarded-Server $host;
+# proxy_set_header X-Forwarded-Port $server_port;
+# proxy_set_header X-Forwarded-Proto $scheme;
+# }
+ location / {
+ proxy_pass https://10.0.0.10;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+}
+server {
+ listen 127.0.0.1:443 ssl http2;
+
+ server_name keycloak-internal.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
+ ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
+
+ return 302 https://keycloak.two.secure.squirrelcube.xyz/admin/master/console/;
+
+ location / {
+ proxy_pass https://10.0.0.10;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+
+#########################################
+## SECTION 2 ##
+## Everything below here is PRODUCTION ##
+#########################################
+
+##
+## WildFly Management UI access through Teleport
+##
+server {
+ listen 127.0.0.1:443 ssl http2;
+ server_name wildfly-keycloak-prod-orpheus.two.secure.squirrelcube.xyz;
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+ location / {
+ proxy_pass http://127.0.0.5:9990;
+
+## This bit does not look production worthy, I think we can remove the commented out lines, but am not sure yet. should check whether the correct IP address is passed through to WildFly on failed authentication attempts.
+
+# proxy_set_header Host $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header X-Forwarded-Host $host;
+# proxy_set_header X-Forwarded-Server $host;
+# proxy_set_header X-Forwarded-Port $server_port;
+# proxy_set_header X-Forwarded-Proto $scheme;
+# proxy_set_header Authorization $http_authorization;
+# proxy_pass_header Authorization;
+ proxy_set_header Host $host:10090;
+ proxy_set_header Origin http://$host:10090;
+
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass_request_headers on;
+ }
+}
+
+##
+## Used for testing of the AdminUrl backend to rule out issues by the Teleport proxy
+##
+#server {
+# listen 127.0.0.1:443 ssl http2;
+# listen 192.168.0.115:443 ssl http2;
+#
+# server_name intra.sso.casa;
+# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
+# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
+#
+# location / {
+# proxy_pass https://192.168.0.115:8843/;
+# proxy_ssl_verify off;
+# proxy_set_header Host $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# #proxy_set_header X-Forwarded-Host $host;
+# #proxy_set_header X-Forwarded-Server $host;
+# #proxy_set_header X-Forwarded-Port $server_port;
+# proxy_set_header X-Forwarded-Proto https;
+# }
+# proxy_buffer_size 128k;
+# proxy_buffers 4 256k;
+# proxy_busy_buffers_size 256k;
+#}
+
+##
+## Standalone Keycloak Frontend on Orpheus
+##
+
+#server {
+# listen 202.61.255.116:443 ssl http2;
+# listen [2a03:4000:55:d20::]:443 ssl http2;
+#
+# server_name sso.casa;
+#
+# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
+# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
+#
+# location / {
+# proxy_pass https://192.168.0.115:8843/;
+# proxy_ssl_verify off;
+# proxy_set_header Host $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# #proxy_set_header X-Forwarded-Host $host;
+# #proxy_set_header X-Forwarded-Server $host;
+# #proxy_set_header X-Forwarded-Port $server_port;
+# proxy_set_header X-Forwarded-Proto https;
+# }
+# proxy_buffer_size 128k;
+# proxy_buffers 4 256k;
+# proxy_busy_buffers_size 256k;
+#
+## location ~ /auth/admin {
+## deny all;
+## return 403;
+## }
+#
+#}
+
+##
+## Keycloak Frontend Load Balancer
+##
+proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;
+
+upstream jboss {
+ ip_hash;
+ server 192.168.0.110:8843;
+ server 192.168.0.115:8843;
+ server 192.168.0.120:8843;
+
+ # only available in NGINX Plus - very sad!!
+ # sticky learn
+ # create=$upstream_cookie_AUTH_SESSION_ID
+ # lookup=$cookie_AUTH_SESSION_ID
+ # zone=client_sessions:1m;
+}
+
+# same ordeal
+#match jboss_check {
+# status 200;
+# header Content-Type = text/html;
+# body ~ "WildFly is running";
+#}
+
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+ listen 127.0.0.1:443 ssl http2;
+ server_name sso.casa;
+
+ ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
+ ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
+ ssl_session_cache shared:SSL:1m;
+ ssl_prefer_server_ciphers on;
+
+ #location = / {
+ # return 302 /auth/;
+ #}
+
+ location / {
+ proxy_pass https://jboss;
+ proxy_cache backcache;
+ proxy_ssl_verify off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+
+ # yup, nginx plus
+ #health_check match=jboss_check;
+ }
+ proxy_buffer_size 256k;
+ proxy_buffers 4 512k;
+ proxy_busy_buffers_size 512k;
+
+}
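Review bot: `proxy_cache backcache;` in the sso.casa `location /` puts an identity provider behind a disk cache under `/tmp/NGINX_cache/` that is keyed by default on scheme, host and URI only; nginx skips responses carrying `Set-Cookie` or a `Cache-Control: private`/`no-store`/`no-cache`, so correctness rests entirely on Keycloak emitting one of those on every per-user response, and a single miss would serve one user's page to another. Unless a measured need exists, remove `proxy_cache backcache;` together with the `proxy_cache_path` line, or confine caching to a location for static theme resources. Separately, the keycloak-internal block has `return 302 https://keycloak.two.secure.squirrelcube.xyz/admin/master/console/;` at server level, which answers every request before any `location` is consulted, so its `location /` is dead; the redirect target is also not a `server_name` anywhere in this commit, so confirm it is defined elsewhere.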
diff --git a/nginx/02/matrix.conf b/nginx/02/matrix.conf
new file mode 100644
index 0000000..d88ef87
--- /dev/null
+++ b/nginx/02/matrix.conf
@@ -0,0 +1,79 @@
+##WEBSERVER DEFINITIONS FOR ALL MATRIX SERVICES ON LYSERGIC.DEV
+
+##SYNAPSE
+server {
+ listen 202.61.255.116:443 ssl;
+ listen [2a03:4000:55:d20::]:443 ssl;
+
+ # For the federation port
+ listen 202.61.255.116:8448 ssl default_server;
+ listen [2a03:4000:55:d20::]:8448 ssl;
+ listen 192.168.0.115:8448 ssl;
+
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+ server_name matrix.lysergic.dev;
+
+ location ~* ^(\/_matrix|\/_synapse\/client) {
+ proxy_pass http://[::1]:8763;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ client_max_body_size 100M;
+ }
+
+ location /.well-known/matrix/client {
+ return 200 '{"m.homeserver": {"base_url": "https://matrix.lysergic.dev"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ }
+
+ location /.well-known/matrix/server {
+ return 200 '{"m.server": "matrix.lysergic.dev:8448"}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ }
+
+
+ location / {
+ proxy_pass http://[::1]:8763/;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ client_max_body_size 100M;
+ }
+}
+
+#ELEMENT
+server {
+ listen 202.61.255.116:443 ssl;
+ listen [2a03:4000:55:d20::]:443 ssl;
+ server_name element.lysergic.dev;
+
+ root /mnt/gluster01/web/matrix/element-lysergic;
+
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+}
+
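Review bot: The catch-all `location /` in the Synapse block proxies every remaining path to `http://[::1]:8763/`, which includes `/_synapse/admin/` if the listener behind that port serves the admin resource (the default for a client listener). Synapse's reverse-proxy guidance is to keep the Admin API off the public interface, so add `location /_synapse/admin { return 404; }` ahead of the catch-all, or drop the catch-all entirely since the regex location already covers `/_matrix` and `/_synapse/client`. The two well-known locations also carry their own `add_header`, which suppresses inheritance of the server-level HSTS header on those responses.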
diff --git a/nginx/02/mirror.conf b/nginx/02/mirror.conf
new file mode 100644
index 0000000..5e31ec9
--- /dev/null
+++ b/nginx/02/mirror.conf
@@ -0,0 +1,15 @@
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+
+ server_name 3zy.de;
+
+ ssl_certificate /etc/ssl/3zy.de/fullchain.pem;
+ ssl_certificate_key /etc/ssl/3zy.de/private/privkey.pem;
+
+ location / {
+ root /mnt/gluster01/mirror;
+ fancyindex on;
+ fancyindex_exact_size on;
+ }
+}
diff --git a/nginx/02/phpldapadmin.conf b/nginx/02/phpldapadmin.conf
new file mode 100644
index 0000000..11dda75
--- /dev/null
+++ b/nginx/02/phpldapadmin.conf
@@ -0,0 +1,22 @@
+server {
+ listen 192.168.0.115:8084 ssl;
+ server_name phpldapadmin-local.two.secure.squirrelcube.xyz;
+ root /srv/www/phpLDAPadmin/phpLDAPadmin/htdocs;
+ index index.php;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass 172.168.100.2:9100;
+ }
+}
+
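Review bot: `location ~ \.php$` hands any URI ending in `.php` to php-fpm with `SCRIPT_FILENAME $realpath_root$fastcgi_script_name` but never checks in nginx that the file exists; add `try_files $uri =404;` as the first line of that location so non-existent paths are refused before they reach FastCGI (php-fpm's `security.limit_extensions` usually refuses to run a non-`.php` file, but the guard costs nothing and removes the dependence on that setting). The same location is copied into privatebin.conf and shlink.conf. This vhost shares `192.168.0.115:8084` with dnsui.conf but, unlike it, places no `auth_basic` in front of the application's own login; if that is deliberate because Teleport fronts it, a one-line comment like the one in drone.conf would record it.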
diff --git a/nginx/02/privatebin.conf b/nginx/02/privatebin.conf
new file mode 100644
index 0000000..07e95a3
--- /dev/null
+++ b/nginx/02/privatebin.conf
@@ -0,0 +1,24 @@
+server {
+ server_name pasta.lysergic.dev p.lsd25.dev p.lsd-25.dev;
+ listen 202.61.255.116:443;
+ listen [2a03:4000:55:d20::]:443;
+ root /mnt/gluster01/web/privatebin/PrivateBin;
+ index index.php;
+ charset utf-8;
+ disable_symlinks off;
+
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+ client_max_body_size 300M;
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass 172.168.100.2:9100;
+ }
+}
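Review bot: `listen 202.61.255.116:443;` and the IPv6 line carry no `ssl` parameter; this block terminates TLS only because other server blocks on the same address:port (bastelstube.conf and others) set `ssl` on the shared socket, which nginx applies socket-wide. Make it explicit with `listen 202.61.255.116:443 ssl http2;` and `listen [2a03:4000:55:d20::]:443 ssl http2;` so the file is correct on its own; shlink-web.conf and shlink.conf have the same omission. shlink.conf also has `location ~ /\.ht { deny all; }` while this block does not, so any `.htaccess` present under `/mnt/gluster01/web/privatebin/PrivateBin` would be served here as a static file.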
diff --git a/nginx/02/prometheus.conf b/nginx/02/prometheus.conf
new file mode 100644
index 0000000..f8e0f50
--- /dev/null
+++ b/nginx/02/prometheus.conf
@@ -0,0 +1,67 @@
+server {
+ listen 192.168.0.115:8092 ssl http2;
+ server_name prometheus-local.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass http://172.16.9.2:9090/;
+ }
+}
+server {
+ listen 192.168.0.115:8093 ssl http2;
+ server_name prometheus-alertmanager-local.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass http://172.16.9.2:9093/;
+ }
+}
+server {
+ listen 192.168.0.115:8094 ssl http2;
+ server_name prometheus-blackbox-exporter-local.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass http://172.16.9.2:9115/;
+ }
+}
+server {
+ listen 192.168.0.115:8095 ssl http2;
+ server_name prometheus-nginx-exporter-local.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass http://172.16.9.2:9113/;
+ }
+}
+server {
+ listen 192.168.0.115:8095 ssl http2;
+ server_name prometheus-wireguard-exporter-mercury.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass http://172.16.9.2:9586/;
+ }
+}
+server {
+ listen 192.168.0.115:8095 ssl http2;
+ server_name prometheus-wireguard-exporter-local.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass http://127.0.0.2:9586/;
+ }
+}
+
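Review bot: The last three server blocks all use `listen 192.168.0.115:8095 ssl http2;` while the earlier ones step through 8092, 8093 and 8094, so the nginx-exporter and the two wireguard-exporter vhosts are distinguished only by `Host`, and a request on 8095 with any other name falls to the first of them (nginx-exporter) as the implicit default server. If the shared port is intentional, add a comment saying so and which name is the default; otherwise give the last two their own ports (8096 and 8097 would continue the sequence).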
diff --git a/nginx/02/scooper.conf b/nginx/02/scooper.conf
new file mode 100644
index 0000000..e39620c
--- /dev/null
+++ b/nginx/02/scooper.conf
@@ -0,0 +1,29 @@
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+
+ server_name scooper.irc.lsd.systems;
+
+ ssl_certificate /etc/ssl/irc/fullchain.pem;
+ ssl_certificate_key /etc/ssl/irc/private/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSLS:10m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+ resolver 127.0.0.4;
+
+ location / {
+ fastcgi_pass unix:/var/run/kfcgi/scooper.sock;
+ fastcgi_split_path_info (/)(.*);
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ include fastcgi_params;
+ auth_basic "I <3 Internet Relay Chat";
+ auth_basic_user_file /mnt/gluster01/web/auth/scooper;
+ }
+}
+
diff --git a/nginx/02/shlink-web.conf b/nginx/02/shlink-web.conf
new file mode 100644
index 0000000..1705f2f
--- /dev/null
+++ b/nginx/02/shlink-web.conf
@@ -0,0 +1,31 @@
+server {
+ server_name lsd25.xyz;
+ listen 202.61.255.116:443;
+ listen [2a03:4000:55:d20::]:443;
+ root /mnt/gluster01/web/shlink-web;
+ index index.html;
+ charset utf-8;
+
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+ location ~* \.(?:manifest|appcache|html?|xml|json)$ {
+ expires -1;
+ }
+ location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
+ expires 1M;
+ add_header Cache-Control "public";
+ }
+ location ~* \.(?:css|js)$ {
+ expires 1y;
+ add_header Cache-Control "public";
+ }
+ location ~* .+\.(css|js|html|png|jpe?g|gif|bmp|ico|json|csv|otf|eot|svg|svgz|ttf|woff|woff2|ijmap|pdf|tif|map) {
+ try_files $uri $uri/ =404;
+ }
+ location / {
+ auth_basic "Lysergic URL Shortening Service";
+ auth_basic_user_file /mnt/gluster01/web/auth/shlink-web;
+ try_files $uri $uri/ /index.html$is_args$args;
+ }
+}
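Review bot: The `auth_basic` in `location /` does not actually gate the application: the regex locations above it take precedence for every URI with a listed extension, so `/index.html` and the `.js`/`.css`/`.json` bundle are served by `location ~* \.(?:manifest|appcache|html?|xml|json)$` and its siblings without a credential prompt, and only the bare `/` and extension-less paths are challenged. Move `auth_basic "Lysergic URL Shortening Service";` and `auth_basic_user_file /mnt/gluster01/web/auth/shlink-web;` to server level, next to `root`, so every location inherits them. The two `listen` lines are also missing the `ssl` parameter, as in privatebin.conf.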
diff --git a/nginx/02/shlink.conf b/nginx/02/shlink.conf
new file mode 100644
index 0000000..f507aa3
--- /dev/null
+++ b/nginx/02/shlink.conf
@@ -0,0 +1,29 @@
+include php-fpm;
+
+server {
+ server_name lsd25.dev lsd-25.dev mcdonalds.pw;
+ listen 202.61.255.116:443;
+ listen [2a03:4000:55:d20::]:443;
+ root /mnt/gluster01/web/shlink/public;
+ index index.php;
+ charset utf-8;
+
+ ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ fastcgi_pass 172.168.100.2:9100;
+ }
+
+ location ~ /\.ht {
+ deny all;
+ }
+}
diff --git a/nginx/02/syscid.conf b/nginx/02/syscid.conf
new file mode 100644
index 0000000..b57c986
--- /dev/null
+++ b/nginx/02/syscid.conf
@@ -0,0 +1,15 @@
+server {
+ listen 202.61.255.116:443 ssl http2;
+ listen [2a03:4000:55:d20::]:443 ssl http2;
+
+ server_name orpheus.syscid.com www.syscid.com;
+
+ ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
+ ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
+
+ location / {
+ root /srv/www/htdocs/syscid;
+ index index.html;
+ }
+
+}
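Review bot: `ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;` is named for a psyched.dev host while this block serves `orpheus.syscid.com www.syscid.com`, and keycloak.conf uses the same pair for `auth.syscid.com sso.syscid.com`; unless that certificate's SAN list covers all four syscid.com names, clients will see a name mismatch. Check the SAN extension, and if it does cover them, a comment beside the directive would spare the next reader the same check. Like most files in this commit, the block sets no `ssl_protocols` or HSTS.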
diff --git a/nginx/02/tp.3gy.de.conf b/nginx/02/tp.3gy.de.conf
new file mode 100644
index 0000000..8be570c
--- /dev/null
+++ b/nginx/02/tp.3gy.de.conf
@@ -0,0 +1,28 @@
+server {
+ server_name tp.3gy.de two.tp.3gy.de *.two.secure.squirrelcube.xyz;
+ listen 202.61.255.116:443 ssl;
+ listen [2a03:4000:55:d20::]:443 ssl;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.3;
+ #ssl_ciphers
+ #ssl_prefer_server_ciphers
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+ location / {
+ proxy_pass https://[::1]:3080/;
+ proxy_ssl_verify off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ proxy_read_timeout 3600;
+ }
+}
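Review bot: `location /` forwards `Host` and the WebSocket upgrade headers but no `X-Forwarded-For` or `X-Forwarded-Proto`, so the Teleport proxy behind `[::1]:3080` sees every connection as originating from loopback; whether its audit events can use a forwarded header depends on Teleport's own configuration, which is not on the page, but without the header there is nothing for it to use. Add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` alongside the `Host` line. The wildcard `*.two.secure.squirrelcube.xyz` on the public listeners will also match any such name that has no public vhost of its own, which is presumably intended for application access through Teleport; a comment stating that would make the intent explicit.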
diff --git a/nginx/02/xen-orchestra.conf b/nginx/02/xen-orchestra.conf
new file mode 100644
index 0000000..f1444cd
--- /dev/null
+++ b/nginx/02/xen-orchestra.conf
@@ -0,0 +1,23 @@
+server {
+ listen 192.168.0.115:8086 ssl;
+ server_name xen-orchestra-local.two.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+ resolver 127.0.0.4;
+
+ location / {
+ proxy_pass https://127.0.0.2:8089;
+ proxy_ssl_verify off;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_redirect default;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_read_timeout 1800;
+ client_max_body_size 4G;
+ }
+}