summaryrefslogtreecommitdiffstats
path: root/nginx
diff options
context:
space:
mode:
Diffstat (limited to 'nginx')
-rw-r--r--nginx/01/adminer.conf15
-rw-r--r--nginx/01/dnsui.conf41
-rw-r--r--nginx/01/hidden.conf123
-rw-r--r--nginx/01/http.conf11
-rw-r--r--nginx/01/keycloak.conf79
-rw-r--r--nginx/01/lan.conf5
-rw-r--r--nginx/01/liberta.casa.conf209
-rw-r--r--nginx/01/matrix.conf240
-rw-r--r--nginx/01/mattermost.conf74
-rw-r--r--nginx/01/mirror.conf18
-rw-r--r--nginx/01/nsedit.conf16
-rw-r--r--nginx/01/omnidb.conf41
-rw-r--r--nginx/01/tp.3gy.de.conf28
-rw-r--r--nginx/01/xmpp.conf301
14 files changed, 1201 insertions, 0 deletions
diff --git a/nginx/01/adminer.conf b/nginx/01/adminer.conf
new file mode 100644
index 0000000..fc72b64
--- /dev/null
+++ b/nginx/01/adminer.conf
@@ -0,0 +1,15 @@
+#include php-fpm;
+server {
+ listen 192.168.0.110:8084 ssl;
+ server_name adminer-local.one.secure.squirrelcube.xyz;
+ root /mnt/gluster01/web/adminer1;
+ index adminer.php;
+
+ ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+ location / {
+ }
+
+ include php;
+}
diff --git a/nginx/01/dnsui.conf b/nginx/01/dnsui.conf
new file mode 100644
index 0000000..0e24c3a
--- /dev/null
+++ b/nginx/01/dnsui.conf
@@ -0,0 +1,41 @@
+server {
+ listen 192.168.0.110:8084 ssl;
+ server_name dnsui-local.one.secure.squirrelcube.xyz;
+ root /mnt/gluster01/web/dnsui1/public_html;
+ index init.php;
+
+ ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+# auth_basic "NS1 Intranet";
+# auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+
+ location / {
+ try_files $uri $uri/ @php;
+ auth_basic "NS1 Intranet";
+ auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+ }
+ location @php {
+ rewrite ^/(.*)$ /init.php/$1 last;
+ auth_basic "NS1 Intranet";
+ auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+ }
+ location /init.php {
+ fastcgi_pass 172.168.100.1:9100;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ auth_basic "NS1 Intranet";
+ auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+ }
+
+ location /info.php {
+ fastcgi_pass 172.168.100.1:9100;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ auth_basic "NS1 Intranet";
+ auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+ }
+
+
+ error_log /var/log/nginx/dnsui1.log;
+}
diff --git a/nginx/01/hidden.conf b/nginx/01/hidden.conf
new file mode 100644
index 0000000..80dfd28
--- /dev/null
+++ b/nginx/01/hidden.conf
@@ -0,0 +1,123 @@
+server {
+# server_name localhost;
+ listen 127.0.0.1:9191;
+ root /mnt/gluster01/web/liberta.casa;
+}
+server {
+ server_name qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion;
+ listen 127.0.0.1:9191;
+
+ autoindex off;
+ port_in_redirect off;
+
+ location /kiwi/static/config.json {
+ root /mnt/gluster01/web/liberta.casa;
+ rewrite ^/kiwi/static/config.json$ /kiwi_onion/static/config.json;
+ }
+
+ location /kiwi {
+ root /mnt/gluster01/web/liberta.casa;
+ index index.html;
+ try_files $uri $uri/ =404;
+ }
+
+ location / {
+ root /srv/www/liberta.casa/static/website;
+ index index.html;
+
+ }
+
+ location /register {
+ proxy_pass http://127.0.0.1:8965;
+ add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
+ }
+
+ location /libcasa {
+ root /srv/www/superseriousstats/libertacasa;
+ index index.html;
+ location ~ \.php$ {
+ fastcgi_pass 172.168.100.1:9100;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ }
+
+ }
+
+ location /libcasa.info {
+ root /srv/www/superseriousstats/libertacasa;
+ index index.html;
+ location ~ \.php$ {
+ fastcgi_pass 172.168.100.1:9100;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ }
+ }
+
+ location /gamja {
+ root /srv/www/gamja;
+ index index.html;
+ }
+
+ location /socket {
+ proxy_pass http://192.168.0.110:8068;
+ proxy_read_timeout 600s;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location /convos {
+ rewrite ^/convos/?(.*)$ /$1 break;
+ proxy_pass http://[::1]:8089;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Request-Base "$scheme://$host/convos";
+ }
+
+ location /candy {
+ root /srv/www/candy/;
+ index index.html;
+ add_header Access-Control-Allow-Origin *;
+ }
+ location /candy-source {
+ root /srv/www/candy/;
+ }
+
+
+ error_log /var/log/nginx/liberta.casa.err;
+
+
+ #location / {
+ # root /srv/www/liberta.casa;
+ # try_files $uri $uri/ =404;
+ #}
+
+ location /webirc {
+ proxy_pass http://127.0.0.2:6669;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+}
+#server {
+# server_name cr36xbvmgjwnfw4sly4kuc6c3ozhesjre3y5pggq5xdkkmbrq6dz4fad.onion;
+# listen 9191;
+#
+# location /webirc {
+# proxy_pass http://127.0.0.2:6668;
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection "Upgrade";
+# proxy_set_header X-Forwarded-For $remote_addr;
+# proxy_set_header X-Forwarded-Proto $scheme;
+# }
+#}
diff --git a/nginx/01/http.conf b/nginx/01/http.conf
new file mode 100644
index 0000000..160e313
--- /dev/null
+++ b/nginx/01/http.conf
@@ -0,0 +1,11 @@
+#server {
+# listen 81.16.19.64:80 default_server;
+# listen 45.129.182.13:80 default_server;
+# listen [2a03:4000:47:58a::]:80 default_server;
+# return 302 https://$host$request_uri;
+#}
+
+server {
+ listen 80 default_server;
+ return 302 https://$host$request_uri;
+}
diff --git a/nginx/01/keycloak.conf b/nginx/01/keycloak.conf
new file mode 100644
index 0000000..b829cac
--- /dev/null
+++ b/nginx/01/keycloak.conf
@@ -0,0 +1,79 @@
+server {
+ listen 127.0.0.1:443 ssl http2;
+ server_name wildfly-keycloak-prod-theia.two.secure.squirrelcube.xyz;
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+ location / {
+ proxy_pass http://127.0.0.5:10090;
+ proxy_set_header Host $host:10090;
+ proxy_set_header Origin http://$host:10090;
+
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass_request_headers on;
+ }
+}
+server {
+ listen 127.0.0.1:443 ssl http2;
+
+ server_name keycloak-prod-theia.two.secure.squirrelcube.xyz;
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass http://192.168.0.110:8180;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+
+##
+## PRODUCTION CONFIG
+## Keycloak Frontend Load Balancer
+## Instance: theia
+##
+proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;
+
+upstream jboss {
+ ip_hash;
+ server 192.168.0.110:8843;
+ server 192.168.0.115:8843;
+ server 192.168.0.120:8843;
+}
+server {
+ listen 81.16.19.64:443 ssl http2;
+ listen [2a03:4000:47:58a::]:443 ssl http2;
+ server_name sso.casa;
+
+ ssl_certificate /etc/ssl/lego/certificates/libertacasa.net.crt;
+ ssl_certificate_key /etc/ssl/lego/certificates/libertacasa.net.key;
+ ssl_session_cache shared:SSL:1m;
+ ssl_prefer_server_ciphers on;
+
+ #location = / {
+ # return 302 /auth/;
+ #}
+
+ location / {
+ proxy_pass https://jboss;
+ proxy_cache backcache;
+ proxy_ssl_verify off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+ proxy_buffer_size 256k;
+ proxy_buffers 4 512k;
+ proxy_busy_buffers_size 512k;
+
+}
+
diff --git a/nginx/01/lan.conf b/nginx/01/lan.conf
new file mode 100644
index 0000000..f71eb9c
--- /dev/null
+++ b/nginx/01/lan.conf
@@ -0,0 +1,5 @@
+server {
+ listen 127.0.0.2:80;
+ server_name theia.local;
+ root /srv/www/lan;
+}
diff --git a/nginx/01/liberta.casa.conf b/nginx/01/liberta.casa.conf
new file mode 100644
index 0000000..c217c5d
--- /dev/null
+++ b/nginx/01/liberta.casa.conf
@@ -0,0 +1,209 @@
+server {
+ server_name libertacasa.xyz libertacasa.info libcasa.info www.libertacasa.xyz www.libertacasa.info www.libcasa.info www.lib.casa www.liberta.casa;
+ listen 81.16.19.64:443 ssl http2;
+ listen [2a03:4000:47:58a::]:443 ssl http2;
+ #listen [::]:443 ssl http2;
+
+ root /srv/www/liberta.casa/static/website;
+
+ ssl_certificate /etc/ssl/lego/certificates/liberta.casa.crt;
+ ssl_certificate_key /etc/ssl/lego/certificates/liberta.casa.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+ resolver 127.0.0.4;
+
+ return 302 https://liberta.casa;
+}
+server {
+ server_name libertacasa.net libsh.net libsh.com libsso.net libsso.com;
+ listen 81.16.19.64:443 ssl http2;
+
+ root /srv/www/liberta.casa/static/website;
+
+ ssl_certificate /etc/ssl/lego/certificates/libertacasa.net.crt;
+ ssl_certificate_key /etc/ssl/lego/certificates/libertacasa.net.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+ resolver 127.0.0.4;
+
+ return 302 https://liberta.casa;
+}
+server {
+ server_name liberta.casa lib.casa;
+ listen 81.16.19.64:443 ssl http2;
+ listen [2a03:4000:47:58a::]:443 ssl http2;
+ #listen [::]:443 ssl http2;
+
+ root /srv/www/liberta.casa/static/website;
+
+ ssl_certificate /etc/ssl/lego/certificates/liberta.casa.crt;
+ ssl_certificate_key /etc/ssl/lego/certificates/liberta.casa.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+ resolver 127.0.0.4;
+
+ location / {
+ root /srv/www/liberta.casa/static/website;
+ index index.html;
+ add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
+ }
+
+ location /kiwi {
+ root /mnt/gluster01/web/liberta.casa;
+ index index.html;
+ try_files $uri $uri/ =404;
+ }
+
+ location /register {
+ proxy_pass http://127.0.0.1:8965;
+ add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
+ }
+
+ location /webirc {
+ proxy_pass http://192.168.0.110:8068;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location /libcasa {
+ root /srv/www/superseriousstats/libertacasa;
+ index index.html;
+ location ~ \.php$ {
+ fastcgi_pass 172.168.100.1:9100;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ }
+
+ }
+
+ location /libcasa.info {
+ root /srv/www/superseriousstats/libertacasa;
+ index index.html;
+ location ~ \.php$ {
+ fastcgi_pass 172.168.100.1:9100;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ }
+ }
+
+ location /gamja {
+ root /srv/www/gamja;
+ index index.html;
+ }
+
+ location /socket {
+ proxy_pass http://192.168.0.110:8068;
+ proxy_read_timeout 600s;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+# location /convos {
+# proxy_pass http://[::1]:8089;
+# proxy_read_timeout 600s;
+# proxy_http_version 1.1;
+# proxy_set_header X-Forwarded-For $remote_addr;
+# proxy_set_header X-Forwarded-Proto $scheme;
+# }
+#
+# location ~ ^/(asset|convos-api.yaml|emoji|font|images|themes) {
+# root /srv/www/convos/convos/public;
+# }
+
+ location /convos {
+ rewrite ^/convos/?(.*)$ /$1 break;
+ proxy_pass http://[::1]:8089;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Request-Base "$scheme://$host/convos";
+ }
+
+ location /candy {
+ root /srv/www/candy/;
+ index index.html;
+ add_header Access-Control-Allow-Origin *;
+ }
+ location /candy-source {
+ root /srv/www/candy/;
+ }
+
+ ## https://xmpp.org/extensions/xep-0156.html#http
+ ## Provides an alternative to SRV lookups, needed for compliance
+ location /.well-known/host-meta {
+ root /srv/www/xmpp;
+ default_type 'application/xrd+xml';
+ add_header Access-Control-Allow-Origin '*' always;
+ }
+ location /.well-known/host-meta.json {
+ root /srv/www/xmpp;
+ default_type 'application/jrd+json';
+ add_header Access-Control-Allow-Origin '*' always;
+ }
+
+ error_log /var/log/nginx/liberta.casa.err;
+
+}
+
+server {
+ server_name katyusha.liberta.casa;
+ listen 81.16.19.64:443 ssl http2;
+
+ ssl_certificate /etc/ssl/lego/certificates/irc.casa.crt;
+ ssl_certificate_key /etc/ssl/lego/certificates/irc.casa.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+ resolver 127.0.0.4;
+
+ location / {
+ proxy_pass http://[::1]:8086;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ access_log syslog:server=192.168.0.115:5014,tag=nginx_access_katyusha graylog_old;
+ error_log syslog:server=192.168.0.115:5014,tag=nginx_error_katyusha debug;
+}
diff --git a/nginx/01/matrix.conf b/nginx/01/matrix.conf
new file mode 100644
index 0000000..8f8f4be
--- /dev/null
+++ b/nginx/01/matrix.conf
@@ -0,0 +1,240 @@
+##WEBSERVER DEFINITIONS FOR ALL MATRIX SERVICES ON LIBERTA.CASA
+
+##SYNAPSE
+server {
+ listen 81.16.19.64:443 ssl;
+
+ # For the federation port
+ listen 81.16.19.64:8448 ssl default_server;
+ listen 192.168.0.110:8448 ssl;
+
+ # For bridge
+ listen 127.0.0.2:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+ server_name matrix.liberta.casa;
+
+ location ~* ^(\/_matrix|\/_synapse\/client) {
+ proxy_pass http://[::1]:8077;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ client_max_body_size 50M;
+ }
+
+ location /.well-known/matrix/client {
+ return 200 '{"m.homeserver": {"base_url": "https://matrix.liberta.casa"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ }
+
+ location /.well-known/matrix/server {
+ return 200 '{"m.server": "matrix.liberta.casa:8448"}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ }
+
+
+ location / {
+ proxy_pass http://[::1]:8077/;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size 50M;
+ }
+
+ access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_synapse graylog;
+ error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_synapse debug;
+
+}
+
+#ELEMENT
+server {
+ listen 81.16.19.64:443 ssl;
+ server_name element.liberta.casa;
+
+ root /mnt/gluster01/web/matrix/element-libertacasa;
+
+ ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+ access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_element graylog;
+ error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_element debug;
+
+}
+server {
+ listen 81.16.19.64:443 ssl;
+ server_name m.liberta.casa;
+
+ ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ return 301 https://element.liberta.casa$request_uri;
+
+ access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_element graylog;
+ error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_element debug;
+
+}
+
+#SYDENT
+server {
+ listen 81.16.19.64:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+ server_name ident.matrix.liberta.casa;
+
+ location / {
+ proxy_pass http://127.0.0.4:8074/;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size 20M;
+ }
+
+ access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_sydent graylog;
+ error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_sydent debug;
+
+}
+
+#DIMENSION
+server {
+ server_name integrations.matrix.liberta.casa;
+ listen 81.16.19.64:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+ location / {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://127.0.0.1:8184;
+ }
+
+ access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_dimension graylog;
+ error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_dimension debug;
+
+}
+
+#KEYS
+server {
+ server_name keys.matrix.liberta.casa;
+ listen 81.16.19.64:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+ location / {
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://127.0.0.2:8076;
+ }
+
+ location /.well-known/matrix/client {
+ return 200 '{"m.homeserver": {"base_url": "https://keys.matrix.liberta.casa"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ }
+
+ location /.well-known/matrix/server {
+ return 200 '{"m.server": "keys.matrix.liberta.casa:443"}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ }
+
+ access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_keys graylog;
+ error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_keys debug;
+
+}
+
+#MAUBOT
+server {
+ server_name maubot.matrix.liberta.casa;
+ listen 81.16.19.64:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+# location /_matrix/maubot/v1/logs {
+# proxy_pass http://127.0.0.2:29419;
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection "Upgrade";
+# proxy_set_header X-Forwarded-For $remote_addr;
+# }
+
+ location / {
+ proxy_pass http://127.0.0.2:29419;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
+ access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_maubot graylog;
+ error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_maubot debug;
+
+}
diff --git a/nginx/01/mattermost.conf b/nginx/01/mattermost.conf
new file mode 100644
index 0000000..bcf9318
--- /dev/null
+++ b/nginx/01/mattermost.conf
@@ -0,0 +1,74 @@
+upstream mattermost {
+ server 127.0.0.2:8065;
+ keepalive 32;
+}
+
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
+
+server {
+ listen 81.16.19.64:443 ssl http2;
+ listen 192.168.0.110:443 ssl http2;
+ server_name mattermost.casa;
+
+ http2_push_preload on;
+
+ ssl_certificate /etc/letsencrypt/live/mattermost.casa/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/mattermost.casa/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_early_data on;
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+ #ssl_session_cache shared:SSL:50m;
+ add_header Strict-Transport-Security max-age=15768000;
+ #add_header X-Early-Data $tls1_3_early_data;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+ location /libcasa/channels/town-square {
+ return https://mattermost.casa/libcasa/channels/libcasa;
+ }
+
+ location ~ /api/v[0-9]+/(users/)?websocket$ {
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ client_max_body_size 50M;
+ proxy_buffers 256 16k;
+ proxy_buffer_size 16k;
+ client_body_timeout 60;
+ send_timeout 300;
+ lingering_timeout 5;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 300;
+ proxy_read_timeout 90s;
+ proxy_http_version 1.1;
+ proxy_pass http://mattermost;
+ }
+
+ location / {
+ proxy_set_header Connection "";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ client_max_body_size 50M;
+ proxy_buffers 256 16k;
+ proxy_buffer_size 16k;
+ proxy_read_timeout 600s;
+ proxy_cache mattermost_cache;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 2;
+ proxy_cache_use_stale timeout;
+ proxy_cache_lock on;
+ proxy_http_version 1.1;
+ proxy_pass http://mattermost;
+ }
+}
diff --git a/nginx/01/mirror.conf b/nginx/01/mirror.conf
new file mode 100644
index 0000000..f7a0d9b
--- /dev/null
+++ b/nginx/01/mirror.conf
@@ -0,0 +1,18 @@
+server {
+ listen 45.129.182.13:443 ssl http2;
+ listen [2a03:4000:47:58a::]:443 ssl http2;
+
+ server_name 3zy.de;
+
+ ssl_certificate /etc/letsencrypt/live/3zy.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/3zy.de/privkey.pem;
+
+ location / {
+ root /mnt/gluster01/mirror;
+# fancyindex on;
+# fancyindex_exact_size on;
+ autoindex on;
+ autoindex_exact_size on;
+ autoindex_localtime on;
+ }
+}
diff --git a/nginx/01/nsedit.conf b/nginx/01/nsedit.conf
new file mode 100644
index 0000000..ed4c311
--- /dev/null
+++ b/nginx/01/nsedit.conf
@@ -0,0 +1,16 @@
+include php-fpm;
+
+server {
+ listen 192.168.0.110:8083 ssl;
+ server_name nsedit1-local.secure.squirrelcube.xyz;
+ root /mnt/gluster01/web/nsedit1;
+ index index.php;
+
+ ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+ location / {
+ }
+
+ include php;
+}
diff --git a/nginx/01/omnidb.conf b/nginx/01/omnidb.conf
new file mode 100644
index 0000000..09a261b
--- /dev/null
+++ b/nginx/01/omnidb.conf
@@ -0,0 +1,41 @@
+server {
+ listen 127.0.0.2:8085 ssl;
+ server_name omnidb-local.one.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+ location / {
+ proxy_pass https://omnidb-backend.one.secure.squirrelcube.xyz:8086;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Ssl https;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Port 443;
+ proxy_set_header Host $host;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
+server {
+ listen 45.129.182.13:25483 ssl;
+ listen [2a03:4000:47:58a::]:25483 ssl;
+ server_name omnidb1.one.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+ location / {
+ proxy_pass https://omnidb-backend.one.secure.squirrelcube.xyz:25482;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Ssl https;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Port 25483;
+ proxy_set_header Host $host;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
diff --git a/nginx/01/tp.3gy.de.conf b/nginx/01/tp.3gy.de.conf
new file mode 100644
index 0000000..52140a4
--- /dev/null
+++ b/nginx/01/tp.3gy.de.conf
@@ -0,0 +1,28 @@
+server {
+ server_name tp.3gy.de one.tp.3gy.de *.one.secure.squirrelcube.xyz;
+ listen 45.129.182.13:443 ssl;
+ listen [2a03:4000:47:58a::]:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.3;
+ #ssl_ciphers
+ #ssl_prefer_server_ciphers
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+ location / {
+ proxy_pass https://[::1]:3080/;
+ proxy_ssl_verify off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ proxy_read_timeout 3600;
+ }
+}
diff --git a/nginx/01/xmpp.conf b/nginx/01/xmpp.conf
new file mode 100644
index 0000000..c86713b
--- /dev/null
+++ b/nginx/01/xmpp.conf
@@ -0,0 +1,301 @@
+#Prosody (DEPRECATED!)
+#server {
+# listen 81.16.19.64:443 ssl http2;
+# listen [2a03:4000:47:58a::]:443 ssl http2;
+# server_name xmpp.liberta.casa;
+#
+# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
+# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
+# ssl_session_timeout 1d;
+# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+# ssl_session_tickets off;
+#
+# ssl_protocols TLSv1.3 TLSv1.2;
+# ssl_prefer_server_ciphers off;
+# add_header Strict-Transport-Security "max-age=63072000" always;
+# ssl_stapling on;
+# ssl_stapling_verify on;
+# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+# resolver 127.0.0.4;
+#
+# location / {
+# proxy_pass http://[::1]:5280;
+# proxy_set_header X-Forwarded-For $remote_addr;
+# proxy_set_header Host $host;
+#
+# }
+#
+# location /xmpp-websocket {
+# proxy_pass http://[::1]:5280/xmpp-websocket;
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection "Upgrade";
+# proxy_set_header X-Forwarded-Proto $scheme;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header Host $host;
+# proxy_read_timeout 900s;
+# }
+# location /candy/http-bind {
+# proxy_pass https://127.0.0.2:5443/http-bind;
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection "Upgrade";
+# proxy_set_header X-Forwarded-Proto $scheme;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header Host $host;
+# proxy_read_timeout 900s;
+# }
+# location /candy {
+# root /srv/www/candy/;
+# index index.html;
+# }
+# location /candy-source {
+# root /srv/www/candy/;
+# }
+#}
+
+#mod_http_upload_external
+
+#server {
+# listen 81.16.19.64:443 ssl http2;
+# listen [2a03:4000:47:58a::]:443 ssl http2;
+#
+# server_name up.xmpp.liberta.casa;
+#
+# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
+# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
+# ssl_session_timeout 1d;
+# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+# ssl_session_tickets off;
+#
+# ssl_protocols TLSv1.3 TLSv1.2;
+# ssl_prefer_server_ciphers off;
+# add_header Strict-Transport-Security "max-age=63072000" always;
+# ssl_stapling on;
+# ssl_stapling_verify on;
+# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+# resolver 127.0.0.4;
+#
+## client_max_body_size 50m;
+#
+# location / {
+# if ( $request_method = OPTIONS ) {
+# add_header Access-Control-Allow-Origin '*';
+# add_header Access-Control-Allow-Methods 'PUT, GET, OPTIONS, HEAD';
+# add_header Access-Control-Allow-Headers 'Authorization, Content-Type';
+# add_header Access-Control-Allow-Credentials 'true';
+# add_header Content-Length 0;
+# add_header Content-Type text/plain;
+# return 200;
+# }
+# proxy_pass http://[::1]:5050/upload/;
+# proxy_request_buffering off;
+# }
+#}
+
+#server {
+# listen 81.16.19.64:443 ssl http2;
+# listen [2a03:4000:47:58a::]:443 ssl http2;
+# server_name xmpp.lib.casa;
+#
+# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
+# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
+# ssl_session_timeout 1d;
+# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+# ssl_session_tickets off;
+#
+# ssl_protocols TLSv1.3 TLSv1.2;
+# ssl_prefer_server_ciphers off;
+# add_header Strict-Transport-Security "max-age=63072000" always;
+# ssl_stapling on;
+# ssl_stapling_verify on;
+# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+# resolver 127.0.0.4;
+#
+# location / {
+# root /srv/www/jappix;
+# index index.php;
+# location ~ \.php$ {
+# fastcgi_pass 172.168.100.1:9100;
+# include fastcgi_params;
+# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+# }
+# }
+#
+# error_log /var/log/nginx/xmpp.lib.casa.err;
+#}
+
+
+####
+## ejabberd
+####
+
+## mod_http_upload
+
+perl_modules /usr/local/lib/perl;
+perl_require upload.pm;
+
+server {
+ listen 81.16.19.64:443 ssl http2;
+ listen [2a03:4000:47:58a::]:443 ssl http2;
+ listen 127.0.0.2:443 ssl http2;
+ server_name up.xmpp.lib.casa up.xmpp.liberta.casa;
+
+ ssl_certificate /etc/ssl/lego/certificates/xmpp.liberta.casa.crt;
+ ssl_certificate_key /etc/ssl/lego/certificates/xmpp.liberta.casa.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+ resolver 127.0.0.4;
+
+ root /opt/ejabberd/upload;
+
+ location / {
+ perl upload::handle;
+ }
+
+ client_max_body_size 40m;
+
+# location / {
+# if ( $request_method = OPTIONS ) {
+# add_header Access-Control-Allow-Origin '*';
+# add_header Access-Control-Allow-Methods 'PUT, GET, OPTIONS, HEAD';
+# add_header Access-Control-Allow-Headers 'Authorization, Content-Type';
+# add_header Access-Control-Allow-Credentials 'true';
+# add_header Content-Length 0;
+# add_header Content-Type text/plain;
+# return 200;
+# }
+# proxy_pass http://127.0.0.2:5443;
+# proxy_request_buffering off;
+# }
+
+ error_log /var/log/nginx/up.xmpp.lib.casa.err;
+}
+
+
+## Everything
+
+server {
+ listen 81.16.19.64:443 ssl http2;
+ listen [2a03:4000:47:58a::]:443 ssl http2;
+ server_name xmpp.liberta.casa xmpp.lib.casa jabber.liberta.casa jabber.lib.casa;
+
+ ssl_certificate /etc/ssl/lego/certificates/xmpp.liberta.casa.crt;
+ ssl_certificate_key /etc/ssl/lego/certificates/xmpp.liberta.casa.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+ resolver 127.0.0.4;
+
+ #location / {
+ # proxy_pass https://127.0.0.2:5443;
+ # proxy_set_header X-Forwarded-For $remote_addr;
+ # proxy_set_header Host $host;
+ #
+ #}
+
+ location / {
+ root /srv/www/xmpp;
+ index index.html;
+ }
+
+ location /upload {
+ return https://up.xmpp.lib.casa;
+ }
+
+ location /bosh {
+ proxy_pass https://127.0.0.2:5443;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ }
+
+ location /ws {
+ proxy_pass https://127.0.0.2:5443;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ }
+
+# location /xmpp-websocket {
+# proxy_pass http://[::1]:5280/xmpp-websocket;
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection "Upgrade";
+# proxy_set_header X-Forwarded-Proto $scheme;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header Host $host;
+# proxy_read_timeout 900s;
+# }
+ location /candy/http-bind {
+ proxy_pass https://127.0.0.2:5443/http-bind;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_read_timeout 900s;
+ }
+ location /candy {
+ root /srv/www/candy/;
+ index index.html;
+ }
+ location /candy-source {
+ root /srv/www/candy/;
+ }
+
+ error_log /var/log/nginx/xmpp.lib.casa.err;
+
+}
+
+
+## ejabberd_web_admin
+
+server {
+ listen 127.0.0.2:443 ssl http2;
+ server_name ejabberd-local.one.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+ resolver 127.0.0.4;
+
+ location / {
+ proxy_pass http://127.0.0.2:5280;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host;
+
+ }
+}
+