From 675ce1ee97a175cf2368a2347f9fef80e7388807 Mon Sep 17 00:00:00 2001
From: Georg
Date: Mon, 30 Aug 2021 20:38:56 +0200
Subject: Initial nginx run 01/05
Signed-off-by: Georg
---
 nginx/01/adminer.conf | 15 +++
 nginx/01/dnsui.conf | 41 ++++++
 nginx/01/hidden.conf | 123 ++++++++++++++++++
 nginx/01/http.conf | 11 ++
 nginx/01/keycloak.conf | 79 ++++++++++++
 nginx/01/lan.conf | 5 +
 nginx/01/liberta.casa.conf | 209 +++++++++++++++++++++++++++++++
 nginx/01/matrix.conf | 240 ++++++++++++++++++++++++++++++++++++
 nginx/01/mattermost.conf | 74 +++++++++++
 nginx/01/mirror.conf | 18 +++
 nginx/01/nsedit.conf | 16 +++
 nginx/01/omnidb.conf | 41 ++++++
 nginx/01/tp.3gy.de.conf | 28 +++++
 nginx/01/xmpp.conf | 301 +++++++++++++++++++++++++++++++++++++++++++++
 14 files changed, 1201 insertions(+)
 create mode 100644 nginx/01/adminer.conf
 create mode 100644 nginx/01/dnsui.conf
 create mode 100644 nginx/01/hidden.conf
 create mode 100644 nginx/01/http.conf
 create mode 100644 nginx/01/keycloak.conf
 create mode 100644 nginx/01/lan.conf
 create mode 100644 nginx/01/liberta.casa.conf
 create mode 100644 nginx/01/matrix.conf
 create mode 100644 nginx/01/mattermost.conf
 create mode 100644 nginx/01/mirror.conf
 create mode 100644 nginx/01/nsedit.conf
 create mode 100644 nginx/01/omnidb.conf
 create mode 100644 nginx/01/tp.3gy.de.conf
 create mode 100644 nginx/01/xmpp.conf
diff --git a/nginx/01/adminer.conf b/nginx/01/adminer.conf
new file mode 100644
index 0000000..fc72b64
--- /dev/null
+++ b/nginx/01/adminer.conf
@@ -0,0 +1,15 @@
+#include php-fpm;
+server {
+ listen 192.168.0.110:8084 ssl;
+ server_name adminer-local.one.secure.squirrelcube.xyz;
+ root /mnt/gluster01/web/adminer1;
+ index adminer.php;
+
+ ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+ location / {
+ }
+
+ include php;
+}
diff --git a/nginx/01/dnsui.conf b/nginx/01/dnsui.conf
new file mode 100644
index 0000000..0e24c3a
--- /dev/null
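Review bot: The adminer-local server block carries no access control at all — no `auth_basic`, no `allow`/`deny` — while the sibling dnsui.conf in this commit guards every location with `auth_basic "NS1 Intranet"`; Adminer is a database administration frontend, so the listener on 192.168.0.110:8084 is reachable by anything on that network segment with only Adminer's own login page in front of it. Adding `auth_basic "NS1 Intranet";` and `auth_basic_user_file <htpasswd-path>;` at server level (or an `allow`/`deny` list for the admin hosts) would bring it in line with dnsui.conf. The block also sets no `ssl_protocols`, so it inherits the nginx build default rather than the `TLSv1.3 TLSv1.2` used in liberta.casa.conf. `include php-fpm;` is commented out here but active in nsedit.conf; a short comment saying which file is meant to own that include would stop the two drifting.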
+++ b/nginx/01/dnsui.conf
@@ -0,0 +1,41 @@
+server {
+ listen 192.168.0.110:8084 ssl;
+ server_name dnsui-local.one.secure.squirrelcube.xyz;
+ root /mnt/gluster01/web/dnsui1/public_html;
+ index init.php;
+
+ ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+# auth_basic "NS1 Intranet";
+# auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+
+ location / {
+ try_files $uri $uri/ @php;
+ auth_basic "NS1 Intranet";
+ auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+ }
+ location @php {
+ rewrite ^/(.*)$ /init.php/$1 last;
+ auth_basic "NS1 Intranet";
+ auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+ }
+ location /init.php {
+ fastcgi_pass 172.168.100.1:9100;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ auth_basic "NS1 Intranet";
+ auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+ }
+
+ location /info.php {
+ fastcgi_pass 172.168.100.1:9100;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ auth_basic "NS1 Intranet";
+ auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+ }
+
+
+ error_log /var/log/nginx/dnsui1.log;
+}
diff --git a/nginx/01/hidden.conf b/nginx/01/hidden.conf
new file mode 100644
index 0000000..80dfd28
--- /dev/null
+++ b/nginx/01/hidden.conf
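Review bot: The `auth_basic`/`auth_basic_user_file` pair is repeated in all four locations while the server-level copy is commented out; hoisting the two lines to server scope (as the commented lines near the top already suggest) protects any location added later by default instead of relying on every block to repeat them. `location /` uses `try_files $uri $uri/ @php`, so a `.php` file other than `/init.php` or `/info.php` that exists under `public_html` would be served as a static file rather than handed to FastCGI — presumably only those two scripts live there, but that is worth confirming. `/info.php` looks like a diagnostics page; if it is a `phpinfo()`-style script it discloses paths and configuration, and removing it from the production config is better than protecting it. The FastCGI hop to `172.168.100.1:9100` is plaintext and `172.168.0.0/16` is not RFC 1918 space — verify this is the intended internal address and not a typo for a `172.16/12` one.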
@@ -0,0 +1,123 @@
+server {
+# server_name localhost;
+ listen 127.0.0.1:9191;
+ root /mnt/gluster01/web/liberta.casa;
+}
+server {
+ server_name qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion;
+ listen 127.0.0.1:9191;
+
+ autoindex off;
+ port_in_redirect off;
+
+ location /kiwi/static/config.json {
+ root /mnt/gluster01/web/liberta.casa;
+ rewrite ^/kiwi/static/config.json$ /kiwi_onion/static/config.json;
+ }
+
+ location /kiwi {
+ root /mnt/gluster01/web/liberta.casa;
+ index index.html;
+ try_files $uri $uri/ =404;
+ }
+
+ location / {
+ root /srv/www/liberta.casa/static/website;
+ index index.html;
+
+ }
+
+ location /register {
+ proxy_pass http://127.0.0.1:8965;
+ add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
+ }
+
+ location /libcasa {
+ root /srv/www/superseriousstats/libertacasa;
+ index index.html;
+ location ~ \.php$ {
+ fastcgi_pass 172.168.100.1:9100;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ }
+
+ }
+
+ location /libcasa.info {
+ root /srv/www/superseriousstats/libertacasa;
+ index index.html;
+ location ~ \.php$ {
+ fastcgi_pass 172.168.100.1:9100;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ }
+ }
+
+ location /gamja {
+ root /srv/www/gamja;
+ index index.html;
+ }
+
+ location /socket {
+ proxy_pass http://192.168.0.110:8068;
+ proxy_read_timeout 600s;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location /convos {
+ rewrite ^/convos/?(.*)$ /$1 break;
+ proxy_pass http://[::1]:8089;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Request-Base "$scheme://$host/convos";
+ }
+
+ location /candy {
+ root /srv/www/candy/;
+ index index.html;
+ add_header Access-Control-Allow-Origin *;
+ }
+ location /candy-source {
+ root /srv/www/candy/;
+ }
+
+
+ error_log /var/log/nginx/liberta.casa.err;
+
+
+ #location / {
+ # root /srv/www/liberta.casa;
+ # try_files $uri $uri/ =404;
+ #}
+
+ location /webirc {
+ proxy_pass http://127.0.0.2:6669;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+}
+#server {
+# server_name cr36xbvmgjwnfw4sly4kuc6c3ozhesjre3y5pggq5xdkkmbrq6dz4fad.onion;
+# listen 9191;
+#
+# location /webirc {
+# proxy_pass http://127.0.0.2:6668;
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection "Upgrade";
+# proxy_set_header X-Forwarded-For $remote_addr;
+# proxy_set_header X-Forwarded-Proto $scheme;
+# }
+#}
diff --git a/nginx/01/http.conf b/nginx/01/http.conf
new file mode 100644
index 0000000..160e313
--- /dev/null
+++ b/nginx/01/http.conf
@@ -0,0 +1,11 @@
+#server {
+# listen 81.16.19.64:80 default_server;
+# listen 45.129.182.13:80 default_server;
+# listen [2a03:4000:47:58a::]:80 default_server;
+# return 302 https://$host$request_uri;
+#}
+
+server {
+ listen 80 default_server;
+ return 302 https://$host$request_uri;
+}
diff --git a/nginx/01/keycloak.conf b/nginx/01/keycloak.conf
new file mode 100644
index 0000000..b829cac
--- /dev/null
+++ b/nginx/01/keycloak.conf
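Review bot: The first `server` block on 127.0.0.1:9191 has no `server_name` and is therefore the default for that listener, so any request reaching the Tor port whose Host header is not the `.onion` name is answered from the whole of `/mnt/gluster01/web/liberta.casa` with no `location` restrictions — including `kiwi_onion/static/config.json`, which the onion vhost itself exposes only through a rewrite. If it is meant as a catch-all, `return 444;` (or a dedicated empty `root`) is safer than serving that tree. The `Onion-Location` header added in `location /register` is redundant inside the onion vhost; it is meant for the clearnet site. The WebSocket locations here (`/socket`, `/convos`, `/webirc`) and in liberta.casa.conf, omnidb.conf and tp.3gy.de.conf set `Connection "Upgrade"` unconditionally; the nginx-documented form is `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` at http level with `proxy_set_header Connection $connection_upgrade;`, so ordinary requests do not carry an Upgrade connection token to the backend.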
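Review bot: `return 302 https://$host$request_uri;` in the `default_server` block redirects to whatever Host header the client sent, and because the block has no `server_name` nothing validates `$host`, so the port-80 catch-all will bounce a request for any name at all to `https://<that name>`. Restricting the redirect to the names this server actually serves (a `server_name` list, with a separate `return 444;` default) avoids acting as an open redirector for arbitrary hosts, and `return 301` is the conventional code for a permanent HTTP→HTTPS upgrade. The commented-out per-address listens were replaced by a bare `listen 80`, which binds every interface including the LAN addresses the other files use — presumably intended, but a one-line comment would make that explicit.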
@@ -0,0 +1,79 @@
+server {
+ listen 127.0.0.1:443 ssl http2;
+ server_name wildfly-keycloak-prod-theia.two.secure.squirrelcube.xyz;
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+ location / {
+ proxy_pass http://127.0.0.5:10090;
+ proxy_set_header Host $host:10090;
+ proxy_set_header Origin http://$host:10090;
+
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass_request_headers on;
+ }
+}
+server {
+ listen 127.0.0.1:443 ssl http2;
+
+ server_name keycloak-prod-theia.two.secure.squirrelcube.xyz;
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ location / {
+ proxy_pass http://192.168.0.110:8180;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+
+##
+## PRODUCTION CONFIG
+## Keycloak Frontend Load Balancer
+## Instance: theia
+##
+proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;
+
+upstream jboss {
+ ip_hash;
+ server 192.168.0.110:8843;
+ server 192.168.0.115:8843;
+ server 192.168.0.120:8843;
+}
+server {
+ listen 81.16.19.64:443 ssl http2;
+ listen [2a03:4000:47:58a::]:443 ssl http2;
+ server_name sso.casa;
+
+ ssl_certificate /etc/ssl/lego/certificates/libertacasa.net.crt;
+ ssl_certificate_key /etc/ssl/lego/certificates/libertacasa.net.key;
+ ssl_session_cache shared:SSL:1m;
+ ssl_prefer_server_ciphers on;
+
+ #location = / {
+ # return 302 /auth/;
+ #}
+
+ location / {
+ proxy_pass https://jboss;
+ proxy_cache backcache;
+ proxy_ssl_verify off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+ proxy_buffer_size 256k;
+ proxy_buffers 4 512k;
+ proxy_busy_buffers_size 512k;
+
+}
+
diff --git a/nginx/01/lan.conf b/nginx/01/lan.conf
new file mode 100644
index 0000000..f71eb9c
--- /dev/null
+++ b/nginx/01/lan.conf
@@ -0,0 +1,5 @@
+server {
+ listen 127.0.0.2:80;
+ server_name theia.local;
+ root /srv/www/lan;
+}
diff --git a/nginx/01/liberta.casa.conf b/nginx/01/liberta.casa.conf
new file mode 100644
index 0000000..c217c5d
--- /dev/null
+++ b/nginx/01/liberta.casa.conf
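Review bot: The `sso.casa` block sets `proxy_ssl_verify off` on the HTTPS hop to the `jboss` upstream, so the connection to the Keycloak nodes is encrypted but never authenticated; `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate <internal-CA-bundle>;` and `proxy_ssl_name <name-in-upstream-cert>;` (placeholders — the upstream certificate is not on the page) would close that. The same hop is wrapped in `proxy_cache backcache`, and caching responses from an identity provider risks serving one user's session-bound page to another; nginx does skip responses that carry `Set-Cookie` by default, but whether every sensitive Keycloak response is marked non-cacheable is not something this config should rely on, so dropping `proxy_cache` here (or limiting it to static theme paths) is the safer choice. This file also sets no `ssl_protocols` anywhere, unlike liberta.casa.conf, so the public SSO endpoint inherits the build default. omnidb.conf proxies to an HTTPS backend without any `proxy_ssl_verify` (default off) and tp.3gy.de.conf disables it explicitly too.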
@@ -0,0 +1,209 @@
+server {
+ server_name libertacasa.xyz libertacasa.info libcasa.info www.libertacasa.xyz www.libertacasa.info www.libcasa.info www.lib.casa www.liberta.casa;
+ listen 81.16.19.64:443 ssl http2;
+ listen [2a03:4000:47:58a::]:443 ssl http2;
+ #listen [::]:443 ssl http2;
+
+ root /srv/www/liberta.casa/static/website;
+
+ ssl_certificate /etc/ssl/lego/certificates/liberta.casa.crt;
+ ssl_certificate_key /etc/ssl/lego/certificates/liberta.casa.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+ resolver 127.0.0.4;
+
+ return 302 https://liberta.casa;
+}
+server {
+ server_name libertacasa.net libsh.net libsh.com libsso.net libsso.com;
+ listen 81.16.19.64:443 ssl http2;
+
+ root /srv/www/liberta.casa/static/website;
+
+ ssl_certificate /etc/ssl/lego/certificates/libertacasa.net.crt;
+ ssl_certificate_key /etc/ssl/lego/certificates/libertacasa.net.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+ resolver 127.0.0.4;
+
+ return 302 https://liberta.casa;
+}
+server {
+ server_name liberta.casa lib.casa;
+ listen 81.16.19.64:443 ssl http2;
+ listen [2a03:4000:47:58a::]:443 ssl http2;
+ #listen [::]:443 ssl http2;
+
+ root /srv/www/liberta.casa/static/website;
+
+ ssl_certificate /etc/ssl/lego/certificates/liberta.casa.crt;
+ ssl_certificate_key /etc/ssl/lego/certificates/liberta.casa.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+ resolver 127.0.0.4;
+
+ location / {
+ root /srv/www/liberta.casa/static/website;
+ index index.html;
+ add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
+ }
+
+ location /kiwi {
+ root /mnt/gluster01/web/liberta.casa;
+ index index.html;
+ try_files $uri $uri/ =404;
+ }
+
+ location /register {
+ proxy_pass http://127.0.0.1:8965;
+ add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
+ }
+
+ location /webirc {
+ proxy_pass http://192.168.0.110:8068;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location /libcasa {
+ root /srv/www/superseriousstats/libertacasa;
+ index index.html;
+ location ~ \.php$ {
+ fastcgi_pass 172.168.100.1:9100;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ }
+
+ }
+
+ location /libcasa.info {
+ root /srv/www/superseriousstats/libertacasa;
+ index index.html;
+ location ~ \.php$ {
+ fastcgi_pass 172.168.100.1:9100;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ }
+ }
+
+ location /gamja {
+ root /srv/www/gamja;
+ index index.html;
+ }
+
+ location /socket {
+ proxy_pass http://192.168.0.110:8068;
+ proxy_read_timeout 600s;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+# location /convos {
+# proxy_pass http://[::1]:8089;
+# proxy_read_timeout 600s;
+# proxy_http_version 1.1;
+# proxy_set_header X-Forwarded-For $remote_addr;
+# proxy_set_header X-Forwarded-Proto $scheme;
+# }
+#
+# location ~ ^/(asset|convos-api.yaml|emoji|font|images|themes) {
+# root /srv/www/convos/convos/public;
+# }
+
+ location /convos {
+ rewrite ^/convos/?(.*)$ /$1 break;
+ proxy_pass http://[::1]:8089;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Request-Base "$scheme://$host/convos";
+ }
+
+ location /candy {
+ root /srv/www/candy/;
+ index index.html;
+ add_header Access-Control-Allow-Origin *;
+ }
+ location /candy-source {
+ root /srv/www/candy/;
+ }
+
+ ## https://xmpp.org/extensions/xep-0156.html#http
+ ## Provides an alternative to SRV lookups, needed for compliance
+ location /.well-known/host-meta {
+ root /srv/www/xmpp;
+ default_type 'application/xrd+xml';
+ add_header Access-Control-Allow-Origin '*' always;
+ }
+ location /.well-known/host-meta.json {
+ root /srv/www/xmpp;
+ default_type 'application/jrd+json';
+ add_header Access-Control-Allow-Origin '*' always;
+ }
+
+ error_log /var/log/nginx/liberta.casa.err;
+
+}
+
+server {
+ server_name katyusha.liberta.casa;
+ listen 81.16.19.64:443 ssl http2;
+
+ ssl_certificate /etc/ssl/lego/certificates/irc.casa.crt;
+ ssl_certificate_key /etc/ssl/lego/certificates/irc.casa.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+ resolver 127.0.0.4;
+
+ location / {
+ proxy_pass http://[::1]:8086;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ access_log syslog:server=192.168.0.115:5014,tag=nginx_access_katyusha graylog_old;
+ error_log syslog:server=192.168.0.115:5014,tag=nginx_error_katyusha debug;
+}
diff --git a/nginx/01/matrix.conf b/nginx/01/matrix.conf
new file mode 100644
index 0000000..8f8f4be
--- /dev/null
+++ b/nginx/01/matrix.conf
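Review bot: The `katyusha.liberta.casa` block proxies with `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection "Upgrade";` but no `proxy_http_version 1.1;`, so nginx talks HTTP/1.0 to `[::1]:8086` and a WebSocket handshake cannot complete — every other upgrade location in this file sets the version explicitly, so add `proxy_http_version 1.1;` to that `location /`. The same block enables `ssl_stapling_verify on` with `ssl_trusted_certificate` commented out, whereas the liberta.casa blocks above point it at `/etc/ssl/ca-bundle.pem`; without a trust file the OCSP response is likely to fail verification and nginx then logs a warning and serves without a staple, and the same pattern recurs in every block of matrix.conf, mattermost.conf and tp.3gy.de.conf. The three redirect-only blocks set a `root` that is never used, which is harmless but reads as copy-paste. `katyusha` also ships `error_log ... debug` to remote syslog, which is very verbose for a production vhost.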
@@ -0,0 +1,240 @@
+##WEBSERVER DEFINITIONS FOR ALL MATRIX SERVICES ON LIBERTA.CASA
+
+##SYNAPSE
+server {
+ listen 81.16.19.64:443 ssl;
+
+ # For the federation port
+ listen 81.16.19.64:8448 ssl default_server;
+ listen 192.168.0.110:8448 ssl;
+
+ # For bridge
+ listen 127.0.0.2:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+ server_name matrix.liberta.casa;
+
+ location ~* ^(\/_matrix|\/_synapse\/client) {
+ proxy_pass http://[::1]:8077;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ client_max_body_size 50M;
+ }
+
+ location /.well-known/matrix/client {
+ return 200 '{"m.homeserver": {"base_url": "https://matrix.liberta.casa"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ }
+
+ location /.well-known/matrix/server {
+ return 200 '{"m.server": "matrix.liberta.casa:8448"}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ }
+
+
+ location / {
+ proxy_pass http://[::1]:8077/;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size 50M;
+ }
+
+ access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_synapse graylog;
+ error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_synapse debug;
+
+}
+
+#ELEMENT
+server {
+ listen 81.16.19.64:443 ssl;
+ server_name element.liberta.casa;
+
+ root /mnt/gluster01/web/matrix/element-libertacasa;
+
+ ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+ access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_element graylog;
+ error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_element debug;
+
+}
+server {
+ listen 81.16.19.64:443 ssl;
+ server_name m.liberta.casa;
+
+ ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ return 301 https://element.liberta.casa$request_uri;
+
+ access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_element graylog;
+ error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_element debug;
+
+}
+
+#SYDENT
+server {
+ listen 81.16.19.64:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+ server_name ident.matrix.liberta.casa;
+
+ location / {
+ proxy_pass http://127.0.0.4:8074/;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size 20M;
+ }
+
+ access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_sydent graylog;
+ error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_sydent debug;
+
+}
+
+#DIMENSION
+server {
+ server_name integrations.matrix.liberta.casa;
+ listen 81.16.19.64:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+ location / {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://127.0.0.1:8184;
+ }
+
+ access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_dimension graylog;
+ error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_dimension debug;
+
+}
+
+#KEYS
+server {
+ server_name keys.matrix.liberta.casa;
+ listen 81.16.19.64:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+ location / {
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://127.0.0.2:8076;
+ }
+
+ location /.well-known/matrix/client {
+ return 200 '{"m.homeserver": {"base_url": "https://keys.matrix.liberta.casa"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ }
+
+ location /.well-known/matrix/server {
+ return 200 '{"m.server": "keys.matrix.liberta.casa:443"}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ }
+
+ access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_keys graylog;
+ error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_keys debug;
+
+}
+
+#MAUBOT
+server {
+ server_name maubot.matrix.liberta.casa;
+ listen 81.16.19.64:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+# location /_matrix/maubot/v1/logs {
+# proxy_pass http://127.0.0.2:29419;
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection "Upgrade";
+# proxy_set_header X-Forwarded-For $remote_addr;
+# }
+
+ location / {
+ proxy_pass http://127.0.0.2:29419;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
+ access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_maubot graylog;
+ error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_maubot debug;
+
+}
diff --git a/nginx/01/mattermost.conf b/nginx/01/mattermost.conf
new file mode 100644
index 0000000..bcf9318
--- /dev/null
+++ b/nginx/01/mattermost.conf
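Review bot: In the SYNAPSE block the catch-all `location /` proxies every path to the same `[::1]:8077` as the `~* ^(\/_matrix|\/_synapse\/client)` location, which makes the regex location redundant and, more importantly, exposes `/_synapse/admin/*` on the public 443 and 8448 listeners; Synapse's reverse-proxy guidance is to forward only `/_matrix` and `/_synapse/client` so the admin API stays reachable from the host only. Dropping `location /` (or reducing it to `return 404;`) and keeping the regex location is the change; the `/.well-known/matrix/*` responses already have their own locations. The KEYS and MAUBOT blocks set `ssl_protocols TLSv1.2;` alone while the rest of the file allows `TLSv1.3 TLSv1.2`, which reads as an oversight rather than intent, and the `m.liberta.casa` redirect block sets no `ssl_protocols` at all. Every block here enables `ssl_stapling_verify on` without an `ssl_trusted_certificate`.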
@@ -0,0 +1,74 @@
+upstream mattermost {
+ server 127.0.0.2:8065;
+ keepalive 32;
+}
+
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
+
+server {
+ listen 81.16.19.64:443 ssl http2;
+ listen 192.168.0.110:443 ssl http2;
+ server_name mattermost.casa;
+
+ http2_push_preload on;
+
+ ssl_certificate /etc/letsencrypt/live/mattermost.casa/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/mattermost.casa/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_early_data on;
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+ #ssl_session_cache shared:SSL:50m;
+ add_header Strict-Transport-Security max-age=15768000;
+ #add_header X-Early-Data $tls1_3_early_data;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+ location /libcasa/channels/town-square {
+ return https://mattermost.casa/libcasa/channels/libcasa;
+ }
+
+ location ~ /api/v[0-9]+/(users/)?websocket$ {
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ client_max_body_size 50M;
+ proxy_buffers 256 16k;
+ proxy_buffer_size 16k;
+ client_body_timeout 60;
+ send_timeout 300;
+ lingering_timeout 5;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 300;
+ proxy_read_timeout 90s;
+ proxy_http_version 1.1;
+ proxy_pass http://mattermost;
+ }
+
+ location / {
+ proxy_set_header Connection "";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+ client_max_body_size 50M;
+ proxy_buffers 256 16k;
+ proxy_buffer_size 16k;
+ proxy_read_timeout 600s;
+ proxy_cache mattermost_cache;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 2;
+ proxy_cache_use_stale timeout;
+ proxy_cache_lock on;
+ proxy_http_version 1.1;
+ proxy_pass http://mattermost;
+ }
+}
diff --git a/nginx/01/mirror.conf b/nginx/01/mirror.conf
new file mode 100644
index 0000000..f7a0d9b
--- /dev/null
+++ b/nginx/01/mirror.conf
@@ -0,0 +1,18 @@
+server {
+ listen 45.129.182.13:443 ssl http2;
+ listen [2a03:4000:47:58a::]:443 ssl http2;
+
+ server_name 3zy.de;
+
+ ssl_certificate /etc/letsencrypt/live/3zy.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/3zy.de/privkey.pem;
+
+ location / {
+ root /mnt/gluster01/mirror;
+# fancyindex on;
+# fancyindex_exact_size on;
+ autoindex on;
+ autoindex_exact_size on;
+ autoindex_localtime on;
+ }
+}
diff --git a/nginx/01/nsedit.conf b/nginx/01/nsedit.conf
new file mode 100644
index 0000000..ed4c311
--- /dev/null
+++ b/nginx/01/nsedit.conf
@@ -0,0 +1,16 @@
+include php-fpm;
+
+server {
+ listen 192.168.0.110:8083 ssl;
+ server_name nsedit1-local.secure.squirrelcube.xyz;
+ root /mnt/gluster01/web/nsedit1;
+ index index.php;
+
+ ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+ location / {
+ }
+
+ include php;
+}
diff --git a/nginx/01/omnidb.conf b/nginx/01/omnidb.conf
new file mode 100644
index 0000000..09a261b
--- /dev/null
+++ b/nginx/01/omnidb.conf
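Review bot: `ssl_early_data on` in the `mattermost.casa` block accepts TLS 1.3 0-RTT data, which is replayable, and nothing tells the application which requests arrived that way; the commented `add_header X-Early-Data $tls1_3_early_data` refers to a variable nginx does not define, and the nginx-documented approach is `proxy_set_header Early-Data $ssl_early_data;` in both proxied locations so Mattermost can reject replayed non-idempotent requests (or drop `ssl_early_data` if that is not handled upstream). `proxy_set_header X-Frame-Options SAMEORIGIN;` sets a request header toward the upstream, not a response header to browsers; if clickjacking protection is the intent it needs `add_header X-Frame-Options SAMEORIGIN always;` (the line resembles Mattermost's sample config, which has the same quirk). `proxy_set_header X-Real-IP $remote_addr;` appears twice in the websocket location. HSTS here is `max-age=15768000` without `always` and there is no `ssl_session_cache`, both differing from the other files in this commit and worth aligning.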
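Review bot: `include php-fpm;` is active at the top of this file while the identical line is commented out in adminer.conf, and if that snippet defines an `upstream` (or any other http-level object) then including it from more than one vhost file is a duplicate definition at `nginx -t` time — presumably the reason it was disabled in adminer.conf. A single include at `http` level in the main config, with only `include php;` per server block, avoids the question entirely. As with adminer.conf, this nsedit listener on 192.168.0.110:8083 has no `auth_basic` or `allow`/`deny` while dnsui.conf protects every location; nsedit edits DNS zones, so the same server-level restriction seems warranted.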
@@ -0,0 +1,41 @@
+server {
+ listen 127.0.0.2:8085 ssl;
+ server_name omnidb-local.one.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+ location / {
+ proxy_pass https://omnidb-backend.one.secure.squirrelcube.xyz:8086;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Ssl https;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Port 443;
+ proxy_set_header Host $host;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
+server {
+ listen 45.129.182.13:25483 ssl;
+ listen [2a03:4000:47:58a::]:25483 ssl;
+ server_name omnidb1.one.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+ location / {
+ proxy_pass https://omnidb-backend.one.secure.squirrelcube.xyz:25482;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Ssl https;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Port 25483;
+ proxy_set_header Host $host;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
diff --git a/nginx/01/tp.3gy.de.conf b/nginx/01/tp.3gy.de.conf
new file mode 100644
index 0000000..52140a4
--- /dev/null
+++ b/nginx/01/tp.3gy.de.conf
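Review bot: Both blocks proxy to `https://omnidb-backend.one.secure.squirrelcube.xyz:…` without any `proxy_ssl_verify`, and nginx's default for that directive is `off`, so the backend certificate is never checked on either hop; if the backend presents a publicly trusted chain, `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate /etc/ssl/ca-bundle.pem;` (the bundle liberta.casa.conf already uses) and `proxy_ssl_server_name on;` is all that is needed. The first block listens on `127.0.0.2:8085` but advertises `X-Forwarded-Port 443` to the backend, whereas the second correctly sends `25483` for its listener — `proxy_set_header X-Forwarded-Port $server_port;` in both keeps them in sync. Neither block sets `ssl_protocols`, unlike liberta.casa.conf, and the public second block exposes a database admin UI on 25483 with no access restriction beyond the application's own login.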
@@ -0,0 +1,28 @@
+server {
+ server_name tp.3gy.de one.tp.3gy.de *.one.secure.squirrelcube.xyz;
+ listen 45.129.182.13:443 ssl;
+ listen [2a03:4000:47:58a::]:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.3;
+ #ssl_ciphers
+ #ssl_prefer_server_ciphers
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 127.0.0.4;
+
+ location / {
+ proxy_pass https://[::1]:3080/;
+ proxy_ssl_verify off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ proxy_read_timeout 3600;
+ }
+}
diff --git a/nginx/01/xmpp.conf b/nginx/01/xmpp.conf
new file mode 100644
index 0000000..c86713b
--- /dev/null
+++ b/nginx/01/xmpp.conf
@@ -0,0 +1,301 @@
+#Prosody (DEPRECATED!)
+#server {
+# listen 81.16.19.64:443 ssl http2;
+# listen [2a03:4000:47:58a::]:443 ssl http2;
+# server_name xmpp.liberta.casa;
+#
+# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
+# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
+# ssl_session_timeout 1d;
+# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+# ssl_session_tickets off;
+#
+# ssl_protocols TLSv1.3 TLSv1.2;
+# ssl_prefer_server_ciphers off;
+# add_header Strict-Transport-Security "max-age=63072000" always;
+# ssl_stapling on;
+# ssl_stapling_verify on;
+# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+# resolver 127.0.0.4;
+#
+# location / {
+# proxy_pass http://[::1]:5280;
+# proxy_set_header X-Forwarded-For $remote_addr;
+# proxy_set_header Host $host;
+#
+# }
+#
+# location /xmpp-websocket {
+# proxy_pass http://[::1]:5280/xmpp-websocket;
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection "Upgrade";
+# proxy_set_header X-Forwarded-Proto $scheme;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header Host $host;
+# proxy_read_timeout 900s;
+# }
+# location /candy/http-bind {
+# proxy_pass https://127.0.0.2:5443/http-bind;
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection "Upgrade";
+# proxy_set_header X-Forwarded-Proto $scheme;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header Host $host;
+# proxy_read_timeout 900s;
+# }
+# location /candy {
+# root /srv/www/candy/;
+# index index.html;
+# }
+# location /candy-source {
+# root /srv/www/candy/;
+# }
+#}
+
+#mod_http_upload_external
+
+#server {
+# listen 81.16.19.64:443 ssl http2;
+# listen [2a03:4000:47:58a::]:443 ssl http2;
+#
+# server_name up.xmpp.liberta.casa;
+#
+# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
+# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
+# ssl_session_timeout 1d;
+# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+# ssl_session_tickets off;
+#
+# ssl_protocols TLSv1.3 TLSv1.2;
+# ssl_prefer_server_ciphers off;
+# add_header Strict-Transport-Security "max-age=63072000" always;
+# ssl_stapling on;
+# ssl_stapling_verify on;
+# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+# resolver 127.0.0.4;
+#
+## client_max_body_size 50m;
+#
+# location / {
+# if ( $request_method = OPTIONS ) {
+# add_header Access-Control-Allow-Origin '*';
+# add_header Access-Control-Allow-Methods 'PUT, GET, OPTIONS, HEAD';
+# add_header Access-Control-Allow-Headers 'Authorization, Content-Type';
+# add_header Access-Control-Allow-Credentials 'true';
+# add_header Content-Length 0;
+# add_header Content-Type text/plain;
+# return 200;
+# }
+# proxy_pass http://[::1]:5050/upload/;
+# proxy_request_buffering off;
+# }
+#}
+
+#server {
+# listen 81.16.19.64:443 ssl http2;
+# listen [2a03:4000:47:58a::]:443 ssl http2;
+# server_name xmpp.lib.casa;
+#
+# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
+# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
+# ssl_session_timeout 1d;
+# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+# ssl_session_tickets off;
+#
+# ssl_protocols TLSv1.3 TLSv1.2;
+# ssl_prefer_server_ciphers off;
+# add_header Strict-Transport-Security "max-age=63072000" always;
+# ssl_stapling on;
+# ssl_stapling_verify on;
+# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+# resolver 127.0.0.4;
+#
+# location / {
+# root /srv/www/jappix;
+# index index.php;
+# location ~ \.php$ {
+# fastcgi_pass 172.168.100.1:9100;
+# include fastcgi_params;
+# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+# }
+# }
+#
+# error_log /var/log/nginx/xmpp.lib.casa.err;
+#}
+
+
+####
+## ejabberd
+####
+
+## mod_http_upload
+
+perl_modules /usr/local/lib/perl;
+perl_require upload.pm;
+
+server {
+ listen 81.16.19.64:443 ssl http2;
+ listen [2a03:4000:47:58a::]:443 ssl http2;
+ listen 127.0.0.2:443 ssl http2;
+ server_name up.xmpp.lib.casa up.xmpp.liberta.casa;
+
+ ssl_certificate /etc/ssl/lego/certificates/xmpp.liberta.casa.crt;
+ ssl_certificate_key /etc/ssl/lego/certificates/xmpp.liberta.casa.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+ resolver 127.0.0.4;
+
+ root /opt/ejabberd/upload;
+
+ location / {
+ perl upload::handle;
+ }
+
+ client_max_body_size 40m;
+
+# location / {
+# if ( $request_method = OPTIONS ) {
+# add_header Access-Control-Allow-Origin '*';
+# add_header Access-Control-Allow-Methods 'PUT, GET, OPTIONS, HEAD';
+# add_header Access-Control-Allow-Headers 'Authorization, Content-Type';
+# add_header Access-Control-Allow-Credentials 'true';
+# add_header Content-Length 0;
+# add_header Content-Type text/plain;
+# return 200;
+# }
+# proxy_pass http://127.0.0.2:5443;
+# proxy_request_buffering off;
+# }
+
+ error_log /var/log/nginx/up.xmpp.lib.casa.err;
+}
+
+
+## Everything
+
+server {
+ listen 81.16.19.64:443 ssl http2;
+ listen [2a03:4000:47:58a::]:443 ssl http2;
+ server_name xmpp.liberta.casa xmpp.lib.casa jabber.liberta.casa jabber.lib.casa;
+
+ ssl_certificate /etc/ssl/lego/certificates/xmpp.liberta.casa.crt;
+ ssl_certificate_key /etc/ssl/lego/certificates/xmpp.liberta.casa.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+ resolver 127.0.0.4;
+
+ #location / {
+ # proxy_pass https://127.0.0.2:5443;
+ # proxy_set_header X-Forwarded-For $remote_addr;
+ # proxy_set_header Host $host;
+ #
+ #}
+
+ location / {
+ root /srv/www/xmpp;
+ index index.html;
+ }
+
+ location /upload {
+ return https://up.xmpp.lib.casa;
+ }
+
+ location /bosh {
+ proxy_pass https://127.0.0.2:5443;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ }
+
+ location /ws {
+ proxy_pass https://127.0.0.2:5443;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ }
+
+# location /xmpp-websocket {
+# proxy_pass http://[::1]:5280/xmpp-websocket;
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection "Upgrade";
+# proxy_set_header X-Forwarded-Proto $scheme;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header Host $host;
+# proxy_read_timeout 900s;
+# }
+ location /candy/http-bind {
+ proxy_pass https://127.0.0.2:5443/http-bind;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_read_timeout 900s;
+ }
+ location /candy {
+ root /srv/www/candy/;
+ index index.html;
+ }
+ location /candy-source {
+ root /srv/www/candy/;
+ }
+
+ error_log /var/log/nginx/xmpp.lib.casa.err;
+
+}
+
+
+## ejabberd_web_admin
+
+server {
+ listen 127.0.0.2:443 ssl http2;
+ server_name ejabberd-local.one.secure.squirrelcube.xyz;
+
+ ssl_certificate /etc/ssl/tp/fullchain.pem;
+ ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+ resolver 127.0.0.4;
+
+ location / {
+ proxy_pass http://127.0.0.2:5280;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host;
+
+ }
+}
+
-- cgit v1.2.3
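Review bot: In the `up.xmpp.*` server, `location / { perl upload::handle; }` routes every request on the public listeners — including PUT bodies up to `client_max_body_size 40m` — into `upload.pm`, which this commit does not add, so all authorization (the mod_http_upload slot check) and path handling under `root /opt/ejabberd/upload` is decided outside this file and is invisible from the nginx side. Add a comment above that location, e.g. `# upload.pm (perl_require above) is the sole access control for PUT/GET/HEAD on this host; nginx adds none`, so the dependency is explicit to whoever edits this block next. In the "Everything" server, `location /candy { root /srv/www/candy/; }` resolves `/candy/index.html` to `/srv/www/candy/candy/index.html` because `root` appends the full URI; if the files live directly in `/srv/www/candy/`, this wants `alias /srv/www/candy/;` instead (the same applies to `/candy-source`). The `ssl_stapling_verify on;` without `ssl_trusted_certificate` point raised on tp.3gy.de.conf applies to all four active servers here, where the directive is left commented.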