diff options
| author | crupest <crupest@outlook.com> | 2024-11-11 01:12:29 +0800 |
|---|---|---|
| committer | Yuqian Yang <crupest@crupest.life> | 2024-12-22 17:45:13 +0800 |
| commit | b834953fa61d816b9a955640ad12d244316ce904 (patch) | |
| tree | 4197980a04943b42941d3fce7cb16d1f7ea400bd /templates/nginx | |
| parent | 7e85627eb0d0126baf1e698ffdeae0f3c5fc693d (diff) | |
| download | crupest-b834953fa61d816b9a955640ad12d244316ce904.tar.gz crupest-b834953fa61d816b9a955640ad12d244316ce904.tar.bz2 crupest-b834953fa61d816b9a955640ad12d244316ce904.zip | |
HALF WORK: 2024.12.22
code.
Diffstat (limited to 'templates/nginx')
| -rw-r--r-- | templates/nginx/2fa.conf.template | 19 | ||||
| -rw-r--r-- | templates/nginx/code.conf.template | 22 | ||||
| -rw-r--r-- | templates/nginx/common/acme-challenge | 3 | ||||
| -rw-r--r-- | templates/nginx/common/https-redirect | 3 | ||||
| -rw-r--r-- | templates/nginx/common/proxy-common | 7 | ||||
| -rw-r--r-- | templates/nginx/forbid_unknown_domain.conf | 8 | ||||
| -rw-r--r-- | templates/nginx/git.conf.template | 22 | ||||
| -rw-r--r-- | templates/nginx/mail.conf.template | 27 | ||||
| -rw-r--r-- | templates/nginx/root.conf.template | 28 | ||||
| -rw-r--r-- | templates/nginx/ssl.conf.template | 17 | ||||
| -rw-r--r-- | templates/nginx/timeline.conf.template | 7 | ||||
| -rw-r--r-- | templates/nginx/websocket.conf | 4 |
12 files changed, 167 insertions, 0 deletions
diff --git a/templates/nginx/2fa.conf.template b/templates/nginx/2fa.conf.template new file mode 100644 index 0000000..aad66c1 --- /dev/null +++ b/templates/nginx/2fa.conf.template @@ -0,0 +1,19 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name 2fa.${CRUPEST_DOMAIN}; + + location / { + include common/proxy-common; + proxy_pass http://2fauth:8000/; + } +} + +server { + listen 80; + listen [::]:80; + server_name 2fa.${CRUPEST_DOMAIN}; + + include common/https-redirect; + include common/acme-challenge; +} diff --git a/templates/nginx/code.conf.template b/templates/nginx/code.conf.template new file mode 100644 index 0000000..a67500d --- /dev/null +++ b/templates/nginx/code.conf.template @@ -0,0 +1,22 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name code.${CRUPEST_DOMAIN}; + + location / { + include common/proxy-common; + proxy_pass http://debian-dev:8080/; + } + + client_max_body_size 5G; +} + + +server { + listen 80; + listen [::]:80; + server_name code.${CRUPEST_DOMAIN}; + + include common/https-redirect; + include common/acme-challenge; +} diff --git a/templates/nginx/common/acme-challenge b/templates/nginx/common/acme-challenge new file mode 100644 index 0000000..26054b8 --- /dev/null +++ b/templates/nginx/common/acme-challenge @@ -0,0 +1,3 @@ +location /.well-known/acme-challenge { + root /srv/acme; +} diff --git a/templates/nginx/common/https-redirect b/templates/nginx/common/https-redirect new file mode 100644 index 0000000..56d095d --- /dev/null +++ b/templates/nginx/common/https-redirect @@ -0,0 +1,3 @@ +location / { + return 301 https://$host$request_uri; +} diff --git a/templates/nginx/common/proxy-common b/templates/nginx/common/proxy-common new file mode 100644 index 0000000..4193548 --- /dev/null +++ b/templates/nginx/common/proxy-common @@ -0,0 +1,7 @@ +proxy_http_version 1.1; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection $connection_upgrade; +proxy_set_header Host $host; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; +proxy_set_header X-Real-IP $remote_addr; diff --git a/templates/nginx/forbid_unknown_domain.conf b/templates/nginx/forbid_unknown_domain.conf new file mode 100644 index 0000000..ae96393 --- /dev/null +++ b/templates/nginx/forbid_unknown_domain.conf @@ -0,0 +1,8 @@ +server { + listen 80 default_server; + listen [::]:80 default_server; + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2 default_server; + + return 444; +} diff --git a/templates/nginx/git.conf.template b/templates/nginx/git.conf.template new file mode 100644 index 0000000..ea2a627 --- /dev/null +++ b/templates/nginx/git.conf.template @@ -0,0 +1,22 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name git.${CRUPEST_DOMAIN}; + + location / { + include common/proxy-common; + proxy_pass http://forgejo:3000/; + } + + client_max_body_size 5G; +} + + +server { + listen 80; + listen [::]:80; + server_name git.${CRUPEST_DOMAIN}; + + include common/https-redirect; + include common/acme-challenge; +} diff --git a/templates/nginx/mail.conf.template b/templates/nginx/mail.conf.template new file mode 100644 index 0000000..ba2e44e --- /dev/null +++ b/templates/nginx/mail.conf.template @@ -0,0 +1,27 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name mail.${CRUPEST_DOMAIN}; + + location / { + include common/proxy-common; + proxy_pass http://roundcubemail:80/; + } + + location /rspamd/ { + include common/proxy-common; + proxy_pass http://mailserver:11334/; + } + + client_max_body_size 5G; +} + + +server { + listen 80; + listen [::]:80; + server_name mail.${CRUPEST_DOMAIN}; + + include common/https-redirect; + include common/acme-challenge; +} diff --git a/templates/nginx/root.conf.template b/templates/nginx/root.conf.template new file mode 100644 index 0000000..3f20cf1 --- /dev/null +++ b/templates/nginx/root.conf.template @@ -0,0 +1,28 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name ${CRUPEST_DOMAIN}; + + location / { + root /srv/www; + } + + location /_$CRUPEST_V2RAY_PATH { + if ($http_upgrade != "websocket") { + return 404; + } + + proxy_redirect off; + include common/proxy-common; + proxy_pass http://v2ray:10000; + } +} + +server { + listen 80; + listen [::]:80; + server_name ${CRUPEST_DOMAIN}; + + include common/https-redirect; + include common/acme-challenge; +} diff --git a/templates/nginx/ssl.conf.template b/templates/nginx/ssl.conf.template new file mode 100644 index 0000000..54205f1 --- /dev/null +++ b/templates/nginx/ssl.conf.template @@ -0,0 +1,17 @@ +# This file contains important security parameters. If you modify this file +# manually, Certbot will be unable to automatically provide future security +# updates. Instead, Certbot will print and log an error message with a path to +# the up-to-date file that you will need to refer to when manually updating +# this file. Contents are based on https://ssl-config.mozilla.org + +ssl_certificate /etc/letsencrypt/live/${CRUPEST_DOMAIN}/fullchain.pem; +ssl_certificate_key /etc/letsencrypt/live/${CRUPEST_DOMAIN}/privkey.pem; + +ssl_session_cache shared:le_nginx_SSL:10m; +ssl_session_timeout 1440m; +ssl_session_tickets off; + +ssl_protocols TLSv1.2 TLSv1.3; +ssl_prefer_server_ciphers off; + +ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; diff --git a/templates/nginx/timeline.conf.template b/templates/nginx/timeline.conf.template new file mode 100644 index 0000000..db908e8 --- /dev/null +++ b/templates/nginx/timeline.conf.template @@ -0,0 +1,7 @@ +server { + listen 80; + listen [::]:80; + server_name timeline.${CRUPEST_DOMAIN}; + + include common/acme-challenge; +} diff --git a/templates/nginx/websocket.conf b/templates/nginx/websocket.conf new file mode 100644 index 0000000..32af4c3 --- /dev/null +++ b/templates/nginx/websocket.conf @@ -0,0 +1,4 @@ +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} |