Diffstat (limited to 'template2/nginx')
| -rw-r--r-- | template2/nginx/domain.conf.template | 19 | ||||
| -rw-r--r-- | template2/nginx/global/client-max-body-size.conf | 1 | ||||
| -rw-r--r-- | template2/nginx/global/forbid-unknown-domain.conf | 8 | ||||
| -rw-r--r-- | template2/nginx/global/ssl.conf.template | 17 | ||||
| -rw-r--r-- | template2/nginx/global/websocket.conf | 4 | ||||
| -rw-r--r-- | template2/nginx/http/444.segment | 3 | ||||
| -rw-r--r-- | template2/nginx/http/redirect-to-https.segment | 3 | ||||
| -rw-r--r-- | template2/nginx/https/redirect.segment.template | 7 | ||||
| -rw-r--r-- | template2/nginx/https/reverse-proxy.segment.template | 10 | ||||
| -rw-r--r-- | template2/nginx/https/static-file.no-strip-prefix.segment.template | 3 | ||||
| -rw-r--r-- | template2/nginx/https/static-file.segment.template | 3 | ||||
| -rw-r--r-- | template2/nginx/server.schema.json | 96 | ||||
| -rw-r--r-- | template2/nginx/server.ts | 66 | 
13 files changed, 240 insertions, 0 deletions
| diff --git a/template2/nginx/domain.conf.template b/template2/nginx/domain.conf.template
new file mode 100644
index 0000000..7fa2d7a
--- /dev/null
+++ b/template2/nginx/domain.conf.template
@@ -0,0 +1,19 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name ${DOMAIN};
+
+${HTTPS_SEGMENT}
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name ${DOMAIN};
+
+${HTTP_SEGMENT}
+
+    location /.well-known/acme-challenge {
+        root /srv/acme;
+    }
+}
diff --git a/template2/nginx/global/client-max-body-size.conf b/template2/nginx/global/client-max-body-size.conf
new file mode 100644
index 0000000..a2b1c00
--- /dev/null
+++ b/template2/nginx/global/client-max-body-size.conf
@@ -0,0 +1 @@
+client_max_body_size 5G;
diff --git a/template2/nginx/global/forbid-unknown-domain.conf b/template2/nginx/global/forbid-unknown-domain.conf
new file mode 100644
index 0000000..ae96393
--- /dev/null
+++ b/template2/nginx/global/forbid-unknown-domain.conf
@@ -0,0 +1,8 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+
+    return 444;
+}
diff --git a/template2/nginx/global/ssl.conf.template b/template2/nginx/global/ssl.conf.template
new file mode 100644
index 0000000..ff70f5a
--- /dev/null
+++ b/template2/nginx/global/ssl.conf.template
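Review bot: The ACME location in the port-80 server is only reachable because both HTTP segments shipped in this commit use a plain `location /` prefix; a future segment that introduces a regex location would shadow it, since nginx prefers regex locations over prefix ones regardless of order. Pinning it as `location ^~ /.well-known/acme-challenge {` makes the challenge path win unconditionally and keeps renewals working. Separately, server_name is `${DOMAIN}` while ssl.conf.template loads the certificate from `/etc/letsencrypt/live/${ROOT_DOMAIN}/`, so this presumably relies on the root-domain certificate carrying every sub-domain as a SAN or wildcard — worth stating in a comment at the top of this template so the coupling is visible.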
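Review bot: `client_max_body_size 5G;` in a global include applies to every location of every virtual host, including the 444 and redirect segments and the ACME challenge path, which never need a request body. Scoping it to the reverse-proxy segment (inside its `location ${PATH}/` block) limits the amount of data a client can push at endpoints that only return a status. Note also that nginx buffers proxied request bodies to disk by default, so a 5G ceiling presumably means up to 5G of temp-file space per in-flight request; if that is intended, a short comment explaining the choice would help the next reader.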
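Review bot: The catch-all 443 server still completes a TLS handshake before returning 444, so it must present some certificate — presumably the `${ROOT_DOMAIN}` one inherited from ssl.conf.template — and a client probing with an unknown SNI learns the real certificate and its names before being dropped. Since nginx 1.19.4 this block can instead say `ssl_reject_handshake on;`, which refuses the handshake for unknown names without presenting a certificate; on older builds the current form is the best available. Where ssl.conf.template is included (http level or per server) is not visible here, so if it is not inherited at http level this default server would fail to start without its own ssl_certificate lines.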
@@ -0,0 +1,17 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file. Contents are based on https://ssl-config.mozilla.org
+
+ssl_certificate /etc/letsencrypt/live/${ROOT_DOMAIN}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/${ROOT_DOMAIN}/privkey.pem;
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
diff --git a/template2/nginx/global/websocket.conf b/template2/nginx/global/websocket.conf
new file mode 100644
index 0000000..32af4c3
--- /dev/null
+++ b/template2/nginx/global/websocket.conf
@@ -0,0 +1,4 @@
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
diff --git a/template2/nginx/http/444.segment b/template2/nginx/http/444.segment
new file mode 100644
index 0000000..fe490d4
--- /dev/null
+++ b/template2/nginx/http/444.segment
@@ -0,0 +1,3 @@
+location / {
+    return 444;
+}
diff --git a/template2/nginx/http/redirect-to-https.segment b/template2/nginx/http/redirect-to-https.segment
new file mode 100644
index 0000000..56d095d
--- /dev/null
+++ b/template2/nginx/http/redirect-to-https.segment
@@ -0,0 +1,3 @@
+location / {
+    return 301 https://$host$request_uri;
+}
diff --git a/template2/nginx/https/redirect.segment.template b/template2/nginx/https/redirect.segment.template
new file mode 100644
index 0000000..028f617
--- /dev/null
+++ b/template2/nginx/https/redirect.segment.template
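Review bot: The five-line header comment is the one Certbot ships in its own options-ssl-nginx.conf, and it is no longer true for this templated copy: Certbot does not manage a file it did not write, so it will neither refresh these parameters nor warn about manual edits, and a reader who trusts the comment will assume updates happen automatically. Replace it with something honest such as `# Copied from Certbot's options-ssl-nginx.conf (itself based on https://ssl-config.mozilla.org). Not managed by Certbot: review protocols/ciphers periodically.` The Mozilla intermediate profile this is "based on" also sets `add_header Strict-Transport-Security "max-age=63072000" always;`, which is absent here; whether it belongs in this include or in the 443 server of domain.conf.template depends on where this file is included, which the commit does not show.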
@@ -0,0 +1,7 @@
+location = ${PATH} {
+    return ${REDIRECT_CODE} ${REDIRECT_URL};
+}
+
+location ^${PATH}/(?<redirect_path>.*)$ {
+    return ${REDIRECT_CODE} ${REDIRECT_URL}/$redirect_path;
+}
diff --git a/template2/nginx/https/reverse-proxy.segment.template b/template2/nginx/https/reverse-proxy.segment.template
new file mode 100644
index 0000000..85a942e
--- /dev/null
+++ b/template2/nginx/https/reverse-proxy.segment.template
@@ -0,0 +1,10 @@
+location ${PATH}/ {
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_pass http://${UPSTREAM};
+}
diff --git a/template2/nginx/https/static-file.no-strip-prefix.segment.template b/template2/nginx/https/static-file.no-strip-prefix.segment.template
new file mode 100644
index 0000000..4e829ba
--- /dev/null
+++ b/template2/nginx/https/static-file.no-strip-prefix.segment.template
@@ -0,0 +1,3 @@
+location ${PATH}/ {
+    root ${ROOT};
+}
diff --git a/template2/nginx/https/static-file.segment.template b/template2/nginx/https/static-file.segment.template
new file mode 100644
index 0000000..683cad3
--- /dev/null
+++ b/template2/nginx/https/static-file.segment.template
@@ -0,0 +1,3 @@
+location ${PATH}/ {
+    alias ${ROOT};
+}
diff --git a/template2/nginx/server.schema.json b/template2/nginx/server.schema.json
new file mode 100644
index 0000000..a19c131
--- /dev/null
+++ b/template2/nginx/server.schema.json
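Review bot: The second location is missing the regex modifier, so nginx reads `^${PATH}/(?<redirect_path>.*)$` as a literal prefix string starting with `^`, which no request URI ever matches, and `$redirect_path` is never populated; it should be `location ~ ^${PATH}/(?<redirect_path>.*)$ {`. Once it is a regex, the server.ts comment that `path` must contain no regex metacharacters becomes a hard requirement that only the generator can enforce, since a path such as `/a.b` would otherwise match `/aXb/...` as well. The documented root-path special case `/` also expands here to `location = /` plus `^//(...)`, which presumably needs handling in the generator (not part of this commit) rather than in this template.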
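Review bot: With the documented root path `/`, `location ${PATH}/ {` expands to `location // {`, which never matches because nginx collapses repeated slashes before location matching (merge_slashes is on by default); the same expansion appears in static-file.no-strip-prefix.segment.template and static-file.segment.template, so either the generator must special-case `/` or the templates need a root variant. Two operational caveats for the proxy block are worth a comment: `$proxy_add_x_forwarded_for` appends to whatever X-Forwarded-For the client sent, so the upstream must trust only the last entry (or the `X-Real-IP` header set here from `$remote_addr`) when it uses the client address for access decisions or logging; and because the Upgrade/Connection headers make this the WebSocket path, idle connections will be closed by the default 60s `proxy_read_timeout` unless a longer `proxy_read_timeout` is set in this block.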
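Review bot: `alias ${ROOT};` with a location that ends in `/` resolves files to the wrong path: nginx replaces the matched prefix `${PATH}/` with the alias value verbatim, so with the documented inputs `path: /a/b`, `root: /e/f` a request for `/a/b/c/d` maps to `/e/fc/d` rather than `/e/f/c/d`. The alias value must carry the same trailing slash as the location, i.e. `alias ${ROOT}/;` (or the generator must emit `root` with one). The `root`-based no-strip-prefix variant is unaffected, since `root` simply concatenates the full URI.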
@@ -0,0 +1,96 @@
+{
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "definitions": {
+        "RedirectService": {
+            "properties": {
+                "code": {
+                    "type": "number"
+                },
+                "path": {
+                    "type": "string"
+                },
+                "to": {
+                    "type": "string"
+                },
+                "type": {
+                    "enum": [
+                        "redirect"
+                    ],
+                    "type": "string"
+                }
+            },
+            "type": "object"
+        },
+        "ReverseProxyService": {
+            "properties": {
+                "path": {
+                    "type": "string"
+                },
+                "type": {
+                    "enum": [
+                        "reverse-proxy"
+                    ],
+                    "type": "string"
+                },
+                "upstream": {
+                    "type": "string"
+                }
+            },
+            "type": "object"
+        },
+        "StaticFileService": {
+            "properties": {
+                "no_strip_prefix": {
+                    "type": "boolean"
+                },
+                "path": {
+                    "type": "string"
+                },
+                "root": {
+                    "type": "string"
+                },
+                "type": {
+                    "enum": [
+                        "static-file"
+                    ],
+                    "type": "string"
+                }
+            },
+            "type": "object"
+        },
+        "SubDomain": {
+            "properties": {
+                "name": {
+                    "type": "string"
+                },
+                "services": {
+                    "items": {
+                        "anyOf": [
+                            {
+                                "$ref": 
"#/definitions/RedirectService"
+                            },
+                            {
+                                "$ref": "#/definitions/StaticFileService"
+                            },
+                            {
+                                "$ref": "#/definitions/ReverseProxyService"
+                            }
+                        ]
+                    },
+                    "type": "array"
+                }
+            },
+            "type": "object"
+        }
+    },
+    "properties": {
+        "domains": {
+            "items": {
+                "$ref": "#/definitions/SubDomain"
+            },
+            "type": "array"
+        }
+    },
+    "type": "object"
+}
+
diff --git a/template2/nginx/server.ts b/template2/nginx/server.ts
new file mode 100644
index 0000000..ffd64b7
--- /dev/null
+++ b/template2/nginx/server.ts
@@ -0,0 +1,66 @@
+// Used to generate json schema.
+
+// path should start with "/", end without "/" and contain no special characters in regex.
+// the special case is root path "/", which is allowed.
+
+// For example:
+// Given
+//   path: /a/b
+//   to: http://c.com/d
+// Then (no_strip_prefix is false)
+//   url: /a/b/c
+//   redirect to: http://c.com/d/c (/a/b is removed)
+// Note:
+// Contrary to reverse proxy, you would always want to strip the prefix path.
+// Because there is no meaning to redirect to the new page with the original path.
+// If you want a domain-only redirect, just specify the path as "/".
+export interface RedirectService {
+  type: "redirect";
+  path: string; // must be a path, should start with "/", end without "/"
+  to: string; // must be a url, should start with scheme (http:// or https://), end without "/"
+  code?: number; // default to 307
+}
+
+// For example:
+// Given
+//   path: /a/b
+//   root: /e/f
+// Then (no_strip_prefix is false)
+//   url: /a/b/c/d
+//   file path: /e/f/c/d (/a/b is removed)
+// Or (no_strip_prefix is true)
+//   url: /a/b/c/d
+//   file path: /e/f/a/b/c/d
+export interface StaticFileService {
+  type: "static-file";
+  path: string; // must be a path, should start with "/", end without "/"
+  root: string; // must be a path (directory), should start with "/", end without "/"
+  no_strip_prefix?: boolean; // default to false. If true, the path prefix is not removed from the url when finding the file.
+}
+
+// For example:
+// Given
+//   path: /a/b
+//   upstream: another-server:1234
+// Then
+//   url: /a/b/c/d
+//   proxy to: another-server:1234/a/b/c/d
+// Note:
+//   Contrary to redirect, you would always want to keep the prefix path.
+//   Because the upstream server will mess up the path handling if the prefix is not kept.
+export interface ReverseProxyService {
+  type: "reverse-proxy";
+  path: string; // must be a path, should start with "/", end without "/"
+  upstream: string; // should be a [host]:[port], like "localhost:1234"
+}
+
+export type Service = RedirectService | StaticFileService | ReverseProxyService;
+
+export interface SubDomain {
+  name: string; // @ for root domain
+  services: Service[];
+}
+
+export interface Server {
+  domains: SubDomain[];
+} |
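Review bot: `code?: number` lets any number reach `return ${REDIRECT_CODE} ${REDIRECT_URL}` in redirect.segment.template, and in nginx a `return` with a non-3xx code treats the URL as a response body rather than a Location, so a typo such as 370 silently produces no redirect; narrowing it to `code?: 301 | 302 | 307 | 308; // default to 307` makes the generated schema carry an enum and rejects that at validation time. The generated server.schema.json in this commit also has no `required` arrays, so a config that omits `type`, `path` or `services` entirely still validates; this presumably comes from the generator's options rather than these types, but it defeats the purpose of the schema and is worth fixing when it is regenerated. Finally, the RedirectService example says `Then (no_strip_prefix is false)` although that field exists only on StaticFileService — drop the parenthetical there, and consider making the redirect comment explicit that `path` is interpolated into a regex location, so "no special characters in regex" is a correctness requirement the generator must enforce, not just advice.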
