Diffstat (limited to 'template2/nginx')
-rw-r--r--template2/nginx/domain.conf.template19
-rw-r--r--template2/nginx/global/client-max-body-size.conf1
-rw-r--r--template2/nginx/global/forbid-unknown-domain.conf8
-rw-r--r--template2/nginx/global/ssl.conf.template17
-rw-r--r--template2/nginx/global/websocket.conf4
-rw-r--r--template2/nginx/http/444.segment3
-rw-r--r--template2/nginx/http/redirect-to-https.segment3
-rw-r--r--template2/nginx/https/redirect.segment.template7
-rw-r--r--template2/nginx/https/reverse-proxy.segment.template10
-rw-r--r--template2/nginx/https/static-file.no-strip-prefix.segment.template3
-rw-r--r--template2/nginx/https/static-file.segment.template3
-rw-r--r--template2/nginx/server.schema.json96
-rw-r--r--template2/nginx/server.ts66
13 files changed, 240 insertions, 0 deletions
diff --git a/template2/nginx/domain.conf.template b/template2/nginx/domain.conf.template
new file mode 100644
index 0000000..7fa2d7a
--- /dev/null
+++ b/template2/nginx/domain.conf.template
@@ -0,0 +1,19 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name ${DOMAIN};
+
+${HTTPS_SEGMENT}
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name ${DOMAIN};
+
+${HTTP_SEGMENT}
+
+ location /.well-known/acme-challenge {
+ root /srv/acme;
+ }
+}
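Review bot: The 443 server block sets no Strict-Transport-Security header, so a client that arrived via the port-80 redirect keeps starting over plain HTTP on later visits; adding `add_header Strict-Transport-Security "max-age=63072000" always;` beside `server_name ${DOMAIN};` (max-age is an example value to tune) closes that gap. The ssl_* directives for this block presumably come from global/ssl.conf.template included at the http level, which is not visible in this diff; if they are not, the `listen 443 ssl` lines fail the config test. Also, the `listen ... http2` parameter form is deprecated since nginx 1.25.1 in favour of a separate `http2 on;` directive, worth checking against the target nginx version.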
diff --git a/template2/nginx/global/client-max-body-size.conf b/template2/nginx/global/client-max-body-size.conf
new file mode 100644
index 0000000..a2b1c00
--- /dev/null
+++ b/template2/nginx/global/client-max-body-size.conf
@@ -0,0 +1 @@
+client_max_body_size 5G;
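Review bot: `client_max_body_size 5G;` at the global level lifts the request-body limit for every server and location the templates generate, including the 444, redirect and static-file locations that never consume a body; a 5 GB bound is only meaningful in front of an upstream. Moving the directive into `location ${PATH}/ {` of https/reverse-proxy.segment.template leaves everything else at nginx's 1m default and limits what an unrelated vhost has to accept and buffer. Whether the generator includes this file at the http or server level is not visible here.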
diff --git a/template2/nginx/global/forbid-unknown-domain.conf b/template2/nginx/global/forbid-unknown-domain.conf
new file mode 100644
index 0000000..ae96393
--- /dev/null
+++ b/template2/nginx/global/forbid-unknown-domain.conf
@@ -0,0 +1,8 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
+
+ return 444;
+}
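Review bot: The 443 default_server still completes a TLS handshake, presenting whatever certificate the http-level ssl config provides (the ${ROOT_DOMAIN} one from global/ssl.conf.template, if that is where it is included), before returning 444, so the real deployment's hostname is disclosed to anyone connecting to the IP with an unknown SNI. With nginx 1.19.4 or newer, `ssl_reject_handshake on;` in this block refuses the handshake instead and needs no certificate at all; `return 444;` then only matters for the port-80 listeners. If no http-level ssl_certificate is present, the `listen 443 ssl` lines here fail the config test, which deserves a comment either way.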
diff --git a/template2/nginx/global/ssl.conf.template b/template2/nginx/global/ssl.conf.template
new file mode 100644
index 0000000..ff70f5a
--- /dev/null
+++ b/template2/nginx/global/ssl.conf.template
@@ -0,0 +1,17 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file. Contents are based on https://ssl-config.mozilla.org
+
+ssl_certificate /etc/letsencrypt/live/${ROOT_DOMAIN}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/${ROOT_DOMAIN}/privkey.pem;
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
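Review bot: The header comment on the first five lines is copied from Certbot's options-ssl-nginx.conf and promises that Certbot will update the file, which is not true of a project-owned `.template` rendered by this tooling; a reader may leave stale parameters in place expecting an automatic update. Replace it with something like `# TLS parameters based on https://ssl-config.mozilla.org, as shipped in Certbot's options-ssl-nginx.conf. This template is NOT managed by Certbot; re-check the recommendations manually.`. Also, every vhost uses the single ${ROOT_DOMAIN} certificate from this file, so it presumably has to be a wildcard or SAN certificate covering every SubDomain name; that expectation belongs in the comment too.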
diff --git a/template2/nginx/global/websocket.conf b/template2/nginx/global/websocket.conf
new file mode 100644
index 0000000..32af4c3
--- /dev/null
+++ b/template2/nginx/global/websocket.conf
@@ -0,0 +1,4 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
diff --git a/template2/nginx/http/444.segment b/template2/nginx/http/444.segment
new file mode 100644
index 0000000..fe490d4
--- /dev/null
+++ b/template2/nginx/http/444.segment
@@ -0,0 +1,3 @@
+location / {
+ return 444;
+}
diff --git a/template2/nginx/http/redirect-to-https.segment b/template2/nginx/http/redirect-to-https.segment
new file mode 100644
index 0000000..56d095d
--- /dev/null
+++ b/template2/nginx/http/redirect-to-https.segment
@@ -0,0 +1,3 @@
+location / {
+ return 301 https://$host$request_uri;
+}
diff --git a/template2/nginx/https/redirect.segment.template b/template2/nginx/https/redirect.segment.template
new file mode 100644
index 0000000..028f617
--- /dev/null
+++ b/template2/nginx/https/redirect.segment.template
@@ -0,0 +1,7 @@
+location = ${PATH} {
+ return ${REDIRECT_CODE} ${REDIRECT_URL};
+}
+
+location ^${PATH}/(?<redirect_path>.*)$ {
+ return ${REDIRECT_CODE} ${REDIRECT_URL}/$redirect_path;
+}
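Review bot: `location ^${PATH}/(?<redirect_path>.*)$ {` is missing the `~` modifier, so nginx reads the literal `^...` as a prefix string rather than a regex and the sub-path branch never matches; only the exact `location = ${PATH}` works. It should be `location ~ ^${PATH}/(?<redirect_path>.*)$ {`. With that fixed, the regex still depends on PATH containing no regex metacharacters, which server.ts documents but server.schema.json does not enforce, and the root path "/" that server.ts says is allowed expands to `^//(?<redirect_path>.*)$`, which never matches either unless the generator special-cases it (not visible in this diff).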
diff --git a/template2/nginx/https/reverse-proxy.segment.template b/template2/nginx/https/reverse-proxy.segment.template
new file mode 100644
index 0000000..85a942e
--- /dev/null
+++ b/template2/nginx/https/reverse-proxy.segment.template
@@ -0,0 +1,10 @@
+location ${PATH}/ {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://${UPSTREAM};
+}
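Review bot: `location ${PATH}/ {` expands to `location // {` when path is the root "/" that server.ts allows, so a root-mounted service matches nothing; the same expansion appears in static-file.segment.template and static-file.no-strip-prefix.segment.template. Unless the generator already collapses the double slash, the templates need either a `${LOCATION}` variable derived from path or a generator check that rejects "/" for these service types; which fits depends on generator code not in this diff. Separately, `$proxy_add_x_forwarded_for` appends to the client-supplied X-Forwarded-For rather than replacing it, so an upstream that reads the first address for access decisions or rate limits is trusting client input; `X-Real-IP $remote_addr` is the trustworthy field, and a comment saying so would help upstream authors.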
diff --git a/template2/nginx/https/static-file.no-strip-prefix.segment.template b/template2/nginx/https/static-file.no-strip-prefix.segment.template
new file mode 100644
index 0000000..4e829ba
--- /dev/null
+++ b/template2/nginx/https/static-file.no-strip-prefix.segment.template
@@ -0,0 +1,3 @@
+location ${PATH}/ {
+ root ${ROOT};
+}
diff --git a/template2/nginx/https/static-file.segment.template b/template2/nginx/https/static-file.segment.template
new file mode 100644
index 0000000..683cad3
--- /dev/null
+++ b/template2/nginx/https/static-file.segment.template
@@ -0,0 +1,3 @@
+location ${PATH}/ {
+ alias ${ROOT};
+}
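Review bot: `alias ${ROOT};` replaces the matched `${PATH}/` prefix, trailing slash included, with ROOT, and server.ts specifies that root ends without "/"; for path `/a/b` and root `/e/f` a request to `/a/b/c/d` therefore resolves to `/e/fc/d`, not `/e/f/c/d`. Use `alias ${ROOT}/;` so the location's trailing slash is mirrored in the replacement. Keeping the trailing slash on the `location` line is what prevents the well-known alias off-by-slash traversal, so that part should stay as it is.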
diff --git a/template2/nginx/server.schema.json b/template2/nginx/server.schema.json
new file mode 100644
index 0000000..a19c131
--- /dev/null
+++ b/template2/nginx/server.schema.json
@@ -0,0 +1,96 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "definitions": {
+ "RedirectService": {
+ "properties": {
+ "code": {
+ "type": "number"
+ },
+ "path": {
+ "type": "string"
+ },
+ "to": {
+ "type": "string"
+ },
+ "type": {
+ "enum": [
+ "redirect"
+ ],
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "ReverseProxyService": {
+ "properties": {
+ "path": {
+ "type": "string"
+ },
+ "type": {
+ "enum": [
+ "reverse-proxy"
+ ],
+ "type": "string"
+ },
+ "upstream": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "StaticFileService": {
+ "properties": {
+ "no_strip_prefix": {
+ "type": "boolean"
+ },
+ "path": {
+ "type": "string"
+ },
+ "root": {
+ "type": "string"
+ },
+ "type": {
+ "enum": [
+ "static-file"
+ ],
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "SubDomain": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "services": {
+ "items": {
+ "anyOf": [
+ {
+ "$ref": "#/definitions/RedirectService"
+ },
+ {
+ "$ref": "#/definitions/StaticFileService"
+ },
+ {
+ "$ref": "#/definitions/ReverseProxyService"
+ }
+ ]
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "properties": {
+ "domains": {
+ "items": {
+ "$ref": "#/definitions/SubDomain"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+}
+
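Review bot: None of the definitions declare `required` or `additionalProperties: false`, and `path`, `root`, `upstream` and `to` are unconstrained strings, so a config with a missing `upstream`, a misspelled key, or a path containing `;`, `}` or regex metacharacters validates and is then substituted verbatim into nginx directives by the templates. Since server.ts says this schema is generated from the TypeScript types, the fix belongs in the generator's options (emitting `required`) plus `pattern` constraints on the path-like fields rather than hand edits here; as a constructed example, a pattern for `path` could be `"pattern": "^/$|^/[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)*$"`. `code` should likewise be limited to the redirect status codes rather than any `number`.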
diff --git a/template2/nginx/server.ts b/template2/nginx/server.ts
new file mode 100644
index 0000000..ffd64b7
--- /dev/null
+++ b/template2/nginx/server.ts
@@ -0,0 +1,66 @@
+// Used to generate json schema.
+
+// path should start with "/", end without "/" and contain no special characters in regex.
+// the special case is root path "/", which is allowed.
+
+// For example:
+// Given
+// path: /a/b
+// to: http://c.com/d
+// Then (no_strip_prefix is false)
+// url: /a/b/c
+// redirect to: http://c.com/d/c (/a/b is removed)
+// Note:
+// Contrary to reverse proxy, you would always want to strip the prefix path.
+// Because there is no meaning to redirect to the new page with the original path.
+// If you want a domain-only redirect, just specify the path as "/".
+export interface RedirectService {
+ type: "redirect";
+ path: string; // must be a path, should start with "/", end without "/"
+ to: string; // must be a url, should start with scheme (http:// or https://), end without "/"
+ code?: number; // default to 307
+}
+
+// For example:
+// Given
+// path: /a/b
+// root: /e/f
+// Then (no_strip_prefix is false)
+// url: /a/b/c/d
+// file path: /e/f/c/d (/a/b is removed)
+// Or (no_strip_prefix is true)
+// url: /a/b/c/d
+// file path: /e/f/a/b/c/d
+export interface StaticFileService {
+ type: "static-file";
+ path: string; // must be a path, should start with "/", end without "/"
+ root: string; // must be a path (directory), should start with "/", end without "/"
+ no_strip_prefix?: boolean; // default to false. If true, the path prefix is not removed from the url when finding the file.
+}
+
+// For example:
+// Given
+// path: /a/b
+// upstream: another-server:1234
+// Then
+// url: /a/b/c/d
+// proxy to: another-server:1234/a/b/c/d
+// Note:
+// Contrary to redirect, you would always want to keep the prefix path.
+// Because the upstream server will mess up the path handling if the prefix is not kept.
+export interface ReverseProxyService {
+ type: "reverse-proxy";
+ path: string; // must be a path, should start with "/", end without "/"
+ upstream: string; // should be a [host]:[port], like "localhost:1234"
+}
+
+export type Service = RedirectService | StaticFileService | ReverseProxyService;
+
+export interface SubDomain {
+ name: string; // @ for root domain
+ services: Service[];
+}
+
+export interface Server {
+ domains: SubDomain[];
+}
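Review bot: The RedirectService example says `Then (no_strip_prefix is false)`, but RedirectService has no `no_strip_prefix` field (only StaticFileService does), so the comment reads as if the prefix behaviour were configurable; drop the parenthetical on that line. `code?: number; // default to 307` accepts any number and the generated schema inherits that; narrowing it to `code?: 301 | 302 | 307 | 308; // default to 307` turns the schema entry into an enum of valid redirect codes for free. The format rules given as comments on `path`, `to`, `root` and `upstream` are not expressed in the types; if the schema generator honours annotation tags such as `@pattern`, the same constraints could be carried into server.schema.json instead of living only in comments.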