From 90a72d2d7ed4a5eadfe36f62d81f26ca3324e49b Mon Sep 17 00:00:00 2001 From: crupest Date: Mon, 11 Nov 2024 01:12:29 +0800 Subject: HALF WORK: 2024.1.20 - 4 --- templates/nginx/2fa.conf.template | 19 --------------- templates/nginx/code.conf.template | 22 ------------------ templates/nginx/common/http-listen | 2 ++ templates/nginx/common/https-listen | 3 +++ templates/nginx/conf.d/2fa.conf.template | 17 ++++++++++++++ templates/nginx/conf.d/code.conf.template | 20 ++++++++++++++++ templates/nginx/conf.d/forbid_unknown_domain.conf | 9 ++++++++ templates/nginx/conf.d/git.conf.template | 20 ++++++++++++++++ templates/nginx/conf.d/mail.conf.template | 25 ++++++++++++++++++++ templates/nginx/conf.d/root.conf.template | 26 +++++++++++++++++++++ templates/nginx/conf.d/ssl.conf.template | 17 ++++++++++++++ templates/nginx/conf.d/timeline.conf.template | 6 +++++ templates/nginx/conf.d/websocket.conf | 4 ++++ templates/nginx/forbid_unknown_domain.conf | 8 ------- templates/nginx/git.conf.template | 22 ------------------ templates/nginx/mail.conf.template | 27 ---------------------- templates/nginx/root.conf.template | 28 ----------------------- templates/nginx/ssl.conf.template | 17 -------------- templates/nginx/timeline.conf.template | 7 ------ templates/nginx/websocket.conf | 4 ---- 20 files changed, 149 insertions(+), 154 deletions(-) delete mode 100644 templates/nginx/2fa.conf.template delete mode 100644 templates/nginx/code.conf.template create mode 100644 templates/nginx/common/http-listen create mode 100644 templates/nginx/common/https-listen create mode 100644 templates/nginx/conf.d/2fa.conf.template create mode 100644 templates/nginx/conf.d/code.conf.template create mode 100644 templates/nginx/conf.d/forbid_unknown_domain.conf create mode 100644 templates/nginx/conf.d/git.conf.template create mode 100644 templates/nginx/conf.d/mail.conf.template create mode 100644 templates/nginx/conf.d/root.conf.template create mode 100644 templates/nginx/conf.d/ssl.conf.template create mode 100644 templates/nginx/conf.d/timeline.conf.template create mode 100644 templates/nginx/conf.d/websocket.conf delete mode 100644 templates/nginx/forbid_unknown_domain.conf delete mode 100644 templates/nginx/git.conf.template delete mode 100644 templates/nginx/mail.conf.template delete mode 100644 templates/nginx/root.conf.template delete mode 100644 templates/nginx/ssl.conf.template delete mode 100644 templates/nginx/timeline.conf.template delete mode 100644 templates/nginx/websocket.conf (limited to 'templates/nginx') diff --git a/templates/nginx/2fa.conf.template b/templates/nginx/2fa.conf.template deleted file mode 100644 index aad66c1..0000000 --- a/templates/nginx/2fa.conf.template +++ /dev/null @@ -1,19 +0,0 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name 2fa.${CRUPEST_DOMAIN}; - - location / { - include common/proxy-common; - proxy_pass http://2fauth:8000/; - } -} - -server { - listen 80; - listen [::]:80; - server_name 2fa.${CRUPEST_DOMAIN}; - - include common/https-redirect; - include common/acme-challenge; -} diff --git a/templates/nginx/code.conf.template b/templates/nginx/code.conf.template deleted file mode 100644 index a67500d..0000000 --- a/templates/nginx/code.conf.template +++ /dev/null @@ -1,22 +0,0 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name code.${CRUPEST_DOMAIN}; - - location / { - include common/proxy-common; - proxy_pass http://debian-dev:8080/; - } - - client_max_body_size 5G; -} - - -server { - listen 80; - listen [::]:80; - server_name code.${CRUPEST_DOMAIN}; - - include common/https-redirect; - include common/acme-challenge; -} diff --git a/templates/nginx/common/http-listen b/templates/nginx/common/http-listen new file mode 100644 index 0000000..76cb18d --- /dev/null +++ b/templates/nginx/common/http-listen @@ -0,0 +1,2 @@ +listen 80; +listen [::]:80; diff --git a/templates/nginx/common/https-listen b/templates/nginx/common/https-listen new file mode 100644 index 0000000..db2f68e --- /dev/null +++ b/templates/nginx/common/https-listen @@ -0,0 +1,3 @@ +listen 443 ssl; +listen [::]:443 ssl; +http2 on; diff --git a/templates/nginx/conf.d/2fa.conf.template b/templates/nginx/conf.d/2fa.conf.template new file mode 100644 index 0000000..278e4a1 --- /dev/null +++ b/templates/nginx/conf.d/2fa.conf.template @@ -0,0 +1,17 @@ +server { + server_name 2fa.${CRUPEST_DOMAIN}; + include common/https-listen; + + location / { + include common/proxy-common; + proxy_pass http://2fauth:8000/; + } +} + +server { + server_name 2fa.${CRUPEST_DOMAIN}; + include common/http-listen; + + include common/https-redirect; + include common/acme-challenge; +} diff --git a/templates/nginx/conf.d/code.conf.template b/templates/nginx/conf.d/code.conf.template new file mode 100644 index 0000000..205c7ba --- /dev/null +++ b/templates/nginx/conf.d/code.conf.template @@ -0,0 +1,20 @@ +server { + server_name code.${CRUPEST_DOMAIN}; + include common/https-listen; + + location / { + include common/proxy-common; + proxy_pass http://debian-dev:8080/; + } + + client_max_body_size 5G; +} + + +server { + server_name code.${CRUPEST_DOMAIN}; + include common/http-listen; + + include common/https-redirect; + include common/acme-challenge; +} diff --git a/templates/nginx/conf.d/forbid_unknown_domain.conf b/templates/nginx/conf.d/forbid_unknown_domain.conf new file mode 100644 index 0000000..515942b --- /dev/null +++ b/templates/nginx/conf.d/forbid_unknown_domain.conf @@ -0,0 +1,9 @@ +server { + listen 80 default_server; + listen [::]:80 default_server; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + http2 on; + + return 444; +} diff --git a/templates/nginx/conf.d/git.conf.template b/templates/nginx/conf.d/git.conf.template new file mode 100644 index 0000000..3a2948c --- /dev/null +++ b/templates/nginx/conf.d/git.conf.template @@ -0,0 +1,20 @@ +server { + server_name git.${CRUPEST_DOMAIN}; + include common/https-listen; + + location / { + include common/proxy-common; + proxy_pass http://forgejo:3000/; + } + + client_max_body_size 5G; +} + + +server { + server_name git.${CRUPEST_DOMAIN}; + include common/http-listen; + + include common/https-redirect; + include common/acme-challenge; +} diff --git a/templates/nginx/conf.d/mail.conf.template b/templates/nginx/conf.d/mail.conf.template new file mode 100644 index 0000000..40adf28 --- /dev/null +++ b/templates/nginx/conf.d/mail.conf.template @@ -0,0 +1,25 @@ +server { + server_name mail.${CRUPEST_DOMAIN}; + include common/https-listen; + + location / { + include common/proxy-common; + proxy_pass http://roundcubemail:80/; + } + + location /rspamd/ { + include common/proxy-common; + proxy_pass http://mailserver:11334/; + } + + client_max_body_size 5G; +} + + +server { + server_name mail.${CRUPEST_DOMAIN}; + include common/http-listen; + + include common/https-redirect; + include common/acme-challenge; +} diff --git a/templates/nginx/conf.d/root.conf.template b/templates/nginx/conf.d/root.conf.template new file mode 100644 index 0000000..a0b08f8 --- /dev/null +++ b/templates/nginx/conf.d/root.conf.template @@ -0,0 +1,26 @@ +server { + server_name ${CRUPEST_DOMAIN}; + include common/https-listen; + + location / { + root /srv/www; + } + + location /_$CRUPEST_V2RAY_PATH { + if ($http_upgrade != "websocket") { + return 404; + } + + proxy_redirect off; + include common/proxy-common; + proxy_pass http://v2ray:10000; + } +} + +server { + server_name ${CRUPEST_DOMAIN}; + include common/http-listen; + + include common/https-redirect; + include common/acme-challenge; +} diff --git a/templates/nginx/conf.d/ssl.conf.template b/templates/nginx/conf.d/ssl.conf.template new file mode 100644 index 0000000..54205f1 --- /dev/null +++ b/templates/nginx/conf.d/ssl.conf.template @@ -0,0 +1,17 @@ +# This file contains important security parameters. If you modify this file +# manually, Certbot will be unable to automatically provide future security +# updates. Instead, Certbot will print and log an error message with a path to +# the up-to-date file that you will need to refer to when manually updating +# this file. Contents are based on https://ssl-config.mozilla.org + +ssl_certificate /etc/letsencrypt/live/${CRUPEST_DOMAIN}/fullchain.pem; +ssl_certificate_key /etc/letsencrypt/live/${CRUPEST_DOMAIN}/privkey.pem; + +ssl_session_cache shared:le_nginx_SSL:10m; +ssl_session_timeout 1440m; +ssl_session_tickets off; + +ssl_protocols TLSv1.2 TLSv1.3; +ssl_prefer_server_ciphers off; + +ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; diff --git a/templates/nginx/conf.d/timeline.conf.template b/templates/nginx/conf.d/timeline.conf.template new file mode 100644 index 0000000..a467594 --- /dev/null +++ b/templates/nginx/conf.d/timeline.conf.template @@ -0,0 +1,6 @@ +server { + server_name timeline.${CRUPEST_DOMAIN}; + include common/http-listen; + + include common/acme-challenge; +} diff --git a/templates/nginx/conf.d/websocket.conf b/templates/nginx/conf.d/websocket.conf new file mode 100644 index 0000000..32af4c3 --- /dev/null +++ b/templates/nginx/conf.d/websocket.conf @@ -0,0 +1,4 @@ +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} diff --git a/templates/nginx/forbid_unknown_domain.conf b/templates/nginx/forbid_unknown_domain.conf deleted file mode 100644 index ae96393..0000000 --- a/templates/nginx/forbid_unknown_domain.conf +++ /dev/null @@ -1,8 +0,0 @@ -server { - listen 80 default_server; - listen [::]:80 default_server; - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; - - return 444; -} diff --git a/templates/nginx/git.conf.template b/templates/nginx/git.conf.template deleted file mode 100644 index ea2a627..0000000 --- a/templates/nginx/git.conf.template +++ /dev/null @@ -1,22 +0,0 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name git.${CRUPEST_DOMAIN}; - - location / { - include common/proxy-common; - proxy_pass http://forgejo:3000/; - } - - client_max_body_size 5G; -} - - -server { - listen 80; - listen [::]:80; - server_name git.${CRUPEST_DOMAIN}; - - include common/https-redirect; - include common/acme-challenge; -} diff --git a/templates/nginx/mail.conf.template b/templates/nginx/mail.conf.template deleted file mode 100644 index ba2e44e..0000000 --- a/templates/nginx/mail.conf.template +++ /dev/null @@ -1,27 +0,0 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name mail.${CRUPEST_DOMAIN}; - - location / { - include common/proxy-common; - proxy_pass http://roundcubemail:80/; - } - - location /rspamd/ { - include common/proxy-common; - proxy_pass http://mailserver:11334/; - } - - client_max_body_size 5G; -} - - -server { - listen 80; - listen [::]:80; - server_name mail.${CRUPEST_DOMAIN}; - - include common/https-redirect; - include common/acme-challenge; -} diff --git a/templates/nginx/root.conf.template b/templates/nginx/root.conf.template deleted file mode 100644 index 3f20cf1..0000000 --- a/templates/nginx/root.conf.template +++ /dev/null @@ -1,28 +0,0 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name ${CRUPEST_DOMAIN}; - - location / { - root /srv/www; - } - - location /_$CRUPEST_V2RAY_PATH { - if ($http_upgrade != "websocket") { - return 404; - } - - proxy_redirect off; - include common/proxy-common; - proxy_pass http://v2ray:10000; - } -} - -server { - listen 80; - listen [::]:80; - server_name ${CRUPEST_DOMAIN}; - - include common/https-redirect; - include common/acme-challenge; -} diff --git a/templates/nginx/ssl.conf.template b/templates/nginx/ssl.conf.template deleted file mode 100644 index 54205f1..0000000 --- a/templates/nginx/ssl.conf.template +++ /dev/null @@ -1,17 +0,0 @@ -# This file contains important security parameters. If you modify this file -# manually, Certbot will be unable to automatically provide future security -# updates. Instead, Certbot will print and log an error message with a path to -# the up-to-date file that you will need to refer to when manually updating -# this file. Contents are based on https://ssl-config.mozilla.org - -ssl_certificate /etc/letsencrypt/live/${CRUPEST_DOMAIN}/fullchain.pem; -ssl_certificate_key /etc/letsencrypt/live/${CRUPEST_DOMAIN}/privkey.pem; - -ssl_session_cache shared:le_nginx_SSL:10m; -ssl_session_timeout 1440m; -ssl_session_tickets off; - -ssl_protocols TLSv1.2 TLSv1.3; -ssl_prefer_server_ciphers off; - -ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; diff --git a/templates/nginx/timeline.conf.template b/templates/nginx/timeline.conf.template deleted file mode 100644 index db908e8..0000000 --- a/templates/nginx/timeline.conf.template +++ /dev/null @@ -1,7 +0,0 @@ -server { - listen 80; - listen [::]:80; - server_name timeline.${CRUPEST_DOMAIN}; - - include common/acme-challenge; -} diff --git a/templates/nginx/websocket.conf b/templates/nginx/websocket.conf deleted file mode 100644 index 32af4c3..0000000 --- a/templates/nginx/websocket.conf +++ /dev/null @@ -1,4 +0,0 @@ -map $http_upgrade $connection_upgrade { - default upgrade; - '' close; -} -- cgit v1.2.3