From 6259f0be35955aa701cf9f5051a963724ae51987 Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Fri, 22 Jan 2021 23:21:42 +0100
Subject: [PATCH] init
---
 README.md | 1 +
 mime.types | 89 ++++++++++++++++++++++++++++++++++++
 nginx.conf | 61 ++++++++++++++++++++++++
 sites-available/default | 37 +++++++++++++++
 sites-available/http_2_https | 14 ++++++
 sites-available/nextcloud | 32 +++++++++++++
 sites-enabled/default | 1 +
 sites-enabled/http_2_https | 1 +
 snippets/fastcgi-php.conf | 13 ++++++
 snippets/letsencrypt.conf | 4 ++
 snippets/snakeoil.conf | 5 ++
 snippets/ssl.conf | 15 ++++++
 snippets/ssl_options.conf | 9 ++++
 13 files changed, 282 insertions(+)
 create mode 100644 README.md
 create mode 100644 mime.types
 create mode 100644 nginx.conf
 create mode 100644 sites-available/default
 create mode 100644 sites-available/http_2_https
 create mode 100644 sites-available/nextcloud
 create mode 120000 sites-enabled/default
 create mode 120000 sites-enabled/http_2_https
 create mode 100644 snippets/fastcgi-php.conf
 create mode 100644 snippets/letsencrypt.conf
 create mode 100644 snippets/snakeoil.conf
 create mode 100644 snippets/ssl.conf
 create mode 100644 snippets/ssl_options.conf
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..733a21e
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+# Example Conf for Nginx multidomain reverse proxy
diff --git a/mime.types b/mime.types
new file mode 100644
index 0000000..89be9a4
--- /dev/null
+++ b/mime.types
@@ -0,0 +1,89 @@
+
+types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/javascript js;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/png png;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+ image/svg+xml svg svgz;
+ image/webp webp;
+
+ application/font-woff woff;
+ application/java-archive jar war ear;
+ application/json json;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-fontobject eot;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.wap.wmlc wmlc;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..45ae3b5
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,61 @@
+user www-data;
+worker_processes 4;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ server_names_hash_bucket_size 64;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_static on;
+ gzip_disable "msie6";
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/sites-enabled/*;
+}
diff --git a/sites-available/default b/sites-available/default
new file mode 100644
index 0000000..91ffda7
--- /dev/null
+++ b/sites-available/default
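Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the http block leaves TLS 1.0 and 1.1 enabled as the global default, and the two vhosts in this commit only avoid it because each includes snippets/ssl_options.conf — any future server block that forgets the include fails open to legacy TLS. The http-level line should itself be the safe baseline, `ssl_protocols TLSv1.2 TLSv1.3;`, and the POODLE comment updated since it no longer explains what the line does (the snippet already assumes a TLS 1.3-capable nginx/OpenSSL, so the same assumption here costs nothing). `server_tokens off;` is also absent, so the version string goes out in every Server header and error page — an information-disclosure nit rather than a vulnerability, but cheap to close in the same section. `gzip on` is fine with the default `gzip_types` (text/html only) as long as nobody later widens it to responses that mix secrets with attacker-controlled input over TLS (BREACH); a one-line comment saying so would save the next editor a mistake.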
@@ -0,0 +1,37 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ root /var/www/html;
+ index index.html;
+
+ server_name my.domain.com;
+
+ ssl_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem;
+ include /etc/nginx/snippets/ssl_options.conf;
+
+ # Configure maximum picture size
+ # Note that Diaspora has a client side check set at 4M
+ client_max_body_size 5M;
+ client_body_buffer_size 256K;
+
+ sendfile on;
+ send_timeout 600s;
+
+
+ location / {
+ proxy_pass http://192.168.2.1/;
+ proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
+
+ proxy_buffering on;
+ proxy_buffers 12 12k;
+ proxy_redirect off;
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Port 443;
+ proxy_set_header Host $host;
+ }
+}
diff --git a/sites-available/http_2_https b/sites-available/http_2_https
new file mode 100644
index 0000000..5c8216c
--- /dev/null
+++ b/sites-available/http_2_https
@@ -0,0 +1,14 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server ipv6only=on;
+
+ server_name *.de ;
+
+ include /etc/nginx/snippets/letsencrypt.conf;
+
+ root /var/www/html;
+ index index.html;
+ location / {
+ rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https
+ }
+}
diff --git a/sites-available/nextcloud b/sites-available/nextcloud
new file mode 100644
index 0000000..950d736
--- /dev/null
+++ b/sites-available/nextcloud
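Review bot: No server block in this commit declares `default_server` for :443, so nginx falls back to the first one it loads — with only `default` and `http_2_https` enabled that is this block — and every TLS request whose SNI/Host does not match my.domain.com (IP-address scans, stale DNS, other names pointed at this box) lands here and `proxy_set_header Host $host;` forwards the client-chosen Host straight to 192.168.2.1. A dedicated catch-all keeps unknown names off the backend: `server { listen 443 ssl default_server; listen [::]:443 ssl default_server; include /etc/nginx/snippets/snakeoil.conf; return 444; }`, which also gives snippets/snakeoil.conf (unused so far) its purpose. Two smaller things in the same block: `proxy_cache_use_stale` does nothing without a `proxy_cache` zone, and the Diaspora comment above `client_max_body_size 5M` describes a different application than this generic vhost — either drop the comment or name the actual upstream. `X-Forwarded-For $remote_addr` here overwrites the header while sites-available/nextcloud appends with `$proxy_add_x_forwarded_for`; overwriting is the safer default when the upstream trusts the header unconditionally, so a comment explaining the choice is worth adding.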
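Review bot: `rewrite ^ https://$http_host$request_uri? permanent;` reflects the client-supplied Host header into the Location of a 301, and because this block is the `default_server` for :80 it answers every name (the `server_name *.de` pattern does not limit it), so `curl -H 'Host: evil.example' http://<this-ip>/` yields a redirect to evil.example — a textbook open redirect. Redirect only names you actually serve: make `server_name` an explicit list of the real domains and use `return 301 https://$host$request_uri;` there, and give the catch-all its own block that answers `return 444;` (`$host` is still Host-derived, so it only becomes safe once server_name is exact). `return 301` is also the preferred form over `rewrite … permanent`, and it makes the trailing `?` trick unnecessary. The `root`/`index` lines are dead since `location /` always redirects; the ACME location being included ahead of it is correct and deserves a comment saying HTTP-01 must stay on port 80.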
@@ -0,0 +1,32 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ root /var/www/html;
+ index index.html;
+
+ server_name cloud.domain.com;
+
+ ssl_certificate /etc/letsencrypt/live/cloud.domain.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/cloud.domain.com/privkey.pem;
+ include /etc/nginx/snippets/ssl_options.conf;
+
+ client_body_in_file_only clean;
+ client_body_buffer_size 128K;
+
+ client_max_body_size 5g;
+
+ sendfile on;
+ send_timeout 600s;
+
+ location / {
+ proxy_pass http://192.168.2.2/;
+ proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_redirect off;
+ }
+}
diff --git a/sites-enabled/default b/sites-enabled/default
new file mode 120000
index 0000000..6d9ba33
--- /dev/null
+++ b/sites-enabled/default
@@ -0,0 +1 @@
+../sites-available/default
\ No newline at end of file
diff --git a/sites-enabled/http_2_https b/sites-enabled/http_2_https
new file mode 120000
index 0000000..732b60c
--- /dev/null
+++ b/sites-enabled/http_2_https
@@ -0,0 +1 @@
+../sites-available/http_2_https
\ No newline at end of file
diff --git a/snippets/fastcgi-php.conf b/snippets/fastcgi-php.conf
new file mode 100644
index 0000000..467a9e7
--- /dev/null
+++ b/snippets/fastcgi-php.conf
@@ -0,0 +1,13 @@
+# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+
+# Check that the PHP script exists before passing it
+try_files $fastcgi_script_name =404;
+
+# Bypass the fact that try_files resets $fastcgi_path_info
+# see: http://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
+fastcgi_param PATH_INFO $path_info;
+
+fastcgi_index index.php;
+include fastcgi.conf;
diff --git a/snippets/letsencrypt.conf b/snippets/letsencrypt.conf
new file mode 100644
index 0000000..074499f
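Review bot: `client_max_body_size 5g;` combined with `client_body_in_file_only clean;` makes nginx spool every request body — up to 5 GB, from a client that has not authenticated yet — into its temp directory before 192.168.2.2 sees a single byte, which is a cheap disk-exhaustion vector against the proxy host. For a file-sync upstream the usual answer is `proxy_request_buffering off;` so the body streams to Nextcloud and its own auth can reject unauthenticated uploads early; if the buffering is deliberate, a comment should say so and `client_body_temp_path` should point at a partition that can afford it. `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever X-Forwarded-For the client sent, so the application must trust only this proxy's address when it picks the client IP (Nextcloud's trusted_proxies setting) or brute-force protection and audit logs can be fed a forged address — sites-available/default overwrites the header with `$remote_addr` instead, and the two should agree. `Host $http_host` versus `$host` in the sibling vhost is the same kind of drift (`$http_host` keeps an explicit port); pick one and comment why.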
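Review bot: The comment `# Check that the PHP script exists before passing it` undersells the security role of `try_files $fastcgi_script_name =404;`: with PHP-FPM's `cgi.fix_pathinfo=1`, a request such as `/uploads/avatar.png/x.php` would otherwise be split to script `/uploads/avatar.png` and PHP would execute the uploaded image; this line is the guard that stops it. Suggest `# Security: answer 404 unless the .php script really exists, so a PATH_INFO trick (/img.png/x.php with cgi.fix_pathinfo=1) cannot execute a non-PHP upload`. It is also worth stating in the header that the snippet is meant to be included from a `location ~ \.php$` block that supplies `fastcgi_pass`, since nothing in this commit includes it and it has no effect on its own.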
--- /dev/null
+++ b/snippets/letsencrypt.conf
@@ -0,0 +1,4 @@
+location ^~ /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /var/www/letsencrypt;
+}
diff --git a/snippets/snakeoil.conf b/snippets/snakeoil.conf
new file mode 100644
index 0000000..ad26c3e
--- /dev/null
+++ b/snippets/snakeoil.conf
@@ -0,0 +1,5 @@
+# Self signed certificates generated by the ssl-cert package
+# Don't use them in a production server!
+
+ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
diff --git a/snippets/ssl.conf b/snippets/ssl.conf
new file mode 100644
index 0000000..bab5987
--- /dev/null
+++ b/snippets/ssl.conf
@@ -0,0 +1,15 @@
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2;
+ssl_ciphers EECDH+AESGCM:EECDH+AES;
+ssl_ecdh_curve secp384r1;
+ssl_prefer_server_ciphers on;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+
+add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
diff --git a/snippets/ssl_options.conf b/snippets/ssl_options.conf
new file mode 100644
index 0000000..7f7631a
--- /dev/null
+++ b/snippets/ssl_options.conf
@@ -0,0 +1,9 @@
+ssl_session_timeout 1d;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ssl_prefer_server_ciphers on;
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ssl_session_cache shared:SSL:50m;
+ssl_stapling on;
+ssl_stapling_verify on;
+add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
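Review bot: snippets/ssl.conf and snippets/ssl_options.conf are two divergent copies of one TLS policy — TLS 1.2 only here versus 1.2+1.3 there, `ssl_session_tickets off` only here, `always` on the HSTS header only there, and the `X-Frame-Options`/`X-Content-Type-Options` headers only here — and since both vhosts include ssl_options.conf, the hardening headers in this file are never actually sent. Either delete this file or fold the differences into the one snippet that is included, so the policy cannot silently fork again. If it stays, the three `add_header` lines need `always` to also be emitted on 4xx/5xx responses, and `ssl_ecdh_curve secp384r1;` pins a single curve, removing X25519 and P-256 for no security gain — `ssl_ecdh_curve X25519:prime256v1:secp384r1;` or simply the nginx default is better. `preload` in the HSTS value is a commitment to the browser preload list for the whole registrable domain; keep it only if that submission is intended.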
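Review bot: `ssl_stapling on; ssl_stapling_verify on;` cannot take effect as committed: nginx needs a `resolver` to look up the OCSP responder's hostname, and no `resolver` appears in nginx.conf or any vhost in this patch, so stapling is silently skipped and the error log fills with "no resolver defined" entries; verifying the response additionally expects the issuer chain via `ssl_trusted_certificate`. Add `resolver 127.0.0.1 valid=300s;` in the http block (point it at a local resolver, not a public one, so cert metadata does not leak off-host) and `ssl_trusted_certificate /etc/letsencrypt/live/<domain>/chain.pem;` next to each `ssl_certificate`. The cipher string `AES256+EECDH:AES256+EDH` appends non-AEAD CBC suites (e.g. ECDHE-RSA-AES256-SHA) after the GCM ones; unless legacy clients are a requirement, stop after `EDH+AESGCM` and say so in a comment. `ssl_dhparam /etc/ssl/certs/dhparam.pem` is referenced but not generated anywhere in the repo — nginx refuses to start when the file is missing, so a header comment such as `# generate once: openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048` belongs here.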