From 87db6821c31236db2c54b60a4964264903dcfcf3 Mon Sep 17 00:00:00 2001 
From: pegasust Date: Tue, 27 Sep 2022 22:13:33 -0700 Subject: [PATCH] monorepo setup --- {nginx => .nginx}/.env | 0 {nginx => .nginx}/LICENSE | 0 {nginx => .nginx}/README.md | 0 {nginx => .nginx}/certbot/Dockerfile | 0 {nginx => .nginx}/certbot/certbot.sh | 0 {nginx => .nginx}/config.env | 2 +- {nginx => .nginx}/cron/Dockerfile | 0 {nginx => .nginx}/cron/renew_certs.sh | 0 {nginx => .nginx}/docker-compose.yml | 0 .../html/felia.pegasust.com}/index.html | 0 .nginx/nginx-proxy/certs/default.crt | 30 ++ .nginx/nginx-proxy/certs/default.key | 52 ++ .nginx/nginx-proxy/certs/dhparam.pem | 13 + .nginx/nginx-proxy/conf.d/default.conf | 68 +++ .nginx/nginx-proxy/docker-compose.yml | 53 ++ .nginx/nginx-proxy/nginx.tmpl | 479 ++++++++++++++++++ {nginx => .nginx}/nginx/Dockerfile | 0 {nginx => .nginx}/nginx/default.conf | 0 {nginx => .nginx}/nginx/gzip.conf | 0 {nginx => .nginx}/nginx/hsts.conf | 0 {nginx => .nginx}/nginx/nginx.sh | 0 .../nginx/options-ssl-nginx.conf | 0 {nginx => .nginx}/nginx/site.conf.tpl | 4 +- .nginx/proxy | 1 + .nginx/self/docker-compose.yml | 19 + .nginx/self/user_conf.d/example_server.conf | 19 + .../vhosts/felia.pegasust.com.conf | 2 +- about-me | 1 + c4c-secret-manager | 1 + cloudflare-nginx/_nginx/conf.d/default.conf | 45 -- cloudflare-nginx/_nginx/fastcgi_params | 25 - cloudflare-nginx/_nginx/mime.types | 99 ---- cloudflare-nginx/_nginx/modules | 1 - cloudflare-nginx/_nginx/nginx.conf | 32 -- cloudflare-nginx/_nginx/scgi_params | 17 - cloudflare-nginx/_nginx/uwsgi_params | 17 - cloudflare-nginx/nginx/conf.d/default.conf | 57 ++- cloudflare-nginx/nginx/conf.d/localhost.conf | 24 + .../nginx/conf.d/pegasust.com.conf | 8 +- cloudflare-nginx/nginx/ssl_params | 4 +- 40 files changed, 812 insertions(+), 261 deletions(-) rename {nginx => .nginx}/.env (100%) rename {nginx => .nginx}/LICENSE (100%) rename {nginx => .nginx}/README.md (100%) rename {nginx => .nginx}/certbot/Dockerfile (100%) rename {nginx => .nginx}/certbot/certbot.sh (100%) rename {nginx => 
.nginx}/config.env (74%) rename {nginx => .nginx}/cron/Dockerfile (100%) rename {nginx => .nginx}/cron/renew_certs.sh (100%) rename {nginx => .nginx}/docker-compose.yml (100%) rename {nginx/html/felia.hwtr.dev => .nginx/html/felia.pegasust.com}/index.html (100%) create mode 100644 .nginx/nginx-proxy/certs/default.crt create mode 100644 .nginx/nginx-proxy/certs/default.key create mode 100644 .nginx/nginx-proxy/certs/dhparam.pem create mode 100644 .nginx/nginx-proxy/conf.d/default.conf create mode 100644 .nginx/nginx-proxy/docker-compose.yml create mode 100644 .nginx/nginx-proxy/nginx.tmpl rename {nginx => .nginx}/nginx/Dockerfile (100%) rename {nginx => .nginx}/nginx/default.conf (100%) rename {nginx => .nginx}/nginx/gzip.conf (100%) rename {nginx => .nginx}/nginx/hsts.conf (100%) rename {nginx => .nginx}/nginx/nginx.sh (100%) rename {nginx => .nginx}/nginx/options-ssl-nginx.conf (100%) rename {nginx => .nginx}/nginx/site.conf.tpl (86%) create mode 160000 .nginx/proxy create mode 100644 .nginx/self/docker-compose.yml create mode 100644 .nginx/self/user_conf.d/example_server.conf rename nginx/vhosts/felia.hwtr.dev.conf => .nginx/vhosts/felia.pegasust.com.conf (52%) create mode 120000 about-me create mode 120000 c4c-secret-manager delete mode 100644 cloudflare-nginx/_nginx/conf.d/default.conf delete mode 100644 cloudflare-nginx/_nginx/fastcgi_params delete mode 100644 cloudflare-nginx/_nginx/mime.types delete mode 120000 cloudflare-nginx/_nginx/modules delete mode 100644 cloudflare-nginx/_nginx/nginx.conf delete mode 100644 cloudflare-nginx/_nginx/scgi_params delete mode 100644 cloudflare-nginx/_nginx/uwsgi_params create mode 100644 cloudflare-nginx/nginx/conf.d/localhost.conf diff --git a/nginx/.env b/.nginx/.env similarity index 100% rename from nginx/.env rename to .nginx/.env diff --git a/nginx/LICENSE b/.nginx/LICENSE similarity index 100% rename from nginx/LICENSE rename to .nginx/LICENSE 
diff --git a/nginx/README.md b/.nginx/README.md
similarity index 100%
rename from nginx/README.md
rename to .nginx/README.md
diff --git a/nginx/certbot/Dockerfile b/.nginx/certbot/Dockerfile
similarity index 100%
rename from nginx/certbot/Dockerfile
rename to .nginx/certbot/Dockerfile
diff --git a/nginx/certbot/certbot.sh b/.nginx/certbot/certbot.sh
similarity index 100%
rename from nginx/certbot/certbot.sh
rename to .nginx/certbot/certbot.sh
diff --git a/nginx/config.env b/.nginx/config.env
similarity index 74%
rename from nginx/config.env
rename to .nginx/config.env
index 6f3d84c..6ca9b40 100644
--- a/nginx/config.env
+++ b/.nginx/config.env
@@ -1,4 +1,4 @@
-DOMAINS="felia.hwtr.dev"
+DOMAINS="felia.pegasust.com"
 CERTBOT_EMAILS="pegasucksgg@gmail.com"
 CERTBOT_TEST_CERT=1
 CERTBOT_RSA_KEY_SIZE=4096
diff --git a/nginx/cron/Dockerfile b/.nginx/cron/Dockerfile
similarity index 100%
rename from nginx/cron/Dockerfile
rename to .nginx/cron/Dockerfile
diff --git a/nginx/cron/renew_certs.sh b/.nginx/cron/renew_certs.sh
similarity index 100%
rename from nginx/cron/renew_certs.sh
rename to .nginx/cron/renew_certs.sh
diff --git a/nginx/docker-compose.yml b/.nginx/docker-compose.yml
similarity index 100%
rename from nginx/docker-compose.yml
rename to .nginx/docker-compose.yml
diff --git a/nginx/html/felia.hwtr.dev/index.html b/.nginx/html/felia.pegasust.com/index.html
similarity index 100%
rename from nginx/html/felia.hwtr.dev/index.html
rename to .nginx/html/felia.pegasust.com/index.html
diff --git a/.nginx/nginx-proxy/certs/default.crt b/.nginx/nginx-proxy/certs/default.crt
new file mode 100644
index 0000000..75e507c
--- /dev/null
+++ b/.nginx/nginx-proxy/certs/default.crt
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFOTCCAyGgAwIBAgIUAm8CZUQ1+Od1jv1AGsHNyexaL/8wDQYJKoZIhvcNAQEL +BQAwLDEqMCgGA1UEAwwhbGV0c2VuY3J5cHQtbmdpbngtcHJveHktY29tcGFuaW9u +MB4XDTIyMDkyNzIwMjgwOVoXDTIzMDkyNzIwMjgwOVowLDEqMCgGA1UEAwwhbGV0 +c2VuY3J5cHQtbmdpbngtcHJveHktY29tcGFuaW9uMIICIjANBgkqhkiG9w0BAQEF +AAOCAg8AMIICCgKCAgEAsnT/TXyuYw1pIC0p8fquduql8e3tzn+iUzkuvXV76lD/ +OogUzIveXEWPMEpQN77n7+eDzfId53+3ea5+LyWBw2jrvOIutszhOVzaH9TQhLcJ +AIfCnM9q6vHDnUpoWM4qVyCfW+V46DeRX+AGWWmr8kz8dGgG0NOaklENV+4Bn/Wz +m0xXi3JL7cjIIhdpBFiV2aPC1/HGt5p7v40ncfFb2A6vUestAxU57yLZEgzznMVO +6nIIltLW2B3ecXDrIyWUWBLW2ZIqvCujBJ71MTVXkagboAzvjt0jWFOXoNlnmp6V +TIy+sd/dUbgstmxZtWOMGRrUeJbMevwyxKuy6/3660UTF5b1owW/nOvt8NheXC9Y +vD9CxKYnkR46Gi7m1SdWWir8OT3jl3QMpk3jlq0UuVm0dAKT/F/eR0ov202/VGXY +slmwMfKipDxFBgiYoOr9/vp7HGz2VdU4n35vTTIcfGdFosChiVJnZyda8XPYevQR +IjfI3aWDMYR0QgEdBEBrOLstvm4j7pnCvTIB0aDCFw8ze4XdycoIFsmQgkGsgUFN +7LGhC0WORVVAnELZIYGYOinV0fuEaYNS0OLnkrGPyq5by1rvBabWGxkluEfT57KC +It96lye83FHo6T4wK3WLFgvWWzJ+QBD7+CxMwVX73ZF39ePF2BLhYXcvWcyQTYUC +AwEAAaNTMFEwHQYDVR0OBBYEFByqdTRCFmrkve7RQYcut4yPDnZFMB8GA1UdIwQY +MBaAFByqdTRCFmrkve7RQYcut4yPDnZFMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggIBAFtiiAq8g33lB4lL8JUlpGSyqq8KAziUEz/QuKtmD2WssU89 +Mc38MhsKCjkdPc9dVxww8d4u/ccYr9cm+WUrGRb3fZ1UXcNhBf2kg3Yn+xgjNowi +NrqgBgH7e8auT1sKKD6ZX97QrpAvuWychzDnxZQ2VQGi4RZ42t8R6lOkAbvXK9zx +5O7jUsleRJ7vVBNwVw7dKWYIFuSJVfQ/LaZEmjCIZCveaUMROTkz9cioCpzcO1RK +6ItmLjRgORx+mXPVtTxF4kaNVMqc5kC11487BC8jVPSThzQSkZU2f+vkCTupOMs2 +jY5iEdufjw7/hFzL30ORwiqiU7BvD4EXnJdF94zVjpVaWpLzBwMb2+tFpDwIpPfL +dXboa6NayfqjqzKrzyUBUp2vjB5ZJ5DUGeaRhysTWENSw4fXYA7a2EbsQ6yUFOjl +Dqo1TtUvXdtIWtcGKUDGBX2sEsiNaSxjNpDJrNJgOj2rY04ndy5xmR/f2WYpFKUj +iC5lIT6pxlei15Ju11+Zbd/JwOj9XdV6iOGOgV2xY7LkX3MCMzt1ScOo6wuIY+xF +2LcE+o0wuEIq6i0QlyTQ9fNP7yaknBfq4mN87X5bkZ1qzSKXbPBeRvqAuQutLpNr +uvl3tySe7MbOk+eBSLDO+oM8P4IA/9hs3lFanVDHLM4PGnw1PyCQ2yGXYqn6 +-----END CERTIFICATE----- 
diff --git a/.nginx/nginx-proxy/certs/default.key b/.nginx/nginx-proxy/certs/default.key
new file mode 100644
index 0000000..126b31e
--- /dev/null
+++ b/.nginx/nginx-proxy/certs/default.key
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCydP9NfK5jDWkg +LSnx+q526qXx7e3Of6JTOS69dXvqUP86iBTMi95cRY8wSlA3vufv54PN8h3nf7d5 +rn4vJYHDaOu84i62zOE5XNof1NCEtwkAh8Kcz2rq8cOdSmhYzipXIJ9b5XjoN5Ff +4AZZaavyTPx0aAbQ05qSUQ1X7gGf9bObTFeLckvtyMgiF2kEWJXZo8LX8ca3mnu/ +jSdx8VvYDq9R6y0DFTnvItkSDPOcxU7qcgiW0tbYHd5xcOsjJZRYEtbZkiq8K6ME +nvUxNVeRqBugDO+O3SNYU5eg2WeanpVMjL6x391RuCy2bFm1Y4wZGtR4lsx6/DLE +q7Lr/frrRRMXlvWjBb+c6+3w2F5cL1i8P0LEpieRHjoaLubVJ1ZaKvw5PeOXdAym +TeOWrRS5WbR0ApP8X95HSi/bTb9UZdiyWbAx8qKkPEUGCJig6v3++nscbPZV1Tif +fm9NMhx8Z0WiwKGJUmdnJ1rxc9h69BEiN8jdpYMxhHRCAR0EQGs4uy2+biPumcK9 +MgHRoMIXDzN7hd3JyggWyZCCQayBQU3ssaELRY5FVUCcQtkhgZg6KdXR+4Rpg1LQ +4ueSsY/KrlvLWu8FptYbGSW4R9PnsoIi33qXJ7zcUejpPjArdYsWC9ZbMn5AEPv4 +LEzBVfvdkXf148XYEuFhdy9ZzJBNhQIDAQABAoICAGDTBeoe6ecoUY95sbZu0tYG +fj8DXvGZYpNRBUEaSz9Y7wHs74wDn4Pk4cnLqDZ2yBTsQiEtang+XWgR+rjN2tgR +R0ZWWg4on1KmRFrc9r3rKWE2R6sZBuOuhPoEcxUr1uEq/Au6N52W+LNSM1+z6+0t +RBRMlNYc2VLl0x2QLyWBBBAQnbc1Lmk3dQ66MOqAvd018vODZNQdZ2MIzQwPbkuN +vCXwOZ3gmGxdNfWLPWojy6t8b5iVkKf1nMlkANAzBYe7wQKPQcySyIIrVNF8JaUL +1uFB44BaD2FPCYfmLUZBILRF8PlFgylhijD4HLxD5LGCUyGSgCOCTnFSz2MnjEnN +iZKjsfMj6Wpp6Lam5P5Pb82C3X3znBw51b8KZJLNObFQrYh21dvEeOIhP0m4Okuw +NCYUe0UNTQmMFoy/R49v54Be4mPWC1nljaisxKUCBt8bQDa0Dm6E85rq9wcsmf5O +TlP190BJaSFCkpc7jvM8eR8WVjYLSsaGtI9S7TAxRNcyhPvFW5iA0xEa+cbSh1Wq +a/HuOaRlIaAv6InlVcKxI6xUuNakXHmxYLeuagJ1ODqof9sP82cs7Vs7vW43j2yg +TGrDiSA468bFZZsUeTPmvHeLSluUvO087ny6Ezo7Ai2s9QhlFTtM3gnYvv9bzoqY +e28HRAbZ8Cd03VMmWSoJAoIBAQDoyma7SqmZq8+hKJHMWJWYjPEKNtznOIpkzVfa +9XtUFEaYGHfOXmhUa/hMq5eBai8iq9c4x/iThyciS4hJgVQ6h45hTDl2mpaktroF +aKr7Z+bmDsMh/TcTiADVKFuTDEiMSKPN0sqKlokgI5nMdTXhOnj9NCahAua3JV9J +fJeWCiTZpY8a4boGagEmrVANqKQNlm5HJHUeNZvuj9fzCSfxTyqAoKFs6l2CuUd6 +3bAWrd8pVTlBOPzPCsLSEGvdVndjYaCNPZtB+LQuf/Gbp4dFlmeMtqE/zqnc1oa2 +JMyQM/UGEoLfpTk09T4XBIkUo8E9unbYqZ4e4JcAey3IdDpnAoIBAQDEP9HdqkNC +5GXlzAiy7I3tBDsnmuGtCQg1Mu0mSUqbXzsGP5lCfgJPuuVeNjROcI5B66O9C0mW 
+CoCbUEvj6gjtexjlCGNDsajSPCnPzVud6n4uqcLK3xF0071p1eG97SYaKqOKm44Q +XL+0vV6qRCmITZXsdPoMbdku4eY4TpKLycxdnxATsQkaGHyWZ17MfiPfAEXU918i +OZ/6v0fgX3jEkSDZADdpizmq2z2xAOw7euwjhFuepSphSCAzXU68ZWnuHEkDUNQr +NhLGVJ6r6YFFIjrfGVN2fcxw/AaTRqYytAp3KqE7cAp1YWgeSjEQeYNyCRg3DGap +jY9ZMdFN/R0zAoIBAQDmJPRbxfzWyF2FXq6F8C41m2HST1sl3Wg1MC3jcz5yaXlB +dS88/2j1zai1ZA9tCqV/CZTFti2y7LNr3HDo+sti8hF5b/p/n2W/gkd2gXxJAPfu +CjowqD6DOLpaAoRGZKZ0ynvnSLalPR5kf83VrSuPeFeVPLHUDSI7ft8tr9fNpkm4 +Q02vrepT3Qk2S7IRTuCh7k8oVorTSvzWZa+Bv1OV5kaG1EfDfhDk5HgeqH0mbs9p +9a+dI9IMfv8M3t9E++8cebBY8sdD+bVpI2SiFoZN7dyB6SySAKc+hXi5Krhy+GsN +jc+Fe7uK98pix0Ee/qZVeLt2iHqi3DdtalphC0eRAoIBAA7lARqfx4cWKp2sRKS/ +y23Hum2hFau6WcMf4FvdiCoOqj4pKYqgYbCHcM0btBCX/lQGfGDmsGkQ1v3ytC/S +HWdYxmTrpA0JONTr+Ahrf56Wo4kLHVukXoDNaTzVHNL7Yr7tqYflknyvbWVcUgj+ +L2DG8rAFmMzEsY0bXAu9+uVdJYOdhOzZrOUsIpiPs+Q1VqegL6ygMbo5QWkYh24C +EPpqQWH24D3EcVYEWcRLW6KQC8gOTZ3Wz0ae4MLFPCqUT9vgjbIQummlKvuehIRr +roH+vRUdqPX/SjrxBda7r/V9MKYmuCH4uPJ7uBlEbEDh2BYZlprm+Au6ULzmSQpw +QX0CggEABTb7EMQ52kik90TBp9uDqDmcbLfk9d2cv4/KZpuTaN5Qnp3eDZCy+Z4E +iiiSa0cM2AJZtoRhnmX0z21oOrqeiWq+a0tuyHEoKJMv0gZLUPr//UTJaOb33aOA +jOEYzSUUvnXQ/6QW3DBYanB/DXoo+Hj6Ycv6yoWu9uLcfvnfr7PZ7eBGE5XJmp/a +iQ+SKvgsRuKYU1yGtjh6Le6yUTtILT6LWoqFe2t8ITPC9Cn6uy0QfCWj0oJ+2NPv +i7VdEuRwHq4TTfF69FdjUC2sbI6PAcl3cL7RKuF6sXNPyg2y7AWo0P43Uo/WWoUT +JcJ1iGmjPfvLy0ZuB4UDyTkGsUt/6Q== +-----END PRIVATE KEY----- diff --git a/.nginx/nginx-proxy/certs/dhparam.pem b/.nginx/nginx-proxy/certs/dhparam.pem new file mode 100644 index 0000000..3cf0fcb --- /dev/null +++ b/.nginx/nginx-proxy/certs/dhparam.pem 
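Review bot: An unencrypted private key is checked in here, and the generated `conf.d/default.conf` in this same commit serves it from `/etc/nginx/certs/default.key` on the catch-all 443 listener. Anything that has been in git history has to be treated as disclosed, so this pair should be regenerated on the host at deploy time rather than committed; add `.nginx/nginx-proxy/certs/*.key` and the matching `default.crt` to `.gitignore` and create the default pair locally with openssl during setup. The certificate in the previous hunk appears, from its encoded validity dates, to be good for one year from 2022-09-27, so a committed copy also goes stale on its own. If the file is intentionally kept as a throwaway, say so in the directory's README so nobody reuses it for anything else.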
@@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 +7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 +nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e +8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx +iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K +zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI= +-----END DH PARAMETERS----- diff --git a/.nginx/nginx-proxy/conf.d/default.conf b/.nginx/nginx-proxy/conf.d/default.conf new file mode 100644 index 0000000..4578eed --- /dev/null +++ b/.nginx/nginx-proxy/conf.d/default.conf 
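Review bot: `certs/dhparam.pem` is public parameter data, so committing it is fine, but nothing in this commit appears to read it: the generated `conf.d/default.conf` has the `# Default dhparam` comment with no `ssl_dhparam` directive under it, `nginx.tmpl` only emits `ssl_dhparam` for `/etc/nginx/dhparam/dhparam.pem` or `/etc/nginx/certs/<cert>.dhparam.pem`, and the compose file mounts only `./certs`. The `DHE-RSA-*` suites in the cipher string will therefore not use these parameters. Either mount the file at `/etc/nginx/dhparam/dhparam.pem` in both the `nginx` and `nginx-gen` containers so the template's `exists` check and nginx agree, or drop the file.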
@@ -0,0 +1,68 @@
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+ default $http_x_forwarded_proto;
+ '' $scheme;
+}
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+ default $http_x_forwarded_port;
+ '' $server_port;
+}
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+ default upgrade;
+ '' close;
+}
+# Apply fix for very long server names
+server_names_hash_bucket_size 128;
+# Default dhparam
+# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
+map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
+ default off;
+ https on;
+}
+gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+log_format vhost '$host $remote_addr - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent" '
+ '"$upstream_addr"';
+access_log off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers off;
+error_log /dev/stderr;
+# HTTP 1.1 support
+proxy_http_version 1.1;
+proxy_buffering off;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+proxy_set_header X-Original-URI $request_uri;
+# Mitigate httpoxy attack (see README for details)
+proxy_set_header Proxy "";
+server {
+ server_name _; # This is just an invalid value which will never trigger on a real hostname.
+ server_tokens off;
+ listen 80;
+ access_log /var/log/nginx/access.log vhost;
+ return 503;
+}
+server {
+ server_name _; # This is just an invalid value which will never trigger on a real hostname.
+ server_tokens off;
+ listen 443 ssl http2;
+ access_log /var/log/nginx/access.log vhost;
+ return 503;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+ ssl_certificate /etc/nginx/certs/default.crt;
+ ssl_certificate_key /etc/nginx/certs/default.key;
+}
diff --git a/.nginx/nginx-proxy/docker-compose.yml b/.nginx/nginx-proxy/docker-compose.yml
new file mode 100644
index 0000000..749786a
--- /dev/null
+++ b/.nginx/nginx-proxy/docker-compose.yml
@@ -0,0 +1,53 @@
+version: '3'
+services:
+ nginx:
+ image: nginx
+ labels:
+ com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
+ container_name: nginx
+ restart: unless-stopped
+ logging:
+ options:
+ max-size: "10m"
+ max-file: "3"
+ ports:
+ - "80:80"
+ - "443:443"
+ volumes:
+ - ./conf.d:/etc/nginx/conf.d
+ - ./vhost.d:/etc/nginx/vhost.d
+ - ./html:/usr/share/nginx/html
+ - ./certs:/etc/nginx/certs:ro
+
+ nginx-gen:
+ image: jwilder/docker-gen
+ command: -notify-sighup nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
+ container_name: nginx-gen
+ restart: unless-stopped
+ volumes:
+ - ./conf.d:/etc/nginx/conf.d
+ - ./vhost.d:/etc/nginx/vhost.d
+ - ./html:/usr/share/nginx/html
+ - ./certs:/etc/nginx/certs:ro
+ - /var/run/docker.sock:/tmp/docker.sock:ro
+ - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro
+
+ nginx-letsencrypt:
+ image: jrcs/letsencrypt-nginx-proxy-companion
+ container_name: nginx-letsencrypt
+ restart: unless-stopped
+ volumes:
+ - ./conf.d:/etc/nginx/conf.d
+ - ./vhost.d:/etc/nginx/vhost.d
+ - ./html:/usr/share/nginx/html
+ - ./certs:/etc/nginx/certs:rw
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ environment:
+ NGINX_DOCKER_GEN_CONTAINER: "nginx-gen"
+ NGINX_PROXY_CONTAINER: "nginx"
+
+networks:
+ default:
+ external:
+ name: nginx-proxy
+
diff --git a/.nginx/nginx-proxy/nginx.tmpl b/.nginx/nginx-proxy/nginx.tmpl
new file mode 100644
index 0000000..e8a555d
--- /dev/null
+++ b/.nginx/nginx-proxy/nginx.tmpl
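Review bot: All three images are unpinned (`image: nginx`, `image: jwilder/docker-gen`, `image: jrcs/letsencrypt-nginx-proxy-companion`), so each pull takes whatever the default tag currently resolves to, and two of those containers hold the Docker socket and write access to `./certs`; pin each to a release tag, ideally with a digest, e.g. `image: nginx:<version>@sha256:<digest>` (placeholders). Mounting `/var/run/docker.sock` with `:ro` only protects the socket file, not the API behind it, so `nginx-gen` and `nginx-letsencrypt` effectively have host-level control; a one-line comment above those volume entries recording that trust decision would help whoever inherits the stack. Separately, `nginx-gen` rewrites `/etc/nginx/conf.d/default.conf` whenever `-watch` fires, so the copy of `conf.d/default.conf` committed in this same commit will drift from what is actually running; consider gitignoring it and committing only `nginx.tmpl`.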
@@ -0,0 +1,479 @@ +{{ $CurrentContainer := where $ "ID" .Docker.CurrentContainerID | first }} + +{{ $nginx_proxy_version := coalesce $.Env.NGINX_PROXY_VERSION "" }} +{{ $external_http_port := coalesce $.Env.HTTP_PORT "80" }} +{{ $external_https_port := coalesce $.Env.HTTPS_PORT "443" }} +{{ $debug_all := $.Env.DEBUG }} +{{ $sha1_upstream_name := parseBool (coalesce $.Env.SHA1_UPSTREAM_NAME "false") }} +{{ $default_root_response := coalesce $.Env.DEFAULT_ROOT "404" }} + +{{ define "ssl_policy" }} + {{ if eq .ssl_policy "Mozilla-Modern" }} + ssl_protocols TLSv1.3; + {{/* nginx currently lacks ability to choose ciphers in TLS 1.3 in configuration, see https://trac.nginx.org/nginx/ticket/1529 /*}} + {{/* a possible workaround can be modify /etc/ssl/openssl.cnf to change it globally (see https://trac.nginx.org/nginx/ticket/1529#comment:12 ) /*}} + {{/* explicitly set ngnix default value in order to allow single servers to override the global http value */}} + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers off; + {{ else if eq .ssl_policy "Mozilla-Intermediate" }} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; + ssl_prefer_server_ciphers off; + {{ else if eq .ssl_policy "Mozilla-Old" }} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers 
'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'; + ssl_prefer_server_ciphers on; + {{ else if eq .ssl_policy "AWS-TLS-1-2-2017-01" }} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256'; + ssl_prefer_server_ciphers on; + {{ else if eq .ssl_policy "AWS-TLS-1-1-2017-01" }} + ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA'; + ssl_prefer_server_ciphers on; + {{ else if eq .ssl_policy "AWS-2016-08" }} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers 
'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA'; + ssl_prefer_server_ciphers on; + {{ else if eq .ssl_policy "AWS-2015-05" }} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA'; + ssl_prefer_server_ciphers on; + {{ else if eq .ssl_policy "AWS-2015-03" }} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA'; + ssl_prefer_server_ciphers on; + {{ else if eq .ssl_policy "AWS-2015-02" }} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers 
'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA'; + ssl_prefer_server_ciphers on; + {{ end }} +{{ end }} + +{{ define "location" }} + location {{ .Path }} { + {{ if eq .NetworkTag "internal" }} + # Only allow traffic from internal clients + include /etc/nginx/network_internal.conf; + {{ end }} + + {{ if eq .Proto "uwsgi" }} + include uwsgi_params; + uwsgi_pass {{ trim .Proto }}://{{ trim .Upstream }}; + {{ else if eq .Proto "fastcgi" }} + root {{ trim .VhostRoot }}; + include fastcgi_params; + fastcgi_pass {{ trim .Upstream }}; + {{ else if eq .Proto "grpc" }} + grpc_pass {{ trim .Proto }}://{{ trim .Upstream }}; + {{ else }} + proxy_pass {{ trim .Proto }}://{{ trim .Upstream }}{{ trim .Dest }}; + {{ end }} + + {{ if (exists (printf "/etc/nginx/htpasswd/%s" .Host)) }} + auth_basic "Restricted {{ .Host }}"; + auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" .Host) }}; + {{ end }} + + {{ if (exists (printf "/etc/nginx/vhost.d/%s_%s_location" .Host (sha1 .Path) )) }} + include {{ printf "/etc/nginx/vhost.d/%s_%s_location" .Host (sha1 .Path) }}; + {{ else if (exists (printf "/etc/nginx/vhost.d/%s_location" .Host)) }} + include {{ printf "/etc/nginx/vhost.d/%s_location" .Host}}; + {{ else if (exists "/etc/nginx/vhost.d/default_location") }} + include /etc/nginx/vhost.d/default_location; + {{ end }} +} +{{ end }} + +{{ define "upstream" }} + {{ $networks := .Networks }} + {{ $debug_all := .Debug }} +upstream {{ .Upstream }} { + {{ $server_found := "false" }} + {{ range $container := .Containers }} + {{ $debug := (eq (coalesce $container.Env.DEBUG $debug_all "false") "true") }} + {{/* If 
only 1 port exposed, use that as a default, else 80 */}} + {{ $defaultPort := (when (eq (len $container.Addresses) 1) (first $container.Addresses) (dict "Port" "80")).Port }} + {{ $port := (coalesce $container.Env.VIRTUAL_PORT $defaultPort) }} + {{ $address := where $container.Addresses "Port" $port | first }} + {{ if $debug }} + # Exposed ports: {{ $container.Addresses }} + # Default virtual port: {{ $defaultPort }} + # VIRTUAL_PORT: {{ $container.Env.VIRTUAL_PORT }} + {{ if not $address }} + # /!\ Virtual port not exposed + {{ end }} + {{ end }} + {{ range $knownNetwork := $networks }} + {{ range $containerNetwork := $container.Networks }} + {{ if (and (ne $containerNetwork.Name "ingress") (or (eq $knownNetwork.Name $containerNetwork.Name) (eq $knownNetwork.Name "host"))) }} + ## Can be connected with "{{ $containerNetwork.Name }}" network + {{ if $address }} + {{/* If we got the containers from swarm and this container's port is published to host, use host IP:PORT */}} + {{ if and $container.Node.ID $address.HostPort }} + {{ $server_found = "true" }} + # {{ $container.Node.Name }}/{{ $container.Name }} + server {{ $container.Node.Address.IP }}:{{ $address.HostPort }}; + {{/* If there is no swarm node or the port is not published on host, use container's IP:PORT */}} + {{ else if $containerNetwork }} + {{ $server_found = "true" }} + # {{ $container.Name }} + server {{ $containerNetwork.IP }}:{{ $address.Port }}; + {{ end }} + {{ else if $containerNetwork }} + # {{ $container.Name }} + {{ if $containerNetwork.IP }} + {{ $server_found = "true" }} + server {{ $containerNetwork.IP }}:{{ $port }}; + {{ else }} + # /!\ No IP for this network! 
+ {{ end }} + {{ end }} + {{ else }} + # Cannot connect to network '{{ $containerNetwork.Name }}' of this container + {{ end }} + {{ end }} + {{ end }} + {{ end }} + {{/* nginx-proxy/nginx-proxy#1105 */}} + {{ if (eq $server_found "false") }} + # Fallback entry + server 127.0.0.1 down; + {{ end }} +} +{{ end }} + +{{ if ne $nginx_proxy_version "" }} +# nginx-proxy version : {{ $nginx_proxy_version }} +{{ end }} + +# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the +# scheme used to connect to this server +map $http_x_forwarded_proto $proxy_x_forwarded_proto { + default $http_x_forwarded_proto; + '' $scheme; +} + +# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the +# server port the client connected to +map $http_x_forwarded_port $proxy_x_forwarded_port { + default $http_x_forwarded_port; + '' $server_port; +} + +# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any +# Connection header that may have been passed to this server +map $http_upgrade $proxy_connection { + default upgrade; + '' close; +} + +# Apply fix for very long server names +server_names_hash_bucket_size 128; + +# Default dhparam +{{ if (exists "/etc/nginx/dhparam/dhparam.pem") }} +ssl_dhparam /etc/nginx/dhparam/dhparam.pem; +{{ end }} + +# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto +map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl { + default off; + https on; +} + +gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; + +log_format vhost '$host $remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '"$upstream_addr"'; + +access_log off; + +{{/* Get the SSL_POLICY defined by this container, falling back to "Mozilla-Intermediate" */}} +{{ $ssl_policy := or ($.Env.SSL_POLICY) "Mozilla-Intermediate" }} +{{ template 
"ssl_policy" (dict "ssl_policy" $ssl_policy) }} +error_log /dev/stderr; + +{{ if $.Env.RESOLVERS }} +resolver {{ $.Env.RESOLVERS }}; +{{ end }} + +{{ if (exists "/etc/nginx/proxy.conf") }} +include /etc/nginx/proxy.conf; +{{ else }} +# HTTP 1.1 support +proxy_http_version 1.1; +proxy_buffering off; +proxy_set_header Host $http_host; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection $proxy_connection; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; +proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl; +proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port; +proxy_set_header X-Original-URI $request_uri; + +# Mitigate httpoxy attack (see README for details) +proxy_set_header Proxy ""; +{{ end }} + +{{ $access_log := (or (and (not $.Env.DISABLE_ACCESS_LOGS) "access_log /var/log/nginx/access.log vhost;") "") }} + +{{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }} +server { + server_name _; # This is just an invalid value which will never trigger on a real hostname. + server_tokens off; + listen {{ $external_http_port }}; + {{ if $enable_ipv6 }} + listen [::]:{{ $external_http_port }}; + {{ end }} + {{ $access_log }} + return 503; +} + +{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} +server { + server_name _; # This is just an invalid value which will never trigger on a real hostname. 
+ server_tokens off; + listen {{ $external_https_port }} ssl http2; + {{ if $enable_ipv6 }} + listen [::]:{{ $external_https_port }} ssl http2; + {{ end }} + {{ $access_log }} + return 503; + + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + ssl_certificate /etc/nginx/certs/default.crt; + ssl_certificate_key /etc/nginx/certs/default.key; +} +{{ end }} + +{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }} + +{{ $host := trim $host }} +{{ $is_regexp := hasPrefix "~" $host }} +{{ $upstream_name := when (or $is_regexp $sha1_upstream_name) (sha1 $host) $host }} + +{{ $paths := groupBy $containers "Env.VIRTUAL_PATH" }} +{{ $nPaths := len $paths }} + +{{ if eq $nPaths 0 }} + # {{ $host }} + {{ template "upstream" (dict "Upstream" $upstream_name "Containers" $containers "Networks" $CurrentContainer.Networks "Debug" $debug_all) }} +{{ else }} + {{ range $path, $containers := $paths }} + {{ $sum := sha1 $path }} + {{ $upstream := printf "%s-%s" $upstream_name $sum }} + # {{ $host }}{{ $path }} + {{ template "upstream" (dict "Upstream" $upstream "Containers" $containers "Networks" $CurrentContainer.Networks "Debug" $debug_all) }} + {{ end }} +{{ end }} + +{{ $default_host := or ($.Env.DEFAULT_HOST) "" }} +{{ $default_server := index (dict $host "" $default_host "default_server") $host }} + +{{/* Get the SERVER_TOKENS defined by containers w/ the same vhost, falling back to "" */}} +{{ $server_tokens := trim (or (first (groupByKeys $containers "Env.SERVER_TOKENS")) "") }} + + +{{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}} +{{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) (or $.Env.HTTPS_METHOD "redirect") }} + +{{/* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to empty string (use default) */}} +{{ $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "" }} + +{{/* Get the HSTS defined by containers w/ the same vhost, 
falling back to "max-age=31536000" */}} +{{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) (or $.Env.HSTS "max-age=31536000") }} + +{{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}} +{{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }} + + +{{/* Get the first cert name defined by containers w/ the same vhost */}} +{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }} + +{{/* Get the best matching cert by name for the vhost. */}} +{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}} + +{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}} +{{ $vhostCert := trimSuffix ".crt" $vhostCert }} +{{ $vhostCert := trimSuffix ".key" $vhostCert }} + +{{/* Use the cert specified on the container or fallback to the best vhost match */}} +{{ $cert := (coalesce $certName $vhostCert) }} + +{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }} + +{{ if $is_https }} + +{{ if eq $https_method "redirect" }} +server { + server_name {{ $host }}; + {{ if $server_tokens }} + server_tokens {{ $server_tokens }}; + {{ end }} + listen {{ $external_http_port }} {{ $default_server }}; + {{ if $enable_ipv6 }} + listen [::]:{{ $external_http_port }} {{ $default_server }}; + {{ end }} + {{ $access_log }} + + # Do not HTTPS redirect Let'sEncrypt ACME challenge + location ^~ /.well-known/acme-challenge/ { + auth_basic off; + auth_request off; + allow all; + root /usr/share/nginx/html; + try_files $uri =404; + break; + } + + location / { + {{ if eq $external_https_port "443" }} + return 301 https://$host$request_uri; + {{ else }} + return 301 https://$host:{{ $external_https_port }}$request_uri; + {{ end }} + } +} +{{ end }} + +server { + server_name {{ $host }}; + {{ if $server_tokens }} + server_tokens {{ $server_tokens }}; + {{ end }} + listen 
{{ $external_https_port }} ssl http2 {{ $default_server }};
+ {{ if $enable_ipv6 }}
+ listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }};
+ {{ end }}
+ {{ $access_log }}
+
+ {{ template "ssl_policy" (dict "ssl_policy" $ssl_policy) }}
+
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+
+ ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
+ ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
+
+ {{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }}
+ ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
+ {{ end }}
+
+ {{ if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }}
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};
+ {{ end }}
+
+ {{ if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }}
+ add_header Strict-Transport-Security "{{ trim $hsts }}" always;
+ {{ end }}
+
+ {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
+ include {{ printf "/etc/nginx/vhost.d/%s" $host }};
+ {{ else if (exists "/etc/nginx/vhost.d/default") }}
+ include /etc/nginx/vhost.d/default;
+ {{ end }}
+
+ {{ if eq $nPaths 0 }}
+ {{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}}
+ {{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
+
+ {{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
+ {{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
+ {{ template "location" (dict "Path" "/" "Proto" $proto "Upstream" $upstream_name "Host" $host "VhostRoot" $vhost_root "Dest" "" "NetworkTag" $network_tag) }}
+ {{ else }}
+ {{ range $path, $container := $paths }}
+ {{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost-vpath, falling back to "http" */}}
+ {{ $proto := trim (or (first (groupByKeys $container 
"Env.VIRTUAL_PROTO")) "http") }}
+
+ {{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
+ {{ $network_tag := or (first (groupByKeys $container "Env.NETWORK_ACCESS")) "external" }}
+ {{ $sum := sha1 $path }}
+ {{ $upstream := printf "%s-%s" $upstream_name $sum }}
+ {{ $dest := (or (first (groupByKeys $container "Env.VIRTUAL_DEST")) "") }}
+ {{ template "location" (dict "Path" $path "Proto" $proto "Upstream" $upstream "Host" $host "VhostRoot" $vhost_root "Dest" $dest "NetworkTag" $network_tag) }}
+ {{ end }}
+ {{ if (not (contains $paths "/")) }}
+ location / {
+ return {{ $default_root_response }};
+ }
+ {{ end }}
+ {{ end }}
+}
+
+{{ end }}
+
+{{ if or (not $is_https) (eq $https_method "noredirect") }}
+
+server {
+ server_name {{ $host }};
+ {{ if $server_tokens }}
+ server_tokens {{ $server_tokens }};
+ {{ end }}
+ listen {{ $external_http_port }} {{ $default_server }};
+ {{ if $enable_ipv6 }}
+ listen [::]:{{ $external_http_port }} {{ $default_server }};
+ {{ end }}
+ {{ $access_log }}
+
+ {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
+ include {{ printf "/etc/nginx/vhost.d/%s" $host }};
+ {{ else if (exists "/etc/nginx/vhost.d/default") }}
+ include /etc/nginx/vhost.d/default;
+ {{ end }}
+
+ {{ if eq $nPaths 0 }}
+ {{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}}
+ {{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
+
+ {{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
+ {{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
+ {{ template "location" (dict "Path" "/" "Proto" $proto "Upstream" $upstream_name "Host" $host "VhostRoot" $vhost_root "Dest" "" "NetworkTag" $network_tag) }}
+ {{ else }}
+ {{ range $path, $container := $paths }}
+ {{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost-vpath, falling back to "http" 
*/}}
+ {{ $proto := trim (or (first (groupByKeys $container "Env.VIRTUAL_PROTO")) "http") }}
+
+ {{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
+ {{ $network_tag := or (first (groupByKeys $container "Env.NETWORK_ACCESS")) "external" }}
+ {{ $sum := sha1 $path }}
+ {{ $upstream := printf "%s-%s" $upstream_name $sum }}
+ {{ $dest := (or (first (groupByKeys $container "Env.VIRTUAL_DEST")) "") }}
+ {{ template "location" (dict "Path" $path "Proto" $proto "Upstream" $upstream "Host" $host "VhostRoot" $vhost_root "Dest" $dest "NetworkTag" $network_tag) }}
+ {{ end }}
+ {{ if (not (contains $paths "/")) }}
+ location / {
+ return {{ $default_root_response }};
+ }
+ {{ end }}
+ {{ end }}
+}
+
+{{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
+server {
+ server_name {{ $host }};
+ {{ if $server_tokens }}
+ server_tokens {{ $server_tokens }};
+ {{ end }}
+ listen {{ $external_https_port }} ssl http2 {{ $default_server }};
+ {{ if $enable_ipv6 }}
+ listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }};
+ {{ end }}
+ {{ $access_log }}
+ return 500;
+
+ ssl_certificate /etc/nginx/certs/default.crt;
+ ssl_certificate_key /etc/nginx/certs/default.key;
+}
+{{ end }}
+
+{{ end }}
+{{ end }}
diff --git a/nginx/nginx/Dockerfile b/.nginx/nginx/Dockerfile
similarity index 100%
rename from nginx/nginx/Dockerfile
rename to .nginx/nginx/Dockerfile
diff --git a/nginx/nginx/default.conf b/.nginx/nginx/default.conf
similarity index 100%
rename from nginx/nginx/default.conf
rename to .nginx/nginx/default.conf
diff --git a/nginx/nginx/gzip.conf b/.nginx/nginx/gzip.conf
similarity index 100%
rename from nginx/nginx/gzip.conf
rename to .nginx/nginx/gzip.conf
diff --git a/nginx/nginx/hsts.conf b/.nginx/nginx/hsts.conf
similarity index 100%
rename from nginx/nginx/hsts.conf
rename to .nginx/nginx/hsts.conf
diff --git a/nginx/nginx/nginx.sh b/.nginx/nginx/nginx.sh
similarity index 100%
rename from nginx/nginx/nginx.sh
rename to .nginx/nginx/nginx.sh
diff --git a/nginx/nginx/options-ssl-nginx.conf b/.nginx/nginx/options-ssl-nginx.conf
similarity index 100%
rename from nginx/nginx/options-ssl-nginx.conf
rename to .nginx/nginx/options-ssl-nginx.conf
diff --git a/nginx/nginx/site.conf.tpl b/.nginx/nginx/site.conf.tpl
similarity index 86%
rename from nginx/nginx/site.conf.tpl
rename to .nginx/nginx/site.conf.tpl
index c3491ef..29b770b 100644
--- a/nginx/nginx/site.conf.tpl
+++ b/.nginx/nginx/site.conf.tpl
@@ -2,8 +2,8 @@ server { listen 80; server_name ${domain} www.${domain}; - location /.well-known/acme-challenge/ { - root /var/www/certbot/${domain}; + location ^~ /.well-known/acme-challenge/* { + root /var/www/certbot/${domain}/; } location / {
diff --git a/.nginx/proxy b/.nginx/proxy
new file mode 160000
index 0000000..5b66f76
--- /dev/null
+++ b/.nginx/proxy
@@ -0,0 +1 @@
+Subproject commit 5b66f76f29a58f2928e6b1092c66869466a11146
diff --git a/.nginx/self/docker-compose.yml b/.nginx/self/docker-compose.yml
new file mode 100644
index 0000000..e6d4dc0
--- /dev/null
+++ b/.nginx/self/docker-compose.yml
@@ -0,0 +1,19 @@
+version: '3'
+
+services:
+ nginx:
+ image: jonasal/nginx-certbot:latest
+ restart: unless-stopped
+ environment:
+ - CERTBOT_EMAIL=pegasucksgg@gmail.com
+ - STAGING=1
+ - DEBUG=1
+ ports:
+ - 80:80
+ - 443:443
+ volumes:
+ - nginx_secrets:/etc/letsencrypt
+ - ./user_conf.d:/etc/nginx/user_conf.d
+
+volumes:
+ nginx_secrets:
diff --git a/.nginx/self/user_conf.d/example_server.conf b/.nginx/self/user_conf.d/example_server.conf
new file mode 100644
index 0000000..325a78f
--- /dev/null
+++ b/.nginx/self/user_conf.d/example_server.conf
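Review bot: The `*` in `location ^~ /.well-known/acme-challenge/* {` is a literal character, not a wildcard — nginx prefix locations have no glob syntax — so a challenge request such as `/.well-known/acme-challenge/<token>` no longer matches this block and falls through to `location /`, which will most likely break HTTP-01 validation for `${domain}`. The previous prefix already matched every token under that directory; the line should read `location ^~ /.well-known/acme-challenge/ {`, keeping `^~` so a later regex location cannot take precedence. The enclosing `server` block starts before and ends after this hunk.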
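Review bot: `image: jonasal/nginx-certbot:latest` is an unpinned tag, so every pull can silently replace the nginx/certbot build that terminates TLS on ports 80 and 443; pin the tag you actually tested (`image: jonasal/nginx-certbot:<tested-version>`, placeholder to fill in) and bump it on purpose. `STAGING=1` and `DEBUG=1` are committed without explanation: the Let's Encrypt staging CA issues certificates browsers do not trust, so this compose file cannot serve production as written. A comment next to them, `# STAGING=1: staging CA, untrusted certs — remove before going live`, would record that this is a test configuration.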
@@ -0,0 +1,19 @@
+server {
+ # Listen to port 443 on both IPv4 and IPv6.
+ listen 443 ssl default_server reuseport;
+ listen [::]:443 ssl default_server reuseport;
+
+ # Domain names this server should respond to.
+ server_name felia.pegasust.com www.felia.pegasust.com;
+
+ # Load the certificate files.
+ ssl_certificate /etc/letsencrypt/live/felia/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/felia/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/felia/chain.pem;
+
+ # Load the Diffie-Hellman parameter.
+ ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+
+ return 200 'Let\'s Encrypt certificate successfully installed!';
+ add_header Content-Type text/plain;
+}
diff --git a/nginx/vhosts/felia.hwtr.dev.conf b/.nginx/vhosts/felia.pegasust.com.conf
similarity index 52%
rename from nginx/vhosts/felia.hwtr.dev.conf
rename to .nginx/vhosts/felia.pegasust.com.conf
index 224b1bf..9742315 100644
--- a/nginx/vhosts/felia.hwtr.dev.conf
+++ b/.nginx/vhosts/felia.pegasust.com.conf
@@ -1,4 +1,4 @@ location / { - root /var/www/html/felia.hwtr.dev; + root /var/www/html/felia.pegasust.com; index index.html index.htm; }
diff --git a/about-me b/about-me
new file mode 120000
index 0000000..421ef8d
--- /dev/null
+++ b/about-me
@@ -0,0 +1 @@
+/home/ubuntu_admin/local_repos/about-me/
\ No newline at end of file
diff --git a/c4c-secret-manager b/c4c-secret-manager
new file mode 120000
index 0000000..a64794c
--- /dev/null
+++ b/c4c-secret-manager
@@ -0,0 +1 @@
+/home/ubuntu_admin/local_repos/c4c-secret-manager/
\ No newline at end of file
diff --git a/cloudflare-nginx/_nginx/conf.d/default.conf b/cloudflare-nginx/_nginx/conf.d/default.conf
deleted file mode 100644
index ac54d8e..0000000
--- a/cloudflare-nginx/_nginx/conf.d/default.conf
+++ /dev/null
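Review bot: `add_header Content-Type text/plain;` does not set the content type of the `return 200 '...'` body — `add_header` appends a header while nginx still emits its own `Content-Type` derived from `default_type`, so the response can carry two conflicting `Content-Type` headers; replace it with `default_type text/plain;` inside this block. Two things to confirm before this leaves the example stage: `listen 443 ssl default_server reuseport;` makes this placeholder the catch-all for every unmatched TLS hostname, and `reuseport` may appear only once per address:port, so a second vhost in `user_conf.d` that repeats it will fail config validation. The certificate paths use the lineage name `felia` (`/etc/letsencrypt/live/felia/...`) while `server_name` is `felia.pegasust.com`; that only resolves if certbot is run with a matching cert name, which is not visible in this commit.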
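Review bot: `about-me` and `c4c-secret-manager` are committed as symlinks (mode 120000) to absolute paths under `/home/ubuntu_admin/local_repos/`, so they resolve only on that one host and dangle on every other checkout or CI runner. `.nginx/proxy` in this same commit shows the mechanism a monorepo normally uses for sibling repositories — a submodule — which would also record which revision of each project this tree expects. If a submodule is not wanted, a relative link such as `../about-me` at least keeps the layout portable.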
@@ -1,45 +0,0 @@
-server {
- listen 80;
- listen [::]:80;
- server_name localhost;
-
- #access_log /var/log/nginx/host.access.log main;
-
- location / {
- root /usr/share/nginx/html;
- index index.html index.htm;
- }
-
- #error_page 404 /404.html;
-
- # redirect server error pages to the static page /50x.html
- #
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
-
- # proxy the PHP scripts to Apache listening on 127.0.0.1:80
- #
- #location ~ \.php$ {
- # proxy_pass http://127.0.0.1;
- #}
-
- # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
- #
- #location ~ \.php$ {
- # root html;
- # fastcgi_pass 127.0.0.1:9000;
- # fastcgi_index index.php;
- # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
- # include fastcgi_params;
- #}
-
- # deny access to .htaccess files, if Apache's document root
- # concurs with nginx's one
- #
- #location ~ /\.ht {
- # deny all;
- #}
-}
-
diff --git a/cloudflare-nginx/_nginx/fastcgi_params b/cloudflare-nginx/_nginx/fastcgi_params
deleted file mode 100644
index 28decb9..0000000
--- a/cloudflare-nginx/_nginx/fastcgi_params
+++ /dev/null
@@ -1,25 +0,0 @@
-
-fastcgi_param QUERY_STRING $query_string;
-fastcgi_param REQUEST_METHOD $request_method;
-fastcgi_param CONTENT_TYPE $content_type;
-fastcgi_param CONTENT_LENGTH $content_length;
-
-fastcgi_param SCRIPT_NAME $fastcgi_script_name;
-fastcgi_param REQUEST_URI $request_uri;
-fastcgi_param DOCUMENT_URI $document_uri;
-fastcgi_param DOCUMENT_ROOT $document_root;
-fastcgi_param SERVER_PROTOCOL $server_protocol;
-fastcgi_param REQUEST_SCHEME $scheme;
-fastcgi_param HTTPS $https if_not_empty;
-
-fastcgi_param GATEWAY_INTERFACE CGI/1.1;
-fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
-
-fastcgi_param REMOTE_ADDR $remote_addr;
-fastcgi_param REMOTE_PORT $remote_port;
-fastcgi_param SERVER_ADDR $server_addr;
-fastcgi_param SERVER_PORT $server_port;
-fastcgi_param SERVER_NAME $server_name;
-
-# PHP only, required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param REDIRECT_STATUS 200;
diff --git a/cloudflare-nginx/_nginx/mime.types b/cloudflare-nginx/_nginx/mime.types
deleted file mode 100644
index 1c00d70..0000000
--- a/cloudflare-nginx/_nginx/mime.types
+++ /dev/null
@@ -1,99 +0,0 @@
-
-types {
- text/html html htm shtml;
- text/css css;
- text/xml xml;
- image/gif gif;
- image/jpeg jpeg jpg;
- application/javascript js;
- application/atom+xml atom;
- application/rss+xml rss;
-
- text/mathml mml;
- text/plain txt;
- text/vnd.sun.j2me.app-descriptor jad;
- text/vnd.wap.wml wml;
- text/x-component htc;
-
- image/avif avif;
- image/png png;
- image/svg+xml svg svgz;
- image/tiff tif tiff;
- image/vnd.wap.wbmp wbmp;
- image/webp webp;
- image/x-icon ico;
- image/x-jng jng;
- image/x-ms-bmp bmp;
-
- font/woff woff;
- font/woff2 woff2;
-
- application/java-archive jar war ear;
- application/json json;
- application/mac-binhex40 hqx;
- application/msword doc;
- application/pdf pdf;
- application/postscript ps eps ai;
- application/rtf rtf;
- application/vnd.apple.mpegurl m3u8;
- application/vnd.google-earth.kml+xml kml;
- application/vnd.google-earth.kmz kmz;
- application/vnd.ms-excel xls;
- application/vnd.ms-fontobject eot;
- application/vnd.ms-powerpoint ppt;
- application/vnd.oasis.opendocument.graphics odg;
- application/vnd.oasis.opendocument.presentation odp;
- application/vnd.oasis.opendocument.spreadsheet ods;
- application/vnd.oasis.opendocument.text odt;
- application/vnd.openxmlformats-officedocument.presentationml.presentation
- pptx;
- application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
- xlsx;
- application/vnd.openxmlformats-officedocument.wordprocessingml.document
- docx;
- application/vnd.wap.wmlc wmlc;
- application/wasm wasm;
- application/x-7z-compressed 7z;
- application/x-cocoa cco;
- application/x-java-archive-diff jardiff;
- application/x-java-jnlp-file jnlp;
- application/x-makeself run;
- application/x-perl pl pm;
- application/x-pilot prc pdb;
- application/x-rar-compressed rar;
- application/x-redhat-package-manager rpm;
- application/x-sea sea;
- application/x-shockwave-flash swf;
- application/x-stuffit sit;
- application/x-tcl tcl tk;
- application/x-x509-ca-cert der pem crt;
- 
application/x-xpinstall xpi;
- application/xhtml+xml xhtml;
- application/xspf+xml xspf;
- application/zip zip;
-
- application/octet-stream bin exe dll;
- application/octet-stream deb;
- application/octet-stream dmg;
- application/octet-stream iso img;
- application/octet-stream msi msp msm;
-
- audio/midi mid midi kar;
- audio/mpeg mp3;
- audio/ogg ogg;
- audio/x-m4a m4a;
- audio/x-realaudio ra;
-
- video/3gpp 3gpp 3gp;
- video/mp2t ts;
- video/mp4 mp4;
- video/mpeg mpeg mpg;
- video/quicktime mov;
- video/webm webm;
- video/x-flv flv;
- video/x-m4v m4v;
- video/x-mng mng;
- video/x-ms-asf asx asf;
- video/x-ms-wmv wmv;
- video/x-msvideo avi;
-}
diff --git a/cloudflare-nginx/_nginx/modules b/cloudflare-nginx/_nginx/modules
deleted file mode 120000
index 4b9b33f..0000000
--- a/cloudflare-nginx/_nginx/modules
+++ /dev/null
@@ -1 +0,0 @@
-/usr/lib/nginx/modules
\ No newline at end of file
diff --git a/cloudflare-nginx/_nginx/nginx.conf b/cloudflare-nginx/_nginx/nginx.conf
deleted file mode 100644
index 5e076aa..0000000
--- a/cloudflare-nginx/_nginx/nginx.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-
-user nginx;
-worker_processes auto;
-
-error_log /var/log/nginx/error.log notice;
-pid /var/run/nginx.pid;
-
-
-events {
- worker_connections 1024;
-}
-
-
-http {
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /var/log/nginx/access.log main;
-
- sendfile on;
- #tcp_nopush on;
-
- keepalive_timeout 65;
-
- #gzip on;
-
- include /etc/nginx/conf.d/*.conf;
-}
diff --git a/cloudflare-nginx/_nginx/scgi_params b/cloudflare-nginx/_nginx/scgi_params
deleted file mode 100644
index 6d4ce4f..0000000
--- a/cloudflare-nginx/_nginx/scgi_params
+++ /dev/null
@@ -1,17 +0,0 @@
-
-scgi_param REQUEST_METHOD $request_method;
-scgi_param REQUEST_URI $request_uri;
-scgi_param QUERY_STRING $query_string;
-scgi_param CONTENT_TYPE $content_type;
-
-scgi_param DOCUMENT_URI $document_uri;
-scgi_param DOCUMENT_ROOT $document_root;
-scgi_param SCGI 1;
-scgi_param SERVER_PROTOCOL $server_protocol;
-scgi_param REQUEST_SCHEME $scheme;
-scgi_param HTTPS $https if_not_empty;
-
-scgi_param REMOTE_ADDR $remote_addr;
-scgi_param REMOTE_PORT $remote_port;
-scgi_param SERVER_PORT $server_port;
-scgi_param SERVER_NAME $server_name;
diff --git a/cloudflare-nginx/_nginx/uwsgi_params b/cloudflare-nginx/_nginx/uwsgi_params
deleted file mode 100644
index 09c732c..0000000
--- a/cloudflare-nginx/_nginx/uwsgi_params
+++ /dev/null
@@ -1,17 +0,0 @@
-
-uwsgi_param QUERY_STRING $query_string;
-uwsgi_param REQUEST_METHOD $request_method;
-uwsgi_param CONTENT_TYPE $content_type;
-uwsgi_param CONTENT_LENGTH $content_length;
-
-uwsgi_param REQUEST_URI $request_uri;
-uwsgi_param PATH_INFO $document_uri;
-uwsgi_param DOCUMENT_ROOT $document_root;
-uwsgi_param SERVER_PROTOCOL $server_protocol;
-uwsgi_param REQUEST_SCHEME $scheme;
-uwsgi_param HTTPS $https if_not_empty;
-
-uwsgi_param REMOTE_ADDR $remote_addr;
-uwsgi_param REMOTE_PORT $remote_port;
-uwsgi_param SERVER_PORT $server_port;
-uwsgi_param SERVER_NAME $server_name;
diff --git a/cloudflare-nginx/nginx/conf.d/default.conf b/cloudflare-nginx/nginx/conf.d/default.conf
index 8f4e363..ac54d8e 100644
--- a/cloudflare-nginx/nginx/conf.d/default.conf
+++ b/cloudflare-nginx/nginx/conf.d/default.conf
@@ -1,24 +1,45 @@ -# NOTE: Felia is under Cox ISP, which blocks port 80 anyways. -# we're just going to leave it like this for now server { - listen 80; - listen [::]:80; - server_name localhost; - return 302 https://$server_name$request_uri; -} + listen 80; + listen [::]:80; + server_name localhost; -server { - # SSL configuration - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; - - include /etc/nginx/ssl_params; - - server_name _; - root /var/www/html; - index index.html index.htm index.nginx-debian.html; + #access_log /var/log/nginx/host.access.log main; location / { - try_files $uri $uri/ =404; + root /usr/share/nginx/html; + index index.html index.htm; } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + + # proxy the PHP scripts to Apache listening on 127.0.0.1:80 + # + #location ~ \.php$ { + # proxy_pass http://127.0.0.1; + #} + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # root html; + # fastcgi_pass 127.0.0.1:9000; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; + # include fastcgi_params; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} } +
diff --git a/cloudflare-nginx/nginx/conf.d/localhost.conf b/cloudflare-nginx/nginx/conf.d/localhost.conf
new file mode 100644
index 0000000..63060d8
--- /dev/null
+++ b/cloudflare-nginx/nginx/conf.d/localhost.conf
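Review bot: The port-80 block kept here now declares `server_name localhost;` on `listen 80;` / `listen [::]:80;`, and `localhost.conf` added in this same commit declares the identical name on the identical listeners; nginx reports that as a conflicting server name and ignores whichever block it reads later (`conf.d/*.conf` is included in filename order, so `localhost.conf` loses), which leaves its `return 302 https://$server_name$request_uri;` redirect as dead configuration. Keep one owner of `localhost` — most likely drop the stock block here and let `localhost.conf` carry both the redirect and the TLS site. This hunk also removes the only `default_server` on 443 and neither new file declares one, so the TLS catch-all for unmatched hostnames falls to whichever 443 server happens to be included first; an explicit `default_server` on the intended listener (or a dedicated `return 444;` block) would make that choice deliberate rather than an accident of filenames.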
@@ -0,0 +1,24 @@
+# NOTE: Felia is under Cox ISP, which blocks port 80 anyways.
+# we're just going to leave it like this for now
+server {
+ listen 80;
+ listen [::]:80;
+ server_name localhost;
+ return 302 https://$server_name$request_uri;
+}
+
+server {
+ # SSL configuration
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ include /etc/nginx/ssl_params;
+
+ server_name localhost;
+ root /var/www/localhost/html;
+ index index.html index.htm index.nginx-debian.html;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/cloudflare-nginx/nginx/conf.d/pegasust.com.conf b/cloudflare-nginx/nginx/conf.d/pegasust.com.conf
index 4c4b988..9b1b539 100644
--- a/cloudflare-nginx/nginx/conf.d/pegasust.com.conf
+++ b/cloudflare-nginx/nginx/conf.d/pegasust.com.conf
@@ -15,10 +15,16 @@ server { include /etc/nginx/ssl_params; server_name pegasust.com; - root /var/www/html/pegasust.com; + root /var/www/pegasust.com/html; index index.html index.htm index.nginx-debian.html; location / { try_files $uri $uri/ =404; } + location /vault/ { + proxy_pass http://localhost:8200; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } }
diff --git a/cloudflare-nginx/nginx/ssl_params b/cloudflare-nginx/nginx/ssl_params
index 8c02e8b..157e6cc 100644
--- a/cloudflare-nginx/nginx/ssl_params
+++ b/cloudflare-nginx/nginx/ssl_params
@@ -1,5 +1,5 @@ ssl_certificate /etc/ssl/cert.pem; ssl_certificate_key /etc/ssl/key.pem; -ssl_client_certificate /etc/ssl/cloudflare.crt; -ssl_verify_client on; +# ssl_client_certificate /etc/ssl/cloudflare.crt; +# ssl_verify_client on;
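Review bot: The new `location /vault/ { proxy_pass http://localhost:8200; ... }` publishes whatever listens on port 8200 (the port suggests a Vault instance, though the service itself is not visible here) on the public `pegasust.com` vhost with no access control at all — no `allow`/`deny`, no `auth_request`, and no client-certificate check now that `ssl_params` drops `ssl_verify_client` in the same commit. A secrets manager reachable by anyone who can reach the origin deserves at minimum an IP allowlist or an authenticating front in this block, plus a comment recording why it is exposed on the public hostname. Two smaller points: `proxy_pass http://localhost:8200;` with no URI part forwards the request path unchanged, so the backend receives `/vault/...` rather than `/...` — confirm it is configured to serve under that prefix — and the upstream is never told the original scheme, so add `proxy_set_header X-Forwarded-Proto $scheme;` next to the other headers. The enclosing `server` block starts before this hunk.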
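Review bot: Commenting out `ssl_client_certificate /etc/ssl/cloudflare.crt;` and `ssl_verify_client on;` disables verification of the proxy's client certificate (Cloudflare Authenticated Origin Pulls), so the origin on 443 now accepts TLS connections from any client rather than only Cloudflare, and any protection enforced at the edge — WAF rules, rate limits, access policies — can be bypassed by connecting to the origin address directly. If the directives were disabled because they broke something, record that in place of the bare `#` prefix, e.g. `# Origin-pull mTLS disabled <date>: <reason>; compensating control: <control>` with the placeholders filled in, and add the compensating control itself, such as restricting 443 to Cloudflare's published address ranges at the firewall or with `allow`/`deny` in nginx. This file is included by both `localhost.conf` and `pegasust.com.conf`, so the regression applies to every TLS vhost, including the newly exposed `/vault/` proxy.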