diff --git a/README.md b/README.md
index 42cb3b0..fee3b29 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,5 @@
 # NGINX Configs
-[![ShellCheck](https://github.com/TommyTran732/NGINX-Configs/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/TommyTran732/NGINX-Configs/actions/workflows/shellcheck.yml)
-
 These are my NGINX configurations. They are written for `nginx-core` with `nginx-mod-stream` on Fedora and mainline NGINX on RHEL.
 ## Getting Started
@@ -12,7 +10,3 @@ These are my NGINX configurations. They are written for `nginx-core` with `nginx
 4. Generate a certificate with your hostname with the `certbot/default-quic` example. Copy `etc/nginx/conf.d/default-quic.conf` to the corresponding directory on your server and edit it approprieately.
 5. Generate certificates with the example in the certbot directory.
 6. Make your actual vhost config based on the `sites_.*` samples in `/etc/nginx/conf.d`.
-
-## Notes
-
-This is used on my tunnel servers with multiple IP addresses. Hence, you may see addresses like `ipv4_1` and `ipv4_2`. Just replace them with your own ip addresses.
diff --git a/etc/nginx/conf.d/bitwarden.conorz.at.conf b/etc/nginx/conf.d/bitwarden.conorz.at.conf
new file mode 100644
index 0000000..3179657
--- /dev/null
+++ b/etc/nginx/conf.d/bitwarden.conorz.at.conf
@@ -0,0 +1,26 @@
+server {
+ listen 443 quic;
+ listen 443 ssl;
+ listen [::]:443 quic;
+ listen [::]:443 ssl;
+
+ server_name bitwarden.conorz.at;
+
+ ssl_certificate /etc/letsencrypt/live/bitwarden.conorz.at/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/bitwarden.conorz.at/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/bitwarden.conorz.at/chain.pem;
+
+ include snippets/hsts.conf;
+ include snippets/security.conf;
+ include snippets/quic.conf;
+ include snippets/proxy.conf;
+ include snippets/robots.conf;
+ include snippets/universal_paths.conf;
+
+ add_header Cross-Origin-Resource-Policy "same-origin" always;
+ add_header Cross-Origin-Opener-Policy "same-origin" always;
+
+ location / {
+ proxy_pass http://127.0.0.1:8081;
+ }
+}
diff --git a/etc/nginx/conf.d/blog.conorz.at.conf b/etc/nginx/conf.d/blog.conorz.at.conf
new file mode 100644
index 0000000..58938c6
--- /dev/null
+++ b/etc/nginx/conf.d/blog.conorz.at.conf
@@ -0,0 +1,26 @@
+server {
+ listen 443 quic;
+ listen 443 ssl;
+ listen [::]:443 quic;
+ listen [::]:443 ssl;
+
+ server_name blog.conorz.at;
+
+ ssl_certificate /etc/letsencrypt/live/blog.conorz.at/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/blog.conorz.at/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/blog.conorz.at/chain.pem;
+
+ include snippets/hsts.conf;
+ include snippets/security.conf;
+ include snippets/quic.conf;
+ include snippets/proxy.conf;
+ include snippets/robots.conf;
+ include snippets/universal_paths.conf;
+
+ add_header Cross-Origin-Resource-Policy "same-origin" always;
+ add_header Cross-Origin-Opener-Policy "same-origin" always;
+
+ location / {
+ proxy_pass http://127.0.0.1:8084;
+ }
+}
diff --git a/etc/nginx/conf.d/cloud.conorz.at.conf b/etc/nginx/conf.d/cloud.conorz.at.conf
new file mode 100644
index 0000000..e1e2914
--- /dev/null
+++ b/etc/nginx/conf.d/cloud.conorz.at.conf
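Review bot: The `location /` here proxies to `127.0.0.1:8081` with no `proxy_http_version 1.1`, `Upgrade` or `Connection` header of its own, so WebSocket upgrades (the notifications hub that the commented `vaultwarden-ws` blocks in this commit's `wl` file were wired for) only work if `snippets/proxy.conf` sets them; confirm that snippet before relying on it, since a plain proxy silently downgrades the hub to polling or errors. The same six `include` lines and two `add_header` lines are repeated verbatim in blog, cloud, comments, conorz.at, git, monitorss, smart and wl.conorz.at; moving them into one shared snippet (say `include snippets/vhost-common.conf;`, name to taste) would make a future header or hardening change land in every vhost at once instead of in eight files.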
@@ -0,0 +1,26 @@
+server {
+ listen 443 quic;
+ listen 443 ssl;
+ listen [::]:443 quic;
+ listen [::]:443 ssl;
+
+ server_name cloud.conorz.at;
+
+ ssl_certificate /etc/letsencrypt/live/cloud.conorz.at/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/cloud.conorz.at/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/cloud.conorz.at/chain.pem;
+
+ include snippets/hsts.conf;
+ include snippets/security.conf;
+ include snippets/quic.conf;
+ include snippets/proxy.conf;
+ include snippets/robots.conf;
+ include snippets/universal_paths.conf;
+
+ add_header Cross-Origin-Resource-Policy "same-origin" always;
+ add_header Cross-Origin-Opener-Policy "same-origin" always;
+
+ location / {
+ proxy_pass http://127.0.0.1:8085;
+ }
+}
diff --git a/etc/nginx/conf.d/comments.conorz.at.conf b/etc/nginx/conf.d/comments.conorz.at.conf
new file mode 100644
index 0000000..d38610c
--- /dev/null
+++ b/etc/nginx/conf.d/comments.conorz.at.conf
@@ -0,0 +1,26 @@
+server {
+ listen 443 quic;
+ listen 443 ssl;
+ listen [::]:443 quic;
+ listen [::]:443 ssl;
+
+ server_name comments.conorz.at;
+
+ ssl_certificate /etc/letsencrypt/live/comments.conorz.at/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/comments.conorz.at/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/comments.conorz.at/chain.pem;
+
+ include snippets/hsts.conf;
+ include snippets/security.conf;
+ include snippets/quic.conf;
+ include snippets/proxy.conf;
+ include snippets/robots.conf;
+ include snippets/universal_paths.conf;
+
+ add_header Cross-Origin-Resource-Policy "same-origin" always;
+ add_header Cross-Origin-Opener-Policy "same-origin" always;
+
+ location / {
+ proxy_pass http://127.0.0.1:8086;
+ }
+}
diff --git a/etc/nginx/conf.d/conorz.at.conf b/etc/nginx/conf.d/conorz.at.conf
new file mode 100644
index 0000000..37ed169
--- /dev/null
+++ b/etc/nginx/conf.d/conorz.at.conf
@@ -0,0 +1,46 @@
+server {
+ listen 443 quic;
+ listen 443 ssl;
+ listen [::]:443 quic;
+ listen [::]:443 ssl;
+
+ server_name conorz.at;
+
+ include snippets/hsts.conf;
+ include snippets/security.conf;
+ include snippets/quic.conf;
+ include snippets/proxy.conf;
+ include snippets/robots.conf;
+ include snippets/universal_paths.conf;
+
+ add_header Cross-Origin-Resource-Policy "same-origin" always;
+ add_header Cross-Origin-Opener-Policy "same-origin" always;
+
+ ssl_certificate /etc/letsencrypt/live/conorz.at/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/conorz.at/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/conorz.at/cert.pem;
+
+ error_page 404 /404.html;
+
+ location = /404.html {
+ root /website/dist;
+ internal;
+ }
+ error_page 403 /403.html;
+
+ location = /403.html {
+ root /website/dist;
+ internal;
+ }
+ client_max_body_size 128M;
+
+ location / {
+ root /website/dist;
+ index index.html;
+ }
+
+
+ location ^~ /_matrix/ {
+ proxy_pass http://127.0.0.1:8008;
+ }
+}
diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf
index 88e03b1..34680f3 100644
--- a/etc/nginx/conf.d/default.conf
+++ b/etc/nginx/conf.d/default.conf
@@ -1,10 +1,10 @@
 server {
- listen ipv4_1:80 default_server;
- listen [ipv6_1]:80 default_server;
+ listen 127.0.0.1:80 default_server;
+# listen [ipv6_1]:80 default_server;
 include snippets/universal_paths.conf; location / { return 308 https://$host$request_uri; }
-}
\ No newline at end of file
+}
diff --git a/etc/nginx/conf.d/git.conorz.at.conf b/etc/nginx/conf.d/git.conorz.at.conf
new file mode 100644
index 0000000..8d98207
--- /dev/null
+++ b/etc/nginx/conf.d/git.conorz.at.conf
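Review bot: `ssl_trusted_certificate /etc/letsencrypt/live/conorz.at/cert.pem;` points at the leaf certificate, whereas every other new vhost in this commit uses `chain.pem`; nginx reads this file as the set of trusted CA certificates for verifying OCSP responses when stapling is enabled, and a leaf certificate cannot play that role, so if `snippets/security.conf` turns on `ssl_stapling_verify` the staple for conorz.at will fail verification while the sibling hosts' succeed. Change it to `ssl_trusted_certificate /etc/letsencrypt/live/conorz.at/chain.pem;`. The `terminal` and `wl` files later in this commit carry the same `cert.pem` value. Separately, `location ^~ /_matrix/` now relies entirely on `snippets/proxy.conf` for the `Host`, `X-Forwarded-For` and `X-Forwarded-Proto` headers that the old `terminal` config set explicitly for this upstream; worth confirming the snippet sets them, since a Matrix homeserver behind a reverse proxy derives client IPs and the scheme from those headers.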
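Review bot: `listen 127.0.0.1:80 default_server;` binds the plain-HTTP redirect server to loopback only, and the IPv6 listener under it is commented out rather than replaced, so after this change a client on the network requesting `http://<host>/` no longer receives the 308 to HTTPS at all unless a separate frontend forwards port 80 to loopback, which nothing in this commit shows. If the intent is the single-host layout implied by dropping the README's `ipv4_1`/`ipv4_2` note, `listen 80 default_server;` and `listen [::]:80 default_server;` keep the redirect (and whatever `snippets/universal_paths.conf` serves over HTTP) reachable; if the loopback binding is deliberate, a one-line comment above the directive naming what fronts it would save the next reader the same question. The hunk's blank context lines were lost in transit, so their exact placement inside the block is inferred.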
@@ -0,0 +1,26 @@
+server {
+ listen 443 quic;
+ listen 443 ssl;
+ listen [::]:443 quic;
+ listen [::]:443 ssl;
+
+ server_name git.conorz.at;
+
+ ssl_certificate /etc/letsencrypt/live/git.conorz.at/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/git.conorz.at/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/git.conorz.at/chain.pem;
+
+ include snippets/hsts.conf;
+ include snippets/security.conf;
+ include snippets/quic.conf;
+ include snippets/proxy.conf;
+ include snippets/robots.conf;
+ include snippets/universal_paths.conf;
+
+ add_header Cross-Origin-Resource-Policy "same-origin" always;
+ add_header Cross-Origin-Opener-Policy "same-origin" always;
+
+ location / {
+ proxy_pass http://127.0.0.1:3004;
+ }
+}
diff --git a/etc/nginx/conf.d/monitorss.conorz.at.conf b/etc/nginx/conf.d/monitorss.conorz.at.conf
new file mode 100644
index 0000000..dbb3b67
--- /dev/null
+++ b/etc/nginx/conf.d/monitorss.conorz.at.conf
@@ -0,0 +1,26 @@
+server {
+ listen 443 quic;
+ listen 443 ssl;
+ listen [::]:443 quic;
+ listen [::]:443 ssl;
+
+ server_name monitorss.conorz.at;
+
+ ssl_certificate /etc/letsencrypt/live/monitorss.conorz.at/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/monitorss.conorz.at/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/monitorss.conorz.at/chain.pem;
+
+ include snippets/hsts.conf;
+ include snippets/security.conf;
+ include snippets/quic.conf;
+ include snippets/proxy.conf;
+ include snippets/robots.conf;
+ include snippets/universal_paths.conf;
+
+ add_header Cross-Origin-Resource-Policy "same-origin" always;
+ add_header Cross-Origin-Opener-Policy "same-origin" always;
+
+ location / {
+ proxy_pass http://127.0.0.1:8001;
+ }
+}
diff --git a/etc/nginx/conf.d/smart.conorz.at b/etc/nginx/conf.d/smart.conorz.at
new file mode 100644
index 0000000..96a49ba
--- /dev/null
+++ b/etc/nginx/conf.d/smart.conorz.at
@@ -0,0 +1,26 @@
+server {
+ listen 443 quic;
+ listen 443 ssl;
+ listen [::]:443 quic;
+ listen [::]:443 ssl;
+
+ server_name smart.conorz.at;
+
+ ssl_certificate /etc/letsencrypt/live/smart.conorz.at/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/smart.conorz.at/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/smart.conorz.at/chain.pem;
+
+ include snippets/hsts.conf;
+ include snippets/security.conf;
+ include snippets/quic.conf;
+ include snippets/proxy.conf;
+ include snippets/robots.conf;
+ include snippets/universal_paths.conf;
+
+ add_header Cross-Origin-Resource-Policy "same-origin" always;
+ add_header Cross-Origin-Opener-Policy "same-origin" always;
+
+ location / {
+ proxy_pass http://127.0.0.1:8123;
+ }
+}
diff --git a/etc/nginx/conf.d/terminal b/etc/nginx/conf.d/terminal
new file mode 100644
index 0000000..aa1757b
--- /dev/null
+++ b/etc/nginx/conf.d/terminal
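Review bot: This file is named `smart.conorz.at` with no `.conf` suffix, while the other vhosts added in this commit use `<name>.conf`; the stock Fedora/RHEL `nginx.conf` the README targets includes `conf.d/*.conf`, so unless that include glob was widened this server block is never loaded and `smart.conorz.at` silently has no vhost, with requests for it falling through to whichever server block nginx picks as default for 443. Renaming it to `smart.conorz.at.conf` fixes that. `wl.conorz.at`, `terminal` and `wl` in the same commit have the same missing suffix; for the latter two, not being loaded may currently be the only thing preventing a `server_name` conflict with `conorz.at.conf` and `wl.conorz.at`, so decide deliberately which of the four should actually be active before renaming.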
@@ -0,0 +1,164 @@
+#upstream terminal-default {
+# zone vaultwarden-default 64k;
+# server localhost:3002;
+# keepalive 2;
+#}
+
+log_format vhost '$host $remote_addr - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent" '
+ '"$upstream_addr" proxyhost:"$proxy_host"';
+#upstream terminal-ws {
+# zone vaultwarden-ws 64k;
+# server localhost:3012;
+# keepalive 2;
+#}
+
+# Redirect HTTP to HTTPS
+server {
+ listen 80;
+ listen [::]:80;
+ server_name conorz.at;
+
+# location / {
+# root /website;
+# index index.html;
+# try_files $uri $uri/ /index.html;
+# }
+ return 301 https://$host$request_uri;
+# error_page 404 /404.html;
+# location = /404.html {
+# root /error_page;
+# internal;
+ #proxy_pass http://localhost:3002;
+# }
+}
+
+server {
+ listen 443 ssl http2;
+ # listen [::]:443 ssl http2;
+
+# listen 8448 ssl;
+# listen [::]:8448 ssl;
+
+ server_name conorz.at;
+
+# Specify SSL Config when needed
+# ssl_trusted_certificate /etc/nginx/ssl/conorz.at/conorz.at-ssl.pem;
+# ssl_certificate_key /etc/nginx/ssl/conorz.at/conorz.at-privkey.pem;
+# ssl_certificate /etc/nginx/ssl/conorz.at/conorz.at-fullchain.pem;
+
+# ssl_certificate /etc/nginx/ssl/conorz.at/conorz.at-fullchain.pem;
+# ssl_certificate_key /etc/nginx/ssl/conorz.at/conorz.at-privkey.pem;
+# ssl_trusted_certificate /etc/nginx/ssl/conorz.at/conorz.at-fullchain.pem;
+
+ ssl_certificate /etc/letsencrypt/live/conorz.at/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/conorz.at/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/conorz.at/cert.pem;
+
+ error_page 404 /404.html;
+
+ location = /404.html {
+ root /website/dist;
+ internal;
+ }
+ error_page 403 /403.html;
+
+ location = /403.html {
+ root /website/dist;
+ internal;
+ }
+ client_max_body_size 128M;
+
+ location / {
+ root /website/dist;
+ index index.html;
+# proxy_http_version 1.1;
+# proxy_set_header "Connection" "";
+
+# proxy_set_header HOST $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header X-Forwarded-Proto $scheme;
+
+# proxy_pass http://terminal-default;
+ }
+
+# location /matrix/nginx-proxy/data/matrix-domain/terminal/test.txt {
+# proxy_http_version 1.1;
+# proxy_set_header "Connection" "";
+
+# proxy_set_header Host $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header X-Forwarded-Proto $scheme;
+
+# proxy_pass http://terminal-default/resume.pdf;
+# }
+
+# location /gpg/index.html {
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection "upgrade";
+
+# proxy_set_header Host $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header Forwarded $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header X-Forwarded-Proto $scheme;
+
+# proxy_pass http://vaultwarden-ws/gpg;
+# }
+
+ location ^~ /_matrix/ {
+ proxy_set_header Host conorz.at;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://127.0.0.1:8008;
+#use correct protocol (https/http) and correct ip:port
+ proxy_read_timeout 90;
+ }
+
+}
+# location ^~ /_matrix/ {
+# proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
+# }
+#}
+#server {
+# listen 8448 ssl http2;
+ # listen [::]:443 ssl http2;
+# server_name conorz.at;
+# access_log /var/log/nginx/access-matrix-9449.log vhost;
+
+ # Specify SSL Config when needed
+# ssl_certificate /etc/nginx/ssl/conorz.at/matrix.conorz.at-fullchain.pem;
+# ssl_certificate_key /etc/nginx/ssl/conorz.at/matrix.conorz.at-privkey.pem;
+# ssl_trusted_certificate /etc/nginx/ssl/conorz.at/matrix.conorz.at-ssl.pem;
+
+# ssl_certificate /etc/letsencrypt/live/conorz.at/fullchain.pem;
+# ssl_certificate_key /etc/letsencrypt/live/conorz.at/privkey.pem;
+# ssl_trusted_certificate /etc/letsencrypt/live/conorz.at/cert.pem;
+
+# client_max_body_size 128M;
+
+# location / {
+# proxy_http_version 1.1;
+# proxy_set_header "Connection" "";
+
+# proxy_set_header HOST $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header X-Forwarded-Proto $scheme;
+
+# proxy_pass http://terminal-default;
+# }
+# location ^~ /_matrix/ {
+# proxy_set_header Host conorz.at;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header X-Forwarded-Proto $scheme;
+# proxy_pass http://127.0.0.1:8008;
+# proxy_read_timeout 90;
+# }
+#}
diff --git a/etc/nginx/conf.d/wl b/etc/nginx/conf.d/wl
new file mode 100644
index 0000000..6400547
--- /dev/null
+++ b/etc/nginx/conf.d/wl
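Review bot: A second `server_name conorz.at;` on `listen 443 ssl http2;` lands here alongside the new `conorz.at.conf`, with the same `/_matrix/` proxy to `127.0.0.1:8008`, a second port-80 redirect overlapping `default.conf`, and a `log_format vhost` that nothing active references, while most of the body is commented out; this reads as the pre-refactor config rather than something meant to ship. If it is ever included, nginx logs a conflicting server name for conorz.at and ignores one of the two blocks, and the `http2` parameter on `listen` is the form mainline nginx has deprecated in favour of `http2 on;`, so the file would also be the first to break on an upgrade. Suggest dropping `terminal` (and the parallel `wl`, which duplicates `wl.conorz.at` proxying the same `127.0.0.1:7200` and carries the same `cert.pem` for `ssl_trusted_certificate`) from the commit, or moving both under a directory the `conf.d` include glob does not pick up with a one-line comment at the top saying they are kept for reference only.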
@@ -0,0 +1,91 @@
+# The `upstream` directives ensure that you have a http/1.1 connection
+# This enables the keepalive option and better performance
+#
+# Define the server IP and ports here.
+upstream dashboard-default {
+ zone dashboard-default 64k;
+ server 127.0.0.1:7200;
+ keepalive 2;
+}
+
+
+# Redirect HTTP to HTTPS
+server {
+ listen 80;
+ listen [::]:80;
+ server_name wl.conorz.at;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ # listen [::]:443 ssl http2;
+ server_name wl.conorz.at;
+
+ # Specify SSL Config when needed
+# ssl_certificate /etc/nginx/ssl/conorz.at/wl.conorz.at-fullchain.pem;
+# ssl_certificate_key /etc/nginx/ssl/conorz.at/wl.conorz.at-privkey.pem;
+# ssl_trusted_certificate /etc/nginx/ssl/conorz.at/wl.conorz.at-fullchain.pem;
+ ssl_certificate /etc/letsencrypt/live/wl.conorz.at/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/wl.conorz.at/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/wl.conorz.at/cert.pem;
+
+ client_max_body_size 128M;
+
+ location / {
+ proxy_http_version 1.1;
+ proxy_set_header "Connection" "";
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://dashboard-default;
+ }
+
+# location /notifications/hub/negotiate {
+# proxy_http_version 1.1;
+# proxy_set_header "Connection" "";
+#
+# proxy_set_header Host $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header X-Forwarded-Proto $scheme;
+#
+# proxy_pass http://vaultwarden-default;
+# }
+
+# location /notifications/hub {
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection "upgrade";
+
+ # proxy_set_header Host $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header Forwarded $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header X-Forwarded-Proto $scheme;
+
+# proxy_pass http://vaultwarden-ws;
+# }
+
+ # Optionally add extra authentication besides the ADMIN_TOKEN
+ # Remove the comments below `#` and create the htpasswd_file to have it active
+ #
+ #location /admin {
+ # # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
+ # auth_basic "Private";
+ # auth_basic_user_file /path/to/htpasswd_file;
+ #
+ # proxy_http_version 1.1;
+ # proxy_set_header "Connection" "";
+ #
+ # proxy_set_header Host $host;
+ # proxy_set_header X-Real-IP $remote_addr;
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # proxy_set_header X-Forwarded-Proto $scheme;
+ #
+ # proxy_pass http://vaultwarden-default;
+ #}
+}
diff --git a/etc/nginx/conf.d/wl.conorz.at b/etc/nginx/conf.d/wl.conorz.at
new file mode 100644
index 0000000..41a7dfc
--- /dev/null
+++ b/etc/nginx/conf.d/wl.conorz.at
@@ -0,0 +1,26 @@
+server {
+ listen 443 quic;
+ listen 443 ssl;
+ listen [::]:443 quic;
+ listen [::]:443 ssl;
+
+ server_name wl.conorz.at;
+
+ ssl_certificate /etc/letsencrypt/live/wl.conorz.at/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/wl.conorz.at/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/wl.conorz.at/chain.pem;
+
+ include snippets/hsts.conf;
+ include snippets/security.conf;
+ include snippets/quic.conf;
+ include snippets/proxy.conf;
+ include snippets/robots.conf;
+ include snippets/universal_paths.conf;
+
+ add_header Cross-Origin-Resource-Policy "same-origin" always;
+ add_header Cross-Origin-Opener-Policy "same-origin" always;
+
+ location / {
+ proxy_pass http://127.0.0.1:7200;
+ }
+}