first commit

2025-01-01 06:29:34 +01:00 · 2025-01-01 06:29:34 +01:00 · 0dc32f127e
commit 0dc32f127e
parent dbdd308ffb
13 changed files with 512 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -1,7 +1,5 @@
 # NGINX Configs
 [![ShellCheck](https://github.com/TommyTran732/NGINX-Configs/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/TommyTran732/NGINX-Configs/actions/workflows/shellcheck.yml)
 These are my NGINX configurations. They are written for `nginx-core` with `nginx-mod-stream` on Fedora and mainline NGINX on RHEL.
 ## Getting Started
@ -12,7 +10,3 @@ These are my NGINX configurations. They are written for `nginx-core` with `nginx
 4. Generate a certificate with your hostname with the `certbot/default-quic` example. Copy `etc/nginx/conf.d/default-quic.conf` to the corresponding directory on your server and edit it approprieately.
 5. Generate certificates with the example in the certbot directory.
 6. Make your actual vhost config based on the `sites_.*` samples in `/etc/nginx/conf.d`.
 ## Notes
 This is used on my tunnel servers with multiple IP addresses. Hence, you may see addresses like `ipv4_1` and `ipv4_2`. Just replace them with your own ip addresses.
--- a/etc/nginx/conf.d/bitwarden.conorz.at.conf
+++ b/etc/nginx/conf.d/bitwarden.conorz.at.conf
@ -0,0 +1,26 @@
 server {
    listen 443 quic;
    listen 443 ssl;
    listen [::]:443 quic;
    listen [::]:443 ssl;
    server_name bitwarden.conorz.at;
    ssl_certificate /etc/letsencrypt/live/bitwarden.conorz.at/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bitwarden.conorz.at/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/bitwarden.conorz.at/chain.pem;
    include snippets/hsts.conf;
    include snippets/security.conf;
    include snippets/quic.conf;
    include snippets/proxy.conf;
    include snippets/robots.conf;
    include snippets/universal_paths.conf;
    add_header Cross-Origin-Resource-Policy "same-origin" always;
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    location / {
        proxy_pass http://127.0.0.1:8081;
    }
 }
--- a/etc/nginx/conf.d/blog.conorz.at.conf
+++ b/etc/nginx/conf.d/blog.conorz.at.conf
@ -0,0 +1,26 @@
 server {
    listen 443 quic;
    listen 443 ssl;
    listen [::]:443 quic;
    listen [::]:443 ssl;
    server_name blog.conorz.at;
    ssl_certificate /etc/letsencrypt/live/blog.conorz.at/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.conorz.at/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/blog.conorz.at/chain.pem;
    include snippets/hsts.conf;
    include snippets/security.conf;
    include snippets/quic.conf;
    include snippets/proxy.conf;
    include snippets/robots.conf;
    include snippets/universal_paths.conf;
    add_header Cross-Origin-Resource-Policy "same-origin" always;
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    location / {
        proxy_pass http://127.0.0.1:8084;
    }
 }
--- a/etc/nginx/conf.d/cloud.conorz.at.conf
+++ b/etc/nginx/conf.d/cloud.conorz.at.conf
@ -0,0 +1,26 @@
 server {
    listen 443 quic;
    listen 443 ssl;
    listen [::]:443 quic;
    listen [::]:443 ssl;
    server_name cloud.conorz.at;
    ssl_certificate /etc/letsencrypt/live/cloud.conorz.at/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.conorz.at/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/cloud.conorz.at/chain.pem;
    include snippets/hsts.conf;
    include snippets/security.conf;
    include snippets/quic.conf;
    include snippets/proxy.conf;
    include snippets/robots.conf;
    include snippets/universal_paths.conf;
    add_header Cross-Origin-Resource-Policy "same-origin" always;
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    location / {
        proxy_pass http://127.0.0.1:8085;
    }
 }
--- a/etc/nginx/conf.d/comments.conorz.at.conf
+++ b/etc/nginx/conf.d/comments.conorz.at.conf
@ -0,0 +1,26 @@
 server {
    listen 443 quic;
    listen 443 ssl;
    listen [::]:443 quic;
    listen [::]:443 ssl;
    server_name comments.conorz.at;
    ssl_certificate /etc/letsencrypt/live/comments.conorz.at/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/comments.conorz.at/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/comments.conorz.at/chain.pem;
    include snippets/hsts.conf;
    include snippets/security.conf;
    include snippets/quic.conf;
    include snippets/proxy.conf;
    include snippets/robots.conf;
    include snippets/universal_paths.conf;
    add_header Cross-Origin-Resource-Policy "same-origin" always;
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    location / {
        proxy_pass http://127.0.0.1:8086;
    }
 }
--- a/etc/nginx/conf.d/conorz.at.conf
+++ b/etc/nginx/conf.d/conorz.at.conf
@ -0,0 +1,46 @@
 server {
    listen 443 quic;
    listen 443 ssl;
    listen [::]:443 quic;
    listen [::]:443 ssl;
    server_name conorz.at;
    include snippets/hsts.conf;
    include snippets/security.conf;
    include snippets/quic.conf;
    include snippets/proxy.conf;
    include snippets/robots.conf;
    include snippets/universal_paths.conf;
    add_header Cross-Origin-Resource-Policy "same-origin" always;
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    ssl_certificate /etc/letsencrypt/live/conorz.at/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/conorz.at/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/conorz.at/cert.pem;
    error_page 404 /404.html;
    location = /404.html {
      root /website/dist;
      internal;
    }
    error_page 403 /403.html;
    location = /403.html {
      root /website/dist;
      internal;
    }
    client_max_body_size 128M;
    location / {
      root /website/dist;
      index index.html;
    }
    location ^~ /_matrix/ {
        proxy_pass http://127.0.0.1:8008;
    }
 }
--- a/etc/nginx/conf.d/default.conf
+++ b/etc/nginx/conf.d/default.conf
@ -1,6 +1,6 @@
 server {
-    listen ipv4_1:80 default_server;
+    listen 127.0.0.1:80 default_server;
-    listen [ipv6_1]:80 default_server;
+#    listen [ipv6_1]:80 default_server;
    include snippets/universal_paths.conf;
--- a/etc/nginx/conf.d/git.conorz.at.conf
+++ b/etc/nginx/conf.d/git.conorz.at.conf
@ -0,0 +1,26 @@
 server {
    listen 443 quic;
    listen 443 ssl;
    listen [::]:443 quic;
    listen [::]:443 ssl;
    server_name git.conorz.at;
    ssl_certificate /etc/letsencrypt/live/git.conorz.at/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/git.conorz.at/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/git.conorz.at/chain.pem;
    include snippets/hsts.conf;
    include snippets/security.conf;
    include snippets/quic.conf;
    include snippets/proxy.conf;
    include snippets/robots.conf;
    include snippets/universal_paths.conf;
    add_header Cross-Origin-Resource-Policy "same-origin" always;
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    location / {
        proxy_pass http://127.0.0.1:3004;
    }
 }
--- a/etc/nginx/conf.d/monitorss.conorz.at.conf
+++ b/etc/nginx/conf.d/monitorss.conorz.at.conf
@ -0,0 +1,26 @@
 server {
    listen 443 quic;
    listen 443 ssl;
    listen [::]:443 quic;
    listen [::]:443 ssl;
    server_name monitorss.conorz.at;
    ssl_certificate /etc/letsencrypt/live/monitorss.conorz.at/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/monitorss.conorz.at/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/monitorss.conorz.at/chain.pem;
    include snippets/hsts.conf;
    include snippets/security.conf;
    include snippets/quic.conf;
    include snippets/proxy.conf;
    include snippets/robots.conf;
    include snippets/universal_paths.conf;
    add_header Cross-Origin-Resource-Policy "same-origin" always;
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    location / {
        proxy_pass http://127.0.0.1:8001;
    }
 }
--- a/etc/nginx/conf.d/smart.conorz.at
+++ b/etc/nginx/conf.d/smart.conorz.at
@ -0,0 +1,26 @@
 server {
    listen 443 quic;
    listen 443 ssl;
    listen [::]:443 quic;
    listen [::]:443 ssl;
    server_name smart.conorz.at;
    ssl_certificate /etc/letsencrypt/live/smart.conorz.at/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/smart.conorz.at/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/smart.conorz.at/chain.pem;
    include snippets/hsts.conf;
    include snippets/security.conf;
    include snippets/quic.conf;
    include snippets/proxy.conf;
    include snippets/robots.conf;
    include snippets/universal_paths.conf;
    add_header Cross-Origin-Resource-Policy "same-origin" always;
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    location / {
        proxy_pass http://127.0.0.1:8123;
    }
 }
--- a/etc/nginx/conf.d/terminal
+++ b/etc/nginx/conf.d/terminal
@ -0,0 +1,164 @@
 #upstream terminal-default {
 #  zone vaultwarden-default 64k;
 #  server localhost:3002;
 #  keepalive 2;
 #}
 log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent" '
                 '"$upstream_addr" proxyhost:"$proxy_host"';
 #upstream terminal-ws {
 #  zone vaultwarden-ws 64k;
 #  server localhost:3012;
 #  keepalive 2;
 #}
 # Redirect HTTP to HTTPS
 server {
    listen 80;
    listen [::]:80;
    server_name conorz.at;
 #    location / {
 #      root /website;
 #      index index.html;
 #      try_files $uri $uri/ /index.html;
 #    }
    return 301 https://$host$request_uri;
 #      error_page 404 /404.html;
 #      location = /404.html {
 #        root /error_page;
 #        internal;
        #proxy_pass http://localhost:3002;
 #    }
 }
 server {
    listen 443 ssl http2;
   # listen [::]:443 ssl http2; 
 #    listen 8448 ssl;
 #    listen [::]:8448 ssl;
    server_name conorz.at;
 # Specify SSL Config when needed
 #    ssl_trusted_certificate /etc/nginx/ssl/conorz.at/conorz.at-ssl.pem;
 #    ssl_certificate_key /etc/nginx/ssl/conorz.at/conorz.at-privkey.pem;
 #    ssl_certificate /etc/nginx/ssl/conorz.at/conorz.at-fullchain.pem;
 #    ssl_certificate /etc/nginx/ssl/conorz.at/conorz.at-fullchain.pem;
 #    ssl_certificate_key /etc/nginx/ssl/conorz.at/conorz.at-privkey.pem;
 #    ssl_trusted_certificate /etc/nginx/ssl/conorz.at/conorz.at-fullchain.pem;
    ssl_certificate /etc/letsencrypt/live/conorz.at/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/conorz.at/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/conorz.at/cert.pem;
    error_page 404 /404.html;
    location = /404.html {
      root /website/dist;
      internal;
    }
    error_page 403 /403.html;
    location = /403.html {
      root /website/dist;
      internal;
    }
    client_max_body_size 128M;
    location / {
      root /website/dist;
      index index.html;
 #      proxy_http_version 1.1;
 #      proxy_set_header "Connection" "";
 #      proxy_set_header HOST $host;
 #      proxy_set_header X-Real-IP $remote_addr;
 #      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 #      proxy_set_header X-Forwarded-Proto $scheme;
 #      proxy_pass http://terminal-default;
   }
 #    location /matrix/nginx-proxy/data/matrix-domain/terminal/test.txt {
 #      proxy_http_version 1.1;
 #      proxy_set_header "Connection" "";
 #      proxy_set_header Host $host;
 #      proxy_set_header X-Real-IP $remote_addr;
 #      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 #      proxy_set_header X-Forwarded-Proto $scheme;
 #      proxy_pass http://terminal-default/resume.pdf;
 #    }
 #    location /gpg/index.html {
 #      proxy_http_version 1.1;
 #      proxy_set_header Upgrade $http_upgrade;
 #      proxy_set_header Connection "upgrade";
 #      proxy_set_header Host $host;
 #      proxy_set_header X-Real-IP $remote_addr;
 #      proxy_set_header Forwarded $remote_addr;
 #      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 #      proxy_set_header X-Forwarded-Proto $scheme;
 #      proxy_pass http://vaultwarden-ws/gpg;
 #    }
        location ^~ /_matrix/ {
                proxy_set_header        Host conorz.at;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;
                proxy_pass              http://127.0.0.1:8008; 
 #use correct protocol (https/http) and correct ip:port
                proxy_read_timeout      90;
        }
 }
 #    location ^~ /_matrix/ {
 #        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
 #    }
 #}
 #server {
 #    listen 8448 ssl http2;
   # listen [::]:443 ssl http2;
 #    server_name conorz.at;
 #    access_log /var/log/nginx/access-matrix-9449.log vhost;
    # Specify SSL Config when needed
 #    ssl_certificate /etc/nginx/ssl/conorz.at/matrix.conorz.at-fullchain.pem;
 #    ssl_certificate_key /etc/nginx/ssl/conorz.at/matrix.conorz.at-privkey.pem;
 #    ssl_trusted_certificate /etc/nginx/ssl/conorz.at/matrix.conorz.at-ssl.pem;
 #    ssl_certificate /etc/letsencrypt/live/conorz.at/fullchain.pem;
 #    ssl_certificate_key /etc/letsencrypt/live/conorz.at/privkey.pem;
 #    ssl_trusted_certificate /etc/letsencrypt/live/conorz.at/cert.pem;
 #    client_max_body_size 128M;
 #    location / {
 #      proxy_http_version 1.1;
 #      proxy_set_header "Connection" "";
 #      proxy_set_header HOST $host;
 #      proxy_set_header X-Real-IP $remote_addr;
 #      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 #      proxy_set_header X-Forwarded-Proto $scheme;
 #      proxy_pass http://terminal-default;
 #   }
 #        location ^~ /_matrix/ {
 #                proxy_set_header        Host conorz.at;
 #                proxy_set_header        X-Real-IP $remote_addr;
 #                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
 #                proxy_set_header        X-Forwarded-Proto $scheme;
 #                proxy_pass              http://127.0.0.1:8008;
 #                proxy_read_timeout      90;
 #        }
 #}
--- a/etc/nginx/conf.d/wl
+++ b/etc/nginx/conf.d/wl
@ -0,0 +1,91 @@
 # The `upstream` directives ensure that you have a http/1.1 connection
 # This enables the keepalive option and better performance
 #
 # Define the server IP and ports here.
 upstream dashboard-default {
  zone dashboard-default 64k;
  server 127.0.0.1:7200;
  keepalive 2;
 }
 # Redirect HTTP to HTTPS
 server {
    listen 80;
    listen [::]:80;
    server_name wl.conorz.at;
    return 301 https://$host$request_uri;
 }
 server {
    listen 443 ssl http2;
   # listen [::]:443 ssl http2;
    server_name wl.conorz.at;
    # Specify SSL Config when needed
 #    ssl_certificate /etc/nginx/ssl/conorz.at/wl.conorz.at-fullchain.pem;
 #    ssl_certificate_key /etc/nginx/ssl/conorz.at/wl.conorz.at-privkey.pem;
 #    ssl_trusted_certificate /etc/nginx/ssl/conorz.at/wl.conorz.at-fullchain.pem;
    ssl_certificate /etc/letsencrypt/live/wl.conorz.at/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wl.conorz.at/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/wl.conorz.at/cert.pem;
    client_max_body_size 128M;
    location / {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_pass http://dashboard-default;
    }
 #    location /notifications/hub/negotiate {
 #      proxy_http_version 1.1;
 #      proxy_set_header "Connection" "";
 #
 #      proxy_set_header Host $host;
 #      proxy_set_header X-Real-IP $remote_addr;
 #      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 #      proxy_set_header X-Forwarded-Proto $scheme;
 #
 #      proxy_pass http://vaultwarden-default;
 #    }
 #    location /notifications/hub {
 #      proxy_http_version 1.1;
 #      proxy_set_header Upgrade $http_upgrade;
 #      proxy_set_header Connection "upgrade";
 #     proxy_set_header Host $host;
 #      proxy_set_header X-Real-IP $remote_addr;
 #      proxy_set_header Forwarded $remote_addr;
 #      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 #      proxy_set_header X-Forwarded-Proto $scheme;
 #      proxy_pass http://vaultwarden-ws;
 #    }
    # Optionally add extra authentication besides the ADMIN_TOKEN
    # Remove the comments below `#` and create the htpasswd_file to have it active
    #
    #location /admin {
    #  # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    #  auth_basic "Private";
    #  auth_basic_user_file /path/to/htpasswd_file;
    #
    #  proxy_http_version 1.1;
    #  proxy_set_header "Connection" "";
    #
    #  proxy_set_header Host $host;
    #  proxy_set_header X-Real-IP $remote_addr;
    #  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #  proxy_set_header X-Forwarded-Proto $scheme;
    #
    #  proxy_pass http://vaultwarden-default;
    #}
 }
--- a/etc/nginx/conf.d/wl.conorz.at
+++ b/etc/nginx/conf.d/wl.conorz.at
@ -0,0 +1,26 @@
 server {
    listen 443 quic;
    listen 443 ssl;
    listen [::]:443 quic;
    listen [::]:443 ssl;
    server_name wl.conorz.at;
    ssl_certificate /etc/letsencrypt/live/wl.conorz.at/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wl.conorz.at/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/wl.conorz.at/chain.pem;
    include snippets/hsts.conf;
    include snippets/security.conf;
    include snippets/quic.conf;
    include snippets/proxy.conf;
    include snippets/robots.conf;
    include snippets/universal_paths.conf;
    add_header Cross-Origin-Resource-Policy "same-origin" always;
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    location / {
        proxy_pass http://127.0.0.1:7200;
    }
 }