first commit
Some checks failed
ShellCheck / Shell syntax checker (push) Has been cancelled

This commit is contained in:
titanz 2025-01-01 06:29:34 +01:00
parent dbdd308ffb
commit 0dc32f127e
Signed by: titanz
GPG Key ID: EABC72179C71D4F5
13 changed files with 512 additions and 9 deletions

View File

@ -1,7 +1,5 @@
# NGINX Configs
[![ShellCheck](https://github.com/TommyTran732/NGINX-Configs/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/TommyTran732/NGINX-Configs/actions/workflows/shellcheck.yml)
These are my NGINX configurations. They are written for `nginx-core` with `nginx-mod-stream` on Fedora and mainline NGINX on RHEL.
## Getting Started
@ -12,7 +10,3 @@ These are my NGINX configurations. They are written for `nginx-core` with `nginx
4. Generate a certificate with your hostname with the `certbot/default-quic` example. Copy `etc/nginx/conf.d/default-quic.conf` to the corresponding directory on your server and edit it approprieately.
5. Generate certificates with the example in the certbot directory.
6. Make your actual vhost config based on the `sites_.*` samples in `/etc/nginx/conf.d`.
## Notes
This is used on my tunnel servers with multiple IP addresses. Hence, you may see addresses like `ipv4_1` and `ipv4_2`. Just replace them with your own ip addresses.

View File

@ -0,0 +1,26 @@
server {
listen 443 quic;
listen 443 ssl;
listen [::]:443 quic;
listen [::]:443 ssl;
server_name bitwarden.conorz.at;
ssl_certificate /etc/letsencrypt/live/bitwarden.conorz.at/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/bitwarden.conorz.at/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/bitwarden.conorz.at/chain.pem;
include snippets/hsts.conf;
include snippets/security.conf;
include snippets/quic.conf;
include snippets/proxy.conf;
include snippets/robots.conf;
include snippets/universal_paths.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
location / {
proxy_pass http://127.0.0.1:8081;
}
}

View File

@ -0,0 +1,26 @@
server {
listen 443 quic;
listen 443 ssl;
listen [::]:443 quic;
listen [::]:443 ssl;
server_name blog.conorz.at;
ssl_certificate /etc/letsencrypt/live/blog.conorz.at/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/blog.conorz.at/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/blog.conorz.at/chain.pem;
include snippets/hsts.conf;
include snippets/security.conf;
include snippets/quic.conf;
include snippets/proxy.conf;
include snippets/robots.conf;
include snippets/universal_paths.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
location / {
proxy_pass http://127.0.0.1:8084;
}
}

View File

@ -0,0 +1,26 @@
server {
listen 443 quic;
listen 443 ssl;
listen [::]:443 quic;
listen [::]:443 ssl;
server_name cloud.conorz.at;
ssl_certificate /etc/letsencrypt/live/cloud.conorz.at/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cloud.conorz.at/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/cloud.conorz.at/chain.pem;
include snippets/hsts.conf;
include snippets/security.conf;
include snippets/quic.conf;
include snippets/proxy.conf;
include snippets/robots.conf;
include snippets/universal_paths.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
location / {
proxy_pass http://127.0.0.1:8085;
}
}

View File

@ -0,0 +1,26 @@
server {
listen 443 quic;
listen 443 ssl;
listen [::]:443 quic;
listen [::]:443 ssl;
server_name comments.conorz.at;
ssl_certificate /etc/letsencrypt/live/comments.conorz.at/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/comments.conorz.at/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/comments.conorz.at/chain.pem;
include snippets/hsts.conf;
include snippets/security.conf;
include snippets/quic.conf;
include snippets/proxy.conf;
include snippets/robots.conf;
include snippets/universal_paths.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
location / {
proxy_pass http://127.0.0.1:8086;
}
}

View File

@ -0,0 +1,46 @@
server {
listen 443 quic;
listen 443 ssl;
listen [::]:443 quic;
listen [::]:443 ssl;
server_name conorz.at;
include snippets/hsts.conf;
include snippets/security.conf;
include snippets/quic.conf;
include snippets/proxy.conf;
include snippets/robots.conf;
include snippets/universal_paths.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
ssl_certificate /etc/letsencrypt/live/conorz.at/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/conorz.at/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/conorz.at/cert.pem;
error_page 404 /404.html;
location = /404.html {
root /website/dist;
internal;
}
error_page 403 /403.html;
location = /403.html {
root /website/dist;
internal;
}
client_max_body_size 128M;
location / {
root /website/dist;
index index.html;
}
location ^~ /_matrix/ {
proxy_pass http://127.0.0.1:8008;
}
}

View File

@ -1,10 +1,10 @@
server {
listen ipv4_1:80 default_server;
listen [ipv6_1]:80 default_server;
listen 127.0.0.1:80 default_server;
# listen [ipv6_1]:80 default_server;
include snippets/universal_paths.conf;
location / {
return 308 https://$host$request_uri;
}
}
}

View File

@ -0,0 +1,26 @@
server {
listen 443 quic;
listen 443 ssl;
listen [::]:443 quic;
listen [::]:443 ssl;
server_name git.conorz.at;
ssl_certificate /etc/letsencrypt/live/git.conorz.at/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/git.conorz.at/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/git.conorz.at/chain.pem;
include snippets/hsts.conf;
include snippets/security.conf;
include snippets/quic.conf;
include snippets/proxy.conf;
include snippets/robots.conf;
include snippets/universal_paths.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
location / {
proxy_pass http://127.0.0.1:3004;
}
}

View File

@ -0,0 +1,26 @@
server {
listen 443 quic;
listen 443 ssl;
listen [::]:443 quic;
listen [::]:443 ssl;
server_name monitorss.conorz.at;
ssl_certificate /etc/letsencrypt/live/monitorss.conorz.at/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/monitorss.conorz.at/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/monitorss.conorz.at/chain.pem;
include snippets/hsts.conf;
include snippets/security.conf;
include snippets/quic.conf;
include snippets/proxy.conf;
include snippets/robots.conf;
include snippets/universal_paths.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
location / {
proxy_pass http://127.0.0.1:8001;
}
}

View File

@ -0,0 +1,26 @@
server {
listen 443 quic;
listen 443 ssl;
listen [::]:443 quic;
listen [::]:443 ssl;
server_name smart.conorz.at;
ssl_certificate /etc/letsencrypt/live/smart.conorz.at/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/smart.conorz.at/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/smart.conorz.at/chain.pem;
include snippets/hsts.conf;
include snippets/security.conf;
include snippets/quic.conf;
include snippets/proxy.conf;
include snippets/robots.conf;
include snippets/universal_paths.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
location / {
proxy_pass http://127.0.0.1:8123;
}
}

164
etc/nginx/conf.d/terminal Normal file
View File

@ -0,0 +1,164 @@
#upstream terminal-default {
# zone vaultwarden-default 64k;
# server localhost:3002;
# keepalive 2;
#}
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$upstream_addr" proxyhost:"$proxy_host"';
#upstream terminal-ws {
# zone vaultwarden-ws 64k;
# server localhost:3012;
# keepalive 2;
#}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name conorz.at;
# location / {
# root /website;
# index index.html;
# try_files $uri $uri/ /index.html;
# }
return 301 https://$host$request_uri;
# error_page 404 /404.html;
# location = /404.html {
# root /error_page;
# internal;
#proxy_pass http://localhost:3002;
# }
}
server {
listen 443 ssl http2;
# listen [::]:443 ssl http2;
# listen 8448 ssl;
# listen [::]:8448 ssl;
server_name conorz.at;
# Specify SSL Config when needed
# ssl_trusted_certificate /etc/nginx/ssl/conorz.at/conorz.at-ssl.pem;
# ssl_certificate_key /etc/nginx/ssl/conorz.at/conorz.at-privkey.pem;
# ssl_certificate /etc/nginx/ssl/conorz.at/conorz.at-fullchain.pem;
# ssl_certificate /etc/nginx/ssl/conorz.at/conorz.at-fullchain.pem;
# ssl_certificate_key /etc/nginx/ssl/conorz.at/conorz.at-privkey.pem;
# ssl_trusted_certificate /etc/nginx/ssl/conorz.at/conorz.at-fullchain.pem;
ssl_certificate /etc/letsencrypt/live/conorz.at/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/conorz.at/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/conorz.at/cert.pem;
error_page 404 /404.html;
location = /404.html {
root /website/dist;
internal;
}
error_page 403 /403.html;
location = /403.html {
root /website/dist;
internal;
}
client_max_body_size 128M;
location / {
root /website/dist;
index index.html;
# proxy_http_version 1.1;
# proxy_set_header "Connection" "";
# proxy_set_header HOST $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_pass http://terminal-default;
}
# location /matrix/nginx-proxy/data/matrix-domain/terminal/test.txt {
# proxy_http_version 1.1;
# proxy_set_header "Connection" "";
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_pass http://terminal-default/resume.pdf;
# }
# location /gpg/index.html {
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header Forwarded $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_pass http://vaultwarden-ws/gpg;
# }
location ^~ /_matrix/ {
proxy_set_header Host conorz.at;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8008;
#use correct protocol (https/http) and correct ip:port
proxy_read_timeout 90;
}
}
# location ^~ /_matrix/ {
# proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
# }
#}
#server {
# listen 8448 ssl http2;
# listen [::]:443 ssl http2;
# server_name conorz.at;
# access_log /var/log/nginx/access-matrix-9449.log vhost;
# Specify SSL Config when needed
# ssl_certificate /etc/nginx/ssl/conorz.at/matrix.conorz.at-fullchain.pem;
# ssl_certificate_key /etc/nginx/ssl/conorz.at/matrix.conorz.at-privkey.pem;
# ssl_trusted_certificate /etc/nginx/ssl/conorz.at/matrix.conorz.at-ssl.pem;
# ssl_certificate /etc/letsencrypt/live/conorz.at/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/conorz.at/privkey.pem;
# ssl_trusted_certificate /etc/letsencrypt/live/conorz.at/cert.pem;
# client_max_body_size 128M;
# location / {
# proxy_http_version 1.1;
# proxy_set_header "Connection" "";
# proxy_set_header HOST $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_pass http://terminal-default;
# }
# location ^~ /_matrix/ {
# proxy_set_header Host conorz.at;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_pass http://127.0.0.1:8008;
# proxy_read_timeout 90;
# }
#}

91
etc/nginx/conf.d/wl Normal file
View File

@ -0,0 +1,91 @@
# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here.
upstream dashboard-default {
zone dashboard-default 64k;
server 127.0.0.1:7200;
keepalive 2;
}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name wl.conorz.at;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
# listen [::]:443 ssl http2;
server_name wl.conorz.at;
# Specify SSL Config when needed
# ssl_certificate /etc/nginx/ssl/conorz.at/wl.conorz.at-fullchain.pem;
# ssl_certificate_key /etc/nginx/ssl/conorz.at/wl.conorz.at-privkey.pem;
# ssl_trusted_certificate /etc/nginx/ssl/conorz.at/wl.conorz.at-fullchain.pem;
ssl_certificate /etc/letsencrypt/live/wl.conorz.at/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wl.conorz.at/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/wl.conorz.at/cert.pem;
client_max_body_size 128M;
location / {
proxy_http_version 1.1;
proxy_set_header "Connection" "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://dashboard-default;
}
# location /notifications/hub/negotiate {
# proxy_http_version 1.1;
# proxy_set_header "Connection" "";
#
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
#
# proxy_pass http://vaultwarden-default;
# }
# location /notifications/hub {
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header Forwarded $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_pass http://vaultwarden-ws;
# }
# Optionally add extra authentication besides the ADMIN_TOKEN
# Remove the comments below `#` and create the htpasswd_file to have it active
#
#location /admin {
# # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
# auth_basic "Private";
# auth_basic_user_file /path/to/htpasswd_file;
#
# proxy_http_version 1.1;
# proxy_set_header "Connection" "";
#
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
#
# proxy_pass http://vaultwarden-default;
#}
}

View File

@ -0,0 +1,26 @@
server {
listen 443 quic;
listen 443 ssl;
listen [::]:443 quic;
listen [::]:443 ssl;
server_name wl.conorz.at;
ssl_certificate /etc/letsencrypt/live/wl.conorz.at/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wl.conorz.at/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/wl.conorz.at/chain.pem;
include snippets/hsts.conf;
include snippets/security.conf;
include snippets/quic.conf;
include snippets/proxy.conf;
include snippets/robots.conf;
include snippets/universal_paths.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
location / {
proxy_pass http://127.0.0.1:7200;
}
}