Put reuseport into the default site config

This commit is contained in:
Tommy 2024-06-29 14:56:28 -07:00 committed by GitHub
parent dcd36c9051
commit 616669f832
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 36 additions and 3 deletions


@ -9,7 +9,7 @@ These are my NGINX configurations. They are written for Fedora CoreOS's `nginx-c
1. Install `nginx-core`, `nginx-mod-stream`, and `policycoreutils-python-utils` on Fedora. Makesure `rsync` is available on the OS. 1. Install `nginx-core`, `nginx-mod-stream`, and `policycoreutils-python-utils` on Fedora. Makesure `rsync` is available on the OS.
2. Comment out the default server block in `/etc/nginx/nginx.conf`. 2. Comment out the default server block in `/etc/nginx/nginx.conf`.
3. Run `setup.sh` 3. Run `setup.sh`
4. Make a dummy vhost listening on port `80` with the server_name you want. 4. Generate a certificate with your hostname with the `certbot/default-quic` example. Copy `etc/nginx/conf.d/sites_default_quic.conf` to the corresponding directory on your server and edit it approprieately.
5. Generate certificates with the example in the certbot directory. 5. Generate certificates with the example in the certbot directory.
6. Make your actual vhost config based on the `sites_.*` samples in `/etc/nginx/conf.d`. 6. Make your actual vhost config based on the `sites_.*` samples in `/etc/nginx/conf.d`.

7
certbot/default-quic Normal file

@ -0,0 +1,7 @@
certbot certonly --webroot --webroot-path /srv/nginx --no-eff-email \
--key-type ecdsa --must-staple \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name hostname.of.your.server \
-d hostname.of.your.server
restorecon -Rv /var/cache/certbot-ocsp-fetcher

7
certbot/miniflux Normal file

@ -0,0 +1,7 @@
certbot certonly --webroot --webroot-path /srv/nginx --no-eff-email \
--key-type ecdsa --must-staple \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name miniflux.yourdomain.tld \
-d miniflux.yourdomain.tld
restorecon -Rv /var/cache/certbot-ocsp-fetcher


@ -3,3 +3,5 @@ certbot certonly --webroot --webroot-path /srv/nginx --no-eff-email \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \ --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name uptime.yourdomain.tld \ --cert-name uptime.yourdomain.tld \
-d uptime.yourdomain.tld -d uptime.yourdomain.tld
restorecon -Rv /var/cache/certbot-ocsp-fetcher


@ -0,0 +1,17 @@
server {
listen ipv4_1:443 quic reuseport;
listen ipv4_1:443 ssl;
listen [ipv6_1]:443 quic reuseport;
listen [ipv6_1]:443 ssl;
server_name hostname.of.your.server;
include snippets/universal_paths.conf;
include snippets/hsts.conf;
include snippets/quic.conf;
ssl_certificate /etc/letsencrypt/live/hostname.of.your.server/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hostname.of.your.server/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/hostname.of.your.server/chain.pem;
ssl_stapling_file /var/cache/certbot-ocsp-fetcher/hostname.of.your.server.der;
}
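Review bot: None of the four `listen` directives in this new server block carries `default_server`, so whether it really is the default for `:443` depends on how this file sorts against the other `sites_*.conf` files in the `conf.d` include; the server that answers requests with an unknown or absent SNI/Host (and therefore which certificate and content are exposed to unsolicited connections) should not hinge on filename order. Pinning it explicitly, `listen ipv4_1:443 ssl default_server;` and `listen [ipv6_1]:443 ssl default_server;`, makes the block do what the commit title says. `ssl_stapling_file` only takes effect if `ssl_stapling on;` is set somewhere, presumably in one of the included snippets; worth confirming, since the matching certbot command requests `--must-staple` and strict clients will refuse a connection without a staple. The page does not show this section's filename (the README hunk points at `etc/nginx/conf.d/sites_default_quic.conf`), and three of the hunk's 17 added lines are not visible here.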


@ -1,9 +1,9 @@
# This file assumes you have an uptime kuma instance running on the server # This file assumes you have an uptime kuma instance running on the server
server { server {
listen ipv4_1:443 quic reuseport; listen ipv4_1:443 quic;
listen ipv4_1:443 ssl; listen ipv4_1:443 ssl;
listen [ipv6_1]:443 quic reuseport; listen [ipv6_1]:443 quic;
listen [ipv6_1]:443 ssl; listen [ipv6_1]:443 ssl;
server_name uptime.yourdomain.tld; server_name uptime.yourdomain.tld;