From b3fe570a480c7def6ee00f6fee56f0aa23b4867f Mon Sep 17 00:00:00 2001 
From: Boris Tsirenshchikov Date: Sat, 22 Apr 2023 01:48:50 +0500 Subject: [PATCH] First commit --- fastcgi.conf | 26 +++++++ nginx.conf | 81 +++++++++++++++++++++ nginxconfig.io/general.conf | 31 ++++++++ nginxconfig.io/letsencrypt.conf | 4 + nginxconfig.io/security.conf | 12 +++ sites-available/drive.eax.app.conf | 64 ++++++++++++++++ sites-available/eax.app.conf | 48 ++++++++++++ sites-available/esphome.local.eax.app.conf | 64 ++++++++++++++++ sites-available/git.eax.app.conf | 42 +++++++++++ sites-available/grafana.local.eax.app.conf | 61 ++++++++++++++++ sites-available/ha1.eax.app.conf | 63 ++++++++++++++++ sites-available/radarr.conf | 68 +++++++++++++++++ sites-available/sonarr.conf | 65 +++++++++++++++++ sites-available/swagger.eax.app.conf | 56 ++++++++++++++ sites-available/torrent.local.eax.app.conf | 65 +++++++++++++++++ sites-available/woodpecker.git.eax.app.conf | 42 +++++++++++ sites-enabled/drive.eax.app.conf | 1 + sites-enabled/eax.app.conf | 1 + sites-enabled/esphome.local.eax.app.conf | 1 + sites-enabled/git.eax.app.conf | 1 + sites-enabled/grafana.local.eax.app.conf | 1 + sites-enabled/ha1.eax.app.conf | 1 + sites-enabled/radarr.conf | 1 + sites-enabled/sonarr.conf | 1 + sites-enabled/swagger.eax.app.conf | 1 + sites-enabled/torrent.local.eax.app.conf | 1 + sites-enabled/woodpecker.git.eax.app.conf | 1 + 27 files changed, 803 insertions(+) create mode 100644 fastcgi.conf create mode 100755 nginx.conf create mode 100755 nginxconfig.io/general.conf create mode 100755 nginxconfig.io/letsencrypt.conf create mode 100755 nginxconfig.io/security.conf create mode 100755 sites-available/drive.eax.app.conf create mode 100755 sites-available/eax.app.conf create mode 100755 sites-available/esphome.local.eax.app.conf create mode 100644 sites-available/git.eax.app.conf create mode 100755 sites-available/grafana.local.eax.app.conf create mode 100755 sites-available/ha1.eax.app.conf create mode 100644 sites-available/radarr.conf create mode 100644 
sites-available/sonarr.conf create mode 100755 sites-available/swagger.eax.app.conf create mode 100755 sites-available/torrent.local.eax.app.conf create mode 100644 sites-available/woodpecker.git.eax.app.conf create mode 120000 sites-enabled/drive.eax.app.conf create mode 120000 sites-enabled/eax.app.conf create mode 120000 sites-enabled/esphome.local.eax.app.conf create mode 120000 sites-enabled/git.eax.app.conf create mode 120000 sites-enabled/grafana.local.eax.app.conf create mode 120000 sites-enabled/ha1.eax.app.conf create mode 120000 sites-enabled/radarr.conf create mode 120000 sites-enabled/sonarr.conf create mode 120000 sites-enabled/swagger.eax.app.conf create mode 120000 sites-enabled/torrent.local.eax.app.conf create mode 120000 sites-enabled/woodpecker.git.eax.app.conf
diff --git a/fastcgi.conf b/fastcgi.conf
new file mode 100644
index 0000000..091738c
--- /dev/null
+++ b/fastcgi.conf
@@ -0,0 +1,26 @@
+
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/nginx.conf b/nginx.conf
new file mode 100755
index 0000000..84a1314
--- /dev/null
+++ b/nginx.conf 
@@ -0,0 +1,81 @@
+# Generated by nginxconfig.io
+# https://www.digitalocean.com/community/tools/nginx?domains.0.server.domain=eax.app&domains.0.server.documentRoot=%2Fsrv%2Fhtml%2Feax%2Fapp&domains.0.php.php=false&domains.0.routing.index=index.html&domains.0.routing.fallbackHtml=true&domains.0.logging.accessLog=true&domains.0.logging.errorLog=true&domains.0.restrict.postMethod=true&domains.0.restrict.putMethod=true&domains.0.restrict.patchMethod=true&domains.0.restrict.deleteMethod=true&global.https.ocspCloudflare=false&global.https.ocspOpenDns=false&global.https.letsEncryptRoot=%2Fsrv%2Fhttp%2Fletsencrypt%2Feax.app&global.https.letsEncryptCertRoot=%2Fetc%2Fnginx%2Fssl%2Fle&global.nginx.user=http&global.nginx.pid=&global.app.lang=ru
+
+user http;
+worker_processes auto;
+worker_rlimit_nofile 65535;
+
+# Load modules
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ multi_accept on;
+ worker_connections 65535;
+}
+
+http {
+ charset utf-8;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ server_tokens off;
+ log_not_found off;
+ types_hash_max_size 2048;
+ types_hash_bucket_size 64;
+ client_max_body_size 16M;
+
+ # MIME
+ include mime.types;
+ default_type application/octet-stream;
+
+ # Logging
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log warn;
+
+ # SSL
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+
+ # Diffie-Hellman parameter for DHE ciphersuites
+ ssl_dhparam /etc/nginx/dhparam.pem;
+
+ # Mozilla Intermediate configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ # OCSP Stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 8.8.8.8 8.8.4.4 valid=60s;
+ resolver_timeout 2s;
+
+ set_real_ip_from 103.21.244.0/22;
+ set_real_ip_from 103.22.200.0/22;
+ set_real_ip_from 103.31.4.0/22;
+ set_real_ip_from 104.16.0.0/13;
+ set_real_ip_from 104.24.0.0/14;
+ set_real_ip_from 108.162.192.0/18;
+ set_real_ip_from 131.0.72.0/22;
+ set_real_ip_from 141.101.64.0/18;
+ set_real_ip_from 162.158.0.0/15;
+ set_real_ip_from 172.64.0.0/13;
+ set_real_ip_from 173.245.48.0/20;
+ set_real_ip_from 188.114.96.0/20;
+ set_real_ip_from 190.93.240.0/20;
+ set_real_ip_from 197.234.240.0/22;
+ set_real_ip_from 198.41.128.0/17;
+ set_real_ip_from 2400:cb00::/32;
+ set_real_ip_from 2606:4700::/32;
+ set_real_ip_from 2803:f800::/32;
+ set_real_ip_from 2405:b500::/32;
+ set_real_ip_from 2405:8100::/32;
+ set_real_ip_from 2c0f:f248::/32;
+ set_real_ip_from 2a06:98c0::/29;
+
+ real_ip_header CF-Connecting-IP;
+
+ # Load configs
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
diff --git a/nginxconfig.io/general.conf b/nginxconfig.io/general.conf
new file mode 100755
index 0000000..8c2c391
--- /dev/null
+++ b/nginxconfig.io/general.conf
@@ -0,0 +1,31 @@
+# favicon.ico
+location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+}
+
+# robots.txt
+location = /robots.txt {
+ log_not_found off;
+ access_log off;
+}
+
+# assets, media
+location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
+ expires 7d;
+ access_log off;
+}
+
+# svg, fonts
+location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
+ add_header Access-Control-Allow-Origin "*";
+ expires 7d;
+ access_log off;
+}
+
+# gzip
+gzip on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
\ No newline at end of file
diff --git a/nginxconfig.io/letsencrypt.conf b/nginxconfig.io/letsencrypt.conf
new file mode 100755
index 0000000..9922038
--- /dev/null
+++ b/nginxconfig.io/letsencrypt.conf
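Review bot: The `set_real_ip_from` block in `http {}` is a hard-coded snapshot of proxy ranges with nothing recording where it came from or when it was copied, so the set of addresses trusted to supply `CF-Connecting-IP` will drift from the provider's published list. Access logs, and any later address-based `allow`/`deny` or rate limiting, are only as accurate as this list. I would move the block into its own include file and head it with a comment such as `# Cloudflare proxy ranges, copied <DATE> from the provider's published list; regenerate when it changes`.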
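Review bot: The `add_header Access-Control-Allow-Origin "*";` inside the `svg, fonts` location replaces, rather than extends, the headers set at server level, because nginx inherits `add_header` only when the current level defines none of its own. In the vhosts that include both `security.conf` and this file (eax.app, ha1 and swagger in this patch), SVG and font responses would go out without HSTS, `nosniff` and the CSP. Either add `include nginxconfig.io/security.conf;` inside that location, or drop the wildcard CORS header if no cross-origin consumer needs these assets.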
@@ -0,0 +1,4 @@
+# ACME-challenge
+location ^~ /.well-known/acme-challenge/ {
+ root /srv/http/letsencrypt/eax.app;
+}
\ No newline at end of file
diff --git a/nginxconfig.io/security.conf b/nginxconfig.io/security.conf
new file mode 100755
index 0000000..12f6391
--- /dev/null
+++ b/nginxconfig.io/security.conf
@@ -0,0 +1,12 @@
+# security headers
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "no-referrer-when-downgrade" always;
+add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
+add_header Permissions-Policy "interest-cohort=()" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+# . files
+location ~ /\.(?!well-known) {
+ deny all;
+}
\ No newline at end of file
diff --git a/sites-available/drive.eax.app.conf b/sites-available/drive.eax.app.conf
new file mode 100755
index 0000000..ed2bb06
--- /dev/null
+++ b/sites-available/drive.eax.app.conf
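Review bot: The `Content-Security-Policy` value permits `http:`, `https:`, `data:`, `blob:` and `'unsafe-inline'` under `default-src`, so scripts may load from any origin and run inline; only `frame-ancestors 'self'` actually restricts anything. Because this file is shared by every proxied application, a tighter policy probably has to be set per vhost, but the header should not be read as an XSS mitigation in its current form. At minimum add a comment above it, e.g. `# generator default: limits framing only, does not restrict script sources`. `X-XSS-Protection` is deprecated and, as far as I know, no longer acted on by current mainstream browsers, so it can be dropped.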
@@ -0,0 +1,64 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name drive.eax.app;
+ server_tokens off;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/eax.app/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/eax.app/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/eax.app/chain.pem;
+
+ # security
+ include nginxconfig.io/security.conf;
+
+ # restrict methods
+ if ($request_method !~ ^(GET|POST|PUT|HEAD|CONNECT|OPTIONS|TRACE|DELETE)$) {
+ return '405';
+ }
+
+ # logging
+ access_log /var/log/nginx/drive.eax.app.access.log;
+ error_log /var/log/nginx/drive.eax.app.error.log warn;
+
+ # index.html fallback
+ location / {
+ proxy_pass http://127.0.0.1:8888;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ proxy_read_timeout 1200s;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+
+ location /seafhttp/ {
+ proxy_pass http://127.0.0.1:8888/seafhttp/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ proxy_read_timeout 1200s;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+
+ # additional config
+ #include nginxconfig.io/general.conf;
+}
+
+# HTTP redirect
+server {
+ listen 80;
+ listen [::]:80;
+ server_name drive.eax.app;
+ include nginxconfig.io/letsencrypt.conf;
+
+ location / {
+ return 301 https://drive.eax.app$request_uri;
+ }
+}
diff --git a/sites-available/eax.app.conf b/sites-available/eax.app.conf
new file mode 100755
index 0000000..a57298b
--- /dev/null
+++ b/sites-available/eax.app.conf
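Review bot: The allow-list under `# restrict methods` still admits `TRACE` and `CONNECT`, which none of the proxied applications should need; the same pattern is repeated in the eax.app, esphome, grafana, ha1, radarr, sonarr, swagger and torrent vhosts. nginx normally refuses both methods itself, so the practical effect is small, but the list reads as if they were deliberately permitted. I would trim it to what the backend uses, here `if ($request_method !~ ^(GET|POST|PUT|HEAD|OPTIONS|DELETE)$) {`. Separately, the `# index.html fallback` comment above `location /` describes a static fallback, while the block is a reverse proxy to `127.0.0.1:8888`.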
@@ -0,0 +1,48 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name eax.app;
+ root /srv/http/eax.app;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/eax.app/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/eax.app/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/eax.app/chain.pem;
+
+ # security
+ include nginxconfig.io/security.conf;
+
+ # restrict methods
+ if ($request_method !~ ^(GET|HEAD|CONNECT|OPTIONS|TRACE)$) {
+ return '405';
+ }
+
+ # logging
+ access_log /var/log/nginx/eax.app.access.log;
+ error_log /var/log/nginx/eax.app.error.log warn;
+
+ # index.html fallback
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+
+ # index.php fallback
+ location ~ ^/api/ {
+ try_files $uri $uri/ /index.php?$query_string;
+ }
+
+ # additional config
+ include nginxconfig.io/general.conf;
+}
+
+# HTTP redirect
+server {
+ listen 80;
+ listen [::]:80;
+ server_name eax.app;
+ include nginxconfig.io/letsencrypt.conf;
+
+ location / {
+ return 301 https://eax.app$request_uri;
+ }
+}
diff --git a/sites-available/esphome.local.eax.app.conf b/sites-available/esphome.local.eax.app.conf
new file mode 100755
index 0000000..3853f29
--- /dev/null
+++ b/sites-available/esphome.local.eax.app.conf
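Review bot: `location ~ ^/api/` falls back to `/index.php?$query_string`, but this server block has no PHP handler: there is no `fastcgi_pass`, and the generator URL recorded in nginx.conf says `php=false`. After the internal redirect, `/index.php` would be matched by `location /`, and if such a file exists under `/srv/http/eax.app` it would be returned as a plain file with its source readable. If this host has no PHP API, replace the fallback with `return 404;` or a proxy to the real API; otherwise add the PHP location that the committed `fastcgi.conf` is meant for.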
@@ -0,0 +1,64 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream esphome_backend {
+ server unix:/srv/homeassistant/run/esphome_dashboard.sock;
+ keepalive 32;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name esphome.local.eax.app;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/local.eax.app/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/local.eax.app/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/local.eax.app/chain.pem;
+
+ # security
+ include nginxconfig.io/security.conf;
+
+ # restrict methods
+ if ($request_method !~ ^(GET|POST|HEAD|CONNECT|OPTIONS|TRACE)$) {
+ return '405';
+ }
+
+ # logging
+ access_log /var/log/nginx/esphome.local.eax.app.access.log;
+ error_log /var/log/nginx/esphome.local.eax.app.error.log warn;
+ location / {
+ proxy_pass http://esphome_backend/;
+ proxy_set_header Host $host;
+ proxy_redirect http:// https://;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+
+ location /ace {
+ proxy_pass http://esphome_backend/ace;
+ proxy_set_header Host $host;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+ # additional config
+ #include nginxconfig.io/general.conf;
+}
+
+# HTTP redirect
+server {
+ listen 80;
+ listen [::]:80;
+ server_name esphome.local.eax.app;
+ include nginxconfig.io/letsencrypt.conf;
+
+ location / {
+ return 301 https://esphome.local.eax.app$request_uri;
+ }
+}
diff --git a/sites-available/git.eax.app.conf b/sites-available/git.eax.app.conf
new file mode 100644
index 0000000..334001a
--- /dev/null
+++ b/sites-available/git.eax.app.conf
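Review bot: Nothing in this vhost limits who can reach the dashboard: the server listens on every address on 443 and `location /` proxies straight to the `esphome_backend` socket with no `allow`/`deny` or `auth_basic`. The `local` in the hostname is only a DNS label; the grafana, radarr, sonarr and torrent vhosts later in the patch are exposed the same way. If these are meant for the LAN only, add a source restriction to each server block, e.g. `allow <LAN_CIDR>; deny all;` (placeholder range), or bind `listen` to the internal address.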
@@ -0,0 +1,42 @@
+upstream gitea {
+ server 127.0.0.1:3001 fail_timeout=0;
+}
+
+server {
+ #listen 80; # IPv4 HTTP
+ listen 443 ssl http2; # uncomment to enable IPv4 HTTPS + HTTP/2
+ #listen [::]:80; # uncomment to enable IPv6 HTTP
+ #listen [::]:443 ssl http2; # uncomment to enable IPv6 HTTPS + HTTP/2
+ server_name git.eax.app;
+
+ access_log /var/log/gitea/nginx_access.log;
+ error_log /var/log/gitea/nginx_error.log;
+
+ #ssl_certificate ssl/example.com.crt;
+ #ssl_certificate_key ssl/example.com.key;
+
+ ssl_certificate /etc/letsencrypt/live/git.eax.app/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/git.eax.app/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/git.eax.app/chain.pem;
+
+ location / {
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://gitea;
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ chunked_transfer_encoding off;
+ }
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name git.eax.app;
+ include nginxconfig.io/letsencrypt.conf;
+
+ location / {
+ return 301 https://git.eax.app$request_uri;
+ }
+}
diff --git a/sites-available/grafana.local.eax.app.conf b/sites-available/grafana.local.eax.app.conf
new file mode 100755
index 0000000..186b4ab
--- /dev/null
+++ b/sites-available/grafana.local.eax.app.conf
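Review bot: The IPv6 TLS listener is commented out (`#listen [::]:443 ssl http2;`) while the port-80 block below listens on `[::]:80` and redirects to `https://git.eax.app`. An IPv6 client that follows the redirect lands on whichever server is the default for `[::]:443`, which is a different vhost and probably presents a certificate that does not cover this name; woodpecker.git.eax.app.conf has the same layout. Uncomment the IPv6 listener in both files. These two vhosts also never include `nginxconfig.io/security.conf`, so they send no HSTS or `nosniff` header.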
@@ -0,0 +1,61 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream grafana_backend {
+ server unix:/run/grafana/grafana.sock;
+ keepalive 32;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name grafana.local.eax.app;
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/local.eax.app/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/local.eax.app/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/local.eax.app/chain.pem;
+
+ # security
+ # include nginxconfig.io/security.conf;
+
+ # restrict methods
+ if ($request_method !~ ^(GET|POST|PUT|HEAD|CONNECT|OPTIONS|TRACE|DELETE)$) {
+ return '405';
+ }
+
+ # logging
+ access_log /var/log/nginx/grafana.local.eax.app.access.log;
+ error_log /var/log/nginx/grafana.local.eax.app.error.log warn;
+ location / {
+ proxy_pass http://grafana_backend/;
+ proxy_set_header Host $http_host;
+ }
+
+ location /api/live {
+ rewrite ^/(.*) /$1 break;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $http_host;
+ proxy_pass http://grafana_backend/;
+ }
+ # additional config
+ #include nginxconfig.io/general.conf;
+}
+
+# HTTP redirect
+server {
+ listen 80;
+ listen [::]:80;
+ server_name grafana.local.eax.app;
+ include nginxconfig.io/letsencrypt.conf;
+
+ location / {
+ return 301 https://grafana.local.eax.app$request_uri;
+ }
+}
diff --git a/sites-available/ha1.eax.app.conf b/sites-available/ha1.eax.app.conf
new file mode 100755
index 0000000..69bc06f
--- /dev/null
+++ b/sites-available/ha1.eax.app.conf
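Review bot: The `# include nginxconfig.io/security.conf;` line under `# security` is commented out, so this vhost is served without the HSTS, `nosniff` and framing headers the other `security.conf` users get, and nothing says why. If the shared CSP was what broke the application (an assumption; the patch does not say), keep the other headers by setting them directly in the server block: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` and `add_header X-Content-Type-Options "nosniff" always;`. Either way, replace the bare commented-out include with a comment that states the reason.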
@@ -0,0 +1,63 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name ha1.eax.app;
+ root /srv/homeassistant/lib/python3.10/site-packages/hass_frontend/;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/eax.app/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/eax.app/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/eax.app/chain.pem;
+
+ # security
+ include nginxconfig.io/security.conf;
+
+ # restrict methods
+ if ($request_method !~ ^(GET|POST|HEAD|CONNECT|OPTIONS|TRACE|DELETE)$) {
+ return '405';
+ }
+
+ # logging
+ access_log /var/log/nginx/ha1.eax.app.access.log;
+ error_log /var/log/nginx/ha1.eax.app.error.log warn;
+
+ # index.html fallback
+ location / {
+ proxy_pass http://127.0.0.1:8123/;
+ proxy_set_header Host $host;
+ proxy_redirect http:// https://;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+
+ location /api/websocket {
+ proxy_pass http://127.0.0.1:8123/api/websocket;
+ proxy_set_header Host $host;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+
+ # additional config
+ include nginxconfig.io/general.conf;
+}
+
+# HTTP redirect
+server {
+ listen 80;
+ listen [::]:80;
+ server_name ha1.eax.app;
+ include nginxconfig.io/letsencrypt.conf;
+
+ location / {
+ return 301 https://ha1.eax.app$request_uri;
+ }
+}
diff --git a/sites-available/radarr.conf b/sites-available/radarr.conf
new file mode 100644
index 0000000..a436ca2
--- /dev/null
+++ b/sites-available/radarr.conf
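Review bot: Including `nginxconfig.io/general.conf` in a server whose `location /` is a reverse proxy means the regex locations for `.js`, `.css`, images and fonts take precedence over the proxy and are answered from `root` on disk. Any backend path that ends in one of those extensions but does not exist under `hass_frontend/` would get a 404 from nginx instead of reaching `127.0.0.1:8123`, and the `root` path pins `python3.10`, so it goes stale on the next interpreter upgrade. If serving the frontend from disk is deliberate, add a comment saying so above `root`; otherwise drop `root` and comment out the `general.conf` include, as drive.eax.app.conf does.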
@@ -0,0 +1,68 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream radarr_backend {
+ server 127.0.0.1:7878;
+ keepalive 32;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name radarr.local.eax.app;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/local.eax.app/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/local.eax.app/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/local.eax.app/chain.pem;
+
+ # security
+ include nginxconfig.io/security.conf;
+
+ # restrict methods
+ if ($request_method !~ ^(GET|POST|PUT|DELETE|HEAD|CONNECT|OPTIONS|TRACE)$) {
+ return '405';
+ }
+
+ # logging
+ access_log /var/log/nginx/radarr.local.eax.app.access.log;
+ error_log /var/log/nginx/radarr.local.eax.app.error.log warn;
+
+ # index.html fallback
+ location / {
+ #auth_basic off;
+ proxy_pass http://radarr_backend;
+ proxy_set_header Host 127.0.0.1:7878;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_cookie_path / "/; Secure";
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+ #proxy_set_header Host $host;
+ #proxy_set_header X-Real-IP $remote_addr;
+ #proxy_set_header X-Forwarded-Proto $scheme;
+ #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ #proxy_set_header X-Forwarded-Host $server_name:$server_port;
+ #proxy_hide_header Referer;
+ #proxy_hide_header Origin;
+ #proxy_set_header Referer '';
+ #proxy_set_header Origin '';
+ }
+ # additional config
+ #include nginxconfig.io/general.conf;
+}
+
+# HTTP redirect
+server {
+ listen 80;
+ listen [::]:80;
+ server_name radarr.local.eax.app;
+ include nginxconfig.io/letsencrypt.conf;
+
+ location / {
+ return 301 https://radarr.local.eax.app$request_uri;
+ }
+}
diff --git a/sites-available/sonarr.conf b/sites-available/sonarr.conf
new file mode 100644
index 0000000..9e42d8b
--- /dev/null
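Review bot: `proxy_set_header Connection $http_connection;` in `location /` hands the client's own `Connection` header to the backend, while the `$connection_upgrade` map declared at the top of the file is never used. `Connection` is a hop-by-hop header that the proxy should set itself; the esphome, grafana and ha1 vhosts in this patch already use the mapped value. Change the line to `proxy_set_header Connection $connection_upgrade;`.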
+++ b/sites-available/sonarr.conf
@@ -0,0 +1,65 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream sonarr_backend {
+ server 127.0.0.1:8989;
+ keepalive 32;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name sonarr.local.eax.app;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/local.eax.app/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/local.eax.app/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/local.eax.app/chain.pem;
+
+ # security
+ include nginxconfig.io/security.conf;
+
+ # restrict methods
+ if ($request_method !~ ^(GET|POST|PUT|DELETE|HEAD|CONNECT|OPTIONS|TRACE)$) {
+ return '405';
+ }
+
+ # logging
+ access_log /var/log/nginx/sonarr.local.eax.app.access.log;
+ error_log /var/log/nginx/sonarr.local.eax.app.error.log warn;
+
+ # index.html fallback
+ location / {
+ #auth_basic off;
+ proxy_pass http://sonarr_backend;
+ proxy_set_header Host 127.0.0.1:8989;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_cookie_path / "/; Secure";
+ #proxy_set_header Host $host;
+ #proxy_set_header X-Real-IP $remote_addr;
+ #proxy_set_header X-Forwarded-Proto $scheme;
+ #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ #proxy_set_header X-Forwarded-Host $server_name:$server_port;
+ #proxy_hide_header Referer;
+ #proxy_hide_header Origin;
+ #proxy_set_header Referer '';
+ #proxy_set_header Origin '';
+ }
+ # additional config
+ #include nginxconfig.io/general.conf;
+}
+
+# HTTP redirect
+server {
+ listen 80;
+ listen [::]:80;
+ server_name sonarr.local.eax.app;
+ include nginxconfig.io/letsencrypt.conf;
+
+ location / {
+ return 301 https://sonarr.local.eax.app$request_uri;
+ }
+}
diff --git a/sites-available/swagger.eax.app.conf b/sites-available/swagger.eax.app.conf
new file mode 100755
index 0000000..11aa37d
--- /dev/null
+++ b/sites-available/swagger.eax.app.conf
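Review bot: The `$connection_upgrade` map and `keepalive 32` on `sonarr_backend` have no effect as written, because `location /` sets neither `proxy_http_version 1.1` nor the `Upgrade`/`Connection` headers; torrent.local.eax.app.conf is in the same state. By default nginx speaks HTTP/1.0 with `Connection: close` to the upstream, so WebSocket upgrades cannot pass and upstream connections are not reused. Add `proxy_http_version 1.1;`, `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection $connection_upgrade;` to the location, or remove the unused map and `keepalive`.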
@@ -0,0 +1,56 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name swagger.eax.app;
+ root /srv/http/swagger.eax.app;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/eax.app/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/eax.app/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/eax.app/chain.pem;
+
+ # security
+ include nginxconfig.io/security.conf;
+
+ # restrict methods
+ if ($request_method !~ ^(GET|HEAD|CONNECT|OPTIONS|TRACE)$) {
+ return '405';
+ }
+
+ # logging
+ access_log /var/log/nginx/swagger.eax.app.access.log;
+ error_log /var/log/nginx/swagger.eax.app.error.log warn;
+
+ # index.html fallback
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+
+ # index.php fallback
+ location /api/ {
+ proxy_pass http://10.10.12.10:5000/swagger/0.1-alpha1/swagger.json;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $http_host;
+ proxy_set_header Accept-Encoding "";
+ proxy_redirect off;
+ }
+
+ sub_filter '"openapi": "3.0.1",' '"openapi": "3.0.1", "securityDefinitions":{"JWT":{"type":"apiKey","in":"header","name":"Authorization"}},"responses":{"UnauthorizedError":{"description":"Access token is missing or invalid"}},';
+ sub_filter_types application/json;
+ sub_filter_once off;
+
+ # additional config
+ include nginxconfig.io/general.conf;
+}
+
+# HTTP redirect
+server {
+ listen 80;
+ listen [::]:80;
+ server_name eax.app;
+ include nginxconfig.io/letsencrypt.conf;
+
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+}
diff --git a/sites-available/torrent.local.eax.app.conf b/sites-available/torrent.local.eax.app.conf
new file mode 100755
index 0000000..f051dd1
--- /dev/null
+++ b/sites-available/torrent.local.eax.app.conf
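Review bot: The `# HTTP redirect` server at the end declares `server_name eax.app;` and serves `try_files $uri $uri/ /index.html;` instead of redirecting, which looks like a copy-paste slip. As written it duplicates the port-80 name already claimed in eax.app.conf, so nginx will warn about a conflicting server name and ignore one of them, and swagger.eax.app has no port-80 vhost of its own, so plain-HTTP requests for it fall to the default server rather than being upgraded to HTTPS. It should read `server_name swagger.eax.app;` with `return 301 https://swagger.eax.app$request_uri;` in `location /`. The `# index.php fallback` comment above `location /api/` is also stale, since that block proxies to a fixed `swagger.json` URL.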
@@ -0,0 +1,65 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream qtorrent_backend {
+ server 127.0.0.1:8080;
+ keepalive 32;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name torrent.local.eax.app;
+
+ # SSL
+ ssl_certificate /etc/letsencrypt/live/local.eax.app/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/local.eax.app/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/local.eax.app/chain.pem;
+
+ # security
+ include nginxconfig.io/security.conf;
+
+ # restrict methods
+ if ($request_method !~ ^(GET|POST|HEAD|CONNECT|OPTIONS|TRACE)$) {
+ return '405';
+ }
+
+ # logging
+ access_log /var/log/nginx/torrent.local.eax.app.access.log;
+ error_log /var/log/nginx/torrent.local.eax.app.error.log warn;
+
+ # index.html fallback
+ location / {
+ #auth_basic off;
+ proxy_pass http://qtorrent_backend;
+ proxy_set_header Host 127.0.0.1:8080;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_cookie_path / "/; Secure";
+ #proxy_set_header Host $host;
+ #proxy_set_header X-Real-IP $remote_addr;
+ #proxy_set_header X-Forwarded-Proto $scheme;
+ #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ #proxy_set_header X-Forwarded-Host $server_name:$server_port;
+ #proxy_hide_header Referer;
+ #proxy_hide_header Origin;
+ #proxy_set_header Referer '';
+ #proxy_set_header Origin '';
+ }
+ # additional config
+ #include nginxconfig.io/general.conf;
+}
+
+# HTTP redirect
+server {
+ listen 80;
+ listen [::]:80;
+ server_name torrent.local.eax.app;
+ include nginxconfig.io/letsencrypt.conf;
+
+ location / {
+ return 301 https://torrent.local.eax.app$request_uri;
+ }
+}
diff --git a/sites-available/woodpecker.git.eax.app.conf b/sites-available/woodpecker.git.eax.app.conf
new file mode 100644
index 0000000..83d7592
--- /dev/null
+++ b/sites-available/woodpecker.git.eax.app.conf
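Review bot: `proxy_set_header Host 127.0.0.1:8080;` in `location /` makes every proxied request reach the backend from loopback and addressed to loopback, so the application cannot tell a remote visitor from a local one unless it is configured to trust `X-Forwarded-For`; radarr.conf and sonarr.conf do the same with their own ports. With no access control in nginx, protection rests entirely on the application's own login, so any backend option that relaxes authentication or host checks for local clients needs to be off (the patch does not show the backend settings). Prefer the commented-out `#proxy_set_header Host $host;` and allow the public hostname in the backend instead of masking it.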
@@ -0,0 +1,42 @@
+upstream woodpecker {
+ server 127.0.0.1:3002 fail_timeout=0;
+}
+
+server {
+ #listen 80; # IPv4 HTTP
+ listen 443 ssl http2; # uncomment to enable IPv4 HTTPS + HTTP/2
+ #listen [::]:80; # uncomment to enable IPv6 HTTP
+ #listen [::]:443 ssl http2; # uncomment to enable IPv6 HTTPS + HTTP/2
+ server_name woodpecker.git.eax.app;
+
+ access_log /var/log/woodpecker/nginx_access.log;
+ error_log /var/log/woodpecker/nginx_error.log;
+
+ #ssl_certificate ssl/example.com.crt;
+ #ssl_certificate_key ssl/example.com.key;
+
+ ssl_certificate /etc/letsencrypt/live/git.eax.app/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/git.eax.app/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/git.eax.app/chain.pem;
+
+ location / {
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://woodpecker;
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ chunked_transfer_encoding off;
+ }
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name woodpecker.git.eax.app;
+ include nginxconfig.io/letsencrypt.conf;
+
+ location / {
+ return 301 https://woodpecker.git.eax.app$request_uri;
+ }
+}
diff --git a/sites-enabled/drive.eax.app.conf b/sites-enabled/drive.eax.app.conf
new file mode 120000
index 0000000..0ab5dd8
--- /dev/null
+++ b/sites-enabled/drive.eax.app.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/drive.eax.app.conf
\ No newline at end of file
diff --git a/sites-enabled/eax.app.conf b/sites-enabled/eax.app.conf
new file mode 120000
index 0000000..07db69d
--- /dev/null
+++ b/sites-enabled/eax.app.conf
@@ -0,0 +1 @@
+../sites-available/eax.app.conf
\ No newline at end of file
diff --git a/sites-enabled/esphome.local.eax.app.conf b/sites-enabled/esphome.local.eax.app.conf
new file mode 120000
index 0000000..d0389b8
--- /dev/null
+++ b/sites-enabled/esphome.local.eax.app.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/esphome.local.eax.app.conf
\ No newline at end of file
diff --git a/sites-enabled/git.eax.app.conf b/sites-enabled/git.eax.app.conf
new file mode 120000
index 0000000..3e1b136
--- /dev/null
+++ b/sites-enabled/git.eax.app.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/git.eax.app.conf
\ No newline at end of file
diff --git a/sites-enabled/grafana.local.eax.app.conf b/sites-enabled/grafana.local.eax.app.conf
new file mode 120000
index 0000000..d957f9b
--- /dev/null
+++ b/sites-enabled/grafana.local.eax.app.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/grafana.local.eax.app.conf
\ No newline at end of file
diff --git a/sites-enabled/ha1.eax.app.conf b/sites-enabled/ha1.eax.app.conf
new file mode 120000
index 0000000..9bc51c5
--- /dev/null
+++ b/sites-enabled/ha1.eax.app.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/ha1.eax.app.conf
\ No newline at end of file
diff --git a/sites-enabled/radarr.conf b/sites-enabled/radarr.conf
new file mode 120000
index 0000000..3d8af59
--- /dev/null
+++ b/sites-enabled/radarr.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/radarr.conf
\ No newline at end of file
diff --git a/sites-enabled/sonarr.conf b/sites-enabled/sonarr.conf
new file mode 120000
index 0000000..38f23d9
--- /dev/null
+++ b/sites-enabled/sonarr.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/sonarr.conf
\ No newline at end of file
diff --git a/sites-enabled/swagger.eax.app.conf b/sites-enabled/swagger.eax.app.conf
new file mode 120000
index 0000000..b4fabe1
--- /dev/null
+++ b/sites-enabled/swagger.eax.app.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/swagger.eax.app.conf
\ No newline at end of file
diff --git a/sites-enabled/torrent.local.eax.app.conf b/sites-enabled/torrent.local.eax.app.conf
new file mode 120000
index 0000000..151d192
--- /dev/null
+++ b/sites-enabled/torrent.local.eax.app.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/torrent.local.eax.app.conf
\ No newline at end of file
diff --git a/sites-enabled/woodpecker.git.eax.app.conf b/sites-enabled/woodpecker.git.eax.app.conf
new file mode 120000
index 0000000..706b77e
--- /dev/null
+++ b/sites-enabled/woodpecker.git.eax.app.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/woodpecker.git.eax.app.conf
\ No newline at end of file