# Derive the Connection header sent upstream from the client's Upgrade header:
# an empty Upgrade (ordinary request) yields "close", anything else (a
# WebSocket handshake) yields "upgrade".
map $http_upgrade $connection_upgrade {
    ''      close;
    default upgrade;
}
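# Plain-HTTP vhost for __DOMAIN__ and its xmpp-upload subdomain.
# Only the ACME challenge include and the .well-known helpers are answered
# over http; every other request is sent to https.
server {
    listen 80;
    listen [::]:80;
    server_name __DOMAIN__ xmpp-upload.__DOMAIN__;

    # SSOwat access control. It runs in the access phase, i.e. after any
    # "return" below has already answered the request.
    access_by_lua_file /usr/share/ssowat/access.lua;

    # ACME challenge handling (contents not shown here) must stay reachable
    # over plain http, which is why this vhost is not a bare redirect.
    include /etc/nginx/conf.d/acme-challenge.conf.inc;

    location /yunohost {
        return 301 https://$http_host$request_uri;
    }

    location ^~ '/.well-known/ynh-diagnosis/' {
        alias /tmp/.well-known/ynh-diagnosis/;
    }

    location ^~ '/.well-known/autoconfig/mail/' {
        alias /var/www/.well-known/__DOMAIN__/autoconfig/mail/;
    }

    # Catch-all http -> https redirect. "/" is the shortest prefix, so the
    # locations above and whatever the acme include declares still take
    # precedence. Without this, plain-http requests for "/" were served by
    # nginx's default document root instead of being redirected: the separate
    # "redirect http to https" server block at the end of this file declares
    # the same server_name on port 80, and nginx keeps the first definition,
    # logs "conflicting server name ... ignored" for the later one (nginx -t
    # still succeeds) and never routes requests to it. $host is the normalised
    # host name without port; $http_host would echo the raw client header.
    location / {
        return 301 https://$host$request_uri;
    }

    access_log /var/log/nginx/__DOMAIN__-access.log;
    error_log /var/log/nginx/__DOMAIN__-error.log;
}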
# vhost dedicated to XMPP http_upload (xmpp-upload.__DOMAIN__)
server {
    server_name xmpp-upload.__DOMAIN__;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Nothing is served from the document root; only /upload/ is routed below.
    root /dev/null;

    location /upload/ {
        # GET and HEAD are answered from the upload directory on disk ...
        alias /var/xmpp-upload/__DOMAIN__/upload/;

        # ... and every other method (PUT, OPTIONS, ...) is handed to metronome.
        limit_except GET HEAD {
            proxy_pass http://localhost:5290;
        }
        include proxy_params;

        # CORS headers (presumably for browser-based XMPP clients).
        # NOTE(review): browsers reject a credentialed response that carries a
        # wildcard Allow-Origin, so Allow-Credentials 'true' has no effect next
        # to '*'; an explicitly set Authorization header is not a "credential"
        # in that sense and still goes through. Also, add_header at this level
        # replaces rather than extends any add_header inherited from the server
        # level (e.g. from security.conf.inc, whose contents are not shown here).
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'HEAD, GET, PUT, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Authorization';
        add_header 'Access-Control-Allow-Credentials' 'true';

        # Choose a value a bit higher than the max upload configured in XMPP server
        client_max_body_size 105M;
    }

    include /etc/nginx/conf.d/security.conf.inc;

    # TLS material managed by YunoHost
    ssl_certificate     /etc/yunohost/certs/__DOMAIN__/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/__DOMAIN__/key.pem;
    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/yunohost/certs/__DOMAIN__/crt.pem;
    resolver 127.0.0.1 127.0.1.1 valid=300s;
    resolver_timeout 5s;

    access_log /var/log/nginx/xmpp-upload.__DOMAIN__-access.log;
    error_log  /var/log/nginx/xmpp-upload.__DOMAIN__-error.log;
}
# base ssl path: the https vhost for __DOMAIN__, proxied to the service on :8899
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name __DOMAIN__;

    include /etc/nginx/conf.d/security.conf.inc;

    # TLS material managed by YunoHost
    ssl_certificate     /etc/yunohost/certs/__DOMAIN__/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/__DOMAIN__/key.pem;
    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/yunohost/certs/__DOMAIN__/crt.pem;
    resolver 127.0.0.1 127.0.1.1 valid=300s;
    resolver_timeout 5s;

    location / {
        proxy_pass http://localhost:8899;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Host  $host;
        # NOTE(review): "$remote_addr:$remote_port" is not the usual
        # comma-separated-IP form of X-Forwarded-For; the upstream must be
        # known to accept it. Using $remote_addr rather than
        # $proxy_add_x_forwarded_for does mean a client-supplied
        # X-Forwarded-For is overwritten instead of trusted.
        proxy_set_header X-Forwarded-For   $remote_addr:$remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support: HTTP/1.1 plus the Upgrade/Connection pair
        # computed by the map at the top of this file.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    location ^~ '/.well-known/autoconfig/mail/' {
        alias /var/www/.well-known/__DOMAIN__/autoconfig/mail/;
    }

    # SSOwat access control, then the YunoHost sso/admin/api includes
    access_by_lua_file /usr/share/ssowat/access.lua;
    include /etc/nginx/conf.d/yunohost_sso.conf.inc;
    include /etc/nginx/conf.d/yunohost_admin.conf.inc;
    include /etc/nginx/conf.d/yunohost_api.conf.inc;

    access_log /var/log/nginx/__DOMAIN__-access.log;
    error_log  /var/log/nginx/__DOMAIN__-error.log;
}
# alias ssl paths: one wildcard https vhost for <alias>.__DOMAIN__
#
# The capture is limited to \w+, so $alias can only hold letters, digits and
# underscores; that is what makes it safe to splice into the upstream path
# below (no "/", "." or "?" can get in). Exact server names are matched before
# regex ones, so the __DOMAIN__ and xmpp-upload.__DOMAIN__ vhosts keep
# precedence (and "xmpp-upload" would not match \w+ anyway).
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name "~^(?<alias>\w+)\.__DOMAINREGEX__$";

    include /etc/nginx/conf.d/security.conf.inc;

    # TLS material managed by YunoHost
    ssl_certificate     /etc/yunohost/certs/__DOMAIN__/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/__DOMAIN__/key.pem;
    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";

    # OCSP stapling. The resolver is also what nginx uses to look up
    # "localhost" at request time, because the proxy_pass below contains
    # variables.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/yunohost/certs/__DOMAIN__/crt.pem;
    resolver 127.0.0.1 127.0.1.1 valid=300s;
    resolver_timeout 5s;

    # The bare subdomain root is translated into the non-wildcard alias URL
    # (/alias/<alias>), carrying over the query string (e.g. ?encoding=json)
    # when one is present.
    location = / {
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-For   $remote_addr:$remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8899/alias/$alias$is_args$args;
    }

    # Everything else on the subdomain goes to the service unchanged.
    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-For   $remote_addr:$remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8899;
    }

    access_by_lua_file /usr/share/ssowat/access.lua;

    # The YunoHost portal/admin/api includes are deliberately left out on the
    # alias vhosts (kept here, commented, to show the difference from the
    # base vhost).
    #include /etc/nginx/conf.d/yunohost_sso.conf.inc;
    #include /etc/nginx/conf.d/yunohost_admin.conf.inc;
    #include /etc/nginx/conf.d/yunohost_api.conf.inc;

    access_log /var/log/nginx/__DOMAIN__-access.log;
    error_log  /var/log/nginx/__DOMAIN__-error.log;
}
# redirect http to https
#
# NOTE(review): this block is shadowed. The first server block in this file
# already declares "listen 80" with server_name __DOMAIN__ (alongside
# xmpp-upload.__DOMAIN__); nginx keeps the first definition of a name on a
# given listen socket, logs a "conflicting server name ... ignored" warning
# (nginx -t still succeeds) and never routes plain-http requests here. The
# http -> https redirect therefore does not take effect unless it also lives
# in that first block, or this becomes the only port-80 definition of
# __DOMAIN__.
server {
    # Certbot's pattern: redirect when Host matches the domain, 404 otherwise.
    # The regex is not escaped, so the dots in the substituted domain match
    # any character; harmless while server_name is an exact name.
    if ($host ~ __DOMAIN__$ ) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name __DOMAIN__;
    return 404; # managed by Certbot
}