1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/ssbroom_ynh.git synced 2024-09-03 20:26:29 +02:00
ssbroom_ynh/conf/full_nginx.conf

179 lines
5.4 KiB
Text
Raw Normal View History

2021-09-15 08:17:28 +02:00
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name __DOMAIN__ xmpp-upload.__DOMAIN__;
access_by_lua_file /usr/share/ssowat/access.lua;
include /etc/nginx/conf.d/acme-challenge.conf.inc;
location /yunohost {
return 301 https://$http_host$request_uri;
}
location ^~ '/.well-known/ynh-diagnosis/' {
alias /tmp/.well-known/ynh-diagnosis/;
}
location ^~ '/.well-known/autoconfig/mail/' {
alias /var/www/.well-known/__DOMAIN__/autoconfig/mail/;
}
access_log /var/log/nginx/__DOMAIN__-access.log;
error_log /var/log/nginx/__DOMAIN__-error.log;
}
# vhost dedicated to XMPP http_upload
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name xmpp-upload.__DOMAIN__;
root /dev/null;
location /upload/ {
alias /var/xmpp-upload/__DOMAIN__/upload/;
# Pass all requests to metronome, except for GET and HEAD requests.
limit_except GET HEAD {
proxy_pass http://localhost:5290;
}
include proxy_params;
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'HEAD, GET, PUT, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Authorization';
add_header 'Access-Control-Allow-Credentials' 'true';
client_max_body_size 105M; # Choose a value a bit higher than the max upload configured in XMPP server
}
include /etc/nginx/conf.d/security.conf.inc;
ssl_certificate /etc/yunohost/certs/__DOMAIN__/crt.pem;
ssl_certificate_key /etc/yunohost/certs/__DOMAIN__/key.pem;
more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
# OCSP settings
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/yunohost/certs/__DOMAIN__/crt.pem;
resolver 127.0.0.1 127.0.1.1 valid=300s;
resolver_timeout 5s;
access_log /var/log/nginx/xmpp-upload.__DOMAIN__-access.log;
error_log /var/log/nginx/xmpp-upload.__DOMAIN__-error.log;
}
# base ssl path
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name __DOMAIN__;
include /etc/nginx/conf.d/security.conf.inc;
ssl_certificate /etc/yunohost/certs/__DOMAIN__/crt.pem;
ssl_certificate_key /etc/yunohost/certs/__DOMAIN__/key.pem;
more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
# OCSP settings
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/yunohost/certs/__DOMAIN__/crt.pem;
resolver 127.0.0.1 127.0.1.1 valid=300s;
resolver_timeout 5s;
location / {
proxy_pass http://localhost:8899;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $remote_addr:$remote_port;
proxy_set_header X-Forwarded-Proto $scheme;
# for websocket
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
location ^~ '/.well-known/autoconfig/mail/' {
alias /var/www/.well-known/__DOMAIN__/autoconfig/mail/;
}
access_by_lua_file /usr/share/ssowat/access.lua;
include /etc/nginx/conf.d/yunohost_sso.conf.inc;
include /etc/nginx/conf.d/yunohost_admin.conf.inc;
include /etc/nginx/conf.d/yunohost_api.conf.inc;
access_log /var/log/nginx/__DOMAIN__-access.log;
error_log /var/log/nginx/__DOMAIN__-error.log;
}
# alias ssl paths
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name "~^(?<alias>\w+)\.__DOMAINREGEX__$";
include /etc/nginx/conf.d/security.conf.inc;
ssl_certificate /etc/yunohost/certs/__DOMAIN__/crt.pem;
ssl_certificate_key /etc/yunohost/certs/__DOMAIN__/key.pem;
more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
# OCSP settings
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/yunohost/certs/__DOMAIN__/crt.pem;
resolver 127.0.0.1 127.0.1.1 valid=300s;
resolver_timeout 5s;
location = / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $remote_addr:$remote_port;
proxy_set_header X-Forwarded-Proto $scheme;
# "rewrite" requests with subdomains to the non-wildcard url for alias resolving
# $is_args$args pass on ?encoding=json if present
proxy_pass http://localhost:8899/alias/$alias$is_args$args;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $remote_addr:$remote_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8899;
}
access_by_lua_file /usr/share/ssowat/access.lua;
#include /etc/nginx/conf.d/yunohost_sso.conf.inc;
#include /etc/nginx/conf.d/yunohost_admin.conf.inc;
#include /etc/nginx/conf.d/yunohost_api.conf.inc;
access_log /var/log/nginx/__DOMAIN__-access.log;
error_log /var/log/nginx/__DOMAIN__-error.log;
}
# redirect http to https
server {
if ($host ~ __DOMAIN__$ ) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name __DOMAIN__;
return 404; # managed by Certbot
}