220 lines
6.9 KiB
Nginx Configuration File
220 lines
6.9 KiB
Nginx Configuration File
user nginx;
|
|
worker_processes 2;
|
|
daemon off;
|
|
load_module "modules/ngx_http_dav_ext_module.so";
|
|
|
|
error_log /var/log/nginx/error-local.log warn;
|
|
pid /var/run/nginx.pid;
|
|
|
|
events {
|
|
worker_connections 2000;
|
|
}
|
|
|
|
http {
|
|
server_tokens off;
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
sendfile on;
|
|
keepalive_timeout 65;
|
|
client_max_body_size 2000M;
|
|
|
|
gzip on;
|
|
gzip_min_length 1100;
|
|
gzip_buffers 4 8k;
|
|
gzip_types text/plain;
|
|
|
|
# caching
|
|
proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=zone1:10m max_size=1G;
|
|
proxy_temp_path /tmp/nginx-proxy 1 2;
|
|
proxy_cache_key "$scheme$request_method$host$request_uri";
|
|
proxy_ignore_headers Expires Cache-Control;
|
|
proxy_cache_use_stale error timeout invalid_header http_502;
|
|
proxy_cache_bypass $cookie_session;
|
|
proxy_no_cache $cookie_session;
|
|
proxy_headers_hash_max_size 1024;
|
|
proxy_headers_hash_bucket_size 128;
|
|
|
|
log_format cached '$remote_addr '
|
|
'"$request" $status $body_bytes_sent '
|
|
'"$http_referer" "$http_user_agent" $upstream_cache_status';
|
|
|
|
|
|
# Useragent ACL: works but ubuntu online accounts does not provide any useragent
|
|
#map $http_user_agent $useragent_acl {
|
|
# default deny;
|
|
# ~(Desktop|Chrome|Nextcloud-iOS|Nextcloud-android|mirall|Mozilla/5\.0|git|ansible-httpget|Go-http-client) allow;
|
|
#}
|
|
|
|
# _ _ _ _
|
|
# _ __ | |__ _ __ | |__ __ _ _ __ __| | | ___ _ __
|
|
# | '_ \| '_ \| '_ \ _____| '_ \ / _` | '_ \ / _` | |/ _ \ '__|
|
|
# | |_) | | | | |_) |_____| | | | (_| | | | | (_| | | __/ |
|
|
# | .__/|_| |_| .__/ |_| |_|\__,_|_| |_|\__,_|_|\___|_|
|
|
# |_| |_|
|
|
#
|
|
|
|
upstream php-handler {
|
|
server 192.168.86.210:9000;
|
|
#server unix:/var/run/php/php7.2-fpm.sock;
|
|
}
|
|
|
|
server {
|
|
listen 80 default_server;
|
|
root /var/www/null;
|
|
# Useragent ACL
|
|
# if ($useragent_acl = deny) {
|
|
# return 403;
|
|
# }
|
|
if ($http_x_forwarded_proto != "https") {
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl http2 default_server;
|
|
root /var/www;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
|
|
ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_timeout 10m;
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_tickets off;
|
|
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
|
add_header X-Frame-Options SAMEORIGIN;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header X-Robots-Tag none;
|
|
add_header X-Download-Options noopen;
|
|
add_header X-Permitted-Cross-Domain-Policies none;
|
|
add_header Referrer-Policy no-referrer;
|
|
|
|
ssl_certificate /home/ssl/nginx.pem;
|
|
ssl_certificate_key /home/ssl/xpk.headdesk.me.key;
|
|
|
|
# filter out PROPFIND in access log
|
|
set $logme 1;
|
|
|
|
if ($request_method = PROPFIND) {
|
|
set $logme 0;
|
|
}
|
|
|
|
access_log /var/log/nginx/access.log cached if=$logme;
|
|
|
|
# Useragent ACL
|
|
# if ($useragent_acl = deny) {
|
|
# return 403;
|
|
#}
|
|
|
|
#location / {
|
|
# proxy_pass http://192.168.86.10:8080/;
|
|
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
# proxy_set_header X-Real-IP $remote_addr;
|
|
# proxy_set_header HTTP_X_FORWARDED_PROTO https;
|
|
# proxy_set_header Host $host;
|
|
# proxy_cache_bypass $http_pragma $http_authorization;
|
|
# }
|
|
|
|
fastcgi_hide_header X-Powered-By;
|
|
location = /.well-known/carddav {
|
|
return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
|
|
}
|
|
location = /.well-known/caldav {
|
|
return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
|
|
}
|
|
location /nextcloud/ {
|
|
rewrite ^ /nextcloud/index.php;
|
|
}
|
|
location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
|
|
deny all;
|
|
}
|
|
location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) {
|
|
deny all;
|
|
}
|
|
location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
|
|
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
|
|
set $path_info $fastcgi_path_info;
|
|
try_files $fastcgi_script_name =404;
|
|
include fastcgi_params;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
fastcgi_param PATH_INFO $path_info;
|
|
fastcgi_param HTTPS on;
|
|
# Avoid sending the security headers twice
|
|
fastcgi_param modHeadersAvailable true;
|
|
# Enable pretty urls
|
|
fastcgi_param front_controller_active true;
|
|
fastcgi_pass php-handler;
|
|
fastcgi_intercept_errors on;
|
|
fastcgi_request_buffering off;
|
|
}
|
|
|
|
location ~ ^\/nextcloud\/(?:updater|oc[ms]-provider)(?:$|\/) {
|
|
try_files $uri/ =404;
|
|
index index.php;
|
|
}
|
|
|
|
location ~ ^\/nextcloud.*\.(?:css|js|woff2?|svg|gif|map)$ {
|
|
try_files $uri /nextcloud/index.php$request_uri;
|
|
add_header Cache-Control "public, max-age=15778463";
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header X-Robots-Tag none;
|
|
add_header X-Download-Options noopen;
|
|
add_header X-Permitted-Cross-Domain-Policies none;
|
|
add_header Referrer-Policy no-referrer;
|
|
}
|
|
location ~ ^\/nextcloud.*\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
|
|
try_files $uri /nextcloud/index.php$request_uri;
|
|
}
|
|
|
|
location /git/ {
|
|
proxy_pass http://192.168.86.53:3000/;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header HTTP_X_FORWARDED_PROTO https;
|
|
proxy_set_header Host $host;
|
|
# caching: do not enable, causes cross account caching!
|
|
# proxy_cache zone1;
|
|
# proxy_cache_valid 200 302 5m;
|
|
# proxy_cache_valid any 10m;
|
|
}
|
|
|
|
location /pad/ {
|
|
proxy_pass http://192.168.86.51:9001/;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header HTTP_X_FORWARDED_PROTO https;
|
|
proxy_set_header Host $host;
|
|
}
|
|
|
|
location /jenkins/ {
|
|
proxy_pass http://192.168.86.55:8080/jenkins/;
|
|
proxy_redirect default;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header HTTP_X_FORWARDED_PROTO https;
|
|
proxy_set_header Host $host;
|
|
}
|
|
|
|
location /mon/ {
|
|
proxy_pass http://192.168.86.57/;
|
|
proxy_redirect default;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header HTTP_X_FORWARDED_PROTO https;
|
|
proxy_set_header Host $host;
|
|
}
|
|
|
|
location /enpass/ {
|
|
root /var/www;
|
|
auth_basic enpass;
|
|
auth_basic_user_file /var/www/enpass/.htpass;
|
|
dav_methods PUT DELETE MKCOL COPY MOVE;
|
|
dav_ext_methods PROPFIND OPTIONS;
|
|
dav_access user:rw group:rw all:r;
|
|
create_full_put_path on;
|
|
autoindex on;
|
|
}
|
|
}
|
|
}
|