collection.dockerfile/alpine/nginx/nginx.conf

255 lines
7.8 KiB
Nginx Configuration File

user nginx;
worker_processes 2;
daemon off;
load_module "modules/ngx_http_dav_ext_module.so";
error_log /var/log/nginx/error-local.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 2000;
}
http {
server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
client_max_body_size 200M;
gzip on;
gzip_min_length 1100;
gzip_buffers 4 8k;
gzip_types text/plain;
# caching
proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=zone1:10m max_size=1G;
proxy_temp_path /tmp/nginx-proxy 1 2;
proxy_cache_key "$scheme$request_method$host$request_uri";
proxy_ignore_headers Expires Cache-Control;
proxy_cache_use_stale error timeout invalid_header http_502;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_headers_hash_max_size 1024;
proxy_headers_hash_bucket_size 128;
log_format cached '$remote_addr '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $upstream_cache_status';
# Useragent ACL: works but ubuntu online accounts does not provide any useragent
#map $http_user_agent $useragent_acl {
# default deny;
# ~(Desktop|Chrome|Nextcloud-iOS|Nextcloud-android|mirall|Mozilla/5\.0|git|ansible-httpget|Go-http-client) allow;
#}
# _ _ _ _
# _ __ | |__ _ __ | |__ __ _ _ __ __| | | ___ _ __
# | '_ \| '_ \| '_ \ _____| '_ \ / _` | '_ \ / _` | |/ _ \ '__|
# | |_) | | | | |_) |_____| | | | (_| | | | | (_| | | __/ |
# | .__/|_| |_| .__/ |_| |_|\__,_|_| |_|\__,_|_|\___|_|
# |_| |_|
#
upstream php-handler {
server 192.168.86.210:9000;
#server unix:/var/run/php/php7.2-fpm.sock;
}
server {
listen 80 default_server;
# root /var/www/null;
root /var/www/letsencrypt;
# for letsencrypt / acme-tiny
location /.well-known {
try_files $uri $uri/ =404;
}
location /.well-known/acme-challenge/ {
alias /var/www/letsencrypt/;
}
location / {
return 301 https://$host$request_uri;
}
# Useragent ACL
# if ($useragent_acl = deny) {
# return 403;
# }
# letsencrypt validation
#location /.well-known/acme-challenge/ {
# alias /var/www/letsencrypt/;
#}
#if ($http_x_forwarded_proto != "https") {
# return 301 https://$host$request_uri;
# }
}
server {
listen 443 ssl http2 default_server;
root /var/www;
# still need TLS1.2 for Lixil Jenkins git pull
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "noindex, nofollow";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
ssl_certificate /home/ssl/xpk.headdesk.me.crt;
ssl_certificate_key /home/ssl/xpk.headdesk.me.key;
# filter out PROPFIND in access log
set $logme 1;
if ($request_method = PROPFIND) {
set $logme 0;
}
access_log /var/log/nginx/access.log cached if=$logme;
# Useragent ACL
# if ($useragent_acl = deny) {
# return 403;
#}
#location / {
# proxy_pass http://192.168.86.10:8080/;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header HTTP_X_FORWARDED_PROTO https;
# proxy_set_header Host $host;
# proxy_cache_bypass $http_pragma $http_authorization;
# }
# letsencrypt validation
location /.well-known/acme-challenge/ {
alias /var/www/letsencrypt/;
}
fastcgi_hide_header X-Powered-By;
location = /.well-known/carddav {
return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
}
location /nextcloud/ {
rewrite ^ /nextcloud/index.php;
}
location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
# Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
# Enable pretty urls
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^\/nextcloud\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
location ~ ^\/nextcloud.*\.(?:css|js|woff2?|svg|gif|map)$ {
try_files $uri /nextcloud/index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "noindex, nofollow";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
}
location ~ ^\/nextcloud.*\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
try_files $uri /nextcloud/index.php$request_uri;
}
location /git/ {
proxy_pass http://192.168.86.53:3000/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HTTP_X_FORWARDED_PROTO https;
proxy_set_header Host $host;
proxy_http_version 1.1;
# caching: do not enable, causes cross account caching!
# proxy_cache zone1;
# proxy_cache_valid 200 302 5m;
# proxy_cache_valid any 10m;
}
location /pad/ {
proxy_pass http://192.168.86.51:9001/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HTTP_X_FORWARDED_PROTO https;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_cookie_path / "/pad; HTTPOnly; Secure";
proxy_cookie_flags express secure httponly;
}
location /jenkins/ {
proxy_pass http://192.168.86.55:8080/jenkins/;
proxy_redirect default;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HTTP_X_FORWARDED_PROTO https;
proxy_set_header Host $host;
proxy_http_version 1.1;
}
location /mon/ {
proxy_pass http://192.168.86.57/;
proxy_buffering off;
proxy_redirect default;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HTTP_X_FORWARDED_PROTO https;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_cookie_path / "/mon; HTTPOnly; Secure";
proxy_cookie_flags express secure httponly;
}
location /enpass/ {
root /var/www;
auth_basic enpass;
auth_basic_user_file /var/www/enpass/.htpass;
dav_methods PUT DELETE MKCOL COPY MOVE;
dav_ext_methods PROPFIND OPTIONS;
dav_access user:rw group:rw all:r;
create_full_put_path on;
autoindex on;
}
}
}