reorganization of nginx configs
This commit is contained in:
parent
9f24840148
commit
ca554f9571
@ -14,7 +14,8 @@ this time.
|
|||
|
||||
## Settings
|
||||
|
||||
- **DNSADDR:** DNS IPs (space-delimited)
|
||||
- **ADMINIP:** Administrative Access IP
|
||||
- **DNSADDR:** Resolver IPs (Space-Delimited)
|
||||
- **PUID:** Volume Owner UID
|
||||
- **PGID:** Volume Owner GID
|
||||
- **SSLEMAIL:** LetsEncrypt Email Address
|
||||
|
|
|
@ -1,7 +1,11 @@
|
|||
#!/usr/bin/with-contenv bash
|
||||
|
||||
DNSADDR=${DNSADDR:-"8.8.8.8 8.8.4.4"}
|
||||
ADMINIP=${ADMINIP:-"127.0.0.1"}
|
||||
TRUSTSN=${TRUSTSN:-"192.168.0.0/16"}
|
||||
|
||||
SSLPRIMARY=`echo $SSLDOMAINS | tr ',' ' ' | awk '{print $1}'`
|
||||
DOMAINNAME=${SSLPRIMARY:-"example.net"}
|
||||
|
||||
THISIP=`ifconfig eth0 | grep 'inet addr' | tr ':' ' ' | awk '{print $3}'`
|
||||
THISSN=`ifconfig eth0 | grep 'inet addr' | tr ':' ' ' | awk '{print $7}'`
|
||||
|
@ -13,29 +17,31 @@ if [[ ! -f /mnt/config/etc/mime.types ]]; then
|
|||
fi
|
||||
|
||||
if [[ ! -f /mnt/config/etc/nginx.conf ]]; then
|
||||
s6-setuidgid guardian cp /etc/nginx/nginx.conf /mnt/config/etc/nginx.conf
|
||||
sed -i -e "s~8.8.8.8 8.8.4.4~${DNSADDR}~g" /mnt/config/etc/nginx.conf
|
||||
|
||||
if [[ ! -z "${SSLPRIMARY}" ]]; then
|
||||
sed -e "s/8.8.8.8 8.8.4.4/${DNSADDR}/g" /etc/nginx/nginx.conf | sed -e 's/#SSL://g' | sed -e 's/#NOSSL:/#/g' | s6-setuidgid guardian tee /mnt/config/etc/nginx.conf | grep -v ""
|
||||
sed -i -e 's/#SSL://g' /mnt/config/etc/nginx.conf
|
||||
else
|
||||
sed -e "s/8.8.8.8 8.8.4.4/${DNSADDR}/g" /etc/nginx/nginx.conf | sed -e 's/#NOSSL://g' | sed -e 's/#SSL:/#/g' | s6-setuidgid guardian tee /mnt/config/etc/nginx.conf | grep -v ""
|
||||
fi
|
||||
if ! grep -q 'REPLACE_WITH_TRUSTED_PROXY_SUBNET' /etc/nginx/nginx.d/default.conf; then
|
||||
s6-setuidgid guardian sed -i -e 's/#NOPROXY:/#/g' /mnt/config/etc/nginx.conf
|
||||
s6-setuidgid guardian sed -i -e 's/#PROXY://g' /mnt/config/etc/nginx.conf
|
||||
else
|
||||
s6-setuidgid guardian sed -i -e 's/#NOPROXY://g' /mnt/config/etc/nginx.conf
|
||||
s6-setuidgid guardian sed -i -e 's/#PROXY:/#/g' /mnt/config/etc/nginx.conf
|
||||
sed -i -e 's/#SSL:/#/g' /mnt/config/etc/nginx.conf
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ ! -d /mnt/config/etc/nginx.d ]]; then
|
||||
s6-setuidgid guardian mkdir -p /mnt/config/etc/nginx.d
|
||||
if [[ ! -z "${SSLPRIMARY}" ]]; then
|
||||
sed -e "s/REPLACE_WITH_DOMAIN_NAME/${SSLPRIMARY}/g" /etc/nginx/nginx.d/default.conf | sed -e 's/#SSL://g' | sed -e 's/#NOSSL:/#/g' | s6-setuidgid guardian tee /mnt/config/etc/nginx.d/default.conf | grep -v ""
|
||||
else
|
||||
sed -e 's/#NOSSL://g' /etc/nginx/nginx.d/default.conf | sed -e 's/#SSL:/#/g' | s6-setuidgid guardian tee /mnt/config/etc/nginx.d/default.conf | grep -v ""
|
||||
fi
|
||||
s6-setuidgid guardian sed -i -e "s/REPLACE_WITH_TRUSTED_PROXY_SUBNET/${TRSTIP}\/${TRSTPF}/g" /mnt/config/etc/nginx.d/default.conf
|
||||
s6-setuidgid guardian cp -n /etc/nginx/nginx.d/* /mnt/config/etc/nginx.d/
|
||||
grep -rl '127.0.0.1' /mnt/config/etc/nginx.d | xargs -n1 sed -i -e "s/127.0.0.1/${ADMINIP}/g"
|
||||
grep -rl 'example.net' /mnt/config/etc/nginx.d | xargs -n1 sed -i -e "s/example.net/${DOMAINNAME}/g"
|
||||
grep -rl 'ip_from 192.168.0.0/16' /mnt/config/etc/nginx.d | xargs -n1 sed -i -e "s~ip_from 192.168.0.0/16~ip_from ${TRSTIP}/${TRSTPF}~g"
|
||||
grep -rl 'allow 192.168.0.0/16' /mnt/config/etc/nginx.d | xargs -n1 sed -i -e "s~allow 192.168.0.0/16~allow ${TRUSTSN}~g"
|
||||
|
||||
if [[ ! -z "${SSLPRIMARY}" ]]; then
|
||||
grep -rl '#NOSSL:' /mnt/config/etc/nginx.d | xargs -n1 sed -i -e 's/#NOSSL:/#/g'
|
||||
grep -rl '#SSL:' /mnt/config/etc/nginx.d | xargs -n1 sed -i -e 's/#SSL://g'
|
||||
else
|
||||
grep -rl '#NOSSL:' /mnt/config/etc/nginx.d | xargs -n1 sed -i -e 's/#NOSSL://g'
|
||||
grep -rl '#SSL:' /mnt/config/etc/nginx.d | xargs -n1 sed -i -e 's/#SSL:/#/g'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ ! -z "${SSLPRIMARY}" ]]; then
|
||||
|
|
|
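Review bot: The two trusted-proxy rewrites, `s/REPLACE_WITH_TRUSTED_PROXY_SUBNET/${TRSTIP}\/${TRSTPF}/g` and `s~ip_from 192.168.0.0/16~ip_from ${TRSTIP}/${TRSTPF}~g`, expand variables that nothing in either hunk assigns, while the `allow` rewrite two lines later uses `${TRUSTSN}`, which is defined at the top with the same default. If TRSTIP/TRSTPF are indeed unset, `set_real_ip_from` becomes `set_real_ip_from /;` and nginx refuses the config at startup; if something earlier does set them, all three rewrites should still read one variable so the range that may spoof `X-Real-IP` cannot drift apart from the `allow` range. The substituted values (ADMINIP, DNSADDR, TRUSTSN) are also spliced into sed expressions unescaped, so an ADMINIP given as a CIDR such as `10.0.0.0/8` breaks `s/127.0.0.1/${ADMINIP}/g` at the slash and a value containing `&` or `\` changes the replacement; using `~` as the delimiter everywhere, as the nginx.conf rewrite already does, and rejecting values that do not match an IP/CIDR pattern before the first sed would close that. The closing `if [[ ! -z "${SSLPRIMARY}" ]]; then` continues past the end of the hunk.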
@ -12,8 +12,6 @@ events {
|
|||
}
|
||||
|
||||
http {
|
||||
# ngx_http_core_module
|
||||
|
||||
include mime.types;
|
||||
|
||||
client_body_buffer_size 128k;
|
||||
|
@ -35,70 +33,9 @@ http {
|
|||
tcp_nopush on;
|
||||
types_hash_max_size 2048;
|
||||
|
||||
# ngx_http_charset_module
|
||||
|
||||
charset utf-8;
|
||||
|
||||
# ngx_http_gzip_module
|
||||
|
||||
#PROXY:gzip on;
|
||||
#PROXY:gzip_comp_level 4;
|
||||
#PROXY:gzip_min_length 256;
|
||||
#PROXY:gzip_proxied no-cache no-store private expired auth;
|
||||
#PROXY:gzip_types text/css text/mathml text/plain text/xml image/svg+xml application/atom+xml application/javascript application/json application/rss+xml application/xhtml+xml application/xspf+xml;
|
||||
#PROXY:gzip_vary on;
|
||||
|
||||
# ngx_http_headers_module
|
||||
|
||||
#SSL:add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
||||
#NOPROXY:add_header X-Content-Type-Options nosniff;
|
||||
#NOPROXY:add_header X-Frame-Options SAMEORIGIN;
|
||||
#NOPROXY:add_header X-Robots-Tag noarchive;
|
||||
#NOPROXY:add_header X-XSS-Protection "1; mode=block";
|
||||
|
||||
# ngx_http_index_module
|
||||
|
||||
index index.html;
|
||||
|
||||
# ngx_http_log_module
|
||||
|
||||
log_format rt_cache '$remote_addr - $upstream_cache_status [$time_local] '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent"';
|
||||
|
||||
#PROXY:access_log /mnt/config/log/nginx-access.log rt_cache;
|
||||
#NOPROXY:access_log /mnt/config/log/nginx-access.log;
|
||||
|
||||
# ngx_http_ssl_module
|
||||
# https://cipherli.st/
|
||||
|
||||
#SSL:ssl_protocols TLSv1.2 TLSv1.3;
|
||||
#SSL:ssl_prefer_server_ciphers on;
|
||||
#SSL:ssl_dhparam /mnt/config/ssl/dhparam.pem;
|
||||
#SSL:ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
|
||||
#SSL:ssl_ecdh_curve secp384r1;
|
||||
#SSL:ssl_session_timeout 10m;
|
||||
#SSL:ssl_session_cache shared:SSL:10m;
|
||||
#SSL:ssl_session_tickets off;
|
||||
#SSL:ssl_stapling on;
|
||||
#SSL:ssl_stapling_verify on;
|
||||
|
||||
# Default Caching
|
||||
|
||||
#PROXY:proxy_cache_path /mnt/config/cache levels=1:2 keys_zone=www_cache:10m max_size=10g inactive=1d use_temp_path=off;
|
||||
#PROXY:proxy_cache www_cache;
|
||||
#PROXY:proxy_cache_background_update on;
|
||||
#PROXY:proxy_cache_key $scheme$host$request_uri;
|
||||
#PROXY:proxy_cache_lock on;
|
||||
#PROXY:proxy_cache_revalidate on;
|
||||
#PROXY:proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
|
||||
#PROXY:proxy_cache_valid 30m;
|
||||
|
||||
map $remote_addr $cache_status {
|
||||
127.0.0.1 $upstream_cache_status;
|
||||
default "";
|
||||
}
|
||||
#PROXY:add_header X-Cache-Status $cache_status;
|
||||
access_log /mnt/config/log/nginx-access.log;
|
||||
|
||||
map $sent_http_content_type $expires {
|
||||
default off;
|
||||
|
@ -112,7 +49,7 @@ http {
|
|||
~video/ 42d;
|
||||
}
|
||||
|
||||
# Other Stuff
|
||||
|
||||
#SSL:include nginx.d/_gzip.inc;
|
||||
#SSL:include nginx.d/_ssl.inc;
|
||||
include nginx.d/*.conf;
|
||||
}
|
|
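Review bot: `#SSL:include nginx.d/_gzip.inc;` ties response compression to the TLS toggle, whereas the gzip directives this include replaces were tagged `#PROXY:` (`#PROXY:gzip on;` and the lines following it), so the tag reads like a copy of the `_ssl.inc` line rather than intent; `#PROXY:include nginx.d/_gzip.inc;` or an untagged include preserves the previous behaviour. If gating gzip on TLS is deliberate it deserves a comment, because compressing authenticated responses over TLS is the BREACH precondition and an operator reading `#SSL:` will not guess that trade-off. `include nginx.d/*.conf;` correctly leaves the `.inc` fragments to explicit includes, which is worth one line of comment so nobody renames them to `.conf` and double-loads `proxy_cache_path`.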
@ -0,0 +1,6 @@
|
|||
gzip on;
|
||||
gzip_comp_level 4;
|
||||
gzip_min_length 256;
|
||||
gzip_proxied no-cache no-store private expired auth;
|
||||
gzip_types text/css text/mathml text/plain text/xml image/svg+xml application/atom+xml application/javascript application/json application/rss+xml application/xhtml+xml application/xspf+xml;
|
||||
gzip_vary on;
|
|
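Review bot: `gzip_proxied no-cache no-store private expired auth;` switches compression on precisely for the upstream responses that carry per-user content, and once this fragment is active behind a TLS listener that is the BREACH precondition (attacker-influenced input reflected in a compressed body next to a secret such as a CSRF token). The file should state that, e.g. `# compresses private/authenticated upstream responses; apps that reflect user input next to secrets should drop 'private' and 'auth' here`, so operators of such applications know which tokens to remove rather than disabling gzip wholesale.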
@ -0,0 +1,18 @@
|
|||
map $remote_addr $cache_status {
|
||||
127.0.0.1 $upstream_cache_status;
|
||||
default "";
|
||||
}
|
||||
|
||||
log_format rt_cache '$remote_addr - $upstream_cache_status [$time_local] '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent"';
|
||||
access_log /mnt/config/log/nginx-access.log rt_cache;
|
||||
|
||||
proxy_cache_path /mnt/config/cache levels=1:2 keys_zone=www_cache:10m max_size=10g inactive=1d use_temp_path=off;
|
||||
proxy_cache www_cache;
|
||||
proxy_cache_background_update on;
|
||||
proxy_cache_key $scheme$host$request_uri;
|
||||
proxy_cache_lock on;
|
||||
proxy_cache_revalidate on;
|
||||
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
|
||||
proxy_cache_valid 30m;
|
|
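Review bot: `proxy_cache_key $scheme$host$request_uri;` combined with `proxy_cache_valid 30m;` caches every 200/301/302 from an upstream that sends no cache headers, keyed on the URL alone, so a proxied application that serves per-user pages without `Cache-Control: private`/`no-store` (and without a `Set-Cookie` on the response, which nginx already treats as uncacheable) will have one user's response handed to the next requester of that URL. Since this fragment is meant for arbitrary backends it should default to skipping the cache for credentialed requests, e.g. `proxy_cache_bypass $http_authorization $http_cookie;` and `proxy_no_cache $http_authorization $http_cookie;`, with a comment that only public, credential-free responses are shared. The `127.0.0.1` key in the `$cache_status` map is rewritten to ADMINIP by the run script's `grep -rl '127.0.0.1' … sed` pass, which is worth a comment here so the loopback literal is not read as the effective policy.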
@ -0,0 +1,21 @@
|
|||
#NOSSL:listen 80 default_server;
|
||||
#SSL:listen 443 http2 ssl;
|
||||
#SSL:ssl_certificate /mnt/config/ssl/live/example.net/fullchain.pem;
|
||||
#SSL:ssl_certificate_key /mnt/config/ssl/live/example.net/privkey.pem;
|
||||
#SSL:ssl_trusted_certificate /mnt/config/ssl/live/example.net/chain.pem;
|
||||
#SSL:add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
||||
|
||||
autoindex off;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header X-Robots-Tag noarchive;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
expires $expires;
|
||||
|
||||
set_real_ip_from 192.168.0.0/16;
|
||||
real_ip_header X-Real-IP;
|
||||
real_ip_recursive on;
|
||||
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
}
|
|
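Review bot: `set_real_ip_from 192.168.0.0/16;` with `real_ip_header X-Real-IP;` lets any host in that /16 rewrite `$remote_addr` simply by sending an `X-Real-IP` header, and because the run script rewrites `127.0.0.1` to ADMINIP across nginx.d, a LAN peer sending `X-Real-IP: <ADMINIP>` would satisfy the `$cache_status` map and any `allow` rule keyed on the admin address. The trusted range should be the reverse proxy's own address (a /32), not a whole private /16, and `real_ip_recursive on;` does nothing for a single-value header like X-Real-IP — either drop it or switch to `real_ip_header X-Forwarded-For;` if a proxy chain is the intended case. `location ~ /\. { deny all; }` also blocks `/.well-known/acme-challenge/`, so if certificates for the SSLEMAIL/LetsEncrypt flow are obtained via HTTP-01 on this vhost an exception such as `location ^~ /.well-known/acme-challenge/ { allow all; }` is needed ahead of it. `X-XSS-Protection "1; mode=block"` is obsolete in current browsers and is better sent as `0` or removed.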
@ -0,0 +1,14 @@
|
|||
#NOSSL:listen 80;
|
||||
#SSL:listen 443 http2 ssl;
|
||||
#SSL:ssl_certificate /mnt/config/ssl/live/example.net/fullchain.pem;
|
||||
#SSL:ssl_certificate_key /mnt/config/ssl/live/example.net/privkey.pem;
|
||||
#SSL:ssl_trusted_certificate /mnt/config/ssl/live/example.net/chain.pem;
|
||||
#SSL:add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
||||
add_header X-Cache-Status $cache_status;
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Host $host:$server_port;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Port $server_port;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
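Review bot: `#SSL:add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";` is emitted from every proxied vhost, and `preload` together with `includeSubDomains` is a request to hard-code the whole registrable domain into browser preload lists, which is not reversible on an operator's timescale and breaks any subdomain that must remain plain HTTP; a template should ship `max-age=63072000; includeSubDomains` and make `preload` a documented opt-in. nginx's `add_header` is replaced, not merged, in nested levels, so a `location` in the including server block that declares its own `add_header` silently drops both HSTS and `X-Cache-Status` — a comment like `# add_header is not inherited once a location sets its own; repeat these there` would prevent that. `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to a client-supplied header, so the upstream must only trust the last entry, which is worth stating next to it.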
@ -0,0 +1,11 @@
|
|||
# https://cipherli.st/
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_dhparam /mnt/config/ssl/dhparam.pem;
|
||||
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
|
||||
ssl_ecdh_curve secp384r1;
|
||||
ssl_session_timeout 10m;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_tickets off;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
|
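Review bot: `ECDHE-RSA-AES256-GCM-SHA512` and `DHE-RSA-AES256-GCM-SHA512` in `ssl_ciphers` are not OpenSSL cipher suite names (the AES-256-GCM suites use SHA384) and are silently ignored, so the effective TLS 1.2 list is the three remaining RSA suites, one of them CBC (`ECDHE-RSA-AES256-SHA384`), and with no ECDSA suites an ECDSA certificate would leave TLS 1.2 clients nothing to negotiate. Replacing the line with the Mozilla intermediate set, `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;`, and dropping `ssl_prefer_server_ciphers on;` (irrelevant to TLS 1.3 and no longer recommended for 1.2) gives a list that matches the `# https://cipherli.st/` intent without dead entries. `ssl_ecdh_curve secp384r1;` pins a single curve; `ssl_ecdh_curve X25519:prime256v1:secp384r1;` keeps the faster curves available. `ssl_stapling on;` depends on a `resolver` directive elsewhere in the http block, which the run script's `8.8.8.8 8.8.4.4` rewrite suggests exists but this file does not show.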
@ -5,47 +5,7 @@
|
|||
#SSL:}
|
||||
|
||||
server {
|
||||
#NOSSL:listen 80 default_server;
|
||||
#SSL:listen 443 http2 ssl;
|
||||
#SSL:ssl_certificate /mnt/config/ssl/live/REPLACE_WITH_DOMAIN_NAME/fullchain.pem;
|
||||
#SSL:ssl_certificate_key /mnt/config/ssl/live/REPLACE_WITH_DOMAIN_NAME/privkey.pem;
|
||||
#SSL:ssl_trusted_certificate /mnt/config/ssl/live/REPLACE_WITH_DOMAIN_NAME/chain.pem;
|
||||
|
||||
server_name _;
|
||||
include _server_local.inc;
|
||||
root /mnt/config/www/default;
|
||||
|
||||
autoindex off;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header X-Robots-Tag noarchive;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
expires $expires;
|
||||
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
|
||||
# ============= #
|
||||
# PROXY EXAMPLE #
|
||||
# ============= #
|
||||
|
||||
#server {
|
||||
# #NOSSL:listen 80;
|
||||
# #SSL:listen 443 http2 ssl;
|
||||
# #SSL:ssl_certificate /mnt/config/ssl/live/REPLACE_WITH_DOMAIN_NAME/fullchain.pem;
|
||||
# #SSL:ssl_certificate_key /mnt/config/ssl/live/REPLACE_WITH_DOMAIN_NAME/privkey.pem;
|
||||
# #SSL:ssl_trusted_certificate /mnt/config/ssl/live/REPLACE_WITH_DOMAIN_NAME/chain.pem;
|
||||
#
|
||||
# server_name subdomain.REPLACE_WITH_DOMAIN_NAME;
|
||||
#
|
||||
# location / {
|
||||
# proxy_set_header Host $host;
|
||||
# proxy_set_header X-Real-IP $remote_addr;
|
||||
# proxy_set_header X-Forwarded-Host $host:$server_port;
|
||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
# proxy_set_header X-Forwarded-Port $server_port;
|
||||
# proxy_set_header X-Forwarded-Proto $scheme;
|
||||
# proxy_pass http://IP:PORT/;
|
||||
# }
|
||||
#}
|
||||
}
|
|
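Review bot: `include _server_local.inc;` is resolved by nginx relative to the configuration prefix (the directory holding the main nginx.conf), not relative to the including file, so unless the main config itself lives in nginx.d/ this looks for `<prefix>/_server_local.inc` and nginx fails to start; the main config in this commit writes `include nginx.d/_ssl.inc;`, which suggests the correct form here is `include nginx.d/_server_local.inc;` (and `include nginx.d/_server_proxy.inc;` in the proxy example). In SSL mode `#SSL:listen 443 http2 ssl;` carries no `default_server`, so the catch-all `server_name _;` block is the default only by load order and a proxied vhost may end up answering unknown Host names with its certificate instead. The hunk opens with `#SSL:}`, closing a server block that begins above the visible lines, so the SSL-mode redirect that presumably lives there cannot be checked from this hunk.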
@ -0,0 +1,10 @@
|
|||
#include _proxy.inc;
|
||||
|
||||
#server {
|
||||
# server_name subdomain.example.net;
|
||||
# include _server_proxy.inc;
|
||||
#
|
||||
# location / {
|
||||
# proxy_pass http://IP:PORT/;
|
||||
# }
|
||||
#}
|