reorganization of nginx configs

2018-05-15 17:15:51 -04:00 · 2018-05-15 17:15:51 -04:00 · ca554f9571
parent 9f24840148
commit ca554f9571
10 changed files with 108 additions and 124 deletions
--- a/README.md
+++ b/README.md
@ -14,7 +14,8 @@ this time.

 ## Settings

- **DNSADDR:** DNS IPs (space-delimited)
+- **ADMINIP:** Administrative Access IP
+- **DNSADDR:** Resolver IPs (Space-Delimited)
 - **PUID:** Volume Owner UID
 - **PGID:** Volume Owner GID
 - **SSLEMAIL:** LetsEncrypt Email Address
--- a/override/etc/cont-init.d/20-nginx
+++ b/override/etc/cont-init.d/20-nginx
@ -1,7 +1,11 @@
 #!/usr/bin/with-contenv bash

 DNSADDR=${DNSADDR:-"8.8.8.8 8.8.4.4"}
+ADMINIP=${ADMINIP:-"127.0.0.1"}
+TRUSTSN=${TRUSTSN:-"192.168.0.0/16"}
+
 SSLPRIMARY=`echo $SSLDOMAINS | tr ',' ' ' | awk '{print $1}'`
+DOMAINNAME=${SSLPRIMARY:-"example.net"}

 THISIP=`ifconfig eth0 | grep 'inet addr' | tr ':' ' ' | awk '{print $3}'`
 THISSN=`ifconfig eth0 | grep 'inet addr' | tr ':' ' ' | awk '{print $7}'`
@ -13,29 +17,31 @@ if [[ ! -f /mnt/config/etc/mime.types ]]; then
 fi

 if [[ ! -f /mnt/config/etc/nginx.conf ]]; then
+  s6-setuidgid guardian cp /etc/nginx/nginx.conf /mnt/config/etc/nginx.conf
+  sed -i -e "s~8.8.8.8 8.8.4.4~${DNSADDR}~g" /mnt/config/etc/nginx.conf
+
  if [[ ! -z "${SSLPRIMARY}" ]]; then
-    sed -e "s/8.8.8.8 8.8.4.4/${DNSADDR}/g" /etc/nginx/nginx.conf | sed -e 's/#SSL://g' | sed -e 's/#NOSSL:/#/g' | s6-setuidgid guardian tee /mnt/config/etc/nginx.conf  | grep -v ""
+    sed -i -e 's/#SSL://g' /mnt/config/etc/nginx.conf
  else
-    sed -e "s/8.8.8.8 8.8.4.4/${DNSADDR}/g" /etc/nginx/nginx.conf | sed -e 's/#NOSSL://g' | sed -e 's/#SSL:/#/g' | s6-setuidgid guardian tee /mnt/config/etc/nginx.conf  | grep -v ""
-  fi
-  if ! grep -q 'REPLACE_WITH_TRUSTED_PROXY_SUBNET' /etc/nginx/nginx.d/default.conf; then
-    s6-setuidgid guardian sed -i -e 's/#NOPROXY:/#/g' /mnt/config/etc/nginx.conf
-    s6-setuidgid guardian sed -i -e 's/#PROXY://g' /mnt/config/etc/nginx.conf
-  else
-    s6-setuidgid guardian sed -i -e 's/#NOPROXY://g' /mnt/config/etc/nginx.conf
-    s6-setuidgid guardian sed -i -e 's/#PROXY:/#/g' /mnt/config/etc/nginx.conf
+    sed -i -e 's/#SSL:/#/g' /mnt/config/etc/nginx.conf
  fi
 fi

 if [[ ! -d /mnt/config/etc/nginx.d ]]; then
  s6-setuidgid guardian mkdir -p /mnt/config/etc/nginx.d
-  if [[ ! -z "${SSLPRIMARY}" ]]; then
-    sed -e "s/REPLACE_WITH_DOMAIN_NAME/${SSLPRIMARY}/g" /etc/nginx/nginx.d/default.conf | sed -e 's/#SSL://g' | sed -e 's/#NOSSL:/#/g' | s6-setuidgid guardian tee /mnt/config/etc/nginx.d/default.conf  | grep -v ""
-  else
-    sed -e 's/#NOSSL://g' /etc/nginx/nginx.d/default.conf | sed -e 's/#SSL:/#/g' | s6-setuidgid guardian tee /mnt/config/etc/nginx.d/default.conf  | grep -v ""
-  fi
-  s6-setuidgid guardian sed -i -e "s/REPLACE_WITH_TRUSTED_PROXY_SUBNET/${TRSTIP}\/${TRSTPF}/g" /mnt/config/etc/nginx.d/default.conf
  s6-setuidgid guardian cp -n /etc/nginx/nginx.d/* /mnt/config/etc/nginx.d/
+  grep -rl '127.0.0.1' /mnt/config/etc/nginx.d | xargs -n1 sed -i -e "s/127.0.0.1/${ADMINIP}/g"
+  grep -rl 'example.net' /mnt/config/etc/nginx.d | xargs -n1 sed -i -e "s/example.net/${DOMAINNAME}/g"
+  grep -rl 'ip_from 192.168.0.0/16' /mnt/config/etc/nginx.d | xargs -n1 sed -i -e "s~ip_from 192.168.0.0/16~ip_from ${TRSTIP}/${TRSTPF}~g"
+  grep -rl 'allow 192.168.0.0/16' /mnt/config/etc/nginx.d | xargs -n1 sed -i -e "s~allow 192.168.0.0/16~allow ${TRUSTSN}~g"
+
+  if [[ ! -z "${SSLPRIMARY}" ]]; then
+    grep -rl '#NOSSL:' /mnt/config/etc/nginx.d | xargs -n1 sed -i -e 's/#NOSSL:/#/g'
+    grep -rl '#SSL:' /mnt/config/etc/nginx.d | xargs -n1 sed -i -e 's/#SSL://g'
+  else
+    grep -rl '#NOSSL:' /mnt/config/etc/nginx.d | xargs -n1 sed -i -e 's/#NOSSL://g'
+    grep -rl '#SSL:' /mnt/config/etc/nginx.d | xargs -n1 sed -i -e 's/#SSL:/#/g'
+  fi
 fi

 if [[ ! -z "${SSLPRIMARY}" ]]; then
--- a/override/etc/nginx/nginx.conf
+++ b/override/etc/nginx/nginx.conf
@ -12,8 +12,6 @@ events {
 }

 http {
-	# ngx_http_core_module
-
 	include mime.types;

 	client_body_buffer_size 128k;
@ -35,70 +33,9 @@ http {
 	tcp_nopush on;
 	types_hash_max_size 2048;

-	# ngx_http_charset_module
-
 	charset utf-8;
-
-	# ngx_http_gzip_module
-
-	#PROXY:gzip on;
-	#PROXY:gzip_comp_level 4;
-	#PROXY:gzip_min_length 256;
-	#PROXY:gzip_proxied no-cache no-store private expired auth;
-	#PROXY:gzip_types text/css text/mathml text/plain text/xml image/svg+xml application/atom+xml application/javascript application/json application/rss+xml application/xhtml+xml application/xspf+xml;
-	#PROXY:gzip_vary on;
-
-	# ngx_http_headers_module
-
-	#SSL:add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
-	#NOPROXY:add_header X-Content-Type-Options nosniff;
-	#NOPROXY:add_header X-Frame-Options SAMEORIGIN;
-	#NOPROXY:add_header X-Robots-Tag noarchive;
-	#NOPROXY:add_header X-XSS-Protection "1; mode=block";
-
-	# ngx_http_index_module
-
 	index index.html;
-
-	# ngx_http_log_module
-
-	log_format rt_cache '$remote_addr - $upstream_cache_status [$time_local]  '
-		'"$request" $status $body_bytes_sent '
-		'"$http_referer" "$http_user_agent"';
-
-	#PROXY:access_log /mnt/config/log/nginx-access.log rt_cache;
-	#NOPROXY:access_log /mnt/config/log/nginx-access.log;
-
-	# ngx_http_ssl_module
-	# https://cipherli.st/
-
-	#SSL:ssl_protocols TLSv1.2 TLSv1.3;
-	#SSL:ssl_prefer_server_ciphers on;
-	#SSL:ssl_dhparam /mnt/config/ssl/dhparam.pem;
-	#SSL:ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
-	#SSL:ssl_ecdh_curve secp384r1;
-	#SSL:ssl_session_timeout 10m;
-	#SSL:ssl_session_cache shared:SSL:10m;
-	#SSL:ssl_session_tickets off;
-	#SSL:ssl_stapling on;
-	#SSL:ssl_stapling_verify on;
-
-	# Default Caching
-
-	#PROXY:proxy_cache_path /mnt/config/cache levels=1:2 keys_zone=www_cache:10m max_size=10g inactive=1d use_temp_path=off;
-	#PROXY:proxy_cache www_cache;
-	#PROXY:proxy_cache_background_update on;
-	#PROXY:proxy_cache_key $scheme$host$request_uri;
-	#PROXY:proxy_cache_lock on;
-	#PROXY:proxy_cache_revalidate on;
-	#PROXY:proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
-	#PROXY:proxy_cache_valid 30m;
-
-	map $remote_addr $cache_status {
-		127.0.0.1 $upstream_cache_status;
-		default "";
-	}
-	#PROXY:add_header X-Cache-Status $cache_status;
+	access_log /mnt/config/log/nginx-access.log;

 	map $sent_http_content_type $expires {
 		default                    off;
@ -112,7 +49,7 @@ http {
 		~video/                    42d;
 	}

-	# Other Stuff
-
+	#SSL:include nginx.d/_gzip.inc;
+	#SSL:include nginx.d/_ssl.inc;
 	include nginx.d/*.conf;
 }
--- a/override/etc/nginx/nginx.d/_gzip.inc
+++ b/override/etc/nginx/nginx.d/_gzip.inc
@ -0,0 +1,6 @@
+gzip on;
+gzip_comp_level 4;
+gzip_min_length 256;
+gzip_proxied no-cache no-store private expired auth;
+gzip_types text/css text/mathml text/plain text/xml image/svg+xml application/atom+xml application/javascript application/json application/rss+xml application/xhtml+xml application/xspf+xml;
+gzip_vary on;
--- a/override/etc/nginx/nginx.d/_proxy.inc
+++ b/override/etc/nginx/nginx.d/_proxy.inc
@ -0,0 +1,18 @@
+map $remote_addr $cache_status {
+	127.0.0.1 $upstream_cache_status;
+	default "";
+}
+
+log_format rt_cache '$remote_addr - $upstream_cache_status [$time_local]  '
+	'"$request" $status $body_bytes_sent '
+	'"$http_referer" "$http_user_agent"';
+access_log /mnt/config/log/nginx-access.log rt_cache;
+
+proxy_cache_path /mnt/config/cache levels=1:2 keys_zone=www_cache:10m max_size=10g inactive=1d use_temp_path=off;
+proxy_cache www_cache;
+proxy_cache_background_update on;
+proxy_cache_key $scheme$host$request_uri;
+proxy_cache_lock on;
+proxy_cache_revalidate on;
+proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+proxy_cache_valid 30m;
--- a/override/etc/nginx/nginx.d/_server_local.inc
+++ b/override/etc/nginx/nginx.d/_server_local.inc
@ -0,0 +1,21 @@
+#NOSSL:listen 80 default_server;
+#SSL:listen 443 http2 ssl;
+#SSL:ssl_certificate /mnt/config/ssl/live/example.net/fullchain.pem;
+#SSL:ssl_certificate_key /mnt/config/ssl/live/example.net/privkey.pem;
+#SSL:ssl_trusted_certificate /mnt/config/ssl/live/example.net/chain.pem;
+#SSL:add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+autoindex off;
+add_header X-Content-Type-Options nosniff;
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Robots-Tag noarchive;
+add_header X-XSS-Protection "1; mode=block";
+expires $expires;
+
+set_real_ip_from 192.168.0.0/16;
+real_ip_header X-Real-IP;
+real_ip_recursive on;
+
+location ~ /\. {
+	deny all;
+}
--- a/override/etc/nginx/nginx.d/_server_proxy.inc
+++ b/override/etc/nginx/nginx.d/_server_proxy.inc
@ -0,0 +1,14 @@
+#NOSSL:listen 80;
+#SSL:listen 443 http2 ssl;
+#SSL:ssl_certificate /mnt/config/ssl/live/example.net/fullchain.pem;
+#SSL:ssl_certificate_key /mnt/config/ssl/live/example.net/privkey.pem;
+#SSL:ssl_trusted_certificate /mnt/config/ssl/live/example.net/chain.pem;
+#SSL:add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+add_header X-Cache-Status $cache_status;
+
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-Host $host:$server_port;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-Proto $scheme;
--- a/override/etc/nginx/nginx.d/_ssl.inc
+++ b/override/etc/nginx/nginx.d/_ssl.inc
@ -0,0 +1,11 @@
+# https://cipherli.st/
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+ssl_dhparam /mnt/config/ssl/dhparam.pem;
+ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+ssl_ecdh_curve secp384r1;
+ssl_session_timeout 10m;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
--- a/override/etc/nginx/nginx.d/default.conf
+++ b/override/etc/nginx/nginx.d/default.conf
@ -5,47 +5,7 @@
 #SSL:}

 server {
-	#NOSSL:listen 80 default_server;
-	#SSL:listen 443 http2 ssl;
-	#SSL:ssl_certificate /mnt/config/ssl/live/REPLACE_WITH_DOMAIN_NAME/fullchain.pem;
-	#SSL:ssl_certificate_key /mnt/config/ssl/live/REPLACE_WITH_DOMAIN_NAME/privkey.pem;
-	#SSL:ssl_trusted_certificate /mnt/config/ssl/live/REPLACE_WITH_DOMAIN_NAME/chain.pem;
-
 	server_name _;
+	include _server_local.inc;
 	root /mnt/config/www/default;
-
-	autoindex off;
-	add_header X-Content-Type-Options nosniff;
-	add_header X-Frame-Options SAMEORIGIN;
-	add_header X-Robots-Tag noarchive;
-	add_header X-XSS-Protection "1; mode=block";
-	expires $expires;
-	
-	location ~ /\. {
-		deny all;
-	}
-}
-
-# ============= #
-# PROXY EXAMPLE #
-# ============= #
-	
-#server {
-#	#NOSSL:listen 80;
-#	#SSL:listen 443 http2 ssl;
-#	#SSL:ssl_certificate /mnt/config/ssl/live/REPLACE_WITH_DOMAIN_NAME/fullchain.pem;
-#	#SSL:ssl_certificate_key /mnt/config/ssl/live/REPLACE_WITH_DOMAIN_NAME/privkey.pem;
-#	#SSL:ssl_trusted_certificate /mnt/config/ssl/live/REPLACE_WITH_DOMAIN_NAME/chain.pem;
-#
-#	server_name subdomain.REPLACE_WITH_DOMAIN_NAME;
-#
-#	location / {
-#		proxy_set_header Host $host;
-#		proxy_set_header X-Real-IP $remote_addr;
-#		proxy_set_header X-Forwarded-Host $host:$server_port;
-#		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-#		proxy_set_header X-Forwarded-Port $server_port;
-#		proxy_set_header X-Forwarded-Proto $scheme;
-#		proxy_pass http://IP:PORT/;
-#	}
-#}
+}
--- a/override/etc/nginx/nginx.d/proxy.conf
+++ b/override/etc/nginx/nginx.d/proxy.conf
@ -0,0 +1,10 @@
+#include _proxy.inc;
+
+#server {
+#	server_name subdomain.example.net;
+#	include _server_proxy.inc;
+#
+#	location / {
+#		proxy_pass http://IP:PORT/;
+#	}
+#}