# nginx-module-vts: allocate the shared-memory zone that backs the /status
# page in the port-80 server below (http-context directive of that module).
vhost_traffic_status_zone;
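server {
    # Plain-HTTP default server: two local status endpoints, the ACME challenge
    # include, and a blanket redirect of everything else to HTTPS.
    listen 80 default_server;

    # this works on the docker container with http_stub built in
    # only allow from localhost
    location /nginx_status {
        stub_status on;
        access_log off;
        # Source-address ACL. Requests that enter the container through a
        # published port typically arrive from the Docker bridge address, not
        # 127.0.0.1, so in practice this is reachable only from inside the
        # container itself (e.g. a curl run via docker exec) -- verify.
        allow 127.0.0.1;
        deny all;
    }

    # this works with the vts module
    location /status {
        vhost_traffic_status_display;
        vhost_traffic_status_display_format html;
        access_log off;
        # Same ACL as /nginx_status. The vts page lists every vhost, upstream
        # and per-zone request/byte counter, which should not be readable by
        # anyone on the internet over plain HTTP. If a metrics collector scrapes
        # this endpoint from another container, add its address with
        # `allow <collector-address>;` above `deny all;` instead of dropping the ACL.
        allow 127.0.0.1;
        deny all;
    }

    # forward certbot challenges to the certbot directory
    include /etc/nginx/includes/challenge.conf;

    # Redirect *all other* port 80 traffic to the same thing on port 443
    location / {
        return 301 https://$host$request_uri;
    }
}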
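server {
    # HTTPS default server: hands the .well-known discovery URLs to the
    # delegated services, serves tilde home directories and /html, and proxies
    # everything else to hedgedoc. ${...} tokens are presumably substituted when
    # the container starts (template style); $... are nginx runtime variables.
    #server_name ${DOMAIN_NAME} default;
    client_max_body_size 128m;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    #include /etc/nginx/mime.types;
    #default_type application/octet-stream;

    gzip on;
    gzip_disable "msie6";

    # nginx waits up to 30 minutes between successive reads from an upstream
    proxy_read_timeout 1800s;

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
    chunked_transfer_encoding on;

    # delegated Matrix server
    location /.well-known/matrix {
        #return 302 https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}$request_uri;
        # Send the upstream host name as SNI; without it a name-based TLS front
        # end may present the wrong certificate or refuse the handshake.
        proxy_ssl_server_name on;
        # proxy_ssl_verify defaults to off, so the upstream certificate is not
        # checked. Enable it with `proxy_ssl_verify on;` plus
        # `proxy_ssl_trusted_certificate <CA-bundle-path>;` once that path is known.
        # The URL contains a variable, so the host name is resolved at run time
        # and needs a `resolver` (or an upstream block) defined outside this file.
        proxy_pass https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}$request_uri;
    }

    # separate Mastodon WEB_DOMAIN and LOCAL_DOMAIN
    location = /.well-known/host-meta {
        return 302 https://${MASTODON_HOSTNAME}.${DOMAIN_NAME}$request_uri;
    }
    location = /.well-known/webfinger {
        return 302 https://${MASTODON_HOSTNAME}.${DOMAIN_NAME}$request_uri;
    }

    # OpenID services
    location = /.well-known/openid-configuration {
        return 302 https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}$request_uri;
    }

    # tilde club home directories
    # The first capture is spliced into a filesystem path by `alias`, so it is
    # limited to the characters of a conventional Unix user name rather than
    # the former `(.+?)`. A request such as /~../x then does not match here and
    # falls through to the hedgedoc proxy below instead of being aliased to a
    # path outside /home. Widen the class if mixed-case user names exist.
    location ~ ^/~([a-z_][a-z0-9_-]*)(/.*)?$ {
        alias /home/$1/public_html$2;
        index index.html index.htm;
        # directory listings are intentional for tilde-club style home pages
        autoindex on;
    }

    # /html files are served from the static html site
    location /html {
        root /var/www;
        autoindex off;
    }

    # default home page goes to hedgedoc document "Main_Page"; please add your own content!
    location = / {
        return 302 https://${DOMAIN_NAME}/Main_Page;
    }

    # rewrite /s/ links to the bare link
    # Regex locations match the URI without its query string, so the query is
    # re-appended explicitly (as the $request_uri redirects above keep it).
    # The redirect host is fixed, so $1 can only change the path.
    location ~ ^/s/(.*) {
        return 302 https://${DOMAIN_NAME}/$1$is_args$args;
    }

    # normal pages go to hedgedoc static site (need to define ports in the env)
    # need to rewrite the CSP so that it allows reframing from the main site
    location / {
        # cache zone `mycache` is declared outside this file (proxy_cache_path)
        proxy_cache mycache;
        add_header X-Cache-Status $upstream_cache_status;
        # upstream Cache-Control is ignored so the 1-minute policy below wins
        proxy_ignore_headers Cache-Control;

        # Replace hedgedoc's CSP with one scoped to the main site's subdomains.
        # frame-src governs what these pages may embed; frame-ancestors governs
        # who may embed *them*, which is the "reframing from the main site" the
        # comment above asks for, so it is part of the policy. 'unsafe-inline'
        # and 'unsafe-eval' weaken script-src considerably -- presumably needed by
        # hedgedoc's scripts; drop them if the upstream works without.
        proxy_hide_header Content-Security-Policy;
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.${DOMAIN_NAME}; frame-src 'self' *.${DOMAIN_NAME}; object-src 'self'; base-uri 'self' *.${DOMAIN_NAME}; frame-ancestors 'self' *.${DOMAIN_NAME}";
        # every remaining path is served as the published ("/s/") view of the note
        proxy_pass http://hedgedoc:3000/s$request_uri;
        proxy_cache_valid any 1m;
    }

    # while javascript and config stuff goes to non-static hedgedoc site
    location ~ ^/(js|build|config$) {
        proxy_cache mycache;
        add_header X-Cache-Status $upstream_cache_status;
        proxy_ignore_headers Cache-Control;
        proxy_cache_valid any 1m;

        proxy_pass http://hedgedoc:3000$request_uri;
    }

    # this one can't include ssl.conf since it must be default server
    listen 443 ssl http2 default_server;
    ssl_certificate /etc/nginx/fullchain.pem;
    ssl_certificate_key /etc/nginx/privkey.pem;
    # protocol/cipher settings and any HSTS header are expected to live in
    # options-ssl-nginx.conf (not visible here)
    include /etc/nginx/includes/options-ssl-nginx.conf;
    include /etc/nginx/includes/challenge.conf;
    ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
}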