diff --git a/nginx/data/certbot/conf/options-ssl-nginx.conf b/nginx/data/certbot/conf/options-ssl-nginx.conf
new file mode 100644
index 0000000..98b1c4a
--- /dev/null
+++ b/nginx/data/certbot/conf/options-ssl-nginx.conf
@@ -0,0 +1,14 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
diff --git a/nginx/data/certbot/conf/ssl-dhparams.pem b/nginx/data/certbot/conf/ssl-dhparams.pem
new file mode 100644
index 0000000..9b182b7
--- /dev/null
+++ b/nginx/data/certbot/conf/ssl-dhparams.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
diff --git a/nginx/data/nginx/nginx.conf b/nginx/data/nginx/nginx.conf
new file mode 100644
index 0000000..8453aee
--- /dev/null
+++ b/nginx/data/nginx/nginx.conf
@@ -0,0 +1,88 @@
+#user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+env DOMAIN_NAME;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ #access_log syslog:server=localhost;
+ #error_log syslog:server=localhost;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+ include /tmp/sites-enabled/*;
+}
+
+
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
diff --git a/nginx/data/nginx/templates/login.conf.template b/nginx/data/nginx/templates/login.conf.template
new file mode 100644
index 0000000..30a9286
--- /dev/null
+++ b/nginx/data/nginx/templates/login.conf.template
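Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` together with `ssl_prefer_server_ciphers on;` in the http block makes TLS 1.0 and 1.1 the default for every server block that does not override them; the include of options-ssl-nginx.conf only narrows this for the servers that carry it. Change the two lines to `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers off;` so the global default agrees with the certbot-managed settings and a future vhost cannot regress silently. `# server_tokens off;` is left commented, so the nginx version is still advertised in the Server header and on error pages; uncommenting it costs nothing. `include /tmp/sites-enabled/*;` matches a directory that the compose file only references in a commented-out NGINX_ENVSUBST_OUTPUT_DIR, so it is presumably dead and worth removing rather than leaving a world-writable path in the include list.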
@@ -0,0 +1,26 @@
+server {
+ listen 80;
+ server_name login.${DOMAIN_NAME};
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ server_name login.${DOMAIN_NAME};
+ client_max_body_size 128m;
+
+ location / {
+ proxy_pass http://spacestation:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+}
+
+
diff --git a/nginx/docker-compose.yaml b/nginx/docker-compose.yaml
new file mode 100644
index 0000000..a14d910
--- /dev/null
+++ b/nginx/docker-compose.yaml
@@ -0,0 +1,22 @@
+version: '3'
+services:
+ nginx:
+ image: nginx:1.21-alpine
+ ports:
+ - "80:80"
+ - "443:443"
+ volumes:
+ - ./data/nginx/nginx.conf:/etc/nginx/nginx.conf
+ #- ./data/nginx/sites-enabled:/etc/nginx/sites-enabled
+ - ./data/nginx/templates:/etc/nginx/templates
+ - ./data/certbot/conf:/etc/letsencrypt
+ - ./data/certbot/www:/var/www/certbot
+ env_file:
+ - env.production
+ #environment:
+ #- NGINX_ENVSUBST_OUTPUT_DIR=/tmp/sites-enabled
+ certbot:
+ image: certbot/certbot
+ volumes:
+ - ./data/certbot/conf:/etc/letsencrypt
+ - ./data/certbot/www:/var/www/certbot
diff --git a/nginx/env.production b/nginx/env.production
new file mode 100644
index 0000000..d7bb678
--- /dev/null
+++ b/nginx/env.production
@@ -0,0 +1 @@
+DOMAIN_NAME=example.com
diff --git a/nginx/setup b/nginx/setup
new file mode 100755
index 0000000..a234039
--- /dev/null
+++ b/nginx/setup
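Review bot: The `location /` in the 443 server forwards Host and X-Real-IP but no `proxy_set_header X-Forwarded-Proto $scheme;`, so the upstream at spacestation:8080 cannot tell that TLS was terminated here and anything scheme-dependent on its side (secure cookie flags, absolute redirects) will presumably be generated for plain http; add that header beside the existing X-Real-IP line, and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` if the upstream logs client addresses. The certificate is loaded from `/etc/letsencrypt/live/${DOMAIN_NAME}/` while the server_name is `login.${DOMAIN_NAME}`; unless that certificate also covers the login subdomain, clients will see a name mismatch, which is worth confirming against how certbot is invoked. Since the port-80 server already redirects everything to `https://$host$request_uri`, an `add_header Strict-Transport-Security` on the TLS server would complete that intent.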
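Review bot: `image: certbot/certbot` is unpinned and the certbot service has no command, so it runs the image's default entrypoint once and exits; there is no renewal loop and nothing reloads nginx after a renewal, so the deployment will serve an expired certificate once the first one lapses. Pin both images to a specific tag or digest and give certbot an `entrypoint` that renews on a schedule, paired with a periodic `nginx -s reload` on the nginx side. `- ./data/certbot/conf:/etc/letsencrypt` is mounted read-write into nginx although nginx only reads it, and that tree holds the private keys; `- ./data/certbot/conf:/etc/letsencrypt:ro` there is a cheap least-privilege improvement. The commented `NGINX_ENVSUBST_OUTPUT_DIR=/tmp/sites-enabled` and the `/tmp/sites-enabled` include in nginx.conf should be kept in step or both dropped.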
@@ -0,0 +1,26 @@
+#!/bin/bash
+ENV=env.production
+if [ ! -r "$ENV" ]; then
+ echo >&2 "$ENV: not found?"
+ exit 1
+fi
+
+source env.production
+
+if [ -z "${DOMAIN_NAME}" ]; then
+ echo >&2 "DOMAIN_NAME not set"
+ exit 1
+fi
+
+certdir="data/certbot/conf/live/${DOMAIN_NAME}"
+mkdir -p "$certdir"
+
+openssl req \
+ -x509 \
+ -newkey rsa:2048 \
+ -keyout "$certdir/privkey.pem" \
+ -out "$certdir/fullchain.pem" \
+ -sha256 \
+ -nodes \
+ -days 365 \
+ -subj "/CN=${DOMAIN_NAME}'" \
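Review bot: `-subj "/CN=${DOMAIN_NAME}'"` has a stray apostrophe inside the double-quoted string, so the self-signed bootstrap certificate's CN becomes `example.com'` rather than the domain; it should read `-subj "/CN=${DOMAIN_NAME}" \`. The script checks `$ENV` for readability but then runs `source env.production` with the literal name; `source "$ENV"` keeps the check and the load in step. The last visible line ends in a continuation backslash, so either further openssl arguments follow outside the shown hunk or the backslash is stray; either way the CN here is the bare domain while login.conf.template serves `login.${DOMAIN_NAME}`, so the bootstrap certificate will not match that name unless a SAN for the subdomain is added. The generated privkey.pem lands under the repository's data directory, so confirm its file mode and that the path is git-ignored.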