nginx: default to redirect everything on port 80

3 years ago · 5ab56b0dcd
parent bada2f23a9
commit 5ab56b0dcd
9 changed files with 86 additions and 44 deletions
--- a/html/index.html
+++ b/html/index.html
@ -0,0 +1,3 @@
+<h1>hackerspace.zone</h1>
+
+Home page.
--- a/nginx/docker-compose.yaml
+++ b/nginx/docker-compose.yaml
@ -9,6 +9,7 @@ services:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
      - ./nginx/templates:/etc/nginx/templates
      - ./nginx/includes:/etc/nginx/includes
+      - ../html:/var/www
      - ./data/certbot/www:/var/www/certbot
      - ./data/certbot/conf:/etc/letsencrypt
    env_file:
--- a/nginx/nginx/templates/000-default.conf.template
+++ b/nginx/nginx/templates/000-default.conf.template
@ -1,13 +1,13 @@
+# Redirect *all* port 80 traffic to the same thing on port 443
 server {
-	listen 80;
-	server_name ${DOMAIN_NAME};
+	listen 80 default_server;
 	location / {
 		return 301 https://$host$request_uri;
 	}
 }

 server {
-	server_name ${DOMAIN_NAME};
+	#server_name ${DOMAIN_NAME} default;
 	client_max_body_size 128m;

 	sendfile on;
@ -27,9 +27,14 @@ server {
 	chunked_transfer_encoding on;

 	location / {
+		root /var/www;
 	}

-	listen 443 ssl;
+	location /.well-known/matrix {
+		proxy_pass https://${MATRIX_HOSTNAME};
+	}
+
+	listen 443 ssl default_server;
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 	include /etc/nginx/includes/options-ssl-nginx.conf;
--- a/nginx/nginx/templates/chat.conf.template
+++ b/nginx/nginx/templates/chat.conf.template
@ -0,0 +1,73 @@
+map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+}
+
+server {
+	server_name ${MATRIX_HOSTNAME};
+	client_max_body_size 128m;
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	#include /etc/nginx/mime.types;
+	#default_type application/octet-stream;
+
+	gzip on;
+	gzip_disable "msie6";
+
+	proxy_read_timeout 1800s;
+
+	# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
+	chunked_transfer_encoding on;
+
+	location / {
+		proxy_pass http://host.docker.internal:5000;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+
+	location ~ ^(/_matrix|/_synapse/client) {
+		# note: do not add a path (even a single /) after the port in `proxy_pass`,
+		# otherwise nginx will canonicalise the URI and cause signature verification
+		# errors.
+		proxy_pass http://host.docker.internal:5008;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Host $host;
+
+		# Nginx by default only allows file uploads up to 1M in size
+		# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+		client_max_body_size 50M;
+	}
+
+	# serve the static content for the well known files
+	location /.well-known/matrix/server {
+		default_type application/json;
+		return 200 '{"m.server": "${MATRIX_HOSTNAME}:443"}';
+	}
+
+	location /.well-known/matrix/client {
+		default_type application/json;
+		return 200 '{"m.homeserver":{"base_url": "https://${MATRIX_HOSTNAME}"}}';  
+	}
+
+	# The federation port is not enabled; go through 443
+	#listen 8448 ssl http2 default_server;
+	#listen [::]:8448 ssl http2 default_server;
+
+	# For the user connection
+	listen 443 ssl http2;
+
+	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+	include /etc/nginx/includes/options-ssl-nginx.conf;
+	include /etc/nginx/includes/challenge.conf;
+	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+}
+
+
--- a/nginx/nginx/templates/cloud.conf.template
+++ b/nginx/nginx/templates/cloud.conf.template
@ -1,11 +1,3 @@
-server {
-	listen 80;
-	server_name ${NEXTCLOUD_HOSTNAME};
-	location / {
-		return 301 https://$host$request_uri;
-	}
-}
-
 server {
 	server_name ${NEXTCLOUD_HOSTNAME};
 	client_max_body_size 128m;
--- a/nginx/nginx/templates/dashboard.conf.template
+++ b/nginx/nginx/templates/dashboard.conf.template
@ -1,11 +1,3 @@
-server {
-	listen 80;
-	server_name ${GRAFANA_HOSTNAME};
-	location / {
-		return 301 https://$host$request_uri;
-	}
-}
-
 map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
--- a/nginx/nginx/templates/docs.conf.template
+++ b/nginx/nginx/templates/docs.conf.template
@ -1,11 +1,3 @@
-server {
-	listen 80;
-	server_name ${HEDGEDOC_HOSTNAME};
-	location / {
-		return 301 https://$host$request_uri;
-	}
-}
-
 map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
--- a/nginx/nginx/templates/login.conf.template
+++ b/nginx/nginx/templates/login.conf.template
@ -1,11 +1,3 @@
-server {
-	listen 80;
-	server_name login.${DOMAIN_NAME};
-	location / {
-		return 301 https://$host$request_uri;
-	}
-}
-
 server {
 	server_name login.${DOMAIN_NAME};
 	client_max_body_size 128m;
--- a/nginx/nginx/templates/social.conf.template
+++ b/nginx/nginx/templates/social.conf.template
@ -1,11 +1,3 @@
-server {
-	listen 80;
-	server_name social.${DOMAIN_NAME};
-	location / {
-		return 301 https://$host$request_uri;
-	}
-}
-
 map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;