From 5ab56b0dcd3223ed09a1b28b3fd7e54bf1197cab Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Wed, 4 May 2022 09:28:46 +0000
Subject: [PATCH] nginx: default to redirect everything on port 80
---
 html/index.html | 3 +
 nginx/docker-compose.yaml | 1 +
 .../nginx/templates/000-default.conf.template | 13 +++-
 nginx/nginx/templates/chat.conf.template | 73 +++++++++++++++++++
 nginx/nginx/templates/cloud.conf.template | 8 --
 nginx/nginx/templates/dashboard.conf.template | 8 --
 nginx/nginx/templates/docs.conf.template | 8 --
 nginx/nginx/templates/login.conf.template | 8 --
 nginx/nginx/templates/social.conf.template | 8 --
 9 files changed, 86 insertions(+), 44 deletions(-)
 create mode 100644 html/index.html
 create mode 100644 nginx/nginx/templates/chat.conf.template
diff --git a/html/index.html b/html/index.html
new file mode 100644
index 0000000..5647090
--- /dev/null
+++ b/html/index.html
@@ -0,0 +1,3 @@
+

hackerspace.zone

+ +Home page.
diff --git a/nginx/docker-compose.yaml b/nginx/docker-compose.yaml
index 2f5c93f..5516e96 100644
--- a/nginx/docker-compose.yaml
+++ b/nginx/docker-compose.yaml
@@ -9,6 +9,7 @@ services:
 - ./nginx/nginx.conf:/etc/nginx/nginx.conf
 - ./nginx/templates:/etc/nginx/templates
 - ./nginx/includes:/etc/nginx/includes
+ - ../html:/var/www
 - ./data/certbot/www:/var/www/certbot
 - ./data/certbot/conf:/etc/letsencrypt
 env_file:
diff --git a/nginx/nginx/templates/000-default.conf.template b/nginx/nginx/templates/000-default.conf.template
index 47b26a6..491ca2b 100644
--- a/nginx/nginx/templates/000-default.conf.template
+++ b/nginx/nginx/templates/000-default.conf.template
@@ -1,13 +1,13 @@
+# Redirect *all* port 80 traffic to the same thing on port 443
 server {
- listen 80;
- server_name ${DOMAIN_NAME};
+ listen 80 default_server;
 location / {
 return 301 https://$host$request_uri;
 }
 }
 server {
- server_name ${DOMAIN_NAME};
+ #server_name ${DOMAIN_NAME} default;
 client_max_body_size 128m;
 sendfile on;
@@ -27,9 +27,14 @@ server {
 chunked_transfer_encoding on;
 location / {
+ root /var/www;
 }
- listen 443 ssl;
+ location /.well-known/matrix {
+ proxy_pass https://${MATRIX_HOSTNAME};
+ }
+
+ listen 443 ssl default_server;
 ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 include /etc/nginx/includes/options-ssl-nginx.conf;
diff --git a/nginx/nginx/templates/chat.conf.template b/nginx/nginx/templates/chat.conf.template
new file mode 100644
index 0000000..54da46c
--- /dev/null
+++ b/nginx/nginx/templates/chat.conf.template
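Review bot: The new `- ../html:/var/www` bind mount is read-write, but nginx only needs to read the static site that the `root /var/www` location in 000-default.conf.template serves from it; mounting it as `- ../html:/var/www:ro` keeps a misconfigured or compromised container from altering the published content. Note also that `./data/certbot/www` is mounted beneath it at `/var/www/certbot`, so that directory tree becomes reachable through the default server's `location /` as well; that is harmless for ACME tokens, but a one-line comment stating that the overlap is deliberate would help the next reader.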
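Review bot: With `listen 80 default_server` and no `server_name`, the redirect block now answers every port-80 request, and `return 301 https://$host$request_uri;` copies whatever hostname the client sent (Host header or request line) into the Location header, so a request for a name this host does not serve, or for a bare IP, is redirected to `https://<that name>`, where the 443 default_server will answer with the `${DOMAIN_NAME}` certificate; that seems to be the intent of the catch-all, but it is worth a sentence in the header comment. The commented-out `#server_name ${DOMAIN_NAME} default;` left in the second block is misleading, since `default` on `server_name` is the long-deprecated spelling of `listen ... default_server`, which the same commit already adds below. I would replace it with a comment that states the intent, e.g. `# no server_name on purpose: this is the default_server for 443 and answers any name not claimed by another vhost`, or delete it. The second server block continues outside this hunk.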
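Review bot: `proxy_pass https://${MATRIX_HOSTNAME};` in the new `/.well-known/matrix` location sends the request back out through this same nginx's public TLS endpoint: `proxy_ssl_server_name` is left at its default (off), so no SNI is sent and the upstream handshake lands on this very default_server, after which the request reaches the chat vhost only because the Host header nginx sets from the proxy_pass hostname matches it; `proxy_ssl_verify` is also at its default of off, and the hop presumably depends on `${MATRIX_HOSTNAME}` resolving from inside the container to an address that routes back to this host. Since chat.conf.template already answers both well-known paths with static JSON, returning the same documents here removes the TLS-to-self dependency entirely; if the two copies must stay in sync, an nginx `include` shared by both templates would keep them in one place. The enclosing server block continues outside the hunk.
```nginx
 location / {
 root /var/www;
 }
 # Matrix delegation documents, same content as chat.conf.template
 location /.well-known/matrix/server {
 default_type application/json;
 return 200 '{"m.server": "${MATRIX_HOSTNAME}:443"}';
 }
 location /.well-known/matrix/client {
 default_type application/json;
 return 200 '{"m.homeserver":{"base_url": "https://${MATRIX_HOSTNAME}"}}';
 }
 # … unchanged: listen 443 ssl default_server and ssl_* directives …
```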
@@ -0,0 +1,73 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+server {
+ server_name ${MATRIX_HOSTNAME};
+ client_max_body_size 128m;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ #include /etc/nginx/mime.types;
+ #default_type application/octet-stream;
+
+ gzip on;
+ gzip_disable "msie6";
+
+ proxy_read_timeout 1800s;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
+ chunked_transfer_encoding on;
+
+ location / {
+ proxy_pass http://host.docker.internal:5000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location ~ ^(/_matrix|/_synapse/client) {
+ # note: do not add a path (even a single /) after the port in `proxy_pass`,
+ # otherwise nginx will canonicalise the URI and cause signature verification
+ # errors.
+ proxy_pass http://host.docker.internal:5008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size 50M;
+ }
+
+ # serve the static content for the well known files
+ location /.well-known/matrix/server {
+ default_type application/json;
+ return 200 '{"m.server": "${MATRIX_HOSTNAME}:443"}';
+ }
+
+ location /.well-known/matrix/client {
+ default_type application/json;
+ return 200 '{"m.homeserver":{"base_url": "https://${MATRIX_HOSTNAME}"}}';
+ }
+
+ # The federation port is not enabled; go through 443
+ #listen 8448 ssl http2 default_server;
+ #listen [::]:8448 ssl http2 default_server;
+
+ # For the user connection
+ listen 443 ssl http2;
+
+ ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+ include /etc/nginx/includes/options-ssl-nginx.conf;
+ include /etc/nginx/includes/challenge.conf;
+ ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+}
+
+
diff --git a/nginx/nginx/templates/cloud.conf.template b/nginx/nginx/templates/cloud.conf.template
index ccf30fe..306003a 100644
--- a/nginx/nginx/templates/cloud.conf.template
+++ b/nginx/nginx/templates/cloud.conf.template
@@ -1,11 +1,3 @@
-server {
- listen 80;
- server_name ${NEXTCLOUD_HOSTNAME};
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
 server {
 server_name ${NEXTCLOUD_HOSTNAME};
 client_max_body_size 128m;
diff --git a/nginx/nginx/templates/dashboard.conf.template b/nginx/nginx/templates/dashboard.conf.template
index f6eba64..c4327d2 100644
--- a/nginx/nginx/templates/dashboard.conf.template
+++ b/nginx/nginx/templates/dashboard.conf.template
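Review bot: The new `${MATRIX_HOSTNAME}` server presents `/etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem`, so Matrix clients and federating homeservers only get a valid chain if that certificate's SANs (or a wildcard) cover `${MATRIX_HOSTNAME}`; the issuance setup is not visible here, so either confirm that or give this vhost its own `ssl_certificate`/`ssl_certificate_key` pair, and record the requirement next to `listen 443 ssl http2;`, e.g. `# ${MATRIX_HOSTNAME} must be a SAN of the ${DOMAIN_NAME} certificate`. On that same line, `http2` is keyed to the shared port-443 listening socket, so enabling it here effectively enables it for every server block on 443, including the `default_server` in 000-default.conf.template that does not mention it; state it on all the `listen 443` lines or on the default_server alone so the behaviour is visible where it applies. The `$connection_upgrade` map at the top of the file is never referenced in it (no `Upgrade`/`Connection` headers are set in either location), so it can be dropped from this template. In `location /`, `X-Forwarded-For $proxy_add_x_forwarded_for` appends to any client-supplied header, whereas the `_matrix` location overwrites it with `$remote_addr`; if the service on :5000 trusts X-Forwarded-For, `proxy_set_header X-Forwarded-For $remote_addr;` there too is the safer choice, since this nginx is the only hop.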
@@ -1,11 +1,3 @@
-server {
- listen 80;
- server_name ${GRAFANA_HOSTNAME};
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
 map $http_upgrade $connection_upgrade {
 default upgrade;
 '' close;
diff --git a/nginx/nginx/templates/docs.conf.template b/nginx/nginx/templates/docs.conf.template
index ef4244a..c5e8241 100644
--- a/nginx/nginx/templates/docs.conf.template
+++ b/nginx/nginx/templates/docs.conf.template
@@ -1,11 +1,3 @@
-server {
- listen 80;
- server_name ${HEDGEDOC_HOSTNAME};
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
 map $http_upgrade $connection_upgrade {
 default upgrade;
 '' close;
diff --git a/nginx/nginx/templates/login.conf.template b/nginx/nginx/templates/login.conf.template
index d51c0ab..397b5c6 100644
--- a/nginx/nginx/templates/login.conf.template
+++ b/nginx/nginx/templates/login.conf.template
@@ -1,11 +1,3 @@
-server {
- listen 80;
- server_name login.${DOMAIN_NAME};
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
 server {
 server_name login.${DOMAIN_NAME};
 client_max_body_size 128m;
diff --git a/nginx/nginx/templates/social.conf.template b/nginx/nginx/templates/social.conf.template
index a18f404..9170395 100644
--- a/nginx/nginx/templates/social.conf.template
+++ b/nginx/nginx/templates/social.conf.template
@@ -1,11 +1,3 @@
-server {
- listen 80;
- server_name social.${DOMAIN_NAME};
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
 map $http_upgrade $connection_upgrade {
 default upgrade;
 '' close;