nginx: serve extra sites if requested

1 year ago · 9d6c61672c
parent e317ac9b92
commit 9d6c61672c
18 changed files with 54 additions and 143 deletions
--- a/7
+++ b/7
@ -82,6 +82,10 @@ data/gitea/host-setup.done:
 keycloak-setup: secrets-setup
 	docker exec keycloak /setup.sh

+# Determine the extra hostnames that need to be included in the SSL cert
+# see sites/README.md for an explanation of how to add additional sites
+EXTRA_HOSTNAMES=$(foreach f,$(wildcard sites/*.conf),$(notdir $(f:.conf=)))
+
 certbot:
 	$(DOCKER) \
 		run --entrypoint '/bin/sh -c "\
@ -97,8 +101,11 @@ certbot:
 			-d $(DOMAIN_NAME) \
 			$(foreach m,$(MODULES),\
 				-d $($(call UC,$m)_HOSTNAME).$(DOMAIN_NAME)) \
+			$(foreach m,$(EXTRA_HOSTNAMES),\
+				-d $m) \
 		"' certbot

+
 nginx-reload:
 	$(DOCKER) restart nginx
 nextcloud-restart:
--- a/gitea/nginx.conf
+++ b/gitea/nginx.conf
@ -26,10 +26,5 @@ server {
 		return 302 https://${GITEA_HOSTNAME}.${DOMAIN_NAME}/user/oauth2/keycloak;
 	}

-	listen 443 ssl;
-	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
-	include /etc/nginx/includes/options-ssl-nginx.conf;
-	include /etc/nginx/includes/challenge.conf;
-	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+	include /etc/nginx/includes/ssl.conf;
 }
--- a/grafana/nginx.conf
+++ b/grafana/nginx.conf
@ -41,12 +41,7 @@ server {
                proxy_set_header Connection $connection_upgrade;
        }

-	listen 443 ssl;
-	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
-	include /etc/nginx/includes/options-ssl-nginx.conf;
-	include /etc/nginx/includes/challenge.conf;
-	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+	include /etc/nginx/includes/ssl.conf;
 }


--- a/hedgedoc/nginx.conf
+++ b/hedgedoc/nginx.conf
@ -56,10 +56,5 @@ server {
                proxy_set_header Connection $connection_upgrade;
        }

-	listen 443 ssl;
-	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
-	include /etc/nginx/includes/options-ssl-nginx.conf;
-	include /etc/nginx/includes/challenge.conf;
-	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+	include /etc/nginx/includes/ssl.conf;
 }
--- a/keycloak/nginx.conf
+++ b/keycloak/nginx.conf
@ -10,12 +10,7 @@ server {
 		proxy_set_header X-Forwarded-Proto https;
 	}

-	listen 443 ssl;
-	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
-	include /etc/nginx/includes/options-ssl-nginx.conf;
-	include /etc/nginx/includes/challenge.conf;
-	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+	include /etc/nginx/includes/ssl.conf;
 }


--- a/mastodon/nginx.conf
+++ b/mastodon/nginx.conf
@ -14,22 +14,9 @@ upstream mastodon-streaming {
 proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;

 server {
-  listen 443 ssl http2;
  server_name ${MASTODON_HOSTNAME} ${MASTODON_HOSTNAME}.${DOMAIN_NAME};

-  ssl_protocols TLSv1.2 TLSv1.3;
-  ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
-  ssl_prefer_server_ciphers on;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_tickets off;
-  include /etc/nginx/includes/challenge.conf;
-
-  # Uncomment these lines once you acquire a certificate:
-  # ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
-  # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
-
-  ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+  include /etc/nginx/includes/ssl.conf;

  keepalive_timeout    70;
  sendfile             on;
--- a/matrix/nginx.conf
+++ b/matrix/nginx.conf
@ -60,12 +60,5 @@ server {
 	listen 8448 ssl http2 default_server;
 	#listen [::]:8448 ssl http2 default_server;

-	# For the user connection
-	listen 443 ssl http2;
-
-	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
-	include /etc/nginx/includes/options-ssl-nginx.conf;
-	include /etc/nginx/includes/challenge.conf;
-	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+	include /etc/nginx/includes/ssl.conf;
 }
--- a/mobilizon/nginx.conf
+++ b/mobilizon/nginx.conf
@ -26,10 +26,5 @@ server {
 		return 302 https://${MOBILIZON_HOSTNAME}.${DOMAIN_NAME}/auth/keycloak;
 	}

-	listen 443 ssl;
-	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
-	include /etc/nginx/includes/options-ssl-nginx.conf;
-	include /etc/nginx/includes/challenge.conf;
-	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+	include /etc/nginx/includes/ssl.conf;
 }
--- a/nextcloud/nginx.conf
+++ b/nextcloud/nginx.conf
@ -34,11 +34,5 @@ server {
 		proxy_set_header X-Forwarded-Proto $scheme;
 	}

-	listen 443 ssl;
-	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
-	include /etc/nginx/includes/options-ssl-nginx.conf;
-	include /etc/nginx/includes/challenge.conf;
-	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
-
+	include /etc/nginx/includes/ssl.conf;
 }
--- a/nginx.yaml
+++ b/nginx.yaml
@ -21,6 +21,7 @@ services:
      - ./html:/var/www/html:ro
      - ./data/nginx/certbot/www:/var/www/certbot:ro
      - ./data/nginx/certbot/conf:/etc/letsencrypt:rw
+      - ./sites:/etc/nginx/sites-enabled:ro
      - /home:/home:ro

  certbot:
--- a/nginx/default.conf
+++ b/nginx/default.conf
@ -113,11 +113,11 @@ server {
 		proxy_pass http://hedgedoc:3000$request_uri;
 	}

-	listen 443 ssl default_server;
-	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+	# this one can't include ssl.conf since it must be default server
+	listen 443 ssl http2 default_server;
+	ssl_certificate /etc/nginx/fullchain.pem;
+	ssl_certificate_key /etc/nginx/privkey.pem;
 	include /etc/nginx/includes/options-ssl-nginx.conf;
 	include /etc/nginx/includes/challenge.conf;
 	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
-
 }
--- a/nginx/docker-entrypoint.d/10-createkey.sh
+++ b/nginx/docker-entrypoint.d/10-createkey.sh
@ -8,6 +8,11 @@ fi

 certdir="/etc/letsencrypt/live/${DOMAIN_NAME}"

+# ensure that the keys are available with a fixed path
+for key in fullchain.pem privkey.pem ; do
+	ln -sf "$certdir/$key" "/etc/nginx/$key" || exit 1
+done
+
 if [ -r "$certdir/fullchain.pem" ]; then
 	exit 0
 fi
--- a/nginx/etc/includes/ssl.conf
+++ b/nginx/etc/includes/ssl.conf
@ -0,0 +1,9 @@
+# All SSL enabled websites use these parameters
+# the key will be filled in by the certbot tool
+
+listen 443 ssl http2;
+ssl_certificate /etc/nginx/fullchain.pem;
+ssl_certificate_key /etc/nginx/privkey.pem;
+include /etc/nginx/includes/options-ssl-nginx.conf;
+include /etc/nginx/includes/challenge.conf;
+ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
--- a/nginx/etc/nginx.conf
+++ b/nginx/etc/nginx.conf
@ -71,7 +71,7 @@ http {
 	##

 	include /etc/nginx/conf.d/*.conf;
-	include /etc/nginx/sites-enabled/*;
+	include /etc/nginx/sites-enabled/*.conf;
 	include /tmp/sites-enabled/*;

 log_format main 'XXXX $http_x_forwarded_for - $remote_user [$time_local] "$host" "$request" '
--- a/nginx/nginx/templates/chat.conf.template
+++ b/nginx/nginx/templates/chat.conf.template
@ -1,73 +0,0 @@
-map $http_upgrade $connection_upgrade {
-        default upgrade;
-        ''      close;
-}
-
-server {
-	server_name ${MATRIX_HOSTNAME};
-	client_max_body_size 128m;
-
-	sendfile on;
-	tcp_nopush on;
-	tcp_nodelay on;
-	keepalive_timeout 65;
-	types_hash_max_size 2048;
-	#include /etc/nginx/mime.types;
-	#default_type application/octet-stream;
-
-	gzip on;
-	gzip_disable "msie6";
-
-	proxy_read_timeout 1800s;
-
-	# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
-	chunked_transfer_encoding on;
-
-	location / {
-		proxy_pass http://host.docker.internal:5000;
-		proxy_set_header Host $host;
-		proxy_set_header X-Real-IP $remote_addr;
-		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-		proxy_set_header X-Forwarded-Proto $scheme;
-	}
-
-	location ~ ^(/_matrix|/_synapse/client) {
-		# note: do not add a path (even a single /) after the port in `proxy_pass`,
-		# otherwise nginx will canonicalise the URI and cause signature verification
-		# errors.
-		proxy_pass http://host.docker.internal:5008;
-		proxy_set_header X-Forwarded-For $remote_addr;
-		proxy_set_header X-Forwarded-Proto $scheme;
-		proxy_set_header Host $host;
-
-		# Nginx by default only allows file uploads up to 1M in size
-		# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
-		client_max_body_size 50M;
-	}
-
-	# serve the static content for the well known files
-	location /.well-known/matrix/server {
-		default_type application/json;
-		return 200 '{"m.server": "${MATRIX_HOSTNAME}:443"}';
-	}
-
-	location /.well-known/matrix/client {
-		default_type application/json;
-		return 200 '{"m.homeserver":{"base_url": "https://${MATRIX_HOSTNAME}"}}';  
-	}
-
-	# The federation port is not enabled; go through 443
-	#listen 8448 ssl http2 default_server;
-	#listen [::]:8448 ssl http2 default_server;
-
-	# For the user connection
-	listen 443 ssl http2;
-
-	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
-	include /etc/nginx/includes/options-ssl-nginx.conf;
-	include /etc/nginx/includes/challenge.conf;
-	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
-}
-
-
--- a/nitter/nginx.conf
+++ b/nitter/nginx.conf
@ -24,10 +24,5 @@ server {
 		proxy_set_header X-Real-IP $remote_addr;
 	}

-	listen 443 ssl;
-	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
-	include /etc/nginx/includes/options-ssl-nginx.conf;
-	include /etc/nginx/includes/challenge.conf;
-	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+	include /etc/nginx/includes/ssl.conf;
 }
--- a/sites/.gitignore
+++ b/sites/.gitignore
@ -0,0 +1 @@
+*.conf
--- a/sites/README.md
+++ b/sites/README.md
@ -0,0 +1,17 @@
+# Extra sites to proxy through nginx
+
+This is useful if you have only one external IP and need to
+route to non-dockerized systems or things that live outside
+of the hackerspace-zone ecosystem.
+
+Drop files in here named `fully.qualified.example.com.conf` and they will be
+added to the nginx environment, plus `make certbot` will include them in
+the SSL cert that it retrieves.
+
+Note that `envsubst` will *NOT* be run on these files.
+
+For the SSL key and ciphers, please add:
+
+```
+include /etc/nginx/includes/ssl.conf
+```