From 9d6c61672cc3609c18f16aadd4175f20867af1e1 Mon Sep 17 00:00:00 2001
From: Ubuntu
Date: Fri, 18 Nov 2022 21:03:24 +0000
Subject: [PATCH] nginx: serve extra sites if requested

---
 Makefile | 7 +++
 gitea/nginx.conf | 7 +--
 grafana/nginx.conf | 7 +--
 hedgedoc/nginx.conf | 7 +--
 keycloak/nginx.conf | 7 +--
 mastodon/nginx.conf | 15 +---
 matrix/nginx.conf | 9 +--
 mobilizon/nginx.conf | 7 +--
 nextcloud/nginx.conf | 8 +--
 nginx.yaml | 1 +
 nginx/default.conf | 8 +--
 nginx/docker-entrypoint.d/10-createkey.sh | 5 ++
 nginx/etc/includes/ssl.conf | 9 +++
 nginx/etc/nginx.conf | 2 +-
 nginx/nginx/templates/chat.conf.template | 73 ----------------------
 nitter/nginx.conf | 7 +--
 sites/.gitignore | 1 +
 sites/README.md | 17 ++++++
 18 files changed, 54 insertions(+), 143 deletions(-)
 create mode 100644 nginx/etc/includes/ssl.conf
 delete mode 100644 nginx/nginx/templates/chat.conf.template
 create mode 100644 sites/.gitignore
 create mode 100644 sites/README.md

diff --git a/Makefile b/Makefile
index 7fdb804..43852d3 100644
--- a/Makefile
+++ b/Makefile
@@ -82,6 +82,10 @@ data/gitea/host-setup.done:
 keycloak-setup: secrets-setup
 docker exec keycloak /setup.sh
 
+# Determine the extra hostnames that need to be included in the SSL cert
+# see sites/README.md for an explanation of how to add additional sites
+EXTRA_HOSTNAMES=$(foreach f,$(wildcard sites/*.conf),$(notdir $(f:.conf=)))
+
 certbot:
 $(DOCKER) \
 run --entrypoint '/bin/sh -c "\
@@ -97,8 +101,11 @@ certbot:
 -d $(DOMAIN_NAME) \
 $(foreach m,$(MODULES),\
 -d $($(call UC,$m)_HOSTNAME).$(DOMAIN_NAME)) \
+ $(foreach m,$(EXTRA_HOSTNAMES),\
+ -d $m) \
 "' certbot
+
 nginx-reload:
 $(DOCKER) restart nginx
 
 nextcloud-restart:
diff --git a/gitea/nginx.conf b/gitea/nginx.conf
index 25671e8..07a0585 100644
--- a/gitea/nginx.conf
+++ b/gitea/nginx.conf
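Review bot: `EXTRA_HOSTNAMES=` uses recursive assignment, so `$(wildcard sites/*.conf)` and the `foreach` are re-run every time the variable is expanded; the value depends only on the filesystem at parse time, so `EXTRA_HOSTNAMES := $(foreach f,$(wildcard sites/*.conf),$(notdir $(f:.conf=)))` is the right flavour. The comment above it should also spell out the contract: the host name is the file name with `.conf` stripped, taken verbatim and with any directory prefix dropped by `$(notdir …)`, so a misnamed file silently becomes a certificate SAN, e.g. `# hostname = basename of the .conf file; every file here becomes a SAN on the shared certificate`. The `certbot` rule that consumes the variable starts at the end of this hunk and continues past it.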
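Review bot: The new `-d $m` arguments put every `sites/*.conf` name on the same certificate as `$(DOMAIN_NAME)` and all module hostnames, so a single file whose name does not (yet) resolve to this host makes the certbot run fail for every service rather than only the extra site, and the same applies to renewals. A comment on the added lines, `# all names share one cert: a sites/*.conf that does not resolve here breaks certbot for every host`, plus the same sentence in sites/README.md, would save operators a debugging session. Like the existing `-d` lines, `$m` is expanded unquoted inside the `'/bin/sh -c "…"'` string, so file names are trusted to contain no whitespace or shell metacharacters; the `certbot` recipe begins before this hunk.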
@@ -26,10 +26,5 @@ server {
 return 302 https://${GITEA_HOSTNAME}.${DOMAIN_NAME}/user/oauth2/keycloak;
 }
 
- listen 443 ssl;
- ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
- include /etc/nginx/includes/options-ssl-nginx.conf;
- include /etc/nginx/includes/challenge.conf;
- ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+ include /etc/nginx/includes/ssl.conf;
 }
diff --git a/grafana/nginx.conf b/grafana/nginx.conf
index 5fd36b5..73f2279 100644
--- a/grafana/nginx.conf
+++ b/grafana/nginx.conf
@@ -41,12 +41,7 @@ server {
 proxy_set_header Connection $connection_upgrade;
 }
 
- listen 443 ssl;
- ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
- include /etc/nginx/includes/options-ssl-nginx.conf;
- include /etc/nginx/includes/challenge.conf;
- ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+ include /etc/nginx/includes/ssl.conf;
 }
 
 
diff --git a/hedgedoc/nginx.conf b/hedgedoc/nginx.conf
index 7a32b62..fe92826 100644
--- a/hedgedoc/nginx.conf
+++ b/hedgedoc/nginx.conf
@@ -56,10 +56,5 @@ server {
 proxy_set_header Connection $connection_upgrade;
 }
 
- listen 443 ssl;
- ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
- include /etc/nginx/includes/options-ssl-nginx.conf;
- include /etc/nginx/includes/challenge.conf;
- ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+ include /etc/nginx/includes/ssl.conf;
 }
diff --git a/keycloak/nginx.conf b/keycloak/nginx.conf
index e7398b5..559a331 100644
--- a/keycloak/nginx.conf
+++ b/keycloak/nginx.conf
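Review bot: The include replaces `listen 443 ssl;` with `listen 443 ssl http2;` from `ssl.conf`, so HTTP/2 is newly switched on for gitea, and likewise in the grafana, hedgedoc, keycloak, mobilizon, nextcloud and nitter hunks, all of which listened without `http2` before (matrix and mastodon already had it). That is presumably intended, but the commit message only speaks of extra sites, so it deserves a mention there or a comment in `ssl.conf` such as `# note: enables http2 for every server that includes this file`. If any of those backends is known to misbehave behind HTTP/2, that server needs its own `listen` line instead of the include. The enclosing `server` block begins before this hunk.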
@@ -10,12 +10,7 @@ server {
 proxy_set_header X-Forwarded-Proto https;
 }
 
- listen 443 ssl;
- ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
- include /etc/nginx/includes/options-ssl-nginx.conf;
- include /etc/nginx/includes/challenge.conf;
- ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+ include /etc/nginx/includes/ssl.conf;
 }
 
 
diff --git a/mastodon/nginx.conf b/mastodon/nginx.conf
index 22f9489..31a38db 100644
--- a/mastodon/nginx.conf
+++ b/mastodon/nginx.conf
@@ -14,22 +14,9 @@ upstream mastodon-streaming {
 proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
 
 server {
- listen 443 ssl http2;
 server_name ${MASTODON_HOSTNAME} ${MASTODON_HOSTNAME}.${DOMAIN_NAME};
 
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
- include /etc/nginx/includes/challenge.conf;
-
- # Uncomment these lines once you acquire a certificate:
- # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
- # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
-
- ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+ include /etc/nginx/includes/ssl.conf;
 
 keepalive_timeout 70;
 sendfile on;
diff --git a/matrix/nginx.conf b/matrix/nginx.conf
index 5ee4671..24c1bb3 100644
--- a/matrix/nginx.conf
+++ b/matrix/nginx.conf
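Review bot: This server loses its explicit TLS policy (`ssl_protocols TLSv1.2 TLSv1.3;`, `ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;`, `ssl_prefer_server_ciphers on;`, `ssl_session_cache shared:SSL:10m;`, `ssl_session_tickets off;`) and from now on inherits whatever `/etc/nginx/includes/options-ssl-nginx.conf` sets via `ssl.conf`, a file this diff does not show. Please confirm that file still restricts protocols to TLS 1.2/1.3, keeps session tickets off and configures a session cache; if not, this hunk silently relaxes Mastodon's TLS hardening. The other servers already relied on that include, so the check is needed once. The `server` block continues beyond this hunk.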
@@ -60,12 +60,5 @@ server {
 listen 8448 ssl http2 default_server;
 #listen [::]:8448 ssl http2 default_server;
 
- # For the user connection
- listen 443 ssl http2;
-
- ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
- include /etc/nginx/includes/options-ssl-nginx.conf;
- include /etc/nginx/includes/challenge.conf;
- ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+ include /etc/nginx/includes/ssl.conf;
 }
diff --git a/mobilizon/nginx.conf b/mobilizon/nginx.conf
index afbb1dd..32c474e 100644
--- a/mobilizon/nginx.conf
+++ b/mobilizon/nginx.conf
@@ -26,10 +26,5 @@ server {
 return 302 https://${MOBILIZON_HOSTNAME}.${DOMAIN_NAME}/auth/keycloak;
 }
 
- listen 443 ssl;
- ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
- include /etc/nginx/includes/options-ssl-nginx.conf;
- include /etc/nginx/includes/challenge.conf;
- ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+ include /etc/nginx/includes/ssl.conf;
 }
diff --git a/nextcloud/nginx.conf b/nextcloud/nginx.conf
index 3276a21..fa165d8 100644
--- a/nextcloud/nginx.conf
+++ b/nextcloud/nginx.conf
@@ -34,11 +34,5 @@ server {
 proxy_set_header X-Forwarded-Proto $scheme;
 }
 
- listen 443 ssl;
- ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
- include /etc/nginx/includes/options-ssl-nginx.conf;
- include /etc/nginx/includes/challenge.conf;
- ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
-
+ include /etc/nginx/includes/ssl.conf;
 }
diff --git a/nginx.yaml b/nginx.yaml
index b54d2c6..2599dcf 100644
--- a/nginx.yaml
+++ b/nginx.yaml
@@ -21,6 +21,7 @@ services:
 - ./html:/var/www/html:ro
 - ./data/nginx/certbot/www:/var/www/certbot:ro
 - ./data/nginx/certbot/conf:/etc/letsencrypt:rw
+ - ./sites:/etc/nginx/sites-enabled:ro
 - /home:/home:ro
 
 certbot:
diff --git a/nginx/default.conf b/nginx/default.conf
index 9953951..7acd24f 100644
--- a/nginx/default.conf
+++ b/nginx/default.conf
@@ -113,11 +113,11 @@ server {
 proxy_pass http://hedgedoc:3000$request_uri;
 }
 
- listen 443 ssl default_server;
- ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+ # this one can't include ssl.conf since it must be default server
+ listen 443 ssl http2 default_server;
+ ssl_certificate /etc/nginx/fullchain.pem;
+ ssl_certificate_key /etc/nginx/privkey.pem;
 include /etc/nginx/includes/options-ssl-nginx.conf;
 include /etc/nginx/includes/challenge.conf;
 ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
-
 }
diff --git a/nginx/docker-entrypoint.d/10-createkey.sh b/nginx/docker-entrypoint.d/10-createkey.sh
index eb718ef..1fd36f0 100755
--- a/nginx/docker-entrypoint.d/10-createkey.sh
+++ b/nginx/docker-entrypoint.d/10-createkey.sh
@@ -8,6 +8,11 @@ fi
 
 certdir="/etc/letsencrypt/live/${DOMAIN_NAME}"
 
+# ensure that the keys are available with a fixed path
+for key in fullchain.pem privkey.pem ; do
+ ln -sf "$certdir/$key" "/etc/nginx/$key" || exit 1
+done
+
 if [ -r "$certdir/fullchain.pem" ]; then
 exit 0
 fi
diff --git a/nginx/etc/includes/ssl.conf b/nginx/etc/includes/ssl.conf
new file mode 100644
index 0000000..a3fb796
--- /dev/null
+++ b/nginx/etc/includes/ssl.conf
@@ -0,0 +1,9 @@
+# All SSL enabled websites use these parameters
+# the key will be filled in by the certbot tool
+
+listen 443 ssl http2;
+ssl_certificate /etc/nginx/fullchain.pem;
+ssl_certificate_key /etc/nginx/privkey.pem;
+include /etc/nginx/includes/options-ssl-nginx.conf;
+include /etc/nginx/includes/challenge.conf;
+ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
diff --git a/nginx/etc/nginx.conf b/nginx/etc/nginx.conf
index 7cbedce..ad8ab09 100644
--- a/nginx/etc/nginx.conf
+++ b/nginx/etc/nginx.conf
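Review bot: The `ln -sf` loop runs before the script checks whether `$certdir/fullchain.pem` exists, so on a first start `/etc/nginx/fullchain.pem` and `/etc/nginx/privkey.pem` dangle until the code after the hunk (not shown here) provisions a certificate; this is only safe because nginx starts after the entrypoint hooks finish. The comment should record that, e.g. `# links may dangle until a certificate is provisioned below; nginx only starts after this hook`. Failing the container start with `|| exit 1` instead of continuing is the right choice for a TLS key path. The rest of the script lies outside the hunk.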
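Review bot: The header comment `# the key will be filled in by the certbot tool` is misleading: `/etc/nginx/fullchain.pem` and `/etc/nginx/privkey.pem` are symlinks into `/etc/letsencrypt/live/${DOMAIN_NAME}` created by `nginx/docker-entrypoint.d/10-createkey.sh`, and certbot only writes the link targets. Suggest replacing it with `# the two .pem paths are symlinks into /etc/letsencrypt/live/<domain>, created by docker-entrypoint.d/10-createkey.sh` and adding `# included inside a server {} block; that block must still set server_name`. `http2` as a `listen` parameter is deprecated in recent nginx releases in favour of a separate `http2 on;` directive; the image's nginx version is not visible here, so this is worth checking before the next base-image update.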
@@ -71,7 +71,7 @@ http {
 ##
 
 include /etc/nginx/conf.d/*.conf;
- include /etc/nginx/sites-enabled/*;
+ include /etc/nginx/sites-enabled/*.conf;
 include /tmp/sites-enabled/*;
 
 log_format main 'XXXX $http_x_forwarded_for - $remote_user [$time_local] "$host" "$request" '
diff --git a/nginx/nginx/templates/chat.conf.template b/nginx/nginx/templates/chat.conf.template
deleted file mode 100644
index 54da46c..0000000
--- a/nginx/nginx/templates/chat.conf.template
+++ /dev/null
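Review bot: Narrowing the include to `sites-enabled/*.conf` is needed because the bind mount now also carries `README.md` and `.gitignore`, but a matching drop-in is parsed verbatim in the `http` context with no validation, so one syntax error in `sites/` stops the whole proxy at the next restart, and `make nginx-reload` is a plain `docker restart nginx`. Consider validating first, e.g. `$(DOCKER) exec nginx nginx -t && $(DOCKER) restart nginx` in the Makefile's `nginx-reload` recipe. The README added by this commit is a likely trigger: its example `include /etc/nginx/includes/ssl.conf` lacks the trailing `;` nginx requires.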
@@ -1,73 +0,0 @@
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-server {
- server_name ${MATRIX_HOSTNAME};
- client_max_body_size 128m;
-
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 2048;
- #include /etc/nginx/mime.types;
- #default_type application/octet-stream;
-
- gzip on;
- gzip_disable "msie6";
-
- proxy_read_timeout 1800s;
-
- # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
- chunked_transfer_encoding on;
-
- location / {
- proxy_pass http://host.docker.internal:5000;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location ~ ^(/_matrix|/_synapse/client) {
- # note: do not add a path (even a single /) after the port in `proxy_pass`,
- # otherwise nginx will canonicalise the URI and cause signature verification
- # errors.
- proxy_pass http://host.docker.internal:5008;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Host $host;
-
- # Nginx by default only allows file uploads up to 1M in size
- # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
- client_max_body_size 50M;
- }
-
- # serve the static content for the well known files
- location /.well-known/matrix/server {
- default_type application/json;
- return 200 '{"m.server": "${MATRIX_HOSTNAME}:443"}';
- }
-
- location /.well-known/matrix/client {
- default_type application/json;
- return 200 '{"m.homeserver":{"base_url": "https://${MATRIX_HOSTNAME}"}}';
- }
-
- # The federation port is not enabled; go through 443
- #listen 8448 ssl http2 default_server;
- #listen [::]:8448 ssl http2 default_server;
-
- # For the user connection
- listen 443 ssl http2;
-
- ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
- include /etc/nginx/includes/options-ssl-nginx.conf;
- include /etc/nginx/includes/challenge.conf;
- ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
-}
-
-
diff --git a/nitter/nginx.conf b/nitter/nginx.conf
index 6627d79..6124d33 100644
--- a/nitter/nginx.conf
+++ b/nitter/nginx.conf
@@ -24,10 +24,5 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 }
 
- listen 443 ssl;
- ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
- include /etc/nginx/includes/options-ssl-nginx.conf;
- include /etc/nginx/includes/challenge.conf;
- ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+ include /etc/nginx/includes/ssl.conf;
 }
diff --git a/sites/.gitignore b/sites/.gitignore
new file mode 100644
index 0000000..fee9217
--- /dev/null
+++ b/sites/.gitignore
@@ -0,0 +1 @@
+*.conf
diff --git a/sites/README.md b/sites/README.md
new file mode 100644
index 0000000..2c60310
--- /dev/null
+++ b/sites/README.md
@@ -0,0 +1,17 @@
+# Extra sites to proxy through nginx
+
+This is useful if you have only one external IP and need to
+route to non-dockerized systems or things that live outside
+of the hackerspace-zone ecosystem.
+
+Drop files in here named `fully.qualified.example.com.conf` and they will be
+added to the nginx environment, plus `make certbot` will include them in
+the SSL cert that it retrieves.
+
+Note that `envsubst` will *NOT* be run on these files.
+
+For the SSL key and ciphers, please add:
+
+```
+include /etc/nginx/includes/ssl.conf
+```