nginx: serve extra sites if requested

2 years ago · 9d6c61672c
parent e317ac9b92
commit 9d6c61672c
18 changed files with 54 additions and 143 deletions
--- a/7
+++ b/7
@ -82,6 +82,10 @@ data/gitea/host-setup.done:
 keycloak-setup: secrets-setup
 	docker exec keycloak /setup.sh
 # Determine the extra hostnames that need to be included in the SSL cert
 # see sites/README.md for an explanation of how to add additional sites
 EXTRA_HOSTNAMES=$(foreach f,$(wildcard sites/*.conf),$(notdir $(f:.conf=)))
 certbot:
 	$(DOCKER) \
 		run --entrypoint '/bin/sh -c "\
@ -97,8 +101,11 @@ certbot:
 			-d $(DOMAIN_NAME) \
 			$(foreach m,$(MODULES),\
 				-d $($(call UC,$m)_HOSTNAME).$(DOMAIN_NAME)) \
 			$(foreach m,$(EXTRA_HOSTNAMES),\
 				-d $m) \
 		"' certbot
 nginx-reload:
 	$(DOCKER) restart nginx
 nextcloud-restart:
--- a/gitea/nginx.conf
+++ b/gitea/nginx.conf
@ -26,10 +26,5 @@ server {
 		return 302 https://${GITEA_HOSTNAME}.${DOMAIN_NAME}/user/oauth2/keycloak;
 	}
-	listen 443 ssl;
+	include /etc/nginx/includes/ssl.conf;
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 	include /etc/nginx/includes/options-ssl-nginx.conf;
 	include /etc/nginx/includes/challenge.conf;
 	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
 }
--- a/grafana/nginx.conf
+++ b/grafana/nginx.conf
@ -41,12 +41,7 @@ server {
                proxy_set_header Connection $connection_upgrade;
        }
-	listen 443 ssl;
+	include /etc/nginx/includes/ssl.conf;
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 	include /etc/nginx/includes/options-ssl-nginx.conf;
 	include /etc/nginx/includes/challenge.conf;
 	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
 }
--- a/hedgedoc/nginx.conf
+++ b/hedgedoc/nginx.conf
@ -56,10 +56,5 @@ server {
                proxy_set_header Connection $connection_upgrade;
        }
-	listen 443 ssl;
+	include /etc/nginx/includes/ssl.conf;
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 	include /etc/nginx/includes/options-ssl-nginx.conf;
 	include /etc/nginx/includes/challenge.conf;
 	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
 }
--- a/keycloak/nginx.conf
+++ b/keycloak/nginx.conf
@ -10,12 +10,7 @@ server {
 		proxy_set_header X-Forwarded-Proto https;
 	}
-	listen 443 ssl;
+	include /etc/nginx/includes/ssl.conf;
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 	include /etc/nginx/includes/options-ssl-nginx.conf;
 	include /etc/nginx/includes/challenge.conf;
 	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
 }
--- a/mastodon/nginx.conf
+++ b/mastodon/nginx.conf
@ -14,22 +14,9 @@ upstream mastodon-streaming {
 proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
 server {
  listen 443 ssl http2;
  server_name ${MASTODON_HOSTNAME} ${MASTODON_HOSTNAME}.${DOMAIN_NAME};
-  ssl_protocols TLSv1.2 TLSv1.3;
+  include /etc/nginx/includes/ssl.conf;
  ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  include /etc/nginx/includes/challenge.conf;
  # Uncomment these lines once you acquire a certificate:
  # ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
  # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
  keepalive_timeout    70;
  sendfile             on;
--- a/matrix/nginx.conf
+++ b/matrix/nginx.conf
@ -60,12 +60,5 @@ server {
 	listen 8448 ssl http2 default_server;
 	#listen [::]:8448 ssl http2 default_server;
-	# For the user connection
+	include /etc/nginx/includes/ssl.conf;
 	listen 443 ssl http2;
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 	include /etc/nginx/includes/options-ssl-nginx.conf;
 	include /etc/nginx/includes/challenge.conf;
 	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
 }
--- a/mobilizon/nginx.conf
+++ b/mobilizon/nginx.conf
@ -26,10 +26,5 @@ server {
 		return 302 https://${MOBILIZON_HOSTNAME}.${DOMAIN_NAME}/auth/keycloak;
 	}
-	listen 443 ssl;
+	include /etc/nginx/includes/ssl.conf;
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 	include /etc/nginx/includes/options-ssl-nginx.conf;
 	include /etc/nginx/includes/challenge.conf;
 	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
 }
--- a/nextcloud/nginx.conf
+++ b/nextcloud/nginx.conf
@ -34,11 +34,5 @@ server {
 		proxy_set_header X-Forwarded-Proto $scheme;
 	}
-	listen 443 ssl;
+	include /etc/nginx/includes/ssl.conf;
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 	include /etc/nginx/includes/options-ssl-nginx.conf;
 	include /etc/nginx/includes/challenge.conf;
 	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
 }
--- a/nginx.yaml
+++ b/nginx.yaml
@ -21,6 +21,7 @@ services:
      - ./html:/var/www/html:ro
      - ./data/nginx/certbot/www:/var/www/certbot:ro
      - ./data/nginx/certbot/conf:/etc/letsencrypt:rw
      - ./sites:/etc/nginx/sites-enabled:ro
      - /home:/home:ro
  certbot:
--- a/nginx/default.conf
+++ b/nginx/default.conf
@ -113,11 +113,11 @@ server {
 		proxy_pass http://hedgedoc:3000$request_uri;
 	}
-	listen 443 ssl default_server;
+	# this one can't include ssl.conf since it must be default server
-	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+	listen 443 ssl http2 default_server;
-	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+	ssl_certificate /etc/nginx/fullchain.pem;
 	ssl_certificate_key /etc/nginx/privkey.pem;
 	include /etc/nginx/includes/options-ssl-nginx.conf;
 	include /etc/nginx/includes/challenge.conf;
 	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
 }
--- a/nginx/docker-entrypoint.d/10-createkey.sh
+++ b/nginx/docker-entrypoint.d/10-createkey.sh
@ -8,6 +8,11 @@ fi
 certdir="/etc/letsencrypt/live/${DOMAIN_NAME}"
 # ensure that the keys are available with a fixed path
 for key in fullchain.pem privkey.pem ; do
 	ln -sf "$certdir/$key" "/etc/nginx/$key" || exit 1
 done
 if [ -r "$certdir/fullchain.pem" ]; then
 	exit 0
 fi
--- a/nginx/etc/includes/ssl.conf
+++ b/nginx/etc/includes/ssl.conf
@ -0,0 +1,9 @@
 # All SSL enabled websites use these parameters
 # the key will be filled in by the certbot tool
 listen 443 ssl http2;
 ssl_certificate /etc/nginx/fullchain.pem;
 ssl_certificate_key /etc/nginx/privkey.pem;
 include /etc/nginx/includes/options-ssl-nginx.conf;
 include /etc/nginx/includes/challenge.conf;
 ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
--- a/nginx/etc/nginx.conf
+++ b/nginx/etc/nginx.conf
@ -71,7 +71,7 @@ http {
 	##
 	include /etc/nginx/conf.d/*.conf;
-	include /etc/nginx/sites-enabled/*;
+	include /etc/nginx/sites-enabled/*.conf;
 	include /tmp/sites-enabled/*;
 log_format main 'XXXX $http_x_forwarded_for - $remote_user [$time_local] "$host" "$request" '
--- a/nginx/nginx/templates/chat.conf.template
+++ b/nginx/nginx/templates/chat.conf.template
@ -1,73 +0,0 @@
 map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
 }
 server {
 	server_name ${MATRIX_HOSTNAME};
 	client_max_body_size 128m;
 	sendfile on;
 	tcp_nopush on;
 	tcp_nodelay on;
 	keepalive_timeout 65;
 	types_hash_max_size 2048;
 	#include /etc/nginx/mime.types;
 	#default_type application/octet-stream;
 	gzip on;
 	gzip_disable "msie6";
 	proxy_read_timeout 1800s;
 	# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
 	chunked_transfer_encoding on;
 	location / {
 		proxy_pass http://host.docker.internal:5000;
 		proxy_set_header Host $host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 	}
 	location ~ ^(/_matrix|/_synapse/client) {
 		# note: do not add a path (even a single /) after the port in `proxy_pass`,
 		# otherwise nginx will canonicalise the URI and cause signature verification
 		# errors.
 		proxy_pass http://host.docker.internal:5008;
 		proxy_set_header X-Forwarded-For $remote_addr;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header Host $host;
 		# Nginx by default only allows file uploads up to 1M in size
 		# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
 		client_max_body_size 50M;
 	}
 	# serve the static content for the well known files
 	location /.well-known/matrix/server {
 		default_type application/json;
 		return 200 '{"m.server": "${MATRIX_HOSTNAME}:443"}';
 	}
 	location /.well-known/matrix/client {
 		default_type application/json;
 		return 200 '{"m.homeserver":{"base_url": "https://${MATRIX_HOSTNAME}"}}';  
 	}
 	# The federation port is not enabled; go through 443
 	#listen 8448 ssl http2 default_server;
 	#listen [::]:8448 ssl http2 default_server;
 	# For the user connection
 	listen 443 ssl http2;
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 	include /etc/nginx/includes/options-ssl-nginx.conf;
 	include /etc/nginx/includes/challenge.conf;
 	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
 }
--- a/nitter/nginx.conf
+++ b/nitter/nginx.conf
@ -24,10 +24,5 @@ server {
 		proxy_set_header X-Real-IP $remote_addr;
 	}
-	listen 443 ssl;
+	include /etc/nginx/includes/ssl.conf;
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 	include /etc/nginx/includes/options-ssl-nginx.conf;
 	include /etc/nginx/includes/challenge.conf;
 	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
 }
--- a/sites/.gitignore
+++ b/sites/.gitignore
@ -0,0 +1 @@
 *.conf
--- a/sites/README.md
+++ b/sites/README.md
@ -0,0 +1,17 @@
 # Extra sites to proxy through nginx
 This is useful if you have only one external IP and need to
 route to non-dockerized systems or things that live outside
 of the hackerspace-zone ecosystem.
 Drop files in here named `fully.qualified.example.com.conf` and they will be
 added to the nginx environment, plus `make certbot` will include them in
 the SSL cert that it retrieves.
 Note that `envsubst` will *NOT* be run on these files.
 For the SSL key and ciphers, please add:
 ```
 include /etc/nginx/includes/ssl.conf
 ```