nginx: serve extra sites if requested

single-dockerfile
Ubuntu 2 years ago
parent e317ac9b92
commit 9d6c61672c
  1. 7
      Makefile
  2. 7
      gitea/nginx.conf
  3. 7
      grafana/nginx.conf
  4. 7
      hedgedoc/nginx.conf
  5. 7
      keycloak/nginx.conf
  6. 15
      mastodon/nginx.conf
  7. 9
      matrix/nginx.conf
  8. 7
      mobilizon/nginx.conf
  9. 8
      nextcloud/nginx.conf
  10. 1
      nginx.yaml
  11. 8
      nginx/default.conf
  12. 5
      nginx/docker-entrypoint.d/10-createkey.sh
  13. 9
      nginx/etc/includes/ssl.conf
  14. 2
      nginx/etc/nginx.conf
  15. 73
      nginx/nginx/templates/chat.conf.template
  16. 7
      nitter/nginx.conf
  17. 1
      sites/.gitignore
  18. 17
      sites/README.md

@ -82,6 +82,10 @@ data/gitea/host-setup.done:
keycloak-setup: secrets-setup
docker exec keycloak /setup.sh
# Determine the extra hostnames that need to be included in the SSL cert
# see sites/README.md for an explanation of how to add additional sites
EXTRA_HOSTNAMES=$(foreach f,$(wildcard sites/*.conf),$(notdir $(f:.conf=)))
certbot:
$(DOCKER) \
run --entrypoint '/bin/sh -c "\
@ -97,8 +101,11 @@ certbot:
-d $(DOMAIN_NAME) \
$(foreach m,$(MODULES),\
-d $($(call UC,$m)_HOSTNAME).$(DOMAIN_NAME)) \
$(foreach m,$(EXTRA_HOSTNAMES),\
-d $m) \
"' certbot
nginx-reload:
$(DOCKER) restart nginx
nextcloud-restart:
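Review bot: `EXTRA_HOSTNAMES` is assigned with `=`, so the `$(wildcard sites/*.conf)` directory scan is re-run every time the variable is expanded; it should be `EXTRA_HOSTNAMES := $(foreach f,$(wildcard sites/*.conf),$(notdir $(f:.conf=)))`. Each derived name is then spliced unquoted into the `/bin/sh -c "…"` string of the `certbot` recipe, so a file in sites/ whose name contains whitespace or shell metacharacters breaks or alters that command line; since sites/ is host-controlled and git-ignored, a check that rejects names made of anything other than letters, digits, `.` and `-` before the recipe runs would be worth adding. The target would also benefit from a comment such as `# certbot validates every -d name in one request: an extra hostname that does not resolve to this host fails the run for the module hostnames too`. The `certbot` recipe continues outside the first hunk.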

@ -26,10 +26,5 @@ server {
return 302 https://${GITEA_HOSTNAME}.${DOMAIN_NAME}/user/oauth2/keycloak;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
include /etc/nginx/includes/options-ssl-nginx.conf;
include /etc/nginx/includes/challenge.conf;
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
include /etc/nginx/includes/ssl.conf;
}

@ -41,12 +41,7 @@ server {
proxy_set_header Connection $connection_upgrade;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
include /etc/nginx/includes/options-ssl-nginx.conf;
include /etc/nginx/includes/challenge.conf;
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
include /etc/nginx/includes/ssl.conf;
}

@ -56,10 +56,5 @@ server {
proxy_set_header Connection $connection_upgrade;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
include /etc/nginx/includes/options-ssl-nginx.conf;
include /etc/nginx/includes/challenge.conf;
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
include /etc/nginx/includes/ssl.conf;
}

@ -10,12 +10,7 @@ server {
proxy_set_header X-Forwarded-Proto https;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
include /etc/nginx/includes/options-ssl-nginx.conf;
include /etc/nginx/includes/challenge.conf;
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
include /etc/nginx/includes/ssl.conf;
}

@ -14,22 +14,9 @@ upstream mastodon-streaming {
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
server {
listen 443 ssl http2;
server_name ${MASTODON_HOSTNAME} ${MASTODON_HOSTNAME}.${DOMAIN_NAME};
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
include /etc/nginx/includes/challenge.conf;
# Uncomment these lines once you acquire a certificate:
# ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
include /etc/nginx/includes/ssl.conf;
keepalive_timeout 70;
sendfile on;
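Review bot: The removed lines drop Mastodon's explicit `ssl_protocols TLSv1.2 TLSv1.3;`, `ssl_prefer_server_ciphers on;`, `ssl_session_cache` and `ssl_session_tickets off;` in favour of whatever `/etc/nginx/includes/options-ssl-nginx.conf` (pulled in through ssl.conf) sets, and that file is not part of this commit. If it is certbot's stock options file it covers protocols, ciphers and session tickets, but this should be confirmed, because losing `ssl_session_tickets off` can quietly weaken forward secrecy of resumed sessions. A comment on the added line, e.g. `include /etc/nginx/includes/ssl.conf;  # protocol/cipher/session-ticket settings now come from options-ssl-nginx.conf`, would tell the next reader where the settings went. The server block continues outside the hunk.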

@ -60,12 +60,5 @@ server {
listen 8448 ssl http2 default_server;
#listen [::]:8448 ssl http2 default_server;
# For the user connection
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
include /etc/nginx/includes/options-ssl-nginx.conf;
include /etc/nginx/includes/challenge.conf;
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
include /etc/nginx/includes/ssl.conf;
}

@ -26,10 +26,5 @@ server {
return 302 https://${MOBILIZON_HOSTNAME}.${DOMAIN_NAME}/auth/keycloak;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
include /etc/nginx/includes/options-ssl-nginx.conf;
include /etc/nginx/includes/challenge.conf;
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
include /etc/nginx/includes/ssl.conf;
}

@ -34,11 +34,5 @@ server {
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
include /etc/nginx/includes/options-ssl-nginx.conf;
include /etc/nginx/includes/challenge.conf;
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
include /etc/nginx/includes/ssl.conf;
}

@ -21,6 +21,7 @@ services:
- ./html:/var/www/html:ro
- ./data/nginx/certbot/www:/var/www/certbot:ro
- ./data/nginx/certbot/conf:/etc/letsencrypt:rw
- ./sites:/etc/nginx/sites-enabled:ro
- /home:/home:ro
certbot:

@ -113,11 +113,11 @@ server {
proxy_pass http://hedgedoc:3000$request_uri;
}
listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
# this one can't include ssl.conf since it must be default server
listen 443 ssl http2 default_server;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
include /etc/nginx/includes/options-ssl-nginx.conf;
include /etc/nginx/includes/challenge.conf;
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
}

@ -8,6 +8,11 @@ fi
certdir="/etc/letsencrypt/live/${DOMAIN_NAME}"
# ensure that the keys are available with a fixed path
for key in fullchain.pem privkey.pem ; do
ln -sf "$certdir/$key" "/etc/nginx/$key" || exit 1
done
if [ -r "$certdir/fullchain.pem" ]; then
exit 0
fi
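Review bot: The `ln -sf` loop creates the `/etc/nginx/fullchain.pem` and `/etc/nginx/privkey.pem` symlinks into `$certdir` before the `[ -r "$certdir/fullchain.pem" ]` check, so on a host that has not run certbot yet both links dangle, and whatever the remainder of the script (outside this hunk) does for the no-certificate case will write through them into the letsencrypt live directory if it targets the `/etc/nginx/…` paths; that directory is mounted `rw` in nginx.yaml, so this should be confirmed against the rest of the script and `$certdir` created first if writing there is the intent. A comment such as `# links may dangle until certbot has run; anything written to /etc/nginx/*.pem lands in $certdir` would make the ordering explicit. The enclosing script starts before this hunk.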

@ -0,0 +1,9 @@
# All SSL enabled websites use these parameters
# the key will be filled in by the certbot tool
listen 443 ssl http2;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
include /etc/nginx/includes/options-ssl-nginx.conf;
include /etc/nginx/includes/challenge.conf;
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
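Review bot: The header comment `# the key will be filled in by the certbot tool` is misleading: `/etc/nginx/fullchain.pem` and `/etc/nginx/privkey.pem` are symlinks created by `nginx/docker-entrypoint.d/10-createkey.sh` into `/etc/letsencrypt/live/${DOMAIN_NAME}/`, and certbot only populates the link targets. Suggest `# fullchain.pem/privkey.pem are symlinks (made by docker-entrypoint.d/10-createkey.sh) into the letsencrypt live dir; certbot fills in the targets`. Bundling `listen 443 ssl http2;` into the include also means every including server block now gets HTTP/2 (gitea, grafana, hedgedoc, keycloak, mobilizon, nextcloud and nitter previously used `listen 443 ssl;`) and cannot keep a `listen 443` line of its own without nginx rejecting the duplicate listen, which is what forces default.conf to copy these directives by hand; either state that in the comment or move `listen` out of the include.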

@ -71,7 +71,7 @@ http {
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
include /etc/nginx/sites-enabled/*.conf;
include /tmp/sites-enabled/*;
log_format main 'XXXX $http_x_forwarded_for - $remote_user [$time_local] "$host" "$request" '

@ -1,73 +0,0 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
server_name ${MATRIX_HOSTNAME};
client_max_body_size 128m;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
#include /etc/nginx/mime.types;
#default_type application/octet-stream;
gzip on;
gzip_disable "msie6";
proxy_read_timeout 1800s;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
chunked_transfer_encoding on;
location / {
proxy_pass http://host.docker.internal:5000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location ~ ^(/_matrix|/_synapse/client) {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://host.docker.internal:5008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
}
# serve the static content for the well known files
location /.well-known/matrix/server {
default_type application/json;
return 200 '{"m.server": "${MATRIX_HOSTNAME}:443"}';
}
location /.well-known/matrix/client {
default_type application/json;
return 200 '{"m.homeserver":{"base_url": "https://${MATRIX_HOSTNAME}"}}';
}
# The federation port is not enabled; go through 443
#listen 8448 ssl http2 default_server;
#listen [::]:8448 ssl http2 default_server;
# For the user connection
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
include /etc/nginx/includes/options-ssl-nginx.conf;
include /etc/nginx/includes/challenge.conf;
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
}

@ -24,10 +24,5 @@ server {
proxy_set_header X-Real-IP $remote_addr;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
include /etc/nginx/includes/options-ssl-nginx.conf;
include /etc/nginx/includes/challenge.conf;
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
include /etc/nginx/includes/ssl.conf;
}

1
sites/.gitignore vendored

@ -0,0 +1 @@
*.conf

@ -0,0 +1,17 @@
# Extra sites to proxy through nginx
This is useful if you have only one external IP and need to
route to non-dockerized systems or things that live outside
of the hackerspace-zone ecosystem.
Drop files in here named `fully.qualified.example.com.conf` and they will be
added to the nginx environment, plus `make certbot` will include them in
the SSL cert that it retrieves.
Note that `envsubst` will *NOT* be run on these files.
For the SSL key and ciphers, please add:
```
include /etc/nginx/includes/ssl.conf
```