Added Nginx config

2020-08-03 19:28:39 +02:00 · 2020-08-03 19:28:39 +02:00 · a0299960b5
parent a17c235b32
commit a0299960b5
16 changed files with 532 additions and 0 deletions
--- a/nginx/common.conf
+++ b/nginx/common.conf
@ -0,0 +1,11 @@
+location ^~ /.well-known/acme-challenge {
+	alias /var/www/dehydrated;
+}
+
+if ($blockedagent) {
+	return 403;
+}
+
+if ($request_method !~ ^(GET|PUT|POST)$ ) {
+	return 444;
+}
--- a/nginx/conf.d/blockuseragents.conf
+++ b/nginx/conf.d/blockuseragents.conf
@ -0,0 +1,7 @@
+map $http_user_agent $blockedagent {
+    default         0;
+    ~*malicious     1;
+    ~*backdoor      1;
+    ~*crawler       1;
+    ~*spider        1;
+}
--- a/nginx/conf.d/ddos.conf
+++ b/nginx/conf.d/ddos.conf
@ -0,0 +1,17 @@
+# Slow DDOS Protection
+
+client_body_timeout         10;
+client_header_timeout       10;
+keepalive_timeout           5 5;
+send_timeout                10;
+
+
+# DDOS Protection
+
+# Maximum request per IP // 100 per seconde
+limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s;
+limit_req zone=flood burst=100 nodelay;
+
+# Maximum Connection per IP // 100 per seconde
+limit_conn_zone $binary_remote_addr zone=ddos:10m;
+limit_conn ddos 100;
--- a/nginx/conf.d/header.conf
+++ b/nginx/conf.d/header.conf
@ -0,0 +1,6 @@
+# Bad Header Protection
+add_header X-Frame-Options           SAMEORIGIN;
+add_header X-Content-Type-Options    nosniff;
+add_header X-XSS-Protection          "1; mode=block";
+add_header Referrer-Policy           "strict-origin-when-cross-origin";
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
--- a/nginx/gzip.conf
+++ b/nginx/gzip.conf
@ -0,0 +1,4 @@
+gzip		on;
+gzip_vary	on;
+gzip_types	*;
+gzip_min_length	1000;
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@ -0,0 +1,29 @@
+user http;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+    multi_accept on;
+    use epoll;
+    worker_connections 256;
+}
+
+http {
+
+    index               index.html index.htm index.php;
+
+    server_tokens       off;
+
+    include             /etc/nginx/mime.types;
+    charset_types       text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+
+    types_hash_bucket_size 128;
+
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}
--- a/nginx/sites-available/000-default.conf
+++ b/nginx/sites-available/000-default.conf
@ -0,0 +1,22 @@
+server {
+
+    listen 127.0.0.1:8080;
+
+    access_log off;
+
+    location /nginx-status {
+        stub_status on;
+    }
+
+}
+
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+	
+	server_name _;
+
+	include common.conf;
+
+	return 301 https://www.planet-casio.com;
+}
--- a/nginx/sites-available/bible.conf
+++ b/nginx/sites-available/bible.conf
@ -0,0 +1,51 @@
+server {
+	listen [::]:80;
+	listen *:80;
+
+	server_name bible.planet-casio.com;
+	
+	include common.conf;
+
+	access_log /var/log/nginx/bible_access.log;
+	error_log /var/log/nginx/bible_error.log;
+
+	location / {
+		return 301 https://$server_name$request_uri;
+	}
+}
+
+server {
+	listen [::]:443 ssl http2;
+	listen *:443 ssl http2;
+
+	server_name bible.planet-casio.com;
+	
+	include common.conf;
+	include ssl.conf;
+
+	ssl_certificate             /etc/dehydrated/certs/bible.planet-casio.com/fullchain.pem;
+	ssl_certificate_key         /etc/dehydrated/certs/bible.planet-casio.com/privkey.pem;
+
+	access_log /var/log/nginx/bible_access.log;
+	error_log /var/log/nginx/bible_error.log;
+
+	root /home/bible/www;
+
+	location / {
+		autoindex on;
+		charset utf8;
+		rewrite ^/casio(.*)$ /common/casio$1 permanent;
+		rewrite ^/hardware(.*)$ /common/hardware$1 permanent;
+		rewrite ^/renesas(.*)$ /common/renesas$1 permanent;
+		rewrite ^/misc(.*)$ /common/misc$1 permanent;
+		rewrite ^/user_manuals(.*)$ /common/user_manuals$1 permanent;
+	}
+
+	location /yatis/.git/ {
+		deny all;
+	}
+
+	location /cakeisalie5/websaves/graph100.com/forum/ {
+		charset ISO-8859;
+	}
+}
--- a/nginx/sites-available/creativecalc.conf
+++ b/nginx/sites-available/creativecalc.conf
@ -0,0 +1,57 @@
+server {
+	listen [::]:80;
+	listen *:80;
+
+	server_name creativecalc.fr www.creativecalc.fr;
+	
+	include common.conf;
+
+	access_log /var/log/nginx/creativecalc_access.log;
+	error_log /var/log/nginx/creativecalc_error.log;
+
+	location / {
+		return 301 https://$server_name$request_uri;
+	}
+}
+
+server {
+	listen [::]:443 ssl http2;
+	listen *:443 ssl http2;
+
+	server_name creativecalc.fr;
+	
+	include common.conf;
+	include ssl.conf;
+
+	ssl_certificate             /etc/dehydrated/certs/creativecalc.fr/fullchain.pem;
+	ssl_certificate_key         /etc/dehydrated/certs/creativecalc.fr/privkey.pem;
+
+	access_log /var/log/nginx/creativecalc_access.log;
+	error_log /var/log/nginx/creativecalc_error.log;
+
+	location / {
+		return 301 https://www.creativecalc.fr$request_uri;
+	}
+}
+
+server {
+	listen [::]:443 ssl http2;
+	listen *:443 ssl http2;
+
+	server_name www.creativecalc.fr;
+	
+	include common.conf;
+	include ssl.conf;
+
+	ssl_certificate             /etc/dehydrated/certs/creativecalc.fr/fullchain.pem;
+	ssl_certificate_key         /etc/dehydrated/certs/creativecalc.fr/privkey.pem;
+
+	access_log /var/log/nginx/creativecalc_access.log;
+	error_log /var/log/nginx/creativecalc_error.log;
+
+	root /home/creativecalc/www;
+
+	location /assets/fonts {
+		expires 365d;
+	}
+}
--- a/nginx/sites-available/gitea.conf
+++ b/nginx/sites-available/gitea.conf
@ -0,0 +1,41 @@
+server {
+	listen [::]:80;
+	listen *:80;
+
+	server_name gitea.planet-casio.com git.planet-casio.com;
+	
+	include common.conf;
+
+	access_log /var/log/nginx/gitea_access.log;
+	error_log /var/log/nginx/gitea_error.log;
+
+	location / {
+		return 301 https://$server_name$request_uri;
+	}
+}
+
+server {
+	listen [::]:443 ssl http2;
+	listen *:443 ssl http2;
+
+	server_name gitea.planet-casio.com git.planet-casio.com;
+	
+	include common.conf;
+	include ssl.conf;
+
+	ssl_certificate             /etc/dehydrated/certs/gitea.planet-casio.com/fullchain.pem;
+	ssl_certificate_key         /etc/dehydrated/certs/gitea.planet-casio.com/privkey.pem;
+
+	access_log /var/log/nginx/gitea_access.log;
+	error_log /var/log/nginx/gitea_error.log;
+
+	if ($http_host != "gitea.planet-casio.com") {
+                 rewrite ^ https://gitea.planet-casio.com$request_uri permanent;
+	}
+
+	location / {
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_pass http://127.0.0.1:3001;
+	}
+}
--- a/nginx/sites-available/grafana.conf
+++ b/nginx/sites-available/grafana.conf
@ -0,0 +1,37 @@
+server {
+	listen [::]:80;
+	listen *:80;
+
+	server_name grafana.planet-casio.com;
+	
+	include common.conf;
+
+	access_log /var/log/nginx/grafana_access.log;
+	error_log /var/log/nginx/grafana_error.log;
+
+	location / {
+		return 301 https://$server_name$request_uri;
+	}
+}
+
+server {
+	listen [::]:443 ssl http2;
+	listen *:443 ssl http2;
+
+	server_name grafana.planet-casio.com;
+	
+	include common.conf;
+	include ssl.conf;
+
+	ssl_certificate             /etc/dehydrated/certs/grafana.planet-casio.com/fullchain.pem;
+	ssl_certificate_key         /etc/dehydrated/certs/grafana.planet-casio.com/privkey.pem;
+
+	access_log /var/log/nginx/grafana_access.log;
+	error_log /var/log/nginx/grafana_error.log;
+
+	location / {
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_pass http://127.0.0.1:3000;
+	}
+}
--- a/nginx/sites-available/mumbleweb.conf
+++ b/nginx/sites-available/mumbleweb.conf
@ -0,0 +1,47 @@
+server {
+	listen [::]:80;
+	listen *:80;
+
+	server_name mumble.planet-casio.com;
+	
+	include common.conf;
+
+	access_log /var/log/nginx/mumbleweb_access.log;
+	error_log /var/log/nginx/mumbleweb_error.log;
+
+	location / {
+		return 301 https://$server_name$request_uri;
+	}
+}
+
+server {
+	listen [::]:443 ssl;
+	listen *:443 ssl;
+
+	server_name mumble.planet-casio.com;
+
+	include common.conf;
+	include ssl.conf;
+
+        ssl_certificate      /etc/dehydrated/certs/mumble.planet-casio.com/fullchain.pem;
+        ssl_certificate_key  /etc/dehydrated/certs/mumble.planet-casio.com/privkey.pem;
+
+	access_log /var/log/nginx/mumbleweb_access.log;
+	error_log /var/log/nginx/mumbleweb_error.log;
+
+	location / {
+		root /usr/local/lib/node_modules/mumble-web/dist;
+	}
+
+	location /client {
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+		proxy_pass http://localhost:64737;
+	}
+}
+
+map $http_upgrade $connection_upgrade {
+	default upgrade;
+	'' close;
+}
--- a/nginx/sites-available/p7.conf
+++ b/nginx/sites-available/p7.conf
@ -0,0 +1,42 @@
+server {
+	listen [::]:80;
+	listen *:80;
+
+	server_name p7.planet-casio.com;
+	
+	include common.conf;
+
+	access_log /var/log/nginx/p7_access.log;
+	error_log /var/log/nginx/p7_error.log;
+
+	location / {
+		return 301 https://$server_name$request_uri;
+	}
+}
+
+server {
+	listen [::]:443 ssl http2;
+	listen *:443 ssl http2;
+
+	server_name p7.planet-casio.com;
+	
+	include common.conf;
+	include ssl.conf;
+
+	ssl_certificate             /etc/dehydrated/certs/p7.planet-casio.com/fullchain.pem;
+	ssl_certificate_key         /etc/dehydrated/certs/p7.planet-casio.com/privkey.pem;
+
+	access_log /var/log/nginx/p7_access.log;
+	error_log /var/log/nginx/p7_error.log;
+
+	root /home/p7/www;
+
+	location /pub {
+		alias /home/p7/pub;
+		autoindex on;
+	}
+
+	location / {
+		index fr.html;
+	}
+}
--- a/nginx/sites-available/pc-dev.conf
+++ b/nginx/sites-available/pc-dev.conf
@ -0,0 +1,77 @@
+server {
+	set $env pc-dev;
+	
+	listen [::]:80;
+	listen *:80;
+
+#	server_name dev.planet-casio.com;
+	server_name v5.planet-casio.com;
+	
+	include common.conf;
+
+	access_log /var/log/nginx/${env}_access.log;
+	error_log /var/log/nginx/${env}_error.log;
+
+	location / {
+		return 301 https://$server_name$request_uri;
+	}
+}
+
+server {
+	set $env pc-dev;
+	
+	listen [::]:443 ssl http2;
+	listen *:443 ssl http2;
+
+#	server_name dev.planet-casio.com;
+	server_name v5.planet-casio.com;
+	
+	include common.conf;
+	include ssl.conf;
+
+	ssl_certificate             /etc/dehydrated/certs/v5.planet-casio.com/fullchain.pem;
+	ssl_certificate_key         /etc/dehydrated/certs/v5.planet-casio.com/privkey.pem;
+
+	access_log /var/log/nginx/${env}_access.log;
+	error_log /var/log/nginx/${env}_error.log;
+
+	root /home/pc-dev/www;
+
+	# Serve files from /static as static files
+	location /static {
+		alias /home/${env}/www/app/static;
+		try_files	$uri =404;
+		expires		7d;
+		add_header	Cache-Control "public";
+		include		gzip.conf;
+	}
+
+	# Serve avatars
+	location /avatar {
+		alias /home/${env}/data/avatars;
+		try_files	$uri /default_avatar.png;
+		expires 	max;
+		add_header	Cache-Control "public";
+		include		gzip.conf;
+	}
+
+	# Serve files
+	location /fichiers {
+		alias /home/${env}/data/fichiers;
+		try_files	$uri =404;
+		expires 	7d;
+		add_header	Cache-Control "public";
+		include		gzip.conf;
+	}
+
+	# Pass everything else to the application
+	location / {
+		try_files	@fake @application;
+	}
+
+	location @application {
+		include		uwsgi_params;
+		uwsgi_pass	unix:/run/uwsgi.${env}/socket;
+	}
+}
+
--- a/nginx/sites-available/pc.conf
+++ b/nginx/sites-available/pc.conf
@ -0,0 +1,76 @@
+server {
+	set $env pc;
+
+	listen [::]:80;
+	listen *:80;
+
+#	server_name dev.planet-casio.com;
+	server_name v5.planet-casio.com;
+
+	include common.conf;
+
+	access_log /var/log/nginx/${env}_access.log;
+	error_log /var/log/nginx/${env}_error.log;
+
+	location / {
+		return 301 https://$server_name$request_uri;
+	}
+}
+
+server {
+	set $env pc;
+
+	listen [::]:443 ssl http2;
+	listen *:443 ssl http2;
+
+#	server_name dev.planet-casio.com;
+	server_name v5.planet-casio.com;
+
+	include common.conf;
+	include ssl.conf;
+
+	ssl_certificate             /etc/dehydrated/certs/v5.planet-casio.com/fullchain.pem;
+	ssl_certificate_key         /etc/dehydrated/certs/v5.planet-casio.com/privkey.pem;
+
+	access_log /var/log/nginx/${env}_access.log;
+	error_log /var/log/nginx/${env}_error.log;
+
+	root /home/pc-dev/www;
+
+	# Serve files from /static as static files
+	location /static {
+		alias /home/${env}/www/app/static;
+		try_files	$uri =404;
+		expires		7d;
+		add_header	Cache-Control "public";
+		include		gzip.conf;
+	}
+
+	# Serve avatars
+	location /avatar {
+		alias /home/${env}/data/avatars;
+		try_files	$uri /default_avatar.png;
+		expires 	max;
+		add_header	Cache-Control "public";
+		include		gzip.conf;
+	}
+
+	# Serve files
+	location /fichiers {
+		alias /home/${env}/data/fichiers;
+		try_files	$uri =404;
+		expires 	7d;
+		add_header	Cache-Control "public";
+		include		gzip.conf;
+	}
+
+	# Pass everything else to the application
+	location / {
+		try_files	@fake @application;
+	}
+
+	location @application {
+		include		uwsgi_params;
+		uwsgi_pass	unix:/run/uwsgi.${env}/socket;
+	}
+}
--- a/nginx/ssl.conf
+++ b/nginx/ssl.conf
@ -0,0 +1,8 @@
+ssl_prefer_server_ciphers   on;
+ssl_protocols               TLSv1.3 TLSv1.2;
+ssl_ciphers                 'ECDHE+CHACHA20:ECDHE+AESGCM';
+ssl_session_cache           shared:SSL:10m;
+ssl_session_timeout         5m;
+ssl_dhparam                 /etc/ssl/ssl.dh/dhparam.pem;
+ssl_stapling                on;
+ssl_stapling_verify         on;