Browse Source

Added Nginx config

master
Darks 1 month ago
parent
commit
a0299960b5
Signed by: Darks <l.gatin@neuf.fr> GPG Key ID: F61F10FA138E797C
16 changed files with 532 additions and 0 deletions
  1. +11
    -0
      nginx/common.conf
  2. +7
    -0
      nginx/conf.d/blockuseragents.conf
  3. +17
    -0
      nginx/conf.d/ddos.conf
  4. +6
    -0
      nginx/conf.d/header.conf
  5. +4
    -0
      nginx/gzip.conf
  6. +29
    -0
      nginx/nginx.conf
  7. +22
    -0
      nginx/sites-available/000-default.conf
  8. +51
    -0
      nginx/sites-available/bible.conf
  9. +57
    -0
      nginx/sites-available/creativecalc.conf
  10. +41
    -0
      nginx/sites-available/gitea.conf
  11. +37
    -0
      nginx/sites-available/grafana.conf
  12. +47
    -0
      nginx/sites-available/mumbleweb.conf
  13. +42
    -0
      nginx/sites-available/p7.conf
  14. +77
    -0
      nginx/sites-available/pc-dev.conf
  15. +76
    -0
      nginx/sites-available/pc.conf
  16. +8
    -0
      nginx/ssl.conf

+ 11
- 0
nginx/common.conf View File

@@ -0,0 +1,11 @@
location ^~ /.well-known/acme-challenge {
alias /var/www/dehydrated;
}

if ($blockedagent) {
return 403;
}

if ($request_method !~ ^(GET|PUT|POST)$ ) {
return 444;
}

+ 7
- 0
nginx/conf.d/blockuseragents.conf View File

@@ -0,0 +1,7 @@
map $http_user_agent $blockedagent {
default 0;
~*malicious 1;
~*backdoor 1;
~*crawler 1;
~*spider 1;
}

+ 17
- 0
nginx/conf.d/ddos.conf View File

@@ -0,0 +1,17 @@
# Slow DDOS Protection

client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;


# DDOS Protection

# Maximum request per IP // 100 per seconde
limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s;
limit_req zone=flood burst=100 nodelay;

# Maximum Connection per IP // 100 per seconde
limit_conn_zone $binary_remote_addr zone=ddos:10m;
limit_conn ddos 100;

+ 6
- 0
nginx/conf.d/header.conf View File

@@ -0,0 +1,6 @@
# Bad Header Protection
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

+ 4
- 0
nginx/gzip.conf View File

@@ -0,0 +1,4 @@
gzip on;
gzip_vary on;
gzip_types *;
gzip_min_length 1000;

+ 29
- 0
nginx/nginx.conf View File

@@ -0,0 +1,29 @@
user http;
worker_processes auto;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
multi_accept on;
use epoll;
worker_connections 256;
}

http {

index index.html index.htm index.php;

server_tokens off;

include /etc/nginx/mime.types;
charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;

sendfile on;
tcp_nopush on;
tcp_nodelay on;

types_hash_bucket_size 128;

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

+ 22
- 0
nginx/sites-available/000-default.conf View File

@@ -0,0 +1,22 @@
server {

listen 127.0.0.1:8080;

access_log off;

location /nginx-status {
stub_status on;
}

}

server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;

include common.conf;

return 301 https://www.planet-casio.com;
}

+ 51
- 0
nginx/sites-available/bible.conf View File

@@ -0,0 +1,51 @@
server {
listen [::]:80;
listen *:80;

server_name bible.planet-casio.com;
include common.conf;

access_log /var/log/nginx/bible_access.log;
error_log /var/log/nginx/bible_error.log;

location / {
return 301 https://$server_name$request_uri;
}
}

server {
listen [::]:443 ssl http2;
listen *:443 ssl http2;

server_name bible.planet-casio.com;
include common.conf;
include ssl.conf;

ssl_certificate /etc/dehydrated/certs/bible.planet-casio.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/bible.planet-casio.com/privkey.pem;

access_log /var/log/nginx/bible_access.log;
error_log /var/log/nginx/bible_error.log;

root /home/bible/www;

location / {
autoindex on;
charset utf8;
rewrite ^/casio(.*)$ /common/casio$1 permanent;
rewrite ^/hardware(.*)$ /common/hardware$1 permanent;
rewrite ^/renesas(.*)$ /common/renesas$1 permanent;
rewrite ^/misc(.*)$ /common/misc$1 permanent;
rewrite ^/user_manuals(.*)$ /common/user_manuals$1 permanent;
}

location /yatis/.git/ {
deny all;
}

location /cakeisalie5/websaves/graph100.com/forum/ {
charset ISO-8859;
}
}

+ 57
- 0
nginx/sites-available/creativecalc.conf View File

@@ -0,0 +1,57 @@
server {
listen [::]:80;
listen *:80;

server_name creativecalc.fr www.creativecalc.fr;
include common.conf;

access_log /var/log/nginx/creativecalc_access.log;
error_log /var/log/nginx/creativecalc_error.log;

location / {
return 301 https://$server_name$request_uri;
}
}

server {
listen [::]:443 ssl http2;
listen *:443 ssl http2;

server_name creativecalc.fr;
include common.conf;
include ssl.conf;

ssl_certificate /etc/dehydrated/certs/creativecalc.fr/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/creativecalc.fr/privkey.pem;

access_log /var/log/nginx/creativecalc_access.log;
error_log /var/log/nginx/creativecalc_error.log;

location / {
return 301 https://www.creativecalc.fr$request_uri;
}
}

server {
listen [::]:443 ssl http2;
listen *:443 ssl http2;

server_name www.creativecalc.fr;
include common.conf;
include ssl.conf;

ssl_certificate /etc/dehydrated/certs/creativecalc.fr/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/creativecalc.fr/privkey.pem;

access_log /var/log/nginx/creativecalc_access.log;
error_log /var/log/nginx/creativecalc_error.log;

root /home/creativecalc/www;

location /assets/fonts {
expires 365d;
}
}

+ 41
- 0
nginx/sites-available/gitea.conf View File

@@ -0,0 +1,41 @@
server {
listen [::]:80;
listen *:80;

server_name gitea.planet-casio.com git.planet-casio.com;
include common.conf;

access_log /var/log/nginx/gitea_access.log;
error_log /var/log/nginx/gitea_error.log;

location / {
return 301 https://$server_name$request_uri;
}
}

server {
listen [::]:443 ssl http2;
listen *:443 ssl http2;

server_name gitea.planet-casio.com git.planet-casio.com;
include common.conf;
include ssl.conf;

ssl_certificate /etc/dehydrated/certs/gitea.planet-casio.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/gitea.planet-casio.com/privkey.pem;

access_log /var/log/nginx/gitea_access.log;
error_log /var/log/nginx/gitea_error.log;

if ($http_host != "gitea.planet-casio.com") {
rewrite ^ https://gitea.planet-casio.com$request_uri permanent;
}

location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://127.0.0.1:3001;
}
}

+ 37
- 0
nginx/sites-available/grafana.conf View File

@@ -0,0 +1,37 @@
server {
listen [::]:80;
listen *:80;

server_name grafana.planet-casio.com;
include common.conf;

access_log /var/log/nginx/grafana_access.log;
error_log /var/log/nginx/grafana_error.log;

location / {
return 301 https://$server_name$request_uri;
}
}

server {
listen [::]:443 ssl http2;
listen *:443 ssl http2;

server_name grafana.planet-casio.com;
include common.conf;
include ssl.conf;

ssl_certificate /etc/dehydrated/certs/grafana.planet-casio.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/grafana.planet-casio.com/privkey.pem;

access_log /var/log/nginx/grafana_access.log;
error_log /var/log/nginx/grafana_error.log;

location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://127.0.0.1:3000;
}
}

+ 47
- 0
nginx/sites-available/mumbleweb.conf View File

@@ -0,0 +1,47 @@
server {
listen [::]:80;
listen *:80;

server_name mumble.planet-casio.com;
include common.conf;

access_log /var/log/nginx/mumbleweb_access.log;
error_log /var/log/nginx/mumbleweb_error.log;

location / {
return 301 https://$server_name$request_uri;
}
}

server {
listen [::]:443 ssl;
listen *:443 ssl;

server_name mumble.planet-casio.com;

include common.conf;
include ssl.conf;

ssl_certificate /etc/dehydrated/certs/mumble.planet-casio.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/mumble.planet-casio.com/privkey.pem;

access_log /var/log/nginx/mumbleweb_access.log;
error_log /var/log/nginx/mumbleweb_error.log;

location / {
root /usr/local/lib/node_modules/mumble-web/dist;
}

location /client {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_pass http://localhost:64737;
}
}

map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

+ 42
- 0
nginx/sites-available/p7.conf View File

@@ -0,0 +1,42 @@
server {
listen [::]:80;
listen *:80;

server_name p7.planet-casio.com;
include common.conf;

access_log /var/log/nginx/p7_access.log;
error_log /var/log/nginx/p7_error.log;

location / {
return 301 https://$server_name$request_uri;
}
}

server {
listen [::]:443 ssl http2;
listen *:443 ssl http2;

server_name p7.planet-casio.com;
include common.conf;
include ssl.conf;

ssl_certificate /etc/dehydrated/certs/p7.planet-casio.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/p7.planet-casio.com/privkey.pem;

access_log /var/log/nginx/p7_access.log;
error_log /var/log/nginx/p7_error.log;

root /home/p7/www;

location /pub {
alias /home/p7/pub;
autoindex on;
}

location / {
index fr.html;
}
}

+ 77
- 0
nginx/sites-available/pc-dev.conf View File

@@ -0,0 +1,77 @@
server {
set $env pc-dev;
listen [::]:80;
listen *:80;

# server_name dev.planet-casio.com;
server_name v5.planet-casio.com;
include common.conf;

access_log /var/log/nginx/${env}_access.log;
error_log /var/log/nginx/${env}_error.log;

location / {
return 301 https://$server_name$request_uri;
}
}

server {
set $env pc-dev;
listen [::]:443 ssl http2;
listen *:443 ssl http2;

# server_name dev.planet-casio.com;
server_name v5.planet-casio.com;
include common.conf;
include ssl.conf;

ssl_certificate /etc/dehydrated/certs/v5.planet-casio.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/v5.planet-casio.com/privkey.pem;

access_log /var/log/nginx/${env}_access.log;
error_log /var/log/nginx/${env}_error.log;

root /home/pc-dev/www;

# Serve files from /static as static files
location /static {
alias /home/${env}/www/app/static;
try_files $uri =404;
expires 7d;
add_header Cache-Control "public";
include gzip.conf;
}

# Serve avatars
location /avatar {
alias /home/${env}/data/avatars;
try_files $uri /default_avatar.png;
expires max;
add_header Cache-Control "public";
include gzip.conf;
}

# Serve files
location /fichiers {
alias /home/${env}/data/fichiers;
try_files $uri =404;
expires 7d;
add_header Cache-Control "public";
include gzip.conf;
}

# Pass everything else to the application
location / {
try_files @fake @application;
}

location @application {
include uwsgi_params;
uwsgi_pass unix:/run/uwsgi.${env}/socket;
}
}


+ 76
- 0
nginx/sites-available/pc.conf View File

@@ -0,0 +1,76 @@
server {
set $env pc;

listen [::]:80;
listen *:80;

# server_name dev.planet-casio.com;
server_name v5.planet-casio.com;

include common.conf;

access_log /var/log/nginx/${env}_access.log;
error_log /var/log/nginx/${env}_error.log;

location / {
return 301 https://$server_name$request_uri;
}
}

server {
set $env pc;

listen [::]:443 ssl http2;
listen *:443 ssl http2;

# server_name dev.planet-casio.com;
server_name v5.planet-casio.com;

include common.conf;
include ssl.conf;

ssl_certificate /etc/dehydrated/certs/v5.planet-casio.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/v5.planet-casio.com/privkey.pem;

access_log /var/log/nginx/${env}_access.log;
error_log /var/log/nginx/${env}_error.log;

root /home/pc-dev/www;

# Serve files from /static as static files
location /static {
alias /home/${env}/www/app/static;
try_files $uri =404;
expires 7d;
add_header Cache-Control "public";
include gzip.conf;
}

# Serve avatars
location /avatar {
alias /home/${env}/data/avatars;
try_files $uri /default_avatar.png;
expires max;
add_header Cache-Control "public";
include gzip.conf;
}

# Serve files
location /fichiers {
alias /home/${env}/data/fichiers;
try_files $uri =404;
expires 7d;
add_header Cache-Control "public";
include gzip.conf;
}

# Pass everything else to the application
location / {
try_files @fake @application;
}

location @application {
include uwsgi_params;
uwsgi_pass unix:/run/uwsgi.${env}/socket;
}
}

+ 8
- 0
nginx/ssl.conf View File

@@ -0,0 +1,8 @@
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'ECDHE+CHACHA20:ECDHE+AESGCM';
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_dhparam /etc/ssl/ssl.dh/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;

Loading…
Cancel
Save