From a0299960b51819fd590b2a34fc6b10ea46929a42 Mon Sep 17 00:00:00 2001
From: Darks
Date: Mon, 3 Aug 2020 19:28:39 +0200
Subject: [PATCH] Added Nginx config
---
 nginx/common.conf | 11 ++++
 nginx/conf.d/blockuseragents.conf | 7 +++
 nginx/conf.d/ddos.conf | 17 ++++++
 nginx/conf.d/header.conf | 6 ++
 nginx/gzip.conf | 4 ++
 nginx/nginx.conf | 29 ++++++++++
 nginx/sites-available/000-default.conf | 22 +++++++
 nginx/sites-available/bible.conf | 51 ++++++++++++++++
 nginx/sites-available/creativecalc.conf | 57 ++++++++++++++++++
 nginx/sites-available/gitea.conf | 41 +++++++++++++
 nginx/sites-available/grafana.conf | 37 ++++++++++++
 nginx/sites-available/mumbleweb.conf | 47 +++++++++++++++
 nginx/sites-available/p7.conf | 42 ++++++++++++++
 nginx/sites-available/pc-dev.conf | 77 +++++++++++++++++++++++++
 nginx/sites-available/pc.conf | 76 ++++++++++++++++++++++++
 nginx/ssl.conf | 8 +++
 16 files changed, 532 insertions(+)
 create mode 100644 nginx/common.conf
 create mode 100644 nginx/conf.d/blockuseragents.conf
 create mode 100644 nginx/conf.d/ddos.conf
 create mode 100644 nginx/conf.d/header.conf
 create mode 100644 nginx/gzip.conf
 create mode 100644 nginx/nginx.conf
 create mode 100644 nginx/sites-available/000-default.conf
 create mode 100644 nginx/sites-available/bible.conf
 create mode 100644 nginx/sites-available/creativecalc.conf
 create mode 100644 nginx/sites-available/gitea.conf
 create mode 100644 nginx/sites-available/grafana.conf
 create mode 100644 nginx/sites-available/mumbleweb.conf
 create mode 100644 nginx/sites-available/p7.conf
 create mode 100644 nginx/sites-available/pc-dev.conf
 create mode 100644 nginx/sites-available/pc.conf
 create mode 100644 nginx/ssl.conf
diff --git a/nginx/common.conf b/nginx/common.conf
new file mode 100644
index 0000000..bfc4424
--- /dev/null
+++ b/nginx/common.conf
@@ -0,0 +1,11 @@
+location ^~ /.well-known/acme-challenge {
+ alias /var/www/dehydrated;
+}
+
+if ($blockedagent) {
+ return 403;
+}
+
+if ($request_method !~ ^(GET|PUT|POST)$ ) {
+ return 444;
+}
diff --git a/nginx/conf.d/blockuseragents.conf b/nginx/conf.d/blockuseragents.conf
new file mode 100644
index 0000000..00045ba
--- /dev/null
+++ b/nginx/conf.d/blockuseragents.conf
@@ -0,0 +1,7 @@
+map $http_user_agent $blockedagent {
+ default 0;
+ ~*malicious 1;
+ ~*backdoor 1;
+ ~*crawler 1;
+ ~*spider 1;
+}
diff --git a/nginx/conf.d/ddos.conf b/nginx/conf.d/ddos.conf
new file mode 100644
index 0000000..e8303f3
--- /dev/null
+++ b/nginx/conf.d/ddos.conf
@@ -0,0 +1,17 @@
+# Slow DDOS Protection
+
+client_body_timeout 10;
+client_header_timeout 10;
+keepalive_timeout 5 5;
+send_timeout 10;
+
+
+# DDOS Protection
+
+# Maximum request per IP // 100 per seconde
+limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s;
+limit_req zone=flood burst=100 nodelay;
+
+# Maximum Connection per IP // 100 per seconde
+limit_conn_zone $binary_remote_addr zone=ddos:10m;
+limit_conn ddos 100;
diff --git a/nginx/conf.d/header.conf b/nginx/conf.d/header.conf
new file mode 100644
index 0000000..6470c68
--- /dev/null
+++ b/nginx/conf.d/header.conf
@@ -0,0 +1,6 @@
+# Bad Header Protection
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header Referrer-Policy "strict-origin-when-cross-origin";
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
diff --git a/nginx/gzip.conf b/nginx/gzip.conf
new file mode 100644
index 0000000..947c82b
--- /dev/null
+++ b/nginx/gzip.conf
@@ -0,0 +1,4 @@
+gzip on;
+gzip_vary on;
+gzip_types *;
+gzip_min_length 1000;
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 0000000..982e26b
--- /dev/null
+++ b/nginx/nginx.conf
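Review bot: The method allowlist `if ($request_method !~ ^(GET|PUT|POST)$ ) { return 444; }` in common.conf drops HEAD and OPTIONS along with DELETE and PATCH, and because common.conf is included by every server block in this patch, including the Gitea and Grafana proxies, HEAD probes, CORS preflights and the DELETE/PATCH calls of those upstream APIs have their connection closed without a response. An allowlist is the right shape; it only needs to name the methods the fronted applications actually use, e.g. `if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|PATCH|OPTIONS)$ ) { return 444; }`, or be narrowed per site rather than shared by all of them. The `^~ /.well-known/acme-challenge` prefix also lacks a trailing slash, so `alias /var/www/dehydrated` maps a request for `/.well-known/acme-challengeX` to `/var/www/dehydratedX`; `location ^~ /.well-known/acme-challenge/ { alias /var/www/dehydrated/; }` keeps the mapping exact.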
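Review bot: The `add_header` lines in header.conf sit at http level, and nginx inherits `add_header` into a block only when that block declares none of its own, so every location that adds a header of its own silently loses the whole set — in this patch the `/static`, `/avatar` and `/fichiers` locations of pc.conf and pc-dev.conf each set `add_header Cache-Control "public"` and therefore respond without `X-Frame-Options`, `X-Content-Type-Options` or `Strict-Transport-Security` (the `/fichiers` alias presumably serves user-supplied files, where `nosniff` matters most). The usual fix is to keep these headers in a snippet outside conf.d and `include` it in every server or location that also calls `add_header`, so the set is re-applied there. The HSTS value additionally carries a stray `;` inside the quotes; `"max-age=31536000; includeSubDomains"` is the canonical form.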
@@ -0,0 +1,29 @@
+user http;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ multi_accept on;
+ use epoll;
+ worker_connections 256;
+}
+
+http {
+
+ index index.html index.htm index.php;
+
+ server_tokens off;
+
+ include /etc/nginx/mime.types;
+ charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+
+ types_hash_bucket_size 128;
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
diff --git a/nginx/sites-available/000-default.conf b/nginx/sites-available/000-default.conf
new file mode 100644
index 0000000..df236d4
--- /dev/null
+++ b/nginx/sites-available/000-default.conf
@@ -0,0 +1,22 @@
+server {
+
+ listen 127.0.0.1:8080;
+
+ access_log off;
+
+ location /nginx-status {
+ stub_status on;
+ }
+
+}
+
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ server_name _;
+
+ include common.conf;
+
+ return 301 https://www.planet-casio.com;
+}
diff --git a/nginx/sites-available/bible.conf b/nginx/sites-available/bible.conf
new file mode 100644
index 0000000..5b73269
--- /dev/null
+++ b/nginx/sites-available/bible.conf
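Review bot: 000-default.conf claims `default_server` on port 80 only; no server in this patch claims it on 443, so an HTTPS request whose SNI or Host matches none of the configured names (a bare-IP request, for instance) is answered by whichever site file nginx loads first and is served with that site's certificate and content. A catch-all 443 server that closes the connection keeps unknown names off the real vhosts; it still needs a certificate to complete the handshake (on nginx 1.19.4 and later `ssl_reject_handshake on;` can replace the two certificate lines). The block below would go into 000-default.conf next to the port-80 one.
```nginx
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    include ssl.conf;
    # any existing certificate will do: the handshake completes and the connection is closed
    ssl_certificate <PLACEHOLDER: path to an existing fullchain.pem>;
    ssl_certificate_key <PLACEHOLDER: path to the matching privkey.pem>;
    return 444;
}
```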
@@ -0,0 +1,51 @@
+server {
+ listen [::]:80;
+ listen *:80;
+
+ server_name bible.planet-casio.com;
+
+ include common.conf;
+
+ access_log /var/log/nginx/bible_access.log;
+ error_log /var/log/nginx/bible_error.log;
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen [::]:443 ssl http2;
+ listen *:443 ssl http2;
+
+ server_name bible.planet-casio.com;
+
+ include common.conf;
+ include ssl.conf;
+
+ ssl_certificate /etc/dehydrated/certs/bible.planet-casio.com/fullchain.pem;
+ ssl_certificate_key /etc/dehydrated/certs/bible.planet-casio.com/privkey.pem;
+
+ access_log /var/log/nginx/bible_access.log;
+ error_log /var/log/nginx/bible_error.log;
+
+ root /home/bible/www;
+
+ location / {
+ autoindex on;
+ charset utf8;
+ rewrite ^/casio(.*)$ /common/casio$1 permanent;
+ rewrite ^/hardware(.*)$ /common/hardware$1 permanent;
+ rewrite ^/renesas(.*)$ /common/renesas$1 permanent;
+ rewrite ^/misc(.*)$ /common/misc$1 permanent;
+ rewrite ^/user_manuals(.*)$ /common/user_manuals$1 permanent;
+ }
+
+ location /yatis/.git/ {
+ deny all;
+ }
+
+ location /cakeisalie5/websaves/graph100.com/forum/ {
+ charset ISO-8859;
+ }
+}
diff --git a/nginx/sites-available/creativecalc.conf b/nginx/sites-available/creativecalc.conf
new file mode 100644
index 0000000..06c079a
--- /dev/null
+++ b/nginx/sites-available/creativecalc.conf
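Review bot: `location /yatis/.git/ { deny all; }` shields exactly one repository checkout, while `autoindex on` under `location /` lists everything else beneath `/home/bible/www`, so any other `.git`, `.svn` or dotfile directory in that tree is browsable and downloadable, and a listed `.git` gives away full history. One regex location covers the whole tree: `location ~ /\.git(/|$) { deny all; }`, or `location ~ /\. { deny all; }` for every dotfile; the `^~ /.well-known/acme-challenge` prefix from common.conf still takes precedence over regex locations, so ACME validation is unaffected. Separately, `charset ISO-8859;` is not a registered charset name and browsers will ignore it; `ISO-8859-1` is presumably what was meant.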
@@ -0,0 +1,57 @@
+server {
+ listen [::]:80;
+ listen *:80;
+
+ server_name creativecalc.fr www.creativecalc.fr;
+
+ include common.conf;
+
+ access_log /var/log/nginx/creativecalc_access.log;
+ error_log /var/log/nginx/creativecalc_error.log;
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen [::]:443 ssl http2;
+ listen *:443 ssl http2;
+
+ server_name creativecalc.fr;
+
+ include common.conf;
+ include ssl.conf;
+
+ ssl_certificate /etc/dehydrated/certs/creativecalc.fr/fullchain.pem;
+ ssl_certificate_key /etc/dehydrated/certs/creativecalc.fr/privkey.pem;
+
+ access_log /var/log/nginx/creativecalc_access.log;
+ error_log /var/log/nginx/creativecalc_error.log;
+
+ location / {
+ return 301 https://www.creativecalc.fr$request_uri;
+ }
+}
+
+server {
+ listen [::]:443 ssl http2;
+ listen *:443 ssl http2;
+
+ server_name www.creativecalc.fr;
+
+ include common.conf;
+ include ssl.conf;
+
+ ssl_certificate /etc/dehydrated/certs/creativecalc.fr/fullchain.pem;
+ ssl_certificate_key /etc/dehydrated/certs/creativecalc.fr/privkey.pem;
+
+ access_log /var/log/nginx/creativecalc_access.log;
+ error_log /var/log/nginx/creativecalc_error.log;
+
+ root /home/creativecalc/www;
+
+ location /assets/fonts {
+ expires 365d;
+ }
+}
diff --git a/nginx/sites-available/gitea.conf b/nginx/sites-available/gitea.conf
new file mode 100644
index 0000000..a98d7da
--- /dev/null
+++ b/nginx/sites-available/gitea.conf
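Review bot: The port-80 block names both `creativecalc.fr` and `www.creativecalc.fr` but redirects with `$server_name`, which always expands to the first name, so a request for `http://www.creativecalc.fr/x` is sent to `https://creativecalc.fr/x` and from there, by the second block, on to `https://www.creativecalc.fr/x` — two redirects where one would do. Since the canonical host is already hard-coded in the second block, the first can use it as well: `return 301 https://www.creativecalc.fr$request_uri;`. The two 443 blocks also repeat the certificate, log and include lines verbatim; one server with both names and a `$host != "www.creativecalc.fr"` redirect, as gitea.conf does, would halve the file.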
@@ -0,0 +1,41 @@
+server {
+ listen [::]:80;
+ listen *:80;
+
+ server_name gitea.planet-casio.com git.planet-casio.com;
+
+ include common.conf;
+
+ access_log /var/log/nginx/gitea_access.log;
+ error_log /var/log/nginx/gitea_error.log;
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen [::]:443 ssl http2;
+ listen *:443 ssl http2;
+
+ server_name gitea.planet-casio.com git.planet-casio.com;
+
+ include common.conf;
+ include ssl.conf;
+
+ ssl_certificate /etc/dehydrated/certs/gitea.planet-casio.com/fullchain.pem;
+ ssl_certificate_key /etc/dehydrated/certs/gitea.planet-casio.com/privkey.pem;
+
+ access_log /var/log/nginx/gitea_access.log;
+ error_log /var/log/nginx/gitea_error.log;
+
+ if ($http_host != "gitea.planet-casio.com") {
+ rewrite ^ https://gitea.planet-casio.com$request_uri permanent;
+ }
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://127.0.0.1:3001;
+ }
+}
diff --git a/nginx/sites-available/grafana.conf b/nginx/sites-available/grafana.conf
new file mode 100644
index 0000000..641fa12
--- /dev/null
+++ b/nginx/sites-available/grafana.conf
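Review bot: The proxy location sets no `client_max_body_size`, so nginx's 1m default applies and any `git push` over HTTPS or attachment upload larger than that is refused with 413 before it reaches Gitea on 127.0.0.1:3001; a `client_max_body_size` line in this server block, sized to what the forge should accept, is the usual fix. The upstream also receives only `Host` and `X-Real-IP`: without `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` it cannot tell that the request arrived over TLS, which matters for any application that derives cookie flags or absolute URLs from the request — the same three-line stanza is repeated in grafana.conf, so a shared `proxy.conf` include would keep both consistent. The canonical-host check compares `$http_host`, the raw header, which may carry a `:443` suffix and would then redirect to itself forever; `$host` is the port-stripped form and the safer comparand.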
@@ -0,0 +1,37 @@
+server {
+ listen [::]:80;
+ listen *:80;
+
+ server_name grafana.planet-casio.com;
+
+ include common.conf;
+
+ access_log /var/log/nginx/grafana_access.log;
+ error_log /var/log/nginx/grafana_error.log;
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen [::]:443 ssl http2;
+ listen *:443 ssl http2;
+
+ server_name grafana.planet-casio.com;
+
+ include common.conf;
+ include ssl.conf;
+
+ ssl_certificate /etc/dehydrated/certs/grafana.planet-casio.com/fullchain.pem;
+ ssl_certificate_key /etc/dehydrated/certs/grafana.planet-casio.com/privkey.pem;
+
+ access_log /var/log/nginx/grafana_access.log;
+ error_log /var/log/nginx/grafana_error.log;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://127.0.0.1:3000;
+ }
+}
diff --git a/nginx/sites-available/mumbleweb.conf b/nginx/sites-available/mumbleweb.conf
new file mode 100644
index 0000000..66b60c0
--- /dev/null
+++ b/nginx/sites-available/mumbleweb.conf
@@ -0,0 +1,47 @@
+server {
+ listen [::]:80;
+ listen *:80;
+
+ server_name mumble.planet-casio.com;
+
+ include common.conf;
+
+ access_log /var/log/nginx/mumbleweb_access.log;
+ error_log /var/log/nginx/mumbleweb_error.log;
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen [::]:443 ssl;
+ listen *:443 ssl;
+
+ server_name mumble.planet-casio.com;
+
+ include common.conf;
+ include ssl.conf;
+
+ ssl_certificate /etc/dehydrated/certs/mumble.planet-casio.com/fullchain.pem;
+ ssl_certificate_key /etc/dehydrated/certs/mumble.planet-casio.com/privkey.pem;
+
+ access_log /var/log/nginx/mumbleweb_access.log;
+ error_log /var/log/nginx/mumbleweb_error.log;
+
+ location / {
+ root /usr/local/lib/node_modules/mumble-web/dist;
+ }
+
+ location /client {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_pass http://localhost:64737;
+ }
+}
+
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
diff --git a/nginx/sites-available/p7.conf b/nginx/sites-available/p7.conf
new file mode 100644
index 0000000..ef89c17
--- /dev/null
+++ b/nginx/sites-available/p7.conf
@@ -0,0 +1,42 @@
+server {
+ listen [::]:80;
+ listen *:80;
+
+ server_name p7.planet-casio.com;
+
+ include common.conf;
+
+ access_log /var/log/nginx/p7_access.log;
+ error_log /var/log/nginx/p7_error.log;
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen [::]:443 ssl http2;
+ listen *:443 ssl http2;
+
+ server_name p7.planet-casio.com;
+
+ include common.conf;
+ include ssl.conf;
+
+ ssl_certificate /etc/dehydrated/certs/p7.planet-casio.com/fullchain.pem;
+ ssl_certificate_key /etc/dehydrated/certs/p7.planet-casio.com/privkey.pem;
+
+ access_log /var/log/nginx/p7_access.log;
+ error_log /var/log/nginx/p7_error.log;
+
+ root /home/p7/www;
+
+ location /pub {
+ alias /home/p7/pub;
+ autoindex on;
+ }
+
+ location / {
+ index fr.html;
+ }
+}
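Review bot: `proxy_pass http://localhost:64737;` is the one upstream in this patch addressed by hostname rather than `127.0.0.1`; nginx resolves it once at load time, and when `/etc/hosts` maps `localhost` to both `::1` and `127.0.0.1` the pair becomes an implicit upstream group, so nginx will also try the IPv6 address, which fails whenever the mumble-web bridge binds only IPv4 — `proxy_pass http://127.0.0.1:64737;` matches the other site files and avoids that. The `map $http_upgrade $connection_upgrade` at the bottom is http-scope configuration that happens to live in a site file; placing it in conf.d next to blockuseragents.conf would make that scope explicit. Idle WebSocket sessions on `/client` are also bound by the default `proxy_read_timeout` of 60s, so unless the client keeps the socket busy on its own a longer value there will presumably be needed.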
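Review bot: `location /pub { alias /home/p7/pub; ... }` in p7.conf is a prefix match without a trailing slash, so a request for `/publications` or `/pub-old` matches it too and is aliased to `/home/p7/publications` or `/home/p7/pub-old` — any sibling of `pub` whose name starts with `pub` becomes reachable through this listing-enabled location. Writing both sides with the slash, `location /pub/ { alias /home/p7/pub/; autoindex on; }`, pins the mapping to that one directory. The `/static`, `/avatar` and `/fichiers` aliases in pc.conf and pc-dev.conf have the same shape (constructed example: `/avatarX` would map to `/home/pc/data/avatarsX`) and deserve the same treatment.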
diff --git a/nginx/sites-available/pc-dev.conf b/nginx/sites-available/pc-dev.conf
new file mode 100644
index 0000000..140da38
--- /dev/null
+++ b/nginx/sites-available/pc-dev.conf
@@ -0,0 +1,77 @@
+server {
+ set $env pc-dev;
+
+ listen [::]:80;
+ listen *:80;
+
+# server_name dev.planet-casio.com;
+ server_name v5.planet-casio.com;
+
+ include common.conf;
+
+ access_log /var/log/nginx/${env}_access.log;
+ error_log /var/log/nginx/${env}_error.log;
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ set $env pc-dev;
+
+ listen [::]:443 ssl http2;
+ listen *:443 ssl http2;
+
+# server_name dev.planet-casio.com;
+ server_name v5.planet-casio.com;
+
+ include common.conf;
+ include ssl.conf;
+
+ ssl_certificate /etc/dehydrated/certs/v5.planet-casio.com/fullchain.pem;
+ ssl_certificate_key /etc/dehydrated/certs/v5.planet-casio.com/privkey.pem;
+
+ access_log /var/log/nginx/${env}_access.log;
+ error_log /var/log/nginx/${env}_error.log;
+
+ root /home/pc-dev/www;
+
+ # Serve files from /static as static files
+ location /static {
+ alias /home/${env}/www/app/static;
+ try_files $uri =404;
+ expires 7d;
+ add_header Cache-Control "public";
+ include gzip.conf;
+ }
+
+ # Serve avatars
+ location /avatar {
+ alias /home/${env}/data/avatars;
+ try_files $uri /default_avatar.png;
+ expires max;
+ add_header Cache-Control "public";
+ include gzip.conf;
+ }
+
+ # Serve files
+ location /fichiers {
+ alias /home/${env}/data/fichiers;
+ try_files $uri =404;
+ expires 7d;
+ add_header Cache-Control "public";
+ include gzip.conf;
+ }
+
+ # Pass everything else to the application
+ location / {
+ try_files @fake @application;
+ }
+
+ location @application {
+ include uwsgi_params;
+ uwsgi_pass unix:/run/uwsgi.${env}/socket;
+ }
+}
+
diff --git a/nginx/sites-available/pc.conf b/nginx/sites-available/pc.conf
new file mode 100644
index 0000000..65f67c0
--- /dev/null
+++ b/nginx/sites-available/pc.conf
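Review bot: `error_log /var/log/nginx/${env}_error.log;` will not do what `set $env pc-dev;` intends: unlike `access_log`, the `error_log` directive does not expand variables, so nginx creates a file literally named `${env}_error.log`, and pc.conf's identical line then writes the production errors into that same file. Spell the path out, `error_log /var/log/nginx/pc-dev_error.log;`, and keep `${env}` only where nginx evaluates it (`access_log`, `alias`, `uwsgi_pass`); note that an `access_log` path with a variable is reopened for every request unless `open_log_file_cache` is set. `try_files @fake @application;` works only because `$document_root/@fake` never exists; putting `include uwsgi_params; uwsgi_pass unix:/run/uwsgi.${env}/socket;` directly in `location /` says the same thing without the placeholder. The same points apply to pc.conf below.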
@@ -0,0 +1,76 @@
+server {
+ set $env pc;
+
+ listen [::]:80;
+ listen *:80;
+
+# server_name dev.planet-casio.com;
+ server_name v5.planet-casio.com;
+
+ include common.conf;
+
+ access_log /var/log/nginx/${env}_access.log;
+ error_log /var/log/nginx/${env}_error.log;
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ set $env pc;
+
+ listen [::]:443 ssl http2;
+ listen *:443 ssl http2;
+
+# server_name dev.planet-casio.com;
+ server_name v5.planet-casio.com;
+
+ include common.conf;
+ include ssl.conf;
+
+ ssl_certificate /etc/dehydrated/certs/v5.planet-casio.com/fullchain.pem;
+ ssl_certificate_key /etc/dehydrated/certs/v5.planet-casio.com/privkey.pem;
+
+ access_log /var/log/nginx/${env}_access.log;
+ error_log /var/log/nginx/${env}_error.log;
+
+ root /home/pc-dev/www;
+
+ # Serve files from /static as static files
+ location /static {
+ alias /home/${env}/www/app/static;
+ try_files $uri =404;
+ expires 7d;
+ add_header Cache-Control "public";
+ include gzip.conf;
+ }
+
+ # Serve avatars
+ location /avatar {
+ alias /home/${env}/data/avatars;
+ try_files $uri /default_avatar.png;
+ expires max;
+ add_header Cache-Control "public";
+ include gzip.conf;
+ }
+
+ # Serve files
+ location /fichiers {
+ alias /home/${env}/data/fichiers;
+ try_files $uri =404;
+ expires 7d;
+ add_header Cache-Control "public";
+ include gzip.conf;
+ }
+
+ # Pass everything else to the application
+ location / {
+ try_files @fake @application;
+ }
+
+ location @application {
+ include uwsgi_params;
+ uwsgi_pass unix:/run/uwsgi.${env}/socket;
+ }
+}
diff --git a/nginx/ssl.conf b/nginx/ssl.conf
new file mode 100644
index 0000000..34eb42d
--- /dev/null
+++ b/nginx/ssl.conf
@@ -0,0 +1,8 @@
+ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_ciphers 'ECDHE+CHACHA20:ECDHE+AESGCM';
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 5m;
+ssl_dhparam /etc/ssl/ssl.dh/dhparam.pem;
+ssl_stapling on;
+ssl_stapling_verify on;
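Review bot: pc.conf is the production site (`set $env pc;`) yet its document root is `root /home/pc-dev/www;`, carried over from pc-dev.conf, while the `/static`, `/avatar` and `/fichiers` aliases resolve `/home/${env}/...` to `/home/pc/...` — so the root and the aliases point at two different trees. `root /home/${env}/www;` (or the literal `/home/pc/www`) keeps them together. pc.conf and pc-dev.conf also declare the same `server_name v5.planet-casio.com` and the same certificate on the same ports; if both are ever linked into sites-enabled nginx warns about a conflicting server name and routes every request to whichever loads first, which presumably means only one is meant to be enabled at a time — a one-line comment at the top of each file saying so would spare the next operator that discovery.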
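Review bot: `ssl_stapling on;` together with `ssl_stapling_verify on;` in ssl.conf needs two things this patch does not provide: a `resolver` (nginx.conf sets none) so nginx can look up the OCSP responder named in the certificate, and `ssl_trusted_certificate` pointing at the issuer chain so the stapled response can be verified — without them nginx warns at load time and serves no staple, so both directives are inert. A `resolver` line in nginx.conf naming the host's local resolver, plus `ssl_trusted_certificate /etc/dehydrated/certs/<SITE>/chain.pem;` beside each `ssl_certificate` (dehydrated writes `chain.pem` next to `fullchain.pem`), would make stapling actually work. With an ECDHE-only `ssl_ciphers` list and TLS 1.2/1.3 only, `ssl_dhparam` is never consulted; harmless, but it can go. Session tickets default to on and their key changes only when nginx is reloaded, which undermines forward secrecy on long-running workers; `ssl_session_tickets off;` is the usual companion to a shared session cache.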