commit cf41358c4c9eb1aa6ff8220d3cf32431f22c5ff0 Author: root Date: Tue Jun 24 15:47:45 2025 +0200 Inital Commit diff --git a/sites-available/activesync.conf b/sites-available/activesync.conf new file mode 100644 index 0000000..e664da0 --- /dev/null +++ b/sites-available/activesync.conf @@ -0,0 +1,54 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/activesync/ levels=1:2 keys_zone=my_cache_activesync:10m max_size=10g + inactive=60m use_temp_path=off; + +server{ + listen 80; + server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de; + return 301 https://$server_name/webapp$request_uri; + +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/activesync.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/activesync.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de; + + access_log /var/log/nginx/owa-access_log; + error_log /var/log/nginx/owa-error_log; + + + set $upstream 10.0.0.21; + + location /Microsoft-Server-ActiveSync { + + proxy_cache my_cache_activesync; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass https://$upstream; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } +} + 
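Review bot: `location /Microsoft-Server-ActiveSync` enables `proxy_cache my_cache_activesync` on a per-mailbox, credential-protected endpoint, and nginx's default cache key (`$scheme$proxy_host$request_uri`) ignores the request's `Authorization` header, so two users syncing the same URI share one cache slot. With no `proxy_cache_valid` here only responses the upstream marks fresh (`Expires`/`Cache-Control: max-age`) are stored, so whether anything actually crosses accounts depends on what 10.0.0.21 sends, but the file offers no guard; add `proxy_no_cache $http_authorization; proxy_cache_bypass $http_authorization;` or, simpler, remove the `proxy_cache*` lines for this path. `proxy_pass_header Authorization` does not help: it controls an upstream *response* header, while the request header is forwarded to the upstream regardless. Separately, the port-80 server's `return 301 https://$server_name/webapp$request_uri;` always redirects to the first listed name (`owa.egonetix.de`, since `$server_name` expands to the first entry) and onto a `/webapp` prefix that no location in the HTTPS server handles, so HTTP visitors of all three names land on a URL this file cannot serve.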
diff --git a/sites-available/blog.conf b/sites-available/blog.conf new file mode 100644 index 0000000..342eed9 --- /dev/null +++ b/sites-available/blog.conf @@ -0,0 +1,58 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +#proxy_cache_path /tmp/blog levels=1:2 keys_zone=my_cache_blog:10m max_size=10g +# inactive=60m use_temp_path=off; + + +server{ + listen 80; + server_name blog.egonetix.de; + return 301 https://$server_name/$request_uri; + +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/blog.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/blog.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name blog.egonetix.de; + access_log /var/log/nginx/blog-access_log; + error_log /var/log/nginx/blog-error_log; + + set $upstream 10.0.0.48; + + location / { + +# proxy_cache my_cache_blog; +# proxy_cache_revalidate on; +# proxy_cache_min_uses 3; +# proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; +# proxy_cache_lock on; +# proxy_pass_header Authorization; + proxy_pass http://$upstream:8083; +# proxy_set_header Host $host; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# proxy_http_version 1.1; +# proxy_set_header Connection ""; +# proxy_buffering off; +# client_max_body_size 0; +# proxy_read_timeout 36000s; +# proxy_redirect off; +# proxy_ssl_session_reuse off; + +proxy_set_header Host $host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; + + } + +} diff --git a/sites-available/chat.conf b/sites-available/chat.conf new file mode 100644 index 0000000..cc3dde6 --- /dev/null +++ b/sites-available/chat.conf 
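Review bot: The port-80 redirect `return 301 https://$server_name/$request_uri;` produces a double slash, because `$request_uri` already begins with `/`, so `http://blog.egonetix.de/foo` is sent to `https://blog.egonetix.de//foo`; use `return 301 https://$server_name$request_uri;` as most other site files in this commit do. The HTTPS block also keeps seventeen commented-out `proxy_*` directives that duplicate the four live `proxy_set_header` lines below them; dead configuration should be removed rather than kept, since a reader cannot tell whether the cache block is planned or abandoned. If the cache is meant to come back, note that `proxy_cache_path` is commented out too, so uncommenting `proxy_cache my_cache_blog` alone would fail `nginx -t` with an unknown zone.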
@@ -0,0 +1,59 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + + +server{ + listen 10.0.0.48:80; + server_name chat.egonetix.de; + return 301 https://$server_name$request_uri; + # set $upstream 10.0.0.40; + #location /_matrix/ { +# + # proxy_pass http://$upstream:8008/; + # proxy_http_version 1.1; + # proxy_set_header Upgrade $http_upgrade; + # proxy_set_header Connection "upgrade"; + # proxy_set_header Host $http_host; +# + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forward-For $proxy_add_x_forwarded_for; + # proxy_set_header X-Forward-Proto http; + # proxy_set_header X-Nginx-Proxy true; +# + # proxy_redirect off; + +#} +} + +server { + listen 10.0.0.48:443 ssl; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/chat.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/chat.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name chat.egonetix.de; + access_log /var/log/nginx/chat-access.log; + error_log /var/log/nginx/chat-error.log; + + set $upstream 10.0.0.48; + + location /_matrix { + + proxy_pass http://$upstream:8008; + proxy_set_header X-Forwarded-For $remote_addr; + # proxy_http_version 1.1; + # proxy_set_header Upgrade $http_upgrade; + # proxy_set_header Connection "upgrade"; + # proxy_set_header Host $http_host; + + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forward-For $proxy_add_x_forwarded_for; + # proxy_set_header X-Forward-Proto http; + # proxy_set_header X-Nginx-Proxy true; + # proxy_ssl_session_reuse off; + # proxy_redirect off; + } +} diff --git a/sites-available/default b/sites-available/default new file mode 100644 index 0000000..7cd6403 --- /dev/null +++ b/sites-available/default 
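Review bot: The live `/_matrix` location sets only `X-Forwarded-For $remote_addr` and neither `Host` nor `X-Forwarded-Proto`, so the homeserver on 10.0.0.48:8008 sees `Host: 10.0.0.48:8008` and a plain-HTTP request, and any absolute URL it derives from those will be wrong; the commented block right below already has the intended `proxy_set_header Host $http_host;`, and `proxy_set_header X-Forwarded-Proto https;` should join it. The `$remote_addr` assignment also differs from every other file in this commit, which append with `$proxy_add_x_forwarded_for`; pick one convention (overwrite is only right when nothing sits in front of this host). This HTTPS server is the only one in the set without `Strict-Transport-Security` and without `http2` on the listener, which looks like an oversight rather than a decision. The two commented-out `proxy_*` blocks (note the misspelt `X-Forward-For`/`X-Forward-Proto` in them) should be deleted rather than left for the next maintainer to guess at.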
@@ -0,0 +1,90 @@ +## +# You should look at the following URL's in order to grasp a solid understanding +# of Nginx configuration files in order to fully unleash the power of Nginx. +# http://wiki.nginx.org/Pitfalls +# http://wiki.nginx.org/QuickStart +# http://wiki.nginx.org/Configuration +# +# Generally, you will want to move this file somewhere, and start with a clean +# file but keep this around for reference. Or just disable in sites-enabled. +# +# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. +## + +# Default server configuration +# +server { + listen 80 default_server; + listen [::]:80 default_server; + + # SSL configuration + # + # listen 443 ssl default_server; + # listen [::]:443 ssl default_server; + # + # Note: You should disable gzip for SSL traffic. + # See: https://bugs.debian.org/773332 + # + # Read up on ssl_ciphers to ensure a secure configuration. + # See: https://bugs.debian.org/765782 + # + # Self signed certs generated by the ssl-cert package + # Don't use them in a production server! + # + # include snippets/snakeoil.conf; + + location /.well-known { + alias /var/www/sub.domain.com/.well-known; + } + + root /var/www/html; + + # Add index.php to the list if you are using PHP + index index.html index.htm index.nginx-debian.html; + + server_name _; + + location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. 
+ try_files $uri $uri/ =404; + } + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # include snippets/fastcgi-php.conf; + # + # # With php7.0-cgi alone: + # fastcgi_pass 127.0.0.1:9000; + # # With php7.0-fpm: + # fastcgi_pass unix:/run/php/php7.0-fpm.sock; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} +} + + +# Virtual Host configuration for example.com +# +# You can move that to a different file under sites-available/ and symlink that +# to sites-enabled/ to enable it. +# +#server { +# listen 80; +# listen [::]:80; +# +# server_name example.com; +# +# root /var/www/example.com; +# index index.html; +# +# location / { +# try_files $uri $uri/ =404; +# } +#} diff --git a/sites-available/default.dpkg-dist b/sites-available/default.dpkg-dist new file mode 100644 index 0000000..c5af914 --- /dev/null +++ b/sites-available/default.dpkg-dist 
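Review bot: `location /.well-known { alias /var/www/sub.domain.com/.well-known; }` is the classic nginx alias traversal: because neither the location prefix nor the alias path ends in `/`, a request for `/.well-known../x` maps to `/var/www/sub.domain.com/.well-known../x`, i.e. `/var/www/sub.domain.com/x`, letting any file under that directory be read through this `default_server`. Make both ends of the mapping a directory, `location /.well-known/ { alias /var/www/sub.domain.com/.well-known/; }`, and since this server answers every name not matched elsewhere, consider whether it should serve anything at all. `/var/www/sub.domain.com` also reads like a copied placeholder; the Let's Encrypt hosts in the other files presumably have a real challenge directory, so confirm the path. The rest of the file is the Debian stock default.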
@@ -0,0 +1,91 @@ +## +# You should look at the following URL's in order to grasp a solid understanding +# of Nginx configuration files in order to fully unleash the power of Nginx. +# https://www.nginx.com/resources/wiki/start/ +# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ +# https://wiki.debian.org/Nginx/DirectoryStructure +# +# In most cases, administrators will remove this file from sites-enabled/ and +# leave it as reference inside of sites-available where it will continue to be +# updated by the nginx packaging team. +# +# This file will automatically load configuration files provided by other +# applications, such as Drupal or Wordpress. These applications will be made +# available underneath a path with that package name, such as /drupal8. +# +# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. +## + +# Default server configuration +# +server { + listen 80 default_server; + listen [::]:80 default_server; + + # SSL configuration + # + # listen 443 ssl default_server; + # listen [::]:443 ssl default_server; + # + # Note: You should disable gzip for SSL traffic. + # See: https://bugs.debian.org/773332 + # + # Read up on ssl_ciphers to ensure a secure configuration. + # See: https://bugs.debian.org/765782 + # + # Self signed certs generated by the ssl-cert package + # Don't use them in a production server! + # + # include snippets/snakeoil.conf; + + root /var/www/html; + + # Add index.php to the list if you are using PHP + index index.html index.htm index.nginx-debian.html; + + server_name _; + + location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. 
+ try_files $uri $uri/ =404; + } + + # pass PHP scripts to FastCGI server + # + #location ~ \.php$ { + # include snippets/fastcgi-php.conf; + # + # # With php-fpm (or other unix sockets): + # fastcgi_pass unix:/run/php/php7.4-fpm.sock; + # # With php-cgi (or other tcp sockets): + # fastcgi_pass 127.0.0.1:9000; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} +} + + +# Virtual Host configuration for example.com +# +# You can move that to a different file under sites-available/ and symlink that +# to sites-enabled/ to enable it. +# +#server { +# listen 80; +# listen [::]:80; +# +# server_name example.com; +# +# root /var/www/example.com; +# index index.html; +# +# location / { +# try_files $uri $uri/ =404; +# } +#} diff --git a/sites-available/dudle.conf b/sites-available/dudle.conf new file mode 100644 index 0000000..0964db3 --- /dev/null +++ b/sites-available/dudle.conf 
@@ -0,0 +1,52 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/dudle/ levels=1:2 keys_zone=my_cache_dudle:10m max_size=10g + inactive=60m use_temp_path=off; +server{ +listen 80; +server_name dudle.egonetix.de; +return 301 https://$server_name$request_uri; +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/dudle.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/dudle.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name dudle.egonetix.de; + + access_log /var/log/nginx/dudle-access_log; + error_log /var/log/nginx/dudle-error_log; + + set $upstream 10.0.0.13; + + + location / { + + proxy_cache my_cache_dudle; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass http://$upstream:8088; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } + +} diff --git a/sites-available/email.conf b/sites-available/email.conf new file mode 100644 index 0000000..a5235dd --- /dev/null +++ b/sites-available/email.conf 
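Review bot: `client_max_body_size 0` together with `proxy_buffering off` and `proxy_read_timeout 36000s` in `location /` removes every size and time bound between an anonymous internet client and the poll service on 10.0.0.13:8088: a request body of any length is streamed straight through, and a stalled upstream response may keep a connection open for ten hours between reads. Unless dudle genuinely needs unbounded uploads, set real limits, e.g. `client_max_body_size 10m; proxy_read_timeout 300s;`. `proxy_ssl_session_reuse off` has no effect on an `http://` upstream and can go. The same directives are copied verbatim into nearly every file in this commit, which suggests a shared snippet (`include snippets/proxy-common.conf;`) would be safer than editing fifteen copies.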
@@ -0,0 +1,146 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/email/ levels=1:2 keys_zone=my_cache_email:10m max_size=10g + inactive=60m use_temp_path=off; + + +server{ + listen 80; + server_name email.egonetix.de autodiscover.egonetix.de mail.egonetix.de; + return 301 https://$server_name/webapp$request_uri; + +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/email.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/email.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name email.egonetix.de autodiscover.egonetix.de mail.egonetix.de; + + access_log /var/log/nginx/email-access_log; + error_log /var/log/nginx/email-error_log; + + + set $upstream 10.0.0.23; + +rewrite ^/$ /egroupware; + + location /egroupware { + + proxy_cache my_cache_email; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass https://$upstream; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; +} + location /Microsoft-Server-ActiveSync { + proxy_cache my_cache_email; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass https://$upstream; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } + + location ~* /Autodiscover/Autodiscover.xml { + access_log /var/log/nginx/z-push-autodiscover-access.log; + error_log /var/log/nginx/z-push-autodiscover-error.log; + fastcgi_param SCRIPT_FILENAME /usr/share/z-push/autodiscover/autodiscover.php; + fastcgi_param HTTP_PROXY ""; # Mitigate https://httpoxy.org/ vulnerabilities + fastcgi_read_timeout 3660; # Z-Push Ping might run 3600s, but to be safe + fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock; + include fastcgi_params; + proxy_cache my_cache_email; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass https://$upstream; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; +} + + location /email { + proxy_cache my_cache_email; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass https://$upstream; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } + + location /caldav { + proxy_cache my_cache_email; + 
proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass http://$upstream:8080; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } + +} + diff --git a/sites-available/essen.conf b/sites-available/essen.conf new file mode 100644 index 0000000..1b4c5a9 --- /dev/null +++ b/sites-available/essen.conf 
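Review bot: `location ~* /Autodiscover/Autodiscover.xml` combines `fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock` with `proxy_pass https://$upstream`, but nginx installs only one content handler per location, the last one parsed; since `proxy_pass` comes later, the FastCGI directives, the z-push `SCRIPT_FILENAME` and the httpoxy `HTTP_PROXY ""` mitigation are most likely dead and the request is simply proxied to 10.0.0.23 like the others (worth confirming with a test request, because `nginx -t` will not complain). Decide which backend answers Autodiscover and delete the other half. The server-level `rewrite ^/$ /egroupware;` applies to all three names, including `autodiscover.egonetix.de` and `mail.egonetix.de`, which is probably unintended for the non-webmail hosts. This file also claims `autodiscover.egonetix.de` and `mail.egonetix.de` on the same `10.0.0.29:443` listener as activesync.conf; if both files are enabled nginx warns about the conflicting names and ignores one, so exactly one file should own them.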
@@ -0,0 +1,51 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/essen/ levels=1:2 keys_zone=my_cache_essen:10m max_size=10g + inactive=60m use_temp_path=off; +server{ +listen 80; +server_name essen.egonetix.de; +return 301 https://$server_name$request_uri; +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/essen.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/essen.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name essen.egonetix.de; + + access_log /var/log/nginx/essen-access_log; + error_log /var/log/nginx/essen-error_log; + + set $upstream 10.0.0.48; + + + location / { + + proxy_cache my_cache_essen; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass http://$upstream:8090; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + } + +} diff --git a/sites-available/gitea.conf b/sites-available/gitea.conf new file mode 100644 index 0000000..eef3d6a --- /dev/null +++ b/sites-available/gitea.conf 
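Review bot: The HTTPS server never sends the `X-Robots-Tag` header defined on the first line of the file, because nginx inherits `add_header` from the enclosing level only when the current level defines no `add_header` of its own, and this server block defines `Strict-Transport-Security`; only the port-80 redirect inherits it. Repeat the header inside the server, `add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive" always;` next to the HSTS line, or move both into a snippet that each server `include`s. The same pattern recurs in every other site file of this commit. While there, `ssl on;` has been deprecated since 1.15.0 in favour of the `ssl` parameter already present on `listen`, and newer releases reject it; drop it here and in the sibling files.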
@@ -0,0 +1,51 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/gitea/ levels=1:2 keys_zone=my_cache_gitea:10m max_size=10g + inactive=60m use_temp_path=off; +server{ + listen 80; + server_name gitea.egonetix.de; + return 301 https://$server_name/gitea$request_uri; +} + + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/gitea.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/gitea.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name gitea.egonetix.de; + + access_log /var/log/nginx/gitea-access_log; + error_log /var/log/nginx/gitea-error_log; + + set $upstream 10.0.0.48; + + location / { + + proxy_cache my_cache_gitea; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass http://$upstream:4000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } +} diff --git a/sites-available/helferlein.conf b/sites-available/helferlein.conf new file mode 100644 index 0000000..771f153 --- /dev/null +++ b/sites-available/helferlein.conf 
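Review bot: `proxy_cache my_cache_gitea` is turned on for `location /` of a Git host whose content is mostly per-user and authenticated, and the default cache key (`$scheme$proxy_host$request_uri`) ignores both the `Authorization` header and cookies. With no `proxy_cache_valid` here nginx stores only responses the upstream explicitly marks fresh, so whether anything leaks depends on Gitea's own `Cache-Control` choices, but the file gives no guard; add `proxy_no_cache $http_authorization $http_cookie; proxy_cache_bypass $http_authorization $http_cookie;` or drop caching for this site entirely. `proxy_pass_header Authorization` does not address this: it only lets an upstream *response* header of that name through to the client. The `/gitea` prefix in the port-80 redirect implies a sub-path install that must match Gitea's `ROOT_URL`; that setting is outside this change, so confirm it.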
@@ -0,0 +1,58 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +#proxy_cache_path /tmp/helferlein levels=1:2 keys_zone=my_cache_helferlein:10m max_size=10g +# inactive=60m use_temp_path=off; + + +server{ + listen 80; + server_name helferlein.egonetix.de; + return 301 https://$server_name/$request_uri; + +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/helferlein.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/helferlein.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name helferlein.egonetix.de; + access_log /var/log/nginx/helferlein-access_log; + error_log /var/log/nginx/helferlein-error_log; + + set $upstream 10.0.0.48; + + location / { + +# proxy_cache my_cache_helferlein; +# proxy_cache_revalidate on; +# proxy_cache_min_uses 3; +# proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; +# proxy_cache_lock on; +# proxy_pass_header Authorization; + proxy_pass http://$upstream:8082; +# proxy_set_header Host $host; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# proxy_http_version 1.1; +# proxy_set_header Connection ""; +# proxy_buffering off; +# client_max_body_size 0; +# proxy_read_timeout 36000s; +# proxy_redirect off; +# proxy_ssl_session_reuse off; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + } + +} diff --git a/sites-available/hoarder.conf b/sites-available/hoarder.conf new file mode 100644 index 0000000..0dbe5c4 --- /dev/null +++ b/sites-available/hoarder.conf 
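Review bot: `return 301 https://$server_name/$request_uri;` doubles the slash (`$request_uri` already starts with `/`), so every HTTP visit is redirected to `https://helferlein.egonetix.de//…`; the fix is `return 301 https://$server_name$request_uri;`. The live block proxies to 10.0.0.48:8082 with nginx's default `proxy_http_version 1.0`, because the `1.1` line was commented out together with the rest of the cache block; if the application needs keep-alive or chunked request bodies, restore `proxy_http_version 1.1;` and `proxy_set_header Connection "";` on their own, without the cache directives. The commented-out block itself (seventeen lines that duplicate the four live `proxy_set_header` lines) should be deleted; version control keeps the history.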
@@ -0,0 +1,52 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/hoarder/ levels=1:2 keys_zone=my_cache_hoarder:10m max_size=10g + inactive=60m use_temp_path=off; +server{ +listen 80; +server_name hoarder.egonetix.de; +return 301 https://$server_name$request_uri; +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/hoarder.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/hoarder.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name hoarder.egonetix.de; + + access_log /var/log/nginx/hoarder-access_log; + error_log /var/log/nginx/hoarder-error_log; + + set $upstream 10.0.0.48; + + + location / { + + proxy_cache my_cache_hoarder; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass http://$upstream:8084; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } + +} diff --git a/sites-available/homematic.conf b/sites-available/homematic.conf new file mode 100644 index 0000000..d1be8bd --- /dev/null +++ b/sites-available/homematic.conf 
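Review bot: `proxy_cache_path /tmp/hoarder/ … max_size=10g` puts up to 10 GB of cached upstream responses under `/tmp`, and this commit defines a separate 10 GB zone there for almost every site; if `/tmp` is a tmpfs that budget competes with RAM, and anything that purges `/tmp` silently empties a cache that holds responses of an authenticated application. Use a dedicated directory such as `/var/cache/nginx/hoarder` and a `max_size` sized to the disk that actually backs it. Unrelated but in the same location: `proxy_ssl_session_reuse off` is meaningless for an `http://` upstream, and `proxy_pass_header Authorization` acts on an upstream response header, not on the client's request header, so both lines can be removed without changing behaviour.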
@@ -0,0 +1,52 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/homematic/ levels=1:2 keys_zone=my_cache_homematic:10m max_size=10g + inactive=60m use_temp_path=off; +server{ +listen 80; +server_name homematic.egonetix.de; +return 301 https://$server_name$request_uri; +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/homematic.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/homematic.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name homematic.egonetix.de; + + access_log /var/log/nginx/homematic-access_log; + error_log /var/log/nginx/homematic-error_log; + + set $upstream 172.20.20.51; + + location / { + + proxy_cache my_cache_homematic; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass https://$upstream; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering on; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + auth_basic "Username and Password Required"; + auth_basic_user_file /etc/nginx/.htpasswd; + + } +} diff --git a/sites-available/imap.conf b/sites-available/imap.conf new file mode 100644 index 0000000..422b839 --- /dev/null +++ b/sites-available/imap.conf 
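Review bot: The `auth_basic` credentials entered for this site are forwarded to the CCU at 172.20.20.51, because nginx passes the client's `Authorization` request header to the upstream unless told otherwise; add `proxy_set_header Authorization "";` after the `auth_basic_user_file` line so the gateway password never leaves the proxy. `proxy_pass https://172.20.20.51` is also made without `proxy_ssl_verify on`, which nginx leaves off by default, so any host on that 172.20.20.0/24 segment presenting any certificate can impersonate the device; if the CCU only has a self-signed certificate, trust that one via `proxy_ssl_trusted_certificate` rather than skipping verification. Because the access phase runs before the content handler, `proxy_cache my_cache_homematic` does not bypass the basic auth, but `proxy_cache_use_stale … http_500 http_502 http_503 http_504` can hide a failing device behind a stale page; caching a device control UI buys little and I would remove the `proxy_cache*` lines here.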
@@ -0,0 +1,33 @@
+
+mail {
+ server_name mail.egonetix.de;
+ auth_http localhost:9000/cgi-bin/nginxauth.cgi;
+
+ proxy_pass_error_message on;
+
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/imap.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/imap.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ server {
+ listen 25;
+ protocol smtp;
+ smtp_auth login plain cram-md5;
+ }
+
+ server {
+ listen 110;
+ protocol pop3;
+ pop3_auth plain apop cram-md5;
+}
+
+ server {
+ listen 143;
+ protocol imap;
+ }
+}
diff --git a/sites-available/jitsi.conf b/sites-available/jitsi.conf
new file mode 100644
index 0000000..9281222
--- /dev/null
+++ b/sites-available/jitsi.conf
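Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` re-enables TLS 1.0 and 1.1, which RFC 8996 deprecated and which current nginx builds no longer enable by default; change it to `ssl_protocols TLSv1.2 TLSv1.3;` and pair it with a cipher list that excludes non-PFS RSA key exchange rather than `HIGH:!aNULL:!MD5`. The three `server` blocks listen on the plaintext ports 25, 110 and 143 and allow `login`, `plain` and `apop`, but none sets `starttls on` (or `starttls only`), and `ssl on` at `mail` level is the deprecated form of `listen … ssl`; depending on the nginx version either every listener becomes implicit-TLS on a port clients expect to be plaintext, or the directive is ignored and these credentials travel in the clear. Make the intent explicit per listener, e.g. `listen 143; protocol imap; starttls only;` for opportunistic TLS or `listen 993 ssl;` for implicit TLS. `auth_http localhost:9000/…` receives the user's password in the `Auth-Pass` header over plain HTTP; that is acceptable on loopback, so confirm port 9000 is bound to 127.0.0.1 only.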
@@ -0,0 +1,51 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/jitsi/ levels=1:2 keys_zone=my_cache_jitsi:10m max_size=10g + inactive=60m use_temp_path=off; +server{ +listen 80; +server_name jitsi.egonetix.de; +return 301 https://$server_name$request_uri; +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/jitsi.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/jitsi.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name jitsi.egonetix.de; + + access_log /var/log/nginx/jitsi-access_log; + error_log /var/log/nginx/jitsi-error_log; + + set $upstream 10.0.0.48; + + location / { + + proxy_cache my_cache_jitsi; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass http://$upstream:8000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + } + +} diff --git a/sites-available/kontakt_luftglanz.conf b/sites-available/kontakt_luftglanz.conf new file mode 100644 index 0000000..474725b --- /dev/null +++ b/sites-available/kontakt_luftglanz.conf 
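Review bot: `location /` forces `proxy_set_header Connection "";` for everything sent to 10.0.0.48:8000, which strips the WebSocket handshake; if the Jitsi front end behind that port uses its `/xmpp-websocket` and `/colibri-ws/` endpoints (the stock deployment does), they cannot be established through this proxy and clients degrade to BOSH or fail. Add a dedicated location that forwards `Upgrade` before the catch-all, in the same shape as the `/ws` block kontakt_luftglanz.conf uses in this commit. `proxy_cache` with `proxy_cache_min_uses 3` on a conferencing UI is at best useless and will confuse debugging; drop the cache directives here.
```nginx
    # … unchanged: location / with the cache, header and timeout directives …
    location ~ ^/(xmpp-websocket|colibri-ws/) {
        proxy_pass http://$upstream:8000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
```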
@@ -0,0 +1,68 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/luftglanz/ levels=1:2 keys_zone=my_cache_luftglanz:10m max_size=10g + inactive=60m use_temp_path=off; + +server { + listen 80; + server_name kontakt.luftglanz.de; + return 301 https://$server_name/luftglanz$request_uri; +} + +server { + listen 10.0.0.29:443 ssl http2; + server_name kontakt.luftglanz.de; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + ssl_certificate /etc/letsencrypt/live/kontakt.luftglanz.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/kontakt.luftglanz.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + access_log /var/log/nginx/luftglanz-access_log; + error_log /var/log/nginx/luftglanz-error_log; + + set $upstream 10.0.0.48; + + location / { + proxy_cache my_cache_luftglanz; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + + proxy_pass http://$upstream:8100; + proxy_http_version 1.1; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header Connection $http_connection; + + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + + # Optional HTTP Basic Auth + # auth_basic "Username and Password Required"; + # auth_basic_user_file /etc/nginx/.htpasswd; + } + + location /ws { + proxy_pass http://$upstream:8100; + proxy_http_version 1.1; + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + 
proxy_set_header X-Forwarded-Proto https; + } +} + diff --git a/sites-available/mailgw.conf b/sites-available/mailgw.conf new file mode 100644 index 0000000..f06d09f --- /dev/null +++ b/sites-available/mailgw.conf @@ -0,0 +1,54 @@ +add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; + +proxy_cache_path /tmp/mailgw/ levels=1:2 keys_zone=my_cache_mailgw:10m max_size=10g + inactive=60m use_temp_path=off; + +server{ + listen 80; + server_name srvmailgw02.egonetix.de; + return 301 https://$server_name$request_uri; +} + +server { + listen 10.0.0.29:443 ssl http2; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # SSL config + ssl on; + ssl_certificate /etc/letsencrypt/live/srvmailgw02.egonetix.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/srvmailgw02.egonetix.de/privkey.pem; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Make site accessible from http://localhost/ + server_name srvmailgw02.egonetix.de; + + access_log /var/log/nginx/mailgw-access_log; + error_log /var/log/nginx/mailgw-error_log; + + set $upstream 10.0.0.37; + + location / { + + proxy_cache my_cache_mailgw; + proxy_cache_revalidate on; + proxy_cache_min_uses 3; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + proxy_cache_lock on; + proxy_pass_header Authorization; + proxy_pass https://$upstream:8006; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_redirect off; + proxy_ssl_session_reuse off; + #auth_basic "Username and Password Required"; + #auth_basic_user_file /etc/nginx/.htpasswd; + + } + +} diff --git a/sites-available/mailgw03.conf b/sites-available/mailgw03.conf new file mode 100644 index 0000000..dc6e82a --- /dev/null +++ b/sites-available/mailgw03.conf 
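Review bot: `location /` removes every request-size limit with `client_max_body_size 0` and streams bodies unbuffered to 10.0.0.48:8100, on a host whose name (`kontakt`) suggests a public contact form; an anonymous client can push an arbitrarily large POST straight into the application. Set a limit that matches the largest legitimate submission, e.g. `client_max_body_size 2m;`, and consider `limit_req` for the form endpoint. The `/ws` location correctly forwards the WebSocket handshake and, sensibly, has no `proxy_cache`, but the parent `location /` caches with a default key that ignores credentials; with no `proxy_cache_valid` only explicitly cacheable responses are stored, so this is latent rather than active, and `proxy_no_cache $http_authorization;` would make the intent explicit. Passing `Connection $http_connection` verbatim under `proxy_http_version 1.1` also hands the client's hop-by-hop header to the upstream; `proxy_set_header Connection "";` (as the sibling files do) is the usual choice for non-WebSocket traffic.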
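Review bot: `proxy_pass https://$upstream:8006` exposes whatever listens on 10.0.0.37:8006 to the internet under `srvmailgw02.egonetix.de` with the `auth_basic` lines commented out and no `allow`/`deny` list; 8006 is the default port of the Proxmox VE and Proxmox Mail Gateway web consoles, and if that is what this is, a management UI is reachable with only the application's own login in front of it. Re-enable `auth_basic` or restrict the location with `allow 10.0.0.0/24; deny all;`, and add `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` for the upstream, since nginx does not verify upstream certificates by default. Those consoles' shell and noVNC sessions are WebSockets, which `proxy_set_header Connection ""` breaks; they need an `Upgrade`-forwarding location like the `/ws` block in kontakt_luftglanz.conf. `proxy_cache` in front of a management UI should simply be removed.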
@@ -0,0 +1,54 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/mailgw03/ levels=1:2 keys_zone=my_cache_mailgw03:10m max_size=10g
+ inactive=60m use_temp_path=off;
+
+server{
+ listen 80;
+ server_name srvmailgw03.egonetix.de;
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/srvmailgw03.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/srvmailgw03.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name srvmailgw03.egonetix.de;
+
+ access_log /var/log/nginx/mailgw03-access_log;
+ error_log /var/log/nginx/mailgw03-error_log;
+
+ set $upstream 10.0.0.37;
+
+ location / {
+
+ proxy_cache my_cache_mailgw;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream:8006;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+ #auth_basic "Username and Password Required";
+ #auth_basic_user_file /etc/nginx/.htpasswd;
+
+ }
+
+}
diff --git a/sites-available/matrix.conf b/sites-available/matrix.conf
new file mode 100644
index 0000000..45df521
--- /dev/null
+++ b/sites-available/matrix.conf
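Review bot: `proxy_cache my_cache_mailgw;` in `location /` references the zone declared in mailgw.conf, while this file declares `keys_zone=my_cache_mailgw03`; if mailgw.conf is not enabled nginx refuses to start with an unknown cache zone, and if it is, both hosts share one cache under the same key space. Change the line to `proxy_cache my_cache_mailgw03;`. Since the two files differ only in host name, log name and zone, a shared `include` snippet for the `location /` body would keep them from drifting further apart.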
@@ -0,0 +1,52 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+
+server{
+ listen 10.0.0.29:80;
+ server_name matrix.egonetix.de;
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 http2 ssl;
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/matrix.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/matrix.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name matrix.egonetix.de;
+ access_log /var/log/nginx/matrix-access.log;
+ error_log /var/log/nginx/matrix-error.log;
+
+ set $upstream 10.0.0.48;
+
+ location /_matrix {
+
+ proxy_pass http://$upstream:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+}
+
+server {
+ listen 10.0.0.29:8448 http2 ssl;
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/matrix.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/matrix.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name matrix.egonetix.de;
+ access_log /var/log/nginx/matrix-access.log;
+ error_log /var/log/nginx/matrix-error.log;
+
+ set $upstream 10.0.0.48;
+
+ location /_matrix {
+
+ proxy_pass http://$upstream:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+}
diff --git a/sites-available/nextcloud.conf b/sites-available/nextcloud.conf
new file mode 100644
index 0000000..1639031
--- /dev/null
+++ b/sites-available/nextcloud.conf
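Review bot: The two HTTPS `server` blocks are identical except for the port, and neither sets the HSTS header every other HTTPS site in this commit sends; collapse them into one block with `listen 10.0.0.29:443 ssl http2;` and `listen 10.0.0.29:8448 ssl http2;` and add `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`. The `/_matrix` location forwards only `X-Forwarded-For`; Synapse's reverse-proxy guidance (to be confirmed against the installed homeserver) also expects `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header Host $host;`, without which generated URLs and federation checks may carry the wrong scheme or host, and `client_max_body_size` is left at nginx's 1m default, which is below typical media-upload limits. `ssl on;` is deprecated and redundant with the `ssl` parameter on `listen`.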
@@ -0,0 +1,74 @@
+add_header X-Robots-Tag "no-referrer, noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/nextcloud/ levels=1:2 keys_zone=my_cache_nextcloud:10m max_size=10g
+ inactive=60m use_temp_path=off;
+
+server{
+ listen 80;
+ server_name nextcloud.egonetix.de;
+ return 301 https://$server_name/$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header Referrer-Policy "no-referrer" always;
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/nextcloud.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/nextcloud.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name nextcloud.egonetix.de;
+
+ access_log /var/log/nginx/nextcloud-access_log;
+ error_log /var/log/nginx/nextcloud-error_log;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ set $upstream 10.0.0.48;
+
+#rewrite ^/$ /nextcloud;
+
+ location / {
+
+ proxy_cache my_cache_nextcloud;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8089;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# add_header Referrer-Policy no-referrer;
+# proxy_set_header X-Forwarded-Proto https;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 20G;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ }
+
+location = /.well-known/carddav {
+return 301 $scheme://$host/remote.php/dav;
+}
+location = /.well-known/caldav {
+return 301 $scheme://$host/remote.php/dav;
+}
+}
+
diff --git a/sites-available/office.conf b/sites-available/office.conf
new file mode 100644
index 0000000..eb91597
--- /dev/null
+++ b/sites-available/office.conf
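Review bot: The server-level `proxy_set_header X-Forwarded-Proto $scheme;` never reaches the upstream from `location /`, because a location that sets any `proxy_set_header` of its own inherits none from the server level; move it into the location next to the other forwarded headers (office.conf has the same layout and the same problem). The location also sets no `Host` header, so the application sees nginx's default `$proxy_host`, i.e. `10.0.0.48:8089`, as its host; add `proxy_set_header Host $host;` unless the Nextcloud `overwritehost` setting already compensates, which cannot be seen from here. The http-level `X-Robots-Tag` value includes `no-referrer`, which is a Referrer-Policy value rather than a robots directive, and that header is in any case not emitted by this server block because the block adds its own headers.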
@@ -0,0 +1,62 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/office/ levels=1:2 keys_zone=my_cache_office:10m max_size=10g
+ inactive=60m use_temp_path=off;
+
+server{
+ listen 80;
+ server_name office.egonetix.de;
+ return 301 https://$server_name/$request_uri;
+
+ access_log /var/log/nginx/office-access_log;
+ error_log /var/log/nginx/office-error_log;
+
+
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+# SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/office.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/office.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name office.egonetix.de;
+
+ access_log /var/log/nginx/office-access_log;
+ error_log /var/log/nginx/office-error_log;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ set $upstream 10.0.0.48;
+
+# location /
+
+location ~ (/|/welcome|/healthcheck|/coauthoring|/ConvertService.ashx|/cache) {
+
+ proxy_cache my_cache_office;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream:9980;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Connection "";
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+}
+
diff --git a/sites-available/onlyoffice.conf_bakk b/sites-available/onlyoffice.conf_bakk
new file mode 100644
index 0000000..647e550
--- /dev/null
+++ b/sites-available/onlyoffice.conf_bakk
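Review bot: `location ~ (/|/welcome|/healthcheck|/coauthoring|/ConvertService.ashx|/cache)` is an unanchored regex whose first alternative `/` matches every URI, so the remaining alternatives are dead and the commented `# location /` above it would express the same thing without the false precision. The location sends `Connection ""` and no `Upgrade` header, so WebSocket sessions to the editor on port 9980 cannot be established through this proxy; if the upstream is Collabora or OnlyOffice (not determinable from the file) its `.../ws` endpoints need `proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade";` in a dedicated location. `proxy_pass https://$upstream:9980` also runs with the default `proxy_ssl_verify off`, and the server-level `X-Forwarded-Proto` is not inherited into a location that sets its own `proxy_set_header` directives.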
@@ -0,0 +1,88 @@
+upstream docservice {
+ server 10.0.0.34:4433;
+}
+
+map $http_host $this_host {
+ "" $host;
+ default $http_host;
+}
+
+map $http_x_forwarded_proto $the_scheme {
+ default $http_x_forwarded_proto;
+ "" $scheme;
+}
+
+map $http_x_forwarded_host $the_host {
+ default $http_x_forwarded_host;
+ "" $this_host;
+}
+
+map $http_upgrade $proxy_connection {
+ default upgrade;
+ "" close;
+}
+
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Forwarded-Host $the_host;
+proxy_set_header X-Forwarded-Proto $the_scheme;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+## Normal HTTP host
+server {
+ listen 0.0.0.0:80;
+ server_name onlyoffice.egonetix.de;
+ server_tokens off;
+
+ ## Redirects all traffic to the HTTPS host
+ root /nowhere; ## root doesn't have to be a valid path since we are redirecting
+ rewrite ^ https://$host$request_uri? permanent;
+}
+
+server {
+ listen 0.0.0.0:443 ssl;
+ server_name onlyoffice.egonetix.de;
+ server_tokens off;
+ root /usr/share/nginx/html;
+
+ ## Strong SSL Security
+ ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/egonetix.de/privkey.pem;
+
+ ssl_verify_client off;
+
+ ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+
+ ssl_prefer_server_ciphers on;
+
+ add_header Strict-Transport-Security max-age=31536000;
+ # add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+
+ ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
+ ## Replace with your ssl_trusted_certificate. For more info see:
+ ## - https://medium.com/devops-programming/4445f4862461
+ ## - https://www.ruby-forum.com/topic/4419319
+ ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
+ # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
+ # resolver_timeout 10s;
+
+ ## [Optional] Generate a stronger DHE parameter:
+ ## cd /etc/ssl/certs
+ ## sudo openssl dhparam -out dhparam.pem 4096
+ ##
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ location / {
+ proxy_pass https://docservice;
+ proxy_http_version 1.1;
+ }
+}
diff --git a/sites-available/owa.conf b/sites-available/owa.conf
new file mode 100644
index 0000000..c716044
--- /dev/null
+++ b/sites-available/owa.conf
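Review bot: If this backup is ever re-enabled, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and the `ssl_ciphers` list (which keeps `DES-CBC3-SHA` and `EDH-RSA-DES-CBC3-SHA` and contains suite names OpenSSL does not define, such as `ECDHE-RSA-AES128-GCM-SHA128` and `AES128-SHA128`) would negotiate far weaker TLS than the other sites in this commit; replace them with `ssl_protocols TLSv1.2 TLSv1.3;` and a current cipher list, or delete the file if office.conf supersedes it. The HSTS header here lacks `always`, so unlike the sibling files it is not sent on error responses. `proxy_pass https://docservice` goes to port 4433 with the default `proxy_ssl_verify off`, as in the other files.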
@@ -0,0 +1,167 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/owa/ levels=1:2 keys_zone=my_cache_owa:10m max_size=10g
+ inactive=60m use_temp_path=off;
+
+
+server{
+ listen 80;
+ server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de;
+ return 301 https://$server_name/webapp$request_uri;
+
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/owa.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/owa.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de;
+
+ access_log /var/log/nginx/owa-access_log;
+ error_log /var/log/nginx/owa-error_log;
+
+
+ set $upstream 10.0.0.21;
+
+rewrite ^/$ /webapp;
+
+ location /webapp {
+
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+}
+ location /Microsoft-Server-ActiveSync {
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+ location /webmeetings {
+
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+}
+
+ location ~* /Autodiscover/Autodiscover.xml {
+ access_log /var/log/nginx/z-push-autodiscover-access.log;
+ error_log /var/log/nginx/z-push-autodiscover-error.log;
+ fastcgi_param SCRIPT_FILENAME /usr/share/z-push/autodiscover/autodiscover.php;
+ fastcgi_param HTTP_PROXY ""; # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_read_timeout 3660; # Z-Push Ping might run 3600s, but to be safe
+ fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
+ include fastcgi_params;
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+}
+
+ location /owa {
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+ location /caldav {
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+}
+
diff --git a/sites-available/owa_egroupware.conf b/sites-available/owa_egroupware.conf
new file mode 100644
index 0000000..da398c5
--- /dev/null
+++ b/sites-available/owa_egroupware.conf
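Review bot: `location ~* /Autodiscover/Autodiscover.xml` sets both `fastcgi_pass` and `proxy_pass`; nginx keeps a single content handler per location and, as far as I can tell, the later `proxy_pass` wins, so the request goes to `https://$upstream` and the Z-Push `fastcgi_*` lines (including the `HTTP_PROXY ""` httpoxy mitigation) are dead. Decide which backend answers autodiscover and remove the other group; if the PHP path is the intended one, the regex should also be anchored (`~* ^/Autodiscover/Autodiscover\.xml$`) so it does not match that substring anywhere in a URI. The six proxied locations repeat the same 17-line body, which an `include` snippet would keep in sync. This file and owa_egroupware.conf declare the same `proxy_cache_path ... keys_zone=my_cache_owa` and the same three `server_name`s, so only one of them can be enabled at a time; a comment stating which one is live would help.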
@@ -0,0 +1,167 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/owa/ levels=1:2 keys_zone=my_cache_owa:10m max_size=10g
+ inactive=60m use_temp_path=off;
+
+
+server{
+ listen 80;
+ server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de;
+ return 301 https://$server_name/webapp$request_uri;
+
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/owa.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/owa.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name owa.egonetix.de autodiscover.egonetix.de mail.egonetix.de;
+
+ access_log /var/log/nginx/owa-access_log;
+ error_log /var/log/nginx/owa-error_log;
+
+
+ set $upstream 10.0.0.23;
+
+rewrite ^/$ /egroupware;
+
+ location /egroupware {
+
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+}
+ location /Microsoft-Server-ActiveSync {
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+ location /webmeetings {
+
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+}
+
+ location ~* /Autodiscover/Autodiscover.xml {
+ access_log /var/log/nginx/z-push-autodiscover-access.log;
+ error_log /var/log/nginx/z-push-autodiscover-error.log;
+ fastcgi_param SCRIPT_FILENAME /usr/share/z-push/autodiscover/autodiscover.php;
+ fastcgi_param HTTP_PROXY ""; # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_read_timeout 3660; # Z-Push Ping might run 3600s, but to be safe
+ fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
+ include fastcgi_params;
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+}
+
+ location /owa {
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+ location /caldav {
+ proxy_cache my_cache_owa;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+}
+
diff --git a/sites-available/plex.conf b/sites-available/plex.conf
new file mode 100644
index 0000000..e6ab145
--- /dev/null
+++ b/sites-available/plex.conf
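Review bot: The port-80 server still redirects to `https://$server_name/webapp$request_uri`, but this file renames the landing path: the rewrite is `rewrite ^/$ /egroupware;` and the only matching location is `location /egroupware`, so a plain `http://owa.egonetix.de/` request ends at `/webapp`, which no location in this file serves. Change the redirect to `return 301 https://$server_name/egroupware$request_uri;` (or drop the path prefix and let the rewrite handle it). The mixed `fastcgi_pass`/`proxy_pass` autodiscover location and the duplicated cache zone are the same as in owa.conf and are discussed there.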
@@ -0,0 +1,52 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/plex/ levels=1:2 keys_zone=my_cache_plex:10m max_size=10g
+ inactive=60m use_temp_path=off;
+server{
+listen 80;
+server_name plex.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/plex.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/plex.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name plex.egonetix.de;
+
+ access_log /var/log/nginx/plex-access_log;
+ error_log /var/log/nginx/plex-error_log;
+
+ set $upstream 10.0.0.48;
+ #set $upstream 172.20.20.6;
+
+ location / {
+
+ proxy_cache my_cache_plex;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream:32400;
+ proxy_ssl_server_name on;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+}
diff --git a/sites-available/portal.conf b/sites-available/portal.conf
new file mode 100644
index 0000000..e8951c4
--- /dev/null
+++ b/sites-available/portal.conf
@@ -0,0 +1,70 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+server {
+ listen 80;
+ server_name portal.egonetix.de;
+
+ # Redirect all HTTP traffic to HTTPS
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; script-src 'self' https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com;" always;
+
+ # Remove or update unsupported origin trial features.
+ # For example, comment out or remove these if not using them:
+ # add_header Permissions-Policy "private-state-token-issuance=(), join-ad-interest-group=(), browsing-topics=()";
+
+ # Content Security Policy to allow scripts, inline event handlers, styles, and fonts from trusted sources.
+
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ server_name portal.egonetix.de;
+ access_log /var/log/nginx/portal-access_log;
+ error_log /var/log/nginx/portal-error_log;
+
+ root /var/www/html;
+ index index.html index.php; # Added index.php as potential index file
+
+ # PHP Processing Configuration - Updated for PHP 8.1
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+
+ # Use PHP 8.1 socket (most common path on Ubuntu 22.04)
+ fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
+
+ # Alternative options if the above doesn't work:
+ #fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+ #fastcgi_pass 127.0.0.1:9000;
+
+ # Increase timeout and buffer size for troubleshooting
+ fastcgi_connect_timeout 300;
+ fastcgi_read_timeout 300;
+ fastcgi_send_timeout 300;
+ fastcgi_buffer_size 32k;
+ fastcgi_buffers 16 16k;
+
+ # Set the correct document root
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_intercept_errors on;
+ }
+
+ # Reverse proxy for API calls.
+ # If your backend expects the API without the "/api" prefix, use the proxy_pass below.
+ location /api/ {
+ proxy_pass http://127.0.0.1:3000;
+ # If your backend requires the /api prefix, change to:
+ # proxy_pass http://127.0.0.1:3000/api/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+
diff --git a/sites-available/portal_backup.conf b/sites-available/portal_backup.conf
new file mode 100644
index 0000000..d9454d8
--- /dev/null
+++ b/sites-available/portal_backup.conf
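Review bot: `script-src 'self' https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'` in the Content-Security-Policy permits inline and eval'd scripts, which removes most of the cross-site-scripting protection the header is meant to add; move inline handlers into script files or use nonces/hashes, and drop `'unsafe-eval'` unless a library demonstrably needs it. The `/api/` location leaves the prefix decision open (`proxy_pass http://127.0.0.1:3000;` is live, the `/api/` variant is only a comment), so the backend contract is ambiguous to the next reader; pick one and delete the other. The comments about "unsupported origin trial features", "Updated for PHP 8.1" and "for troubleshooting", and the three alternative `fastcgi_pass` targets, read as working notes rather than documentation of the intended state; a single line stating the PHP-FPM socket in use would be clearer.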
@@ -0,0 +1,56 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+server {
+ listen 80;
+ server_name portal.egonetix.de;
+
+ # Redirect any HTTP request to HTTPS
+ return 301 https://$server_name$request_uri;
+
+}
+
+
+server {
+# The IP that you forwarded in your router (nginx proxy)
+ listen 10.0.0.29:443 ssl http2;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+# Make site accessible from http://localhost/
+ server_name portal.egonetix.de;
+
+ access_log /var/log/nginx/portal-access_log;
+ error_log /var/log/nginx/portal-error_log;
+
+# return 301 https://$server_name$request_uri;
+# The internal IP of the VM that hosts your Apache config
+# set $upstream 10.0.0.10;
+
+root /var/www/html;
+ index index.html;
+
+# location /.well-known {
+# alias /var/www/sub.domain.com/.well-known;
+# }
+
+# location / {
+
+# prox<br>y_pass_header Authorization;
+# proxy_pass http://$upstream;
+# proxy_set_header Host $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_http_version 1.1;
+# proxy_set_header Connection "";
+# proxy_buffering off;
+# client_max_body_size 0;
+# proxy_read_timeout 36000s;
+# proxy_redirect off;
+#}
+}
+
diff --git a/sites-available/pwm.conf b/sites-available/pwm.conf
new file mode 100644
index 0000000..2ec0ce3
--- /dev/null
+++ b/sites-available/pwm.conf
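Review bot: This file declares the same `server_name portal.egonetix.de` on the same `listen 10.0.0.29:443` address as portal.conf; if both are enabled nginx logs a conflicting-server-name warning and silently serves whichever file is included first, which for a file whose proxy section is entirely commented out would mean the static `root /var/www/html` copy wins. If the include pattern can match it, keep it out of the enabled set (for example by not symlinking it, or renaming it so the glob skips it). The commented `# set $upstream 10.0.0.10;` and `# location / {` block are dead configuration that the live portal.conf already supersedes.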
@@ -0,0 +1,119 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/pwm/ levels=1:2 keys_zone=my_cache_pwm:10m max_size=10g
+ inactive=60m use_temp_path=off;
+server{
+listen 80;
+server_name pwm.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header Content-Security-Policy "default-src 'self' https: data:; base-uri 'self';";
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/pwm.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/pwm.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name pwm.egonetix.de;
+
+ access_log /var/log/nginx/pwm-access_log;
+ error_log /var/log/nginx/pwm-error_log;
+
+ set $upstream 10.0.0.48;
+
+ location / {
+
+ proxy_cache my_cache_pwm;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:81;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+ location /notifications/hub {
+
+ proxy_cache my_cache_pwm;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:3012;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+ location /notifications/hub/negotiate {
+
+ proxy_cache my_cache_pwm;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:81;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+
+ location /admin {
+
+ proxy_cache my_cache_pwm;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:81;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+ auth_basic "Username and Password Required";
+ auth_basic_user_file /etc/nginx/.htpasswd;
+ }
+}
+
diff --git a/sites-available/remote.conf b/sites-available/remote.conf
new file mode 100644
index 0000000..2b164b6
--- /dev/null
+++ b/sites-available/remote.conf
@@ -0,0 +1,54 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/remote/ levels=1:2 keys_zone=my_cache_remote:10m max_size=10g
+ inactive=60m use_temp_path=off;
+server{
+ listen 80;
+ server_name remote.egonetix.de;
+ return 301 https://$server_name/guacamole$request_uri;
+}
+
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/remote.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/remote.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name remote.egonetix.de;
+
+ access_log /var/log/nginx/remote-access_log;
+ error_log /var/log/nginx/remote-error_log;
+
+ set $upstream 10.0.0.41;
+
+ location /guacamole {
+
+ proxy_cache my_cache_remote;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+ auth_basic "Username and Password Required";
+ auth_basic_user_file /etc/nginx/.htpasswd;
+
+ }
+}
diff --git a/sites-available/rezepte.conf b/sites-available/rezepte.conf
new file mode 100644
index 0000000..3309933
--- /dev/null
+++ b/sites-available/rezepte.conf
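Review bot: `proxy_set_header Connection $http_connection;` forwards the client's hop-by-hop header unchanged, so a browser's `Connection: keep-alive` is passed verbatim to the upstream; the robust form is an http-level `map $http_upgrade $connection_upgrade { default upgrade; "" close; }` and `proxy_set_header Connection $connection_upgrade;` here. The `proxy_cache*` directives wrap the Guacamole tunnel endpoints under `/guacamole`, which are long-lived streaming connections behind basic auth and should never be cached; drop them from this location. `ssl on;` is deprecated and redundant with `listen ... ssl`.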
@@ -0,0 +1,63 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/rezepte/ levels=1:2 keys_zone=my_cache_rezepte:10m max_size=10g
+ inactive=60m use_temp_path=off;
+
+upstream swarm_nodes {
+server srvdocker01:8090; #swarm node 1
+server srvdocker03:8090; #swarm node 2
+server srvdocker04:8090; #swarm node 3
+}
+
+resolver 10.0.0.21;
+
+server{
+listen 80;
+server_name rezepte.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/rezepte.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/rezepte.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name rezepte.egonetix.de;
+
+ access_log /var/log/nginx/rezepte-access_log;
+ error_log /var/log/nginx/rezepte-error_log;
+
+ set $upstream 10.0.0.48;
+ #set $upstream swarm_nodes;
+ #set $upstream 10.0.0.46;
+
+
+ location / {
+
+ proxy_cache my_cache_rezepte;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8090;
+# proxy_pass http://swarm_nodes;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+ }
+
+}
diff --git a/sites-available/srvhost03.conf b/sites-available/srvhost03.conf
new file mode 100644
index 0000000..50b00b0
--- /dev/null
+++ b/sites-available/srvhost03.conf
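Review bot: `location /` caches the whole application (`proxy_cache my_cache_rezepte`) under the default key `$scheme$proxy_host$request_uri`, which includes neither cookies nor the Authorization header, and `proxy_cache_use_stale ... updating` hands a stored copy to any later visitor of the same URI. Because no `proxy_cache_valid` is set, what actually gets stored is decided entirely by the backend's Cache-Control/Expires headers, so a single personalised page marked cacheable upstream would be served across users. If the cache is wanted for these applications, exclude authenticated and cookie-carrying requests with `proxy_no_cache $http_authorization $http_cookie;` and `proxy_cache_bypass $http_authorization $http_cookie;`, and consider dropping `updating` from the use_stale list; the `/` locations of stream, subsonic, sync, unifi, wallabag and zabbix are built the same way. Separately, `upstream swarm_nodes` and `resolver 10.0.0.21;` are declared but appear unused while `proxy_pass http://$upstream:8090` targets a literal IP — either remove them or switch to the commented `proxy_pass http://swarm_nodes;`.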
@@ -0,0 +1,58 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/srvhost03/ levels=1:2 keys_zone=my_cache_srvhost03:10m max_size=10g
+ inactive=60m use_temp_path=off;
+server{
+ listen 80;
+ server_name srvhost03.egonetix.de;
+ return 301 https://$server_name$request_uri;
+}
+
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name srvhost03.egonetix.de;
+
+ access_log /var/log/nginx/srvhost03-access_log;
+ error_log /var/log/nginx/srvhost03-error_log;
+
+
+ set $upstream 95.216.21.105;
+
+ location / {
+
+ proxy_cache my_cache_srvhost03;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream:8006;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+# proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_send_timeout 3600s;
+ send_timeout 3600s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+ auth_basic "Username and Password Required";
+ auth_basic_user_file /etc/nginx/.htpasswd;
+ }
+}
+
diff --git a/sites-available/stream.conf b/sites-available/stream.conf
new file mode 100644
index 0000000..66ff2dc
--- /dev/null
+++ b/sites-available/stream.conf
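Review bot: `proxy_pass https://$upstream:8006` crosses to a public address (95.216.21.105) over TLS, but `proxy_ssl_verify` is left at its default (off), so nginx accepts any certificate on that hop and the forwarded basic-auth credentials reach whoever answers on that IP. Turn on verification with `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <path to the backend's CA bundle>;`, adding `proxy_ssl_name <name on the backend certificate>;` if the certificate is issued to a hostname rather than the IP. subsonic (`https://$upstream:446`), unifi (`https://$upstream:8443`) and wiki (`https://$upstream`) have the same gap, though on 10.0.0.x addresses. `proxy_set_header Connection "upgrade";` is also sent on every request here whether or not the client asked for an upgrade; the conventional form is a `map $http_upgrade $connection_upgrade` at http level and `proxy_set_header Connection $connection_upgrade;`.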
@@ -0,0 +1,74 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/stream/ levels=1:2 keys_zone=my_cache_stream:10m max_size=10g
+ inactive=60m use_temp_path=off;
+server{
+listen 80;
+server_name stream.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/stream.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/stream.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name stream.egonetix.de;
+
+ access_log /var/log/nginx/stream-access.log;
+ error_log /var/log/nginx/stream-error.log;
+
+ set $upstream 10.0.0.48;
+
+
+ location / {
+
+ proxy_cache my_cache_stream;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8096;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+ location /socket {
+
+ proxy_cache my_cache_stream;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8096;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+}
diff --git a/sites-available/subsonic.conf b/sites-available/subsonic.conf
new file mode 100644
index 0000000..594331c
--- /dev/null
+++ b/sites-available/subsonic.conf
@@ -0,0 +1,50 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/subsonic/ levels=1:2 keys_zone=my_cache_subsonic:10m max_size=10g
+ inactive=60m use_temp_path=off;
+server{
+listen 80;
+server_name subsonic.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/subsonic.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/subsonic.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name subsonic.egonetix.de;
+
+ access_log /var/log/nginx/subsonic-access_log;
+ error_log /var/log/nginx/subsonic-error_log;
+
+ set $upstream 10.0.0.10;
+
+ location / {
+
+ proxy_cache my_cache_subsonic;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream:446;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+}
diff --git a/sites-available/sync.conf b/sites-available/sync.conf
new file mode 100644
index 0000000..ef10a4b
--- /dev/null
+++ b/sites-available/sync.conf
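Review bot: `location /socket` carries `proxy_set_header Connection "";` and no `Upgrade` header, so an upgrade handshake through it cannot be forwarded — remote.conf and unterhaltung.conf in this commit pass `$http_upgrade`/`$http_connection` for exactly that purpose. The block is otherwise line-for-line identical to `location /` above it, so as written it changes nothing. If the path exists for WebSocket traffic (the name suggests so; confirm against the service on 8096), set `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection "upgrade";` in it and drop `proxy_cache my_cache_stream;` with the other cache directives there, since an upgraded connection is not cacheable; otherwise delete the block.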
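Review bot: `client_max_body_size 0;` disables the request-body limit, so any client that reaches this vhost can send an unbounded upload towards 10.0.0.10:446, and with the default `proxy_request_buffering on` that body is first spooled to this host's `client_body_temp` directory. The line appears in every location of this commit; keep it only where a service genuinely takes large uploads and give the rest an explicit bound, e.g. `client_max_body_size 64m;`. `proxy_read_timeout 36000s;` likewise holds an upstream connection open for up to ten hours per request, which suits long-polling endpoints but is a generous resource hold for an ordinary web application — worth revisiting per service.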
@@ -0,0 +1,50 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/sync/ levels=1:2 keys_zone=my_cache_sync:10m max_size=10g
+ inactive=60m use_temp_path=off;
+server{
+listen 80;
+server_name sync.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/sync.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/sync.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name sync.egonetix.de;
+
+ access_log /var/log/nginx/sync-access_log;
+ error_log /var/log/nginx/sync-error_log;
+
+ set $upstream 10.0.0.48;
+
+ location / {
+
+ proxy_cache my_cache_sync;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:18089;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+}
diff --git a/sites-available/unifi.conf b/sites-available/unifi.conf
new file mode 100644
index 0000000..7f2076b
--- /dev/null
+++ b/sites-available/unifi.conf
@@ -0,0 +1,52 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/unifi/ levels=1:2 keys_zone=my_cache_unifi:10m max_size=10g
+ inactive=60m use_temp_path=off;
+server{
+listen 80;
+server_name unifi.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/unifi.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/unifi.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name unifi.egonetix.de;
+
+ access_log /var/log/nginx/unifi-access_log;
+ error_log /var/log/nginx/unifi-error_log;
+
+ set $upstream 10.0.0.48;
+
+ location / {
+
+ proxy_cache my_cache_unifi;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream:8443;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+}
+
diff --git a/sites-available/unterhaltung.conf b/sites-available/unterhaltung.conf
new file mode 100644
index 0000000..648c148
--- /dev/null
+++ b/sites-available/unterhaltung.conf
@@ -0,0 +1,56 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/unterhaltung/ levels=1:2 keys_zone=my_unterhaltung_remote:10m max_size=10g
+ inactive=60m use_temp_path=off;
+server{
+ listen 80;
+ server_name unterhaltung.egonetix.de;
+ return 301 https://$server_name/$request_uri;
+}
+
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/unterhaltung.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/unterhaltung.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name unterhaltung.egonetix.de;
+
+ access_log /var/log/nginx/unterhaltung-access_log;
+ error_log /var/log/nginx/unterhaltung-error_log;
+
+ set $upstream 10.0.0.22;
+ #set $upstream 10.0.0.13;
+
+ location / {
+
+ proxy_cache my_cache_remote;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+# proxy_pass http://$upstream:8085;
+ proxy_pass http://$upstream:5800;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+ auth_basic "Username and Password Required";
+ auth_basic_user_file /etc/nginx/.htpasswd;
+
+ }
+}
diff --git a/sites-available/wallabag.conf b/sites-available/wallabag.conf
new file mode 100644
index 0000000..021f9f5
--- /dev/null
+++ b/sites-available/wallabag.conf
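Review bot: The zone declared on the `proxy_cache_path` line, `keys_zone=my_unterhaltung_remote:10m`, is never referenced: `location /` selects `proxy_cache my_cache_remote;`, the zone remote.conf declares, so this site writes into remote's cache store while `/tmp/unterhaltung/` stays empty — and if remote.conf is not enabled, nginx rejects the configuration for an unknown zone. Follow the naming used everywhere else, `keys_zone=my_cache_unterhaltung:10m` and `proxy_cache my_cache_unterhaltung;`. The port-80 redirect `return 301 https://$server_name/$request_uri;` also produces a double slash, since `$request_uri` already starts with `/`; the other files' `return 301 https://$server_name$request_uri;` is the right form.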
@@ -0,0 +1,52 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/wallabag/ levels=1:2 keys_zone=my_cache_wallabag:10m max_size=10g
+ inactive=60m use_temp_path=off;
+server{
+listen 80;
+server_name wallabag.egonetix.de;
+return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/wallabag.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/wallabag.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name wallabag.egonetix.de;
+
+ access_log /var/log/nginx/wallabag-access_log;
+ error_log /var/log/nginx/wallabag-error_log;
+
+ set $upstream 10.0.0.48;
+
+
+ location / {
+
+ proxy_cache my_cache_wallabag;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8087;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+
+}
diff --git a/sites-available/wiki.conf b/sites-available/wiki.conf
new file mode 100644
index 0000000..19b6781
--- /dev/null
+++ b/sites-available/wiki.conf
@@ -0,0 +1,51 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/wiki/ levels=1:2 keys_zone=my_cache_wiki:10m max_size=10g
+ inactive=60m use_temp_path=off;
+server{
+ listen 80;
+ server_name wiki.egonetix.de;
+ return 301 https://$server_name/wiki$request_uri;
+}
+
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/wiki.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/wiki.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name wiki.egonetix.de;
+
+ access_log /var/log/nginx/wiki-access_log;
+ error_log /var/log/nginx/wiki-error_log;
+
+ set $upstream 10.0.0.10;
+
+ location /wiki {
+
+ proxy_cache my_cache_wiki;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass https://$upstream;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+
+ }
+}
diff --git a/sites-available/zabbix.conf b/sites-available/zabbix.conf
new file mode 100644
index 0000000..ab52b96
--- /dev/null
+++ b/sites-available/zabbix.conf
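Review bot: The port-80 redirect `return 301 https://$server_name/wiki$request_uri;` prefixes `/wiki` onto the complete request URI, so a plain-HTTP request that already carries the path (`/wiki/Some_Page`) is sent to `/wiki/wiki/Some_Page`; only a request for `/` comes out as intended. Redirect with the URI unchanged, `return 301 https://$server_name$request_uri;`, and route the bare root inside the TLS server instead, `location = / { return 302 /wiki/; }`. remote.conf (`/guacamole$request_uri`) and zabbix.conf (`/zabbix$request_uri`) use the same construction. On the TLS server only `location /wiki` is defined, so any other path falls through to nginx's built-in defaults rather than to the application — presumably not intended, and a `location / { return 404; }` would make that explicit.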
@@ -0,0 +1,53 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+proxy_cache_path /tmp/zabbix/ levels=1:2 keys_zone=my_cache_zabbix:10m max_size=10g
+ inactive=60m use_temp_path=off;
+server{
+ listen 80;
+ server_name zabbix.egonetix.de;
+ return 301 https://$server_name/zabbix$request_uri;
+}
+
+
+server {
+ listen 10.0.0.29:443 ssl http2;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # SSL config
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/zabbix.egonetix.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/zabbix.egonetix.de/privkey.pem;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ # Make site accessible from http://localhost/
+ server_name zabbix.egonetix.de;
+
+ access_log /var/log/nginx/zabbix-access_log;
+ error_log /var/log/nginx/zabbix-error_log;
+
+ set $upstream 10.0.0.48;
+
+ location / {
+
+ proxy_cache my_cache_zabbix;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 3;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+ proxy_pass_header Authorization;
+ proxy_pass http://$upstream:8092;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ proxy_redirect off;
+ proxy_ssl_session_reuse off;
+# auth_basic "Username and Password Required";
+# auth_basic_user_file /etc/nginx/.htpasswd;
+
+ }
+}