diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f9f2d534868d102d55422d0a7c9aa0787dca942b..212f91a95bc3bc3c353468837626c63924e55f87 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -63,14 +63,14 @@ web-proxy ns4 build: tags: ["ns4.shore.co.il"] variables: WORKDIR: Compose/web-proxy/ns4 - # rules: *compose-rules + rules: *compose-rules web-proxy ns4 pull: extends: .compose-pull tags: ["ns4.shore.co.il"] variables: WORKDIR: Compose/web-proxy/ns4 - # rules: *compose-rules + rules: *compose-rules web-proxy ns4 run: extends: .compose-run
@@ -78,4 +78,26 @@ web-proxy ns4 run: variables: WORKDIR: Compose/web-proxy/ns4 when: manual
+ rules: *compose-rules
+
+web-proxy host01 build:
+ extends: .compose-build
+ tags: ["host01.shore.co.il"]
+ variables:
+ WORKDIR: Compose/web-proxy/host01
+ # rules: *compose-rules
+
+web-proxy host01 pull:
+ extends: .compose-pull
+ tags: ["host01.shore.co.il"]
+ variables:
+ WORKDIR: Compose/web-proxy/host01
+ # rules: *compose-rules
+
+web-proxy host01 run:
+ extends: .compose-run
+ tags: ["host01.shore.co.il"]
+ variables:
+ WORKDIR: Compose/web-proxy/host01
+ when: manual
 # rules: *compose-rules
diff --git a/Compose/web-proxy/host01/.dockerignore b/Compose/web-proxy/host01/.dockerignore
new file mode 100644
index 0000000000000000000000000000000000000000..380e2e62d48d3718eee6fb713bc578042f0ab6fd
--- /dev/null
+++ b/Compose/web-proxy/host01/.dockerignore
@@ -0,0 +1,4 @@
+*
+!conf.d/
+!www/
+!snippets/
diff --git a/Compose/web-proxy/host01/.env b/Compose/web-proxy/host01/.env
new file mode 100644
index 0000000000000000000000000000000000000000..2f5dd33f1fa1c5ff48896989639d1af9a803ecab
--- /dev/null
+++ b/Compose/web-proxy/host01/.env
@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=web-proxy
diff --git a/Compose/web-proxy/host01/Dockerfile b/Compose/web-proxy/host01/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..15337788c4c6c173df1e4f886edef3063d8ae8b5
--- /dev/null
+++ b/Compose/web-proxy/host01/Dockerfile
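Review bot: The three new `web-proxy host01` jobs in the second hunk keep `# rules: *compose-rules` commented out, while the same commit (first hunk and the top of the second) switches the ns4 build, pull and run jobs to `rules: *compose-rules`, so the host01 build and pull jobs would be added to every pipeline instead of being gated like their ns4 counterparts. If that is not intended, enable the anchor on the host01 jobs as well, `rules: *compose-rules`. The ns4 run job now combines `when: manual` with `rules:`; a rule without its own `when:` is expected to fall back to the job-level value, but it is worth confirming that the job still shows up as a manual action once the rules apply. Both hunks start inside job definitions whose first lines are outside the diff, and the `.compose-*` templates and the `compose-rules` anchor are not visible here.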
@@ -0,0 +1,10 @@
+# hadolint ignore=DL3006
+FROM registry.shore.co.il/nginx
+USER root
+RUN cp --archive /var/ssl/site.key /var/ssl/mail.key && \
+ cp --archive /var/ssl/site.crt /var/ssl/mail.crt
+USER nginx
+COPY --chown=root:root www/ /var/www/
+COPY --chown=root:root conf.d/ /etc/nginx/conf.d/
+COPY --chown=root:root snippets/ /etc/nginx/snippets/
+RUN nginx -t
diff --git a/Compose/web-proxy/host01/conf.d/auth.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/auth.shore.co.il.conf
new file mode 100644
index 0000000000000000000000000000000000000000..8e6e33e018944a14e2f6a7ab920e37553dbb116e
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/auth.shore.co.il.conf
@@ -0,0 +1,35 @@
+# vim: ft=nginx
+map $host $auth { default auth; }
+
+limit_req_zone $binary_remote_addr zone=ldap_auth:2m rate=2r/s;
+limit_req_status 429;
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name auth.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/www-acme-challenge.conf;
+ include snippets/redirect-https.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name auth.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/ssl-modern.conf;
+
+
+ location / {
+ proxy_pass http://$auth:8080$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ include snippets/allow-shore-ips.conf;
+ limit_req zone=ldap_auth burst=10 delay=2;
+ }
+}
diff --git a/Compose/web-proxy/host01/conf.d/code.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/code.shore.co.il.conf
new file mode 100644
index 0000000000000000000000000000000000000000..5c985d2757ca89c9e46fc6732084b6f62f09d11e
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/code.shore.co.il.conf
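Review bot: `RUN cp --archive /var/ssl/site.key /var/ssl/mail.key`, executed as root, writes a second copy of the site's private key into an image layer, while docker-compose.yml in this same commit bind-mounts `/var/ssl/mail.key` and `/var/ssl/mail.crt` read-only over exactly those paths at runtime. The baked copy therefore only serves the final `RUN nginx -t` (mail.shore.co.il.conf references the mail cert and key) and goes stale silently if the mounted key is ever rotated. A comment above the RUN, `# Build-time copies so nginx -t passes; the real mail.* files are bind-mounted by docker-compose.yml`, would make that explicit, and a throwaway key pair generated during the build would avoid duplicating live key material, assuming `site.key` in the base image is the production key. `FROM registry.shore.co.il/nginx` is untagged (DL3006 suppressed), so each build picks up whatever the registry currently serves.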
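Review bot: Both `limit_req_zone $binary_remote_addr` and `include snippets/allow-shore-ips.conf` in the `location /` block key on the client address as nginx sees it, and this container receives traffic through Compose-published ports, including `listen [::]:443`. Depending on the Docker daemon's IPv6 and userland-proxy settings, such connections can arrive from the bridge gateway address rather than the real client, in which case every affected client would share one 2r/s bucket and the allow-list would admit or reject them all together. It is worth checking from outside that `$remote_addr` in the access log is the true client address, and recording that assumption on the zone line, `# rate limit and allow-list assume the real client IP is visible (no userland proxy in front)`.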
@@ -0,0 +1,71 @@
+# vim: ft=nginx
+map $host $code { default code; }
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name code.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/www-acme-challenge.conf;
+ include snippets/redirect-https.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name code.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/ssl-modern.conf;
+
+ # The following was copied (and modified) from
+ # https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html#reverse-proxy-with-nginx-webserver.
+
+ # static files
+ location ^~ /browser {
+ proxy_pass http://$code:9980$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ proxy_hide_header X-Frame-Options;
+ }
+
+ # WOPI discovery URL
+ location ^~ /hosting/discovery {
+ proxy_pass http://$code:9980$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ }
+
+ # Capabilities
+ location ^~ /hosting/capabilities {
+ proxy_pass http://$code:9980$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ }
+
+ # main websocket
+ location ~ ^/cool/(.*)/ws$ {
+ proxy_pass http://$code:9980$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ include snippets/websockets.conf;
+ }
+
+ # download, presentation and image upload
+ location ~ ^/(c|l)ool {
+ proxy_pass http://$code:9980$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ }
+
+ # Admin Console websocket
+ location ^~ /cool/adminws {
+ proxy_pass http://$code:9980$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ include snippets/websockets.conf;
+ }
+}
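Review bot: The `location ^~ /cool/adminws` block proxies the Collabora admin-console websocket to the whole internet, whereas the lam and sogo vhosts in this commit wrap their administrative locations in `include snippets/allow-private-ips.conf`. The console has its own credentials, but there is no visible reason to expose it beyond the private ranges; adding `include snippets/allow-private-ips.conf;` to that location keeps it consistent with the other proxied admin tools. The `/browser` location also strips `X-Frame-Options`; a comment such as `# hidden so the editor can be framed by Nextcloud` would record why that header is deliberately removed.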
diff --git a/Compose/web-proxy/host01/conf.d/git.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/git.shore.co.il.conf
new file mode 100644
index 0000000000000000000000000000000000000000..d408b7d77c8e2aaa82a5e3647206d06ccebe0c63
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/git.shore.co.il.conf
@@ -0,0 +1,31 @@
+# vim: ft=nginx
+map $host $git { default gitlab; }
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name git.shore.co.il;
+ include snippets/robots-allow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/www-acme-challenge.conf;
+ include snippets/redirect-https.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name git.shore.co.il;
+ include snippets/robots-allow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/ssl-modern.conf;
+
+ location / {
+ proxy_pass http://$git$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ proxy_set_header X-Forwarded-Ssl on;
+ client_max_body_size 512m;
+ }
+}
diff --git a/Compose/web-proxy/host01/conf.d/lam.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/lam.shore.co.il.conf
new file mode 100644
index 0000000000000000000000000000000000000000..2bb9eb2399f788d18118fa29e163ec6d2c42d25f
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/lam.shore.co.il.conf
@@ -0,0 +1,31 @@
+# vim: ft=nginx
+map $host $lam { default ldap-account-manager; }
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name lam.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/www-acme-challenge.conf;
+ include snippets/redirect-https.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name lam.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/ssl-modern.conf;
+
+ location / {
+ proxy_pass http://$lam$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ proxy_hide_header X-Frame-Options;
+ include snippets/allow-private-ips.conf;
+ }
+}
diff --git a/Compose/web-proxy/host01/conf.d/mail.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/mail.shore.co.il.conf
new file mode 100644
index 0000000000000000000000000000000000000000..fa99b280626b9a401c977a4fe3beedf13f83f699
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/mail.shore.co.il.conf
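Review bot: `proxy_hide_header X-Frame-Options;` in the `location /` block removes the clickjacking protection that LDAP Account Manager sends for an administrative UI, and nothing in this hunk shows the application being embedded in a frame. Unless a known consumer frames it, drop that line; if one does, name it in a comment, `# X-Frame-Options hidden because LAM is framed by <consumer>`. `allow-private-ips.conf` limits who can reach the vhost but does not stop a framed session from a browser that is already on the private network.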
@@ -0,0 +1,35 @@
+# vim: ft=nginx
+server {
+ listen 80;
+ listen [::]:80;
+ server_name imap.shore.co.il smtp.shore.co.il mta-sts.shore.co.il mta-sts.nehe.sr;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/www-acme-challenge.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name mta-sts.shore.co.il mta-sts.nehe.sr;
+ root /var/www/mail.shore.co.il/;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+
+ # Copied from snippetes/ssl.conf.
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ add_header Expect-CT "max-age=86400, enforce, report-uri=\"https://www.shore.co.il/about\"";
+ include snippets/common-headers.conf;
+ ssl_certificate /var/ssl/mail.crt;
+ ssl_certificate_key /var/ssl/mail.key;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_ciphers !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 5m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/ocsp.pem;
+}
diff --git a/Compose/web-proxy/host01/conf.d/nextcloud.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/nextcloud.shore.co.il.conf
new file mode 100644
index 0000000000000000000000000000000000000000..33a9b73263b590ff728fa2cc0642ee4a05a5463d
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/nextcloud.shore.co.il.conf
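Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` together with a cipher list ending in `+SHA1` re-enables deprecated protocol versions on the mta-sts vhost, which in this commit serves only the static `mta-sts.txt` policy file to sending MTAs. Those clients negotiate TLS 1.2 or 1.3, so `ssl_protocols TLSv1.2 TLSv1.3;` and a cipher list without the SHA1 suffix would lose nothing; the comment says the block was copied from `snippets/ssl.conf` while every other vhost here includes `ssl-modern.conf`, so the weaker profile looks inherited rather than chosen. The `Expect-CT` header is also obsolete in current browsers and can go when this block is revisited.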
@@ -0,0 +1,32 @@
+# vim: ft=nginx
+map $host $nextcloud { default nextcloud; }
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name nextcloud.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/www-acme-challenge.conf;
+ include snippets/redirect-https.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name nextcloud.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/ssl-modern.conf;
+ include snippets/nextcloud-well-known.conf;
+
+ location / {
+ proxy_pass http://$nextcloud$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ proxy_hide_header X-Frame-Options;
+ client_max_body_size 512m;
+ }
+}
diff --git a/Compose/web-proxy/host01/conf.d/notify.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/notify.shore.co.il.conf
new file mode 100644
index 0000000000000000000000000000000000000000..db9e761a20fd8a95fdfb92c0b3f3dba29993fcad
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/notify.shore.co.il.conf
@@ -0,0 +1,29 @@
+# vim: ft=nginx
+map $host $notify { default notifier; }
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name notify.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/www-acme-challenge.conf;
+ include snippets/redirect-https.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name notify.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/ssl-legacy.conf;
+
+ location / {
+ proxy_pass http://$notify:8080$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ }
+}
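Review bot: `include snippets/ssl-legacy.conf;` on notify.shore.co.il selects a weaker TLS profile with no indication of which client needs it, while the surrounding vhosts use `ssl-modern.conf`; the zpush.shore.co.il.conf hunk later in this commit does the same. For z-push, old ActiveSync clients are a plausible reason, but the notifier's clients are not visible here. A one-line comment above each include naming the client that requires the legacy profile, `# ssl-legacy: required by <client>`, keeps the weaker setting from outliving its reason, or switch notify to `ssl-modern.conf` if no such client exists.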
diff --git a/Compose/web-proxy/host01/conf.d/sogo.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/sogo.shore.co.il.conf
new file mode 100644
index 0000000000000000000000000000000000000000..189579f4419a35d50a175bb94bd479ae00e8b458
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/sogo.shore.co.il.conf
@@ -0,0 +1,40 @@
+# vim: ft=nginx
+map $host $sogo { default sogo; }
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name sogo.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/www-acme-challenge.conf;
+ include snippets/redirect-https.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name sogo.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/ssl-modern.conf;
+
+ location / { return 301 https://$host/SOGo/; }
+ location /SOGo { return 301 https://$host/SOGo/; }
+ location /SOGo/ {
+ proxy_pass http://$sogo:20000$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ proxy_hide_header X-Frame-Options;
+ include snippets/allow-private-ips.conf;
+
+ # Copied from http://wiki.sogo.nu/nginxSettings
+ proxy_set_header x-webobjects-server-protocol HTTP/1.1;
+ proxy_set_header x-webobjects-remote-host $sogo;
+ proxy_set_header x-webobjects-server-name $server_name;
+ proxy_set_header x-webobjects-server-url $scheme://$host;
+ proxy_set_header x-webobjects-server-port $server_port;
+ }
+}
diff --git a/Compose/web-proxy/host01/conf.d/vouch.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/vouch.shore.co.il.conf
new file mode 100644
index 0000000000000000000000000000000000000000..ec6ce8a9a4fefed7f40b04a83594999920039e0d
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/vouch.shore.co.il.conf
@@ -0,0 +1,29 @@
+# vim: ft=nginx
+# The $vouch variable is defined in global.conf, it's needed by other servers
+# and deployments.
+server {
+ listen 80;
+ listen [::]:80;
+ server_name vouch.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/www-acme-challenge.conf;
+ include snippets/redirect-https.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name vouch.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/ssl-modern.conf;
+
+ location / {
+ proxy_pass http://$vouch:9090;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ }
+}
diff --git a/Compose/web-proxy/host01/conf.d/zpush.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/zpush.shore.co.il.conf
new file mode 100644
index 0000000000000000000000000000000000000000..aa251063e4fffc3c7fd91c77a600d143238a595d
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/zpush.shore.co.il.conf
@@ -0,0 +1,29 @@
+# vim: ft=nginx
+map $host $zpush { default z-push; }
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name zpush.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/www-acme-challenge.conf;
+ include snippets/redirect-https.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name zpush.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/ssl-legacy.conf;
+
+ location / {
+ proxy_pass http://$zpush;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ }
+}
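Review bot: `proxy_pass http://$vouch:9090;` omits the `$request_uri` suffix that every other proxied vhost in this commit uses (zpush.shore.co.il.conf likewise drops it). With a variable in `proxy_pass` and no URI part nginx forwards the original request URI, so behaviour is the same today, but the inconsistency invites a later edit that adds a path and silently changes it; `proxy_pass http://$vouch:9090$request_uri;` would match the other files. The comment says `$vouch` is defined in global.conf, which is not part of this commit, so its map cannot be checked here.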
diff --git a/Compose/web-proxy/host01/docker-compose.yml b/Compose/web-proxy/host01/docker-compose.yml
new file mode 100644
index 0000000000000000000000000000000000000000..698fbe6d62fd2f36e5bbc6f59410e7a43049b54e
--- /dev/null
+++ b/Compose/web-proxy/host01/docker-compose.yml
@@ -0,0 +1,54 @@
+---
+version: '3.5'
+services:
+ proxy:
+ build:
+ context: ./
+ # command: ["nginx", "-g", "daemon off;"]
+ hostname: &hostname nextcloud.shore.co.il
+ networks:
+ default:
+ aliases:
+ - *hostname
+ - code.shore.co.il
+ - elasticsearch.shore.co.il
+ - git.shore.co.il
+ - kibana.shore.co.il
+ - lam.shore.co.il
+ - mta-sts.shore.co.il
+ - sogo.shore.co.il
+ - vouch.shore.co.il
+ - zpush.shore.co.il
+ ports:
+ - '80:80'
+ - '443:443'
+ restart: always
+ volumes:
+ - '/var/www/www.shore.co.il/.well-known/acme-challenge:/var/www/www.shore.co.il/.well-known/acme-challenge:ro'
+ - '/var/ssl/site.key:/var/ssl/site.key:ro'
+ - '/var/ssl/site.crt:/var/ssl/site.crt:ro'
+ - '/var/ssl/mail.key:/var/ssl/mail.key:ro'
+ - '/var/ssl/mail.crt:/var/ssl/mail.crt:ro'
+ - '/var/ssl/dhparams:/var/ssl/dhparams:ro'
+
+ vouch:
+ environment:
+ OAUTH_AUTH_URL: https://nextcloud.shore.co.il/apps/oauth2/authorize
+ OAUTH_CALLBACK_URLS: https://vouch.shore.co.il/auth
+ OAUTH_CLIENT_ID: "${VOUCH_OAUTH_CLIENT_ID}"
+ # yamllint disable-line rule:line-length
+ OAUTH_CLIENT_SECRET: "${VOUCH_OAUTH_CLIENT_SECRET}" # pragma: allowlist secret
+ OAUTH_PROVIDER: nextcloud
+ OAUTH_SCOPES: 'openid,email.profile'
+ OAUTH_TOKEN_URL: https://nextcloud.shore.co.il/apps/oauth2/api/v1/token
+ # yamllint disable-line rule:line-length
+ OAUTH_USER_INFO_URL: https://nextcloud.shore.co.il/ocs/v2.php/cloud/user?format=json
+ VOUCH_DOMAINS: shore.co.il
+ VOUCH_JWT_MAXAGE: 10080 # 1 week.
+ VOUCH_JWT_SECRET: "${VOUCH_JWT_SECRET}" # pragma: allowlist secret
+ image: quay.io/vouch/vouch-proxy:alpine-0.36.0
+ restart: always
+
+networks:
+ default:
+ name: shore
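Review bot: The `aliases` list under `networks.default` does not line up with the vhosts this commit adds: it carries `elasticsearch.shore.co.il` and `kibana.shore.co.il`, for which no conf.d file exists here, and lacks `auth.shore.co.il` and `notify.shore.co.il`, which do get server blocks. Containers on the `shore` network that resolve those two names will not reach the proxy unless something else answers for them, so either add the missing aliases or comment why the list differs (the extra entries look inherited from another host's compose file). `OAUTH_SCOPES: 'openid,email.profile'` also reads like `openid,email,profile` with a typo, if three separate scopes were intended; worth confirming against what vouch-proxy's Nextcloud provider expects.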
diff --git a/Compose/web-proxy/host01/snippets/nextcloud-well-known.conf b/Compose/web-proxy/host01/snippets/nextcloud-well-known.conf
new file mode 100644
index 0000000000000000000000000000000000000000..f615565196d8cdaf782f460030ec1514fa4c232a
--- /dev/null
+++ b/Compose/web-proxy/host01/snippets/nextcloud-well-known.conf
@@ -0,0 +1,11 @@
+location /.well-known/caldav {
+ return 301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+
+location /.well-known/carddav {
+ return 301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+
+location /.well-known/webfinger {
+ return 301 https://nextcloud.shore.co.il/public.php?service=webfinger;
+}
diff --git a/Compose/web-proxy/host01/www/mail.shore.co.il/.well-known/mta-sts.txt b/Compose/web-proxy/host01/www/mail.shore.co.il/.well-known/mta-sts.txt
new file mode 100644
index 0000000000000000000000000000000000000000..d81ad3bd1d3e08fc496eb36c44c38c3605ced45a
--- /dev/null
+++ b/Compose/web-proxy/host01/www/mail.shore.co.il/.well-known/mta-sts.txt
@@ -0,0 +1,4 @@
+version: STSv1
+mode: testing
+mx: smtp.shore.co.il
+max_age: 86400
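Review bot: `return 301 https://nextcloud.shore.co.il/public.php?service=webfinger;` discards the original query string, so a WebFinger lookup's `?resource=acct:…` parameter never reaches Nextcloud and the redirected request cannot be answered. Appending the client's arguments, `return 301 https://nextcloud.shore.co.il/public.php?service=webfinger&$args;`, preserves it; the caldav and carddav redirects carry no parameters and are fine as written. The three `location` directives are prefix matches, so `location = /.well-known/webfinger` (and likewise for the other two) would avoid catching unrelated longer paths.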