From ba92a6a118c6a71a06d148bc5d6eda62af3abf53 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Sat, 11 Feb 2023 18:55:38 +0200
Subject: [PATCH] Web proxy: Add host01.

---
 .gitlab-ci.yml                                | 26 ++++++-
 Compose/web-proxy/host01/.dockerignore        |  4 ++
 Compose/web-proxy/host01/.env                 |  1 +
 Compose/web-proxy/host01/Dockerfile           | 10 +++
 .../host01/conf.d/auth.shore.co.il.conf       | 35 +++++++++
 .../host01/conf.d/code.shore.co.il.conf       | 71 +++++++++++++++++++
 .../host01/conf.d/git.shore.co.il.conf        | 31 ++++++++
 .../host01/conf.d/lam.shore.co.il.conf        | 31 ++++++++
 .../host01/conf.d/mail.shore.co.il.conf       | 35 +++++++++
 .../host01/conf.d/nextcloud.shore.co.il.conf  | 32 +++++++++
 .../host01/conf.d/notify.shore.co.il.conf     | 29 ++++++++
 .../host01/conf.d/sogo.shore.co.il.conf       | 40 +++++++++++
 .../host01/conf.d/vouch.shore.co.il.conf      | 29 ++++++++
 .../host01/conf.d/zpush.shore.co.il.conf      | 29 ++++++++
 Compose/web-proxy/host01/docker-compose.yml   | 54 ++++++++++++++
 .../host01/snippets/nextcloud-well-known.conf | 11 +++
 .../mail.shore.co.il/.well-known/mta-sts.txt  |  4 ++
 17 files changed, 470 insertions(+), 2 deletions(-)
 create mode 100644 Compose/web-proxy/host01/.dockerignore
 create mode 100644 Compose/web-proxy/host01/.env
 create mode 100644 Compose/web-proxy/host01/Dockerfile
 create mode 100644 Compose/web-proxy/host01/conf.d/auth.shore.co.il.conf
 create mode 100644 Compose/web-proxy/host01/conf.d/code.shore.co.il.conf
 create mode 100644 Compose/web-proxy/host01/conf.d/git.shore.co.il.conf
 create mode 100644 Compose/web-proxy/host01/conf.d/lam.shore.co.il.conf
 create mode 100644 Compose/web-proxy/host01/conf.d/mail.shore.co.il.conf
 create mode 100644 Compose/web-proxy/host01/conf.d/nextcloud.shore.co.il.conf
 create mode 100644 Compose/web-proxy/host01/conf.d/notify.shore.co.il.conf
 create mode 100644 Compose/web-proxy/host01/conf.d/sogo.shore.co.il.conf
 create mode 100644 Compose/web-proxy/host01/conf.d/vouch.shore.co.il.conf
 create mode 100644 Compose/web-proxy/host01/conf.d/zpush.shore.co.il.conf
 create mode 100644 Compose/web-proxy/host01/docker-compose.yml
 create mode 100644 Compose/web-proxy/host01/snippets/nextcloud-well-known.conf
 create mode 100644 Compose/web-proxy/host01/www/mail.shore.co.il/.well-known/mta-sts.txt

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f9f2d53..212f91a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -63,14 +63,14 @@ web-proxy ns4 build:
   tags: ["ns4.shore.co.il"]
   variables:
     WORKDIR: Compose/web-proxy/ns4
-  # rules: *compose-rules
+  rules: *compose-rules
 
 web-proxy ns4 pull:
   extends: .compose-pull
   tags: ["ns4.shore.co.il"]
   variables:
     WORKDIR: Compose/web-proxy/ns4
-  # rules: *compose-rules
+  rules: *compose-rules
 
 web-proxy ns4 run:
   extends: .compose-run
@@ -78,4 +78,26 @@ web-proxy ns4 run:
   variables:
     WORKDIR: Compose/web-proxy/ns4
   when: manual
+  rules: *compose-rules
+
+web-proxy host01 build:
+  extends: .compose-build
+  tags: ["host01.shore.co.il"]
+  variables:
+    WORKDIR: Compose/web-proxy/host01
+  # rules: *compose-rules
+
+web-proxy host01 pull:
+  extends: .compose-pull
+  tags: ["host01.shore.co.il"]
+  variables:
+    WORKDIR: Compose/web-proxy/host01
+  # rules: *compose-rules
+
+web-proxy host01 run:
+  extends: .compose-run
+  tags: ["host01.shore.co.il"]
+  variables:
+    WORKDIR: Compose/web-proxy/host01
+  when: manual
   # rules: *compose-rules
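Review bot: The three new host01 jobs (build, pull, run) keep `# rules: *compose-rules` commented out, while the ns4 jobs in the hunks above have the same line uncommented by this very commit, so host01 pipelines will not pick up the shared `*compose-rules` anchor the other hosts now use. If that is deliberate — e.g. the runner tagged `host01.shore.co.il` is not registered yet — a short comment such as `# rules: *compose-rules  # TODO: enable once the host01 runner is registered` would stop the next maintainer from treating it as an oversight. Otherwise uncomment the three lines as was done for ns4.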
diff --git a/Compose/web-proxy/host01/.dockerignore b/Compose/web-proxy/host01/.dockerignore
new file mode 100644
index 0000000..380e2e6
--- /dev/null
+++ b/Compose/web-proxy/host01/.dockerignore
@@ -0,0 +1,4 @@
+*
+!conf.d/
+!www/
+!snippets/
diff --git a/Compose/web-proxy/host01/.env b/Compose/web-proxy/host01/.env
new file mode 100644
index 0000000..2f5dd33
--- /dev/null
+++ b/Compose/web-proxy/host01/.env
@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=web-proxy
diff --git a/Compose/web-proxy/host01/Dockerfile b/Compose/web-proxy/host01/Dockerfile
new file mode 100644
index 0000000..1533778
--- /dev/null
+++ b/Compose/web-proxy/host01/Dockerfile
@@ -0,0 +1,10 @@
+# hadolint ignore=DL3006
+FROM registry.shore.co.il/nginx
+USER root
+RUN cp --archive /var/ssl/site.key /var/ssl/mail.key && \
+    cp --archive /var/ssl/site.crt /var/ssl/mail.crt
+USER nginx
+COPY --chown=root:root www/ /var/www/
+COPY --chown=root:root conf.d/ /etc/nginx/conf.d/
+COPY --chown=root:root snippets/ /etc/nginx/snippets/
+RUN nginx -t
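Review bot: The `cp --archive /var/ssl/site.key /var/ssl/mail.key` step needs a comment explaining its purpose, since docker-compose.yml bind-mounts `/var/ssl/mail.key` and `/var/ssl/mail.crt` read-only over these paths at runtime, so the copy presumably exists only so that `RUN nginx -t` can resolve the paths mail.shore.co.il.conf references; `# mail.{crt,key} are bind-mounted at runtime; copy site.* so "nginx -t" below can validate mail.shore.co.il.conf` above the RUN would capture that. Whatever `/var/ssl/site.key` the base image carries is now baked into a second layer as mail.key, so that file should be a placeholder rather than a real private key — worth confirming against the base image. The untagged `FROM registry.shore.co.il/nginx` with the DL3006 warning suppressed also means rebuilds are not reproducible; pinning a tag or digest is preferable if the registry offers one.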
diff --git a/Compose/web-proxy/host01/conf.d/auth.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/auth.shore.co.il.conf
new file mode 100644
index 0000000..8e6e33e
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/auth.shore.co.il.conf
@@ -0,0 +1,35 @@
+# vim: ft=nginx
+map $host $auth { default auth; }
+
+limit_req_zone $binary_remote_addr zone=ldap_auth:2m rate=2r/s;
+limit_req_status 429;
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name auth.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name auth.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-modern.conf;
+
+
+    location / {
+        proxy_pass              http://$auth:8080$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        include                 snippets/allow-shore-ips.conf;
+        limit_req               zone=ldap_auth burst=10 delay=2;
+    }
+}
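Review bot: `limit_req_status 429;` is set at http scope from a per-vhost file, so if any other conf.d file (global.conf, or a future vhost with its own zone) sets the same directive nginx will refuse to start with a duplicate-directive error; moving it inside the 443 server block as `limit_req_status 429;` next to the `limit_req` line scopes it to this vhost. Note also that `limit_req` runs in the preaccess phase, before the allow/deny rules from allow-shore-ips.conf, so clients that are ultimately denied still consume the `ldap_auth` zone — acceptable, but worth a one-line comment. The double blank line before `location /` is a style nit.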
diff --git a/Compose/web-proxy/host01/conf.d/code.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/code.shore.co.il.conf
new file mode 100644
index 0000000..5c985d2
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/code.shore.co.il.conf
@@ -0,0 +1,71 @@
+# vim: ft=nginx
+map $host $code { default code; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name code.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name code.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-modern.conf;
+
+    # The following was copied (and modified) from
+    # https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html#reverse-proxy-with-nginx-webserver.
+
+    # static files
+    location ^~ /browser {
+        proxy_pass              http://$code:9980$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        proxy_hide_header       X-Frame-Options;
+    }
+
+    # WOPI discovery URL
+    location ^~ /hosting/discovery {
+        proxy_pass              http://$code:9980$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+    }
+
+    # Capabilities
+    location ^~ /hosting/capabilities {
+        proxy_pass              http://$code:9980$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+    }
+
+    # main websocket
+    location ~ ^/cool/(.*)/ws$ {
+        proxy_pass              http://$code:9980$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        include                 snippets/websockets.conf;
+    }
+
+    # download, presentation and image upload
+    location ~ ^/(c|l)ool {
+        proxy_pass              http://$code:9980$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+    }
+
+    # Admin Console websocket
+    location ^~ /cool/adminws {
+        proxy_pass              http://$code:9980$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        include                 snippets/websockets.conf;
+    }
+}
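Review bot: The `^~ /cool/adminws` location proxies the Collabora admin-console websocket with no IP restriction, unlike the lam and sogo vhosts in this commit which include `snippets/allow-private-ips.conf` on their admin surfaces. If the admin console is only used from inside the network, adding `include snippets/allow-private-ips.conf;` to that location limits exposure of the console's login endpoint; the `/browser`, `/hosting/*` and `/cool` locations must stay open for the document-editing integration. Whether the console is additionally disabled or password-protected on the Collabora side cannot be seen from this file.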
diff --git a/Compose/web-proxy/host01/conf.d/git.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/git.shore.co.il.conf
new file mode 100644
index 0000000..d408b7d
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/git.shore.co.il.conf
@@ -0,0 +1,31 @@
+# vim: ft=nginx
+map $host $git { default gitlab; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name git.shore.co.il;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name git.shore.co.il;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-modern.conf;
+
+    location / {
+        proxy_pass              http://$git$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        proxy_set_header        X-Forwarded-Ssl on;
+        client_max_body_size    512m;
+    }
+}
diff --git a/Compose/web-proxy/host01/conf.d/lam.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/lam.shore.co.il.conf
new file mode 100644
index 0000000..2bb9eb2
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/lam.shore.co.il.conf
@@ -0,0 +1,31 @@
+# vim: ft=nginx
+map $host $lam { default ldap-account-manager; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name lam.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name lam.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-modern.conf;
+
+    location / {
+        proxy_pass              http://$lam$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        proxy_hide_header       X-Frame-Options;
+        include                 snippets/allow-private-ips.conf;
+    }
+}
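Review bot: `proxy_hide_header X-Frame-Options;` strips the upstream's clickjacking protection from an LDAP administration UI, which is only justified if the application is meant to be embedded in another origin, and nothing here indicates that. If it stays, a comment naming what frames LAM (and whether common-headers.conf or ssl-modern.conf re-adds a `frame-ancestors` policy) would document the decision; otherwise drop the line and let the application's own header through. The allow-private-ips.conf include limits who can reach the page but does not address a framing attack against an already-authorized admin.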
diff --git a/Compose/web-proxy/host01/conf.d/mail.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/mail.shore.co.il.conf
new file mode 100644
index 0000000..fa99b28
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/mail.shore.co.il.conf
@@ -0,0 +1,35 @@
+# vim: ft=nginx
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name imap.shore.co.il smtp.shore.co.il mta-sts.shore.co.il mta-sts.nehe.sr;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+}
+
+server {
+    listen                      443 ssl http2;
+    listen                      [::]:443 ssl http2;
+    server_name                 mta-sts.shore.co.il mta-sts.nehe.sr;
+    root                        /var/www/mail.shore.co.il/;
+    include                     snippets/robots-disallow-all.conf;
+    include                     snippets/ads-txt.conf;
+    include                     snippets/security-txt.conf;
+
+    # Copied from snippetes/ssl.conf.
+    add_header                  Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+    add_header                  Expect-CT "max-age=86400, enforce, report-uri=\"https://www.shore.co.il/about\"";
+    include                     snippets/common-headers.conf;
+    ssl_certificate             /var/ssl/mail.crt;
+    ssl_certificate_key         /var/ssl/mail.key;
+    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_ciphers                 !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1;
+    ssl_prefer_server_ciphers   on;
+    ssl_session_cache           shared:SSL:50m;
+    ssl_session_timeout         5m;
+    ssl_stapling                on;
+    ssl_stapling_verify         on;
+    ssl_trusted_certificate     /etc/ssl/ocsp.pem;
+}
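Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` enables TLS 1.0 and 1.1 on the MTA-STS policy host, while the other vhosts in this commit use the ssl-modern.conf snippet; MTA-STS policy fetchers are modern senders, so `ssl_protocols TLSv1.2 TLSv1.3;` is the safer default unless a known legacy fetcher is being accommodated. The block is marked `# Copied from snippetes/ssl.conf.` — presumably because this vhost uses mail.crt/mail.key rather than the site certificate — so it will drift from the snippet over time; a comment stating that reason would help, and `Expect-CT` is a deprecated header that browsers no longer honor. The port-80 server above also lacks the `redirect-https.conf` include the other vhosts have; if that is intentional (ACME challenges only for the imap/smtp names) a comment would save a question later.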
diff --git a/Compose/web-proxy/host01/conf.d/nextcloud.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/nextcloud.shore.co.il.conf
new file mode 100644
index 0000000..33a9b73
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/nextcloud.shore.co.il.conf
@@ -0,0 +1,32 @@
+# vim: ft=nginx
+map $host $nextcloud { default nextcloud; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name nextcloud.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name nextcloud.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-modern.conf;
+    include     snippets/nextcloud-well-known.conf;
+
+    location / {
+        proxy_pass              http://$nextcloud$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        proxy_hide_header       X-Frame-Options;
+        client_max_body_size    512m;
+    }
+}
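Review bot: `proxy_hide_header X-Frame-Options;` removes whatever anti-framing header the Nextcloud backend emits, and Nextcloud's own security overview is known to flag a missing `SAMEORIGIN`; unless another snippet (common-headers.conf, not visible here) re-adds an equivalent header or `frame-ancestors` policy, consider dropping the line or adding a comment explaining what needs to frame Nextcloud. The nextcloud-well-known.conf include at server scope is fine: its `location` blocks take precedence over the prefix `/` match below it.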
diff --git a/Compose/web-proxy/host01/conf.d/notify.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/notify.shore.co.il.conf
new file mode 100644
index 0000000..db9e761
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/notify.shore.co.il.conf
@@ -0,0 +1,29 @@
+# vim: ft=nginx
+map $host $notify { default notifier; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name notify.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name notify.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-legacy.conf;
+
+    location / {
+        proxy_pass              http://$notify:8080$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+    }
+}
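Review bot: This vhost includes `snippets/ssl-legacy.conf` whereas nearly every other vhost in the commit uses `snippets/ssl-modern.conf`, and nothing says why; the same applies to zpush.shore.co.il.conf. A one-line comment above the include, e.g. `# ssl-legacy: <client/device> only negotiates the older cipher/protocol set — revisit when it is retired`, records the constraint so the weaker configuration is neither carried forward indefinitely nor "fixed" blindly.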
diff --git a/Compose/web-proxy/host01/conf.d/sogo.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/sogo.shore.co.il.conf
new file mode 100644
index 0000000..189579f
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/sogo.shore.co.il.conf
@@ -0,0 +1,40 @@
+# vim: ft=nginx
+map $host $sogo { default sogo; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name sogo.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name sogo.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-modern.conf;
+
+    location    /       { return 301 https://$host/SOGo/; }
+    location    /SOGo   { return 301 https://$host/SOGo/; }
+    location /SOGo/ {
+        proxy_pass              http://$sogo:20000$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        proxy_hide_header       X-Frame-Options;
+        include                 snippets/allow-private-ips.conf;
+
+        # Copied from http://wiki.sogo.nu/nginxSettings
+        proxy_set_header        x-webobjects-server-protocol HTTP/1.1;
+        proxy_set_header        x-webobjects-remote-host $sogo;
+        proxy_set_header        x-webobjects-server-name $server_name;
+        proxy_set_header        x-webobjects-server-url $scheme://$host;
+        proxy_set_header        x-webobjects-server-port $server_port;
+    }
+}
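Review bot: `proxy_set_header x-webobjects-remote-host $sogo;` is introduced under a `# Copied from http://wiki.sogo.nu/nginxSettings` comment, but the value here is the backend's own alias rather than the proxy-side address the wiki uses; if the divergence is intentional, amend the comment to say what was changed (`# Copied from ... with remote-host pointed at the sogo alias`), since a wrong value here tends to surface only as hard-to-trace link or redirect problems. The `location /SOGo` prefix block also matches paths like `/SOGoX` and redirects them to `/SOGo/`; `location = /SOGo` expresses the intent exactly.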
diff --git a/Compose/web-proxy/host01/conf.d/vouch.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/vouch.shore.co.il.conf
new file mode 100644
index 0000000..ec6ce8a
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/vouch.shore.co.il.conf
@@ -0,0 +1,29 @@
+# vim: ft=nginx
+# The $vouch variable is defined in global.conf, it's needed by other servers
+# and deployments.
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name vouch.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name vouch.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-modern.conf;
+
+    location / {
+        proxy_pass              http://$vouch:9090;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+    }
+}
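Review bot: `proxy_pass http://$vouch:9090;` omits the `$request_uri` suffix every other proxied vhost in this commit appends; with a variable in `proxy_pass` and no URI part nginx forwards the original request URI unchanged, so behavior is the same, but the inconsistency reads like an omission. Either add `$request_uri` for uniformity or leave a short comment noting the two forms are equivalent here.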
diff --git a/Compose/web-proxy/host01/conf.d/zpush.shore.co.il.conf b/Compose/web-proxy/host01/conf.d/zpush.shore.co.il.conf
new file mode 100644
index 0000000..aa25106
--- /dev/null
+++ b/Compose/web-proxy/host01/conf.d/zpush.shore.co.il.conf
@@ -0,0 +1,29 @@
+# vim: ft=nginx
+map $host $zpush { default z-push; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name zpush.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name zpush.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-legacy.conf;
+
+    location / {
+        proxy_pass              http://$zpush;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+    }
+}
diff --git a/Compose/web-proxy/host01/docker-compose.yml b/Compose/web-proxy/host01/docker-compose.yml
new file mode 100644
index 0000000..698fbe6
--- /dev/null
+++ b/Compose/web-proxy/host01/docker-compose.yml
@@ -0,0 +1,54 @@
+---
+version: '3.5'
+services:
+  proxy:
+    build:
+      context: ./
+    # command: ["nginx", "-g", "daemon off;"]
+    hostname: &hostname nextcloud.shore.co.il
+    networks:
+      default:
+        aliases:
+          - *hostname
+          - code.shore.co.il
+          - elasticsearch.shore.co.il
+          - git.shore.co.il
+          - kibana.shore.co.il
+          - lam.shore.co.il
+          - mta-sts.shore.co.il
+          - sogo.shore.co.il
+          - vouch.shore.co.il
+          - zpush.shore.co.il
+    ports:
+      - '80:80'
+      - '443:443'
+    restart: always
+    volumes:
+      - '/var/www/www.shore.co.il/.well-known/acme-challenge:/var/www/www.shore.co.il/.well-known/acme-challenge:ro'
+      - '/var/ssl/site.key:/var/ssl/site.key:ro'
+      - '/var/ssl/site.crt:/var/ssl/site.crt:ro'
+      - '/var/ssl/mail.key:/var/ssl/mail.key:ro'
+      - '/var/ssl/mail.crt:/var/ssl/mail.crt:ro'
+      - '/var/ssl/dhparams:/var/ssl/dhparams:ro'
+
+  vouch:
+    environment:
+      OAUTH_AUTH_URL: https://nextcloud.shore.co.il/apps/oauth2/authorize
+      OAUTH_CALLBACK_URLS: https://vouch.shore.co.il/auth
+      OAUTH_CLIENT_ID: "${VOUCH_OAUTH_CLIENT_ID}"
+      # yamllint disable-line rule:line-length
+      OAUTH_CLIENT_SECRET: "${VOUCH_OAUTH_CLIENT_SECRET}"  # pragma: allowlist secret
+      OAUTH_PROVIDER: nextcloud
+      OAUTH_SCOPES: 'openid,email.profile'
+      OAUTH_TOKEN_URL: https://nextcloud.shore.co.il/apps/oauth2/api/v1/token
+      # yamllint disable-line rule:line-length
+      OAUTH_USER_INFO_URL: https://nextcloud.shore.co.il/ocs/v2.php/cloud/user?format=json
+      VOUCH_DOMAINS: shore.co.il
+      VOUCH_JWT_MAXAGE: 10080  # 1 week.
+      VOUCH_JWT_SECRET: "${VOUCH_JWT_SECRET}"  # pragma: allowlist secret
+    image: quay.io/vouch/vouch-proxy:alpine-0.36.0
+    restart: always
+
+networks:
+  default:
+    name: shore
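Review bot: `OAUTH_SCOPES: 'openid,email.profile'` looks like a typo for `'openid,email,profile'` — the value is already a comma-separated list, so as written it requests a single scope named `email.profile` and the Nextcloud user-info lookup may fail; please confirm against a working login. Separately, the network aliases list omits `auth.shore.co.il` and `notify.shore.co.il`, both of which get vhosts in conf.d in this commit, while including `elasticsearch.shore.co.il` and `kibana.shore.co.il`, which have none here; if the aliases exist so containers on the `shore` network reach these names through the proxy, the two omitted names will resolve via external DNS instead. The `VOUCH_JWT_MAXAGE: 10080  # 1 week.` comment would be clearer as `# minutes; 1 week.`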
diff --git a/Compose/web-proxy/host01/snippets/nextcloud-well-known.conf b/Compose/web-proxy/host01/snippets/nextcloud-well-known.conf
new file mode 100644
index 0000000..f615565
--- /dev/null
+++ b/Compose/web-proxy/host01/snippets/nextcloud-well-known.conf
@@ -0,0 +1,11 @@
+location /.well-known/caldav {
+    return  301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+
+location /.well-known/carddav {
+    return  301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+
+location /.well-known/webfinger {
+    return  301 https://nextcloud.shore.co.il/public.php?service=webfinger;
+}
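Review bot: The webfinger redirect `return 301 https://nextcloud.shore.co.il/public.php?service=webfinger;` discards the client's query string, and WebFinger carries its subject in the `resource=` query parameter; `return` does not append the original arguments (unlike `rewrite`), so the target receives a request with no resource. `return 301 https://nextcloud.shore.co.il/public.php?service=webfinger&$args;` preserves it. The caldav/carddav redirects are unaffected since those discovery requests do not rely on query parameters.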
diff --git a/Compose/web-proxy/host01/www/mail.shore.co.il/.well-known/mta-sts.txt b/Compose/web-proxy/host01/www/mail.shore.co.il/.well-known/mta-sts.txt
new file mode 100644
index 0000000..d81ad3b
--- /dev/null
+++ b/Compose/web-proxy/host01/www/mail.shore.co.il/.well-known/mta-sts.txt
@@ -0,0 +1,4 @@
+version: STSv1
+mode: testing
+mx: smtp.shore.co.il
+max_age: 86400
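Review bot: `mode: testing` means receiving MTAs only report failures and never enforce TLS for smtp.shore.co.il, and `max_age: 86400` is one day, which is at the short end; both are reasonable for a first deployment, but a tracking item for moving to `mode: enforce` with a longer `max_age` once TLSRPT reports look clean would keep this from staying in testing indefinitely. The DNS `_mta-sts` TXT record that points senders at this policy is not part of this commit, so the policy is inert until it exists.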
-- 
GitLab