Web proxy: Add ns4.

.gitlab-ci.yml

@@ -36,19 +36,19 @@ web-proxy kodi build:
   tags: ["kodi.shore.co.il"]
   variables:
     WORKDIR: Compose/web-proxy/kodi
-  # rules: &compose-rules
-  #   - if: $CI_PIPELINE_SOURCE == "schedule"
-  #   - if: $CI_PIPELINE_SOURCE == "push"
-  #     changes:
-  #       - $WORKDIR/*
-  #       - $WORKDIR/**/*
+  rules: &compose-rules
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+    - if: $CI_PIPELINE_SOURCE == "push"
+      changes:
+        - $WORKDIR/*
+        - $WORKDIR/**/*
 
 web-proxy kodi pull:
   extends: .compose-pull
   tags: ["kodi.shore.co.il"]
   variables:
     WORKDIR: Compose/web-proxy/kodi
-  # rules: *compose-rules
+  rules: *compose-rules
 
 web-proxy kodi run:
   extends: .compose-run
@@ -56,4 +56,26 @@ web-proxy kodi run:
   variables:
     WORKDIR: Compose/web-proxy/kodi
   when: manual
+  rules: *compose-rules
+
+web-proxy ns4 build:
+  extends: .compose-build
+  tags: ["ns4.shore.co.il"]
+  variables:
+    WORKDIR: Compose/web-proxy/ns4
+  # rules: *compose-rules
+
+web-proxy ns4 pull:
+  extends: .compose-pull
+  tags: ["ns4.shore.co.il"]
+  variables:
+    WORKDIR: Compose/web-proxy/ns4
+  # rules: *compose-rules
+
+web-proxy ns4 run:
+  extends: .compose-run
+  tags: ["ns4.shore.co.il"]
+  variables:
+    WORKDIR: Compose/web-proxy/ns4
+  when: manual
   # rules: *compose-rules

Compose/web-proxy/ns4/.dockerignore

+*
+!conf.d/
+!www/
+!snippets/

Compose/web-proxy/ns4/.env

+COMPOSE_PROJECT_NAME=web-proxy

Compose/web-proxy/ns4/Dockerfile

+# hadolint ignore=DL3006
+FROM registry.shore.co.il/nginx
+COPY --chown=root:root www/ /var/www/
+COPY --chown=root:root conf.d/ /etc/nginx/conf.d/
+COPY --chown=root:root snippets/ /etc/nginx/snippets/
+RUN nginx -t

Compose/web-proxy/ns4/conf.d/autoconfig.shore.co.il.conf

+# vim: ft=nginx
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name autoconfig.shore.co.il autoconfig.nehe.sr;
+    root        /var/www/autoconfig.shore.co.il/;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/robots-allow-all.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name autoconfig.shore.co.il autoconfig.nehe.sr;
+    root        /var/www/autoconfig.shore.co.il/;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-legacy.conf;
+}

Compose/web-proxy/ns4/conf.d/elasticsearch.shore.co.il.conf

+# vim: ft=nginx
+map $host $es { default elasticsearch; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name elasticsearch.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name elasticsearch.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-modern.conf;
+
+    location / {
+        proxy_pass              http://$es:9200$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/allow-shore-ips.conf;
+    }
+}

Compose/web-proxy/ns4/conf.d/kibana.shore.co.il.conf

+# vim: ft=nginx
+map $host $kibana { default kibana; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name kibana.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name kibana.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-modern.conf;
+    include     snippets/vouch.conf;
+
+    location / {
+        proxy_pass              http://$kibana:5601$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+    }
+}

Compose/web-proxy/ns4/conf.d/myip.shore.co.il.conf

+# vim: ft=nginx
+server {
+    listen              80;
+    listen              [::]:80;
+    server_name         myip.shore.co.il;
+    include             snippets/robots-disallow-all.conf;
+    include             snippets/ads-txt.conf;
+    include             snippets/security-txt.conf;
+    include             snippets/www-acme-challenge.conf;
+    error_page 404      /;
+    location = /        { return 200 "$remote_addr"; }
+}
+
+server {
+    listen              443 ssl http2;
+    listen              [::]:443 ssl http2;
+    server_name         myip.shore.co.il;
+    include             snippets/robots-disallow-all.conf;
+    include             snippets/ads-txt.conf;
+    include             snippets/security-txt.conf;
+    include             snippets/ssl-legacy.conf;
+    error_page 404      /;
+    location = /        {
+        add_header Content-Type "text/plain; charset=utf-8";
+        return 200 "$remote_addr";
+    }
+}

Compose/web-proxy/ns4/conf.d/nehe.sr.conf

+# vim: ft=nginx
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name nehe.sr;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-www.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name nehe.sr;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-legacy.conf;
+    include     snippets/nextcloud-well-known.conf;
+    include     snippets/activesync.conf;
+    include     snippets/redirect-www.conf;
+}

Compose/web-proxy/ns4/conf.d/nehes.co.conf

+# vim: ft=nginx
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name nehes.co;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-www.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name nehes.co;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-legacy.conf;
+    include     snippets/nextcloud-well-known.conf;
+    include     snippets/activesync.conf;
+    include     snippets/redirect-www.conf;
+}

Compose/web-proxy/ns4/conf.d/registry.shore.co.il.conf

+# vim: ft=nginx
+map $host $registry { default registry; }
+map $host $registry_fe { default reg; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name registry.shore.co.il;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name registry.shore.co.il;
+    include     snippets/ssl-modern.conf;
+
+    location /v2/ {
+        proxy_pass                  http://$registry:5000$request_uri;
+        proxy_http_version          1.1;
+        include                     snippets/proxy-headers.conf;
+        # disable any limits to avoid HTTP 413 for large image uploads
+        client_max_body_size        0;
+        # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+        chunked_transfer_encoding   on;
+        limit_except GET HEAD OPTIONS {
+            include snippets/allow-ns4.conf;
+            include snippets/allow-private-ips.conf;
+        }
+    }
+
+    location / {
+        proxy_pass          http://$registry_fe:8080$request_uri;
+        proxy_http_version  1.1;
+        include             snippets/proxy-headers.conf;
+    }
+}

Compose/web-proxy/ns4/conf.d/shore.co.il.conf

+# vim: ft=nginx
+map $host $z_push { default z-push; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name shore.co.il;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-www.conf;
+
+    location = /        { return 301 https://www.shore.co.il/blog/; }
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name shore.co.il;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-legacy.conf;
+    include     snippets/nextcloud-well-known.conf;
+    include     snippets/activesync.conf;
+    include     snippets/redirect-www.conf;
+    include     snippets/matrix-well-known.conf;
+
+    location = /        { return 301 https://www.shore.co.il/blog/; }
+}

Compose/web-proxy/ns4/conf.d/www.nehe.sr.conf

+# vim: ft=nginx
+server {
+    listen              80;
+    listen              [::]:80;
+    server_name         www.nehe.sr;
+    include             snippets/robots-allow-all.conf;
+    include             snippets/ads-txt.conf;
+    include             snippets/security-txt.conf;
+    include             snippets/www-acme-challenge.conf;
+    include             snippets/redirect-https.conf;
+}
+
+server {
+    listen              443 ssl http2;
+    listen              [::]:443 ssl http2;
+    server_name         www.nehe.sr;
+    include             snippets/robots-allow-all.conf;
+    include             snippets/ads-txt.conf;
+    include             snippets/security-txt.conf;
+    include             snippets/ssl-legacy.conf;
+    root                /var/www/www.nehe.sr/;
+    error_page 404      /404.html;
+}

Compose/web-proxy/ns4/conf.d/www.nehes.co.conf

+# vim: ft=nginx
+server {
+    listen              80;
+    listen              [::]:80;
+    server_name         www.nehes.co;
+    include             snippets/robots-allow-all.conf;
+    include             snippets/ads-txt.conf;
+    include             snippets/security-txt.conf;
+    include             snippets/www-acme-challenge.conf;
+    include             snippets/redirect-https.conf;
+}
+
+server {
+    listen              443 ssl http2;
+    listen              [::]:443 ssl http2;
+    server_name         www.nehes.co;
+    include             snippets/robots-allow-all.conf;
+    include             snippets/ads-txt.conf;
+    include             snippets/security-txt.conf;
+    include             snippets/ssl-legacy.conf;
+    root                /var/www/www.nehe.sr/;
+    error_page 404      /404.html;
+}

Compose/web-proxy/ns4/conf.d/www.shore.co.il.conf

+# vim: ft=nginx
+server {
+    listen              80;
+    listen              [::]:80;
+    server_name         www.shore.co.il;
+    include             snippets/robots-allow-all.conf;
+    include             snippets/ads-txt.conf;
+    include             snippets/security-txt.conf;
+    include             snippets/www-acme-challenge.conf;
+    location = /        { return 301 https://$host/blog/; }
+    location /repo/     {
+        root            /var/www/www.shore.co.il/;
+        autoindex       on;
+    }
+    include             snippets/redirect-https.conf;
+}
+
+server {
+    listen                  443 ssl http2;
+    listen                  [::]:443 ssl http2;
+    server_name             www.shore.co.il;
+    include                 snippets/robots-allow-all.conf;
+    include                 snippets/ads-txt.conf;
+    include                 snippets/security-txt.conf;
+    include                 snippets/ssl-legacy.conf;
+    root                    /var/www/www.shore.co.il/;
+    error_page 404          /;
+
+    location /repo/         { autoindex on; }
+    location = /resume      { try_files $uri /resume/resume.html; }
+    location = /resume/     { index resume.html; }
+
+    location = /            { return 301 https://$host/blog/; }
+    location /about         { return 301 https://$host/blog/pages/about-me.html; }
+    location /spam          { return 301 https://$host/blog/pages/spam.html; }
+    location = /blog        {
+        try_files $uri /blog/index.html;
+        charset UTF-8;
+    }
+
+    location /cgit          { return 301 https://git.shore.co.il/explore; }
+    location /cgit/         { return 301 https://git.shore.co.il/explore; }
+    location /git           { return 301 https://git.shore.co.il/explore; }
+    location /git/          { return 301 https://git.shore.co.il/explore; }
+}

Compose/web-proxy/ns4/docker-compose.yml

+---
+version: '3.5'
+services:
+  proxy:
+    build:
+      context: ./
+    # command: ["nginx", "-g", "daemon off;"]
+    hostname: &hostname www.shore.co.il
+    networks:
+      default:
+        aliases:
+          - *hostname
+          - autoconfig.shore.co.il
+          - myip.shore.co.il
+          - nehe.sr
+          - registry.shore.co.il
+          - www.nehe.sr
+    ports:
+      - '80:80'
+      - '443:443'
+    restart: always
+    volumes:
+      - '/var/www/www.shore.co.il/.well-known/acme-challenge:/var/www/www.shore.co.il/.well-known/acme-challenge:ro'
+      - '/var/ssl/site.key:/var/ssl/site.key:ro'
+      - '/var/ssl/site.crt:/var/ssl/site.crt:ro'
+      - '/var/ssl/dhparams:/var/ssl/dhparams:ro'
+      - '/var/www/www.nehe.sr:/var/www/www.nehe.sr:ro'
+      - '/var/www/www.shore.co.il/blog:/var/www/www.shore.co.il/blog:ro'
+      - '/var/www/www.shore.co.il/resume:/var/www/www.shore.co.il/resume:ro'
+
+  vouch:
+    environment:
+      OAUTH_AUTH_URL: https://nextcloud.shore.co.il/apps/oauth2/authorize
+      OAUTH_CALLBACK_URLS: https://vouch.shore.co.il/auth
+      OAUTH_CLIENT_ID: "${VOUCH_OAUTH_CLIENT_ID}"
+      # yamllint disable-line rule:line-length
+      OAUTH_CLIENT_SECRET: "${VOUCH_OAUTH_CLIENT_SECRET}"  # pragma: allowlist secret
+      OAUTH_PROVIDER: nextcloud
+      OAUTH_SCOPES: 'openid,email.profile'
+      OAUTH_TOKEN_URL: https://nextcloud.shore.co.il/apps/oauth2/api/v1/token
+      # yamllint disable-line rule:line-length
+      OAUTH_USER_INFO_URL: https://nextcloud.shore.co.il/ocs/v2.php/cloud/user?format=json
+      VOUCH_DOMAINS: shore.co.il
+      VOUCH_JWT_MAXAGE: 10080  # 1 week.
+      VOUCH_JWT_SECRET: "${VOUCH_JWT_SECRET}"  # pragma: allowlist secret
+    image: quay.io/vouch/vouch-proxy:alpine-0.36.0
+    restart: always
+
+networks:
+  default:
+    name: shore

Compose/web-proxy/ns4/snippets/activesync.conf

+location /AutoDiscover/ {
+    proxy_pass          https://zpush.shore.co.il$request_uri;
+    include             snippets/proxy-headers.conf;
+    include             snippets/proxy-ssl.conf;
+}
+
+location /Autodiscover/ {
+    proxy_pass          https://zpush.shore.co.il$request_uri;
+    include             snippets/proxy-headers.conf;
+    include             snippets/proxy-ssl.conf;
+}
+
+location /autodiscover/ {
+    proxy_pass          https://zpush.shore.co.il$request_uri;
+    include             snippets/proxy-headers.conf;
+    include             snippets/proxy-ssl.conf;
+}
+
+location /Microsoft-Server-ActiveSync {
+    proxy_pass          https://zpush.shore.co.il$request_uri;
+    include             snippets/proxy-headers.conf;
+    include             snippets/proxy-ssl.conf;
+}

Compose/web-proxy/ns4/snippets/nextcloud-well-known.conf

+location /.well-known/caldav {
+    return  301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+
+location /.well-known/carddav {
+    return  301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+
+location /.well-known/webfinger {
+    return  301 https://nextcloud.shore.co.il/public.php?service=webfinger;
+}

Compose/web-proxy/ns4/www/autoconfig.shore.co.il/mail/config-v1.1.xml

+<?xml version="1.0" encoding="UTF-8"?>
+
+<clientConfig version="1.1">
+  <emailProvider id="shore.co.il">
+    <domain>shore.co.il</domain>
+    <displayName>Shore technologies</displayName>
+    <displayShortName>Shore</displayShortName>
+    <incomingServer type="imap">
+      <hostname>imap.shore.co.il</hostname>
+      <port>993</port>
+      <socketType>SSL</socketType>
+      <authentication>password-cleartext</authentication>
+      <username>%EMAILLOCALPART%</username>
+    </incomingServer>
+    <outgoingServer type="smtp">
+      <hostname>smtp.shore.co.il</hostname>
+      <port>587</port>
+      <socketType>STARTTLS</socketType>
+      <authentication>password-cleartext</authentication>
+      <username>%EMAILLOCALPART%</username>
+    </outgoingServer>
+  </emailProvider>
+  <emailProvider id="nehe.sr">
+    <domain>nehe.sr</domain>
+    <displayName>Nehes Realestate</displayName>
+    <displayShortName>Nehes</displayShortName>
+    <incomingServer type="imap">
+      <hostname>imap.shore.co.il</hostname>
+      <port>993</port>
+      <socketType>SSL</socketType>
+      <authentication>password-cleartext</authentication>
+      <username>%EMAILLOCALPART%</username>
+    </incomingServer>
+    <outgoingServer type="smtp">
+      <hostname>smtp.shore.co.il</hostname>
+      <port>587</port>
+      <socketType>STARTTLS</socketType>
+      <authentication>password-cleartext</authentication>
+      <username>%EMAILLOCALPART%</username>
+    </outgoingServer>
+  </emailProvider>
+</clientConfig>

Compose/web-proxy/ns4/www/www.shore.co.il/google88c23a5c89fa3cb3.html

+google-site-verification: google88c23a5c89fa3cb3.html