pax_global_header 0000666 0000000 0000000 00000000064 14331263461 0014515 g ustar 00root root 0000000 0000000 52 comment=3993f20461f0604bdd27f849af30d7a2a2842e37
web-proxy-docker-ns4/ 0000775 0000000 0000000 00000000000 14331263461 0014764 5 ustar 00root root 0000000 0000000 web-proxy-docker-ns4/.dockerignore 0000664 0000000 0000000 00000000034 14331263461 0017435 0 ustar 00root root 0000000 0000000 *
!conf.d/
!www/
!snippets/
web-proxy-docker-ns4/.env 0000664 0000000 0000000 00000000037 14331263461 0015555 0 ustar 00root root 0000000 0000000 COMPOSE_PROJECT_NAME=web-proxy
web-proxy-docker-ns4/.gitignore 0000664 0000000 0000000 00000000625 14331263461 0016757 0 ustar 00root root 0000000 0000000 ~*
*~
*.sw[op]
*.py[cod]
.DS_Store
__pycache__/
.vagrant/
vendor/
Thumbs.db
*.retry
.svn/
.sass-cache/
*.log
*.out
*.so
node_modules/
.npm/
nbproject/
*.ipynb
.idea/
*.egg-info/
*.[ao]
.classpath
.cache/
bower_components/
*.class
*.[ewj]ar
secring.*
.*.kate-swp
.swp.*
.directory
.Trash-*
build/
_build/
dist/
.tox/
*.pdf
*.exe
*.dll
*.gz
*.tgz
*.tar
*.rar
*.zip
*.pid
*.lock
*.env
.bundle/
!Pipfile.lock
web-proxy-docker-ns4/.gitlab-ci.yml 0000664 0000000 0000000 00000001164 14331263461 0017422 0 ustar 00root root 0000000 0000000 ---
include:
  - project: shore/ci-stuff
    file: templates/pre-commit.yml
  - project: shore/ci-stuff
    file: templates/docker.yml

stages:
  - test
  - build
  - deploy

# The compose jobs only run on the per-host branches; the runner tag is
# derived from the branch name (presumably one tagged runner per host).
# The branch test is anchored on the build job and reused by pull/run.
build:
  extends: .compose-build
  tags: ["$CI_COMMIT_BRANCH.shore.co.il"]
  rules:
    - if: &if >-
        $CI_COMMIT_BRANCH == "host01" ||
        $CI_COMMIT_BRANCH == "ns4" ||
        $CI_COMMIT_BRANCH == "kodi"

pull:
  extends: .compose-pull
  tags: ["$CI_COMMIT_BRANCH.shore.co.il"]
  rules:
    - if: *if

run:
  extends: .compose-run
  tags: ["$CI_COMMIT_BRANCH.shore.co.il"]
  rules:
    - if: *if
      when: manual
web-proxy-docker-ns4/.pre-commit-config.yaml 0000664 0000000 0000000 00000002656 14331263461 0021256 0 ustar 00root root 0000000 0000000 ---
# Hooks are pinned by git tag (`rev`). Tags are mutable references, so what a
# given rev installs can change upstream; `pre-commit autoupdate --freeze`
# rewrites the revs to commit SHAs if immutable pins are wanted.
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks.git
    rev: v4.0.1
    hooks:
      - id: check-added-large-files
      - id: check-json
      - id: check-merge-conflict
      - id: check-symlinks
      - id: check-xml
      - id: detect-private-key
      - id: end-of-file-fixer
      - id: trailing-whitespace
        exclude: '\.diff$'

  - repo: https://github.com/codespell-project/codespell.git
    rev: v2.1.0
    hooks:
      - id: codespell

  - repo: https://github.com/Yelp/detect-secrets.git
    rev: v1.1.0
    hooks:
      - id: detect-secrets

  - repo: https://github.com/amperser/proselint.git
    rev: 0.10.2
    hooks:
      - id: proselint
        types:
          - plain-text
        exclude: LICENSE

  - repo: https://gitlab.com/devopshq/gitlab-ci-linter.git
    rev: v1.0.2
    hooks:
      - id: gitlab-ci-linter
        # Lint against the project's own GitLab instance, where the templates
        # included by .gitlab-ci.yml live.
        args:
          - "--server"
          - https://git.shore.co.il

  - repo: https://git.shore.co.il/nimrod/yamltool.git
    rev: v0.1.2
    hooks:
      - id: yamltool

  - repo: https://github.com/adrienverge/yamllint.git
    rev: v1.26.3
    hooks:
      - id: yamllint

  - repo: https://github.com/executablebooks/mdformat.git
    rev: 0.7.10
    hooks:
      - id: mdformat

  - repo: https://git.shore.co.il/nimrod/pre-commit-hooks.git
    rev: v0.2.0
    hooks:
      - id: docker-compose

  - repo: https://github.com/AleksaC/hadolint-py.git
    rev: v2.8.0
    hooks:
      - id: hadolint
web-proxy-docker-ns4/Dockerfile 0000664 0000000 0000000 00000002107 14331263461 0016756 0 ustar 00root root 0000000 0000000 FROM nginx:1.23.2-alpine
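# Image preparation, run as root (the image switches to the unprivileged
# `nginx` user further down):
#  * clear the stock vhosts in conf.d so only the ones copied in below load
#    (the previous path `/etc/nginx/conf./*` matched nothing);
#  * hand /run to the `nginx` user so it can write its pid file, instead of
#    making the directory world-writable;
#  * fetch the ISRG OCSP root (ssl_stapling_verify, see snippets/ssl-common.conf)
#    and Mozilla's ffdhe2048 group, failing the build on any HTTP error rather
#    than saving an error page under the expected file name;
#  * generate a throwaway self-signed certificate so `nginx -t` passes; the real
#    key/cert are bind-mounted at runtime (docker-compose.yml);
#  * grant the binary CAP_NET_BIND_SERVICE so it can bind 80/443 as non-root.
# hadolint ignore=DL3018
RUN rm -rf /etc/nginx/conf.d/* && \
    chown nginx:nginx /run && \
    apk add --no-cache --update libcap openssl && \
    install -d -m 755 -o root -g root /etc/nginx/snippets /var/ssl && \
    install -d -m 700 -o nginx -g nginx /var/cache/nginx && \
    curl --fail --silent --show-error \
        --output /etc/ssl/ocsp.pem \
        https://letsencrypt.org/certs/isrg-root-ocsp-x1.pem.txt && \
    curl --fail --silent --show-error \
        --output /var/ssl/dhparams \
        https://ssl-config.mozilla.org/ffdhe2048.txt && \
    chmod 644 /var/ssl/dhparams && \
    openssl req -x509 \
        -newkey rsa:4096 \
        -keyout /var/ssl/site.key \
        -nodes \
        -out /var/ssl/site.crt \
        -batch && \
    chmod 600 /var/ssl/site.key && \
    chown nginx /var/ssl/site.* && \
    setcap CAP_NET_BIND_SERVICE=+ep "$(command -v nginx)"
COPY www/ /var/www/
COPY conf.d/ /etc/nginx/conf.d/
COPY snippets/ /etc/nginx/snippets/
USER nginx
# Fail the build early on a broken configuration.
RUN nginx -t
# The `status` vhost (conf.d/status.conf) serves stub_status to loopback only.
HEALTHCHECK CMD curl --fail --verbose --user-agent 'Docker health check' --header "Host: status" http://localhost/ || exit 1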
web-proxy-docker-ns4/LICENSE.txt 0000664 0000000 0000000 00000002054 14331263461 0016610 0 ustar 00root root 0000000 0000000 MIT License
Copyright (c) 2021 Adar Nimrod
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
web-proxy-docker-ns4/README.md 0000664 0000000 0000000 00000001074 14331263461 0016245 0 ustar 00root root 0000000 0000000 # Web proxy
[![pipeline status](https://git.shore.co.il/shore/web-proxy-docker/badges/master/pipeline.svg)](https://git.shore.co.il/shore/web-proxy-docker/-/commits/master)
> Web proxy Dockerized setup.
## License
This software is licensed under the MIT license (see `LICENSE.txt`).
## Author Information
Nimrod Adar, [contact me](mailto:nimrod@shore.co.il) or visit my
[website](https://www.shore.co.il/). Patches are welcome via
[`git send-email`](http://git-scm.com/book/en/v2/Git-Commands-Email). The repository
is located at <https://git.shore.co.il/shore/web-proxy-docker>.
web-proxy-docker-ns4/conf.d/ 0000775 0000000 0000000 00000000000 14331263461 0016133 5 ustar 00root root 0000000 0000000 web-proxy-docker-ns4/conf.d/autoconfig.shore.co.il.conf 0000664 0000000 0000000 00000001323 14331263461 0023261 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Mail autoconfig host, answering under both the shore.co.il and nehe.sr
# names. Content is www/autoconfig.shore.co.il (mail/config-v1.1.xml), baked
# into the image by the Dockerfile's `COPY www/`.
server {
    listen 80;
    listen [::]:80;
    server_name autoconfig.shore.co.il autoconfig.nehe.sr;
    root /var/www/autoconfig.shore.co.il/;
    include snippets/www-acme-challenge.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/robots-allow-all.conf;
    # NOTE(review): unlike most vhosts here there is no redirect-https.conf,
    # so the config is also served over plain HTTP -- presumably for mail
    # clients that probe http:// first; confirm that is intended.
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name autoconfig.shore.co.il autoconfig.nehe.sr;
    root /var/www/autoconfig.shore.co.il/;
    include snippets/robots-allow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    # Widest-compatibility TLS profile (TLSv1+), see snippets/ssl-legacy.conf.
    include snippets/ssl-legacy.conf;
}
web-proxy-docker-ns4/conf.d/default.conf 0000664 0000000 0000000 00000000673 14331263461 0020434 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Catch-all vhost (default_server on both ports) for any Host name that no
# other server block claims; everything is redirected to www.shore.co.il.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # ACME HTTP-01 challenges are still answered for names without a vhost of
    # their own, from the shared challenge directory.
    include snippets/www-acme-challenge.conf;
    location / { return 301 https://www.shore.co.il$request_uri; }
}
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    # Also the server used for TLS handshakes with an unknown SNI name, so
    # such clients are shown the site certificate from ssl-common.conf.
    include snippets/ssl-legacy.conf;
    location / { return 301 https://www.shore.co.il$request_uri; }
}
web-proxy-docker-ns4/conf.d/elasticsearch.shore.co.il.conf 0000664 0000000 0000000 00000001546 14331263461 0023744 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Reverse proxy for the `elasticsearch` container. The upstream name is a
# map variable so nginx looks it up through the Docker resolver in
# conf.d/global.conf at request time instead of once at start-up.
map $host $es { default elasticsearch; }
server {
    listen 80;
    listen [::]:80;
    server_name elasticsearch.shore.co.il;
    include snippets/robots-disallow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/www-acme-challenge.conf;
    include snippets/redirect-https.conf;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name elasticsearch.shore.co.il;
    include snippets/robots-disallow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/ssl-modern.conf;
    location / {
        proxy_pass http://$es:9200$request_uri;
        proxy_http_version 1.1;
        # The source-address allow list (ns1, ns4, loopback and RFC 1918;
        # everything else denied) is the only access control in front of the
        # Elasticsearch API at this layer -- there is no auth_request on this
        # vhost. No proxy-headers.conf either, so ES sees the proxy as the
        # client.
        include snippets/allow-shore-ips.conf;
    }
}
web-proxy-docker-ns4/conf.d/global.conf 0000664 0000000 0000000 00000001105 14331263461 0020237 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# http-level settings shared by every vhost in conf.d/.
# The resolver for the Docker network.
resolver 127.0.0.11 valid=30s;
# NOTE(review): compressed responses that carry per-user secrets are exposed
# to compression side channels; the static and redirect content here is not
# affected, but keep this in mind when proxying dynamic apps.
gzip on;
tcp_nopush on;
tcp_nodelay on;
# Do not advertise the nginx version in Server: headers or error pages.
server_tokens off;
include snippets/common-headers.conf;
# Validate proxied SSL connections.
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
proxy_ssl_verify on;
# NOTE(review): snippets/proxy-ssl.conf repeats these settings with
# proxy_ssl_verify_depth 3; the differing depth looks accidental.
proxy_ssl_verify_depth 4;
# For proxying /validate on different hosts to Vouch.
map $host $vouch { default vouch; }
web-proxy-docker-ns4/conf.d/kibana.shore.co.il.conf 0000664 0000000 0000000 00000001574 14331263461 0022360 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Kibana behind Vouch Proxy single sign-on. `$kibana` is a map variable so the
# container name is resolved via the Docker resolver (conf.d/global.conf) at
# request time.
map $host $kibana { default kibana; }
server {
    listen 80;
    listen [::]:80;
    server_name kibana.shore.co.il;
    include snippets/robots-disallow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/www-acme-challenge.conf;
    include snippets/redirect-https.conf;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name kibana.shore.co.il;
    include snippets/robots-disallow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/ssl-modern.conf;
    # Server-level auth_request: every location, including / below, needs a
    # valid Vouch session; unauthenticated requests are bounced to the Vouch
    # login page by snippets/vouch.conf.
    include snippets/vouch.conf;
    location / {
        proxy_pass http://$kibana:5601$request_uri;
        proxy_http_version 1.1;
        include snippets/proxy-headers.conf;
        # NOTE(review): the identity captured by vouch.conf in
        # $auth_resp_x_vouch_user is not forwarded here; add a
        # proxy_set_header if Kibana is meant to see it.
    }
}
web-proxy-docker-ns4/conf.d/myip.shore.co.il.conf 0000664 0000000 0000000 00000001640 14331263461 0022103 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
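# Echo the client's address as plain text. Both the HTTP and HTTPS vhosts
# answer directly (no redirect) so the service works with a bare curl; any
# other path is routed back to "/" by error_page.
server {
    listen 80;
    listen [::]:80;
    server_name myip.shore.co.il;
    include snippets/robots-disallow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/www-acme-challenge.conf;
    error_page 404 /;
    location = / {
        # Label the `return` body via default_type/charset rather than an
        # add_header: an add_header at location level replaces, instead of
        # extending, the header set inherited from the server/http level
        # (snippets/common-headers.conf), and nginx would still emit its own
        # Content-Type next to the added one. This also makes the HTTP and
        # HTTPS responses consistent; the HTTP one previously had no type.
        default_type text/plain;
        charset utf-8;
        return 200 "$remote_addr";
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name myip.shore.co.il;
    include snippets/robots-disallow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/ssl-legacy.conf;
    error_page 404 /;
    location = / {
        # Same as above. Here it also keeps Strict-Transport-Security from
        # snippets/ssl-common.conf on the response; with a location-level
        # add_header that header was dropped, and "/" is the only page this
        # host serves, so HSTS was never sent for it.
        default_type text/plain;
        charset utf-8;
        return 200 "$remote_addr";
    }
}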
web-proxy-docker-ns4/conf.d/nehe.sr.conf 0000664 0000000 0000000 00000001341 14331263461 0020343 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Apex vhost for nehe.sr: ACME challenges, the Nextcloud and ActiveSync
# well-known/autodiscover paths, everything else redirected to www.nehe.sr.
server {
    listen 80;
    listen [::]:80;
    server_name nehe.sr;
    include snippets/robots-allow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/www-acme-challenge.conf;
    include snippets/redirect-www.conf;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name nehe.sr;
    include snippets/robots-allow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/ssl-legacy.conf;
    # caldav/carddav/webfinger -> nextcloud.shore.co.il (301s).
    include snippets/nextcloud-well-known.conf;
    # Autodiscover and Microsoft-Server-ActiveSync proxied to the Z-Push host.
    include snippets/activesync.conf;
    # Catch-all: prefix locations above win over this `location /`.
    include snippets/redirect-www.conf;
}
web-proxy-docker-ns4/conf.d/nehes.co.conf 0000664 0000000 0000000 00000001343 14331263461 0020505 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Apex vhost for nehes.co; mirrors conf.d/nehe.sr.conf (well-known paths,
# ActiveSync, redirect to www).
server {
    listen 80;
    listen [::]:80;
    server_name nehes.co;
    include snippets/robots-allow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/www-acme-challenge.conf;
    include snippets/redirect-www.conf;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name nehes.co;
    include snippets/robots-allow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/ssl-legacy.conf;
    # caldav/carddav/webfinger -> nextcloud.shore.co.il (301s).
    include snippets/nextcloud-well-known.conf;
    # Autodiscover and Microsoft-Server-ActiveSync proxied to the Z-Push host.
    include snippets/activesync.conf;
    # Catch-all: prefix locations above win over this `location /`.
    include snippets/redirect-www.conf;
}
web-proxy-docker-ns4/conf.d/registry.shore.co.il.conf 0000664 0000000 0000000 00000002313 14331263461 0022773 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Docker registry vhost: the /v2/ API goes to the `registry` container, every
# other path to the `reg` web front-end. Both upstream names are map variables
# so they are resolved through the Docker resolver (conf.d/global.conf) at
# request time.
map $host $registry { default registry; }
map $host $registry_fe { default reg; }
server {
    listen 80;
    listen [::]:80;
    server_name registry.shore.co.il;
    include snippets/www-acme-challenge.conf;
    include snippets/redirect-https.conf;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name registry.shore.co.il;
    include snippets/ssl-modern.conf;
    location /v2/ {
        proxy_pass http://$registry:5000$request_uri;
        proxy_http_version 1.1;
        include snippets/proxy-headers.conf;
        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;
        # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
        chunked_transfer_encoding on;
        # Pulls (GET/HEAD/OPTIONS) are open to anyone; pushes and deletes are
        # restricted by source address to ns4 and the private ranges (deny
        # all otherwise). There is no token/basic auth at this layer, so write
        # access rests entirely on this allow list.
        limit_except GET HEAD OPTIONS {
            include snippets/allow-ns4.conf;
            include snippets/allow-private-ips.conf;
        }
    }
    location / {
        proxy_pass http://$registry_fe:8080$request_uri;
        proxy_http_version 1.1;
        include snippets/proxy-headers.conf;
    }
}
web-proxy-docker-ns4/conf.d/shore.co.il.conf 0000664 0000000 0000000 00000001717 14331263461 0021133 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Apex vhost for shore.co.il: "/" goes to the blog, well-known paths to
# Nextcloud/Matrix, ActiveSync to Z-Push, everything else to www.
# NOTE(review): $z_push is not referenced in this file or in
# snippets/activesync.conf (which proxies to zpush.shore.co.il by name), so
# this map looks unused.
map $host $z_push { default z-push; }
server {
    listen 80;
    listen [::]:80;
    server_name shore.co.il;
    include snippets/robots-allow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/www-acme-challenge.conf;
    include snippets/redirect-www.conf;
    location = / { return 301 https://www.shore.co.il/blog/; }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name shore.co.il;
    include snippets/robots-allow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/ssl-legacy.conf;
    include snippets/nextcloud-well-known.conf;
    include snippets/activesync.conf;
    include snippets/redirect-www.conf;
    # Matrix server delegation to matrix.shore.co.il (only on the apex).
    include snippets/matrix-well-known.conf;
    location = / { return 301 https://www.shore.co.il/blog/; }
}
web-proxy-docker-ns4/conf.d/status.conf 0000664 0000000 0000000 00000000272 14331263461 0020326 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# stub_status endpoint used by the Dockerfile HEALTHCHECK (curl with
# "Host: status" against http://localhost/). Plain HTTP only; the allow list
# below (loopback and private ranges, then deny all) applies to the whole
# server block.
server {
    listen 80;
    listen [::]:80;
    server_name status;
    location = / { stub_status; }
    include snippets/allow-private-ips.conf;
}
web-proxy-docker-ns4/conf.d/www.nehe.sr.conf 0000664 0000000 0000000 00000001453 14331263461 0021172 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Static site for www.nehe.sr, served from /var/www/www.nehe.sr (bind-mounted
# read-only from the host, see docker-compose.yml).
server {
    listen 80;
    listen [::]:80;
    server_name www.nehe.sr;
    include snippets/robots-allow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/www-acme-challenge.conf;
    include snippets/redirect-https.conf;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.nehe.sr;
    include snippets/robots-allow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/ssl-legacy.conf;
    root /var/www/www.nehe.sr/;
    error_page 404 /404.html;
}
web-proxy-docker-ns4/conf.d/www.nehes.co.conf 0000664 0000000 0000000 00000001455 14331263461 0021334 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# www.nehes.co serves the same tree as www.nehe.sr (root below points at
# /var/www/www.nehe.sr, the only site directory mounted in docker-compose.yml),
# so the two names are one site.
server {
    listen 80;
    listen [::]:80;
    server_name www.nehes.co;
    include snippets/robots-allow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/www-acme-challenge.conf;
    include snippets/redirect-https.conf;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.nehes.co;
    include snippets/robots-allow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/ssl-legacy.conf;
    root /var/www/www.nehe.sr/;
    error_page 404 /404.html;
}
web-proxy-docker-ns4/conf.d/www.shore.co.il.conf 0000664 0000000 0000000 00000003434 14331263461 0021754 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Main site. Static content under /var/www/www.shore.co.il; the blog and
# resume directories are bind-mounted read-only from the host
# (docker-compose.yml).
server {
    listen 80;
    listen [::]:80;
    server_name www.shore.co.il;
    include snippets/robots-allow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/www-acme-challenge.conf;
    location = / { return 301 https://$host/blog/; }
    # /repo/ is served over plain HTTP too (not redirected) with a directory
    # listing -- presumably for package clients fetching over http; confirm.
    location /repo/ {
        root /var/www/www.shore.co.il/;
        autoindex on;
    }
    include snippets/redirect-https.conf;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.shore.co.il;
    include snippets/robots-allow-all.conf;
    include snippets/ads-txt.conf;
    include snippets/security-txt.conf;
    include snippets/ssl-legacy.conf;
    root /var/www/www.shore.co.il/;
    # Unknown paths are re-routed internally to "/".
    error_page 404 /;
    location /repo/ { autoindex on; }
    location = /resume { try_files $uri /resume/resume.html; }
    location = /resume/ { index resume.html; }
    location = / { return 301 https://$host/blog/; }
    # Legacy URLs kept as redirects into the blog.
    location /about { return 301 https://$host/blog/pages/about-me.html; }
    location /spam { return 301 https://$host/blog/pages/spam.html; }
    location = /blog {
        try_files $uri /blog/index.html;
        charset UTF-8;
    }
    # Old cgit/git paths now point at the GitLab instance. The "/cgit/" and
    # "/git/" entries are redundant with the "/cgit" and "/git" prefixes (a
    # prefix location already matches the trailing-slash form).
    location /cgit { return 301 https://git.shore.co.il/explore; }
    location /cgit/ { return 301 https://git.shore.co.il/explore; }
    location /git { return 301 https://git.shore.co.il/explore; }
    location /git/ { return 301 https://git.shore.co.il/explore; }
}
web-proxy-docker-ns4/docker-compose.yml 0000664 0000000 0000000 00000003407 14331263461 0020425 0 ustar 00root root 0000000 0000000 ---
version: "3.5"

services:
  # nginx front proxy built from ./Dockerfile; it owns ports 80/443 on the
  # host. TLS material and site content are bind-mounted read-only from the
  # host, so the self-signed pair created at image build time only exists to
  # satisfy `nginx -t`.
  proxy:
    build:
      context: ./
    # command: ["nginx", "-g", "daemon off;"]
    hostname: &hostname www.shore.co.il
    networks:
      default:
        # Names under which other containers on the shared network can reach
        # this proxy's vhosts.
        aliases:
          - *hostname
          - autoconfig.shore.co.il
          - myip.shore.co.il
          - nehe.sr
          - registry.shore.co.il
          - www.nehe.sr
    ports:
      - "80:80"
      - "443:443"
    restart: always
    volumes:
      - "/var/www/www.shore.co.il/.well-known/acme-challenge:/var/www/www.shore.co.il/.well-known/acme-challenge:ro"
      - "/var/ssl/site.key:/var/ssl/site.key:ro"
      - "/var/ssl/site.crt:/var/ssl/site.crt:ro"
      - "/var/ssl/dhparams:/var/ssl/dhparams:ro"
      - "/var/www/www.nehe.sr:/var/www/www.nehe.sr:ro"
      - "/var/www/www.shore.co.il/blog:/var/www/www.shore.co.il/blog:ro"
      - "/var/www/www.shore.co.il/resume:/var/www/www.shore.co.il/resume:ro"

  # Vouch Proxy, the auth_request backend used by snippets/vouch.conf
  # (reached as http://vouch:9090 inside the network; no host port). The
  # public https://vouch.shore.co.il endpoint the login redirect uses is not
  # defined in this file. Secrets come from the environment of the compose
  # invocation rather than being stored here.
  vouch:
    environment:
      OAUTH_AUTH_URL: https://nextcloud.shore.co.il/apps/oauth2/authorize
      OAUTH_CALLBACK_URLS: https://vouch.shore.co.il/auth
      OAUTH_CLIENT_ID: "${VOUCH_OAUTH_CLIENT_ID}"
      # yamllint disable-line rule:line-length
      OAUTH_CLIENT_SECRET: "${VOUCH_OAUTH_CLIENT_SECRET}"  # pragma: allowlist secret
      OAUTH_PROVIDER: nextcloud
      # NOTE(review): "email.profile" is not a standard OIDC scope name; if
      # "openid,email,profile" was meant, confirm against the Nextcloud
      # OAuth2 app's expectations.
      OAUTH_SCOPES: "openid,email.profile"
      OAUTH_TOKEN_URL: https://nextcloud.shore.co.il/apps/oauth2/api/v1/token
      # yamllint disable-line rule:line-length
      OAUTH_USER_INFO_URL: https://nextcloud.shore.co.il/ocs/v2.php/cloud/user?format=json
      VOUCH_DOMAINS: shore.co.il
      VOUCH_JWT_MAXAGE: "10080"  # 1 week, in minutes.
      VOUCH_JWT_SECRET: "${VOUCH_JWT_SECRET}"  # pragma: allowlist secret
    image: quay.io/vouch/vouch-proxy:alpine-0.36.0
    restart: always

networks:
  default:
    name: shore
web-proxy-docker-ns4/snippets/ 0000775 0000000 0000000 00000000000 14331263461 0016631 5 ustar 00root root 0000000 0000000 web-proxy-docker-ns4/snippets/activesync.conf 0000664 0000000 0000000 00000001425 14331263461 0021652 0 ustar 00root root 0000000 0000000 location /AutoDiscover/ {
proxy_pass https://zpush.shore.co.il$request_uri;
include snippets/proxy-headers.conf;
include snippets/proxy-ssl.conf;
}
location /Autodiscover/ {
proxy_pass https://zpush.shore.co.il$request_uri;
include snippets/proxy-headers.conf;
include snippets/proxy-ssl.conf;
}
location /autodiscover/ {
proxy_pass https://zpush.shore.co.il$request_uri;
include snippets/proxy-headers.conf;
include snippets/proxy-ssl.conf;
}
location /Microsoft-Server-ActiveSync {
proxy_pass https://zpush.shore.co.il$request_uri;
include snippets/proxy-headers.conf;
include snippets/proxy-ssl.conf;
}
web-proxy-docker-ns4/snippets/ads-txt.conf 0000664 0000000 0000000 00000000412 14331263461 0021061 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
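# ads.txt (Authorized Digital Sellers) for every vhost including this snippet:
# plain HTTP is redirected to HTTPS, HTTPS returns the file. The `if` blocks
# only `return`, which is the safe use of `if` inside a location.
location = /ads.txt {
    # Typed via default_type/charset instead of `add_header Content-Type`:
    # an add_header at location level replaces the header set inherited from
    # the server/http level (HSTS from ssl-common.conf, the headers in
    # common-headers.conf), and nginx would still emit its own Content-Type
    # alongside the added one. default_type is not allowed inside `if`, so
    # both directives sit at location level; the 301 has its own type.
    default_type text/plain;
    charset utf-8;
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }
    if ($scheme = https) {
        return 200 "contact=webmaster@shore.co.il\n";
    }
}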
web-proxy-docker-ns4/snippets/allow-ns1.conf 0000664 0000000 0000000 00000000073 14331263461 0021315 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
allow 62.219.131.121; # ns1.shore.co.il
web-proxy-docker-ns4/snippets/allow-ns4.conf 0000664 0000000 0000000 00000000072 14331263461 0021317 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
allow 163.172.74.36; # ns4.shore.co.il
web-proxy-docker-ns4/snippets/allow-private-ips.conf 0000664 0000000 0000000 00000000152 14331263461 0023055 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Allow loopback and the RFC 1918 ranges, deny everything else. allow/deny are
# evaluated in order with the first match winning, so this snippet must be
# the last allow-*.conf included in a context. 172.16.0.0/12 typically also
# covers Docker's bridge networks.
allow 127.0.0.0/8;
allow 10.0.0.0/8;
allow 192.168.0.0/16;
allow 172.16.0.0/12;
deny all;
web-proxy-docker-ns4/snippets/allow-shore-ips.conf 0000664 0000000 0000000 00000000173 14331263461 0022526 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Allow the ns1 and ns4 hosts plus loopback/private ranges; everything else is
# denied by the trailing `deny all` in allow-private-ips.conf, which is why
# that include must stay last.
include snippets/allow-ns1.conf;
include snippets/allow-ns4.conf;
include snippets/allow-private-ips.conf;
web-proxy-docker-ns4/snippets/common-headers.conf 0000664 0000000 0000000 00000000571 14331263461 0022404 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# add_headers are inherited from previous level if and only if there are no
# add_header directives defined on the current level. So any time there's an
# add_header directive there should be an `include snippets/common-headers.conf`
# directive as well.
# NOTE(review): the same rule applies to the add_header lines in
# snippets/ssl-common.conf (Strict-Transport-Security, Expect-CT): a location
# that sets its own add_header drops those as well, and this snippet does not
# restore them. For `return`ed text bodies prefer default_type/charset over
# `add_header Content-Type`, which sidesteps the problem.
# `always` makes this header appear on error responses too; without it (as
# for Permissions-Policy below) add_header only applies to success/redirect
# status codes.
add_header X-Frame-Options SAMEORIGIN always;
# Opt out of FLoC cohort calculation.
add_header Permissions-Policy interest-cohort=();
web-proxy-docker-ns4/snippets/ldap-auth.conf 0000664 0000000 0000000 00000000605 14331263461 0021360 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Generic auth_request gate against https://auth.shore.co.il/validate; include
# at server level like snippets/vouch.conf. Not referenced by any conf.d/
# vhost at present (kibana uses vouch.conf instead).
auth_request /validate;
location = /validate {
    proxy_pass https://auth.shore.co.il/validate;
    proxy_http_version 1.1;
    # Upstream certificate is verified (proxy-ssl.conf) and the name used for
    # SNI and verification is pinned to the auth host.
    include snippets/proxy-ssl.conf;
    proxy_ssl_name auth.shore.co.il;
    # Only reachable through auth_request, never directly by clients.
    internal;
    # The subrequest carries the request headers only; the body is dropped.
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    # NOTE(review): unlike vouch.conf there is no proxy-headers.conf include,
    # so the auth service does not get the original Host/X-Forwarded-* values;
    # confirm it does not need them.
}
web-proxy-docker-ns4/snippets/matrix-well-known.conf 0000664 0000000 0000000 00000000167 14331263461 0023103 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
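# Matrix server delegation: federation for the apex name is handled by
# matrix.shore.co.il:443. The body is JSON, so label it explicitly rather than
# leaving nginx's default_type for an extension-less path; default_type (unlike
# add_header) does not reset the header set inherited from the server level.
location = /.well-known/matrix/server {
    default_type application/json;
    return 200 "{\"m.server\": \"matrix.shore.co.il:443\"}";
}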
web-proxy-docker-ns4/snippets/nextcloud-well-known.conf 0000664 0000000 0000000 00000000461 14331263461 0023601 0 ustar 00root root 0000000 0000000 location /.well-known/caldav {
    # Nextcloud service discovery for the apex domains: CalDAV/CardDAV clients
    # and WebFinger lookups are redirected to the Nextcloud host.
    return 301 https://nextcloud.shore.co.il/remote.php/dav;
}
location /.well-known/carddav {
    return 301 https://nextcloud.shore.co.il/remote.php/dav;
}
location /.well-known/webfinger {
    # Query string of the original request is not carried over; Nextcloud's
    # public.php?service=webfinger is the documented target.
    return 301 https://nextcloud.shore.co.il/public.php?service=webfinger;
}
web-proxy-docker-ns4/snippets/proxy-headers.conf 0000664 0000000 0000000 00000000574 14331263461 0022300 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Headers for locations that proxy_pass to an application container, so the
# upstream learns the original host, scheme and client address.
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
# Appends $remote_addr to whatever X-Forwarded-For the client sent, so
# upstreams must only trust the last (proxy-added) entry.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# HSTS is set by this proxy (snippets/ssl-common.conf) and key pinning is not
# used; strip any such headers an upstream emits so they cannot conflict.
proxy_hide_header Strict-Transport-Security;
proxy_hide_header Public-Key-Pins;
proxy_hide_header Public-Key-Pins-Report-Only;
web-proxy-docker-ns4/snippets/proxy-ssl.conf 0000664 0000000 0000000 00000000307 14331263461 0021460 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# For locations that proxy_pass to an https:// upstream: verify its
# certificate against the system CA bundle and send SNI. Mirrors the
# http-level settings in conf.d/global.conf, except that global.conf uses
# proxy_ssl_verify_depth 4.
proxy_ssl_verify on;
proxy_ssl_verify_depth 3;
proxy_ssl_server_name on;
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
web-proxy-docker-ns4/snippets/redirect-https.conf 0000664 0000000 0000000 00000000110 14331263461 0022431 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
location / { return 301 https://$host$request_uri; }
web-proxy-docker-ns4/snippets/redirect-www.conf 0000664 0000000 0000000 00000000114 14331263461 0022117 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
location / { return 301 https://www.$host$request_uri; }
web-proxy-docker-ns4/snippets/robots-allow-all.conf 0000664 0000000 0000000 00000000221 14331263461 0022665 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
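# robots.txt permitting all crawlers, for the public vhosts. The body is typed
# via default_type/charset rather than `add_header Content-Type`: an
# add_header at location level replaces the inherited server/http-level header
# set (HSTS from ssl-common.conf, common-headers.conf), and nginx would still
# emit its own Content-Type next to the added one.
location = /robots.txt {
    default_type text/plain;
    charset utf-8;
    return 200 "User-agent: *\nDisallow:\n";
}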
web-proxy-docker-ns4/snippets/robots-disallow-all.conf 0000664 0000000 0000000 00000000223 14331263461 0023367 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
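# robots.txt excluding all crawlers, for the admin-facing vhosts. "Disallow: /"
# is the form defined by RFC 9309 (path patterns start with "/"); the previous
# "Disallow: *" only worked with parsers that accept a leading wildcard.
# Typed via default_type/charset rather than `add_header Content-Type` so the
# inherited server/http-level header set (HSTS, common-headers.conf) is kept.
location = /robots.txt {
    default_type text/plain;
    charset utf-8;
    return 200 "User-agent: *\nDisallow: /\n";
}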
web-proxy-docker-ns4/snippets/security-txt.conf 0000664 0000000 0000000 00000000534 14331263461 0022166 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
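# RFC 9116 security.txt: plain HTTP is redirected (the file must be served
# over HTTPS), HTTPS returns the contact and key-location fields.
# NOTE(review): RFC 9116 also requires an `Expires:` field and recommends a
# detached signature; neither is present, so strict consumers may reject the
# file. Add an Expires line with the intended date when next revising it.
location = /.well-known/security.txt {
    # default_type/charset instead of `add_header Content-Type`: a
    # location-level add_header replaces the inherited header set (HSTS from
    # ssl-common.conf, common-headers.conf). default_type is not allowed
    # inside `if`, so both sit at location level; the 301 has its own type.
    default_type text/plain;
    charset utf-8;
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }
    if ($scheme = https) {
        return 200 "Contact: mailto:security@shore.co.il\nEncryption: https://www.shore.co.il/blog/static/nimrod.asc";
    }
}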
web-proxy-docker-ns4/snippets/ssl-common.conf 0000664 0000000 0000000 00000001206 14331263461 0021566 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# TLS settings shared by ssl-legacy.conf and ssl-modern.conf (server level).
# HSTS with preload; includeSubDomains covers every sub-domain of the names
# that use this snippet, so it is set once here rather than per vhost.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
# NOTE(review): Expect-CT is effectively obsolete (no longer acted on by
# current browsers); harmless, but it could be dropped.
add_header Expect-CT "max-age=86400, enforce, report-uri=\"https://www.shore.co.il/about\"";
# Re-included because the add_header lines above would otherwise replace the
# http-level set from conf.d/global.conf.
include snippets/common-headers.conf;
# Bind-mounted from the host (docker-compose.yml); the image only carries the
# self-signed placeholder generated in the Dockerfile.
ssl_certificate /var/ssl/site.crt;
ssl_certificate_key /var/ssl/site.key;
ssl_dhparam /var/ssl/dhparams;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
# OCSP stapling, verified against the ISRG OCSP root fetched in the Dockerfile.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ocsp.pem;
web-proxy-docker-ns4/snippets/ssl-legacy.conf 0000664 0000000 0000000 00000000412 14331263461 0021540 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Widest-compatibility TLS profile: still offers TLSv1/TLSv1.1 (deprecated by
# RFC 8996) and SHA1/AES128 suites for old clients. Used by the public vhosts
# and the catch-all default server; the admin-facing vhosts (elasticsearch,
# kibana, registry) use ssl-modern.conf. NOTE(review): revisit whether any
# client still needs anything below TLSv1.2.
include snippets/ssl-common.conf;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers !AESCCM:!kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:ECDH+CHACHA20:AES256+ECDH:AES128:CHACHA20:+SHA1;
web-proxy-docker-ns4/snippets/ssl-modern.conf 0000664 0000000 0000000 00000000302 14331263461 0021556 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Strict TLS profile: TLSv1.2+ only, no 128-bit, SHA1 or RSA-key-exchange
# suites. Used by the elasticsearch, kibana and registry vhosts.
include snippets/ssl-common.conf;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!NULL:!AES128:!ARIA128:!CAMELLIA:!SHA1:!kRSA;
web-proxy-docker-ns4/snippets/upgrade-secure.conf 0000664 0000000 0000000 00000000143 14331263461 0022411 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
if ($http_Upgrade-Insecure-Requests = 1) { return 301 https://$host$request_uri; }
web-proxy-docker-ns4/snippets/vouch.conf 0000664 0000000 0000000 00000002440 14331263461 0020624 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Vouch Proxy integration; include at server level so auth_request covers
# every location of the vhost. `$vouch` is the map variable from
# conf.d/global.conf (the `vouch` container, resolved via the Docker resolver).
# send all requests to the `/validate` endpoint for authorization
auth_request /validate;
location = /validate {
    # forward the /validate request to Vouch Proxy
    proxy_pass http://$vouch:9090/validate;
    proxy_http_version 1.1;
    # only reachable via auth_request, never directly by clients
    internal;
    include snippets/proxy-headers.conf;
    # Vouch Proxy only acts on the request headers
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    # optionally add X-Vouch-User as returned by Vouch Proxy along with the request
    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
    # these return values are used by the @error401 call
    auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
    auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
    auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
}
# if validate returns `401 not authorized` then forward the request to the error401block
error_page 401 = @error401;
location @error401 {
    # redirect to Vouch Proxy for login
    # NOTE(review): the return URL is built from $http_host, i.e. the Host
    # header as the client sent it (may include a port); every vhost that
    # includes this snippet has a single exact server_name, so $host would
    # pin it to that name. The JWT and error text travel in the query string,
    # so they land in the access logs of vouch.shore.co.il -- expected for
    # this flow, but worth knowing when handling those logs.
    return 302 https://vouch.shore.co.il/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
}
web-proxy-docker-ns4/snippets/websockets.conf 0000664 0000000 0000000 00000000201 14331263461 0021642 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
# Drop-in for locations that proxy WebSocket upstreams: forwards the Upgrade
# handshake and keeps idle proxied connections open for 10 hours. Connection
# is forced to "Upgrade" unconditionally, so only include it in locations that
# are WebSocket-only. Not referenced by any conf.d/ vhost at present.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 36000s;
web-proxy-docker-ns4/snippets/www-acme-challenge.conf 0000664 0000000 0000000 00000000131 14331263461 0023142 0 ustar 00root root 0000000 0000000 # vim: ft=nginx
location /.well-known/acme-challenge/ { root /var/www/www.shore.co.il; }
web-proxy-docker-ns4/www/ 0000775 0000000 0000000 00000000000 14331263461 0015610 5 ustar 00root root 0000000 0000000 web-proxy-docker-ns4/www/.gitkeep 0000664 0000000 0000000 00000000000 14331263461 0017227 0 ustar 00root root 0000000 0000000 web-proxy-docker-ns4/www/autoconfig.shore.co.il/ 0000775 0000000 0000000 00000000000 14331263461 0022070 5 ustar 00root root 0000000 0000000 web-proxy-docker-ns4/www/autoconfig.shore.co.il/mail/ 0000775 0000000 0000000 00000000000 14331263461 0023012 5 ustar 00root root 0000000 0000000 web-proxy-docker-ns4/www/autoconfig.shore.co.il/mail/config-v1.1.xml 0000664 0000000 0000000 00000002721 14331263461 0025466 0 ustar 00root root 0000000 0000000
shore.co.il
Shore technologies
Shore
imap.shore.co.il
993
SSL
password-cleartext
%EMAILLOCALPART%
smtp.shore.co.il
587
STARTTLS
password-cleartext
%EMAILLOCALPART%
nehe.sr
Nehes Realestate
Nehes
imap.shore.co.il
993
SSL
password-cleartext
%EMAILLOCALPART%
smtp.shore.co.il
587
STARTTLS
password-cleartext
%EMAILLOCALPART%
web-proxy-docker-ns4/www/www.shore.co.il/ 0000775 0000000 0000000 00000000000 14331263461 0020556 5 ustar 00root root 0000000 0000000 web-proxy-docker-ns4/www/www.shore.co.il/google88c23a5c89fa3cb3.html 0000664 0000000 0000000 00000000066 14331263461 0025146 0 ustar 00root root 0000000 0000000 google-site-verification: google88c23a5c89fa3cb3.html