diff --git a/Dockerfile b/Dockerfile
index 306914c77ea0f9ed5214e2ef0b45b1afe20cb349..d9b29f4df153b9ae4d62b10feb7c14942ddc1b1c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,5 @@
 FROM nginx:1.20.0-alpine
+ARG TRANSMISSION
 # hadolint ignore=DL3018
 RUN rm -rf /etc/nginx/conf./* && \
 chmod 777 /run && \
@@ -15,12 +16,20 @@ RUN rm -rf /etc/nginx/conf./* && \
 -keyout /var/ssl/site.key \
 -nodes \
 -out /var/ssl/site.crt \
- -batch && \
+ -days 2 \
+ -subj "/C=US/ST=IL/L=None/O=None/OU=None/CN=localhost/" && \
+ cp /var/ssl/site.crt /var/ssl/mail.crt && \
+ cp /var/ssl/site.key /var/ssl/mail.key && \
 setcap CAP_NET_BIND_SERVICE=+ep "$(command -v nginx)" && \
- chown nginx /var/ssl/site.*
+ chown nginx /var/ssl/site.* /var/ssl/mail.*
 COPY www/ /var/www/
 COPY conf.d/ /etc/nginx/conf.d/
 COPY snippets/ /etc/nginx/snippets/
+# Another option would be to copy the file to the template directory and have
+# the environment variable substitution happen in runtime, but that way would
+# miss checking the syntax during the build process.
+# hadolint ignore=SC2097,SC2098
+RUN TRANSMISSION=$TRANSMISSION sed -i "s/TRANSMISSION/$TRANSMISSION/" /etc/nginx/conf.d/www.shore.co.il.conf
 USER nginx
 RUN nginx -t
 HEALTHCHECK CMD curl --fail --verbose --user-agent 'Docker health check' --header "Host: status" http://localhost/ || exit 1
diff --git a/README.md b/README.md
index ec8bb8ecee29b3949e0e57b55abec3dee598e02e..cefa36008036a4f56ade0f559459f53fe0f4de34 100644
--- a/README.md
+++ b/README.md
@@ -4,11 +4,6 @@
 > Web proxy Dockerized setup.
-## Branches
-
-The `master` branch doesn't have any configuration in it. The `ns4` and `host01`
-branches have configuration for those hoss.
-
 ## License
 This software is licensed under the MIT license (see `LICENSE.txt`).
diff --git a/conf.d/git.shore.co.il.conf b/conf.d/git.shore.co.il.conf
new file mode 100644
index 0000000000000000000000000000000000000000..65989ac3b029e156165587006b48e5382be24c8e
--- /dev/null
+++ b/conf.d/git.shore.co.il.conf
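Review bot: The build argument is interpolated unescaped into the sed expression in the new `RUN TRANSMISSION=$TRANSMISSION sed -i "s/TRANSMISSION/$TRANSMISSION/" …` line, so an empty value silently yields `location //` in www.shore.co.il.conf and a value containing `/`, `&` or `\` breaks or alters the substitution, and the later `nginx -t` catches none of that. A guard such as `RUN test -n "$TRANSMISSION" && sed -i "s|TRANSMISSION|$TRANSMISSION|" /etc/nginx/conf.d/www.shore.co.il.conf` (with a delimiter that cannot occur in a URL path) fails the build instead, and the `TRANSMISSION=$TRANSMISSION` prefix is redundant once `ARG TRANSMISSION` is declared, which is what the hadolint SC2097/SC2098 ignore is papering over. Note also that build-arg values used in `RUN` steps are recorded in the image metadata (`docker history`), so if the path prefix is meant to be non-guessable the image must be treated as revealing it. The `-days 2` self-signed certificate appears to be a build-time placeholder that the bind-mounted `/var/ssl/*` files replace at runtime; a one-line comment saying so would stop a reader mistaking it for the served certificate.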
@@ -0,0 +1,30 @@
+map $host $git { default gitlab; }
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name git.shore.co.il;
+ include snippets/robots-allow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/www-acme-challenge.conf;
+ include snippets/redirect-https.conf;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name git.shore.co.il;
+ include snippets/robots-allow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/ssl.conf;
+
+ location / {
+ proxy_pass http://$git$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ proxy_set_header X-Forwarded-Ssl on;
+ client_max_body_size 512m;
+ }
+}
diff --git a/conf.d/mail.shore.co.il.conf b/conf.d/mail.shore.co.il.conf
new file mode 100644
index 0000000000000000000000000000000000000000..40bc1739fd1934f568f5db6d8f0303769808445a
--- /dev/null
+++ b/conf.d/mail.shore.co.il.conf
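Review bot: The `map $host $git { default gitlab; }` indirection feeding the variable `proxy_pass http://$git$request_uri;` is undocumented; presumably it exists so that `gitlab` is resolved per request (letting nginx start even when the upstream container is absent), which also means a `resolver` directive must be defined somewhere not visible in this diff — worth confirming, since without one the failure surfaces at request time rather than under `nginx -t`. A comment above the map such as `# map indirection defers upstream DNS lookup to request time; needs a resolver directive` would capture that. The same pattern recurs in nextcloud.shore.co.il.conf, shore.co.il.conf and www.shore.co.il.conf in this change.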
@@ -0,0 +1,34 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name imap.shore.co.il smtp.shore.co.il mta-sts.shore.co.il;
+ root /var/www/mail.shore.co.il/;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name mta-sts.shore.co.il;
+ root /var/www/mail.shore.co.il/;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+
+ # Copied from snippetes/ssl.conf.
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ add_header Expect-CT "max-age=86400, enforce, report-uri=\"https://www.shore.co.il/about\"";
+ include snippets/common-headers.conf;
+ ssl_certificate /var/ssl/mail.crt;
+ ssl_certificate_key /var/ssl/mail.key;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_ciphers !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 5m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/ocsp.pem;
+}
diff --git a/conf.d/nextcloud.shore.co.il.conf b/conf.d/nextcloud.shore.co.il.conf
new file mode 100644
index 0000000000000000000000000000000000000000..f138c70342c162f215538ff074cc3fbe1f0e5ac2
--- /dev/null
+++ b/conf.d/nextcloud.shore.co.il.conf
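Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` keeps the deprecated TLS 1.0 and 1.1 enabled on the mta-sts.shore.co.il policy host, and the trailing `+SHA1` in `ssl_ciphers` admits SHA-1 MAC suites; MTA-STS policy fetchers are modern HTTPS clients, so `ssl_protocols TLSv1.2 TLSv1.3;` is the safer setting here (and in snippets/ssl.conf it was copied from, if that file is identical). The block is a verbatim copy of ssl.conf with only the certificate paths changed, so the two will drift; if nginx's duplicate-directive handling is what prevents including ssl.conf and overriding `ssl_certificate`, the certificate-independent directives could move into a shared snippet that both include. `Expect-CT` is deprecated and no longer acted on by current browsers, so it can be dropped when the block is next touched, and the comment misspells the directory (`snippetes`).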
@@ -0,0 +1,31 @@
+map $host $nextcloud { default nextcloud; }
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name nextcloud.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/www-acme-challenge.conf;
+ include snippets/redirect-https.conf;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name nextcloud.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/ssl.conf;
+ include snippets/nextcloud-well-known.conf;
+
+ location / {
+ proxy_pass http://$nextcloud$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ proxy_hide_header X-Frame-Options;
+ client_max_body_size 512m;
+ }
+}
diff --git a/conf.d/shore.co.il.conf b/conf.d/shore.co.il.conf
new file mode 100644
index 0000000000000000000000000000000000000000..48c587ef37038cc60f7b7656766f38bdf6c9d747
--- /dev/null
+++ b/conf.d/shore.co.il.conf
@@ -0,0 +1,31 @@
+map $host $z_push { default z-push; }
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name shore.co.il;
+ include snippets/robots-allow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ location = / { return 301 https://$host/blog/; }
+ location /repo/ {
+ root /var/www/www.shore.co.il/;
+ autoindex on;
+ }
+ include snippets/redirect-https.conf;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name shore.co.il;
+ include snippets/robots-allow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/ssl.conf;
+ include snippets/nextcloud-well-known.conf;
+ include snippets/z-push.conf;
+
+ location = / { return 301 https://www.shore.co.il/blog/; }
+ location / { return 301 https://www.shore.co.il$request_uri; }
+}
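Review bot: `proxy_hide_header X-Frame-Options;` strips Nextcloud's own clickjacking protection from every proxied response, and nothing visible in this server block adds a replacement; whether the included snippets/ssl.conf (or a snippet it pulls in) sets `X-Frame-Options` or a `frame-ancestors` CSP cannot be confirmed from this diff. If the intent is for the proxy to own that header, a comment naming the snippet that supplies it would make the decision auditable, e.g. `# X-Frame-Options comes from the proxy's common headers; hide the backend copy to avoid duplicates` — adjusted to whatever actually holds; if no snippet sets it, the directive removes the only such protection.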
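Review bot: In the port-80 server, `location /repo/ { root …; autoindex on; }` is placed ahead of `include snippets/redirect-https.conf;`, so the repository listing is deliberately served in cleartext while everything else redirects; that exception deserves a comment such as `# /repo/ stays reachable over plain HTTP on purpose; integrity of its contents rests on their own signatures` (assuming this is a package repository), because a reader would otherwise expect the redirect snippet to cover it. The same `/repo/` block is duplicated in the port-80 server of www.shore.co.il.conf, which uses an inline `location / { return 301 … }` instead of the snippet; a shared snippet would keep the two servers from drifting.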
diff --git a/conf.d/www.shore.co.il.conf b/conf.d/www.shore.co.il.conf
new file mode 100644
index 0000000000000000000000000000000000000000..7200f5ae04bb3b63278417c3366531e904940ee3
--- /dev/null
+++ b/conf.d/www.shore.co.il.conf
@@ -0,0 +1,73 @@
+map $host $lam { default ldap-account-manager; }
+map $host $kodi { default kodi.shore.co.il; }
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name www.shore.co.il;
+ include snippets/robots-allow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ location = / { return 301 https://$host/blog/; }
+ location /repo/ {
+ root /var/www/www.shore.co.il/;
+ autoindex on;
+ }
+ location / { return 301 https://$host$request_uri; }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name www.shore.co.il;
+ include snippets/robots-allow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/ssl.conf;
+ root /var/www/www.shore.co.il/;
+ error_page 404 /;
+
+ location /repo/ { autoindex on; }
+ location = /resume { try_files $uri /resume/resume.html; }
+ location = /resume/ { index resume.html; }
+
+ location = / { return 301 https://$host/blog/; }
+ location /about { return 301 https://$host/blog/pages/about-me.html; }
+ location /spam { return 301 https://$host/blog/pages/spam.html; }
+ location = /blog {
+ try_files $uri /blog/index.html;
+ charset UTF-8;
+ }
+
+ location /cgit { return 301 https://git.shore.co.il/explore; }
+ location /cgit/ { return 301 https://git.shore.co.il/explore; }
+ location /git { return 301 https://git.shore.co.il/explore; }
+ location /git/ { return 301 https://git.shore.co.il/explore; }
+
+ location /lam {
+ proxy_pass http://$lam$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ include snippets/allow-private-ips.conf;
+ }
+
+ location /jellyfin { return 302 $scheme://$host/jellyfin/; }
+ location /jellyfin/ {
+ proxy_pass http://$kodi:8096/jellyfin/;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ include snippets/common-headers.conf;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+
+ # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+ proxy_buffering off;
+ }
+
+ location /TRANSMISSION/ {
+ proxy_pass http://kodi.shore.co.il:9091/;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ }
+}
diff --git a/docker-compose.yml b/docker-compose.yml
index a38aa2db2d4d138aafc5d600f49799887c083192..d801a62f511a0277e781f958ca0e4c7342931aad 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,21 +3,30 @@ version: '3.5' services: proxy: build: + args: + TRANSMISSION: "${TRANSMISSION}" context: ./ # command: ["nginx", "-g", "daemon off;"] - hostname: &hostname shore.co.il + hostname: &hostname www.shore.co.il networks: default: aliases: - *hostname + - nextcloud.shore.co.il + - git.shore.co.il ports: - '80:80' - '443:443' restart: always volumes: - '/var/www/www.shore.co.il/.well-known/acme-challenge:/var/www/www.shore.co.il/.well-known/acme-challenge:ro' + - '/var/www/mail.shore.co.il/.well-known/acme-challenge:/var/www/mail.shore.co.il/.well-known/acme-challenge:ro' + - '/var/www/www.shore.co.il/blog:/var/www/www.shore.co.il/blog:ro' + - '/var/www/www.shore.co.il/resume:/var/www/www.shore.co.il/resume:ro' - '/var/ssl/site.key:/var/ssl/site.key:ro' - '/var/ssl/site.crt:/var/ssl/site.crt:ro' + - '/var/ssl/mail.key:/var/ssl/mail.key:ro' + - '/var/ssl/mail.crt:/var/ssl/mail.crt:ro' - '/var/ssl/dhparams:/var/ssl/dhparams:ro' vouch:
diff --git a/snippets/nextcloud-well-known.conf b/snippets/nextcloud-well-known.conf
new file mode 100644
index 0000000000000000000000000000000000000000..f615565196d8cdaf782f460030ec1514fa4c232a
--- /dev/null
+++ b/snippets/nextcloud-well-known.conf
@@ -0,0 +1,11 @@
+location /.well-known/caldav {
+ return 301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+
+location /.well-known/carddav {
+ return 301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+
+location /.well-known/webfinger {
+ return 301 https://nextcloud.shore.co.il/public.php?service=webfinger;
+}
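Review bot: `location /TRANSMISSION/` proxies the Transmission web UI and RPC on kodi.shore.co.il:9091 with only `snippets/proxy-headers.conf`, whereas the comparable internal tool under `/lam` also carries `include snippets/allow-private-ips.conf;`; unless Transmission's own authentication is enabled (not visible here), the substituted path prefix is the only thing limiting who can reach a service that adds and controls downloads. Adding `include snippets/allow-private-ips.conf;` to that location, or a comment recording that Transmission authenticates on its own, would close or at least document the gap. The location also hard-codes `kodi.shore.co.il` rather than using the `$kodi` map that `/jellyfin/` uses, so it is resolved once at startup, unlike its sibling.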
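Review bot: `TRANSMISSION: "${TRANSMISSION}"` substitutes an empty string when the variable is unset in the environment or `.env` (Compose only prints a warning), and the Dockerfile's sed then bakes a broken `location //` into the image; `TRANSMISSION: "${TRANSMISSION:?TRANSMISSION must be set}"` makes the build fail loudly instead. Separately, the new `/var/ssl/mail.key` and `/var/ssl/mail.crt` bind mounts overlay the placeholder files the Dockerfile `chown nginx`'d, so the host files' own ownership and mode must allow the container's `nginx` user to read them; a short comment beside the volumes stating that requirement would save the next operator a permission-denied hunt. The enclosing `proxy:` service begins before this hunk and `vouch:` continues after it.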
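Review bot: `return 301 https://nextcloud.shore.co.il/public.php?service=webfinger;` discards the client's query string, yet WebFinger requests carry their mandatory `resource` parameter (and optional `rel`) there, so the redirected request arrives without it; unlike `rewrite`, `return` does not append the original arguments. Carrying them over explicitly, `return 301 https://nextcloud.shore.co.il/public.php?service=webfinger&$args;`, keeps the lookup intact (Nextcloud's own nginx example routes this path through `/index.php$request_uri`, if I recall it correctly, which is the other option). The caldav and carddav redirects do not need the query string and are fine as written.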
diff --git a/snippets/z-push.conf b/snippets/z-push.conf
new file mode 100644
index 0000000000000000000000000000000000000000..85a21d6b1f3a1ec8f2ee0c14e23ad8608663c46c
--- /dev/null
+++ b/snippets/z-push.conf
@@ -0,0 +1,19 @@
+location /AutoDiscover/ {
+ proxy_pass http://$z_push$request_uri;
+ include snippets/proxy-headers.conf;
+}
+
+location /Autodiscover/ {
+ proxy_pass http://$z_push$request_uri;
+ include snippets/proxy-headers.conf;
+}
+
+location /autodiscover/ {
+ proxy_pass http://$z_push$request_uri;
+ include snippets/proxy-headers.conf;
+}
+
+location /Microsoft-Server-ActiveSync {
+ proxy_pass http://$z_push$request_uri;
+ include snippets/proxy-headers.conf;
+}
diff --git a/www/mail.shore.co.il/.well-known/mta-sts.txt b/www/mail.shore.co.il/.well-known/mta-sts.txt
new file mode 100644
index 0000000000000000000000000000000000000000..d81ad3bd1d3e08fc496eb36c44c38c3605ced45a
--- /dev/null
+++ b/www/mail.shore.co.il/.well-known/mta-sts.txt
@@ -0,0 +1,4 @@
+version: STSv1
+mode: testing
+mx: smtp.shore.co.il
+max_age: 86400
diff --git a/www/www.shore.co.il/google88c23a5c89fa3cb3.html b/www/www.shore.co.il/google88c23a5c89fa3cb3.html
new file mode 100644
index 0000000000000000000000000000000000000000..ceace0b5e9d1937c18b05816d6ec871e20bb5afa
--- /dev/null
+++ b/www/www.shore.co.il/google88c23a5c89fa3cb3.html
@@ -0,0 +1 @@
+google-site-verification: google88c23a5c89fa3cb3.html
\ No newline at end of file
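Review bot: The four locations proxy to `$z_push` without `proxy_http_version`, a body-size limit or a read timeout, while the other proxied locations in this change set `proxy_http_version 1.1;` and, where uploads matter, `client_max_body_size`; ActiveSync requests are long-lived (the Ping/Sync heartbeat commonly outlasts nginx's 60 s default `proxy_read_timeout`) and can carry attachments, so the defaults are likely to cut both short. Setting `proxy_http_version 1.1;`, `proxy_read_timeout` and `client_max_body_size` once in this snippet would cover all four blocks. The snippet also silently depends on the `$z_push` map declared in conf.d/shore.co.il.conf; a leading comment `# Requires the $z_push map (declared in conf.d/shore.co.il.conf).` would make the coupling explicit for anyone including it elsewhere.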
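Review bot: `mode: testing` tells sending MTAs to report on, but not enforce, this policy (RFC 8461), so as committed it provides no transport protection for mail to smtp.shore.co.il until it is changed to `mode: enforce`; the file format allows no comment, so the intent to promote it once TLS reports look clean should be recorded in the README or a tracking issue. The policy is also served over plain HTTP by the port-80 server in conf.d/mail.shore.co.il.conf, which is harmless because policy fetchers use HTTPS only, but worth knowing when reading access logs.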