From f83660a9146d6b964a44ddedab209b38aeccc203 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Tue, 12 Jan 2021 15:13:07 +0200
Subject: [PATCH] Revert "A general master branch."

This reverts commit d4d485914fd18911fbe179570c78980ce59f5c50.

I'm reverting most of it but amending or mending a few things that I'm going to move to ns4.
---
 Dockerfile | 13 +++-
 README.md | 5 --
 conf.d/git.shore.co.il.conf | 30 ++++++++
 conf.d/mail.shore.co.il.conf | 34 +++++++++
 conf.d/nextcloud.shore.co.il.conf | 31 ++++++++
 conf.d/shore.co.il.conf | 31 ++++++++
 conf.d/www.shore.co.il.conf | 73 +++++++++++++++++++
 docker-compose.yml | 11 ++-
 snippets/nextcloud-well-known.conf | 11 +++
 snippets/z-push.conf | 19 +++++
 www/mail.shore.co.il/.well-known/mta-sts.txt | 4 +
 .../google88c23a5c89fa3cb3.html | 1 +
 12 files changed, 255 insertions(+), 8 deletions(-)
 create mode 100644 conf.d/git.shore.co.il.conf
 create mode 100644 conf.d/mail.shore.co.il.conf
 create mode 100644 conf.d/nextcloud.shore.co.il.conf
 create mode 100644 conf.d/shore.co.il.conf
 create mode 100644 conf.d/www.shore.co.il.conf
 create mode 100644 snippets/nextcloud-well-known.conf
 create mode 100644 snippets/z-push.conf
 create mode 100644 www/mail.shore.co.il/.well-known/mta-sts.txt
 create mode 100644 www/www.shore.co.il/google88c23a5c89fa3cb3.html
diff --git a/Dockerfile b/Dockerfile
index 306914c..d9b29f4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,5 @@
 FROM nginx:1.20.0-alpine
+ARG TRANSMISSION
 # hadolint ignore=DL3018
 RUN rm -rf /etc/nginx/conf./* && \
 chmod 777 /run && \
@@ -15,12 +16,20 @@ RUN rm -rf /etc/nginx/conf./* && \
 -keyout /var/ssl/site.key \
 -nodes \
 -out /var/ssl/site.crt \
- -batch && \
+ -days 2 \
+ -subj "/C=US/ST=IL/L=None/O=None/OU=None/CN=localhost/" && \
+ cp /var/ssl/site.crt /var/ssl/mail.crt && \
+ cp /var/ssl/site.key /var/ssl/mail.key && \
 setcap CAP_NET_BIND_SERVICE=+ep "$(command -v nginx)" && \
- chown nginx /var/ssl/site.*
+ chown nginx /var/ssl/site.* /var/ssl/mail.*
 COPY www/ /var/www/
 COPY conf.d/ /etc/nginx/conf.d/
 COPY snippets/ /etc/nginx/snippets/
+# Another option would be to copy the file to the template directory and have
+# the environment variable substitution happen in runtime, but that way would
+# miss checking the syntax during the build process.
+# hadolint ignore=SC2097,SC2098
+RUN TRANSMISSION=$TRANSMISSION sed -i "s/TRANSMISSION/$TRANSMISSION/" /etc/nginx/conf.d/www.shore.co.il.conf
 USER nginx
 RUN nginx -t
 HEALTHCHECK CMD curl --fail --verbose --user-agent 'Docker health check' --header "Host: status" http://localhost/ || exit 1
diff --git a/README.md b/README.md
index ec8bb8e..cefa360 100644
--- a/README.md
+++ b/README.md
@@ -4,11 +4,6 @@ > Web proxy Dockerized setup. -## Branches - -The `master` branch doesn't have any configuration in it. The `ns4` and `host01` -branches have configuration for those hoss. - ## License This software is licensed under the MIT license (see `LICENSE.txt`).
diff --git a/conf.d/git.shore.co.il.conf b/conf.d/git.shore.co.il.conf
new file mode 100644
index 0000000..65989ac
--- /dev/null
+++ b/conf.d/git.shore.co.il.conf
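Review bot: The new `RUN ... sed -i "s/TRANSMISSION/$TRANSMISSION/"` line does not check that the build arg was actually supplied: with `TRANSMISSION` empty, `location /TRANSMISSION/` in www.shore.co.il.conf collapses to `location //`, which the following `nginx -t` will most likely accept, so the Transmission proxy silently ends up at the wrong path. The value is also interpolated into the sed expression unescaped, so a value containing `/` or `&` breaks or alters the substitution. Since nothing visible in that location restricts access beyond the obscurity of the path, note that an `ARG` consumed by a `RUN` is recorded in the image history (`docker history`) and the substituted file sits in the image layer, so anyone who can pull the image learns the path. Suggest `RUN test -n "$TRANSMISSION" && sed -i "s|/TRANSMISSION/|/$TRANSMISSION/|" /etc/nginx/conf.d/www.shore.co.il.conf` so the build fails fast instead.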
@@ -0,0 +1,30 @@
+map $host $git { default gitlab; }
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name git.shore.co.il;
+ include snippets/robots-allow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/www-acme-challenge.conf;
+ include snippets/redirect-https.conf;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name git.shore.co.il;
+ include snippets/robots-allow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/ssl.conf;
+
+ location / {
+ proxy_pass http://$git$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ proxy_set_header X-Forwarded-Ssl on;
+ client_max_body_size 512m;
+ }
+}
diff --git a/conf.d/mail.shore.co.il.conf b/conf.d/mail.shore.co.il.conf
new file mode 100644
index 0000000..40bc173
--- /dev/null
+++ b/conf.d/mail.shore.co.il.conf
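Review bot: `proxy_pass http://$git$request_uri;` contains a variable, so nginx resolves `gitlab` per request rather than at startup, which only works if a `resolver` directive is in scope from the http block (not visible in this file); without one every request fails with a 502 "no resolver defined". If the point of the `map $host $git { default gitlab; }` indirection is to let nginx start while the GitLab container is down, say so where the map is declared, e.g. `# Indirection through a map defers DNS resolution to request time so nginx starts even if gitlab is not up; requires a resolver directive.` Passing the raw `$request_uri` also means nginx does no URI normalisation before forwarding, presumably wanted for Git smart-HTTP paths, and worth a word in the same comment.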
@@ -0,0 +1,34 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name imap.shore.co.il smtp.shore.co.il mta-sts.shore.co.il;
+ root /var/www/mail.shore.co.il/;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name mta-sts.shore.co.il;
+ root /var/www/mail.shore.co.il/;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+
+ # Copied from snippetes/ssl.conf.
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ add_header Expect-CT "max-age=86400, enforce, report-uri=\"https://www.shore.co.il/about\"";
+ include snippets/common-headers.conf;
+ ssl_certificate /var/ssl/mail.crt;
+ ssl_certificate_key /var/ssl/mail.key;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_ciphers !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 5m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/ocsp.pem;
+}
diff --git a/conf.d/nextcloud.shore.co.il.conf b/conf.d/nextcloud.shore.co.il.conf
new file mode 100644
index 0000000..f138c70
--- /dev/null
+++ b/conf.d/nextcloud.shore.co.il.conf
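Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` in the mta-sts.shore.co.il server enables TLS 1.0 and 1.1, which are deprecated (RFC 8996) and flagged by every TLS scanner; an MTA-STS policy host has no legacy-client constraint, since sending MTAs fetch the policy with current TLS libraries. Change it to `ssl_protocols TLSv1.2 TLSv1.3;`, and consider dropping the `+SHA1` suffix in `ssl_ciphers`, which only deprioritises the CBC/SHA-1 suites rather than disabling them. The block is annotated as copied from `snippets/ssl.conf`; if that snippet carries the same list the fix belongs there too, and the protocol/cipher/stapling lines should be factored into a shared snippet both server blocks include so the two copies do not drift.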
@@ -0,0 +1,31 @@
+map $host $nextcloud { default nextcloud; }
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name nextcloud.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/www-acme-challenge.conf;
+ include snippets/redirect-https.conf;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name nextcloud.shore.co.il;
+ include snippets/robots-disallow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/ssl.conf;
+ include snippets/nextcloud-well-known.conf;
+
+ location / {
+ proxy_pass http://$nextcloud$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ proxy_hide_header X-Frame-Options;
+ client_max_body_size 512m;
+ }
+}
diff --git a/conf.d/shore.co.il.conf b/conf.d/shore.co.il.conf
new file mode 100644
index 0000000..48c587e
--- /dev/null
+++ b/conf.d/shore.co.il.conf
@@ -0,0 +1,31 @@
+map $host $z_push { default z-push; }
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name shore.co.il;
+ include snippets/robots-allow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ location = / { return 301 https://$host/blog/; }
+ location /repo/ {
+ root /var/www/www.shore.co.il/;
+ autoindex on;
+ }
+ include snippets/redirect-https.conf;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name shore.co.il;
+ include snippets/robots-allow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/ssl.conf;
+ include snippets/nextcloud-well-known.conf;
+ include snippets/z-push.conf;
+
+ location = / { return 301 https://www.shore.co.il/blog/; }
+ location / { return 301 https://www.shore.co.il$request_uri; }
+}
diff --git a/conf.d/www.shore.co.il.conf b/conf.d/www.shore.co.il.conf
new file mode 100644
index 0000000..7200f5a
--- /dev/null
+++ b/conf.d/www.shore.co.il.conf
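Review bot: `proxy_hide_header X-Frame-Options;` in the nextcloud.shore.co.il `location /` strips the anti-clickjacking header Nextcloud sets itself, so unless `snippets/ssl.conf` or another included snippet (not visible here) re-adds `X-Frame-Options` or a `Content-Security-Policy` with `frame-ancestors` for this host, the Nextcloud UI can be framed from any origin. If nginx is meant to own that header, add `add_header X-Frame-Options SAMEORIGIN always;` at the server level next to the includes rather than inside the location, because an `add_header` inside a location suppresses the ones inherited from the server block; otherwise drop the `proxy_hide_header` line and let the application's value through. Either way, a one-line comment stating why the header is hidden would keep it from being reintroduced by accident.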
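Review bot: In the port-80 `shore.co.il` server, `location = / { return 301 https://$host/blog/; }` sends the client to `https://shore.co.il/blog/`, which the 443 block in the same file then redirects again to `https://www.shore.co.il/blog/`; pointing the first redirect straight at `https://www.shore.co.il/blog/`, as the 443 block already does, removes a round trip and keeps the two blocks consistent. The `/repo/` directory listing is left reachable over plain HTTP ahead of the `redirect-https` include, which looks deliberate for a package repository; a short comment such as `# /repo/ stays on plain HTTP on purpose: apt/yum clients fetch it without TLS.` would stop someone "fixing" it later, assuming that is indeed the reason.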
@@ -0,0 +1,73 @@
+map $host $lam { default ldap-account-manager; }
+map $host $kodi { default kodi.shore.co.il; }
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name www.shore.co.il;
+ include snippets/robots-allow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ location = / { return 301 https://$host/blog/; }
+ location /repo/ {
+ root /var/www/www.shore.co.il/;
+ autoindex on;
+ }
+ location / { return 301 https://$host$request_uri; }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name www.shore.co.il;
+ include snippets/robots-allow-all.conf;
+ include snippets/ads-txt.conf;
+ include snippets/security-txt.conf;
+ include snippets/ssl.conf;
+ root /var/www/www.shore.co.il/;
+ error_page 404 /;
+
+ location /repo/ { autoindex on; }
+ location = /resume { try_files $uri /resume/resume.html; }
+ location = /resume/ { index resume.html; }
+
+ location = / { return 301 https://$host/blog/; }
+ location /about { return 301 https://$host/blog/pages/about-me.html; }
+ location /spam { return 301 https://$host/blog/pages/spam.html; }
+ location = /blog {
+ try_files $uri /blog/index.html;
+ charset UTF-8;
+ }
+
+ location /cgit { return 301 https://git.shore.co.il/explore; }
+ location /cgit/ { return 301 https://git.shore.co.il/explore; }
+ location /git { return 301 https://git.shore.co.il/explore; }
+ location /git/ { return 301 https://git.shore.co.il/explore; }
+
+ location /lam {
+ proxy_pass http://$lam$request_uri;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ include snippets/allow-private-ips.conf;
+ }
+
+ location /jellyfin { return 302 $scheme://$host/jellyfin/; }
+ location /jellyfin/ {
+ proxy_pass http://$kodi:8096/jellyfin/;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ include snippets/common-headers.conf;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+
+ # Disable buffering when the nginx proxy gets very 
resource heavy upon streaming
+ proxy_buffering off;
+ }
+
+ location /TRANSMISSION/ {
+ proxy_pass http://kodi.shore.co.il:9091/;
+ proxy_http_version 1.1;
+ include snippets/proxy-headers.conf;
+ }
+}
diff --git a/docker-compose.yml b/docker-compose.yml
index a38aa2d..d801a62 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,21 +3,30 @@ version: '3.5'
 services:
 proxy:
 build:
+ args:
+ TRANSMISSION: "${TRANSMISSION}"
 context: ./
 # command: ["nginx", "-g", "daemon off;"]
- hostname: &hostname shore.co.il
+ hostname: &hostname www.shore.co.il
 networks:
 default:
 aliases:
 - *hostname
+ - nextcloud.shore.co.il
+ - git.shore.co.il
 ports:
 - '80:80'
 - '443:443'
 restart: always
 volumes:
 - '/var/www/www.shore.co.il/.well-known/acme-challenge:/var/www/www.shore.co.il/.well-known/acme-challenge:ro'
+ - '/var/www/mail.shore.co.il/.well-known/acme-challenge:/var/www/mail.shore.co.il/.well-known/acme-challenge:ro'
+ - '/var/www/www.shore.co.il/blog:/var/www/www.shore.co.il/blog:ro'
+ - '/var/www/www.shore.co.il/resume:/var/www/www.shore.co.il/resume:ro'
 - '/var/ssl/site.key:/var/ssl/site.key:ro'
 - '/var/ssl/site.crt:/var/ssl/site.crt:ro'
+ - '/var/ssl/mail.key:/var/ssl/mail.key:ro'
+ - '/var/ssl/mail.crt:/var/ssl/mail.crt:ro'
 - '/var/ssl/dhparams:/var/ssl/dhparams:ro'
 vouch:
diff --git a/snippets/nextcloud-well-known.conf b/snippets/nextcloud-well-known.conf
new file mode 100644
index 0000000..f615565
--- /dev/null
+++ b/snippets/nextcloud-well-known.conf
@@ -0,0 +1,11 @@
+location /.well-known/caldav {
+ return 301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+
+location /.well-known/carddav {
+ return 301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+
+location /.well-known/webfinger {
+ return 301 https://nextcloud.shore.co.il/public.php?service=webfinger;
+}
diff --git a/snippets/z-push.conf b/snippets/z-push.conf
new file mode 100644
index 0000000..85a21d6
--- /dev/null
+++ b/snippets/z-push.conf
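Review bot: `location /TRANSMISSION/` hard-codes `proxy_pass http://kodi.shore.co.il:9091/;` while the `/jellyfin/` block just above reaches the same host through the `$kodi` map; `proxy_pass http://$kodi:9091/;` keeps the two consistent and gives the Transmission upstream the same deferred-resolution behaviour. More importantly, nothing in this location restricts who can reach it, the only protection visible being that the path is substituted in at build time, so unless Transmission itself enforces RPC authentication (not determinable here) consider adding `include snippets/allow-private-ips.conf;` as the `/lam` block does, or an `auth_basic` directive. A comment on the location explaining that the path is the access control would at least make the trade-off explicit.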
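Review bot: `TRANSMISSION: "${TRANSMISSION}"` under `build.args` silently expands to an empty string (Compose only warns) when the variable is missing from the shell or `.env`, and that empty value is then fed into the Dockerfile's `sed` step. Use Compose's required-variable syntax, `TRANSMISSION: "${TRANSMISSION:?TRANSMISSION build arg must be set}"`, so `docker-compose build` aborts instead of producing an image with a mangled location. The `vouch:` service that ends the hunk is defined outside it.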
@@ -0,0 +1,19 @@
+location /AutoDiscover/ {
+ proxy_pass http://$z_push$request_uri;
+ include snippets/proxy-headers.conf;
+}
+
+location /Autodiscover/ {
+ proxy_pass http://$z_push$request_uri;
+ include snippets/proxy-headers.conf;
+}
+
+location /autodiscover/ {
+ proxy_pass http://$z_push$request_uri;
+ include snippets/proxy-headers.conf;
+}
+
+location /Microsoft-Server-ActiveSync {
+ proxy_pass http://$z_push$request_uri;
+ include snippets/proxy-headers.conf;
+}
diff --git a/www/mail.shore.co.il/.well-known/mta-sts.txt b/www/mail.shore.co.il/.well-known/mta-sts.txt
new file mode 100644
index 0000000..d81ad3b
--- /dev/null
+++ b/www/mail.shore.co.il/.well-known/mta-sts.txt
@@ -0,0 +1,4 @@
+version: STSv1
+mode: testing
+mx: smtp.shore.co.il
+max_age: 86400
diff --git a/www/www.shore.co.il/google88c23a5c89fa3cb3.html b/www/www.shore.co.il/google88c23a5c89fa3cb3.html
new file mode 100644
index 0000000..ceace0b
--- /dev/null
+++ b/www/www.shore.co.il/google88c23a5c89fa3cb3.html
@@ -0,0 +1 @@
+google-site-verification: google88c23a5c89fa3cb3.html
\ No newline at end of file
--
GitLab
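Review bot: The `/AutoDiscover/`, `/Autodiscover/` and `/autodiscover/` blocks are identical and exist only because prefix locations are case-sensitive; a single case-insensitive regex location, `location ~* ^/autodiscover/ { proxy_pass http://$z_push$request_uri; include snippets/proxy-headers.conf; }`, covers those plus any other casing a client sends, and a regex location still takes precedence over the plain `location /` prefix in shore.co.il.conf where this snippet is included. Unlike the git and nextcloud proxies, none of these locations sets `client_max_body_size`, so ActiveSync syncs carrying attachments larger than nginx's 1m default will be rejected with 413 before reaching Z-Push; add a `client_max_body_size` sized for the largest attachment you expect. `proxy_http_version 1.1;` is also missing here while every other proxy block in this commit sets it.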