......@@ -16,8 +16,10 @@ RUN rm -rf /etc/nginx/conf./* && \
-nodes \
-out /var/ssl/site.crt \
-batch && \
cp /var/ssl/site.crt /var/ssl/mail.crt && \
cp /var/ssl/site.key /var/ssl/mail.key && \
setcap CAP_NET_BIND_SERVICE=+ep "$(command -v nginx)" && \
chown nginx /var/ssl/site.*
chown nginx /var/ssl/site.* /var/ssl/mail.*
COPY www/ /var/www/
COPY conf.d/ /etc/nginx/conf.d/
COPY snippets/ /etc/nginx/snippets/
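Review bot: `chown nginx /var/ssl/site.* /var/ssl/mail.*` gives the runtime user ownership of the private key files, which implies write access as well as read, and nothing in the hunk narrows the file mode after the `openssl req ... -nodes` step, so the unencrypted build-time keys sit writable by nginx in the image layer. The compose change on this page bind-mounts the real site and mail key pairs read-only over these paths, so a comment saying the generated pair is only a placeholder, plus `chmod 0400 /var/ssl/site.key /var/ssl/mail.key` in the same `RUN` (fine if the master process runs as nginx, which the `setcap` line suggests), would make the intent and the permission model explicit. The `RUN` instruction this belongs to starts before the hunk.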
......@@ -4,11 +4,6 @@
> Web proxy Dockerized setup.
## Branches
The `master` branch doesn't have any configuration in it. The `ns4` and `host01`
branches have configuration for those hoss.
## License
This software is licensed under the MIT license (see `LICENSE.txt`).
# vim: ft=nginx
map $host $auth { default auth; }
limit_req_zone $binary_remote_addr zone=ldap_auth:2m rate=2r/s;
limit_req_status 429;
server {
listen 80;
listen [::]:80;
server_name auth.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/www-acme-challenge.conf;
include snippets/redirect-https.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name auth.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/ssl-modern.conf;
location / {
proxy_pass http://$auth:8080$request_uri;
proxy_http_version 1.1;
include snippets/proxy-headers.conf;
include snippets/allow-shore-ips.conf;
limit_req zone=ldap_auth burst=10 delay=2;
}
}
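Review bot: `map $host $auth { default auth; }` maps every host to a constant and appears to exist only so that `proxy_pass http://$auth:8080$request_uri;` receives a variable, but nothing on the page says why. A one-line comment would save the next reader a detour, e.g. `# Constant map so proxy_pass gets a variable and nginx resolves the upstream per request (presumably via a resolver in global.conf) instead of failing at startup when the container is down — confirm`. The same uncommented pattern is repeated in the code, git, lam, nextcloud, notify, sogo and zpush server files, whereas the vouch file does document where its variable comes from.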
# vim: ft=nginx
map $host $code { default code; }
server {
listen 80;
listen [::]:80;
server_name code.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/www-acme-challenge.conf;
include snippets/redirect-https.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name code.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/ssl-modern.conf;
# The following was copied (and modified) from
# https://www.collaboraoffice.com/code/nginx-reverse-proxy/.
# static files
location ^~ /loleaflet {
proxy_pass http://$code:9980$request_uri;
proxy_http_version 1.1;
include snippets/proxy-headers.conf;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://$code:9980$request_uri;
proxy_http_version 1.1;
include snippets/proxy-headers.conf;
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://$code:9980$request_uri;
proxy_http_version 1.1;
include snippets/proxy-headers.conf;
}
# main websocket
location ~ ^/lool/(.*)/ws$ {
proxy_pass http://$code:9980$request_uri;
proxy_http_version 1.1;
include snippets/proxy-headers.conf;
include snippets/websockets.conf;
}
# download, presentation and image upload
location ~ ^/lool {
proxy_pass http://$code:9980$request_uri;
proxy_http_version 1.1;
include snippets/proxy-headers.conf;
}
# Admin Console websocket
location ^~ /lool/adminws {
proxy_pass http://$code:9980$request_uri;
proxy_http_version 1.1;
include snippets/proxy-headers.conf;
include snippets/websockets.conf;
}
}
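Review bot: `location ^~ /lool/adminws` proxies the Collabora admin console websocket to any client address, while the other administrative surfaces on this page (auth, lam, sogo) carry `include snippets/allow-shore-ips.conf;` or `include snippets/allow-private-ips.conf;`. Collabora enforces its own admin credentials, which is not visible here, but an address allowlist adds a second layer at the proxy; consider `include snippets/allow-private-ips.conf;` inside that location, or a comment stating that the console is intentionally reachable from everywhere.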
# vim: ft=nginx
map $host $git { default gitlab; }
server {
listen 80;
listen [::]:80;
server_name git.shore.co.il;
include snippets/robots-allow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/www-acme-challenge.conf;
include snippets/redirect-https.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name git.shore.co.il;
include snippets/robots-allow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/ssl-modern.conf;
location / {
proxy_pass http://$git$request_uri;
proxy_http_version 1.1;
include snippets/proxy-headers.conf;
proxy_set_header X-Forwarded-Ssl on;
client_max_body_size 512m;
}
}
# vim: ft=nginx
map $host $lam { default ldap-account-manager; }
server {
listen 80;
listen [::]:80;
server_name lam.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/www-acme-challenge.conf;
include snippets/redirect-https.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name lam.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/ssl-modern.conf;
location / {
proxy_pass http://$lam$request_uri;
proxy_http_version 1.1;
include snippets/proxy-headers.conf;
proxy_hide_header X-Frame-Options;
include snippets/allow-private-ips.conf;
}
}
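Review bot: `proxy_hide_header X-Frame-Options;` strips the clickjacking protection LDAP Account Manager sends, and the page does not show a frame policy being re-added, so unless `snippets/common-headers.conf` (presumably pulled in through ssl-common.conf) sets one, the admin UI becomes frameable from any origin. If the header is hidden only so that a snippet can set a consistent value, a comment such as `# Upstream value replaced by the frame policy in snippets/common-headers.conf — verify` would record that; note that an `add_header` placed inside this `location` would suppress the server-level ones, so the replacement should not go here. The same directive appears without explanation in the nextcloud and sogo server files.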
# vim: ft=nginx
server {
listen 80;
listen [::]:80;
server_name imap.shore.co.il smtp.shore.co.il mta-sts.shore.co.il mta-sts.nehe.sr;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/www-acme-challenge.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mta-sts.shore.co.il mta-sts.nehe.sr;
root /var/www/mail.shore.co.il/;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
# Copied from snippetes/ssl.conf.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header Expect-CT "max-age=86400, enforce, report-uri=\"https://www.shore.co.il/about\"";
include snippets/common-headers.conf;
ssl_certificate /var/ssl/mail.crt;
ssl_certificate_key /var/ssl/mail.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ocsp.pem;
}
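Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` on the mta-sts server re-enables protocol versions that the shared `snippets/ssl-modern.conf` on this page limits to `TLSv1.2 TLSv1.3`, and the hand-copied cipher list still admits `AES128` and `+SHA1`. An MTA-STS policy is fetched over HTTPS by sending MTAs, which do not need TLS 1.0/1.1 (deprecated by RFC 8996), so `ssl_protocols TLSv1.2 TLSv1.3;` together with the snippet's cipher string is the safer copy. Since the block is duplicated only because it needs `/var/ssl/mail.crt`, replacing the `Copied from snippetes/ssl.conf` comment with one naming the snippet it mirrors would help keep the two from drifting again.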
# vim: ft=nginx
map $host $nextcloud { default nextcloud; }
server {
listen 80;
listen [::]:80;
server_name nextcloud.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/www-acme-challenge.conf;
include snippets/redirect-https.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name nextcloud.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/ssl-modern.conf;
include snippets/nextcloud-well-known.conf;
location / {
proxy_pass http://$nextcloud$request_uri;
proxy_http_version 1.1;
include snippets/proxy-headers.conf;
proxy_hide_header X-Frame-Options;
client_max_body_size 512m;
}
}
# vim: ft=nginx
map $host $notify { default notifier; }
server {
listen 80;
listen [::]:80;
server_name notify.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/www-acme-challenge.conf;
include snippets/redirect-https.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name notify.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/ssl-legacy.conf;
location / {
proxy_pass http://$notify:8080$request_uri;
proxy_http_version 1.1;
include snippets/proxy-headers.conf;
}
}
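Review bot: `include snippets/ssl-legacy.conf;` opts this server out of the modern TLS profile used by the other hosts, and nothing here says which client needs it; a comment such as `# ssl-legacy: required by <CLIENT — fill in>` above the include would record the reason so the exception can be revisited. The zpush server file uses the same include, where old ActiveSync clients are a plausible reason, but notify's reason is not evident from the page.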
# vim: ft=nginx
map $host $sogo { default sogo; }
server {
listen 80;
listen [::]:80;
server_name sogo.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/www-acme-challenge.conf;
include snippets/redirect-https.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name sogo.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/ssl-modern.conf;
location / { return 301 https://$host/SOGo/; }
location /SOGo { return 301 https://$host/SOGo/; }
location /SOGo/ {
proxy_pass http://$sogo:20000$request_uri;
proxy_http_version 1.1;
include snippets/proxy-headers.conf;
proxy_hide_header X-Frame-Options;
include snippets/allow-private-ips.conf;
# Copied from http://wiki.sogo.nu/nginxSettings
proxy_set_header x-webobjects-server-protocol HTTP/1.1;
proxy_set_header x-webobjects-remote-host $sogo;
proxy_set_header x-webobjects-server-name $server_name;
proxy_set_header x-webobjects-server-url $scheme://$host;
proxy_set_header x-webobjects-server-port $server_port;
}
}
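Review bot: `proxy_set_header x-webobjects-remote-host $sogo;` tells SOGo that every request originates from the upstream name rather than from the client; as far as I recall, the SOGo wiki page cited in the comment sets this header to `$remote_addr`, and passing the real client address keeps SOGo's own per-client logging meaningful for any login-failure monitoring behind it. If the deviation is deliberate it deserves a comment; otherwise `proxy_set_header x-webobjects-remote-host $remote_addr;` is the documented form — confirm against the wiki before changing.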
# vim: ft=nginx
# The $vouch variable is defined in global.conf, it's needed by other servers
# and deployments.
server {
listen 80;
listen [::]:80;
server_name vouch.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/www-acme-challenge.conf;
include snippets/redirect-https.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name vouch.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/ssl-modern.conf;
location / {
proxy_pass http://$vouch:9090;
proxy_http_version 1.1;
include snippets/proxy-headers.conf;
}
}
# vim: ft=nginx
map $host $zpush { default z-push; }
server {
listen 80;
listen [::]:80;
server_name zpush.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/www-acme-challenge.conf;
include snippets/redirect-https.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name zpush.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/ssl-legacy.conf;
location / {
proxy_pass http://$zpush;
proxy_http_version 1.1;
include snippets/proxy-headers.conf;
}
}
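Review bot: The `/` location proxies ActiveSync with no `proxy_read_timeout`, so nginx's default of 60s applies, and ActiveSync Ping/Sync requests are long-polls that commonly stay idle past that; the Z-Push deployment notes recommend raising the proxy timeouts, as far as I recall — confirm against the deployed Z-Push configuration. A value matching Z-Push's configured heartbeat, e.g. `proxy_read_timeout 1800s;  # match the Z-Push heartbeat interval (confirm)`, would avoid clients seeing dropped connections mid-poll.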
......@@ -5,11 +5,20 @@ services:
build:
context: ./
# command: ["nginx", "-g", "daemon off;"]
hostname: &hostname shore.co.il
hostname: &hostname nextcloud.shore.co.il
networks:
default:
aliases:
- *hostname
- code.shore.co.il
- elasticsearch.shore.co.il
- git.shore.co.il
- kibana.shore.co.il
- lam.shore.co.il
- mta-sts.shore.co.il
- sogo.shore.co.il
- vouch.shore.co.il
- zpush.shore.co.il
ports:
- '80:80'
- '443:443'
......@@ -18,6 +27,8 @@ services:
- '/var/www/www.shore.co.il/.well-known/acme-challenge:/var/www/www.shore.co.il/.well-known/acme-challenge:ro'
- '/var/ssl/site.key:/var/ssl/site.key:ro'
- '/var/ssl/site.crt:/var/ssl/site.crt:ro'
- '/var/ssl/mail.key:/var/ssl/mail.key:ro'
- '/var/ssl/mail.crt:/var/ssl/mail.crt:ro'
- '/var/ssl/dhparams:/var/ssl/dhparams:ro'
vouch:
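Review bot: The alias list gives the proxy container the names of the vhosts it serves, presumably so that other containers reach those services through nginx, but `auth.shore.co.il` and `notify.shore.co.il`, both proxied by server files in this change, are missing, so containers resolving those two names will not reach the proxy. Add `- auth.shore.co.il` and `- notify.shore.co.il` if that is intended, or a comment stating the rule for which hosts are listed. Changing `hostname` from `shore.co.il` to `nextcloud.shore.co.il` for the proxy container is also not self-explanatory; a comment on why the proxy carries that hostname would help.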
location /.well-known/caldav {
return 301 https://nextcloud.shore.co.il/remote.php/dav;
}
location /.well-known/carddav {
return 301 https://nextcloud.shore.co.il/remote.php/dav;
}
location /.well-known/webfinger {
return 301 https://nextcloud.shore.co.il/public.php?service=webfinger;
}
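Review bot: `return 301 https://nextcloud.shore.co.il/public.php?service=webfinger;` discards the client's query string: `return` does not append the original arguments to an explicit target URL, and WebFinger requests (RFC 7033) carry the subject in `?resource=`, so the redirected request arrives without it. Appending them, `return 301 https://nextcloud.shore.co.il/public.php?service=webfinger&$args;`, keeps the lookup intact; the caldav/carddav redirects are unaffected because those clients do not depend on query parameters. Confirm the `public.php?service=webfinger` target against the deployed Nextcloud version, as newer releases document a different path.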
# vim: ft=nginx
include snippets/ssl-common.conf;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers CHACHA20:DHE:ECDHE:!NULL:!AES128:!ARIA128:!CAMELLIA128:!SHA1:!kRSA;
ssl_ciphers HIGH:!NULL:!AES128:!ARIA128:!CAMELLIA:!SHA1:!kRSA:!DHE+SHA256:!ECDHE+SHA256;
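Review bot: `ssl_ciphers HIGH:!NULL:!AES128:!ARIA128:!CAMELLIA:!SHA1:!kRSA:!DHE+SHA256:!ECDHE+SHA256;` states the policy as exclusions from OpenSSL's `HIGH` group, so the resulting suite list depends on the OpenSSL build in the image and is hard to read; a comment stating the intended outcome (for example: forward-secret, 256-bit, no SHA-1, no CBC-with-SHA256 suites) lets a reviewer verify it with `openssl ciphers -v '<string>'` against that build. Whether this line replaces the `CHACHA20:DHE:ECDHE:...` line above it or belongs to a second snippet is not clear from the page; if both end up in one file, nginx rejects the duplicate `ssl_ciphers`.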
version: STSv1
mode: testing
mx: smtp.shore.co.il
max_age: 86400
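Review bot: `mode: testing` with `max_age: 86400` keeps the policy advisory, which is reasonable while TLSRPT reports are being checked, but the same file is served for both `mta-sts.shore.co.il` and `mta-sts.nehe.sr` (per the `server_name` on the mail host) and lists only `mx: smtp.shore.co.il`, which is correct only if the nehe.sr domain's MX records point at that same host — confirm. When moving to `mode: enforce`, raise `max_age`, as RFC 8461 expects caching in the range of weeks or more, and remember that the `_mta-sts` TXT record's `id` must change with every edit of this file for clients to refetch it.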