diff --git a/consul-template.d/templates/guacamole.tmpl b/consul-template.d/templates/guacamole.tmpl
deleted file mode 100644
index 5729032..0000000
--- a/consul-template.d/templates/guacamole.tmpl
+++ /dev/null
@@ -1,103 +0,0 @@
-server {
- listen 443 ssl http2;
- server_name g.kazu634.com;
-
- ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt;
- ssl_certificate_key /etc/lego/.lego/certificates/_.kazu634.com.key;
- ssl_dhparam /etc/lego/dhparams_4096.pem;
-
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:3m;
- ssl_buffer_size 4k;
- ssl_session_tickets off;
-
- ssl_protocols TLSv1.3 TLSv1.2;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- resolver 8.8.4.4 8.8.8.8 valid=300s;
- resolver_timeout 10s;
-
- # Enable HSTS (HTTP Strict Transport Security)
- add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
-
- access_log /var/log/nginx/guacamole.access.log ltsv;
- error_log /var/log/nginx/guacamole.error.log;
-
- send_timeout 180;
- proxy_connect_timeout 600;
- proxy_read_timeout 600;
- proxy_send_timeout 600;
-
- client_max_body_size 1024m;
-
- http2_max_field_size 256k;
- http2_max_header_size 256k;
-
- location / {
- # oauth2-proxy here:
- auth_request /oauth2/auth;
- error_page 401 = /oauth2/sign_in;
-
- auth_request_set $user $upstream_http_x_auth_request_user;
- auth_request_set $email $upstream_http_x_auth_request_email;
- proxy_set_header X-User $user;
- proxy_set_header X-Email $email;
-
- # if you enabled --pass-access-token, this will pass the token to the backend
- auth_request_set $token $upstream_http_x_auth_request_access_token;
- proxy_set_header X-Access-Token $token;
-
- # guacamole here:
- proxy_pass http://g/guacamole/;
- proxy_buffering off;
- proxy_http_version 1.1;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $http_connection;
- proxy_cookie_path /guacamole/ /;
- }
-
-
- location /oauth2/ {
- proxy_pass http://127.0.0.1:4181;
-
- # Configure proxying to auth
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Scheme $scheme;
- proxy_set_header X-Auth-Request-Redirect $request_uri;
-
- proxy_buffering on;
- proxy_buffer_size 256k;
- proxy_buffers 4 256k;
- proxy_busy_buffers_size 256k;
- }
-
- location = /oauth2/auth {
- proxy_pass http://127.0.0.1:4181;
-
- # Configure proxying to auth
- proxy_pass_request_body off;
- proxy_set_header Content-Length "";
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Scheme $scheme;
- client_max_body_size "1m";
-
- proxy_buffering on;
- proxy_buffer_size 128k;
- proxy_buffers 4 256k;
- proxy_busy_buffers_size 256k;
- }
-}
-
-upstream g {
-{{ range service "guacamole-guacamole" }}
- server {{ .Address }}:{{ .Port }};
-{{else}}
- server 127.0.0.1:60000;
-{{ end }}
-}
diff --git a/sites-available/everun b/sites-available/everun
new file mode 100644
index 0000000..4d0510f
--- /dev/null
+++ b/sites-available/everun
@@ -0,0 +1,80 @@
+server {
+ # allow access from localhost
+ listen 443 ssl http2;
+ server_name www.everun.club;
+
+ ssl_certificate /etc/lego/.lego/certificates/_.everun.club.crt;
+ ssl_certificate_key /etc/lego/.lego/certificates/_.everun.club.key;
+ ssl_dhparam /etc/lego/dhparams_4096.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:3m;
+ ssl_buffer_size 4k;
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ resolver 8.8.4.4 8.8.8.8 valid=300s;
+ resolver_timeout 10s;
+
+ # Enable HSTS (HTTP Strict Transport Security)
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+
+ root /var/www/everun;
+ index index.html index.htm;
+
+ access_log /var/log/nginx/everun.access.log ltsv;
+ error_log /var/log/nginx/everun.error.log;
+
+ http2_max_field_size 256k;
+ http2_max_header_size 256k;
+
+ # To allow POST on static pages
+ error_page 405 =200 $uri;
+
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+}
+
+server {
+ # allow access from localhost
+ listen 443 ssl http2;
+ server_name everun.club;
+
+ ssl_certificate /etc/lego/.lego/certificates/_.everun.club.crt;
+ ssl_certificate_key /etc/lego/.lego/certificates/_.everun.club.key;
+ ssl_dhparam /etc/lego/dhparams_4096.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:3m;
+ ssl_buffer_size 4k;
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ resolver 8.8.4.4 8.8.8.8 valid=300s;
+ resolver_timeout 10s;
+
+ # Enable HSTS (HTTP Strict Transport Security)
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+
+ access_log /var/log/nginx/everun.access.log ltsv;
+ error_log /var/log/nginx/everun.error.log;
+
+ http2_max_field_size 256k;
+ http2_max_header_size 256k;
+
+ location / {
+ rewrite ^/$ https://www.everun.club;
+ }
+}
+
diff --git a/sites-available/minio b/sites-available/everun-staging
similarity index 52%
rename from sites-available/minio
rename to sites-available/everun-staging
index fc44a9c..0503393 100644
--- a/sites-available/minio
+++ b/sites-available/everun-staging
@@ -1,9 +1,10 @@
 server {
+ # allow access from localhost
 listen 443 ssl http2;
- server_name minio.kazu634.com;
+ server_name staging.everun.club;
 
- ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt;
- ssl_certificate_key /etc/lego/.lego/certificates/_.kazu634.com.key;
+ ssl_certificate /etc/lego/.lego/certificates/_.everun.club.crt;
+ ssl_certificate_key /etc/lego/.lego/certificates/_.everun.club.key;
 ssl_dhparam /etc/lego/dhparams_4096.pem;
 
 ssl_session_timeout 1d;
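Review bot: The apex `everun.club` server only redirects the bare root: `rewrite ^/$ https://www.everun.club;` matches nothing but `/`, and because no `permanent` flag is given it answers with a 302, while any deeper path (e.g. `/about`) falls through a server block that sets no `root` and is served from nginx's compiled-in default document root as a 404 instead of reaching `www`. Replace the `location / { rewrite ... }` with a server-level `return 301 https://www.everun.club$request_uri;`, which redirects every path, preserves the query string and is cacheable. The comment `# allow access from localhost` above both `listen 443 ssl http2;` lines is wrong for a listener bound to all interfaces on a public hostname; reword it to `# public HTTPS listener (all interfaces)` or drop it so nobody later assumes this vhost is loopback-only.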
@@ -23,20 +24,22 @@ server {
 # Enable HSTS (HTTP Strict Transport Security)
 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
 
- access_log /var/log/nginx/minio.access.log ltsv;
- error_log /var/log/nginx/minio.error.log;
+ root /var/www/test-everun;
+ index index.html index.htm;
 
- proxy_buffering off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ access_log /var/log/nginx/stag-everun.access.log ltsv;
+ error_log /var/log/nginx/stag-everun.error.log;
 
- ignore_invalid_headers off;
- client_max_body_size 0;
+ http2_max_field_size 256k;
+ http2_max_header_size 256k;
+
+ # To allow POST on static pages
+ error_page 405 =200 $uri;
 
 location / {
- proxy_pass http://192.168.10.200:9000/;
+ auth_basic "限定公開中なのでユーザー名とパスワードを入れてください";
+ auth_basic_user_file "/etc/nginx/basic-auth";
+
+ try_files $uri $uri/ /index.html;
 }
 }
diff --git a/stream-available/gitea b/stream-available/gitea
new file mode 100644
index 0000000..fc6159c
--- /dev/null
+++ b/stream-available/gitea
@@ -0,0 +1,13 @@
+proxy_protocol on;
+error_log /var/log/nginx/stream.log info;
+
+upstream gitea-backend {
+
+ server 127.0.0.1:60000;
+
+}
+
+server {
+ listen 0.0.0.0:50022;
+ proxy_pass gitea-backend;
+}
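Review bot: `auth_basic` and `auth_basic_user_file` are attached only to `location /`, so the gate is easy to lose: any location added later to this staging vhost (a `= /robots.txt`, a `/static/` block, a redirect) will not inherit it and will be public, even though the realm text says the site is restricted. Hoist both directives to the `server` context, where every location inherits them, and keep `location /` to just `try_files`. The realm string is non-ASCII; it is sent verbatim in `WWW-Authenticate`, which some clients and tools mishandle, so prefer an ASCII realm such as `auth_basic "Restricted";` and put the Japanese explanation in a comment. The hash format inside `/etc/nginx/basic-auth` is not visible here; confirm entries use bcrypt, `$apr1$` or SHA-crypt rather than legacy DES `crypt()`, and since nothing rate-limits failed attempts, consider a `limit_req` zone on this server if the password is weak.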
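Review bot: `proxy_protocol on;` in this stream block makes nginx send a PROXY-protocol header to `gitea-backend` on every connection (the `listen 0.0.0.0:50022;` line does not accept PROXY from clients), so the service on `127.0.0.1:60000` must be configured to expect PROXY protocol or every SSH session will fail at the handshake; add a comment stating that dependency, e.g. `# upstream must be configured to accept PROXY protocol (nginx sends it)`. Once the backend trusts that header, any local process that can reach 127.0.0.1:60000 can forge it and spoof the client address in Gitea's logs and any IP-based ban logic, so the backend should accept PROXY headers only from this proxy where it supports that. Port 60000 is the same address the deleted guacamole template used as its `{{else}}` fallback, which looks like a placeholder; confirm it really is the Gitea SSH listener. The listener is IPv4-only; add `listen [::]:50022;` if the host is dual-stacked.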