diff --git a/consul-template.d/conf/faktory.conf b/consul-template.d/conf/faktory.conf
deleted file mode 100644
index a449b55..0000000
--- a/consul-template.d/conf/faktory.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-consul {
- address = "localhost:8500"
-
- retry {
- enabled = true
- attempts = 12
- backoff = "250ms"
- }
-}
-template {
- source = "/etc/consul-template.d/templates/faktory.tmpl"
- destination = "/etc/nginx/sites-enabled/faktory"
- perms = 0660
- command = "systemctl reload nginx"
-}
diff --git a/consul-template.d/conf/gotosocial.conf b/consul-template.d/conf/gotosocial.conf
deleted file mode 100644
index 8bc7715..0000000
--- a/consul-template.d/conf/gotosocial.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-consul {
- address = "localhost:8500"
-
- retry {
- enabled = true
- attempts = 12
- backoff = "250ms"
- }
-}
-template {
- source = "/etc/consul-template.d/templates/gotosocial.tmpl"
- destination = "/etc/nginx/sites-enabled/gotosocial"
- perms = 0660
- command = "systemctl reload nginx"
-}
diff --git a/consul-template.d/conf/grafana.conf b/consul-template.d/conf/grafana.conf
deleted file mode 100644
index 28451a5..0000000
--- a/consul-template.d/conf/grafana.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-consul {
- address = "localhost:8500"
-
- retry {
- enabled = true
- attempts = 12
- backoff = "250ms"
- }
-}
-template {
- source = "/etc/consul-template.d/templates/grafana.tmpl"
- destination = "/etc/nginx/sites-enabled/grafana"
- perms = 0660
- command = "systemctl reload nginx"
-}
diff --git a/consul-template.d/conf/pocket.conf b/consul-template.d/conf/pocket.conf
deleted file mode 100644
index 01781bf..0000000
--- a/consul-template.d/conf/pocket.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-consul {
- address = "localhost:8500"
-
- retry {
- enabled = true
- attempts = 12
- backoff = "250ms"
- }
-}
-template {
- source = "/etc/consul-template.d/templates/pocket.tmpl"
- destination = "/etc/nginx/sites-enabled/pocket"
- perms = 0660
- command = "systemctl reload nginx"
-}
diff --git a/consul-template.d/templates/drone.tmpl b/consul-template.d/templates/drone.tmpl
index aa7e9d3..e6f53da 100644
--- a/consul-template.d/templates/drone.tmpl
+++ b/consul-template.d/templates/drone.tmpl
@@ -1,5 +1,8 @@
 server {
- listen 443 ssl http2;
+ listen 443 quic;
+ listen 443 ssl;
+ http2 on;
+ http3 on;
 server_name drone.kazu634.com;
 ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt;
@@ -39,7 +42,6 @@ server {
 client_max_body_size 1024m;
- location / {
 proxy_pass http://drone/;
 }
diff --git a/consul-template.d/templates/faktory.tmpl b/consul-template.d/templates/faktory.tmpl
deleted file mode 100644
index 2ddf3d9..0000000
--- a/consul-template.d/templates/faktory.tmpl
+++ /dev/null
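Review bot: `http3 on;` is switched on for the new `listen 443 quic;` socket, but nothing in the drone.tmpl hunk tells clients that HTTP/3 is offered, so they will keep negotiating HTTP/2 over TCP; the same gap is in gitea.tmpl (L3), blog-staging (L7), everun (L10) and everun-staging (L11), whereas blog keeps `add_header Alt-Svc 'h3=":443"; ma=86400';` in its location block. Adding `add_header Alt-Svc 'h3=":443"; ma=86400';` at server level in each of these blocks would make the new listener actually reachable and keep the sites consistent with blog. The server block continues past the hunk, so if such a header already exists further down in a given file this does not apply there.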
@@ -1,46 +0,0 @@ -server { - listen 443 ssl http2; - server_name faktory.kazu634.com; - - ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt; - ssl_certificate_key /etc/lego/.lego/certificates/_.kazu634.com.key; - ssl_dhparam /etc/lego/dhparams_4096.pem; - - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:3m; - ssl_buffer_size 4k; - ssl_session_tickets off; - - ssl_protocols TLSv1.3 TLSv1.2; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_stapling on; - ssl_stapling_verify on; - - resolver 8.8.4.4 8.8.8.8 valid=300s; - resolver_timeout 10s; - - # Enable HSTS (HTTP Strict Transport Security) - add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; - - access_log /var/log/nginx/faktory.access.log json; - error_log /var/log/nginx/faktory.error.log; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - location / { - proxy_pass http://faktory/; - } -} - -upstream faktory { -{{ range service "faktory-front" }} - server {{ .Address }}:{{ .Port }}; -{{else}} - server 127.0.0.1:60000; -{{ end }} -} diff --git a/consul-template.d/templates/gitea.tmpl b/consul-template.d/templates/gitea.tmpl index a5ef648..9e474c7 100644 --- a/consul-template.d/templates/gitea.tmpl +++ b/consul-template.d/templates/gitea.tmpl @@ -1,5 +1,8 @@ server { - listen 443 ssl http2; + listen 443 quic; + listen 443 ssl; + http2 on; + http3 on; server_name gitea.kazu634.com; ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt; @@ -39,7 +42,6 @@ server { client_max_body_size 1024m; - location / { proxy_pass http://gitea/; } 
diff --git a/consul-template.d/templates/gotosocial.tmpl b/consul-template.d/templates/gotosocial.tmpl deleted file mode 100644 index 480a0c4..0000000 --- a/consul-template.d/templates/gotosocial.tmpl +++ /dev/null @@ -1,58 +0,0 @@ -server { - listen 443 ssl http2; - server_name social.kazu634.com; - - ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt; - ssl_certificate_key /etc/lego/.lego/certificates/_.kazu634.com.key; - ssl_dhparam /etc/lego/dhparams_4096.pem; - - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:3m; - ssl_buffer_size 4k; - ssl_session_tickets off; - - ssl_protocols TLSv1.3 TLSv1.2; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_stapling on; - ssl_stapling_verify on; - - resolver 8.8.4.4 8.8.8.8 valid=300s; - resolver_timeout 10s; - - # Enable HSTS (HTTP Strict Transport Security) - add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; - - access_log /var/log/nginx/social.access.log json; - error_log /var/log/nginx/social.error.log; - - send_timeout 180; - proxy_connect_timeout 600; - proxy_read_timeout 600; - proxy_send_timeout 600; - - client_max_body_size 1024m; - - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - location / { - proxy_pass http://social/; - } -} - -upstream social { -{{ range service "gotosocial" }} - server {{ .Address }}:{{ .Port }}; -{{else}} - server 127.0.0.1:60000; -{{ end }} -} 
diff --git a/consul-template.d/templates/grafana.tmpl b/consul-template.d/templates/grafana.tmpl deleted file mode 100644 index e84ad5f..0000000 --- a/consul-template.d/templates/grafana.tmpl +++ /dev/null @@ -1,46 +0,0 @@ -server { - listen 443 ssl http2; - server_name grafana.kazu634.com; - - ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt; - ssl_certificate_key /etc/lego/.lego/certificates/_.kazu634.com.key; - ssl_dhparam /etc/lego/dhparams_4096.pem; - - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:3m; - ssl_buffer_size 4k; - ssl_session_tickets off; - - ssl_protocols TLSv1.3 TLSv1.2; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_stapling on; - ssl_stapling_verify on; - - resolver 8.8.4.4 8.8.8.8 valid=300s; - resolver_timeout 10s; - - # Enable HSTS (HTTP Strict Transport Security) - add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; - - access_log /var/log/nginx/grafana.access.log json; - error_log /var/log/nginx/grafana.error.log; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - location / { - proxy_pass http://grafana/; - } -} - -upstream grafana { -{{ range service "grafana" }} - server {{ .Address }}:{{ .Port }}; -{{else}} - server 127.0.0.1:60000; -{{ end }} -} diff --git a/consul-template.d/templates/pocket.tmpl b/consul-template.d/templates/pocket.tmpl deleted file mode 100644 index 47ec99e..0000000 --- a/consul-template.d/templates/pocket.tmpl +++ /dev/null 
@@ -1,46 +0,0 @@ -server { - listen 443 ssl http2; - server_name pocket.kazu634.com; - - ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt; - ssl_certificate_key /etc/lego/.lego/certificates/_.kazu634.com.key; - ssl_dhparam /etc/lego/dhparams_4096.pem; - - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:3m; - ssl_buffer_size 4k; - ssl_session_tickets off; - - ssl_protocols TLSv1.3 TLSv1.2; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_stapling on; - ssl_stapling_verify on; - - resolver 8.8.4.4 8.8.8.8 valid=300s; - resolver_timeout 10s; - - # Enable HSTS (HTTP Strict Transport Security) - add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; - - access_log /var/log/nginx/pocket.access.log json; - error_log /var/log/nginx/pocket.error.log; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - location / { - proxy_pass http://pocket; - } -} - -upstream pocket { -{{ range service "archive-article" }} - server {{ .Address }}:{{ .Port }}; -{{else}} - server 127.0.0.1:60000; -{{ end }} -} diff --git a/sites-available/blog b/sites-available/blog index 5def715..f0d917a 100644 --- a/sites-available/blog +++ b/sites-available/blog @@ -1,7 +1,8 @@ server { - # allow access from localhost - listen 443 quic reuseport backlog=1024; - listen 443 http2 ssl backlog=1024; + listen 443 quic reuseport; + listen 443 ssl backlog=1024; + http2 on; + http3 on; server_name blog.kazu634.com; ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt; 
@@ -31,33 +32,10 @@ server { access_log /var/log/nginx/blog.access.log json; error_log /var/log/nginx/blog.error.log; + large_client_header_buffers 8 32k; + location / { - # http2 server push: - http2_push_preload on; - - http2_push /apple-touch-icon.png; - http2_push /lib/normalize/normalize.min.css; - http2_push /css/style.min.css; - http2_push /lib/lightgallery/lightgallery.min.css; - http2_push /lib/katex/katex.min.css; - http2_push /lib/katex/copy-tex.min.css; - http2_push /lib/mapbox-gl/mapbox-gl.min.css; - http2_push /lib/smooth-scroll/smooth-scroll.min.js; - http2_push /lib/lazysizes/lazysizes.min.js; - http2_push /lib/twemoji/twemoji.min.js; - http2_push /lib/lightgallery/lightgallery.min.js; - http2_push /lib/lightgallery/lg-zoom.min.js; - http2_push /lib/clipboard/clipboard.min.js; - http2_push /lib/sharer/sharer.min.js; - http2_push /lib/katex/katex.min.js; - http2_push /lib/katex/auto-render.min.js; - http2_push /lib/katex/copy-tex.min.js; - http2_push /lib/katex/mhchem.min.js; - http2_push /js/theme.min.js; - http2_push https://embedr.flickr.com/assets/client-code.js; - http2_push https://platform.twitter.com/widgets.js; - - # used to advertise the availability of HTTP/3 + # used to advertise the availability of HTTP/3 add_header Alt-Svc 'h3=":443"; ma=86400'; if (-e "/tmp/maintenance") { diff --git a/sites-available/blog-staging b/sites-available/blog-staging index b3068cd..7db04c9 100644 --- a/sites-available/blog-staging +++ b/sites-available/blog-staging @@ -1,6 +1,8 @@ server { - # allow access from localhost - listen 443 ssl http2; + listen 443 quic reuseport; + listen 443 ssl; + http2 on; + http3 on; server_name test.kazu634.com; ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt; 
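Review bot: `large_client_header_buffers 8 32k;` lets any client make nginx hold up to 256 KiB of request headers per connection, eight times the `4 8k` default, and this blog server block has no auth cookies that would need it; the same value is added to blog-staging (L8), where it replaces `http2_max_field_size`/`http2_max_header_size 256k`, which presumably existed for the oauth2-proxy cookies this commit removes. If nothing else needs oversized headers, dropping the directive (or lowering it) keeps the per-connection buffer an unauthenticated client can force at the default size; otherwise a comment such as `# oversized request headers: needed for <reason> — TODO confirm` next to it would record why it stays.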
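Review bot: `listen 443 quic reuseport;` in blog-staging repeats the `reuseport` that blog's `listen 443 quic reuseport;` (L6) already sets for the same address:port; nginx accepts socket options such as `reuseport` and `backlog=` in only one listen directive per address:port, so if both sites are enabled in the same instance the config test fails with a "duplicate listen options" error. Using `listen 443 quic;` here and leaving `reuseport` on blog's listener avoids that, and the shared UDP socket gets the option either way. The server block continues outside the hunk.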
@@ -30,88 +32,12 @@ server { access_log /var/log/nginx/stag.access.log json; error_log /var/log/nginx/stag.error.log; - http2_max_field_size 256k; - http2_max_header_size 256k; - - location /oauth2/ { - proxy_pass http://127.0.0.1:4180; - - # Configure proxying to auth - # proxy_pass_request_body off; - # proxy_set_header Content-Length ""; - proxy_set_header Host $host; - # proxy_set_header X-Original-URL $scheme://$http_host$request_uri; - # proxy_set_header X-Original-Method $request_method; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Scheme $scheme; - proxy_set_header X-Auth-Request-Redirect $request_uri; - # proxy_http_version 1.1; - # proxy_ssl_server_name on; - # proxy_pass_request_headers on; - # client_max_body_size "1m"; - - proxy_buffering on; - proxy_buffer_size 256k; - proxy_buffers 4 256k; - proxy_busy_buffers_size 256k; - } - - location = /oauth2/auth { - proxy_pass http://127.0.0.1:4180; - - # Configure proxying to auth - proxy_pass_request_body off; - proxy_set_header Content-Length ""; - proxy_set_header Host $host; - # proxy_set_header X-Original-URL $scheme://$http_host$request_uri; - # proxy_set_header X-Original-Method $request_method; - # proxy_set_header X-Auth-Request-Redirect $request_uri; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Scheme $scheme; - client_max_body_size "1m"; - - proxy_buffering on; - proxy_buffer_size 128k; - proxy_buffers 4 256k; - proxy_busy_buffers_size 256k; - } + large_client_header_buffers 8 32k; location / { - auth_request /oauth2/auth; - error_page 401 = /oauth2/sign_in; + auth_basic "限定公開中なのでユーザー名とパスワードを入れてください"; + auth_basic_user_file "/etc/nginx/basic-auth"; try_files $uri $uri/ /index.html; - - auth_request_set $user $upstream_http_x_auth_request_user; - auth_request_set $email $upstream_http_x_auth_request_email; - proxy_set_header X-User $user; - proxy_set_header X-Email $email; - - # if you enabled --pass-access-token, this will pass the token to the backend - 
auth_request_set $token $upstream_http_x_auth_request_access_token; - proxy_set_header X-Access-Token $token; - - # if you enabled --cookie-refresh, this is needed for it to work with auth_request - auth_request_set $auth_cookie $upstream_http_set_cookie; - add_header Set-Cookie $auth_cookie; - - # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb - # limit and so the OAuth2 Proxy splits these into multiple parts. - # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response, - # so if your cookies are larger than 4kb, you will need to extract additional cookies manually. - auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1; - - # Extract the Cookie attributes from the first Set-Cookie header and append them - # to the second part ($upstream_cookie_* variables only contain the raw cookie content) - if ($auth_cookie ~* "(; .*)") { - set $auth_cookie_name_0 $auth_cookie; - set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1"; - } - - # Send both Set-Cookie headers now if there was a second part - if ($auth_cookie_name_upstream_1) { - add_header Set-Cookie $auth_cookie_name_0; - add_header Set-Cookie $auth_cookie_name_1; - } } } diff --git a/sites-available/drone b/sites-available/drone deleted file mode 100644 index 14e985d..0000000 --- a/sites-available/drone +++ /dev/null 
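Review bot: The new `auth_basic` / `auth_basic_user_file` pair is set only inside `location /`, so any other location in this server block (the block continues outside the hunk) is served without authentication; moving both directives up to server context lets every location inherit them, leaving `location /` with just `try_files`. The credential file `/etc/nginx/basic-auth` should live outside any document root, be readable only by the nginx worker user, and hold crypt()/apr1-style hashes rather than the `PLAIN` or unsalted `{SHA}` forms nginx also accepts — worth a one-line comment next to `auth_basic_user_file`. The realm string is non-ASCII, and HTTP header field values are expected to be ASCII, so some clients will mangle or drop it; an ASCII realm such as `auth_basic "Restricted";` is safer. Unlike the removed oauth2-proxy flow, nothing now throttles repeated failed logins; a `limit_req` zone keyed on `$binary_remote_addr` for this location, or alerting on bursts of 401s in stag.access.log, would restore some of that protection.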
@@ -1,38 +0,0 @@ -server { - listen 443 ssl http2; - server_name drone.kazu634.com; - - ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt; - ssl_certificate_key /etc/lego/.lego/certificates/_.kazu634.com.key; - ssl_dhparam /etc/lego/dhparams_4096.pem; - - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:3m; - ssl_buffer_size 4k; - ssl_session_tickets off; - - ssl_protocols TLSv1.3 TLSv1.2; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_stapling on; - ssl_stapling_verify on; - - resolver 8.8.4.4 8.8.8.8 valid=300s; - resolver_timeout 10s; - - # Enable HSTS (HTTP Strict Transport Security) - add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; - - access_log /var/log/nginx/drone.access.log json; - error_log /var/log/nginx/drone.error.log; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - location / { - proxy_pass http://192.168.10.245/; - } -} diff --git a/sites-available/everun b/sites-available/everun index caebab8..665f8d6 100644 --- a/sites-available/everun +++ b/sites-available/everun @@ -1,7 +1,8 @@ server { - # allow access from localhost listen 443 quic; - listen 443 http2 ssl; + listen 443 ssl; + http2 on; + http3 on; server_name www.everun.club; ssl_certificate /etc/lego/.lego/certificates/_.everun.club.crt; @@ -46,8 +47,10 @@ server { } server { - # allow access from localhost - listen 443 ssl http2; + listen 443 quic; + listen 443 ssl; + http3 on; + http2 on; server_name everun.club; ssl_certificate /etc/lego/.lego/certificates/_.everun.club.crt; 
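Review bot: In the second everun server block `http3 on;` precedes `http2 on;`, the reverse of every other server block in this commit including the first hunk of this file; swapping them to `http2 on;` then `http3 on;` keeps the listen stanza uniform and grep-friendly across the sites. The server block continues outside the hunk.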
diff --git a/sites-available/everun-staging b/sites-available/everun-staging
index 9d2efb7..51ca882 100644
--- a/sites-available/everun-staging
+++ b/sites-available/everun-staging
@@ -1,6 +1,8 @@
 server {
- # allow access from localhost
- listen 443 ssl http2;
+ listen 443 quic;
+ listen 443 ssl;
+ http2 on;
+ http3 on;
 server_name staging.everun.club;
 ssl_certificate /etc/lego/.lego/certificates/_.everun.club.crt;
diff --git a/stream-available/.gitkeep b/stream-available/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/stream-available/gitea b/stream-available/gitea
deleted file mode 100644
index fc6159c..0000000
--- a/stream-available/gitea
+++ /dev/null
@@ -1,13 +0,0 @@
-proxy_protocol on;
-error_log /var/log/nginx/stream.log info;
-
-upstream gitea-backend {
-
- server 127.0.0.1:60000;
-
-}
-
-server {
- listen 0.0.0.0:50022;
- proxy_pass gitea-backend;
-}