From f7949783ea7b55ed7c85bfb62d1b33f2d734ab04 Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sat, 28 Jan 2023 19:46:57 +0900 Subject: [PATCH] initial commit --- consul-template.d/conf/faktory.conf | 15 +++ consul-template.d/conf/gitea.conf | 15 +++ consul-template.d/conf/grafana.conf | 15 +++ consul-template.d/conf/guacamole.conf | 15 +++ consul-template.d/conf/pocket.conf | 15 +++ consul-template.d/templates/faktory.tmpl | 46 ++++++++ consul-template.d/templates/gitea.tmpl | 54 ++++++++++ consul-template.d/templates/grafana.tmpl | 46 ++++++++ consul-template.d/templates/guacamole.tmpl | 103 ++++++++++++++++++ consul-template.d/templates/pocket.tmpl | 46 ++++++++ deploy.sh | 23 ++++ sites-available/blog | 98 +++++++++++++++++ sites-available/blog-staging | 117 +++++++++++++++++++++ sites-available/default | 9 ++ sites-available/drone | 38 +++++++ sites-available/minio | 42 ++++++++ 16 files changed, 697 insertions(+) create mode 100644 consul-template.d/conf/faktory.conf create mode 100644 consul-template.d/conf/gitea.conf create mode 100644 consul-template.d/conf/grafana.conf create mode 100644 consul-template.d/conf/guacamole.conf create mode 100644 consul-template.d/conf/pocket.conf create mode 100644 consul-template.d/templates/faktory.tmpl create mode 100644 consul-template.d/templates/gitea.tmpl create mode 100644 consul-template.d/templates/grafana.tmpl create mode 100644 consul-template.d/templates/guacamole.tmpl create mode 100644 consul-template.d/templates/pocket.tmpl create mode 100755 deploy.sh create mode 100644 sites-available/blog create mode 100644 sites-available/blog-staging create mode 100644 sites-available/default create mode 100644 sites-available/drone create mode 100644 sites-available/minio diff --git a/consul-template.d/conf/faktory.conf b/consul-template.d/conf/faktory.conf new file mode 100644 index 0000000..a449b55 --- /dev/null +++ b/consul-template.d/conf/faktory.conf @@ -0,0 +1,15 @@ +consul { + address = "localhost:8500" + + retry { + enabled = true + attempts = 12 + backoff = "250ms" + } +} +template { + source = "/etc/consul-template.d/templates/faktory.tmpl" + destination = "/etc/nginx/sites-enabled/faktory" + perms = 0660 + command = "systemctl reload nginx" +} diff --git a/consul-template.d/conf/gitea.conf b/consul-template.d/conf/gitea.conf new file mode 100644 index 0000000..8a368e6 --- /dev/null +++ b/consul-template.d/conf/gitea.conf @@ -0,0 +1,15 @@ +consul { + address = "localhost:8500" + + retry { + enabled = true + attempts = 12 + backoff = "250ms" + } +} +template { + source = "/etc/consul-template.d/templates/gitea.tmpl" + destination = "/etc/nginx/sites-enabled/gitea" + perms = 0660 + command = "systemctl reload nginx" +} diff --git a/consul-template.d/conf/grafana.conf b/consul-template.d/conf/grafana.conf new file mode 100644 index 0000000..28451a5 --- /dev/null +++ b/consul-template.d/conf/grafana.conf @@ -0,0 +1,15 @@ +consul { + address = "localhost:8500" + + retry { + enabled = true + attempts = 12 + backoff = "250ms" + } +} +template { + source = "/etc/consul-template.d/templates/grafana.tmpl" + destination = "/etc/nginx/sites-enabled/grafana" + perms = 0660 + command = "systemctl reload nginx" +} diff --git a/consul-template.d/conf/guacamole.conf b/consul-template.d/conf/guacamole.conf new file mode 100644 index 0000000..a456627 --- /dev/null +++ b/consul-template.d/conf/guacamole.conf @@ -0,0 +1,15 @@ +consul { + address = "localhost:8500" + + retry { + enabled = true + attempts = 12 + backoff = "250ms" + } +} +template { + source = "/etc/consul-template.d/templates/guacamole.tmpl" + destination = "/etc/nginx/sites-enabled/guacamole" + perms = 0660 + command = "systemctl reload nginx" +} diff --git a/consul-template.d/conf/pocket.conf b/consul-template.d/conf/pocket.conf new file mode 100644 index 0000000..01781bf --- /dev/null +++ b/consul-template.d/conf/pocket.conf @@ -0,0 +1,15 @@ +consul { + address = "localhost:8500" + + retry { + enabled = true + attempts = 12 + backoff = "250ms" + } +} +template { + source = "/etc/consul-template.d/templates/pocket.tmpl" + destination = "/etc/nginx/sites-enabled/pocket" + perms = 0660 + command = "systemctl reload nginx" +} diff --git a/consul-template.d/templates/faktory.tmpl b/consul-template.d/templates/faktory.tmpl new file mode 100644 index 0000000..8b1f96b --- /dev/null +++ b/consul-template.d/templates/faktory.tmpl @@ -0,0 +1,46 @@ +server { + listen 443 ssl http2; + server_name faktory.kazu634.com; + + ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt; + ssl_certificate_key /etc/lego/.lego/certificates/_.kazu634.com.key; + ssl_dhparam /etc/lego/dhparams_4096.pem; + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:3m; + ssl_buffer_size 4k; + ssl_session_tickets off; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_stapling on; + ssl_stapling_verify on; + + resolver 8.8.4.4 8.8.8.8 valid=300s; + resolver_timeout 10s; + + # Enable HSTS (HTTP Strict Transport Security) + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + + access_log /var/log/nginx/faktory.access.log ltsv; + error_log /var/log/nginx/faktory.error.log; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + proxy_pass http://faktory/; + } +} + +upstream faktory { +{{ range service "faktory-front" }} + server {{ .Address }}:{{ .Port }}; +{{else}} + server 127.0.0.1:60000; +{{ end }} +} diff --git a/consul-template.d/templates/gitea.tmpl b/consul-template.d/templates/gitea.tmpl new file mode 100644 index 0000000..32c51cb --- /dev/null +++ b/consul-template.d/templates/gitea.tmpl @@ -0,0 +1,54 @@ +server { + listen 443 ssl http2; + server_name gitea.kazu634.com; + + ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt; + ssl_certificate_key /etc/lego/.lego/certificates/_.kazu634.com.key; + ssl_dhparam /etc/lego/dhparams_4096.pem; + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:3m; + ssl_buffer_size 4k; + ssl_session_tickets off; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_stapling on; + ssl_stapling_verify on; + + resolver 8.8.4.4 8.8.8.8 valid=300s; + resolver_timeout 10s; + + # Enable HSTS (HTTP Strict Transport Security) + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + + access_log /var/log/nginx/gitea.access.log ltsv; + error_log /var/log/nginx/gitea.error.log; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + send_timeout 180; + proxy_connect_timeout 600; + proxy_read_timeout 600; + proxy_send_timeout 600; + + client_max_body_size 1024m; + + + location / { + proxy_pass http://gitea/; + } +} + +upstream gitea { +{{ range service "gitea" }} + server {{ .Address }}:{{ .Port }}; +{{else}} + server 127.0.0.1:60000; +{{ end }} +} diff --git a/consul-template.d/templates/grafana.tmpl b/consul-template.d/templates/grafana.tmpl new file mode 100644 index 0000000..2b9c928 --- /dev/null +++ b/consul-template.d/templates/grafana.tmpl @@ -0,0 +1,46 @@ +server { + listen 443 ssl http2; + server_name grafana.kazu634.com; + + ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt; + ssl_certificate_key /etc/lego/.lego/certificates/_.kazu634.com.key; + ssl_dhparam /etc/lego/dhparams_4096.pem; + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:3m; + ssl_buffer_size 4k; + ssl_session_tickets off; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_stapling on; + ssl_stapling_verify on; + + resolver 8.8.4.4 8.8.8.8 valid=300s; + resolver_timeout 10s; + + # Enable HSTS (HTTP Strict Transport Security) + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + + access_log /var/log/nginx/grafana.access.log ltsv; + error_log /var/log/nginx/grafana.error.log; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + proxy_pass http://grafana/; + } +} + +upstream grafana { +{{ range service "grafana" }} + server {{ .Address }}:{{ .Port }}; +{{else}} + server 127.0.0.1:60000; +{{ end }} +} diff --git a/consul-template.d/templates/guacamole.tmpl b/consul-template.d/templates/guacamole.tmpl new file mode 100644 index 0000000..5729032 --- /dev/null +++ b/consul-template.d/templates/guacamole.tmpl @@ -0,0 +1,103 @@ +server { + listen 443 ssl http2; + server_name g.kazu634.com; + + ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt; + ssl_certificate_key /etc/lego/.lego/certificates/_.kazu634.com.key; + ssl_dhparam /etc/lego/dhparams_4096.pem; + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:3m; + ssl_buffer_size 4k; + ssl_session_tickets off; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_stapling on; + ssl_stapling_verify on; + + resolver 8.8.4.4 8.8.8.8 valid=300s; + resolver_timeout 10s; + + # Enable HSTS (HTTP Strict Transport Security) + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + + access_log /var/log/nginx/guacamole.access.log ltsv; + error_log /var/log/nginx/guacamole.error.log; + + send_timeout 180; + proxy_connect_timeout 600; + proxy_read_timeout 600; + proxy_send_timeout 600; + + client_max_body_size 1024m; + + http2_max_field_size 256k; + http2_max_header_size 256k; + + location / { + # oauth2-proxy here: + auth_request /oauth2/auth; + error_page 401 = /oauth2/sign_in; + + auth_request_set $user $upstream_http_x_auth_request_user; + auth_request_set $email $upstream_http_x_auth_request_email; + proxy_set_header X-User $user; + proxy_set_header X-Email $email; + + # if you enabled --pass-access-token, this will pass the token to the backend + auth_request_set $token $upstream_http_x_auth_request_access_token; + proxy_set_header X-Access-Token $token; + + # guacamole here: + proxy_pass http://g/guacamole/; + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + proxy_cookie_path /guacamole/ /; + } + + + location /oauth2/ { + proxy_pass http://127.0.0.1:4181; + + # Configure proxying to auth + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Scheme $scheme; + proxy_set_header X-Auth-Request-Redirect $request_uri; + + proxy_buffering on; + proxy_buffer_size 256k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; + } + + location = /oauth2/auth { + proxy_pass http://127.0.0.1:4181; + + # Configure proxying to auth + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Scheme $scheme; + client_max_body_size "1m"; + + proxy_buffering on; + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; + } +} + +upstream g { +{{ range service "guacamole-guacamole" }} + server {{ .Address }}:{{ .Port }}; +{{else}} + server 127.0.0.1:60000; +{{ end }} +} diff --git a/consul-template.d/templates/pocket.tmpl b/consul-template.d/templates/pocket.tmpl new file mode 100644 index 0000000..760acbd --- /dev/null +++ b/consul-template.d/templates/pocket.tmpl @@ -0,0 +1,46 @@ +server { + listen 443 ssl http2; + server_name pocket.kazu634.com; + + ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt; + ssl_certificate_key /etc/lego/.lego/certificates/_.kazu634.com.key; + ssl_dhparam /etc/lego/dhparams_4096.pem; + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:3m; + ssl_buffer_size 4k; + ssl_session_tickets off; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_stapling on; + ssl_stapling_verify on; + + resolver 8.8.4.4 8.8.8.8 valid=300s; + resolver_timeout 10s; + + # Enable HSTS (HTTP Strict Transport Security) + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + + access_log /var/log/nginx/pocket.access.log ltsv; + error_log /var/log/nginx/pocket.error.log; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + proxy_pass http://pocket; + } +} + +upstream pocket { +{{ range service "archive-article" }} + server {{ .Address }}:{{ .Port }}; +{{else}} + server 127.0.0.1:60000; +{{ end }} +} diff --git a/deploy.sh b/deploy.sh new file mode 100755 index 0000000..95938f0 --- /dev/null +++ b/deploy.sh @@ -0,0 +1,23 @@ +#!/bin/bash + +set -e + +CUR=`pwd` + +for CONF in `find ${CUR}/sites-available/ -type f` ; do + ln -f -s ${CONF} /etc/nginx/sites-enabled/ +done + +for CONF in `find ${CUR}/stream-available/ -type f` ; do + ln -f -s ${CONF} /etc/nginx/sites-enabled/ +done + +for CONF in `find ${CUR}/consul-template.d/conf/ -type f -name "*.conf"` ; do + ln -f -s ${CONF} /etc/consul-template.d/conf/ +done + +for TMPL in `find ${CUR}/consul-template.d/templates/ -type f -name "*.tmpl"` ; do + ln -f -s ${TMPL} /etc/consul-template.d/templates/ +done + +exit 0 diff --git a/sites-available/blog b/sites-available/blog new file mode 100644 index 0000000..291c93f --- /dev/null +++ b/sites-available/blog @@ -0,0 +1,98 @@ +server { + # allow access from localhost + listen 80 reuseport backlog=1024; + listen 443 ssl http2 backlog=1024; + server_name blog.kazu634.com; + + ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt; + ssl_certificate_key /etc/lego/.lego/certificates/_.kazu634.com.key; + ssl_dhparam /etc/lego/dhparams_4096.pem; + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:3m; + ssl_buffer_size 4k; + ssl_session_tickets off; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_stapling on; + ssl_stapling_verify on; + + resolver 8.8.4.4 8.8.8.8 valid=300s; + resolver_timeout 10s; + + # Enable HSTS (HTTP Strict Transport Security) + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + + root /var/www/blog; + index index.html index.htm; + + access_log /var/log/nginx/blog.access.log ltsv; + error_log /var/log/nginx/blog.error.log; + + location / { + # http2 server push: + http2_push_preload on; + + http2_push /apple-touch-icon.png; + http2_push /lib/normalize/normalize.min.css; + http2_push /css/style.min.css; + http2_push /lib/lightgallery/lightgallery.min.css; + http2_push /lib/katex/katex.min.css; + http2_push /lib/katex/copy-tex.min.css; + http2_push /lib/mapbox-gl/mapbox-gl.min.css; + http2_push /lib/smooth-scroll/smooth-scroll.min.js; + http2_push /lib/lazysizes/lazysizes.min.js; + http2_push /lib/twemoji/twemoji.min.js; + http2_push /lib/lightgallery/lightgallery.min.js; + http2_push /lib/lightgallery/lg-zoom.min.js; + http2_push /lib/clipboard/clipboard.min.js; + http2_push /lib/sharer/sharer.min.js; + http2_push /lib/katex/katex.min.js; + http2_push /lib/katex/auto-render.min.js; + http2_push /lib/katex/copy-tex.min.js; + http2_push /lib/katex/mhchem.min.js; + http2_push /js/theme.min.js; + http2_push https://embedr.flickr.com/assets/client-code.js; + http2_push https://platform.twitter.com/widgets.js; + + if (-e "/tmp/maintenance") { + return 503; + } + + location /feed { + return 301 http://blog.kazu634.com/index.xml; + } + + location /wp-content { + return 404; + } + + location ~* \.css { + gzip_static always; + + expires max; + } + + location ~* \.js { + gzip_static always; + + expires max; + } + + location /images { + gzip_static always; + + expires max; + } + + location = /favicon.ico { + access_log off; + empty_gif; + expires max; + } + + try_files $uri $uri/ /index.html; + } +} diff --git a/sites-available/blog-staging b/sites-available/blog-staging new file mode 100644 index 0000000..9600e71 --- /dev/null +++ b/sites-available/blog-staging @@ -0,0 +1,117 @@ +server { + # allow access from localhost + listen 443 ssl http2; + server_name test.kazu634.com; + + ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt; + ssl_certificate_key /etc/lego/.lego/certificates/_.kazu634.com.key; + ssl_dhparam /etc/lego/dhparams_4096.pem; + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:3m; + ssl_buffer_size 4k; + ssl_session_tickets off; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_stapling on; + ssl_stapling_verify on; + + resolver 8.8.4.4 8.8.8.8 valid=300s; + resolver_timeout 10s; + + # Enable HSTS (HTTP Strict Transport Security) + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + + root /var/www/test; + index index.html index.htm; + + access_log /var/log/nginx/stag.access.log ltsv; + error_log /var/log/nginx/stag.error.log; + + http2_max_field_size 256k; + http2_max_header_size 256k; + + location /oauth2/ { + proxy_pass http://127.0.0.1:4180; + + # Configure proxying to auth + # proxy_pass_request_body off; + # proxy_set_header Content-Length ""; + proxy_set_header Host $host; + # proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + # proxy_set_header X-Original-Method $request_method; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Scheme $scheme; + proxy_set_header X-Auth-Request-Redirect $request_uri; + # proxy_http_version 1.1; + # proxy_ssl_server_name on; + # proxy_pass_request_headers on; + # client_max_body_size "1m"; + + proxy_buffering on; + proxy_buffer_size 256k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; + } + + location = /oauth2/auth { + proxy_pass http://127.0.0.1:4180; + + # Configure proxying to auth + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + proxy_set_header Host $host; + # proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + # proxy_set_header X-Original-Method $request_method; + # proxy_set_header X-Auth-Request-Redirect $request_uri; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Scheme $scheme; + client_max_body_size "1m"; + + proxy_buffering on; + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; + } + + location / { + auth_request /oauth2/auth; + error_page 401 = /oauth2/sign_in; + + try_files $uri $uri/ /index.html; + + auth_request_set $user $upstream_http_x_auth_request_user; + auth_request_set $email $upstream_http_x_auth_request_email; + proxy_set_header X-User $user; + proxy_set_header X-Email $email; + + # if you enabled --pass-access-token, this will pass the token to the backend + auth_request_set $token $upstream_http_x_auth_request_access_token; + proxy_set_header X-Access-Token $token; + + # if you enabled --cookie-refresh, this is needed for it to work with auth_request + auth_request_set $auth_cookie $upstream_http_set_cookie; + add_header Set-Cookie $auth_cookie; + + # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb + # limit and so the OAuth2 Proxy splits these into multiple parts. + # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response, + # so if your cookies are larger than 4kb, you will need to extract additional cookies manually. + auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1; + + # Extract the Cookie attributes from the first Set-Cookie header and append them + # to the second part ($upstream_cookie_* variables only contain the raw cookie content) + if ($auth_cookie ~* "(; .*)") { + set $auth_cookie_name_0 $auth_cookie; + set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1"; + } + + # Send both Set-Cookie headers now if there was a second part + if ($auth_cookie_name_upstream_1) { + add_header Set-Cookie $auth_cookie_name_0; + add_header Set-Cookie $auth_cookie_name_1; + } + } +} diff --git a/sites-available/default b/sites-available/default new file mode 100644 index 0000000..2aea57b --- /dev/null +++ b/sites-available/default @@ -0,0 +1,9 @@ +# Denies the access without the pre-defined virtual host. +server { + listen 80 default_server; + server_name _; + + location / { + return 444; + } +} diff --git a/sites-available/drone b/sites-available/drone new file mode 100644 index 0000000..9c0ff29 --- /dev/null +++ b/sites-available/drone @@ -0,0 +1,38 @@ +server { + listen 443 ssl http2; + server_name drone.kazu634.com; + + ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt; + ssl_certificate_key /etc/lego/.lego/certificates/_.kazu634.com.key; + ssl_dhparam /etc/lego/dhparams_4096.pem; + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:3m; + ssl_buffer_size 4k; + ssl_session_tickets off; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_stapling on; + ssl_stapling_verify on; + + resolver 8.8.4.4 8.8.8.8 valid=300s; + resolver_timeout 10s; + + # Enable HSTS (HTTP Strict Transport Security) + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + + access_log /var/log/nginx/drone.access.log ltsv; + error_log /var/log/nginx/drone.error.log; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + location / { + proxy_pass http://192.168.10.245/; + } +} diff --git a/sites-available/minio b/sites-available/minio new file mode 100644 index 0000000..fc44a9c --- /dev/null +++ b/sites-available/minio @@ -0,0 +1,42 @@ +server { + listen 443 ssl http2; + server_name minio.kazu634.com; + + ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt; + ssl_certificate_key /etc/lego/.lego/certificates/_.kazu634.com.key; + ssl_dhparam /etc/lego/dhparams_4096.pem; + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:3m; + ssl_buffer_size 4k; + ssl_session_tickets off; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_stapling on; + ssl_stapling_verify on; + + resolver 8.8.4.4 8.8.8.8 valid=300s; + resolver_timeout 10s; + + # Enable HSTS (HTTP Strict Transport Security) + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + + access_log /var/log/nginx/minio.access.log ltsv; + error_log /var/log/nginx/minio.error.log; + + proxy_buffering off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + ignore_invalid_headers off; + client_max_body_size 0; + + location / { + proxy_pass http://192.168.10.200:9000/; + } +}