diff --git a/Nginx/Server Blocks/ats.libraryofcode.org.conf b/Nginx/Server Blocks/ats.libraryofcode.org.conf new file mode 100644 index 0000000..448ad73 --- /dev/null +++ b/Nginx/Server Blocks/ats.libraryofcode.org.conf @@ -0,0 +1,23 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name ats.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + root /var/www/opencats; + + index index.html index.htm index.php; + + location / { + try_files $uri $uri/ =404; + } + + location ~ \.php$ { + include snippets/fastcgi-php.conf; + fastcgi_pass unix:/run/php/php7.0-fpm.sock; + fastcgi_param HTACCESS on; + proxy_read_timeout 800; + } +} diff --git a/Nginx/Server Blocks/bin.libraryofcode.org.conf b/Nginx/Server Blocks/bin.libraryofcode.org.conf index 82ca340..038350a 100644 --- a/Nginx/Server Blocks/bin.libraryofcode.org.conf +++ b/Nginx/Server Blocks/bin.libraryofcode.org.conf @@ -6,16 +6,6 @@ server { ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate_key /etc/nginx/ssl/org.key.pem; - ssl_session_cache builtin:1000 shared:SSL:10m; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - root /var/binary; location / { autoindex on; diff --git a/Nginx/Server Blocks/board.ins.conf b/Nginx/Server Blocks/board.ins.conf index ebc1a33..d88aad5 100644 --- a/Nginx/Server Blocks/board.ins.conf +++ b/Nginx/Server Blocks/board.ins.conf 
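Review bot: `proxy_read_timeout 800;` in the `location ~ \.php$` block of the new ats.libraryofcode.org.conf has no effect on the FastCGI connection it sits next to; that directive only governs `proxy_pass`, so PHP requests still hit the `fastcgi_read_timeout` default of 60s. If the long timeout is intended for OpenCATS, replace the line with `fastcgi_read_timeout 800;`. The file also carries no `ssl_protocols`/`ssl_ciphers`, so like the rest of this commit it depends on the http-level settings being correct. Whether snippets/fastcgi-php.conf on this host guards against path-info tricks with `try_files $fastcgi_script_name =404;` cannot be seen here; if it does not, add that line to the PHP location.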
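Review bot: The bin.libraryofcode.org.conf hunk deletes `ssl_protocols TLSv1.2;`, the `ssl_ciphers` list, `ssl_prefer_server_ciphers on;`, `ssl_session_cache` and both `ssl_stapling` directives, and nothing in the diff re-introduces them; unless the http{} context in nginx.conf (not shown) now carries them, every vhost falls back to nginx defaults, which in releases before 1.23.4 still negotiate TLSv1 and TLSv1.1 and which leave OCSP stapling off. The same removal is in every other server block touched by this commit (board.ins, certapi, cloud, comm, confluence, content, crs.ins, data.ins, directory, dns, docker, drive, eds, edu, firewall.ins, forms and gocrypt), so this note applies to all of them. If the intent is centralisation, the commit should include the http-level block, at minimum `ssl_protocols TLSv1.2 TLSv1.3;` together with the cipher list and `ssl_prefer_server_ciphers on;`, so the hardening is reviewable in the same change; otherwise keep the directives per server.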
@@ -6,22 +6,6 @@ server { ssl_certificate /etc/nginx/ssl/board-ins.chain.crt; ssl_certificate_key /etc/nginx/ssl/board-ins.key.pem; - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - - #limit_req zone=one burst=15; location / { proxy_set_header Host $host; diff --git a/Nginx/Server Blocks/certapi.libraryofcode.org.conf b/Nginx/Server Blocks/certapi.libraryofcode.org.conf index 3eda767..60ba00d 100644 --- a/Nginx/Server Blocks/certapi.libraryofcode.org.conf +++ b/Nginx/Server Blocks/certapi.libraryofcode.org.conf @@ -6,22 +6,6 @@ server { ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate_key /etc/nginx/ssl/org.key.pem; - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - - #limit_req zone=one burst=15; location / { proxy_set_header Host $host; diff --git a/Nginx/Server Blocks/cloud.libraryofcode.org.conf b/Nginx/Server Blocks/cloud.libraryofcode.org.conf index 259e5ac..2b511eb 100644 --- a/Nginx/Server Blocks/cloud.libraryofcode.org.conf 
+++ b/Nginx/Server Blocks/cloud.libraryofcode.org.conf @@ -6,24 +6,6 @@ server { ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate_key /etc/nginx/ssl/org.key.pem; - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - client_max_body_size 1G; - #limit_req zone=one burst=15; - - location / { return 307 $scheme://www.libraryofcode.org/; } diff --git a/Nginx/Server Blocks/comm.libraryofcode.org.conf b/Nginx/Server Blocks/comm.libraryofcode.org.conf index c6cb42e..4e71fae 100644 --- a/Nginx/Server Blocks/comm.libraryofcode.org.conf +++ b/Nginx/Server Blocks/comm.libraryofcode.org.conf @@ -6,22 +6,6 @@ server { ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate_key /etc/nginx/ssl/org.key.pem; - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - - #limit_req zone=one burst=15; location / { proxy_set_header Host $host; 
diff --git a/Nginx/Server Blocks/confluence.libraryofcode.org.conf b/Nginx/Server Blocks/confluence.libraryofcode.org.conf index a4fdbeb..615a02a 100644 --- a/Nginx/Server Blocks/confluence.libraryofcode.org.conf +++ b/Nginx/Server Blocks/confluence.libraryofcode.org.conf @@ -6,22 +6,6 @@ server { ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate_key /etc/nginx/ssl/org.key.pem; - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - - #limit_req zone=one burst=15; location / { proxy_set_header Host $host; diff --git a/Nginx/Server Blocks/content.libraryofcode.org.conf b/Nginx/Server Blocks/content.libraryofcode.org.conf index b78f26d..0e8bb52 100644 --- a/Nginx/Server Blocks/content.libraryofcode.org.conf +++ b/Nginx/Server Blocks/content.libraryofcode.org.conf @@ -6,17 +6,8 @@ server { ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate_key /etc/nginx/ssl/org.key.pem; - ssl_session_cache builtin:1000 shared:SSL:10m; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - root /var/www/content; + location / { autoindex on; } diff --git a/Nginx/Server Blocks/crs.ins.conf b/Nginx/Server Blocks/crs.ins.conf index 37e7499..bb087ef 100644 
--- a/Nginx/Server Blocks/crs.ins.conf +++ b/Nginx/Server Blocks/crs.ins.conf @@ -1,42 +1,26 @@ -server { - listen 10.8.0.1:443 ssl http2; - #listen [::]:443 ssl http2; - server_name cr.ins; - - ssl_certificate /etc/nginx/ssl/cr-ins.chain.crt; - ssl_certificate_key /etc/nginx/ssl/cr-ins.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - - #limit_req zone=one burst=15; - location / { - - proxy_set_header Host $host; - - proxy_set_header X-Real-IP $remote_addr; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_pass http://10.8.0.1:3891; - - proxy_read_timeout 90; - - proxy_redirect http://10.8.0.1:3891 https://cr.ins; - - } -} \ No newline at end of file +server { + listen 10.8.0.1:443 ssl http2; + #listen [::]:443 ssl http2; + server_name cr.ins; + + ssl_certificate /etc/nginx/ssl/cr-ins.chain.crt; + ssl_certificate_key /etc/nginx/ssl/cr-ins.key.pem; + + location / { + + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_pass http://10.8.0.1:3891; + + proxy_read_timeout 90; + + proxy_redirect http://10.8.0.1:3891 https://cr.ins; + + } +} diff --git a/Nginx/Server Blocks/data.ins.conf b/Nginx/Server Blocks/data.ins.conf index fa3baff..3032710 100644 --- a/Nginx/Server Blocks/data.ins.conf +++ b/Nginx/Server Blocks/data.ins.conf 
@@ -1,44 +1,28 @@ -server { - listen 10.8.0.1:443 ssl http2; - #listen [::]:443 ssl http2; - server_name data.ins; - - ssl_certificate /etc/nginx/ssl/data-ins.chain.crt; - ssl_certificate_key /etc/nginx/ssl/data-ins.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - - #limit_req zone=one burst=15; - location / { - - proxy_set_header Host $host; - - proxy_set_header X-Real-IP $remote_addr; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_set_header X-Frame-Options SAMEORIGIN; - - proxy_pass http://10.8.0.1:19999; - - proxy_read_timeout 90; - - proxy_redirect http://10.8.0.1:19999 https://data.ins; - - } -} \ No newline at end of file +server { + listen 10.8.0.1:443 ssl http2; + #listen [::]:443 ssl http2; + server_name data.ins; + + ssl_certificate /etc/nginx/ssl/data-ins.chain.crt; + ssl_certificate_key /etc/nginx/ssl/data-ins.key.pem; + + location / { + + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_set_header X-Frame-Options SAMEORIGIN; + + proxy_pass http://10.8.0.1:19999; + + proxy_read_timeout 90; + + proxy_redirect http://10.8.0.1:19999 https://data.ins; + + } +} diff --git a/Nginx/Server Blocks/directory.libraryofcode.org.conf b/Nginx/Server Blocks/directory.libraryofcode.org.conf index 1ce9d25..6ee19da 100644 
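Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;` on the new side of data.ins.conf sets a request header towards the 10.8.0.1:19999 backend rather than a response header to the browser, so it gives no clickjacking protection to the proxied site. The directive that does is `add_header X-Frame-Options SAMEORIGIN always;` placed in the same location block. The identical line is carried into docker.libraryofcode.org.conf, drive.libraryofcode.org.conf, eds.libraryofcode.org.conf and firewall.ins.conf in this commit and should be corrected there too.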
--- a/Nginx/Server Blocks/directory.libraryofcode.org.conf +++ b/Nginx/Server Blocks/directory.libraryofcode.org.conf @@ -1,21 +1,11 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name directory.libraryofcode.org; - - ssl_certificate /etc/nginx/ssl/org.chain.crt; - ssl_certificate_key /etc/nginx/ssl/org.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - - root /var/www/int; - index index.html; -} \ No newline at end of file +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name directory.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + root /var/www/int; + index index.html; +} diff --git a/Nginx/Server Blocks/dns.libraryofcode.org.conf b/Nginx/Server Blocks/dns.libraryofcode.org.conf index 15248b5..353e611 100644 --- a/Nginx/Server Blocks/dns.libraryofcode.org.conf +++ b/Nginx/Server Blocks/dns.libraryofcode.org.conf 
@@ -1,52 +1,47 @@ -server { - listen 10.8.0.1:443 ssl http2; - server_name dns.ins; - - ssl_certificate /etc/nginx/ssl/dns.chain.crt; - ssl_certificate_key /etc/nginx/ssl/dns.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - ssl_protocols TLSv1.2; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - index index.html index.htm index.php; - root /opt/powerdns-admin; - access_log /var/log/nginx/powerdns-admin.local.access.log combined; - error_log /var/log/nginx/powerdns-admin.local.error.log; - - client_max_body_size 10m; - client_body_buffer_size 128k; - proxy_redirect off; - proxy_connect_timeout 90; - proxy_send_timeout 90; - proxy_read_timeout 90; - proxy_buffers 32 4k; - proxy_buffer_size 8k; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_headers_hash_bucket_size 64; - - location ~ ^/static/ { - include /etc/nginx/mime.types; - root /opt/powerdns-admin/powerdnsadmin; - - location ~* \.(jpg|jpeg|png|gif)$ { - expires 365d; - } - - location ~* ^.+.(css|js)$ { - expires 7d; - } - } - - location / { - proxy_pass http://unix:/run/powerdns-admin/socket; - proxy_read_timeout 120; - proxy_connect_timeout 120; - proxy_redirect off; - } - -} \ No newline at end of file +server { + listen 10.8.0.1:443 ssl http2; + server_name dns.ins; + + ssl_certificate /etc/nginx/ssl/dns.chain.crt; + ssl_certificate_key /etc/nginx/ssl/dns.key.pem; + + + index index.html index.htm index.php; + root /opt/powerdns-admin; + access_log /var/log/nginx/powerdns-admin.local.access.log combined; + error_log /var/log/nginx/powerdns-admin.local.error.log; + + client_max_body_size 10m; + client_body_buffer_size 128k; + proxy_redirect off; + proxy_connect_timeout 90; + 
proxy_send_timeout 90; + proxy_read_timeout 90; + proxy_buffers 32 4k; + proxy_buffer_size 8k; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_headers_hash_bucket_size 64; + + location ~ ^/static/ { + include /etc/nginx/mime.types; + root /opt/powerdns-admin/powerdnsadmin; + + location ~* \.(jpg|jpeg|png|gif)$ { + expires 365d; + } + + location ~* ^.+.(css|js)$ { + expires 7d; + } + } + + location / { + proxy_pass http://unix:/run/powerdns-admin/socket; + proxy_read_timeout 120; + proxy_connect_timeout 120; + proxy_redirect off; + } + +} diff --git a/Nginx/Server Blocks/docker.libraryofcode.org.conf b/Nginx/Server Blocks/docker.libraryofcode.org.conf index db79b9b..25e1843 100644 --- a/Nginx/Server Blocks/docker.libraryofcode.org.conf +++ b/Nginx/Server Blocks/docker.libraryofcode.org.conf 
@@ -1,44 +1,30 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name docker.libraryofcode.org; - - ssl_certificate /etc/nginx/ssl/org.chain.crt; - ssl_certificate_key /etc/nginx/ssl/org.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - client_max_body_size 1G; - #limit_req zone=one burst=15; - location / { - - proxy_set_header Host $host; - - proxy_set_header X-Real-IP $remote_addr; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_set_header X-Frame-Options SAMEORIGIN; - - proxy_pass http://localhost:5000; - - proxy_read_timeout 90; - - proxy_redirect http://localhost:5000 https://docker.libraryofcode.org; - - } -} \ No newline at end of file +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name docker.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + client_max_body_size 1G; + + location / { + + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_set_header X-Frame-Options SAMEORIGIN; + + proxy_pass http://localhost:5000; + + proxy_read_timeout 90; + + proxy_redirect http://localhost:5000 https://docker.libraryofcode.org; + + } +} 
diff --git a/Nginx/Server Blocks/drive.libraryofcode.org.conf b/Nginx/Server Blocks/drive.libraryofcode.org.conf
index 4259361..6d60d97 100644
--- a/Nginx/Server Blocks/drive.libraryofcode.org.conf
+++ b/Nginx/Server Blocks/drive.libraryofcode.org.conf
@@ -1,44 +1,30 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name drive.libraryofcode.org; - - ssl_certificate /etc/nginx/ssl/org.chain.crt; - ssl_certificate_key /etc/nginx/ssl/org.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - client_max_body_size 1G; - #limit_req zone=one burst=15; - location / { - - proxy_set_header Host $host; - - proxy_set_header X-Real-IP $remote_addr; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_set_header X-Frame-Options SAMEORIGIN; - - proxy_pass http://localhost:5608; - - proxy_read_timeout 90; - - proxy_redirect http://localhost:5608 https://drive.libraryofcode.org; - - } -} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name drive.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + client_max_body_size 1G; + + location / { + + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_set_header X-Frame-Options SAMEORIGIN; + + proxy_pass http://localhost:5608; + + proxy_read_timeout 90; + + proxy_redirect http://localhost:5608 https://drive.libraryofcode.org; + + } +} 
diff --git a/Nginx/Server Blocks/eds.libraryofcode.org.conf b/Nginx/Server Blocks/eds.libraryofcode.org.conf
index c174ac3..aed9035 100644
--- a/Nginx/Server Blocks/eds.libraryofcode.org.conf
+++ b/Nginx/Server Blocks/eds.libraryofcode.org.conf
@@ -1,44 +1,31 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name eds.libraryofcode.org; - - ssl_certificate /etc/nginx/ssl/org.chain.crt; - ssl_certificate_key /etc/nginx/ssl/org.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - - #limit_req zone=one burst=15; - location / { - - proxy_set_header Host $host; - - proxy_set_header X-Real-IP $remote_addr; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_set_header X-Frame-Options SAMEORIGIN; - - proxy_pass http://localhost:7101; - - proxy_read_timeout 90; - - proxy_redirect http://localhost:7101 https://eds.libraryofcode.org; - - } -} \ No newline at end of file +upstream eds-backend { + server localhost:7101; + server node2.libraryofcode.org:7101 baackup; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name eds.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + location / { + + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_set_header X-Frame-Options SAMEORIGIN; + + proxy_pass http://eds-backend; + + proxy_read_timeout 90; + + } +} 
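Review bot: `server node2.libraryofcode.org:7101 baackup;` in the new `upstream eds-backend` block misspells the `backup` parameter, which nginx rejects as an invalid parameter at `nginx -t`, so this file will stop the configuration from loading; the line should read `server node2.libraryofcode.org:7101 backup;`. Once fixed, note that failover traffic to node2 travels over plain HTTP on port 7101 to another host, carrying the forwarded Host, X-Real-IP and X-Forwarded-For headers and any client cookies; if that path is not a private or tunnelled link, the hop should be encrypted or the backup dropped. The old `proxy_redirect http://localhost:7101 ...` line is removed and not replaced, so Location headers from the backend are now rewritten only by the default rule for the upstream name, which may not cover redirects that name localhost:7101 — worth confirming against the application.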
diff --git a/Nginx/Server Blocks/edu.libraryofcode.org.conf b/Nginx/Server Blocks/edu.libraryofcode.org.conf index cc5c3d8..44cb390 100644 --- a/Nginx/Server Blocks/edu.libraryofcode.org.conf +++ b/Nginx/Server Blocks/edu.libraryofcode.org.conf @@ -1,32 +1,23 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name edu.libraryofcode.org; - - ssl_certificate /etc/nginx/ssl/org.chain.crt; - ssl_certificate_key /etc/nginx/ssl/org.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - - root /opt/canvas/public; - charset utf-8; - include mime.types; - client_max_body_size 5000M; - default_type application/octet-stream; - access_log /var/log/nginx/canvas.access.log; - error_log /var/log/nginx/canvas.error.log; - passenger_ruby /usr/local/bin/ruby2.4; - passenger_load_shell_envvars off; - #passenger_log_level 4; - passenger_start_timeout 300; - passenger_enabled on; - rails_env production; -} \ No newline at end of file +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name edu.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + + root /opt/canvas/public; + charset utf-8; + include mime.types; + client_max_body_size 5000M; + default_type application/octet-stream; + access_log /var/log/nginx/canvas.access.log; + error_log /var/log/nginx/canvas.error.log; + passenger_ruby /usr/local/bin/ruby2.4; + passenger_load_shell_envvars off; + #passenger_log_level 4; + passenger_start_timeout 300; + passenger_enabled on; + rails_env production; +} 
diff --git a/Nginx/Server Blocks/firewall.ins.conf b/Nginx/Server Blocks/firewall.ins.conf
index 55f85ea..a868e12 100644
--- a/Nginx/Server Blocks/firewall.ins.conf
+++ b/Nginx/Server Blocks/firewall.ins.conf
@@ -1,44 +1,28 @@ -server { - listen 10.8.0.1:443 ssl http2; - #listen [::]:443 ssl http2; - server_name firewall.ins; - - ssl_certificate /etc/nginx/ssl/firewall-ins.chain.crt; - ssl_certificate_key /etc/nginx/ssl/firewall-ins.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - - #limit_req zone=one burst=15; - location / { - - proxy_set_header Host $host; - - proxy_set_header X-Real-IP $remote_addr; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_set_header X-Frame-Options SAMEORIGIN; - - proxy_pass http://192.168.56.1:80; - - proxy_read_timeout 90; - - proxy_redirect http://192.168.56.1:80 https://firewall.ins; - - } -} \ No newline at end of file +server { + listen 10.8.0.1:443 ssl http2; + #listen [::]:443 ssl http2; + server_name firewall.ins; + + ssl_certificate /etc/nginx/ssl/firewall-ins.chain.crt; + ssl_certificate_key /etc/nginx/ssl/firewall-ins.key.pem; + + location / { + + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_set_header X-Frame-Options SAMEORIGIN; + + proxy_pass http://192.168.56.1:80; + + proxy_read_timeout 90; + + proxy_redirect http://192.168.56.1:80 https://firewall.ins; + + } +} 
diff --git a/Nginx/Server Blocks/forms.libraryofcode.org.conf b/Nginx/Server Blocks/forms.libraryofcode.org.conf index debf91d..b063408 100644 --- a/Nginx/Server Blocks/forms.libraryofcode.org.conf +++ b/Nginx/Server Blocks/forms.libraryofcode.org.conf @@ -1,18 +1,12 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name forms.libraryofcode.org; - ssl_certificate /etc/nginx/ssl/org.chain.crt; - - ssl_certificate_key /etc/nginx/ssl/org.key.pem; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_dhparam /etc/nginx/dhparam.pem; - ssl_ecdh_curve secp384r1; - - root /var/www/forms; - rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent; - try_files $uri.html $uri/ $uri =404; -} \ No newline at end of file +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name forms.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + root /var/www/forms; + rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent; + try_files $uri.html $uri/ $uri =404; +} diff --git a/Nginx/Server Blocks/gitlab.libraryofcode.org.conf b/Nginx/Server Blocks/gitlab.libraryofcode.org.conf index 85dc29d..36cf2f2 100644 --- a/Nginx/Server Blocks/gitlab.libraryofcode.org.conf +++ b/Nginx/Server Blocks/gitlab.libraryofcode.org.conf 
@@ -1,74 +1,74 @@ upstream gitlab-workhorse { - server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0; + server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0; } ## HTTPS host server { - listen 0.0.0.0:443 ssl http2; - listen [::]:443 ipv6only=on ssl http2; - server_name gitlab.libraryofcode.org; ## Replace this with something like gitlab.example.com - root /opt/gitlab/embedded/service/gitlab-rails/public; + listen 0.0.0.0:443 ssl http2; + listen [::]:443 ipv6only=on ssl http2; + server_name gitlab.libraryofcode.org; ## Replace this with something like gitlab.example.com + root /opt/gitlab/embedded/service/gitlab-rails/public; - ## Strong SSL Security - ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ - ssl on; - ssl_certificate /etc/nginx/ssl/org.chain.crt; - ssl_certificate_key /etc/nginx/ssl/org.key.pem; + ## Strong SSL Security + ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ + ssl on; + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; - # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs - #ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_protocols TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 5m; + # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs + 
#ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_protocols TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 5m; - ## See app/controllers/application_controller.rb for headers set + ## See app/controllers/application_controller.rb for headers set - ## [Optional] Enable HTTP Strict Transport Security - ## HSTS is a feature improving protection against MITM attacks - ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/ - add_header Strict-Transport-Security "max-age=31536000; preload"; + ## [Optional] Enable HTTP Strict Transport Security + ## HSTS is a feature improving protection against MITM attacks + ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/ + add_header Strict-Transport-Security "max-age=31536000; preload"; - ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. - ## Replace with your ssl_trusted_certificate. 
For more info see: - ## - https://medium.com/devops-programming/4445f4862461 - ## - https://www.ruby-forum.com/topic/4419319 - ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx - # ssl_stapling on; - # ssl_stapling_verify on; - # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; - # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired - # resolver_timeout 5s; + ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. + ## Replace with your ssl_trusted_certificate. For more info see: + ## - https://medium.com/devops-programming/4445f4862461 + ## - https://www.ruby-forum.com/topic/4419319 + ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx + # ssl_stapling on; + # ssl_stapling_verify on; + # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; + # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired + # resolver_timeout 5s; - ## [Optional] Generate a stronger DHE parameter: - ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 - ## - ssl_dhparam /etc/nginx/dhparam.pem; - ssl_ecdh_curve secp384r1; + ## [Optional] Generate a stronger DHE parameter: + ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 + ## + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_ecdh_curve secp384r1; - ## Individual nginx logs for this GitLab vhost - access_log /var/log/nginx/gitlab_access.log; - error_log /var/log/nginx/gitlab_error.log; + ## Individual nginx logs for this GitLab vhost + access_log /var/log/nginx/gitlab_access.log; + error_log /var/log/nginx/gitlab_error.log; - location / { - client_max_body_size 0; - gzip off; + location / { + client_max_body_size 0; + gzip off; - ## https://github.com/gitlabhq/gitlabhq/issues/694 - ## Some requests take more than 30 seconds. 
- proxy_read_timeout 300; - proxy_connect_timeout 300; - proxy_redirect off; + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; - proxy_http_version 1.1; + proxy_http_version 1.1; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Ssl on; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://gitlab-workhorse; - } + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://gitlab-workhorse; + } } diff --git a/Nginx/Server Blocks/gocrypt.libraryofcode.org.conf b/Nginx/Server Blocks/gocrypt.libraryofcode.org.conf index 003b455..1d3caba 100644 --- a/Nginx/Server Blocks/gocrypt.libraryofcode.org.conf +++ b/Nginx/Server Blocks/gocrypt.libraryofcode.org.conf 
@@ -1,29 +1,15 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name gocrypt.libraryofcode.org;
-
-ssl_certificate /etc/nginx/ssl/org.chain.crt;
-ssl_certificate_key /etc/nginx/ssl/org.key.pem;
-
-ssl_session_cache builtin:1000 shared:SSL:10m;
-#include /etc/nginx/error/502;
-#include /etc/nginx/error/504;
-#include /etc/nginx/error/500;
-ssl_protocols TLSv1.2;
-
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-
-ssl_prefer_server_ciphers on;
-
-ssl_stapling on;
-ssl_stapling_verify on;
-
-#limit_req zone=one burst=5;
-root /var/www/gocryptdoc;
-index index.html;
- location / {
- try_files $uri $uri/index.html =404;
-
- }
-}
\ No newline at end of file
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name gocrypt.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ root /var/www/gocryptdoc;
+ index index.html;
+ location / {
+ try_files $uri $uri/index.html =404;
+
+ }
+}
diff --git a/Nginx/Server Blocks/http-redirect.conf b/Nginx/Server Blocks/http-redirect.conf
index a72a53a..d3c2517 100644
--- a/Nginx/Server Blocks/http-redirect.conf
+++ b/Nginx/Server Blocks/http-redirect.conf
@@ -1,7 +1,7 @@
 server {
-listen 80;
+ listen 80;
-return 301 https://$host$request_uri;
+ return 301 https://$host$request_uri;
 }
diff --git a/Nginx/Server Blocks/ins-test.libraryofcode.org.conf b/Nginx/Server Blocks/ins-test.libraryofcode.org.conf
index 23e76b1..5162522 100644
--- a/Nginx/Server Blocks/ins-test.libraryofcode.org.conf
+++ b/Nginx/Server Blocks/ins-test.libraryofcode.org.conf
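Review bot: Nothing in this diff shows where the `ssl_protocols`, `ssl_ciphers`, `ssl_prefer_server_ciphers`, `ssl_session_cache` and `ssl_stapling` lines removed from this vhost now live, so unless they were consolidated into the http{} block of nginx.conf each server falls back to nginx's compiled-in defaults, which depending on the build still enable TLSv1/TLSv1.1 and leave stapling and session caching off. The same removal appears in keys.libraryofcode.org.conf, libraryofcode.org.conf, lists.libraryofcode.org.conf, loc.sh.conf, modmail.ins.conf, pbx.ins.conf and report.libraryofcode.org.conf, and the new keys.ins.conf is created without these directives at all. If a shared policy is the intent, a pointer in each file keeps that auditable, e.g. `# TLS protocol, cipher and stapling policy inherited from http{} in nginx.conf`. Note that ins-test.libraryofcode.org.conf and static.libraryofcode.org.conf still carry their own server-level TLS directives, which take precedence over http-level ones, so they will not pick up any shared policy and should be reconciled with it.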
@@ -1,30 +1,30 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name ins-test.libraryofcode.org; - - ssl_certificate /etc/nginx/ssl/ins-test.chain.crt; - ssl_certificate_key /etc/nginx/ssl/ins-test.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - #ssl_protocols TLSv1.2; - - #ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_protocols TLSv1.2; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify off; - - root /var/www/content; - location / { - autoindex on; - } - location /sec { - autoindex on; - auth_basic "Secure Area"; - auth_basic_user_file /etc/nginx/htpasswd; - } -} \ No newline at end of file +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name ins-test.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/ins-test.chain.crt; + ssl_certificate_key /etc/nginx/ssl/ins-test.key.pem; + + ssl_session_cache builtin:1000 shared:SSL:10m; + #ssl_protocols TLSv1.2; + + #ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_protocols TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers on; + + ssl_stapling on; + ssl_stapling_verify off; + + root 
/var/www/content; + location / { + autoindex on; + } + location /sec { + autoindex on; + auth_basic "Secure Area"; + auth_basic_user_file /etc/nginx/htpasswd; + } +} diff --git a/Nginx/Server Blocks/keys.ins.conf b/Nginx/Server Blocks/keys.ins.conf new file mode 100644 index 0000000..fcb5981 --- /dev/null +++ b/Nginx/Server Blocks/keys.ins.conf @@ -0,0 +1,13 @@ +server { + listen 10.8.0.1:443 ssl http2; + #listen [::]:443 ssl http2; + server_name keys.ins; + + ssl_certificate /etc/nginx/ssl/keys-ins.chain.crt; + ssl_certificate_key /etc/nginx/ssl/keys-ins.key.pem; + + root /var/www/keys; + location / { + autoindex on; + } +} diff --git a/Nginx/Server Blocks/keys.libraryofcode.org.conf b/Nginx/Server Blocks/keys.libraryofcode.org.conf index 256e4c5..814fda9 100644 --- a/Nginx/Server Blocks/keys.libraryofcode.org.conf +++ b/Nginx/Server Blocks/keys.libraryofcode.org.conf 
@@ -1,23 +1,22 @@
-server {
- listen 10.8.0.1:443 ssl http2;
- #listen [::]:443 ssl http2;
- server_name keys.ins;
-
- ssl_certificate /etc/nginx/ssl/keys-ins.chain.crt;
- ssl_certificate_key /etc/nginx/ssl/keys-ins.key.pem;
-
- ssl_session_cache builtin:1000 shared:SSL:10m;
- ssl_protocols TLSv1.2;
-
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-
- ssl_prefer_server_ciphers on;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- root /var/www/keys;
- location / {
- autoindex on;
- }
-}
\ No newline at end of file
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name keys.libraryofcode.org;
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ root /var/www/html/sks;
+ error_page 404 /404.html;
+
+ location ~ (.git|LICENSE|readme.md) {
+ deny all;
+ return 404;
+ }
+
+ location /pks {
+ proxy_pass http://127.0.0.1:11371;
+ proxy_pass_header Server;
+ }
+
+}
diff --git a/Nginx/Server Blocks/libraryofcode.org.conf b/Nginx/Server Blocks/libraryofcode.org.conf
index f33cb6d..b1b4256 100644
--- a/Nginx/Server Blocks/libraryofcode.org.conf
+++ b/Nginx/Server Blocks/libraryofcode.org.conf
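Review bot: `location ~ (.git|LICENSE|readme.md)` in the new keys.libraryofcode.org block is an unanchored, case-sensitive regex in which the unescaped `.` matches any character, so it blocks unrelated paths such as `/legit.html` while letting `/README.md` or a differently-cased `.GIT` path through. Escaping the dots, anchoring to a path boundary and making the match case-insensitive addresses both: `location ~* (^|/)(\.git|LICENSE|readme\.md) {`. The `deny all;` inside it is never reached because `return 404;` runs in the rewrite phase before access checks, so one of the two lines is redundant.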
@@ -1,507 +1,19 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name certificates.libraryofcode.org; - ssl_certificate /etc/nginx/ssl/org.chain.crt; - -ssl_certificate_key /etc/nginx/ssl/org.key.pem; - -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; -ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; -ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; - location / { - -proxy_set_header Host $host; - -proxy_set_header X-Real-IP $remote_addr; - -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -proxy_set_header X-Forwarded-Proto $scheme; - -proxy_pass https://localhost:8080/; - -proxy_read_timeout 90; - -proxy_redirect https://localhost:8080 https://certificates.libraryofcode.org; - - } -} - -#server { -# listen 443 ssl; -# listen [::]:443 ssl; - -# server_name staff.libraryofcode.org; - -# ssl_certificate /etc/nginx/ssl/staff.chain.crt; - -#ssl_certificate_key /etc/nginx/ssl/staff.key.pem; -#ssl_session_cache builtin:1000 shared:SSL:10m; -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; -#ssl_prefer_server_ciphers on; -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; - -#ssl_protocols TLSv1.1 
TLSv1.2; # Dropping SSLv3, ref: POODLE -# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; -# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; -# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; -# location / { - -#proxy_set_header Host $host; - -#proxy_set_header X-Real-IP $remote_addr; - -#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -#proxy_set_header X-Forwarded-Proto $scheme; - -#proxy_pass https://localhost:8082/; - -#proxy_read_timeout 90; - -#proxy_redirect https://localhost:8082 https://staff.libraryofcode.org; - -# } -#} - -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name status.libraryofcode.org; - ssl_certificate /etc/nginx/ssl/org.chain.crt; - -ssl_certificate_key /etc/nginx/ssl/org.key.pem; - -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; - -ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; -ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; - location / { - -proxy_set_header Host $host; - -proxy_set_header X-Real-IP $remote_addr; - -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -proxy_set_header X-Forwarded-Proto $scheme; - -proxy_pass http://localhost:8787; - -proxy_read_timeout 90; - -proxy_redirect http://localhost:8787 https://status.libraryofcode.org; - - } -} - - -#server { - # listen 443 ssl; - # listen [::]:443 ssl; - - # server_name modmail.libraryofcode.org; - # ssl_certificate 
/etc/nginx/ssl/org.chain.crt; - -#ssl_certificate_key /etc/nginx/ssl/org.key.pem; - -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; - -#ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE -# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; - #ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; -#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; -# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; -# location / { - -#proxy_set_header Host $host; - -#proxy_set_header X-Real-IP $remote_addr; - -#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -#proxy_set_header X-Forwarded-Proto $scheme; - -#proxy_pass http://localhost:8001; - -#proxy_read_timeout 90; - -#proxy_redirect http://localhost:8001 https://modmail.libraryofcode.org; - -# } -#} - -#upstream zammad-railsserver { -# server 127.0.0.1:3001; -#} - -#upstream zammad-websocket { -# server 127.0.0.1:6042; -#} - -#server { -# listen 443 ssl http2; -# listen [::]:443 ssl http2; -# - # # replace 'localhost' with your fqdn if you want to use zammad from remote - # server_name support.libraryofcode.org; -# - # root /opt/zammad/public; - - # access_log /var/log/nginx/zammad.access.log; - # error_log /var/log/nginx/zammad.error.log; - - #client_max_body_size 50M; -#ssl_certificate /etc/nginx/ssl/org.chain.crt; - -#ssl_certificate_key /etc/nginx/ssl/org.key.pem; -#ssl_session_cache builtin:1000 shared:SSL:10m; -#ssl_protocols TLSv1.2; -#ssl_ciphers 
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; -#ssl_prefer_server_ciphers on; -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; - -#ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE -# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; -# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; -# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; - - # location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) { - # expires max; - # } - - #location /ws { - # proxy_http_version 1.1; - # proxy_set_header Upgrade $http_upgrade; - # proxy_set_header Connection "Upgrade"; - # proxy_set_header CLIENT_IP $remote_addr; - #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - #proxy_set_header X-Forwarded-Proto $scheme; - #proxy_read_timeout 86400; - #proxy_pass http://zammad-websocket; - #} - - #location / { - # proxy_set_header Host $http_host; - # proxy_set_header CLIENT_IP $remote_addr; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - #proxy_set_header X-Forwarded-Proto $scheme; - #proxy_read_timeout 300; - #proxy_pass http://zammad-railsserver; - - #gzip on; - #gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml; - #gzip_proxied any; - #} -#} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name vault.staff.libraryofcode.org; - ssl_certificate /etc/nginx/ssl/vault.chain.crt; - -ssl_certificate_key /etc/nginx/ssl/vault.key.pem; - -ssl_session_cache builtin:1000 shared:SSL:10m; -ssl_protocols TLSv1.2; - 
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - -ssl_prefer_server_ciphers on; - - location / { - -proxy_set_header Host $host; - -proxy_set_header X-Real-IP $remote_addr; - -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -proxy_set_header X-Forwarded-Proto $scheme; - -proxy_pass http://localhost:8200; - -proxy_read_timeout 90; - -proxy_redirect http://localhost:8200 https://vault.staff.libraryofcode.org; - - } -} - -#upstream gitlab-workhorse { -# server unix:/var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0; -#} - - -## HTTPS host -server { - listen 0.0.0.0:443 ssl http2; - server_name gitlab.libraryofcode.us; ## Replace this with something like gitlab.example.com - root /opt/gitlab/embedded/service/gitlab-rails/public; - - ## Strong SSL Security - ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ - ssl on; - ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; - ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; - - # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs -ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_protocols TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 5m; - - ## See app/controllers/application_controller.rb for headers set - - ## [Optional] Enable HTTP Strict Transport Security - ## HSTS is a feature improving protection against MITM attacks - ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/ - add_header Strict-Transport-Security "max-age=31536000; preload"; - 
- ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. - ## Replace with your ssl_trusted_certificate. For more info see: - ## - https://medium.com/devops-programming/4445f4862461 - ## - https://www.ruby-forum.com/topic/4419319 - ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx - # ssl_stapling on; - # ssl_stapling_verify on; - # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; - # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired - # resolver_timeout 5s; - - ## [Optional] Generate a stronger DHE parameter: - ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 - ## - ssl_dhparam /etc/nginx/dhparam.pem; - ssl_ecdh_curve secp384r1; - - ## Individual nginx logs for this GitLab vhost - access_log /var/log/nginx/gitlab_access.log; - error_log /var/log/nginx/gitlab_error.log; - - location / { - client_max_body_size 0; - gzip off; - - ## https://github.com/gitlabhq/gitlabhq/issues/694 - ## Some requests take more than 30 seconds. 
- proxy_read_timeout 300; - proxy_connect_timeout 300; - proxy_redirect off; - - proxy_http_version 1.1; - - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Ssl on; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://gitlab-workhorse; - } -} - -server { - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; - - server_name www.libraryofcode.org; - ssl_certificate /etc/nginx/ssl/org.chain.crt; -#if ($request_filename ~ /*){ -# rewrite ^/$ https://loc.sh/discord redirect; -#} -ssl_certificate_key /etc/nginx/ssl/org.key.pem; - -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; -ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; -ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_dhparam /etc/nginx/dhparam.pem; - ssl_ecdh_curve secp384r1; -# location / { - -#proxy_set_header Host $host; - -#proxy_set_header X-Real-IP $remote_addr; - -#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -#proxy_set_header X-Forwarded-Proto $scheme; - -#proxy_pass http://localhost:4567; - -#proxy_read_timeout 90; - -#proxy_redirect http://localhost:4567 https://www.libraryofcode.org; - -# } -root /var/www/wordpress; -index index.php; - -location ~ \.php$ { -include snippets/fastcgi-php.conf; -fastcgi_pass unix:/run/php/php7.2-fpm.sock; -} -location / { -try_files $uri $uri/ /index.php?$args; -} -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name ecm.libraryofcode.org; - 
ssl_certificate /etc/nginx/ssl/org.chain.crt; - -ssl_certificate_key /etc/nginx/ssl/org.key.pem; - -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; -ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; -ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_dhparam /etc/nginx/dhparam.pem; - ssl_ecdh_curve secp384r1; - location / { - -proxy_set_header Host $host; - -proxy_set_header X-Real-IP $remote_addr; - -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -proxy_set_header X-Forwarded-Proto $scheme; -proxy_set_header Upgrade $http_upgrade; -proxy_set_header Connection "upgrade"; - -proxy_pass https://localhost:7150; - -proxy_read_timeout 90; - -proxy_redirect https://localhost:7150 https://ecm.libraryofcode.org; - - } -} - - -#server { -# listen 443 ssl http2; -# listen [::]:443 ssl http2; - -# server_name ldap.libraryofcode.org; -# ssl_certificate /etc/nginx/ssl/org.chain.crt; - -#ssl_certificate_key /etc/nginx/ssl/org.key.pem; - -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; -#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE -# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; -#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; -# ssl_dhparam /etc/nginx/dhparam.pem; -# ssl_ecdh_curve 
secp384r1; -#include /etc/ldap-account-manager/nginx.conf; - # location / { - -#proxy_set_header Host $host; - -#proxy_set_header X-Real-IP $remote_addr; - -#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -#proxy_set_header X-Forwarded-Proto $scheme; -#proxy_set_header Upgrade $http_upgrade; -#proxy_set_header Connection "upgrade"; - -#proxy_pass https://localhost:7150; - -#proxy_read_timeout 90; - -#proxy_redirect https://localhost:7150 https://ecm.libraryofcode.org; - - #} -#} - - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name keys.libraryofcode.org; - ssl_certificate /etc/nginx/ssl/org.chain.crt; - root /var/www/html/sks; - error_page 404 /404.html; - - ssl_certificate_key /etc/nginx/ssl/org.key.pem; - ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_dhparam /etc/nginx/dhparam.pem; - ssl_ecdh_curve secp384r1; - location ~ (.git|LICENSE|readme.md) { - deny all; - return 404; - } - - location /pks { - proxy_pass http://127.0.0.1:11371; - proxy_pass_header Server; - } - -} \ No newline at end of file +server { + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2 default_server; + server_name www.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + root /var/www/wordpress; + index index.php; + + location ~ \.php$ { + include snippets/fastcgi-php.conf; + fastcgi_pass unix:/run/php/php7.2-fpm.sock; + } + location / { + try_files $uri $uri/ /index.php?$args; + } +} diff --git a/Nginx/Server Blocks/lists.libraryofcode.org.conf b/Nginx/Server Blocks/lists.libraryofcode.org.conf index 528b785..6258817 100644 
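Review bot: The server blocks removed here for certificates.libraryofcode.org, status.libraryofcode.org, vault.staff.libraryofcode.org, gitlab.libraryofcode.us and ecm.libraryofcode.org do not reappear anywhere in this diff (only the keys.libraryofcode.org block is visibly moved to its own file), so unless they were split into files outside this change those hostnames stop being served. Because the surviving www.libraryofcode.org block is `default_server` on both listeners, a request for any of those names, or for any unknown Host, is answered by the WordPress vhost under the org certificate instead of being refused. A dedicated catch-all server with `return 444;` would keep unmatched names from silently landing on the site; the `ssl_dhparam` and `ssl_ecdh_curve` lines also dropped from the www block should be confirmed to exist at the http level if DHE ciphers remain enabled there.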
--- a/Nginx/Server Blocks/lists.libraryofcode.org.conf +++ b/Nginx/Server Blocks/lists.libraryofcode.org.conf 
@@ -1,47 +1,31 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name lists.libraryofcode.org; - - ssl_certificate /etc/nginx/ssl/org.chain.crt; - ssl_certificate_key /etc/nginx/ssl/org.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - client_max_body_size 1G; - #limit_req zone=one burst=15; - - -location / { - return 307 $scheme://lists.libraryofcode.org/cgi-bin/mailman/listinfo; -} -location /cgi-bin/mailman { - root /usr/lib/; - fastcgi_split_path_info (^/cgi-bin/mailman/[^/]*)(.*)$; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; - fastcgi_intercept_errors on; - fastcgi_pass unix:/var/run/fcgiwrap.socket; -} -location /images/mailman { - alias /usr/share/images/mailman; -} -location /pipermail { - alias /var/lib/mailman/archives/public; - autoindex on; -} -} \ No newline at end of file +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name lists.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + client_max_body_size 1G; + + location / { + return 307 $scheme://lists.libraryofcode.org/cgi-bin/mailman/listinfo; + } + location /cgi-bin/mailman { + root /usr/lib/; + fastcgi_split_path_info (^/cgi-bin/mailman/[^/]*)(.*)$; + include /etc/nginx/fastcgi_params; + 
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; + fastcgi_intercept_errors on; + fastcgi_pass unix:/var/run/fcgiwrap.socket; + } + location /images/mailman { + alias /usr/share/images/mailman; + } + location /pipermail { + alias /var/lib/mailman/archives/public; + autoindex on; + } +} diff --git a/Nginx/Server Blocks/loc.sh.conf b/Nginx/Server Blocks/loc.sh.conf index d3ecae7..8a4d36f 100644 --- a/Nginx/Server Blocks/loc.sh.conf +++ b/Nginx/Server Blocks/loc.sh.conf 
@@ -2,41 +2,26 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name loc.sh; + ssl_certificate /etc/letsencrypt/live/loc.sh-0001/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/loc.sh-0001/privkey.pem; # managed by Certbot - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - - #limit_req zone=one burst=15; location / { - proxy_set_header Host $host; + proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://localhost:3890; + proxy_pass http://localhost:3890; - proxy_read_timeout 90; + proxy_read_timeout 90; - proxy_redirect http://localhost:3890 https://loc.sh; + proxy_redirect http://localhost:3890 https://loc.sh; - } + } -} \ No newline at end of file +} diff --git a/Nginx/Server Blocks/modmail.ins.conf b/Nginx/Server Blocks/modmail.ins.conf index 6245a6b..11be8c5 100644 --- a/Nginx/Server Blocks/modmail.ins.conf +++ b/Nginx/Server Blocks/modmail.ins.conf 
@@ -1,44 +1,28 @@
-server {
- listen 10.8.0.1:443 ssl http2;
- #listen [::]:443 ssl http2;
- server_name modmail.ins;
-
- ssl_certificate /etc/nginx/ssl/modmail-ins.chain.crt;
- ssl_certificate_key /etc/nginx/ssl/modmail-ins.key.pem;
-
- ssl_session_cache builtin:1000 shared:SSL:10m;
- #include /etc/nginx/error/502;
- #include /etc/nginx/error/504;
- #include /etc/nginx/error/500;
- #include /etc/nginx/error/404;
- #include /etc/nginx/error/429;
- ssl_protocols TLSv1.2;
-
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-
- ssl_prefer_server_ciphers on;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- #limit_req zone=one burst=15;
- location / {
-
- proxy_set_header Host $host;
-
- proxy_set_header X-Real-IP $remote_addr;
-
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- proxy_set_header X-Forwarded-Proto $scheme;
-
- proxy_set_header X-Frame-Options SAMEORIGIN;
-
- proxy_pass http://10.8.0.1:5478;
-
- proxy_read_timeout 90;
-
- proxy_redirect http://10.8.0.1:5478 https://modmail.ins;
-
- }
-}
\ No newline at end of file
+server {
+ listen 10.8.0.1:443 ssl http2;
+ #listen [::]:443 ssl http2;
+ server_name modmail.ins;
+
+ ssl_certificate /etc/nginx/ssl/modmail-ins.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/modmail-ins.key.pem;
+
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://10.8.0.1:5478;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://10.8.0.1:5478 https://modmail.ins;
+
+ }
+}
diff --git a/Nginx/Server Blocks/pbx.ins.conf b/Nginx/Server Blocks/pbx.ins.conf
index ea8aff1..80137d2 100644
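Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;` in the new location block sets a header on the request forwarded to 10.8.0.1:5478, not on the response returned to the browser, so it gives the modmail UI no framing protection. The response header is set with `add_header X-Frame-Options SAMEORIGIN;` in the same location. The directive is carried over unchanged from the old side, but since the hunk rewrites the whole block it is the right place to correct it.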
--- a/Nginx/Server Blocks/pbx.ins.conf +++ b/Nginx/Server Blocks/pbx.ins.conf @@ -6,23 +6,8 @@ server { ssl_certificate /etc/nginx/ssl/pbx-ins.chain.crt; ssl_certificate_key /etc/nginx/ssl/pbx-ins.key.pem; - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; client_max_body_size 230M; client_body_timeout 1h; - #limit_req zone=one burst=15; root /var/www/html; index index.html index.htm index.php; @@ -32,9 +17,9 @@ server { } location ~ \.php$ { - include snippets/fastcgi-php.conf; # server defaults are good + include snippets/fastcgi-php.conf; # server defaults are good fastcgi_pass unix:/run/php/php7.3-fpm-asterisk.sock; - fastcgi_param HTACCESS on; # disables FreePBX htaccess warning + fastcgi_param HTACCESS on; # disables FreePBX htaccess warning proxy_read_timeout 800; } @@ -46,4 +31,4 @@ server { # from the api module .htaccess file rewrite ^/admin/api/([^/]*)/([^/]*)/?(.*)?$ /admin/api/api.php?module=$1&command=$2&route=$3 last; -} \ No newline at end of file +} diff --git a/Nginx/Server Blocks/report.libraryofcode.org.conf b/Nginx/Server Blocks/report.libraryofcode.org.conf index 0561179..a040267 100644 --- a/Nginx/Server Blocks/report.libraryofcode.org.conf +++ b/Nginx/Server Blocks/report.libraryofcode.org.conf 
@@ -1,28 +1,18 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name report.libraryofcode.org;
-
- ssl_certificate /etc/nginx/ssl/org.chain.crt;
- ssl_certificate_key /etc/nginx/ssl/org.key.pem;
-
- ssl_session_cache builtin:1000 shared:SSL:10m;
- ssl_protocols TLSv1.2;
-
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-
- ssl_prefer_server_ciphers on;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- root /var/www/report;
- index public/index.html;
-
- location /assets {
- alias /var/www/report/assets/;
- #root /var/www/report/assets;
- #try_files /var/www/report/assets/$uri /var/www/report/assets/$uri/ =404;
- try_files $uri $uri/ =404;
- }
-}
\ No newline at end of file
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name report.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ root /var/www/report;
+ index public/index.html;
+
+ location /assets {
+ alias /var/www/report/assets/;
+ #root /var/www/report/assets;
+ #try_files /var/www/report/assets/$uri /var/www/report/assets/$uri/ =404;
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/Nginx/Server Blocks/staff.libraryofcode.org.conf b/Nginx/Server Blocks/staff.libraryofcode.org.conf
index b760201..739dc23 100644
--- a/Nginx/Server Blocks/staff.libraryofcode.org.conf
+++ b/Nginx/Server Blocks/staff.libraryofcode.org.conf
@@ -24,19 +24,19 @@ server { #limit_req zone=one burst=15; location / { - proxy_set_header Host $host; + proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://localhost:3020; + proxy_pass http://localhost:3020; - proxy_read_timeout 90; + proxy_read_timeout 90; - proxy_redirect http://localhost:3020 https://staff.libraryofcode.org; + proxy_redirect http://localhost:3020 https://staff.libraryofcode.org; - } -} \ No newline at end of file + } +} diff --git a/Nginx/Server Blocks/static.libraryofcode.org.conf b/Nginx/Server Blocks/static.libraryofcode.org.conf index 829134a..f74267f 100644 --- a/Nginx/Server Blocks/static.libraryofcode.org.conf +++ b/Nginx/Server Blocks/static.libraryofcode.org.conf 
@@ -1,23 +1,23 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name static.libraryofcode.org;
-
- ssl_certificate /etc/nginx/ssl/org.chain.crt;
- ssl_certificate_key /etc/nginx/ssl/org.key.pem;
-
- ssl_session_cache builtin:1000 shared:SSL:10m;
- ssl_protocols TLSv1.2;
-
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-
- ssl_prefer_server_ciphers on;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- root /var/www/static;
- location / {
- autoindex on;
- }
-}
\ No newline at end of file
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name static.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ root /var/www/static;
+ location / {
+ autoindex on;
+ }
+}
diff --git a/Nginx/Server Blocks/wiki.libraryofcode.org.conf b/Nginx/Server Blocks/wiki.libraryofcode.org.conf
index 642402c..f122ec1 100644
--- a/Nginx/Server Blocks/wiki.libraryofcode.org.conf
+++ b/Nginx/Server Blocks/wiki.libraryofcode.org.conf
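Review bot: The rewritten server block still carries `ssl_session_cache builtin:1000 shared:SSL:10m;`, `ssl_protocols TLSv1.2;`, the `ssl_ciphers` list, `ssl_prefer_server_ciphers on;`, `ssl_stapling on;` and `ssl_stapling_verify on;`, which every other vhost in this commit drops in favour of the http-level settings added to nginx.conf. Left in place, this one server declares a TLS policy of its own (TLSv1.2 only, builtin session cache) that differs from the consolidated one, so it looks like this file missed the cleanup rather than being an intentional exception. Unless the divergence is wanted, remove those six directives and their surrounding blank lines as was done for the sibling server blocks.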
@@ -1,44 +1,29 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name wiki.libraryofcode.org;
-
- ssl_certificate /etc/nginx/ssl/org.chain.crt;
- ssl_certificate_key /etc/nginx/ssl/org.key.pem;
-
- ssl_session_cache builtin:1000 shared:SSL:10m;
- #include /etc/nginx/error/502;
- #include /etc/nginx/error/504;
- #include /etc/nginx/error/500;
- #include /etc/nginx/error/404;
- #include /etc/nginx/error/429;
- ssl_protocols TLSv1.2;
-
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-
- ssl_prefer_server_ciphers on;
-
- ssl_stapling on;
- ssl_stapling_verify on;
- client_max_body_size 1G;
- #limit_req zone=one burst=15;
- location / {
-
- proxy_set_header Host $host;
-
- proxy_set_header X-Real-IP $remote_addr;
-
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- proxy_set_header X-Forwarded-Proto $scheme;
-
- proxy_set_header X-Frame-Options SAMEORIGIN;
-
- proxy_pass http://localhost:3000;
-
- proxy_read_timeout 90;
-
- proxy_redirect http://localhost:3000 https://wiki.libraryofcode.org;
-
- }
-}
\ No newline at end of file
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name wiki.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ client_max_body_size 1G;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://localhost:3000;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://localhost:3000 https://wiki.libraryofcode.org;
+
+ }
+}
diff --git a/Nginx/nginx.conf b/Nginx/nginx.conf
index 91d6218..3e9937a 100644
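Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;` sets a header on the request forwarded to the upstream on localhost:3000, not on the response returned to the browser, so it gives no clickjacking protection unless the application happens to echo it back. A response header is set with `add_header X-Frame-Options SAMEORIGIN always;`; note that an `add_header` inside this location replaces any `add_header` set inherited from the server or http level, so keep related headers together. The line predates this rewrite, but the whole block is re-added here as new code.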
--- a/Nginx/nginx.conf +++ b/Nginx/nginx.conf @@ -35,11 +35,14 @@ http { # SSL Settings ## - ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; - ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + ssl_stapling on; + ssl_stapling_verify on; + ssl_session_cache shared:SSL:10m; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_dhparam /etc/nginx/dhparam.pem - ;ssl_ecdh_curve secp384r1; + ssl_ecdh_curve prime256v1:secp384r1; ## # Logging Settings diff --git a/Postfix/main.conf b/Postfix/main.conf new file mode 100644 index 0000000..c5f1fe7 --- /dev/null +++ b/Postfix/main.conf 
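Review bot: The context line `ssl_dhparam /etc/nginx/dhparam.pem` has no terminating semicolon; on the old side the removed line `;ssl_ecdh_curve secp384r1;` supplied it, but the added `ssl_ecdh_curve prime256v1:secp384r1;` does not, so after this commit nginx should read `ssl_dhparam /etc/nginx/dhparam.pem ssl_ecdh_curve prime256v1:secp384r1;` as one directive with two arguments and `nginx -t` should reject the file. If the context line really reads as shown, change it to `ssl_dhparam /etc/nginx/dhparam.pem;`. Separately, `ssl_stapling_verify on;` is now enabled at http level without an `ssl_trusted_certificate` visible in this hunk; if it is not set elsewhere, OCSP response verification fails and stapling is silently disabled with only a startup warning in the error log.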
@@ -0,0 +1,104 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+# Server Information
+smtpd_banner = $myhostname Library of Code sp-us Staff Services | ESMTP (Debian/GNU)
+myhostname = staff.libraryofcode.org
+myorigin = /etc/mailname
+mydestination = $myhostname, libraryofcode.org
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 63.141.252.130
+mail_name = Library of Code sp-us | Staff Services
+
+
+# Relay Settings
+relayhost =
+relay_domains = lists.libraryofcode.org
+
+
+# MDA & Delivery
+append_dot_mydomain = no
+biff = no
+mailbox_transport = lmtp:unix:private/dovecot-lmtp
+message_size_limit = 1073741824
+transport_maps = hash:/etc/postfix/transport
+mailbox_size_limit = 0
+recipient_delimiter = +
+
+
+# Authentication
+smtpd_sasl_auth_enable = yes
+broken_sasl_auth_clients = yes
+
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/postfix/ssl/globalsign.crt
+smtpd_tls_key_file=/etc/postfix/ssl/globalsign.key.pem
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_security_level = may
+smtpd_tls_security_level = may
+smtp_tls_note_starttls_offer = yes
+smtpd_tls_CAfile = /etc/postfix/ssl/globalsign.ca.crt
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
+smtpd_tls_session_cache_timeout = 3600s
+tls_random_source = dev:/dev/urandom
+
+
+# RESTRICTIONS
+smtpd_relay_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ defer_unauth_destination,
+smtpd_helo_restrictions =
+ permit_mynetworks,
+ reject_non_fqdn_helo_hostname,
+ reject_invalid_helo_hostname,
+ reject_unknown_helo_hostname,
+ permit,
+smtpd_sender_restrictions =
+ reject_unknown_sender_domain,
+ reject_unknown_reverse_client_hostname,
+ reject_unknown_client_hostname,
+ reject_sender_login_mismatch,
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ permit,
+smtpd_recipient_restrictions =
+ reject_unauth_pipelining,
+ 
reject_non_fqdn_recipient,
+ reject_unknown_recipient_domain,
+ permit_mynetworks,
+ check_policy_service inet:127.0.0.1:10023,
+ reject_rbl_client sbl.spamhaus.org,
+ reject_rbl_client xbl.spamhaus.org,
+ permit,
+
+
+# Local Aliases
+alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
+alias_database = hash:/etc/aliases
+
+
+# Virtual Alises
+smtpd_sender_login_maps = hash:/etc/postfix/virtual-mailbox-users
+virtual_alias_maps = hash:/etc/postfix/virtual
+
+
+# Network Settings & Milters
+inet_interfaces = all
+inet_protocols = all
+milter_default_action = accept
+milter_protocol = 6
+smtpd_milters =
+ inet:localhost:8891,
+ local:/opendmarc/opendmarc.sock,
+ inet:localhost:8892
+non_smtpd_milters = $smtpd_milters
+
+
+# Misc
+readme_directory = no
+compatibility_level = 2
+unknown_local_recipient_reject_code = 550
+mailman_destination_recipient_limit = 1
diff --git a/Postfix/master.conf b/Postfix/master.conf
index 7864480..08b7bd8 100644
--- a/Postfix/master.conf
+++ b/Postfix/master.conf
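Review bot: `smtpd_sasl_auth_enable = yes` is set globally while `smtpd_tls_security_level = may` and no `smtpd_tls_auth_only` is present, so the port-25 smtpd (which master.conf in this commit does not override) advertises AUTH on the plaintext connection before STARTTLS, and a misconfigured client can send credentials in the clear. Add `smtpd_tls_auth_only = yes` under `# TLS parameters`; the `submission` service already forces `encrypt` and `smtps` is wrapper-mode, so neither is affected. `smtpd_tls_protocols` and `smtpd_tls_mandatory_protocols` are also left at their defaults, which on older Postfix builds still admit TLS 1.0/1.1; if the installed version's defaults have not been checked, `smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1` pins them. Minor: the section comment `# Virtual Alises` is misspelled (`Aliases`).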
@@ -1,98 +1,135 @@
-# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - - smtpd
+ -o content_filter=spamassassin
+ -o syslog_name=postfix/smtp
+#smtp inet n - y - 1 postscreen
+#smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+submission inet n - y - - smtpd
+ -o syslog_name=postfix/submission
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_reject_unlisted_recipient=no
+ -o smtpd_client_restrictions=$mua_client_restrictions
+ -o smtpd_helo_restrictions=$mua_helo_restrictions
+ -o smtpd_sender_restrictions=$mua_sender_restrictions
+ -o smtpd_recipient_restrictions=
+ -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+ -o cleanup_service_name=privclean
+smtps inet n - y - - smtpd
+ -o syslog_name=postfix/smtps
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_reject_unlisted_recipient=no
+ -o smtpd_client_restrictions=$mua_client_restrictions
+ -o smtpd_helo_restrictions=$mua_helo_restrictions
+ -o smtpd_sender_restrictions=$mua_sender_restrictions
+ -o smtpd_recipient_restrictions=
+ -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - 
- y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry. 
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+ ${nexthop} ${user}
-# Debian specific: Specifying a file name will cause the first
-# line of that file to be used as the name. The Debian default
-# is /etc/mailname.
-#myorigin = /etc/mailname
+spamassassin unix - n n - - pipe
+ user=spamd argv=/usr/bin/spamc -f -e
+ /usr/sbin/sendmail -oi -f ${sender} ${recipient}
-smtpd_banner = $myhostname Library of Code sp-us Staff Services | ESMTP (Debian/GNU)
-biff = no
-
-# appending .domain is the MUA's job. 
-append_dot_mydomain = no
-
-# Uncomment the next line to generate "delayed mail" warnings
-#delay_warning_time = 4h
-
-readme_directory = no
-
-# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
-# fresh installs.
-compatibility_level = 2
-
-# TLS parameters
-smtpd_tls_cert_file=/etc/postfix/ssl/globalsign.crt
-smtpd_tls_key_file=/etc/postfix/ssl/globalsign.key.pem
-smtpd_use_tls=yes
-smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtp_tls_security_level = may
-smtpd_tls_security_level = may
-smtp_tls_note_starttls_offer = yes
-smtpd_tls_CAfile = /etc/postfix/ssl/globalsign.ca.crt
-smtpd_tls_loglevel = 1
-smtpd_tls_received_header = yes
-smtpd_tls_session_cache_timeout = 3600s
-tls_random_source = dev:/dev/urandom
-
-# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
-# information on enabling SSL in the smtp client.
-
-# RESTRICTIONS
-smtpd_relay_restrictions =
- permit_mynetworks,
- permit_sasl_authenticated,
- defer_unauth_destination,
-smtpd_helo_restrictions =
- permit_mynetworks,
- reject_non_fqdn_helo_hostname,
- reject_invalid_helo_hostname,
- reject_unknown_helo_hostname,
- permit,
-smtpd_sender_restrictions =
- reject_unknown_sender_domain,
- reject_unknown_reverse_client_hostname,
- reject_unknown_client_hostname,
- reject_sender_login_mismatch,
- permit_mynetworks,
- permit_sasl_authenticated,
- permit,
-smtpd_recipient_restrictions =
- reject_unauth_pipelining,
- reject_non_fqdn_recipient,
- reject_unknown_recipient_domain,
- permit_mynetworks,
- check_policy_service inet:127.0.0.1:10023
- permit,
-
-myhostname = staff.libraryofcode.org
-alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
-alias_database = hash:/etc/aliases
-smtpd_sender_login_maps = hash:/etc/postfix/virtual-mailbox-users
-
-myorigin = /etc/mailname
-mydestination = $myhostname, libraryofcode.org, libraryofcode.us 
staff.libraryofcode.us, staff-libraryofcode.staff.libraryofcode.us, localhost.staff.libraryofcode.us, localhost, libraryofcode.us
-relayhost =
-relay_domains = lists.libraryofcode.org
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 63.141.252.130
-mailbox_size_limit = 0
-mailbox_command = procmail -a "$EXTENSION" DEFAULT=/var/mail/$USER
-recipient_delimiter = +
-inet_interfaces = all
-inet_protocols = all
-smtpd_sasl_auth_enable = yes
-broken_sasl_auth_clients = yes
-milter_default_action = accept
-milter_protocol = 6
-smtpd_milters = inet:localhost:8891, local:/opendmarc/opendmarc.sock
-non_smtpd_milters = $smtpd_milters
-mail_name = Library of Code sp-us | Staff Command
-virtual_alias_maps = hash:/etc/postfix/virtual
-
-#authorized_submit_users = !boss, !test, static:all
-message_size_limit = 1073741824
-transport_maps = hash:/etc/postfix/transport
-unknown_local_recipient_reject_code = 550
-mailman_destination_recipient_limit = 1
-#local_recipient_maps = hash:/var/lib/mailman3/data/postfix_lmtp
+privclean unix n - - - 0 cleanup
+ -o header_checks=pcre:/etc/postfix/outgoing_headers
+ -o nested_header_checks=
diff --git a/scripts/learnspam.py b/scripts/learnspam.py
new file mode 100644
index 0000000..0dfb9db
--- /dev/null
+++ b/scripts/learnspam.py
@@ -0,0 +1,6 @@
+import os
+
+home_directories = os.listdir("/home")
+
+for user in home_directories:
+ os.system("sa-learn --spam /home/%s/mail/Junk" % user)
diff --git a/scripts/nact.sh b/scripts/nact.sh
new file mode 100644
index 0000000..a2236a6
--- /dev/null
+++ b/scripts/nact.sh
@@ -0,0 +1,8 @@
+# Activate Nginx Server Blocks
+
+if [ $# -eq 0 ]; then
+ echo "No arguments provided"
+ exit 1
+fi
+
+sudo ln -s /etc/nginx/sites-available/$1.conf /etc/nginx/sites-enabled/$1.conf
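Review bot: The `smtps` service is missing `-o cleanup_service_name=privclean`, which the `submission` service gets, so the `header_checks=pcre:/etc/postfix/outgoing_headers` scrubbing done by the new `privclean` cleanup applies to mail submitted on 587 but not on 465; if all authenticated submissions are meant to be treated alike, add the same `-o` line to `smtps`. Both services also reference `$mua_client_restrictions`, `$mua_helo_restrictions` and `$mua_sender_restrictions`, which the accompanying Postfix/main.conf does not define; an undefined parameter expands to an empty value, so those three overrides currently impose no restrictions and relaying on those ports is gated only by `smtpd_relay_restrictions=permit_sasl_authenticated,reject`. Either define the three `mua_*` parameters in main.conf or drop the lines so the effective policy is explicit in the file.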
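Review bot: `os.system("sa-learn --spam /home/%s/mail/Junk" % user)` builds a shell command from directory names read off the filesystem, so a home directory whose name contains whitespace or shell metacharacters is either mis-parsed or interpreted as extra shell syntax; pass the path as an argv list through `subprocess.run` so no shell is involved. The loop also invokes sa-learn for every entry in `/home` whether or not a `mail/Junk` folder exists, and the file has no shebang, so it runs under whatever interpreter the caller names. The version below behaves the same for users that have the folder and skips the rest instead of handing sa-learn paths that do not exist.

```python
#!/usr/bin/env python3
import os
import subprocess

for user in os.listdir("/home"):
    junk = os.path.join("/home", user, "mail", "Junk")
    if not os.path.isdir(junk):
        continue
    subprocess.run(["sa-learn", "--spam", junk], check=False)
```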
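Review bot: `sudo ln -s /etc/nginx/sites-available/$1.conf /etc/nginx/sites-enabled/$1.conf` uses `$1` unquoted and unvalidated, so an argument containing whitespace, `/` or `..` is word-split or yields a link that points outside `sites-available`, and `ln -s` creates a dangling link when the source file does not exist. The script also has no shebang, so its behaviour depends on the caller's shell. Quote and validate the name, check that the source exists, and run `nginx -t` afterwards so a broken block is caught before the next reload; a minimal version is below.

```sh
#!/bin/sh
# Activate Nginx Server Blocks
set -eu

if [ $# -eq 0 ]; then
    echo "No arguments provided" >&2
    exit 1
fi

name=$1
case "$name" in
    */* | .* | "") echo "Invalid server block name: $name" >&2; exit 1 ;;
esac

src="/etc/nginx/sites-available/$name.conf"
if [ ! -f "$src" ]; then
    echo "$src does not exist" >&2
    exit 1
fi

sudo ln -s "$src" "/etc/nginx/sites-enabled/$name.conf"
sudo nginx -t
```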