additions or whateva
parent
f127dd6253
commit
6f4266f5b6
|
@ -0,0 +1,23 @@
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
server_name ats.libraryofcode.org;
|
||||||
|
|
||||||
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
|
root /var/www/opencats;
|
||||||
|
|
||||||
|
index index.html index.htm index.php;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ \.php$ {
|
||||||
|
include snippets/fastcgi-php.conf;
|
||||||
|
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
|
||||||
|
fastcgi_param HTACCESS on;
|
||||||
|
proxy_read_timeout 800;
|
||||||
|
}
|
||||||
|
}
|
|
@ -6,16 +6,6 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
root /var/binary;
|
root /var/binary;
|
||||||
location / {
|
location / {
|
||||||
autoindex on;
|
autoindex on;
|
||||||
|
|
|
@ -6,22 +6,6 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/board-ins.chain.crt;
|
ssl_certificate /etc/nginx/ssl/board-ins.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/board-ins.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/board-ins.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#include /etc/nginx/error/502;
|
|
||||||
#include /etc/nginx/error/504;
|
|
||||||
#include /etc/nginx/error/500;
|
|
||||||
#include /etc/nginx/error/404;
|
|
||||||
#include /etc/nginx/error/429;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
#limit_req zone=one burst=15;
|
|
||||||
location / {
|
location / {
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
|
@ -6,22 +6,6 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#include /etc/nginx/error/502;
|
|
||||||
#include /etc/nginx/error/504;
|
|
||||||
#include /etc/nginx/error/500;
|
|
||||||
#include /etc/nginx/error/404;
|
|
||||||
#include /etc/nginx/error/429;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
#limit_req zone=one burst=15;
|
|
||||||
location / {
|
location / {
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
|
@ -6,24 +6,6 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#include /etc/nginx/error/502;
|
|
||||||
#include /etc/nginx/error/504;
|
|
||||||
#include /etc/nginx/error/500;
|
|
||||||
#include /etc/nginx/error/404;
|
|
||||||
#include /etc/nginx/error/429;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
client_max_body_size 1G;
|
|
||||||
#limit_req zone=one burst=15;
|
|
||||||
|
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
return 307 $scheme://www.libraryofcode.org/;
|
return 307 $scheme://www.libraryofcode.org/;
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,22 +6,6 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#include /etc/nginx/error/502;
|
|
||||||
#include /etc/nginx/error/504;
|
|
||||||
#include /etc/nginx/error/500;
|
|
||||||
#include /etc/nginx/error/404;
|
|
||||||
#include /etc/nginx/error/429;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
#limit_req zone=one burst=15;
|
|
||||||
location / {
|
location / {
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
|
@ -6,22 +6,6 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#include /etc/nginx/error/502;
|
|
||||||
#include /etc/nginx/error/504;
|
|
||||||
#include /etc/nginx/error/500;
|
|
||||||
#include /etc/nginx/error/404;
|
|
||||||
#include /etc/nginx/error/429;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
#limit_req zone=one burst=15;
|
|
||||||
location / {
|
location / {
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
|
@ -6,17 +6,8 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
root /var/www/content;
|
root /var/www/content;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
autoindex on;
|
autoindex on;
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,37 +6,21 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/cr-ins.chain.crt;
|
ssl_certificate /etc/nginx/ssl/cr-ins.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/cr-ins.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/cr-ins.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#include /etc/nginx/error/502;
|
|
||||||
#include /etc/nginx/error/504;
|
|
||||||
#include /etc/nginx/error/500;
|
|
||||||
#include /etc/nginx/error/404;
|
|
||||||
#include /etc/nginx/error/429;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
#limit_req zone=one burst=15;
|
|
||||||
location / {
|
location / {
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
proxy_pass http://10.8.0.1:3891;
|
proxy_pass http://10.8.0.1:3891;
|
||||||
|
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
|
|
||||||
proxy_redirect http://10.8.0.1:3891 https://cr.ins;
|
proxy_redirect http://10.8.0.1:3891 https://cr.ins;
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
|
@ -6,39 +6,23 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/data-ins.chain.crt;
|
ssl_certificate /etc/nginx/ssl/data-ins.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/data-ins.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/data-ins.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#include /etc/nginx/error/502;
|
|
||||||
#include /etc/nginx/error/504;
|
|
||||||
#include /etc/nginx/error/500;
|
|
||||||
#include /etc/nginx/error/404;
|
|
||||||
#include /etc/nginx/error/429;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
#limit_req zone=one burst=15;
|
|
||||||
location / {
|
location / {
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
proxy_set_header X-Frame-Options SAMEORIGIN;
|
proxy_set_header X-Frame-Options SAMEORIGIN;
|
||||||
|
|
||||||
proxy_pass http://10.8.0.1:19999;
|
proxy_pass http://10.8.0.1:19999;
|
||||||
|
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
|
|
||||||
proxy_redirect http://10.8.0.1:19999 https://data.ins;
|
proxy_redirect http://10.8.0.1:19999 https://data.ins;
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
|
@ -1,21 +1,11 @@
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
server_name directory.libraryofcode.org;
|
server_name directory.libraryofcode.org;
|
||||||
|
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
root /var/www/int;
|
||||||
ssl_protocols TLSv1.2;
|
index index.html;
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
root /var/www/int;
|
|
||||||
index index.html;
|
|
||||||
}
|
}
|
|
@ -5,48 +5,43 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/dns.chain.crt;
|
ssl_certificate /etc/nginx/ssl/dns.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/dns.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/dns.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
index index.html index.htm index.php;
|
||||||
|
root /opt/powerdns-admin;
|
||||||
|
access_log /var/log/nginx/powerdns-admin.local.access.log combined;
|
||||||
|
error_log /var/log/nginx/powerdns-admin.local.error.log;
|
||||||
|
|
||||||
index index.html index.htm index.php;
|
client_max_body_size 10m;
|
||||||
root /opt/powerdns-admin;
|
client_body_buffer_size 128k;
|
||||||
access_log /var/log/nginx/powerdns-admin.local.access.log combined;
|
proxy_redirect off;
|
||||||
error_log /var/log/nginx/powerdns-admin.local.error.log;
|
proxy_connect_timeout 90;
|
||||||
|
proxy_send_timeout 90;
|
||||||
|
proxy_read_timeout 90;
|
||||||
|
proxy_buffers 32 4k;
|
||||||
|
proxy_buffer_size 8k;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_headers_hash_bucket_size 64;
|
||||||
|
|
||||||
client_max_body_size 10m;
|
location ~ ^/static/ {
|
||||||
client_body_buffer_size 128k;
|
include /etc/nginx/mime.types;
|
||||||
proxy_redirect off;
|
root /opt/powerdns-admin/powerdnsadmin;
|
||||||
proxy_connect_timeout 90;
|
|
||||||
proxy_send_timeout 90;
|
|
||||||
proxy_read_timeout 90;
|
|
||||||
proxy_buffers 32 4k;
|
|
||||||
proxy_buffer_size 8k;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_headers_hash_bucket_size 64;
|
|
||||||
|
|
||||||
location ~ ^/static/ {
|
location ~* \.(jpg|jpeg|png|gif)$ {
|
||||||
include /etc/nginx/mime.types;
|
expires 365d;
|
||||||
root /opt/powerdns-admin/powerdnsadmin;
|
}
|
||||||
|
|
||||||
location ~* \.(jpg|jpeg|png|gif)$ {
|
location ~* ^.+.(css|js)$ {
|
||||||
expires 365d;
|
expires 7d;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~* ^.+.(css|js)$ {
|
location / {
|
||||||
expires 7d;
|
proxy_pass http://unix:/run/powerdns-admin/socket;
|
||||||
|
proxy_read_timeout 120;
|
||||||
|
proxy_connect_timeout 120;
|
||||||
|
proxy_redirect off;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://unix:/run/powerdns-admin/socket;
|
|
||||||
proxy_read_timeout 120;
|
|
||||||
proxy_connect_timeout 120;
|
|
||||||
proxy_redirect off;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
|
@ -6,39 +6,25 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#include /etc/nginx/error/502;
|
|
||||||
#include /etc/nginx/error/504;
|
|
||||||
#include /etc/nginx/error/500;
|
|
||||||
#include /etc/nginx/error/404;
|
|
||||||
#include /etc/nginx/error/429;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
client_max_body_size 1G;
|
client_max_body_size 1G;
|
||||||
#limit_req zone=one burst=15;
|
|
||||||
location / {
|
location / {
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
proxy_set_header X-Frame-Options SAMEORIGIN;
|
proxy_set_header X-Frame-Options SAMEORIGIN;
|
||||||
|
|
||||||
proxy_pass http://localhost:5000;
|
proxy_pass http://localhost:5000;
|
||||||
|
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
|
|
||||||
proxy_redirect http://localhost:5000 https://docker.libraryofcode.org;
|
proxy_redirect http://localhost:5000 https://docker.libraryofcode.org;
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
|
@ -6,39 +6,25 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#include /etc/nginx/error/502;
|
|
||||||
#include /etc/nginx/error/504;
|
|
||||||
#include /etc/nginx/error/500;
|
|
||||||
#include /etc/nginx/error/404;
|
|
||||||
#include /etc/nginx/error/429;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
client_max_body_size 1G;
|
client_max_body_size 1G;
|
||||||
#limit_req zone=one burst=15;
|
|
||||||
location / {
|
location / {
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
proxy_set_header X-Frame-Options SAMEORIGIN;
|
proxy_set_header X-Frame-Options SAMEORIGIN;
|
||||||
|
|
||||||
proxy_pass http://localhost:5608;
|
proxy_pass http://localhost:5608;
|
||||||
|
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
|
|
||||||
proxy_redirect http://localhost:5608 https://drive.libraryofcode.org;
|
proxy_redirect http://localhost:5608 https://drive.libraryofcode.org;
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,3 +1,8 @@
|
||||||
|
upstream eds-backend {
|
||||||
|
server localhost:7101;
|
||||||
|
server node2.libraryofcode.org:7101 baackup;
|
||||||
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
|
@ -6,39 +11,21 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#include /etc/nginx/error/502;
|
|
||||||
#include /etc/nginx/error/504;
|
|
||||||
#include /etc/nginx/error/500;
|
|
||||||
#include /etc/nginx/error/404;
|
|
||||||
#include /etc/nginx/error/429;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
#limit_req zone=one burst=15;
|
|
||||||
location / {
|
location / {
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
proxy_set_header X-Frame-Options SAMEORIGIN;
|
proxy_set_header X-Frame-Options SAMEORIGIN;
|
||||||
|
|
||||||
proxy_pass http://localhost:7101;
|
proxy_pass http://eds-backend;
|
||||||
|
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
|
|
||||||
proxy_redirect http://localhost:7101 https://eds.libraryofcode.org;
|
}
|
||||||
|
|
||||||
}
|
|
||||||
}
|
}
|
|
@ -1,32 +1,23 @@
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
server_name edu.libraryofcode.org;
|
server_name edu.libraryofcode.org;
|
||||||
|
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
root /opt/canvas/public;
|
||||||
|
charset utf-8;
|
||||||
ssl_prefer_server_ciphers on;
|
include mime.types;
|
||||||
|
client_max_body_size 5000M;
|
||||||
ssl_stapling on;
|
default_type application/octet-stream;
|
||||||
ssl_stapling_verify on;
|
access_log /var/log/nginx/canvas.access.log;
|
||||||
|
error_log /var/log/nginx/canvas.error.log;
|
||||||
root /opt/canvas/public;
|
passenger_ruby /usr/local/bin/ruby2.4;
|
||||||
charset utf-8;
|
passenger_load_shell_envvars off;
|
||||||
include mime.types;
|
#passenger_log_level 4;
|
||||||
client_max_body_size 5000M;
|
passenger_start_timeout 300;
|
||||||
default_type application/octet-stream;
|
passenger_enabled on;
|
||||||
access_log /var/log/nginx/canvas.access.log;
|
rails_env production;
|
||||||
error_log /var/log/nginx/canvas.error.log;
|
|
||||||
passenger_ruby /usr/local/bin/ruby2.4;
|
|
||||||
passenger_load_shell_envvars off;
|
|
||||||
#passenger_log_level 4;
|
|
||||||
passenger_start_timeout 300;
|
|
||||||
passenger_enabled on;
|
|
||||||
rails_env production;
|
|
||||||
}
|
}
|
|
@ -6,39 +6,23 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/firewall-ins.chain.crt;
|
ssl_certificate /etc/nginx/ssl/firewall-ins.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/firewall-ins.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/firewall-ins.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#include /etc/nginx/error/502;
|
|
||||||
#include /etc/nginx/error/504;
|
|
||||||
#include /etc/nginx/error/500;
|
|
||||||
#include /etc/nginx/error/404;
|
|
||||||
#include /etc/nginx/error/429;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
#limit_req zone=one burst=15;
|
|
||||||
location / {
|
location / {
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
proxy_set_header X-Frame-Options SAMEORIGIN;
|
proxy_set_header X-Frame-Options SAMEORIGIN;
|
||||||
|
|
||||||
proxy_pass http://192.168.56.1:80;
|
proxy_pass http://192.168.56.1:80;
|
||||||
|
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
|
|
||||||
proxy_redirect http://192.168.56.1:80 https://firewall.ins;
|
proxy_redirect http://192.168.56.1:80 https://firewall.ins;
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
|
@ -1,16 +1,10 @@
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
server_name forms.libraryofcode.org;
|
server_name forms.libraryofcode.org;
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
|
||||||
|
|
||||||
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
ssl_protocols TLSv1.1 TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
|
||||||
ssl_ecdh_curve secp384r1;
|
|
||||||
|
|
||||||
root /var/www/forms;
|
root /var/www/forms;
|
||||||
rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;
|
rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;
|
||||||
|
|
|
@ -1,74 +1,74 @@
|
||||||
upstream gitlab-workhorse {
|
upstream gitlab-workhorse {
|
||||||
server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
|
server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
## HTTPS host
|
## HTTPS host
|
||||||
server {
|
server {
|
||||||
listen 0.0.0.0:443 ssl http2;
|
listen 0.0.0.0:443 ssl http2;
|
||||||
listen [::]:443 ipv6only=on ssl http2;
|
listen [::]:443 ipv6only=on ssl http2;
|
||||||
server_name gitlab.libraryofcode.org; ## Replace this with something like gitlab.example.com
|
server_name gitlab.libraryofcode.org; ## Replace this with something like gitlab.example.com
|
||||||
root /opt/gitlab/embedded/service/gitlab-rails/public;
|
root /opt/gitlab/embedded/service/gitlab-rails/public;
|
||||||
|
|
||||||
## Strong SSL Security
|
## Strong SSL Security
|
||||||
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
|
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
|
||||||
ssl on;
|
ssl on;
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
|
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
|
||||||
#ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
#ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
ssl_protocols TLSv1.2;
|
ssl_protocols TLSv1.2;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
ssl_session_cache shared:SSL:10m;
|
ssl_session_cache shared:SSL:10m;
|
||||||
ssl_session_timeout 5m;
|
ssl_session_timeout 5m;
|
||||||
|
|
||||||
## See app/controllers/application_controller.rb for headers set
|
## See app/controllers/application_controller.rb for headers set
|
||||||
|
|
||||||
## [Optional] Enable HTTP Strict Transport Security
|
## [Optional] Enable HTTP Strict Transport Security
|
||||||
## HSTS is a feature improving protection against MITM attacks
|
## HSTS is a feature improving protection against MITM attacks
|
||||||
## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
|
## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
|
||||||
add_header Strict-Transport-Security "max-age=31536000; preload";
|
add_header Strict-Transport-Security "max-age=31536000; preload";
|
||||||
|
|
||||||
## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
|
## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
|
||||||
## Replace with your ssl_trusted_certificate. For more info see:
|
## Replace with your ssl_trusted_certificate. For more info see:
|
||||||
## - https://medium.com/devops-programming/4445f4862461
|
## - https://medium.com/devops-programming/4445f4862461
|
||||||
## - https://www.ruby-forum.com/topic/4419319
|
## - https://www.ruby-forum.com/topic/4419319
|
||||||
## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
|
## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
|
||||||
# ssl_stapling on;
|
# ssl_stapling on;
|
||||||
# ssl_stapling_verify on;
|
# ssl_stapling_verify on;
|
||||||
# ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
|
# ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
|
||||||
# resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
|
# resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
|
||||||
# resolver_timeout 5s;
|
# resolver_timeout 5s;
|
||||||
|
|
||||||
## [Optional] Generate a stronger DHE parameter:
|
## [Optional] Generate a stronger DHE parameter:
|
||||||
## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
|
## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
|
||||||
##
|
##
|
||||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||||
ssl_ecdh_curve secp384r1;
|
ssl_ecdh_curve secp384r1;
|
||||||
|
|
||||||
## Individual nginx logs for this GitLab vhost
|
## Individual nginx logs for this GitLab vhost
|
||||||
access_log /var/log/nginx/gitlab_access.log;
|
access_log /var/log/nginx/gitlab_access.log;
|
||||||
error_log /var/log/nginx/gitlab_error.log;
|
error_log /var/log/nginx/gitlab_error.log;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
client_max_body_size 0;
|
client_max_body_size 0;
|
||||||
gzip off;
|
gzip off;
|
||||||
|
|
||||||
## https://github.com/gitlabhq/gitlabhq/issues/694
|
## https://github.com/gitlabhq/gitlabhq/issues/694
|
||||||
## Some requests take more than 30 seconds.
|
## Some requests take more than 30 seconds.
|
||||||
proxy_read_timeout 300;
|
proxy_read_timeout 300;
|
||||||
proxy_connect_timeout 300;
|
proxy_connect_timeout 300;
|
||||||
proxy_redirect off;
|
proxy_redirect off;
|
||||||
|
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
|
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-Ssl on;
|
proxy_set_header X-Forwarded-Ssl on;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_pass http://gitlab-workhorse;
|
proxy_pass http://gitlab-workhorse;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,27 +3,13 @@ server {
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
server_name gocrypt.libraryofcode.org;
|
server_name gocrypt.libraryofcode.org;
|
||||||
|
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
root /var/www/gocryptdoc;
|
||||||
#include /etc/nginx/error/502;
|
index index.html;
|
||||||
#include /etc/nginx/error/504;
|
location / {
|
||||||
#include /etc/nginx/error/500;
|
try_files $uri $uri/index.html =404;
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
}
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
#limit_req zone=one burst=5;
|
|
||||||
root /var/www/gocryptdoc;
|
|
||||||
index index.html;
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/index.html =404;
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
}
|
|
@ -1,7 +1,7 @@
|
||||||
server {
|
server {
|
||||||
|
|
||||||
listen 80;
|
listen 80;
|
||||||
|
|
||||||
return 301 https://$host$request_uri;
|
return 301 https://$host$request_uri;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,30 +1,30 @@
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
server_name ins-test.libraryofcode.org;
|
server_name ins-test.libraryofcode.org;
|
||||||
|
|
||||||
ssl_certificate /etc/nginx/ssl/ins-test.chain.crt;
|
ssl_certificate /etc/nginx/ssl/ins-test.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/ins-test.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/ins-test.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
ssl_session_cache builtin:1000 shared:SSL:10m;
|
||||||
#ssl_protocols TLSv1.2;
|
#ssl_protocols TLSv1.2;
|
||||||
|
|
||||||
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
|
|
||||||
ssl_protocols TLSv1.2;
|
ssl_protocols TLSv1.2;
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
ssl_stapling_verify off;
|
ssl_stapling_verify off;
|
||||||
|
|
||||||
root /var/www/content;
|
root /var/www/content;
|
||||||
location / {
|
location / {
|
||||||
autoindex on;
|
autoindex on;
|
||||||
}
|
}
|
||||||
location /sec {
|
location /sec {
|
||||||
autoindex on;
|
autoindex on;
|
||||||
auth_basic "Secure Area";
|
auth_basic "Secure Area";
|
||||||
auth_basic_user_file /etc/nginx/htpasswd;
|
auth_basic_user_file /etc/nginx/htpasswd;
|
||||||
}
|
}
|
||||||
}
|
}
|
|
@ -0,0 +1,13 @@
|
||||||
|
server {
|
||||||
|
listen 10.8.0.1:443 ssl http2;
|
||||||
|
#listen [::]:443 ssl http2;
|
||||||
|
server_name keys.ins;
|
||||||
|
|
||||||
|
ssl_certificate /etc/nginx/ssl/keys-ins.chain.crt;
|
||||||
|
ssl_certificate_key /etc/nginx/ssl/keys-ins.key.pem;
|
||||||
|
|
||||||
|
root /var/www/keys;
|
||||||
|
location / {
|
||||||
|
autoindex on;
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,23 +1,22 @@
|
||||||
server {
|
server {
|
||||||
listen 10.8.0.1:443 ssl http2;
|
listen 443 ssl http2;
|
||||||
#listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
server_name keys.ins;
|
|
||||||
|
|
||||||
ssl_certificate /etc/nginx/ssl/keys-ins.chain.crt;
|
server_name keys.libraryofcode.org;
|
||||||
ssl_certificate_key /etc/nginx/ssl/keys-ins.key.pem;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
root /var/www/html/sks;
|
||||||
ssl_protocols TLSv1.2;
|
error_page 404 /404.html;
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
location ~ (.git|LICENSE|readme.md) {
|
||||||
|
deny all;
|
||||||
|
return 404;
|
||||||
|
}
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
location /pks {
|
||||||
|
proxy_pass http://127.0.0.1:11371;
|
||||||
|
proxy_pass_header Server;
|
||||||
|
}
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
root /var/www/keys;
|
|
||||||
location / {
|
|
||||||
autoindex on;
|
|
||||||
}
|
|
||||||
}
|
}
|
|
@ -1,507 +1,19 @@
|
||||||
server {
|
|
||||||
listen 443 ssl;
|
|
||||||
listen [::]:443 ssl;
|
|
||||||
|
|
||||||
server_name certificates.libraryofcode.org;
|
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
|
||||||
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
|
||||||
|
|
||||||
#ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
|
|
||||||
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
||||||
|
|
||||||
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
|
|
||||||
|
|
||||||
#ssl_prefer_server_ciphers on;
|
|
||||||
ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
|
|
||||||
ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1;
|
|
||||||
location / {
|
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
proxy_pass https://localhost:8080/;
|
|
||||||
|
|
||||||
proxy_read_timeout 90;
|
|
||||||
|
|
||||||
proxy_redirect https://localhost:8080 https://certificates.libraryofcode.org;
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
#server {
|
|
||||||
# listen 443 ssl;
|
|
||||||
# listen [::]:443 ssl;
|
|
||||||
|
|
||||||
# server_name staff.libraryofcode.org;
|
|
||||||
|
|
||||||
# ssl_certificate /etc/nginx/ssl/staff.chain.crt;
|
|
||||||
|
|
||||||
#ssl_certificate_key /etc/nginx/ssl/staff.key.pem;
|
|
||||||
#ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
||||||
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
#ssl_prefer_server_ciphers on;
|
|
||||||
#ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
|
|
||||||
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
||||||
|
|
||||||
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
|
|
||||||
|
|
||||||
#ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
|
|
||||||
# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
|
|
||||||
# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
|
|
||||||
# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1;
|
|
||||||
# location / {
|
|
||||||
|
|
||||||
#proxy_set_header Host $host;
|
|
||||||
|
|
||||||
#proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
|
|
||||||
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
#proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
#proxy_pass https://localhost:8082/;
|
|
||||||
|
|
||||||
#proxy_read_timeout 90;
|
|
||||||
|
|
||||||
#proxy_redirect https://localhost:8082 https://staff.libraryofcode.org;
|
|
||||||
|
|
||||||
# }
|
|
||||||
#}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl;
|
|
||||||
listen [::]:443 ssl;
|
|
||||||
|
|
||||||
server_name status.libraryofcode.org;
|
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
|
||||||
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
|
||||||
|
|
||||||
#ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
|
|
||||||
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
||||||
|
|
||||||
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
|
|
||||||
|
|
||||||
#ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
|
|
||||||
ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1;
|
|
||||||
location / {
|
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
proxy_pass http://localhost:8787;
|
|
||||||
|
|
||||||
proxy_read_timeout 90;
|
|
||||||
|
|
||||||
proxy_redirect http://localhost:8787 https://status.libraryofcode.org;
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
#server {
|
|
||||||
# listen 443 ssl;
|
|
||||||
# listen [::]:443 ssl;
|
|
||||||
|
|
||||||
# server_name modmail.libraryofcode.org;
|
|
||||||
# ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
|
||||||
|
|
||||||
#ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
|
||||||
|
|
||||||
#ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
|
|
||||||
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
||||||
|
|
||||||
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
|
|
||||||
|
|
||||||
#ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
#ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
|
|
||||||
# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
|
|
||||||
#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
|
|
||||||
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1;
|
|
||||||
# location / {
|
|
||||||
|
|
||||||
#proxy_set_header Host $host;
|
|
||||||
|
|
||||||
#proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
|
|
||||||
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
#proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
#proxy_pass http://localhost:8001;
|
|
||||||
|
|
||||||
#proxy_read_timeout 90;
|
|
||||||
|
|
||||||
#proxy_redirect http://localhost:8001 https://modmail.libraryofcode.org;
|
|
||||||
|
|
||||||
# }
|
|
||||||
#}
|
|
||||||
|
|
||||||
#upstream zammad-railsserver {
|
|
||||||
# server 127.0.0.1:3001;
|
|
||||||
#}
|
|
||||||
|
|
||||||
#upstream zammad-websocket {
|
|
||||||
# server 127.0.0.1:6042;
|
|
||||||
#}
|
|
||||||
|
|
||||||
#server {
|
|
||||||
# listen 443 ssl http2;
|
|
||||||
# listen [::]:443 ssl http2;
|
|
||||||
#
|
|
||||||
# # replace 'localhost' with your fqdn if you want to use zammad from remote
|
|
||||||
# server_name support.libraryofcode.org;
|
|
||||||
#
|
|
||||||
# root /opt/zammad/public;
|
|
||||||
|
|
||||||
# access_log /var/log/nginx/zammad.access.log;
|
|
||||||
# error_log /var/log/nginx/zammad.error.log;
|
|
||||||
|
|
||||||
#client_max_body_size 50M;
|
|
||||||
#ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
|
||||||
|
|
||||||
#ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
|
||||||
#ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#ssl_protocols TLSv1.2;
|
|
||||||
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
#ssl_prefer_server_ciphers on;
|
|
||||||
#ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
|
|
||||||
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
||||||
|
|
||||||
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
|
|
||||||
|
|
||||||
#ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
#ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
|
|
||||||
# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
|
|
||||||
# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
|
|
||||||
# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1;
|
|
||||||
|
|
||||||
# location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
|
|
||||||
# expires max;
|
|
||||||
# }
|
|
||||||
|
|
||||||
#location /ws {
|
|
||||||
# proxy_http_version 1.1;
|
|
||||||
# proxy_set_header Upgrade $http_upgrade;
|
|
||||||
# proxy_set_header Connection "Upgrade";
|
|
||||||
# proxy_set_header CLIENT_IP $remote_addr;
|
|
||||||
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
#proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
#proxy_read_timeout 86400;
|
|
||||||
#proxy_pass http://zammad-websocket;
|
|
||||||
#}
|
|
||||||
|
|
||||||
#location / {
|
|
||||||
# proxy_set_header Host $http_host;
|
|
||||||
# proxy_set_header CLIENT_IP $remote_addr;
|
|
||||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
#proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
#proxy_read_timeout 300;
|
|
||||||
#proxy_pass http://zammad-railsserver;
|
|
||||||
|
|
||||||
#gzip on;
|
|
||||||
#gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
|
|
||||||
#gzip_proxied any;
|
|
||||||
#}
|
|
||||||
#}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
server_name vault.staff.libraryofcode.org;
|
|
||||||
ssl_certificate /etc/nginx/ssl/vault.chain.crt;
|
|
||||||
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/vault.key.pem;
|
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
proxy_pass http://localhost:8200;
|
|
||||||
|
|
||||||
proxy_read_timeout 90;
|
|
||||||
|
|
||||||
proxy_redirect http://localhost:8200 https://vault.staff.libraryofcode.org;
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
#upstream gitlab-workhorse {
|
|
||||||
# server unix:/var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0;
|
|
||||||
#}
|
|
||||||
|
|
||||||
|
|
||||||
## HTTPS host
|
|
||||||
server {
|
|
||||||
listen 0.0.0.0:443 ssl http2;
|
|
||||||
server_name gitlab.libraryofcode.us; ## Replace this with something like gitlab.example.com
|
|
||||||
root /opt/gitlab/embedded/service/gitlab-rails/public;
|
|
||||||
|
|
||||||
## Strong SSL Security
|
|
||||||
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
|
|
||||||
ssl on;
|
|
||||||
ssl_certificate /etc/nginx/ssl/globalsign.chain.crt;
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem;
|
|
||||||
|
|
||||||
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_session_cache shared:SSL:10m;
|
|
||||||
ssl_session_timeout 5m;
|
|
||||||
|
|
||||||
## See app/controllers/application_controller.rb for headers set
|
|
||||||
|
|
||||||
## [Optional] Enable HTTP Strict Transport Security
|
|
||||||
## HSTS is a feature improving protection against MITM attacks
|
|
||||||
## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; preload";
|
|
||||||
|
|
||||||
## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
|
|
||||||
## Replace with your ssl_trusted_certificate. For more info see:
|
|
||||||
## - https://medium.com/devops-programming/4445f4862461
|
|
||||||
## - https://www.ruby-forum.com/topic/4419319
|
|
||||||
## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
|
|
||||||
# ssl_stapling on;
|
|
||||||
# ssl_stapling_verify on;
|
|
||||||
# ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
|
|
||||||
# resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
|
|
||||||
# resolver_timeout 5s;
|
|
||||||
|
|
||||||
## [Optional] Generate a stronger DHE parameter:
|
|
||||||
## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
|
|
||||||
##
|
|
||||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
|
||||||
ssl_ecdh_curve secp384r1;
|
|
||||||
|
|
||||||
## Individual nginx logs for this GitLab vhost
|
|
||||||
access_log /var/log/nginx/gitlab_access.log;
|
|
||||||
error_log /var/log/nginx/gitlab_error.log;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
client_max_body_size 0;
|
|
||||||
gzip off;
|
|
||||||
|
|
||||||
## https://github.com/gitlabhq/gitlabhq/issues/694
|
|
||||||
## Some requests take more than 30 seconds.
|
|
||||||
proxy_read_timeout 300;
|
|
||||||
proxy_connect_timeout 300;
|
|
||||||
proxy_redirect off;
|
|
||||||
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-Ssl on;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_pass http://gitlab-workhorse;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2 default_server;
|
listen 443 ssl http2 default_server;
|
||||||
listen [::]:443 ssl http2 default_server;
|
listen [::]:443 ssl http2 default_server;
|
||||||
|
|
||||||
server_name www.libraryofcode.org;
|
server_name www.libraryofcode.org;
|
||||||
|
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
#if ($request_filename ~ /*){
|
|
||||||
# rewrite ^/$ https://loc.sh/discord redirect;
|
|
||||||
#}
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
|
||||||
|
|
||||||
#ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
|
|
||||||
#ssl_protocols TLSv1.1 TLSv1.2;
|
|
||||||
|
|
||||||
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
|
|
||||||
|
|
||||||
#ssl_prefer_server_ciphers on;
|
|
||||||
ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
|
|
||||||
ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
|
||||||
ssl_ecdh_curve secp384r1;
|
|
||||||
# location / {
|
|
||||||
|
|
||||||
#proxy_set_header Host $host;
|
|
||||||
|
|
||||||
#proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
|
|
||||||
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
#proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
#proxy_pass http://localhost:4567;
|
|
||||||
|
|
||||||
#proxy_read_timeout 90;
|
|
||||||
|
|
||||||
#proxy_redirect http://localhost:4567 https://www.libraryofcode.org;
|
|
||||||
|
|
||||||
# }
|
|
||||||
root /var/www/wordpress;
|
|
||||||
index index.php;
|
|
||||||
|
|
||||||
location ~ \.php$ {
|
|
||||||
include snippets/fastcgi-php.conf;
|
|
||||||
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
|
|
||||||
}
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ /index.php?$args;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name ecm.libraryofcode.org;
|
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
|
||||||
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
|
||||||
|
|
||||||
#ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
|
|
||||||
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
||||||
|
|
||||||
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
|
|
||||||
|
|
||||||
#ssl_prefer_server_ciphers on;
|
|
||||||
ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
|
|
||||||
ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
|
||||||
ssl_ecdh_curve secp384r1;
|
|
||||||
location / {
|
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
|
|
||||||
proxy_pass https://localhost:7150;
|
|
||||||
|
|
||||||
proxy_read_timeout 90;
|
|
||||||
|
|
||||||
proxy_redirect https://localhost:7150 https://ecm.libraryofcode.org;
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
#server {
|
|
||||||
# listen 443 ssl http2;
|
|
||||||
# listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
# server_name ldap.libraryofcode.org;
|
|
||||||
# ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
|
||||||
|
|
||||||
#ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
|
||||||
|
|
||||||
#ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
|
|
||||||
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
||||||
|
|
||||||
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
|
|
||||||
|
|
||||||
#ssl_prefer_server_ciphers on;
|
|
||||||
#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
|
|
||||||
# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
|
|
||||||
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
# ssl_dhparam /etc/nginx/dhparam.pem;
|
|
||||||
# ssl_ecdh_curve secp384r1;
|
|
||||||
#include /etc/ldap-account-manager/nginx.conf;
|
|
||||||
# location / {
|
|
||||||
|
|
||||||
#proxy_set_header Host $host;
|
|
||||||
|
|
||||||
#proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
|
|
||||||
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
#proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
#proxy_set_header Upgrade $http_upgrade;
|
|
||||||
#proxy_set_header Connection "upgrade";
|
|
||||||
|
|
||||||
#proxy_pass https://localhost:7150;
|
|
||||||
|
|
||||||
#proxy_read_timeout 90;
|
|
||||||
|
|
||||||
#proxy_redirect https://localhost:7150 https://ecm.libraryofcode.org;
|
|
||||||
|
|
||||||
#}
|
|
||||||
#}
|
|
||||||
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name keys.libraryofcode.org;
|
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
|
||||||
root /var/www/html/sks;
|
|
||||||
error_page 404 /404.html;
|
|
||||||
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
|
|
||||||
ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
|
||||||
ssl_ecdh_curve secp384r1;
|
|
||||||
location ~ (.git|LICENSE|readme.md) {
|
|
||||||
deny all;
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /pks {
|
root /var/www/wordpress;
|
||||||
proxy_pass http://127.0.0.1:11371;
|
index index.php;
|
||||||
proxy_pass_header Server;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
location ~ \.php$ {
|
||||||
|
include snippets/fastcgi-php.conf;
|
||||||
|
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
|
||||||
|
}
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ /index.php?$args;
|
||||||
|
}
|
||||||
}
|
}
|
|
@ -6,42 +6,26 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#include /etc/nginx/error/502;
|
|
||||||
#include /etc/nginx/error/504;
|
|
||||||
#include /etc/nginx/error/500;
|
|
||||||
#include /etc/nginx/error/404;
|
|
||||||
#include /etc/nginx/error/429;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
client_max_body_size 1G;
|
client_max_body_size 1G;
|
||||||
#limit_req zone=one burst=15;
|
|
||||||
|
|
||||||
|
location / {
|
||||||
location / {
|
return 307 $scheme://lists.libraryofcode.org/cgi-bin/mailman/listinfo;
|
||||||
return 307 $scheme://lists.libraryofcode.org/cgi-bin/mailman/listinfo;
|
}
|
||||||
}
|
location /cgi-bin/mailman {
|
||||||
location /cgi-bin/mailman {
|
root /usr/lib/;
|
||||||
root /usr/lib/;
|
fastcgi_split_path_info (^/cgi-bin/mailman/[^/]*)(.*)$;
|
||||||
fastcgi_split_path_info (^/cgi-bin/mailman/[^/]*)(.*)$;
|
include /etc/nginx/fastcgi_params;
|
||||||
include /etc/nginx/fastcgi_params;
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
|
||||||
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
|
fastcgi_intercept_errors on;
|
||||||
fastcgi_intercept_errors on;
|
fastcgi_pass unix:/var/run/fcgiwrap.socket;
|
||||||
fastcgi_pass unix:/var/run/fcgiwrap.socket;
|
}
|
||||||
}
|
location /images/mailman {
|
||||||
location /images/mailman {
|
alias /usr/share/images/mailman;
|
||||||
alias /usr/share/images/mailman;
|
}
|
||||||
}
|
location /pipermail {
|
||||||
location /pipermail {
|
alias /var/lib/mailman/archives/public;
|
||||||
alias /var/lib/mailman/archives/public;
|
autoindex on;
|
||||||
autoindex on;
|
}
|
||||||
}
|
|
||||||
}
|
}
|
|
@ -2,41 +2,26 @@ server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
server_name loc.sh;
|
server_name loc.sh;
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/loc.sh-0001/fullchain.pem; # managed by Certbot
|
ssl_certificate /etc/letsencrypt/live/loc.sh-0001/fullchain.pem; # managed by Certbot
|
||||||
ssl_certificate_key /etc/letsencrypt/live/loc.sh-0001/privkey.pem; # managed by Certbot
|
ssl_certificate_key /etc/letsencrypt/live/loc.sh-0001/privkey.pem; # managed by Certbot
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#include /etc/nginx/error/502;
|
|
||||||
#include /etc/nginx/error/504;
|
|
||||||
#include /etc/nginx/error/500;
|
|
||||||
#include /etc/nginx/error/404;
|
|
||||||
#include /etc/nginx/error/429;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
#limit_req zone=one burst=15;
|
|
||||||
location / {
|
location / {
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
proxy_pass http://localhost:3890;
|
proxy_pass http://localhost:3890;
|
||||||
|
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
|
|
||||||
proxy_redirect http://localhost:3890 https://loc.sh;
|
proxy_redirect http://localhost:3890 https://loc.sh;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
|
@ -6,39 +6,23 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/modmail-ins.chain.crt;
|
ssl_certificate /etc/nginx/ssl/modmail-ins.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/modmail-ins.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/modmail-ins.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#include /etc/nginx/error/502;
|
|
||||||
#include /etc/nginx/error/504;
|
|
||||||
#include /etc/nginx/error/500;
|
|
||||||
#include /etc/nginx/error/404;
|
|
||||||
#include /etc/nginx/error/429;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
#limit_req zone=one burst=15;
|
|
||||||
location / {
|
location / {
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
proxy_set_header X-Frame-Options SAMEORIGIN;
|
proxy_set_header X-Frame-Options SAMEORIGIN;
|
||||||
|
|
||||||
proxy_pass http://10.8.0.1:5478;
|
proxy_pass http://10.8.0.1:5478;
|
||||||
|
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
|
|
||||||
proxy_redirect http://10.8.0.1:5478 https://modmail.ins;
|
proxy_redirect http://10.8.0.1:5478 https://modmail.ins;
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
|
@ -6,23 +6,8 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/pbx-ins.chain.crt;
|
ssl_certificate /etc/nginx/ssl/pbx-ins.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/pbx-ins.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/pbx-ins.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#include /etc/nginx/error/502;
|
|
||||||
#include /etc/nginx/error/504;
|
|
||||||
#include /etc/nginx/error/500;
|
|
||||||
#include /etc/nginx/error/404;
|
|
||||||
#include /etc/nginx/error/429;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
client_max_body_size 230M;
|
client_max_body_size 230M;
|
||||||
client_body_timeout 1h;
|
client_body_timeout 1h;
|
||||||
#limit_req zone=one burst=15;
|
|
||||||
root /var/www/html;
|
root /var/www/html;
|
||||||
|
|
||||||
index index.html index.htm index.php;
|
index index.html index.htm index.php;
|
||||||
|
@ -32,9 +17,9 @@ server {
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ \.php$ {
|
location ~ \.php$ {
|
||||||
include snippets/fastcgi-php.conf; # server defaults are good
|
include snippets/fastcgi-php.conf; # server defaults are good
|
||||||
fastcgi_pass unix:/run/php/php7.3-fpm-asterisk.sock;
|
fastcgi_pass unix:/run/php/php7.3-fpm-asterisk.sock;
|
||||||
fastcgi_param HTACCESS on; # disables FreePBX htaccess warning
|
fastcgi_param HTACCESS on; # disables FreePBX htaccess warning
|
||||||
proxy_read_timeout 800;
|
proxy_read_timeout 800;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,28 +1,18 @@
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
server_name report.libraryofcode.org;
|
server_name report.libraryofcode.org;
|
||||||
|
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
root /var/www/report;
|
||||||
ssl_protocols TLSv1.2;
|
index public/index.html;
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
location /assets {
|
||||||
|
alias /var/www/report/assets/;
|
||||||
ssl_prefer_server_ciphers on;
|
#root /var/www/report/assets;
|
||||||
|
#try_files /var/www/report/assets/$uri /var/www/report/assets/$uri/ =404;
|
||||||
ssl_stapling on;
|
try_files $uri $uri/ =404;
|
||||||
ssl_stapling_verify on;
|
}
|
||||||
|
|
||||||
root /var/www/report;
|
|
||||||
index public/index.html;
|
|
||||||
|
|
||||||
location /assets {
|
|
||||||
alias /var/www/report/assets/;
|
|
||||||
#root /var/www/report/assets;
|
|
||||||
#try_files /var/www/report/assets/$uri /var/www/report/assets/$uri/ =404;
|
|
||||||
try_files $uri $uri/ =404;
|
|
||||||
}
|
|
||||||
}
|
}
|
|
@ -24,19 +24,19 @@ server {
|
||||||
#limit_req zone=one burst=15;
|
#limit_req zone=one burst=15;
|
||||||
location / {
|
location / {
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
proxy_pass http://localhost:3020;
|
proxy_pass http://localhost:3020;
|
||||||
|
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
|
|
||||||
proxy_redirect http://localhost:3020 https://staff.libraryofcode.org;
|
proxy_redirect http://localhost:3020 https://staff.libraryofcode.org;
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
|
@ -1,23 +1,23 @@
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
server_name static.libraryofcode.org;
|
server_name static.libraryofcode.org;
|
||||||
|
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
ssl_session_cache builtin:1000 shared:SSL:10m;
|
||||||
ssl_protocols TLSv1.2;
|
ssl_protocols TLSv1.2;
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
|
|
||||||
root /var/www/static;
|
root /var/www/static;
|
||||||
location / {
|
location / {
|
||||||
autoindex on;
|
autoindex on;
|
||||||
}
|
}
|
||||||
}
|
}
|
|
@ -6,39 +6,24 @@ server {
|
||||||
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
ssl_certificate /etc/nginx/ssl/org.chain.crt;
|
||||||
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
|
||||||
|
|
||||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
||||||
#include /etc/nginx/error/502;
|
|
||||||
#include /etc/nginx/error/504;
|
|
||||||
#include /etc/nginx/error/500;
|
|
||||||
#include /etc/nginx/error/404;
|
|
||||||
#include /etc/nginx/error/429;
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
client_max_body_size 1G;
|
client_max_body_size 1G;
|
||||||
#limit_req zone=one burst=15;
|
|
||||||
location / {
|
location / {
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
proxy_set_header X-Frame-Options SAMEORIGIN;
|
proxy_set_header X-Frame-Options SAMEORIGIN;
|
||||||
|
|
||||||
proxy_pass http://localhost:3000;
|
proxy_pass http://localhost:3000;
|
||||||
|
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
|
|
||||||
proxy_redirect http://localhost:3000 https://wiki.libraryofcode.org;
|
proxy_redirect http://localhost:3000 https://wiki.libraryofcode.org;
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
|
@ -35,11 +35,14 @@ http {
|
||||||
# SSL Settings
|
# SSL Settings
|
||||||
##
|
##
|
||||||
|
|
||||||
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
|
ssl_prefer_server_ciphers on;
|
||||||
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
ssl_session_cache shared:SSL:10m;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
ssl_dhparam /etc/nginx/dhparam.pem
|
ssl_dhparam /etc/nginx/dhparam.pem
|
||||||
;ssl_ecdh_curve secp384r1;
|
ssl_ecdh_curve prime256v1:secp384r1;
|
||||||
|
|
||||||
##
|
##
|
||||||
# Logging Settings
|
# Logging Settings
|
||||||
|
|
|
@ -0,0 +1,104 @@
|
||||||
|
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
|
||||||
|
|
||||||
|
# Server Information
|
||||||
|
smtpd_banner = $myhostname Library of Code sp-us Staff Services | ESMTP (Debian/GNU)
|
||||||
|
myhostname = staff.libraryofcode.org
|
||||||
|
myorigin = /etc/mailname
|
||||||
|
mydestination = $myhostname, libraryofcode.org
|
||||||
|
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 63.141.252.130
|
||||||
|
mail_name = Library of Code sp-us | Staff Services
|
||||||
|
|
||||||
|
|
||||||
|
# Relay Settings
|
||||||
|
relayhost =
|
||||||
|
relay_domains = lists.libraryofcode.org
|
||||||
|
|
||||||
|
|
||||||
|
# MDA & Delivery
|
||||||
|
append_dot_mydomain = no
|
||||||
|
biff = no
|
||||||
|
mailbox_transport = lmtp:unix:private/dovecot-lmtp
|
||||||
|
message_size_limit = 1073741824
|
||||||
|
transport_maps = hash:/etc/postfix/transport
|
||||||
|
mailbox_size_limit = 0
|
||||||
|
recipient_delimiter = +
|
||||||
|
|
||||||
|
|
||||||
|
# Authentication
|
||||||
|
smtpd_sasl_auth_enable = yes
|
||||||
|
broken_sasl_auth_clients = yes
|
||||||
|
|
||||||
|
|
||||||
|
# TLS parameters
|
||||||
|
smtpd_tls_cert_file=/etc/postfix/ssl/globalsign.crt
|
||||||
|
smtpd_tls_key_file=/etc/postfix/ssl/globalsign.key.pem
|
||||||
|
smtpd_use_tls=yes
|
||||||
|
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||||
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||||
|
smtp_tls_security_level = may
|
||||||
|
smtpd_tls_security_level = may
|
||||||
|
smtp_tls_note_starttls_offer = yes
|
||||||
|
smtpd_tls_CAfile = /etc/postfix/ssl/globalsign.ca.crt
|
||||||
|
smtpd_tls_loglevel = 1
|
||||||
|
smtpd_tls_received_header = yes
|
||||||
|
smtpd_tls_session_cache_timeout = 3600s
|
||||||
|
tls_random_source = dev:/dev/urandom
|
||||||
|
|
||||||
|
|
||||||
|
# RESTRICTIONS
|
||||||
|
smtpd_relay_restrictions =
|
||||||
|
permit_mynetworks,
|
||||||
|
permit_sasl_authenticated,
|
||||||
|
defer_unauth_destination,
|
||||||
|
smtpd_helo_restrictions =
|
||||||
|
permit_mynetworks,
|
||||||
|
reject_non_fqdn_helo_hostname,
|
||||||
|
reject_invalid_helo_hostname,
|
||||||
|
reject_unknown_helo_hostname,
|
||||||
|
permit,
|
||||||
|
smtpd_sender_restrictions =
|
||||||
|
reject_unknown_sender_domain,
|
||||||
|
reject_unknown_reverse_client_hostname,
|
||||||
|
reject_unknown_client_hostname,
|
||||||
|
reject_sender_login_mismatch,
|
||||||
|
permit_mynetworks,
|
||||||
|
permit_sasl_authenticated,
|
||||||
|
permit,
|
||||||
|
smtpd_recipient_restrictions =
|
||||||
|
reject_unauth_pipelining,
|
||||||
|
reject_non_fqdn_recipient,
|
||||||
|
reject_unknown_recipient_domain,
|
||||||
|
permit_mynetworks,
|
||||||
|
check_policy_service inet:127.0.0.1:10023,
|
||||||
|
reject_rbl_client sbl.spamhaus.org,
|
||||||
|
reject_rbl_client xbl.spamhaus.org,
|
||||||
|
permit,
|
||||||
|
|
||||||
|
|
||||||
|
# Local Aliases
|
||||||
|
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
|
||||||
|
alias_database = hash:/etc/aliases
|
||||||
|
|
||||||
|
|
||||||
|
# Virtual Alises
|
||||||
|
smtpd_sender_login_maps = hash:/etc/postfix/virtual-mailbox-users
|
||||||
|
virtual_alias_maps = hash:/etc/postfix/virtual
|
||||||
|
|
||||||
|
|
||||||
|
# Network Settings & Milters
|
||||||
|
inet_interfaces = all
|
||||||
|
inet_protocols = all
|
||||||
|
milter_default_action = accept
|
||||||
|
milter_protocol = 6
|
||||||
|
smtpd_milters =
|
||||||
|
inet:localhost:8891,
|
||||||
|
local:/opendmarc/opendmarc.sock,
|
||||||
|
inet:localhost:8892
|
||||||
|
non_smtpd_milters = $smtpd_milters
|
||||||
|
|
||||||
|
|
||||||
|
# Misc
|
||||||
|
readme_directory = no
|
||||||
|
compatibility_level = 2
|
||||||
|
unknown_local_recipient_reject_code = 550
|
||||||
|
mailman_destination_recipient_limit = 1
|
|
@ -1,98 +1,135 @@
|
||||||
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
|
#
|
||||||
|
# Postfix master process configuration file. For details on the format
|
||||||
|
# of the file, see the master(5) manual page (command: "man 5 master" or
|
||||||
|
# on-line: http://www.postfix.org/master.5.html).
|
||||||
|
#
|
||||||
|
# Do not forget to execute "postfix reload" after editing this file.
|
||||||
|
#
|
||||||
|
# ==========================================================================
|
||||||
|
# service type private unpriv chroot wakeup maxproc command + args
|
||||||
|
# (yes) (yes) (no) (never) (100)
|
||||||
|
# ==========================================================================
|
||||||
|
smtp inet n - y - - smtpd
|
||||||
|
-o content_filter=spamassassin
|
||||||
|
-o syslog_name=postfix/smtp
|
||||||
|
#smtp inet n - y - 1 postscreen
|
||||||
|
#smtpd pass - - y - - smtpd
|
||||||
|
#dnsblog unix - - y - 0 dnsblog
|
||||||
|
#tlsproxy unix - - y - 0 tlsproxy
|
||||||
|
|
||||||
|
submission inet n - y - - smtpd
|
||||||
|
-o syslog_name=postfix/submission
|
||||||
|
-o smtpd_tls_security_level=encrypt
|
||||||
|
-o smtpd_sasl_auth_enable=yes
|
||||||
|
-o smtpd_reject_unlisted_recipient=no
|
||||||
|
-o smtpd_client_restrictions=$mua_client_restrictions
|
||||||
|
-o smtpd_helo_restrictions=$mua_helo_restrictions
|
||||||
|
-o smtpd_sender_restrictions=$mua_sender_restrictions
|
||||||
|
-o smtpd_recipient_restrictions=
|
||||||
|
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
|
||||||
|
-o milter_macro_daemon_name=ORIGINATING
|
||||||
|
-o cleanup_service_name=privclean
|
||||||
|
smtps inet n - y - - smtpd
|
||||||
|
-o syslog_name=postfix/smtps
|
||||||
|
-o smtpd_tls_wrappermode=yes
|
||||||
|
-o smtpd_sasl_auth_enable=yes
|
||||||
|
-o smtpd_reject_unlisted_recipient=no
|
||||||
|
-o smtpd_client_restrictions=$mua_client_restrictions
|
||||||
|
-o smtpd_helo_restrictions=$mua_helo_restrictions
|
||||||
|
-o smtpd_sender_restrictions=$mua_sender_restrictions
|
||||||
|
-o smtpd_recipient_restrictions=
|
||||||
|
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
|
||||||
|
-o milter_macro_daemon_name=ORIGINATING
|
||||||
|
#628 inet n - y - - qmqpd
|
||||||
|
pickup unix n - y 60 1 pickup
|
||||||
|
cleanup unix n - y - 0 cleanup
|
||||||
|
qmgr unix n - n 300 1 qmgr
|
||||||
|
#qmgr unix n - n 300 1 oqmgr
|
||||||
|
tlsmgr unix - - y 1000? 1 tlsmgr
|
||||||
|
rewrite unix - - y - - trivial-rewrite
|
||||||
|
bounce unix - - y - 0 bounce
|
||||||
|
defer unix - - y - 0 bounce
|
||||||
|
trace unix - - y - 0 bounce
|
||||||
|
verify unix - - y - 1 verify
|
||||||
|
flush unix n - y 1000? 0 flush
|
||||||
|
proxymap unix - - n - - proxymap
|
||||||
|
proxywrite unix - - n - 1 proxymap
|
||||||
|
smtp unix - - y - - smtp
|
||||||
|
relay unix - - y - - smtp
|
||||||
|
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
|
||||||
|
showq unix n - y - - showq
|
||||||
|
error unix - - y - - error
|
||||||
|
retry unix - - y - - error
|
||||||
|
discard unix - - y - - discard
|
||||||
|
local unix - n n - - local
|
||||||
|
virtual unix - n n - - virtual
|
||||||
|
lmtp unix - - y - - lmtp
|
||||||
|
anvil unix - - y - 1 anvil
|
||||||
|
scache unix - - y - 1 scache
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
# Interfaces to non-Postfix software. Be sure to examine the manual
|
||||||
|
# pages of the non-Postfix software to find out what options it wants.
|
||||||
|
#
|
||||||
|
# Many of the following services use the Postfix pipe(8) delivery
|
||||||
|
# agent. See the pipe(8) man page for information about ${recipient}
|
||||||
|
# and other message envelope options.
|
||||||
|
# ====================================================================
|
||||||
|
#
|
||||||
|
# maildrop. See the Postfix MAILDROP_README file for details.
|
||||||
|
# Also specify in main.cf: maildrop_destination_recipient_limit=1
|
||||||
|
#
|
||||||
|
maildrop unix - n n - - pipe
|
||||||
|
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
#
|
||||||
|
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
|
||||||
|
#
|
||||||
|
# Specify in cyrus.conf:
|
||||||
|
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
|
||||||
|
#
|
||||||
|
# Specify in main.cf one or more of the following:
|
||||||
|
# mailbox_transport = lmtp:inet:localhost
|
||||||
|
# virtual_transport = lmtp:inet:localhost
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
#
|
||||||
|
# Cyrus 2.1.5 (Amos Gouaux)
|
||||||
|
# Also specify in main.cf: cyrus_destination_recipient_limit=1
|
||||||
|
#
|
||||||
|
#cyrus unix - n n - - pipe
|
||||||
|
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
# Old example of delivery via Cyrus.
|
||||||
|
#
|
||||||
|
#old-cyrus unix - n n - - pipe
|
||||||
|
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
#
|
||||||
|
# See the Postfix UUCP_README file for configuration details.
|
||||||
|
#
|
||||||
|
uucp unix - n n - - pipe
|
||||||
|
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
|
||||||
|
#
|
||||||
|
# Other external delivery methods.
|
||||||
|
#
|
||||||
|
ifmail unix - n n - - pipe
|
||||||
|
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
|
||||||
|
bsmtp unix - n n - - pipe
|
||||||
|
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
|
||||||
|
scalemail-backend unix - n n - 2 pipe
|
||||||
|
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
|
||||||
|
mailman unix - n n - - pipe
|
||||||
|
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
|
||||||
|
${nexthop} ${user}
|
||||||
|
|
||||||
# Debian specific: Specifying a file name will cause the first
|
spamassassin unix - n n - - pipe
|
||||||
# line of that file to be used as the name. The Debian default
|
user=spamd argv=/usr/bin/spamc -f -e
|
||||||
# is /etc/mailname.
|
/usr/sbin/sendmail -oi -f ${sender} ${recipient}
|
||||||
#myorigin = /etc/mailname
|
|
||||||
|
|
||||||
smtpd_banner = $myhostname Library of Code sp-us Staff Services | ESMTP (Debian/GNU)
|
privclean unix n - - - 0 cleanup
|
||||||
biff = no
|
-o header_checks=pcre:/etc/postfix/outgoing_headers
|
||||||
|
-o nested_header_checks=
|
||||||
# appending .domain is the MUA's job.
|
|
||||||
append_dot_mydomain = no
|
|
||||||
|
|
||||||
# Uncomment the next line to generate "delayed mail" warnings
|
|
||||||
#delay_warning_time = 4h
|
|
||||||
|
|
||||||
readme_directory = no
|
|
||||||
|
|
||||||
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
|
|
||||||
# fresh installs.
|
|
||||||
compatibility_level = 2
|
|
||||||
|
|
||||||
# TLS parameters
|
|
||||||
smtpd_tls_cert_file=/etc/postfix/ssl/globalsign.crt
|
|
||||||
smtpd_tls_key_file=/etc/postfix/ssl/globalsign.key.pem
|
|
||||||
smtpd_use_tls=yes
|
|
||||||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
|
||||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
|
||||||
smtp_tls_security_level = may
|
|
||||||
smtpd_tls_security_level = may
|
|
||||||
smtp_tls_note_starttls_offer = yes
|
|
||||||
smtpd_tls_CAfile = /etc/postfix/ssl/globalsign.ca.crt
|
|
||||||
smtpd_tls_loglevel = 1
|
|
||||||
smtpd_tls_received_header = yes
|
|
||||||
smtpd_tls_session_cache_timeout = 3600s
|
|
||||||
tls_random_source = dev:/dev/urandom
|
|
||||||
|
|
||||||
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
|
|
||||||
# information on enabling SSL in the smtp client.
|
|
||||||
|
|
||||||
# RESTRICTIONS
|
|
||||||
smtpd_relay_restrictions =
|
|
||||||
permit_mynetworks,
|
|
||||||
permit_sasl_authenticated,
|
|
||||||
defer_unauth_destination,
|
|
||||||
smtpd_helo_restrictions =
|
|
||||||
permit_mynetworks,
|
|
||||||
reject_non_fqdn_helo_hostname,
|
|
||||||
reject_invalid_helo_hostname,
|
|
||||||
reject_unknown_helo_hostname,
|
|
||||||
permit,
|
|
||||||
smtpd_sender_restrictions =
|
|
||||||
reject_unknown_sender_domain,
|
|
||||||
reject_unknown_reverse_client_hostname,
|
|
||||||
reject_unknown_client_hostname,
|
|
||||||
reject_sender_login_mismatch,
|
|
||||||
permit_mynetworks,
|
|
||||||
permit_sasl_authenticated,
|
|
||||||
permit,
|
|
||||||
smtpd_recipient_restrictions =
|
|
||||||
reject_unauth_pipelining,
|
|
||||||
reject_non_fqdn_recipient,
|
|
||||||
reject_unknown_recipient_domain,
|
|
||||||
permit_mynetworks,
|
|
||||||
check_policy_service inet:127.0.0.1:10023
|
|
||||||
permit,
|
|
||||||
|
|
||||||
myhostname = staff.libraryofcode.org
|
|
||||||
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
|
|
||||||
alias_database = hash:/etc/aliases
|
|
||||||
smtpd_sender_login_maps = hash:/etc/postfix/virtual-mailbox-users
|
|
||||||
|
|
||||||
myorigin = /etc/mailname
|
|
||||||
mydestination = $myhostname, libraryofcode.org, libraryofcode.us staff.libraryofcode.us, staff-libraryofcode.staff.libraryofcode.us, localhost.staff.libraryofcode.us, localhost, libraryofcode.us
|
|
||||||
relayhost =
|
|
||||||
relay_domains = lists.libraryofcode.org
|
|
||||||
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 63.141.252.130
|
|
||||||
mailbox_size_limit = 0
|
|
||||||
mailbox_command = procmail -a "$EXTENSION" DEFAULT=/var/mail/$USER
|
|
||||||
recipient_delimiter = +
|
|
||||||
inet_interfaces = all
|
|
||||||
inet_protocols = all
|
|
||||||
smtpd_sasl_auth_enable = yes
|
|
||||||
broken_sasl_auth_clients = yes
|
|
||||||
milter_default_action = accept
|
|
||||||
milter_protocol = 6
|
|
||||||
smtpd_milters = inet:localhost:8891, local:/opendmarc/opendmarc.sock
|
|
||||||
non_smtpd_milters = $smtpd_milters
|
|
||||||
mail_name = Library of Code sp-us | Staff Command
|
|
||||||
virtual_alias_maps = hash:/etc/postfix/virtual
|
|
||||||
|
|
||||||
#authorized_submit_users = !boss, !test, static:all
|
|
||||||
message_size_limit = 1073741824
|
|
||||||
transport_maps = hash:/etc/postfix/transport
|
|
||||||
unknown_local_recipient_reject_code = 550
|
|
||||||
mailman_destination_recipient_limit = 1
|
|
||||||
#local_recipient_maps = hash:/var/lib/mailman3/data/postfix_lmtp
|
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
import os
|
||||||
|
|
||||||
|
home_directories = os.listdir("/home")
|
||||||
|
|
||||||
|
for user in home_directories:
|
||||||
|
os.system("sa-learn --spam /home/%s/mail/Junk" % user)
|
|
@ -0,0 +1,8 @@
|
||||||
|
# Activate Nginx Server Blocks
|
||||||
|
|
||||||
|
if [ $# -eq 0 ]; then
|
||||||
|
echo "No arguments provided"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
sudo ln -s /etc/nginx/sites-available/$1.conf /etc/nginx/sites-enabled/$1.conf
|
Loading…
Reference in New Issue