additions or whateva

merge-requests/2/head
Matthew 2021-05-01 15:13:49 -04:00
parent f127dd6253
commit 6f4266f5b6
No known key found for this signature in database
GPG Key ID: 210AF32ADE3B5C4B
38 changed files with 855 additions and 1471 deletions

View File

@ -0,0 +1,23 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ats.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
root /var/www/opencats;
index index.html index.htm index.php;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_param HTACCESS on;
proxy_read_timeout 800;
}
}

View File

@ -6,16 +6,6 @@ server {
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
root /var/binary; root /var/binary;
location / { location / {
autoindex on; autoindex on;

View File

@ -6,22 +6,6 @@ server {
ssl_certificate /etc/nginx/ssl/board-ins.chain.crt; ssl_certificate /etc/nginx/ssl/board-ins.chain.crt;
ssl_certificate_key /etc/nginx/ssl/board-ins.key.pem; ssl_certificate_key /etc/nginx/ssl/board-ins.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502;
#include /etc/nginx/error/504;
#include /etc/nginx/error/500;
#include /etc/nginx/error/404;
#include /etc/nginx/error/429;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
#limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;

View File

@ -6,22 +6,6 @@ server {
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502;
#include /etc/nginx/error/504;
#include /etc/nginx/error/500;
#include /etc/nginx/error/404;
#include /etc/nginx/error/429;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
#limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;

View File

@ -6,24 +6,6 @@ server {
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502;
#include /etc/nginx/error/504;
#include /etc/nginx/error/500;
#include /etc/nginx/error/404;
#include /etc/nginx/error/429;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
client_max_body_size 1G;
#limit_req zone=one burst=15;
location / { location / {
return 307 $scheme://www.libraryofcode.org/; return 307 $scheme://www.libraryofcode.org/;
} }

View File

@ -6,22 +6,6 @@ server {
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502;
#include /etc/nginx/error/504;
#include /etc/nginx/error/500;
#include /etc/nginx/error/404;
#include /etc/nginx/error/429;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
#limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;

View File

@ -6,22 +6,6 @@ server {
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502;
#include /etc/nginx/error/504;
#include /etc/nginx/error/500;
#include /etc/nginx/error/404;
#include /etc/nginx/error/429;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
#limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;

View File

@ -6,17 +6,8 @@ server {
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
root /var/www/content; root /var/www/content;
location / { location / {
autoindex on; autoindex on;
} }

View File

@ -6,37 +6,21 @@ server {
ssl_certificate /etc/nginx/ssl/cr-ins.chain.crt; ssl_certificate /etc/nginx/ssl/cr-ins.chain.crt;
ssl_certificate_key /etc/nginx/ssl/cr-ins.key.pem; ssl_certificate_key /etc/nginx/ssl/cr-ins.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502;
#include /etc/nginx/error/504;
#include /etc/nginx/error/500;
#include /etc/nginx/error/404;
#include /etc/nginx/error/429;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
#limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://10.8.0.1:3891; proxy_pass http://10.8.0.1:3891;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_redirect http://10.8.0.1:3891 https://cr.ins; proxy_redirect http://10.8.0.1:3891 https://cr.ins;
} }
} }

View File

@ -6,39 +6,23 @@ server {
ssl_certificate /etc/nginx/ssl/data-ins.chain.crt; ssl_certificate /etc/nginx/ssl/data-ins.chain.crt;
ssl_certificate_key /etc/nginx/ssl/data-ins.key.pem; ssl_certificate_key /etc/nginx/ssl/data-ins.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502;
#include /etc/nginx/error/504;
#include /etc/nginx/error/500;
#include /etc/nginx/error/404;
#include /etc/nginx/error/429;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
#limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://10.8.0.1:19999; proxy_pass http://10.8.0.1:19999;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_redirect http://10.8.0.1:19999 https://data.ins; proxy_redirect http://10.8.0.1:19999 https://data.ins;
} }
} }

View File

@ -1,21 +1,11 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name directory.libraryofcode.org; server_name directory.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m; root /var/www/int;
ssl_protocols TLSv1.2; index index.html;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
root /var/www/int;
index index.html;
} }

View File

@ -5,48 +5,43 @@ server {
ssl_certificate /etc/nginx/ssl/dns.chain.crt; ssl_certificate /etc/nginx/ssl/dns.chain.crt;
ssl_certificate_key /etc/nginx/ssl/dns.key.pem; ssl_certificate_key /etc/nginx/ssl/dns.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on; index index.html index.htm index.php;
root /opt/powerdns-admin;
access_log /var/log/nginx/powerdns-admin.local.access.log combined;
error_log /var/log/nginx/powerdns-admin.local.error.log;
index index.html index.htm index.php; client_max_body_size 10m;
root /opt/powerdns-admin; client_body_buffer_size 128k;
access_log /var/log/nginx/powerdns-admin.local.access.log combined; proxy_redirect off;
error_log /var/log/nginx/powerdns-admin.local.error.log; proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
proxy_buffer_size 8k;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_headers_hash_bucket_size 64;
client_max_body_size 10m; location ~ ^/static/ {
client_body_buffer_size 128k; include /etc/nginx/mime.types;
proxy_redirect off; root /opt/powerdns-admin/powerdnsadmin;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
proxy_buffer_size 8k;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_headers_hash_bucket_size 64;
location ~ ^/static/ { location ~* \.(jpg|jpeg|png|gif)$ {
include /etc/nginx/mime.types; expires 365d;
root /opt/powerdns-admin/powerdnsadmin; }
location ~* \.(jpg|jpeg|png|gif)$ { location ~* ^.+.(css|js)$ {
expires 365d; expires 7d;
}
} }
location ~* ^.+.(css|js)$ { location / {
expires 7d; proxy_pass http://unix:/run/powerdns-admin/socket;
proxy_read_timeout 120;
proxy_connect_timeout 120;
proxy_redirect off;
} }
}
location / {
proxy_pass http://unix:/run/powerdns-admin/socket;
proxy_read_timeout 120;
proxy_connect_timeout 120;
proxy_redirect off;
}
} }

View File

@ -6,39 +6,25 @@ server {
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502;
#include /etc/nginx/error/504;
#include /etc/nginx/error/500;
#include /etc/nginx/error/404;
#include /etc/nginx/error/429;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
client_max_body_size 1G; client_max_body_size 1G;
#limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://localhost:5000; proxy_pass http://localhost:5000;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_redirect http://localhost:5000 https://docker.libraryofcode.org; proxy_redirect http://localhost:5000 https://docker.libraryofcode.org;
} }
} }

View File

@ -6,39 +6,25 @@ server {
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502;
#include /etc/nginx/error/504;
#include /etc/nginx/error/500;
#include /etc/nginx/error/404;
#include /etc/nginx/error/429;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
client_max_body_size 1G; client_max_body_size 1G;
#limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://localhost:5608; proxy_pass http://localhost:5608;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_redirect http://localhost:5608 https://drive.libraryofcode.org; proxy_redirect http://localhost:5608 https://drive.libraryofcode.org;
} }
} }

View File

@ -1,3 +1,8 @@
upstream eds-backend {
server localhost:7101;
server node2.libraryofcode.org:7101 baackup;
}
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
@ -6,39 +11,21 @@ server {
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502;
#include /etc/nginx/error/504;
#include /etc/nginx/error/500;
#include /etc/nginx/error/404;
#include /etc/nginx/error/429;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
#limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://localhost:7101; proxy_pass http://eds-backend;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_redirect http://localhost:7101 https://eds.libraryofcode.org; }
}
} }

View File

@ -1,32 +1,23 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name edu.libraryofcode.org; server_name edu.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; root /opt/canvas/public;
charset utf-8;
ssl_prefer_server_ciphers on; include mime.types;
client_max_body_size 5000M;
ssl_stapling on; default_type application/octet-stream;
ssl_stapling_verify on; access_log /var/log/nginx/canvas.access.log;
error_log /var/log/nginx/canvas.error.log;
root /opt/canvas/public; passenger_ruby /usr/local/bin/ruby2.4;
charset utf-8; passenger_load_shell_envvars off;
include mime.types; #passenger_log_level 4;
client_max_body_size 5000M; passenger_start_timeout 300;
default_type application/octet-stream; passenger_enabled on;
access_log /var/log/nginx/canvas.access.log; rails_env production;
error_log /var/log/nginx/canvas.error.log;
passenger_ruby /usr/local/bin/ruby2.4;
passenger_load_shell_envvars off;
#passenger_log_level 4;
passenger_start_timeout 300;
passenger_enabled on;
rails_env production;
} }

View File

@ -6,39 +6,23 @@ server {
ssl_certificate /etc/nginx/ssl/firewall-ins.chain.crt; ssl_certificate /etc/nginx/ssl/firewall-ins.chain.crt;
ssl_certificate_key /etc/nginx/ssl/firewall-ins.key.pem; ssl_certificate_key /etc/nginx/ssl/firewall-ins.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502;
#include /etc/nginx/error/504;
#include /etc/nginx/error/500;
#include /etc/nginx/error/404;
#include /etc/nginx/error/429;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
#limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://192.168.56.1:80; proxy_pass http://192.168.56.1:80;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_redirect http://192.168.56.1:80 https://firewall.ins; proxy_redirect http://192.168.56.1:80 https://firewall.ins;
} }
} }

View File

@ -1,16 +1,10 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name forms.libraryofcode.org; server_name forms.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ecdh_curve secp384r1;
root /var/www/forms; root /var/www/forms;
rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent; rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;

View File

@ -1,74 +1,74 @@
upstream gitlab-workhorse { upstream gitlab-workhorse {
server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0; server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
} }
## HTTPS host ## HTTPS host
server { server {
listen 0.0.0.0:443 ssl http2; listen 0.0.0.0:443 ssl http2;
listen [::]:443 ipv6only=on ssl http2; listen [::]:443 ipv6only=on ssl http2;
server_name gitlab.libraryofcode.org; ## Replace this with something like gitlab.example.com server_name gitlab.libraryofcode.org; ## Replace this with something like gitlab.example.com
root /opt/gitlab/embedded/service/gitlab-rails/public; root /opt/gitlab/embedded/service/gitlab-rails/public;
## Strong SSL Security ## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
ssl on; ssl on;
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
#ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; #ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m; ssl_session_timeout 5m;
## See app/controllers/application_controller.rb for headers set ## See app/controllers/application_controller.rb for headers set
## [Optional] Enable HTTP Strict Transport Security ## [Optional] Enable HTTP Strict Transport Security
## HSTS is a feature improving protection against MITM attacks ## HSTS is a feature improving protection against MITM attacks
## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/ ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
add_header Strict-Transport-Security "max-age=31536000; preload"; add_header Strict-Transport-Security "max-age=31536000; preload";
## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
## Replace with your ssl_trusted_certificate. For more info see: ## Replace with your ssl_trusted_certificate. For more info see:
## - https://medium.com/devops-programming/4445f4862461 ## - https://medium.com/devops-programming/4445f4862461
## - https://www.ruby-forum.com/topic/4419319 ## - https://www.ruby-forum.com/topic/4419319
## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
# ssl_stapling on; # ssl_stapling on;
# ssl_stapling_verify on; # ssl_stapling_verify on;
# ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
# resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
# resolver_timeout 5s; # resolver_timeout 5s;
## [Optional] Generate a stronger DHE parameter: ## [Optional] Generate a stronger DHE parameter:
## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
## ##
ssl_dhparam /etc/nginx/dhparam.pem; ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ecdh_curve secp384r1; ssl_ecdh_curve secp384r1;
## Individual nginx logs for this GitLab vhost ## Individual nginx logs for this GitLab vhost
access_log /var/log/nginx/gitlab_access.log; access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log; error_log /var/log/nginx/gitlab_error.log;
location / { location / {
client_max_body_size 0; client_max_body_size 0;
gzip off; gzip off;
## https://github.com/gitlabhq/gitlabhq/issues/694 ## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds. ## Some requests take more than 30 seconds.
proxy_read_timeout 300; proxy_read_timeout 300;
proxy_connect_timeout 300; proxy_connect_timeout 300;
proxy_redirect off; proxy_redirect off;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://gitlab-workhorse; proxy_pass http://gitlab-workhorse;
} }
} }

View File

@ -3,27 +3,13 @@ server {
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name gocrypt.libraryofcode.org; server_name gocrypt.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m; root /var/www/gocryptdoc;
#include /etc/nginx/error/502; index index.html;
#include /etc/nginx/error/504; location / {
#include /etc/nginx/error/500; try_files $uri $uri/index.html =404;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; }
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
#limit_req zone=one burst=5;
root /var/www/gocryptdoc;
index index.html;
location / {
try_files $uri $uri/index.html =404;
}
} }

View File

@ -1,7 +1,7 @@
server { server {
listen 80; listen 80;
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }

View File

@ -1,30 +1,30 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name ins-test.libraryofcode.org; server_name ins-test.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/ins-test.chain.crt; ssl_certificate /etc/nginx/ssl/ins-test.chain.crt;
ssl_certificate_key /etc/nginx/ssl/ins-test.key.pem; ssl_certificate_key /etc/nginx/ssl/ins-test.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m; ssl_session_cache builtin:1000 shared:SSL:10m;
#ssl_protocols TLSv1.2; #ssl_protocols TLSv1.2;
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; #ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify off; ssl_stapling_verify off;
root /var/www/content; root /var/www/content;
location / { location / {
autoindex on; autoindex on;
} }
location /sec { location /sec {
autoindex on; autoindex on;
auth_basic "Secure Area"; auth_basic "Secure Area";
auth_basic_user_file /etc/nginx/htpasswd; auth_basic_user_file /etc/nginx/htpasswd;
} }
} }

View File

@ -0,0 +1,13 @@
server {
listen 10.8.0.1:443 ssl http2;
#listen [::]:443 ssl http2;
server_name keys.ins;
ssl_certificate /etc/nginx/ssl/keys-ins.chain.crt;
ssl_certificate_key /etc/nginx/ssl/keys-ins.key.pem;
root /var/www/keys;
location / {
autoindex on;
}
}

View File

@ -1,23 +1,22 @@
server { server {
listen 10.8.0.1:443 ssl http2; listen 443 ssl http2;
#listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name keys.ins;
ssl_certificate /etc/nginx/ssl/keys-ins.chain.crt; server_name keys.libraryofcode.org;
ssl_certificate_key /etc/nginx/ssl/keys-ins.key.pem; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m; root /var/www/html/sks;
ssl_protocols TLSv1.2; error_page 404 /404.html;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; location ~ (.git|LICENSE|readme.md) {
deny all;
return 404;
}
ssl_prefer_server_ciphers on; location /pks {
proxy_pass http://127.0.0.1:11371;
proxy_pass_header Server;
}
ssl_stapling on;
ssl_stapling_verify on;
root /var/www/keys;
location / {
autoindex on;
}
} }

View File

@ -1,507 +1,19 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name certificates.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
#ssl_session_cache builtin:1000 shared:SSL:10m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
#ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://localhost:8080/;
proxy_read_timeout 90;
proxy_redirect https://localhost:8080 https://certificates.libraryofcode.org;
}
}
#server {
# listen 443 ssl;
# listen [::]:443 ssl;
# server_name staff.libraryofcode.org;
# ssl_certificate /etc/nginx/ssl/staff.chain.crt;
#ssl_certificate_key /etc/nginx/ssl/staff.key.pem;
#ssl_session_cache builtin:1000 shared:SSL:10m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
#ssl_prefer_server_ciphers on;
#ssl_session_cache builtin:1000 shared:SSL:10m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
#ssl_prefer_server_ciphers on;
#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1;
# location / {
#proxy_set_header Host $host;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Proto $scheme;
#proxy_pass https://localhost:8082/;
#proxy_read_timeout 90;
#proxy_redirect https://localhost:8082 https://staff.libraryofcode.org;
# }
#}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name status.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
#ssl_session_cache builtin:1000 shared:SSL:10m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
#ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8787;
proxy_read_timeout 90;
proxy_redirect http://localhost:8787 https://status.libraryofcode.org;
}
}
#server {
# listen 443 ssl;
# listen [::]:443 ssl;
# server_name modmail.libraryofcode.org;
# ssl_certificate /etc/nginx/ssl/org.chain.crt;
#ssl_certificate_key /etc/nginx/ssl/org.key.pem;
#ssl_session_cache builtin:1000 shared:SSL:10m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
#ssl_prefer_server_ciphers on;
#ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1;
# location / {
#proxy_set_header Host $host;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Proto $scheme;
#proxy_pass http://localhost:8001;
#proxy_read_timeout 90;
#proxy_redirect http://localhost:8001 https://modmail.libraryofcode.org;
# }
#}
#upstream zammad-railsserver {
# server 127.0.0.1:3001;
#}
#upstream zammad-websocket {
# server 127.0.0.1:6042;
#}
#server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
#
# # replace 'localhost' with your fqdn if you want to use zammad from remote
# server_name support.libraryofcode.org;
#
# root /opt/zammad/public;
# access_log /var/log/nginx/zammad.access.log;
# error_log /var/log/nginx/zammad.error.log;
#client_max_body_size 50M;
#ssl_certificate /etc/nginx/ssl/org.chain.crt;
#ssl_certificate_key /etc/nginx/ssl/org.key.pem;
#ssl_session_cache builtin:1000 shared:SSL:10m;
#ssl_protocols TLSv1.2;
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
#ssl_prefer_server_ciphers on;
#ssl_session_cache builtin:1000 shared:SSL:10m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
#ssl_prefer_server_ciphers on;
#ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1;
# location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
# expires max;
# }
#location /ws {
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "Upgrade";
# proxy_set_header CLIENT_IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Proto $scheme;
#proxy_read_timeout 86400;
#proxy_pass http://zammad-websocket;
#}
#location / {
# proxy_set_header Host $http_host;
# proxy_set_header CLIENT_IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Proto $scheme;
#proxy_read_timeout 300;
#proxy_pass http://zammad-railsserver;
#gzip on;
#gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
#gzip_proxied any;
#}
#}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name vault.staff.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/vault.chain.crt;
ssl_certificate_key /etc/nginx/ssl/vault.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8200;
proxy_read_timeout 90;
proxy_redirect http://localhost:8200 https://vault.staff.libraryofcode.org;
}
}
#upstream gitlab-workhorse {
# server unix:/var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0;
#}
## HTTPS host
server {
listen 0.0.0.0:443 ssl http2;
server_name gitlab.libraryofcode.us; ## Replace this with something like gitlab.example.com
root /opt/gitlab/embedded/service/gitlab-rails/public;
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
ssl on;
ssl_certificate /etc/nginx/ssl/globalsign.chain.crt;
ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem;
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
## See app/controllers/application_controller.rb for headers set
## [Optional] Enable HTTP Strict Transport Security
## HSTS is a feature improving protection against MITM attacks
## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
add_header Strict-Transport-Security "max-age=31536000; preload";
## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
## Replace with your ssl_trusted_certificate. For more info see:
## - https://medium.com/devops-programming/4445f4862461
## - https://www.ruby-forum.com/topic/4419319
## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
# ssl_stapling on;
# ssl_stapling_verify on;
# ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
# resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
# resolver_timeout 5s;
## [Optional] Generate a stronger DHE parameter:
## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
##
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ecdh_curve secp384r1;
## Individual nginx logs for this GitLab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
location / {
client_max_body_size 0;
gzip off;
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://gitlab-workhorse;
}
}
server { server {
listen 443 ssl http2 default_server; listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server; listen [::]:443 ssl http2 default_server;
server_name www.libraryofcode.org; server_name www.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
#if ($request_filename ~ /*){
# rewrite ^/$ https://loc.sh/discord redirect;
#}
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
#ssl_session_cache builtin:1000 shared:SSL:10m;
#ssl_protocols TLSv1.1 TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
#ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ecdh_curve secp384r1;
# location / {
#proxy_set_header Host $host;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Proto $scheme;
#proxy_pass http://localhost:4567;
#proxy_read_timeout 90;
#proxy_redirect http://localhost:4567 https://www.libraryofcode.org;
# }
root /var/www/wordpress;
index index.php;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
}
location / {
try_files $uri $uri/ /index.php?$args;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ecm.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
#ssl_session_cache builtin:1000 shared:SSL:10m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
#ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ecdh_curve secp384r1;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass https://localhost:7150;
proxy_read_timeout 90;
proxy_redirect https://localhost:7150 https://ecm.libraryofcode.org;
}
}
#server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# server_name ldap.libraryofcode.org;
# ssl_certificate /etc/nginx/ssl/org.chain.crt;
#ssl_certificate_key /etc/nginx/ssl/org.key.pem;
#ssl_session_cache builtin:1000 shared:SSL:10m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
#ssl_prefer_server_ciphers on;
#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# ssl_dhparam /etc/nginx/dhparam.pem;
# ssl_ecdh_curve secp384r1;
#include /etc/ldap-account-manager/nginx.conf;
# location / {
#proxy_set_header Host $host;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Proto $scheme;
#proxy_set_header Upgrade $http_upgrade;
#proxy_set_header Connection "upgrade";
#proxy_pass https://localhost:7150;
#proxy_read_timeout 90;
#proxy_redirect https://localhost:7150 https://ecm.libraryofcode.org;
#}
#}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name keys.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt;
root /var/www/html/sks;
error_page 404 /404.html;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ecdh_curve secp384r1;
location ~ (.git|LICENSE|readme.md) {
deny all;
return 404;
}
location /pks { root /var/www/wordpress;
proxy_pass http://127.0.0.1:11371; index index.php;
proxy_pass_header Server;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
}
location / {
try_files $uri $uri/ /index.php?$args;
}
} }

View File

@ -6,42 +6,26 @@ server {
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502;
#include /etc/nginx/error/504;
#include /etc/nginx/error/500;
#include /etc/nginx/error/404;
#include /etc/nginx/error/429;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
client_max_body_size 1G; client_max_body_size 1G;
#limit_req zone=one burst=15;
location / {
location / { return 307 $scheme://lists.libraryofcode.org/cgi-bin/mailman/listinfo;
return 307 $scheme://lists.libraryofcode.org/cgi-bin/mailman/listinfo; }
} location /cgi-bin/mailman {
location /cgi-bin/mailman { root /usr/lib/;
root /usr/lib/; fastcgi_split_path_info (^/cgi-bin/mailman/[^/]*)(.*)$;
fastcgi_split_path_info (^/cgi-bin/mailman/[^/]*)(.*)$; include /etc/nginx/fastcgi_params;
include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; fastcgi_intercept_errors on;
fastcgi_intercept_errors on; fastcgi_pass unix:/var/run/fcgiwrap.socket;
fastcgi_pass unix:/var/run/fcgiwrap.socket; }
} location /images/mailman {
location /images/mailman { alias /usr/share/images/mailman;
alias /usr/share/images/mailman; }
} location /pipermail {
location /pipermail { alias /var/lib/mailman/archives/public;
alias /var/lib/mailman/archives/public; autoindex on;
autoindex on; }
}
} }

View File

@ -2,41 +2,26 @@ server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name loc.sh; server_name loc.sh;
ssl_certificate /etc/letsencrypt/live/loc.sh-0001/fullchain.pem; # managed by Certbot ssl_certificate /etc/letsencrypt/live/loc.sh-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/loc.sh-0001/privkey.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/loc.sh-0001/privkey.pem; # managed by Certbot
ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502;
#include /etc/nginx/error/504;
#include /etc/nginx/error/500;
#include /etc/nginx/error/404;
#include /etc/nginx/error/429;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
#limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:3890; proxy_pass http://localhost:3890;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_redirect http://localhost:3890 https://loc.sh; proxy_redirect http://localhost:3890 https://loc.sh;
} }
} }

View File

@ -6,39 +6,23 @@ server {
ssl_certificate /etc/nginx/ssl/modmail-ins.chain.crt; ssl_certificate /etc/nginx/ssl/modmail-ins.chain.crt;
ssl_certificate_key /etc/nginx/ssl/modmail-ins.key.pem; ssl_certificate_key /etc/nginx/ssl/modmail-ins.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502;
#include /etc/nginx/error/504;
#include /etc/nginx/error/500;
#include /etc/nginx/error/404;
#include /etc/nginx/error/429;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
#limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://10.8.0.1:5478; proxy_pass http://10.8.0.1:5478;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_redirect http://10.8.0.1:5478 https://modmail.ins; proxy_redirect http://10.8.0.1:5478 https://modmail.ins;
} }
} }

View File

@ -6,23 +6,8 @@ server {
ssl_certificate /etc/nginx/ssl/pbx-ins.chain.crt; ssl_certificate /etc/nginx/ssl/pbx-ins.chain.crt;
ssl_certificate_key /etc/nginx/ssl/pbx-ins.key.pem; ssl_certificate_key /etc/nginx/ssl/pbx-ins.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502;
#include /etc/nginx/error/504;
#include /etc/nginx/error/500;
#include /etc/nginx/error/404;
#include /etc/nginx/error/429;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
client_max_body_size 230M; client_max_body_size 230M;
client_body_timeout 1h; client_body_timeout 1h;
#limit_req zone=one burst=15;
root /var/www/html; root /var/www/html;
index index.html index.htm index.php; index index.html index.htm index.php;
@ -32,9 +17,9 @@ server {
} }
location ~ \.php$ { location ~ \.php$ {
include snippets/fastcgi-php.conf; # server defaults are good include snippets/fastcgi-php.conf; # server defaults are good
fastcgi_pass unix:/run/php/php7.3-fpm-asterisk.sock; fastcgi_pass unix:/run/php/php7.3-fpm-asterisk.sock;
fastcgi_param HTACCESS on; # disables FreePBX htaccess warning fastcgi_param HTACCESS on; # disables FreePBX htaccess warning
proxy_read_timeout 800; proxy_read_timeout 800;
} }

View File

@ -1,28 +1,18 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name report.libraryofcode.org; server_name report.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m; root /var/www/report;
ssl_protocols TLSv1.2; index public/index.html;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; location /assets {
alias /var/www/report/assets/;
ssl_prefer_server_ciphers on; #root /var/www/report/assets;
#try_files /var/www/report/assets/$uri /var/www/report/assets/$uri/ =404;
ssl_stapling on; try_files $uri $uri/ =404;
ssl_stapling_verify on; }
root /var/www/report;
index public/index.html;
location /assets {
alias /var/www/report/assets/;
#root /var/www/report/assets;
#try_files /var/www/report/assets/$uri /var/www/report/assets/$uri/ =404;
try_files $uri $uri/ =404;
}
} }

View File

@ -24,19 +24,19 @@ server {
#limit_req zone=one burst=15; #limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:3020; proxy_pass http://localhost:3020;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_redirect http://localhost:3020 https://staff.libraryofcode.org; proxy_redirect http://localhost:3020 https://staff.libraryofcode.org;
} }
} }

View File

@ -1,23 +1,23 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name static.libraryofcode.org; server_name static.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m; ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
root /var/www/static; root /var/www/static;
location / { location / {
autoindex on; autoindex on;
} }
} }

View File

@ -6,39 +6,24 @@ server {
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502;
#include /etc/nginx/error/504;
#include /etc/nginx/error/500;
#include /etc/nginx/error/404;
#include /etc/nginx/error/429;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
client_max_body_size 1G; client_max_body_size 1G;
#limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://localhost:3000; proxy_pass http://localhost:3000;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_redirect http://localhost:3000 https://wiki.libraryofcode.org; proxy_redirect http://localhost:3000 https://wiki.libraryofcode.org;
} }
} }

View File

@ -35,11 +35,14 @@ http {
# SSL Settings # SSL Settings
## ##
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; ssl_stapling on;
ssl_stapling_verify on;
ssl_session_cache shared:SSL:10m;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_dhparam /etc/nginx/dhparam.pem ssl_dhparam /etc/nginx/dhparam.pem
;ssl_ecdh_curve secp384r1; ssl_ecdh_curve prime256v1:secp384r1;
## ##
# Logging Settings # Logging Settings

104
Postfix/main.conf Normal file
View File

@ -0,0 +1,104 @@
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Server Information
smtpd_banner = $myhostname Library of Code sp-us Staff Services | ESMTP (Debian/GNU)
myhostname = staff.libraryofcode.org
myorigin = /etc/mailname
mydestination = $myhostname, libraryofcode.org
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 63.141.252.130
mail_name = Library of Code sp-us | Staff Services
# Relay Settings
relayhost =
relay_domains = lists.libraryofcode.org
# MDA & Delivery
append_dot_mydomain = no
biff = no
mailbox_transport = lmtp:unix:private/dovecot-lmtp
message_size_limit = 1073741824
transport_maps = hash:/etc/postfix/transport
mailbox_size_limit = 0
recipient_delimiter = +
# Authentication
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
# TLS parameters
smtpd_tls_cert_file=/etc/postfix/ssl/globalsign.crt
smtpd_tls_key_file=/etc/postfix/ssl/globalsign.key.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/globalsign.ca.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# RESTRICTIONS
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
defer_unauth_destination,
smtpd_helo_restrictions =
permit_mynetworks,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
reject_unknown_helo_hostname,
permit,
smtpd_sender_restrictions =
reject_unknown_sender_domain,
reject_unknown_reverse_client_hostname,
reject_unknown_client_hostname,
reject_sender_login_mismatch,
permit_mynetworks,
permit_sasl_authenticated,
permit,
smtpd_recipient_restrictions =
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
check_policy_service inet:127.0.0.1:10023,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client xbl.spamhaus.org,
permit,
# Local Aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases
# Virtual Alises
smtpd_sender_login_maps = hash:/etc/postfix/virtual-mailbox-users
virtual_alias_maps = hash:/etc/postfix/virtual
# Network Settings & Milters
inet_interfaces = all
inet_protocols = all
milter_default_action = accept
milter_protocol = 6
smtpd_milters =
inet:localhost:8891,
local:/opendmarc/opendmarc.sock,
inet:localhost:8892
non_smtpd_milters = $smtpd_milters
# Misc
readme_directory = no
compatibility_level = 2
unknown_local_recipient_reject_code = 550
mailman_destination_recipient_limit = 1

View File

@ -1,98 +1,135 @@
# See /usr/share/postfix/main.cf.dist for a commented, more complete version #
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
-o content_filter=spamassassin
-o syslog_name=postfix/smtp
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o cleanup_service_name=privclean
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
# Debian specific: Specifying a file name will cause the first spamassassin unix - n n - - pipe
# line of that file to be used as the name. The Debian default user=spamd argv=/usr/bin/spamc -f -e
# is /etc/mailname. /usr/sbin/sendmail -oi -f ${sender} ${recipient}
#myorigin = /etc/mailname
smtpd_banner = $myhostname Library of Code sp-us Staff Services | ESMTP (Debian/GNU) privclean unix n - - - 0 cleanup
biff = no -o header_checks=pcre:/etc/postfix/outgoing_headers
-o nested_header_checks=
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file=/etc/postfix/ssl/globalsign.crt
smtpd_tls_key_file=/etc/postfix/ssl/globalsign.key.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/globalsign.ca.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
# RESTRICTIONS
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
defer_unauth_destination,
smtpd_helo_restrictions =
permit_mynetworks,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
reject_unknown_helo_hostname,
permit,
smtpd_sender_restrictions =
reject_unknown_sender_domain,
reject_unknown_reverse_client_hostname,
reject_unknown_client_hostname,
reject_sender_login_mismatch,
permit_mynetworks,
permit_sasl_authenticated,
permit,
smtpd_recipient_restrictions =
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
check_policy_service inet:127.0.0.1:10023
permit,
myhostname = staff.libraryofcode.org
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases
smtpd_sender_login_maps = hash:/etc/postfix/virtual-mailbox-users
myorigin = /etc/mailname
mydestination = $myhostname, libraryofcode.org, libraryofcode.us staff.libraryofcode.us, staff-libraryofcode.staff.libraryofcode.us, localhost.staff.libraryofcode.us, localhost, libraryofcode.us
relayhost =
relay_domains = lists.libraryofcode.org
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 63.141.252.130
mailbox_size_limit = 0
mailbox_command = procmail -a "$EXTENSION" DEFAULT=/var/mail/$USER
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891, local:/opendmarc/opendmarc.sock
non_smtpd_milters = $smtpd_milters
mail_name = Library of Code sp-us | Staff Command
virtual_alias_maps = hash:/etc/postfix/virtual
#authorized_submit_users = !boss, !test, static:all
message_size_limit = 1073741824
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
mailman_destination_recipient_limit = 1
#local_recipient_maps = hash:/var/lib/mailman3/data/postfix_lmtp

6
scripts/learnspam.py Normal file
View File

@ -0,0 +1,6 @@
import os
home_directories = os.listdir("/home")
for user in home_directories:
os.system("sa-learn --spam /home/%s/mail/Junk" % user)

8
scripts/nact.sh Normal file
View File

@ -0,0 +1,8 @@
# Activate Nginx Server Blocks
if [ $# -eq 0 ]; then
echo "No arguments provided"
exit 1
fi
sudo ln -s /etc/nginx/sites-available/$1.conf /etc/nginx/sites-enabled/$1.conf