From f127dd62536852f9bd55f6c00b4f62a3f1824ad4 Mon Sep 17 00:00:00 2001 
From: Matthew R Date: Wed, 14 Apr 2021 22:57:08 -0400 Subject: [PATCH] add script to auto symlink nginx conf files --- Docker/README.md | 0 Makefile | 4 + .../auth.libraryofcode.org.conf | 0 .../beta.libraryofcode.org.conf | 82 +- .../commshop.libraryofcode.org.conf | 86 +-- Nginx/Old/default.libraryofcode.conf | 158 ++++ .../drive.old.1.libraryofcode.org.conf | 226 +++--- .../drive.old.libraryofcode.org.conf | 278 +++---- .../hrm.libraryofcode.org.conf | 86 +-- ...box.old.1.roundcube.libraryofcode.org.conf | 86 +-- .../inbox.old.libraryofcode.org.conf | 226 +++--- .../payments.libraryofcode.org.conf | 56 +- .../search.libraryofcode.org.conf | 86 +-- .../Server Blocks/default.libraryofcode.conf | 728 ------------------ .../drive.libraryofcode.org.conf | 6 +- .../gitlab.libraryofcode.org.conf | 74 ++ Nginx/Server Blocks/http-redirect.conf | 7 + ...csh.libraryofcode.org.conf => loc.sh.conf} | 82 +- ...bx.libraryofcode.org.conf => pbx.ins.conf} | 96 +-- ....org.conf => staff.libraryofcode.org.conf} | 82 +- .../support.libraryofcode.us.conf | 73 -- Nginx/Server Blocks/test.ins.conf | 44 -- scripts/nginxsymlinks.py | 30 + 23 files changed, 1012 insertions(+), 1584 deletions(-) create mode 100644 Docker/README.md rename Nginx/{Server Blocks => Old}/auth.libraryofcode.org.conf (100%) rename Nginx/{Server Blocks => Old}/beta.libraryofcode.org.conf (96%) rename Nginx/{Server Blocks => Old}/commshop.libraryofcode.org.conf (96%) create mode 100644 Nginx/Old/default.libraryofcode.conf rename Nginx/{Server Blocks => Old}/drive.old.1.libraryofcode.org.conf (97%) rename Nginx/{Server Blocks => Old}/drive.old.libraryofcode.org.conf (97%) rename Nginx/{Server Blocks => Old}/hrm.libraryofcode.org.conf (97%) rename Nginx/{Server Blocks => Old}/inbox.old.1.roundcube.libraryofcode.org.conf (96%) rename Nginx/{Server Blocks => Old}/inbox.old.libraryofcode.org.conf (97%) rename Nginx/{Server Blocks => Old}/payments.libraryofcode.org.conf (97%) rename Nginx/{Server Blocks => 
Old}/search.libraryofcode.org.conf (96%) delete mode 100644 Nginx/Server Blocks/default.libraryofcode.conf create mode 100644 Nginx/Server Blocks/gitlab.libraryofcode.org.conf create mode 100644 Nginx/Server Blocks/http-redirect.conf rename Nginx/Server Blocks/{locsh.libraryofcode.org.conf => loc.sh.conf} (96%) rename Nginx/Server Blocks/{pbx.libraryofcode.org.conf => pbx.ins.conf} (97%) rename Nginx/Server Blocks/{servicedesk.libraryofcode.org.conf => staff.libraryofcode.org.conf} (96%) delete mode 100644 Nginx/Server Blocks/support.libraryofcode.us.conf delete mode 100644 Nginx/Server Blocks/test.ins.conf create mode 100644 scripts/nginxsymlinks.py diff --git a/Docker/README.md b/Docker/README.md new file mode 100644 index 0000000..e69de29 diff --git a/Makefile b/Makefile index f5546f2..a3b1cef 100644 --- a/Makefile +++ b/Makefile @@ -3,3 +3,7 @@ nginx_server_blocks := $(shell ./scripts/listnginxserverblocks.sh) # Formats Nginx configuration files nginxfmt: ./scripts/nginxfmt.py ${nginx_server_blocks} + +# Creates Symlinks for Nginx files, /etc/nginx/sites-available +nginxsym: + ./scripts/nginxsymlinks.py diff --git a/Nginx/Server Blocks/auth.libraryofcode.org.conf b/Nginx/Old/auth.libraryofcode.org.conf similarity index 100% rename from Nginx/Server Blocks/auth.libraryofcode.org.conf rename to Nginx/Old/auth.libraryofcode.org.conf diff --git a/Nginx/Server Blocks/beta.libraryofcode.org.conf b/Nginx/Old/beta.libraryofcode.org.conf similarity index 96% rename from Nginx/Server Blocks/beta.libraryofcode.org.conf rename to Nginx/Old/beta.libraryofcode.org.conf index 5d9990d..3f3e0c8 100644 --- a/Nginx/Server Blocks/beta.libraryofcode.org.conf +++ b/Nginx/Old/beta.libraryofcode.org.conf 
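Review bot: The new `nginxsym` target is not declared `.PHONY` anywhere in this hunk, so a file named `nginxsym` in the repository root would make `make` report the target as up to date and never run the script; add `.PHONY: nginxfmt nginxsym` unless such a line already exists in the two Makefile lines above the hunk. The target comment names /etc/nginx/sites-available as the destination, which on most systems needs root to write into, yet nothing in the target says so; a comment such as `# Requires write access to /etc/nginx (typically run via sudo)` would make the precondition explicit. The script the recipe invokes, scripts/nginxsymlinks.py, is created by this commit but is not in this chunk, so its behaviour cannot be checked here.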
@@ -1,42 +1,42 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name beta.libraryofcode.org; - - ssl_certificate /etc/nginx/ssl/org.chain.crt; - ssl_certificate_key /etc/nginx/ssl/org.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - - #limit_req zone=one burst=15; - location / { - - proxy_set_header Host $host; - - proxy_set_header X-Real-IP $remote_addr; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_pass http://localhost:3000; - - proxy_read_timeout 90; - - proxy_redirect http://localhost:3000 https://beta.libraryofcode.org; - - } +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name beta.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + ssl_session_cache builtin:1000 shared:SSL:10m; + #include /etc/nginx/error/502; + #include /etc/nginx/error/504; + #include /etc/nginx/error/500; + #include /etc/nginx/error/404; + #include /etc/nginx/error/429; + ssl_protocols TLSv1.2; + + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_prefer_server_ciphers on; + + ssl_stapling on; + ssl_stapling_verify on; + + #limit_req zone=one burst=15; + location / { + + 
proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_pass http://localhost:3000; + + proxy_read_timeout 90; + + proxy_redirect http://localhost:3000 https://beta.libraryofcode.org; + + } } \ No newline at end of file diff --git a/Nginx/Server Blocks/commshop.libraryofcode.org.conf b/Nginx/Old/commshop.libraryofcode.org.conf similarity index 96% rename from Nginx/Server Blocks/commshop.libraryofcode.org.conf rename to Nginx/Old/commshop.libraryofcode.org.conf index 8e8586b..d739101 100644 --- a/Nginx/Server Blocks/commshop.libraryofcode.org.conf +++ b/Nginx/Old/commshop.libraryofcode.org.conf 
@@ -1,44 +1,44 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name commshop.libraryofcode.org; - - ssl_certificate /etc/nginx/ssl/org.chain.crt; - ssl_certificate_key /etc/nginx/ssl/org.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - - #limit_req zone=one burst=15; - location / { - - proxy_set_header Host $host; - - proxy_set_header X-Real-IP $remote_addr; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_set_header X-Frame-Options SAMEORIGIN; - - proxy_pass http://localhost:7890; - - proxy_read_timeout 90; - - proxy_redirect http://localhost:7890 https://commshop.libraryofcode.org; - - } +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name commshop.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + ssl_session_cache builtin:1000 shared:SSL:10m; + #include /etc/nginx/error/502; + #include /etc/nginx/error/504; + #include /etc/nginx/error/500; + #include /etc/nginx/error/404; + #include /etc/nginx/error/429; + ssl_protocols TLSv1.2; + + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_prefer_server_ciphers on; + + ssl_stapling on; + ssl_stapling_verify on; + + 
#limit_req zone=one burst=15; + location / { + + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_set_header X-Frame-Options SAMEORIGIN; + + proxy_pass http://localhost:7890; + + proxy_read_timeout 90; + + proxy_redirect http://localhost:7890 https://commshop.libraryofcode.org; + + } } \ No newline at end of file diff --git a/Nginx/Old/default.libraryofcode.conf b/Nginx/Old/default.libraryofcode.conf new file mode 100644 index 0000000..cd06cf8 --- /dev/null +++ b/Nginx/Old/default.libraryofcode.conf 
@@ -0,0 +1,158 @@ + +#server { +# listen 443 ssl http2; +# listen [::]:443 ssl http2; + +# server_name libraryofcode.org; +# ssl_certificate /etc/nginx/ssl/org.chain.crt; + +#ssl_certificate_key /etc/nginx/ssl/org.key.pem; + +#ssl_session_cache builtin:1000 shared:SSL:10m; + +#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + +#ssl_prefer_server_ciphers on; +#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE +# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; + #ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; +# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; +# ssl_dhparam /etc/nginx/dhparam.pem; +# ssl_ecdh_curve secp384r1; +# location / { + +#proxy_set_header Host $host; + +#proxy_set_header X-Real-IP $remote_addr; + +#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +#proxy_set_header X-Forwarded-Proto $scheme; + +#proxy_pass http://localhost:4567; + +#proxy_read_timeout 90; + +#proxy_redirect https://www.libraryofcode.us/ https://libraryofcode.org; + +# } +#} + +#server { +# listen 443 ssl http2; +# listen [::]:443 ssl http2; + +# server_name www.libraryofcode.org; +# ssl_certificate /etc/nginx/ssl/org.chain.crt; + +#ssl_certificate_key /etc/nginx/ssl/org.key.pem; + +#ssl_session_cache builtin:1000 shared:SSL:10m; + +#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + +#ssl_prefer_server_ciphers on; +#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE +# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; + #ssl_ciphers 
ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; +# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; +# ssl_dhparam /etc/nginx/dhparam.pem; +# ssl_ecdh_curve secp384r1; +# location / { + +#proxy_set_header Host $host; + +#proxy_set_header X-Real-IP $remote_addr; + +#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +#proxy_set_header X-Forwarded-Proto $scheme; + +#proxy_pass http://localhost:4567; + +#proxy_read_timeout 90; + +#proxy_redirect http://localhost:4567 https://www.libraryofcode.org; + +# } +#} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name ecm.libraryofcode.us; + ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; + +ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; + +#ssl_session_cache builtin:1000 shared:SSL:10m; + +#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + +#ssl_prefer_server_ciphers on; +ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; + ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_ecdh_curve secp384r1; + location / { + +proxy_set_header Host $host; + +proxy_set_header X-Real-IP $remote_addr; + +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +proxy_set_header X-Forwarded-Proto $scheme; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection "upgrade"; + +proxy_pass https://localhost:7150; + +proxy_read_timeout 90; + +proxy_redirect https://localhost:7150 https://ecm.libraryofcode.us; + + } +} + +#server { +# 
listen 443 ssl http2; +# listen [::]:443 ssl http2; + +# server_name directory.libraryofcode.us; +# ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; + +#ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; +#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE +#ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; +#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; +#ssl_dhparam /etc/nginx/dhparam.pem; +#ssl_ecdh_curve secp384r1; + +#location /lam { +# index index.html; +# alias /usr/share/ldap-account-manager; +# autoindex off; +# +# location ~ \.php$ { +# fastcgi_split_path_info ^(.+\.php)(/.+)$; +# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; +# fastcgi_index index.php; +# include fastcgi_params; +# } +# +# location ~ /lam/(tmp/internal|sess|config|lib|help|locale) { +# deny all; +# return 403; +# } +# +#} +#} diff --git a/Nginx/Server Blocks/drive.old.1.libraryofcode.org.conf b/Nginx/Old/drive.old.1.libraryofcode.org.conf similarity index 97% rename from Nginx/Server Blocks/drive.old.1.libraryofcode.org.conf rename to Nginx/Old/drive.old.1.libraryofcode.org.conf index a151acc..f701769 100644 --- a/Nginx/Server Blocks/drive.old.1.libraryofcode.org.conf +++ b/Nginx/Old/drive.old.1.libraryofcode.org.conf 
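Review bot: The uncommented `server_name ecm.libraryofcode.us` block in this new file still enables a deprecated protocol with `ssl_protocols TLSv1.1 TLSv1.2;`, while every other server block touched by this commit (beta, commshop, drive, hrm) pins `ssl_protocols TLSv1.2;`; change it to `ssl_protocols TLSv1.2;` for consistency, or at least make sure the new symlink script (scripts/nginxsymlinks.py, not in this chunk) skips the Nginx/Old/ tree so an archived file is never linked into sites-available. The same block puts two directives on one line, `ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;`, which is easy to misread; split them onto separate lines. `proxy_pass https://localhost:7150;` speaks TLS to the backend without `proxy_ssl_verify on` (nginx's default is off), which may be acceptable for a loopback upstream but deserves a one-line comment stating that choice.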
@@ -1,114 +1,114 @@ -upstream php-handler { - #server 127.0.0.1:9000; - server unix:/var/run/php/php7.2-fpm.sock; -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name drive.libraryofcode.org; - - ssl_certificate /etc/nginx/ssl/org.chain.crt; - ssl_certificate_key /etc/nginx/ssl/org.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - fastcgi_read_timeout 300; - proxy_read_timeout 300; - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Remove X-Powered-By, which is an information leak - fastcgi_hide_header X-Powered-By; - - # Path to the root of your installation - root /var/www/nextcloud; - - index index.php index.html /index.php$request_uri; - - # Default Cache-Control policy - expires 1m; - - # Rule borrowed from `.htaccess` to handle Microsoft DAV clients - location = / { - if ( $http_user_agent ~ ^DavClnt ) { - return 302 /remote.php/webdav/$is_args$args; - } - } - - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - - # Make a regex exception for `/.well-known` so that clients can still - # access it despite the existence of the regex rule - # `location ~ /(\.|autotest|...)` which would otherwise handle requests - # for `/.well-known`. 
- location ^~ /.well-known { - # The following 6 rules are borrowed from `.htaccess` - - rewrite ^/\.well-known/host-meta\.json /public.php?service=host-meta-json last; - rewrite ^/\.well-known/host-meta /public.php?service=host-meta last; - rewrite ^/\.well-known/webfinger /public.php?service=webfinger last; - rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last; - - location = /.well-known/carddav { return 301 /remote.php/dav/; } - location = /.well-known/caldav { return 301 /remote.php/dav/; } - - try_files $uri $uri/ =404; - } - - # Rules borrowed from `.htaccess` to hide certain paths from clients - location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } - location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } - - # Ensure this block, which passes PHP files to the PHP process, is above the blocks - # which handle static assets (as seen below). If this block is not declared first, - # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` - # to the URI, resulting in a HTTP 500 error response. 
- location ~ \.php(?:$|/) { - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - set $path_info $fastcgi_path_info; - - try_files $fastcgi_script_name =404; - - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $path_info; - fastcgi_param HTTPS on; - - fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice - fastcgi_param front_controller_active true; # Enable pretty urls - fastcgi_pass php-handler; - - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - } - - location ~ \.(?:css|js|svg|gif)$ { - try_files $uri /index.php$request_uri; - expires 6M; # Cache-Control policy borrowed from `.htaccess` - access_log off; # Optional: Don't log access to assets - } - - location ~ \.woff2?$ { - try_files $uri /index.php$request_uri; - expires 7d; # Cache-Control policy borrowed from `.htaccess` - access_log off; # Optional: Don't log access to assets - } - - location / { - try_files $uri $uri/ /index.php$request_uri; - } +upstream php-handler { + #server 127.0.0.1:9000; + server unix:/var/run/php/php7.2-fpm.sock; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name drive.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_protocols TLSv1.2; + + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_prefer_server_ciphers on; + fastcgi_read_timeout 300; + proxy_read_timeout 300; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" 
always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + root /var/www/nextcloud; + + index index.php index.html /index.php$request_uri; + + # Default Cache-Control policy + expires 1m; + + # Rule borrowed from `.htaccess` to handle Microsoft DAV clients + location = / { + if ( $http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/$is_args$args; + } + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # Make a regex exception for `/.well-known` so that clients can still + # access it despite the existence of the regex rule + # `location ~ /(\.|autotest|...)` which would otherwise handle requests + # for `/.well-known`. + location ^~ /.well-known { + # The following 6 rules are borrowed from `.htaccess` + + rewrite ^/\.well-known/host-meta\.json /public.php?service=host-meta-json last; + rewrite ^/\.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/\.well-known/webfinger /public.php?service=webfinger last; + rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last; + + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + + try_files $uri $uri/ =404; + } + + # Rules borrowed from `.htaccess` to hide certain paths from clients + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + + # Ensure this block, which passes PHP files to the PHP process, is above the blocks + # which handle static assets (as seen below). If this block is not declared first, + # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` + # to the URI, resulting in a HTTP 500 error response. 
+ location ~ \.php(?:$|/) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + set $path_info $fastcgi_path_info; + + try_files $fastcgi_script_name =404; + + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + fastcgi_param HTTPS on; + + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + fastcgi_param front_controller_active true; # Enable pretty urls + fastcgi_pass php-handler; + + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ \.(?:css|js|svg|gif)$ { + try_files $uri /index.php$request_uri; + expires 6M; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + location ~ \.woff2?$ { + try_files $uri /index.php$request_uri; + expires 7d; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + location / { + try_files $uri $uri/ /index.php$request_uri; + } } \ No newline at end of file diff --git a/Nginx/Server Blocks/drive.old.libraryofcode.org.conf b/Nginx/Old/drive.old.libraryofcode.org.conf similarity index 97% rename from Nginx/Server Blocks/drive.old.libraryofcode.org.conf rename to Nginx/Old/drive.old.libraryofcode.org.conf index 73be463..b45dcec 100644 --- a/Nginx/Server Blocks/drive.old.libraryofcode.org.conf +++ b/Nginx/Old/drive.old.libraryofcode.org.conf 
@@ -1,140 +1,140 @@ -upstream php-handler { - #server 127.0.0.1:9000; - server unix:/var/run/php/php7.2-fpm.sock; -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name drive.libraryofcode.org; - - ssl_certificate /etc/nginx/ssl/org.chain.crt; - ssl_certificate_key /etc/nginx/ssl/org.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - fastcgi_read_timeout 300; - proxy_read_timeout 300; - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Remove X-Powered-By, which is an information leak - fastcgi_hide_header X-Powered-By; - - # Path to the root of your installation - root /var/www/nextcloud; - - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - - # The following 2 rules are only needed for the user_webfinger app. - # Uncomment it if you're planning to use this app. - #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; - #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; - - # The following rule is only needed for the Social app. - # Uncomment it if you're planning to use this app. 
- #rewrite ^/.well-known/webfinger /public.php?service=webfinger last; - - location = /.well-known/carddav { - return 301 $scheme://$host:$server_port/remote.php/dav; - } - location = /.well-known/caldav { - return 301 $scheme://$host:$server_port/remote.php/dav; - } - - # set max upload size - client_max_body_size 512M; - fastcgi_buffers 64 4K; - - # Enable gzip but do not remove ETag headers - gzip on; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 256; - gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; - gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - - # Uncomment if your server is build with the ngx_pagespeed module - # This module is currently not supported. 
- #pagespeed off; - - location / { - rewrite ^ /index.php; - } - - location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { - deny all; - } - location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { - deny all; - } - - location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { - fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; - set $path_info $fastcgi_path_info; - try_files $fastcgi_script_name =404; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $path_info; - fastcgi_param HTTPS on; - # Avoid sending the security headers twice - fastcgi_param modHeadersAvailable true; - # Enable pretty urls - fastcgi_param front_controller_active true; - fastcgi_pass php-handler; - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - } - - location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { - try_files $uri/ =404; - index index.php; - } - - # Adding the cache control header for js, css and map files - # Make sure it is BELOW the PHP block - location ~ \.(?:css|js|woff2?|svg|gif|map)$ { - try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463"; - # Add headers to serve security related headers (It is intended to - # have those duplicated to the ones above) - # Before enabling Strict-Transport-Security headers please read into - # this topic first. - #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; - # - # WARNING: Only add the preload option once you read about - # the consequences in https://hstspreload.org/. This option - # will add the domain to a hardcoded list that is shipped - # in all major browsers and getting removed from this list - # could take several months. 
- add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Optional: Don't log access to assets - access_log off; - } - - location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ { - try_files $uri /index.php$request_uri; - # Optional: Don't log access to other assets - access_log off; - } +upstream php-handler { + #server 127.0.0.1:9000; + server unix:/var/run/php/php7.2-fpm.sock; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name drive.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_protocols TLSv1.2; + + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_prefer_server_ciphers on; + fastcgi_read_timeout 300; + proxy_read_timeout 300; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + root /var/www/nextcloud; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # The following 2 rules are only needed for the user_webfinger app. 
+ # Uncomment it if you're planning to use this app. + #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + + # The following rule is only needed for the Social app. + # Uncomment it if you're planning to use this app. + #rewrite ^/.well-known/webfinger /public.php?service=webfinger last; + + location = /.well-known/carddav { + return 301 $scheme://$host:$server_port/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host:$server_port/remote.php/dav; + } + + # set max upload size + client_max_body_size 512M; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. 
+ #pagespeed off; + + location / { + rewrite ^ /index.php; + } + + location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { + deny all; + } + location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { + fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; + set $path_info $fastcgi_path_info; + try_files $fastcgi_script_name =404; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + fastcgi_param HTTPS on; + # Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + # Enable pretty urls + fastcgi_param front_controller_active true; + fastcgi_pass php-handler; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { + try_files $uri/ =404; + index index.php; + } + + # Adding the cache control header for js, css and map files + # Make sure it is BELOW the PHP block + location ~ \.(?:css|js|woff2?|svg|gif|map)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + # Add headers to serve security related headers (It is intended to + # have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read into + # this topic first. + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. 
+ add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Optional: Don't log access to assets + access_log off; + } + + location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ { + try_files $uri /index.php$request_uri; + # Optional: Don't log access to other assets + access_log off; + } } \ No newline at end of file diff --git a/Nginx/Server Blocks/hrm.libraryofcode.org.conf b/Nginx/Old/hrm.libraryofcode.org.conf similarity index 97% rename from Nginx/Server Blocks/hrm.libraryofcode.org.conf rename to Nginx/Old/hrm.libraryofcode.org.conf index 0cb3788..26124b6 100644 --- a/Nginx/Server Blocks/hrm.libraryofcode.org.conf +++ b/Nginx/Old/hrm.libraryofcode.org.conf 
@@ -1,44 +1,44 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name hrm.libraryofcode.org;
- ssl_certificate /etc/nginx/ssl/org.chain.crt;
- ssl_certificate_key /etc/nginx/ssl/org.key.pem;
- ssl_protocols TLSv1.2;
- ssl_prefer_server_ciphers on;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
- # ssl_dhparam /etc/nginx/dhparam.pem;
- ssl_ecdh_curve secp384r1;
- #root /var/www/orangehrm;
- #index index.php index.html index.htm;
- #client_max_body_size 100M;
- #proxy_connect_timeout 1800s;
- #proxy_send_timeout 1800s;
- #proxy_read_timeout 1800s;
- #fastcgi_send_timeout 1800s;
- #fastcgi_read_timeout 1800s;
- location / {
- #try_files $uri $uri/ /index.php?$uri&$args;
- proxy_set_header Host $host;
-
-proxy_set_header X-Real-IP $remote_addr;
-
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-proxy_set_header X-Forwarded-Proto $scheme;
-
-proxy_pass http://localhost:6969;
-
-proxy_read_timeout 90;
-
-proxy_redirect http://localhost:6969 https://hrm.libraryofcode.org;
- }
-
- #location ~ \.php$ {
- # include snippets/fastcgi-php.conf;
- # fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
- # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- # include fastcgi_params;
- #}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name hrm.libraryofcode.org;
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+ ssl_protocols TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ # ssl_dhparam /etc/nginx/dhparam.pem;
+ ssl_ecdh_curve secp384r1;
+ #root /var/www/orangehrm;
+ #index index.php index.html index.htm;
+ #client_max_body_size 100M;
+ #proxy_connect_timeout 1800s;
+ #proxy_send_timeout 1800s;
+ #proxy_read_timeout 1800s;
+ #fastcgi_send_timeout 1800s;
+ #fastcgi_read_timeout 1800s;
+ location / {
+ #try_files $uri $uri/ /index.php?$uri&$args;
+ proxy_set_header Host $host;
+
+proxy_set_header X-Real-IP $remote_addr;
+
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+proxy_set_header X-Forwarded-Proto $scheme;
+
+proxy_pass http://localhost:6969;
+
+proxy_read_timeout 90;
+
+proxy_redirect http://localhost:6969 https://hrm.libraryofcode.org;
+ }
+
+ #location ~ \.php$ {
+ # include snippets/fastcgi-php.conf;
+ # fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
+ # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ # include fastcgi_params;
+ #}
 }
\ No newline at end of file
diff --git a/Nginx/Server Blocks/inbox.old.1.roundcube.libraryofcode.org.conf b/Nginx/Old/inbox.old.1.roundcube.libraryofcode.org.conf
similarity index 96%
rename from Nginx/Server Blocks/inbox.old.1.roundcube.libraryofcode.org.conf
rename to Nginx/Old/inbox.old.1.roundcube.libraryofcode.org.conf
index b1b20f7..446725f 100644
--- a/Nginx/Server Blocks/inbox.old.1.roundcube.libraryofcode.org.conf
+++ b/Nginx/Old/inbox.old.1.roundcube.libraryofcode.org.conf
@@ -1,44 +1,44 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name inbox.libraryofcode.org;
-
- ssl_certificate /etc/nginx/ssl/org.chain.crt;
- ssl_certificate_key /etc/nginx/ssl/org.key.pem;
-
- ssl_session_cache builtin:1000 shared:SSL:10m;
- #include /etc/nginx/error/502;
- #include /etc/nginx/error/504;
- #include /etc/nginx/error/500;
- #include /etc/nginx/error/404;
- #include /etc/nginx/error/429;
- ssl_protocols TLSv1.2;
-
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-
- ssl_prefer_server_ciphers on;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- #limit_req zone=one burst=15;
- location / {
-
- proxy_set_header Host $host;
-
- proxy_set_header X-Real-IP $remote_addr;
-
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- proxy_set_header X-Forwarded-Proto $scheme;
-
- proxy_set_header X-Frame-Options SAMEORIGIN;
-
- proxy_pass http://localhost:4061;
-
- proxy_read_timeout 90;
-
- proxy_redirect http://localhost:4061 https://inbox.libraryofcode.org;
-
- }
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name inbox.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://localhost:4061;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://localhost:4061 https://inbox.libraryofcode.org;
+
+ }
 }
\ No newline at end of file
diff --git a/Nginx/Server Blocks/inbox.old.libraryofcode.org.conf b/Nginx/Old/inbox.old.libraryofcode.org.conf
similarity index 97%
rename from Nginx/Server Blocks/inbox.old.libraryofcode.org.conf
rename to Nginx/Old/inbox.old.libraryofcode.org.conf
index a151acc..f701769 100644
--- a/Nginx/Server Blocks/inbox.old.libraryofcode.org.conf
+++ b/Nginx/Old/inbox.old.libraryofcode.org.conf
@@ -1,114 +1,114 @@ -upstream php-handler { - #server 127.0.0.1:9000; - server unix:/var/run/php/php7.2-fpm.sock; -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name drive.libraryofcode.org; - - ssl_certificate /etc/nginx/ssl/org.chain.crt; - ssl_certificate_key /etc/nginx/ssl/org.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - fastcgi_read_timeout 300; - proxy_read_timeout 300; - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Remove X-Powered-By, which is an information leak - fastcgi_hide_header X-Powered-By; - - # Path to the root of your installation - root /var/www/nextcloud; - - index index.php index.html /index.php$request_uri; - - # Default Cache-Control policy - expires 1m; - - # Rule borrowed from `.htaccess` to handle Microsoft DAV clients - location = / { - if ( $http_user_agent ~ ^DavClnt ) { - return 302 /remote.php/webdav/$is_args$args; - } - } - - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - - # Make a regex exception for `/.well-known` so that clients can still - # access it despite the existence of the regex rule - # `location ~ /(\.|autotest|...)` which would otherwise handle requests - # for `/.well-known`. 
- location ^~ /.well-known { - # The following 6 rules are borrowed from `.htaccess` - - rewrite ^/\.well-known/host-meta\.json /public.php?service=host-meta-json last; - rewrite ^/\.well-known/host-meta /public.php?service=host-meta last; - rewrite ^/\.well-known/webfinger /public.php?service=webfinger last; - rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last; - - location = /.well-known/carddav { return 301 /remote.php/dav/; } - location = /.well-known/caldav { return 301 /remote.php/dav/; } - - try_files $uri $uri/ =404; - } - - # Rules borrowed from `.htaccess` to hide certain paths from clients - location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } - location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } - - # Ensure this block, which passes PHP files to the PHP process, is above the blocks - # which handle static assets (as seen below). If this block is not declared first, - # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` - # to the URI, resulting in a HTTP 500 error response. 
- location ~ \.php(?:$|/) { - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - set $path_info $fastcgi_path_info; - - try_files $fastcgi_script_name =404; - - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $path_info; - fastcgi_param HTTPS on; - - fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice - fastcgi_param front_controller_active true; # Enable pretty urls - fastcgi_pass php-handler; - - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - } - - location ~ \.(?:css|js|svg|gif)$ { - try_files $uri /index.php$request_uri; - expires 6M; # Cache-Control policy borrowed from `.htaccess` - access_log off; # Optional: Don't log access to assets - } - - location ~ \.woff2?$ { - try_files $uri /index.php$request_uri; - expires 7d; # Cache-Control policy borrowed from `.htaccess` - access_log off; # Optional: Don't log access to assets - } - - location / { - try_files $uri $uri/ /index.php$request_uri; - } +upstream php-handler { + #server 127.0.0.1:9000; + server unix:/var/run/php/php7.2-fpm.sock; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name drive.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_protocols TLSv1.2; + + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_prefer_server_ciphers on; + fastcgi_read_timeout 300; + proxy_read_timeout 300; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" 
always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + root /var/www/nextcloud; + + index index.php index.html /index.php$request_uri; + + # Default Cache-Control policy + expires 1m; + + # Rule borrowed from `.htaccess` to handle Microsoft DAV clients + location = / { + if ( $http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/$is_args$args; + } + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # Make a regex exception for `/.well-known` so that clients can still + # access it despite the existence of the regex rule + # `location ~ /(\.|autotest|...)` which would otherwise handle requests + # for `/.well-known`. + location ^~ /.well-known { + # The following 6 rules are borrowed from `.htaccess` + + rewrite ^/\.well-known/host-meta\.json /public.php?service=host-meta-json last; + rewrite ^/\.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/\.well-known/webfinger /public.php?service=webfinger last; + rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last; + + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + + try_files $uri $uri/ =404; + } + + # Rules borrowed from `.htaccess` to hide certain paths from clients + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + + # Ensure this block, which passes PHP files to the PHP process, is above the blocks + # which handle static assets (as seen below). If this block is not declared first, + # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` + # to the URI, resulting in a HTTP 500 error response. 
+ location ~ \.php(?:$|/) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + set $path_info $fastcgi_path_info; + + try_files $fastcgi_script_name =404; + + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + fastcgi_param HTTPS on; + + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + fastcgi_param front_controller_active true; # Enable pretty urls + fastcgi_pass php-handler; + + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ \.(?:css|js|svg|gif)$ { + try_files $uri /index.php$request_uri; + expires 6M; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + location ~ \.woff2?$ { + try_files $uri /index.php$request_uri; + expires 7d; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + location / { + try_files $uri $uri/ /index.php$request_uri; + } } \ No newline at end of file diff --git a/Nginx/Server Blocks/payments.libraryofcode.org.conf b/Nginx/Old/payments.libraryofcode.org.conf similarity index 97% rename from Nginx/Server Blocks/payments.libraryofcode.org.conf rename to Nginx/Old/payments.libraryofcode.org.conf index 3a56fb9..a31a334 100644 --- a/Nginx/Server Blocks/payments.libraryofcode.org.conf +++ b/Nginx/Old/payments.libraryofcode.org.conf 
@@ -1,29 +1,29 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name payments.libraryofcode.org;
- ssl_certificate /etc/nginx/ssl/org.chain.crt;
-
- ssl_certificate_key /etc/nginx/ssl/org.key.pem;
- ssl_protocols TLSv1.1 TLSv1.2;
- ssl_prefer_server_ciphers on;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
- ssl_dhparam /etc/nginx/dhparam.pem;
- ssl_ecdh_curve secp384r1;
-
- root /var/www/opencart;
-
- index index.php index.html index.htm;
-
- location / {
- try_files $uri $uri/ =404;
- }
-
- location ~ [^/]\.php(/|$) {
- include snippets/fastcgi-php.conf;
- fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- include fastcgi_params;
- }
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name payments.libraryofcode.org;
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_dhparam /etc/nginx/dhparam.pem;
+ ssl_ecdh_curve secp384r1;
+
+ root /var/www/opencart;
+
+ index index.php index.html index.htm;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ location ~ [^/]\.php(/|$) {
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
 }
\ No newline at end of file
diff --git a/Nginx/Server Blocks/search.libraryofcode.org.conf b/Nginx/Old/search.libraryofcode.org.conf
similarity index 96%
rename from Nginx/Server Blocks/search.libraryofcode.org.conf
rename to Nginx/Old/search.libraryofcode.org.conf
index 919eaff..00ba219 100644
--- a/Nginx/Server Blocks/search.libraryofcode.org.conf
+++ b/Nginx/Old/search.libraryofcode.org.conf
@@ -1,44 +1,44 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name search.libraryofcode.org;
-
- ssl_certificate /etc/nginx/ssl/org.chain.crt;
- ssl_certificate_key /etc/nginx/ssl/org.key.pem;
-
- ssl_session_cache builtin:1000 shared:SSL:10m;
- #include /etc/nginx/error/502;
- #include /etc/nginx/error/504;
- #include /etc/nginx/error/500;
- #include /etc/nginx/error/404;
- #include /etc/nginx/error/429;
- ssl_protocols TLSv1.2;
-
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-
- ssl_prefer_server_ciphers on;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- #limit_req zone=one burst=15;
- location / {
-
- proxy_set_header Host $host;
-
- proxy_set_header X-Real-IP $remote_addr;
-
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- proxy_set_header X-Forwarded-Proto $scheme;
-
- proxy_set_header X-Frame-Options SAMEORIGIN;
-
- proxy_pass http://localhost:8090;
-
- proxy_read_timeout 90;
-
- proxy_redirect http://localhost:8090 https://search.libraryofcode.org;
-
- }
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name search.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://localhost:8090;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://localhost:8090 https://search.libraryofcode.org;
+
+ }
 }
\ No newline at end of file
diff --git a/Nginx/Server Blocks/default.libraryofcode.conf b/Nginx/Server Blocks/default.libraryofcode.conf
deleted file mode 100644
index d5ca385..0000000
--- a/Nginx/Server Blocks/default.libraryofcode.conf
+++ /dev/null
@@ -1,728 +0,0 @@ -server { - -listen 80; - -return 301 https://$host$request_uri; - -} -#server { -# listen 443 ssl http2 default_server; -# listen [::]:443 ssl http2 default_server; -# server_name _; -# ssl_protocols TLSv1.2; - #ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-R$ -# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; -# ssl_certificate /etc/nginx/ssl/org.chain.crt; -# ssl_certificate_key /etc/nginx/ssl/org.key.pem; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #return 404; -#} - -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name certificates.libraryofcode.us; - ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; - -ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; - -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; -ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; - ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; - ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; - location / { - -proxy_set_header Host $host; - -proxy_set_header X-Real-IP $remote_addr; - -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -proxy_set_header X-Forwarded-Proto $scheme; - -proxy_pass https://localhost:8080/; - -proxy_read_timeout 90; - -proxy_redirect https://localhost:8080 https://certificates.libraryofcode.us; - - } -} - 
-server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name staff.libraryofcode.us; - ssl_certificate /etc/nginx/ssl/staff.chain.crt; - -ssl_certificate_key /etc/nginx/ssl/staff.key.pem; -#ssl_session_cache builtin:1000 shared:SSL:10m; -ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; -ssl_prefer_server_ciphers on; -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; - -#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE -# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; -# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; - ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; - location / { - -proxy_set_header Host $host; - -proxy_set_header X-Real-IP $remote_addr; - -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -proxy_set_header X-Forwarded-Proto $scheme; - -proxy_pass https://localhost:8082/; - -proxy_read_timeout 90; - -proxy_redirect https://localhost:8082 https://staff.libraryofcode.us; - - } -} - -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name status.libraryofcode.us; - ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; - -ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; - -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; - -ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; - ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; - ssl_dhparam 
/etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; - location / { - -proxy_set_header Host $host; - -proxy_set_header X-Real-IP $remote_addr; - -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -proxy_set_header X-Forwarded-Proto $scheme; - -proxy_pass http://localhost:8787; - -proxy_read_timeout 90; - -proxy_redirect http://localhost:8787 https://status.libraryofcode.us; - - } -} - -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name www.securesign.org; - ssl_certificate /etc/nginx/ssl/digicert.chain.crt; - -ssl_certificate_key /etc/nginx/ssl/digicert.key.pem; - -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; - -ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; - ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; - #ssl_ciphers EECDH+AESGCM:EDH+AESGCM; - ssl_dhparam /etc/nginx/dhparam.pem; - ssl_ecdh_curve secp384r1; - location / { - -proxy_set_header Host $host; - -proxy_set_header X-Real-IP $remote_addr; - -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -proxy_set_header X-Forwarded-Proto $scheme; - -proxy_pass https://localhost:8081/; - -proxy_read_timeout 90; - -proxy_redirect https://localhost:8081 https://www.securesign.org; - - } -} - -#server { -# listen 443 ssl; -# listen [::]:443 ssl; -# -# server_name test.securesign.org; -# ssl_certificate /etc/nginx/ssl/securesign-site.chain.crt; - -#ssl_certificate_key /etc/nginx/ssl/securesign-site.key.pem; - -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; - -#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE 
-# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; -# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; -# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; -# location / { - -#proxy_set_header Host $host; - -#proxy_set_header X-Real-IP $remote_addr; - -#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -#proxy_set_header X-Forwarded-Proto $scheme; - -#proxy_pass https://localhost:8080/; - -#proxy_read_timeout 90; - -#proxy_redirect https://localhost:8080 https://test.securesign.org; - -# } -#} - -#server { -# listen 443 ssl; -# listen [::]:443 ssl; - -# server_name system.securesign.org; -# ssl_certificate /etc/nginx/ssl/ov.chain.crt; - -#ssl_certificate_key /etc/nginx/ssl/digicert.key.pem; - -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; - -# location / { - -#proxy_set_header Host $host; - -#proxy_set_header X-Real-IP $remote_addr; - -#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -#proxy_set_header X-Forwarded-Proto $scheme; - -#proxy_pass http://sendgrid.net; - -#proxy_read_timeout 90; - -#proxy_redirect http://sendgrid.net https://system.securesign.org; - -# } -#} - -#server { -# listen 443 ssl; -# listen [::]:443 ssl; - -# server_name modmail.staff.libraryofcode.us; -# ssl_certificate /etc/nginx/ssl/modmail.chain.crt; - -#ssl_certificate_key /etc/nginx/ssl/modmail.key.pem; - -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; - -#ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE -# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; - #ssl_ciphers 
ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; -# ssl_ciphers HIGH:!aNULL:!MD5; -# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; -# location / { - -#proxy_set_header Host $host; - -#proxy_set_header X-Real-IP $remote_addr; - -#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -#proxy_set_header X-Forwarded-Proto $scheme; - -#proxy_pass https://localhost:8001; - -#proxy_read_timeout 90; - -#proxy_redirect https://localhost:8001 https://modmail.staff.libraryofcode.us; - -# } -#} - -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name api.securesign.org; - ssl_certificate /etc/letsencrypt/live/api.securesign.org/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/api.securesign.org/privkey.pem; # managed by Certbot - -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; - -ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; - ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; - ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; - location / { - -proxy_set_header Host $host; - -proxy_set_header X-Real-IP $remote_addr; - -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -proxy_set_header X-Forwarded-Proto $scheme; - -proxy_pass https://localhost:8055; - -proxy_read_timeout 90; - -proxy_redirect https://localhost:8055 https://api.securesign.org; - - } - -} - -#server { -# listen 443 ssl http2; -# listen [::]:443 ssl http2; - -# server_name support.libraryofcode.us; -# ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; - -#ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; 
-#ssl_session_cache builtin:1000 shared:SSL:10m; -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; -#ssl_prefer_server_ciphers on; -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; - -#ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE -# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; -# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; -# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; -# location / { - -#proxy_set_header Host $host; - -#proxy_set_header X-Real-IP $remote_addr; - -#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -#proxy_set_header X-Forwarded-Proto $scheme; - -#proxy_pass http://localhost:3000/; - -#proxy_read_timeout 90; - -#proxy_redirect http://localhost:3000 https://support.libraryofcode.us; - -# } -#} - - -upstream zammad-railsserver { - server 127.0.0.1:3001; -} - -upstream zammad-websocket { - server 127.0.0.1:6042; -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - # replace 'localhost' with your fqdn if you want to use zammad from remote - server_name support.libraryofcode.us; - - root /opt/zammad/public; - - access_log /var/log/nginx/zammad.access.log; - error_log /var/log/nginx/zammad.error.log; - - client_max_body_size 50M; -ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; - -ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; -#ssl_session_cache builtin:1000 shared:SSL:10m; -ssl_protocols TLSv1.2; -ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; -ssl_prefer_server_ciphers on; -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - 
-#ssl_prefer_server_ciphers on; - -ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE -# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; -# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; - ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; - - location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) { - expires max; - } - - location /ws { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header CLIENT_IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 86400; - proxy_pass http://zammad-websocket; - } - - location / { - proxy_set_header Host $http_host; - proxy_set_header CLIENT_IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 300; - proxy_pass http://zammad-railsserver; - - gzip on; - gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml; - gzip_proxied any; - } -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name vault.libraryofcode.org; - ssl_certificate /etc/nginx/ssl/org.chain.crt; - -ssl_certificate_key /etc/nginx/ssl/org.key.pem; - -#ssl_session_cache builtin:1000 shared:SSL:10m; -ssl_protocols TLSv1.2; - -ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -ssl_prefer_server_ciphers on; - -#ssl_stapling on; -#ssl_stapling_verify on; - -#limit_req zone=one burst=5; - location / { - -proxy_set_header Host $host; - -proxy_set_header X-Real-IP $remote_addr; - -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -proxy_set_header X-Forwarded-Proto $scheme; - -proxy_pass http://localhost:8200; - -proxy_read_timeout 90; - -proxy_redirect 
http://localhost:8200 https://vault.libraryofcode.org; - - } -} - -upstream gitlab-workhorse { - server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0; -} - - -## HTTPS host -server { - listen 0.0.0.0:443 ssl http2; - listen [::]:443 ipv6only=on ssl http2; - server_name gitlab.libraryofcode.org; ## Replace this with something like gitlab.example.com - root /opt/gitlab/embedded/service/gitlab-rails/public; - - ## Strong SSL Security - ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ - ssl on; - ssl_certificate /etc/nginx/ssl/org.chain.crt; - ssl_certificate_key /etc/nginx/ssl/org.key.pem; - - # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs - #ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_protocols TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 5m; - - ## See app/controllers/application_controller.rb for headers set - - ## [Optional] Enable HTTP Strict Transport Security - ## HSTS is a feature improving protection against MITM attacks - ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/ - add_header Strict-Transport-Security "max-age=31536000; preload"; - - ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. - ## Replace with your ssl_trusted_certificate. 
For more info see: - ## - https://medium.com/devops-programming/4445f4862461 - ## - https://www.ruby-forum.com/topic/4419319 - ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx - # ssl_stapling on; - # ssl_stapling_verify on; - # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; - # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired - # resolver_timeout 5s; - - ## [Optional] Generate a stronger DHE parameter: - ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 - ## - ssl_dhparam /etc/nginx/dhparam.pem; - ssl_ecdh_curve secp384r1; - - ## Individual nginx logs for this GitLab vhost - access_log /var/log/nginx/gitlab_access.log; - error_log /var/log/nginx/gitlab_error.log; - - location / { - client_max_body_size 0; - gzip off; - - ## https://github.com/gitlabhq/gitlabhq/issues/694 - ## Some requests take more than 30 seconds. - proxy_read_timeout 300; - proxy_connect_timeout 300; - proxy_redirect off; - - proxy_http_version 1.1; - - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Ssl on; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://gitlab-workhorse; - } -} - -#server { -# listen 443 ssl http2; -# listen [::]:443 ssl http2; - -# server_name libraryofcode.org; -# ssl_certificate /etc/nginx/ssl/org.chain.crt; - -#ssl_certificate_key /etc/nginx/ssl/org.key.pem; - -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; -#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE -# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; - #ssl_ciphers 
ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; -# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; -# ssl_dhparam /etc/nginx/dhparam.pem; -# ssl_ecdh_curve secp384r1; -# location / { - -#proxy_set_header Host $host; - -#proxy_set_header X-Real-IP $remote_addr; - -#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -#proxy_set_header X-Forwarded-Proto $scheme; - -#proxy_pass http://localhost:4567; - -#proxy_read_timeout 90; - -#proxy_redirect https://www.libraryofcode.us/ https://libraryofcode.org; - -# } -#} - -#server { -# listen 443 ssl http2; -# listen [::]:443 ssl http2; - -# server_name www.libraryofcode.org; -# ssl_certificate /etc/nginx/ssl/org.chain.crt; - -#ssl_certificate_key /etc/nginx/ssl/org.key.pem; - -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; -#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE -# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; - #ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; -# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; -# ssl_dhparam /etc/nginx/dhparam.pem; -# ssl_ecdh_curve secp384r1; -# location / { - -#proxy_set_header Host $host; - -#proxy_set_header X-Real-IP $remote_addr; - -#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -#proxy_set_header X-Forwarded-Proto 
$scheme; - -#proxy_pass http://localhost:4567; - -#proxy_read_timeout 90; - -#proxy_redirect http://localhost:4567 https://www.libraryofcode.org; - -# } -#} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name ecm.libraryofcode.us; - ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; - -ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; - -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; -ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; - ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; - ssl_dhparam /etc/nginx/dhparam.pem; - ssl_ecdh_curve secp384r1; - location / { - -proxy_set_header Host $host; - -proxy_set_header X-Real-IP $remote_addr; - -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - -proxy_set_header X-Forwarded-Proto $scheme; -proxy_set_header Upgrade $http_upgrade; -proxy_set_header Connection "upgrade"; - -proxy_pass https://localhost:7150; - -proxy_read_timeout 90; - -proxy_redirect https://localhost:7150 https://ecm.libraryofcode.us; - - } -} - -#server { -# listen 443 ssl http2; -# listen [::]:443 ssl http2; - -# server_name directory.libraryofcode.us; -# ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; - -#ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; -#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE -#ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; -#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; -#ssl_dhparam /etc/nginx/dhparam.pem; -#ssl_ecdh_curve secp384r1; - -#location /lam { -# index index.html; -# alias /usr/share/ldap-account-manager; -# 
autoindex off; -# -# location ~ \.php$ { -# fastcgi_split_path_info ^(.+\.php)(/.+)$; -# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; -# fastcgi_index index.php; -# include fastcgi_params; -# } -# -# location ~ /lam/(tmp/internal|sess|config|lib|help|locale) { -# deny all; -# return 403; -# } -# -#} -#} \ No newline at end of file diff --git a/Nginx/Server Blocks/drive.libraryofcode.org.conf b/Nginx/Server Blocks/drive.libraryofcode.org.conf index 90585bb..4259361 100644 --- a/Nginx/Server Blocks/drive.libraryofcode.org.conf +++ b/Nginx/Server Blocks/drive.libraryofcode.org.conf @@ -34,11 +34,11 @@ server { proxy_set_header X-Frame-Options SAMEORIGIN; - proxy_pass http://localhost:6123; + proxy_pass http://localhost:5608; proxy_read_timeout 90; - proxy_redirect http://localhost:6123 https://drive.libraryofcode.org; + proxy_redirect http://localhost:5608 https://drive.libraryofcode.org; } -} \ No newline at end of file +} diff --git a/Nginx/Server Blocks/gitlab.libraryofcode.org.conf b/Nginx/Server Blocks/gitlab.libraryofcode.org.conf new file mode 100644 index 0000000..85dc29d --- /dev/null +++ b/Nginx/Server Blocks/gitlab.libraryofcode.org.conf 
@@ -0,0 +1,74 @@ +upstream gitlab-workhorse { + server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0; +} + + +## HTTPS host +server { + listen 0.0.0.0:443 ssl http2; + listen [::]:443 ipv6only=on ssl http2; + server_name gitlab.libraryofcode.org; ## Replace this with something like gitlab.example.com + root /opt/gitlab/embedded/service/gitlab-rails/public; + + ## Strong SSL Security + ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ + ssl on; + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs + #ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_protocols TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 5m; + + ## See app/controllers/application_controller.rb for headers set + + ## [Optional] Enable HTTP Strict Transport Security + ## HSTS is a feature improving protection against MITM attacks + ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/ + add_header Strict-Transport-Security "max-age=31536000; preload"; + + ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. + ## Replace with your ssl_trusted_certificate. 
For more info see: + ## - https://medium.com/devops-programming/4445f4862461 + ## - https://www.ruby-forum.com/topic/4419319 + ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx + # ssl_stapling on; + # ssl_stapling_verify on; + # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; + # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired + # resolver_timeout 5s; + + ## [Optional] Generate a stronger DHE parameter: + ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 + ## + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_ecdh_curve secp384r1; + + ## Individual nginx logs for this GitLab vhost + access_log /var/log/nginx/gitlab_access.log; + error_log /var/log/nginx/gitlab_error.log; + + location / { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://gitlab-workhorse; + } +} diff --git a/Nginx/Server Blocks/http-redirect.conf b/Nginx/Server Blocks/http-redirect.conf new file mode 100644 index 0000000..a72a53a --- /dev/null +++ b/Nginx/Server Blocks/http-redirect.conf @@ -0,0 +1,7 @@ +server { + +listen 80; + +return 301 https://$host$request_uri; + +} diff --git a/Nginx/Server Blocks/locsh.libraryofcode.org.conf b/Nginx/Server Blocks/loc.sh.conf similarity index 96% rename from Nginx/Server Blocks/locsh.libraryofcode.org.conf rename to Nginx/Server Blocks/loc.sh.conf index 9ee4c02..d3ecae7 100644 --- a/Nginx/Server Blocks/locsh.libraryofcode.org.conf +++ b/Nginx/Server Blocks/loc.sh.conf 
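Review bot: The HSTS line `add_header Strict-Transport-Security "max-age=31536000; preload";` sends the `preload` token without `includeSubDomains`, which the preload list requires, and without `always`, so nginx omits the header on 4xx/5xx responses. Either use `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;` or drop `preload` if covering every subdomain is not intended, since a preload submission is hard to reverse. `ssl on;` is redundant with the `ssl` parameter already on both `listen` lines and has been deprecated since nginx 1.15.0; removing it avoids the startup warning. OCSP stapling is left commented out here while the loc.sh and staff blocks in this commit enable it, which looks like an unintended inconsistency rather than a choice.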
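Review bot: The redirect block binds only `listen 80;`, while the HTTPS blocks in this commit also bind `[::]:443`, so plain-HTTP requests arriving over IPv6 get no redirect at all. Add `listen [::]:80;` next to it, and consider `default_server` on both so the block is explicitly the catch-all for port 80 regardless of what other port-80 servers are later added.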
@@ -1,42 +1,42 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name loc.sh; - ssl_certificate /etc/letsencrypt/live/loc.sh-0001/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/loc.sh-0001/privkey.pem; # managed by Certbot - - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - - #limit_req zone=one burst=15; - location / { - - proxy_set_header Host $host; - - proxy_set_header X-Real-IP $remote_addr; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_pass http://localhost:3890; - - proxy_read_timeout 90; - - proxy_redirect http://localhost:3890 https://loc.sh; - - } - +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name loc.sh; + ssl_certificate /etc/letsencrypt/live/loc.sh-0001/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/loc.sh-0001/privkey.pem; # managed by Certbot + + ssl_session_cache builtin:1000 shared:SSL:10m; + #include /etc/nginx/error/502; + #include /etc/nginx/error/504; + #include /etc/nginx/error/500; + #include /etc/nginx/error/404; + #include /etc/nginx/error/429; + ssl_protocols TLSv1.2; + + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_prefer_server_ciphers on; + 
+ ssl_stapling on; + ssl_stapling_verify on; + + #limit_req zone=one burst=15; + location / { + + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_pass http://localhost:3890; + + proxy_read_timeout 90; + + proxy_redirect http://localhost:3890 https://loc.sh; + + } + } \ No newline at end of file diff --git a/Nginx/Server Blocks/pbx.libraryofcode.org.conf b/Nginx/Server Blocks/pbx.ins.conf similarity index 97% rename from Nginx/Server Blocks/pbx.libraryofcode.org.conf rename to Nginx/Server Blocks/pbx.ins.conf index 070b09b..ea8aff1 100644 --- a/Nginx/Server Blocks/pbx.libraryofcode.org.conf +++ b/Nginx/Server Blocks/pbx.ins.conf 
@@ -1,49 +1,49 @@ -server { - listen 10.8.0.1:443 ssl http2; - listen [::]:443 ssl http2; - server_name pbx.ins; - - ssl_certificate /etc/nginx/ssl/pbx-ins.chain.crt; - ssl_certificate_key /etc/nginx/ssl/pbx-ins.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - client_max_body_size 230M; - client_body_timeout 1h; - #limit_req zone=one burst=15; - root /var/www/html; - - index index.html index.htm index.php; - - location / { - try_files $uri $uri/ =404; - } - - location ~ \.php$ { - include snippets/fastcgi-php.conf; # server defaults are good - fastcgi_pass unix:/run/php/php7.3-fpm-asterisk.sock; - fastcgi_param HTACCESS on; # disables FreePBX htaccess warning - proxy_read_timeout 800; - } - - # disallows the things that the FreePBX .htaccess files disallow - location ~ (/\.ht|/\.git|\.ini$|/libraries|/helpers|/i18n|/node|/views/.+php$) { - deny all; - } - - # from the api module .htaccess file - rewrite ^/admin/api/([^/]*)/([^/]*)/?(.*)?$ /admin/api/api.php?module=$1&command=$2&route=$3 last; - +server { + listen 10.8.0.1:443 ssl http2; + listen [::]:443 ssl http2; + server_name pbx.ins; + + ssl_certificate /etc/nginx/ssl/pbx-ins.chain.crt; + ssl_certificate_key /etc/nginx/ssl/pbx-ins.key.pem; + + ssl_session_cache builtin:1000 shared:SSL:10m; + #include /etc/nginx/error/502; + #include /etc/nginx/error/504; + #include /etc/nginx/error/500; + #include /etc/nginx/error/404; + #include /etc/nginx/error/429; + ssl_protocols TLSv1.2; + + ssl_ciphers 
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_prefer_server_ciphers on; + + ssl_stapling on; + ssl_stapling_verify on; + client_max_body_size 230M; + client_body_timeout 1h; + #limit_req zone=one burst=15; + root /var/www/html; + + index index.html index.htm index.php; + + location / { + try_files $uri $uri/ =404; + } + + location ~ \.php$ { + include snippets/fastcgi-php.conf; # server defaults are good + fastcgi_pass unix:/run/php/php7.3-fpm-asterisk.sock; + fastcgi_param HTACCESS on; # disables FreePBX htaccess warning + proxy_read_timeout 800; + } + + # disallows the things that the FreePBX .htaccess files disallow + location ~ (/\.ht|/\.git|\.ini$|/libraries|/helpers|/i18n|/node|/views/.+php$) { + deny all; + } + + # from the api module .htaccess file + rewrite ^/admin/api/([^/]*)/([^/]*)/?(.*)?$ /admin/api/api.php?module=$1&command=$2&route=$3 last; + } \ No newline at end of file diff --git a/Nginx/Server Blocks/servicedesk.libraryofcode.org.conf b/Nginx/Server Blocks/staff.libraryofcode.org.conf similarity index 96% rename from Nginx/Server Blocks/servicedesk.libraryofcode.org.conf rename to Nginx/Server Blocks/staff.libraryofcode.org.conf index 4523fe9..b760201 100644 --- a/Nginx/Server Blocks/servicedesk.libraryofcode.org.conf +++ b/Nginx/Server Blocks/staff.libraryofcode.org.conf 
@@ -1,42 +1,42 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name staff.libraryofcode.org; - - ssl_certificate /etc/nginx/ssl/org.chain.crt; - ssl_certificate_key /etc/nginx/ssl/org.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - - #limit_req zone=one burst=15; - location / { - - proxy_set_header Host $host; - - proxy_set_header X-Real-IP $remote_addr; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_pass http://localhost:3020; - - proxy_read_timeout 90; - - proxy_redirect http://localhost:3020 https://staff.libraryofcode.org; - - } +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name staff.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + ssl_session_cache builtin:1000 shared:SSL:10m; + #include /etc/nginx/error/502; + #include /etc/nginx/error/504; + #include /etc/nginx/error/500; + #include /etc/nginx/error/404; + #include /etc/nginx/error/429; + ssl_protocols TLSv1.2; + + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_prefer_server_ciphers on; + + ssl_stapling on; + ssl_stapling_verify on; + + #limit_req zone=one burst=15; + location / { + + 
proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_pass http://localhost:3020; + + proxy_read_timeout 90; + + proxy_redirect http://localhost:3020 https://staff.libraryofcode.org; + + } } \ No newline at end of file diff --git a/Nginx/Server Blocks/support.libraryofcode.us.conf b/Nginx/Server Blocks/support.libraryofcode.us.conf deleted file mode 100644 index c46da3f..0000000 --- a/Nginx/Server Blocks/support.libraryofcode.us.conf +++ /dev/null 
@@ -1,73 +0,0 @@ -# -# this is the nginx config for zammad -# - -upstream zammad-railsserver { - server 127.0.0.1:3000; -} - -upstream zammad-websocket { - server 127.0.0.1:6042; -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - # replace 'localhost' with your fqdn if you want to use zammad from remote - server_name support.libraryofcode.us; - - root /opt/zammad/public; - - access_log /var/log/nginx/zammad.access.log; - error_log /var/log/nginx/zammad.error.log; - - client_max_body_size 50M; -ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; - -ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; -#ssl_session_cache builtin:1000 shared:SSL:10m; -ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; -ssl_prefer_server_ciphers on; -#ssl_session_cache builtin:1000 shared:SSL:10m; - -#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - -#ssl_prefer_server_ciphers on; - -ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE -# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; -# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; - ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; - - location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) { - expires max; - } - - location /ws { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header CLIENT_IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 86400; - proxy_pass http://zammad-websocket; - } - - location / { - proxy_set_header Host $http_host; - proxy_set_header CLIENT_IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - 
proxy_read_timeout 300; - proxy_pass http://zammad-railsserver; - - gzip on; - gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml; - gzip_proxied any; - } -} \ No newline at end of file diff --git a/Nginx/Server Blocks/test.ins.conf b/Nginx/Server Blocks/test.ins.conf deleted file mode 100644 index 6245a6b..0000000 --- a/Nginx/Server Blocks/test.ins.conf +++ /dev/null @@ -1,44 +0,0 @@ -server { - listen 10.8.0.1:443 ssl http2; - #listen [::]:443 ssl http2; - server_name modmail.ins; - - ssl_certificate /etc/nginx/ssl/modmail-ins.chain.crt; - ssl_certificate_key /etc/nginx/ssl/modmail-ins.key.pem; - - ssl_session_cache builtin:1000 shared:SSL:10m; - #include /etc/nginx/error/502; - #include /etc/nginx/error/504; - #include /etc/nginx/error/500; - #include /etc/nginx/error/404; - #include /etc/nginx/error/429; - ssl_protocols TLSv1.2; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers on; - - ssl_stapling on; - ssl_stapling_verify on; - - #limit_req zone=one burst=15; - location / { - - proxy_set_header Host $host; - - proxy_set_header X-Real-IP $remote_addr; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_set_header X-Frame-Options SAMEORIGIN; - - proxy_pass http://10.8.0.1:5478; - - proxy_read_timeout 90; - - proxy_redirect http://10.8.0.1:5478 https://modmail.ins; - - } -} \ No newline at end of file diff --git a/scripts/nginxsymlinks.py b/scripts/nginxsymlinks.py new file mode 100644 index 0000000..cbee031 --- /dev/null +++ b/scripts/nginxsymlinks.py 
@@ -0,0 +1,30 @@
+#!/usr/bin/env python
+"""
+
+ Copyright (C) 2021 Library of Code sp-us, Department of Engineering
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+"""
+
+import os
+
+blocks = os.listdir("Nginx/Server Blocks")
+old_blocks = os.listdir("/etc/nginx/sites-available")
+path = os.path.abspath("Nginx/Server Blocks")
+
+for block in blocks:
+ os.symlink("%s/%s" % (path, block), "/etc/nginx/sites-available/%s" % block)
+
+for block in old_blocks:
+ os.unlink("/etc/nginx/sites-available/%s" % block)
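Review bot: The unlink loop runs after the symlink loop, so on any second run every name already present in `/etc/nginx/sites-available` makes `os.symlink` raise `FileExistsError` before anything is cleaned up, and had it got past that, the second loop would remove the links it had just created. Removal should come first and be restricted to symlinks via `os.path.islink`, so that a script which has to run as root to write into that directory cannot delete hand-written config files that were never in the repository. The relative `"Nginx/Server Blocks"` also ties the script to being run from the repository root, presumably via the Makefile this commit touches, which deserves a comment. Whether this nginx install includes `sites-available` or `sites-enabled` is not visible here and is worth confirming against nginx.conf before relying on the links being loaded.
```python
# … unchanged: shebang and license header …
import os

SITES_DIR = "/etc/nginx/sites-available"
path = os.path.abspath("Nginx/Server Blocks")  # relative to the repo root; run from there
blocks = os.listdir(path)

# Clean up first so a re-run does not fail with FileExistsError, and only
# remove symlinks so files placed in sites-available by hand are kept.
for entry in os.listdir(SITES_DIR):
    target = os.path.join(SITES_DIR, entry)
    if os.path.islink(target):
        os.unlink(target)

for block in blocks:
    os.symlink(os.path.join(path, block), os.path.join(SITES_DIR, block))
```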