add auth file

merge-requests/2/head
Matthew 2021-05-29 21:39:14 -04:00
parent 0f1588e246
commit f64b538e84
14 changed files with 943 additions and 924 deletions


@ -1,23 +1,23 @@
version: "3.9" version: "3.9"
services: services:
freeipa: freeipa:
image: "freeipa/freeipa-server:centos-8" image: "freeipa/freeipa-server:centos-8"
restart: "unless-stopped" restart: "unless-stopped"
privileged: true privileged: true
read_only: true read_only: true
volumes: volumes:
- "/var/lib/ipa-data:/data:Z" - "/var/lib/ipa-data:/data:Z"
- "/var/lib/ipa-data/z/tmp:/tmp" - "/var/lib/ipa-data/z/tmp:/tmp"
- "/sys/fs/cgroup:/sys/fs/cgroup:ro" - "/sys/fs/cgroup:/sys/fs/cgroup:ro"
hostname: id.libraryofcode.org hostname: id.libraryofcode.org
sysctls: sysctls:
- net.ipv6.conf.all.disable_ipv6=0 - net.ipv6.conf.all.disable_ipv6=0
ports: ports:
- "7810:80/tcp" - "7810:80/tcp"
- "7811:88/tcp" - "7811:88/tcp"
- "7812:389/tcp" - "7812:389/tcp"
- "7813:443/tcp" - "7813:443/tcp"
- "7814:123/udp" - "7814:123/udp"
- "7815:464/tcp" - "7815:464/tcp"
- "7816:636/udp" - "7816:636/udp"
- "7817:464/udp" - "7817:464/udp"
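Review bot: The `7816:636/udp` mapping on the last port lines publishes LDAPS on UDP, but LDAPS (636) is TCP-only, so the only LDAP endpoint actually reachable through this compose file is the plaintext `7812:389/tcp` one; change it to `- "7816:636/tcp"`. The neighbouring 88 and 464 entries show the intended tcp/udp pairing: Kerberos is published on 88/tcp only, and clients that try UDP first for KDC traffic will not reach it, so a matching `88/udp` mapping (host port to be chosen) is worth adding. `privileged: true` together with the `/sys/fs/cgroup` bind mount hands the container effectively full host access; if that is what this freeipa-server image requires, a comment saying so would stop the next reader from trying to drop it.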


@ -1,42 +1,42 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name beta.libraryofcode.org; server_name beta.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m; ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502; #include /etc/nginx/error/502;
#include /etc/nginx/error/504; #include /etc/nginx/error/504;
#include /etc/nginx/error/500; #include /etc/nginx/error/500;
#include /etc/nginx/error/404; #include /etc/nginx/error/404;
#include /etc/nginx/error/429; #include /etc/nginx/error/429;
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
#limit_req zone=one burst=15; #limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:3000; proxy_pass http://localhost:3000;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_redirect http://localhost:3000 https://beta.libraryofcode.org; proxy_redirect http://localhost:3000 https://beta.libraryofcode.org;
} }
} }
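Review bot: This server block terminates TLS for beta.libraryofcode.org but never sends Strict-Transport-Security, so a first visit over http is not upgraded and later plaintext attempts are not refused by the browser; after `ssl_stapling_verify on;` add `add_header Strict-Transport-Security "max-age=31536000" always;` (add includeSubDomains only once every subdomain is confirmed to be served over TLS). The same omission applies to the commshop, ecm and both drive sections of this commit, where the second drive config carries the header only in commented-out form. `ssl_stapling on;` also depends on a `resolver` directive to fetch OCSP responses; if none is configured in the http block, which I cannot see here, the fetch fails and no staple is sent.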


@ -1,44 +1,44 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name commshop.libraryofcode.org; server_name commshop.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m; ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502; #include /etc/nginx/error/502;
#include /etc/nginx/error/504; #include /etc/nginx/error/504;
#include /etc/nginx/error/500; #include /etc/nginx/error/500;
#include /etc/nginx/error/404; #include /etc/nginx/error/404;
#include /etc/nginx/error/429; #include /etc/nginx/error/429;
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
#limit_req zone=one burst=15; #limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://localhost:7890; proxy_pass http://localhost:7890;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_redirect http://localhost:7890 https://commshop.libraryofcode.org; proxy_redirect http://localhost:7890 https://commshop.libraryofcode.org;
} }
} }
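Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;` in the `location /` block sets a header on the request forwarded to the upstream on port 7890, not on the response returned to the client, so the clickjacking protection it is evidently meant to provide never reaches the browser. Replace it with `add_header X-Frame-Options SAMEORIGIN always;` at server level, which is how the drive config in this commit does it. Keep in mind that nginx only inherits server-level `add_header` into a location that declares none of its own, so any later per-location `add_header` must repeat it.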


@ -1,158 +1,158 @@
#server { #server {
# listen 443 ssl http2; # listen 443 ssl http2;
# listen [::]:443 ssl http2; # listen [::]:443 ssl http2;
# server_name libraryofcode.org; # server_name libraryofcode.org;
# ssl_certificate /etc/nginx/ssl/org.chain.crt; # ssl_certificate /etc/nginx/ssl/org.chain.crt;
#ssl_certificate_key /etc/nginx/ssl/org.key.pem; #ssl_certificate_key /etc/nginx/ssl/org.key.pem;
#ssl_session_cache builtin:1000 shared:SSL:10m; #ssl_session_cache builtin:1000 shared:SSL:10m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; #ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
#ssl_prefer_server_ciphers on; #ssl_prefer_server_ciphers on;
#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE #ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; # ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; #ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; # ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# ssl_dhparam /etc/nginx/dhparam.pem; # ssl_dhparam /etc/nginx/dhparam.pem;
# ssl_ecdh_curve secp384r1; # ssl_ecdh_curve secp384r1;
# location / { # location / {
#proxy_set_header Host $host; #proxy_set_header Host $host;
#proxy_set_header X-Real-IP $remote_addr; #proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Proto $scheme; #proxy_set_header X-Forwarded-Proto $scheme;
#proxy_pass http://localhost:4567; #proxy_pass http://localhost:4567;
#proxy_read_timeout 90; #proxy_read_timeout 90;
#proxy_redirect https://www.libraryofcode.us/ https://libraryofcode.org; #proxy_redirect https://www.libraryofcode.us/ https://libraryofcode.org;
# } # }
#} #}
#server { #server {
# listen 443 ssl http2; # listen 443 ssl http2;
# listen [::]:443 ssl http2; # listen [::]:443 ssl http2;
# server_name www.libraryofcode.org; # server_name www.libraryofcode.org;
# ssl_certificate /etc/nginx/ssl/org.chain.crt; # ssl_certificate /etc/nginx/ssl/org.chain.crt;
#ssl_certificate_key /etc/nginx/ssl/org.key.pem; #ssl_certificate_key /etc/nginx/ssl/org.key.pem;
#ssl_session_cache builtin:1000 shared:SSL:10m; #ssl_session_cache builtin:1000 shared:SSL:10m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; #ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
#ssl_prefer_server_ciphers on; #ssl_prefer_server_ciphers on;
#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE #ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; # ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; #ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; # ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# ssl_dhparam /etc/nginx/dhparam.pem; # ssl_dhparam /etc/nginx/dhparam.pem;
# ssl_ecdh_curve secp384r1; # ssl_ecdh_curve secp384r1;
# location / { # location / {
#proxy_set_header Host $host; #proxy_set_header Host $host;
#proxy_set_header X-Real-IP $remote_addr; #proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Proto $scheme; #proxy_set_header X-Forwarded-Proto $scheme;
#proxy_pass http://localhost:4567; #proxy_pass http://localhost:4567;
#proxy_read_timeout 90; #proxy_read_timeout 90;
#proxy_redirect http://localhost:4567 https://www.libraryofcode.org; #proxy_redirect http://localhost:4567 https://www.libraryofcode.org;
# } # }
#} #}
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name ecm.libraryofcode.us; server_name ecm.libraryofcode.us;
ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; ssl_certificate /etc/nginx/ssl/globalsign.chain.crt;
ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem;
#ssl_session_cache builtin:1000 shared:SSL:10m; #ssl_session_cache builtin:1000 shared:SSL:10m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; #ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
#ssl_prefer_server_ciphers on; #ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_dhparam /etc/nginx/dhparam.pem; ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ecdh_curve secp384r1; ssl_ecdh_curve secp384r1;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
proxy_pass https://localhost:7150; proxy_pass https://localhost:7150;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_redirect https://localhost:7150 https://ecm.libraryofcode.us; proxy_redirect https://localhost:7150 https://ecm.libraryofcode.us;
} }
} }
#server { #server {
# listen 443 ssl http2; # listen 443 ssl http2;
# listen [::]:443 ssl http2; # listen [::]:443 ssl http2;
# server_name directory.libraryofcode.us; # server_name directory.libraryofcode.us;
# ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; # ssl_certificate /etc/nginx/ssl/globalsign.chain.crt;
#ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; #ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem;
#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE #ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
#ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; #ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; #ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
#ssl_dhparam /etc/nginx/dhparam.pem; #ssl_dhparam /etc/nginx/dhparam.pem;
#ssl_ecdh_curve secp384r1; #ssl_ecdh_curve secp384r1;
#location /lam { #location /lam {
# index index.html; # index index.html;
# alias /usr/share/ldap-account-manager; # alias /usr/share/ldap-account-manager;
# autoindex off; # autoindex off;
# #
# location ~ \.php$ { # location ~ \.php$ {
# fastcgi_split_path_info ^(.+\.php)(/.+)$; # fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; # fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
# fastcgi_index index.php; # fastcgi_index index.php;
# include fastcgi_params; # include fastcgi_params;
# } # }
# #
# location ~ /lam/(tmp/internal|sess|config|lib|help|locale) { # location ~ /lam/(tmp/internal|sess|config|lib|help|locale) {
# deny all; # deny all;
# return 403; # return 403;
# } # }
# #
#} #}
#} #}
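Review bot: `ssl_protocols TLSv1.1 TLSv1.2;` in the live ecm.libraryofcode.us block re-enables TLS 1.1, which is deprecated (RFC 8996) and which every other active server block in this commit already excludes; change it to `ssl_protocols TLSv1.2;` to match them. The `ssl_ciphers` list on the next lines opens with `ECDHE-RSA-AES256-GCM-SHA512` and `DHE-RSA-AES256-GCM-SHA512`, which as far as I know are not OpenSSL suite names — unknown entries are skipped when the list is parsed, so the effective list is shorter than written; the cipher string used by the beta, commshop and drive sections would be the consistent replacement. Both points carry over to the commented-out directory.libraryofcode.us block should it be re-enabled. `proxy_pass https://localhost:7150;` leaves `proxy_ssl_verify` at its default of off, which is acceptable for loopback but deserves a one-line comment so the block is not copied for a remote upstream.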


@ -1,114 +1,114 @@
upstream php-handler { upstream php-handler {
#server 127.0.0.1:9000; #server 127.0.0.1:9000;
server unix:/var/run/php/php7.2-fpm.sock; server unix:/var/run/php/php7.2-fpm.sock;
} }
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name drive.libraryofcode.org; server_name drive.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m; ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
fastcgi_read_timeout 300; fastcgi_read_timeout 300;
proxy_read_timeout 300; proxy_read_timeout 300;
add_header Referrer-Policy "no-referrer" always; add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always; add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always; add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak # Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By; fastcgi_hide_header X-Powered-By;
# Path to the root of your installation # Path to the root of your installation
root /var/www/nextcloud; root /var/www/nextcloud;
index index.php index.html /index.php$request_uri; index index.php index.html /index.php$request_uri;
# Default Cache-Control policy # Default Cache-Control policy
expires 1m; expires 1m;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / { location = / {
if ( $http_user_agent ~ ^DavClnt ) { if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args; return 302 /remote.php/webdav/$is_args$args;
} }
} }
location = /robots.txt { location = /robots.txt {
allow all; allow all;
log_not_found off; log_not_found off;
access_log off; access_log off;
} }
# Make a regex exception for `/.well-known` so that clients can still # Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule # access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests # `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`. # for `/.well-known`.
location ^~ /.well-known { location ^~ /.well-known {
# The following 6 rules are borrowed from `.htaccess` # The following 6 rules are borrowed from `.htaccess`
rewrite ^/\.well-known/host-meta\.json /public.php?service=host-meta-json last; rewrite ^/\.well-known/host-meta\.json /public.php?service=host-meta-json last;
rewrite ^/\.well-known/host-meta /public.php?service=host-meta last; rewrite ^/\.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/\.well-known/webfinger /public.php?service=webfinger last; rewrite ^/\.well-known/webfinger /public.php?service=webfinger last;
rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last; rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last;
location = /.well-known/carddav { return 301 /remote.php/dav/; } location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; } location = /.well-known/caldav { return 301 /remote.php/dav/; }
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
} }
# Rules borrowed from `.htaccess` to hide certain paths from clients # Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks # Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first, # which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response. # to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) { location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info; set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404; try_files $fastcgi_script_name =404;
include fastcgi_params; include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info; fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on; fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler; fastcgi_pass php-handler;
fastcgi_intercept_errors on; fastcgi_intercept_errors on;
fastcgi_request_buffering off; fastcgi_request_buffering off;
} }
location ~ \.(?:css|js|svg|gif)$ { location ~ \.(?:css|js|svg|gif)$ {
try_files $uri /index.php$request_uri; try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess` expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets access_log off; # Optional: Don't log access to assets
} }
location ~ \.woff2?$ { location ~ \.woff2?$ {
try_files $uri /index.php$request_uri; try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess` expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets access_log off; # Optional: Don't log access to assets
} }
location / { location / {
try_files $uri $uri/ /index.php$request_uri; try_files $uri $uri/ /index.php$request_uri;
} }
} }
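Review bot: This drive.libraryofcode.org block sets no `client_max_body_size`, so nginx's default of 1m applies and any Nextcloud upload larger than that is rejected with 413 before PHP sees it; the other drive config in this commit sets `client_max_body_size 512M;`, and the same directive belongs here next to `fastcgi_read_timeout 300;`. The `location ~ \.php(?:$|/)` block does `try_files $fastcgi_script_name =404;` before `fastcgi_pass`, which is the right order and is worth a comment (`# refuse to pass a non-existent script to php-fpm`) since it is the line that closes the classic path-info confusion.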


@ -1,140 +1,140 @@
upstream php-handler { upstream php-handler {
#server 127.0.0.1:9000; #server 127.0.0.1:9000;
server unix:/var/run/php/php7.2-fpm.sock; server unix:/var/run/php/php7.2-fpm.sock;
} }
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name drive.libraryofcode.org; server_name drive.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m; ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
fastcgi_read_timeout 300; fastcgi_read_timeout 300;
proxy_read_timeout 300; proxy_read_timeout 300;
add_header Referrer-Policy "no-referrer" always; add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always; add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always; add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak # Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By; fastcgi_hide_header X-Powered-By;
# Path to the root of your installation # Path to the root of your installation
root /var/www/nextcloud; root /var/www/nextcloud;
location = /robots.txt { location = /robots.txt {
allow all; allow all;
log_not_found off; log_not_found off;
access_log off; access_log off;
} }
# The following 2 rules are only needed for the user_webfinger app. # The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app. # Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last; #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
# The following rule is only needed for the Social app. # The following rule is only needed for the Social app.
# Uncomment it if you're planning to use this app. # Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/webfinger /public.php?service=webfinger last; #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
location = /.well-known/carddav { location = /.well-known/carddav {
return 301 $scheme://$host:$server_port/remote.php/dav; return 301 $scheme://$host:$server_port/remote.php/dav;
} }
location = /.well-known/caldav { location = /.well-known/caldav {
return 301 $scheme://$host:$server_port/remote.php/dav; return 301 $scheme://$host:$server_port/remote.php/dav;
} }
# set max upload size # set max upload size
client_max_body_size 512M; client_max_body_size 512M;
fastcgi_buffers 64 4K; fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers # Enable gzip but do not remove ETag headers
gzip on; gzip on;
gzip_vary on; gzip_vary on;
gzip_comp_level 4; gzip_comp_level 4;
gzip_min_length 256; gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module # Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported. # This module is currently not supported.
#pagespeed off; #pagespeed off;
location / { location / {
rewrite ^ /index.php; rewrite ^ /index.php;
} }
location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all; deny all;
} }
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all; deny all;
} }
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info; set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404; try_files $fastcgi_script_name =404;
include fastcgi_params; include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info; fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on; fastcgi_param HTTPS on;
# Avoid sending the security headers twice # Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true; fastcgi_param modHeadersAvailable true;
# Enable pretty urls # Enable pretty urls
fastcgi_param front_controller_active true; fastcgi_param front_controller_active true;
fastcgi_pass php-handler; fastcgi_pass php-handler;
fastcgi_intercept_errors on; fastcgi_intercept_errors on;
fastcgi_request_buffering off; fastcgi_request_buffering off;
} }
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404; try_files $uri/ =404;
index index.php; index index.php;
} }
# Adding the cache control header for js, css and map files # Adding the cache control header for js, css and map files
# Make sure it is BELOW the PHP block # Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif|map)$ { location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
try_files $uri /index.php$request_uri; try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463"; add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to # Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above) # have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into # Before enabling Strict-Transport-Security headers please read into
# this topic first. # this topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
# #
# WARNING: Only add the preload option once you read about # WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option # the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped # will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list # in all major browsers and getting removed from this list
# could take several months. # could take several months.
add_header Referrer-Policy "no-referrer" always; add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always; add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always; add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
# Optional: Don't log access to assets # Optional: Don't log access to assets
access_log off; access_log off;
} }
location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ { location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
try_files $uri /index.php$request_uri; try_files $uri /index.php$request_uri;
# Optional: Don't log access to other assets # Optional: Don't log access to other assets
access_log off; access_log off;
} }
} }
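Review bot: This file and the other drive config in this commit both declare `upstream php-handler` and a server block for `drive.libraryofcode.org`; if nginx includes both, the duplicate upstream is a fatal configuration error, and a duplicate server_name is only a warning with the first-loaded block winning, so which of the two configs is live becomes an accident of include order. Keep one (this one looks like the older Nextcloud template, the other uses the current `location ~ \.php(?:$|/)` form) or rename the unused file so an `include` glob does not pick it up. I cannot see the include directives from here, so confirm against nginx.conf.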


@ -1,44 +1,44 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name hrm.libraryofcode.org; server_name hrm.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# ssl_dhparam /etc/nginx/dhparam.pem; # ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ecdh_curve secp384r1; ssl_ecdh_curve secp384r1;
#root /var/www/orangehrm; #root /var/www/orangehrm;
#index index.php index.html index.htm; #index index.php index.html index.htm;
#client_max_body_size 100M; #client_max_body_size 100M;
#proxy_connect_timeout 1800s; #proxy_connect_timeout 1800s;
#proxy_send_timeout 1800s; #proxy_send_timeout 1800s;
#proxy_read_timeout 1800s; #proxy_read_timeout 1800s;
#fastcgi_send_timeout 1800s; #fastcgi_send_timeout 1800s;
#fastcgi_read_timeout 1800s; #fastcgi_read_timeout 1800s;
location / { location / {
#try_files $uri $uri/ /index.php?$uri&$args; #try_files $uri $uri/ /index.php?$uri&$args;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:6969; proxy_pass http://localhost:6969;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_redirect http://localhost:6969 https://hrm.libraryofcode.org; proxy_redirect http://localhost:6969 https://hrm.libraryofcode.org;
} }
#location ~ \.php$ { #location ~ \.php$ {
# include snippets/fastcgi-php.conf; # include snippets/fastcgi-php.conf;
# fastcgi_pass unix:/var/run/php/php7.1-fpm.sock; # fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# include fastcgi_params; # include fastcgi_params;
#} #}
} }


@ -1,44 +1,44 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name inbox.libraryofcode.org; server_name inbox.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m; ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502; #include /etc/nginx/error/502;
#include /etc/nginx/error/504; #include /etc/nginx/error/504;
#include /etc/nginx/error/500; #include /etc/nginx/error/500;
#include /etc/nginx/error/404; #include /etc/nginx/error/404;
#include /etc/nginx/error/429; #include /etc/nginx/error/429;
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
#limit_req zone=one burst=15; #limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://localhost:4061; proxy_pass http://localhost:4061;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_redirect http://localhost:4061 https://inbox.libraryofcode.org; proxy_redirect http://localhost:4061 https://inbox.libraryofcode.org;
} }
} }


@ -1,114 +1,114 @@
upstream php-handler { upstream php-handler {
#server 127.0.0.1:9000; #server 127.0.0.1:9000;
server unix:/var/run/php/php7.2-fpm.sock; server unix:/var/run/php/php7.2-fpm.sock;
} }
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name drive.libraryofcode.org; server_name drive.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m; ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
fastcgi_read_timeout 300; fastcgi_read_timeout 300;
proxy_read_timeout 300; proxy_read_timeout 300;
add_header Referrer-Policy "no-referrer" always; add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always; add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always; add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak # Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By; fastcgi_hide_header X-Powered-By;
# Path to the root of your installation # Path to the root of your installation
root /var/www/nextcloud; root /var/www/nextcloud;
index index.php index.html /index.php$request_uri; index index.php index.html /index.php$request_uri;
# Default Cache-Control policy # Default Cache-Control policy
expires 1m; expires 1m;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / { location = / {
if ( $http_user_agent ~ ^DavClnt ) { if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args; return 302 /remote.php/webdav/$is_args$args;
} }
} }
location = /robots.txt { location = /robots.txt {
allow all; allow all;
log_not_found off; log_not_found off;
access_log off; access_log off;
} }
# Make a regex exception for `/.well-known` so that clients can still # Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule # access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests # `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`. # for `/.well-known`.
location ^~ /.well-known { location ^~ /.well-known {
# The following 6 rules are borrowed from `.htaccess` # The following 6 rules are borrowed from `.htaccess`
rewrite ^/\.well-known/host-meta\.json /public.php?service=host-meta-json last; rewrite ^/\.well-known/host-meta\.json /public.php?service=host-meta-json last;
rewrite ^/\.well-known/host-meta /public.php?service=host-meta last; rewrite ^/\.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/\.well-known/webfinger /public.php?service=webfinger last; rewrite ^/\.well-known/webfinger /public.php?service=webfinger last;
rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last; rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last;
location = /.well-known/carddav { return 301 /remote.php/dav/; } location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; } location = /.well-known/caldav { return 301 /remote.php/dav/; }
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
} }
# Rules borrowed from `.htaccess` to hide certain paths from clients # Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks # Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first, # which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response. # to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) { location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info; set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404; try_files $fastcgi_script_name =404;
include fastcgi_params; include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info; fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on; fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler; fastcgi_pass php-handler;
fastcgi_intercept_errors on; fastcgi_intercept_errors on;
fastcgi_request_buffering off; fastcgi_request_buffering off;
} }
location ~ \.(?:css|js|svg|gif)$ { location ~ \.(?:css|js|svg|gif)$ {
try_files $uri /index.php$request_uri; try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess` expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets access_log off; # Optional: Don't log access to assets
} }
location ~ \.woff2?$ { location ~ \.woff2?$ {
try_files $uri /index.php$request_uri; try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess` expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets access_log off; # Optional: Don't log access to assets
} }
location / { location / {
try_files $uri $uri/ /index.php$request_uri; try_files $uri $uri/ /index.php$request_uri;
} }
} }


@ -1,29 +1,29 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name payments.libraryofcode.org; server_name payments.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_protocols TLSv1.1 TLSv1.2; ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_dhparam /etc/nginx/dhparam.pem; ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ecdh_curve secp384r1; ssl_ecdh_curve secp384r1;
root /var/www/opencart; root /var/www/opencart;
index index.php index.html index.htm; index index.php index.html index.htm;
location / { location / {
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
} }
location ~ [^/]\.php(/|$) { location ~ [^/]\.php(/|$) {
include snippets/fastcgi-php.conf; include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock; fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params; include fastcgi_params;
} }
} }


@ -1,44 +1,44 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name search.libraryofcode.org; server_name search.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt; ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem; ssl_certificate_key /etc/nginx/ssl/org.key.pem;
ssl_session_cache builtin:1000 shared:SSL:10m; ssl_session_cache builtin:1000 shared:SSL:10m;
#include /etc/nginx/error/502; #include /etc/nginx/error/502;
#include /etc/nginx/error/504; #include /etc/nginx/error/504;
#include /etc/nginx/error/500; #include /etc/nginx/error/500;
#include /etc/nginx/error/404; #include /etc/nginx/error/404;
#include /etc/nginx/error/429; #include /etc/nginx/error/429;
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
#limit_req zone=one burst=15; #limit_req zone=one burst=15;
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://localhost:8090; proxy_pass http://localhost:8090;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_redirect http://localhost:8090 https://search.libraryofcode.org; proxy_redirect http://localhost:8090 https://search.libraryofcode.org;
} }
} }

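--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,19 @@
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+server_name certapi.libraryofcode.org;
+ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+location / {
+proxy_pass https://libraryofcode-cd-pbipdifect6vowsp.edge.tenants.us.auth0.com/;
+proxy_set_header cname-api-key "ca65ccfade6e79f0ea1339259a32882a90fdb11eef10c8df6323133cb607a483";
+proxy_pass_header Set-Cookie;
+proxy_pass_header User-Agent;
+proxy_pass_header Origin;
+proxy_pass_header Referer;
+}
+}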
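Review bot: The `proxy_set_header cname-api-key "…"` line in the new certapi server block commits a live API credential to the repository; it should be treated as exposed, rotated, and loaded from a root-only file outside the tracked tree (for example via `include /etc/nginx/<secret-file>;` — placeholder name) rather than written into the server block itself. The upstream is reached over HTTPS, but nginx does not verify the upstream certificate unless told to, so the location should also set `proxy_ssl_server_name on;` and `proxy_ssl_verify on;` together with a `proxy_ssl_trusted_certificate` pointing at a CA bundle. The `proxy_pass_header User-Agent;`, `Origin` and `Referer` lines are ineffective and should be dropped: `proxy_pass_header` only re-enables response headers nginx hides by default, while these are request headers that are already forwarded. Unlike the sibling server blocks in this commit, this one sets no `ssl_protocols`/`ssl_ciphers`, so it inherits whatever the http-level defaults are — worth confirming the hardened values are set there.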


@ -1,107 +1,107 @@
# See /usr/share/postfix/main.cf.dist for a commented, more complete version # See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Server Information # Server Information
smtpd_banner = $myhostname Library of Code sp-us Staff Services | ESMTP (Debian/GNU) smtpd_banner = $myhostname Library of Code sp-us Staff Services | ESMTP (Debian/GNU)
myhostname = staff.libraryofcode.org myhostname = staff.libraryofcode.org
myorigin = /etc/mailname myorigin = /etc/mailname
mydestination = $myhostname, libraryofcode.org mydestination = $myhostname, libraryofcode.org
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 63.141.252.130 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 63.141.252.130
mail_name = Library of Code sp-us | Staff Services mail_name = Library of Code sp-us | Staff Services
# Relay Settings # Relay Settings
relayhost = relayhost =
relay_domains = lists.libraryofcode.org relay_domains = lists.libraryofcode.org
# MDA & Delivery # MDA & Delivery
append_dot_mydomain = no append_dot_mydomain = no
biff = no biff = no
mailbox_transport = lmtp:unix:private/dovecot-lmtp mailbox_transport = lmtp:unix:private/dovecot-lmtp
message_size_limit = 1073741824 message_size_limit = 1073741824
transport_maps = hash:/etc/postfix/transport transport_maps = hash:/etc/postfix/transport
mailbox_size_limit = 0 mailbox_size_limit = 0
recipient_delimiter = + recipient_delimiter = +
# Authentication # Authentication
smtpd_sasl_auth_enable = yes smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes broken_sasl_auth_clients = yes
# TLS parameters # TLS parameters
smtpd_tls_cert_file=/etc/postfix/ssl/globalsign.crt smtpd_tls_cert_file=/etc/postfix/ssl/globalsign.crt
smtpd_tls_key_file=/etc/postfix/ssl/globalsign.key.pem smtpd_tls_key_file=/etc/postfix/ssl/globalsign.key.pem
smtpd_use_tls=yes smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may smtp_tls_security_level = may
smtpd_tls_security_level = may smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/globalsign.ca.crt smtpd_tls_CAfile = /etc/postfix/ssl/globalsign.ca.crt
smtpd_tls_loglevel = 1 smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom tls_random_source = dev:/dev/urandom
# RESTRICTIONS # RESTRICTIONS
smtpd_relay_restrictions = smtpd_relay_restrictions =
permit_mynetworks, permit_mynetworks,
permit_sasl_authenticated, permit_sasl_authenticated,
defer_unauth_destination, defer_unauth_destination,
smtpd_helo_restrictions = smtpd_helo_restrictions =
permit_mynetworks, permit_mynetworks,
reject_non_fqdn_helo_hostname, reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname, reject_invalid_helo_hostname,
reject_unknown_helo_hostname, reject_unknown_helo_hostname,
permit, permit,
smtpd_sender_restrictions = smtpd_sender_restrictions =
reject_unknown_sender_domain, reject_unknown_sender_domain,
reject_unknown_reverse_client_hostname, reject_unknown_reverse_client_hostname,
reject_unknown_client_hostname, reject_unknown_client_hostname,
reject_sender_login_mismatch, reject_sender_login_mismatch,
permit_mynetworks, permit_mynetworks,
permit_sasl_authenticated, permit_sasl_authenticated,
permit, permit,
smtpd_recipient_restrictions = smtpd_recipient_restrictions =
reject_unauth_pipelining, reject_unauth_pipelining,
reject_non_fqdn_recipient, reject_non_fqdn_recipient,
reject_unknown_recipient_domain, reject_unknown_recipient_domain,
permit_mynetworks, permit_mynetworks,
check_policy_service inet:127.0.0.1:10023, check_policy_service inet:127.0.0.1:10023,
reject_rbl_client sbl.spamhaus.org, reject_rbl_client sbl.spamhaus.org,
reject_rbl_client xbl.spamhaus.org, reject_rbl_client xbl.spamhaus.org,
permit, permit,
# Local Aliases # Local Aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases alias_database = hash:/etc/aliases
# Virtual Alises # Virtual Alises
smtpd_sender_login_maps = hash:/etc/postfix/virtual-mailbox-users smtpd_sender_login_maps = hash:/etc/postfix/virtual-mailbox-users
virtual_alias_maps = hash:/etc/postfix/virtual virtual_alias_maps = hash:/etc/postfix/virtual
# Network Settings & Milters # Network Settings & Milters
inet_interfaces = all inet_interfaces = all
inet_protocols = all inet_protocols = all
milter_default_action = accept milter_default_action = accept
milter_protocol = 6 milter_protocol = 6
smtpd_milters = smtpd_milters =
## OpenDKIM ## OpenDKIM
inet:localhost:8891, inet:localhost:8891,
## OpenDMARC ## OpenDMARC
local:/opendmarc/opendmarc.sock, local:/opendmarc/opendmarc.sock,
## ClamAV ## ClamAV
#inet:localhost:8892 #inet:localhost:8892
non_smtpd_milters = $smtpd_milters non_smtpd_milters = $smtpd_milters
# Misc # Misc
readme_directory = no readme_directory = no
compatibility_level = 2 compatibility_level = 2
unknown_local_recipient_reject_code = 550 unknown_local_recipient_reject_code = 550
mailman_destination_recipient_limit = 1 mailman_destination_recipient_limit = 1


@ -1,30 +1,30 @@
#!/usr/bin/env python #!/usr/bin/env python
""" """
<one line to give the program's name and a brief idea of what it does.> <one line to give the program's name and a brief idea of what it does.>
Copyright (C) 2021 Library of Code sp-us, Department of Engineering Copyright (C) 2021 Library of Code sp-us, Department of Engineering
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or the Free Software Foundation, either version 3 of the License, or
(at your option) any later version. (at your option) any later version.
This program is distributed in the hope that it will be useful, This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details. GNU General Public License for more details.
You should have received a copy of the GNU General Public License You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. along with this program. If not, see <https://www.gnu.org/licenses/>.
""" """
import os import os
blocks = os.listdir("Nginx/Server Blocks") blocks = os.listdir("Nginx/Server Blocks")
old_blocks = os.listdir("/etc/nginx/sites-available") old_blocks = os.listdir("/etc/nginx/sites-available")
path = os.path.abspath("Nginx/Server Blocks") path = os.path.abspath("Nginx/Server Blocks")
for block in blocks: for block in blocks:
os.symlink("%s/%s" % (path, block), "/etc/nginx/sites-available/%s" % block) os.symlink("%s/%s" % (path, block), "/etc/nginx/sites-available/%s" % block)
for block in old_blocks: for block in old_blocks:
os.unlink("/etc/nginx/sites-available/%s" % block) os.unlink("/etc/nginx/sites-available/%s" % block)