diff --git a/Nginx/Server Blocks/beta.libraryofcode.org.conf b/Nginx/Server Blocks/beta.libraryofcode.org.conf
new file mode 100644
index 0000000..5d9990d
--- /dev/null
+++ b/Nginx/Server Blocks/beta.libraryofcode.org.conf
@@ -0,0 +1,42 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name beta.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://localhost:3000;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://localhost:3000 https://beta.libraryofcode.org;
+
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/commshop.libraryofcode.org.conf b/Nginx/Server Blocks/commshop.libraryofcode.org.conf
new file mode 100644
index 0000000..8e8586b
--- /dev/null
+++ b/Nginx/Server Blocks/commshop.libraryofcode.org.conf
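Review bot: `ssl_stapling_verify on;` is set without an `ssl_trusted_certificate` and without a `resolver`, so nginx can neither resolve the OCSP responder nor validate the response; stapling is then skipped with a warning in the error log rather than enforced. Either add `ssl_trusted_certificate /etc/nginx/ssl/<issuer-chain-placeholder>.crt;` together with a `resolver` line, or drop the verify directive so the configuration says what it does. The same pair appears unchanged in the commshop, crs.ins, data.ins, directory, docker and drive blocks in this commit. Separately, the gitlab block in default.libraryofcode.conf sends `Strict-Transport-Security` while this block and the other new server blocks do not; `add_header Strict-Transport-Security "max-age=31536000" always;` here would bring them in line.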
@@ -0,0 +1,44 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name commshop.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://localhost:7890;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://localhost:7890 https://commshop.libraryofcode.org;
+
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/crs.ins.conf b/Nginx/Server Blocks/crs.ins.conf
new file mode 100644
index 0000000..37e7499
--- /dev/null
+++ b/Nginx/Server Blocks/crs.ins.conf
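Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;` in `location /` sets a header on the request forwarded to the upstream, not on the response returned to the browser, so it gives no framing protection at all. The intended directive is `add_header X-Frame-Options SAMEORIGIN always;` in the same location (or at server level). The identical line appears in the data.ins, docker and drive server blocks in this commit. Keep in mind that `add_header` is inherited only when the current level declares none, so any later per-location `add_header` would have to repeat it.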
@@ -0,0 +1,42 @@
+server {
+ listen 10.8.0.1:443 ssl http2;
+ #listen [::]:443 ssl http2;
+ server_name cr.ins;
+
+ ssl_certificate /etc/nginx/ssl/cr-ins.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/cr-ins.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://10.8.0.1:3891;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://10.8.0.1:3891 https://cr.ins;
+
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/data.ins.conf b/Nginx/Server Blocks/data.ins.conf
new file mode 100644
index 0000000..fa3baff
--- /dev/null
+++ b/Nginx/Server Blocks/data.ins.conf
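Review bot: The IPv4 listen is pinned to `10.8.0.1:443` while the disabled IPv6 listen is left as a wildcard `[::]:443`, and nothing records that enabling that line as written would make `cr.ins` reachable on every IPv6 address of the host instead of only the VPN-side address. A comment above the listen lines such as `# bound to the VPN address only; if IPv6 is enabled later, pin it to the VPN address as well rather than [::]` would preserve that intent for the next editor. The same pattern appears in data.ins.conf; dns.libraryofcode.org.conf omits the IPv6 listen entirely.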
@@ -0,0 +1,44 @@
+server {
+ listen 10.8.0.1:443 ssl http2;
+ #listen [::]:443 ssl http2;
+ server_name data.ins;
+
+ ssl_certificate /etc/nginx/ssl/data-ins.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/data-ins.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://10.8.0.1:19999;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://10.8.0.1:19999 https://data.ins;
+
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/default.libraryofcode.conf b/Nginx/Server Blocks/default.libraryofcode.conf
new file mode 100644
index 0000000..d5ca385
--- /dev/null
+++ b/Nginx/Server Blocks/default.libraryofcode.conf
@@ -0,0 +1,728 @@ +server { + +listen 80; + +return 301 https://$host$request_uri; + +} +#server { +# listen 443 ssl http2 default_server; +# listen [::]:443 ssl http2 default_server; +# server_name _; +# ssl_protocols TLSv1.2; + #ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-R$ +# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; +# ssl_certificate /etc/nginx/ssl/org.chain.crt; +# ssl_certificate_key /etc/nginx/ssl/org.key.pem; + #include /etc/nginx/error/502; + #include /etc/nginx/error/504; + #include /etc/nginx/error/500; + #include /etc/nginx/error/404; + #return 404; +#} + +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name certificates.libraryofcode.us; + ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; + +ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; + +#ssl_session_cache builtin:1000 shared:SSL:10m; + +#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + +#ssl_prefer_server_ciphers on; +ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; + ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; + ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; + location / { + +proxy_set_header Host $host; + +proxy_set_header X-Real-IP $remote_addr; + +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +proxy_set_header X-Forwarded-Proto $scheme; + +proxy_pass https://localhost:8080/; + +proxy_read_timeout 90; + +proxy_redirect https://localhost:8080 https://certificates.libraryofcode.us; + + } +} + 
+server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name staff.libraryofcode.us; + ssl_certificate /etc/nginx/ssl/staff.chain.crt; + +ssl_certificate_key /etc/nginx/ssl/staff.key.pem; +#ssl_session_cache builtin:1000 shared:SSL:10m; +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; +ssl_prefer_server_ciphers on; +#ssl_session_cache builtin:1000 shared:SSL:10m; + +#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + +#ssl_prefer_server_ciphers on; + +#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE +# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; +# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; + ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; + location / { + +proxy_set_header Host $host; + +proxy_set_header X-Real-IP $remote_addr; + +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +proxy_set_header X-Forwarded-Proto $scheme; + +proxy_pass https://localhost:8082/; + +proxy_read_timeout 90; + +proxy_redirect https://localhost:8082 https://staff.libraryofcode.us; + + } +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name status.libraryofcode.us; + ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; + +ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; + +#ssl_session_cache builtin:1000 shared:SSL:10m; + +#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + +#ssl_prefer_server_ciphers on; + +ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; + ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; + ssl_dhparam 
/etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; + location / { + +proxy_set_header Host $host; + +proxy_set_header X-Real-IP $remote_addr; + +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +proxy_set_header X-Forwarded-Proto $scheme; + +proxy_pass http://localhost:8787; + +proxy_read_timeout 90; + +proxy_redirect http://localhost:8787 https://status.libraryofcode.us; + + } +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name www.securesign.org; + ssl_certificate /etc/nginx/ssl/digicert.chain.crt; + +ssl_certificate_key /etc/nginx/ssl/digicert.key.pem; + +#ssl_session_cache builtin:1000 shared:SSL:10m; + +#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + +#ssl_prefer_server_ciphers on; + +ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; + ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; + #ssl_ciphers EECDH+AESGCM:EDH+AESGCM; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_ecdh_curve secp384r1; + location / { + +proxy_set_header Host $host; + +proxy_set_header X-Real-IP $remote_addr; + +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +proxy_set_header X-Forwarded-Proto $scheme; + +proxy_pass https://localhost:8081/; + +proxy_read_timeout 90; + +proxy_redirect https://localhost:8081 https://www.securesign.org; + + } +} + +#server { +# listen 443 ssl; +# listen [::]:443 ssl; +# +# server_name test.securesign.org; +# ssl_certificate /etc/nginx/ssl/securesign-site.chain.crt; + +#ssl_certificate_key /etc/nginx/ssl/securesign-site.key.pem; + +#ssl_session_cache builtin:1000 shared:SSL:10m; + +#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + +#ssl_prefer_server_ciphers on; + +#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE 
+# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; +# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; +# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; +# location / { + +#proxy_set_header Host $host; + +#proxy_set_header X-Real-IP $remote_addr; + +#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +#proxy_set_header X-Forwarded-Proto $scheme; + +#proxy_pass https://localhost:8080/; + +#proxy_read_timeout 90; + +#proxy_redirect https://localhost:8080 https://test.securesign.org; + +# } +#} + +#server { +# listen 443 ssl; +# listen [::]:443 ssl; + +# server_name system.securesign.org; +# ssl_certificate /etc/nginx/ssl/ov.chain.crt; + +#ssl_certificate_key /etc/nginx/ssl/digicert.key.pem; + +#ssl_session_cache builtin:1000 shared:SSL:10m; + +#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + +#ssl_prefer_server_ciphers on; + +# location / { + +#proxy_set_header Host $host; + +#proxy_set_header X-Real-IP $remote_addr; + +#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +#proxy_set_header X-Forwarded-Proto $scheme; + +#proxy_pass http://sendgrid.net; + +#proxy_read_timeout 90; + +#proxy_redirect http://sendgrid.net https://system.securesign.org; + +# } +#} + +#server { +# listen 443 ssl; +# listen [::]:443 ssl; + +# server_name modmail.staff.libraryofcode.us; +# ssl_certificate /etc/nginx/ssl/modmail.chain.crt; + +#ssl_certificate_key /etc/nginx/ssl/modmail.key.pem; + +#ssl_session_cache builtin:1000 shared:SSL:10m; + +#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + +#ssl_prefer_server_ciphers on; + +#ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE +# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; + #ssl_ciphers 
ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; +# ssl_ciphers HIGH:!aNULL:!MD5; +# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; +# location / { + +#proxy_set_header Host $host; + +#proxy_set_header X-Real-IP $remote_addr; + +#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +#proxy_set_header X-Forwarded-Proto $scheme; + +#proxy_pass https://localhost:8001; + +#proxy_read_timeout 90; + +#proxy_redirect https://localhost:8001 https://modmail.staff.libraryofcode.us; + +# } +#} + +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name api.securesign.org; + ssl_certificate /etc/letsencrypt/live/api.securesign.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/api.securesign.org/privkey.pem; # managed by Certbot + +#ssl_session_cache builtin:1000 shared:SSL:10m; + +#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + +#ssl_prefer_server_ciphers on; + +ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; + ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; + ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; + location / { + +proxy_set_header Host $host; + +proxy_set_header X-Real-IP $remote_addr; + +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +proxy_set_header X-Forwarded-Proto $scheme; + +proxy_pass https://localhost:8055; + +proxy_read_timeout 90; + +proxy_redirect https://localhost:8055 https://api.securesign.org; + + } + +} + +#server { +# listen 443 ssl http2; +# listen [::]:443 ssl http2; + +# server_name support.libraryofcode.us; +# ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; + +#ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; 
+#ssl_session_cache builtin:1000 shared:SSL:10m; +#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; +#ssl_prefer_server_ciphers on; +#ssl_session_cache builtin:1000 shared:SSL:10m; + +#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + +#ssl_prefer_server_ciphers on; + +#ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE +# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; +# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; +# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; +# location / { + +#proxy_set_header Host $host; + +#proxy_set_header X-Real-IP $remote_addr; + +#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +#proxy_set_header X-Forwarded-Proto $scheme; + +#proxy_pass http://localhost:3000/; + +#proxy_read_timeout 90; + +#proxy_redirect http://localhost:3000 https://support.libraryofcode.us; + +# } +#} + + +upstream zammad-railsserver { + server 127.0.0.1:3001; +} + +upstream zammad-websocket { + server 127.0.0.1:6042; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + # replace 'localhost' with your fqdn if you want to use zammad from remote + server_name support.libraryofcode.us; + + root /opt/zammad/public; + + access_log /var/log/nginx/zammad.access.log; + error_log /var/log/nginx/zammad.error.log; + + client_max_body_size 50M; +ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; + +ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; +#ssl_session_cache builtin:1000 shared:SSL:10m; +ssl_protocols TLSv1.2; +ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; +ssl_prefer_server_ciphers on; +#ssl_session_cache builtin:1000 shared:SSL:10m; + +#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + 
+#ssl_prefer_server_ciphers on; + +ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE +# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; +# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; + ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1; + + location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) { + expires max; + } + + location /ws { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header CLIENT_IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 86400; + proxy_pass http://zammad-websocket; + } + + location / { + proxy_set_header Host $http_host; + proxy_set_header CLIENT_IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 300; + proxy_pass http://zammad-railsserver; + + gzip on; + gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml; + gzip_proxied any; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name vault.libraryofcode.org; + ssl_certificate /etc/nginx/ssl/org.chain.crt; + +ssl_certificate_key /etc/nginx/ssl/org.key.pem; + +#ssl_session_cache builtin:1000 shared:SSL:10m; +ssl_protocols TLSv1.2; + +ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + +ssl_prefer_server_ciphers on; + +#ssl_stapling on; +#ssl_stapling_verify on; + +#limit_req zone=one burst=5; + location / { + +proxy_set_header Host $host; + +proxy_set_header X-Real-IP $remote_addr; + +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +proxy_set_header X-Forwarded-Proto $scheme; + +proxy_pass http://localhost:8200; + +proxy_read_timeout 90; + +proxy_redirect 
http://localhost:8200 https://vault.libraryofcode.org; + + } +} + +upstream gitlab-workhorse { + server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0; +} + + +## HTTPS host +server { + listen 0.0.0.0:443 ssl http2; + listen [::]:443 ipv6only=on ssl http2; + server_name gitlab.libraryofcode.org; ## Replace this with something like gitlab.example.com + root /opt/gitlab/embedded/service/gitlab-rails/public; + + ## Strong SSL Security + ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ + ssl on; + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs + #ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_protocols TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 5m; + + ## See app/controllers/application_controller.rb for headers set + + ## [Optional] Enable HTTP Strict Transport Security + ## HSTS is a feature improving protection against MITM attacks + ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/ + add_header Strict-Transport-Security "max-age=31536000; preload"; + + ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. + ## Replace with your ssl_trusted_certificate. 
For more info see: + ## - https://medium.com/devops-programming/4445f4862461 + ## - https://www.ruby-forum.com/topic/4419319 + ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx + # ssl_stapling on; + # ssl_stapling_verify on; + # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; + # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired + # resolver_timeout 5s; + + ## [Optional] Generate a stronger DHE parameter: + ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 + ## + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_ecdh_curve secp384r1; + + ## Individual nginx logs for this GitLab vhost + access_log /var/log/nginx/gitlab_access.log; + error_log /var/log/nginx/gitlab_error.log; + + location / { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://gitlab-workhorse; + } +} + +#server { +# listen 443 ssl http2; +# listen [::]:443 ssl http2; + +# server_name libraryofcode.org; +# ssl_certificate /etc/nginx/ssl/org.chain.crt; + +#ssl_certificate_key /etc/nginx/ssl/org.key.pem; + +#ssl_session_cache builtin:1000 shared:SSL:10m; + +#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + +#ssl_prefer_server_ciphers on; +#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE +# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; + #ssl_ciphers 
ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; +# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; +# ssl_dhparam /etc/nginx/dhparam.pem; +# ssl_ecdh_curve secp384r1; +# location / { + +#proxy_set_header Host $host; + +#proxy_set_header X-Real-IP $remote_addr; + +#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +#proxy_set_header X-Forwarded-Proto $scheme; + +#proxy_pass http://localhost:4567; + +#proxy_read_timeout 90; + +#proxy_redirect https://www.libraryofcode.us/ https://libraryofcode.org; + +# } +#} + +#server { +# listen 443 ssl http2; +# listen [::]:443 ssl http2; + +# server_name www.libraryofcode.org; +# ssl_certificate /etc/nginx/ssl/org.chain.crt; + +#ssl_certificate_key /etc/nginx/ssl/org.key.pem; + +#ssl_session_cache builtin:1000 shared:SSL:10m; + +#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + +#ssl_prefer_server_ciphers on; +#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE +# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; + #ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; +# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; +# ssl_dhparam /etc/nginx/dhparam.pem; +# ssl_ecdh_curve secp384r1; +# location / { + +#proxy_set_header Host $host; + +#proxy_set_header X-Real-IP $remote_addr; + +#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +#proxy_set_header X-Forwarded-Proto 
$scheme; + +#proxy_pass http://localhost:4567; + +#proxy_read_timeout 90; + +#proxy_redirect http://localhost:4567 https://www.libraryofcode.org; + +# } +#} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name ecm.libraryofcode.us; + ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; + +ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; + +#ssl_session_cache builtin:1000 shared:SSL:10m; + +#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + +#ssl_prefer_server_ciphers on; +ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; + ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_ecdh_curve secp384r1; + location / { + +proxy_set_header Host $host; + +proxy_set_header X-Real-IP $remote_addr; + +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +proxy_set_header X-Forwarded-Proto $scheme; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection "upgrade"; + +proxy_pass https://localhost:7150; + +proxy_read_timeout 90; + +proxy_redirect https://localhost:7150 https://ecm.libraryofcode.us; + + } +} + +#server { +# listen 443 ssl http2; +# listen [::]:443 ssl http2; + +# server_name directory.libraryofcode.us; +# ssl_certificate /etc/nginx/ssl/globalsign.chain.crt; + +#ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem; +#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE +#ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m; +#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; +#ssl_dhparam /etc/nginx/dhparam.pem; +#ssl_ecdh_curve secp384r1; + +#location /lam { +# index index.html; +# alias /usr/share/ldap-account-manager; +# 
autoindex off;
+#
+# location ~ \.php$ {
+# fastcgi_split_path_info ^(.+\.php)(/.+)$;
+# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
+# fastcgi_index index.php;
+# include fastcgi_params;
+# }
+#
+# location ~ /lam/(tmp/internal|sess|config|lib|help|locale) {
+# deny all;
+# return 403;
+# }
+#
+#}
+#}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/directory.libraryofcode.org.conf b/Nginx/Server Blocks/directory.libraryofcode.org.conf
new file mode 100644
index 0000000..1ce9d25
--- /dev/null
+++ b/Nginx/Server Blocks/directory.libraryofcode.org.conf
@@ -0,0 +1,21 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name directory.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ root /var/www/int;
+ index index.html;
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/dns.libraryofcode.org.conf b/Nginx/Server Blocks/dns.libraryofcode.org.conf
new file mode 100644
index 0000000..15248b5
--- /dev/null
+++ b/Nginx/Server Blocks/dns.libraryofcode.org.conf
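Review bot: In default.libraryofcode.conf the `staff.libraryofcode.us` block sets `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` with the generic `HIGH:!aNULL:…` list, and the certificates, status, api and ecm blocks set `ssl_protocols TLSv1.1 TLSv1.2;`, while every other server block in this commit is TLSv1.2-only; unless a known client still needs the older protocols, `ssl_protocols TLSv1.2;` in those five blocks would match the rest. The `ssl_ciphers` list those blocks share begins with `ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512`, which as far as I know are not OpenSSL cipher names; OpenSSL drops unrecognised names silently, so the effective list is only the remaining three suites and is worth confirming with `openssl ciphers -v`. The gitlab block's `add_header Strict-Transport-Security "max-age=31536000; preload";` carries `preload` without `includeSubDomains`, which the preload list requires, and its `ssl on;` duplicates the `ssl` parameter already on both `listen` lines.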
@@ -0,0 +1,52 @@
+server {
+ listen 10.8.0.1:443 ssl http2;
+ server_name dns.ins;
+
+ ssl_certificate /etc/nginx/ssl/dns.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/dns.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ index index.html index.htm index.php;
+ root /opt/powerdns-admin;
+ access_log /var/log/nginx/powerdns-admin.local.access.log combined;
+ error_log /var/log/nginx/powerdns-admin.local.error.log;
+
+ client_max_body_size 10m;
+ client_body_buffer_size 128k;
+ proxy_redirect off;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 90;
+ proxy_read_timeout 90;
+ proxy_buffers 32 4k;
+ proxy_buffer_size 8k;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_headers_hash_bucket_size 64;
+
+ location ~ ^/static/ {
+ include /etc/nginx/mime.types;
+ root /opt/powerdns-admin/powerdnsadmin;
+
+ location ~* \.(jpg|jpeg|png|gif)$ {
+ expires 365d;
+ }
+
+ location ~* ^.+.(css|js)$ {
+ expires 7d;
+ }
+ }
+
+ location / {
+ proxy_pass http://unix:/run/powerdns-admin/socket;
+ proxy_read_timeout 120;
+ proxy_connect_timeout 120;
+ proxy_redirect off;
+ }
+
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/docker.libraryofcode.org.conf b/Nginx/Server Blocks/docker.libraryofcode.org.conf
new file mode 100644
index 0000000..db79b9b
--- /dev/null
+++ b/Nginx/Server Blocks/docker.libraryofcode.org.conf
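Review bot: This block forwards `Host`, `X-Real-IP` and `X-Forwarded-For` but, unlike every other proxying block in this commit, no `X-Forwarded-Proto`, so the application behind the socket has no signal that the request arrived over TLS when it builds absolute URLs or secure cookies; add `proxy_set_header X-Forwarded-Proto $scheme;` alongside the other server-level `proxy_set_header` lines. Also, `root /opt/powerdns-admin;` and `index index.html index.htm index.php;` are declared at server level although everything outside `/static/` is proxied, so a short comment such as `# server-level root/index only matter for locations that fall through; all dynamic requests go to the socket` would stop the next reader from looking for a missing PHP handler.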
@@ -0,0 +1,44 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name docker.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ client_max_body_size 1G;
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://localhost:5000;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://localhost:5000 https://docker.libraryofcode.org;
+
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/drive.libraryofcode.org.conf b/Nginx/Server Blocks/drive.libraryofcode.org.conf
new file mode 100644
index 0000000..90585bb
--- /dev/null
+++ b/Nginx/Server Blocks/drive.libraryofcode.org.conf
@@ -0,0 +1,44 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name drive.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ client_max_body_size 1G;
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://localhost:6123;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://localhost:6123 https://drive.libraryofcode.org;
+
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/drive.old.1.libraryofcode.org.conf b/Nginx/Server Blocks/drive.old.1.libraryofcode.org.conf
new file mode 100644
index 0000000..a151acc
--- /dev/null
+++ b/Nginx/Server Blocks/drive.old.1.libraryofcode.org.conf
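Review bot: the response security headers that the retired Nextcloud blocks set at server level (`Referrer-Policy`, `X-Content-Type-Options`, `X-Frame-Options`, `X-Permitted-Cross-Domain-Policies`, `X-Robots-Tag`) are absent from this replacement proxy block, so they now reach clients only if the upstream on port 6123 emits them itself — worth confirming with a response capture. If it does not, add them here with `add_header ... always;` as the old block did; the `proxy_set_header X-Frame-Options SAMEORIGIN;` line does not cover this because it only affects the request sent upstream.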
@@ -0,0 +1,114 @@ +upstream php-handler { + #server 127.0.0.1:9000; + server unix:/var/run/php/php7.2-fpm.sock; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name drive.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_protocols TLSv1.2; + + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_prefer_server_ciphers on; + fastcgi_read_timeout 300; + proxy_read_timeout 300; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + root /var/www/nextcloud; + + index index.php index.html /index.php$request_uri; + + # Default Cache-Control policy + expires 1m; + + # Rule borrowed from `.htaccess` to handle Microsoft DAV clients + location = / { + if ( $http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/$is_args$args; + } + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # Make a regex exception for `/.well-known` so that clients can still + # access it despite the existence of the regex rule + # `location ~ /(\.|autotest|...)` which would otherwise handle requests + # for `/.well-known`. 
+ location ^~ /.well-known { + # The following 6 rules are borrowed from `.htaccess` + + rewrite ^/\.well-known/host-meta\.json /public.php?service=host-meta-json last; + rewrite ^/\.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/\.well-known/webfinger /public.php?service=webfinger last; + rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last; + + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + + try_files $uri $uri/ =404; + } + + # Rules borrowed from `.htaccess` to hide certain paths from clients + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + + # Ensure this block, which passes PHP files to the PHP process, is above the blocks + # which handle static assets (as seen below). If this block is not declared first, + # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` + # to the URI, resulting in a HTTP 500 error response. 
+ location ~ \.php(?:$|/) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + set $path_info $fastcgi_path_info; + + try_files $fastcgi_script_name =404; + + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + fastcgi_param HTTPS on; + + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + fastcgi_param front_controller_active true; # Enable pretty urls + fastcgi_pass php-handler; + + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ \.(?:css|js|svg|gif)$ { + try_files $uri /index.php$request_uri; + expires 6M; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + location ~ \.woff2?$ { + try_files $uri /index.php$request_uri; + expires 7d; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + location / { + try_files $uri $uri/ /index.php$request_uri; + } +} \ No newline at end of file diff --git a/Nginx/Server Blocks/drive.old.libraryofcode.org.conf b/Nginx/Server Blocks/drive.old.libraryofcode.org.conf new file mode 100644 index 0000000..73be463 --- /dev/null +++ b/Nginx/Server Blocks/drive.old.libraryofcode.org.conf 
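Review bot: this block declares `server_name drive.libraryofcode.org;` on `listen 443`, the same name and port as the new drive.libraryofcode.org.conf (L19) and as the inbox.old.libraryofcode.org.conf hunk (L33–L35), whose content is byte-identical to this one (same blob index a151acc). If nginx includes all three files, it logs a conflicting server name warning and routes drive.* to whichever block loads first, which could silently serve this PHP configuration instead of the proxy. Move the `.old` files out of the include path (for example with a suffix the include glob does not match) or change their `server_name` to something that cannot match; the inbox.old copy presumably was meant to carry `server_name inbox.libraryofcode.org;` and should be corrected as well.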
@@ -0,0 +1,140 @@ +upstream php-handler { + #server 127.0.0.1:9000; + server unix:/var/run/php/php7.2-fpm.sock; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name drive.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_protocols TLSv1.2; + + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_prefer_server_ciphers on; + fastcgi_read_timeout 300; + proxy_read_timeout 300; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + root /var/www/nextcloud; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. + #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + + # The following rule is only needed for the Social app. + # Uncomment it if you're planning to use this app. 
+ #rewrite ^/.well-known/webfinger /public.php?service=webfinger last; + + location = /.well-known/carddav { + return 301 $scheme://$host:$server_port/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host:$server_port/remote.php/dav; + } + + # set max upload size + client_max_body_size 512M; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. 
+ #pagespeed off; + + location / { + rewrite ^ /index.php; + } + + location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { + deny all; + } + location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { + fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; + set $path_info $fastcgi_path_info; + try_files $fastcgi_script_name =404; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + fastcgi_param HTTPS on; + # Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + # Enable pretty urls + fastcgi_param front_controller_active true; + fastcgi_pass php-handler; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { + try_files $uri/ =404; + index index.php; + } + + # Adding the cache control header for js, css and map files + # Make sure it is BELOW the PHP block + location ~ \.(?:css|js|woff2?|svg|gif|map)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + # Add headers to serve security related headers (It is intended to + # have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read into + # this topic first. + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. 
+ add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Optional: Don't log access to assets + access_log off; + } + + location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ { + try_files $uri /index.php$request_uri; + # Optional: Don't log access to other assets + access_log off; + } +} \ No newline at end of file diff --git a/Nginx/Server Blocks/eds.libraryofcode.org.conf b/Nginx/Server Blocks/eds.libraryofcode.org.conf new file mode 100644 index 0000000..c174ac3 --- /dev/null +++ b/Nginx/Server Blocks/eds.libraryofcode.org.conf 
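Review bot: `Strict-Transport-Security` stays commented out here and is not set in any other server block in this commit, and none of the visible blocks listens on port 80, so a first visit over plain HTTP is neither redirected nor protected against downgrade. Once a port-80 redirect exists and every subdomain is HTTPS-only, add `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;` at server level, leaving out `preload` until the hstspreload.org consequences described in the existing comment have been reviewed. The re-declaration of the server-level headers inside this asset location is correct, since an `add_header` in a location replaces the inherited set.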
@@ -0,0 +1,44 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name eds.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://localhost:7101;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://localhost:7101 https://eds.libraryofcode.org;
+
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/edu.libraryofcode.org.conf b/Nginx/Server Blocks/edu.libraryofcode.org.conf
new file mode 100644
index 0000000..cc5c3d8
--- /dev/null
+++ b/Nginx/Server Blocks/edu.libraryofcode.org.conf
@@ -0,0 +1,32 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name edu.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ root /opt/canvas/public;
+ charset utf-8;
+ include mime.types;
+ client_max_body_size 5000M;
+ default_type application/octet-stream;
+ access_log /var/log/nginx/canvas.access.log;
+ error_log /var/log/nginx/canvas.error.log;
+ passenger_ruby /usr/local/bin/ruby2.4;
+ passenger_load_shell_envvars off;
+ #passenger_log_level 4;
+ passenger_start_timeout 300;
+ passenger_enabled on;
+ rails_env production;
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/firewall.ins.conf b/Nginx/Server Blocks/firewall.ins.conf
new file mode 100644
index 0000000..55f85ea
--- /dev/null
+++ b/Nginx/Server Blocks/firewall.ins.conf
@@ -0,0 +1,44 @@
+server {
+ listen 10.8.0.1:443 ssl http2;
+ #listen [::]:443 ssl http2;
+ server_name firewall.ins;
+
+ ssl_certificate /etc/nginx/ssl/firewall-ins.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/firewall-ins.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://192.168.56.1:80;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://192.168.56.1:80 https://firewall.ins;
+
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/forms.libraryofcode.org.conf b/Nginx/Server Blocks/forms.libraryofcode.org.conf
new file mode 100644
index 0000000..debf91d
--- /dev/null
+++ b/Nginx/Server Blocks/forms.libraryofcode.org.conf
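Review bot: the upstream hop is cleartext, `proxy_pass http://192.168.56.1:80;`, so the firewall UI's login credentials cross that segment unencrypted; that is acceptable only if 192.168.56.1 is reachable solely over an isolated link, which the config cannot show — confirm, and prefer the firewall's HTTPS listener with `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate` if it has one. `proxy_redirect http://192.168.56.1:80 https://firewall.ins;` only rewrites that exact prefix, so a Location header of the form `http://192.168.56.1/...` (no explicit port) would pass through unrewritten; `proxy_redirect http://192.168.56.1/ https://firewall.ins/;` covers both forms, though with `Host $host` forwarded the UI may already redirect to firewall.ins.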
@@ -0,0 +1,18 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name forms.libraryofcode.org;
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_dhparam /etc/nginx/dhparam.pem;
+ ssl_ecdh_curve secp384r1;
+
+ root /var/www/forms;
+ rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;
+ try_files $uri.html $uri/ $uri =404;
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/gocrypt.libraryofcode.org.conf b/Nginx/Server Blocks/gocrypt.libraryofcode.org.conf
new file mode 100644
index 0000000..003b455
--- /dev/null
+++ b/Nginx/Server Blocks/gocrypt.libraryofcode.org.conf
@@ -0,0 +1,29 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name gocrypt.libraryofcode.org;
+
+ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ssl_session_cache builtin:1000 shared:SSL:10m;
+#include /etc/nginx/error/502;
+#include /etc/nginx/error/504;
+#include /etc/nginx/error/500;
+ssl_protocols TLSv1.2;
+
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ssl_prefer_server_ciphers on;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+
+#limit_req zone=one burst=5;
+root /var/www/gocryptdoc;
+index index.html;
+ location / {
+ try_files $uri $uri/index.html =404;
+
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/hrm.libraryofcode.org.conf b/Nginx/Server Blocks/hrm.libraryofcode.org.conf
new file mode 100644
index 0000000..0cb3788
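Review bot: `ssl_protocols TLSv1.1 TLSv1.2;` leaves TLS 1.1 enabled on forms.*, whereas every other hunk in this commit restricts itself to `TLSv1.2` and TLS 1.1 is deprecated (RFC 8996); change it to `ssl_protocols TLSv1.2;` unless a specific client is known to need 1.1. The certificates.* and status.* blocks in the libraryofcode.org.conf hunk (L38–L39) carry the same `TLSv1.1 TLSv1.2` setting. Also, in `rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;` the `(\?.*)?` group can never match because rewrite patterns run against the URI without its query string, and nginx appends the arguments to the replacement automatically, so `rewrite ^(/.*)\.html$ $1 permanent;` is equivalent and clearer.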
--- /dev/null
+++ b/Nginx/Server Blocks/hrm.libraryofcode.org.conf
@@ -0,0 +1,44 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name hrm.libraryofcode.org;
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+ ssl_protocols TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ # ssl_dhparam /etc/nginx/dhparam.pem;
+ ssl_ecdh_curve secp384r1;
+ #root /var/www/orangehrm;
+ #index index.php index.html index.htm;
+ #client_max_body_size 100M;
+ #proxy_connect_timeout 1800s;
+ #proxy_send_timeout 1800s;
+ #proxy_read_timeout 1800s;
+ #fastcgi_send_timeout 1800s;
+ #fastcgi_read_timeout 1800s;
+ location / {
+ #try_files $uri $uri/ /index.php?$uri&$args;
+ proxy_set_header Host $host;
+
+proxy_set_header X-Real-IP $remote_addr;
+
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+proxy_set_header X-Forwarded-Proto $scheme;
+
+proxy_pass http://localhost:6969;
+
+proxy_read_timeout 90;
+
+proxy_redirect http://localhost:6969 https://hrm.libraryofcode.org;
+ }
+
+ #location ~ \.php$ {
+ # include snippets/fastcgi-php.conf;
+ # fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
+ # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ # include fastcgi_params;
+ #}
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/inbox.old.1.roundcube.libraryofcode.org.conf b/Nginx/Server Blocks/inbox.old.1.roundcube.libraryofcode.org.conf
new file mode 100644
index 0000000..b1b20f7
--- /dev/null
+++ b/Nginx/Server Blocks/inbox.old.1.roundcube.libraryofcode.org.conf
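Review bot: the cipher list ends with `DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384` but `# ssl_dhparam /etc/nginx/dhparam.pem;` is commented out; per the nginx documentation no DH parameters are set by default and DHE suites are then simply not offered, so either restore `ssl_dhparam /etc/nginx/dhparam.pem;` as the forms block does, or drop the two DHE entries so the configured list matches what is actually negotiable. Most other blocks in this commit list the same DHE suites with no `ssl_dhparam` at all, so the same applies there. The commented-out OrangeHRM/PHP-FPM section (root, index, timeouts and the `location ~ \.php$` block) is dead configuration that makes the live proxy block harder to audit; since it remains in git history, consider removing it.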
@@ -0,0 +1,44 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name inbox.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://localhost:4061;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://localhost:4061 https://inbox.libraryofcode.org;
+
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/inbox.old.libraryofcode.org.conf b/Nginx/Server Blocks/inbox.old.libraryofcode.org.conf
new file mode 100644
index 0000000..a151acc
--- /dev/null
+++ b/Nginx/Server Blocks/inbox.old.libraryofcode.org.conf
@@ -0,0 +1,114 @@ +upstream php-handler { + #server 127.0.0.1:9000; + server unix:/var/run/php/php7.2-fpm.sock; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name drive.libraryofcode.org; + + ssl_certificate /etc/nginx/ssl/org.chain.crt; + ssl_certificate_key /etc/nginx/ssl/org.key.pem; + + ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_protocols TLSv1.2; + + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_prefer_server_ciphers on; + fastcgi_read_timeout 300; + proxy_read_timeout 300; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + root /var/www/nextcloud; + + index index.php index.html /index.php$request_uri; + + # Default Cache-Control policy + expires 1m; + + # Rule borrowed from `.htaccess` to handle Microsoft DAV clients + location = / { + if ( $http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/$is_args$args; + } + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # Make a regex exception for `/.well-known` so that clients can still + # access it despite the existence of the regex rule + # `location ~ /(\.|autotest|...)` which would otherwise handle requests + # for `/.well-known`. 
+ location ^~ /.well-known { + # The following 6 rules are borrowed from `.htaccess` + + rewrite ^/\.well-known/host-meta\.json /public.php?service=host-meta-json last; + rewrite ^/\.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/\.well-known/webfinger /public.php?service=webfinger last; + rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last; + + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + + try_files $uri $uri/ =404; + } + + # Rules borrowed from `.htaccess` to hide certain paths from clients + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + + # Ensure this block, which passes PHP files to the PHP process, is above the blocks + # which handle static assets (as seen below). If this block is not declared first, + # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` + # to the URI, resulting in a HTTP 500 error response. 
+ location ~ \.php(?:$|/) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + set $path_info $fastcgi_path_info; + + try_files $fastcgi_script_name =404; + + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + fastcgi_param HTTPS on; + + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + fastcgi_param front_controller_active true; # Enable pretty urls + fastcgi_pass php-handler; + + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ \.(?:css|js|svg|gif)$ { + try_files $uri /index.php$request_uri; + expires 6M; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + location ~ \.woff2?$ { + try_files $uri /index.php$request_uri; + expires 7d; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + location / { + try_files $uri $uri/ /index.php$request_uri; + } +} \ No newline at end of file diff --git a/Nginx/Server Blocks/ins-test.libraryofcode.org.conf b/Nginx/Server Blocks/ins-test.libraryofcode.org.conf new file mode 100644 index 0000000..23e76b1 --- /dev/null +++ b/Nginx/Server Blocks/ins-test.libraryofcode.org.conf 
@@ -0,0 +1,30 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name ins-test.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/ins-test.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/ins-test.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #ssl_protocols TLSv1.2;
+
+ #ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify off;
+
+ root /var/www/content;
+ location / {
+ autoindex on;
+ }
+ location /sec {
+ autoindex on;
+ auth_basic "Secure Area";
+ auth_basic_user_file /etc/nginx/htpasswd;
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/keys.libraryofcode.org.conf b/Nginx/Server Blocks/keys.libraryofcode.org.conf
new file mode 100644
index 0000000..256e4c5
--- /dev/null
+++ b/Nginx/Server Blocks/keys.libraryofcode.org.conf
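Review bot: `ssl_stapling_verify off;` disables validation of the OCSP response nginx staples, so a bad or stale response from the responder is passed to clients as-is; every other block in the commit uses `on`. If it was turned off because the ins-test certificate chains to a private CA, the fix is `ssl_trusted_certificate` pointing at that CA chain together with `ssl_stapling_verify on;`, or dropping stapling for this host, rather than skipping verification. Separately, `location /sec` is a prefix match and so also covers `/sec…` siblings; `location /sec/` expresses the intended directory more precisely, and `autoindex on;` under `location /` publishes a full listing of /var/www/content on a public 443 listener — confirm that is intended.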
@@ -0,0 +1,23 @@
+server {
+ listen 10.8.0.1:443 ssl http2;
+ #listen [::]:443 ssl http2;
+ server_name keys.ins;
+
+ ssl_certificate /etc/nginx/ssl/keys-ins.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/keys-ins.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ root /var/www/keys;
+ location / {
+ autoindex on;
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/libraryofcode.org.conf b/Nginx/Server Blocks/libraryofcode.org.conf
new file mode 100644
index 0000000..f33cb6d
--- /dev/null
+++ b/Nginx/Server Blocks/libraryofcode.org.conf
@@ -0,0 +1,507 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name certificates.libraryofcode.org;
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+
+ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+#ssl_session_cache builtin:1000 shared:SSL:10m;
+
+#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+
+#ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1;
+ location / {
+
+proxy_set_header Host $host;
+
+proxy_set_header X-Real-IP $remote_addr;
+
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+proxy_set_header X-Forwarded-Proto $scheme;
+
+proxy_pass https://localhost:8080/;
+
+proxy_read_timeout 90;
+
+proxy_redirect https://localhost:8080 https://certificates.libraryofcode.org;
+
+ }
+}
+
+#server {
+# listen 443 ssl;
+# listen [::]:443 ssl;
+
+# server_name staff.libraryofcode.org;
+
+# ssl_certificate /etc/nginx/ssl/staff.chain.crt;
+
+#ssl_certificate_key /etc/nginx/ssl/staff.key.pem;
+#ssl_session_cache builtin:1000 shared:SSL:10m;
+#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+#ssl_prefer_server_ciphers on;
+#ssl_session_cache builtin:1000 shared:SSL:10m;
+
+#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+
+#ssl_prefer_server_ciphers on;
+
+#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
+# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1;
+# location / {
+
+#proxy_set_header Host $host;
+
+#proxy_set_header X-Real-IP $remote_addr;
+
+#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+#proxy_set_header X-Forwarded-Proto $scheme;
+
+#proxy_pass https://localhost:8082/;
+
+#proxy_read_timeout 90;
+
+#proxy_redirect https://localhost:8082 https://staff.libraryofcode.org;
+
+# }
+#}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name status.libraryofcode.org;
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+
+ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+#ssl_session_cache builtin:1000 shared:SSL:10m;
+
+#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+
+#ssl_prefer_server_ciphers on;
+
+ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1;
+ location / {
+
+proxy_set_header Host $host;
+
+proxy_set_header X-Real-IP $remote_addr;
+
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+proxy_set_header X-Forwarded-Proto $scheme;
+
+proxy_pass http://localhost:8787;
+
+proxy_read_timeout 90;
+
+proxy_redirect http://localhost:8787 https://status.libraryofcode.org;
+
+ }
+}
+
+
+#server {
+ # listen 443 ssl;
+ # listen [::]:443 ssl;
+
+ # server_name modmail.libraryofcode.org;
+ # ssl_certificate /etc/nginx/ssl/org.chain.crt;
+
+#ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+#ssl_session_cache builtin:1000 shared:SSL:10m;
+
+#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+
+#ssl_prefer_server_ciphers on;
+
+#ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
+# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
+ #ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1;
+# location / {
+
+#proxy_set_header Host $host;
+
+#proxy_set_header X-Real-IP $remote_addr;
+
+#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+#proxy_set_header X-Forwarded-Proto $scheme;
+
+#proxy_pass http://localhost:8001;
+
+#proxy_read_timeout 90;
+
+#proxy_redirect http://localhost:8001 https://modmail.libraryofcode.org;
+
+# }
+#}
+
+#upstream zammad-railsserver {
+# server 127.0.0.1:3001;
+#}
+
+#upstream zammad-websocket {
+# server 127.0.0.1:6042;
+#}
+
+#server {
+# listen 443 ssl http2;
+# listen [::]:443 ssl http2;
+#
+ # # replace 'localhost' with your fqdn if you want to use zammad from remote
+ # server_name support.libraryofcode.org;
+#
+ # root /opt/zammad/public;
+
+ # access_log /var/log/nginx/zammad.access.log;
+ # error_log /var/log/nginx/zammad.error.log;
+
+ #client_max_body_size 50M;
+#ssl_certificate /etc/nginx/ssl/org.chain.crt;
+
+#ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+#ssl_session_cache builtin:1000 shared:SSL:10m;
+#ssl_protocols TLSv1.2;
+#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+#ssl_prefer_server_ciphers on;
+#ssl_session_cache builtin:1000 shared:SSL:10m;
+
+#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+
+#ssl_prefer_server_ciphers on;
+
+#ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
+# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
+# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+# ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1;
+
+ # location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
+ # expires max;
+ # }
+
+ #location /ws {
+ # proxy_http_version 1.1;
+ # proxy_set_header Upgrade $http_upgrade;
+ # proxy_set_header Connection "Upgrade";
+ # proxy_set_header CLIENT_IP $remote_addr;
+ #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ #proxy_set_header X-Forwarded-Proto $scheme;
+ #proxy_read_timeout 86400;
+ #proxy_pass http://zammad-websocket;
+ #}
+
+ #location / {
+ # proxy_set_header Host $http_host;
+ # proxy_set_header CLIENT_IP $remote_addr;
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ #proxy_set_header X-Forwarded-Proto $scheme;
+ #proxy_read_timeout 300;
+ #proxy_pass http://zammad-railsserver;
+
+ #gzip on;
+ #gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
+ #gzip_proxied any;
+ #}
+#}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name vault.staff.libraryofcode.org;
+ ssl_certificate /etc/nginx/ssl/vault.chain.crt;
+
+ssl_certificate_key /etc/nginx/ssl/vault.key.pem;
+
+ssl_session_cache builtin:1000 shared:SSL:10m;
+ssl_protocols TLSv1.2;
+
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ssl_prefer_server_ciphers on;
+
+ location / {
+
+proxy_set_header Host $host;
+
+proxy_set_header X-Real-IP $remote_addr;
+
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+proxy_set_header X-Forwarded-Proto $scheme;
+
+proxy_pass http://localhost:8200;
+
+proxy_read_timeout 90;
+
+proxy_redirect http://localhost:8200 https://vault.staff.libraryofcode.org;
+
+ }
+}
+
+#upstream gitlab-workhorse {
+# server unix:/var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0;
+#}
+
+
+## HTTPS host
+server {
+ listen 0.0.0.0:443 ssl http2;
+ server_name gitlab.libraryofcode.us; ## Replace this with something like gitlab.example.com
+ root /opt/gitlab/embedded/service/gitlab-rails/public;
+
+ ## Strong SSL Security
+ ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+ ssl on;
+ ssl_certificate /etc/nginx/ssl/globalsign.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem;
+
+ # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_protocols TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 5m;
+
+ ## See app/controllers/application_controller.rb for headers set
+
+ ## [Optional] Enable HTTP Strict Transport Security
+ ## HSTS is a feature improving protection against MITM attacks
+ ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
+ add_header Strict-Transport-Security "max-age=31536000; preload";
+
+ ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
+ ## Replace with your ssl_trusted_certificate. For more info see:
+ ## - https://medium.com/devops-programming/4445f4862461
+ ## - https://www.ruby-forum.com/topic/4419319
+ ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
+ # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
+ # resolver_timeout 5s;
+
+ ## [Optional] Generate a stronger DHE parameter:
+ ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
+ ##
+ ssl_dhparam /etc/nginx/dhparam.pem;
+ ssl_ecdh_curve secp384r1;
+
+ ## Individual nginx logs for this GitLab vhost
+ access_log /var/log/nginx/gitlab_access.log;
+ error_log /var/log/nginx/gitlab_error.log;
+
+ location / {
+ client_max_body_size 0;
+ gzip off;
+
+ ## https://github.com/gitlabhq/gitlabhq/issues/694
+ ## Some requests take more than 30 seconds.
+ proxy_read_timeout 300;
+ proxy_connect_timeout 300;
+ proxy_redirect off;
+
+ proxy_http_version 1.1;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://gitlab-workhorse;
+ }
+}
+
+server {
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
+
+ server_name www.libraryofcode.org;
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+#if ($request_filename ~ /*){
+# rewrite ^/$ https://loc.sh/discord redirect;
+#}
+ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+#ssl_session_cache builtin:1000 shared:SSL:10m;
+
+#ssl_protocols TLSv1.1 TLSv1.2;
+
+#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+
+#ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_dhparam /etc/nginx/dhparam.pem;
+ ssl_ecdh_curve secp384r1;
+# location / {
+
+#proxy_set_header Host $host;
+
+#proxy_set_header X-Real-IP $remote_addr;
+
+#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+#proxy_set_header X-Forwarded-Proto $scheme;
+
+#proxy_pass http://localhost:4567;
+
+#proxy_read_timeout 90;
+
+#proxy_redirect http://localhost:4567 https://www.libraryofcode.org;
+
+# }
+root /var/www/wordpress;
+index index.php;
+
+location ~ \.php$ {
+include snippets/fastcgi-php.conf;
+fastcgi_pass unix:/run/php/php7.2-fpm.sock;
+}
+location / {
+try_files $uri $uri/ /index.php?$args;
+}
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name ecm.libraryofcode.org;
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+
+ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+#ssl_session_cache builtin:1000 shared:SSL:10m;
+
+#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+
+#ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_dhparam /etc/nginx/dhparam.pem;
+ ssl_ecdh_curve secp384r1;
+ location / {
+
+proxy_set_header Host $host;
+
+proxy_set_header X-Real-IP $remote_addr;
+
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+
+proxy_pass https://localhost:7150;
+
+proxy_read_timeout 90;
+
+proxy_redirect https://localhost:7150 https://ecm.libraryofcode.org;
+
+ }
+}
+
+
+#server {
+# listen 443 ssl http2;
+# listen [::]:443 ssl http2;
+
+# server_name ldap.libraryofcode.org;
+# ssl_certificate /etc/nginx/ssl/org.chain.crt;
+
+#ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+#ssl_session_cache builtin:1000 shared:SSL:10m;
+
+#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+
+#ssl_prefer_server_ciphers on;
+#ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
+#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+# ssl_dhparam /etc/nginx/dhparam.pem;
+# ssl_ecdh_curve secp384r1;
+#include /etc/ldap-account-manager/nginx.conf;
+ # location / {
+
+#proxy_set_header Host $host;
+
+#proxy_set_header X-Real-IP $remote_addr;
+
+#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+#proxy_set_header X-Forwarded-Proto $scheme;
+#proxy_set_header Upgrade $http_upgrade;
+#proxy_set_header Connection "upgrade";
+
+#proxy_pass https://localhost:7150;
+
+#proxy_read_timeout 90;
+
+#proxy_redirect https://localhost:7150 https://ecm.libraryofcode.org;
+
+ #}
+#}
+
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name keys.libraryofcode.org;
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ root /var/www/html/sks;
+ error_page 404 /404.html;
+
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+ ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_dhparam /etc/nginx/dhparam.pem;
+ ssl_ecdh_curve secp384r1;
+ location ~ (.git|LICENSE|readme.md) {
+ deny all;
+ return 404;
+ }
+
+ location /pks {
+ proxy_pass http://127.0.0.1:11371;
+ proxy_pass_header Server;
+ }
+
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/lists.libraryofcode.org.conf b/Nginx/Server Blocks/lists.libraryofcode.org.conf
new file mode 100644
index 0000000..528b785
--- /dev/null
+++ b/Nginx/Server Blocks/lists.libraryofcode.org.conf
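Review bot: `proxy_pass http://gitlab-workhorse;` in the gitlab.libraryofcode.us block refers to an upstream whose only definition in this file is commented out (`#upstream gitlab-workhorse {` a few lines above), so unless it is declared in another included file nginx will try to resolve `gitlab-workhorse` as a hostname at load time and refuse the configuration with a host-not-found error. In the keys.libraryofcode.org block, `location ~ (.git|LICENSE|readme.md)` is unanchored with an unescaped dot, so it also matches unrelated paths containing e.g. `digit`, while `deny all;` followed by `return 404;` is dead code because `return` runs in the rewrite phase before access checks; `location ~ /\.git { return 404; }` plus anchored patterns for the two files is the intended shape. The certificates, status, www, ecm and keys blocks keep `ssl_protocols TLSv1.1 TLSv1.2;` whereas every standalone vhost file in this commit is TLSv1.2-only; TLS 1.1 is deprecated by RFC 8996 and nothing in the file records why it is retained. The ecm block sets `Upgrade`/`Connection "upgrade"` on the proxied request but omits `proxy_http_version 1.1;`, so the WebSocket handshake cannot complete over nginx's default HTTP/1.0 upstream connection, and the `Connection "upgrade"` value is sent unconditionally rather than via a `map $http_upgrade $connection_upgrade`. Finally, the gitlab block's `ssl on;` is deprecated in favour of the `ssl` parameter already present on its `listen` line, and its HSTS value `"max-age=31536000; preload"` lacks the `includeSubDomains` token the preload list requires.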
@@ -0,0 +1,47 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name lists.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ client_max_body_size 1G;
+ #limit_req zone=one burst=15;
+
+
+location / {
+ return 307 $scheme://lists.libraryofcode.org/cgi-bin/mailman/listinfo;
+}
+location /cgi-bin/mailman {
+ root /usr/lib/;
+ fastcgi_split_path_info (^/cgi-bin/mailman/[^/]*)(.*)$;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
+ fastcgi_intercept_errors on;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+}
+location /images/mailman {
+ alias /usr/share/images/mailman;
+}
+location /pipermail {
+ alias /var/lib/mailman/archives/public;
+ autoindex on;
+}
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/locsh.libraryofcode.org.conf b/Nginx/Server Blocks/locsh.libraryofcode.org.conf
new file mode 100644
index 0000000..9ee4c02
--- /dev/null
+++ b/Nginx/Server Blocks/locsh.libraryofcode.org.conf
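Review bot: `location /pipermail { alias /var/lib/mailman/archives/public; ... }` and `location /images/mailman { alias /usr/share/images/mailman; }` are prefix locations without a trailing slash paired with alias paths without one, so any request whose path merely starts with the prefix is mapped by string substitution (`/pipermailX` becomes `/var/lib/mailman/archives/publicX`); the conventional, less surprising form is `location /pipermail/ { alias /var/lib/mailman/archives/public/; }` and likewise for the images location. `autoindex on;` on the archive location exposes the list of every public archive, which matches how pipermail is normally served but deserves a comment such as `# public archives: directory listing is intentional`. The `return 307 $scheme://lists.libraryofcode.org/...` in `location /` could spell `https://` directly, since this server only listens with `ssl` and `$scheme` can never be anything else here.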
@@ -0,0 +1,42 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name loc.sh;
+ ssl_certificate /etc/letsencrypt/live/loc.sh-0001/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/loc.sh-0001/privkey.pem; # managed by Certbot
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://localhost:3890;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://localhost:3890 https://loc.sh;
+
+ }
+
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/modmail.ins.conf b/Nginx/Server Blocks/modmail.ins.conf
new file mode 100644
index 0000000..6245a6b
--- /dev/null
+++ b/Nginx/Server Blocks/modmail.ins.conf
@@ -0,0 +1,44 @@
+server {
+ listen 10.8.0.1:443 ssl http2;
+ #listen [::]:443 ssl http2;
+ server_name modmail.ins;
+
+ ssl_certificate /etc/nginx/ssl/modmail-ins.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/modmail-ins.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://10.8.0.1:5478;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://10.8.0.1:5478 https://modmail.ins;
+
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/payments.libraryofcode.org.conf b/Nginx/Server Blocks/payments.libraryofcode.org.conf
new file mode 100644
index 0000000..3a56fb9
--- /dev/null
+++ b/Nginx/Server Blocks/payments.libraryofcode.org.conf
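Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;` in `location /` sets a header on the request forwarded to the backend, not on the response returned to the browser, so it provides no clickjacking protection at all; the directive meant is `add_header X-Frame-Options SAMEORIGIN always;` (bearing in mind that `add_header` inside a location replaces any `add_header` set at server level). The same line appears in search.libraryofcode.org.conf, test.ins.conf and wiki.libraryofcode.org.conf in this commit and needs the same change there. `proxy_pass http://10.8.0.1:5478;` sends traffic to the backend on the VPN address rather than loopback, which suggests the plaintext service is also reachable directly over the VPN without passing through this TLS front-end; if that is not intended, binding the backend to 127.0.0.1 or filtering the port is the fix, and a comment on the `proxy_pass` line should record which was chosen.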
@@ -0,0 +1,29 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name payments.libraryofcode.org;
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_dhparam /etc/nginx/dhparam.pem;
+ ssl_ecdh_curve secp384r1;
+
+ root /var/www/opencart;
+
+ index index.php index.html index.htm;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ location ~ [^/]\.php(/|$) {
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/pbx.libraryofcode.org.conf b/Nginx/Server Blocks/pbx.libraryofcode.org.conf
new file mode 100644
index 0000000..070b09b
--- /dev/null
+++ b/Nginx/Server Blocks/pbx.libraryofcode.org.conf
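Review bot: `ssl_protocols TLSv1.1 TLSv1.2;` on a vhost that fronts a payment storefront (`root /var/www/opencart;`) keeps TLS 1.1 enabled, a version deprecated by RFC 8996 and no long recommended for cardholder-data environments, while every standalone vhost file in this commit uses `ssl_protocols TLSv1.2;`; this block should match them. It is also the only vhost in the set with no `ssl_session_cache` and no stapling directives, so the block handling the most sensitive traffic is the one that diverges most from the common template. A short comment explaining any deliberate deviation, e.g. `# TLS 1.1 kept for <client>; remove by <date>`, would stop the next reader from silently "fixing" it either way.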
@@ -0,0 +1,49 @@
+server {
+ listen 10.8.0.1:443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name pbx.ins;
+
+ ssl_certificate /etc/nginx/ssl/pbx-ins.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/pbx-ins.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ client_max_body_size 230M;
+ client_body_timeout 1h;
+ #limit_req zone=one burst=15;
+ root /var/www/html;
+
+ index index.html index.htm index.php;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf; # server defaults are good
+ fastcgi_pass unix:/run/php/php7.3-fpm-asterisk.sock;
+ fastcgi_param HTACCESS on; # disables FreePBX htaccess warning
+ proxy_read_timeout 800;
+ }
+
+ # disallows the things that the FreePBX .htaccess files disallow
+ location ~ (/\.ht|/\.git|\.ini$|/libraries|/helpers|/i18n|/node|/views/.+php$) {
+ deny all;
+ }
+
+ # from the api module .htaccess file
+ rewrite ^/admin/api/([^/]*)/([^/]*)/?(.*)?$ /admin/api/api.php?module=$1&command=$2&route=$3 last;
+
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/report.libraryofcode.org.conf b/Nginx/Server Blocks/report.libraryofcode.org.conf
new file mode 100644
index 0000000..0561179
--- /dev/null
+++ b/Nginx/Server Blocks/report.libraryofcode.org.conf
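Review bot: `listen [::]:443 ssl http2;` is left active while the IPv4 listener is pinned to the VPN address `10.8.0.1:443`, so the FreePBX admin interface is reachable on every IPv6 address of this host even though the sibling modmail.ins.conf comments its IPv6 listener out; if this vhost is meant to be VPN-only the line should be `#listen [::]:443 ssl http2;` or bound to the VPN's IPv6 address. The `deny all` regex location is declared after `location ~ \.php$`, and nginx takes the first matching regex location in file order, so a request such as `/admin/views/foo.php` is handled by the PHP location and executed rather than denied; the deny block needs to move above the PHP block. `proxy_read_timeout 800;` inside a FastCGI location has no effect on the FastCGI connection — the corresponding directive is `fastcgi_read_timeout 800;`.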
@@ -0,0 +1,28 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name report.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ root /var/www/report;
+ index public/index.html;
+
+ location /assets {
+ alias /var/www/report/assets/;
+ #root /var/www/report/assets;
+ #try_files /var/www/report/assets/$uri /var/www/report/assets/$uri/ =404;
+ try_files $uri $uri/ =404;
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/search.libraryofcode.org.conf b/Nginx/Server Blocks/search.libraryofcode.org.conf
new file mode 100644
index 0000000..919eaff
--- /dev/null
+++ b/Nginx/Server Blocks/search.libraryofcode.org.conf
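Review bot: `location /assets` (no trailing slash) combined with `alias /var/www/report/assets/;` (trailing slash) is the alias off-by-slash shape: nginx replaces the matched prefix by plain substitution, so a path such as `/assets../x` maps to `/var/www/report/assets/../x`, i.e. `/var/www/report/x`. Here that resolves into the same tree that `root /var/www/report;` already serves, so nothing extra is exposed today, but it becomes a path traversal the moment the alias target is moved anywhere else. Since the alias equals root plus the location prefix, the block can simply be `location /assets/ { try_files $uri $uri/ =404; }` with no alias at all, which also sidesteps the known inconsistencies of `try_files` under `alias` that the two commented-out attempts above it hint at.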
@@ -0,0 +1,44 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name search.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://localhost:8090;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://localhost:8090 https://search.libraryofcode.org;
+
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/servicedesk.libraryofcode.org.conf b/Nginx/Server Blocks/servicedesk.libraryofcode.org.conf
new file mode 100644
index 0000000..4523fe9
--- /dev/null
+++ b/Nginx/Server Blocks/servicedesk.libraryofcode.org.conf
@@ -0,0 +1,42 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name staff.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://localhost:3020;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://localhost:3020 https://staff.libraryofcode.org;
+
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/static.libraryofcode.org.conf b/Nginx/Server Blocks/static.libraryofcode.org.conf
new file mode 100644
index 0000000..829134a
--- /dev/null
+++ b/Nginx/Server Blocks/static.libraryofcode.org.conf
@@ -0,0 +1,23 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name static.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ root /var/www/static;
+ location / {
+ autoindex on;
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/support.libraryofcode.us.conf b/Nginx/Server Blocks/support.libraryofcode.us.conf
new file mode 100644
index 0000000..c46da3f
--- /dev/null
+++ b/Nginx/Server Blocks/support.libraryofcode.us.conf
@@ -0,0 +1,73 @@
+#
+# this is the nginx config for zammad
+#
+
+upstream zammad-railsserver {
+ server 127.0.0.1:3000;
+}
+
+upstream zammad-websocket {
+ server 127.0.0.1:6042;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ # replace 'localhost' with your fqdn if you want to use zammad from remote
+ server_name support.libraryofcode.us;
+
+ root /opt/zammad/public;
+
+ access_log /var/log/nginx/zammad.access.log;
+ error_log /var/log/nginx/zammad.error.log;
+
+ client_max_body_size 50M;
+ssl_certificate /etc/nginx/ssl/globalsign.chain.crt;
+
+ssl_certificate_key /etc/nginx/ssl/globalsign.key.pem;
+#ssl_session_cache builtin:1000 shared:SSL:10m;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+ssl_prefer_server_ciphers on;
+#ssl_session_cache builtin:1000 shared:SSL:10m;
+
+#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+
+#ssl_prefer_server_ciphers on;
+
+ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
+# ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
+# ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+ ssl_dhparam /etc/nginx/dhparam.pem;ssl_ecdh_curve secp384r1;
+
+ location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
+ expires max;
+ }
+
+ location /ws {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header CLIENT_IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 86400;
+ proxy_pass http://zammad-websocket;
+ }
+
+ location / {
+ proxy_set_header Host $http_host;
+ proxy_set_header CLIENT_IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 300;
+ proxy_pass http://zammad-railsserver;
+
+ gzip on;
+ gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
+ gzip_proxied any;
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/test.ins.conf b/Nginx/Server Blocks/test.ins.conf
new file mode 100644
index 0000000..6245a6b
--- /dev/null
+++ b/Nginx/Server Blocks/test.ins.conf
@@ -0,0 +1,44 @@
+server {
+ listen 10.8.0.1:443 ssl http2;
+ #listen [::]:443 ssl http2;
+ server_name modmail.ins;
+
+ ssl_certificate /etc/nginx/ssl/modmail-ins.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/modmail-ins.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://10.8.0.1:5478;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://10.8.0.1:5478 https://modmail.ins;
+
+ }
+}
\ No newline at end of file
diff --git a/Nginx/Server Blocks/wiki.libraryofcode.org.conf b/Nginx/Server Blocks/wiki.libraryofcode.org.conf
new file mode 100644
index 0000000..642402c
--- /dev/null
+++ b/Nginx/Server Blocks/wiki.libraryofcode.org.conf
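Review bot: `ssl_protocols` is given twice in this server block, first as `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and later as `ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE`; nginx rejects a repeated directive in the same context (`"ssl_protocols" directive is duplicate`), so this file will fail `nginx -t` until the earlier line is removed or commented out like its neighbours. The active cipher string is `ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;`, which admits non-forward-secret RSA key exchange and CBC suites that every other vhost in this commit excludes by using the explicit ECDHE/DHE GCM and ChaCha20 list; replacing it with that list keeps the set consistent. `ssl_session_cache` appears only in commented-out form, so this block diverges from the others there as well.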
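Review bot: test.ins.conf is a byte-for-byte copy of modmail.ins.conf from this same commit (same blob `6245a6b`, same `server_name modmail.ins;`, same `modmail-ins` certificate pair and `proxy_pass http://10.8.0.1:5478;`), so nginx will see two server blocks with the same name on the same `10.8.0.1:443` listener; it keeps the first and logs a warning of the form `conflicting server name "modmail.ins" on 10.8.0.1:443, ignored` for the second, meaning this file does nothing. If a separate test vhost is wanted it needs its own `server_name`, certificate pair and backend port; otherwise the file should be dropped from the commit.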
@@ -0,0 +1,44 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name wiki.libraryofcode.org;
+
+ ssl_certificate /etc/nginx/ssl/org.chain.crt;
+ ssl_certificate_key /etc/nginx/ssl/org.key.pem;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ #include /etc/nginx/error/502;
+ #include /etc/nginx/error/504;
+ #include /etc/nginx/error/500;
+ #include /etc/nginx/error/404;
+ #include /etc/nginx/error/429;
+ ssl_protocols TLSv1.2;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ client_max_body_size 1G;
+ #limit_req zone=one burst=15;
+ location / {
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://localhost:3000;
+
+ proxy_read_timeout 90;
+
+ proxy_redirect http://localhost:3000 https://wiki.libraryofcode.org;
+
+ }
+}
\ No newline at end of file