jean-cloud-services/services/nuage.jean-cloud.net/nginx_server.conf

# Inspired by the Nextcloud nginx reference configuration (snapshot taken 2021-05-25):
# https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html?highlight=nginx
# NOTE(review): the hosting forge flags "invisible Unicode characters" in this file.
# Locate and strip them before deploying (e.g. `grep -nP '[^\x00-\x7F]' nginx_server.conf`):
# a non-breaking space or zero-width character inside a directive silently changes
# how nginx parses it.
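server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # $JC_CERT, $JC_SERVICE, $DATA_DIR and $NET appear to be deployment-template
    # placeholders rather than nginx variables (server_name cannot take variables);
    # whatever expands them must leave nginx's own $scheme/$host/$request_uri/...
    # untouched.
    ssl_certificate $JC_CERT/fullchain.pem;
    ssl_certificate_key $JC_CERT/privkey.pem;
    server_name $JC_SERVICE www.$JC_SERVICE;
    root $DATA_DIR/app;
    # Rate limiting; the "defaultlimit" zone is declared with limit_req_zone
    # outside this file (http context).
    limit_req zone=defaultlimit burst=500 nodelay;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # CalDAV/CardDAV discovery. These exact-match locations take precedence over
    # the regex rule below that returns 404 for every other path starting with a
    # dot, so other .well-known endpoints (webfinger, nodeinfo) are not reachable.
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    # Max upload size; request bodies are streamed to PHP-FPM (see
    # fastcgi_request_buffering below) rather than spooled to disk first.
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # The ngx_pagespeed module is not supported; left disabled.
    #pagespeed off;

    # Security headers. "always" makes nginx emit them on every status code;
    # without it add_header only applies to 2xx/3xx responses, so 4xx/5xx pages
    # would be sent without any of these protections.
    #
    # HSTS: the "preload" token is deliberately omitted. Only add it after reading
    # https://hstspreload.org/ -- preloaded domains are hard-coded into all major
    # browsers and getting removed from that list can take several months.
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Robots-Tag none always;
    add_header X-Download-Options noopen always;
    add_header X-Permitted-Cross-Domain-Policies none always;
    add_header Referrer-Policy no-referrer always;
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Directory handling: with `/index.php$request_uri` as the last fallback, a
    # directory that has an index.php is served by it and any other directory is
    # handed to the front controller, so no special-casing is needed for
    # `/updater`, `/ocm-provider`, `/ocs-provider` or plain assets.
    index index.php index.html /index.php$request_uri;

    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    # Never expose Nextcloud's internal directories or the data directory. The
    # `(?:$|/)` suffix (as in the reference config) also covers `/config` without
    # a trailing slash, not only `/config/...`.
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) {
        return 404;
    }
    # Dot-files, developer tooling and database/console entry points.
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        return 404;
    }

    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # try_files below resets $fastcgi_path_info, so save it first and pass
        # the saved copy as PATH_INFO (the original passed the cleared variable,
        # which left PATH_INFO empty).
        set $path_info $fastcgi_path_info;
        # Only hand existing scripts to PHP-FPM: defeats the "/upload.jpg/x.php"
        # PATH_INFO trick. The existence check runs against $DATA_DIR/app while
        # SCRIPT_FILENAME points at /var/www/html, so the PHP-FPM container is
        # presumably mounting the same tree at that path -- verify on deploy.
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        # nginx terminates TLS; this tells PHP the request is HTTPS (the Nextcloud
        # reference config sets it as well). Keep it, or generated URLs and
        # cookies lose their secure scheme.
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
        fastcgi_param front_controller_active true;
        # Plaintext FastCGI to the PHP-FPM container: $NET must be a private
        # network segment that untrusted hosts cannot reach.
        fastcgi_pass $NET.100:9000;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    # Make sure it is BELOW the PHP block. These locations set no add_header of
    # their own, so the server-level security headers are inherited.
    location ~ \.(?:css|js|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        expires 6M; # Cache-Control policy borrowed from `.htaccess`
        access_log off; # Optional: Don't log access to assets
    }
    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d; # Cache-Control policy borrowed from `.htaccess`
        access_log off; # Optional: Don't log access to assets
    }

    # Rule borrowed from `.htaccess`
    location /remote {
        return 301 /remote.php$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
}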
# Derive the Connection header sent upstream from the client's Upgrade header:
# an empty Upgrade (ordinary request) yields "close", anything else (a WebSocket
# handshake) yields "upgrade". $connection_upgrade is referenced by the proxied
# vhosts in this file.
map $http_upgrade $connection_upgrade {
    ''      close;
    default upgrade;
}
# On-disk cache for proxied responses (http-context directive). NOTE(review): no
# location in this file sets `proxy_cache my-cache;`, so the zone is allocated but
# never used and the `proxy_cache_use_stale` in the calc vhost has no effect. If
# caching is enabled later, exclude per-user/authenticated EtherCalc responses
# (proxy_no_cache / proxy_cache_bypass), otherwise one user's data could be served
# to another.
proxy_cache_path /var/www/cache levels=1:2 keys_zone=my-cache:8m max_size=1000m inactive=600m;
# Scratch directory for proxied responses that do not fit in proxy_buffers.
proxy_temp_path /var/www/cache/tmp;
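server {
    # Listen on IPv6 as well, like the sibling vhosts: without a [::]:443 listen
    # here, IPv6 clients for calc.* are matched by the first [::]:443 server in
    # the config (the Nextcloud vhost) instead of this one.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # Very large request-header allowance (32 x 64k = up to 2 MiB per request).
    # Presumably needed for EtherCalc's long URLs/cookies, but it is also memory an
    # unauthenticated client can make nginx allocate; lower it if not required.
    large_client_header_buffers 32 64k;
    root /usr/share/nginx/www;
    index index.html index.htm;
    ssl_certificate $JC_CERT/fullchain.pem;
    ssl_certificate_key $JC_CERT/privkey.pem;
    server_name calc.nuage.jean-cloud.net;
    # NOTE(review): neither proxied location forwards Host, X-Forwarded-For or
    # X-Forwarded-Proto to EtherCalc, so it sees every request as coming from
    # nginx over plain HTTP; add them if EtherCalc's logging/rate limiting or
    # cookie flags depend on them.

    # Static assets served straight from disk.
    location ~* (\.(css|png|gif|svg|ico|txt)|static/.*\.js(on)?|manifest\.(appcache|webapp|json)|browserconfig\.xml)$ {
        root /data/proxy/nuage.jean-cloud.net/ethercalc/;
        expires 24h;
        add_header Cache-Control public;
        # A location that sets add_header inherits none from above, so HSTS is
        # repeated here; "always" covers error responses too.
        add_header Strict-Transport-Security max-age=31536000 always;
    }

    # Sheet exports (html / csv / csv.json), proxied to EtherCalc.
    location ~* "(?:[.]|/_/[^/]+/)(?:html|csv|csv\.json)$" {
        proxy_pass http://$NET.102:8000;
        # NOTE(review): inert -- this server sets no `proxy_cache`, so the
        # my-cache zone is never consulted here.
        proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # Without an explicit Connection header nginx sends "Connection: close",
        # which makes the Upgrade header above meaningless. The map yields "close"
        # for ordinary requests (unchanged behaviour) and "upgrade" for WebSockets.
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 31536000;
        proxy_buffers 32 64k;
        proxy_buffer_size 128k;
        add_header Strict-Transport-Security max-age=31536000 always;
        # CORS policy lives in the included file (not visible here): check that it
        # does not reflect arbitrary Origins together with
        # Access-Control-Allow-Credentials.
        include /data/proxy/nuage.jean-cloud.net/nginx_cors.conf;
    }

    # Everything else, including the WebSocket endpoint, goes to EtherCalc.
    location / {
        gzip on;
        gzip_min_length 1000;
        gzip_proxied any;
        proxy_pass http://$NET.102:8000;
        proxy_http_version 1.1;
        # WebSocket pass-through (Connection value comes from the map at the top of
        # this file); the one-year read timeout keeps idle sockets open.
        proxy_set_header Upgrade $http_upgrade;
        proxy_read_timeout 31536000;
        proxy_set_header Connection $connection_upgrade;
        # prevents 502 bad gateway error
        proxy_buffers 32 64k;
        proxy_buffer_size 128k;
        add_header Strict-Transport-Security max-age=31536000 always;
        include /data/proxy/nuage.jean-cloud.net/nginx_cors.conf;
    }
}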
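server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate $JC_CERT/fullchain.pem;
    ssl_certificate_key $JC_CERT/privkey.pem;
    server_name pad.nuage.jean-cloud.net;
    # HSTS as on the sibling vhosts; "always" so error responses carry it too.
    # Inherited by the location below because it sets no add_header of its own.
    add_header Strict-Transport-Security max-age=31536000 always;

    location / {
        proxy_pass http://$NET.104:9001;
        proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
        proxy_set_header Host $host;
        # Passes Etherpad's own Server header through to clients (minor version
        # disclosure); remove this line if you would rather hide it.
        proxy_pass_header Server;
        # Client identity for Etherpad's logs and any IP-based rate limiting.
        # $remote_addr is used (not $proxy_add_x_forwarded_for) because nginx
        # terminates TLS directly here, so a client-supplied X-Forwarded-For must
        # not be forwarded as if it were trusted. NOTE(review): Etherpad only
        # honours these when its trustProxy setting is enabled -- confirm in
        # settings.json.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
        proxy_http_version 1.1; # recommended with keepalive connections
        # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}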