Nginx now uses template syntax for easier config
parent
69fadcbbed
commit
929d1e2cf4
|
@ -0,0 +1,12 @@
|
|||
# Main domain; also name of certificate
|
||||
MAIN_DOMAIN=
|
||||
|
||||
# Comma-separated list of other domains which also arrive here
|
||||
DOMAINS=
|
||||
|
||||
# Admin email; used for certificates
|
||||
EMAIL=
|
||||
|
||||
# HTTP(S) Port
|
||||
HTTP_PORT=80
|
||||
HTTPS_PORT=443
|
|
@ -1,4 +1,4 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
certbot certonly --standalone -d "$DOMAINS" --email "$EMAIL" -n --agree-tos --expand
|
||||
certbot certonly --standalone -d "$MAIN_DOMAIN,$DOMAINS" --email "$EMAIL" -n --agree-tos --expand
|
||||
/usr/sbin/nginx -g "daemon off;"
|
||||
|
|
|
@ -1,35 +0,0 @@
|
|||
http {
|
||||
# SSL CONFIGURATION
|
||||
# Key locations
|
||||
ssl_certificate /etc/letsencrypt/live/your.domain.here/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/your.domain.here/privkey.pem;
|
||||
|
||||
# Allowed protocols
|
||||
ssl_protocols TLSv1.2;
|
||||
|
||||
# Allowed cyphers
|
||||
# ssl_ciphers EECDH+CHACHA20:EECDH+AES;
|
||||
|
||||
# Cache settings
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 10m;
|
||||
|
||||
# Still gotta figure out what these do
|
||||
# ssl_session_tickets off;
|
||||
# ssl_prefer_server_ciphers on;
|
||||
# ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
|
||||
|
||||
|
||||
# Auto-route all HTTP requests to HTTPS
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name _;
|
||||
|
||||
return 301 https://$host:443$request_uri;
|
||||
}
|
||||
|
||||
|
||||
# LOAD SITES
|
||||
include sites_enabled/*.conf;
|
||||
}
|
|
@ -4,17 +4,22 @@ services:
|
|||
build: './build'
|
||||
image: 'nginx-certbot:stable-alpine'
|
||||
|
||||
env_file:
|
||||
- 'nginx.env.example'
|
||||
environment:
|
||||
- 'DOMAINS'
|
||||
- 'EMAIL'
|
||||
- 'HTTPS_PORT'
|
||||
- 'HTTP_PORT'
|
||||
- 'MAIN_DOMAIN'
|
||||
networks:
|
||||
- 'nginx'
|
||||
ports:
|
||||
- '80:80'
|
||||
- '443:443'
|
||||
- '$HTTP_PORT:$HTTP_PORT'
|
||||
- '$HTTPS_PORT:$HTTPS_PORT'
|
||||
volumes:
|
||||
- 'certs:/etc/letsencrypt'
|
||||
- './nginx.conf:/etc/nginx/nginx.conf'
|
||||
- './conf.d:/etc/nginx/conf.d'
|
||||
- './sites-enabled:/etc/nginx/sites-enabled'
|
||||
- './templates:/etc/nginx/templates'
|
||||
- 'certs:/etc/letsencrypt'
|
||||
|
||||
networks:
|
||||
nginx:
|
||||
|
|
|
@ -1,5 +0,0 @@
|
|||
# Comma-separated list of domains
|
||||
DOMAINS=
|
||||
|
||||
# Admin email; used for certificates
|
||||
EMAIL=
|
|
@ -0,0 +1,55 @@
|
|||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name DOMAIN;
|
||||
|
||||
# Enable gzip but do not remove ETag headers
|
||||
gzip on;
|
||||
gzip_vary on;
|
||||
gzip_comp_level 4;
|
||||
gzip_min_length 256;
|
||||
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
|
||||
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
|
||||
|
||||
# Allow unlimited download size
|
||||
client_max_body_size 0;
|
||||
|
||||
fastcgi_buffers 64 4K;
|
||||
|
||||
# Remove X-Powered-By, which is an information leak
|
||||
fastcgi_hide_header X-Powered-By;
|
||||
|
||||
# Recommended in Nextcloud overview
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
|
||||
location / {
|
||||
proxy_pass http://nextcloud_app_1:80/;
|
||||
|
||||
proxy_pass_request_headers on;
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
# All recommended in security overview
|
||||
proxy_set_header Referrer-Policy "no-referrer" ;
|
||||
proxy_set_header X-Content-Type-Options "nosniff" ;
|
||||
proxy_set_header X-Download-Options "noopen" ;
|
||||
proxy_set_header X-Frame-Options "SAMEORIGIN" ;
|
||||
proxy_set_header X-Permitted-Cross-Domain-Policies "none" ;
|
||||
proxy_set_header X-Robots-Tag "none" ;
|
||||
proxy_set_header X-XSS-Protection "1; mode=block" ;
|
||||
}
|
||||
|
||||
|
||||
# Needed to make CalDAV and CardDAV work properly
|
||||
location /.well-known/carddav {
|
||||
return 301 $scheme://$host/remote.php/dav;
|
||||
}
|
||||
|
||||
location /.well-known/caldav {
|
||||
return 301 $scheme://$host/remote.php/dav;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,35 @@
|
|||
http {
|
||||
# SSL CONFIGURATION
|
||||
# Key locations
|
||||
ssl_certificate /etc/letsencrypt/live/${MAIN_DOMAIN}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/${MAIN_DOMAIN}/privkey.pem;
|
||||
|
||||
# Allowed protocols
|
||||
ssl_protocols TLSv1.2;
|
||||
|
||||
# Allowed cyphers
|
||||
# ssl_ciphers EECDH+CHACHA20:EECDH+AES;
|
||||
|
||||
# Cache settings
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 10m;
|
||||
|
||||
# Still gotta figure out what these do
|
||||
ssl_session_tickets off;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
|
||||
|
||||
|
||||
# Auto-route all HTTP requests to HTTPS
|
||||
server {
|
||||
listen ${HTTP_PORT};
|
||||
listen [::]:${HTTP_PORT};
|
||||
server_name _;
|
||||
|
||||
return 301 https://$host:${HTTPS_PORT}$request_uri;
|
||||
}
|
||||
|
||||
|
||||
# LOAD SITES
|
||||
include sites-enabled/*.conf;
|
||||
}
|
Reference in New Issue