diff --git a/nginx/.env.example b/nginx/.env.example
new file mode 100644
index 0000000..445e483
--- /dev/null
+++ b/nginx/.env.example
@@ -0,0 +1,12 @@
+# Main domain; also name of certificate
+MAIN_DOMAIN=
+
+# Comma-separated list of other domains which also arrive here
+DOMAINS=
+
+# Admin email; used for certificates
+EMAIL=
+
+# HTTP(S) Port
+HTTP_PORT=80
+HTTPS_PORT=443
diff --git a/nginx/build/entrypoint.sh b/nginx/build/entrypoint.sh
index ede0c39..14ca52a 100644
--- a/nginx/build/entrypoint.sh
+++ b/nginx/build/entrypoint.sh
@@ -1,4 +1,4 @@
 #!/usr/bin/env sh
-certbot certonly --standalone -d "$DOMAINS" --email "$EMAIL" -n --agree-tos --expand
+certbot certonly --standalone -d "$MAIN_DOMAIN,$DOMAINS" --email "$EMAIL" -n --agree-tos --expand
 /usr/sbin/nginx -g "daemon off;"
diff --git a/nginx/conf.d/http.conf b/nginx/conf.d/http.conf
deleted file mode 100644
index c92194d..0000000
--- a/nginx/conf.d/http.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-http {
- # SSL CONFIGURATION
- # Key locations
- ssl_certificate /etc/letsencrypt/live/your.domain.here/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/your.domain.here/privkey.pem;
-
- # Allowed protocols
- ssl_protocols TLSv1.2;
-
- # Allowed cyphers
- # ssl_ciphers EECDH+CHACHA20:EECDH+AES;
-
- # Cache settings
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
-
- # Still gotta figure out what these do
- # ssl_session_tickets off;
- # ssl_prefer_server_ciphers on;
- # ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
-
- # Auto-route all HTTP requests to HTTPS
- server {
- listen 80;
- listen [::]:80;
- server_name _;
-
- return 301 https://$host:443$request_uri;
- }
-
- # LOAD SITES
- include sites_enabled/*.conf;
-}
diff --git a/nginx/docker-compose.yml b/nginx/docker-compose.yml
index 7b758df..c8e51f1 100644
--- a/nginx/docker-compose.yml
+++ b/nginx/docker-compose.yml
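Review bot: `-d "$MAIN_DOMAIN,$DOMAINS"` produces a trailing comma (e.g. `example.org,`) whenever DOMAINS is left empty, which is exactly the default the new .env.example ships, so certbot is handed an empty domain name. Build the list conditionally instead: `DOMAIN_LIST="$MAIN_DOMAIN${DOMAINS:+,$DOMAINS}"` and pass `-d "$DOMAIN_LIST"`. The certbot exit status is also never checked, so a failed issuance still falls through to `/usr/sbin/nginx`, which then fails on a missing `/etc/letsencrypt/live/` directory with a much less helpful error; `set -e` at the top of the script (or `|| exit 1` on the certbot line) makes the real failure the one that ends up in the container logs. A comment on the certbot line is also warranted: MAIN_DOMAIN has to come first because certbot derives the lineage name from the first `-d` entry unless `--cert-name` is given, and the template's `ssl_certificate` path depends on that name.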
@@ -4,17 +4,22 @@ services:
 build: './build'
 image: 'nginx-certbot:stable-alpine'
- env_file:
- - 'nginx.env.example'
+ environment:
+ - 'DOMAINS'
+ - 'EMAIL'
+ - 'HTTPS_PORT'
+ - 'HTTP_PORT'
+ - 'MAIN_DOMAIN'
 networks:
 - 'nginx'
 ports:
- - '80:80'
- - '443:443'
+ - '$HTTP_PORT:$HTTP_PORT'
+ - '$HTTPS_PORT:$HTTPS_PORT'
 volumes:
- - 'certs:/etc/letsencrypt'
 - './nginx.conf:/etc/nginx/nginx.conf'
- - './conf.d:/etc/nginx/conf.d'
+ - './sites-enabled:/etc/nginx/sites-enabled'
+ - './templates:/etc/nginx/templates'
+ - 'certs:/etc/letsencrypt'
 networks:
 nginx:
diff --git a/nginx/nginx.env.example b/nginx/nginx.env.example
deleted file mode 100644
index b807d76..0000000
--- a/nginx/nginx.env.example
+++ /dev/null
@@ -1,5 +0,0 @@
-# Comma-separated list of domains
-DOMAINS=
-
-# Admin email; used for certificates
-EMAIL=
diff --git a/nginx/sites-available/nextcloud.conf b/nginx/sites-available/nextcloud.conf
new file mode 100644
index 0000000..e36549d
--- /dev/null
+++ b/nginx/sites-available/nextcloud.conf
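Review bot: The new port mappings `'$HTTP_PORT:$HTTP_PORT'` and `'$HTTPS_PORT:$HTTPS_PORT'` expand to an invalid `:` when the variables are unset, and nothing in this hunk sets them: `env_file` was removed and the example now lives in `.env.example`, which Compose does not read until someone copies it to `.env`. Defaults in the mapping, `'${HTTP_PORT:-80}:${HTTP_PORT:-80}'` and `'${HTTPS_PORT:-443}:${HTTPS_PORT:-443}'`, keep `docker-compose up` working without that step. Note also that the entrypoint's certbot `--standalone` run relies on HTTP-01 validation, which always connects to port 80 on the host, so a non-default HTTP_PORT breaks certificate issuance even though the mapping itself succeeds; a comment next to `HTTP_PORT` saying the variable only affects the nginx listener, not the challenge port, would prevent a confusing failure.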
@@ -0,0 +1,55 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl http2;
+ server_name DOMAIN;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ # Allow unlimited download size
+ client_max_body_size 0;
+
+ fastcgi_buffers 64 4K;
+
+ # Remove X-Powered-By, which is an information leak
+ fastcgi_hide_header X-Powered-By;
+
+ # Recommended in Nextcloud overview
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ location / {
+ proxy_pass http://nextcloud_app_1:80/;
+
+ proxy_pass_request_headers on;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # All recommended in security overview
+ proxy_set_header Referrer-Policy "no-referrer" ;
+ proxy_set_header X-Content-Type-Options "nosniff" ;
+ proxy_set_header X-Download-Options "noopen" ;
+ proxy_set_header X-Frame-Options "SAMEORIGIN" ;
+ proxy_set_header X-Permitted-Cross-Domain-Policies "none" ;
+ proxy_set_header X-Robots-Tag "none" ;
+ proxy_set_header X-XSS-Protection "1; mode=block" ;
+ }
+
+ # Needed to make CalDAV and CardDAV work properly
+ location /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ location /.well-known/caldav {
+ return 301 
$scheme://$host/remote.php/dav;
+ }
+}
diff --git a/nginx/conf.d/events.conf b/nginx/templates/events.conf.template
similarity index 100%
rename from nginx/conf.d/events.conf
rename to nginx/templates/events.conf.template
diff --git a/nginx/templates/http.conf.template b/nginx/templates/http.conf.template
new file mode 100644
index 0000000..5f20a03
--- /dev/null
+++ b/nginx/templates/http.conf.template
@@ -0,0 +1,35 @@
+http {
+ # SSL CONFIGURATION
+ # Key locations
+ ssl_certificate /etc/letsencrypt/live/${MAIN_DOMAIN}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${MAIN_DOMAIN}/privkey.pem;
+
+ # Allowed protocols
+ ssl_protocols TLSv1.2;
+
+ # Allowed cyphers
+ # ssl_ciphers EECDH+CHACHA20:EECDH+AES;
+
+ # Cache settings
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ # Still gotta figure out what these do
+ ssl_session_tickets off;
+ ssl_prefer_server_ciphers on;
+ ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
+
+ # Auto-route all HTTP requests to HTTPS
+ server {
+ listen ${HTTP_PORT};
+ listen [::]:${HTTP_PORT};
+ server_name _;
+
+ return 301 https://$host:${HTTPS_PORT}$request_uri;
+ }
+
+ # LOAD SITES
+ include sites-enabled/*.conf;
+}
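Review bot: `# Still gotta figure out what these do` now sits above three directives that the template enables rather than leaves commented out, so the comment should say what they do: `ssl_session_tickets off` disables stateless TLS session tickets (a ticket key that is never rotated lets past sessions be decrypted, undermining forward secrecy), `ssl_prefer_server_ciphers on` makes the server's cipher order win over the client's, and `ssl_ecdh_curve` restricts which ECDHE curves are offered. Separately, nothing in the commit shows what substitutes `${MAIN_DOMAIN}`, `${HTTP_PORT}` and `${HTTPS_PORT}` in this file: the entrypoint starts `/usr/sbin/nginx` directly, and if the Dockerfile uses it as ENTRYPOINT the stock image's envsubst pass over `/etc/nginx/templates` never runs, leaving the now-unmounted `conf.d` empty — worth confirming, or substituting explicitly in entrypoint.sh before nginx starts. A one-line comment at the top of the template naming the mechanism that renders it would settle this for the next reader.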