Nginx now uses template syntax for easier config

pull/3/head
Jef Roosens 2021-01-09 15:15:22 +01:00
parent 69fadcbbed
commit 929d1e2cf4
8 changed files with 114 additions and 47 deletions

12
nginx/.env.example 100644
View File

@ -0,0 +1,12 @@
# Main domain; also name of certificate
MAIN_DOMAIN=
# Comma-separated list of other domains which also arrive here
DOMAINS=
# Admin email; used for certificates
EMAIL=
# HTTP(S) Port
HTTP_PORT=80
HTTPS_PORT=443

View File

@ -1,4 +1,4 @@
#!/usr/bin/env sh #!/usr/bin/env sh
certbot certonly --standalone -d "$DOMAINS" --email "$EMAIL" -n --agree-tos --expand certbot certonly --standalone -d "$MAIN_DOMAIN,$DOMAINS" --email "$EMAIL" -n --agree-tos --expand
/usr/sbin/nginx -g "daemon off;" /usr/sbin/nginx -g "daemon off;"

View File

@ -1,35 +0,0 @@
http {
# SSL CONFIGURATION
# Key locations
ssl_certificate /etc/letsencrypt/live/your.domain.here/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your.domain.here/privkey.pem;
# Allowed protocols
ssl_protocols TLSv1.2;
# Allowed cyphers
# ssl_ciphers EECDH+CHACHA20:EECDH+AES;
# Cache settings
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Still gotta figure out what these do
# ssl_session_tickets off;
# ssl_prefer_server_ciphers on;
# ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
# Auto-route all HTTP requests to HTTPS
server {
listen 80;
listen [::]:80;
server_name _;
return 301 https://$host:443$request_uri;
}
# LOAD SITES
include sites_enabled/*.conf;
}

View File

@ -4,17 +4,22 @@ services:
build: './build' build: './build'
image: 'nginx-certbot:stable-alpine' image: 'nginx-certbot:stable-alpine'
env_file: environment:
- 'nginx.env.example' - 'DOMAINS'
- 'EMAIL'
- 'HTTPS_PORT'
- 'HTTP_PORT'
- 'MAIN_DOMAIN'
networks: networks:
- 'nginx' - 'nginx'
ports: ports:
- '80:80' - '$HTTP_PORT:$HTTP_PORT'
- '443:443' - '$HTTPS_PORT:$HTTPS_PORT'
volumes: volumes:
- 'certs:/etc/letsencrypt'
- './nginx.conf:/etc/nginx/nginx.conf' - './nginx.conf:/etc/nginx/nginx.conf'
- './conf.d:/etc/nginx/conf.d' - './sites-enabled:/etc/nginx/sites-enabled'
- './templates:/etc/nginx/templates'
- 'certs:/etc/letsencrypt'
networks: networks:
nginx: nginx:

View File

@ -1,5 +0,0 @@
# Comma-separated list of domains
DOMAINS=
# Admin email; used for certificates
EMAIL=

View File

@ -0,0 +1,55 @@
server {
listen 443 ssl;
listen [::]:443 ssl http2;
server_name DOMAIN;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Allow unlimited download size
client_max_body_size 0;
fastcgi_buffers 64 4K;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Recommended in Nextcloud overview
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / {
proxy_pass http://nextcloud_app_1:80/;
proxy_pass_request_headers on;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# All recommended in security overview
proxy_set_header Referrer-Policy "no-referrer" ;
proxy_set_header X-Content-Type-Options "nosniff" ;
proxy_set_header X-Download-Options "noopen" ;
proxy_set_header X-Frame-Options "SAMEORIGIN" ;
proxy_set_header X-Permitted-Cross-Domain-Policies "none" ;
proxy_set_header X-Robots-Tag "none" ;
proxy_set_header X-XSS-Protection "1; mode=block" ;
}
# Needed to make CalDAV and CardDAV work properly
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
}

View File

@ -0,0 +1,35 @@
http {
# SSL CONFIGURATION
# Key locations
ssl_certificate /etc/letsencrypt/live/${MAIN_DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${MAIN_DOMAIN}/privkey.pem;
# Allowed protocols
ssl_protocols TLSv1.2;
# Allowed cyphers
# ssl_ciphers EECDH+CHACHA20:EECDH+AES;
# Cache settings
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Still gotta figure out what these do
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
# Auto-route all HTTP requests to HTTPS
server {
listen ${HTTP_PORT};
listen [::]:${HTTP_PORT};
server_name _;
return 301 https://$host:${HTTPS_PORT}$request_uri;
}
# LOAD SITES
include sites-enabled/*.conf;
}