add nginx configuration

2024-11-14 14:11:14 +01:00
parent db4b2a372c
commit 95302bad46
8 changed files with 481 additions and 0 deletions
--- a/nginx/etc/nginx/conf.d/global.conf
+++ b/nginx/etc/nginx/conf.d/global.conf
@@ -0,0 +1,252 @@
+server {
+    listen 80;
+
+    location / {
+        # lighttpd
+        proxy_pass http://host:80;
+        include /etc/nginx/conf/proxy.conf;
+    }
+    location /transmission {
+        # transmission
+        proxy_pass http://host:9091;
+        include /etc/nginx/conf/proxy.conf;
+    }
+    location /jackett {
+        # jackett
+        proxy_pass http://host:9117;
+        include /etc/nginx/conf/proxy.conf;
+    }
+    location /radarr {
+        # radarr
+        proxy_pass http://host:17878;
+        include /etc/nginx/conf/proxy.conf;
+    }
+    location /sonarr {
+        # sonarr
+        proxy_pass http://host:18989;
+        include /etc/nginx/conf/proxy.conf;
+    }
+    location /bazarr {
+        # bazarr
+        proxy_pass http://host:16767;
+        include /etc/nginx/conf/proxy.conf;
+    }
+    location /jellyseerr {
+        # jellyseerr
+        proxy_pass http://host:15055;
+        include /etc/nginx/conf/proxy.conf;
+    }
+    location /jellyfin {
+        # jellyfin
+        proxy_pass http://host:8097;
+        include /etc/nginx/conf/proxy.conf;
+    }
+    location /droppy/ {
+        # droppy
+        proxy_pass http://host:8989/;
+        include /etc/nginx/conf/proxy.conf;
+    }
+    location /filebrowser/ {
+        # filebrowser
+        proxy_pass http://host:8002/;
+        include /etc/nginx/conf/proxy.conf;
+    }
+}
+
+server {
+    # dsmr
+    listen 80;
+
+    server_name dsmr.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:8888;
+        rewrite ^/dsmr(.*)$ $1 break;
+        include /etc/nginx/conf/proxy.conf;
+    }
+}
+
+server {
+    # homeassistant
+    listen 80;
+
+    server_name ha.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:8123;
+        include /etc/nginx/conf/proxy.conf;
+    }
+}
+
+server {
+    # homeassistant
+    listen 80;
+
+    server_name ha-loazrzzxydfxopwi.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:8123;
+        include /etc/nginx/conf/proxy.conf;
+        proxy_set_header X-Forwarded-Preferred-Username rik;
+    }
+}
+
+server {
+    # esphome
+    listen 80;
+
+    server_name esp.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:6052;
+        include /etc/nginx/conf/proxy.conf;
+    }
+}
+
+server {
+    # homarr
+    listen 80;
+    server_name homarr.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:17575;
+        include /etc/nginx/conf/proxy.conf;
+    }
+}
+
+server {
+    # jellyseerr
+    listen 80;
+    server_name jellyseerr.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:15055;
+        include /etc/nginx/conf/proxy.conf;
+    }
+}
+
+server {
+    # minio
+    listen 80;
+    server_name minio.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:9000;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $http_host;
+    }
+}
+
+server {
+    # minio
+    listen 80;
+    server_name minio-console.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:9001;
+        include /etc/nginx/conf/proxy.conf;
+    }
+
+}
+
+server {
+    # jupyter
+    listen 80;
+    server_name jupyter.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:9999;
+        include /etc/nginx/conf/proxy.conf;
+    }
+}
+
+server {
+    # seafile
+    listen 80;
+    server_name seafile.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:8100;
+        include /etc/nginx/conf/proxy.conf;
+    }
+    location /seafhttp {
+        # seafile
+        rewrite ^/seafhttp(.*)$ $1 break;
+        proxy_pass http://host:8182;
+        client_max_body_size 0;
+    }
+    location /seafdav {
+        proxy_pass http://host:8180;
+        include /etc/nginx/conf/proxy.conf;
+    }
+}
+
+server {
+    # grafana
+    listen 80;
+    server_name grafana.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:3333;
+        include /etc/nginx/conf/proxy.conf;
+    }
+}
+
+server {
+    # qbittorrent
+    listen 80;
+    server_name qbittorrent.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:9092;
+        include /etc/nginx/conf/proxy.conf;
+    }
+}
+
+server {
+    # photoprism
+    listen 80;
+    server_name photoprism.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:2342;
+        include /etc/nginx/conf/proxy.conf;
+    }
+}
+
+server {
+    # pgadmin
+    listen 80;
+    server_name pgadmin.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:5050/;
+        include /etc/nginx/conf/proxy.conf;
+    }
+}
+
+server {
+    # dagster
+    listen 80;
+    server_name dagster.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:3000;
+        include /etc/nginx/conf/proxy.conf;
+
+        # auth_basic           "Private";
+        # auth_basic_user_file /host/etc/.htpasswd;
+
+        include /etc/nginx/conf/headers.conf;
+    }
+    include /etc/nginx/conf/vouch.conf;
+}
+
+server {
+    # test
+    listen 80;
+    server_name test.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:12345;
+        include /etc/nginx/conf/proxy.conf;
+        include /etc/nginx/conf/headers.conf;
+    }
+    include /etc/nginx/conf/vouch.conf;
+}
+
+server {
+    # vouch
+    listen 80;
+    server_name vouch.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:9090;
+        include /etc/nginx/conf/proxy.conf;
+    }
+}
--- a/nginx/etc/nginx/conf.d/unused.conf.disabled
+++ b/nginx/etc/nginx/conf.d/unused.conf.disabled
@@ -0,0 +1,108 @@
+server {
+  listen 80;
+  location /facette/ {
+
+      # facette
+      proxy_pass http://host:2003;
+      include /etc/nginx/conf/proxy.conf;
+  }
+  location /dagster {
+
+      # dagster
+      proxy_pass http://host:3000;
+      include /etc/nginx/conf/proxy.conf;
+  }
+  location /app {
+      # app
+      proxy_pass http://host:4567/;
+      include /etc/nginx/conf/proxy.conf;
+  }
+  location /pgadmin/ {
+      # pgadmin
+      proxy_pass http://host:5050/;
+      include /etc/nginx/conf/proxy.conf;
+      proxy_set_header X-Script-Name /pgadmin;
+  }
+}
+
+server {
+    # dagster
+    listen 80;
+    server_name dagster.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:3000;
+        include /etc/nginx/conf/proxy.conf;
+    }
+}
+
+server {
+    # app
+    listen 80;
+    server_name app.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:4567;
+        include /etc/nginx/conf/proxy.conf;
+        include /etc/nginx/conf/proxy-headers.conf;
+
+        proxy_set_header X-Domain app;
+    }
+    include /etc/nginx/conf/vouch.conf;
+}
+
+server {
+    # other-app
+    listen 80;
+    server_name other-app.rik.veenboer.xyz;
+    location / {
+        auth_request /vouch/validate;
+        proxy_pass http://host:4567;
+        include /etc/nginx/conf/proxy.conf;
+        include /etc/nginx/conf/proxy-headers.conf;
+
+        proxy_set_header X-Domain other-app;
+    }
+
+    include /etc/nginx/conf/vouch-path.conf;
+
+    # If the user is not logged in, redirect them to Vouch's login URL
+    location @error401 {
+        return 302 https://other-app.rik.veenboer.xyz/vouch/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
+    }
+}
+
+server {
+    # vouch
+    listen 80;
+    server_name vouch.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:9090;
+        include /etc/nginx/conf/proxy.conf;
+    }
+}
+
+server {
+    # keycloak
+    listen 80;
+    server_name keycloak.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:18080/;
+        include /etc/nginx/conf/proxy.conf;
+        proxy_hide_header Content-Security-Policy;
+        proxy_set_header Content-Security-Policy upgrade-insecure-requests;
+        #proxy_set_header Host $host;
+        #proxy_set_header X-Real-IP $remote_addr;
+        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        #proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+
+server {
+    # aim
+    listen 80;
+    server_name aim.rik.veenboer.xyz;
+    location / {
+        proxy_pass http://host:43800;
+        include /etc/nginx/conf/proxy.conf;
+    }
+}
--- a/nginx/etc/nginx/conf/headers.conf
+++ b/nginx/etc/nginx/conf/headers.conf
@@ -0,0 +1,13 @@
+auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
+auth_request_set $sub                    $upstream_http_x_vouch_idp_claims_sub;
+auth_request_set $name                   $upstream_http_x_vouch_idp_claims_name;
+auth_request_set $email                  $upstream_http_x_vouch_idp_claims_email;
+auth_request_set $email_verified         $upstream_http_x_vouch_idp_claims_email_verified;
+auth_request_set $preferred_username     $upstream_http_x_vouch_idp_claims_preferred_username;
+
+proxy_set_header X-Forwarded-User               $auth_resp_x_vouch_user;
+proxy_set_header X-Forwarded-Sub                $sub;
+proxy_set_header X-Forwarded-Name               $name;
+proxy_set_header X-Forwarded-Email              $email;
+proxy_set_header X-Forwarded-Email-Verified     $email_verified;
+proxy_set_header X-Forwarded-Preferred-Username $preferred_username;
--- a/nginx/etc/nginx/conf/proxy.conf
+++ b/nginx/etc/nginx/conf/proxy.conf
@@ -0,0 +1,10 @@
+# Proxy
+proxy_redirect off;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Ssl on;
+
+# Websocket
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $http_connection;
--- a/nginx/etc/nginx/conf/ssl.conf
+++ b/nginx/etc/nginx/conf/ssl.conf
@@ -0,0 +1,20 @@
+# Enable SSL
+ssl_certificate /host/etc/certs/certificate+intermediate.pem;
+ssl_certificate_key /host/etc/certs/key.pem;
+ssl_dhparam /host/etc/certs/dh.pem;
+
+# Increased security, from https://cipherli.st/
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver_timeout 5s;
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+# Redirect HTTP trafic
+error_page 497 https://$host:$server_port$request_uri;
--- a/nginx/etc/nginx/conf/vouch-path.conf
+++ b/nginx/etc/nginx/conf/vouch-path.conf
@@ -0,0 +1,14 @@
+location /vouch { # vouch
+    proxy_pass http://host:9093; # must not! have a slash at the end
+    proxy_set_header Host $http_host;
+    proxy_pass_request_body off;
+    proxy_set_header Content-Length "";
+
+    # these return values are used by the @error401 call
+    auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
+    auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
+    auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
+}
+
+# if /vouch/validate returns `401 not authorized` then forward the request to the error401block
+error_page 401 = @error401;
--- a/nginx/etc/nginx/conf/vouch.conf
+++ b/nginx/etc/nginx/conf/vouch.conf
@@ -0,0 +1,31 @@
+# Any request to this server will first be sent to this URL
+auth_request /vouch-validate;
+
+# Get the authorized user name (email address)
+auth_request_set $auth_user $upstream_http_x_vouch_user;
+
+location = /vouch-validate {
+    internal;
+
+    # This address is where Vouch will be listening on
+    proxy_pass http://host:9090/validate;
+    proxy_pass_request_body off; # no need to send the POST body
+
+    proxy_set_header Content-Length "";
+    proxy_set_header Host $http_host; # This is required according to the Vouch-Proxy official example
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    # These return values are passed to the @error401 call
+    auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
+    auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
+    auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
+}
+
+error_page 401 = @error401;
+
+# If the user is not logged in, redirect them to Vouch's login URL
+location @error401 {
+    return 302 https://vouch.rik.veenboer.xyz/login?url=https://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
+}
--- a/nginx/etc/nginx/nginx.conf
+++ b/nginx/etc/nginx/nginx.conf
@@ -0,0 +1,33 @@
+user  nginx;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    client_max_body_size 500M;
+
+    server_tokens off;
+    error_page 401 403 404 /404.html;
+    include /etc/nginx/conf.d/*.conf;
+}