diff --git a/nginx/etc/nginx/conf.d/global.conf b/nginx/etc/nginx/conf.d/global.conf
new file mode 100644
index 0000000..fc3c8fa
--- /dev/null
+++ b/nginx/etc/nginx/conf.d/global.conf
@@ -0,0 +1,252 @@
+server {
+ listen 80;
+
+ location / {
+ # lighttpd
+ proxy_pass http://host:80;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /transmission {
+ # transmission
+ proxy_pass http://host:9091;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /jackett {
+ # jackett
+ proxy_pass http://host:9117;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /radarr {
+ # radarr
+ proxy_pass http://host:17878;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /sonarr {
+ # sonarr
+ proxy_pass http://host:18989;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /bazarr {
+ # bazarr
+ proxy_pass http://host:16767;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /jellyseerr {
+ # jellyseerr
+ proxy_pass http://host:15055;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /jellyfin {
+ # jellyfin
+ proxy_pass http://host:8097;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /droppy/ {
+ # droppy
+ proxy_pass http://host:8989/;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /filebrowser/ {
+ # filebrowser
+ proxy_pass http://host:8002/;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server {
+ # dsmr
+ listen 80;
+
+ server_name dsmr.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:8888;
+ rewrite ^/dsmr(.*)$ $1 break;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server {
+ # homeassistant
+ listen 80;
+
+ server_name ha.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:8123;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server {
+ # homeassistant
+ listen 80;
+
+ server_name ha-loazrzzxydfxopwi.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:8123;
+ include /etc/nginx/conf/proxy.conf;
+ proxy_set_header X-Forwarded-Preferred-Username rik;
+ }
+}
+
+server {
+ # esphome
+ listen 80;
+
+ server_name esp.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:6052;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server {
+ # homarr
+ listen 80;
+ server_name homarr.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:17575;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server {
+ # jellyseerr
+ listen 80;
+ server_name jellyseerr.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:15055;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server {
+ # minio
+ listen 80;
+ server_name minio.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:9000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+ }
+}
+
+server {
+ # minio
+ listen 80;
+ server_name minio-console.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:9001;
+ include /etc/nginx/conf/proxy.conf;
+ }
+
+}
+
+server {
+ # jupyter
+ listen 80;
+ server_name jupyter.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:9999;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server {
+ # seafile
+ listen 80;
+ server_name seafile.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:8100;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /seafhttp {
+ # seafile
+ rewrite ^/seafhttp(.*)$ $1 break;
+ proxy_pass http://host:8182;
+ client_max_body_size 0;
+ }
+ location /seafdav {
+ proxy_pass http://host:8180;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server {
+ # grafana
+ listen 80;
+ server_name grafana.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:3333;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server {
+ # qbittorrent
+ listen 80;
+ server_name qbittorrent.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:9092;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server {
+ # photoprism
+ listen 80;
+ server_name photoprism.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:2342;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server {
+ # pgadmin
+ listen 80;
+ server_name pgadmin.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:5050/;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server {
+ # dagster
+ listen 80;
+ server_name dagster.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:3000;
+ include /etc/nginx/conf/proxy.conf;
+
+ # auth_basic "Private";
+ # auth_basic_user_file /host/etc/.htpasswd;
+
+ include /etc/nginx/conf/headers.conf;
+ }
+ include /etc/nginx/conf/vouch.conf;
+}
+
+server {
+ # test
+ listen 80;
+ server_name test.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:12345;
+ include /etc/nginx/conf/proxy.conf;
+ include /etc/nginx/conf/headers.conf;
+ }
+ include /etc/nginx/conf/vouch.conf;
+}
+
+server {
+ # vouch
+ listen 80;
+ server_name vouch.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:9090;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
diff --git a/nginx/etc/nginx/conf.d/unused.conf.disabled b/nginx/etc/nginx/conf.d/unused.conf.disabled
new file mode 100644
index 0000000..8305f16
--- /dev/null
+++ b/nginx/etc/nginx/conf.d/unused.conf.disabled
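Review bot: The `ha.rik.veenboer.xyz` server forwards any client-supplied `X-Forwarded-Preferred-Username` header to Home Assistant untouched, because nginx passes through every request header it does not explicitly override and neither proxy.conf nor this block clears it; the sibling `ha-loazrzzxydfxopwi` block, which hard-codes `proxy_set_header X-Forwarded-Preferred-Username rik;`, suggests the upstream is configured to trust that header as the logged-in user, in which case a client on the public vhost can set it and impersonate `rik`. The only thing gating the hard-coded-user vhost is its unguessable hostname, and that hostname is now in the repository. At minimum add `proxy_set_header X-Forwarded-Preferred-Username "";` (and the other `X-Forwarded-*` identity headers that headers.conf emits) to the `ha.rik.veenboer.xyz` location so those headers can only originate from nginx, and consider putting the trusted-header vhost behind `include /etc/nginx/conf/vouch.conf;` plus headers.conf like the dagster server, or behind an `allow`/`deny` source restriction. The same pass-through applies to every other vhost here without auth_request (pgadmin, minio-console, jupyter, filebrowser, …), which rely entirely on the application's own login. Note also that the first `server` block has no `server_name`, so it is the default for any unmatched Host and exposes the whole media stack on it.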
@@ -0,0 +1,108 @@
+server {
+ listen 80;
+ location /facette/ {
+
+ # facette
+ proxy_pass http://host:2003;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /dagster {
+
+ # dagster
+ proxy_pass http://host:3000;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /app {
+ # app
+ proxy_pass http://host:4567/;
+ include /etc/nginx/conf/proxy.conf;
+ }
+ location /pgadmin/ {
+ # pgadmin
+ proxy_pass http://host:5050/;
+ include /etc/nginx/conf/proxy.conf;
+ proxy_set_header X-Script-Name /pgadmin;
+ }
+}
+
+server {
+ # dagster
+ listen 80;
+ server_name dagster.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:3000;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server {
+ # app
+ listen 80;
+ server_name app.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:4567;
+ include /etc/nginx/conf/proxy.conf;
+ include /etc/nginx/conf/proxy-headers.conf;
+
+ proxy_set_header X-Domain app;
+ }
+ include /etc/nginx/conf/vouch.conf;
+}
+
+server {
+ # other-app
+ listen 80;
+ server_name other-app.rik.veenboer.xyz;
+ location / {
+ auth_request /vouch/validate;
+ proxy_pass http://host:4567;
+ include /etc/nginx/conf/proxy.conf;
+ include /etc/nginx/conf/proxy-headers.conf;
+
+ proxy_set_header X-Domain other-app;
+ }
+
+ include /etc/nginx/conf/vouch-path.conf;
+
+ # If the user is not logged in, redirect them to Vouch's login URL
+ location @error401 {
+ return 302 https://other-app.rik.veenboer.xyz/vouch/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
+ }
+}
+
+server {
+ # vouch
+ listen 80;
+ server_name vouch.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:9090;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
+
+server {
+ # keycloak
+ listen 80;
+ server_name keycloak.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:18080/;
+ include /etc/nginx/conf/proxy.conf;
+ proxy_hide_header Content-Security-Policy;
+ proxy_set_header Content-Security-Policy upgrade-insecure-requests;
+ #proxy_set_header Host $host;
+ #proxy_set_header X-Real-IP $remote_addr;
+ #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ #proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+
+
+server {
+ # aim
+ listen 80;
+ server_name aim.rik.veenboer.xyz;
+ location / {
+ proxy_pass http://host:43800;
+ include /etc/nginx/conf/proxy.conf;
+ }
+}
diff --git a/nginx/etc/nginx/conf/headers.conf b/nginx/etc/nginx/conf/headers.conf
new file mode 100644
index 0000000..5739273
--- /dev/null
+++ b/nginx/etc/nginx/conf/headers.conf
@@ -0,0 +1,13 @@
+auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
+auth_request_set $sub $upstream_http_x_vouch_idp_claims_sub;
+auth_request_set $name $upstream_http_x_vouch_idp_claims_name;
+auth_request_set $email $upstream_http_x_vouch_idp_claims_email;
+auth_request_set $email_verified $upstream_http_x_vouch_idp_claims_email_verified;
+auth_request_set $preferred_username $upstream_http_x_vouch_idp_claims_preferred_username;
+
+proxy_set_header X-Forwarded-User $auth_resp_x_vouch_user;
+proxy_set_header X-Forwarded-Sub $sub;
+proxy_set_header X-Forwarded-Name $name;
+proxy_set_header X-Forwarded-Email $email;
+proxy_set_header X-Forwarded-Email-Verified $email_verified;
+proxy_set_header X-Forwarded-Preferred-Username $preferred_username;
diff --git a/nginx/etc/nginx/conf/proxy.conf b/nginx/etc/nginx/conf/proxy.conf
new file mode 100644
index 0000000..78a948d
--- /dev/null
+++ b/nginx/etc/nginx/conf/proxy.conf
@@ -0,0 +1,10 @@
+# Proxy
+proxy_redirect off;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Ssl on;
+
+# Websocket
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $http_connection;
diff --git a/nginx/etc/nginx/conf/ssl.conf b/nginx/etc/nginx/conf/ssl.conf
new file mode 100644
index 0000000..debf64c
--- /dev/null
+++ b/nginx/etc/nginx/conf/ssl.conf
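Review bot: In the keycloak server, `proxy_set_header Content-Security-Policy upgrade-insecure-requests;` sets a *request* header sent to Keycloak, not a response header sent to the browser, so together with `proxy_hide_header Content-Security-Policy;` the net effect is that Keycloak's own CSP (which, as far as I recall, carries its frame-ancestors restriction) is stripped from every response and nothing replaces it. The directive meant here is `add_header Content-Security-Policy "upgrade-insecure-requests" always;`, and the `proxy_hide_header` should be dropped unless the original policy genuinely has to be overridden. The file is `.disabled`, but this block becomes an unprotected login page the moment it is re-enabled, so it is worth fixing or at least annotating now.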
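Review bot: headers.conf only produces values when it is included in the same location that is protected by vouch.conf's `auth_request`, because every `auth_request_set` here reads `$upstream_http_*` of the auth subrequest; included anywhere else, all six variables are empty and `proxy_set_header` then silently omits the header instead of failing loudly. Nothing in the file says so, and the `X-Vouch-IdP-Claims-*` headers are presumably only emitted for claims that Vouch itself is configured to expose, which a maintainer cannot see from this repo. Add a header comment along the lines of `# Must be included inside a location guarded by vouch.conf (auth_request); the X-Vouch-IdP-Claims-* headers depend on Vouch's claims configuration.`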
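Review bot: `proxy_set_header X-Forwarded-Ssl on;` is unconditional, yet every server in this diff listens only on port 80 and ssl.conf is not included anywhere, so upstreams are told the client connection was TLS whether or not a terminator sits in front of nginx; if there is none, applications that use this flag to mark cookies `Secure` or build `https://` redirects will misbehave, while the hop to nginx is plaintext anyway. Either include ssl.conf and derive the flag from the connection (`proxy_set_header X-Forwarded-Ssl $https;` together with `proxy_set_header X-Forwarded-Proto $scheme;`), or add a comment stating that TLS is terminated in front of nginx. Separately, `proxy_set_header Connection $http_connection;` forwards the client's Connection header verbatim; the usual form is a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in nginx.conf's http block with `proxy_set_header Connection $connection_upgrade;`, so a client cannot push arbitrary Connection tokens to the upstream, which some backends honour by dropping the headers named in it (X-Forwarded-For included).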
@@ -0,0 +1,20 @@
+# Enable SSL
+ssl_certificate /host/etc/certs/certificate+intermediate.pem;
+ssl_certificate_key /host/etc/certs/key.pem;
+ssl_dhparam /host/etc/certs/dh.pem;
+
+# Increased security, from https://cipherli.st/
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver_timeout 5s;
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+# Redirect HTTP trafic
+error_page 497 https://$host:$server_port$request_uri;
\ No newline at end of file
diff --git a/nginx/etc/nginx/conf/vouch-path.conf b/nginx/etc/nginx/conf/vouch-path.conf
new file mode 100644
index 0000000..48874dd
--- /dev/null
+++ b/nginx/etc/nginx/conf/vouch-path.conf
@@ -0,0 +1,14 @@
+location /vouch { # vouch
+ proxy_pass http://host:9093; # must not! have a slash at the end
+ proxy_set_header Host $http_host;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+
+ # these return values are used by the @error401 call
+ auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
+ auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
+ auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
+}
+
+# if /vouch/validate returns `401 not authorized` then forward the request to the error401block
+error_page 401 = @error401;
diff --git a/nginx/etc/nginx/conf/vouch.conf b/nginx/etc/nginx/conf/vouch.conf
new file mode 100644
index 0000000..499679c
--- /dev/null
+++ b/nginx/etc/nginx/conf/vouch.conf
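Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, which are deprecated by RFC 8996 and are exactly what the "Increased security" comment above it is meant to rule out; change it to `ssl_protocols TLSv1.2 TLSv1.3;` (the `ssl_ciphers` list only governs 1.2, the 1.3 suites are built in). `ssl_stapling on;` is paired with a `resolver_timeout` but no `resolver` directive appears in this file or in nginx.conf, and nginx needs one to resolve the OCSP responder, so stapling will presumably be skipped with a warning unless a resolver is set elsewhere. There is no `Strict-Transport-Security` header beside the two `add_header` lines, and `add_header` is not inherited into any location that declares its own `add_header`, which is worth a comment for anyone adding one later. Nothing in this diff includes ssl.conf, so all of this is dormant until a `listen 443 ssl` server picks it up.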
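Review bot: `proxy_pass http://host:9093;` targets a different port from the Vouch instance everywhere else in this diff (`http://host:9090` in vouch.conf and in the `vouch.rik.veenboer.xyz` server), so unless a second Vouch listens on 9093, the path-mode `auth_request /vouch/validate` that uses this include will get a connection failure and nginx will answer 500 (auth_request treats anything other than 2xx/401/403 as an error) instead of redirecting to login. If the second instance is deliberate, say so in the trailing comment on that line; otherwise change it to `proxy_pass http://host:9090;`. This location is intentionally not `internal`, since Vouch's login and callback paths under `/vouch` must be reachable by the browser, which deserves a comment because the sibling vouch.conf marks its validate location `internal`.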
@@ -0,0 +1,31 @@
+# Any request to this server will first be sent to this URL
+auth_request /vouch-validate;
+
+# Get the authorized user name (email address)
+auth_request_set $auth_user $upstream_http_x_vouch_user;
+
+location = /vouch-validate {
+ internal;
+
+ # This address is where Vouch will be listening on
+ proxy_pass http://host:9090/validate;
+ proxy_pass_request_body off; # no need to send the POST body
+
+ proxy_set_header Content-Length "";
+ proxy_set_header Host $http_host; # This is required according to the Vouch-Proxy official example
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # These return values are passed to the @error401 call
+ auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
+ auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
+ auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
+}
+
+error_page 401 = @error401;
+
+# If the user is not logged in, redirect them to Vouch's login URL
+location @error401 {
+ return 302 https://vouch.rik.veenboer.xyz/login?url=https://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
+}
diff --git a/nginx/etc/nginx/nginx.conf b/nginx/etc/nginx/nginx.conf
new file mode 100644
index 0000000..6726aec
--- /dev/null
+++ b/nginx/etc/nginx/nginx.conf
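Review bot: `auth_request_set $auth_user $upstream_http_x_vouch_user;` is dead in this diff — nothing reads `$auth_user`, and headers.conf captures the same upstream header into `$auth_resp_x_vouch_user` for the `X-Forwarded-User` header — so either drop it or have headers.conf reuse it, so that each claim lives in exactly one variable. The validate subrequest reports `X-Forwarded-Proto $scheme`, which is always `http` for these port-80 servers, while `@error401` redirects to `https://$http_host$request_uri` and proxy.conf tells upstreams `X-Forwarded-Ssl on`; the three should agree, and if TLS is terminated in front of nginx the scheme should come from whatever that hop sets rather than `$scheme`, with a comment stating where TLS ends. Also worth documenting on `auth_request /vouch-validate;` that it is server-wide: every location of an including server is protected, including the application's own health or callback endpoints.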
@@ -0,0 +1,33 @@
+user nginx;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ client_max_body_size 500M;
+
+ server_tokens off;
+ error_page 401 403 404 /404.html;
+ include /etc/nginx/conf.d/*.conf;
+}
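Review bot: `error_page 401 403 404 /404.html;` at http scope points at a URI that no server in this diff serves; every server only proxies, so an nginx-generated 403 or 404 is internally redirected to `/404.html`, matched by `location /`, and forwarded to the upstream (lighttpd on the default server), whose body is then returned under the original status. Either add a `location = /404.html { internal; root /some/static/dir; }` to the servers that need it, or drop the directive; the vouch servers already override the 401 case with their own `error_page`. Also, `$http_x_forwarded_for` in the log format and the `X-Forwarded-For` that proxy.conf appends to are client-supplied unless a `set_real_ip_from`/`real_ip_header` pair trusts a specific fronting hop, so the logged chain can be spoofed — worth a comment if there is a proxy in front of this one.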