diff --git a/bundles/nginx/files/nginx.conf b/bundles/nginx/files/nginx.conf
index 5c73fdd..b2fcf10 100644
--- a/bundles/nginx/files/nginx.conf
+++ b/bundles/nginx/files/nginx.conf
@@ -8,7 +8,6 @@ events {
 worker_connections ${worker_connections};
 }
-
 http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
@@ -31,5 +30,10 @@ http {
 client_max_body_size 8m;
 large_client_header_buffers 2 1k;
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
 include /etc/nginx/sites/*;
 }
diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template
index 48b3bc6..ad7af96 100644
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@@ -17,9 +17,12 @@ server {
 ssl_stapling_verify on;
 add_header Strict-Transport-Security "max-age=31104000; preload";
+
+% if not do_not_set_content_security_headers:
 add_header Referrer-Policy same-origin;
 add_header X-Frame-Options "DENY";
 add_header X-Content-Type-Options nosniff;
+% endif
 location /.well-known/acme-challenge/ {
 alias /var/lib/dehydrated/acme-challenges/;
diff --git a/data/nginx/files/extras/htz.ex42-1048908/dav.kunsmann.eu b/data/nginx/files/extras/htz.ex42-1048908/dav.kunsmann.eu
new file mode 100644
index 0000000..c7d7a2c
--- /dev/null
+++ b/data/nginx/files/extras/htz.ex42-1048908/dav.kunsmann.eu
@@ -0,0 +1,8 @@
+ location / {
+ proxy_pass http://localhost:5232/;
+ proxy_set_header X-Script-Name /;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Remote-User $remote_user;
+ auth_basic "bleps :o";
+ auth_basic_user_file /etc/radicale/htpasswd;
+ }
diff --git a/data/nginx/files/extras/htz.ex42-1048908/dimension.franzi.business b/data/nginx/files/extras/htz.ex42-1048908/dimension.franzi.business
new file mode 100644
index 0000000..05e631b
--- /dev/null
+++ b/data/nginx/files/extras/htz.ex42-1048908/dimension.franzi.business
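Review bot: The new `% if not do_not_set_content_security_headers:` guard in site_template switches off X-Content-Type-Options and Referrer-Policy together with X-Frame-Options, although the only header a site that ships its own `Content-Security-Policy: frame-ancestors` needs to drop is X-Frame-Options. I would narrow the conditional to that one line, `% if not do_not_set_content_security_headers:` / `add_header X-Frame-Options "DENY";` / `% endif`, and keep Referrer-Policy and nosniff unconditional for every vhost. A comment next to the guard should also record nginx's all-or-nothing `add_header` inheritance: any `add_header` inside a nested `location` (as the new extras files do) silently discards every server-level header for that path. The server block this hunk edits continues outside the hunk.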
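Review bot: `proxy_set_header X-Remote-User $remote_user` in dav.kunsmann.eu makes nginx's Basic auth the identity the upstream on port 5232 trusts, so any other process that can reach that port can impersonate any user simply by sending the header; that is only acceptable if the upstream listens on loopback exclusively and nothing untrusted shares the host, which this hunk cannot show. I would state the assumption in the file, e.g. `# upstream trusts X-Remote-User: 5232 must stay loopback-only and must be configured to use that header for auth`. Separately, `$proxy_add_x_forwarded_for` appends to whatever X-Forwarded-For the client supplies, so the upstream must not base any trust decision on it; `$remote_addr` is the safer value if the header is only needed for logging.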
@@ -0,0 +1,8 @@
+ add_header Content-Security-Policy "frame-ancestors 'self' chat.franzi.business matrix.nyantec.com";
+
+ client_max_body_size 50M;
+
+ location /.well-known/matrix/ {
+ alias /etc/matrix-synapse/wellknown/;
+ add_header Access-Control-Allow-Origin *;
+ }
diff --git a/data/nginx/files/extras/htz.ex42-1048908/matrix.franzi.business b/data/nginx/files/extras/htz.ex42-1048908/matrix.franzi.business
new file mode 100644
index 0000000..1f8fde5
--- /dev/null
+++ b/data/nginx/files/extras/htz.ex42-1048908/matrix.franzi.business
@@ -0,0 +1,19 @@
+ client_max_body_size 500M;
+
+ location /.well-known/matrix/ {
+ alias /etc/matrix-synapse/wellknown/;
+ add_header Access-Control-Allow-Origin *;
+ }
+
+ location /_matrix {
+ proxy_pass http://[::1]:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
+ location /_matrix/media {
+ proxy_read_timeout 60s;
+ proxy_set_header Host $host; # Make sure this matches your homeserver in media-repo.yaml
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_pass http://localhost:8010; # Point this towards media-repo
+ }
diff --git a/data/nginx/files/extras/htz.ex42-1048908/pad.franzi.business b/data/nginx/files/extras/htz.ex42-1048908/pad.franzi.business
new file mode 100644
index 0000000..4e4592d
--- /dev/null
+++ b/data/nginx/files/extras/htz.ex42-1048908/pad.franzi.business
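Review bot: The `add_header Access-Control-Allow-Origin *` inside `location /.well-known/matrix/` in dimension.franzi.business stops inheritance of every server-level `add_header`, so responses on that path lose Strict-Transport-Security and the new Content-Security-Policy (nginx inherits add_header from the enclosing level only when the current level defines none). The CORS header is needed there, so repeat the HSTS line next to it, `add_header Strict-Transport-Security "max-age=31104000; preload";`, or move the security headers into a snippet that is included in both places. Where this extras file is included (server or location scope) is not visible here, so the scope of the CSP line itself should be confirmed as well.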
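Review bot: `location /_matrix` in matrix.franzi.business forwards only X-Forwarded-For; a homeserver behind a TLS-terminating proxy also needs `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header Host $host;` so it sees the connection as https and builds correct absolute URLs (the `/_matrix/media` block below already sets Host but not X-Forwarded-Proto). Using `$remote_addr` instead of `$proxy_add_x_forwarded_for` is the right choice here, since it stops clients from spoofing the address the backend rate-limits and logs by; whether the 8008 listener is configured to trust the header cannot be seen in this hunk. As in the other vhost, the `add_header` inside `/.well-known/matrix/` suppresses the inherited HSTS header for that path and should be repeated there.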
@@ -0,0 +1,28 @@
+ keepalive_timeout 70;
+ sendfile on;
+ client_max_body_size 40m;
+ client_body_timeout 3600;
+
+ location / {
+ try_files $uri @proxy;
+ }
+
+ location @proxy {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Proxy "";
+ proxy_pass_header Server;
+
+ proxy_pass http://127.0.0.1:3700;
+ proxy_buffering off;
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ tcp_nodelay on;
+ }
+
+ error_page 500 501 502 503 504 /500.html;
diff --git a/nodes/htz/ex42-1048908.py b/nodes/htz/ex42-1048908.py
index 9ed99cb..2e71e36 100644
--- a/nodes/htz/ex42-1048908.py
+++ b/nodes/htz/ex42-1048908.py
@@ -53,6 +53,9 @@ nodes['htz.ex42-1048908'] = {
 },
 'domains': {
 'part.of.the.trans-agenda.eu': set(),
+ 'matrix.franzi.business': {
+ 'franzi.business',
+ },
 },
 'reload_after': {
 # TODO move to bundles
@@ -86,10 +89,26 @@ nodes['htz.ex42-1048908'] = {
 },
 'nginx': {
 'vhosts': {
+ # TODO maybe some of this can be moved to a bundle?
+ 'dav.kunsmann.eu': {
+ 'extras': True,
+ },
+ 'dimension.franzi.business': {
+ 'extras': True,
+ 'do_not_set_content_security_headers': True,
+ 'proxy': {
+ '/': 'http://127.0.0.1:8184',
+ },
+ },
 'franzi.business': {
 'webroot': '/var/www/franzi.business/_site/',
 'extras': True,
 },
+ 'git.kunsmann.eu': {
+ 'proxy': {
+ '/': 'http://localhost:3000/',
+ },
+ },
 'jenkins.kunsmann.eu': {
 'proxy': {
 '/': 'http://localhost:9000/',
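Review bot: `client_body_timeout 3600` in pad.franzi.business lets one client hold a worker connection for an hour between body bytes, which widens the slow-request (slowloris-style) window considerably against the `worker_connections` budget set in nginx.conf; unless the pad's upload path is known to need it, drop it back to the default or a value in the tens of seconds, e.g. `client_body_timeout 60;`. `proxy_pass_header Server;` additionally forwards the upstream's Server banner to clients, disclosing backend software and version for no functional gain, and can simply be removed. The hard-coded `X-Forwarded-Proto https` is correct only because the generated server block is TLS-only; `$scheme` would be the safer idiom should the template ever gain a plain-HTTP listener.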
@@ -99,10 +118,40 @@ nodes['htz.ex42-1048908'] = {
 'kunsmann.eu': {
 'extras': True,
 },
+ 'matrix.franzi.business': {
+ 'extras': True,
+ },
+ 'pad.franzi.business': {
+ 'extras': True,
+ },
 'paste.kunsmann.eu': {
 'extras': True,
 },
+ 'postfixadmin.mx0.kunbox.net': {
+ 'webroot': '/srv/postfixadmin/public/',
+ 'index': 'index.php',
+ 'php': True, # FIXME this assumes php 7.3 is installed and configured already
+ },
+ 'rspamd.mx0.kunbox.net': {
+ 'proxy': {
+ '/': 'http://localhost:11334/',
+ },
+ },
+ 'rss.kunsmann.eu': {
+ 'proxy': {
+ '/': 'http://localhost:8080/',
+ },
+ },
+ 'stats.franzi.business': {
+ 'proxy': {
+ '/': 'http://[::1]:3100/',
+ },
+ },
 'vliedel.random.franzi.business': {},
+ 'webmail.mx0.kunbox.net': {
+ 'index': 'index.php',
+ 'php': True,
+ },
 },
 },
 'riot-web': {
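Review bot: `rspamd.mx0.kunbox.net` exposes the rspamd controller on `localhost:11334` to the internet with no `auth_basic`, relying entirely on whatever headers the bundle's `proxy` template sets, which are not visible here. As far as I recall, rspamd's stock worker-controller configuration lists 127.0.0.1 and ::1 as `secure_ip` and waives the controller password for connections from those addresses unless the real client is supplied via `X-Forwarded-For`, so if the bundle does not emit `proxy_set_header X-Forwarded-For $remote_addr;` the web UI is effectively unauthenticated. I would either confirm that header is forwarded and a controller password is set, or give this vhost `'extras': True` with an `auth_basic` block like dav.kunsmann.eu. The `# FIXME` on postfixadmin should also say what breaks when the PHP 7.3 assumption fails, otherwise it will be forgotten. The `nodes[...]` dict continues outside the hunk.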