KAZ/KazV2
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
89662f28cf
KazV2/dockers/proxy/config/nginx.tmpl.conf

735 lines
20 KiB
Plaintext
Raw Normal View History

first commit
2024-06-03 18:43:35 +02:00
# pour l'utilisation de certificats dynamique
user root;
events {
worker_connections 1000000;
}
http {
resolver 127.0.0.11 ipv6=off;
server_tokens off;
########################################
#### autoriser des uploads de 50Mo max
#### pour tous les sites
### sinon placer la variable dans chaque server{}
client_max_body_size 1024M;
add_header Set-Cookie lang="fr";
########################################
#### redirection http vers https
include includes/redirect;
map $ssl_early_data $tls1_3_early_data {
"~." $ssl_early_data;
default "";
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
map $ssl_server_name $ssl_local_cert {
volatile;
hostnames;
~^(?<sub_dom>.*\.)__DOMAIN__$ __DOMAIN__;
default $ssl_server_name;
}
########################################
#### Default
{{web
# ########################################
# #### Autoconfig pour thunderbird
server {
server_name autoconfig.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location /mail/config-v1.1.xml {
proxy_pass http://__DOMAIN__/mail/config-v1.1.xml;
}
}
# merci de ne pas effacer
server {
server_name autoconfig.bodamcity.fr;
include includes/port;
ssl_certificate /etc/letsencrypt/live/autoconfig.bodamcity.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/autoconfig.bodamcity.fr/privkey.pem;
include includes/proxy_params;
include includes/allow_ip;
location / {
proxy_pass http://kaz.bzh;
}
}
# merci de ne pas effacer
server {
server_name autoconfig.legrandmechantlude.org;
include includes/port;
ssl_certificate /etc/letsencrypt/live/autoconfig.legrandmechantlude.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/autoconfig.legrandmechantlude.org/privkey.pem;
include includes/proxy_params;
include includes/allow_ip;
location / {
proxy_pass http://kaz.bzh;
}
}
# merci de ne pas effacer
server {
server_name autoconfig.lbrondel-psychotherapie.fr;
include includes/port;
ssl_certificate /etc/letsencrypt/live/autoconfig.lbrondel-psychotherapie.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/autoconfig.lbrondel-psychotherapie.fr/privkey.pem;
include includes/proxy_params;
include includes/allow_ip;
location / {
proxy_pass http://kaz.bzh;
}
}
server {
server_name __DOMAIN__ www.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/www.__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.__DOMAIN__/privkey.pem;
include includes/proxy_params;
include includes/allow_ip;
# XXX >>>
# A concerver jusqu'en juin 2021
location /email.css {
proxy_pass http://__DOMAIN__/m/email.css;
}
location /kaz-50.png {
proxy_pass http://__DOMAIN__/m/logo.png;
}
location /kaz-du-libre-23.png {
proxy_pass http://__DOMAIN__/m/coche.png;
}
# <<<
location / {
proxy_pass http://__DOMAIN__;
}
}
}}
########################################
#### Jirafeau (filesender)
{{jirafeau
server {
server_name __FILE_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location /admin.php {
include allow_admin_ip;
proxy_pass http://__FILE_HOST__.__DOMAIN__;
}
location / {
include includes/allow_ip;
proxy_pass http://__FILE_HOST__.__DOMAIN__;
}
}
}}
########################################
#### CALC
{{ethercalc
server {
server_name __CALC_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__CALC_HOST__.__DOMAIN__:8000;
}
}
}}
########################################
#### YAKFORMS
{{yakforms
server {
server_name __YAKFORMS_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__YAKFORMS_HOST__.__DOMAIN__;
}
}
}}
########################################
#### PAD
{{etherpad
server {
server_name __PAD_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location /admin/ {
include allow_admin_ip;
proxy_pass http://__PAD_HOST__.__DOMAIN__:9001;
}
location / {
include includes/allow_ip;
proxy_pass http://__PAD_HOST__.__DOMAIN__:9001;
}
}
}}
########################################
#### roundcube
{{roundcube
server {
server_name __WEBMAIL_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__WEBMAIL_HOST__.__DOMAIN__;
}
}
}}
########################################
#### Framadate
{{framadate
server {
server_name __DATE_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location /admin/ {
include allow_admin_ip;
proxy_pass http://__DATE_HOST__.__DOMAIN__;
}
location / {
include includes/allow_ip;
proxy_pass http://__DATE_HOST__.__DOMAIN__;
}
}
}}
########################################
#### LDAP
{{ldap
server {
server_name __LDAPUI_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__LDAPUI_HOST__.__DOMAIN__;
}
}
}}
########################################
#### Mobilizon
{{mobilizon
server {
server_name __MOBILIZON_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__MOBILIZON_HOST__.__DOMAIN__;
}
}
}}
########################################
#### paheko kaz
{{paheko
# map $http_host $paheko_kaz_map {
# hostnames;
# # déclaration des domaines extérieurs vers un paheko local
# include includes/paheko_kaz_map;
# }
server {
# XXX dans __DOMAIN__ il faudrait remplacer le . par \.
# mais c'est pas grave pour nous. Il n'y a pas de domaine kazXbzh à la racine du NIC
server_name ~^(?<asso>.+)-__PAHEKO_HOST__\.__DOMAIN__$;
include includes/port;
ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__PAHEKO_HOST__.__DOMAIN__;
}
}
}}
#############################################
# dokuwiki kaz
{{dokuwiki
server {
server_name __DOKUWIKI_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__DOKUWIKI_HOST__.__DOMAIN__;
}
}
}}
#############################################
# gitea kaz
{{gitea
server {
server_name __GIT_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__GIT_HOST__.__DOMAIN__:3000;
}
}
}}
#############################################
# vaultwarden
{{vaultwarden
server {
server_name __VAULTWARDEN_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__VAULTWARDEN_HOST__.__DOMAIN__:80;
}
}
}}
#############################################
# imapsync
{{imapsync
server {
server_name __IMAPSYNC_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__IMAPSYNC_HOST__.__DOMAIN__:8080;
}
}
}}
#############################################
# castopod
{{castopod
server {
server_name __CASTOPOD_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__CASTOPOD_HOST__.__DOMAIN__:8000;
}
}
}}
########################################
#### mattermost
{{mattermost
server {
server_name __MATTER_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
include includes/allow_ip;
ssl_ecdh_curve prime256v1:secp384r1:secp521r1;
# test add_header X-Early-Data $tls1_3_early_data;
location ~ /api/v[0-9]+/(users/)?websocket$ {
proxy_pass http://__MATTER_HOST__.__DOMAIN__:8000;
# test proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
#test proxy_set_header Connection $connection_upgrade;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 90;
proxy_send_timeout 300;
proxy_read_timeout 90s;
# test proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# test proxy_set_header Proxy "";
rewrite ^/(.+)$ /$1 break;
}
location / {
proxy_pass http://__MATTER_HOST__.__DOMAIN__:8000;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_read_timeout 600s;
# proxy_cache mattermost_cache; # test
# proxy_cache_lock on; # test
# proxy_cache_min_uses 2; # test
# proxy_cache_revalidate on; # test
# proxy_cache_use_stale timeout; # test
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
}}
########################################
#### nextcloud / collabora
{{cloud
server {
server_name __CLOUD_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__CLOUD_HOST__.__DOMAIN__;
}
}
}}
{{collabora
server {
server_name __OFFICE_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
proxy_set_header Host $http_host;
# static files
location ^~ /loleaflet {
include includes/allow_ip;
proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
}
location ^~ /browser {
include includes/allow_ip;
proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
include includes/allow_ip;
proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
}
# Capabilities
location ^~ /hosting/capabilities {
include includes/allow_ip;
proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
}
# main websocket
location ~ ^/(.|l)ool/(.*)/ws$ {
include includes/allow_ip;
proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/(c|l)ool {
include includes/allow_ip;
proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
}
# Admin Console websocket
location ^~ /(c|l)ool/adminws {
include allow_admin_ip;
proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 36000s;
}
location / {
include includes/allow_ip;
proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
}
}
}}
########################################
#### association
{{orga
map $http_host $cloud_kaz_map {
hostnames;
include includes/cloud_kaz_map;
}
map $http_host $agora_kaz_map {
hostnames;
include includes/agora_kaz_map;
}
map $http_host $wiki_kaz_map {
hostnames;
include includes/wiki_kaz_map;
}
map $http_host $wp_kaz_map {
hostnames;
include includes/wp_kaz_map;
}
map $http_host $pod_kaz_map {
hostnames;
include includes/pod_kaz_map;
}
server {
server_name ~^(?<asso>.+)-__CASTOPOD_HOST__\.__DOMAIN__$;
include includes/pod_kaz_name;
if ($asso = '') {
set $asso $pod_kaz_map;
}
include includes/port;
ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://$asso-__CASTOPOD_HOST__.__DOMAIN__:8000;
}
}
server {
server_name ~^(?<asso>.+)-__CLOUD_HOST__\.__DOMAIN__$;
include includes/cloud_kaz_name;
if ($asso = '') {
set $asso $cloud_kaz_map;
}
include includes/port;
ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://$asso-__CLOUD_HOST__.__DOMAIN__;
}
}
server {
server_name ~^(?<asso>.+)-__OFFICE_HOST__\.__DOMAIN__$;
include includes/port;
ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
include includes/proxy_params;
proxy_set_header Host $http_host;
# static files
location ^~ /loleaflet {
include includes/allow_ip;
proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
}
location ^~ /browser {
include includes/allow_ip;
proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
include includes/allow_ip;
proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
}
# Capabilities
location ^~ /hosting/capabilities {
include includes/allow_ip;
proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
}
# main websocket
location ~ ^/(c|l)ool/(.*)/ws$ {
include includes/allow_ip;
proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/(c|l)ool {
include includes/allow_ip;
proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
}
# Admin Console websocket
location ^~ /(c|l)ool/adminws {
include allow_admin_ip;
proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 36000s;
}
location / {
include includes/allow_ip;
proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
}
}
server {
server_name ~^(?<asso>.+)-__MATTER_HOST__\.__DOMAIN__$;
include includes/agora_kaz_name;
if ($asso = '') {
set $asso $agora_kaz_map;
}
include includes/port;
ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
include includes/proxy_params;
include includes/allow_ip;
ssl_ecdh_curve prime256v1:secp384r1:secp521r1;
add_header X-Early-Data $tls1_3_early_data;
location ~ /api/v[0-9]+/(users/)?websocket$ {
proxy_pass http://$asso-__MATTER_HOST__.__DOMAIN__:8000;
proxy_set_header Connection "upgrade"; # test
# test proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
# test proxy_set_header Connection $connection_upgrade;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 90;
proxy_send_timeout 300;
proxy_read_timeout 90s;
# test proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# test proxy_set_header Proxy "";
rewrite ^/(.+)$ /$1 break;
}
location / {
proxy_pass http://$asso-__MATTER_HOST__.__DOMAIN__:8000;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_read_timeout 600s;
# proxy_cache mattermost_cache; # test
# proxy_cache_lock on; # test
# proxy_cache_min_uses 2; # test
# proxy_cache_revalidate on; # test
# proxy_cache_use_stale timeout; # test
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
server_name ~^(?<asso>.+)-__DOKUWIKI_HOST__\.__DOMAIN__$;
include includes/wiki_kaz_name;
if ($asso = '') {
set $asso $wiki_kaz_map;
}
include includes/port;
ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://$asso-__DOKUWIKI_HOST__.__DOMAIN__;
}
}
server {
server_name ~^(?<asso>.+)-__WORDPRESS_HOST__\.__DOMAIN__$;
include includes/wp_kaz_name;
if ($asso = '') {
set $asso $wp_kaz_map;
}
include includes/port;
ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://$asso-__WORDPRESS_HOST__.__DOMAIN__;
}
}
}}
########################################
#### vigilo kaz
{{vigilo
server {
server_name __VIGILO_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
proxy_set_header X-Real-IP $remote_addr;
location / {
include includes/allow_ip;
proxy_pass http://__VIGILO_HOST__.__DOMAIN__;
proxy_hide_header 'x-frame-options';
#proxy_set_header x-frame-options allowall;
#add_header X-Frame-Options "ALLOW-FROM *";
add_header X-Frame-Options "ALLOWALL";
if ($request_method = OPTIONS) {
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD, DELETE";
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
}
}
}}
########################################
}
Reference in New Issue Copy Permalink