supp version de chaque docker-compose et vire le proxy nginx

This commit is contained in:
HPL 2024-08-16 23:51:23 +02:00
parent 4366dde71a
commit 122dd57b83
32 changed files with 0 additions and 1291 deletions


@ -1,4 +1,3 @@
version: '3.8'
services:
api-service:
build: ./source/


@ -1,5 +1,3 @@
version: "3"
services:
cachet:


@ -1,5 +1,3 @@
version: '3.3'
services:
cloud:


@ -1,5 +1,3 @@
version: '3.3'
services:
collabora:


@ -1,5 +1,3 @@
version: '2.1'
services:
dokuwiki:


@ -1,5 +1,3 @@
version: '3.3'
services:
calc:


@ -1,5 +1,3 @@
version: '3.3'
services:
pad:


@ -1,5 +1,3 @@
version: '3.3'
services:
framadate:


@ -1,4 +1,3 @@
version: '3'
services:
web:
image: gitea/gitea
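Review bot: `image: gitea/gitea` carries no tag, so every pull resolves it to whatever `latest` points at that day and the deployed Gitea version is decided by the registry rather than by this repository. Pin it to a release and a digest, `image: gitea/gitea:<release>@sha256:<digest>`, and bump deliberately so a compromised or breaking upstream push cannot land unreviewed. The `web:` service definition continues past the hunk.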


@ -1,5 +1,3 @@
version: '3'
services:
prometheus:


@ -1,5 +1,3 @@
version: '3.3'
services:
imapsync:


@ -1,8 +1,6 @@
# jirafeauDir doit être déclaré dans .env qui pointe sur ../../config/docker.env
# car les variables déclarées dans env_file: ne sont pas encore connues dans volumes:
version: '3'
services:
jirafeau:
image: filekaz
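Review bot: Nothing in this service replaces the administrator IP allow-list that the deleted reverse-proxy template applied to jirafeau's `/admin.php` (`location /admin.php { include allow_admin_ip; ... }` in the removed nginx config), and the same gate also covered etherpad `/admin/`, framadate `/admin/` and the Collabora `adminws` locations. Unless whatever now fronts the stack re-applies that restriction, those admin endpoints become reachable from any source address, which this commit does not address. I would at least record the gap next to the service, `# TODO: /admin.php was IP-restricted by the removed reverse proxy; re-apply at the new front-end`, until the replacement is in place. The `jirafeau:` service definition continues past the hunk.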


@ -6,7 +6,6 @@
# apt install ldap-utils
# ldapsearch -x -H ldaps://kaz.local -D "cn=admin,dc=kaz,dc=local" -W
version: '2'
services:
web:


@ -1,5 +1,3 @@
version: "3"
services:
app:


@ -1,5 +1,3 @@
version: "3.9"
services:
mobilizon:
image: framasoft/mobilizon:latest
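Review bot: `image: framasoft/mobilizon:latest` is a floating tag, so the code running in this container changes at every pull with no corresponding change in this file, which defeats review of upgrades and makes rollback guesswork. Pin a release tag plus digest, `image: framasoft/mobilizon:<release>@sha256:<digest>`, and update it on purpose. The `mobilizon:` service definition continues past the hunk.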


@ -1,5 +1,3 @@
version: '3.5'
services:
paheko:


@ -1,5 +1,3 @@
version: '3.3'
services:
mail:
image: postfixkaz


@ -1,5 +1,3 @@
version: '3.3'
services:
mail:
image: docker.io/mailserver/docker-mailserver:latest
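Review bot: `image: docker.io/mailserver/docker-mailserver:latest` pins nothing, so a service that presumably accepts connections from the internet (it is the mail service) will silently change version at the next pull, including any breaking change to its authentication or relay settings. Pin it to a release and digest, `image: docker.io/mailserver/docker-mailserver:<release>@sha256:<digest>`, so upgrades go through this repository. The `mail:` service definition continues past the hunk.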


@ -1 +0,0 @@
../../config/dockers.env


@ -1,22 +0,0 @@
FROM nginx
########################################
# APT local cache
# work around because COPY failed if no source file
COPY .dummy .apt-mirror-confi[g] .proxy-confi[g] /
RUN cp /.proxy-config /etc/profile.d/proxy.sh 2> /dev/null || true
RUN if [ -f /.apt-mirror-config ] ; then . /.apt-mirror-config && sed -i \
-e "s/deb.debian.org/${APT_MIRROR_DEBIAN}/g" \
-e "s/security.debian.org/${APT_MIRROR_DEBIAN_SECURITY}/g" \
-e "s/archive.ubuntu.com/${APT_MIRROR_UBUNTU}/g" \
-e "s/security.ubuntu.com/${APT_MIRROR_UBUNTU_SECURITY}/g" \
/etc/apt/sources.list; fi
########################################
RUN apt-get update --quiet && apt-get upgrade -y
RUN apt install -y python3 python3-venv libaugeas0
RUN python3 -m venv /opt/certbot/
RUN /opt/certbot/bin/python -m pip install --upgrade pip
RUN /opt/certbot/bin/python -m pip install certbot certbot-nginx
RUN ln -s /opt/certbot/bin/certbot /usr/bin/certbot


@ -1,43 +0,0 @@
Pour l'installation d'un mandataire pour aiguiller les demandes web
Contenu du répertoire :
.
├── conf Paramettrage du mandataire
│   ├── allow_admin_ip Les adresses IP des administrateur pour les URI protégés
│   ├── nginx.conf La config du mandataire produite automatiquement
│   ├── nginx.conf.tmpl Modèle de config du mandataire
│   ├── proxy_params Le paramétrage de transmetre des requêtes
│   └── proxy-gen.sh Le script de production à partir du modèle
├── docker-compose.yml Scénario de lancement
└── Readme.txt Ce fichier
# cd /dockers/proxy
1) Lancement du mandataire
Dans docker-compose.yml
- il y a nommage du container
# docker-compose up -d
2) Verification
Il y a un container reverse-proxy
# docker ps | grep reverse
3) Modification de config
Il faut éditer
# cd conf
# emacs .env nginx.conf.tmpl
# ./proxy-gen.sh
4) Arrêt du mandataire
# docker-compose down
A faire:
Impose le https dans le cache du navigateur
7776000 (= 90jours)
31536000 (= 365 jours)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;


@ -1,11 +0,0 @@
#!/bin/bash
KAZ_ROOT=$(cd "$(dirname $0)/../.."; pwd)
. "${KAZ_ROOT}/bin/.commonFunctions.sh"
setKazVars
printKazMsg "\n *** Création du Dockerfile proxy"
cd "${KAZ_ROOT}"
docker build -t proxykaz . -f dockers/proxy/Dockerfile


@ -1,734 +0,0 @@
# pour l'utilisation de certificats dynamique
user root;
events {
worker_connections 1000000;
}
http {
resolver 127.0.0.11 ipv6=off;
server_tokens off;
########################################
#### autoriser des uploads de 50Mo max
#### pour tous les sites
### sinon placer la variable dans chaque server{}
client_max_body_size 1024M;
add_header Set-Cookie lang="fr";
########################################
#### redirection http vers https
include includes/redirect;
map $ssl_early_data $tls1_3_early_data {
"~." $ssl_early_data;
default "";
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
map $ssl_server_name $ssl_local_cert {
volatile;
hostnames;
~^(?<sub_dom>.*\.)__DOMAIN__$ __DOMAIN__;
default $ssl_server_name;
}
########################################
#### Default
{{web
# ########################################
# #### Autoconfig pour thunderbird
server {
server_name autoconfig.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location /mail/config-v1.1.xml {
proxy_pass http://__DOMAIN__/mail/config-v1.1.xml;
}
}
# merci de ne pas effacer
server {
server_name autoconfig.bodamcity.fr;
include includes/port;
ssl_certificate /etc/letsencrypt/live/autoconfig.bodamcity.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/autoconfig.bodamcity.fr/privkey.pem;
include includes/proxy_params;
include includes/allow_ip;
location / {
proxy_pass http://kaz.bzh;
}
}
# merci de ne pas effacer
server {
server_name autoconfig.legrandmechantlude.org;
include includes/port;
ssl_certificate /etc/letsencrypt/live/autoconfig.legrandmechantlude.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/autoconfig.legrandmechantlude.org/privkey.pem;
include includes/proxy_params;
include includes/allow_ip;
location / {
proxy_pass http://kaz.bzh;
}
}
# merci de ne pas effacer
server {
server_name autoconfig.lbrondel-psychotherapie.fr;
include includes/port;
ssl_certificate /etc/letsencrypt/live/autoconfig.lbrondel-psychotherapie.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/autoconfig.lbrondel-psychotherapie.fr/privkey.pem;
include includes/proxy_params;
include includes/allow_ip;
location / {
proxy_pass http://kaz.bzh;
}
}
server {
server_name __DOMAIN__ www.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/www.__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.__DOMAIN__/privkey.pem;
include includes/proxy_params;
include includes/allow_ip;
# XXX >>>
# A concerver jusqu'en juin 2021
location /email.css {
proxy_pass http://__DOMAIN__/m/email.css;
}
location /kaz-50.png {
proxy_pass http://__DOMAIN__/m/logo.png;
}
location /kaz-du-libre-23.png {
proxy_pass http://__DOMAIN__/m/coche.png;
}
# <<<
location / {
proxy_pass http://__DOMAIN__;
}
}
}}
########################################
#### Jirafeau (filesender)
{{jirafeau
server {
server_name __FILE_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location /admin.php {
include allow_admin_ip;
proxy_pass http://__FILE_HOST__.__DOMAIN__;
}
location / {
include includes/allow_ip;
proxy_pass http://__FILE_HOST__.__DOMAIN__;
}
}
}}
########################################
#### CALC
{{ethercalc
server {
server_name __CALC_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__CALC_HOST__.__DOMAIN__:8000;
}
}
}}
########################################
#### YAKFORMS
{{yakforms
server {
server_name __YAKFORMS_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__YAKFORMS_HOST__.__DOMAIN__;
}
}
}}
########################################
#### PAD
{{etherpad
server {
server_name __PAD_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location /admin/ {
include allow_admin_ip;
proxy_pass http://__PAD_HOST__.__DOMAIN__:9001;
}
location / {
include includes/allow_ip;
proxy_pass http://__PAD_HOST__.__DOMAIN__:9001;
}
}
}}
########################################
#### roundcube
{{roundcube
server {
server_name __WEBMAIL_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__WEBMAIL_HOST__.__DOMAIN__;
}
}
}}
########################################
#### Framadate
{{framadate
server {
server_name __DATE_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location /admin/ {
include allow_admin_ip;
proxy_pass http://__DATE_HOST__.__DOMAIN__;
}
location / {
include includes/allow_ip;
proxy_pass http://__DATE_HOST__.__DOMAIN__;
}
}
}}
########################################
#### LDAP
{{ldap
server {
server_name __LDAPUI_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__LDAPUI_HOST__.__DOMAIN__;
}
}
}}
########################################
#### Mobilizon
{{mobilizon
server {
server_name __MOBILIZON_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__MOBILIZON_HOST__.__DOMAIN__;
}
}
}}
########################################
#### paheko kaz
{{paheko
# map $http_host $paheko_kaz_map {
# hostnames;
# # déclaration des domaines extérieurs vers un paheko local
# include includes/paheko_kaz_map;
# }
server {
# XXX dans __DOMAIN__ il faudrait remplacer le . par \.
# mais c'est pas grave pour nous. Il n'y a pas de domaine kazXbzh à la racine du NIC
server_name ~^(?<asso>.+)-__PAHEKO_HOST__\.__DOMAIN__$;
include includes/port;
ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__PAHEKO_HOST__.__DOMAIN__;
}
}
}}
#############################################
# dokuwiki kaz
{{dokuwiki
server {
server_name __DOKUWIKI_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__DOKUWIKI_HOST__.__DOMAIN__;
}
}
}}
#############################################
# gitea kaz
{{gitea
server {
server_name __GIT_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__GIT_HOST__.__DOMAIN__:3000;
}
}
}}
#############################################
# vaultwarden
{{vaultwarden
server {
server_name __VAULTWARDEN_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__VAULTWARDEN_HOST__.__DOMAIN__:80;
}
}
}}
#############################################
# imapsync
{{imapsync
server {
server_name __IMAPSYNC_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__IMAPSYNC_HOST__.__DOMAIN__:8080;
}
}
}}
#############################################
# castopod
{{castopod
server {
server_name __CASTOPOD_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__CASTOPOD_HOST__.__DOMAIN__:8000;
}
}
}}
########################################
#### mattermost
{{mattermost
server {
server_name __MATTER_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
include includes/allow_ip;
ssl_ecdh_curve prime256v1:secp384r1:secp521r1;
# test add_header X-Early-Data $tls1_3_early_data;
location ~ /api/v[0-9]+/(users/)?websocket$ {
proxy_pass http://__MATTER_HOST__.__DOMAIN__:8000;
# test proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
#test proxy_set_header Connection $connection_upgrade;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 90;
proxy_send_timeout 300;
proxy_read_timeout 90s;
# test proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# test proxy_set_header Proxy "";
rewrite ^/(.+)$ /$1 break;
}
location / {
proxy_pass http://__MATTER_HOST__.__DOMAIN__:8000;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_read_timeout 600s;
# proxy_cache mattermost_cache; # test
# proxy_cache_lock on; # test
# proxy_cache_min_uses 2; # test
# proxy_cache_revalidate on; # test
# proxy_cache_use_stale timeout; # test
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
}}
########################################
#### nextcloud / collabora
{{cloud
server {
server_name __CLOUD_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://__CLOUD_HOST__.__DOMAIN__;
}
}
}}
{{collabora
server {
server_name __OFFICE_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
proxy_set_header Host $http_host;
# static files
location ^~ /loleaflet {
include includes/allow_ip;
proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
}
location ^~ /browser {
include includes/allow_ip;
proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
include includes/allow_ip;
proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
}
# Capabilities
location ^~ /hosting/capabilities {
include includes/allow_ip;
proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
}
# main websocket
location ~ ^/(.|l)ool/(.*)/ws$ {
include includes/allow_ip;
proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/(c|l)ool {
include includes/allow_ip;
proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
}
# Admin Console websocket
location ^~ /(c|l)ool/adminws {
include allow_admin_ip;
proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 36000s;
}
location / {
include includes/allow_ip;
proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
}
}
}}
########################################
#### association
{{orga
map $http_host $cloud_kaz_map {
hostnames;
include includes/cloud_kaz_map;
}
map $http_host $agora_kaz_map {
hostnames;
include includes/agora_kaz_map;
}
map $http_host $wiki_kaz_map {
hostnames;
include includes/wiki_kaz_map;
}
map $http_host $wp_kaz_map {
hostnames;
include includes/wp_kaz_map;
}
map $http_host $pod_kaz_map {
hostnames;
include includes/pod_kaz_map;
}
server {
server_name ~^(?<asso>.+)-__CASTOPOD_HOST__\.__DOMAIN__$;
include includes/pod_kaz_name;
if ($asso = '') {
set $asso $pod_kaz_map;
}
include includes/port;
ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://$asso-__CASTOPOD_HOST__.__DOMAIN__:8000;
}
}
server {
server_name ~^(?<asso>.+)-__CLOUD_HOST__\.__DOMAIN__$;
include includes/cloud_kaz_name;
if ($asso = '') {
set $asso $cloud_kaz_map;
}
include includes/port;
ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://$asso-__CLOUD_HOST__.__DOMAIN__;
}
}
server {
server_name ~^(?<asso>.+)-__OFFICE_HOST__\.__DOMAIN__$;
include includes/port;
ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
include includes/proxy_params;
proxy_set_header Host $http_host;
# static files
location ^~ /loleaflet {
include includes/allow_ip;
proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
}
location ^~ /browser {
include includes/allow_ip;
proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
include includes/allow_ip;
proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
}
# Capabilities
location ^~ /hosting/capabilities {
include includes/allow_ip;
proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
}
# main websocket
location ~ ^/(c|l)ool/(.*)/ws$ {
include includes/allow_ip;
proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/(c|l)ool {
include includes/allow_ip;
proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
}
# Admin Console websocket
location ^~ /(c|l)ool/adminws {
include allow_admin_ip;
proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 36000s;
}
location / {
include includes/allow_ip;
proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
}
}
server {
server_name ~^(?<asso>.+)-__MATTER_HOST__\.__DOMAIN__$;
include includes/agora_kaz_name;
if ($asso = '') {
set $asso $agora_kaz_map;
}
include includes/port;
ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
include includes/proxy_params;
include includes/allow_ip;
ssl_ecdh_curve prime256v1:secp384r1:secp521r1;
add_header X-Early-Data $tls1_3_early_data;
location ~ /api/v[0-9]+/(users/)?websocket$ {
proxy_pass http://$asso-__MATTER_HOST__.__DOMAIN__:8000;
proxy_set_header Connection "upgrade"; # test
# test proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
# test proxy_set_header Connection $connection_upgrade;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 90;
proxy_send_timeout 300;
proxy_read_timeout 90s;
# test proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# test proxy_set_header Proxy "";
rewrite ^/(.+)$ /$1 break;
}
location / {
proxy_pass http://$asso-__MATTER_HOST__.__DOMAIN__:8000;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_read_timeout 600s;
# proxy_cache mattermost_cache; # test
# proxy_cache_lock on; # test
# proxy_cache_min_uses 2; # test
# proxy_cache_revalidate on; # test
# proxy_cache_use_stale timeout; # test
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
server_name ~^(?<asso>.+)-__DOKUWIKI_HOST__\.__DOMAIN__$;
include includes/wiki_kaz_name;
if ($asso = '') {
set $asso $wiki_kaz_map;
}
include includes/port;
ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://$asso-__DOKUWIKI_HOST__.__DOMAIN__;
}
}
server {
server_name ~^(?<asso>.+)-__WORDPRESS_HOST__\.__DOMAIN__$;
include includes/wp_kaz_name;
if ($asso = '') {
set $asso $wp_kaz_map;
}
include includes/port;
ssl_certificate /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
include includes/proxy_params;
location / {
include includes/allow_ip;
proxy_pass http://$asso-__WORDPRESS_HOST__.__DOMAIN__;
}
}
}}
########################################
#### vigilo kaz
{{vigilo
server {
server_name __VIGILO_HOST__.__DOMAIN__;
include includes/port;
ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
include includes/proxy_params;
proxy_set_header X-Real-IP $remote_addr;
location / {
include includes/allow_ip;
proxy_pass http://__VIGILO_HOST__.__DOMAIN__;
proxy_hide_header 'x-frame-options';
#proxy_set_header x-frame-options allowall;
#add_header X-Frame-Options "ALLOW-FROM *";
add_header X-Frame-Options "ALLOWALL";
if ($request_method = OPTIONS) {
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD, DELETE";
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
}
}
}}
########################################
}

View File

@ -1,242 +0,0 @@
# if faut définir les variables d'environnement avant
# ln -s ../dockers.env .env
version: '3.3'
services:
reverse-proxy:
image: proxykaz
container_name: ${proxyServName}
restart: ${restartPolicy}
ports:
- ${MAIN_IP}:80:80
- ${MAIN_IP}:443:443
# - 80:80
# - 443:443
external_links:
- ${proxyServName}:proxy.${domain}
{{web
- ${webServName}:${domain}
}}
{{jirafeau
- ${jirafeauServName}:${fileHost}.${domain}
}}
{{ethercalc
- ${ethercalcServName}:${calcHost}.${domain}
}}
{{etherpad
- ${etherpadServName}:${padHost}.${domain}
}}
{{framadate
- ${framadateServName}:${dateHost}.${domain}
}}
{{ldap
- ${ldapUIName}:${ldapUIHost}.${domain}
}}
{{mobilizon
- ${mobilizonServName}:${mobilizonHost}.${domain}
}}
{{cloud
- ${nextcloudServName}:${cloudHost}.${domain}
}}
{{collabora
- ${officeServName}:${site}-${officeHost}.${domain}
}}
{{paheko
- ${pahekoServName}:${pahekoHost}.${domain}
}}
{{mattermost
- ${mattermostServName}:${matterHost}.${domain}
}}
{{roundcube
- ${roundcubeServName}:${webmailHost}.${domain}
}}
{{gitea
- ${gitServName}:${gitHost}.${domain}
}}
{{dokuwiki
- ${dokuwikiServName}:${dokuwikiHost}.${domain}
}}
{{vigilo
- ${vigiloServName}:${vigiloHost}.${domain}
}}
{{postfix
- ${smtpServName}:${smtpHost}.${domain}
}}
{{vaultwarden
- ${vaultwardenServName}:${vaultwardenHost}.${domain}
}}
{{imapsync
- ${imapsyncServName}:${imapsyncHost}.${domain}
}}
{{castopod
- ${castopodServName}:${castopodHost}.${domain}
}}
#### BEGIN ORGA HOST
#### END ORGA HOST
networks:
- proxyNet
{{web
- webNet
}}
{{jirafeau
- jirafeauNet
}}
{{ethercalc
- ethercalcNet
}}
{{etherpad
- etherpadNet
}}
{{framadate
- framadateNet
}}
{{ldap
- ldapNet
}}
{{mobilizon
- mobilizonNet
}}
{{cloud
- cloudNet
}}
{{collabora
- collaboraNet
}}
{{paheko
- pahekoNet
}}
{{mattermost
- mattermostNet
}}
{{roundcube
- roundcubeNet
}}
{{gitea
- giteaNet
}}
{{dokuwiki
- dokuwikiNet
}}
{{postfix
- postfixNet
}}
{{vaultwarden
- vaultwardenNet
}}
{{imapsync
- imapsyncNet
}}
{{castopod
- castopodNet
}}
#### BEGIN ORGA USE_NET
#### END ORGA USE_NET
volumes:
- ../../config/proxy/:/etc/nginx/includes/:rw
- ../../secret/allow_admin_ip:/etc/nginx/allow_admin_ip:ro
- ./config/nginx.conf:/etc/nginx/nginx.conf:rw
- /etc/ssl:/etc/ssl:ro
- /etc/letsencrypt:/etc/letsencrypt:rw
- /etc/localtime:/etc/localtime:ro
- /etc/timezone:/etc/timezone:ro
- /root/mkcert:/root/mkcert:ro
networks:
proxyNet:
external: true
name: proxyNet
{{web
webNet:
external: true
name: webNet
}}
{{jirafeau
jirafeauNet:
external: true
name: jirafeauNet
}}
{{ethercalc
ethercalcNet:
external: true
name: ethercalcNet
}}
{{etherpad
etherpadNet:
external: true
name: etherpadNet
}}
{{framadate
framadateNet:
external: true
name: framadateNet
}}
{{ldap
ldapNet:
external: true
name: ldapNet
}}
{{mobilizon
mobilizonNet:
external: true
name: mobilizonNet
}}
{{cloud
cloudNet:
external: true
name: cloudNet
}}
{{collabora
collaboraNet:
external: true
name: collaboraNet
}}
{{paheko
pahekoNet:
external: true
name: pahekoNet
}}
{{mattermost
mattermostNet:
external: true
name: mattermostNet
}}
{{roundcube
roundcubeNet:
external: true
name: roundcubeNet
}}
{{gitea
giteaNet:
external: true
name: giteaNet
}}
{{dokuwiki
dokuwikiNet:
external: true
name: dokuwikiNet
}}
{{postfix
postfixNet:
external: true
name: postfixNet
}}
{{vaultwarden
vaultwardenNet:
external: true
name: vaultwardenNet
}}
{{imapsync
imapsyncNet:
external: true
name: imapsyncNet
}}
{{castopod
castopodNet:
external: true
name: castopodNet
}}
#### BEGIN ORGA DEF_NET
#### END ORGA DEF_NET

View File

@ -1,127 +0,0 @@
#!/bin/bash
KAZ_ROOT=$(cd "$(dirname $0)/../.."; pwd)
. "${KAZ_ROOT}/bin/.commonFunctions.sh"
setKazVars
. "${DOCKERS_ENV}"
printKazMsg "\n *** Proxy update config"
NGINX_TMPL=config/nginx.tmpl.conf
NGINX_CONF=config/nginx.conf
DOCKER_DIST=docker-compose.tmpl.yml.dist
DOCKER_TMPL=docker-compose.tmpl.yml
DOCKER_CONF=docker-compose.yml
for service in agora cloud paheko wiki wp pod; do
touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_map"
touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_name"
done
# update port
PROXY_ALLOW_CFG="${KAZ_CONF_PROXY_DIR}/allow_ip"
if [ ! -f "${PROXY_ALLOW_CFG}" ]; then
cat > "${PROXY_ALLOW_CFG}" <<EOF
allow all;
EOF
fi
# update port
PROXY_PORT_CFG="${KAZ_CONF_PROXY_DIR}/port"
if [ ! -f "${PROXY_PORT_CFG}" ]; then
case "${domain}" in
kaz.bzh)
SSL_CERT="/etc/ssl/certs/wildcard_${domain//./_}.chain.pem"
SSL_KEY="/etc/ssl/private/wildcard_${domain//./_}.key.pem"
;;
kaz.local)
SSL_CERT="/etc/letsencrypt/local/_wildcard.${domain}.pem"
SSL_KEY="/etc/letsencrypt/local/_wildcard.${domain}-key.pem"
;;
*)
SSL_CERT="/etc/letsencrypt/live/${domain}/fullchain.pem"
SSL_KEY="/etc/letsencrypt/live/${domain}/privkey.pem"
;;
esac
cat > "${PROXY_PORT_CFG}" <<EOF
listen 443 ssl http2;
ssl_certificate ${SSL_CERT};
ssl_certificate_key ${SSL_KEY};
ssl_session_timeout 1d;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_early_data on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
EOF
fi
# update redirect
PROXY_REDIRECT="${KAZ_CONF_PROXY_DIR}/redirect"
if [ ! -f "${PROXY_REDIRECT}" ]; then
cat > "${PROXY_REDIRECT}" <<EOF
server {
listen 80;
return 301 https://\$host\$request_uri;
}
# file
server {
listen 80;
server_name file.${domain};
return 301 https://depot.${domain}\$request_uri;
}
# cacl
server {
listen 80;
server_name calc.${domain};
return 301 https://tableur.${domain}\$request_uri;
}
# date
server {
listen 80;
server_name date.${domain};
return 301 https://sondage.${domain}\$request_uri;
}
# cloud
server {
listen 80;
server_name bureau.${domain};
return 301 https://cloud.${domain}\$request_uri;
}
# mattermost
server {
listen 80;
server_name mattermost.${domain};
return 301 https://agora.${domain}\$request_uri;
}
# dokuwiki
server {
listen 80;
server_name dokuwiki.${domain};
return 301 https://wiki.${domain}\$request_uri;
}
# castopod
server {
listen 80;
server_name pod.${domain};
return 301 https://pod.${domain}\$request_uri;
}
EOF
fi
cd $(dirname $0)
[[ -f "${DOCKER_TMPL}" ]] || cp "${DOCKER_DIST}" "${DOCKER_TMPL}"
"${APPLY_TMPL}" -time "${DOCKER_TMPL}" "${DOCKER_CONF}"
"${APPLY_TMPL}" -time "${NGINX_TMPL}" "${NGINX_CONF}"
#("${KAZ_COMP_DIR}/web/web-gen.sh" ) &

View File

@ -1,3 +0,0 @@
#!/bin/bash
docker exec -i proxyServ bash -c "/etc/init.d/nginx reload"

View File

@ -1,68 +0,0 @@
Exemple pour nginx en ssl
server {
listen 80;
listen [::]:80;
server_name your_domain www.your_domain;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/html;
}
location / {
rewrite ^ https://$host$request_uri? permanent;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name your_domain www.your_domain;
index index.php index.html index.htm;
root /var/www/html;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/your_domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
<location / {
try_files $uri $uri/ /index.php$is_args$args;
}
rewrite ^/core/authorize.php/core/authorize.php(.*)$ /core/authorize.php$1;
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass drupal:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location ~ /\.ht {
deny all;
}
location = /favicon.ico {
log_not_found off; access_log off;
}
location = /robots.txt {
log_not_found off; access_log off; allow all;
}
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
}

View File

@ -1,5 +1,3 @@
version: "3.5"
services:
quotas:

View File

@ -1,4 +1,3 @@
version: '3.3'
services:
app:

View File

@ -1,5 +1,3 @@
version: '3.3'
services:
mail:

View File

@ -1,4 +1,3 @@
version: '3.9'
services:
vaultwarden:

View File

@ -1,4 +1,3 @@
version: '3'
services:
web:
image: nginx
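Review bot: `image: nginx` with no tag floats to `latest`, so the web server version is whatever the registry serves at pull time; pin it, `image: nginx:<major.minor>@sha256:<digest>`, so that upgrades of an internet-facing component are reviewed here. Since this same commit deletes the dedicated reverse proxy whose config carried the HTTP-to-HTTPS redirect, the TLS settings and the `allow_admin_ip` gates, none of which reappear in this file, it is worth confirming where those now live if this `web` container is what fronts the stack. The `web:` service definition continues past the hunk.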