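# Workers run as root so that certificates can be loaded dynamically per
# handshake (ssl_certificate with $ssl_local_cert below needs to read every
# key under /etc/letsencrypt/live/).
# NOTE(review): root workers widen the blast radius of any nginx bug; making
# the key files readable by the worker group would remove the need for root.
user root;

events {
    # NOTE(review): the effective limit is also bounded by the worker's
    # open-file limit (worker_rlimit_nofile / ulimit), which is not set here.
    worker_connections 1000000;
}

http {
    # Docker's embedded DNS; the upstream names used in proxy_pass resolve here.
    resolver 127.0.0.11 ipv6=off;
    server_tokens off;

    ########################################
    #### Upload size limit for all sites (currently 1024M).
    #### To give one site a different limit, set the directive in its server{}.
    client_max_body_size 1024M;

    # NOTE(review): this cookie carries no Secure/HttpOnly/SameSite attributes,
    # and an http-level add_header is not inherited into any server/location
    # that declares its own add_header (e.g. the mattermost and vigilo blocks).
    add_header Set-Cookie lang="fr";

    ########################################
    #### http -> https redirection
    include includes/redirect;

    # RFC 8470 style "Early-Data" value: non-empty when the request arrived as
    # TLS 1.3 0-RTT data, so a backend can refuse replay-sensitive requests.
    map $ssl_early_data $tls1_3_early_data {
        "~." $ssl_early_data;
        default "";
    }

    # WebSocket helper: "upgrade" when the client requested one, "close" otherwise.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # Certificate directory chosen from the SNI name: every *.__DOMAIN__ host
    # uses the __DOMAIN__ certificate, any other name uses its own directory.
    # NOTE(review): the name of the capture group was lost in extraction; the
    # mapped value is a constant, so the group is written as non-capturing.
    # NOTE(review): the default branch builds a filesystem path from the
    # client-supplied SNI. nginx's SNI validation rejects '/' and NUL, so the
    # path should stay under /etc/letsencrypt/live/ (confirm against the nginx
    # version in use), but an unknown name or a missing SNI resolves to a
    # non-existent file and the handshake fails instead of using a fallback.
    map $ssl_server_name $ssl_local_cert {
        volatile;
        hostnames;
        ~^(?:.*\.)__DOMAIN__$ __DOMAIN__;
        default $ssl_server_name;
    }

    ########################################
    #### Default {{web
    #
    ########################################
    #
    #### Autoconfig for Thunderbird
    server {
        server_name autoconfig.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        location /mail/config-v1.1.xml {
            proxy_pass http://__DOMAIN__/mail/config-v1.1.xml;
        }
    }

    # please do not delete
    server {
        server_name autoconfig.bodamcity.fr;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/autoconfig.bodamcity.fr/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/autoconfig.bodamcity.fr/privkey.pem;
        include includes/proxy_params;
        include includes/allow_ip;
        location / {
            proxy_pass http://kaz.bzh;
        }
    }

    # please do not delete
    server {
        server_name autoconfig.legrandmechantlude.org;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/autoconfig.legrandmechantlude.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/autoconfig.legrandmechantlude.org/privkey.pem;
        include includes/proxy_params;
        include includes/allow_ip;
        location / {
            proxy_pass http://kaz.bzh;
        }
    }

    # please do not delete
    server {
        server_name autoconfig.lbrondel-psychotherapie.fr;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/autoconfig.lbrondel-psychotherapie.fr/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/autoconfig.lbrondel-psychotherapie.fr/privkey.pem;
        include includes/proxy_params;
        include includes/allow_ip;
        location / {
            proxy_pass http://kaz.bzh;
        }
    }

    server {
        server_name __DOMAIN__ www.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/www.__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        include includes/allow_ip;
        # XXX >>>
        # keep until June 2021
        location /email.css {
            proxy_pass http://__DOMAIN__/m/email.css;
        }
        location /kaz-50.png {
            proxy_pass http://__DOMAIN__/m/logo.png;
        }
        location /kaz-du-libre-23.png {
            proxy_pass http://__DOMAIN__/m/coche.png;
        }
        # <<<
        location / {
            proxy_pass http://__DOMAIN__;
        }
    }
    }}

    ########################################
    #### Jirafeau (filesender) {{jirafeau
    server {
        server_name __FILE_HOST__.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        location /admin.php {
            # NOTE(review): unlike every other include in this file this path
            # has no "includes/" prefix (same in the etherpad, framadate and
            # collabora admin locations); nginx resolves it relative to its
            # conf prefix and refuses to start if the file is missing, so
            # confirm allow_admin_ip really lives there.
            include allow_admin_ip;
            proxy_pass http://__FILE_HOST__.__DOMAIN__;
        }
        location / {
            include includes/allow_ip;
            proxy_pass http://__FILE_HOST__.__DOMAIN__;
        }
    }
    }}

    ########################################
    #### CALC {{ethercalc
    server {
        server_name __CALC_HOST__.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        location / {
            include includes/allow_ip;
            proxy_pass http://__CALC_HOST__.__DOMAIN__:8000;
        }
    }
    }}

    ########################################
    #### YAKFORMS {{yakforms
    server {
        server_name __YAKFORMS_HOST__.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        location / {
            include includes/allow_ip;
            proxy_pass http://__YAKFORMS_HOST__.__DOMAIN__;
        }
    }
    }}

    ########################################
    #### PAD {{etherpad
    server {
        server_name __PAD_HOST__.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        location /admin/ {
            include allow_admin_ip;
            proxy_pass http://__PAD_HOST__.__DOMAIN__:9001;
        }
        location / {
            include includes/allow_ip;
            proxy_pass http://__PAD_HOST__.__DOMAIN__:9001;
        }
    }
    }}

    ########################################
    #### roundcube {{roundcube
    server {
        server_name __WEBMAIL_HOST__.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        location / {
            include includes/allow_ip;
            proxy_pass http://__WEBMAIL_HOST__.__DOMAIN__;
        }
    }
    }}

    ########################################
    #### Framadate {{framadate
    server {
        server_name __DATE_HOST__.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        location /admin/ {
            include allow_admin_ip;
            proxy_pass http://__DATE_HOST__.__DOMAIN__;
        }
        location / {
            include includes/allow_ip;
            proxy_pass http://__DATE_HOST__.__DOMAIN__;
        }
    }
    }}

    ########################################
    #### LDAP {{ldap
    server {
        server_name __LDAPUI_HOST__.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        location / {
            include includes/allow_ip;
            proxy_pass http://__LDAPUI_HOST__.__DOMAIN__;
        }
    }
    }}

    ########################################
    #### Mobilizon {{mobilizon
    server {
        server_name __MOBILIZON_HOST__.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        location / {
            include includes/allow_ip;
            proxy_pass http://__MOBILIZON_HOST__.__DOMAIN__;
        }
    }
    }}

    ########################################
    #### paheko kaz {{paheko
    # map $http_host $paheko_kaz_map {
    #     hostnames;
    #     # external domains that point to a local paheko
    #     include includes/paheko_kaz_map;
    # }
    server {
        # XXX in __DOMAIN__ the "." should really be escaped as "\."
        # but it does not matter for us: there is no kazXbzh domain at the
        # registry root.
        # NOTE(review): the capture-group name was lost in extraction; "asso"
        # is taken from the sibling "-HOST" server_name patterns below.
        server_name ~^(?<asso>.+)-__PAHEKO_HOST__\.__DOMAIN__$;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
        include includes/proxy_params;
        location / {
            include includes/allow_ip;
            proxy_pass http://__PAHEKO_HOST__.__DOMAIN__;
        }
    }
    }}

    #############################################
    # dokuwiki kaz {{dokuwiki
    server {
        server_name __DOKUWIKI_HOST__.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        location / {
            include includes/allow_ip;
            proxy_pass http://__DOKUWIKI_HOST__.__DOMAIN__;
        }
    }
    }}

    #############################################
    # gitea kaz {{gitea
    server {
        server_name __GIT_HOST__.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        location / {
            include includes/allow_ip;
            proxy_pass http://__GIT_HOST__.__DOMAIN__:3000;
        }
    }
    }}

    #############################################
    # vaultwarden {{vaultwarden
    server {
        server_name __VAULTWARDEN_HOST__.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        location / {
            include includes/allow_ip;
            proxy_pass http://__VAULTWARDEN_HOST__.__DOMAIN__:80;
        }
    }
    }}

    #############################################
    # imapsync {{imapsync
    server {
        server_name __IMAPSYNC_HOST__.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        location / {
            include includes/allow_ip;
            proxy_pass http://__IMAPSYNC_HOST__.__DOMAIN__:8080;
        }
    }
    }}

    #############################################
    # castopod {{castopod
    server {
        server_name __CASTOPOD_HOST__.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        location / {
            include includes/allow_ip;
            proxy_pass http://__CASTOPOD_HOST__.__DOMAIN__:8000;
        }
    }
    }}

    ########################################
    #### mattermost {{mattermost
    server {
        server_name __MATTER_HOST__.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        include includes/allow_ip;
        ssl_ecdh_curve prime256v1:secp384r1:secp521r1;
        # Tell the backend whether the request came in as 0-RTT data.
        # NOTE(review): whether 0-RTT is actually enabled (ssl_early_data)
        # is decided in includes/port, not visible here.
        add_header X-Early-Data $tls1_3_early_data; # test

        location ~ /api/v[0-9]+/(users/)?websocket$ {
            proxy_pass http://__MATTER_HOST__.__DOMAIN__:8000; # test
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            #test proxy_set_header Connection $connection_upgrade;
            client_body_timeout 60;
            send_timeout 300;
            lingering_timeout 5;
            proxy_connect_timeout 90;
            proxy_send_timeout 300;
            proxy_read_timeout 90s; # test
            # Declaring proxy_set_header here stops inheritance of the
            # server-level ones, so the client-address headers are set again.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # test
            # httpoxy mitigation: never forward a client-supplied Proxy header.
            proxy_set_header Proxy "";
            # Rewrites the URI to itself and stops rewrite processing (no-op).
            rewrite ^/(.+)$ /$1 break;
        }

        location / {
            proxy_pass http://__MATTER_HOST__.__DOMAIN__:8000;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_read_timeout 600s;
            # proxy_cache mattermost_cache; # test
            # proxy_cache_lock on; # test
            # proxy_cache_min_uses 2; # test
            # proxy_cache_revalidate on; # test
            # proxy_cache_use_stale timeout; # test
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    }}

    ########################################
    #### nextcloud / collabora {{cloud
    server {
        server_name __CLOUD_HOST__.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        location / {
            include includes/allow_ip;
            proxy_pass http://__CLOUD_HOST__.__DOMAIN__;
        }
    }
    }}

    {{collabora
    server {
        server_name __OFFICE_HOST__.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        proxy_set_header Host $http_host;

        # static files
        location ^~ /loleaflet {
            include includes/allow_ip;
            proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
        }
        location ^~ /browser {
            include includes/allow_ip;
            proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
        }

        # WOPI discovery URL
        location ^~ /hosting/discovery {
            include includes/allow_ip;
            proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
        }

        # Capabilities
        location ^~ /hosting/capabilities {
            include includes/allow_ip;
            proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
        }

        # Admin Console websocket. This must be a regex location and must
        # precede the other "(c|l)ool" regex locations (regex locations are
        # tried in order, first match wins): written as "^~ /(c|l)ool/adminws"
        # the "(c|l)" was a literal prefix that never matched, so
        # /cool/adminws fell through to the generic "(c|l)ool" location,
        # which carries allow_ip instead of allow_admin_ip and no Upgrade
        # headers.
        location ~ ^/(c|l)ool/adminws {
            include allow_admin_ip;
            proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_read_timeout 36000s;
        }

        # main websocket
        # NOTE(review): "(.|l)ool" was changed to "(c|l)ool" to match the orga
        # block below; the old form also matched any single character + "ool".
        # NOTE(review): because this location declares its own
        # proxy_set_header, the server-level Host and the headers from
        # includes/proxy_params are not inherited here (nor in the adminws
        # location); confirm the backend does not need them.
        location ~ ^/(c|l)ool/(.*)/ws$ {
            include includes/allow_ip;
            proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_read_timeout 36000s;
        }

        # download, presentation and image upload
        location ~ ^/(c|l)ool {
            include includes/allow_ip;
            proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
        }

        location / {
            include includes/allow_ip;
            proxy_pass http://__OFFICE_HOST__.__DOMAIN__:9980;
        }
    }
    }}

    ########################################
    #### association {{orga
    # Per-association host tables: each maps an external Host header to the
    # association name used to build the upstream name.
    map $http_host $cloud_kaz_map {
        hostnames;
        include includes/cloud_kaz_map;
    }
    map $http_host $agora_kaz_map {
        hostnames;
        include includes/agora_kaz_map;
    }
    map $http_host $wiki_kaz_map {
        hostnames;
        include includes/wiki_kaz_map;
    }
    map $http_host $wp_kaz_map {
        hostnames;
        include includes/wp_kaz_map;
    }
    map $http_host $pod_kaz_map {
        hostnames;
        include includes/pod_kaz_map;
    }

    # In the servers below $asso comes from the server_name capture (the
    # group name was lost in extraction and is restored from the $asso uses
    # that follow); the *_kaz_name include and the map fallback fill it in
    # for external hostnames.
    server {
        server_name ~^(?<asso>.+)-__CASTOPOD_HOST__\.__DOMAIN__$;
        include includes/pod_kaz_name;
        if ($asso = '') {
            set $asso $pod_kaz_map;
        }
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
        include includes/proxy_params;
        location / {
            include includes/allow_ip;
            proxy_pass http://$asso-__CASTOPOD_HOST__.__DOMAIN__:8000;
        }
    }

    server {
        server_name ~^(?<asso>.+)-__CLOUD_HOST__\.__DOMAIN__$;
        include includes/cloud_kaz_name;
        if ($asso = '') {
            set $asso $cloud_kaz_map;
        }
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
        include includes/proxy_params;
        location / {
            include includes/allow_ip;
            proxy_pass http://$asso-__CLOUD_HOST__.__DOMAIN__;
        }
    }

    # NOTE(review): unlike its siblings this server has no *_kaz_name include
    # and no map fallback, so $asso is only ever the server_name capture.
    server {
        server_name ~^(?<asso>.+)-__OFFICE_HOST__\.__DOMAIN__$;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
        include includes/proxy_params;
        proxy_set_header Host $http_host;

        # static files
        location ^~ /loleaflet {
            include includes/allow_ip;
            proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
        }
        location ^~ /browser {
            include includes/allow_ip;
            proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
        }

        # WOPI discovery URL
        location ^~ /hosting/discovery {
            include includes/allow_ip;
            proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
        }

        # Capabilities
        location ^~ /hosting/capabilities {
            include includes/allow_ip;
            proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
        }

        # Admin Console websocket: regex location, placed before the other
        # "(c|l)ool" regex locations for the same reason as in the
        # {{collabora block (a "^~" prefix location cannot express "(c|l)").
        location ~ ^/(c|l)ool/adminws {
            include allow_admin_ip;
            proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_read_timeout 36000s;
        }

        # main websocket
        location ~ ^/(c|l)ool/(.*)/ws$ {
            include includes/allow_ip;
            proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_read_timeout 36000s;
        }

        # download, presentation and image upload
        location ~ ^/(c|l)ool {
            include includes/allow_ip;
            proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
        }

        location / {
            include includes/allow_ip;
            proxy_pass http://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
        }
    }

    server {
        server_name ~^(?<asso>.+)-__MATTER_HOST__\.__DOMAIN__$;
        include includes/agora_kaz_name;
        if ($asso = '') {
            set $asso $agora_kaz_map;
        }
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
        include includes/proxy_params;
        include includes/allow_ip;
        ssl_ecdh_curve prime256v1:secp384r1:secp521r1;
        add_header X-Early-Data $tls1_3_early_data;

        location ~ /api/v[0-9]+/(users/)?websocket$ {
            proxy_pass http://$asso-__MATTER_HOST__.__DOMAIN__:8000;
            proxy_set_header Connection "upgrade"; # test
            # test
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            # test proxy_set_header Connection $connection_upgrade;
            client_body_timeout 60;
            send_timeout 300;
            lingering_timeout 5;
            proxy_connect_timeout 90;
            proxy_send_timeout 300;
            proxy_read_timeout 90s; # test
            # Re-set here because a local proxy_set_header disables
            # inheritance of the server-level ones.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # test
            # httpoxy mitigation: never forward a client-supplied Proxy header.
            proxy_set_header Proxy "";
            # Rewrites the URI to itself and stops rewrite processing (no-op).
            rewrite ^/(.+)$ /$1 break;
        }

        location / {
            proxy_pass http://$asso-__MATTER_HOST__.__DOMAIN__:8000;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_read_timeout 600s;
            # proxy_cache mattermost_cache; # test
            # proxy_cache_lock on; # test
            # proxy_cache_min_uses 2; # test
            # proxy_cache_revalidate on; # test
            # proxy_cache_use_stale timeout; # test
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    server {
        server_name ~^(?<asso>.+)-__DOKUWIKI_HOST__\.__DOMAIN__$;
        include includes/wiki_kaz_name;
        if ($asso = '') {
            set $asso $wiki_kaz_map;
        }
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
        include includes/proxy_params;
        location / {
            include includes/allow_ip;
            proxy_pass http://$asso-__DOKUWIKI_HOST__.__DOMAIN__;
        }
    }

    server {
        server_name ~^(?<asso>.+)-__WORDPRESS_HOST__\.__DOMAIN__$;
        include includes/wp_kaz_name;
        if ($asso = '') {
            set $asso $wp_kaz_map;
        }
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
        include includes/proxy_params;
        location / {
            include includes/allow_ip;
            proxy_pass http://$asso-__WORDPRESS_HOST__.__DOMAIN__;
        }
    }
    }}

    ########################################
    #### vigilo kaz {{vigilo
    server {
        server_name __VIGILO_HOST__.__DOMAIN__;
        include includes/port;
        ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
        include includes/proxy_params;
        proxy_set_header X-Real-IP $remote_addr;
        location / {
            include includes/allow_ip;
            proxy_pass http://__VIGILO_HOST__.__DOMAIN__;
            # The upstream's X-Frame-Options is stripped and replaced so the
            # site can be embedded elsewhere.
            proxy_hide_header 'x-frame-options';
            #proxy_set_header x-frame-options allowall;
            #add_header X-Frame-Options "ALLOW-FROM *";
            # NOTE(review): "ALLOWALL" is not a defined X-Frame-Options value;
            # browsers ignore it, which is what makes framing possible here
            # but also means there is no clickjacking protection at all. If
            # only specific origins should embed vigilo, a
            # Content-Security-Policy frame-ancestors header is the supported
            # way to say so.
            add_header X-Frame-Options "ALLOWALL";
            # CORS preflight answered directly by nginx.
            if ($request_method = OPTIONS) {
                add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD, DELETE";
                add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
                add_header 'Content-Type' 'text/plain charset=UTF-8';
                add_header 'Content-Length' 0;
                return 204;
            }
        }
    }
    }}
    ########################################
}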