# Workers run as root so that certificate paths chosen at run time (the
# $ssl_local_cert map below builds them from the SNI name) can be read from
# /etc/letsencrypt/live.
# NOTE(review): this gives every worker process root privileges; giving the
# nginx user read access to the certificate directories would allow dropping it.
user root;

events {
    # NOTE(review): nginx logs a warning at start-up when this value exceeds the
    # open-file limit of the process.
    worker_connections 1000000;
}
http {
# Upstreams are addressed by container name; a resolver is required because
# several proxy_pass targets below contain variables (presumably Docker's
# embedded DNS at 127.0.0.11).
resolver 127.0.0.11 ipv6=off;
server_tokens off;

########################################
# Request-body limit shared by every server{} that does not override it.
# NOTE(review): the historical comment mentioned 50 MB; the configured
# value is 1024M.
client_max_body_size 1024M;

# Language cookie added to every response.
# NOTE(review): the cookie carries no Path/Secure/HttpOnly/SameSite
# attributes, and add_header is not inherited into a server{} or location{}
# that declares its own add_header (the vigilo and orga blocks do).
add_header Set-Cookie lang="fr";

########################################
# http -> https redirection
include includes/redirect;
# TLS 1.3 0-RTT marker: copies $ssl_early_data when it is non-empty, "" otherwise.
# It is exposed to the application as the X-Early-Data header (orga block);
# requests flagged this way are replayable and the backend is expected to
# treat them accordingly (RFC 8470).
map $ssl_early_data $tls1_3_early_data {
    "~."    $ssl_early_data;
    default "";
}
# Standard WebSocket helper: "upgrade" when the client sent an Upgrade header,
# "close" otherwise. NOTE(review): within this file it is only referenced from
# commented-out ("test") lines; the websocket locations hard-code "upgrade".
map $http_upgrade $connection_upgrade {
    ''      close;
    default upgrade;
}
# Selects the Let's Encrypt directory for the SNI name presented by the client:
# any sub-domain of __DOMAIN__ uses the __DOMAIN__ certificate, every other
# name (external domains mapped onto local services) uses a directory named
# after the SNI value itself.
# NOTE(review): the "." of __DOMAIN__ is not escaped in the regex, so it also
# matches any single character (same remark as in the garradin block).
# NOTE(review): in the default case the certificate path is derived from a
# client-supplied value; as far as I know nginx rejects SNI values containing
# "/" or "..", but an unknown name simply makes the handshake fail for that
# client — confirm that this is the intended behaviour.
map $ssl_server_name $ssl_local_cert {
# volatile: the result is recomputed instead of being cached per request
volatile;
hostnames;
~^(?<sub_dom>.*\.)__DOMAIN__$ __DOMAIN__;
default $ssl_server_name;
}
########################################
#### Default
{{web
# Default site: the bare domain and www are proxied to the web container.
server {
    server_name __DOMAIN__ www.__DOMAIN__;
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    include includes/proxy_params;
    # TLS hardening kept here for reference but not enabled in this block
    # (presumably handled by includes/port — confirm):
    # ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    # ssl_prefer_server_ciphers off;
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # ssl_trusted_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    include includes/allow_ip;

    # Legacy asset paths, originally to be kept until June 2021.
    # NOTE(review): that date has passed; check whether anything still
    # references them before removing.
    location /email.css {
        proxy_pass http://__DOMAIN__/m/email.css;
    }
    location /kaz-50.png {
        proxy_pass http://__DOMAIN__/m/logo.png;
    }
    location /kaz-du-libre-23.png {
        proxy_pass http://__DOMAIN__/m/coche.png;
    }

    location / {
        proxy_pass http://__DOMAIN__;
    }
}
}}
########################################
#### Jirafeau (filesender)
{{jirafeau
# Jirafeau file sharing; the admin page is limited to the admin allow-list.
server {
    server_name __FILE_HOST__.__DOMAIN__;
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    include includes/proxy_params;

    # NOTE(review): "allow_admin_ip" is included from the configuration root
    # whereas the other snippets live under includes/ — confirm this is
    # intentional and that the file exists at that path.
    location /admin.php {
        include allow_admin_ip;
        proxy_pass http://__FILE_HOST__.__DOMAIN__;
    }
    location / {
        include includes/allow_ip;
        proxy_pass http://__FILE_HOST__.__DOMAIN__;
    }
}
}}
########################################
#### CALC
{{ethercalc
# EtherCalc, proxied to port 8000 of its container.
server {
    server_name __CALC_HOST__.__DOMAIN__;
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    include includes/proxy_params;

    location / {
        include includes/allow_ip;
        proxy_pass http://__CALC_HOST__.__DOMAIN__:8000;
    }
}
}}
########################################
#### PAD
{{etherpad
# Etherpad (port 9001); /admin/ is restricted to the admin allow-list.
server {
    server_name __PAD_HOST__.__DOMAIN__;
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    include includes/proxy_params;

    location /admin/ {
        include allow_admin_ip;
        proxy_pass http://__PAD_HOST__.__DOMAIN__:9001;
    }
    location / {
        include includes/allow_ip;
        proxy_pass http://__PAD_HOST__.__DOMAIN__:9001;
    }
}
}}
########################################
#### roundcube
{{roundcube
# Roundcube webmail.
server {
    server_name __WEBMAIL_HOST__.__DOMAIN__;
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    include includes/proxy_params;

    location / {
        include includes/allow_ip;
        proxy_pass http://__WEBMAIL_HOST__.__DOMAIN__;
    }
}
}}
########################################
#### Framadate
{{framadate
# Framadate. The hard-coded "kazdate" alias is kept as a second name
# (nginx accumulates server_name values, so one directive is equivalent to two).
server {
    server_name __DATE_HOST__.__DOMAIN__ kazdate.__DOMAIN__;
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    include includes/proxy_params;

    location /admin/ {
        include allow_admin_ip;
        proxy_pass http://__DATE_HOST__.__DOMAIN__;
    }
    location / {
        include includes/allow_ip;
        proxy_pass http://__DATE_HOST__.__DOMAIN__;
    }
}
}}
########################################
#### LDAP
{{ldap
# LDAP web UI. NOTE(review): a directory-management interface is only guarded
# by includes/allow_ip here; an admin allow-list (as used for /admin paths
# elsewhere) may be the better default.
server {
    server_name __LDAPUI_HOST__.__DOMAIN__;
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    include includes/proxy_params;

    location / {
        include includes/allow_ip;
        proxy_pass http://__LDAPUI_HOST__.__DOMAIN__;
    }
}
}}
########################################
#### Mobilizon
{{mobilizon
# Mobilizon.
server {
    server_name __MOBILIZON_HOST__.__DOMAIN__;
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    include includes/proxy_params;

    location / {
        include includes/allow_ip;
        proxy_pass http://__MOBILIZON_HOST__.__DOMAIN__;
    }
}
}}
########################################
#### garradin kaz
{{garradin
# map $http_host $garradin_kaz_map {
# hostnames;
# # déclaration des domaines extérieurs vers un garradin local
# include includes/garradin_kaz_map;
# }
# Garradin: one virtual host per association, named "<asso>-__GAR_HOST__".
# The certificate directory comes from the $ssl_local_cert map (SNI-based),
# the upstream is the single shared garradin container.
# Mapping of external domains onto local instances (garradin_kaz_map /
# garradin_kaz_name includes) is currently disabled.
server {
    # NOTE(author): the "." in __DOMAIN__ should be "\." in the regex; harmless
    # here because no "kazXbzh"-style domain exists at the registry.
    server_name ~^(?<asso>.+)-__GAR_HOST__\.__DOMAIN__$;
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
    include includes/proxy_params;

    location / {
        include includes/allow_ip;
        proxy_pass http://__GAR_HOST__.__DOMAIN__;
    }
}
}}
#############################################
# dokuwiki kaz
{{dokuwiki
# DokuWiki.
server {
    server_name __DOKUWIKI_HOST__.__DOMAIN__;
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    include includes/proxy_params;

    location / {
        include includes/allow_ip;
        proxy_pass http://__DOKUWIKI_HOST__.__DOMAIN__;
    }
}
}}
#############################################
# gitea kaz
{{gitea
# Gitea (HTTP on port 3000 of its container).
server {
    server_name __GIT_HOST__.__DOMAIN__;
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    include includes/proxy_params;

    location / {
        include includes/allow_ip;
        proxy_pass http://__GIT_HOST__.__DOMAIN__:3000;
    }
}
}}
#############################################
# vaultwarden
{{vaultwarden
# Vaultwarden (port 80 of its container, TLS terminated here).
server {
    server_name __VAULTWARDEN_HOST__.__DOMAIN__;
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    include includes/proxy_params;

    location / {
        include includes/allow_ip;
        proxy_pass http://__VAULTWARDEN_HOST__.__DOMAIN__:80;
    }
}
}}
########################################
#### mattermost
{{mattermost
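# Mattermost (port 8065). The websocket endpoint gets its own location so the
# Upgrade handshake and the long-lived-connection timeouts apply only there.
server {
    server_name __MATTER_HOST__.__DOMAIN__;
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    include includes/proxy_params;
    include includes/allow_ip;
    ssl_ecdh_curve prime256v1:secp384r1:secp521r1;
    # test add_header X-Early-Data $tls1_3_early_data;

    location ~ /api/v[0-9]+/(users/)?websocket$ {
        proxy_pass http://__MATTER_HOST__.__DOMAIN__:8065;
        # Fix: nginx speaks HTTP/1.0 to the upstream unless told otherwise, and
        # HTTP/1.0 cannot carry the WebSocket Upgrade; the "/" location below
        # already sets 1.1.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # NOTE(review): declaring proxy_set_header here replaces, rather than
        # extends, whatever includes/proxy_params sets at server level; only
        # X-Forwarded-For is re-declared in this location.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_body_timeout 60;
        send_timeout 300;
        lingering_timeout 5;
        proxy_connect_timeout 90;
        proxy_send_timeout 300;
        proxy_read_timeout 90s;
        # Rewrites the URI to itself; kept as in the original, effectively a no-op.
        rewrite ^/(.+)$ /$1 break;
    }

    location / {
        proxy_pass http://__MATTER_HOST__.__DOMAIN__:8065;
        proxy_http_version 1.1;
        # Empty Connection header: keep-alive towards the upstream.
        proxy_set_header Connection "";
        proxy_read_timeout 600s;
        # proxy_cache mattermost_cache; # test
        # proxy_cache_lock on; # test
        # proxy_cache_min_uses 2; # test
        # proxy_cache_revalidate on; # test
        # proxy_cache_use_stale timeout; # test
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}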
}}
########################################
#### nextcloud / collabora
{{cloud
# Nextcloud (shared instance).
server {
    server_name __CLOUD_HOST__.__DOMAIN__;
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    include includes/proxy_params;

    location / {
        include includes/allow_ip;
        proxy_pass http://__CLOUD_HOST__.__DOMAIN__;
    }
}
}}
{{collabora
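# Collabora Online (shared instance), reached over HTTPS on port 9980.
# NOTE(review): proxy_ssl_verify is left at its default (off), so the upstream
# certificate is not validated; acceptable only on a trusted internal network.
server {
    server_name __OFFICE_HOST__.__DOMAIN__;
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    include includes/proxy_params;
    # Collabora needs the original Host. Any location that declares its own
    # proxy_set_header stops inheriting this one (and proxy_params), hence the
    # repeats in the websocket locations below.
    proxy_set_header Host $http_host;

    # static files
    location ^~ /loleaflet {
        include includes/allow_ip;
        proxy_pass https://__OFFICE_HOST__.__DOMAIN__:9980;
    }
    location ^~ /browser {
        include includes/allow_ip;
        proxy_pass https://__OFFICE_HOST__.__DOMAIN__:9980;
    }
    # WOPI discovery URL
    location ^~ /hosting/discovery {
        include includes/allow_ip;
        proxy_pass https://__OFFICE_HOST__.__DOMAIN__:9980;
    }
    # Capabilities
    location ^~ /hosting/capabilities {
        include includes/allow_ip;
        proxy_pass https://__OFFICE_HOST__.__DOMAIN__:9980;
    }
    # main websocket (fix: "(.|l)ool" narrowed to "(c|l)ool"; "." matched any
    # character)
    location ~ ^/(c|l)ool/(.*)/ws$ {
        include includes/allow_ip;
        proxy_pass https://__OFFICE_HOST__.__DOMAIN__:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
    # Admin Console websocket.
    # Fix: this was "location ^~ /(c|l)ool/adminws" — a prefix match, in which
    # "(c|l)" is literal, so it never matched and the admin socket fell through
    # to the "^/(c|l)ool" regex with the ordinary allow-list. Regex locations
    # are tried in order, so this one must come before it.
    location ~ ^/(c|l)ool/adminws {
        include allow_admin_ip;
        proxy_pass https://__OFFICE_HOST__.__DOMAIN__:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
    # download, presentation and image upload
    location ~ ^/(c|l)ool {
        include includes/allow_ip;
        proxy_pass https://__OFFICE_HOST__.__DOMAIN__:9980;
    }

    location / {
        include includes/allow_ip;
        proxy_pass https://__OFFICE_HOST__.__DOMAIN__:9980;
    }
}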
}}
########################################
#### association
{{orga
# Per-association lookups: each map translates an external Host header into
# the association name ("asso") used to build the upstream container name.
# The mapping tables are maintained in the includes/ snippets.
map $http_host $cloud_kaz_map {
    hostnames;
    include includes/cloud_kaz_map;
}
map $http_host $agora_kaz_map {
    hostnames;
    include includes/agora_kaz_map;
}
map $http_host $wiki_kaz_map {
    hostnames;
    include includes/wiki_kaz_map;
}
map $http_host $wp_kaz_map {
    hostnames;
    include includes/wp_kaz_map;
}
# Per-association Nextcloud: "<asso>-__CLOUD_HOST__" or an external name listed
# in includes/cloud_kaz_name. $asso is filled by the regex capture or, for
# external names, by the $cloud_kaz_map lookup.
# NOTE(review): $asso is client-controlled (Host/SNI); an unknown value only
# yields a resolver failure for "<asso>-__CLOUD_HOST__", presumably a 502.
server {
    server_name ~^(?<asso>.+)-__CLOUD_HOST__\.__DOMAIN__$;
    include includes/cloud_kaz_name;
    if ($asso = '') {
        set $asso $cloud_kaz_map;
    }
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
    include includes/proxy_params;

    location / {
        include includes/allow_ip;
        proxy_pass http://$asso-__CLOUD_HOST__.__DOMAIN__;
    }
}
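# Per-association Collabora Online ("<asso>-__OFFICE_HOST__"), HTTPS on 9980.
# NOTE(review): proxy_ssl_verify is left at its default (off), so the upstream
# certificate is not validated; acceptable only on a trusted internal network.
server {
    server_name ~^(?<asso>.+)-__OFFICE_HOST__\.__DOMAIN__$;
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
    include includes/proxy_params;
    # Collabora needs the original Host. Any location that declares its own
    # proxy_set_header stops inheriting this one (and proxy_params), hence the
    # repeats in the websocket locations below.
    proxy_set_header Host $http_host;

    # static files
    location ^~ /loleaflet {
        include includes/allow_ip;
        proxy_pass https://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
    }
    location ^~ /browser {
        include includes/allow_ip;
        proxy_pass https://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
    }
    # WOPI discovery URL
    location ^~ /hosting/discovery {
        include includes/allow_ip;
        proxy_pass https://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
    }
    # Capabilities
    location ^~ /hosting/capabilities {
        include includes/allow_ip;
        proxy_pass https://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
    }
    # main websocket
    location ~ ^/(c|l)ool/(.*)/ws$ {
        include includes/allow_ip;
        proxy_pass https://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
    # Admin Console websocket.
    # Fix: this was "location ^~ /(c|l)ool/adminws" — a prefix match, in which
    # "(c|l)" is literal, so it never matched and the admin socket fell through
    # to the "^/(c|l)ool" regex with the ordinary allow-list. Regex locations
    # are tried in order, so this one must come before it.
    location ~ ^/(c|l)ool/adminws {
        include allow_admin_ip;
        proxy_pass https://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
    # download, presentation and image upload
    location ~ ^/(c|l)ool {
        include includes/allow_ip;
        proxy_pass https://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
    }

    location / {
        include includes/allow_ip;
        proxy_pass https://$asso-__OFFICE_HOST__.__DOMAIN__:9980;
    }
}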
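# Per-association Mattermost ("<asso>-__MATTER_HOST__", port 8000).
# NOTE(review): the shared instance above is proxied to port 8065 — confirm
# 8000 is the right port for the per-association containers.
server {
    server_name ~^(?<asso>.+)-__MATTER_HOST__\.__DOMAIN__$;
    include includes/agora_kaz_name;
    if ($asso = '') {
        set $asso $agora_kaz_map;
    }
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
    include includes/proxy_params;
    include includes/allow_ip;
    ssl_ecdh_curve prime256v1:secp384r1:secp521r1;
    # Tells the application when a request arrived as TLS 1.3 early data
    # (replayable). Note that this server-level add_header also stops the
    # http-level "Set-Cookie lang" header from being inherited here.
    add_header X-Early-Data $tls1_3_early_data;

    location ~ /api/v[0-9]+/(users/)?websocket$ {
        proxy_pass http://$asso-__MATTER_HOST__.__DOMAIN__:8000;
        # Fix: nginx speaks HTTP/1.0 to the upstream unless told otherwise, and
        # HTTP/1.0 cannot carry the WebSocket Upgrade; the "/" location below
        # already sets 1.1.
        proxy_http_version 1.1;
        proxy_set_header Connection "upgrade";
        proxy_set_header Upgrade $http_upgrade;
        # NOTE(review): declaring proxy_set_header here replaces, rather than
        # extends, whatever includes/proxy_params sets at server level; only
        # X-Forwarded-For is re-declared in this location.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_body_timeout 60;
        send_timeout 300;
        lingering_timeout 5;
        proxy_connect_timeout 90;
        proxy_send_timeout 300;
        proxy_read_timeout 90s;
        # Rewrites the URI to itself; kept as in the original, effectively a no-op.
        rewrite ^/(.+)$ /$1 break;
    }

    location / {
        proxy_pass http://$asso-__MATTER_HOST__.__DOMAIN__:8000;
        proxy_http_version 1.1;
        # Empty Connection header: keep-alive towards the upstream.
        proxy_set_header Connection "";
        proxy_read_timeout 600s;
        # proxy_cache mattermost_cache; # test
        # proxy_cache_lock on; # test
        # proxy_cache_min_uses 2; # test
        # proxy_cache_revalidate on; # test
        # proxy_cache_use_stale timeout; # test
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}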
# Per-association DokuWiki: "<asso>-__DOKUWIKI_HOST__" or an external name
# listed in includes/wiki_kaz_name (resolved through $wiki_kaz_map).
server {
    server_name ~^(?<asso>.+)-__DOKUWIKI_HOST__\.__DOMAIN__$;
    include includes/wiki_kaz_name;
    if ($asso = '') {
        set $asso $wiki_kaz_map;
    }
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
    include includes/proxy_params;

    location / {
        include includes/allow_ip;
        proxy_pass http://$asso-__DOKUWIKI_HOST__.__DOMAIN__;
    }
}
# Per-association WordPress: "<asso>-__WORDPRESS_HOST__" or an external name
# listed in includes/wp_kaz_name (resolved through $wp_kaz_map).
server {
    server_name ~^(?<asso>.+)-__WORDPRESS_HOST__\.__DOMAIN__$;
    include includes/wp_kaz_name;
    if ($asso = '') {
        set $asso $wp_kaz_map;
    }
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/$ssl_local_cert/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$ssl_local_cert/privkey.pem;
    include includes/proxy_params;

    location / {
        include includes/allow_ip;
        proxy_pass http://$asso-__WORDPRESS_HOST__.__DOMAIN__;
    }
}
}}
########################################
#### vigilo kaz
{{vigilo
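# Vigilo. The site is meant to be embeddable from other origins, so the
# upstream's X-Frame-Options is hidden and a permissive CORS preflight is
# answered locally.
server {
    server_name __VIGILO_HOST__.__DOMAIN__;
    include includes/port;
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    include includes/proxy_params;
    proxy_set_header X-Real-IP $remote_addr;

    location / {
        include includes/allow_ip;
        proxy_pass http://__VIGILO_HOST__.__DOMAIN__;
        proxy_hide_header 'x-frame-options';
        # NOTE(review): "ALLOWALL" is not a defined X-Frame-Options value (only
        # DENY and SAMEORIGIN are); browsers ignore the header, which is what
        # allows framing here. To limit embedding to known sites, replace it
        # with a CSP, e.g.
        #   add_header Content-Security-Policy "frame-ancestors https://<embedding-origin>";
        add_header X-Frame-Options "ALLOWALL";

        # CORS preflight. add_header inside "if" replaces the location's
        # add_header set for this branch.
        if ($request_method = OPTIONS) {
            add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD, DELETE";
            add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
            # NOTE(review): no Access-Control-Allow-Origin is sent, so browsers
            # will still reject the preflight; if one is added, prefer an
            # explicit origin list over "*".
            # Fix: media type and parameter must be separated by ";".
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
        }
    }
}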
}}
########################################
}