generated from nhcarrigan/template
Compare commits
27 Commits
611967fa30
..
main
| Author | SHA1 | Date | |
|---|---|---|---|
|
f40690b574
|
|||
|
82d075e7c1
|
|||
|
6836c5bcae
|
|||
|
ca5ffe822e
|
|||
|
b3ac647b00
|
|||
|
63a008f4f2
|
|||
|
c07d24f69f
|
|||
|
5517e9d77d
|
|||
|
fb6080ae87
|
|||
|
f6c4e2dac7
|
|||
|
49fd7812dd
|
|||
|
ce7c3341b7
|
|||
|
13dc41c639
|
|||
|
c8c5b7529c
|
|||
|
823d42ad2e
|
|||
|
44502b5c52
|
|||
|
89aef0bf1a
|
|||
|
3608837aae
|
|||
|
fc252e28e2
|
|||
|
1d24a85e07
|
|||
|
7e1929f308
|
|||
|
1cfae51620
|
|||
|
4270f43d22
|
|||
|
2b8748fddb
|
|||
|
f3f65e9d92
|
|||
|
0004e5b037
|
|||
| db36f98578 |
@@ -0,0 +1,53 @@
|
|||||||
|
name: Test nginx configuration
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches: [main]
|
||||||
|
pull_request:
|
||||||
|
branches: [main]
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
static-analysis:
|
||||||
|
name: Static Analysis
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Checkout code
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Run static analysis
|
||||||
|
run: bash test.sh
|
||||||
|
|
||||||
|
syntax-check:
|
||||||
|
name: nginx Syntax Check
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Checkout code
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Install nginx
|
||||||
|
run: |
|
||||||
|
sudo apt-get update -q
|
||||||
|
sudo apt-get install -y nginx-full
|
||||||
|
|
||||||
|
- name: Deploy config to /etc/nginx
|
||||||
|
run: sudo cp -a nginx/nginx/. /etc/nginx/
|
||||||
|
|
||||||
|
- name: Create stub SSL certificates
|
||||||
|
run: |
|
||||||
|
openssl req -x509 -newkey rsa:2048 -keyout /tmp/stub.key \
|
||||||
|
-out /tmp/stub.pem -days 1 -nodes -subj '/CN=stub'
|
||||||
|
|
||||||
|
while IFS= read -r dir; do
|
||||||
|
sudo mkdir -p "$dir"
|
||||||
|
sudo cp /tmp/stub.pem "$dir/fullchain.pem"
|
||||||
|
sudo cp /tmp/stub.key "$dir/privkey.pem"
|
||||||
|
done < <(grep -rh 'ssl_certificate ' /etc/nginx/sites-available/ \
|
||||||
|
| grep -v '#' \
|
||||||
|
| grep -oP '/etc/letsencrypt/live/[^\s/]+' \
|
||||||
|
| sort -u)
|
||||||
|
|
||||||
|
- name: Run nginx syntax check
|
||||||
|
run: sudo nginx -t
|
||||||
@@ -0,0 +1,29 @@
|
|||||||
|
# NGINX Configs — Project Notes
|
||||||
|
|
||||||
|
## 404 Handling
|
||||||
|
|
||||||
|
### Global 404 redirect
|
||||||
|
Any 404 from any site is handled globally via `nginx/nginx/nginx.conf` in the `http {}` block:
|
||||||
|
|
||||||
|
```nginx
|
||||||
|
error_page 404 https://404.nhcarrigan.com;
|
||||||
|
```
|
||||||
|
|
||||||
|
This redirects (302) to `404.nhcarrigan.com` which serves `/home/naomi/404/index.html`.
|
||||||
|
No need to add `error_page` to individual server blocks — the `http {}` level default covers everything.
|
||||||
|
|
||||||
|
### 404 site config
|
||||||
|
`nginx/nginx/sites-available/404.conf` — serves the static 404 page at `/home/naomi/404`.
|
||||||
|
Requires an SSL cert at `/etc/letsencrypt/live/404.nhcarrigan.com/`.
|
||||||
|
|
||||||
|
### Catch-all server block (`catch-all.conf`)
|
||||||
|
Handles any HTTPS request for a subdomain that doesn't match any configured `server_name`.
|
||||||
|
Uses `default_server` on port 443, `server_name _`, and serves the same 404 page directly
|
||||||
|
(with `return 404` to preserve the status code, since this is the final fallback rather than a redirect).
|
||||||
|
|
||||||
|
## Adding a New Site
|
||||||
|
|
||||||
|
1. Create `nginx/nginx/sites-available/<name>.conf` with the server block.
|
||||||
|
2. Create a symlink: `ln -s ../sites-available/<name>.conf nginx/nginx/sites-enabled/<name>.conf`
|
||||||
|
3. Ensure an SSL cert exists on the server for the domain (`certbot --nginx -d <domain>`).
|
||||||
|
4. No need to add `error_page 404` — it's handled globally.
|
||||||
@@ -1,10 +1,132 @@
|
|||||||
# Nginx Configs
|
# Nginx Configs
|
||||||
|
|
||||||
This repository holds our NGINX configs and offers a basic script for pulling the latest versions from our servers.
|
This repository holds the nginx configuration for NHCarrigan's production server, with scripts for deploying and pulling changes.
|
||||||
|
|
||||||
## Live Version
|
## Directory Structure
|
||||||
|
|
||||||
These can't really be viewed live...
|
```
|
||||||
|
nginx/nginx/ # Maps directly to /etc/nginx/ on the server
|
||||||
|
├── nginx.conf # Global settings (workers, gzip, TLS, logging)
|
||||||
|
├── conf.d/
|
||||||
|
│ ├── cloudflare_ips.conf # Real-IP trust for Cloudflare ranges (auto-updated by cron)
|
||||||
|
│ ├── logging.conf # Custom log formats (custom_format + json_analytics)
|
||||||
|
│ └── tuning.conf # Performance tweaks (server_names_hash_bucket_size)
|
||||||
|
├── sites-available/ # One .conf file per logical group of sites
|
||||||
|
│ └── *.conf
|
||||||
|
├── sites-enabled/ # Symlinks to active configs in sites-available/
|
||||||
|
│ └── * -> ../sites-available/*.conf
|
||||||
|
└── ... # Standard nginx package files (mime.types, proxy_params, etc.)
|
||||||
|
```
|
||||||
|
|
||||||
|
## Adding a New Site
|
||||||
|
|
||||||
|
1. **Identify the right file.** Each `sites-available/*.conf` has a comment at the top describing what belongs there. Pick the most appropriate file, or create a new one if the site does not fit anywhere.
|
||||||
|
|
||||||
|
2. **Add the server block**, following this template for a proxied app:
|
||||||
|
```nginx
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name yourapp.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/yourapp.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/yourapp.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:<PORT>;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
Or this template for a static site:
|
||||||
|
```nginx
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name yoursite.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/yoursite.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/yoursite.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/yoursite;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
3. **Keep server blocks sorted alphabetically** by `server_name` within the file. The CI sort check will fail if they are out of order. Note that hyphenated names sort before the bare domain in C locale (e.g. `app-api` before `app`).
|
||||||
|
|
||||||
|
4. **If you created a new `.conf` file**, create the corresponding symlink in `sites-enabled/`:
|
||||||
|
```bash
|
||||||
|
cd nginx/nginx/sites-enabled
|
||||||
|
ln -s ../sites-available/newfile.conf newfile.conf
|
||||||
|
```
|
||||||
|
|
||||||
|
5. **Get the SSL certificate** on the server before deploying:
|
||||||
|
```bash
|
||||||
|
sudo certbot certonly --nginx -d yourapp.nhcarrigan.com
|
||||||
|
```
|
||||||
|
|
||||||
|
6. **Run the tests** locally to verify everything passes:
|
||||||
|
```bash
|
||||||
|
bash test.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
7. **Deploy** (see below).
|
||||||
|
|
||||||
|
## Removing a Site
|
||||||
|
|
||||||
|
1. Delete the server block from the relevant `sites-available/*.conf` file.
|
||||||
|
2. If the entire `.conf` file is now empty, delete the file and its `sites-enabled/` symlink.
|
||||||
|
3. Run `bash test.sh` to confirm nothing is broken.
|
||||||
|
4. Deploy.
|
||||||
|
|
||||||
|
## Deploying Changes
|
||||||
|
|
||||||
|
Push the local `nginx/nginx/` directory to the server (the `--delete` flag removes any files on the server that no longer exist locally):
|
||||||
|
|
||||||
|
```bash
|
||||||
|
bash push.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
Then reload nginx to apply the changes:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ssh prod "sudo systemctl reload nginx"
|
||||||
|
```
|
||||||
|
|
||||||
|
To pull the current server config back into this repository:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
bash pull.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
## Testing
|
||||||
|
|
||||||
|
The test suite runs static analysis checks against the config files without requiring a live nginx instance:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
bash test.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
The following checks are run:
|
||||||
|
|
||||||
|
| # | Check |
|
||||||
|
|---|-------|
|
||||||
|
| 1 | No deprecated TLS versions (TLSv1 / TLSv1.1) |
|
||||||
|
| 2 | No duplicate `server_name` values |
|
||||||
|
| 3 | Every `sites-available/*.conf` has a `sites-enabled` symlink |
|
||||||
|
| 4 | No broken symlinks in `sites-enabled` |
|
||||||
|
| 5 | No orphaned symlinks in `sites-enabled` |
|
||||||
|
| 6 | No port-80 listeners in custom server blocks |
|
||||||
|
| 7 | `ssl_certificate` and `ssl_certificate_key` counts match per file |
|
||||||
|
| 8 | All plain-HTTP `proxy_pass` targets are local |
|
||||||
|
| 9 | All SSL cert paths use `/etc/letsencrypt/live/` |
|
||||||
|
| 10 | Certs use `fullchain.pem` / keys use `privkey.pem` |
|
||||||
|
| 11 | No raw IP addresses as `server_name` |
|
||||||
|
| 12 | `conf.d` contains only expected files |
|
||||||
|
| 13 | Server blocks are sorted alphabetically by `server_name` within each file |
|
||||||
|
|
||||||
|
CI additionally runs an nginx syntax check (`nginx -t`) using stub SSL certificates, catching any configuration errors that static analysis cannot detect.
|
||||||
|
|
||||||
## Feedback and Bugs
|
## Feedback and Bugs
|
||||||
|
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
# Auto-generated Cloudflare IP ranges
|
# Auto-generated Cloudflare IP ranges
|
||||||
# Updated: Mon Mar 2 09:45:19 PM PST 2026
|
# Updated: Wed Jun 10 10:59:21 PM PDT 2026
|
||||||
|
|
||||||
real_ip_header CF-Connecting-IP;
|
real_ip_header CF-Connecting-IP;
|
||||||
|
|
||||||
|
|||||||
@@ -1,44 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 80;
|
|
||||||
server_name localhost;
|
|
||||||
|
|
||||||
#access_log /var/log/nginx/host.access.log main;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
root /usr/share/nginx/html;
|
|
||||||
index index.html index.htm;
|
|
||||||
}
|
|
||||||
|
|
||||||
#error_page 404 /404.html;
|
|
||||||
|
|
||||||
# redirect server error pages to the static page /50x.html
|
|
||||||
#
|
|
||||||
error_page 500 502 503 504 /50x.html;
|
|
||||||
location = /50x.html {
|
|
||||||
root /usr/share/nginx/html;
|
|
||||||
}
|
|
||||||
|
|
||||||
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
|
|
||||||
#
|
|
||||||
#location ~ \.php$ {
|
|
||||||
# proxy_pass http://127.0.0.1;
|
|
||||||
#}
|
|
||||||
|
|
||||||
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
|
|
||||||
#
|
|
||||||
#location ~ \.php$ {
|
|
||||||
# root html;
|
|
||||||
# fastcgi_pass 127.0.0.1:9000;
|
|
||||||
# fastcgi_index index.php;
|
|
||||||
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
|
|
||||||
# include fastcgi_params;
|
|
||||||
#}
|
|
||||||
|
|
||||||
# deny access to .htaccess files, if Apache's document root
|
|
||||||
# concurs with nginx's one
|
|
||||||
#
|
|
||||||
#location ~ /\.ht {
|
|
||||||
# deny all;
|
|
||||||
#}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -0,0 +1,47 @@
|
|||||||
|
log_format custom_format '$remote_addr - $remote_user [$time_local] '
|
||||||
|
'"$request" $status $body_bytes_sent '
|
||||||
|
'"$http_referer" "$http_user_agent" '
|
||||||
|
'"$http_x_forwarded_for"';
|
||||||
|
|
||||||
|
access_log /var/log/nginx/access.log custom_format;
|
||||||
|
|
||||||
|
log_format json_analytics escape=json '{'
|
||||||
|
'"msec": "$msec", ' # request unixtime in seconds with a milliseconds resolution
|
||||||
|
'"connection": "$connection", ' # connection serial number
|
||||||
|
'"connection_requests": "$connection_requests", ' # number of requests made in connection
|
||||||
|
'"pid": "$pid", ' # process pid
|
||||||
|
'"request_id": "$request_id", ' # the unique request id
|
||||||
|
'"request_length": "$request_length", ' # request length (including headers and body)
|
||||||
|
'"remote_addr": "$remote_addr", ' # client IP
|
||||||
|
'"remote_user": "$remote_user", ' # client HTTP username
|
||||||
|
'"remote_port": "$remote_port", ' # client port
|
||||||
|
'"time_local": "$time_local", '
|
||||||
|
'"time_iso8601": "$time_iso8601", ' # local time in the ISO 8601 standard format
|
||||||
|
'"request": "$request", ' # full path no arguments if the request
|
||||||
|
'"request_uri": "$request_uri", ' # full path and arguments if the request
|
||||||
|
'"args": "$args", ' # args
|
||||||
|
'"status": "$status", ' # response status code
|
||||||
|
'"body_bytes_sent": "$body_bytes_sent", ' # the number of body bytes exclude headers sent to a client
|
||||||
|
'"bytes_sent": "$bytes_sent", ' # the number of bytes sent to a client
|
||||||
|
'"http_referer": "$http_referer", ' # HTTP referer
|
||||||
|
'"http_user_agent": "$http_user_agent", ' # user agent
|
||||||
|
'"http_x_forwarded_for": "$http_x_forwarded_for", ' # http_x_forwarded_for
|
||||||
|
'"http_host": "$http_host", ' # the request Host: header
|
||||||
|
'"server_name": "$server_name", ' # the name of the vhost serving the request
|
||||||
|
'"request_time": "$request_time", ' # request processing time in seconds with msec resolution
|
||||||
|
'"upstream": "$upstream_addr", ' # upstream backend server for proxied requests
|
||||||
|
'"upstream_connect_time": "$upstream_connect_time", ' # upstream handshake time incl. TLS
|
||||||
|
'"upstream_header_time": "$upstream_header_time", ' # time spent receiving upstream headers
|
||||||
|
'"upstream_response_time": "$upstream_response_time", ' # time spent receiving upstream body
|
||||||
|
'"upstream_response_length": "$upstream_response_length", ' # upstream response length
|
||||||
|
'"upstream_cache_status": "$upstream_cache_status", ' # cache HIT/MISS where applicable
|
||||||
|
'"ssl_protocol": "$ssl_protocol", ' # TLS protocol
|
||||||
|
'"ssl_cipher": "$ssl_cipher", ' # TLS cipher
|
||||||
|
'"scheme": "$scheme", ' # http or https
|
||||||
|
'"request_method": "$request_method", ' # request method
|
||||||
|
'"server_protocol": "$server_protocol", ' # request protocol, like HTTP/1.1 or HTTP/2.0
|
||||||
|
'"pipe": "$pipe", ' # "p" if request was pipelined, "." otherwise
|
||||||
|
'"gzip_ratio": "$gzip_ratio", '
|
||||||
|
'}';
|
||||||
|
|
||||||
|
access_log /var/log/nginx/json_access.log json_analytics;
|
||||||
@@ -0,0 +1,162 @@
|
|||||||
|
# Pure-redirect virtual hosts — server blocks whose only purpose is a 301/302 to another URL.
|
||||||
|
|
||||||
|
# val.nhcarrigan.com → headpat image
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name val.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/val.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/val.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 302 https://cdn.nhcarrigan.com/val-headpat.jpg;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# assistant.nhcarrigan.com → cordelia (legacy name)
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name assistant.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/assistant.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/assistant.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://cordelia.nhcarrigan.com$uri$is_args$args;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
# trans-bot.nhcarrigan.com → aria (legacy name)
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name trans-bot.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/trans.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/trans.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://aria.nhcarrigan.com;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
# announcements.nhcarrigan.com → hikari /announcements
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name announcements.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/announcements.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/announcements.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
return 301 https://hikari.nhcarrigan.com/announcements;
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
# products.nhcarrigan.com → hikari /products
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name products.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/products.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/products.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://hikari.nhcarrigan.com/products;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
# hooks.nhcarrigan.com → celestine (legacy name)
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name hooks.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/hooks.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/hooks.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://celestine.nhcarrigan.com$uri$is_args$args;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
# chat.nhcarrigan.com → Discord invite
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name chat.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/chat.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/chat.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://discord.gg/KKe7BaEnQB;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
# forum.nhcarrigan.com → support (legacy name)
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name forum.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/forum.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/forum.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://support.nhcarrigan.com;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
# cyc.nhcarrigan.com → zcal scheduling
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name cyc.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/cyc.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/cyc.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
return 301 https://zcal.co/nhcarrigan/cyc;
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
# meet.nhcarrigan.com → zcal scheduling
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name meet.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/meet.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/meet.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
return 301 https://zcal.co/nhcarrigan/meet;
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
# huddle.nhcarrigan.com → zcal scheduling
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name huddle.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/huddle.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/huddle.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
return 301 https://zcal.co/nhcarrigan/huddle;
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
# tasks.nhcarrigan.com → melody
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name tasks.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/tasks.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/tasks.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://melody.nhcarrigan.com$uri$is_args$args;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Wildcard: *.naomi.lgbt → *.nhcarrigan.com
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name ~^(?<subdomain>.+)\.naomi\.lgbt$;
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/live/*.naomi.lgbt/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/*.naomi.lgbt/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://$subdomain.nhcarrigan.com$request_uri;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1 @@
|
|||||||
|
server_names_hash_bucket_size 128;
|
||||||
+6
-84
@@ -5,7 +5,6 @@ include /etc/nginx/modules-enabled/*.conf;
|
|||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 768;
|
worker_connections 768;
|
||||||
# multi_accept on;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
@@ -13,16 +12,11 @@ http {
|
|||||||
##
|
##
|
||||||
# Basic Settings
|
# Basic Settings
|
||||||
##
|
##
|
||||||
server_names_hash_bucket_size 128;
|
|
||||||
sendfile on;
|
sendfile on;
|
||||||
tcp_nopush on;
|
tcp_nopush on;
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
keepalive_timeout 65;
|
keepalive_timeout 65;
|
||||||
types_hash_max_size 2048;
|
types_hash_max_size 2048;
|
||||||
# server_tokens off;
|
|
||||||
|
|
||||||
# server_names_hash_bucket_size 64;
|
|
||||||
# server_name_in_redirect off;
|
|
||||||
|
|
||||||
include /etc/nginx/mime.types;
|
include /etc/nginx/mime.types;
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
@@ -31,7 +25,7 @@ http {
|
|||||||
# SSL Settings
|
# SSL Settings
|
||||||
##
|
##
|
||||||
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
##
|
##
|
||||||
@@ -47,12 +41,10 @@ http {
|
|||||||
|
|
||||||
gzip on;
|
gzip on;
|
||||||
|
|
||||||
# gzip_vary on;
|
##
|
||||||
# gzip_proxied any;
|
# Global Error Pages
|
||||||
# gzip_comp_level 6;
|
##
|
||||||
# gzip_buffers 16 8k;
|
error_page 404 https://404.nhcarrigan.com;
|
||||||
# gzip_http_version 1.1;
|
|
||||||
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
|
||||||
|
|
||||||
##
|
##
|
||||||
# Virtual Host Configs
|
# Virtual Host Configs
|
||||||
@@ -61,75 +53,5 @@ http {
|
|||||||
include /etc/nginx/sites-enabled/*;
|
include /etc/nginx/sites-enabled/*;
|
||||||
|
|
||||||
# Look at the real IP, not the cloudflare IP.
|
# Look at the real IP, not the cloudflare IP.
|
||||||
include /etc/nginx/cloudflare_ips.conf;
|
include /etc/nginx/cloudflare_ips.conf;
|
||||||
|
|
||||||
log_format custom_format '$remote_addr - $remote_user [$time_local] '
|
|
||||||
'"$request" $status $body_bytes_sent '
|
|
||||||
'"$http_referer" "$http_user_agent" '
|
|
||||||
'"$http_x_forwarded_for"';
|
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log custom_format;
|
|
||||||
|
|
||||||
log_format json_analytics escape=json '{'
|
|
||||||
'"msec": "$msec", ' # request unixtime in seconds with a milliseconds resolution
|
|
||||||
'"connection": "$connection", ' # connection serial number
|
|
||||||
'"connection_requests": "$connection_requests", ' # number of requests made in connection
|
|
||||||
'"pid": "$pid", ' # process pid
|
|
||||||
'"request_id": "$request_id", ' # the unique request id
|
|
||||||
'"request_length": "$request_length", ' # request length (including headers and body)
|
|
||||||
'"remote_addr": "$remote_addr", ' # client IP
|
|
||||||
'"remote_user": "$remote_user", ' # client HTTP username
|
|
||||||
'"remote_port": "$remote_port", ' # client port
|
|
||||||
'"time_local": "$time_local", '
|
|
||||||
'"time_iso8601": "$time_iso8601", ' # local time in the ISO 8601 standard format
|
|
||||||
'"request": "$request", ' # full path no arguments if the request
|
|
||||||
'"request_uri": "$request_uri", ' # full path and arguments if the request
|
|
||||||
'"args": "$args", ' # args
|
|
||||||
'"status": "$status", ' # response status code
|
|
||||||
'"body_bytes_sent": "$body_bytes_sent", ' # the number of body bytes exclude headers sent to a client
|
|
||||||
'"bytes_sent": "$bytes_sent", ' # the number of bytes sent to a client
|
|
||||||
'"http_referer": "$http_referer", ' # HTTP referer
|
|
||||||
'"http_user_agent": "$http_user_agent", ' # user agent
|
|
||||||
'"http_x_forwarded_for": "$http_x_forwarded_for", ' # http_x_forwarded_for
|
|
||||||
'"http_host": "$http_host", ' # the request Host: header
|
|
||||||
'"server_name": "$server_name", ' # the name of the vhost serving the request
|
|
||||||
'"request_time": "$request_time", ' # request processing time in seconds with msec resolution
|
|
||||||
'"upstream": "$upstream_addr", ' # upstream backend server for proxied requests
|
|
||||||
'"upstream_connect_time": "$upstream_connect_time", ' # upstream handshake time incl. TLS
|
|
||||||
'"upstream_header_time": "$upstream_header_time", ' # time spent receiving upstream headers
|
|
||||||
'"upstream_response_time": "$upstream_response_time", ' # time spent receiving upstream body
|
|
||||||
'"upstream_response_length": "$upstream_response_length", ' # upstream response length
|
|
||||||
'"upstream_cache_status": "$upstream_cache_status", ' # cache HIT/MISS where applicable
|
|
||||||
'"ssl_protocol": "$ssl_protocol", ' # TLS protocol
|
|
||||||
'"ssl_cipher": "$ssl_cipher", ' # TLS cipher
|
|
||||||
'"scheme": "$scheme", ' # http or https
|
|
||||||
'"request_method": "$request_method", ' # request method
|
|
||||||
'"server_protocol": "$server_protocol", ' # request protocol, like HTTP/1.1 or HTTP/2.0
|
|
||||||
'"pipe": "$pipe", ' # "p" if request was pipelined, "." otherwise
|
|
||||||
'"gzip_ratio": "$gzip_ratio", '
|
|
||||||
'}';
|
|
||||||
|
|
||||||
access_log /var/log/nginx/json_access.log json_analytics;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
#mail {
|
|
||||||
# # See sample authentication script at:
|
|
||||||
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
|
||||||
#
|
|
||||||
# # auth_http localhost/auth.php;
|
|
||||||
# # pop3_capabilities "TOP" "USER";
|
|
||||||
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
|
||||||
#
|
|
||||||
# server {
|
|
||||||
# listen localhost:110;
|
|
||||||
# protocol pop3;
|
|
||||||
# proxy on;
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
# server {
|
|
||||||
# listen localhost:143;
|
|
||||||
# protocol imap;
|
|
||||||
# proxy on;
|
|
||||||
# }
|
|
||||||
#}
|
|
||||||
|
|||||||
@@ -0,0 +1,14 @@
|
|||||||
|
# 404 error page static site.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name 404.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/404.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/404.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/404;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,14 @@
|
|||||||
|
# AFP service proxy.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name afp.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/afp.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/afp.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:10080;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,40 @@
|
|||||||
|
# Aria bot, Cordelia AI assistant, and trans-related services.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name aria.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/aria.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/aria.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:5001;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name cordelia.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/cordelia.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/cordelia.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:5002;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name trans.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/trans.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/trans.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://0.0.0.0:5000;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,272 @@
|
|||||||
|
# Discord bots and automated services (one entry per bot, sorted alphabetically).
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name altaria.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/altaria.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/altaria.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:6022;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name amari.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/amari.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/amari.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:7044;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name becca.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/becca.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/becca.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:5010;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name caelia.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/caelia.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/caelia.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:7055;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name callista.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/callista.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/callista.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:6111;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name chibika.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/chibika.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/chibika.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:5018;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name gwen.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/gwen.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/gwen.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:5012;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name keiko.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/keiko.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/keiko.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:3333;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name liora.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/liora.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/liora.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:5022;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name maylin.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/maylin.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/maylin.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:5011;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name melody.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/melody.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/melody.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:5443;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name pavelle.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/pavelle.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/pavelle.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:6019;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name ruubot.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/ruubot.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/ruubot.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass https://127.0.0.1:4443;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name saisoku.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/saisoku.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/saisoku.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:9100;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name serenya.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/serenya.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/serenya.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:7066;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name sorielle.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/sorielle.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/sorielle.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:5019;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name tyche.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/tyche.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/tyche.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:8123;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name umbrelle.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/umbrelle.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/umbrelle.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:6088;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name valerium.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/valerium.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/valerium.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:3443;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name veluna.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/veluna.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/veluna.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:6099;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,23 @@
|
|||||||
|
# Catch-all for unmatched subdomains - serves a 404 page.
|
||||||
|
server {
|
||||||
|
listen 443 ssl default_server;
|
||||||
|
listen [::]:443 ssl default_server;
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/live/nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
server_name _;
|
||||||
|
|
||||||
|
root /home/naomi/404;
|
||||||
|
|
||||||
|
error_page 404 /index.html;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location = /index.html {
|
||||||
|
internal;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,54 @@
|
|||||||
|
# CDN reverse proxy to Hetzner object storage, with legacy path redirects and CORS headers.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
listen [::]:443 ssl;
|
||||||
|
|
||||||
|
server_name cdn.nhcarrigan.com;
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/live/cdn.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/cdn.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
# Catches "/new-avatars/name-full.png" and redirects to "/avatars/name.png"
|
||||||
|
location ~ ^/new-avatars/(.+)-full\.png$ {
|
||||||
|
return 301 $scheme://$host/avatars/$1.png;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Catches anything else starting with "/new-avatars/" and moves it to "/avatars/"
|
||||||
|
location ~ ^/new-avatars/(.*)$ {
|
||||||
|
return 301 $scheme://$host/avatars/$1;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Handle CORS preflight requests without the "if is evil" pattern.
|
||||||
|
location / {
|
||||||
|
if ($request_method = OPTIONS) {
|
||||||
|
add_header Access-Control-Allow-Origin "*" always;
|
||||||
|
add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
|
||||||
|
add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
|
||||||
|
add_header Access-Control-Max-Age 86400 always;
|
||||||
|
add_header Content-Type "text/plain; charset=utf-8";
|
||||||
|
add_header Content-Length 0;
|
||||||
|
return 204;
|
||||||
|
}
|
||||||
|
|
||||||
|
proxy_pass https://nhcarrigan.hel1.your-objectstorage.com;
|
||||||
|
proxy_set_header Host nhcarrigan.hel1.your-objectstorage.com;
|
||||||
|
|
||||||
|
proxy_ssl_server_name on;
|
||||||
|
proxy_ssl_name nhcarrigan.hel1.your-objectstorage.com;
|
||||||
|
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Connection "";
|
||||||
|
|
||||||
|
proxy_set_header Authorization "";
|
||||||
|
proxy_set_header x-amz-date "";
|
||||||
|
proxy_set_header x-amz-security-token "";
|
||||||
|
|
||||||
|
proxy_hide_header Access-Control-Allow-Origin;
|
||||||
|
|
||||||
|
add_header X-Debug-Cdn "Proxy-Active" always;
|
||||||
|
add_header Access-Control-Allow-Origin "*" always;
|
||||||
|
add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
|
||||||
|
add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,15 @@
|
|||||||
|
# Celestine webhook handler.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name celestine.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/celestine.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/celestine.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:9080;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
@@ -0,0 +1,25 @@
|
|||||||
|
# Cipher - Bluesky collections archive.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name cipher.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/cipher.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/cipher.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/cipher;
|
||||||
|
|
||||||
|
location = / {
|
||||||
|
try_files /site.html =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location = /data.json {
|
||||||
|
default_type application/json;
|
||||||
|
add_header Content-Type "application/json; charset=utf-8";
|
||||||
|
}
|
||||||
|
|
||||||
|
# Everything else gets the global 404
|
||||||
|
location / {
|
||||||
|
return 404;
|
||||||
|
}
|
||||||
|
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,148 @@
|
|||||||
|
# Static content and publishing sites: blog, books, donate, music, personality, secrets, style, testimonials.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name blog.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/blog.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/blog.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:3003;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name books.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/books.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/books.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/books;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /books.json {
|
||||||
|
try_files /books.json =404;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name donate.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/donate.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/donate.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/donate;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name grimoire.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/grimoire.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/grimoire.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/grimoire;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name memes.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/memes.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/memes.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/memes;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name music.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/music.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/music.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/music;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /songs.json {
|
||||||
|
try_files /songs.json =404;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name personality.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/personality.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/personality.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/personality/dist;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name secrets.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/secrets.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/secrets.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/secrets;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name style.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/style.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/style.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/style;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name testimonials.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/testimonials.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/testimonials.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/testimonials;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,14 @@
|
|||||||
|
# Data service proxy.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name data.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/data.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/data.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:9999;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -1,91 +1,18 @@
|
|||||||
##
|
|
||||||
# You should look at the following URL's in order to grasp a solid understanding
|
|
||||||
# of Nginx configuration files in order to fully unleash the power of Nginx.
|
|
||||||
# https://www.nginx.com/resources/wiki/start/
|
|
||||||
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
|
|
||||||
# https://wiki.debian.org/Nginx/DirectoryStructure
|
|
||||||
#
|
|
||||||
# In most cases, administrators will remove this file from sites-enabled/ and
|
|
||||||
# leave it as reference inside of sites-available where it will continue to be
|
|
||||||
# updated by the nginx packaging team.
|
|
||||||
#
|
|
||||||
# This file will automatically load configuration files provided by other
|
|
||||||
# applications, such as Drupal or Wordpress. These applications will be made
|
|
||||||
# available underneath a path with that package name, such as /drupal8.
|
|
||||||
#
|
|
||||||
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
|
|
||||||
##
|
|
||||||
|
|
||||||
# Default server configuration
|
|
||||||
#
|
|
||||||
server {
|
server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
listen [::]:80 default_server;
|
listen [::]:80 default_server;
|
||||||
|
|
||||||
# SSL configuration
|
|
||||||
#
|
|
||||||
# listen 443 ssl default_server;
|
|
||||||
# listen [::]:443 ssl default_server;
|
|
||||||
#
|
|
||||||
# Note: You should disable gzip for SSL traffic.
|
|
||||||
# See: https://bugs.debian.org/773332
|
|
||||||
#
|
|
||||||
# Read up on ssl_ciphers to ensure a secure configuration.
|
|
||||||
# See: https://bugs.debian.org/765782
|
|
||||||
#
|
|
||||||
# Self signed certs generated by the ssl-cert package
|
|
||||||
# Don't use them in a production server!
|
|
||||||
#
|
|
||||||
# include snippets/snakeoil.conf;
|
|
||||||
|
|
||||||
root /var/www/html;
|
|
||||||
|
|
||||||
# Add index.php to the list if you are using PHP
|
|
||||||
index index.html index.htm index.nginx-debian.html;
|
|
||||||
|
|
||||||
server_name _;
|
server_name _;
|
||||||
|
|
||||||
|
root /home/naomi/404;
|
||||||
|
|
||||||
|
error_page 404 /index.html;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
# First attempt to serve request as file, then
|
return 404;
|
||||||
# as directory, then fall back to displaying a 404.
|
|
||||||
try_files $uri $uri/ =404;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# pass PHP scripts to FastCGI server
|
location = /index.html {
|
||||||
#
|
internal;
|
||||||
#location ~ \.php$ {
|
}
|
||||||
# include snippets/fastcgi-php.conf;
|
|
||||||
#
|
|
||||||
# # With php-fpm (or other unix sockets):
|
|
||||||
# fastcgi_pass unix:/run/php/php7.4-fpm.sock;
|
|
||||||
# # With php-cgi (or other tcp sockets):
|
|
||||||
# fastcgi_pass 127.0.0.1:9000;
|
|
||||||
#}
|
|
||||||
|
|
||||||
# deny access to .htaccess files, if Apache's document root
|
|
||||||
# concurs with nginx's one
|
|
||||||
#
|
|
||||||
#location ~ /\.ht {
|
|
||||||
# deny all;
|
|
||||||
#}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# Virtual Host configuration for example.com
|
|
||||||
#
|
|
||||||
# You can move that to a different file under sites-available/ and symlink that
|
|
||||||
# to sites-enabled/ to enable it.
|
|
||||||
#
|
|
||||||
#server {
|
|
||||||
# listen 80;
|
|
||||||
# listen [::]:80;
|
|
||||||
#
|
|
||||||
# server_name example.com;
|
|
||||||
#
|
|
||||||
# root /var/www/example.com;
|
|
||||||
# index index.html;
|
|
||||||
#
|
|
||||||
# location / {
|
|
||||||
# try_files $uri $uri/ =404;
|
|
||||||
# }
|
|
||||||
#}
|
|
||||||
|
|||||||
@@ -0,0 +1,70 @@
|
|||||||
|
# Documentation and informational sites: contact, docs, manual, sitemap, socials.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name contact.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/contact.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/contact.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/socials;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name docs.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/docs.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/docs.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/docs/dist;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name manual.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/manual.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/manual.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/manual;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name sitemap.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/sitemap.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/sitemap.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/sitemap;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name socials.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/socials.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/socials.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/socials;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,15 @@
|
|||||||
|
# Eclaire Angular SPA.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name eclaire.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/eclaire.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/eclaire.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/eclaire/dist/eclaire/browser;
|
||||||
|
index index.html;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ /index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,19 @@
|
|||||||
|
# Elowyn Angular SPA.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name elowyn.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/elowyn.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/elowyn.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/elowyn;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
try_files $uri $uri/ /index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~* \.(js|css)$ {
|
||||||
|
try_files $uri $uri/ @rewrite;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,25 @@
|
|||||||
|
# Elysium Vite SPA and Hono API backend.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name elysium.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/elysium.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/elysium.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/elysium/apps/web/dist;
|
||||||
|
|
||||||
|
location /api/ {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:3898/;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
try_files $uri $uri/ /index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~* \.(js|css)$ {
|
||||||
|
try_files $uri $uri/ @rewrite;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,163 @@
|
|||||||
|
# Grist forms platform (forms-api backend + forms frontend with CSS injection) and legacy form URL redirects.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name forms-api.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/forms-api.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/forms-api.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:1234;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name forms.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/forms.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/forms.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
###########################
|
||||||
|
# REDIRECTS FOR OLD FORMS #
|
||||||
|
###########################
|
||||||
|
|
||||||
|
# Volunteer Application Form
|
||||||
|
location ~* ^/form/PEpB3gA79gxP8wmfEf4zou96opkpUTjssTcaeYjhoi8$ {
|
||||||
|
return 301 https://forms.nhcarrigan.com/o/docs/forms/mCxDu3snk9TzFiDjrT4Vc8/4;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Mentorship Application Form (now Discord self-selectable role)
|
||||||
|
location ~* ^/form/gNv4NYZmdiMWpkUcnknII2yYCvnYNGAmabG5O5He9Mo$ {
|
||||||
|
return 301 https://docs.nhcarrigan.com/about/mentorship;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Testimonials Form
|
||||||
|
location ~* ^/form/M_GrmqASymmO744axMOmu2LaMAaT5F0LmdVcU2c8-gQ$ {
|
||||||
|
return 301 https://forms.nhcarrigan.com/o/docs/forms/6kULn8zswT8vYcoC8wE1Zi/4;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Community Appeals Form
|
||||||
|
location ~* ^/form/l3PC15yalSWjdZASTQvGo22q_uj_7OtXAhZdcW35ev8$ {
|
||||||
|
return 301 https://forms.nhcarrigan.com/o/docs/forms/4w5VHsYiEkiS2mewvtuJYL/4;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Recognition/Nomination Form
|
||||||
|
location ~* ^/form/wksk-NuR3HBuovSixbXFEnkYq-3Gp-bZMH-n__PNRKw$ {
|
||||||
|
return 301 https://forms.nhcarrigan.com/o/docs/forms/to2oFocVgALyr23EC84xM9/4;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Community Feedback Form (now Discord forum channel)
|
||||||
|
location ~* ^/form/IDdo5e4OJS44QYFm9_aRJ36lY3Ox-BBTAM9zfnkhfoo$ {
|
||||||
|
return 301 https://docs.nhcarrigan.com/community/feedback;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Product Feedback Form (now Discord forum channel)
|
||||||
|
location ~* ^/form/jkcGg0hMIa4U0hDL2OMip5pMX2UujN5W5n4Qn8HReJ8$ {
|
||||||
|
return 301 https://docs.nhcarrigan.com/community/feedback;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Meeting Request Form (now Zcal scheduling)
|
||||||
|
location ~* ^/form/uUKZiJSDm6847iDOlpZkD5QF7cAjoTbTm0F4T0EdW0I$ {
|
||||||
|
return 301 https://zcal.co/nhcarrigan/meet;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Commission Request Form
|
||||||
|
location ~* ^/form/XRlQjeu8CbMrTA-v0IPOxlUPEPitLKXTWg70UUCIORA$ {
|
||||||
|
return 301 https://forms.nhcarrigan.com/o/docs/forms/a9K6uzJkpnTfnKgo19b4Rp/4;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Contact Form
|
||||||
|
location ~* ^/form/HyqoJ9Th5QDiOn_GPLNIRhe1a5ON7mDQf-O_ukM6R4g$ {
|
||||||
|
return 301 https://forms.nhcarrigan.com/o/docs/forms/8XTPmbrFtvDJAKSPgBgsvA/4;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Git Account Request Form (no longer available - now Discord forum channels)
|
||||||
|
location ~* ^/form/c0_N5hb-VcmC2ClzaGOvDxVirMN_coiWG7eoPhDPsZ0$ {
|
||||||
|
return 301 https://docs.nhcarrigan.com/about/contact;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Event/Publication Request Form
|
||||||
|
location ~* ^/form/Xqap3Q8hazzJd4Rrp9OOs9ip8Pa7C9zOVThlyFoPCbU$ {
|
||||||
|
return 301 https://forms.nhcarrigan.com/o/docs/forms/3xEKnDEbqQKG8GJp4kXRCs/4;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Match any path ending in /forms/<id>
|
||||||
|
location ~ /forms/([^/]+)(?:/(.*))?$ {
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_pass http://127.0.0.1:11111;
|
||||||
|
proxy_redirect off;
|
||||||
|
|
||||||
|
# Disable Gzip from upstream so nginx can inject CSS
|
||||||
|
proxy_set_header Accept-Encoding "";
|
||||||
|
|
||||||
|
# Override Grist OG image (replace the URL directly so our image wins in all three tags)
|
||||||
|
sub_filter 'https://grist-static.com/icons/opengraph-preview-image.png' 'https://cdn.nhcarrigan.com/og-image.png';
|
||||||
|
|
||||||
|
# Inject CSS and remove Grist branding
|
||||||
|
sub_filter '</body>' '<style>
|
||||||
|
/* 1. Remove the "Powered by Grist" footer */
|
||||||
|
footer[class] {
|
||||||
|
display: none !important;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* 2. Remove the Border/Shadow from the container */
|
||||||
|
.test-form-framing {
|
||||||
|
border: none !important;
|
||||||
|
box-shadow: none !important;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* 3. Remove the "Grist Form" badge (First child of framing) */
|
||||||
|
.test-form-framing > *:first-child {
|
||||||
|
display: none !important;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* 4. Style the reset button with the theme accent colour */
|
||||||
|
.test-form-reset {
|
||||||
|
background-color: #A8577E !important;
|
||||||
|
border-color: #A8577E !important;
|
||||||
|
color: #F5F5F5 !important;
|
||||||
|
}
|
||||||
|
|
||||||
|
main {
|
||||||
|
margin-bottom: auto !important;
|
||||||
|
}
|
||||||
|
|
||||||
|
div:has(> main:first-child) {
|
||||||
|
border-radius: 10px;
|
||||||
|
margin-bottom: 50px;
|
||||||
|
}
|
||||||
|
</style><script src="https://cdn.nhcarrigan.com/headers/index.js"></script><script>document.querySelector("footer")?.remove();</script>
|
||||||
|
</body>';
|
||||||
|
|
||||||
|
sub_filter_once off;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Upgrade websocket requests and route the api backend
|
||||||
|
location ~ ^/(api|ws)/ {
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
proxy_pass http://127.0.0.1:11111;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_pass http://127.0.0.1:11111;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,202 @@
|
|||||||
|
# Games and gaming projects: beccalia, games hub, goblin, loan, lore, silly, wompwomp, yurigpt.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name beccalia.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/beccalia.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/beccalia.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/games/beccalia;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /origins {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /prologue {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name blackwood.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/blackwood.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/blackwood.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/blackwood/dist;
|
||||||
|
index index.html;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ /index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /assets/ {
|
||||||
|
expires max;
|
||||||
|
add_header Cache-Control "public, immutable";
|
||||||
|
access_log off;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~* \.(mp3|png|gif|ico|svg|webp)$ {
|
||||||
|
expires 30d;
|
||||||
|
add_header Cache-Control "public";
|
||||||
|
access_log off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name games.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/games.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/games.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/games;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name goblin.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/goblin.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/goblin.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/games/goblin;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name loan.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/loan.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/loan.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/games/loan;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name lore.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/lore.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/lore.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/lore/dist/lore/browser;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name silly.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/silly.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/silly.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/silly;
|
||||||
|
index index.html;
|
||||||
|
|
||||||
|
location = / {
|
||||||
|
try_files /index.html =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ $uri.html $uri/index.html =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|otf|eot|webp)$ {
|
||||||
|
expires 30d;
|
||||||
|
add_header Cache-Control "public, immutable";
|
||||||
|
access_log off;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ /\.(?!well-known) {
|
||||||
|
deny all;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name wompwomp.club;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/wompwomp.club/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/wompwomp.club/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:5033;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name www.wompwomp.club;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/www.wompwomp.club/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/www.wompwomp.club/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:5033;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name www.yurigpt.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/www.yurigpt.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/www.yurigpt.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/yurigpt/dist/yurigpt/browser;
|
||||||
|
index index.html;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ /index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /ads.txt {
|
||||||
|
add_header Content-Type text/plain;
|
||||||
|
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name yurigpt.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/yurigpt.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/yurigpt.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/yurigpt/dist/yurigpt/browser;
|
||||||
|
index index.html;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ /index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /ads.txt {
|
||||||
|
add_header Content-Type text/plain;
|
||||||
|
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,14 @@
|
|||||||
|
# Self-hosted Gitea instance.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name git.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/git.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/git.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
client_max_body_size 5000M;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:53000;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,29 @@
|
|||||||
|
# Hikari desktop app (Angular SPA + API backend).
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name hikari.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/hikari.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/hikari.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/hikari/client/dist/client/browser;
|
||||||
|
index index.html;
|
||||||
|
|
||||||
|
location /api/ {
|
||||||
|
proxy_pass http://127.0.0.1:20000/;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header cf-connecting-ip $http_cf_connecting_ip;
|
||||||
|
proxy_set_header origin $http_origin;
|
||||||
|
|
||||||
|
# This removes /api from the forwarded URL
|
||||||
|
rewrite ^/api/(.*)$ /$1 break;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ /index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
@@ -0,0 +1,36 @@
|
|||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name img.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/img.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/img.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
# allow large file uploads
|
||||||
|
client_max_body_size 50000M;
|
||||||
|
|
||||||
|
# disable buffering uploads to prevent OOM on reverse proxy server and make uploads twice as fast (no pause)
|
||||||
|
proxy_request_buffering off;
|
||||||
|
|
||||||
|
# increase body buffer to avoid limiting upload speed
|
||||||
|
client_body_buffer_size 1024k;
|
||||||
|
|
||||||
|
# Set headers
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
|
# enable websockets: http://nginx.org/en/docs/http/websocket.html
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_redirect off;
|
||||||
|
|
||||||
|
# set timeout
|
||||||
|
proxy_read_timeout 600s;
|
||||||
|
proxy_send_timeout 600s;
|
||||||
|
send_timeout 600s;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:2283;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,13 @@
|
|||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name learn.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/learn.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/learn.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/learn/dist;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,14 @@
|
|||||||
|
# Library service proxy.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name library.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/library.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/library.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:12321;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,26 @@
|
|||||||
|
# Lucinda full-stack app (Angular SPA + API backend).
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name lucinda.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/lucinda.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/lucinda.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/lucinda/client/dist/client/browser;
|
||||||
|
index index.html;
|
||||||
|
|
||||||
|
location /api/ {
|
||||||
|
proxy_pass http://127.0.0.1:12346/;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
|
# This removes /api from the forwarded URL
|
||||||
|
rewrite ^/api/(.*)$ /$1 break;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ /index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,26 @@
|
|||||||
|
# Lynira.link domain (bare + www).
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name lynira.link;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/lynira.link/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/lynira.link/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:5044;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name www.lynira.link;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/www.lynira.link/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/www.lynira.link/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:5044;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,42 @@
|
|||||||
|
# Mommy bot suite: mommy-bot Discord bot, mommy-slack Slack bot, mommy web front-end.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name mommy-bot.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/mommy-bot.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/mommy-bot.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:8009;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name mommy-slack.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/mommy-slack.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/mommy-slack.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:8010;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name mommy.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/mommy.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/mommy.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:8008;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,85 @@
|
|||||||
|
# Monitoring stack: analytics, incidents, logs, telemetry, uptime.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name analytics.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/analytics.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/analytics.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_pass http://127.0.0.1:11080;
|
||||||
|
}
|
||||||
|
|
||||||
|
location = /live/websocket {
|
||||||
|
proxy_pass http://127.0.0.1:11080;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "Upgrade";
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name incidents.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/incidents.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/incidents.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:3001;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name logs.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/logs.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/logs.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:9000;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto http;
|
||||||
|
proxy_redirect http:// $scheme://;
|
||||||
|
|
||||||
|
proxy_connect_timeout 1m;
|
||||||
|
proxy_send_timeout 1m;
|
||||||
|
proxy_read_timeout 1m;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name telemetry.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/telemetry.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/telemetry.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:5080;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name uptime.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/uptime.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/uptime.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:3001;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,33 @@
|
|||||||
|
# Nails app: Angular front-end SPA and API backend.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name nails-api.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/nails-api.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/nails-api.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:1235;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name nails.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/nails.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/nails.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/nails/client/dist/client/browser;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
try_files $uri $uri/ /index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~* \.(js|css)$ {
|
||||||
|
try_files $uri $uri/ @rewrite;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,28 @@
|
|||||||
|
# Nocturne static site.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name nocturne.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/nocturne.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/nocturne.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/nocturne;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name scripture.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/scripture.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/scripture.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/scripture;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,93 @@
|
|||||||
|
# SilverBullet notes instance and Planka project board.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name board.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/board.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/board.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location ~ /ws/* {
|
||||||
|
proxy_pass http://127.0.0.1:43333;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
client_max_body_size 50M;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header X-Frame-Options SAMEORIGIN;
|
||||||
|
proxy_buffers 256 16k;
|
||||||
|
proxy_buffer_size 16k;
|
||||||
|
client_body_timeout 60;
|
||||||
|
send_timeout 300;
|
||||||
|
lingering_timeout 5;
|
||||||
|
proxy_connect_timeout 1d;
|
||||||
|
proxy_send_timeout 1d;
|
||||||
|
proxy_read_timeout 1d;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:43333;
|
||||||
|
client_max_body_size 50M;
|
||||||
|
proxy_set_header Connection "";
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header X-Frame-Options SAMEORIGIN;
|
||||||
|
proxy_buffers 256 16k;
|
||||||
|
proxy_buffer_size 16k;
|
||||||
|
proxy_read_timeout 600s;
|
||||||
|
proxy_cache_revalidate on;
|
||||||
|
proxy_cache_min_uses 2;
|
||||||
|
proxy_cache_use_stale timeout;
|
||||||
|
proxy_cache_lock on;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name notes.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/notes.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/notes.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location ~ ^/(collab|socket\.io)(/.*)?$ {
|
||||||
|
proxy_pass http://127.0.0.1:30000;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
client_max_body_size 50M;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header X-Frame-Options SAMEORIGIN;
|
||||||
|
proxy_buffers 256 16k;
|
||||||
|
proxy_buffer_size 16k;
|
||||||
|
client_body_timeout 60;
|
||||||
|
send_timeout 300;
|
||||||
|
lingering_timeout 5;
|
||||||
|
proxy_connect_timeout 1d;
|
||||||
|
proxy_send_timeout 1d;
|
||||||
|
proxy_read_timeout 1d;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:30000;
|
||||||
|
client_max_body_size 50M;
|
||||||
|
proxy_set_header Connection "";
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header X-Frame-Options SAMEORIGIN;
|
||||||
|
proxy_buffers 256 16k;
|
||||||
|
proxy_buffer_size 16k;
|
||||||
|
proxy_read_timeout 600s;
|
||||||
|
proxy_cache_revalidate on;
|
||||||
|
proxy_cache_min_uses 2;
|
||||||
|
proxy_cache_use_stale timeout;
|
||||||
|
proxy_cache_lock on;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,161 @@
|
|||||||
|
# Personal portfolio and vanity domains (naomi.lgbt, naomi.party, nhcarrigan.com, nhcarrigan.link, resume).
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name naomi.lgbt;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/naomi.lgbt/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/naomi.lgbt/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/portfolio/site;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /ads.txt {
|
||||||
|
add_header Content-Type text/plain;
|
||||||
|
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
|
||||||
|
}
|
||||||
|
|
||||||
|
location /games {
|
||||||
|
try_files /games.html =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /koikatsu {
|
||||||
|
try_files /koikatsu.html =404;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name naomi.party;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/naomi.party/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/naomi.party/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/bsky;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /ads.txt {
|
||||||
|
add_header Content-Type text/plain;
|
||||||
|
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/portfolio/site;
|
||||||
|
|
||||||
|
location /ads.txt {
|
||||||
|
add_header Content-Type text/plain;
|
||||||
|
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /games {
|
||||||
|
try_files /games.html =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /koikatsu {
|
||||||
|
try_files /koikatsu.html =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /testimonials {
|
||||||
|
return 301 https://testimonials.nhcarrigan.com;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name nhcarrigan.link;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/nhcarrigan.link/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/nhcarrigan.link/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/link-redirector;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /ads.txt {
|
||||||
|
add_header Content-Type text/plain;
|
||||||
|
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name resume.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/resume.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/resume.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/resume/site;
|
||||||
|
|
||||||
|
location /resume.yaml {
|
||||||
|
default_type text/plain;
|
||||||
|
add_header Content-Type "text/plain; charset=utf-8";
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
try_files $uri $uri/ /index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name www.naomi.lgbt;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/www.naomi.lgbt/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/www.naomi.lgbt/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/portfolio/site;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /games {
|
||||||
|
try_files /games.html =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /koikatsu {
|
||||||
|
try_files /koikatsu.html =404;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name www.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/www.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/www.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/portfolio/site;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /games {
|
||||||
|
try_files /games.html =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /koikatsu {
|
||||||
|
try_files /koikatsu.html =404;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
@@ -0,0 +1,13 @@
|
|||||||
|
# Naomi QR code generator.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name qr.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/qr.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/qr.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:15555;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,34 @@
|
|||||||
|
# Rosalia alerting service and legacy alerts redirect.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name alerts.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/alerts.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/alerts.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
# Redirect ONLY root `/`
|
||||||
|
location = / {
|
||||||
|
return 307 https://rosalia.nhcarrigan.com;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Proxy everything else
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:5003;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name rosalia.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/rosalia.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/rosalia.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:5003;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,41 @@
|
|||||||
|
# Security tooling: SonarQube code quality gate and DefectDojo vulnerability management.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name quality.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/quality.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/quality.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
client_max_body_size 1g;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:9500;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name security.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/security.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/security.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location /report {
|
||||||
|
alias /home/naomi/defectdojo;
|
||||||
|
index report.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:43434;
|
||||||
|
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
|
client_max_body_size 100M;
|
||||||
|
proxy_read_timeout 90;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,28 @@
|
|||||||
|
# Speaking sites: events listing and talk companion guides.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name events.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/events.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/events.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/events;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name talks.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/talks.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/talks.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/talks;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/index.html =404;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,26 @@
|
|||||||
|
# Discourse community support forum.
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
server_name support.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/support.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/support.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
|
|
||||||
|
client_max_body_size 20M;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://localhost:32121;
|
||||||
|
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto https;
|
||||||
|
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,22 @@
|
|||||||
|
# Tarot static site.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name tarot.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/tarot.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/tarot.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/tarot;
|
||||||
|
|
||||||
|
location = / {
|
||||||
|
try_files /index.html =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ \.json$ {
|
||||||
|
try_files $uri =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 403;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,33 @@
|
|||||||
|
# Vitalia app: Angular front-end SPA and API backend.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name vitalia-api.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/vitalia.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/vitalia.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:12345;
|
||||||
|
proxy_redirect off;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name vitalia.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/vitalia.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/vitalia.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/vitalia/client/dist/client/browser;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html;
|
||||||
|
try_files $uri $uri/ /index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~* \.(js|css)$ {
|
||||||
|
try_files $uri $uri/ @rewrite;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,15 @@
|
|||||||
|
# Workshops Angular SPA (companion guides for live workshops).
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name workshops.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/workshops.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/workshops.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
root /home/naomi/workshops/dist/workshops/browser;
|
||||||
|
index index.html;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ /index.html;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
# wtf.naomi.lgbt personal project.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name wtf.naomi.lgbt;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/wtf.naomi.lgbt/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/wtf.naomi.lgbt/privkey.pem;
|
||||||
|
client_max_body_size 100M;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:3456;
|
||||||
|
proxy_redirect off;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/404.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/afp.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/aria.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/bots.conf
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/catch-all.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/cdn.conf
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/celestine.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/cipher.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/content.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/data.conf
|
||||||
@@ -1 +1 @@
|
|||||||
/etc/nginx/sites-available/default
|
../sites-available/default
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/docs.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/eclaire.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/elowyn.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/elysium.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/forms.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/games.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/git.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/hikari.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/img.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/learn.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/library.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/lucinda.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/lynira.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/mommy.conf
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/monitoring.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/nails.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/nocturne.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/notes.conf
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/portfolio.conf
|
||||||
@@ -0,0 +1,13 @@
|
|||||||
|
# Naomi QR code generator.
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name qr.nhcarrigan.com;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/qr.nhcarrigan.com/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/qr.nhcarrigan.com/privkey.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:15555;
|
||||||
|
}
|
||||||
|
include /etc/nginx/snippets/deny-dotfiles.conf;
|
||||||
|
}
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/rosalia.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/security.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/speaking.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/support.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/tarot.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/vitalia.conf
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/workshops.conf
|
||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../sites-available/wtf.conf
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
# Block requests for dotfiles (e.g. .gitconfig, .env, .git/).
|
||||||
|
location ~ /\. {
|
||||||
|
return 403;
|
||||||
|
}
|
||||||
@@ -1,13 +0,0 @@
|
|||||||
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
|
|
||||||
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
|
||||||
|
|
||||||
# Check that the PHP script exists before passing it
|
|
||||||
try_files $fastcgi_script_name =404;
|
|
||||||
|
|
||||||
# Bypass the fact that try_files resets $fastcgi_path_info
|
|
||||||
# see: http://trac.nginx.org/nginx/ticket/321
|
|
||||||
set $path_info $fastcgi_path_info;
|
|
||||||
fastcgi_param PATH_INFO $path_info;
|
|
||||||
|
|
||||||
fastcgi_index index.php;
|
|
||||||
include fastcgi.conf;
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
# Self signed certificates generated by the ssl-cert package
|
|
||||||
# Don't use them in a production server!
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
|
||||||
@@ -1,3 +1,3 @@
|
|||||||
echo "Pushing nginx to prod"
|
echo "Pushing nginx to prod"
|
||||||
rsync --archive --verbose --rsync-path="sudo rsync" nginx/nginx/ prod:/etc/nginx
|
rsync --archive --verbose --delete --rsync-path="sudo rsync" nginx/nginx/ prod:/etc/nginx
|
||||||
echo "All done!"
|
echo "All done!"
|
||||||
|
|||||||
Symlink
+1
@@ -0,0 +1 @@
|
|||||||
|
sites-available/img.conf
|
||||||
@@ -1,24 +1,260 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
CONF="configs/prod.conf"
|
# Nginx configuration static analysis test suite.
|
||||||
|
# Usage: bash test.sh [nginx-dir]
|
||||||
|
# Defaults to nginx/nginx relative to the repo root.
|
||||||
|
|
||||||
# Extract server_name values in order, ignoring commented lines
|
NGINX_DIR="${1:-nginx/nginx}"
|
||||||
mapfile -t domains < <(grep -oP '^\s*server_name\s+\K[^;]+' "$CONF")
|
PASS=0
|
||||||
|
FAIL=0
|
||||||
|
|
||||||
sorted=($(printf "%s\n" "${domains[@]}" | sort))
|
pass() {
|
||||||
|
printf " PASS: %s\n" "$1"
|
||||||
|
((PASS++))
|
||||||
|
}
|
||||||
|
|
||||||
# Print the sorted list for debugging
|
fail() {
|
||||||
echo "Auditing servers:"
|
printf " FAIL: %s\n" "$1"
|
||||||
printf "%s " "${sorted[@]}"
|
((FAIL++))
|
||||||
|
}
|
||||||
|
|
||||||
|
echo "=== nginx config static analysis ==="
|
||||||
|
echo "Directory: $NGINX_DIR"
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
for i in "${!domains[@]}"; do
|
# ──────────────────────────────────────────────────────────────────
|
||||||
if [[ "${domains[$i]}" != "${sorted[$i]}" ]]; then
|
# 1. No deprecated TLS versions
|
||||||
echo "Domain list is not sorted alphabetically."
|
# ──────────────────────────────────────────────────────────────────
|
||||||
echo "First out-of-order entry: '${domains[$i]}' (should be '${sorted[$i]}')"
|
echo "--- TLS version check ---"
|
||||||
exit 1
|
deprecated=$(grep -rnP 'TLSv1(?!\.[23])' "$NGINX_DIR" --include="*.conf" 2>/dev/null || true)
|
||||||
|
if [ -n "$deprecated" ]; then
|
||||||
|
fail "Deprecated TLS versions (TLSv1 or TLSv1.1) found:"
|
||||||
|
printf '%s\n' "$deprecated" | sed 's/^/ /'
|
||||||
|
else
|
||||||
|
pass "No deprecated TLS versions"
|
||||||
|
fi
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
# 2. No duplicate literal server_name values across all site configs
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
echo "--- Duplicate server_name check ---"
|
||||||
|
duplicates=$(grep -rh --include="*.conf" 'server_name' "$NGINX_DIR/sites-available/" \
|
||||||
|
| grep -v '^\s*#' \
|
||||||
|
| sed 's/.*server_name\s*//' \
|
||||||
|
| sed 's/\s*;//' \
|
||||||
|
| tr ' ' '\n' \
|
||||||
|
| grep -vP '^\s*$|^_$|^~|^\*\.' \
|
||||||
|
| sort | uniq -d)
|
||||||
|
if [ -n "$duplicates" ]; then
|
||||||
|
fail "Duplicate server_name values:"
|
||||||
|
printf '%s\n' "$duplicates" | sed 's/^/ /'
|
||||||
|
else
|
||||||
|
pass "No duplicate server_name values"
|
||||||
|
fi
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
# 3. Every sites-available/*.conf has a sites-enabled symlink
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
echo "--- sites-enabled coverage check ---"
|
||||||
|
missing_links=0
|
||||||
|
for conf in "$NGINX_DIR/sites-available/"*.conf; do
|
||||||
|
name=$(basename "$conf")
|
||||||
|
if [ ! -L "$NGINX_DIR/sites-enabled/$name" ]; then
|
||||||
|
fail "No sites-enabled symlink for: $name"
|
||||||
|
missing_links=1
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
[ "$missing_links" -eq 0 ] && pass "All sites-available configs have sites-enabled symlinks"
|
||||||
|
echo ""
|
||||||
|
|
||||||
echo "All server_name entries are sorted alphabetically."
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
# 4. No broken symlinks in sites-enabled
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
echo "--- Broken symlink check ---"
|
||||||
|
broken=0
|
||||||
|
for link in "$NGINX_DIR/sites-enabled/"*; do
|
||||||
|
[ -L "$link" ] || continue
|
||||||
|
if [ ! -e "$link" ]; then
|
||||||
|
fail "Broken symlink: $(basename "$link")"
|
||||||
|
broken=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
[ "$broken" -eq 0 ] && pass "No broken symlinks in sites-enabled"
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
# 5. No orphaned sites-enabled symlinks (no matching sites-available file)
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
echo "--- Orphaned symlink check ---"
|
||||||
|
orphaned=0
|
||||||
|
for link in "$NGINX_DIR/sites-enabled/"*.conf; do
|
||||||
|
[ -L "$link" ] || continue
|
||||||
|
name=$(basename "$link")
|
||||||
|
if [ ! -f "$NGINX_DIR/sites-available/$name" ]; then
|
||||||
|
fail "Orphaned sites-enabled symlink: $name"
|
||||||
|
orphaned=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
[ "$orphaned" -eq 0 ] && pass "No orphaned sites-enabled symlinks"
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
# 6. No port-80 listeners in any custom server block
|
||||||
|
# (port 80 is blocked at the firewall; all traffic is HTTPS only)
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
echo "--- Port 80 listener check ---"
|
||||||
|
http_blocks=$(grep -rnP 'listen\s.*\b80\b' "$NGINX_DIR/sites-available/" \
|
||||||
|
| grep -v 'sites-available/default' \
|
||||||
|
| grep -v '^\s*#' || true)
|
||||||
|
if [ -n "$http_blocks" ]; then
|
||||||
|
fail "Port 80 listeners found in custom site configs:"
|
||||||
|
printf '%s\n' "$http_blocks" | sed 's/^/ /'
|
||||||
|
else
|
||||||
|
pass "No port 80 listeners in custom server blocks"
|
||||||
|
fi
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
# 7. ssl_certificate and ssl_certificate_key counts match per file
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
echo "--- SSL certificate directive pairing check ---"
|
||||||
|
ssl_errors=0
|
||||||
|
for conf in "$NGINX_DIR/sites-available/"*.conf; do
|
||||||
|
certs=$(grep -cP 'ssl_certificate\b(?!_key)' "$conf" 2>/dev/null || echo 0)
|
||||||
|
keys=$(grep -c 'ssl_certificate_key' "$conf" 2>/dev/null || echo 0)
|
||||||
|
if [ "$certs" != "$keys" ]; then
|
||||||
|
fail "$(basename "$conf"): $certs ssl_certificate vs $keys ssl_certificate_key (must match)"
|
||||||
|
ssl_errors=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
[ "$ssl_errors" -eq 0 ] && pass "All ssl_certificate directives are correctly paired"
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
# 8. All plain-HTTP proxy_pass targets are local
|
||||||
|
# (https:// proxy_pass is permitted for intentional external proxying,
|
||||||
|
# e.g. CDN reverse-proxying to object storage over TLS)
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
echo "--- proxy_pass locality check ---"
|
||||||
|
external=$(grep -rn 'proxy_pass\s\+http://' "$NGINX_DIR/sites-available/" \
|
||||||
|
| grep -v '#' \
|
||||||
|
| grep -vP 'proxy_pass\s+http://(127\.0\.0\.1|localhost|0\.0\.0\.0)' || true)
|
||||||
|
if [ -n "$external" ]; then
|
||||||
|
fail "Plain-HTTP proxy_pass to non-local target found:"
|
||||||
|
printf '%s\n' "$external" | sed 's/^/ /'
|
||||||
|
else
|
||||||
|
pass "All plain-HTTP proxy_pass targets are local"
|
||||||
|
fi
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
# 9. All SSL cert paths use /etc/letsencrypt/live/
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
echo "--- SSL certificate path convention check ---"
|
||||||
|
nonstandard_certs=$(grep -rn 'ssl_certificate' "$NGINX_DIR/sites-available/" \
|
||||||
|
| grep -v '#' \
|
||||||
|
| grep -vP '/etc/letsencrypt/live/' || true)
|
||||||
|
if [ -n "$nonstandard_certs" ]; then
|
||||||
|
fail "SSL certs not under /etc/letsencrypt/live/:"
|
||||||
|
printf '%s\n' "$nonstandard_certs" | sed 's/^/ /'
|
||||||
|
else
|
||||||
|
pass "All SSL certificate paths use /etc/letsencrypt/live/"
|
||||||
|
fi
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
# 10. ssl_certificate uses fullchain.pem, ssl_certificate_key uses privkey.pem
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
echo "--- SSL certificate filename convention check ---"
|
||||||
|
cert_name_errors=0
|
||||||
|
wrong_certs=$(grep -rnP 'ssl_certificate\b(?!_key)' "$NGINX_DIR/sites-available/" \
|
||||||
|
| grep -v '#' \
|
||||||
|
| grep -v 'fullchain\.pem' || true)
|
||||||
|
wrong_keys=$(grep -rn 'ssl_certificate_key' "$NGINX_DIR/sites-available/" \
|
||||||
|
| grep -v '#' \
|
||||||
|
| grep -v 'privkey\.pem' || true)
|
||||||
|
if [ -n "$wrong_certs" ]; then
|
||||||
|
fail "ssl_certificate not using fullchain.pem:"
|
||||||
|
printf '%s\n' "$wrong_certs" | sed 's/^/ /'
|
||||||
|
cert_name_errors=1
|
||||||
|
fi
|
||||||
|
if [ -n "$wrong_keys" ]; then
|
||||||
|
fail "ssl_certificate_key not using privkey.pem:"
|
||||||
|
printf '%s\n' "$wrong_keys" | sed 's/^/ /'
|
||||||
|
cert_name_errors=1
|
||||||
|
fi
|
||||||
|
[ "$cert_name_errors" -eq 0 ] && pass "All SSL certs use fullchain.pem / privkey.pem"
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
# 11. No server_name directives use raw IP addresses
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
echo "--- IP address as server_name check ---"
|
||||||
|
ip_names=$(grep -rh --include="*.conf" 'server_name' "$NGINX_DIR/sites-available/" \
|
||||||
|
| grep -v '#' \
|
||||||
|
| sed 's/.*server_name\s*//' \
|
||||||
|
| sed 's/\s*;//' \
|
||||||
|
| tr ' ' '\n' \
|
||||||
|
| grep -P '^\d{1,3}(\.\d{1,3}){3}$' || true)
|
||||||
|
if [ -n "$ip_names" ]; then
|
||||||
|
fail "server_name uses raw IP addresses:"
|
||||||
|
printf '%s\n' "$ip_names" | sed 's/^/ /'
|
||||||
|
else
|
||||||
|
pass "No server_name directives use raw IP addresses"
|
||||||
|
fi
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
# 12. No conf.d files conflict with built-in nginx conf.d conventions
|
||||||
|
# (i.e. no stray default.conf or catch-all templates left over)
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
echo "--- conf.d stray file check ---"
|
||||||
|
stray=$(find "$NGINX_DIR/conf.d" -name "*.conf" \
|
||||||
|
| grep -vP '/(logging|tuning|cloudflare_ips)\.conf$' || true)
|
||||||
|
if [ -n "$stray" ]; then
|
||||||
|
fail "Unexpected files in conf.d (only logging.conf, tuning.conf, cloudflare_ips.conf expected):"
|
||||||
|
printf '%s\n' "$stray" | sed 's/^/ /'
|
||||||
|
else
|
||||||
|
pass "conf.d contains only expected files"
|
||||||
|
fi
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
# 13. Server blocks within each sites-available file are sorted
|
||||||
|
# alphabetically by server_name (LC_ALL=C; regex/wildcard excluded)
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
echo "--- Alphabetical server_name order check ---"
|
||||||
|
sort_errors=0
|
||||||
|
for conf in "$NGINX_DIR/sites-available/"*.conf; do
|
||||||
|
[ "$(basename "$conf")" = "default" ] && continue
|
||||||
|
|
||||||
|
mapfile -t actual < <(grep -P '^\s*server_name\s' "$conf" \
|
||||||
|
| grep -v '^\s*#' \
|
||||||
|
| sed 's/.*server_name\s*//' \
|
||||||
|
| sed 's/\s*;//' \
|
||||||
|
| awk '{print $1}' \
|
||||||
|
| grep -vP '^~|^\*\.|^_$')
|
||||||
|
|
||||||
|
mapfile -t expected < <(printf '%s\n' "${actual[@]}" | LC_ALL=C sort)
|
||||||
|
|
||||||
|
for ((i = 0; i < ${#actual[@]}; i++)); do
|
||||||
|
if [ "${actual[$i]}" != "${expected[$i]}" ]; then
|
||||||
|
fail "$(basename "$conf"): not sorted — found '${actual[$i]}', expected '${expected[$i]}'"
|
||||||
|
sort_errors=1
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
done
|
||||||
|
[ "$sort_errors" -eq 0 ] && pass "All sites-available files have alphabetically sorted server blocks"
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
# Summary
|
||||||
|
# ──────────────────────────────────────────────────────────────────
|
||||||
|
echo "==================================="
|
||||||
|
printf "Results: %d passed, %d failed\n" "$PASS" "$FAIL"
|
||||||
|
echo "==================================="
|
||||||
|
[ "$FAIL" -gt 0 ] && exit 1
|
||||||
exit 0
|
exit 0
|
||||||
Reference in New Issue
Block a user