Compare commits

..

27 Commits

Author SHA1 Message Date
hikari f40690b574 feat: add events and talks nginx configs
Test nginx configuration / Static Analysis (push) Failing after 6s
Test nginx configuration / nginx Syntax Check (push) Failing after 17s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m24s
2026-06-24 20:20:29 -07:00
hikari 82d075e7c1 feat: add qr.nhcarrigan.com nginx config
Test nginx configuration / Static Analysis (push) Failing after 6s
Test nginx configuration / nginx Syntax Check (push) Failing after 22s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m41s
2026-06-24 19:02:15 -07:00
naomi 6836c5bcae feat: add huddle redirect
Test nginx configuration / Static Analysis (push) Failing after 6s
Test nginx configuration / nginx Syntax Check (push) Failing after 17s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m40s
2026-06-11 21:46:26 -07:00
naomi ca5ffe822e feat: cipher and workshops
Test nginx configuration / Static Analysis (push) Failing after 5s
Test nginx configuration / nginx Syntax Check (push) Failing after 17s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m43s
2026-06-06 20:24:07 -07:00
naomi b3ac647b00 chore: fix link
Security Scan and Upload / Security & DefectDojo Upload (push) Failing after 2s
Test nginx configuration / Static Analysis (push) Failing after 5s
Test nginx configuration / nginx Syntax Check (push) Failing after 16s
2026-05-11 17:05:35 -07:00
naomi 63a008f4f2 feat: image site
Security Scan and Upload / Security & DefectDojo Upload (push) Failing after 2s
Test nginx configuration / Static Analysis (push) Failing after 4s
Test nginx configuration / nginx Syntax Check (push) Failing after 15s
2026-05-11 16:55:46 -07:00
naomi c07d24f69f feat: new learn site
Test nginx configuration / Static Analysis (push) Failing after 5s
Test nginx configuration / nginx Syntax Check (push) Failing after 17s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m41s
2026-05-07 19:16:39 -07:00
hikari 5517e9d77d feat: add personality.nhcarrigan.com
Test nginx configuration / Static Analysis (push) Failing after 6s
Test nginx configuration / nginx Syntax Check (push) Failing after 19s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m46s
2026-04-20 21:45:14 -07:00
hikari fb6080ae87 fix: resolve CORS header suppression on cdn.nhcarrigan.com
Test nginx configuration / Static Analysis (push) Failing after 5s
Test nginx configuration / nginx Syntax Check (push) Failing after 16s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m38s
Restructures the location block to avoid the nginx "if is evil" pattern
where add_header directives inside an if block suppress those in the
parent location context. Also adds Access-Control-Max-Age and removes
POST from allowed methods since the CDN serves static assets only.
2026-04-20 18:32:45 -07:00
naomi f6c4e2dac7 feat: grimoire and memes 2026-04-20 10:07:57 -07:00
hikari 49fd7812dd refactor: consolidate pure-redirect server blocks into conf.d/redirects.conf
Test nginx configuration / Static Analysis (push) Failing after 7s
Test nginx configuration / nginx Syntax Check (push) Failing after 19s
Security Scan and Upload / Security & DefectDojo Upload (push) Failing after 3m27s
Moves 12 redirect-only server blocks out of their mixed host files
(content, aria, hikari, celestine, support, scheduling, portfolio) and
into a dedicated redirects.conf. Deletes the now-empty scheduling.conf
and its sites-enabled symlink.
2026-04-17 16:38:12 -07:00
hikari ce7c3341b7 feat: style reset button and override OG image on forms.nhcarrigan.com
Test nginx configuration / Static Analysis (push) Failing after 5s
Test nginx configuration / nginx Syntax Check (push) Successful in 19s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m46s
- Style .test-form-reset with theme accent colour (#A8577E) for readability
- Replace Grist default OG image URL directly so all three meta tags use the nhcarrigan CDN image
2026-04-17 16:33:05 -07:00
naomi 13dc41c639 chore: sync the changes that I made live in prod
Test nginx configuration / Static Analysis (push) Failing after 5s
Test nginx configuration / nginx Syntax Check (push) Successful in 20s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m36s
2026-04-17 16:26:10 -07:00
hikari c8c5b7529c feat: redirect nhcarrigan.com/testimonials to testimonials.nhcarrigan.com
Test nginx configuration / Static Analysis (push) Successful in 5s
Test nginx configuration / nginx Syntax Check (push) Successful in 17s
Security Scan and Upload / Security & DefectDojo Upload (push) Failing after 43s
2026-04-02 20:31:45 -07:00
hikari 823d42ad2e fix: remove dotfile restriction from notes.nhcarrigan.com
Test nginx configuration / Static Analysis (push) Successful in 4s
Test nginx configuration / nginx Syntax Check (push) Successful in 16s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 2m33s
2026-03-23 12:57:11 -07:00
hikari 44502b5c52 fix: allow SilverBullet .client assets on notes.nhcarrigan.com
Test nginx configuration / Static Analysis (push) Successful in 6s
Test nginx configuration / nginx Syntax Check (push) Successful in 23s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m11s
2026-03-23 12:54:09 -07:00
hikari 89aef0bf1a feat: enable catch-all site
Test nginx configuration / Static Analysis (push) Successful in 4s
Test nginx configuration / nginx Syntax Check (push) Successful in 17s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 2m7s
2026-03-18 12:12:31 -07:00
hikari 3608837aae feat: enable tarot site
Test nginx configuration / Static Analysis (push) Failing after 4s
Test nginx configuration / nginx Syntax Check (push) Successful in 18s
Security Scan and Upload / Security & DefectDojo Upload (push) Has been cancelled
2026-03-18 12:12:00 -07:00
hikari fc252e28e2 feat: block dotfile requests across all sites
Test nginx configuration / Static Analysis (push) Failing after 4s
Test nginx configuration / nginx Syntax Check (push) Successful in 20s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m8s
Adds a deny-dotfiles snippet that returns 403 for any URI matching /\.
(e.g. .gitconfig, .env, .git/) and includes it in every server block.
2026-03-18 11:31:02 -07:00
hikari 1d24a85e07 feat: add nginx config for tarot static site
Test nginx configuration / Static Analysis (push) Failing after 5s
Test nginx configuration / nginx Syntax Check (push) Successful in 18s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m23s
Serves only index.html and cards/*.json — all other paths return 403.
2026-03-18 11:28:11 -07:00
hikari 7e1929f308 feat: complete blackwood nginx config with SPA routing and caching
Test nginx configuration / Static Analysis (push) Failing after 4s
Test nginx configuration / nginx Syntax Check (push) Successful in 16s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 2m37s
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-11 19:27:05 -07:00
hikari 1cfae51620 docs: add CLAUDE.md with 404 handling and site setup notes
Test nginx configuration / Static Analysis (push) Failing after 4s
Test nginx configuration / nginx Syntax Check (push) Successful in 17s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m4s
2026-03-10 12:59:07 -07:00
hikari 4270f43d22 feat: add global 404 error page redirect to 404.nhcarrigan.com
Test nginx configuration / Static Analysis (push) Failing after 5s
Test nginx configuration / nginx Syntax Check (push) Successful in 17s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m18s
2026-03-10 12:49:52 -07:00
hikari 2b8748fddb feat: add catch-all server blocks for unmatched subdomains
Test nginx configuration / Static Analysis (push) Failing after 4s
Test nginx configuration / nginx Syntax Check (push) Successful in 17s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m21s
✨ This commit was made with help from Hikari~ 🌸
2026-03-10 12:16:17 -07:00
naomi f3f65e9d92 feat: scripture page too
Test nginx configuration / Static Analysis (push) Successful in 4s
Test nginx configuration / nginx Syntax Check (push) Successful in 17s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m11s
2026-03-10 11:57:35 -07:00
hikari 0004e5b037 feat: add nocturne.nhcarrigan.com static site config
Test nginx configuration / Static Analysis (push) Successful in 4s
Test nginx configuration / nginx Syntax Check (push) Successful in 16s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m22s
2026-03-10 11:13:27 -07:00
hikari db36f98578 refactor: restructure nginx config into per-app files (#1)
Test nginx configuration / Static Analysis (push) Successful in 5s
Test nginx configuration / nginx Syntax Check (push) Successful in 18s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 2m39s
## Summary

- Added `push.sh` script to deploy configs to prod via `sudo rsync` (with `--delete` for exact mirroring)
- Split the monolithic `conf.d/server.conf` (1,682 lines, 96 server blocks) into 28 per-app files under `sites-available/`, with corresponding symlinks in `sites-enabled/`
- Extracted custom `nginx.conf` settings (`log_format` directives, `server_names_hash_bucket_size`) into dedicated `conf.d/logging.conf` and `conf.d/tuning.conf` files, leaving `nginx.conf` as close to stock as possible

## Test plan

- [x] `sudo nginx -t` passes on prod after the sites-available restructure

✨ This PR was created with help from Hikari~ 🌸

Co-authored-by: Naomi Carrigan <commits@nhcarrigan.com>
Reviewed-on: #1
Co-authored-by: Hikari <hikari@nhcarrigan.com>
Co-committed-by: Hikari <hikari@nhcarrigan.com>
2026-03-07 02:05:29 -08:00
101 changed files with 3293 additions and 979 deletions
+53
View File
@@ -0,0 +1,53 @@
name: Test nginx configuration
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:
jobs:
static-analysis:
name: Static Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run static analysis
run: bash test.sh
syntax-check:
name: nginx Syntax Check
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install nginx
run: |
sudo apt-get update -q
sudo apt-get install -y nginx-full
- name: Deploy config to /etc/nginx
run: sudo cp -a nginx/nginx/. /etc/nginx/
- name: Create stub SSL certificates
run: |
openssl req -x509 -newkey rsa:2048 -keyout /tmp/stub.key \
-out /tmp/stub.pem -days 1 -nodes -subj '/CN=stub'
while IFS= read -r dir; do
sudo mkdir -p "$dir"
sudo cp /tmp/stub.pem "$dir/fullchain.pem"
sudo cp /tmp/stub.key "$dir/privkey.pem"
done < <(grep -rh 'ssl_certificate ' /etc/nginx/sites-available/ \
| grep -v '#' \
| grep -oP '/etc/letsencrypt/live/[^\s/]+' \
| sort -u)
- name: Run nginx syntax check
run: sudo nginx -t
+29
View File
@@ -0,0 +1,29 @@
# NGINX Configs — Project Notes
## 404 Handling
### Global 404 redirect
Any 404 from any site is handled globally via `nginx/nginx/nginx.conf` in the `http {}` block:
```nginx
error_page 404 https://404.nhcarrigan.com;
```
This redirects (302) to `404.nhcarrigan.com` which serves `/home/naomi/404/index.html`.
No need to add `error_page` to individual server blocks — the `http {}` level default covers everything.
### 404 site config
`nginx/nginx/sites-available/404.conf` — serves the static 404 page at `/home/naomi/404`.
Requires an SSL cert at `/etc/letsencrypt/live/404.nhcarrigan.com/`.
### Catch-all server block (`catch-all.conf`)
Handles any HTTPS request for a subdomain that doesn't match any configured `server_name`.
Uses `default_server` on port 443, `server_name _`, and serves the same 404 page directly
(with `return 404` to preserve the status code, since this is the final fallback rather than a redirect).
## Adding a New Site
1. Create `nginx/nginx/sites-available/<name>.conf` with the server block.
2. Create a symlink: `ln -s ../sites-available/<name>.conf nginx/nginx/sites-enabled/<name>.conf`
3. Ensure an SSL cert exists on the server for the domain (`certbot --nginx -d <domain>`).
4. No need to add `error_page 404` — it's handled globally.
+125 -3
View File
@@ -1,10 +1,132 @@
# Nginx Configs # Nginx Configs
This repository holds our NGINX configs and offers a basic script for pulling the latest versions from our servers. This repository holds the nginx configuration for NHCarrigan's production server, with scripts for deploying and pulling changes.
## Live Version ## Directory Structure
These can't really be viewed live... ```
nginx/nginx/ # Maps directly to /etc/nginx/ on the server
├── nginx.conf # Global settings (workers, gzip, TLS, logging)
├── conf.d/
│ ├── cloudflare_ips.conf # Real-IP trust for Cloudflare ranges (auto-updated by cron)
│ ├── logging.conf # Custom log formats (custom_format + json_analytics)
│ └── tuning.conf # Performance tweaks (server_names_hash_bucket_size)
├── sites-available/ # One .conf file per logical group of sites
│ └── *.conf
├── sites-enabled/ # Symlinks to active configs in sites-available/
│ └── * -> ../sites-available/*.conf
└── ... # Standard nginx package files (mime.types, proxy_params, etc.)
```
## Adding a New Site
1. **Identify the right file.** Each `sites-available/*.conf` has a comment at the top describing what belongs there. Pick the most appropriate file, or create a new one if the site does not fit anywhere.
2. **Add the server block**, following this template for a proxied app:
```nginx
server {
listen 443 ssl;
server_name yourapp.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/yourapp.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourapp.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:<PORT>;
proxy_redirect off;
}
}
```
Or this template for a static site:
```nginx
server {
listen 443 ssl;
server_name yoursite.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/yoursite.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yoursite.nhcarrigan.com/privkey.pem;
root /home/naomi/yoursite;
location / {
index index.html;
}
}
```
3. **Keep server blocks sorted alphabetically** by `server_name` within the file. The CI sort check will fail if they are out of order. Note that hyphenated names sort before the bare domain in C locale (e.g. `app-api` before `app`).
4. **If you created a new `.conf` file**, create the corresponding symlink in `sites-enabled/`:
```bash
cd nginx/nginx/sites-enabled
ln -s ../sites-available/newfile.conf newfile.conf
```
5. **Get the SSL certificate** on the server before deploying:
```bash
sudo certbot certonly --nginx -d yourapp.nhcarrigan.com
```
6. **Run the tests** locally to verify everything passes:
```bash
bash test.sh
```
7. **Deploy** (see below).
## Removing a Site
1. Delete the server block from the relevant `sites-available/*.conf` file.
2. If the entire `.conf` file is now empty, delete the file and its `sites-enabled/` symlink.
3. Run `bash test.sh` to confirm nothing is broken.
4. Deploy.
## Deploying Changes
Push the local `nginx/nginx/` directory to the server (the `--delete` flag removes any files on the server that no longer exist locally):
```bash
bash push.sh
```
Then reload nginx to apply the changes:
```bash
ssh prod "sudo systemctl reload nginx"
```
To pull the current server config back into this repository:
```bash
bash pull.sh
```
## Testing
The test suite runs static analysis checks against the config files without requiring a live nginx instance:
```bash
bash test.sh
```
The following checks are run:
| # | Check |
|---|-------|
| 1 | No deprecated TLS versions (TLSv1 / TLSv1.1) |
| 2 | No duplicate `server_name` values |
| 3 | Every `sites-available/*.conf` has a `sites-enabled` symlink |
| 4 | No broken symlinks in `sites-enabled` |
| 5 | No orphaned symlinks in `sites-enabled` |
| 6 | No port-80 listeners in custom server blocks |
| 7 | `ssl_certificate` and `ssl_certificate_key` counts match per file |
| 8 | All plain-HTTP `proxy_pass` targets are local |
| 9 | All SSL cert paths use `/etc/letsencrypt/live/` |
| 10 | Certs use `fullchain.pem` / keys use `privkey.pem` |
| 11 | No raw IP addresses as `server_name` |
| 12 | `conf.d` contains only expected files |
| 13 | Server blocks are sorted alphabetically by `server_name` within each file |
CI additionally runs an nginx syntax check (`nginx -t`) using stub SSL certificates, catching any configuration errors that static analysis cannot detect.
## Feedback and Bugs ## Feedback and Bugs
-953
View File
@@ -1,953 +0,0 @@
server {
listen 443 ssl;
server_name afp.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/afp.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/afp.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass https://127.0.0.1:10443;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name alerts.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/alerts.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/alerts.nhcarrigan.com/privkey.pem;
# Redirect ONLY root `/`
location = / {
return 307 https://rosalia.nhcarrigan.com;
}
# Proxy everything else
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5003;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name analytics.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/analytics.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/analytics.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:11080;
}
location = /live/websocket {
proxy_pass http://127.0.0.1:11080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
server {
listen 443 ssl;
server_name announcements.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/announcements.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/announcements.nhcarrigan.com/privkey.pem;
return 301 https://forum.nhcarrigan.com/c/announcements/14;
}
server {
listen 443 ssl;
server_name aria.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/aria.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/aria.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5001;
}
}
server {
listen 443 ssl;
server_name assistant.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/assistant.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/assistant.nhcarrigan.com/privkey.pem;
location / {
return 301 https://cordelia.nhcarrigan.com$uri$is_args$args;
}
}
server {
listen 443 ssl;
server_name beccalia.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/beccalia.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/beccalia.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/games/beccalia;
location / {
index index.html;
}
location /origins {
index index.html;
}
location /prologue {
index index.html;
}
}
server {
listen 443 ssl;
server_name becca.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/becca.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/becca.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5010;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name blog.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/blog.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/blog.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3003;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name board.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/board.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/board.nhcarrigan.com/privkey.pem;
location ~ /ws/* {
proxy_pass http://127.0.0.1:8111;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 50M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 1d;
proxy_send_timeout 1d;
proxy_read_timeout 1d;
}
location / {
proxy_pass http://127.0.0.1:8111;
client_max_body_size 50M;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
proxy_http_version 1.1;
}
}
server {
listen 443 ssl;
server_name books.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/books.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/books.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/books;
location / {
index index.html;
}
location /books.json {
try_files /books.json =404;
}
}
server {
listen 443 ssl;
server_name chat.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/chat.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/chat.nhcarrigan.com/privkey.pem;
location / {
return 301 https://discord.gg/KKe7BaEnQB;
}
}
server {
listen 443 ssl;
server_name celestine.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/celestine.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/celestine.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:9080;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name contact.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/contact.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/contact.nhcarrigan.com/privkey.pem;
return 301 https://docs.nhcarrigan.com/about/contact/;
}
server {
listen 443 ssl;
server_name cordelia.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/cordelia.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cordelia.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5002;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name docs.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/docs.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/docs.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/docs/dist;
location / {
index index.html;
}
}
server {
listen 443 ssl;
server_name donate.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/donate.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/donate.nhcarrigan.com/privkey.pem;
return 301 https://docs.nhcarrigan.com/about/donate/;
}
server {
listen 443 ssl;
server_name elowyn.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/elowyn.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/elowyn.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/elowyn;
location / {
index index.html;
try_files $uri $uri/ /index.html;
}
location ~* \.(js|css)$ {
try_files $uri $uri/ @rewrite;
}
}
server {
listen 443 ssl;
server_name forms-api.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/forms-api.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/forms-api.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:1234;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name forms.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/forms.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/forms.nhcarrigan.com/privkey.pem;
# Upgrade websocket requests and route the api backend
location ~ ^/(api|ws)/ {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://127.0.0.1:11111;
}
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_pass http://127.0.0.1:11111;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name games.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/games.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/games.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/games;
location / {
index index.html;
}
}
server {
listen 443 ssl;
server_name goblin.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/goblin.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/goblin.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/games/goblin;
location / {
index index.html;
}
}
server {
listen 443 ssl;
server_name gwen.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/gwen.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/gwen.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5012;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name hikari.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/hikari.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hikari.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/hikari/client/dist/client/browser;
index index.html;
location /api/ {
proxy_pass http://127.0.0.1:20000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header cf-connecting-ip $http_cf_connecting_ip;
proxy_set_header origin $http_origin;
# This removes /api from the forwarded URL
rewrite ^/api/(.*)$ /$1 break;
}
location / {
try_files $uri $uri/ /index.html;
}
}
server {
listen 443 ssl;
server_name hooks.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/hooks.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hooks.nhcarrigan.com/privkey.pem;
location / {
return 301 https://celestine.nhcarrigan.com$uri$is_args$args;
}
}
server {
listen 443 ssl;
server_name incidents.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/incidents.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/incidents.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3001;
}
}
server {
listen 443 ssl;
server_name loan.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/loan.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loan.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/games/loan;
location / {
index index.html;
}
}
server {
listen 443 ssl;
server_name lucinda.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/lucinda.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lucinda.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/lucinda/client/dist/client/browser;
index index.html;
location /api/ {
proxy_pass http://127.0.0.1:12346/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# This removes /api from the forwarded URL
rewrite ^/api/(.*)$ /$1 break;
}
location / {
try_files $uri $uri/ /index.html;
}
}
server {
listen 443 ssl;
server_name manual.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/manual.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/manual.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/manual;
location / {
index index.html;
}
}
server {
listen 443 ssl;
server_name maylin.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/maylin.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/maylin.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5011;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name melody.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/melody.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/melody.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5443;
}
}
server {
listen 443 ssl;
server_name mommy-bot.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/mommy-bot.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mommy-bot.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8009;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name mommy.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/mommy.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mommy.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8008;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name mommy-slack.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/mommy-slack.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mommy-slack.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8010;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name music.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/music.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/music.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/music;
location / {
index index.html;
}
location /songs.json {
try_files /songs.json =404;
}
}
server {
listen 443 ssl;
server_name nails-api.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/nails-api.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nails-api.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:1235;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name nails.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/nails.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nails.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/nails/client/dist/client/browser;
location / {
index index.html;
try_files $uri $uri/ /index.html;
}
location ~* \.(js|css)$ {
try_files $uri $uri/ @rewrite;
}
}
server {
listen 443 ssl;
server_name naomi.lgbt;
ssl_certificate /etc/letsencrypt/live/naomi.lgbt/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/naomi.lgbt/privkey.pem;
root /home/nhcarrigan/portfolio/site;
location / {
index index.html;
}
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
location /games {
try_files /games.html =404;
}
location /koikatsu {
try_files /koikatsu.html =404;
}
}
server {
listen 443 ssl;
server_name naomi.party;
ssl_certificate /etc/letsencrypt/live/naomi.party/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/naomi.party/privkey.pem;
root /home/nhcarrigan/bsky;
location / {
index index.html;
}
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
}
server {
listen 443 ssl;
server_name nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/portfolio/site;
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
location / {
index index.html;
}
location /games {
try_files /games.html =404;
}
location /koikatsu {
try_files /koikatsu.html =404;
}
}
server {
listen 443 ssl;
server_name nhcarrigan.link;
ssl_certificate /etc/letsencrypt/live/nhcarrigan.link/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nhcarrigan.link/privkey.pem;
root /home/nhcarrigan/link-redirector;
location / {
index index.html;
}
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
}
server {
listen 443 ssl;
server_name oogie.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/oogie.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/oogie.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass https://127.0.0.1:3443;
}
}
server {
listen 443 ssl;
server_name products.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/products.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/products.nhcarrigan.com/privkey.pem;
location / {
return 301 https://hikari.nhcarrigan.com/products;
}
}
server {
listen 443 ssl;
server_name quality.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/quality.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/quality.nhcarrigan.com/privkey.pem;
client_max_body_size 1g;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:9500;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name rosalia.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/rosalia.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/rosalia.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5003;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name resume.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/resume.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/resume.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/resume/site;
location /resume.yaml {
default_type text/plain;
add_header Content-Type "text/plain; charset=utf-8";
}
location / {
index index.html;
try_files $uri $uri/ /index.html;
}
}
server {
listen 443 ssl;
server_name ruubot.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/ruubot.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ruubot.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass https://127.0.0.1:4443;
}
}
server {
listen 443 ssl;
server_name security.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/security.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/security.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/security;
location / {
index index.html;
}
}
server {
listen 443 ssl;
server_name sitemap.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/sitemap.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sitemap.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/sitemap;
location / {
index index.html;
}
}
server {
listen 443 ssl;
server_name tasks.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/tasks.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tasks.nhcarrigan.com/privkey.pem;
location / {
return 301 https://melody.nhcarrigan.com$uri$is_args$args;
}
}
server {
listen 443 ssl;
server_name testimonials.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/testimonials.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/testimonials.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/testimonials;
location / {
index index.html;
}
}
server {
listen 443 ssl;
server_name trans-bot.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/trans.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/trans.nhcarrigan.com/privkey.pem;
location / {
return 301 https://aria.nhcarrigan.com;
}
}
server {
listen 443 ssl;
server_name trans.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/trans.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/trans.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://0.0.0.0:5000;
}
}
server {
listen 443 ssl;
server_name uptime.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/uptime.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/uptime.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3001;
}
}
server {
listen 443 ssl;
server_name vitalia-api.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/vitalia.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vitalia.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:12345;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name vitalia.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/vitalia.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vitalia.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/vitalia/client/dist/client/browser;
location / {
index index.html;
try_files $uri $uri/ /index.html;
}
location ~* \.(js|css)$ {
try_files $uri $uri/ @rewrite;
}
}
server {
listen 443 ssl;
server_name www.naomi.lgbt;
ssl_certificate /etc/letsencrypt/live/www.naomi.lgbt/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.naomi.lgbt/privkey.pem;
root /home/nhcarrigan/portfolio/site;
location / {
index index.html;
}
location /games {
try_files /games.html =404;
}
location /koikatsu {
try_files /koikatsu.html =404;
}
}
server {
listen 443 ssl;
server_name www.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/www.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.nhcarrigan.com/privkey.pem;
root /home/nhcarrigan/portfolio/site;
location / {
index index.html;
}
location /games {
try_files /games.html =404;
}
location /koikatsu {
try_files /koikatsu.html =404;
}
}
server {
listen 443 ssl;
server_name www.yurigpt.com;
ssl_certificate /etc/letsencrypt/live/www.yurigpt.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.yurigpt.com/privkey.pem;
root /home/nhcarrigan/yurigpt/dist/yurigpt/browser;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
}
server {
listen 443 ssl;
server_name yurigpt.com;
ssl_certificate /etc/letsencrypt/live/yurigpt.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yurigpt.com/privkey.pem;
root /home/nhcarrigan/yurigpt/dist/yurigpt/browser;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
}
# This MUST be at the bottom so that dedicated subdomains are parsed first!
server {
listen 443 ssl;
server_name ~^(?<subdomain>.+)\.naomi\.lgbt$;
ssl_certificate /etc/letsencrypt/live/naomi.lgbt-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/naomi.lgbt-0001/privkey.pem;
location / {
return 301 https://$subdomain.nhcarrigan.com$request_uri;
}
}
+28
View File
@@ -0,0 +1,28 @@
# Auto-generated Cloudflare IP ranges
# Updated: Wed Jun 10 10:59:21 PM PDT 2026
real_ip_header CF-Connecting-IP;
# IPv4 ranges
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
# IPv6 ranges
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
+47
View File
@@ -0,0 +1,47 @@
log_format custom_format '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$http_x_forwarded_for"';
access_log /var/log/nginx/access.log custom_format;
log_format json_analytics escape=json '{'
'"msec": "$msec", ' # request unixtime in seconds with a milliseconds resolution
'"connection": "$connection", ' # connection serial number
'"connection_requests": "$connection_requests", ' # number of requests made in connection
'"pid": "$pid", ' # process pid
'"request_id": "$request_id", ' # the unique request id
'"request_length": "$request_length", ' # request length (including headers and body)
'"remote_addr": "$remote_addr", ' # client IP
'"remote_user": "$remote_user", ' # client HTTP username
'"remote_port": "$remote_port", ' # client port
'"time_local": "$time_local", '
'"time_iso8601": "$time_iso8601", ' # local time in the ISO 8601 standard format
'"request": "$request", ' # full path no arguments if the request
'"request_uri": "$request_uri", ' # full path and arguments if the request
'"args": "$args", ' # args
'"status": "$status", ' # response status code
'"body_bytes_sent": "$body_bytes_sent", ' # the number of body bytes exclude headers sent to a client
'"bytes_sent": "$bytes_sent", ' # the number of bytes sent to a client
'"http_referer": "$http_referer", ' # HTTP referer
'"http_user_agent": "$http_user_agent", ' # user agent
'"http_x_forwarded_for": "$http_x_forwarded_for", ' # http_x_forwarded_for
'"http_host": "$http_host", ' # the request Host: header
'"server_name": "$server_name", ' # the name of the vhost serving the request
'"request_time": "$request_time", ' # request processing time in seconds with msec resolution
'"upstream": "$upstream_addr", ' # upstream backend server for proxied requests
'"upstream_connect_time": "$upstream_connect_time", ' # upstream handshake time incl. TLS
'"upstream_header_time": "$upstream_header_time", ' # time spent receiving upstream headers
'"upstream_response_time": "$upstream_response_time", ' # time spent receiving upstream body
'"upstream_response_length": "$upstream_response_length", ' # upstream response length
'"upstream_cache_status": "$upstream_cache_status", ' # cache HIT/MISS where applicable
'"ssl_protocol": "$ssl_protocol", ' # TLS protocol
'"ssl_cipher": "$ssl_cipher", ' # TLS cipher
'"scheme": "$scheme", ' # http or https
'"request_method": "$request_method", ' # request method
'"server_protocol": "$server_protocol", ' # request protocol, like HTTP/1.1 or HTTP/2.0
'"pipe": "$pipe", ' # "p" if request was pipelined, "." otherwise
'"gzip_ratio": "$gzip_ratio", '
'}';
access_log /var/log/nginx/json_access.log json_analytics;
+162
View File
@@ -0,0 +1,162 @@
# Pure-redirect virtual hosts — server blocks whose only purpose is a 301/302 to another URL.
# val.nhcarrigan.com → headpat image
server {
listen 443 ssl;
server_name val.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/val.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/val.nhcarrigan.com/privkey.pem;
location / {
return 302 https://cdn.nhcarrigan.com/val-headpat.jpg;
}
}
# assistant.nhcarrigan.com → cordelia (legacy name)
server {
listen 443 ssl;
server_name assistant.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/assistant.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/assistant.nhcarrigan.com/privkey.pem;
location / {
return 301 https://cordelia.nhcarrigan.com$uri$is_args$args;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# trans-bot.nhcarrigan.com → aria (legacy name)
server {
listen 443 ssl;
server_name trans-bot.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/trans.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/trans.nhcarrigan.com/privkey.pem;
location / {
return 301 https://aria.nhcarrigan.com;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# announcements.nhcarrigan.com → hikari /announcements
server {
listen 443 ssl;
server_name announcements.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/announcements.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/announcements.nhcarrigan.com/privkey.pem;
return 301 https://hikari.nhcarrigan.com/announcements;
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# products.nhcarrigan.com → hikari /products
server {
listen 443 ssl;
server_name products.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/products.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/products.nhcarrigan.com/privkey.pem;
location / {
return 301 https://hikari.nhcarrigan.com/products;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# hooks.nhcarrigan.com → celestine (legacy name)
server {
listen 443 ssl;
server_name hooks.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/hooks.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hooks.nhcarrigan.com/privkey.pem;
location / {
return 301 https://celestine.nhcarrigan.com$uri$is_args$args;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# chat.nhcarrigan.com → Discord invite
server {
listen 443 ssl;
server_name chat.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/chat.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/chat.nhcarrigan.com/privkey.pem;
location / {
return 301 https://discord.gg/KKe7BaEnQB;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# forum.nhcarrigan.com → support (legacy name)
server {
listen 443 ssl;
server_name forum.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/forum.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/forum.nhcarrigan.com/privkey.pem;
location / {
return 301 https://support.nhcarrigan.com;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# cyc.nhcarrigan.com → zcal scheduling
server {
listen 443 ssl;
server_name cyc.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/cyc.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cyc.nhcarrigan.com/privkey.pem;
return 301 https://zcal.co/nhcarrigan/cyc;
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# meet.nhcarrigan.com → zcal scheduling
server {
listen 443 ssl;
server_name meet.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/meet.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/meet.nhcarrigan.com/privkey.pem;
return 301 https://zcal.co/nhcarrigan/meet;
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# huddle.nhcarrigan.com → zcal scheduling
server {
listen 443 ssl;
server_name huddle.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/huddle.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/huddle.nhcarrigan.com/privkey.pem;
return 301 https://zcal.co/nhcarrigan/huddle;
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# tasks.nhcarrigan.com → melody
server {
listen 443 ssl;
server_name tasks.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/tasks.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tasks.nhcarrigan.com/privkey.pem;
location / {
return 301 https://melody.nhcarrigan.com$uri$is_args$args;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# Wildcard: *.naomi.lgbt → *.nhcarrigan.com
server {
listen 443 ssl;
server_name ~^(?<subdomain>.+)\.naomi\.lgbt$;
ssl_certificate /etc/letsencrypt/live/*.naomi.lgbt/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/*.naomi.lgbt/privkey.pem;
location / {
return 301 https://$subdomain.nhcarrigan.com$request_uri;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+1
View File
@@ -0,0 +1 @@
server_names_hash_bucket_size 128;
+27
View File
@@ -0,0 +1,27 @@
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
+26
View File
@@ -0,0 +1,26 @@
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
+109
View File
@@ -0,0 +1,109 @@
# This map is not a full koi8-r <> utf8 map: it does not contain
# box-drawing and some other characters. Besides this map contains
# several koi8-u and Byelorussian letters which are not in koi8-r.
# If you need a full and standard map, use contrib/unicode2nginx/koi-utf
# map instead.
charset_map koi8-r utf-8 {
80 E282AC ; # euro
95 E280A2 ; # bullet
9A C2A0 ; # &nbsp;
9E C2B7 ; # &middot;
A3 D191 ; # small yo
A4 D194 ; # small Ukrainian ye
A6 D196 ; # small Ukrainian i
A7 D197 ; # small Ukrainian yi
AD D291 ; # small Ukrainian soft g
AE D19E ; # small Byelorussian short u
B0 C2B0 ; # &deg;
B3 D081 ; # capital YO
B4 D084 ; # capital Ukrainian YE
B6 D086 ; # capital Ukrainian I
B7 D087 ; # capital Ukrainian YI
B9 E28496 ; # numero sign
BD D290 ; # capital Ukrainian soft G
BE D18E ; # capital Byelorussian short U
BF C2A9 ; # (C)
C0 D18E ; # small yu
C1 D0B0 ; # small a
C2 D0B1 ; # small b
C3 D186 ; # small ts
C4 D0B4 ; # small d
C5 D0B5 ; # small ye
C6 D184 ; # small f
C7 D0B3 ; # small g
C8 D185 ; # small kh
C9 D0B8 ; # small i
CA D0B9 ; # small j
CB D0BA ; # small k
CC D0BB ; # small l
CD D0BC ; # small m
CE D0BD ; # small n
CF D0BE ; # small o
D0 D0BF ; # small p
D1 D18F ; # small ya
D2 D180 ; # small r
D3 D181 ; # small s
D4 D182 ; # small t
D5 D183 ; # small u
D6 D0B6 ; # small zh
D7 D0B2 ; # small v
D8 D18C ; # small soft sign
D9 D18B ; # small y
DA D0B7 ; # small z
DB D188 ; # small sh
DC D18D ; # small e
DD D189 ; # small shch
DE D187 ; # small ch
DF D18A ; # small hard sign
E0 D0AE ; # capital YU
E1 D090 ; # capital A
E2 D091 ; # capital B
E3 D0A6 ; # capital TS
E4 D094 ; # capital D
E5 D095 ; # capital YE
E6 D0A4 ; # capital F
E7 D093 ; # capital G
E8 D0A5 ; # capital KH
E9 D098 ; # capital I
EA D099 ; # capital J
EB D09A ; # capital K
EC D09B ; # capital L
ED D09C ; # capital M
EE D09D ; # capital N
EF D09E ; # capital O
F0 D09F ; # capital P
F1 D0AF ; # capital YA
F2 D0A0 ; # capital R
F3 D0A1 ; # capital S
F4 D0A2 ; # capital T
F5 D0A3 ; # capital U
F6 D096 ; # capital ZH
F7 D092 ; # capital V
F8 D0AC ; # capital soft sign
F9 D0AB ; # capital Y
FA D097 ; # capital Z
FB D0A8 ; # capital SH
FC D0AD ; # capital E
FD D0A9 ; # capital SHCH
FE D0A7 ; # capital CH
FF D0AA ; # capital hard sign
}
+103
View File
@@ -0,0 +1,103 @@
charset_map koi8-r windows-1251 {
80 88 ; # euro
95 95 ; # bullet
9A A0 ; # &nbsp;
9E B7 ; # &middot;
A3 B8 ; # small yo
A4 BA ; # small Ukrainian ye
A6 B3 ; # small Ukrainian i
A7 BF ; # small Ukrainian yi
AD B4 ; # small Ukrainian soft g
AE A2 ; # small Byelorussian short u
B0 B0 ; # &deg;
B3 A8 ; # capital YO
B4 AA ; # capital Ukrainian YE
B6 B2 ; # capital Ukrainian I
B7 AF ; # capital Ukrainian YI
B9 B9 ; # numero sign
BD A5 ; # capital Ukrainian soft G
BE A1 ; # capital Byelorussian short U
BF A9 ; # (C)
C0 FE ; # small yu
C1 E0 ; # small a
C2 E1 ; # small b
C3 F6 ; # small ts
C4 E4 ; # small d
C5 E5 ; # small ye
C6 F4 ; # small f
C7 E3 ; # small g
C8 F5 ; # small kh
C9 E8 ; # small i
CA E9 ; # small j
CB EA ; # small k
CC EB ; # small l
CD EC ; # small m
CE ED ; # small n
CF EE ; # small o
D0 EF ; # small p
D1 FF ; # small ya
D2 F0 ; # small r
D3 F1 ; # small s
D4 F2 ; # small t
D5 F3 ; # small u
D6 E6 ; # small zh
D7 E2 ; # small v
D8 FC ; # small soft sign
D9 FB ; # small y
DA E7 ; # small z
DB F8 ; # small sh
DC FD ; # small e
DD F9 ; # small shch
DE F7 ; # small ch
DF FA ; # small hard sign
E0 DE ; # capital YU
E1 C0 ; # capital A
E2 C1 ; # capital B
E3 D6 ; # capital TS
E4 C4 ; # capital D
E5 C5 ; # capital YE
E6 D4 ; # capital F
E7 C3 ; # capital G
E8 D5 ; # capital KH
E9 C8 ; # capital I
EA C9 ; # capital J
EB CA ; # capital K
EC CB ; # capital L
ED CC ; # capital M
EE CD ; # capital N
EF CE ; # capital O
F0 CF ; # capital P
F1 DF ; # capital YA
F2 D0 ; # capital R
F3 D1 ; # capital S
F4 D2 ; # capital T
F5 D3 ; # capital U
F6 C6 ; # capital ZH
F7 C2 ; # capital V
F8 DC ; # capital soft sign
F9 DB ; # capital Y
FA C7 ; # capital Z
FB D8 ; # capital SH
FC DD ; # capital E
FD D9 ; # capital SHCH
FE D7 ; # capital CH
FF DA ; # capital hard sign
}
+101
View File
@@ -0,0 +1,101 @@
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/ogg ogv;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-matroska mkv;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
+57
View File
@@ -0,0 +1,57 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
##
# Global Error Pages
##
error_page 404 https://404.nhcarrigan.com;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
# Look at the real IP, not the cloudflare IP.
include /etc/nginx/cloudflare_ips.conf;
}
+4
View File
@@ -0,0 +1,4 @@
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
+17
View File
@@ -0,0 +1,17 @@
scgi_param REQUEST_METHOD $request_method;
scgi_param REQUEST_URI $request_uri;
scgi_param QUERY_STRING $query_string;
scgi_param CONTENT_TYPE $content_type;
scgi_param DOCUMENT_URI $document_uri;
scgi_param DOCUMENT_ROOT $document_root;
scgi_param SCGI 1;
scgi_param SERVER_PROTOCOL $server_protocol;
scgi_param REQUEST_SCHEME $scheme;
scgi_param HTTPS $https if_not_empty;
scgi_param REMOTE_ADDR $remote_addr;
scgi_param REMOTE_PORT $remote_port;
scgi_param SERVER_PORT $server_port;
scgi_param SERVER_NAME $server_name;
+14
View File
@@ -0,0 +1,14 @@
# 404 error page static site.
server {
listen 443 ssl;
server_name 404.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/404.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/404.nhcarrigan.com/privkey.pem;
root /home/naomi/404;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+14
View File
@@ -0,0 +1,14 @@
# AFP service proxy.
server {
listen 443 ssl;
server_name afp.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/afp.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/afp.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:10080;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+40
View File
@@ -0,0 +1,40 @@
# Aria bot, Cordelia AI assistant, and trans-related services.
server {
listen 443 ssl;
server_name aria.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/aria.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/aria.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5001;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name cordelia.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/cordelia.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cordelia.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5002;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name trans.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/trans.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/trans.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://0.0.0.0:5000;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+272
View File
@@ -0,0 +1,272 @@
# Discord bots and automated services (one entry per bot, sorted alphabetically).
server {
listen 443 ssl;
server_name altaria.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/altaria.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/altaria.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:6022;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name amari.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/amari.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/amari.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:7044;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name becca.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/becca.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/becca.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5010;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name caelia.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/caelia.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/caelia.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:7055;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name callista.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/callista.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/callista.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:6111;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name chibika.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/chibika.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/chibika.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5018;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name gwen.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/gwen.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/gwen.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5012;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name keiko.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/keiko.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/keiko.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3333;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name liora.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/liora.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/liora.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5022;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name maylin.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/maylin.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/maylin.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5011;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name melody.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/melody.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/melody.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5443;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name pavelle.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/pavelle.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/pavelle.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:6019;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name ruubot.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/ruubot.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ruubot.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass https://127.0.0.1:4443;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name saisoku.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/saisoku.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/saisoku.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:9100;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name serenya.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/serenya.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/serenya.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:7066;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name sorielle.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/sorielle.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sorielle.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5019;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name tyche.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/tyche.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tyche.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8123;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name umbrelle.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/umbrelle.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/umbrelle.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:6088;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name valerium.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/valerium.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/valerium.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3443;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name veluna.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/veluna.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/veluna.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:6099;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
@@ -0,0 +1,23 @@
# Catch-all for unmatched subdomains - serves a 404 page.
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nhcarrigan.com/privkey.pem;
server_name _;
root /home/naomi/404;
error_page 404 /index.html;
location / {
return 404;
}
location = /index.html {
internal;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+54
View File
@@ -0,0 +1,54 @@
# CDN reverse proxy to Hetzner object storage, with legacy path redirects and CORS headers.
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name cdn.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/cdn.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cdn.nhcarrigan.com/privkey.pem;
# Catches "/new-avatars/name-full.png" and redirects to "/avatars/name.png"
location ~ ^/new-avatars/(.+)-full\.png$ {
return 301 $scheme://$host/avatars/$1.png;
}
# Catches anything else starting with "/new-avatars/" and moves it to "/avatars/"
location ~ ^/new-avatars/(.*)$ {
return 301 $scheme://$host/avatars/$1;
}
# Handle CORS preflight requests without the "if is evil" pattern.
location / {
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
add_header Access-Control-Max-Age 86400 always;
add_header Content-Type "text/plain; charset=utf-8";
add_header Content-Length 0;
return 204;
}
proxy_pass https://nhcarrigan.hel1.your-objectstorage.com;
proxy_set_header Host nhcarrigan.hel1.your-objectstorage.com;
proxy_ssl_server_name on;
proxy_ssl_name nhcarrigan.hel1.your-objectstorage.com;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Authorization "";
proxy_set_header x-amz-date "";
proxy_set_header x-amz-security-token "";
proxy_hide_header Access-Control-Allow-Origin;
add_header X-Debug-Cdn "Proxy-Active" always;
add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
@@ -0,0 +1,15 @@
# Celestine webhook handler.
server {
listen 443 ssl;
server_name celestine.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/celestine.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/celestine.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:9080;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+25
View File
@@ -0,0 +1,25 @@
# Cipher - Bluesky collections archive.
server {
listen 443 ssl;
server_name cipher.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/cipher.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cipher.nhcarrigan.com/privkey.pem;
root /home/naomi/cipher;
location = / {
try_files /site.html =404;
}
location = /data.json {
default_type application/json;
add_header Content-Type "application/json; charset=utf-8";
}
# Everything else gets the global 404
location / {
return 404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+148
View File
@@ -0,0 +1,148 @@
# Static content and publishing sites: blog, books, donate, music, personality, secrets, style, testimonials.
server {
listen 443 ssl;
server_name blog.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/blog.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/blog.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3003;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name books.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/books.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/books.nhcarrigan.com/privkey.pem;
root /home/naomi/books;
location / {
index index.html;
}
location /books.json {
try_files /books.json =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name donate.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/donate.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/donate.nhcarrigan.com/privkey.pem;
root /home/naomi/donate;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name grimoire.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/grimoire.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/grimoire.nhcarrigan.com/privkey.pem;
root /home/naomi/grimoire;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name memes.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/memes.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/memes.nhcarrigan.com/privkey.pem;
root /home/naomi/memes;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name music.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/music.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/music.nhcarrigan.com/privkey.pem;
root /home/naomi/music;
location / {
index index.html;
}
location /songs.json {
try_files /songs.json =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name personality.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/personality.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/personality.nhcarrigan.com/privkey.pem;
root /home/naomi/personality/dist;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name secrets.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/secrets.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/secrets.nhcarrigan.com/privkey.pem;
root /home/naomi/secrets;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name style.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/style.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/style.nhcarrigan.com/privkey.pem;
root /home/naomi/style;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name testimonials.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/testimonials.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/testimonials.nhcarrigan.com/privkey.pem;
root /home/naomi/testimonials;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+14
View File
@@ -0,0 +1,14 @@
# Data service proxy.
server {
listen 443 ssl;
server_name data.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/data.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/data.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:9999;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+18
View File
@@ -0,0 +1,18 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /home/naomi/404;
error_page 404 /index.html;
location / {
return 404;
}
location = /index.html {
internal;
}
}
+70
View File
@@ -0,0 +1,70 @@
# Documentation and informational sites: contact, docs, manual, sitemap, socials.
server {
listen 443 ssl;
server_name contact.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/contact.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/contact.nhcarrigan.com/privkey.pem;
root /home/naomi/socials;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name docs.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/docs.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/docs.nhcarrigan.com/privkey.pem;
root /home/naomi/docs/dist;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name manual.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/manual.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/manual.nhcarrigan.com/privkey.pem;
root /home/naomi/manual;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name sitemap.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/sitemap.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sitemap.nhcarrigan.com/privkey.pem;
root /home/naomi/sitemap;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name socials.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/socials.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/socials.nhcarrigan.com/privkey.pem;
root /home/naomi/socials;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+15
View File
@@ -0,0 +1,15 @@
# Eclaire Angular SPA.
server {
listen 443 ssl;
server_name eclaire.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/eclaire.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/eclaire.nhcarrigan.com/privkey.pem;
root /home/naomi/eclaire/dist/eclaire/browser;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+19
View File
@@ -0,0 +1,19 @@
# Elowyn Angular SPA.
server {
listen 443 ssl;
server_name elowyn.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/elowyn.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/elowyn.nhcarrigan.com/privkey.pem;
root /home/naomi/elowyn;
location / {
index index.html;
try_files $uri $uri/ /index.html;
}
location ~* \.(js|css)$ {
try_files $uri $uri/ @rewrite;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+25
View File
@@ -0,0 +1,25 @@
# Elysium Vite SPA and Hono API backend.
server {
listen 443 ssl;
server_name elysium.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/elysium.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/elysium.nhcarrigan.com/privkey.pem;
root /home/naomi/elysium/apps/web/dist;
location /api/ {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3898/;
proxy_redirect off;
}
location / {
index index.html;
try_files $uri $uri/ /index.html;
}
location ~* \.(js|css)$ {
try_files $uri $uri/ @rewrite;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+163
View File
@@ -0,0 +1,163 @@
# Grist forms platform (forms-api backend + forms frontend with CSS injection) and legacy form URL redirects.
server {
listen 443 ssl;
server_name forms-api.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/forms-api.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/forms-api.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:1234;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name forms.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/forms.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/forms.nhcarrigan.com/privkey.pem;
###########################
# REDIRECTS FOR OLD FORMS #
###########################
# Volunteer Application Form
location ~* ^/form/PEpB3gA79gxP8wmfEf4zou96opkpUTjssTcaeYjhoi8$ {
return 301 https://forms.nhcarrigan.com/o/docs/forms/mCxDu3snk9TzFiDjrT4Vc8/4;
}
# Mentorship Application Form (now Discord self-selectable role)
location ~* ^/form/gNv4NYZmdiMWpkUcnknII2yYCvnYNGAmabG5O5He9Mo$ {
return 301 https://docs.nhcarrigan.com/about/mentorship;
}
# Testimonials Form
location ~* ^/form/M_GrmqASymmO744axMOmu2LaMAaT5F0LmdVcU2c8-gQ$ {
return 301 https://forms.nhcarrigan.com/o/docs/forms/6kULn8zswT8vYcoC8wE1Zi/4;
}
# Community Appeals Form
location ~* ^/form/l3PC15yalSWjdZASTQvGo22q_uj_7OtXAhZdcW35ev8$ {
return 301 https://forms.nhcarrigan.com/o/docs/forms/4w5VHsYiEkiS2mewvtuJYL/4;
}
# Recognition/Nomination Form
location ~* ^/form/wksk-NuR3HBuovSixbXFEnkYq-3Gp-bZMH-n__PNRKw$ {
return 301 https://forms.nhcarrigan.com/o/docs/forms/to2oFocVgALyr23EC84xM9/4;
}
# Community Feedback Form (now Discord forum channel)
location ~* ^/form/IDdo5e4OJS44QYFm9_aRJ36lY3Ox-BBTAM9zfnkhfoo$ {
return 301 https://docs.nhcarrigan.com/community/feedback;
}
# Product Feedback Form (now Discord forum channel)
location ~* ^/form/jkcGg0hMIa4U0hDL2OMip5pMX2UujN5W5n4Qn8HReJ8$ {
return 301 https://docs.nhcarrigan.com/community/feedback;
}
# Meeting Request Form (now Zcal scheduling)
location ~* ^/form/uUKZiJSDm6847iDOlpZkD5QF7cAjoTbTm0F4T0EdW0I$ {
return 301 https://zcal.co/nhcarrigan/meet;
}
# Commission Request Form
location ~* ^/form/XRlQjeu8CbMrTA-v0IPOxlUPEPitLKXTWg70UUCIORA$ {
return 301 https://forms.nhcarrigan.com/o/docs/forms/a9K6uzJkpnTfnKgo19b4Rp/4;
}
# Contact Form
location ~* ^/form/HyqoJ9Th5QDiOn_GPLNIRhe1a5ON7mDQf-O_ukM6R4g$ {
return 301 https://forms.nhcarrigan.com/o/docs/forms/8XTPmbrFtvDJAKSPgBgsvA/4;
}
# Git Account Request Form (no longer available - now Discord forum channels)
location ~* ^/form/c0_N5hb-VcmC2ClzaGOvDxVirMN_coiWG7eoPhDPsZ0$ {
return 301 https://docs.nhcarrigan.com/about/contact;
}
# Event/Publication Request Form
location ~* ^/form/Xqap3Q8hazzJd4Rrp9OOs9ip8Pa7C9zOVThlyFoPCbU$ {
return 301 https://forms.nhcarrigan.com/o/docs/forms/3xEKnDEbqQKG8GJp4kXRCs/4;
}
# Match any path ending in /forms/<id>
location ~ /forms/([^/]+)(?:/(.*))?$ {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_pass http://127.0.0.1:11111;
proxy_redirect off;
# Disable Gzip from upstream so nginx can inject CSS
proxy_set_header Accept-Encoding "";
# Override Grist OG image (replace the URL directly so our image wins in all three tags)
sub_filter 'https://grist-static.com/icons/opengraph-preview-image.png' 'https://cdn.nhcarrigan.com/og-image.png';
# Inject CSS and remove Grist branding
sub_filter '</body>' '<style>
/* 1. Remove the "Powered by Grist" footer */
footer[class] {
display: none !important;
}
/* 2. Remove the Border/Shadow from the container */
.test-form-framing {
border: none !important;
box-shadow: none !important;
}
/* 3. Remove the "Grist Form" badge (First child of framing) */
.test-form-framing > *:first-child {
display: none !important;
}
/* 4. Style the reset button with the theme accent colour */
.test-form-reset {
background-color: #A8577E !important;
border-color: #A8577E !important;
color: #F5F5F5 !important;
}
main {
margin-bottom: auto !important;
}
div:has(> main:first-child) {
border-radius: 10px;
margin-bottom: 50px;
}
</style><script src="https://cdn.nhcarrigan.com/headers/index.js"></script><script>document.querySelector("footer")?.remove();</script>
</body>';
sub_filter_once off;
}
# Upgrade websocket requests and route the api backend
location ~ ^/(api|ws)/ {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://127.0.0.1:11111;
}
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_pass http://127.0.0.1:11111;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+202
View File
@@ -0,0 +1,202 @@
# Games and gaming projects: beccalia, games hub, goblin, loan, lore, silly, wompwomp, yurigpt.
server {
listen 443 ssl;
server_name beccalia.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/beccalia.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/beccalia.nhcarrigan.com/privkey.pem;
root /home/naomi/games/beccalia;
location / {
index index.html;
}
location /origins {
index index.html;
}
location /prologue {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name blackwood.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/blackwood.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/blackwood.nhcarrigan.com/privkey.pem;
root /home/naomi/blackwood/dist;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
location /assets/ {
expires max;
add_header Cache-Control "public, immutable";
access_log off;
}
location ~* \.(mp3|png|gif|ico|svg|webp)$ {
expires 30d;
add_header Cache-Control "public";
access_log off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name games.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/games.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/games.nhcarrigan.com/privkey.pem;
root /home/naomi/games;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name goblin.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/goblin.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/goblin.nhcarrigan.com/privkey.pem;
root /home/naomi/games/goblin;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name loan.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/loan.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loan.nhcarrigan.com/privkey.pem;
root /home/naomi/games/loan;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name lore.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/lore.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lore.nhcarrigan.com/privkey.pem;
root /home/naomi/lore/dist/lore/browser;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name silly.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/silly.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/silly.nhcarrigan.com/privkey.pem;
root /home/naomi/silly;
index index.html;
location = / {
try_files /index.html =404;
}
location / {
try_files $uri $uri/ $uri.html $uri/index.html =404;
}
location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|otf|eot|webp)$ {
expires 30d;
add_header Cache-Control "public, immutable";
access_log off;
}
location ~ /\.(?!well-known) {
deny all;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name wompwomp.club;
ssl_certificate /etc/letsencrypt/live/wompwomp.club/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wompwomp.club/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5033;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name www.wompwomp.club;
ssl_certificate /etc/letsencrypt/live/www.wompwomp.club/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.wompwomp.club/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5033;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name www.yurigpt.com;
ssl_certificate /etc/letsencrypt/live/www.yurigpt.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.yurigpt.com/privkey.pem;
root /home/naomi/yurigpt/dist/yurigpt/browser;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name yurigpt.com;
ssl_certificate /etc/letsencrypt/live/yurigpt.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yurigpt.com/privkey.pem;
root /home/naomi/yurigpt/dist/yurigpt/browser;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
@@ -1,3 +1,4 @@
# Self-hosted Gitea instance.
server { server {
listen 443 ssl; listen 443 ssl;
server_name git.nhcarrigan.com; server_name git.nhcarrigan.com;
@@ -5,9 +6,9 @@ server {
ssl_certificate_key /etc/letsencrypt/live/git.nhcarrigan.com/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/git.nhcarrigan.com/privkey.pem;
location / { location / {
client_max_body_size 1000M; client_max_body_size 5000M;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3000; proxy_pass http://127.0.0.1:53000;
proxy_redirect off; proxy_redirect off;
} }
} }
+29
View File
@@ -0,0 +1,29 @@
# Hikari desktop app (Angular SPA + API backend).
server {
listen 443 ssl;
server_name hikari.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/hikari.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hikari.nhcarrigan.com/privkey.pem;
root /home/naomi/hikari/client/dist/client/browser;
index index.html;
location /api/ {
proxy_pass http://127.0.0.1:20000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header cf-connecting-ip $http_cf_connecting_ip;
proxy_set_header origin $http_origin;
# This removes /api from the forwarded URL
rewrite ^/api/(.*)$ /$1 break;
}
location / {
try_files $uri $uri/ /index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+36
View File
@@ -0,0 +1,36 @@
server {
listen 443 ssl;
server_name img.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/img.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/img.nhcarrigan.com/privkey.pem;
# allow large file uploads
client_max_body_size 50000M;
# disable buffering uploads to prevent OOM on reverse proxy server and make uploads twice as fast (no pause)
proxy_request_buffering off;
# increase body buffer to avoid limiting upload speed
client_body_buffer_size 1024k;
# Set headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# enable websockets: http://nginx.org/en/docs/http/websocket.html
proxy_http_version 1.1;
proxy_redirect off;
# set timeout
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
location / {
proxy_pass http://127.0.0.1:2283;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
+13
View File
@@ -0,0 +1,13 @@
server {
listen 443 ssl;
server_name learn.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/learn.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/learn.nhcarrigan.com/privkey.pem;
root /home/naomi/learn/dist;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+14
View File
@@ -0,0 +1,14 @@
# Library service proxy.
server {
listen 443 ssl;
server_name library.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/library.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/library.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:12321;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+26
View File
@@ -0,0 +1,26 @@
# Lucinda full-stack app (Angular SPA + API backend).
server {
listen 443 ssl;
server_name lucinda.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/lucinda.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lucinda.nhcarrigan.com/privkey.pem;
root /home/naomi/lucinda/client/dist/client/browser;
index index.html;
location /api/ {
proxy_pass http://127.0.0.1:12346/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# This removes /api from the forwarded URL
rewrite ^/api/(.*)$ /$1 break;
}
location / {
try_files $uri $uri/ /index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+26
View File
@@ -0,0 +1,26 @@
# Lynira.link domain (bare + www).
server {
listen 443 ssl;
server_name lynira.link;
ssl_certificate /etc/letsencrypt/live/lynira.link/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lynira.link/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5044;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name www.lynira.link;
ssl_certificate /etc/letsencrypt/live/www.lynira.link/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.lynira.link/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5044;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+42
View File
@@ -0,0 +1,42 @@
# Mommy bot suite: mommy-bot Discord bot, mommy-slack Slack bot, mommy web front-end.
server {
listen 443 ssl;
server_name mommy-bot.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/mommy-bot.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mommy-bot.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8009;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name mommy-slack.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/mommy-slack.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mommy-slack.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8010;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name mommy.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/mommy.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mommy.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8008;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
@@ -0,0 +1,85 @@
# Monitoring stack: analytics, incidents, logs, telemetry, uptime.
server {
listen 443 ssl;
server_name analytics.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/analytics.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/analytics.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:11080;
}
location = /live/websocket {
proxy_pass http://127.0.0.1:11080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name incidents.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/incidents.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/incidents.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3001;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name logs.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/logs.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/logs.nhcarrigan.com/privkey.pem;
location / {
proxy_pass http://127.0.0.1:9000;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http;
proxy_redirect http:// $scheme://;
proxy_connect_timeout 1m;
proxy_send_timeout 1m;
proxy_read_timeout 1m;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name telemetry.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/telemetry.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/telemetry.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5080;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name uptime.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/uptime.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/uptime.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3001;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+33
View File
@@ -0,0 +1,33 @@
# Nails app: Angular front-end SPA and API backend.
server {
listen 443 ssl;
server_name nails-api.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/nails-api.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nails-api.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:1235;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name nails.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/nails.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nails.nhcarrigan.com/privkey.pem;
root /home/naomi/nails/client/dist/client/browser;
location / {
index index.html;
try_files $uri $uri/ /index.html;
}
location ~* \.(js|css)$ {
try_files $uri $uri/ @rewrite;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+28
View File
@@ -0,0 +1,28 @@
# Nocturne static site.
server {
listen 443 ssl;
server_name nocturne.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/nocturne.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nocturne.nhcarrigan.com/privkey.pem;
root /home/naomi/nocturne;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name scripture.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/scripture.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/scripture.nhcarrigan.com/privkey.pem;
root /home/naomi/scripture;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+93
View File
@@ -0,0 +1,93 @@
# SilverBullet notes instance and Planka project board.
server {
listen 443 ssl;
server_name board.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/board.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/board.nhcarrigan.com/privkey.pem;
location ~ /ws/* {
proxy_pass http://127.0.0.1:43333;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 50M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 1d;
proxy_send_timeout 1d;
proxy_read_timeout 1d;
}
location / {
proxy_pass http://127.0.0.1:43333;
client_max_body_size 50M;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
proxy_http_version 1.1;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name notes.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/notes.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/notes.nhcarrigan.com/privkey.pem;
location ~ ^/(collab|socket\.io)(/.*)?$ {
proxy_pass http://127.0.0.1:30000;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 50M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 1d;
proxy_send_timeout 1d;
proxy_read_timeout 1d;
}
location / {
proxy_pass http://127.0.0.1:30000;
client_max_body_size 50M;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
proxy_http_version 1.1;
}
}
+161
View File
@@ -0,0 +1,161 @@
# Personal portfolio and vanity domains (naomi.lgbt, naomi.party, nhcarrigan.com, nhcarrigan.link, resume).
server {
listen 443 ssl;
server_name naomi.lgbt;
ssl_certificate /etc/letsencrypt/live/naomi.lgbt/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/naomi.lgbt/privkey.pem;
root /home/naomi/portfolio/site;
location / {
index index.html;
}
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
location /games {
try_files /games.html =404;
}
location /koikatsu {
try_files /koikatsu.html =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name naomi.party;
ssl_certificate /etc/letsencrypt/live/naomi.party/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/naomi.party/privkey.pem;
root /home/naomi/bsky;
location / {
index index.html;
}
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nhcarrigan.com/privkey.pem;
root /home/naomi/portfolio/site;
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
location / {
index index.html;
}
location /games {
try_files /games.html =404;
}
location /koikatsu {
try_files /koikatsu.html =404;
}
location /testimonials {
return 301 https://testimonials.nhcarrigan.com;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name nhcarrigan.link;
ssl_certificate /etc/letsencrypt/live/nhcarrigan.link/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nhcarrigan.link/privkey.pem;
root /home/naomi/link-redirector;
location / {
index index.html;
}
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name resume.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/resume.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/resume.nhcarrigan.com/privkey.pem;
root /home/naomi/resume/site;
location /resume.yaml {
default_type text/plain;
add_header Content-Type "text/plain; charset=utf-8";
}
location / {
index index.html;
try_files $uri $uri/ /index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name www.naomi.lgbt;
ssl_certificate /etc/letsencrypt/live/www.naomi.lgbt/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.naomi.lgbt/privkey.pem;
root /home/naomi/portfolio/site;
location / {
index index.html;
}
location /games {
try_files /games.html =404;
}
location /koikatsu {
try_files /koikatsu.html =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name www.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/www.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.nhcarrigan.com/privkey.pem;
root /home/naomi/portfolio/site;
location / {
index index.html;
}
location /games {
try_files /games.html =404;
}
location /koikatsu {
try_files /koikatsu.html =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+13
View File
@@ -0,0 +1,13 @@
# Naomi QR code generator.
server {
listen 443 ssl;
server_name qr.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/qr.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/qr.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:15555;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+34
View File
@@ -0,0 +1,34 @@
# Rosalia alerting service and legacy alerts redirect.
server {
listen 443 ssl;
server_name alerts.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/alerts.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/alerts.nhcarrigan.com/privkey.pem;
# Redirect ONLY root `/`
location = / {
return 307 https://rosalia.nhcarrigan.com;
}
# Proxy everything else
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5003;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name rosalia.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/rosalia.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/rosalia.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5003;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+41
View File
@@ -0,0 +1,41 @@
# Security tooling: SonarQube code quality gate and DefectDojo vulnerability management.
server {
listen 443 ssl;
server_name quality.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/quality.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/quality.nhcarrigan.com/privkey.pem;
client_max_body_size 1g;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:9500;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name security.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/security.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/security.nhcarrigan.com/privkey.pem;
location /report {
alias /home/naomi/defectdojo;
index report.html;
}
location / {
proxy_pass http://127.0.0.1:43434;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 100M;
proxy_read_timeout 90;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+28
View File
@@ -0,0 +1,28 @@
# Speaking sites: events listing and talk companion guides.
server {
listen 443 ssl;
server_name events.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/events.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/events.nhcarrigan.com/privkey.pem;
root /home/naomi/events;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name talks.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/talks.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/talks.nhcarrigan.com/privkey.pem;
root /home/naomi/talks;
location / {
try_files $uri $uri/index.html =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+26
View File
@@ -0,0 +1,26 @@
# Discourse community support forum.
server {
listen 443 ssl http2;
server_name support.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/support.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/support.nhcarrigan.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
client_max_body_size 20M;
location / {
proxy_pass http://localhost:32121;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+22
View File
@@ -0,0 +1,22 @@
# Tarot static site.
server {
listen 443 ssl;
server_name tarot.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/tarot.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tarot.nhcarrigan.com/privkey.pem;
root /home/naomi/tarot;
location = / {
try_files /index.html =404;
}
location ~ \.json$ {
try_files $uri =404;
}
location / {
return 403;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+33
View File
@@ -0,0 +1,33 @@
# Vitalia app: Angular front-end SPA and API backend.
server {
listen 443 ssl;
server_name vitalia-api.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/vitalia.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vitalia.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:12345;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name vitalia.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/vitalia.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vitalia.nhcarrigan.com/privkey.pem;
root /home/naomi/vitalia/client/dist/client/browser;
location / {
index index.html;
try_files $uri $uri/ /index.html;
}
location ~* \.(js|css)$ {
try_files $uri $uri/ @rewrite;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
@@ -0,0 +1,15 @@
# Workshops Angular SPA (companion guides for live workshops).
server {
listen 443 ssl;
server_name workshops.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/workshops.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/workshops.nhcarrigan.com/privkey.pem;
root /home/naomi/workshops/dist/workshops/browser;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+18
View File
@@ -0,0 +1,18 @@
# wtf.naomi.lgbt personal project.
server {
listen 443 ssl;
server_name wtf.naomi.lgbt;
ssl_certificate /etc/letsencrypt/live/wtf.naomi.lgbt/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wtf.naomi.lgbt/privkey.pem;
client_max_body_size 100M;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3456;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+1
View File
@@ -0,0 +1 @@
../sites-available/404.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/afp.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/aria.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/bots.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/catch-all.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/cdn.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/celestine.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/cipher.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/content.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/data.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/default
+1
View File
@@ -0,0 +1 @@
../sites-available/docs.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/eclaire.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/elowyn.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/elysium.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/forms.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/games.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/git.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/hikari.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/img.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/learn.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/library.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/lucinda.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/lynira.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/mommy.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/monitoring.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/nails.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/nocturne.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/notes.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/portfolio.conf
+13
View File
@@ -0,0 +1,13 @@
# Naomi QR code generator.
server {
listen 443 ssl;
server_name qr.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/qr.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/qr.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:15555;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+1
View File
@@ -0,0 +1 @@
../sites-available/rosalia.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/security.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/speaking.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/support.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/tarot.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/vitalia.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/workshops.conf
+1
View File
@@ -0,0 +1 @@
../sites-available/wtf.conf
+4
View File
@@ -0,0 +1,4 @@
# Block requests for dotfiles (e.g. .gitconfig, .env, .git/).
location ~ /\. {
return 403;
}
+17
View File
@@ -0,0 +1,17 @@
uwsgi_param QUERY_STRING $query_string;
uwsgi_param REQUEST_METHOD $request_method;
uwsgi_param CONTENT_TYPE $content_type;
uwsgi_param CONTENT_LENGTH $content_length;
uwsgi_param REQUEST_URI $request_uri;
uwsgi_param PATH_INFO $document_uri;
uwsgi_param DOCUMENT_ROOT $document_root;
uwsgi_param SERVER_PROTOCOL $server_protocol;
uwsgi_param REQUEST_SCHEME $scheme;
uwsgi_param HTTPS $https if_not_empty;
uwsgi_param REMOTE_ADDR $remote_addr;
uwsgi_param REMOTE_PORT $remote_port;
uwsgi_param SERVER_PORT $server_port;
uwsgi_param SERVER_NAME $server_name;
+125
View File
@@ -0,0 +1,125 @@
# This map is not a full windows-1251 <> utf8 map: it does not
# contain Serbian and Macedonian letters. If you need a full map,
# use contrib/unicode2nginx/win-utf map instead.
charset_map windows-1251 utf-8 {
82 E2809A; # single low-9 quotation mark
84 E2809E; # double low-9 quotation mark
85 E280A6; # ellipsis
86 E280A0; # dagger
87 E280A1; # double dagger
88 E282AC; # euro
89 E280B0; # per mille
91 E28098; # left single quotation mark
92 E28099; # right single quotation mark
93 E2809C; # left double quotation mark
94 E2809D; # right double quotation mark
95 E280A2; # bullet
96 E28093; # en dash
97 E28094; # em dash
99 E284A2; # trade mark sign
A0 C2A0; # &nbsp;
A1 D18E; # capital Byelorussian short U
A2 D19E; # small Byelorussian short u
A4 C2A4; # currency sign
A5 D290; # capital Ukrainian soft G
A6 C2A6; # borken bar
A7 C2A7; # section sign
A8 D081; # capital YO
A9 C2A9; # (C)
AA D084; # capital Ukrainian YE
AB C2AB; # left-pointing double angle quotation mark
AC C2AC; # not sign
AD C2AD; # soft hypen
AE C2AE; # (R)
AF D087; # capital Ukrainian YI
B0 C2B0; # &deg;
B1 C2B1; # plus-minus sign
B2 D086; # capital Ukrainian I
B3 D196; # small Ukrainian i
B4 D291; # small Ukrainian soft g
B5 C2B5; # micro sign
B6 C2B6; # pilcrow sign
B7 C2B7; # &middot;
B8 D191; # small yo
B9 E28496; # numero sign
BA D194; # small Ukrainian ye
BB C2BB; # right-pointing double angle quotation mark
BF D197; # small Ukrainian yi
C0 D090; # capital A
C1 D091; # capital B
C2 D092; # capital V
C3 D093; # capital G
C4 D094; # capital D
C5 D095; # capital YE
C6 D096; # capital ZH
C7 D097; # capital Z
C8 D098; # capital I
C9 D099; # capital J
CA D09A; # capital K
CB D09B; # capital L
CC D09C; # capital M
CD D09D; # capital N
CE D09E; # capital O
CF D09F; # capital P
D0 D0A0; # capital R
D1 D0A1; # capital S
D2 D0A2; # capital T
D3 D0A3; # capital U
D4 D0A4; # capital F
D5 D0A5; # capital KH
D6 D0A6; # capital TS
D7 D0A7; # capital CH
D8 D0A8; # capital SH
D9 D0A9; # capital SHCH
DA D0AA; # capital hard sign
DB D0AB; # capital Y
DC D0AC; # capital soft sign
DD D0AD; # capital E
DE D0AE; # capital YU
DF D0AF; # capital YA
E0 D0B0; # small a
E1 D0B1; # small b
E2 D0B2; # small v
E3 D0B3; # small g
E4 D0B4; # small d
E5 D0B5; # small ye
E6 D0B6; # small zh
E7 D0B7; # small z
E8 D0B8; # small i
E9 D0B9; # small j
EA D0BA; # small k
EB D0BB; # small l
EC D0BC; # small m
ED D0BD; # small n
EE D0BE; # small o
EF D0BF; # small p
F0 D180; # small r
F1 D181; # small s
F2 D182; # small t
F3 D183; # small u
F4 D184; # small f
F5 D185; # small kh
F6 D186; # small ts
F7 D187; # small ch
F8 D188; # small sh
F9 D189; # small shch
FA D18A; # small hard sign
FB D18B; # small y
FC D18C; # small soft sign
FD D18D; # small e
FE D18E; # small yu
FF D18F; # small ya
}
+3 -7
View File
@@ -1,7 +1,3 @@
servers=("prod" "gitea") echo "Pulling prod nginx"
rsync --archive --verbose prod:/etc/nginx nginx
for server in "${servers[@]}" echo "All done!"
do
echo "Pulling $server"
rsync --archive --verbose $server:/etc/nginx/conf.d/server.conf configs/$server.conf
done
Executable
+3
View File
@@ -0,0 +1,3 @@
echo "Pushing nginx to prod"
rsync --archive --verbose --delete --rsync-path="sudo rsync" nginx/nginx/ prod:/etc/nginx
echo "All done!"
+1
View File
@@ -0,0 +1 @@
sites-available/img.conf

Some files were not shown because too many files have changed in this diff Show More