Compare commits

..

2 Commits

Author SHA1 Message Date
hikari 611967fa30 feat: add push.sh script to deploy nginx config to prod 2026-03-03 15:19:44 -08:00
naomi 243f2d4a18 feat: new structure 2026-03-03 15:15:37 -08:00
94 changed files with 1929 additions and 2682 deletions
-53
View File
@@ -1,53 +0,0 @@
name: Test nginx configuration
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:
jobs:
static-analysis:
name: Static Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run static analysis
run: bash test.sh
syntax-check:
name: nginx Syntax Check
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install nginx
run: |
sudo apt-get update -q
sudo apt-get install -y nginx-full
- name: Deploy config to /etc/nginx
run: sudo cp -a nginx/nginx/. /etc/nginx/
- name: Create stub SSL certificates
run: |
openssl req -x509 -newkey rsa:2048 -keyout /tmp/stub.key \
-out /tmp/stub.pem -days 1 -nodes -subj '/CN=stub'
while IFS= read -r dir; do
sudo mkdir -p "$dir"
sudo cp /tmp/stub.pem "$dir/fullchain.pem"
sudo cp /tmp/stub.key "$dir/privkey.pem"
done < <(grep -rh 'ssl_certificate ' /etc/nginx/sites-available/ \
| grep -v '#' \
| grep -oP '/etc/letsencrypt/live/[^\s/]+' \
| sort -u)
- name: Run nginx syntax check
run: sudo nginx -t
-29
View File
@@ -1,29 +0,0 @@
# NGINX Configs — Project Notes
## 404 Handling
### Global 404 redirect
Any 404 from any site is handled globally via `nginx/nginx/nginx.conf` in the `http {}` block:
```nginx
error_page 404 https://404.nhcarrigan.com;
```
This redirects (302) to `404.nhcarrigan.com` which serves `/home/naomi/404/index.html`.
No need to add `error_page` to individual server blocks — the `http {}` level default covers everything.
### 404 site config
`nginx/nginx/sites-available/404.conf` — serves the static 404 page at `/home/naomi/404`.
Requires an SSL cert at `/etc/letsencrypt/live/404.nhcarrigan.com/`.
### Catch-all server block (`catch-all.conf`)
Handles any HTTPS request for a subdomain that doesn't match any configured `server_name`.
Uses `default_server` on port 443, `server_name _`, and serves the same 404 page directly
(with `return 404` to preserve the status code, since this is the final fallback rather than a redirect).
## Adding a New Site
1. Create `nginx/nginx/sites-available/<name>.conf` with the server block.
2. Create a symlink: `ln -s ../sites-available/<name>.conf nginx/nginx/sites-enabled/<name>.conf`
3. Ensure an SSL cert exists on the server for the domain (`certbot --nginx -d <domain>`).
4. No need to add `error_page 404` — it's handled globally.
+3 -125
View File
@@ -1,132 +1,10 @@
# Nginx Configs # Nginx Configs
This repository holds the nginx configuration for NHCarrigan's production server, with scripts for deploying and pulling changes. This repository holds our NGINX configs and offers a basic script for pulling the latest versions from our servers.
## Directory Structure ## Live Version
``` These can't really be viewed live...
nginx/nginx/ # Maps directly to /etc/nginx/ on the server
├── nginx.conf # Global settings (workers, gzip, TLS, logging)
├── conf.d/
│ ├── cloudflare_ips.conf # Real-IP trust for Cloudflare ranges (auto-updated by cron)
│ ├── logging.conf # Custom log formats (custom_format + json_analytics)
│ └── tuning.conf # Performance tweaks (server_names_hash_bucket_size)
├── sites-available/ # One .conf file per logical group of sites
│ └── *.conf
├── sites-enabled/ # Symlinks to active configs in sites-available/
│ └── * -> ../sites-available/*.conf
└── ... # Standard nginx package files (mime.types, proxy_params, etc.)
```
## Adding a New Site
1. **Identify the right file.** Each `sites-available/*.conf` has a comment at the top describing what belongs there. Pick the most appropriate file, or create a new one if the site does not fit anywhere.
2. **Add the server block**, following this template for a proxied app:
```nginx
server {
listen 443 ssl;
server_name yourapp.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/yourapp.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourapp.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:<PORT>;
proxy_redirect off;
}
}
```
Or this template for a static site:
```nginx
server {
listen 443 ssl;
server_name yoursite.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/yoursite.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yoursite.nhcarrigan.com/privkey.pem;
root /home/naomi/yoursite;
location / {
index index.html;
}
}
```
3. **Keep server blocks sorted alphabetically** by `server_name` within the file. The CI sort check will fail if they are out of order. Note that hyphenated names sort before the bare domain in C locale (e.g. `app-api` before `app`).
4. **If you created a new `.conf` file**, create the corresponding symlink in `sites-enabled/`:
```bash
cd nginx/nginx/sites-enabled
ln -s ../sites-available/newfile.conf newfile.conf
```
5. **Get the SSL certificate** on the server before deploying:
```bash
sudo certbot certonly --nginx -d yourapp.nhcarrigan.com
```
6. **Run the tests** locally to verify everything passes:
```bash
bash test.sh
```
7. **Deploy** (see below).
## Removing a Site
1. Delete the server block from the relevant `sites-available/*.conf` file.
2. If the entire `.conf` file is now empty, delete the file and its `sites-enabled/` symlink.
3. Run `bash test.sh` to confirm nothing is broken.
4. Deploy.
## Deploying Changes
Push the local `nginx/nginx/` directory to the server (the `--delete` flag removes any files on the server that no longer exist locally):
```bash
bash push.sh
```
Then reload nginx to apply the changes:
```bash
ssh prod "sudo systemctl reload nginx"
```
To pull the current server config back into this repository:
```bash
bash pull.sh
```
## Testing
The test suite runs static analysis checks against the config files without requiring a live nginx instance:
```bash
bash test.sh
```
The following checks are run:
| # | Check |
|---|-------|
| 1 | No deprecated TLS versions (TLSv1 / TLSv1.1) |
| 2 | No duplicate `server_name` values |
| 3 | Every `sites-available/*.conf` has a `sites-enabled` symlink |
| 4 | No broken symlinks in `sites-enabled` |
| 5 | No orphaned symlinks in `sites-enabled` |
| 6 | No port-80 listeners in custom server blocks |
| 7 | `ssl_certificate` and `ssl_certificate_key` counts match per file |
| 8 | All plain-HTTP `proxy_pass` targets are local |
| 9 | All SSL cert paths use `/etc/letsencrypt/live/` |
| 10 | Certs use `fullchain.pem` / keys use `privkey.pem` |
| 11 | No raw IP addresses as `server_name` |
| 12 | `conf.d` contains only expected files |
| 13 | Server blocks are sorted alphabetically by `server_name` within each file |
CI additionally runs an nginx syntax check (`nginx -t`) using stub SSL certificates, catching any configuration errors that static analysis cannot detect.
## Feedback and Bugs ## Feedback and Bugs
+1 -1
View File
@@ -1,5 +1,5 @@
# Auto-generated Cloudflare IP ranges # Auto-generated Cloudflare IP ranges
# Updated: Wed Jun 10 10:59:21 PM PDT 2026 # Updated: Mon Mar 2 09:45:19 PM PST 2026
real_ip_header CF-Connecting-IP; real_ip_header CF-Connecting-IP;
+44
View File
@@ -0,0 +1,44 @@
server {
listen 80;
server_name localhost;
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
-47
View File
@@ -1,47 +0,0 @@
log_format custom_format '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$http_x_forwarded_for"';
access_log /var/log/nginx/access.log custom_format;
log_format json_analytics escape=json '{'
'"msec": "$msec", ' # request unixtime in seconds with a milliseconds resolution
'"connection": "$connection", ' # connection serial number
'"connection_requests": "$connection_requests", ' # number of requests made in connection
'"pid": "$pid", ' # process pid
'"request_id": "$request_id", ' # the unique request id
'"request_length": "$request_length", ' # request length (including headers and body)
'"remote_addr": "$remote_addr", ' # client IP
'"remote_user": "$remote_user", ' # client HTTP username
'"remote_port": "$remote_port", ' # client port
'"time_local": "$time_local", '
'"time_iso8601": "$time_iso8601", ' # local time in the ISO 8601 standard format
'"request": "$request", ' # full path no arguments if the request
'"request_uri": "$request_uri", ' # full path and arguments if the request
'"args": "$args", ' # args
'"status": "$status", ' # response status code
'"body_bytes_sent": "$body_bytes_sent", ' # the number of body bytes exclude headers sent to a client
'"bytes_sent": "$bytes_sent", ' # the number of bytes sent to a client
'"http_referer": "$http_referer", ' # HTTP referer
'"http_user_agent": "$http_user_agent", ' # user agent
'"http_x_forwarded_for": "$http_x_forwarded_for", ' # http_x_forwarded_for
'"http_host": "$http_host", ' # the request Host: header
'"server_name": "$server_name", ' # the name of the vhost serving the request
'"request_time": "$request_time", ' # request processing time in seconds with msec resolution
'"upstream": "$upstream_addr", ' # upstream backend server for proxied requests
'"upstream_connect_time": "$upstream_connect_time", ' # upstream handshake time incl. TLS
'"upstream_header_time": "$upstream_header_time", ' # time spent receiving upstream headers
'"upstream_response_time": "$upstream_response_time", ' # time spent receiving upstream body
'"upstream_response_length": "$upstream_response_length", ' # upstream response length
'"upstream_cache_status": "$upstream_cache_status", ' # cache HIT/MISS where applicable
'"ssl_protocol": "$ssl_protocol", ' # TLS protocol
'"ssl_cipher": "$ssl_cipher", ' # TLS cipher
'"scheme": "$scheme", ' # http or https
'"request_method": "$request_method", ' # request method
'"server_protocol": "$server_protocol", ' # request protocol, like HTTP/1.1 or HTTP/2.0
'"pipe": "$pipe", ' # "p" if request was pipelined, "." otherwise
'"gzip_ratio": "$gzip_ratio", '
'}';
access_log /var/log/nginx/json_access.log json_analytics;
-162
View File
@@ -1,162 +0,0 @@
# Pure-redirect virtual hosts — server blocks whose only purpose is a 301/302 to another URL.
# val.nhcarrigan.com → headpat image
server {
listen 443 ssl;
server_name val.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/val.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/val.nhcarrigan.com/privkey.pem;
location / {
return 302 https://cdn.nhcarrigan.com/val-headpat.jpg;
}
}
# assistant.nhcarrigan.com → cordelia (legacy name)
server {
listen 443 ssl;
server_name assistant.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/assistant.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/assistant.nhcarrigan.com/privkey.pem;
location / {
return 301 https://cordelia.nhcarrigan.com$uri$is_args$args;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# trans-bot.nhcarrigan.com → aria (legacy name)
server {
listen 443 ssl;
server_name trans-bot.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/trans.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/trans.nhcarrigan.com/privkey.pem;
location / {
return 301 https://aria.nhcarrigan.com;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# announcements.nhcarrigan.com → hikari /announcements
server {
listen 443 ssl;
server_name announcements.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/announcements.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/announcements.nhcarrigan.com/privkey.pem;
return 301 https://hikari.nhcarrigan.com/announcements;
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# products.nhcarrigan.com → hikari /products
server {
listen 443 ssl;
server_name products.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/products.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/products.nhcarrigan.com/privkey.pem;
location / {
return 301 https://hikari.nhcarrigan.com/products;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# hooks.nhcarrigan.com → celestine (legacy name)
server {
listen 443 ssl;
server_name hooks.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/hooks.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hooks.nhcarrigan.com/privkey.pem;
location / {
return 301 https://celestine.nhcarrigan.com$uri$is_args$args;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# chat.nhcarrigan.com → Discord invite
server {
listen 443 ssl;
server_name chat.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/chat.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/chat.nhcarrigan.com/privkey.pem;
location / {
return 301 https://discord.gg/KKe7BaEnQB;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# forum.nhcarrigan.com → support (legacy name)
server {
listen 443 ssl;
server_name forum.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/forum.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/forum.nhcarrigan.com/privkey.pem;
location / {
return 301 https://support.nhcarrigan.com;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# cyc.nhcarrigan.com → zcal scheduling
server {
listen 443 ssl;
server_name cyc.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/cyc.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cyc.nhcarrigan.com/privkey.pem;
return 301 https://zcal.co/nhcarrigan/cyc;
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# meet.nhcarrigan.com → zcal scheduling
server {
listen 443 ssl;
server_name meet.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/meet.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/meet.nhcarrigan.com/privkey.pem;
return 301 https://zcal.co/nhcarrigan/meet;
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# huddle.nhcarrigan.com → zcal scheduling
server {
listen 443 ssl;
server_name huddle.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/huddle.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/huddle.nhcarrigan.com/privkey.pem;
return 301 https://zcal.co/nhcarrigan/huddle;
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# tasks.nhcarrigan.com → melody
server {
listen 443 ssl;
server_name tasks.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/tasks.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tasks.nhcarrigan.com/privkey.pem;
location / {
return 301 https://melody.nhcarrigan.com$uri$is_args$args;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
# Wildcard: *.naomi.lgbt → *.nhcarrigan.com
server {
listen 443 ssl;
server_name ~^(?<subdomain>.+)\.naomi\.lgbt$;
ssl_certificate /etc/letsencrypt/live/*.naomi.lgbt/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/*.naomi.lgbt/privkey.pem;
location / {
return 301 https://$subdomain.nhcarrigan.com$request_uri;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
File diff suppressed because it is too large Load Diff
-1
View File
@@ -1 +0,0 @@
server_names_hash_bucket_size 128;
+84 -6
View File
@@ -5,6 +5,7 @@ include /etc/nginx/modules-enabled/*.conf;
events { events {
worker_connections 768; worker_connections 768;
# multi_accept on;
} }
http { http {
@@ -12,11 +13,16 @@ http {
## ##
# Basic Settings # Basic Settings
## ##
server_names_hash_bucket_size 128;
sendfile on; sendfile on;
tcp_nopush on; tcp_nopush on;
tcp_nodelay on; tcp_nodelay on;
keepalive_timeout 65; keepalive_timeout 65;
types_hash_max_size 2048; types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
default_type application/octet-stream; default_type application/octet-stream;
@@ -25,7 +31,7 @@ http {
# SSL Settings # SSL Settings
## ##
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
## ##
@@ -41,10 +47,12 @@ http {
gzip on; gzip on;
## # gzip_vary on;
# Global Error Pages # gzip_proxied any;
## # gzip_comp_level 6;
error_page 404 https://404.nhcarrigan.com; # gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
## ##
# Virtual Host Configs # Virtual Host Configs
@@ -53,5 +61,75 @@ http {
include /etc/nginx/sites-enabled/*; include /etc/nginx/sites-enabled/*;
# Look at the real IP, not the cloudflare IP. # Look at the real IP, not the cloudflare IP.
include /etc/nginx/cloudflare_ips.conf; include /etc/nginx/cloudflare_ips.conf;
log_format custom_format '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$http_x_forwarded_for"';
access_log /var/log/nginx/access.log custom_format;
log_format json_analytics escape=json '{'
'"msec": "$msec", ' # request unixtime in seconds with a milliseconds resolution
'"connection": "$connection", ' # connection serial number
'"connection_requests": "$connection_requests", ' # number of requests made in connection
'"pid": "$pid", ' # process pid
'"request_id": "$request_id", ' # the unique request id
'"request_length": "$request_length", ' # request length (including headers and body)
'"remote_addr": "$remote_addr", ' # client IP
'"remote_user": "$remote_user", ' # client HTTP username
'"remote_port": "$remote_port", ' # client port
'"time_local": "$time_local", '
'"time_iso8601": "$time_iso8601", ' # local time in the ISO 8601 standard format
'"request": "$request", ' # full path no arguments if the request
'"request_uri": "$request_uri", ' # full path and arguments if the request
'"args": "$args", ' # args
'"status": "$status", ' # response status code
'"body_bytes_sent": "$body_bytes_sent", ' # the number of body bytes exclude headers sent to a client
'"bytes_sent": "$bytes_sent", ' # the number of bytes sent to a client
'"http_referer": "$http_referer", ' # HTTP referer
'"http_user_agent": "$http_user_agent", ' # user agent
'"http_x_forwarded_for": "$http_x_forwarded_for", ' # http_x_forwarded_for
'"http_host": "$http_host", ' # the request Host: header
'"server_name": "$server_name", ' # the name of the vhost serving the request
'"request_time": "$request_time", ' # request processing time in seconds with msec resolution
'"upstream": "$upstream_addr", ' # upstream backend server for proxied requests
'"upstream_connect_time": "$upstream_connect_time", ' # upstream handshake time incl. TLS
'"upstream_header_time": "$upstream_header_time", ' # time spent receiving upstream headers
'"upstream_response_time": "$upstream_response_time", ' # time spent receiving upstream body
'"upstream_response_length": "$upstream_response_length", ' # upstream response length
'"upstream_cache_status": "$upstream_cache_status", ' # cache HIT/MISS where applicable
'"ssl_protocol": "$ssl_protocol", ' # TLS protocol
'"ssl_cipher": "$ssl_cipher", ' # TLS cipher
'"scheme": "$scheme", ' # http or https
'"request_method": "$request_method", ' # request method
'"server_protocol": "$server_protocol", ' # request protocol, like HTTP/1.1 or HTTP/2.0
'"pipe": "$pipe", ' # "p" if request was pipelined, "." otherwise
'"gzip_ratio": "$gzip_ratio", '
'}';
access_log /var/log/nginx/json_access.log json_analytics;
} }
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
-14
View File
@@ -1,14 +0,0 @@
# 404 error page static site.
server {
listen 443 ssl;
server_name 404.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/404.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/404.nhcarrigan.com/privkey.pem;
root /home/naomi/404;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-14
View File
@@ -1,14 +0,0 @@
# AFP service proxy.
server {
listen 443 ssl;
server_name afp.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/afp.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/afp.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:10080;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-40
View File
@@ -1,40 +0,0 @@
# Aria bot, Cordelia AI assistant, and trans-related services.
server {
listen 443 ssl;
server_name aria.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/aria.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/aria.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5001;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name cordelia.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/cordelia.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cordelia.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5002;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name trans.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/trans.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/trans.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://0.0.0.0:5000;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-272
View File
@@ -1,272 +0,0 @@
# Discord bots and automated services (one entry per bot, sorted alphabetically).
server {
listen 443 ssl;
server_name altaria.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/altaria.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/altaria.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:6022;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name amari.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/amari.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/amari.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:7044;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name becca.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/becca.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/becca.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5010;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name caelia.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/caelia.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/caelia.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:7055;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name callista.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/callista.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/callista.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:6111;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name chibika.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/chibika.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/chibika.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5018;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name gwen.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/gwen.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/gwen.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5012;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name keiko.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/keiko.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/keiko.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3333;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name liora.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/liora.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/liora.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5022;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name maylin.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/maylin.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/maylin.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5011;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name melody.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/melody.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/melody.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5443;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name pavelle.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/pavelle.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/pavelle.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:6019;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name ruubot.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/ruubot.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ruubot.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass https://127.0.0.1:4443;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name saisoku.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/saisoku.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/saisoku.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:9100;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name serenya.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/serenya.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/serenya.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:7066;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name sorielle.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/sorielle.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sorielle.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5019;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name tyche.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/tyche.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tyche.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8123;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name umbrelle.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/umbrelle.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/umbrelle.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:6088;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name valerium.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/valerium.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/valerium.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3443;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name veluna.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/veluna.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/veluna.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:6099;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
@@ -1,23 +0,0 @@
# Catch-all for unmatched subdomains - serves a 404 page.
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nhcarrigan.com/privkey.pem;
server_name _;
root /home/naomi/404;
error_page 404 /index.html;
location / {
return 404;
}
location = /index.html {
internal;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-54
View File
@@ -1,54 +0,0 @@
# CDN reverse proxy to Hetzner object storage, with legacy path redirects and CORS headers.
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name cdn.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/cdn.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cdn.nhcarrigan.com/privkey.pem;
# Catches "/new-avatars/name-full.png" and redirects to "/avatars/name.png"
location ~ ^/new-avatars/(.+)-full\.png$ {
return 301 $scheme://$host/avatars/$1.png;
}
# Catches anything else starting with "/new-avatars/" and moves it to "/avatars/"
location ~ ^/new-avatars/(.*)$ {
return 301 $scheme://$host/avatars/$1;
}
# Handle CORS preflight requests without the "if is evil" pattern.
location / {
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
add_header Access-Control-Max-Age 86400 always;
add_header Content-Type "text/plain; charset=utf-8";
add_header Content-Length 0;
return 204;
}
proxy_pass https://nhcarrigan.hel1.your-objectstorage.com;
proxy_set_header Host nhcarrigan.hel1.your-objectstorage.com;
proxy_ssl_server_name on;
proxy_ssl_name nhcarrigan.hel1.your-objectstorage.com;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Authorization "";
proxy_set_header x-amz-date "";
proxy_set_header x-amz-security-token "";
proxy_hide_header Access-Control-Allow-Origin;
add_header X-Debug-Cdn "Proxy-Active" always;
add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
@@ -1,15 +0,0 @@
# Celestine webhook handler.
server {
listen 443 ssl;
server_name celestine.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/celestine.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/celestine.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:9080;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-25
View File
@@ -1,25 +0,0 @@
# Cipher - Bluesky collections archive.
server {
listen 443 ssl;
server_name cipher.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/cipher.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cipher.nhcarrigan.com/privkey.pem;
root /home/naomi/cipher;
location = / {
try_files /site.html =404;
}
location = /data.json {
default_type application/json;
add_header Content-Type "application/json; charset=utf-8";
}
# Everything else gets the global 404
location / {
return 404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-148
View File
@@ -1,148 +0,0 @@
# Static content and publishing sites: blog, books, donate, music, personality, secrets, style, testimonials.
server {
listen 443 ssl;
server_name blog.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/blog.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/blog.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3003;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name books.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/books.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/books.nhcarrigan.com/privkey.pem;
root /home/naomi/books;
location / {
index index.html;
}
location /books.json {
try_files /books.json =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name donate.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/donate.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/donate.nhcarrigan.com/privkey.pem;
root /home/naomi/donate;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name grimoire.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/grimoire.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/grimoire.nhcarrigan.com/privkey.pem;
root /home/naomi/grimoire;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name memes.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/memes.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/memes.nhcarrigan.com/privkey.pem;
root /home/naomi/memes;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name music.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/music.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/music.nhcarrigan.com/privkey.pem;
root /home/naomi/music;
location / {
index index.html;
}
location /songs.json {
try_files /songs.json =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name personality.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/personality.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/personality.nhcarrigan.com/privkey.pem;
root /home/naomi/personality/dist;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name secrets.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/secrets.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/secrets.nhcarrigan.com/privkey.pem;
root /home/naomi/secrets;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name style.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/style.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/style.nhcarrigan.com/privkey.pem;
root /home/naomi/style;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name testimonials.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/testimonials.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/testimonials.nhcarrigan.com/privkey.pem;
root /home/naomi/testimonials;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-14
View File
@@ -1,14 +0,0 @@
# Data service proxy.
server {
listen 443 ssl;
server_name data.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/data.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/data.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:9999;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
+81 -8
View File
@@ -1,18 +1,91 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server { server {
listen 80 default_server; listen 80 default_server;
listen [::]:80 default_server; listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _; server_name _;
root /home/naomi/404;
error_page 404 /index.html;
location / { location / {
return 404; # First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
} }
location = /index.html { # pass PHP scripts to FastCGI server
internal; #
} #location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
} }
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
-70
View File
@@ -1,70 +0,0 @@
# Documentation and informational sites: contact, docs, manual, sitemap, socials.
server {
listen 443 ssl;
server_name contact.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/contact.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/contact.nhcarrigan.com/privkey.pem;
root /home/naomi/socials;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name docs.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/docs.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/docs.nhcarrigan.com/privkey.pem;
root /home/naomi/docs/dist;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name manual.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/manual.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/manual.nhcarrigan.com/privkey.pem;
root /home/naomi/manual;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name sitemap.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/sitemap.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sitemap.nhcarrigan.com/privkey.pem;
root /home/naomi/sitemap;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name socials.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/socials.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/socials.nhcarrigan.com/privkey.pem;
root /home/naomi/socials;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-15
View File
@@ -1,15 +0,0 @@
# Eclaire Angular SPA.
server {
listen 443 ssl;
server_name eclaire.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/eclaire.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/eclaire.nhcarrigan.com/privkey.pem;
root /home/naomi/eclaire/dist/eclaire/browser;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-19
View File
@@ -1,19 +0,0 @@
# Elowyn Angular SPA.
server {
listen 443 ssl;
server_name elowyn.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/elowyn.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/elowyn.nhcarrigan.com/privkey.pem;
root /home/naomi/elowyn;
location / {
index index.html;
try_files $uri $uri/ /index.html;
}
location ~* \.(js|css)$ {
try_files $uri $uri/ @rewrite;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-25
View File
@@ -1,25 +0,0 @@
# Elysium Vite SPA and Hono API backend.
server {
listen 443 ssl;
server_name elysium.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/elysium.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/elysium.nhcarrigan.com/privkey.pem;
root /home/naomi/elysium/apps/web/dist;
location /api/ {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3898/;
proxy_redirect off;
}
location / {
index index.html;
try_files $uri $uri/ /index.html;
}
location ~* \.(js|css)$ {
try_files $uri $uri/ @rewrite;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-163
View File
@@ -1,163 +0,0 @@
# Grist forms platform (forms-api backend + forms frontend with CSS injection) and legacy form URL redirects.
server {
listen 443 ssl;
server_name forms-api.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/forms-api.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/forms-api.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:1234;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name forms.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/forms.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/forms.nhcarrigan.com/privkey.pem;
###########################
# REDIRECTS FOR OLD FORMS #
###########################
# Volunteer Application Form
location ~* ^/form/PEpB3gA79gxP8wmfEf4zou96opkpUTjssTcaeYjhoi8$ {
return 301 https://forms.nhcarrigan.com/o/docs/forms/mCxDu3snk9TzFiDjrT4Vc8/4;
}
# Mentorship Application Form (now Discord self-selectable role)
location ~* ^/form/gNv4NYZmdiMWpkUcnknII2yYCvnYNGAmabG5O5He9Mo$ {
return 301 https://docs.nhcarrigan.com/about/mentorship;
}
# Testimonials Form
location ~* ^/form/M_GrmqASymmO744axMOmu2LaMAaT5F0LmdVcU2c8-gQ$ {
return 301 https://forms.nhcarrigan.com/o/docs/forms/6kULn8zswT8vYcoC8wE1Zi/4;
}
# Community Appeals Form
location ~* ^/form/l3PC15yalSWjdZASTQvGo22q_uj_7OtXAhZdcW35ev8$ {
return 301 https://forms.nhcarrigan.com/o/docs/forms/4w5VHsYiEkiS2mewvtuJYL/4;
}
# Recognition/Nomination Form
location ~* ^/form/wksk-NuR3HBuovSixbXFEnkYq-3Gp-bZMH-n__PNRKw$ {
return 301 https://forms.nhcarrigan.com/o/docs/forms/to2oFocVgALyr23EC84xM9/4;
}
# Community Feedback Form (now Discord forum channel)
location ~* ^/form/IDdo5e4OJS44QYFm9_aRJ36lY3Ox-BBTAM9zfnkhfoo$ {
return 301 https://docs.nhcarrigan.com/community/feedback;
}
# Product Feedback Form (now Discord forum channel)
location ~* ^/form/jkcGg0hMIa4U0hDL2OMip5pMX2UujN5W5n4Qn8HReJ8$ {
return 301 https://docs.nhcarrigan.com/community/feedback;
}
# Meeting Request Form (now Zcal scheduling)
location ~* ^/form/uUKZiJSDm6847iDOlpZkD5QF7cAjoTbTm0F4T0EdW0I$ {
return 301 https://zcal.co/nhcarrigan/meet;
}
# Commission Request Form
location ~* ^/form/XRlQjeu8CbMrTA-v0IPOxlUPEPitLKXTWg70UUCIORA$ {
return 301 https://forms.nhcarrigan.com/o/docs/forms/a9K6uzJkpnTfnKgo19b4Rp/4;
}
# Contact Form
location ~* ^/form/HyqoJ9Th5QDiOn_GPLNIRhe1a5ON7mDQf-O_ukM6R4g$ {
return 301 https://forms.nhcarrigan.com/o/docs/forms/8XTPmbrFtvDJAKSPgBgsvA/4;
}
# Git Account Request Form (no longer available - now Discord forum channels)
location ~* ^/form/c0_N5hb-VcmC2ClzaGOvDxVirMN_coiWG7eoPhDPsZ0$ {
return 301 https://docs.nhcarrigan.com/about/contact;
}
# Event/Publication Request Form
location ~* ^/form/Xqap3Q8hazzJd4Rrp9OOs9ip8Pa7C9zOVThlyFoPCbU$ {
return 301 https://forms.nhcarrigan.com/o/docs/forms/3xEKnDEbqQKG8GJp4kXRCs/4;
}
# Match any path ending in /forms/<id>
location ~ /forms/([^/]+)(?:/(.*))?$ {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_pass http://127.0.0.1:11111;
proxy_redirect off;
# Disable Gzip from upstream so nginx can inject CSS
proxy_set_header Accept-Encoding "";
# Override Grist OG image (replace the URL directly so our image wins in all three tags)
sub_filter 'https://grist-static.com/icons/opengraph-preview-image.png' 'https://cdn.nhcarrigan.com/og-image.png';
# Inject CSS and remove Grist branding
sub_filter '</body>' '<style>
/* 1. Remove the "Powered by Grist" footer */
footer[class] {
display: none !important;
}
/* 2. Remove the Border/Shadow from the container */
.test-form-framing {
border: none !important;
box-shadow: none !important;
}
/* 3. Remove the "Grist Form" badge (First child of framing) */
.test-form-framing > *:first-child {
display: none !important;
}
/* 4. Style the reset button with the theme accent colour */
.test-form-reset {
background-color: #A8577E !important;
border-color: #A8577E !important;
color: #F5F5F5 !important;
}
main {
margin-bottom: auto !important;
}
div:has(> main:first-child) {
border-radius: 10px;
margin-bottom: 50px;
}
</style><script src="https://cdn.nhcarrigan.com/headers/index.js"></script><script>document.querySelector("footer")?.remove();</script>
</body>';
sub_filter_once off;
}
# Upgrade websocket requests and route the api backend
location ~ ^/(api|ws)/ {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://127.0.0.1:11111;
}
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_pass http://127.0.0.1:11111;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-202
View File
@@ -1,202 +0,0 @@
# Games and gaming projects: beccalia, games hub, goblin, loan, lore, silly, wompwomp, yurigpt.
server {
listen 443 ssl;
server_name beccalia.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/beccalia.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/beccalia.nhcarrigan.com/privkey.pem;
root /home/naomi/games/beccalia;
location / {
index index.html;
}
location /origins {
index index.html;
}
location /prologue {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name blackwood.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/blackwood.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/blackwood.nhcarrigan.com/privkey.pem;
root /home/naomi/blackwood/dist;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
location /assets/ {
expires max;
add_header Cache-Control "public, immutable";
access_log off;
}
location ~* \.(mp3|png|gif|ico|svg|webp)$ {
expires 30d;
add_header Cache-Control "public";
access_log off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name games.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/games.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/games.nhcarrigan.com/privkey.pem;
root /home/naomi/games;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name goblin.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/goblin.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/goblin.nhcarrigan.com/privkey.pem;
root /home/naomi/games/goblin;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name loan.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/loan.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loan.nhcarrigan.com/privkey.pem;
root /home/naomi/games/loan;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name lore.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/lore.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lore.nhcarrigan.com/privkey.pem;
root /home/naomi/lore/dist/lore/browser;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name silly.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/silly.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/silly.nhcarrigan.com/privkey.pem;
root /home/naomi/silly;
index index.html;
location = / {
try_files /index.html =404;
}
location / {
try_files $uri $uri/ $uri.html $uri/index.html =404;
}
location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|otf|eot|webp)$ {
expires 30d;
add_header Cache-Control "public, immutable";
access_log off;
}
location ~ /\.(?!well-known) {
deny all;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name wompwomp.club;
ssl_certificate /etc/letsencrypt/live/wompwomp.club/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wompwomp.club/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5033;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name www.wompwomp.club;
ssl_certificate /etc/letsencrypt/live/www.wompwomp.club/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.wompwomp.club/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5033;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name www.yurigpt.com;
ssl_certificate /etc/letsencrypt/live/www.yurigpt.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.yurigpt.com/privkey.pem;
root /home/naomi/yurigpt/dist/yurigpt/browser;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name yurigpt.com;
ssl_certificate /etc/letsencrypt/live/yurigpt.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yurigpt.com/privkey.pem;
root /home/naomi/yurigpt/dist/yurigpt/browser;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-14
View File
@@ -1,14 +0,0 @@
# Self-hosted Gitea instance.
server {
listen 443 ssl;
server_name git.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/git.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/git.nhcarrigan.com/privkey.pem;
location / {
client_max_body_size 5000M;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:53000;
proxy_redirect off;
}
}
-29
View File
@@ -1,29 +0,0 @@
# Hikari desktop app (Angular SPA + API backend).
server {
listen 443 ssl;
server_name hikari.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/hikari.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hikari.nhcarrigan.com/privkey.pem;
root /home/naomi/hikari/client/dist/client/browser;
index index.html;
location /api/ {
proxy_pass http://127.0.0.1:20000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header cf-connecting-ip $http_cf_connecting_ip;
proxy_set_header origin $http_origin;
# This removes /api from the forwarded URL
rewrite ^/api/(.*)$ /$1 break;
}
location / {
try_files $uri $uri/ /index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-36
View File
@@ -1,36 +0,0 @@
server {
listen 443 ssl;
server_name img.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/img.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/img.nhcarrigan.com/privkey.pem;
# allow large file uploads
client_max_body_size 50000M;
# disable buffering uploads to prevent OOM on reverse proxy server and make uploads twice as fast (no pause)
proxy_request_buffering off;
# increase body buffer to avoid limiting upload speed
client_body_buffer_size 1024k;
# Set headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# enable websockets: http://nginx.org/en/docs/http/websocket.html
proxy_http_version 1.1;
proxy_redirect off;
# set timeout
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
location / {
proxy_pass http://127.0.0.1:2283;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
-13
View File
@@ -1,13 +0,0 @@
server {
listen 443 ssl;
server_name learn.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/learn.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/learn.nhcarrigan.com/privkey.pem;
root /home/naomi/learn/dist;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-14
View File
@@ -1,14 +0,0 @@
# Library service proxy.
server {
listen 443 ssl;
server_name library.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/library.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/library.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:12321;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-26
View File
@@ -1,26 +0,0 @@
# Lucinda full-stack app (Angular SPA + API backend).
server {
listen 443 ssl;
server_name lucinda.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/lucinda.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lucinda.nhcarrigan.com/privkey.pem;
root /home/naomi/lucinda/client/dist/client/browser;
index index.html;
location /api/ {
proxy_pass http://127.0.0.1:12346/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# This removes /api from the forwarded URL
rewrite ^/api/(.*)$ /$1 break;
}
location / {
try_files $uri $uri/ /index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-26
View File
@@ -1,26 +0,0 @@
# Lynira.link domain (bare + www).
server {
listen 443 ssl;
server_name lynira.link;
ssl_certificate /etc/letsencrypt/live/lynira.link/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lynira.link/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5044;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name www.lynira.link;
ssl_certificate /etc/letsencrypt/live/www.lynira.link/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.lynira.link/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5044;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-42
View File
@@ -1,42 +0,0 @@
# Mommy bot suite: mommy-bot Discord bot, mommy-slack Slack bot, mommy web front-end.
server {
listen 443 ssl;
server_name mommy-bot.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/mommy-bot.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mommy-bot.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8009;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name mommy-slack.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/mommy-slack.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mommy-slack.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8010;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name mommy.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/mommy.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mommy.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8008;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
@@ -1,85 +0,0 @@
# Monitoring stack: analytics, incidents, logs, telemetry, uptime.
server {
listen 443 ssl;
server_name analytics.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/analytics.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/analytics.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:11080;
}
location = /live/websocket {
proxy_pass http://127.0.0.1:11080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name incidents.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/incidents.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/incidents.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3001;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name logs.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/logs.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/logs.nhcarrigan.com/privkey.pem;
location / {
proxy_pass http://127.0.0.1:9000;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http;
proxy_redirect http:// $scheme://;
proxy_connect_timeout 1m;
proxy_send_timeout 1m;
proxy_read_timeout 1m;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name telemetry.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/telemetry.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/telemetry.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5080;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name uptime.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/uptime.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/uptime.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3001;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-33
View File
@@ -1,33 +0,0 @@
# Nails app: Angular front-end SPA and API backend.
server {
listen 443 ssl;
server_name nails-api.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/nails-api.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nails-api.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:1235;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name nails.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/nails.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nails.nhcarrigan.com/privkey.pem;
root /home/naomi/nails/client/dist/client/browser;
location / {
index index.html;
try_files $uri $uri/ /index.html;
}
location ~* \.(js|css)$ {
try_files $uri $uri/ @rewrite;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-28
View File
@@ -1,28 +0,0 @@
# Nocturne static site.
server {
listen 443 ssl;
server_name nocturne.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/nocturne.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nocturne.nhcarrigan.com/privkey.pem;
root /home/naomi/nocturne;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name scripture.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/scripture.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/scripture.nhcarrigan.com/privkey.pem;
root /home/naomi/scripture;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-93
View File
@@ -1,93 +0,0 @@
# SilverBullet notes instance and Planka project board.
server {
listen 443 ssl;
server_name board.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/board.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/board.nhcarrigan.com/privkey.pem;
location ~ /ws/* {
proxy_pass http://127.0.0.1:43333;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 50M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 1d;
proxy_send_timeout 1d;
proxy_read_timeout 1d;
}
location / {
proxy_pass http://127.0.0.1:43333;
client_max_body_size 50M;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
proxy_http_version 1.1;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name notes.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/notes.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/notes.nhcarrigan.com/privkey.pem;
location ~ ^/(collab|socket\.io)(/.*)?$ {
proxy_pass http://127.0.0.1:30000;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 50M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 1d;
proxy_send_timeout 1d;
proxy_read_timeout 1d;
}
location / {
proxy_pass http://127.0.0.1:30000;
client_max_body_size 50M;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
proxy_http_version 1.1;
}
}
-161
View File
@@ -1,161 +0,0 @@
# Personal portfolio and vanity domains (naomi.lgbt, naomi.party, nhcarrigan.com, nhcarrigan.link, resume).
server {
listen 443 ssl;
server_name naomi.lgbt;
ssl_certificate /etc/letsencrypt/live/naomi.lgbt/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/naomi.lgbt/privkey.pem;
root /home/naomi/portfolio/site;
location / {
index index.html;
}
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
location /games {
try_files /games.html =404;
}
location /koikatsu {
try_files /koikatsu.html =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name naomi.party;
ssl_certificate /etc/letsencrypt/live/naomi.party/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/naomi.party/privkey.pem;
root /home/naomi/bsky;
location / {
index index.html;
}
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nhcarrigan.com/privkey.pem;
root /home/naomi/portfolio/site;
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
location / {
index index.html;
}
location /games {
try_files /games.html =404;
}
location /koikatsu {
try_files /koikatsu.html =404;
}
location /testimonials {
return 301 https://testimonials.nhcarrigan.com;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name nhcarrigan.link;
ssl_certificate /etc/letsencrypt/live/nhcarrigan.link/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nhcarrigan.link/privkey.pem;
root /home/naomi/link-redirector;
location / {
index index.html;
}
location /ads.txt {
add_header Content-Type text/plain;
return 200 "google.com, pub-3569924701890974, DIRECT, f08c47fec0942fa0";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name resume.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/resume.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/resume.nhcarrigan.com/privkey.pem;
root /home/naomi/resume/site;
location /resume.yaml {
default_type text/plain;
add_header Content-Type "text/plain; charset=utf-8";
}
location / {
index index.html;
try_files $uri $uri/ /index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name www.naomi.lgbt;
ssl_certificate /etc/letsencrypt/live/www.naomi.lgbt/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.naomi.lgbt/privkey.pem;
root /home/naomi/portfolio/site;
location / {
index index.html;
}
location /games {
try_files /games.html =404;
}
location /koikatsu {
try_files /koikatsu.html =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name www.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/www.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.nhcarrigan.com/privkey.pem;
root /home/naomi/portfolio/site;
location / {
index index.html;
}
location /games {
try_files /games.html =404;
}
location /koikatsu {
try_files /koikatsu.html =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-13
View File
@@ -1,13 +0,0 @@
# Naomi QR code generator.
server {
listen 443 ssl;
server_name qr.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/qr.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/qr.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:15555;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-34
View File
@@ -1,34 +0,0 @@
# Rosalia alerting service and legacy alerts redirect.
server {
listen 443 ssl;
server_name alerts.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/alerts.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/alerts.nhcarrigan.com/privkey.pem;
# Redirect ONLY root `/`
location = / {
return 307 https://rosalia.nhcarrigan.com;
}
# Proxy everything else
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5003;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name rosalia.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/rosalia.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/rosalia.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5003;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-41
View File
@@ -1,41 +0,0 @@
# Security tooling: SonarQube code quality gate and DefectDojo vulnerability management.
server {
listen 443 ssl;
server_name quality.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/quality.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/quality.nhcarrigan.com/privkey.pem;
client_max_body_size 1g;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:9500;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name security.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/security.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/security.nhcarrigan.com/privkey.pem;
location /report {
alias /home/naomi/defectdojo;
index report.html;
}
location / {
proxy_pass http://127.0.0.1:43434;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 100M;
proxy_read_timeout 90;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-28
View File
@@ -1,28 +0,0 @@
# Speaking sites: events listing and talk companion guides.
server {
listen 443 ssl;
server_name events.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/events.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/events.nhcarrigan.com/privkey.pem;
root /home/naomi/events;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name talks.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/talks.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/talks.nhcarrigan.com/privkey.pem;
root /home/naomi/talks;
location / {
try_files $uri $uri/index.html =404;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-26
View File
@@ -1,26 +0,0 @@
# Discourse community support forum.
server {
listen 443 ssl http2;
server_name support.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/support.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/support.nhcarrigan.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
client_max_body_size 20M;
location / {
proxy_pass http://localhost:32121;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-22
View File
@@ -1,22 +0,0 @@
# Tarot static site.
server {
listen 443 ssl;
server_name tarot.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/tarot.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tarot.nhcarrigan.com/privkey.pem;
root /home/naomi/tarot;
location = / {
try_files /index.html =404;
}
location ~ \.json$ {
try_files $uri =404;
}
location / {
return 403;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-33
View File
@@ -1,33 +0,0 @@
# Vitalia app: Angular front-end SPA and API backend.
server {
listen 443 ssl;
server_name vitalia-api.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/vitalia.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vitalia.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:12345;
proxy_redirect off;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name vitalia.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/vitalia.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vitalia.nhcarrigan.com/privkey.pem;
root /home/naomi/vitalia/client/dist/client/browser;
location / {
index index.html;
try_files $uri $uri/ /index.html;
}
location ~* \.(js|css)$ {
try_files $uri $uri/ @rewrite;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
@@ -1,15 +0,0 @@
# Workshops Angular SPA (companion guides for live workshops).
server {
listen 443 ssl;
server_name workshops.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/workshops.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/workshops.nhcarrigan.com/privkey.pem;
root /home/naomi/workshops/dist/workshops/browser;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-18
View File
@@ -1,18 +0,0 @@
# wtf.naomi.lgbt personal project.
server {
listen 443 ssl;
server_name wtf.naomi.lgbt;
ssl_certificate /etc/letsencrypt/live/wtf.naomi.lgbt/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wtf.naomi.lgbt/privkey.pem;
client_max_body_size 100M;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3456;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-1
View File
@@ -1 +0,0 @@
../sites-available/404.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/afp.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/aria.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/bots.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/catch-all.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/cdn.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/celestine.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/cipher.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/content.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/data.conf
+1 -1
View File
@@ -1 +1 @@
../sites-available/default /etc/nginx/sites-available/default
-1
View File
@@ -1 +0,0 @@
../sites-available/docs.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/eclaire.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/elowyn.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/elysium.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/forms.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/games.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/git.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/hikari.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/img.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/learn.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/library.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/lucinda.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/lynira.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/mommy.conf
@@ -1 +0,0 @@
../sites-available/monitoring.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/nails.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/nocturne.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/notes.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/portfolio.conf
-13
View File
@@ -1,13 +0,0 @@
# Naomi QR code generator.
server {
listen 443 ssl;
server_name qr.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/qr.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/qr.nhcarrigan.com/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:15555;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
-1
View File
@@ -1 +0,0 @@
../sites-available/rosalia.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/security.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/speaking.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/support.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/tarot.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/vitalia.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/workshops.conf
-1
View File
@@ -1 +0,0 @@
../sites-available/wtf.conf
-4
View File
@@ -1,4 +0,0 @@
# Block requests for dotfiles (e.g. .gitconfig, .env, .git/).
location ~ /\. {
return 403;
}
+13
View File
@@ -0,0 +1,13 @@
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
+5
View File
@@ -0,0 +1,5 @@
# Self signed certificates generated by the ssl-cert package
# Don't use them in a production server!
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+1 -1
View File
@@ -1,3 +1,3 @@
echo "Pushing nginx to prod" echo "Pushing nginx to prod"
rsync --archive --verbose --delete --rsync-path="sudo rsync" nginx/nginx/ prod:/etc/nginx rsync --archive --verbose --rsync-path="sudo rsync" nginx/nginx/ prod:/etc/nginx
echo "All done!" echo "All done!"
-1
View File
@@ -1 +0,0 @@
sites-available/img.conf
+13 -249
View File
@@ -1,260 +1,24 @@
#!/bin/bash #!/bin/bash
# Nginx configuration static analysis test suite. CONF="configs/prod.conf"
# Usage: bash test.sh [nginx-dir]
# Defaults to nginx/nginx relative to the repo root.
NGINX_DIR="${1:-nginx/nginx}" # Extract server_name values in order, ignoring commented lines
PASS=0 mapfile -t domains < <(grep -oP '^\s*server_name\s+\K[^;]+' "$CONF")
FAIL=0
pass() { sorted=($(printf "%s\n" "${domains[@]}" | sort))
printf " PASS: %s\n" "$1"
((PASS++))
}
fail() { # Print the sorted list for debugging
printf " FAIL: %s\n" "$1" echo "Auditing servers:"
((FAIL++)) printf "%s " "${sorted[@]}"
}
echo "=== nginx config static analysis ==="
echo "Directory: $NGINX_DIR"
echo "" echo ""
# ────────────────────────────────────────────────────────────────── for i in "${!domains[@]}"; do
# 1. No deprecated TLS versions if [[ "${domains[$i]}" != "${sorted[$i]}" ]]; then
# ────────────────────────────────────────────────────────────────── echo "Domain list is not sorted alphabetically."
echo "--- TLS version check ---" echo "First out-of-order entry: '${domains[$i]}' (should be '${sorted[$i]}')"
deprecated=$(grep -rnP 'TLSv1(?!\.[23])' "$NGINX_DIR" --include="*.conf" 2>/dev/null || true) exit 1
if [ -n "$deprecated" ]; then
fail "Deprecated TLS versions (TLSv1 or TLSv1.1) found:"
printf '%s\n' "$deprecated" | sed 's/^/ /'
else
pass "No deprecated TLS versions"
fi
echo ""
# ──────────────────────────────────────────────────────────────────
# 2. No duplicate literal server_name values across all site configs
# ──────────────────────────────────────────────────────────────────
echo "--- Duplicate server_name check ---"
duplicates=$(grep -rh --include="*.conf" 'server_name' "$NGINX_DIR/sites-available/" \
| grep -v '^\s*#' \
| sed 's/.*server_name\s*//' \
| sed 's/\s*;//' \
| tr ' ' '\n' \
| grep -vP '^\s*$|^_$|^~|^\*\.' \
| sort | uniq -d)
if [ -n "$duplicates" ]; then
fail "Duplicate server_name values:"
printf '%s\n' "$duplicates" | sed 's/^/ /'
else
pass "No duplicate server_name values"
fi
echo ""
# ──────────────────────────────────────────────────────────────────
# 3. Every sites-available/*.conf has a sites-enabled symlink
# ──────────────────────────────────────────────────────────────────
echo "--- sites-enabled coverage check ---"
missing_links=0
for conf in "$NGINX_DIR/sites-available/"*.conf; do
name=$(basename "$conf")
if [ ! -L "$NGINX_DIR/sites-enabled/$name" ]; then
fail "No sites-enabled symlink for: $name"
missing_links=1
fi fi
done done
[ "$missing_links" -eq 0 ] && pass "All sites-available configs have sites-enabled symlinks"
echo ""
# ────────────────────────────────────────────────────────────────── echo "All server_name entries are sorted alphabetically."
# 4. No broken symlinks in sites-enabled
# ──────────────────────────────────────────────────────────────────
echo "--- Broken symlink check ---"
broken=0
for link in "$NGINX_DIR/sites-enabled/"*; do
[ -L "$link" ] || continue
if [ ! -e "$link" ]; then
fail "Broken symlink: $(basename "$link")"
broken=1
fi
done
[ "$broken" -eq 0 ] && pass "No broken symlinks in sites-enabled"
echo ""
# ──────────────────────────────────────────────────────────────────
# 5. No orphaned sites-enabled symlinks (no matching sites-available file)
# ──────────────────────────────────────────────────────────────────
echo "--- Orphaned symlink check ---"
orphaned=0
for link in "$NGINX_DIR/sites-enabled/"*.conf; do
[ -L "$link" ] || continue
name=$(basename "$link")
if [ ! -f "$NGINX_DIR/sites-available/$name" ]; then
fail "Orphaned sites-enabled symlink: $name"
orphaned=1
fi
done
[ "$orphaned" -eq 0 ] && pass "No orphaned sites-enabled symlinks"
echo ""
# ──────────────────────────────────────────────────────────────────
# 6. No port-80 listeners in any custom server block
# (port 80 is blocked at the firewall; all traffic is HTTPS only)
# ──────────────────────────────────────────────────────────────────
echo "--- Port 80 listener check ---"
http_blocks=$(grep -rnP 'listen\s.*\b80\b' "$NGINX_DIR/sites-available/" \
| grep -v 'sites-available/default' \
| grep -v '^\s*#' || true)
if [ -n "$http_blocks" ]; then
fail "Port 80 listeners found in custom site configs:"
printf '%s\n' "$http_blocks" | sed 's/^/ /'
else
pass "No port 80 listeners in custom server blocks"
fi
echo ""
# ──────────────────────────────────────────────────────────────────
# 7. ssl_certificate and ssl_certificate_key counts match per file
# ──────────────────────────────────────────────────────────────────
echo "--- SSL certificate directive pairing check ---"
ssl_errors=0
for conf in "$NGINX_DIR/sites-available/"*.conf; do
certs=$(grep -cP 'ssl_certificate\b(?!_key)' "$conf" 2>/dev/null || echo 0)
keys=$(grep -c 'ssl_certificate_key' "$conf" 2>/dev/null || echo 0)
if [ "$certs" != "$keys" ]; then
fail "$(basename "$conf"): $certs ssl_certificate vs $keys ssl_certificate_key (must match)"
ssl_errors=1
fi
done
[ "$ssl_errors" -eq 0 ] && pass "All ssl_certificate directives are correctly paired"
echo ""
# ──────────────────────────────────────────────────────────────────
# 8. All plain-HTTP proxy_pass targets are local
# (https:// proxy_pass is permitted for intentional external proxying,
# e.g. CDN reverse-proxying to object storage over TLS)
# ──────────────────────────────────────────────────────────────────
echo "--- proxy_pass locality check ---"
external=$(grep -rn 'proxy_pass\s\+http://' "$NGINX_DIR/sites-available/" \
| grep -v '#' \
| grep -vP 'proxy_pass\s+http://(127\.0\.0\.1|localhost|0\.0\.0\.0)' || true)
if [ -n "$external" ]; then
fail "Plain-HTTP proxy_pass to non-local target found:"
printf '%s\n' "$external" | sed 's/^/ /'
else
pass "All plain-HTTP proxy_pass targets are local"
fi
echo ""
# ──────────────────────────────────────────────────────────────────
# 9. All SSL cert paths use /etc/letsencrypt/live/
# ──────────────────────────────────────────────────────────────────
echo "--- SSL certificate path convention check ---"
nonstandard_certs=$(grep -rn 'ssl_certificate' "$NGINX_DIR/sites-available/" \
| grep -v '#' \
| grep -vP '/etc/letsencrypt/live/' || true)
if [ -n "$nonstandard_certs" ]; then
fail "SSL certs not under /etc/letsencrypt/live/:"
printf '%s\n' "$nonstandard_certs" | sed 's/^/ /'
else
pass "All SSL certificate paths use /etc/letsencrypt/live/"
fi
echo ""
# ──────────────────────────────────────────────────────────────────
# 10. ssl_certificate uses fullchain.pem, ssl_certificate_key uses privkey.pem
# ──────────────────────────────────────────────────────────────────
echo "--- SSL certificate filename convention check ---"
cert_name_errors=0
wrong_certs=$(grep -rnP 'ssl_certificate\b(?!_key)' "$NGINX_DIR/sites-available/" \
| grep -v '#' \
| grep -v 'fullchain\.pem' || true)
wrong_keys=$(grep -rn 'ssl_certificate_key' "$NGINX_DIR/sites-available/" \
| grep -v '#' \
| grep -v 'privkey\.pem' || true)
if [ -n "$wrong_certs" ]; then
fail "ssl_certificate not using fullchain.pem:"
printf '%s\n' "$wrong_certs" | sed 's/^/ /'
cert_name_errors=1
fi
if [ -n "$wrong_keys" ]; then
fail "ssl_certificate_key not using privkey.pem:"
printf '%s\n' "$wrong_keys" | sed 's/^/ /'
cert_name_errors=1
fi
[ "$cert_name_errors" -eq 0 ] && pass "All SSL certs use fullchain.pem / privkey.pem"
echo ""
# ──────────────────────────────────────────────────────────────────
# 11. No server_name directives use raw IP addresses
# ──────────────────────────────────────────────────────────────────
echo "--- IP address as server_name check ---"
ip_names=$(grep -rh --include="*.conf" 'server_name' "$NGINX_DIR/sites-available/" \
| grep -v '#' \
| sed 's/.*server_name\s*//' \
| sed 's/\s*;//' \
| tr ' ' '\n' \
| grep -P '^\d{1,3}(\.\d{1,3}){3}$' || true)
if [ -n "$ip_names" ]; then
fail "server_name uses raw IP addresses:"
printf '%s\n' "$ip_names" | sed 's/^/ /'
else
pass "No server_name directives use raw IP addresses"
fi
echo ""
# ──────────────────────────────────────────────────────────────────
# 12. No conf.d files conflict with built-in nginx conf.d conventions
# (i.e. no stray default.conf or catch-all templates left over)
# ──────────────────────────────────────────────────────────────────
echo "--- conf.d stray file check ---"
stray=$(find "$NGINX_DIR/conf.d" -name "*.conf" \
| grep -vP '/(logging|tuning|cloudflare_ips)\.conf$' || true)
if [ -n "$stray" ]; then
fail "Unexpected files in conf.d (only logging.conf, tuning.conf, cloudflare_ips.conf expected):"
printf '%s\n' "$stray" | sed 's/^/ /'
else
pass "conf.d contains only expected files"
fi
echo ""
# ──────────────────────────────────────────────────────────────────
# 13. Server blocks within each sites-available file are sorted
# alphabetically by server_name (LC_ALL=C; regex/wildcard excluded)
# ──────────────────────────────────────────────────────────────────
echo "--- Alphabetical server_name order check ---"
sort_errors=0
for conf in "$NGINX_DIR/sites-available/"*.conf; do
[ "$(basename "$conf")" = "default" ] && continue
mapfile -t actual < <(grep -P '^\s*server_name\s' "$conf" \
| grep -v '^\s*#' \
| sed 's/.*server_name\s*//' \
| sed 's/\s*;//' \
| awk '{print $1}' \
| grep -vP '^~|^\*\.|^_$')
mapfile -t expected < <(printf '%s\n' "${actual[@]}" | LC_ALL=C sort)
for ((i = 0; i < ${#actual[@]}; i++)); do
if [ "${actual[$i]}" != "${expected[$i]}" ]; then
fail "$(basename "$conf"): not sorted — found '${actual[$i]}', expected '${expected[$i]}'"
sort_errors=1
break
fi
done
done
[ "$sort_errors" -eq 0 ] && pass "All sites-available files have alphabetically sorted server blocks"
echo ""
# ──────────────────────────────────────────────────────────────────
# Summary
# ──────────────────────────────────────────────────────────────────
echo "==================================="
printf "Results: %d passed, %d failed\n" "$PASS" "$FAIL"
echo "==================================="
[ "$FAIL" -gt 0 ] && exit 1
exit 0 exit 0