diff --git a/nginx/arm.stpl b/nginx/arm.stpl
index bae34ff..1bc8497 100755
--- a/nginx/arm.stpl
+++ b/nginx/arm.stpl
@@ -1,81 +1,79 @@ #=========================================================================# # Default Web Domain Template # # DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS # -# https://docs.hestiacp.com/admin_docs/web.html#how-do-web-templates-work # +# https://hestiacp.com/docs/server-administration/web-templates.html # #=========================================================================# - upstream portainer { server 127.0.0.1:9090; } - map $http_upgrade $connection_upgrade { default upgrade; '' close; } -server { - listen %ip%:%proxy_ssl_port% ssl; - listen [::]:%proxy_ssl_port% ssl; - server_name %domain_idn% %alias_idn%; - ssl_certificate %ssl_pem%; - ssl_certificate_key %ssl_key%; - ssl_stapling on; - ssl_stapling_verify on; - # TLS 1.3 0-RTT anti-replay +server { + listen %ip%:%proxy_ssl_port% ssl; + listen [::]:%proxy_ssl_port% ssl; + server_name %domain_idn% %alias_idn%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + ssl_stapling on; + ssl_stapling_verify on; + + # TLS 1.3 0-RTT anti-replay if ($anti_replay = 307) { return 307 https://$host$request_uri; } if ($anti_replay = 425) { return 425; } - error_log /var/log/%web_system%/domains/%domain%.error.log error; + include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*; - include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*; - add_header Strict-Transport-Security "max-age=63072000" always; + location ~ /\.(?!well-known\/|file) { + deny all; + return 404; + } - location / { - proxy_pass https://%ip%:%web_ssl_port%; - location ~* ^.+\.(%proxy_extensions%)$ { - root %sdocroot%; - access_log /var/log/%web_system%/domains/%domain%.log combined; - access_log /var/log/%web_system%/domains/%domain%.bytes bytes; - expires max; - try_files $uri @fallback; - } - } + location / { + proxy_pass https://%ip%:%web_ssl_port%; - location /portainer/ { - proxy_http_version 1.1; - proxy_set_header Host 
$http_host; # required for docker client's sake - proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 900; + location ~* ^.+\.(%proxy_extensions%)$ { + try_files $uri @fallback; - proxy_set_header Connection ""; - proxy_buffers 32 4k; - proxy_pass https://portainer/; - } + root %sdocroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; - location /portainer/api/websocket/ { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_pass https://portainer/api/websocket/; - } + expires max; + } + } + location /portainer/ { + proxy_http_version 1.1; + proxy_set_header Host $http_host; # required for docker client's sake + proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 900; - location /error/ { - alias %home%/%user%/web/%domain%/document_errors/; - } + proxy_set_header Connection ""; + proxy_buffers 32 4k; + proxy_pass https://portainer/; + } - location @fallback { - proxy_pass https://%ip%:%web_ssl_port%; - } + location /portainer/api/websocket/ { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_pass https://portainer/api/websocket/; + } + location @fallback { + proxy_pass https://%ip%:%web_ssl_port%; + } - location ~ /\.(?!well-known\/|file) { - deny all; - return 404; - } + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } - # proxy_hide_header Upgrade; + proxy_hide_header Upgrade; - include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*; + include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*; } - 
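Review bot: `proxy_hide_header Upgrade;` is now active at server level, and neither portainer location (including `/portainer/api/websocket/`) sets a `proxy_hide_header` of its own, so both inherit it. The directive removes the upstream's `Upgrade` response header, which is likely to break the WebSocket handshake that location exists for. I would leave it commented, as gitlab.stpl does, or move it inside `location /` so only the backend web server's responses are affected. Separately, the hard-coded `add_header Strict-Transport-Security "max-age=63072000" always;` is dropped, so HSTS on this vhost now depends entirely on `nginx.hsts.conf*` being present; a one-line comment next to the include saying so would help.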
diff --git a/nginx/arm.tpl b/nginx/arm.tpl
index 9b1b904..7547b20 100755
--- a/nginx/arm.tpl
+++ b/nginx/arm.tpl
@@ -1,40 +1,43 @@ #=========================================================================# # Default Web Domain Template # # DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS # -# https://docs.hestiacp.com/admin_docs/web.html#how-do-web-templates-work # +# https://hestiacp.com/docs/server-administration/web-templates.html # #=========================================================================# server { - listen %ip%:%proxy_port%; - listen [::]:%proxy_port%; - server_name %domain_idn% %alias_idn%; - - include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*; + listen %ip%:%proxy_port%; + listen [::]:%proxy_port%; + server_name %domain_idn% %alias_idn%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; - location / { - proxy_pass http://%ip%:%web_port%; - location ~* ^.+\.(%proxy_extensions%)$ { - root %docroot%; - access_log /var/log/%web_system%/domains/%domain%.log combined; - access_log /var/log/%web_system%/domains/%domain%.bytes bytes; - expires max; - try_files $uri @fallback; - } - } + include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*; - location /error/ { - alias %home%/%user%/web/%domain%/document_errors/; - } + location ~ /\.(?!well-known\/|file) { + deny all; + return 404; + } - location @fallback { - proxy_pass http://%ip%:%web_port%; - } + location / { + proxy_pass http://%ip%:%web_port%; - location ~ /\.(?!well-known\/|file) { - deny all; - return 404; - } + location ~* ^.+\.(%proxy_extensions%)$ { + try_files $uri @fallback; - include %home%/%user%/conf/web/%domain%/nginx.conf_*; + root %docroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + + expires max; + } + } + + location @fallback { + proxy_pass http://%ip%:%web_port%; + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + include %home%/%user%/conf/web/%domain%/nginx.conf_*; } - 
diff --git a/nginx/default.stpl b/nginx/default.stpl
deleted file mode 100755
index d7bc48e..0000000
--- a/nginx/default.stpl
+++ /dev/null
@@ -1,46 +0,0 @@
-#=========================================================================#
-# Default Web Domain Template #
-# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
-# https://docs.hestiacp.com/admin_docs/web.html#how-do-web-templates-work #
-#=========================================================================#
-
-server {
- listen %ip%:%proxy_ssl_port% ssl;
- server_name %domain_idn% %alias_idn%;
- ssl_certificate %ssl_pem%;
- ssl_certificate_key %ssl_key%;
- ssl_stapling on;
- ssl_stapling_verify on;
- error_log /var/log/%web_system%/domains/%domain%.error.log error;
-
- include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
-
- location / {
- proxy_pass https://%ip%:%web_ssl_port%;
- location ~* ^.+\.(%proxy_extensions%)$ {
- root %sdocroot%;
- access_log /var/log/%web_system%/domains/%domain%.log combined;
- access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
- expires max;
- try_files $uri @fallback;
- }
- }
-
- location /error/ {
- alias %home%/%user%/web/%domain%/document_errors/;
- }
-
- location @fallback {
- proxy_pass https://%ip%:%web_ssl_port%;
- }
-
- location ~ /\.(?!well-known\/|file) {
- deny all;
- return 404;
- }
-
- proxy_hide_header Upgrade;
-
- include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
-}
-
diff --git a/nginx/forgejo.stpl b/nginx/forgejo.stpl
new file mode 100755
index 0000000..505a1b6
--- /dev/null
+++ b/nginx/forgejo.stpl
@@ -0,0 +1,54 @@
+#=========================================================================#
+# Default Web Domain Template #
+# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
+# https://hestiacp.com/docs/server-administration/web-templates.html #
+#=========================================================================#
+
+server {
+ listen %ip%:%proxy_ssl_port% ssl;
+ listen [::]:%proxy_ssl_port% ssl;
+ server_name %domain_idn% %alias_idn%;
+ error_log /var/log/%web_system%/domains/%domain%.error.log error;
+
+ ssl_certificate %ssl_pem%;
+ ssl_certificate_key %ssl_key%;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # TLS 1.3 0-RTT anti-replay
+ if ($anti_replay = 307) { return 307 https://$host$request_uri; }
+ if ($anti_replay = 425) { return 425; }
+
+ include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
+
+ location ~ /\.(?!well-known\/|file) {
+ deny all;
+ return 404;
+ }
+
+ location / {
+ proxy_pass http://127.0.0.1:5320;
+
+ location ~* ^.+\.(%proxy_extensions%)$ {
+ try_files $uri @fallback;
+
+ root %sdocroot%;
+ access_log /var/log/%web_system%/domains/%domain%.log combined;
+ access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
+
+ expires max;
+ }
+ }
+
+ location @fallback {
+ proxy_pass http://127.0.0.1:5320;
+ }
+
+ location /error/ {
+ alias %home%/%user%/web/%domain%/document_errors/;
+ }
+
+ proxy_hide_header Upgrade;
+
+ include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
+}
diff --git a/nginx/forgejo.tpl b/nginx/forgejo.tpl
new file mode 100755
index 0000000..7547b20
--- /dev/null
+++ b/nginx/forgejo.tpl
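Review bot: The dot-path rule `location ~ /\.(?!well-known\/|file)` in forgejo.stpl matches any URI containing a path segment that starts with a dot, and nginx prefers a matching regex location over the plain `location /` prefix. Requests the forge itself should answer for dot-named files or directories in a repository (a path ending in `/.gitignore`, say) therefore get a 404 from nginx and never reach 127.0.0.1:5320. gitlab.stpl swaps its narrower `.ht`/`.svn`/`.git/`/`.hg`/`.bzr` list for the same rule. If the intent is only to protect files served from disk, consider scoping the rule to the locations that read `%sdocroot%`; otherwise add a comment such as `# also blocks application URLs that contain a dot-prefixed path segment`. `deny all;` is never reached, because `return 404;` runs in the rewrite phase first, so it can be dropped.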
@@ -0,0 +1,43 @@
+#=========================================================================#
+# Default Web Domain Template #
+# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
+# https://hestiacp.com/docs/server-administration/web-templates.html #
+#=========================================================================#
+
+server {
+ listen %ip%:%proxy_port%;
+ listen [::]:%proxy_port%;
+ server_name %domain_idn% %alias_idn%;
+ error_log /var/log/%web_system%/domains/%domain%.error.log error;
+
+ include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
+
+ location ~ /\.(?!well-known\/|file) {
+ deny all;
+ return 404;
+ }
+
+ location / {
+ proxy_pass http://%ip%:%web_port%;
+
+ location ~* ^.+\.(%proxy_extensions%)$ {
+ try_files $uri @fallback;
+
+ root %docroot%;
+ access_log /var/log/%web_system%/domains/%domain%.log combined;
+ access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
+
+ expires max;
+ }
+ }
+
+ location @fallback {
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location /error/ {
+ alias %home%/%user%/web/%domain%/document_errors/;
+ }
+
+ include %home%/%user%/conf/web/%domain%/nginx.conf_*;
+}
diff --git a/nginx/gitea.stpl b/nginx/gitea.stpl
deleted file mode 100755
index 2eb337b..0000000
--- a/nginx/gitea.stpl
+++ /dev/null
@@ -1,51 +0,0 @@
-#=======================================================================#
-# Default Web Domain Template #
-# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
-#=======================================================================#
-
-
-server {
- listen %ip%:%proxy_ssl_port% ssl;
- listen [::]:%proxy_ssl_port% ssl;
- server_name %domain_idn% %alias_idn%;
- ssl_certificate %ssl_pem%;
- ssl_certificate_key %ssl_key%;
- ssl_stapling on;
- ssl_stapling_verify on;
-
- # TLS 1.3 0-RTT anti-replay
- if ($anti_replay = 307) { return 307 https://$host$request_uri; }
- if ($anti_replay = 425) { return 425; }
-
- error_log /var/log/%web_system%/domains/%domain%.error.log error;
-
- include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
-
- location / {
- proxy_pass http://127.0.0.1:5320;
- location ~* ^.+\.(%proxy_extentions%)$ {
-# root %sdocroot%;
- access_log /var/log/%web_system%/domains/%domain%.log combined;
- access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
- expires max;
- try_files $uri @fallback;
- }
- }
-
- location /error/ {
- alias %home%/%user%/web/%domain%/document_errors/;
- }
-
- location @fallback {
- proxy_pass http://127.0.0.1:5320;
- }
-
- location ~ /\.ht {return 404;}
- location ~ /\.svn/ {return 404;}
- location ~ /\.git/ {return 404;}
- location ~ /\.hg/ {return 404;}
- location ~ /\.bzr/ {return 404;}
-
- include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
-}
-
diff --git a/nginx/gitea.tpl b/nginx/gitea.tpl
deleted file mode 100755
index 9b1b904..0000000
--- a/nginx/gitea.tpl
+++ /dev/null
@@ -1,40 +0,0 @@
-#=========================================================================#
-# Default Web Domain Template #
-# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
-# https://docs.hestiacp.com/admin_docs/web.html#how-do-web-templates-work #
-#=========================================================================#
-
-server {
- listen %ip%:%proxy_port%;
- listen [::]:%proxy_port%;
- server_name %domain_idn% %alias_idn%;
-
- include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
-
- location / {
- proxy_pass http://%ip%:%web_port%;
- location ~* ^.+\.(%proxy_extensions%)$ {
- root %docroot%;
- access_log /var/log/%web_system%/domains/%domain%.log combined;
- access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
- expires max;
- try_files $uri @fallback;
- }
- }
-
- location /error/ {
- alias %home%/%user%/web/%domain%/document_errors/;
- }
-
- location @fallback {
- proxy_pass http://%ip%:%web_port%;
- }
-
- location ~ /\.(?!well-known\/|file) {
- deny all;
- return 404;
- }
-
- include %home%/%user%/conf/web/%domain%/nginx.conf_*;
-}
-
diff --git a/nginx/gitlab.stpl b/nginx/gitlab.stpl
index 28d40bf..5016cf1 100755
--- a/nginx/gitlab.stpl
+++ b/nginx/gitlab.stpl
@@ -1,51 +1,54 @@ -#=======================================================================# -# Default Web Domain Template # -# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS # -#=======================================================================# - +#=========================================================================# +# Default Web Domain Template # +# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS # +# https://hestiacp.com/docs/server-administration/web-templates.html # +#=========================================================================# server { - listen %ip%:%proxy_ssl_port% ssl; - listen [::]:%proxy_ssl_port% ssl; - server_name %domain_idn% %alias_idn%; - ssl_certificate %ssl_pem%; - ssl_certificate_key %ssl_key%; - ssl_stapling on; - ssl_stapling_verify on; + listen %ip%:%proxy_ssl_port% ssl; + listen [::]:%proxy_ssl_port% ssl; + server_name %domain_idn% %alias_idn%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; - # TLS 1.3 0-RTT anti-replay + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + ssl_stapling on; + ssl_stapling_verify on; + + # TLS 1.3 0-RTT anti-replay if ($anti_replay = 307) { return 307 https://$host$request_uri; } if ($anti_replay = 425) { return 425; } - error_log /var/log/%web_system%/domains/%domain%.error.log error; + include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*; - include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*; + location ~ /\.(?!well-known\/|file) { + deny all; + return 404; + } - location / { - proxy_pass https://127.0.0.1:19443; - location ~* ^.+\.(%proxy_extentions%)$ { -# root %sdocroot%; - access_log /var/log/%web_system%/domains/%domain%.log combined; - access_log /var/log/%web_system%/domains/%domain%.bytes bytes; - expires max; - try_files $uri @fallback; - } - } + location / { + proxy_pass https://127.0.0.1:19443; - location /error/ { - alias %home%/%user%/web/%domain%/document_errors/; - } + location ~* 
^.+\.(%proxy_extensions%)$ { + try_files $uri @fallback; - location @fallback { - proxy_pass https://127.0.0.1:19443; - } + root %sdocroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; - location ~ /\.ht {return 404;} - location ~ /\.svn/ {return 404;} - location ~ /\.git/ {return 404;} - location ~ /\.hg/ {return 404;} - location ~ /\.bzr/ {return 404;} + expires max; + } + } - include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*; + location @fallback { + proxy_pass https://127.0.0.1:19443; + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + +# proxy_hide_header Upgrade; + + include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*; } - diff --git a/nginx/gitlab.tpl b/nginx/gitlab.tpl index 9b1b904..7547b20 100755 --- a/nginx/gitlab.tpl +++ b/nginx/gitlab.tpl 
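Review bot: The nested static location in gitlab.stpl changes behaviour: the placeholder typo `%proxy_extentions%` is corrected and `root %sdocroot%;` is no longer commented out. `try_files $uri @fallback;` therefore answers any request whose extension is in `%proxy_extensions%` from the domain's docroot before GitLab at 127.0.0.1:19443 is asked. A file left in that docroot under a matching path is then served on the GitLab origin in place of the application's response. For a vhost that is purely a reverse proxy, I would drop the nested block and `@fallback`, or keep `root` commented out with a comment saying why. forgejo.stpl and mailu.stpl add the same block.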
@@ -1,40 +1,43 @@ #=========================================================================# # Default Web Domain Template # # DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS # -# https://docs.hestiacp.com/admin_docs/web.html#how-do-web-templates-work # +# https://hestiacp.com/docs/server-administration/web-templates.html # #=========================================================================# server { - listen %ip%:%proxy_port%; - listen [::]:%proxy_port%; - server_name %domain_idn% %alias_idn%; - - include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*; + listen %ip%:%proxy_port%; + listen [::]:%proxy_port%; + server_name %domain_idn% %alias_idn%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; - location / { - proxy_pass http://%ip%:%web_port%; - location ~* ^.+\.(%proxy_extensions%)$ { - root %docroot%; - access_log /var/log/%web_system%/domains/%domain%.log combined; - access_log /var/log/%web_system%/domains/%domain%.bytes bytes; - expires max; - try_files $uri @fallback; - } - } + include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*; - location /error/ { - alias %home%/%user%/web/%domain%/document_errors/; - } + location ~ /\.(?!well-known\/|file) { + deny all; + return 404; + } - location @fallback { - proxy_pass http://%ip%:%web_port%; - } + location / { + proxy_pass http://%ip%:%web_port%; - location ~ /\.(?!well-known\/|file) { - deny all; - return 404; - } + location ~* ^.+\.(%proxy_extensions%)$ { + try_files $uri @fallback; - include %home%/%user%/conf/web/%domain%/nginx.conf_*; + root %docroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + + expires max; + } + } + + location @fallback { + proxy_pass http://%ip%:%web_port%; + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + include %home%/%user%/conf/web/%domain%/nginx.conf_*; } - 
diff --git a/nginx/kuma.stpl b/nginx/kuma.stpl
deleted file mode 100755
index d37c4be..0000000
--- a/nginx/kuma.stpl
+++ /dev/null
@@ -1,47 +0,0 @@
-#=======================================================================#
-# Default Web Domain Template #
-# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
-#=======================================================================#
-
-
-server {
- listen %ip%:%proxy_ssl_port% ssl;
- listen [::]:%proxy_ssl_port% ssl;
- server_name %domain_idn% %alias_idn%;
- ssl_certificate %ssl_pem%;
- ssl_certificate_key %ssl_key%;
- ssl_stapling on;
- ssl_stapling_verify on;
-
- # TLS 1.3 0-RTT anti-replay
- if ($anti_replay = 307) { return 307 https://$host$request_uri; }
- if ($anti_replay = 425) { return 425; }
-
- error_log /var/log/%web_system%/domains/%domain%.error.log error;
-
- include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
-
- location / {
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $host;
- proxy_pass http://127.0.0.1:3001/;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- }
-
- location /error/ {
- alias %home%/%user%/web/%domain%/document_errors/;
- }
-
-
- location ~ /\.ht {return 404;}
- location ~ /\.svn/ {return 404;}
- location ~ /\.git/ {return 404;}
- location ~ /\.hg/ {return 404;}
- location ~ /\.bzr/ {return 404;}
-
- include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
-}
-
diff --git a/nginx/kuma.tpl b/nginx/kuma.tpl
deleted file mode 100755
index 9b1b904..0000000
--- a/nginx/kuma.tpl
+++ /dev/null
@@ -1,40 +0,0 @@ -#=========================================================================# -# Default Web Domain Template # -# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS # -# https://docs.hestiacp.com/admin_docs/web.html#how-do-web-templates-work # -#=========================================================================# - -server { - listen %ip%:%proxy_port%; - listen [::]:%proxy_port%; - server_name %domain_idn% %alias_idn%; - - include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*; - - location / { - proxy_pass http://%ip%:%web_port%; - location ~* ^.+\.(%proxy_extensions%)$ { - root %docroot%; - access_log /var/log/%web_system%/domains/%domain%.log combined; - access_log /var/log/%web_system%/domains/%domain%.bytes bytes; - expires max; - try_files $uri @fallback; - } - } - - location /error/ { - alias %home%/%user%/web/%domain%/document_errors/; - } - - location @fallback { - proxy_pass http://%ip%:%web_port%; - } - - location ~ /\.(?!well-known\/|file) { - deny all; - return 404; - } - - include %home%/%user%/conf/web/%domain%/nginx.conf_*; -} - diff --git a/nginx/mail.stpl b/nginx/maddy.stpl similarity index 96% rename from nginx/mail.stpl rename to nginx/maddy.stpl index 4b1d274..d783355 100755 --- a/nginx/mail.stpl +++ b/nginx/maddy.stpl @@ -22,7 +22,7 @@ server { include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*; location / { - proxy_pass https://127.0.0.1:8020; + proxy_pass http://127.0.0.1:8090; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; diff --git a/nginx/default.tpl b/nginx/maddy.tpl similarity index 97% rename from nginx/default.tpl rename to nginx/maddy.tpl index 497746c..d657828 100755 --- a/nginx/default.tpl +++ b/nginx/maddy.tpl @@ -7,7 +7,7 @@ server { listen %ip%:%proxy_port%; server_name %domain_idn% %alias_idn%; - + include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*; location / { 
@@ -30,7 +30,7 @@ server { } location ~ /\.(?!well-known\/|file) { - deny all; + deny all; return 404; } diff --git a/nginx/mail.tpl b/nginx/mail.tpl deleted file mode 100755 index 3a7fba1..0000000 --- a/nginx/mail.tpl +++ /dev/null @@ -1,39 +0,0 @@ -#=======================================================================# -# Default Web Domain Template # -# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS # -#=======================================================================# - -server { - listen %ip%:%proxy_port%; - server_name %domain_idn% %alias_idn%; - - include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*; - - location / { - proxy_pass http://127.0.0.1:8010; - location ~* ^.+\.(%proxy_extensions%)$ { - root %docroot%; - access_log /var/log/%web_system%/domains/%domain%.log combined; - access_log /var/log/%web_system%/domains/%domain%.bytes bytes; - expires max; - try_files $uri @fallback; - } - } - - location /error/ { - alias %home%/%user%/web/%domain%/document_errors/; - } - - location @fallback { - proxy_pass http://%ip%:%web_port%; - } - - location ~ /\.ht {return 404;} - location ~ /\.svn/ {return 404;} - location ~ /\.git/ {return 404;} - location ~ /\.hg/ {return 404;} - location ~ /\.bzr/ {return 404;} - - include %home%/%user%/conf/web/%domain%/nginx.conf_*; -} - diff --git a/nginx/mailu.stpl b/nginx/mailu.stpl new file mode 100755 index 0000000..f7afa20 --- /dev/null +++ b/nginx/mailu.stpl 
@@ -0,0 +1,54 @@
+#=========================================================================#
+# Default Web Domain Template #
+# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
+# https://hestiacp.com/docs/server-administration/web-templates.html #
+#=========================================================================#
+
+server {
+ listen %ip%:%proxy_ssl_port% ssl;
+ listen [::]:%proxy_ssl_port% ssl;
+ server_name %domain_idn% %alias_idn%;
+ error_log /var/log/%web_system%/domains/%domain%.error.log error;
+
+ ssl_certificate %ssl_pem%;
+ ssl_certificate_key %ssl_key%;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # TLS 1.3 0-RTT anti-replay
+ if ($anti_replay = 307) { return 307 https://$host$request_uri; }
+ if ($anti_replay = 425) { return 425; }
+
+ include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
+
+ location ~ /\.(?!well-known\/|file) {
+ deny all;
+ return 404;
+ }
+
+ location / {
+ proxy_pass https://127.0.0.1:8020;
+
+ location ~* ^.+\.(%proxy_extensions%)$ {
+ try_files $uri @fallback;
+
+ root %sdocroot%;
+ access_log /var/log/%web_system%/domains/%domain%.log combined;
+ access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
+
+ expires max;
+ }
+ }
+
+ location @fallback {
+ proxy_pass https://127.0.0.1:8020;
+ }
+
+ location /error/ {
+ alias %home%/%user%/web/%domain%/document_errors/;
+ }
+
+ proxy_hide_header Upgrade;
+
+ include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
+}
diff --git a/nginx/mailu.tpl b/nginx/mailu.tpl
new file mode 100755
index 0000000..7547b20
--- /dev/null
+++ b/nginx/mailu.tpl
@@ -0,0 +1,43 @@
+#=========================================================================#
+# Default Web Domain Template #
+# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
+# https://hestiacp.com/docs/server-administration/web-templates.html #
+#=========================================================================#
+
+server {
+ listen %ip%:%proxy_port%;
+ listen [::]:%proxy_port%;
+ server_name %domain_idn% %alias_idn%;
+ error_log /var/log/%web_system%/domains/%domain%.error.log error;
+
+ include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
+
+ location ~ /\.(?!well-known\/|file) {
+ deny all;
+ return 404;
+ }
+
+ location / {
+ proxy_pass http://%ip%:%web_port%;
+
+ location ~* ^.+\.(%proxy_extensions%)$ {
+ try_files $uri @fallback;
+
+ root %docroot%;
+ access_log /var/log/%web_system%/domains/%domain%.log combined;
+ access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
+
+ expires max;
+ }
+ }
+
+ location @fallback {
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location /error/ {
+ alias %home%/%user%/web/%domain%/document_errors/;
+ }
+
+ include %home%/%user%/conf/web/%domain%/nginx.conf_*;
+}
diff --git a/nginx/mastodon.stpl b/nginx/mastodon.stpl
deleted file mode 100755
index cfabf70..0000000
--- a/nginx/mastodon.stpl
+++ /dev/null
@@ -1,85 +0,0 @@
-#=========================================================================#
-# Default Web Domain Template #
-# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
-# https://docs.hestiacp.com/admin_docs/web.html#how-do-web-templates-work #
-#=========================================================================#
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-upstream backend {
- server 127.0.0.1:3000 fail_timeout=0;
-}
-
-upstream streaming {
- server 127.0.0.1:4000 fail_timeout=0;
-}
-server {
- listen %ip%:%proxy_ssl_port% ssl;
- listen [::]:%proxy_ssl_port% ssl;
- server_name %domain_idn% %alias_idn%;
- ssl_certificate %ssl_pem%;
- ssl_certificate_key %ssl_key%;
- ssl_stapling on;
- ssl_stapling_verify on;
-
- # TLS 1.3 0-RTT anti-replay
- if ($anti_replay = 307) { return 307 https://$host$request_uri; }
- if ($anti_replay = 425) { return 425; }
-
- error_log /var/log/%web_system%/domains/%domain%.error.log error;
-
- include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
-
- root /home/mastodon/public;
-
- gzip on;
- gzip_disable "msie6";
- gzip_vary on;
- gzip_proxied any;
- gzip_comp_level 6;
- gzip_buffers 16 8k;
- gzip_http_version 1.1;
- gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;
-
- location ^~ /api/v1/streaming {
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Proxy "";
-
- proxy_pass http://streaming;
- proxy_buffering off;
- proxy_redirect off;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
-
- tcp_nodelay on;
- }
-
- location / {
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Proxy "";
- proxy_pass_header Server;
-
- proxy_pass http://backend;
- proxy_buffering on;
- proxy_redirect off;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- tcp_nodelay on;
- }
-
- include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
-}
-
diff --git a/nginx/mastodon.tpl b/nginx/mastodon.tpl
deleted file mode 100755
index 9b1b904..0000000
--- a/nginx/mastodon.tpl
+++ /dev/null
@@ -1,40 +0,0 @@
-#=========================================================================#
-# Default Web Domain Template #
-# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
-# https://docs.hestiacp.com/admin_docs/web.html#how-do-web-templates-work #
-#=========================================================================#
-
-server {
- listen %ip%:%proxy_port%;
- listen [::]:%proxy_port%;
- server_name %domain_idn% %alias_idn%;
-
- include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
-
- location / {
- proxy_pass http://%ip%:%web_port%;
- location ~* ^.+\.(%proxy_extensions%)$ {
- root %docroot%;
- access_log /var/log/%web_system%/domains/%domain%.log combined;
- access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
- expires max;
- try_files $uri @fallback;
- }
- }
-
- location /error/ {
- alias %home%/%user%/web/%domain%/document_errors/;
- }
-
- location @fallback {
- proxy_pass http://%ip%:%web_port%;
- }
-
- location ~ /\.(?!well-known\/|file) {
- deny all;
- return 404;
- }
-
- include %home%/%user%/conf/web/%domain%/nginx.conf_*;
-}
-
diff --git a/nginx/misskey.stpl b/nginx/misskey.stpl
index 562e17b..13a400a 100755
--- a/nginx/misskey.stpl
+++ b/nginx/misskey.stpl
@@ -1,35 +1,43 @@ -#=======================================================================# -# Default Web Domain Template # -# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS # -#=======================================================================# +#=========================================================================# +# Default Web Domain Template # +# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS # +# https://hestiacp.com/docs/server-administration/web-templates.html # +#=========================================================================# + map $http_upgrade $connection_upgrade { default upgrade; '' close; } -server { - listen %ip%:%proxy_ssl_port% ssl; - listen [::]:%proxy_ssl_port% ssl; - server_name %domain_idn% %alias_idn%; - ssl_certificate %ssl_pem%; - ssl_certificate_key %ssl_key%; - ssl_stapling on; - ssl_stapling_verify on; - # TLS 1.3 0-RTT anti-replay +server { + listen %ip%:%proxy_ssl_port% ssl; + listen [::]:%proxy_ssl_port% ssl; + server_name %domain_idn% %alias_idn%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + ssl_stapling on; + ssl_stapling_verify on; + + # TLS 1.3 0-RTT anti-replay if ($anti_replay = 307) { return 307 https://$host$request_uri; } if ($anti_replay = 425) { return 425; } - error_log /var/log/%web_system%/domains/%domain%.error.log error; + include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*; - include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*; + location ~ /\.(?!well-known\/|file) { + deny all; + return 404; + } - # Change to your upload limit + # Change to your upload limit client_max_body_size 120m; # Proxy to Node location / { - proxy_pass http://127.0.0.1:3003; + proxy_pass http://127.0.0.1:3000; proxy_set_header Host $host; proxy_http_version 1.1; proxy_redirect off; 
@@ -51,6 +59,6 @@ server { # add_header X-Cache $upstream_cache_status; } - include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*; -} + include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*; +} diff --git a/nginx/misskey.tpl b/nginx/misskey.tpl index 9fe897b..7547b20 100755 --- a/nginx/misskey.tpl +++ b/nginx/misskey.tpl @@ -1,9 +1,43 @@ +#=========================================================================# +# Default Web Domain Template # +# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS # +# https://hestiacp.com/docs/server-administration/web-templates.html # +#=========================================================================# + server { - listen %ip%:%proxy_port%; - listen [::]:%proxy_port%; - server_name %domain_idn% %alias_idn%; - location / { - rewrite ^(.*) https://%domain_idn%$1 permanent; - } -include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt; + listen %ip%:%proxy_port%; + listen [::]:%proxy_port%; + server_name %domain_idn% %alias_idn%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*; + + location ~ /\.(?!well-known\/|file) { + deny all; + return 404; + } + + location / { + proxy_pass http://%ip%:%web_port%; + + location ~* ^.+\.(%proxy_extensions%)$ { + try_files $uri @fallback; + + root %docroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + + expires max; + } + } + + location @fallback { + proxy_pass http://%ip%:%web_port%; + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + include %home%/%user%/conf/web/%domain%/nginx.conf_*; } diff --git a/nginx/nezha.stpl b/nginx/nezha.stpl new file mode 100755 index 0000000..c78edb3 --- /dev/null +++ b/nginx/nezha.stpl 
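Review bot: The plain-HTTP template misskey.tpl no longer redirects to HTTPS on its own: the removed `rewrite ^(.*) https://%domain_idn%$1 permanent;` is replaced by `include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;`, a glob that matches nothing when the per-domain file is absent, and `location /` then proxies to `http://%ip%:%web_port%` in cleartext. If this template is meant for an HTTPS-only app, keep an unconditional redirect in `location /`, e.g. `return 301 https://$host$request_uri;`, or say in the header comment that force-SSL must be enabled for the domain. `%web_port%` is presumably the panel's web backend rather than the Node service the .stpl proxies to, so it is worth confirming that something answers there. The same file content (index 7547b20) is added as nezha.tpl, sanarm.tpl, sharkey.tpl, synapse.tpl and uptime.tpl, so the point applies to each of them.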
@@ -0,0 +1,73 @@ +#=========================================================================# +# Default Web Domain Template # +# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS # +# https://hestiacp.com/docs/server-administration/web-templates.html # +#=========================================================================# + +server { + listen %ip%:%proxy_ssl_port% ssl; + listen [::]:%proxy_ssl_port% ssl; + server_name %domain_idn% %alias_idn%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + ssl_stapling on; + ssl_stapling_verify on; + ssl_session_timeout 1d; + #ssl_session_cache shared:SSL:10m; # 如果与其他配置冲突,请注释此项 + ssl_protocols TLSv1.2 TLSv1.3; + # TLS 1.3 0-RTT anti-replay + if ($anti_replay = 307) { return 307 https://$host$request_uri; } + if ($anti_replay = 425) { return 425; } + + include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*; + + location ~ /\.(?!well-known\/|file) { + deny all; + return 404; + } + + underscores_in_headers on; + + # grpc 相关 + location ^~ /proto.NezhaService/ { + grpc_set_header Host $host; + grpc_set_header nz-realip $remote_addr; # 如果你使用nginx作为最外层,就把上面一行注释掉,启用此行 + grpc_read_timeout 600s; + grpc_send_timeout 600s; + grpc_socket_keepalive on; + client_max_body_size 10m; + grpc_buffer_size 4m; + grpc_pass grpc://dashboard; + } + # websocket 相关 + location ~* ^/api/v1/ws/(server|terminal|file)(.*)$ { + proxy_set_header Host $host; + proxy_set_header nz-realip $remote_addr; # 如果你使用nginx作为最外层,就把上面一行注释掉,启用此行 + proxy_set_header Origin https://$host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 3600s; + proxy_send_timeout 3600s; + proxy_pass http://127.0.0.1:8008; + } + # web + location / { + proxy_set_header Host $host; + proxy_set_header nz-realip $remote_addr; # 如果你使用nginx作为最外层,就把上面一行注释掉,启用此行 + proxy_read_timeout 3600s; + proxy_send_timeout 3600s; + proxy_buffer_size 
128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; + proxy_max_temp_file_size 0; + proxy_set_header X-Forwarded-Proto $scheme; # 如果你使用nginx作为最外层,就启用此行避免无法正确读取访问的协议 + proxy_pass http://127.0.0.1:8008; + } +} + +upstream dashboard { + server 127.0.0.1:8008; + keepalive 512; +} \ No newline at end of file diff --git a/nginx/nezha.tpl b/nginx/nezha.tpl new file mode 100755 index 0000000..7547b20 --- /dev/null +++ b/nginx/nezha.tpl @@ -0,0 +1,43 @@ +#=========================================================================# +# Default Web Domain Template # +# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS # +# https://hestiacp.com/docs/server-administration/web-templates.html # +#=========================================================================# + +server { + listen %ip%:%proxy_port%; + listen [::]:%proxy_port%; + server_name %domain_idn% %alias_idn%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*; + + location ~ /\.(?!well-known\/|file) { + deny all; + return 404; + } + + location / { + proxy_pass http://%ip%:%web_port%; + + location ~* ^.+\.(%proxy_extensions%)$ { + try_files $uri @fallback; + + root %docroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + + expires max; + } + } + + location @fallback { + proxy_pass http://%ip%:%web_port%; + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + include %home%/%user%/conf/web/%domain%/nginx.conf_*; +} diff --git a/nginx/sanarm.stpl b/nginx/sanarm.stpl new file mode 100755 index 0000000..19b7791 --- /dev/null +++ b/nginx/sanarm.stpl 
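Review bot: In the WebSocket location `^/api/v1/ws/(server|terminal|file)(.*)$` of nezha.stpl, `proxy_set_header Origin https://$host;` replaces whatever Origin the browser sent, so any same-origin check the dashboard applies to its terminal and file sockets sees a matching value even when the request came from a cross-site page. Unless the backend needs the override for a reason not visible here, drop the line or forward the client's value with `proxy_set_header Origin $http_origin;`. The trailing comments on the three `nz-realip` lines tell the operator to comment out "the line above", but no alternative line exists in this template, so they should be reworded or removed. `upstream dashboard` is also declared inside a per-domain template, which I would expect nginx to reject as a duplicate upstream once a second domain uses it.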
@@ -0,0 +1,54 @@
+#=========================================================================#
+# Default Web Domain Template #
+# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
+# https://hestiacp.com/docs/server-administration/web-templates.html #
+#=========================================================================#
+
+server {
+ listen %ip%:%proxy_ssl_port% ssl;
+ listen [::]:%proxy_ssl_port% ssl;
+ server_name %domain_idn% %alias_idn%;
+ error_log /var/log/%web_system%/domains/%domain%.error.log error;
+
+ ssl_certificate %ssl_pem%;
+ ssl_certificate_key %ssl_key%;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # TLS 1.3 0-RTT anti-replay
+ if ($anti_replay = 307) { return 307 https://$host$request_uri; }
+ if ($anti_replay = 425) { return 425; }
+
+ include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
+
+ location ~ /\.(?!well-known\/|file) {
+ deny all;
+ return 404;
+ }
+
+ location / {
+ proxy_pass https://%ip%:%web_ssl_port%;
+
+ location ~* ^.+\.(%proxy_extensions%)$ {
+ try_files $uri @fallback;
+
+ root %sdocroot%;
+ access_log /var/log/%web_system%/domains/%domain%.log combined;
+ access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
+
+ expires max;
+ }
+ }
+
+ location @fallback {
+ proxy_pass https://%ip%:%web_ssl_port%;
+ }
+
+ location /error/ {
+ alias %home%/%user%/web/%domain%/document_errors/;
+ }
+
+ proxy_hide_header Upgrade;
+
+ include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
+}
diff --git a/nginx/sanarm.tpl b/nginx/sanarm.tpl
new file mode 100755
index 0000000..7547b20
--- /dev/null
+++ b/nginx/sanarm.tpl
@@ -0,0 +1,43 @@
+#=========================================================================#
+# Default Web Domain Template #
+# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
+# https://hestiacp.com/docs/server-administration/web-templates.html #
+#=========================================================================#
+
+server {
+ listen %ip%:%proxy_port%;
+ listen [::]:%proxy_port%;
+ server_name %domain_idn% %alias_idn%;
+ error_log /var/log/%web_system%/domains/%domain%.error.log error;
+
+ include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
+
+ location ~ /\.(?!well-known\/|file) {
+ deny all;
+ return 404;
+ }
+
+ location / {
+ proxy_pass http://%ip%:%web_port%;
+
+ location ~* ^.+\.(%proxy_extensions%)$ {
+ try_files $uri @fallback;
+
+ root %docroot%;
+ access_log /var/log/%web_system%/domains/%domain%.log combined;
+ access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
+
+ expires max;
+ }
+ }
+
+ location @fallback {
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location /error/ {
+ alias %home%/%user%/web/%domain%/document_errors/;
+ }
+
+ include %home%/%user%/conf/web/%domain%/nginx.conf_*;
+}
diff --git a/nginx/sharkey.stpl b/nginx/sharkey.stpl
new file mode 100755
index 0000000..614e335
--- /dev/null
+++ b/nginx/sharkey.stpl
@@ -0,0 +1,64 @@
+#=========================================================================#
+# Default Web Domain Template #
+# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
+# https://hestiacp.com/docs/server-administration/web-templates.html #
+#=========================================================================#
+
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+
+server {
+ listen %ip%:%proxy_ssl_port% ssl;
+ listen [::]:%proxy_ssl_port% ssl;
+ server_name %domain_idn% %alias_idn%;
+ error_log /var/log/%web_system%/domains/%domain%.error.log error;
+
+ ssl_certificate %ssl_pem%;
+ ssl_certificate_key %ssl_key%;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # TLS 1.3 0-RTT anti-replay
+ if ($anti_replay = 307) { return 307 https://$host$request_uri; }
+ if ($anti_replay = 425) { return 425; }
+
+ include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
+
+ location ~ /\.(?!well-known\/|file) {
+ deny all;
+ return 404;
+ }
+
+ # Change to your upload limit
+ client_max_body_size 120m;
+
+ # Proxy to Node
+ location / {
+ proxy_pass http://127.0.0.1:13000;
+ proxy_set_header Host $host;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+
+ # If it's behind another reverse proxy or CDN, remove the following.
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+
+ # For WebSocket
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ # Cache settings
+# proxy_cache cache1;
+# proxy_cache_lock on;
+# proxy_cache_use_stale updating;
+# proxy_force_ranges on;
+# add_header X-Cache $upstream_cache_status;
+ }
+
+
+ include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
+}
diff --git a/nginx/sharkey.tpl b/nginx/sharkey.tpl
new file mode 100755
index 0000000..7547b20
--- /dev/null
+++ b/nginx/sharkey.tpl
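Review bot: In `location /` of sharkey.stpl, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever X-Forwarded-For value the client supplied, so when this nginx is the outermost hop the application receives a list whose leading entries are client-chosen. The comment above it only covers the opposite case (behind another reverse proxy or CDN). For the edge case, set `proxy_set_header X-Forwarded-For $remote_addr;`, or add a comment telling operators to configure the application's trusted-proxy setting so that only the last hop is believed. uptime.stpl carries the same directive in its `location /`.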
@@ -0,0 +1,43 @@
+#=========================================================================#
+# Default Web Domain Template #
+# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
+# https://hestiacp.com/docs/server-administration/web-templates.html #
+#=========================================================================#
+
+server {
+ listen %ip%:%proxy_port%;
+ listen [::]:%proxy_port%;
+ server_name %domain_idn% %alias_idn%;
+ error_log /var/log/%web_system%/domains/%domain%.error.log error;
+
+ include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
+
+ location ~ /\.(?!well-known\/|file) {
+ deny all;
+ return 404;
+ }
+
+ location / {
+ proxy_pass http://%ip%:%web_port%;
+
+ location ~* ^.+\.(%proxy_extensions%)$ {
+ try_files $uri @fallback;
+
+ root %docroot%;
+ access_log /var/log/%web_system%/domains/%domain%.log combined;
+ access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
+
+ expires max;
+ }
+ }
+
+ location @fallback {
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location /error/ {
+ alias %home%/%user%/web/%domain%/document_errors/;
+ }
+
+ include %home%/%user%/conf/web/%domain%/nginx.conf_*;
+}
diff --git a/nginx/synapse.stpl b/nginx/synapse.stpl
new file mode 100755
index 0000000..b0b2167
--- /dev/null
+++ b/nginx/synapse.stpl
@@ -0,0 +1,60 @@ +#=========================================================================# +# Default Web Domain Template # +# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS # +# https://hestiacp.com/docs/server-administration/web-templates.html # +#=========================================================================# + +server { + listen %ip%:%proxy_ssl_port% ssl; + listen [::]:%proxy_ssl_port% ssl; + server_name %domain_idn% %alias_idn%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + ssl_certificate %ssl_pem%; + ssl_certificate_key %ssl_key%; + ssl_stapling on; + ssl_stapling_verify on; + + # TLS 1.3 0-RTT anti-replay + if ($anti_replay = 307) { return 307 https://$host$request_uri; } + if ($anti_replay = 425) { return 425; } + + include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*; + + location ~ /\.(?!well-known\/|file) { + deny all; + return 404; + } + + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + location / { + proxy_pass http://127.0.0.1:6080; + proxy_set_header X-Forwarded-For $remote_addr; + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + } + + location /.well-known/matrix/client { + return 200 '{"m.homeserver": {"base_url": "https://im.kernel.ws"}}'; + default_type application/json; + add_header Access-Control-Allow-Origin 
*; + } + location ~* ^(\/_matrix|\/_synapse) { + proxy_pass http://127.0.0.1:8008; + proxy_set_header X-Forwarded-For $remote_addr; + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + } + location /admin/ { + proxy_pass http://127.0.0.1:8100/; + proxy_set_header X-Forwarded-For $remote_addr; + } + + include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*; +} diff --git a/nginx/synapse.tpl b/nginx/synapse.tpl new file mode 100755 index 0000000..7547b20 --- /dev/null +++ b/nginx/synapse.tpl @@ -0,0 +1,43 @@ +#=========================================================================# +# Default Web Domain Template # +# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS # +# https://hestiacp.com/docs/server-administration/web-templates.html # +#=========================================================================# + +server { + listen %ip%:%proxy_port%; + listen [::]:%proxy_port%; + server_name %domain_idn% %alias_idn%; + error_log /var/log/%web_system%/domains/%domain%.error.log error; + + include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*; + + location ~ /\.(?!well-known\/|file) { + deny all; + return 404; + } + + location / { + proxy_pass http://%ip%:%web_port%; + + location ~* ^.+\.(%proxy_extensions%)$ { + try_files $uri @fallback; + + root %docroot%; + access_log /var/log/%web_system%/domains/%domain%.log combined; + access_log /var/log/%web_system%/domains/%domain%.bytes bytes; + + expires max; + } + } + + location @fallback { + proxy_pass http://%ip%:%web_port%; + } + + location /error/ { + alias %home%/%user%/web/%domain%/document_errors/; + } + + include %home%/%user%/conf/web/%domain%/nginx.conf_*; +} diff --git a/nginx/tz.stpl b/nginx/tz.stpl deleted file mode 100755 index e72fb70..0000000 --- a/nginx/tz.stpl +++ /dev/null 
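Review bot: The `/.well-known/matrix/client` response in synapse.stpl hard-codes `https://im.kernel.ws` as the homeserver base URL, so every domain built from this template tells Matrix clients to log in against that one host; use the template variable instead, `return 200 '{"m.homeserver": {"base_url": "https://%domain_idn%"}}';`. Separately, `location ~* ^(\/_matrix|\/_synapse)` also matches `/_synapse/admin`, and `/admin/` is proxied to 127.0.0.1:8100 with no `allow`/`deny`, which puts both admin surfaces on the public listener. Narrowing the regex to `^(\/_matrix|\/_synapse\/client)` and restricting `/admin/` by source address would keep them internal. The two comments about `client_max_body_size` describe a directive the template never sets, so uploads stay at the 1M default those comments mention.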
@@ -1,52 +0,0 @@
-#=======================================================================#
-# Default Web Domain Template #
-# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
-#=======================================================================#
-
-
-server {
- listen %ip%:%proxy_ssl_port% ssl;
- listen [::]:%proxy_ssl_port% ssl;
- server_name %domain_idn% %alias_idn%;
- ssl_certificate %ssl_pem%;
- ssl_certificate_key %ssl_key%;
- ssl_stapling on;
- ssl_stapling_verify on;
- error_log /var/log/%web_system%/domains/%domain%.error.log error;
-
- include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
-
- location / {
- proxy_pass http://127.0.0.1:9010;
- location ~* ^.+\.(%proxy_extentions%)$ {
-# root %sdocroot%;
- access_log /var/log/%web_system%/domains/%domain%.log combined;
- access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
- expires max;
- try_files $uri @fallback;
- }
- }
- location ~ ^/(ws|terminal/.+)$ {
- proxy_pass http://127.0.0.1:9010;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- proxy_set_header Host $http_host;
- }
- location /error/ {
- alias %home%/%user%/web/%domain%/document_errors/;
- }
-
- location @fallback {
- proxy_pass http://127.0.0.1:9010;
- }
-
- location ~ /\.ht {return 404;}
- location ~ /\.svn/ {return 404;}
- location ~ /\.git/ {return 404;}
- location ~ /\.hg/ {return 404;}
- location ~ /\.bzr/ {return 404;}
-
- include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
-}
-
diff --git a/nginx/tz.tpl b/nginx/tz.tpl
deleted file mode 100755
index 16eee6f..0000000
--- a/nginx/tz.tpl
+++ /dev/null
@@ -1,43 +0,0 @@
-#=======================================================================#
-# Default Web Domain Template #
-# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
-#=======================================================================#
-
-
-server {
- listen %ip%:%proxy_port% ;
- listen [::]:%proxy_port%;
- server_name %domain_idn% %alias_idn%;
-
- error_log /var/log/%web_system%/domains/%domain%.error.log error;
-
- include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
-
- location / {
- proxy_pass http://127.0.0.1:8010;
- location ~* ^.+\.(%proxy_extentions%)$ {
- root %sdocroot%;
- access_log /var/log/%web_system%/domains/%domain%.log combined;
- access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
- expires max;
- try_files $uri @fallback;
- }
- }
-
- location /error/ {
- alias %home%/%user%/web/%domain%/document_errors/;
- }
-
- location @fallback {
- proxy_pass http://127.0.0.1:8010;
- }
-
- location ~ /\.ht {return 404;}
- location ~ /\.svn/ {return 404;}
- location ~ /\.git/ {return 404;}
- location ~ /\.hg/ {return 404;}
- location ~ /\.bzr/ {return 404;}
-
- include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
-}
-
diff --git a/nginx/uptime.stpl b/nginx/uptime.stpl
new file mode 100755
index 0000000..936299d
--- /dev/null
+++ b/nginx/uptime.stpl
@@ -0,0 +1,47 @@
+#=========================================================================#
+# Default Web Domain Template #
+# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
+# https://hestiacp.com/docs/server-administration/web-templates.html #
+#=========================================================================#
+
+server {
+ listen %ip%:%proxy_ssl_port% ssl;
+ listen [::]:%proxy_ssl_port% ssl;
+ server_name %domain_idn% %alias_idn%;
+ error_log /var/log/%web_system%/domains/%domain%.error.log error;
+
+ ssl_certificate %ssl_pem%;
+ ssl_certificate_key %ssl_key%;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # TLS 1.3 0-RTT anti-replay
+ if ($anti_replay = 307) { return 307 https://$host$request_uri; }
+ if ($anti_replay = 425) { return 425; }
+
+ include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
+
+ location ~ /\.(?!well-known\/|file) {
+ deny all;
+ return 404;
+ }
+
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_pass http://127.0.0.1:3001/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+
+ location /error/ {
+ alias %home%/%user%/web/%domain%/document_errors/;
+ }
+
+ proxy_hide_header Upgrade;
+
+ include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
+}
diff --git a/nginx/uptime.tpl b/nginx/uptime.tpl
new file mode 100755
index 0000000..7547b20
--- /dev/null
+++ b/nginx/uptime.tpl
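Review bot: The server-level `proxy_hide_header Upgrade;` in uptime.stpl is inherited by `location /`, which is the block that proxies WebSocket traffic (`proxy_set_header Upgrade $http_upgrade;` and `Connection "upgrade"`), and stripping `Upgrade` from the upstream's reply may break the 101 handshake. The directive looks carried over from the stock template, where the upstream is the panel's own web backend; here the upstream is the service on 127.0.0.1:3001, so I would remove it or add a comment saying why it is kept, e.g. `# kept from the default template; remove if WebSocket connections fail`.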
@@ -0,0 +1,43 @@
+#=========================================================================#
+# Default Web Domain Template #
+# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
+# https://hestiacp.com/docs/server-administration/web-templates.html #
+#=========================================================================#
+
+server {
+ listen %ip%:%proxy_port%;
+ listen [::]:%proxy_port%;
+ server_name %domain_idn% %alias_idn%;
+ error_log /var/log/%web_system%/domains/%domain%.error.log error;
+
+ include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
+
+ location ~ /\.(?!well-known\/|file) {
+ deny all;
+ return 404;
+ }
+
+ location / {
+ proxy_pass http://%ip%:%web_port%;
+
+ location ~* ^.+\.(%proxy_extensions%)$ {
+ try_files $uri @fallback;
+
+ root %docroot%;
+ access_log /var/log/%web_system%/domains/%domain%.log combined;
+ access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
+
+ expires max;
+ }
+ }
+
+ location @fallback {
+ proxy_pass http://%ip%:%web_port%;
+ }
+
+ location /error/ {
+ alias %home%/%user%/web/%domain%/document_errors/;
+ }
+
+ include %home%/%user%/conf/web/%domain%/nginx.conf_*;
+}