commit 1898a7b0884c99860bb56137ddac7f64b48a6f94 Author: hrupi Date: Tue Sep 3 21:00:49 2024 +0300 init commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c30d935
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+logs/*
+ssl/*
+sites-enabled/*
+!sites-enabled/example.conf.tplm
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..d0a406a
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+ARG ubu_tag
+FROM ubuntu:${ubu_tag}
+ENV TZ="Europe/Moscow"
+ARG nginx_ssl_path
+ARG nginx_config_path
+ARG nginx_proxy_config_path
+RUN apt-get update \
+ && apt-get install nginx libnginx-mod-http-geoip2 nginx-common nginx-core curl tzdata -y \
+ && apt-get clean \
+ && rm -fr /var/lib/apt/lists/*
+COPY ./nginx.conf ${nginx_config_path}/nginx.conf
+ENTRYPOINT ["nginx", "-g", "daemon off;"]
\ No newline at end of file
diff --git a/configuration/cache.conf b/configuration/cache.conf
new file mode 100644
index 0000000..500cc32
--- /dev/null
+++ b/configuration/cache.conf
@@ -0,0 +1,12 @@
+# proxy_cache all;
+# proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=all:20m max_size=4096m;
+# proxy_cache_key "$host$request_uri$cookie_user";
+# proxy_cache_valid 200 301 302 10m;
+# proxy_cache_valid 502 404 10s;
+# proxy_cache_lock on;
+# proxy_cache_lock_age 10s;
+# proxy_cache_lock_timeout 10s;
+# proxy_ignore_headers "Set-Cookie";
+# proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+#proxy_cache_bypass
+#proxy_no_cache
\ No newline at end of file
diff --git a/configuration/compression.conf b/configuration/compression.conf
new file mode 100644
index 0000000..27cba7e
--- /dev/null
+++ b/configuration/compression.conf
@@ -0,0 +1,7 @@
+gzip on;
+gzip_vary on;
+gzip_proxied any;
+gzip_buffers 64 4k;
+gzip_comp_level 9;
+gzip_min_length 200;
+gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
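Review bot: `ARG ubu_tag` and `ARG nginx_config_path` carry no defaults, so `FROM ubuntu:${ubu_tag}` gets an empty tag and `COPY ./nginx.conf ${nginx_config_path}/nginx.conf` lands at `/nginx.conf` unless every build passes both `--build-arg`s; give them defaults (`ARG ubu_tag=<placeholder tag>`, `ARG nginx_config_path=/etc/nginx`) so a plain `docker build` either works or fails loudly. `ARG nginx_ssl_path` and `ARG nginx_proxy_config_path` are declared and never referenced. The `apt-get install` line pulls recommended packages; adding `--no-install-recommends` keeps the image surface to what the proxy needs. docker-compose.yml in this same commit runs `nginx:stable-alpine` rather than building this file, so it is unclear which image is meant to be deployed.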
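Review bot: If this commented-out block is ever enabled as written, `proxy_ignore_headers "Set-Cookie"` lets nginx cache responses that set cookies while `proxy_cache_key "$host$request_uri$cookie_user"` keys only on a cookie named `user`, so a personalised or authenticated response could be served to another client whose `user` cookie matches or is absent. Before uncommenting, key on the session identifier the upstream actually uses, or leave `Set-Cookie` responses uncacheable, and fill in the empty `proxy_cache_bypass`/`proxy_no_cache` lines (for example `proxy_no_cache $http_authorization;`) so authenticated requests skip the cache. A short header comment saying the file is intentionally inert would also stop it being included by accident.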
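Review bot: `gzip_types` includes `text/plain`, `text/xml` and `application/json`, so on the HTTPS-only vhost in this commit dynamic proxied responses are compressed inside TLS; where such a response reflects request data next to a per-session secret (session id, CSRF token) that is the BREACH class of compression side channel. Either restrict gzip to static asset types (`text/css application/javascript image/svg+xml` and similar) or confirm the upstream masks per-request secrets before enabling it for API and HTML responses. `gzip_comp_level 9` also costs several times the CPU of level 4–6 for a marginal size gain; a lower level is the usual choice for a proxy.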
diff --git a/configuration/error_pages.conf b/configuration/error_pages.conf
new file mode 100644
index 0000000..de1ab52
--- /dev/null
+++ b/configuration/error_pages.conf
@@ -0,0 +1,13 @@
+error_page 404 /404.html;
+error_page 502 /502.html;
+
+location = /404.html {
+ root /etc/nginx/error-pages/404;
+ proxy_intercept_errors on;
+ internal;
+}
+location = /502.html {
+ root /etc/nginx/error-pages/502;
+ proxy_intercept_errors on;
+ internal;
+}
\ No newline at end of file
diff --git a/configuration/general.conf b/configuration/general.conf
new file mode 100644
index 0000000..6e51e96
--- /dev/null
+++ b/configuration/general.conf
@@ -0,0 +1,12 @@
+location = /favicon.ico {
+ log_not_found off;
+}
+
+location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
+ expires 12h;
+}
+
+location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
+ add_header Access-Control-Allow-Origin "*";
+ expires 12h;
+}
\ No newline at end of file
diff --git a/configuration/includes.conf b/configuration/includes.conf
new file mode 100644
index 0000000..ffa31e0
--- /dev/null
+++ b/configuration/includes.conf
@@ -0,0 +1,2 @@
+include configuration/compression.conf;
+include configuration/error_pages.conf;
\ No newline at end of file
diff --git a/configuration/security.conf b/configuration/security.conf
new file mode 100644
index 0000000..e2d8b3d
--- /dev/null
+++ b/configuration/security.conf
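Review bot: `proxy_intercept_errors on;` sits inside `location = /404.html` and `location = /502.html`, where no `proxy_pass` runs, so it never takes effect; for a 404 or 502 that the upstream itself returns to be replaced by these pages the directive has to live in the proxying context (the `server` block or `location /` of sites-enabled/example.conf.tplm). Errors nginx generates on its own, such as a failed upstream connect, are already handled by `error_page` without it, which may be why this appeared to work in testing. A one-line comment such as `# proxy_intercept_errors must be set where proxy_pass is, not here` would stop the next reader copying the pattern.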
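Review bot: Nothing in this commit includes general.conf (includes.conf pulls in only compression.conf and error_pages.conf), so these three locations are dead configuration as shipped. If it is later included into the proxied vhost, the two regex locations take precedence over the prefix `location /` and contain no `proxy_pass`, so every `.js`, `.css` or image request would be served from the default root and 404 instead of reaching the upstream; either add the proxy directives there or apply the caching via `map $sent_http_content_type $expires { ... }` and a single `expires $expires;`. Also, nginx `add_header` is not additive across levels: the font location's `add_header Access-Control-Allow-Origin "*";` discards any server-level headers on those responses.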
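Review bot: configuration/security.conf is not included here or anywhere else in this commit, so none of the security headers and the dotfile `deny all` rule it defines ever apply to a response; add `include configuration/security.conf;` (and `include configuration/general.conf;` if that file is meant to be active). A comment listing what each included file is responsible for would make it obvious when one goes missing.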
@@ -0,0 +1,10 @@
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "no-referrer-when-downgrade" always;
+add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
+add_header Permissions-Policy "interest-cohort=()" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+location ~ /\.(?!well-known) {
+ deny all;
+}
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..43ec88f
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,33 @@
+services:
+ reverse:
+ image: nginx:stable-alpine
+ container_name: reverse
+ hostname: reverse
+ restart: always
+ extra_hosts:
+ - "host.docker.internal=host-gateway"
+ volumes:
+ - "./nginx.conf:/etc/nginx/nginx.conf:ro"
+ - "./locations:/etc/nginx/locations:ro"
+ - "./configuration:/etc/nginx/configuration:ro"
+ - "./sites-enabled:/etc/nginx/sites-enabled:ro"
+ - "./error-pages:/etc/nginx/error-pages/"
+ - "./resources:/var/www/html/resources"
+ - "./ssl:/etc/nginx/ssl"
+ - "./logs:/var/log/nginx/"
+ networks:
+ local_net: {}
+ ports:
+ - 80:80
+ - 443:443
+ - 60180:60180
+ - 60280:60280
+ - 60380:60380
+ - 60480:60480
+ - 64443:64443
+
+networks:
+ local_net:
+ external: true
+ driver: bridge
+ name: services
diff --git a/error-pages/404/404.html b/error-pages/404/404.html
new file mode 100644
index 0000000..e702b27
--- /dev/null
+++ b/error-pages/404/404.html
@@ -0,0 +1,2 @@
+
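Review bot: The Content-Security-Policy's `default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'` permits scripts from any origin over either scheme plus inline script, so it gives essentially no injection mitigation, and the `http:` source also undercuts the Strict-Transport-Security header two lines below; tighten it to the origins the site actually loads from (at minimum `default-src 'self' https:; script-src 'self'`) or remove it rather than ship a policy that only looks protective. `X-XSS-Protection "1; mode=block"` is deprecated — the auditor it controls has been removed from browsers and was itself a side-channel source — so current guidance is `add_header X-XSS-Protection "0" always;`. Note also that nginx `add_header` is not inherited into any location that declares its own `add_header`, so these headers disappear on responses from such locations unless repeated there or moved into an include used at every level.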
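Review bot: `./ssl` holds the private keys and is mounted read-write although nginx only reads it; make it `"./ssl:/etc/nginx/ssl:ro"`, and likewise `./error-pages` and `./resources`, so a compromised worker cannot modify keys or the pages it serves. Under `networks:`, `external: true` combined with `driver: bridge` is contradictory — compose does not create or manage an external network, so the `driver` key is ignored or rejected depending on the version; drop it. The published ports bind to every host interface by default; if 60180–64443 are only for services on the host, prefix them (`127.0.0.1:60180:60180`) so they are not reachable from the network. `image: nginx:stable-alpine` also means the Dockerfile in this commit is never built, while nginx.conf's `user nobody nogroup;` and `include /etc/nginx/modules-enabled/*.conf;` appear to target the Debian/Ubuntu layout, so confirm which image is intended.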

Error 404: Not found :-(

+

I have no idea where that file is, sorry. Are you sure you typed in the correct URL?

diff --git a/error-pages/502/502.html b/error-pages/502/502.html
new file mode 100644
index 0000000..7091f7a
--- /dev/null
+++ b/error-pages/502/502.html
@@ -0,0 +1,15 @@
+ + + + + + + oh no... + +
\ No newline at end of file
diff --git a/error-pages/502/502.jpg b/error-pages/502/502.jpg
new file mode 100644
index 0000000..33ecfc3
Binary files /dev/null and b/error-pages/502/502.jpg differ
diff --git a/locations/acme_reverse.location b/locations/acme_reverse.location
new file mode 100644
index 0000000..68f064e
--- /dev/null
+++ b/locations/acme_reverse.location
@@ -0,0 +1,8 @@
+location /.well-known/acme-challenge/ {
+ proxy_pass http://apache/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+}
\ No newline at end of file
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..f1390a3
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,30 @@
+user nobody nogroup;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 24;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+
+ #client_max_body_size 1024M;
+ client_max_body_size 64M;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log debug;
+
+ gzip on;
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*.conf;
+}
diff --git a/readme.md b/readme.md
new file mode 100644
index 0000000..e69de29
diff --git a/resources/502.jpg b/resources/502.jpg
new file mode 100644
index 0000000..33ecfc3
Binary files /dev/null and b/resources/502.jpg differ
diff --git a/sites-enabled/example.conf.tplm b/sites-enabled/example.conf.tplm
new file mode 100644
index 0000000..b717c41
--- /dev/null
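Review bot: `proxy_pass http://apache/;` carries a URI part, so the matched prefix `/.well-known/acme-challenge/` is stripped and the upstream receives `/<token>` instead of the full challenge path; unless the `apache` container serves challenges at its root, HTTP-01 validation fails — `proxy_pass http://apache;` (no trailing slash) forwards the original path unchanged. Because the name is written literally, nginx resolves `apache` once at startup and refuses to start when that container is absent (the `resolver` in example.conf.tplm only applies to variable targets); `set $acme_upstream http://apache; proxy_pass $acme_upstream;` defers resolution to request time. Nothing in this commit includes locations/*.location, and the port-80 server in example.conf.tplm rewrites every path to HTTPS before this location could match, so as wired the challenge is only served if this block is also included in the 443 server and the ACME client follows the redirect.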
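Review bot: `worker_connections 24;` is far too low for a reverse proxy — each proxied request holds one client and one upstream connection, so roughly a dozen concurrent clients per worker exhaust the pool and further requests are refused; `worker_connections 1024;` is the conventional starting point. `error_log /var/log/nginx/error.log debug;` records every request detail, including request headers and therefore cookies and bearer tokens, into the bind-mounted `./logs` directory; use `warn` or `error` outside a debugging session. `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` at the `http` level makes deprecated TLS 1.1 the default for any vhost that does not override it (the example template does, but a new site file may not); make it `ssl_protocols TLSv1.2 TLSv1.3;` here as well. `server_tokens off;` is also missing, so the nginx version is advertised in the Server header and on error pages.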
+++ b/sites-enabled/example.conf.tplm
@@ -0,0 +1,37 @@
+resolver 127.0.0.11 valid=60s ipv6=off;
+resolver_timeout 10s;
+
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ rewrite ^(.*) https://$host$1 permanent;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name spve15.softsols.ru;
+ ssl_certificate /etc/nginx/ssl/live/softsols.ru/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/live/softsols.ru/privkey.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ include configuration/includes.conf;
+
+ proxy_redirect off;
+ set $proxy_value https://172.17.0.1:59115;
+ location / {
+ proxy_pass $proxy_value;
+ proxy_redirect off;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_buffering off;
+ client_max_body_size 0;
+ proxy_connect_timeout 3600s;
+ proxy_read_timeout 3600s;
+ proxy_send_timeout 3600s;
+ send_timeout 3600s;
+ }
+}
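Review bot: `set $proxy_value https://172.17.0.1:59115;` proxies to the upstream over TLS, but nginx's `proxy_ssl_verify` defaults to `off`, so the upstream certificate is never checked and the hop is encrypted but not authenticated; add `proxy_ssl_verify on; proxy_ssl_trusted_certificate <ca-bundle path>; proxy_ssl_name <upstream hostname>;` in `location /`, or deliberately use plain HTTP on the bridge and say so in a comment. `proxy_set_header Connection "upgrade";` is unconditional, so every request is forwarded as an upgrade even when no `Upgrade` header arrived; the documented pattern is `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the `http` context with `proxy_set_header Connection $connection_upgrade;`. The port-80 `rewrite ^(.*) https://$host$1 permanent;` builds the redirect target from the client-supplied Host header, and `location /` sets none of the `Host`, `X-Forwarded-For` and `X-Forwarded-Proto` headers the acme location already does, so the upstream sees the proxy address as the client and `$proxy_host` as the host. `client_max_body_size 0;` together with one-hour `proxy_*_timeout` and `send_timeout` values removes every cap on upload size and connection lifetime; pin both to what the upstream actually needs rather than leaving them unbounded in a template.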