diff --git a/dot_config/nginx/nginx.conf.tmpl b/dot_config/nginx/nginx.conf.tmpl
index ca66a57..04b4d48 100644
--- a/dot_config/nginx/nginx.conf.tmpl
+++ b/dot_config/nginx/nginx.conf.tmpl
@@ -1,7 +1,7 @@
 worker_processes 1;
-working_directory {{.chezmoi.homeDir}}/.config/nginx;
+working_directory {{ .chezmoi.homeDir }}/.config/nginx;
 error_log stderr info;
 daemon off;
@@ -66,8 +66,8 @@ http {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
- ssl_certificate {{.chezmoi.homeDir}}/.config/nginx/ssl/localhost.crt;
- ssl_certificate_key {{.chezmoi.homeDir}}/.config/nginx/ssl/localhost.key;
+ ssl_certificate {{ .chezmoi.homeDir }}/.config/nginx/ssl/localhost.crt;
+ ssl_certificate_key {{ .chezmoi.homeDir }}/.config/nginx/ssl/localhost.key;
 client_max_body_size 10G;
 proxy_request_buffering off;
@@ -101,15 +101,15 @@ http {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
- ssl_certificate {{.chezmoi.homeDir}}/.config/nginx/ssl/localhost.crt;
- ssl_certificate_key {{.chezmoi.homeDir}}/.config/nginx/ssl/localhost.key;
+ ssl_certificate {{ .chezmoi.homeDir }}/.config/nginx/ssl/localhost.crt;
+ ssl_certificate_key {{ .chezmoi.homeDir }}/.config/nginx/ssl/localhost.key;
- root {{.chezmoi.homeDir}}/jopixel/$project/www/static;
+ root {{ .chezmoi.homeDir }}/jopixel/$project/www/static;
 error_page 404 /errors/404.html;
 error_page 403 /errors/403.html;
 location /errors/ {
- alias {{.chezmoi.homeDir}}/jopixel/errorpages/;
+ alias {{ .chezmoi.homeDir }}/jopixel/errorpages/;
 }
 }
@@ -134,12 +134,12 @@ http {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
- ssl_certificate {{.chezmoi.homeDir}}/.config/nginx/ssl/localhost.crt;
- ssl_certificate_key {{.chezmoi.homeDir}}/.config/nginx/ssl/localhost.key;
+ ssl_certificate {{ .chezmoi.homeDir }}/.config/nginx/ssl/localhost.crt;
+ ssl_certificate_key {{ .chezmoi.homeDir }}/.config/nginx/ssl/localhost.key;
 client_max_body_size 1G;
- root {{.chezmoi.homeDir}}/jopixel/$project/www/www;
+ root {{ .chezmoi.homeDir }}/jopixel/$project/www/www;
 #add_header Access-Control-Allow-Origin "*";
@@ -202,12 +202,24 @@ http {
 proxy_pass http://s3.appsincloud.net:7480/;
 }
+ location /files/ {
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://s3.appsincloud.net:7480/;
+ }
+
 location /_static/ {
 internal;
- root {{.chezmoi.homeDir}}/jopixel/$project/www/static;
+ root {{ .chezmoi.homeDir }}/jopixel/$project/www/static;
 try_files $uri =404;
 }
+ # ^~ == prefix location, ignoruj regexp locations
+ location ^~ /static/ {
+ alias {{ .chezmoi.homeDir }}/jopixel/$project/www/static/;
+ expires max;
+ log_not_found off;
+ }
+
 location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
 expires max;
 log_not_found off;
@@ -221,7 +233,7 @@ http {
 error_page 404 /errors/404.html;
 error_page 403 /errors/403.html;
 location /errors/ {
- alias {{.chezmoi.homeDir}}/jopixel/errorpages/;
+ alias {{ .chezmoi.homeDir }}/jopixel/errorpages/;
 }
 }
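Review bot: The new `location ^~ /static/` publicly serves the same directory that the neighbouring `location /_static/` block marks `internal` (`.../jopixel/$project/www/static`); if `internal` is there so the application decides who may fetch those files (presumably via X-Accel-Redirect), the new prefix location bypasses that decision, and if it is not, `/_static/` is now redundant. Whichever is intended should be stated next to the block, e.g. `# public: these assets need no app-side check; /_static/ is kept only for X-Accel-Redirect`. Separately, `proxy_pass http://s3.appsincloud.net:7480/;` in the new `/files/` location strips the `/files/` prefix, so every path on that upstream, not a single bucket, is reachable through this prefix over plaintext HTTP with only `X-Forwarded-Proto` forwarded; if one bucket is meant, put it in the proxy_pass URI, and the same applies to the pre-existing block just above it. The enclosing server block starts and ends outside the hunk.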
@@ -236,14 +248,14 @@ http {
 listen 443 ssl default_server http2;
 listen [::]:443 ssl default_server http2;
- ssl_certificate {{.chezmoi.homeDir}}/.config/nginx/ssl/localhost.crt;
- ssl_certificate_key {{.chezmoi.homeDir}}/.config/nginx/ssl/localhost.key;
+ ssl_certificate {{ .chezmoi.homeDir }}/.config/nginx/ssl/localhost.crt;
+ ssl_certificate_key {{ .chezmoi.homeDir }}/.config/nginx/ssl/localhost.key;
 client_max_body_size 1G;
 set $project "katalogy";
- root {{.chezmoi.homeDir}}/jopixel/$project/www/www;
+ root {{ .chezmoi.homeDir }}/jopixel/$project/www/www;
 #add_header Access-Control-Allow-Origin "*";
@@ -308,7 +320,7 @@ http {
 location /_static/ {
 internal;
- root {{.chezmoi.homeDir}}/jopixel/$project/www/static;
+ root {{ .chezmoi.homeDir }}/jopixel/$project/www/static;
 try_files $uri =404;
 }
@@ -325,7 +337,7 @@ http {
 error_page 404 /errors/404.html;
 error_page 403 /errors/403.html;
 location /errors/ {
- alias {{.chezmoi.homeDir}}/jopixel/errorpages/;
+ alias {{ .chezmoi.homeDir }}/jopixel/errorpages/;
 }
 }
@@ -338,8 +350,8 @@ http {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
- ssl_certificate {{.chezmoi.homeDir}}/.config/nginx/ssl/localhost.crt;
- ssl_certificate_key {{.chezmoi.homeDir}}/.config/nginx/ssl/localhost.key;
+ ssl_certificate {{ .chezmoi.homeDir }}/.config/nginx/ssl/localhost.crt;
+ ssl_certificate_key {{ .chezmoi.homeDir }}/.config/nginx/ssl/localhost.key;
 location / {
@@ -362,12 +374,12 @@ http {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
- ssl_certificate {{.chezmoi.homeDir}}/.config/nginx/ssl/localhost.crt;
- ssl_certificate_key {{.chezmoi.homeDir}}/.config/nginx/ssl/localhost.key;
+ ssl_certificate {{ .chezmoi.homeDir }}/.config/nginx/ssl/localhost.crt;
+ ssl_certificate_key {{ .chezmoi.homeDir }}/.config/nginx/ssl/localhost.key;
 client_max_body_size 1G;
- root {{.chezmoi.homeDir}}/jopixel/wp2.localhost/live/www/www;
+ root {{ .chezmoi.homeDir }}/jopixel/wp2.localhost/live/www/www;
 #add_header Access-Control-Allow-Origin "*";
@@ -383,7 +395,7 @@ http {
 }
 location /skel {
- alias {{.chezmoi.homeDir}}/jopixel/vpscontroller/wordpress-skel/uploads/;
+ alias {{ .chezmoi.homeDir }}/jopixel/vpscontroller/wordpress-skel/uploads/;
 }
 location ~ .php$ {
@@ -425,4 +437,95 @@ http {
 }
 }
+ server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name djinn1.localhost;
+
+ # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ set $prefix "";
+
+ ssl_certificate {{ .chezmoi.homeDir }}/.config/nginx/ssl/localhost.crt;
+ ssl_certificate_key {{ .chezmoi.homeDir }}/.config/nginx/ssl/localhost.key;
+
+ root {{ .chezmoi.homeDir }}/jopixel/jitsi-meet/;
+
+ # ssi on with javascript for multidomain variables in config.js
+ ssi on;
+ ssi_types application/x-javascript application/javascript;
+
+ index index.html index.htm;
+ error_page 404 /static/404.html;
+
+ gzip on;
+ gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
+ gzip_vary on;
+ gzip_proxied no-cache no-store private expired auth;
+ gzip_min_length 512;
+
+ # location = /config.js {
+ # alias /etc/jitsi/meet/djinn1.jopixel.cz-config.js;
+ # }
+
+ # location = /external_api.js {
+ # alias /usr/share/jitsi-meet/libs/external_api.min.js;
+ # }
+
+ # ensure all static content can always be found first
+ location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
+ {
+ add_header 'Access-Control-Allow-Origin' '*';
+ alias {{ .chezmoi.homeDir }}/jopixel/jitsi-meet/$1/$2;
+ }
+
+ location ~ ^/([^/?&:'"]+)$ {
+ try_files $uri @root_path;
+ }
+
+ location @root_path {
+ rewrite ^/(.*)$ / break;
+ }
+
+ # location ~ ^/([^/?&:'"]+)/config.js$
+ # {
+ # set $subdomain "$1.";
+ # set $subdir "$1/";
+
+ # alias /etc/jitsi/meet/djinn1.jopixel.cz-config.js;
+ # }
+
+ # BOSH for subdomains
+ location ~ ^/([^/?&:'"]+)/http-bind {
+ set $subdomain "$1.";
+ set $subdir "$1/";
+ set $prefix "$1";
+
+ rewrite ^/(.*)$ /http-bind;
+ }
+
+ # websockets for subdomains
+ location ~ ^/([^/?&:'"]+)/xmpp-websocket {
+ set $subdomain "$1.";
+ set $subdir "$1/";
+ set $prefix "$1";
+
+ rewrite ^/(.*)$ /xmpp-websocket;
+ }
+
+ # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
+ location ~ ^/([^/?&:'"]+)/(.*)$ {
+ set $subdomain "$1.";
+ set $subdir "$1/";
+ rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
+ }
+ }
 }
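Review bot: The `add_header 'Access-Control-Allow-Origin' '*';` inside the `location ~ ^/(libs|css|static|images|...)/(.*)$` block drops the server-level `add_header Strict-Transport-Security "max-age=63072000" always;` for every asset served from that location, because nginx inherits add_header from the enclosing level only when the current level defines none; repeat the HSTS line inside that location (and in any other location that later gains its own add_header). The `.well-known` alternative in the same regex has an unescaped dot, so the pattern also matches any other single character before `well-known`; write it as `\.well-known`. `$subdomain` and `$subdir` are set in the http-bind, xmpp-websocket and catch-all locations but nothing in this hunk reads them, the config.js location that presumably would being commented out; a one-line comment naming their consumer (the SSI-processed config.js, if that is the intent) or removing the sets would help the next reader.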