mirror of
https://github.com/bensuperpc/infrastructure.git
synced 2024-12-22 08:44:28 +01:00
Update with Caddy
Signed-off-by: Bensuperpc <bensuperpc@gmail.com>
This commit is contained in:
parent
1e912164a6
commit
1babc4f57b
2
Makefile
2
Makefile
@ -20,7 +20,7 @@
|
|||||||
|
|
||||||
DOCKER := docker
|
DOCKER := docker
|
||||||
|
|
||||||
PROFILES := webserver database wordpress
|
PROFILES := webserver database wordpress adminer
|
||||||
PROFILE_CMD := $(addprefix --profile ,$(PROFILES))
|
PROFILE_CMD := $(addprefix --profile ,$(PROFILES))
|
||||||
|
|
||||||
|
|
||||||
|
11
README.md
11
README.md
@ -63,12 +63,15 @@ And then, caddy will generate the certificate for you and renew it automatically
|
|||||||
|
|
||||||
### Configure the infrastructure
|
### Configure the infrastructure
|
||||||
|
|
||||||
You must create a file named `.env` with the following content:
|
You must create a folder named `env` with the following content:
|
||||||
|
|
||||||
|
file named `.env` with the following content:
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
MARIADB_ROOT_PASSWORD=<your_root_password>
|
MARIADB_ROOT_PASSWORD=7L1Ncbquax0B2TCOmrjaQl9n5mnY88bQ
|
||||||
MARIADB_USER=<your_user>
|
MARIADB_USER=bensuperpc
|
||||||
MARIADB_PASSWORD=<your_password>
|
MARIADB_PASSWORD=lEOEf8cndnDjp84O4Uv5D9zJLJDFatLw
|
||||||
|
MARIADB_DATABASE=wordpress
|
||||||
```
|
```
|
||||||
|
|
||||||
### Wordpress website
|
### Wordpress website
|
||||||
|
@ -1,3 +1 @@
|
|||||||
#import /path/to/*.caddy
|
|
||||||
|
|
||||||
import wordpress/Caddyfile
|
import wordpress/Caddyfile
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
bensuperpc.org {
|
www.bensuperpc.org {
|
||||||
# push
|
# push
|
||||||
|
|
||||||
root * /var/www/html
|
root * /var/www/html
|
||||||
@ -14,27 +14,21 @@ bensuperpc.org {
|
|||||||
path *.sql
|
path *.sql
|
||||||
path /wp-content/uploads/*.php
|
path /wp-content/uploads/*.php
|
||||||
}
|
}
|
||||||
|
|
||||||
rewrite @disallowed '/index.php'
|
rewrite @disallowed '/index.php'
|
||||||
|
|
||||||
respond /uploads/*.php 404
|
respond /uploads/*.php 404
|
||||||
|
|
||||||
header {
|
|
||||||
-Server
|
|
||||||
Content-Security-Policy default-src 'self' *.bensuperpc.org
|
|
||||||
X-XSS-Protection 1; mode=block
|
|
||||||
Strict-Transport-Security max-age=31536000; includeSubDomains; preload
|
|
||||||
X-Frame-Options DENY
|
|
||||||
X-Frame-Options: SAMEORIGIN
|
|
||||||
X-Content-Type-Options nosniff
|
|
||||||
Referrer-Policy no-referrer-when-downgrade
|
|
||||||
}
|
|
||||||
|
|
||||||
log {
|
log {
|
||||||
output stdout
|
output stdout
|
||||||
format console
|
format console
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
www.bensuperpc.com {
|
bensuperpc.org {
|
||||||
redir https://bensuperpc.org{uri}
|
redir https://www.bensuperpc.org{uri} permanent
|
||||||
|
}
|
||||||
|
|
||||||
|
adminer.bensuperpc.org {
|
||||||
|
reverse_proxy adminer:7777
|
||||||
}
|
}
|
||||||
|
@ -20,7 +20,7 @@ services:
|
|||||||
wordpress:
|
wordpress:
|
||||||
depends_on:
|
depends_on:
|
||||||
- database
|
- database
|
||||||
image: wordpress:6.2-fpm-alpine
|
image: wordpress:fpm
|
||||||
container_name: wordpress
|
container_name: wordpress
|
||||||
profiles:
|
profiles:
|
||||||
- wordpress
|
- wordpress
|
||||||
@ -38,6 +38,7 @@ services:
|
|||||||
container_name: webserver
|
container_name: webserver
|
||||||
profiles:
|
profiles:
|
||||||
- webserver
|
- webserver
|
||||||
|
restart: always
|
||||||
ports:
|
ports:
|
||||||
- 80:80/tcp
|
- 80:80/tcp
|
||||||
- 80:80/udp
|
- 80:80/udp
|
||||||
@ -50,20 +51,18 @@ services:
|
|||||||
- ./caddy:/etc/caddy:ro
|
- ./caddy:/etc/caddy:ro
|
||||||
networks:
|
networks:
|
||||||
- blog-network
|
- blog-network
|
||||||
# phpmyadmin:
|
adminer:
|
||||||
# image: phpmyadmin:5.2.0
|
image: adminer:latest
|
||||||
# container_name: phpmyadmin
|
container_name: adminer
|
||||||
# profiles:
|
profiles:
|
||||||
# - phpmyadmin
|
- adminer
|
||||||
# restart: always
|
restart: always
|
||||||
# env_file:
|
env_file:
|
||||||
# - env/phpmyadmin.env
|
- env/adminer.env
|
||||||
# ports:
|
depends_on:
|
||||||
# - 8080:80
|
- database
|
||||||
# depends_on:
|
networks:
|
||||||
# - database
|
- blog-network
|
||||||
# networks:
|
|
||||||
# - blog-network
|
|
||||||
# security_opt:
|
# security_opt:
|
||||||
# - no-new-privileges:true
|
# - no-new-privileges:true
|
||||||
# - seccomp:unconfined
|
# - seccomp:unconfined
|
||||||
|
4
env/flask_database.env
vendored
4
env/flask_database.env
vendored
@ -1,4 +0,0 @@
|
|||||||
POSTGRES_HOST_AUTH_METHOD=trust
|
|
||||||
POSTGRES_USER=bensuperpc
|
|
||||||
POSTGRES_PASSWORD=nPRh270dKH3hz%6HS2$X%8F3fqoQ*Fex
|
|
||||||
POSTGRES_DB=website
|
|
7
env/flask_website.env
vendored
7
env/flask_website.env
vendored
@ -1,7 +0,0 @@
|
|||||||
FLASK_DEBUG=1
|
|
||||||
|
|
||||||
# Acces to the database
|
|
||||||
POSTGRES_URL=flask_db:5432
|
|
||||||
POSTGRES_USER=bensuperpc
|
|
||||||
POSTGRES_PW=nPRh270dKH3hz%6HS2$X%8F3fqoQ*Fex
|
|
||||||
POSTGRES_DB=website
|
|
3
env/pgadmin.env
vendored
3
env/pgadmin.env
vendored
@ -1,3 +0,0 @@
|
|||||||
PGADMIN_DEFAULT_EMAIL=bensuperpc@bensuperpc.org
|
|
||||||
PGADMIN_DEFAULT_PASSWORD=LmRVf9DY291ez7B^^%2RntHcsCrJ5fQ!
|
|
||||||
#PGADMIN_ENABLE_TLS
|
|
4
env/phpmyadmin.env
vendored
4
env/phpmyadmin.env
vendored
@ -1,4 +0,0 @@
|
|||||||
MYSQL_ROOT_PASSWORD=g1qQWxTXyFXIKpAfbE0h5bxn&prr4zfd
|
|
||||||
MYSQL_USER=bensuperpc
|
|
||||||
MYSQL_PASSWORD=4Xnc7FB7902%*w9PW4y9&anQ5&hQdTzt
|
|
||||||
PMA_HOST=db
|
|
4
env/wordpress.env
vendored
4
env/wordpress.env
vendored
@ -1,4 +1,4 @@
|
|||||||
WORDPRESS_DB_USER=bensuperpc
|
WORDPRESS_DB_USER=bensuperpc
|
||||||
WORDPRESS_DB_PASSWORD=4Xnc7FB7902%*w9PW4y9&anQ5&hQdTzt
|
WORDPRESS_DB_PASSWORD=lEOEf8cndnDjp84O4Uv5D9zJLJDFatLw
|
||||||
WORDPRESS_DB_NAME=wordpress
|
WORDPRESS_DB_NAME=wordpress
|
||||||
WORDPRESS_DB_HOST=wp_db:3306
|
WORDPRESS_DB_HOST=database:3306
|
||||||
|
4
env/wp_database.env
vendored
4
env/wp_database.env
vendored
@ -1,4 +0,0 @@
|
|||||||
MARIADB_ROOT_PASSWORD=g1qQWxTXyFXIKpAfbE0h5bxn&prr4zfd
|
|
||||||
MARIADB_USER=bensuperpc
|
|
||||||
MARIADB_PASSWORD=4Xnc7FB7902%*w9PW4y9&anQ5&hQdTzt
|
|
||||||
MARIADB_DATABASE=wordpress
|
|
@ -1,32 +0,0 @@
|
|||||||
version: "3.9"
|
|
||||||
|
|
||||||
services:
|
|
||||||
certbot:
|
|
||||||
depends_on:
|
|
||||||
- webserver
|
|
||||||
image: certbot/certbot:v1.32.0
|
|
||||||
container_name: certbot
|
|
||||||
profiles:
|
|
||||||
- certbot
|
|
||||||
volumes:
|
|
||||||
- certbot-cert:/etc/letsencrypt
|
|
||||||
- wordpress:/var/www/wordpress
|
|
||||||
- jellyfin:/var/www/jellyfin
|
|
||||||
#command: >
|
|
||||||
# certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --staging --webroot
|
|
||||||
# --webroot-path=/var/www/wordpress --domain bensuperpc.org --domain www.bensuperpc.org
|
|
||||||
# --webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org
|
|
||||||
|
|
||||||
#command: >
|
|
||||||
# certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --force-renewal --webroot
|
|
||||||
# --webroot-path=/var/www/wordpress --domain bensuperpc.org --domain www.bensuperpc.org
|
|
||||||
# --webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org
|
|
||||||
|
|
||||||
command: >
|
|
||||||
certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --keep-until-expiring --webroot
|
|
||||||
--webroot-path=/var/www/wordpress --domain bensuperpc.org --domain www.bensuperpc.org
|
|
||||||
--webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org
|
|
||||||
|
|
||||||
volumes:
|
|
||||||
certbot-cert:
|
|
||||||
name: certbot-cert
|
|
@ -1,46 +0,0 @@
|
|||||||
version: "3.9"
|
|
||||||
|
|
||||||
services:
|
|
||||||
qbittorrent:
|
|
||||||
image: lscr.io/linuxserver/qbittorrent:latest
|
|
||||||
container_name: qbittorrent
|
|
||||||
profiles:
|
|
||||||
- qbittorrent
|
|
||||||
environment:
|
|
||||||
- PUID=1000
|
|
||||||
- PGID=1000
|
|
||||||
- TZ=Europe/London
|
|
||||||
- WEBUI_PORT=8080
|
|
||||||
volumes:
|
|
||||||
- qbittorrent-conf:/config
|
|
||||||
- qbittorrent-downloads:/downloads
|
|
||||||
#ports:
|
|
||||||
# - 8080:8080
|
|
||||||
# - 6881:6881
|
|
||||||
# - 6881:6881/udp
|
|
||||||
restart: unless-stopped
|
|
||||||
networks:
|
|
||||||
- app-network
|
|
||||||
jellyfin:
|
|
||||||
image: lscr.io/linuxserver/jellyfin:latest
|
|
||||||
container_name: jellyfin
|
|
||||||
profiles:
|
|
||||||
- jellyfin
|
|
||||||
environment:
|
|
||||||
- PUID=1000
|
|
||||||
- PGID=1000
|
|
||||||
- TZ=Europe/London
|
|
||||||
- JELLYFIN_PublishedServerUrl=192.168.0.5 #optional
|
|
||||||
volumes:
|
|
||||||
- jellyfin-config:/config
|
|
||||||
- jellyfin-tvseries:/data/tvshows
|
|
||||||
- jellyfin-movies:/data/movies
|
|
||||||
- jellyfin:/var/www/html
|
|
||||||
#ports:
|
|
||||||
# - 8096:8096
|
|
||||||
# - 8920:8920 #optional
|
|
||||||
# - 7359:7359/udp #optional
|
|
||||||
# - 1900:1900/udp #optional
|
|
||||||
restart: unless-stopped
|
|
||||||
networks:
|
|
||||||
- app-network
|
|
@ -1,6 +0,0 @@
|
|||||||
version: "3.9"
|
|
||||||
|
|
||||||
networks:
|
|
||||||
app-network:
|
|
||||||
driver: bridge
|
|
||||||
name: app-network
|
|
@ -1,32 +0,0 @@
|
|||||||
version: "3.9"
|
|
||||||
|
|
||||||
services:
|
|
||||||
webserver:
|
|
||||||
depends_on:
|
|
||||||
- wordpress
|
|
||||||
image: nginx:1.23
|
|
||||||
container_name: webserver
|
|
||||||
profiles:
|
|
||||||
- webserver
|
|
||||||
restart: unless-stopped
|
|
||||||
ports:
|
|
||||||
- "80:80"
|
|
||||||
- "443:443"
|
|
||||||
volumes:
|
|
||||||
- wordpress:/var/www/wordpress
|
|
||||||
- jellyfin:/var/www/jellyfin
|
|
||||||
- ./nginx/conf.d:/etc/nginx/conf.d:ro
|
|
||||||
- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
|
|
||||||
- certbot-cert:/etc/letsencrypt:ro
|
|
||||||
networks:
|
|
||||||
- app-network
|
|
||||||
security_opt:
|
|
||||||
- "no-new-privileges:true"
|
|
||||||
cap_drop:
|
|
||||||
- "ALL"
|
|
||||||
cap_add:
|
|
||||||
- "NET_RAW"
|
|
||||||
- "NET_BIND_SERVICE"
|
|
||||||
- "CAP_CHOWN"
|
|
||||||
- "SETGID"
|
|
||||||
- "SETUID"
|
|
@ -1,15 +0,0 @@
|
|||||||
version: "3.9"
|
|
||||||
|
|
||||||
volumes:
|
|
||||||
qbittorrent-downloads:
|
|
||||||
name: qbittorrent-downloads
|
|
||||||
qbittorrent-conf:
|
|
||||||
name: qbittorrent-conf
|
|
||||||
jellyfin-config:
|
|
||||||
name: jellyfin-config
|
|
||||||
jellyfin-tvseries:
|
|
||||||
name: jellyfin-tvseries
|
|
||||||
jellyfin-movies:
|
|
||||||
name: jellyfin-movies
|
|
||||||
jellyfin:
|
|
||||||
name: jellyfin
|
|
@ -1,62 +0,0 @@
|
|||||||
version: "3.9"
|
|
||||||
|
|
||||||
services:
|
|
||||||
wp_db:
|
|
||||||
image: mariadb:10.10.2
|
|
||||||
container_name: wp_db
|
|
||||||
profiles:
|
|
||||||
- wp_db
|
|
||||||
restart: unless-stopped
|
|
||||||
env_file:
|
|
||||||
- env/wp_database.env
|
|
||||||
volumes:
|
|
||||||
- dbdata:/var/lib/mysql
|
|
||||||
networks:
|
|
||||||
- app-network
|
|
||||||
|
|
||||||
wordpress:
|
|
||||||
depends_on:
|
|
||||||
- wp_db
|
|
||||||
image: wordpress:6.1.1-php8.1-fpm
|
|
||||||
container_name: wordpress
|
|
||||||
profiles:
|
|
||||||
- wordpress
|
|
||||||
restart: unless-stopped
|
|
||||||
env_file:
|
|
||||||
- env/wordpress.env
|
|
||||||
# environment:
|
|
||||||
# - WORDPRESS_DB_HOST=wp_db:3306
|
|
||||||
volumes:
|
|
||||||
- wordpress:/var/www/html
|
|
||||||
networks:
|
|
||||||
- app-network
|
|
||||||
security_opt:
|
|
||||||
- "no-new-privileges:true"
|
|
||||||
cap_drop:
|
|
||||||
- "ALL"
|
|
||||||
cap_add:
|
|
||||||
- "NET_RAW"
|
|
||||||
- "CAP_CHOWN"
|
|
||||||
- "SETGID"
|
|
||||||
- "SETUID"
|
|
||||||
|
|
||||||
phpmyadmin:
|
|
||||||
image: phpmyadmin:5.2.0
|
|
||||||
container_name: phpmyadmin
|
|
||||||
profiles:
|
|
||||||
- phpmyadmin
|
|
||||||
restart: unless-stopped
|
|
||||||
env_file:
|
|
||||||
- env/phpmyadmin.env
|
|
||||||
# ports:
|
|
||||||
# - 8080:80
|
|
||||||
depends_on:
|
|
||||||
- wp_db
|
|
||||||
networks:
|
|
||||||
- app-network
|
|
||||||
|
|
||||||
volumes:
|
|
||||||
wordpress:
|
|
||||||
name: wordpress
|
|
||||||
dbdata:
|
|
||||||
name: dbdata
|
|
@ -1,29 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
|
|
||||||
server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;
|
|
||||||
|
|
||||||
root /var/www/jellyfin;
|
|
||||||
|
|
||||||
location ~ /.well-known/acme-challenge {
|
|
||||||
allow all;
|
|
||||||
root /var/www/jellyfin;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
# Proxy main Jellyfin traffic
|
|
||||||
proxy_pass http://jellyfin:8096;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
|
||||||
|
|
||||||
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
|
|
||||||
proxy_buffering off;
|
|
||||||
}
|
|
||||||
|
|
||||||
resolver 8.8.8.8;
|
|
||||||
}
|
|
@ -1,50 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
|
|
||||||
server_name bensuperpc.org www.bensuperpc.org;
|
|
||||||
|
|
||||||
index index.php index.html index.htm;
|
|
||||||
|
|
||||||
root /var/www/wordpress;
|
|
||||||
|
|
||||||
location ~ /.well-known/acme-challenge {
|
|
||||||
allow all;
|
|
||||||
root /var/www/wordpress;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ /index.php$is_args$args;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ \.php$ {
|
|
||||||
try_files $uri =404;
|
|
||||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
||||||
fastcgi_pass wordpress:9000;
|
|
||||||
fastcgi_index index.php;
|
|
||||||
include fastcgi_params;
|
|
||||||
|
|
||||||
# Necessary to avoid 404 error when changing the wordpress path
|
|
||||||
#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
||||||
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
|
|
||||||
|
|
||||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ /\.ht {
|
|
||||||
deny all;
|
|
||||||
}
|
|
||||||
|
|
||||||
location = /favicon.ico {
|
|
||||||
log_not_found off; access_log off;
|
|
||||||
}
|
|
||||||
location = /robots.txt {
|
|
||||||
log_not_found off; access_log off; allow all;
|
|
||||||
}
|
|
||||||
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
|
|
||||||
expires max;
|
|
||||||
log_not_found off;
|
|
||||||
}
|
|
||||||
|
|
||||||
resolver 8.8.8.8;
|
|
||||||
}
|
|
@ -1,141 +0,0 @@
|
|||||||
proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=3g inactive=30d use_temp_path=off;
|
|
||||||
proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=3g;
|
|
||||||
map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
|
|
||||||
map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
|
|
||||||
|
|
||||||
upstream jellyfin_server {
|
|
||||||
# ip_hash;
|
|
||||||
server jellyfin:8096;
|
|
||||||
# server jellyfin:8096 weight=1 max_fails=3 fail_timeout=30s;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Redirect all http requests to the main server wordpress_server
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
|
|
||||||
server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;
|
|
||||||
|
|
||||||
location ~ /.well-known/acme-challenge {
|
|
||||||
allow all;
|
|
||||||
root /var/www/jellyfin;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 301 https://$host$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;
|
|
||||||
|
|
||||||
#client_max_body_size 20M;
|
|
||||||
set $jellyfin jellyfin;
|
|
||||||
resolver 8.8.8.8 valid=30;
|
|
||||||
|
|
||||||
# All things related to SSL
|
|
||||||
ssl_certificate /etc/letsencrypt/live/bensuperpc.org/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/bensuperpc.org/privkey.pem;
|
|
||||||
ssl_trusted_certificate /etc/letsencrypt/live/bensuperpc.org/chain.pem;
|
|
||||||
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
|
||||||
#add_header Strict-Transport-Security "max-age=31536000" always;
|
|
||||||
|
|
||||||
include /etc/nginx/conf.d/sub/options-ssl-nginx.conf;
|
|
||||||
|
|
||||||
# Security / XSS Mitigation Headers
|
|
||||||
# NOTE: X-Frame-Options may cause issues with the webOS app
|
|
||||||
add_header X-Frame-Options "SAMEORIGIN";
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
|
||||||
add_header X-Content-Type-Options "nosniff";
|
|
||||||
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
|
|
||||||
|
|
||||||
location = / {
|
|
||||||
return 302 http://$host/web/;
|
|
||||||
#return 302 https://$host/web/;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
# Proxy main Jellyfin traffic
|
|
||||||
proxy_pass http://jellyfin_server;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
|
||||||
|
|
||||||
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
|
|
||||||
proxy_buffering off;
|
|
||||||
}
|
|
||||||
|
|
||||||
location = /web/ {
|
|
||||||
# Proxy main Jellyfin traffic
|
|
||||||
proxy_pass http://jellyfin_server/web/index.html;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /socket {
|
|
||||||
# Proxy Jellyfin Websockets traffic
|
|
||||||
proxy_pass http://jellyfin_server;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Cache images
|
|
||||||
location ~ /Items/(.*)/Images {
|
|
||||||
#proxy_pass http://127.0.0.1:8096;
|
|
||||||
proxy_pass http://jellyfin_server;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
|
||||||
|
|
||||||
proxy_cache jellyfin;
|
|
||||||
proxy_cache_revalidate on;
|
|
||||||
proxy_cache_lock on;
|
|
||||||
add_header X-Cache-Status $upstream_cache_status; # This is only to check if cache is working
|
|
||||||
}
|
|
||||||
|
|
||||||
# Cache videos
|
|
||||||
location ~* ^/Videos/(.*)/(?!live)
|
|
||||||
{
|
|
||||||
slice 2m;
|
|
||||||
|
|
||||||
proxy_cache jellyfin-videos;
|
|
||||||
proxy_cache_valid 200 206 301 302 30d;
|
|
||||||
proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires;
|
|
||||||
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
|
|
||||||
proxy_connect_timeout 15s;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Connection "";
|
|
||||||
# Transmit slice range to the backend
|
|
||||||
proxy_set_header Range $slice_range;
|
|
||||||
|
|
||||||
proxy_cache_lock on;
|
|
||||||
proxy_cache_lock_age 60s;
|
|
||||||
|
|
||||||
#proxy_pass http://$jellyfin:8096;
|
|
||||||
proxy_pass http://jellyfin_server;
|
|
||||||
proxy_cache_key "jellyvideo$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level&slicerange=$slice_range";
|
|
||||||
|
|
||||||
add_header X-Cache-Status $upstream_cache_status; # This is only for debugging cache
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# All configuration options are documented at https://jellyfin.org/docs/general/networking/nginx/
|
|
@ -1,12 +0,0 @@
|
|||||||
#upstream minecraft {
|
|
||||||
# server minecraft:25565;
|
|
||||||
#}
|
|
||||||
#
|
|
||||||
#server {
|
|
||||||
# listen 25566;
|
|
||||||
# server_name minecraft.bensuperpc.org www.minecraft.bensuperpc.org;
|
|
||||||
# location / {
|
|
||||||
# proxy_pass minecraft;
|
|
||||||
# }
|
|
||||||
#}
|
|
||||||
|
|
@ -1,28 +0,0 @@
|
|||||||
#include /etc/nginx/conf.d/sub/cache-proxy.conf;
|
|
||||||
|
|
||||||
upstream phpmyadmin_server {
|
|
||||||
# ip_hash;
|
|
||||||
server phpmyadmin:80;
|
|
||||||
# server phpmyadmin:80 weight=1 max_fails=3 fail_timeout=30s;
|
|
||||||
}
|
|
||||||
|
|
||||||
# PHPmyadmin
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
#listen 443;
|
|
||||||
#listen [::]:443;
|
|
||||||
|
|
||||||
server_name phpmyadmin.bensuperpc.org www.phpmyadmin.bensuperpc.org;
|
|
||||||
|
|
||||||
include /etc/nginx/conf.d/sub/gzip.conf;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://phpmyadmin_server;
|
|
||||||
proxy_redirect off;
|
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
}
|
|
||||||
|
|
||||||
# resolver 8.8.8.8;
|
|
||||||
}
|
|
@ -1,26 +0,0 @@
|
|||||||
upstream qbittorrent_server {
|
|
||||||
# ip_hash;
|
|
||||||
server qbittorrent:8080;
|
|
||||||
# server qbittorrent:8080 weight=1 max_fails=3 fail_timeout=30s;
|
|
||||||
}
|
|
||||||
|
|
||||||
# PHPmyadmin
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
#listen 443;
|
|
||||||
#listen [::]:443;
|
|
||||||
|
|
||||||
server_name qbittorrent.bensuperpc.org www.qbittorrent.bensuperpc.org;
|
|
||||||
|
|
||||||
include /etc/nginx/conf.d/sub/gzip.conf;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://qbittorrent_server;
|
|
||||||
proxy_redirect off;
|
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
}
|
|
||||||
|
|
||||||
# resolver 8.8.8.8;
|
|
||||||
}
|
|
@ -1,23 +0,0 @@
|
|||||||
# The path to store the cache files, limit the folder to 100MB
|
|
||||||
fastcgi_cache_path /var/run/nginx-cache-fastcgi levels=1:2 keys_zone=WORDPRESS:100m inactive=120m max_size=1g use_temp_path=off;
|
|
||||||
|
|
||||||
# A unique request is defined by this cache key
|
|
||||||
fastcgi_cache_key "$scheme$request_method$host$request_uri";
|
|
||||||
|
|
||||||
# Show the cached version if upstream gives a timeout or a HTTP 500 error
|
|
||||||
fastcgi_cache_use_stale error timeout invalid_header http_500;
|
|
||||||
|
|
||||||
# Revalidate items in the cache if they are update
|
|
||||||
fastcgi_cache_revalidate on;
|
|
||||||
|
|
||||||
# Minimum time to store an item in the cache
|
|
||||||
fastcgi_cache_min_uses 3;
|
|
||||||
|
|
||||||
# Cache everything for 1 day
|
|
||||||
fastcgi_cache_valid 1d;
|
|
||||||
|
|
||||||
# Don't use the following headers to define the cache variables
|
|
||||||
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
|
|
||||||
|
|
||||||
# Some parts of this file are from
|
|
||||||
# https://gist.github.com/TrafeX/6d582b6d040702088722
|
|
@ -1,20 +0,0 @@
|
|||||||
# The path to store the cache files, limit the folder to 100MB
|
|
||||||
proxy_cache_path /var/run/nginx-cache-proxy levels=1:2 keys_zone=PROXY:100m inactive=120m max_size=1g use_temp_path=off;
|
|
||||||
|
|
||||||
# A unique request is defined by this cache key
|
|
||||||
proxy_cache_key "$scheme$request_method$host$request_uri";
|
|
||||||
|
|
||||||
# Show the cached version if upstream gives a timeout or a HTTP 500 error
|
|
||||||
proxy_cache_use_stale error timeout invalid_header http_500;
|
|
||||||
|
|
||||||
# Revalidate items in the cache if they are update
|
|
||||||
proxy_cache_revalidate on;
|
|
||||||
|
|
||||||
# Minimum time to store an item in the cache
|
|
||||||
proxy_cache_min_uses 3;
|
|
||||||
|
|
||||||
# Cache everything for 1 day
|
|
||||||
proxy_cache_valid 1d;
|
|
||||||
|
|
||||||
# Don't use the following headers to define the cache variables
|
|
||||||
proxy_ignore_headers Cache-Control Expires Set-Cookie;
|
|
@ -1,20 +0,0 @@
|
|||||||
# The path to store the cache files, limit the folder to 100MB
|
|
||||||
uwsgi_cache_path /var/run/nginx-cache-uwsgi levels=1:2 keys_zone=UWSGI:100m inactive=120m max_size=1g use_temp_path=off;
|
|
||||||
|
|
||||||
# A unique request is defined by this cache key
|
|
||||||
uwsgi_cache_key "$scheme$request_method$host$request_uri";
|
|
||||||
|
|
||||||
# Show the cached version if upstream gives a timeout or a HTTP 500 error
|
|
||||||
uwsgi_cache_use_stale error timeout invalid_header http_500;
|
|
||||||
|
|
||||||
# Revalidate items in the cache if they are update
|
|
||||||
uwsgi_cache_revalidate on;
|
|
||||||
|
|
||||||
# Minimum time to store an item in the cache
|
|
||||||
uwsgi_cache_min_uses 3;
|
|
||||||
|
|
||||||
# Cache everything for 1 day
|
|
||||||
uwsgi_cache_valid 1d;
|
|
||||||
|
|
||||||
# Don't use the following headers to define the cache variables
|
|
||||||
uwsgi_ignore_headers Cache-Control Expires Set-Cookie;
|
|
@ -1,13 +0,0 @@
|
|||||||
# Compression config
|
|
||||||
gzip on;
|
|
||||||
gunzip on;
|
|
||||||
|
|
||||||
gzip_static on;
|
|
||||||
gzip_min_length 1000;
|
|
||||||
gzip_buffers 4 32k;
|
|
||||||
# gzip_http_version 1.1;
|
|
||||||
gzip_proxied any;
|
|
||||||
gzip_types text/plain application/javascript application/x-javascript text/javascript text/xml text/css;
|
|
||||||
gzip_vary on;
|
|
||||||
gzip_comp_level 6;
|
|
||||||
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
|
|
@ -1,13 +0,0 @@
|
|||||||
# generated 2022-11-23, Mozilla Guideline v5.6, nginx 1.23, OpenSSL 1.1.1k, modern configuration
|
|
||||||
# https://ssl-config.mozilla.org/#server=nginx&version=1.23&config=modern&openssl=1.1.1k&guideline=5.6
|
|
||||||
|
|
||||||
ssl_session_cache shared:le_nginx_SSL:10m;
|
|
||||||
ssl_session_timeout 1440m;
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
|
|
||||||
# OCSP stapling
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
@ -1,161 +0,0 @@
|
|||||||
include /etc/nginx/conf.d/sub/cache-fastcgi.conf;
|
|
||||||
|
|
||||||
# All upstream serveur
|
|
||||||
upstream wordpress_server {
|
|
||||||
# ip_hash;
|
|
||||||
server wordpress:9000;
|
|
||||||
# server wordpress:9000 weight=1 max_fails=3 fail_timeout=30s;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Redirect all http requests to the main server wordpress_server
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
|
|
||||||
server_name wordpress.bensuperpc.org www.wordpress.bensuperpc.org bensuperpc.org www.bensuperpc.org;
|
|
||||||
|
|
||||||
location ~ /.well-known/acme-challenge {
|
|
||||||
allow all;
|
|
||||||
root /var/www/wordpress;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 301 https://$host$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# Main server wordpress_server
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
server_name wordpress.bensuperpc.org www.wordpress.bensuperpc.org bensuperpc.org www.bensuperpc.org;
|
|
||||||
|
|
||||||
root /var/www/wordpress;
|
|
||||||
index index.php index.html index.htm;
|
|
||||||
|
|
||||||
# Keepalive for 70 seconds
|
|
||||||
keepalive_timeout 70;
|
|
||||||
|
|
||||||
# Number of requests per connection
|
|
||||||
keepalive_requests 100;
|
|
||||||
|
|
||||||
reset_timedout_connection on;
|
|
||||||
|
|
||||||
# Increase proxy buffers for large requests
|
|
||||||
proxy_buffer_size 128k;
|
|
||||||
proxy_buffers 4 256k;
|
|
||||||
proxy_busy_buffers_size 256k;
|
|
||||||
|
|
||||||
fastcgi_buffer_size 128k;
|
|
||||||
fastcgi_buffers 256 16k;
|
|
||||||
fastcgi_busy_buffers_size 256k;
|
|
||||||
fastcgi_temp_file_write_size 256k;
|
|
||||||
|
|
||||||
# Upload limit
|
|
||||||
client_max_body_size 50m;
|
|
||||||
client_body_buffer_size 128k;
|
|
||||||
|
|
||||||
# Initialize the variable that specified to skip the cache
|
|
||||||
set $skip_cache 0;
|
|
||||||
|
|
||||||
# POST requests and url's with a query string should always skip cache
|
|
||||||
if ($request_method = POST) {
|
|
||||||
set $skip_cache 1;
|
|
||||||
}
|
|
||||||
if ($query_string != "") {
|
|
||||||
set $skip_cache 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Don't cache url's containing the following segments
|
|
||||||
if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
|
|
||||||
set $skip_cache 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Don't use the cache for logged in users or recent commenters
|
|
||||||
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
|
|
||||||
set $skip_cache 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
server_tokens off;
|
|
||||||
|
|
||||||
include /etc/nginx/conf.d/sub/gzip.conf;
|
|
||||||
|
|
||||||
# All things related to SSL
|
|
||||||
ssl_certificate /etc/letsencrypt/live/bensuperpc.org/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/bensuperpc.org/privkey.pem;
|
|
||||||
ssl_trusted_certificate /etc/letsencrypt/live/bensuperpc.org/chain.pem;
|
|
||||||
|
|
||||||
include /etc/nginx/conf.d/sub/options-ssl-nginx.conf;
|
|
||||||
|
|
||||||
# Logging
|
|
||||||
access_log /var/log/nginx/wordpress.access.log;
|
|
||||||
error_log /var/log/nginx/wordpress.error.log;
|
|
||||||
|
|
||||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
||||||
add_header X-XSS-Protection "1; mode=block" always;
|
|
||||||
add_header X-Content-Type-Options "nosniff" always;
|
|
||||||
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
|
||||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ /index.php$is_args$args;
|
|
||||||
# try_files $uri $uri/ /index.php?$args;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ \.php$ {
|
|
||||||
try_files $uri =404;
|
|
||||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
||||||
fastcgi_pass wordpress_server;
|
|
||||||
fastcgi_index index.php;
|
|
||||||
include fastcgi_params;
|
|
||||||
|
|
||||||
# Necessary to avoid 404 error when changing the wordpress path
|
|
||||||
#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
||||||
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
|
|
||||||
|
|
||||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
|
||||||
|
|
||||||
fastcgi_intercept_errors on;
|
|
||||||
|
|
||||||
# Don't cache when $skip_cache is true
|
|
||||||
fastcgi_cache_bypass $skip_cache;
|
|
||||||
fastcgi_no_cache $skip_cache;
|
|
||||||
|
|
||||||
# Use the WORDPRESS zone
|
|
||||||
fastcgi_cache WORDPRESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Don't write to accesslog for these files
|
|
||||||
location = /favicon.ico {
|
|
||||||
log_not_found off;
|
|
||||||
access_log off;
|
|
||||||
}
|
|
||||||
location = /robots.txt {
|
|
||||||
allow all;
|
|
||||||
log_not_found off;
|
|
||||||
access_log off;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Media files with one of these extensions should be cached by the browser
|
|
||||||
location ~* \.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
|
|
||||||
expires max;
|
|
||||||
log_not_found off;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Deny access to .* files
|
|
||||||
location ~ /\. {
|
|
||||||
deny all;
|
|
||||||
access_log off;
|
|
||||||
log_not_found off;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Add cache status header for easy debugging
|
|
||||||
add_header X-cache $upstream_cache_status;
|
|
||||||
|
|
||||||
# From cat /etc/resolv.conf
|
|
||||||
resolver 8.8.8.8;
|
|
||||||
|
|
||||||
# Some parts of this file are from
|
|
||||||
# https://gist.github.com/TrafeX/6d582b6d040702088722
|
|
||||||
}
|
|
@ -1,32 +0,0 @@
|
|||||||
|
|
||||||
user nginx;
|
|
||||||
worker_processes auto;
|
|
||||||
|
|
||||||
error_log /var/log/nginx/error.log notice;
|
|
||||||
pid /var/run/nginx.pid;
|
|
||||||
|
|
||||||
|
|
||||||
events {
|
|
||||||
worker_connections 1024;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
http {
|
|
||||||
include /etc/nginx/mime.types;
|
|
||||||
default_type application/octet-stream;
|
|
||||||
|
|
||||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
||||||
'$status $body_bytes_sent "$http_referer" '
|
|
||||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log main;
|
|
||||||
|
|
||||||
sendfile on;
|
|
||||||
#tcp_nopush on;
|
|
||||||
|
|
||||||
keepalive_timeout 65;
|
|
||||||
|
|
||||||
#gzip on;
|
|
||||||
|
|
||||||
include /etc/nginx/conf.d/*.conf;
|
|
||||||
}
|
|
Loading…
Reference in New Issue
Block a user