Bensuperpc/infrastructure
1
0
Fork 0
mirror of https://github.com/bensuperpc/infrastructure.git synced 2025-10-25 07:16:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: Bensuperpc:bf80b3a4059954559da327422165c8395436d963
Branches Tags
Bensuperpc:main Bensuperpc:dns Bensuperpc:mainold
...
compare: Bensuperpc:mainold
Branches Tags
Bensuperpc:main Bensuperpc:dns Bensuperpc:mainold

6 Commits
bf80b3a405 ... mainold

Author SHA1 Message Date
Bensuperpc
cd2862a358 Update infra 
Signed-off-by: Bensuperpc <bensuperpc@gmail.com>
 2023-04-16 23:43:40 +02:00
Bensuperpc
13c2b7df19 Update nginx config 
Signed-off-by: Bensuperpc <bensuperpc@gmail.com>
 2023-04-16 12:56:07 +02:00
Bensuperpc
20fe33f7d5 Update nginx 
Signed-off-by: Bensuperpc <bensuperpc@gmail.com>
 2023-04-16 00:43:35 +02:00
Bensuperpc
c2f8075fd7 Revert "Update with caddy instead nginx" 
This reverts commit c07c16f2d7.
 2023-04-15 20:41:28 +02:00
Bensuperpc
b13654df15 Revert "Update caddy" 
This reverts commit 951e5b2956.
 2023-04-15 20:41:21 +02:00
Bensuperpc
66b014c076 Revert "Update Caddy" 
This reverts commit 1e912164a6.
 2023-04-15 20:41:16 +02:00
27 changed files with 297 additions and 279 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -1 +1,2 @@
*.env
**/*.env

7
Makefile
View File

@@ -7,9 +7,9 @@
#// |_| |_| //
#//////////////////////////////////////////////////////////////
#// //
#// Infrastructur, 2022 //
#// Script, 2022 //
#// Created: 14, April, 2022 //
#// Modified: 10, April, 2023 //
#// Modified: 17, March, 2023 //
#// file: - //
#// - //
#// Source: //
@@ -20,7 +20,7 @@
DOCKER := docker
PROFILES := webserver database wordpress
PROFILES := wp_db wordpress webserver certbot phpmyadmin qbittorrent jellyfin
PROFILE_CMD := $(addprefix --profile ,$(PROFILES))
@@ -68,7 +68,6 @@ state:
.PHONY: update
update:
git submodule update --init --recursive --remote
git pull --recurse-submodules --all --progress
docker compose $(COMPOSE_FILES) $(PROFILES_CMD) pull

114
README.md
View File

@@ -2,24 +2,23 @@
_My personal infrastructure for my servers and services._
**I moved to caddy inetead of nginx, you can find the old version before this commit:**b98fca7af8954770feec0cd962d35f47bde0d5d2**
## About
This is my infrastructure. It's a collection of scripts and configuration files that I use to manage my servers and services.
It uses ~~Nginx ~~ caddy and docker-compose to run my services (And many other things).
It uses Nginx and docker-compose to run my services (And many other things).
It's a **work in progress**, and I'm still learning a lot about it.
If you have any **questions** or **suggestions**, feel free to open an issue or a pull request.
## Features
- [x] caddy 2 reverse proxy
- [x] Nginx reverse proxy
- [x] Docker / docker-compose
- [x] ~~Letsencrypt / Certbot~~ (Caddy)
- [x] Wordpress (Via FASTCGI/caddy)
- [x] Letsencrypt / Certbot
- [x] Wordpress (Via FASTCGI/NGINX)
- [x] PHPMyAdmin (MariaDB)
- [ ] Qbittorrent
- [ ] Jellyfin
- [x] PGAdmin (PostgreSQL)
- [x] Qbittorrent
- [x] Jellyfin
- [ ] Gitea
- [ ] Mastodon
- [ ] Minecraft server (Hyperworld v2)
@@ -59,18 +58,94 @@ For all **bensuperpc.org**, you need to replace it with your domain, example: **
find . \( -type d -name .git -prune \) -o -type f -print0 | xargs -0 sed -i 's/bensuperpc.org/bensuperpc.com/g'
```
And then, caddy will generate the certificate for you and renew it automatically :D (It's easier than certbot and nginx)
### Configure the infrastructure
You must create a file named `.env` with the following content:
Keep original config file
```sh
MARIADB_ROOT_PASSWORD=<your_root_password>
MARIADB_USER=<your_user>
MARIADB_PASSWORD=<your_password>
cp -r nginx/conf.d nginx/conf.d-original
```
Remove the old config file
```sh
rm -fr nginx/nginx-conf
```
Copy _nginx-conf-cert_ to _nginx-conf_, for temporary use to get the SSL certificate
```sh
cp -r nginx/conf.d-cert nginx/conf.d
```
Replace certbot commands in _docker-compose.yml_, and replace _bensuperpc.org_ by your domain
```yaml
command: >
certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --keep-until-expiring --webroot
--webroot-path=/var/www/wordpress --domain bensuperpc.org --domain www.bensuperpc.org
--webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org
```
With to get the SSL certificate
```yaml
command: >
certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --staging --webroot
--webroot-path=/var/www/wordpress --domain bensuperpc.org --domain www.bensuperpc.org
--webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org
```
Run the docker-compose and exit with CTRL+C and when you have the SSL certificate
```sh
make start-at
```
Replace certbot commands in _docker-compose.yml_ to update and renew the SSL certificate
```sh
command: >
certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --force-renewal --webroot
--webroot-path=/var/www/wordpress --domain bensuperpc.org --domain www.bensuperpc.org
--webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org
```
Run the docker-compose to update and renew the SSL certificate and exit with CTRL+C when you have the SSL certificate
```sh
make start-at
```
Now you can replace the certbot commands in _docker-compose.yml_ with the original one
```yaml
command: >
certonly --email bensuperpc@bensuperpc.fr --agree-tos --rsa-key-size 4096 --no-eff-email --verbose --noninteractive --keep-until-expiring --webroot
--webroot-path=/var/www/wordpress --domain bensuperpc.org --domain www.bensuperpc.org
--webroot-path=/var/www/jellyfin --domain jellyfin.bensuperpc.org --domain www.jellyfin.bensuperpc.org
```
Remove the cert config file
```sh
rm -fr nginx/conf.d
```
Copy _nginx-conf-original_ to _nginx-conf_, for definitive use
```sh
cp -r nginx/conf.d-original nginx/conf.d
```
Now you start services
```sh
make start-at
```
### Flask website
You can follow the [README.md](bensuperpc_website/README.md) to install the Flask website.
### Wordpress website
For the Wordpress website, you can configure in GUI when you go to the website.
@@ -94,6 +169,9 @@ make stop
You can access to the website with:
- [bensuperpc.org](https://bensuperpc.org) and [www.bensuperpc.org](https://www.bensuperpc.org) (Wordpress for now)
- [phpmyadmin.bensuperpc.org](http://phpmyadmin.bensuperpc.org) and [www.phpmyadmin.bensuperpc.org](http://www.phpmyadmin.bensuperpc.org) (PHPMyAdmin for MariaDB)
- [pgadmin.bensuperpc.org](http://pgadmin.bensuperpc.org) and [www.pgadmin.bensuperpc.org](http://www.pgadmin.bensuperpc.org) (PGAdmin for PostgreSQL)
- [qbittorrent.bensuperpc.org](http://qbittorrent.bensuperpc.org) and [www.qbittorrent.bensuperpc.org](http://www.qbittorrent.bensuperpc.org) (Qbittorrent)
## Build with
@@ -104,8 +182,8 @@ You can access to the website with:
- [Docker](https://www.docker.com/)
- [Docker Compose](https://docs.docker.com/compose/)
- [Docker Hub](https://hub.docker.com/)
- [How To Start WordPress with Caddy using Docker Compose](https://minhcung.me/how-to-start-wordpress-with-caddy-using-docker-compose-3d31bb9ef88b)
- [Digital Ocean - How To Install WordPress with Docker Compose (nginx)](https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-docker-compose)
- [Digital Ocean](https://www.digitalocean.com/)
- [Digital Ocean - How To Install WordPress with Docker Compose](https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-docker-compose)
- [PGAmin](https://www.pgadmin.org/)
- [Qbittorrent](https://www.qbittorrent.org/)
- [Jellyfin](https://jellyfin.org/)

3
caddy/Caddyfile
View File

@@ -1,3 +0,0 @@
#import /path/to/*.caddy
import wordpress/Caddyfile

40
caddy/wordpress/Caddyfile
View File

@@ -1,40 +0,0 @@
bensuperpc.org {
# push
root * /var/www/html
php_fastcgi wordpress:9000
file_server
encode zstd gzip
metrics /metrics
@disallowed {
path /xmlrpc.php
path *.sql
path /wp-content/uploads/*.php
}
rewrite @disallowed '/index.php'
respond /uploads/*.php 404
header {
-Server
Content-Security-Policy default-src 'self' *.bensuperpc.org
X-XSS-Protection 1; mode=block
Strict-Transport-Security max-age=31536000; includeSubDomains; preload
X-Frame-Options DENY
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options nosniff
Referrer-Policy no-referrer-when-downgrade
}
log {
output stdout
format console
}
}
www.bensuperpc.com {
redir https://bensuperpc.org{uri}
}

2
old_enginx/docker-compose.certbot.yml → docker-compose.certbot.yml
View File

@@ -4,7 +4,7 @@ services:
certbot:
depends_on:
- webserver
image: certbot/certbot:v1.32.0
image: certbot/certbot:v2.5.0
container_name: certbot
profiles:
- certbot

2
old_enginx/docker-compose.divers.yml → docker-compose.divers.yml
View File

@@ -44,3 +44,5 @@ services:
restart: unless-stopped
networks:
- app-network
security_opt:
- no-new-privileges:true

0
old_enginx/docker-compose.network.yml → docker-compose.network.yml
View File

12
old_enginx/docker-compose.nginx.yml → docker-compose.nginx.yml
View File

@@ -4,7 +4,7 @@ services:
webserver:
depends_on:
- wordpress
image: nginx:1.23
image: nginx:1.24.0
container_name: webserver
profiles:
- webserver
@@ -21,12 +21,4 @@ services:
networks:
- app-network
security_opt:
- "no-new-privileges:true"
cap_drop:
- "ALL"
cap_add:
- "NET_RAW"
- "NET_BIND_SERVICE"
- "CAP_CHOWN"
- "SETGID"
- "SETUID"
- no-new-privileges:true

0
old_enginx/docker-compose.volume.yml → docker-compose.volume.yml
View File

31
old_enginx/docker-compose.wordpress.yml → docker-compose.wordpress.yml
View File

@@ -2,7 +2,7 @@ version: "3.9"
services:
wp_db:
image: mariadb:10.10.2
image: mariadb:10.10.3
container_name: wp_db
profiles:
- wp_db
@@ -13,33 +13,34 @@ services:
- dbdata:/var/lib/mysql
networks:
- app-network
security_opt:
- no-new-privileges:true
wordpress:
depends_on:
- wp_db
image: wordpress:6.1.1-php8.1-fpm
image: wordpress:6.2.0-fpm
container_name: wordpress
profiles:
- wordpress
restart: unless-stopped
env_file:
- env/wordpress.env
# environment:
# - WORDPRESS_DB_HOST=wp_db:3306
volumes:
- wordpress:/var/www/html
networks:
- app-network
security_opt:
- "no-new-privileges:true"
cap_drop:
- "ALL"
cap_add:
- "NET_RAW"
- "CAP_CHOWN"
- "SETGID"
- "SETUID"
- no-new-privileges:true
# cap_drop:
# - ALL
# cap_add:
# - SETUID
# - SETGID
# - DAC_OVERRIDE
# - NET_BIND_SERVICE
# - NET_RAW
# - CAP_CHOWN
phpmyadmin:
image: phpmyadmin:5.2.0
container_name: phpmyadmin
@@ -48,12 +49,12 @@ services:
restart: unless-stopped
env_file:
- env/phpmyadmin.env
# ports:
# - 8080:80
depends_on:
- wp_db
networks:
- app-network
security_opt:
- no-new-privileges:true
volumes:
wordpress:

88
docker-compose.yml
View File

@@ -1,88 +0,0 @@
version: '3.7'
# https://minhcung.me/how-to-start-wordpress-with-caddy-using-docker-compose-3d31bb9ef88b
services:
database:
image: mariadb:latest
container_name: database
profiles:
- database
volumes:
- database:/var/lib/mysql:rw
restart: always
env_file:
- env/mariadb.env
environment:
MYSQL_DATABASE: blog_wp
command: '--default-authentication-plugin=mysql_native_password'
networks:
- blog-network
# Wordpress
wordpress:
depends_on:
- database
image: wordpress:6.2-fpm-alpine
container_name: wordpress
profiles:
- wordpress
restart: always
env_file:
- env/wordpress.env
volumes:
- ./php.ini:/usr/local/etc/php/conf.d/custom.ini:ro
- wordpress:/var/www/html:rw
networks:
- blog-network
# Webserver
caddy:
image: caddy:alpine
container_name: webserver
profiles:
- webserver
ports:
- 80:80/tcp
- 80:80/udp
- 443:443/tcp
- 443:443/udp
volumes:
- wordpress:/var/www/html:rw
- caddy_data:/data:rw
- caddy_config:/config:rw
- ./caddy:/etc/caddy:ro
networks:
- blog-network
# phpmyadmin:
# image: phpmyadmin:5.2.0
# container_name: phpmyadmin
# profiles:
# - phpmyadmin
# restart: always
# env_file:
# - env/phpmyadmin.env
# ports:
# - 8080:80
# depends_on:
# - database
# networks:
# - blog-network
# security_opt:
# - no-new-privileges:true
# - seccomp:unconfined
# - apparmor:unconfined
# cap_drop:
# - ALL
# cap_add:
# - CHOWN
networks:
blog-network:
driver: bridge
name: blog-network
volumes:
database:
name: database
wordpress:
name: wordpress
caddy_data:
name: caddy_data
caddy_config:
name: caddy_config

0
old_enginx/nginx/conf.d-cert/jellyfin.conf → nginx/conf.d-cert/jellyfin.conf
View File

0
old_enginx/nginx/conf.d-cert/wordpress.conf → nginx/conf.d-cert/wordpress.conf
View File

67
old_enginx/nginx/conf.d/jellyfin.conf → nginx/conf.d/jellyfin.conf
View File

@@ -1,7 +1,4 @@
proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=3g inactive=30d use_temp_path=off;
proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=3g;
map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=2g inactive=30d use_temp_path=off;
upstream jellyfin_server {
# ip_hash;
@@ -14,6 +11,8 @@ server {
listen 80;
listen [::]:80;
root /var/www/jellyfin;
server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;
location ~ /.well-known/acme-challenge {
@@ -31,29 +30,42 @@ server {
listen [::]:443 ssl http2;
server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;
#client_max_body_size 20M;
set $jellyfin jellyfin;
resolver 8.8.8.8 valid=30;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
# All things related to SSL
ssl_certificate /etc/letsencrypt/live/bensuperpc.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/bensuperpc.org/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/bensuperpc.org/chain.pem;
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
#add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/conf.d/sub/options-ssl-nginx.conf;
# Logging
access_log /var/log/nginx/wordpress.access.log;
error_log /var/log/nginx/wordpress.error.log;
# Security
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
# Security / XSS Mitigation Headers
# NOTE: X-Frame-Options may cause issues with the webOS app
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
# NOTE: The default CSP headers may cause issues with the webOS app
add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
location = / {
return 302 http://$host/web/;
#return 302 https://$host/web/;
return 302 https://$host/web/;
}
location / {
@@ -70,6 +82,7 @@ server {
proxy_buffering off;
}
# location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
location = /web/ {
# Proxy main Jellyfin traffic
proxy_pass http://jellyfin_server/web/index.html;
@@ -95,10 +108,9 @@ server {
proxy_set_header X-Forwarded-Host $http_host;
}
# Cache images
# Cache images (inside server block)
location ~ /Items/(.*)/Images {
#proxy_pass http://127.0.0.1:8096;
proxy_pass http://jellyfin_server;
proxy_pass http://127.0.0.1:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -112,30 +124,7 @@ server {
add_header X-Cache-Status $upstream_cache_status; # This is only to check if cache is working
}
# Cache videos
location ~* ^/Videos/(.*)/(?!live)
{
slice 2m;
proxy_cache jellyfin-videos;
proxy_cache_valid 200 206 301 302 30d;
proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
proxy_connect_timeout 15s;
proxy_http_version 1.1;
proxy_set_header Connection "";
# Transmit slice range to the backend
proxy_set_header Range $slice_range;
proxy_cache_lock on;
proxy_cache_lock_age 60s;
#proxy_pass http://$jellyfin:8096;
proxy_pass http://jellyfin_server;
proxy_cache_key "jellyvideo$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level&slicerange=$slice_range";
add_header X-Cache-Status $upstream_cache_status; # This is only for debugging cache
}
resolver 8.8.8.8;
}
# All configuration options are documented at https://jellyfin.org/docs/general/networking/nginx/

6
old_enginx/nginx/conf.d/phpmyadmin.conf → nginx/conf.d/phpmyadmin.conf
View File

@@ -1,5 +1,3 @@
#include /etc/nginx/conf.d/sub/cache-proxy.conf;
upstream phpmyadmin_server {
# ip_hash;
server phpmyadmin:80;
@@ -15,8 +13,6 @@ server {
server_name phpmyadmin.bensuperpc.org www.phpmyadmin.bensuperpc.org;
include /etc/nginx/conf.d/sub/gzip.conf;
location / {
proxy_pass http://phpmyadmin_server;
proxy_redirect off;
@@ -24,5 +20,5 @@ server {
proxy_set_header X-Forwarded-For $remote_addr;
}
# resolver 8.8.8.8;
resolver 8.8.8.8;
}

4
old_enginx/nginx/conf.d/qbittorrent.conf → nginx/conf.d/qbittorrent.conf
View File

@@ -13,8 +13,6 @@ server {
server_name qbittorrent.bensuperpc.org www.qbittorrent.bensuperpc.org;
include /etc/nginx/conf.d/sub/gzip.conf;
location / {
proxy_pass http://qbittorrent_server;
proxy_redirect off;
@@ -22,5 +20,5 @@ server {
proxy_set_header X-Forwarded-For $remote_addr;
}
# resolver 8.8.8.8;
resolver 8.8.8.8;
}

6
nginx/conf.d/stream/minecraft.conf Normal file
View File

@@ -0,0 +1,6 @@
#server {
# Port number the reverse proxy is listening on
# listen 25565;
# The original Minecraft server address
# proxy_pass server.example.com:25565;
#}

5
old_enginx/nginx/conf.d/sub/cache-fastcgi.conf → nginx/conf.d/sub/cache-fastcgi.conf
View File

@@ -19,5 +19,10 @@ fastcgi_cache_valid 1d;
# Don't use the following headers to define the cache variables
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
# Some parts of this file are from
# https://gist.github.com/TrafeX/6d582b6d040702088722

5
old_enginx/nginx/conf.d/sub/cache-proxy.conf → nginx/conf.d/sub/cache-proxy.conf
View File

@@ -18,3 +18,8 @@ proxy_cache_valid 1d;
# Don't use the following headers to define the cache variables
proxy_ignore_headers Cache-Control Expires Set-Cookie;
# Increase proxy buffers for large requests
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;

0
old_enginx/nginx/conf.d/sub/cache-uwsgi.conf → nginx/conf.d/sub/cache-uwsgi.conf
View File

0
old_enginx/nginx/conf.d/sub/gzip.conf → nginx/conf.d/sub/gzip.conf
View File

2
old_enginx/nginx/conf.d/sub/options-ssl-nginx.conf → nginx/conf.d/sub/options-ssl-nginx.conf
View File

@@ -8,6 +8,8 @@ ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

150
old_enginx/nginx/conf.d/wordpress.conf → nginx/conf.d/wordpress.conf
View File

@@ -14,43 +14,11 @@ server {
server_name wordpress.bensuperpc.org www.wordpress.bensuperpc.org bensuperpc.org www.bensuperpc.org;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/wordpress;
}
location / {
return 301 https://$host$request_uri;
}
}
# Main server wordpress_server
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name wordpress.bensuperpc.org www.wordpress.bensuperpc.org bensuperpc.org www.bensuperpc.org;
root /var/www/wordpress;
index index.php index.html index.htm;
# Keepalive for 70 seconds
keepalive_timeout 70;
# Number of requests per connection
keepalive_requests 100;
reset_timedout_connection on;
# Increase proxy buffers for large requests
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
# Upload limit
client_max_body_size 50m;
client_body_buffer_size 128k;
@@ -78,7 +46,121 @@ server {
server_tokens off;
include /etc/nginx/conf.d/sub/gzip.conf;
location ~ /.well-knownwell-known/acme-challenge {
allow all;
root /var/www/wordpress;
}
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress_server;
fastcgi_index index.php;
include fastcgi_params;
# Necessary to avoid 404 error when changing the wordpress path
#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_intercept_errors on;
# Don't cache when $skip_cache is true
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
# Use the WORDPRESS zone
fastcgi_cache WORDPRESS;
fastcgi_connect_timeout 600;
fastcgi_send_timeout 600;
fastcgi_read_timeout 600;
}
# Don't write to accesslog for these files
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Media files with one of these extensions should be cached by the browser
location ~* \.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
expires max;
log_not_found off;
}
# Deny access to .* files
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# Add cache status header for easy debugging
add_header X-cache $upstream_cache_status;
# From cat /etc/resolv.conf
resolver 8.8.8.8;
# Some parts of this file are from
# https://gist.github.com/TrafeX/6d582b6d040702088722
#location / {
# return 301 https://$host$request_uri;
#}
}
# Main server wordpress_server
server {
listen 443 ssl http2;
#listen 443 http3 reuseport;
listen [::]:443 ssl http2;
server_name wordpress.bensuperpc.org www.wordpress.bensuperpc.org bensuperpc.org www.bensuperpc.org;
root /var/www/wordpress;
index index.php index.html index.htm;
reset_timedout_connection on;
# Upload limit
client_max_body_size 50m;
client_body_buffer_size 128k;
# Initialize the variable that specified to skip the cache
set $skip_cache 0;
# POST requests and url's with a query string should always skip cache
if ($request_method = POST) {
set $skip_cache 1;
}
if ($query_string != "") {
set $skip_cache 1;
}
# Don't cache url's containing the following segments
if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
set $skip_cache 1;
}
# Don't use the cache for logged in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
set $skip_cache 1;
}
server_tokens off;
# All things related to SSL
ssl_certificate /etc/letsencrypt/live/bensuperpc.org/fullchain.pem;
@@ -91,12 +173,12 @@ server {
access_log /var/log/nginx/wordpress.access.log;
error_log /var/log/nginx/wordpress.error.log;
# Security
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
location / {
try_files $uri $uri/ /index.php$is_args$args;

12
old_enginx/nginx/nginx.conf → nginx/nginx.conf
View File

@@ -24,9 +24,17 @@ http {
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
# Keepalive for 70 seconds
keepalive_timeout 70;
#gzip on;
# Number of requests per connection
keepalive_requests 100;
include /etc/nginx/conf.d/sub/gzip.conf;
include /etc/nginx/conf.d/*.conf;
}
stream {
include /etc/nginx/conf.d/stream/*.conf;
}

12
old_enginx/nginx/conf.d/minecraft.conf
View File

@@ -1,12 +0,0 @@
#upstream minecraft {
# server minecraft:25565;
#}
#
#server {
# listen 25566;
# server_name minecraft.bensuperpc.org www.minecraft.bensuperpc.org;
# location / {
# proxy_pass minecraft;
# }
#}

3
php.ini
View File

@@ -1,3 +0,0 @@
memory_limit = 512M
upload_max_filesize = 128M
post_max_size = 128M