diff options
| -rw-r--r-- | web/etc/nginx/default.conf | 339 |
1 files changed, 339 insertions, 0 deletions
diff --git a/web/etc/nginx/default.conf b/web/etc/nginx/default.conf new file mode 100644 index 0000000..4335774 --- /dev/null +++ b/web/etc/nginx/default.conf @@ -0,0 +1,339 @@ +# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. + +ssl_dhparam /etc/nginx/dhparam.pem; +resolver 185.110.149.2 185.110.148.2; + +# Yoda! +server { + listen 80 default_server; + listen [::]:80 default_server; + root /var/www/html; + # Add index.php to the list if you are using PHP + index index.html index.htm index.nginx-debian.html; + add_header Strict-Transport-Security max-age=15768000; + server_name yoda.tg16.gathering.org; + + location /display { + allow 185.110.148.24; + allow 2a06:5841:1337::24; + allow 185.110.148.25; + allow 2a06:5841:1337::25; + allow 185.110.148.26; + allow 2a06:5841:1337::26; + allow 2a06:5841:150a::/64; + allow 185.110.150.0/25; + deny all; + } + #location / { + # return 301 https://$host$request_uri; + #} +} + +# Munin +server { + listen 80; + listen [::]:80; + access_log /var/log/nginx/munin.tg16.gathering.org_ssl_access.log; + error_log /var/log/nginx/munin.tg16.gathering.org_ssl_error.log error; + root /var/www/html; + + server_name munin.tg16.gathering.org; + + allow 185.110.150.0/25; + allow 2a06:5841:150a::/64; + allow 185.110.149.0/26; + allow 2a06:5841:149a::/64; + allow 185.110.148.0/26; + allow 2a06:5841:1337::/64; + allow 185.110.151.0/27; + allow 2a06:5841:151a::/64; + deny all; + + location ^~ /munin-cgi/munin-cgi-graph/ { + fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*); + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_pass unix:/var/run/munin/fastcgi-graph.sock; + include fastcgi_params; + } + + + location /munin/static/ { + alias /etc/munin/static/; + } + + location /munin/ { + fastcgi_split_path_info ^(/munin)(.*); + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_pass unix:/var/run/munin/fastcgi-html.sock; + include fastcgi_params; + + rewrite ^/munin/(.*.png)$ /munin-cgi/munin-cgi-graph/$1; + } + + location = / { + return 301 $scheme://$server_name/munin/; + } +} + +# Yoda! +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + access_log /var/log/nginx/yoda.tg16.gathering.org_ssl_access.log; + error_log /var/log/nginx/yoda.tg16.gathering.org_ssl_error.log error; + server_name yoda.tg16.gathering.org; + add_header Strict-Transport-Security max-age=0; + add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains'; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; + ssl_prefer_server_ciphers on; + ssl_certificate /root/le/prodcerts/yoda.prod.pem; + ssl_certificate_key /root/le/keys/domain.key; + ssl_session_timeout 5m; + ssl_session_cache shared:SSL:50m; + client_max_body_size 10m; + ssl_stapling on; + ssl_stapling_verify on; + root /var/www/html; + index index.pl index.html; + location ~ \.pl|cgi$ { + try_files $uri =404; + gzip off; + fastcgi_pass 127.0.0.1:8999; + fastcgi_index index.pl; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + } + location / { + try_files $uri $uri/ =404; + } +} + +# Webcam +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + access_log /var/log/nginx/webcam.tg16.gathering.org_ssl_access.log; + error_log /var/log/nginx/webcam.tg16.gathering.org_ssl_error.log error; + server_name webcam.tg16.gathering.org webcams.tg16.gathering.org; + add_header Strict-Transport-Security max-age=0; + add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains'; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; + ssl_prefer_server_ciphers on; + ssl_certificate /root/le/prodcerts/yoda.prod.pem; + ssl_certificate_key /root/le/keys/domain.key; + ssl_session_timeout 5m; + ssl_session_cache shared:SSL:50m; + client_max_body_size 10m; + ssl_stapling on; + ssl_stapling_verify on; + root /var/www/webcam; + location / { + return 301 http://stream.tg16.gathering.org/; + #try_files $uri $uri/ =404; + } +} + +# Stream +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + access_log /var/log/nginx/stream.tg16.gathering.org_ssl_access.log; + error_log /var/log/nginx/stream.tg16.gathering.org_ssl_error.log error; + server_name stream.tg16.gathering.org streams.tg16.gathering.org; + #add_header Strict-Transport-Security max-age=15768000; + add_header Strict-Transport-Security max-age=0; + #add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains'; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; + ssl_prefer_server_ciphers on; + ssl_certificate /root/le/prodcerts/yoda.prod.pem; + ssl_certificate_key /root/le/keys/domain.key; + ssl_session_timeout 5m; + ssl_session_cache shared:SSL:50m; + client_max_body_size 10m; + ssl_stapling on; + ssl_stapling_verify on; + root /var/www/stream/; +# index index.pl index.html; + index index.pl index.py index.html; + location /hls { + types { + #application/vnd.apple.mpegurl m3u8; + application/x-mpegURL m3u8; + video/mp2t ts; + text/html htm; + } + root /var/www/; + add_header Cache-Control no-cache; + } + location /stat { + allow 185.110.150.0/25; + allow 2a06:5841:150a::/64; + allow 185.110.149.0/26; + allow 2a06:5841:149a::/64; + allow 185.110.148.0/26; + allow 2a06:5841:1337::/64; + allow 185.110.151.0/27; + allow 2a06:5841:151a::/64; + deny all; + rtmp_stat all; + rtmp_stat_stylesheet /stat.xsl; + } + location /stat.xsl { + allow 185.110.150.0/25; + allow 2a06:5841:150a::/64; + allow 185.110.149.0/26; + allow 2a06:5841:149a::/64; + allow 185.110.148.0/26; + allow 2a06:5841:1337::/64; + allow 185.110.151.0/27; + allow 2a06:5841:151a::/64; + deny all; + } + location ~ \.py { + try_files $uri =404; + fastcgi_pass unix:/tmp/index-fcgi.sock; + fastcgi_index index.py; + fastcgi_param PATH_INFO $fastcgi_path_info; + include fastcgi_params; + } + location ~ \.pl|cgi$ { + try_files $uri =404; + gzip off; + fastcgi_pass 127.0.0.1:8999; + fastcgi_index index.pl; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + } + location / { + return 301 http://$host$request_uri; + #try_files $uri $uri/ =404; + } +} + +# Stream +server { + listen 80; + listen [::]:80; + access_log /var/log/nginx/stream.tg16.gathering.org_access.log; + error_log /var/log/nginx/stream.tg16.gathering.org_error.log error; + server_name stream.tg16.gathering.org streams.tg16.gathering.org; + add_header Strict-Transport-Security max-age=0; + client_max_body_size 10m; + root /var/www/stream/; +# index index.pl index.html; + index index.pl index.py index.html; + location /hls { + types { + #application/vnd.apple.mpegurl m3u8; + application/x-mpegURL m3u8; + video/mp2t ts; + text/html htm; + } + root /var/www/; + add_header Cache-Control no-cache; + } + location /stat { + allow 185.110.150.0/25; + allow 2a06:5841:150a::/64; + allow 185.110.149.0/26; + allow 2a06:5841:149a::/64; + allow 185.110.148.0/26; + allow 2a06:5841:1337::/64; + allow 185.110.151.0/27; + allow 2a06:5841:151a::/64; + deny all; + rtmp_stat all; + rtmp_stat_stylesheet /stat.xsl; + } + location /stat.xsl { + allow 185.110.150.0/25; + allow 2a06:5841:150a::/64; + allow 185.110.149.0/26; + allow 2a06:5841:149a::/64; + allow 185.110.148.0/26; + allow 2a06:5841:1337::/64; + allow 185.110.151.0/27; + allow 2a06:5841:151a::/64; + deny all; + } + location ~ \.py { + try_files $uri =404; + fastcgi_pass unix:/tmp/index-fcgi.sock; + fastcgi_index index.py; + fastcgi_param PATH_INFO $fastcgi_path_info; + include fastcgi_params; + } + location ~ \.pl|cgi$ { + try_files $uri =404; + gzip off; + fastcgi_pass 127.0.0.1:8999; + fastcgi_index index.pl; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + } + location / { + try_files $uri $uri/ =404; + } +} + +# NMS-backend +upstream nms { + server obi-wan.tg16.gathering.org; + keepalive 32; +} + +# NMS +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + access_log /var/log/nginx/nms.tg16.gathering.org_ssl_access.log; + error_log /var/log/nginx/nms.tg16.gathering.org_ssl_error.log error; + server_name nms.tg16.gathering.org nms-public.tg16.gathering.org nms-api.tg16.gathering.org nms4.tg16.gathering.org nms6.tg16.gathering.org; + add_header Strict-Transport-Security max-age=15768000; + add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains'; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; + ssl_prefer_server_ciphers on; + ssl_certificate /root/le/prodcerts/yoda.prod.pem; + ssl_certificate_key /root/le/keys/domain.key; + ssl_session_timeout 5m; + ssl_session_cache shared:SSL:50m; + client_max_body_size 10m; + ssl_stapling on; + ssl_stapling_verify on; + location / { + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_pass http://nms; + proxy_http_version 1.1; + proxy_set_header Connection ""; + } +} + +# Stats +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + access_log /var/log/nginx/stats.tg16.gathering.org_ssl_access.log; + error_log /var/log/nginx/stats.tg16.gathering.org_ssl_error.log error; + server_name stats.tg16.gathering.org; + add_header Strict-Transport-Security max-age=15768000; + add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains'; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; + ssl_prefer_server_ciphers on; + ssl_certificate /root/le/prodcerts/yoda.prod.pem; + ssl_certificate_key /root/le/keys/domain.key; + ssl_session_timeout 5m; + ssl_session_cache shared:SSL:50m; + client_max_body_size 10m; + ssl_stapling on; + ssl_stapling_verify on; + root /var/www/stats; + location / { + try_files $uri $uri/ =404; + } +} |