Add immich and switch to nginx-acme
This commit is contained in:
@@ -3,6 +3,7 @@ worker_processes auto;
|
||||
worker_cpu_affinity auto;
|
||||
pid /run/nginx.pid;
|
||||
error_log /var/log/nginx/error.log;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_acme_module.so;
|
||||
|
||||
events {
|
||||
worker_connections 768;
|
||||
@@ -10,6 +11,14 @@ events {
|
||||
}
|
||||
|
||||
http {
|
||||
resolver 127.0.0.11:53;
|
||||
acme_issuer letsencrypt {
|
||||
uri https://acme-v02.api.letsencrypt.org/directory;
|
||||
contact matthew.pomes@pm.me;
|
||||
state_path /var/cache/nginx/acme-letsencrypt;
|
||||
|
||||
accept_terms_of_service;
|
||||
}
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
@@ -57,6 +66,12 @@ http {
|
||||
##
|
||||
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
server {
|
||||
listen 80;
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
@@ -1,17 +1,8 @@
|
||||
server {
|
||||
if ($host = 5d-diplomacy.loadingm.xyz) {
|
||||
return 301 https://$host$request_uri;
|
||||
} # managed by Certbot
|
||||
|
||||
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name 5d-diplomacy.loadingm.xyz;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
# Uncomment to redirect HTTP to HTTPS
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
@@ -25,16 +16,14 @@ server {
|
||||
http2 on;
|
||||
|
||||
server_name 5d-diplomacy.loadingm.xyz;
|
||||
acme_certificate letsencrypt;
|
||||
ssl_certificate $acme_certificate;
|
||||
ssl_certificate_key $acme_certificate_key;
|
||||
ssl_certificate_cache max=2;
|
||||
|
||||
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
|
||||
client_max_body_size 20M;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/privkey.pem; # managed by Certbot
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/chain.pem;
|
||||
|
||||
# Security / XSS Mitigation Headers
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
|
||||
|
||||
@@ -1,18 +1,3 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name auth.loadingm.xyz;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
# Uncomment to redirect HTTP to HTTPS
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
# Nginx versions 1.25+
|
||||
listen 443 ssl;
|
||||
@@ -20,16 +5,14 @@ server {
|
||||
http2 on;
|
||||
|
||||
server_name auth.loadingm.xyz;
|
||||
acme_certificate letsencrypt;
|
||||
ssl_certificate $acme_certificate;
|
||||
ssl_certificate_key $acme_certificate_key;
|
||||
ssl_certificate_cache max=2;
|
||||
|
||||
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
|
||||
client_max_body_size 20M;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
|
||||
# include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
|
||||
|
||||
# Security / XSS Mitigation Headers
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
|
||||
@@ -42,10 +25,6 @@ server {
|
||||
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
||||
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
location / {
|
||||
# Proxy main karakeep traffic
|
||||
proxy_pass http://authelia:9091;
|
||||
|
||||
@@ -1,18 +1,3 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name bitwarden.loadingm.xyz;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
# Uncomment to redirect HTTP to HTTPS
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
# Nginx versions 1.25+
|
||||
listen 443 ssl;
|
||||
@@ -20,16 +5,14 @@ server {
|
||||
http2 on;
|
||||
|
||||
server_name bitwarden.loadingm.xyz;
|
||||
acme_certificate letsencrypt;
|
||||
ssl_certificate $acme_certificate;
|
||||
ssl_certificate_key $acme_certificate_key;
|
||||
ssl_certificate_cache max=2;
|
||||
|
||||
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
|
||||
client_max_body_size 20M;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
|
||||
# include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
|
||||
|
||||
# Security / XSS Mitigation Headers
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
|
||||
@@ -51,10 +34,6 @@ server {
|
||||
# set $CSP "$CSP; frame-ancestors 'self' data:";
|
||||
# set $CSP "$CSP; font-src 'self' data:";
|
||||
# add_header Content-Security-Policy $CSP;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
location /notifications/hub {
|
||||
proxy_pass http://bitwarden:80;
|
||||
proxy_http_version 1.1;
|
||||
|
||||
@@ -1,18 +1,3 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name gitea.loadingm.xyz;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
# Uncomment to redirect HTTP to HTTPS
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
# Nginx versions 1.25+
|
||||
listen 443 ssl;
|
||||
@@ -20,16 +5,14 @@ server {
|
||||
http2 on;
|
||||
|
||||
server_name gitea.loadingm.xyz;
|
||||
acme_certificate letsencrypt;
|
||||
ssl_certificate $acme_certificate;
|
||||
ssl_certificate_key $acme_certificate_key;
|
||||
ssl_certificate_cache max=2;
|
||||
|
||||
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
|
||||
client_max_body_size 200G;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
|
||||
# include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
|
||||
|
||||
# Security / XSS Mitigation Headers
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
|
||||
@@ -42,10 +25,6 @@ server {
|
||||
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
||||
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
location / {
|
||||
# Proxy main karakeep traffic
|
||||
proxy_pass http://gitea:3000;
|
||||
|
||||
@@ -1,52 +1,14 @@
|
||||
##
|
||||
# You should look at the following URL's in order to grasp a solid understanding
|
||||
# of Nginx configuration files in order to fully unleash the power of Nginx.
|
||||
# https://www.nginx.com/resources/wiki/start/
|
||||
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
|
||||
# https://wiki.debian.org/Nginx/DirectoryStructure
|
||||
#
|
||||
# In most cases, administrators will remove this file from sites-enabled/ and
|
||||
# leave it as reference inside of sites-available where it will continue to be
|
||||
# updated by the nginx packaging team.
|
||||
#
|
||||
# This file will automatically load configuration files provided by other
|
||||
# applications, such as Drupal or Wordpress. These applications will be made
|
||||
# available underneath a path with that package name, such as /drupal8.
|
||||
#
|
||||
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
|
||||
##
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name gpodder.loadingm.xyz;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
# Uncomment to redirect HTTP to HTTPS
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
# Default server configuration
|
||||
#
|
||||
server {
|
||||
|
||||
# SSL configuration
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
|
||||
server_name gpodder.loadingm.xyz;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
|
||||
# include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
|
||||
acme_certificate letsencrypt;
|
||||
ssl_certificate $acme_certificate;
|
||||
ssl_certificate_key $acme_certificate_key;
|
||||
ssl_certificate_cache max=2;
|
||||
|
||||
# Security / XSS Mitigation Headers
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
@@ -60,10 +22,6 @@ server {
|
||||
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
||||
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
location / {
|
||||
# Proxy main karakeep traffic
|
||||
proxy_pass http://gpodder:8000;
|
||||
|
||||
41
nginx/sites-enabled/immich
Normal file
41
nginx/sites-enabled/immich
Normal file
@@ -0,0 +1,41 @@
|
||||
server {
|
||||
# Nginx versions 1.25+
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
|
||||
server_name immich.loadingm.xyz;
|
||||
acme_certificate letsencrypt;
|
||||
ssl_certificate $acme_certificate;
|
||||
ssl_certificate_key $acme_certificate_key;
|
||||
ssl_certificate_cache max=2;
|
||||
|
||||
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
|
||||
client_max_body_size 200G;
|
||||
|
||||
# Security / XSS Mitigation Headers
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
|
||||
# Permissions policy. May cause issues with some clients
|
||||
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
|
||||
|
||||
# Content Security Policy
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
|
||||
# Enforces https content and restricts JS/CSS to origin
|
||||
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
||||
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
|
||||
|
||||
location / {
|
||||
# Proxy main karakeep traffic
|
||||
proxy_pass http://immich:2283;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
|
||||
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
|
||||
proxy_buffering off;
|
||||
}
|
||||
}
|
||||
@@ -1,18 +1,3 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name jellyfin.loadingm.xyz;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
# Uncomment to redirect HTTP to HTTPS
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
# Nginx versions 1.25+
|
||||
listen 443 ssl;
|
||||
@@ -20,16 +5,14 @@ server {
|
||||
http2 on;
|
||||
|
||||
server_name jellyfin.loadingm.xyz;
|
||||
acme_certificate letsencrypt;
|
||||
ssl_certificate $acme_certificate;
|
||||
ssl_certificate_key $acme_certificate_key;
|
||||
ssl_certificate_cache max=2;
|
||||
|
||||
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
|
||||
client_max_body_size 20M;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
|
||||
# include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
|
||||
|
||||
# Security / XSS Mitigation Headers
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
|
||||
@@ -42,10 +25,6 @@ server {
|
||||
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
||||
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
location / {
|
||||
# Proxy main Jellyfin traffic
|
||||
proxy_pass http://jellyfin:8096;
|
||||
|
||||
@@ -1,18 +1,3 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name jellyseerr.loadingm.xyz;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
# Uncomment to redirect HTTP to HTTPS
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
# Nginx versions 1.25+
|
||||
listen 443 ssl;
|
||||
@@ -20,26 +5,20 @@ server {
|
||||
http2 on;
|
||||
|
||||
server_name jellyseerr.loadingm.xyz;
|
||||
acme_certificate letsencrypt;
|
||||
ssl_certificate $acme_certificate;
|
||||
ssl_certificate_key $acme_certificate_key;
|
||||
ssl_certificate_cache max=2;
|
||||
|
||||
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
|
||||
client_max_body_size 20M;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
|
||||
# include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
|
||||
|
||||
# Security / XSS Mitigation Headers
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
|
||||
# Permissions policy. May cause issues with some clients
|
||||
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
# Content Security Policy
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
|
||||
# Enforces https content and restricts JS/CSS to origin
|
||||
|
||||
@@ -1,18 +1,3 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name karakeep.loadingm.xyz;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
# Uncomment to redirect HTTP to HTTPS
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
# Nginx versions 1.25+
|
||||
listen 443 ssl;
|
||||
@@ -20,16 +5,14 @@ server {
|
||||
http2 on;
|
||||
|
||||
server_name karakeep.loadingm.xyz;
|
||||
acme_certificate letsencrypt;
|
||||
ssl_certificate $acme_certificate;
|
||||
ssl_certificate_key $acme_certificate_key;
|
||||
ssl_certificate_cache max=2;
|
||||
|
||||
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
|
||||
client_max_body_size 20M;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
|
||||
# include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
|
||||
|
||||
# Security / XSS Mitigation Headers
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
|
||||
@@ -52,10 +35,6 @@ server {
|
||||
set $CSP "$CSP; font-src 'self' data:";
|
||||
add_header Content-Security-Policy $CSP;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
location / {
|
||||
# Proxy main karakeep traffic
|
||||
proxy_pass http://karakeep-web:3000;
|
||||
|
||||
@@ -1,18 +1,3 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name memos.loadingm.xyz;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
# Uncomment to redirect HTTP to HTTPS
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
# Nginx versions 1.25+
|
||||
listen 443 ssl;
|
||||
@@ -20,16 +5,14 @@ server {
|
||||
http2 on;
|
||||
|
||||
server_name memos.loadingm.xyz;
|
||||
acme_certificate letsencrypt;
|
||||
ssl_certificate $acme_certificate;
|
||||
ssl_certificate_key $acme_certificate_key;
|
||||
ssl_certificate_cache max=2;
|
||||
|
||||
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
|
||||
client_max_body_size 200G;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
|
||||
# include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
|
||||
|
||||
# Security / XSS Mitigation Headers
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
|
||||
@@ -42,10 +25,6 @@ server {
|
||||
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
||||
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
location / {
|
||||
# Proxy main karakeep traffic
|
||||
proxy_pass http://memos:5230;
|
||||
|
||||
@@ -5,9 +5,11 @@ server {
|
||||
http2 on;
|
||||
|
||||
server_name ollama.loadingm.xyz;
|
||||
acme_certificate letsencrypt;
|
||||
ssl_certificate $acme_certificate;
|
||||
ssl_certificate_key $acme_certificate_key;
|
||||
ssl_certificate_cache max=2;
|
||||
|
||||
include /etc/nginx/snippets/letsencrypt.conf;
|
||||
# include /etc/nginx/snippets/authelia-location.conf;
|
||||
location /ws/ {
|
||||
proxy_pass http://ollama-webui:8080;
|
||||
proxy_http_version 1.1;
|
||||
|
||||
@@ -1,52 +1,14 @@
|
||||
##
|
||||
# You should look at the following URL's in order to grasp a solid understanding
|
||||
# of Nginx configuration files in order to fully unleash the power of Nginx.
|
||||
# https://www.nginx.com/resources/wiki/start/
|
||||
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
|
||||
# https://wiki.debian.org/Nginx/DirectoryStructure
|
||||
#
|
||||
# In most cases, administrators will remove this file from sites-enabled/ and
|
||||
# leave it as reference inside of sites-available where it will continue to be
|
||||
# updated by the nginx packaging team.
|
||||
#
|
||||
# This file will automatically load configuration files provided by other
|
||||
# applications, such as Drupal or Wordpress. These applications will be made
|
||||
# available underneath a path with that package name, such as /drupal8.
|
||||
#
|
||||
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
|
||||
##
|
||||
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80;
|
||||
server_name loadingm.xyz *.loadingm.xyz;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
# Uncomment to redirect HTTP to HTTPS
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
# Default server configuration
|
||||
#
|
||||
server {
|
||||
|
||||
# SSL configuration
|
||||
listen 443 ssl default_server;
|
||||
listen [::]:443 ssl default_server;
|
||||
http2 on;
|
||||
|
||||
server_name loadingm.xyz;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
|
||||
# include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
|
||||
acme_certificate letsencrypt;
|
||||
ssl_certificate $acme_certificate;
|
||||
ssl_certificate_key $acme_certificate_key;
|
||||
ssl_certificate_cache max=2;
|
||||
|
||||
root /data/site;
|
||||
|
||||
@@ -60,11 +22,4 @@ server {
|
||||
# as directory, then fall back to displaying a 404.
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
# deny access to .htaccess files, if Apache's document root
|
||||
# concurs with nginx's one
|
||||
#
|
||||
#location ~ /\.ht {
|
||||
# deny all;
|
||||
#}
|
||||
}
|
||||
|
||||
@@ -1,13 +1,14 @@
|
||||
|
||||
server {
|
||||
# Nginx versions 1.25+
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
http2 on;
|
||||
|
||||
server_name servarr.loadingm.xyz;
|
||||
acme_certificate letsencrypt;
|
||||
ssl_certificate $acme_certificate;
|
||||
ssl_certificate_key $acme_certificate_key;
|
||||
ssl_certificate_cache max=2;
|
||||
|
||||
include /etc/nginx/snippets/letsencrypt.conf;
|
||||
include /etc/nginx/snippets/authelia-location.conf;
|
||||
|
||||
location /qbt/ {
|
||||
|
||||
@@ -1,25 +0,0 @@
|
||||
# Content Security Policy
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
|
||||
# Enforces https content and restricts JS/CSS to origin
|
||||
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
||||
# add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
|
||||
|
||||
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
|
||||
client_max_body_size 20M;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
|
||||
# include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
|
||||
|
||||
# Security / XSS Mitigation Headers
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
|
||||
# Permissions policy. May cause issues with some clients
|
||||
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user