From d2be7395901a1da5eafbcf03c78e82b2bc22c14e Mon Sep 17 00:00:00 2001
From: JulienAldon
Date: Sun, 11 Jan 2026 16:59:07 +0100
Subject: [PATCH] add nginx config files

---
 nginx/sites-available/benoit.mathieu.wiki | 26 +++++++++
 nginx/sites-available/bookshelf.aldon.fr | 28 ++++++++++
 nginx/sites-available/default | 59 ++++++++++++++++++++
 nginx/sites-available/discussion.fefan.fr | 26 +++++++++
 nginx/sites-available/fefan.fr | 64 ++++++++++++++++++++++
 nginx/sites-available/gitea.aldon.fr | 28 ++++++++++
 nginx/sites-available/grist.aldon.fr | 26 +++++++++
 nginx/sites-available/keycloak.aldon.fr | 26 +++++++++
 nginx/sites-available/nextcloud.aldon.fr | 64 ++++++++++++++++++++++
 nginx/sites-available/vaultwarden.aldon.fr | 59 ++++++++++++++++++++
 10 files changed, 406 insertions(+)
 create mode 100644 nginx/sites-available/benoit.mathieu.wiki
 create mode 100644 nginx/sites-available/bookshelf.aldon.fr
 create mode 100644 nginx/sites-available/default
 create mode 100644 nginx/sites-available/discussion.fefan.fr
 create mode 100644 nginx/sites-available/fefan.fr
 create mode 100644 nginx/sites-available/gitea.aldon.fr
 create mode 100644 nginx/sites-available/grist.aldon.fr
 create mode 100644 nginx/sites-available/keycloak.aldon.fr
 create mode 100644 nginx/sites-available/nextcloud.aldon.fr
 create mode 100644 nginx/sites-available/vaultwarden.aldon.fr

diff --git a/nginx/sites-available/benoit.mathieu.wiki b/nginx/sites-available/benoit.mathieu.wiki
new file mode 100644
index 0000000..dc3aeda
--- /dev/null
+++ b/nginx/sites-available/benoit.mathieu.wiki
@@ -0,0 +1,26 @@
+server {
+ listen 80;
+ server_name benoit.mathieu.wiki www.benoit.mathieu.wiki;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name benoit.mathieu.wiki;
+
+ ssl_certificate /etc/letsencrypt/live/benoit.mathieu.wiki/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/benoit.mathieu.wiki/privkey.pem;
+
+ location / {
+ proxy_pass http://192.168.1.38:8080;
+
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-REAL-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
\ No newline at end of file
diff --git a/nginx/sites-available/bookshelf.aldon.fr b/nginx/sites-available/bookshelf.aldon.fr
new file mode 100644
index 0000000..1a1a672
--- /dev/null
+++ b/nginx/sites-available/bookshelf.aldon.fr
@@ -0,0 +1,28 @@
+server {
+ listen 80;
+ server_name bookshelf.aldon.fr;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ server_name bookshelf.aldon.fr;
+
+ ssl_certificate /etc/letsencrypt/live/aldon.fr/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/aldon.fr/privkey.pem;
+
+ location / {
+ proxy_pass http://192.168.1.27;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
\ No newline at end of file
diff --git a/nginx/sites-available/default b/nginx/sites-available/default
new file mode 100644
index 0000000..e4978fd
--- /dev/null
+++ b/nginx/sites-available/default
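Review bot: The HTTPS block's `server_name benoit.mathieu.wiki;` omits `www.benoit.mathieu.wiki`, yet the port-80 block redirects that name to `https://$host$request_uri`, so a browser following the redirect is served by whichever server block nginx picks first for port 443 (this commit defines no `default_server` for 443), with a certificate that may not cover the www name. Change it to `server_name benoit.mathieu.wiki www.benoit.mathieu.wiki;` — assuming the certificate under /etc/letsencrypt/live/benoit.mathieu.wiki/ includes that name, which cannot be verified here. Separately, this file sets no `ssl_protocols`, so the accepted TLS versions depend on the installed nginx build's defaults; an explicit `ssl_protocols TLSv1.2 TLSv1.3;`, as fefan.fr and nextcloud.aldon.fr already do in this commit, makes the policy reviewable. The same omission applies to bookshelf.aldon.fr, discussion.fefan.fr, gitea.aldon.fr, grist.aldon.fr, keycloak.aldon.fr and vaultwarden.aldon.fr.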
@@ -0,0 +1,59 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ # SSL configuration
+ #
+ # listen 443 ssl default_server;
+ # listen [::]:443 ssl default_server;
+ #
+ # Note: You should disable gzip for SSL traffic.
+ # See: https://bugs.debian.org/773332
+ #
+ # Read up on ssl_ciphers to ensure a secure configuration.
+ # See: https://bugs.debian.org/765782
+ #
+ # Self signed certs generated by the ssl-cert package
+ # Don't use them in a production server!
+ #
+ # include snippets/snakeoil.conf;
+
+ root /var/www/html;
+
+ # Add index.php to the list if you are using PHP
+ index index.html index.htm index.nginx-debian.html;
+
+ server_name _;
+
+ ##
+ # Errors pages
+ ##
+
+ error_page 404 500 502 503 504 /errors/50x.html;
+
+ location ^~ /errors/ {
+ internal;
+ root /usr/share/nginx/html/;
+ allow all;
+ }
+}
\ No newline at end of file
diff --git a/nginx/sites-available/discussion.fefan.fr b/nginx/sites-available/discussion.fefan.fr
new file mode 100644
index 0000000..74c05e0
--- /dev/null
+++ b/nginx/sites-available/discussion.fefan.fr
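Review bot: This default site only declares `default_server` for port 80, so an HTTPS request whose SNI/Host matches none of the sites in this commit (a bare-IP scan, a stale DNS name) is answered by the first server block nginx loads for port 443 — presumably benoit.mathieu.wiki, if every site is enabled and read in glob order — and is proxied straight to that backend with that site's certificate. A catch-all 443 server that refuses the handshake keeps unmatched traffic away from every backend; `ssl_reject_handshake` (nginx 1.19.4+) does this without needing a certificate, see the block below. Minor: `allow all;` inside `location ^~ /errors/` is a no-op because nothing denies first, and `internal;` already limits the location to `error_page` redirects, so the line can go; also `error_page 404 ... /errors/50x.html` shows a 5xx page for 404, which may not be intended.
```nginx
# … unchanged: commented SSL notes, root, index, server_name _, error page block …

# Catch-all for HTTPS requests that match no configured server_name:
# refuse the TLS handshake instead of handing them to the first vhost loaded.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
```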
@@ -0,0 +1,26 @@
+server {
+ listen 80;
+ server_name discussion.fefan.fr;
+ return 301 http://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name discussion.fefan.fr;
+
+ ssl_certificate /etc/letsencrypt/live/fefan.fr/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/fefan.fr/privkey.pem;
+
+ location / {
+ proxy_pass http://192.168.1.15:3000;
+
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-REAL-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
\ No newline at end of file
diff --git a/nginx/sites-available/fefan.fr b/nginx/sites-available/fefan.fr
new file mode 100644
index 0000000..7d1ed7d
--- /dev/null
+++ b/nginx/sites-available/fefan.fr
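Review bot: The port-80 block's `return 301 http://$host$request_uri;` redirects to plain HTTP, i.e. to itself, so every http://discussion.fefan.fr request loops until the client gives up and never reaches the TLS server below; it should be `return 301 https://$host$request_uri;`. The same scheme typo is in grist.aldon.fr and keycloak.aldon.fr in this commit, whereas benoit.mathieu.wiki, bookshelf.aldon.fr, gitea.aldon.fr and vaultwarden.aldon.fr redirect to https. This file also forwards no `X-Forwarded-Proto`, so the application at 192.168.1.15:3000 cannot tell that the client connection was TLS; adding `proxy_set_header X-Forwarded-Proto $scheme;` next to the other headers matches the rest of the commit.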
@@ -0,0 +1,64 @@
+server {
+ server_name www.content.fefan.fr;
+ return 301 $scheme://content.fefan.fr$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name content.fefan.fr;
+
+ ssl_certificate /etc/letsencrypt/live/fefan.fr/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/fefan.fr/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:10m;
+ ssl_session_timeout 1440m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers off;
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
+ location / {
+ resolver 127.0.0.11 valid=30s;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ set $upstream_strapi 192.168.1.11;
+ proxy_pass http://$upstream_strapi:1337;
+ }
+
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name www.fefan.fr fefan.fr;
+
+ ssl_certificate /etc/letsencrypt/live/fefan.fr/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/fefan.fr/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:10m;
+ ssl_session_timeout 1440m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers off;
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
+ location / {
+ resolver 127.0.0.11 valid=30s;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ set $upstream_next 192.168.1.11;
+ proxy_pass http://$upstream_next:3000;
+ }
+
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+}
\ No newline at end of file
diff --git a/nginx/sites-available/gitea.aldon.fr b/nginx/sites-available/gitea.aldon.fr
new file mode 100644
index 0000000..11189b2
--- /dev/null
+++ b/nginx/sites-available/gitea.aldon.fr
@@ -0,0 +1,28 @@
+server {
+ listen 80;
+ server_name gitea.aldon.fr;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ server_name gitea.aldon.fr;
+
+ ssl_certificate /etc/letsencrypt/live/aldon.fr/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/aldon.fr/privkey.pem;
+
+ location / {
+ proxy_pass http://192.168.1.50:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
\ No newline at end of file
diff --git a/nginx/sites-available/grist.aldon.fr b/nginx/sites-available/grist.aldon.fr
new file mode 100644
index 0000000..6556710
--- /dev/null
+++ b/nginx/sites-available/grist.aldon.fr
@@ -0,0 +1,26 @@
+server {
+ listen 80;
+ server_name grist.aldon.fr;
+ return 301 http://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name grist.aldon.fr;
+
+ ssl_certificate /etc/letsencrypt/live/aldon.fr/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/aldon.fr/privkey.pem;
+
+ location / {
+ proxy_pass http://192.168.1.35:8484;
+
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-REAL-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
\ No newline at end of file
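Review bot: Nothing in this file listens on port 80 for `fefan.fr`, `www.fefan.fr` or `content.fefan.fr`: the only non-TLS block has no `listen` at all (so it takes nginx's default port) and names just `www.content.fefan.fr`, redirecting to `$scheme://content.fefan.fr…`, which on that block is always `http://`. Plain-HTTP requests for the real sites therefore fall through to the `default` site added in this commit and are served from /var/www/html rather than being upgraded to HTTPS, and https://www.content.fefan.fr goes to whichever 443 block loads first. A single redirect block covering all four names fixes both: `server { listen 80; listen [::]:80; server_name fefan.fr www.fefan.fr content.fefan.fr www.content.fefan.fr; return 301 https://$host$request_uri; }`, with the www-to-apex redirect done in the TLS block if still wanted. Also `resolver 127.0.0.11 valid=30s;` is only consulted when the proxied variable holds a hostname; with the literal `192.168.1.11` it is dead configuration, so either the intent is a Docker service name (then put that name in the `set`) or the two `resolver` lines can be dropped.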
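Review bot: `proxy_set_header Connection "upgrade";` in the `location /` block sends a hop-by-hop `Connection: upgrade` to Gitea on every request, not only on WebSocket handshakes; nextcloud.aldon.fr and vaultwarden.aldon.fr in this same commit use the `map $http_upgrade $connection_upgrade` form, which sends `upgrade` only when the client asked for it. Reusing that map (for example from a shared conf.d file) and writing `proxy_set_header Connection $connection_upgrade;` here would make benoit.mathieu.wiki, bookshelf.aldon.fr, discussion.fefan.fr, grist.aldon.fr and keycloak.aldon.fr consistent as well. This file also sets no `client_max_body_size`, so nginx's 1m default applies and larger git pushes or LFS uploads through 192.168.1.50:3000 are refused with 413; if those are expected, set e.g. `client_max_body_size 512m;` (constructed value, pick what the repositories need) in the server block.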
diff --git a/nginx/sites-available/keycloak.aldon.fr b/nginx/sites-available/keycloak.aldon.fr
new file mode 100644
index 0000000..52e3a0b
--- /dev/null
+++ b/nginx/sites-available/keycloak.aldon.fr
@@ -0,0 +1,26 @@
+server {
+ listen 80;
+ server_name keycloak.aldon.fr;
+ return 301 http://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name keycloak.aldon.fr;
+
+ ssl_certificate /etc/letsencrypt/live/aldon.fr/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/aldon.fr/privkey.pem;
+
+ location / {
+ proxy_pass http://192.168.1.34:8080;
+
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-REAL-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
\ No newline at end of file
diff --git a/nginx/sites-available/nextcloud.aldon.fr b/nginx/sites-available/nextcloud.aldon.fr
new file mode 100644
index 0000000..4794d4c
--- /dev/null
+++ b/nginx/sites-available/nextcloud.aldon.fr
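Review bot: The identity provider behind this proxy receives no `X-Forwarded-Proto` (nor `X-Forwarded-Host`/`X-Forwarded-Port`), so Keycloak at 192.168.1.34:8080 only ever sees the plain-HTTP hop from nginx; depending on its proxy-headers setting it will either build issuer URLs, redirect URIs and cookie attributes for `http://`, or reject the requests outright as non-HTTPS. Add `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-Host $host;` (plus `X-Forwarded-Port $server_port;`) next to the existing headers, as nextcloud.aldon.fr does in this commit, and confirm Keycloak is configured to trust those headers from this proxy only. Because it is an IdP fronting every other site here, the missing `ssl_protocols` and HSTS header are more consequential in this file than elsewhere; `add_header Strict-Transport-Security "max-age=31536000" always;` as in bookshelf.aldon.fr would be appropriate.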
@@ -0,0 +1,64 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ if ($scheme = "http") {
+ return 301 https://$host$request_uri;
+ }
+ if ($http_x_forwarded_proto = "http") {
+ return 301 https://$host$request_uri;
+ }
+
+ listen 443 ssl http2;
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ client_max_body_size 0;
+ client_body_buffer_size 512k;
+ proxy_read_timeout 86400s;
+
+ server_name nextcloud.aldon.fr;
+
+ ssl_certificate /etc/letsencrypt/live/aldon.fr/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/aldon.fr/privkey.pem;
+
+ ssl_dhparam "/etc/dhparam";
+
+ ssl_early_data on;
+ ssl_session_cache shared:SSL:10m;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ecdh_curve x25519:x448:secp521r1:secp256r1;
+
+ ssl_prefer_server_ciphers on;
+ ssl_conf_command Options PrioritizeChaCha;
+ ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-ECDHE-ECSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:RCDHE-RSA-AES128-GCM-SHA256;
+
+ location / {
+ proxy_pass http://192.168.1.30:11000$request_uri;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-REAL-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Scheme $scheme;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Early-Data $ssl_early_data;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ # Error pages
+ error_page 502 /502.html;
+ location /502.html {
+ root /var/www/html;
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/nginx/sites-available/vaultwarden.aldon.fr b/nginx/sites-available/vaultwarden.aldon.fr
new file mode 100644
index 0000000..da8b444
--- /dev/null
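Review bot: The `ssl_ciphers` line is malformed: `ECDHE-ECDSA-CHACHA20-POLY1305-ECDHE-ECSA-AES128-GCM-SHA256` fuses two suites with `-` instead of `:` and misspells ECDSA, `RCDHE-RSA-AES128-GCM-SHA256` is a typo for `ECDHE-…`, and `ECDHE-AES256-GCM-SHA384` is not an OpenSSL suite name; OpenSSL silently drops unrecognised entries as long as at least one matches, so nginx starts but the TLS 1.2 suites actually offered are not the ones this line appears to configure. Presumably intended: `ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;` — on OpenSSL builds the leading `TLS_*` names are ignored by `ssl_ciphers` anyway, and TLS 1.3 suites are set with `ssl_conf_command Ciphersuites …` if a custom order is wanted. Since `ssl_early_data on` forwards `Early-Data $ssl_early_data`, replay protection for 0-RTT requests rests entirely on the backend at 192.168.1.30:11000 honouring that header for non-idempotent requests; a comment stating that dependency above `ssl_early_data on;` would help the next maintainer. The `if ($http_x_forwarded_proto = "http")` test acts on a client-supplied header; here it can only trigger an extra redirect to https, which is harmless, but the comment should say this server is not itself behind another proxy.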
+++ b/nginx/sites-available/vaultwarden.aldon.fr
@@ -0,0 +1,59 @@
+upstream vaultwarden-default {
+ zone vaultwarden-default 64k;
+ server 192.168.1.36:8080;
+ keepalive 2;
+}
+
+# See: https://nginx.org/en/docs/http/websocket.html
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' "";
+}
+
+# Redirect HTTP to HTTPS
+server {
+ listen 80;
+ listen [::]:80;
+ server_name vaultwarden.aldon.fr;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl http2;
+ server_name vaultwarden.aldon.fr;
+
+ ssl_certificate /etc/letsencrypt/live/aldon.fr/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/aldon.fr/privkey.pem;
+
+ add_header Strict-Transport-Security "max-age=31536000;";
+
+ #ssl_trusted_certificate /etc/letsencrypt/live/vaultwarden.aldon.fr/fullchain.pem;
+
+ client_max_body_size 525M;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ location / {
+ proxy_pass http://vaultwarden-default;
+ }
+
+ # Optionally add extra authentication besides the ADMIN_TOKEN
+ # Remove the comments below `#` and create the htpasswd_file to have it active
+ #
+ #location /admin {
+ # # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
+ # auth_basic "Private";
+ # auth_basic_user_file /path/to/htpasswd_file;
+ #
+ # proxy_pass http://vaultwarden-default;
+ #}
+}
\ No newline at end of file
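Review bot: `add_header Strict-Transport-Security "max-age=31536000;";` lacks the `always` flag, so nginx attaches it only to 2xx/3xx responses and not to the 401/403/5xx responses a password manager returns routinely (wrong master password, upstream down), which is exactly the traffic an HSTS policy should still cover; bookshelf.aldon.fr and gitea.aldon.fr in this commit already use `add_header Strict-Transport-Security "max-age=31536000" always;` and this file should match (the stray `;` inside the value is harmless but nonstandard). The two listen lines differ — `listen 443 ssl;` versus `listen [::]:443 ssl http2;` — so IPv4 clients negotiate HTTP/1.1 while IPv6 clients get HTTP/2; either add `http2` to both or drop it from both, unless the asymmetry is deliberate. The commented `/admin` block is the right place for the extra gate, but if it stays disabled a short comment noting that the admin panel is reachable through `location /` and protected only by Vaultwarden's ADMIN_TOKEN would keep that decision visible.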