add docker support

author: iCrawl <[email protected]> 2020-12-24 20:16:00 +0100
committer: iCrawl <[email protected]> 2020-12-26 21:00:53 +0100
commit: 5d2d46d8dca912614d6893a9f3ff30a487e76a77 (patch)
tree: 7d45769f3c88aa6346483abcaa4370f67fced603 /docker/nginx
parent: Merge pull request #230 from WeebDev/fix/chunk-uploads (diff)
download: host.fuwn.me-5d2d46d8dca912614d6893a9f3ff30a487e76a77.tar.xz
host.fuwn.me-5d2d46d8dca912614d6893a9f3ff30a487e76a77.zip
7 files changed, 160 insertions, 0 deletions
diff --git a/docker/nginx/Dockerfile b/docker/nginx/Dockerfile
new file mode 100644
index 0000000..60626ba
--- /dev/null
+++ b/docker/nginx/Dockerfile
@@ -0,0 +1,5 @@
+FROM nginx
+
+COPY nginxconfig.io /etc/nginx/nginxconfig.io
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY chibisafe.moe.conf /etc/nginx/conf.d/chibisafe.moe.conf
diff --git a/docker/nginx/chibisafe.moe.http.example.conf b/docker/nginx/chibisafe.moe.http.example.conf
new file mode 100644
index 0000000..0a0d507
--- /dev/null
+++ b/docker/nginx/chibisafe.moe.http.example.conf
@@ -0,0 +1,21 @@
+server {
+    listen              80;
+    listen              [::]:80;
+    server_name         chibisafe.moe;
+
+    # security
+    include             nginxconfig.io/security.conf;
+
+    # logging
+    access_log          /var/log/nginx/chibisafe.moe.access.log;
+    error_log           /var/log/nginx/chibisafe.moe.error.log warn;
+
+    # reverse proxy
+    location / {
+        proxy_pass http://localhost:5000;
+        include    nginxconfig.io/proxy.conf;
+    }
+
+    # additional config
+    include nginxconfig.io/general.conf;
+}
diff --git a/docker/nginx/chibisafe.moe.https.example.conf b/docker/nginx/chibisafe.moe.https.example.conf
new file mode 100644
index 0000000..fce9e9a
--- /dev/null
+++ b/docker/nginx/chibisafe.moe.https.example.conf
@@ -0,0 +1,32 @@
+server {
+    listen              443 ssl http2;
+    listen              [::]:443 ssl http2;
+    server_name         chibisafe.moe;
+
+    # SSL
+    ssl_certificate     /etc/nginx/ssl/chibisafe.moe.crt;
+    ssl_certificate_key /etc/nginx/ssl/chibisafe.moe.key;
+
+    # security
+    include             nginxconfig.io/security.conf;
+
+    # logging
+    access_log          /var/log/nginx/chibisafe.moe.access.log;
+    error_log           /var/log/nginx/chibisafe.moe.error.log warn;
+
+    # reverse proxy
+    location / {
+        proxy_pass http://localhost:5000;
+        include    nginxconfig.io/proxy.conf;
+    }
+
+    # additional config
+    include nginxconfig.io/general.conf;
+}
+
+# HTTP redirect
+server {
+    listen 80;
+    listen [::]:80;
+    return 301 https://$server_name$request_uri;
+}
diff --git a/docker/nginx/nginx.conf b/docker/nginx/nginx.conf
new file mode 100644
index 0000000..a878b9b
--- /dev/null
+++ b/docker/nginx/nginx.conf
@@ -0,0 +1,54 @@
+# Generated by nginxconfig.io
+# https://www.digitalocean.com/community/tools/nginx?domains.0.server.domain=tourneys.naval-base.com&domains.0.server.documentRoot=&domains.0.https.certType=custom&domains.0.php.php=false&domains.0.reverseProxy.reverseProxy=true&domains.0.reverseProxy.proxyPass=http%3A%2F%2F127.0.0.1%3A3001&domains.0.routing.root=false&domains.0.logging.accessLog=true&domains.0.logging.errorLog=true
+
+user                 www-data;
+pid                  /run/nginx.pid;
+worker_processes     auto;
+worker_rlimit_nofile 65535;
+
+events {
+    multi_accept       on;
+    worker_connections 65535;
+}
+
+http {
+    charset              utf-8;
+    sendfile             on;
+    tcp_nopush           on;
+    tcp_nodelay          on;
+    server_tokens        off;
+    log_not_found        off;
+    types_hash_max_size  2048;
+    client_max_body_size 90M;
+	client_body_timeout  600s;
+
+    # MIME
+    include              mime.types;
+    default_type         application/octet-stream;
+
+    # Logging
+    access_log           /var/log/nginx/access.log;
+    error_log            /var/log/nginx/error.log warn;
+
+    # SSL
+    ssl_session_timeout  1d;
+    ssl_session_cache    shared:SSL:10m;
+    ssl_session_tickets  off;
+
+    # Diffie-Hellman parameter for DHE ciphersuites
+    # ssl_dhparam          /etc/nginx/dhparam.pem;
+
+    # Mozilla Intermediate configuration
+    ssl_protocols        TLSv1.2 TLSv1.3;
+    ssl_ciphers          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+    # OCSP Stapling
+    ssl_stapling         off;
+    ssl_stapling_verify  off;
+    resolver             1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
+    resolver_timeout     2s;
+
+    # Load configs
+    include              /etc/nginx/conf.d/*.conf;
+    # include              /etc/nginx/sites-enabled/*;
+}
diff --git a/docker/nginx/nginxconfig.io/general.conf b/docker/nginx/nginxconfig.io/general.conf
new file mode 100644
index 0000000..a9df8d6
--- /dev/null
+++ b/docker/nginx/nginxconfig.io/general.conf
@@ -0,0 +1,18 @@
+# favicon.ico
+location = /favicon.ico {
+    log_not_found off;
+    access_log    off;
+}
+
+# robots.txt
+location = /robots.txt {
+    log_not_found off;
+    access_log    off;
+}
+
+# gzip
+gzip            on;
+gzip_vary       on;
+gzip_proxied    any;
+gzip_comp_level 6;
+gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
diff --git a/docker/nginx/nginxconfig.io/proxy.conf b/docker/nginx/nginxconfig.io/proxy.conf
new file mode 100644
index 0000000..874b041
--- /dev/null
+++ b/docker/nginx/nginxconfig.io/proxy.conf
@@ -0,0 +1,18 @@
+proxy_http_version                 1.1;
+proxy_cache_bypass                 $http_upgrade;
+
+# Proxy headers
+proxy_set_header Upgrade           $http_upgrade;
+proxy_set_header Connection        "upgrade";
+proxy_set_header Host              $host;
+proxy_set_header X-Real-IP         $remote_addr;
+proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host  $host;
+proxy_set_header X-Forwarded-Port  $server_port;
+proxy_set_header X-NginX-Proxy     true;
+
+# Proxy timeouts
+proxy_connect_timeout              60s;
+proxy_send_timeout                 60s;
+proxy_read_timeout                 60s;
diff --git a/docker/nginx/nginxconfig.io/security.conf b/docker/nginx/nginxconfig.io/security.conf
new file mode 100644
index 0000000..03b1ef6
--- /dev/null
+++ b/docker/nginx/nginxconfig.io/security.conf
@@ -0,0 +1,12 @@
+# security headers
+add_header X-Frame-Options           "SAMEORIGIN" always;
+add_header X-XSS-Protection          "1; mode=block" always;
+add_header X-Content-Type-Options    "nosniff" always;
+add_header Referrer-Policy           "no-referrer-when-downgrade" always;
+add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline' 'unsafe-eval'" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+# . files
+location ~ /\.(?!well-known) {
+    deny all;
+}
author	iCrawl <[email protected]>	2020-12-24 20:16:00 +0100
committer	iCrawl <[email protected]>	2020-12-26 21:00:53 +0100
commit	5d2d46d8dca912614d6893a9f3ff30a487e76a77 (patch)
tree	7d45769f3c88aa6346483abcaa4370f67fced603 /docker/nginx
parent	Merge pull request #230 from WeebDev/fix/chunk-uploads (diff)
download	host.fuwn.me-5d2d46d8dca912614d6893a9f3ff30a487e76a77.tar.xz host.fuwn.me-5d2d46d8dca912614d6893a9f3ff30a487e76a77.zip