====== Vhost pour le service Fichiers de Parinux ======
====== Port 80 avec let's encrypt ======
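server {
    # Plain-HTTP vhost: answers the ACME HTTP-01 challenge and sends everything
    # else to the HTTPS vhost below.
    listen 192.168.1.60:80;
    server_tokens off;
    server_name fichiers.parinux.org echanges.parinux.org transfert.parinux.org onenagros.parinux.org fichierslourds.parinux.org ;
    access_log /var/log/nginx/fichiers-access.log;
    error_log /var/log/nginx/fichiers-error.log;

    # "^~" is an anchored prefix match that also stops the regex search, so
    # only URIs that really start with /.well-known/acme-challenge/ land here.
    # (A "~ /.well-known/acme-challenge/" regex is unanchored and treats the
    # dots as wildcards, so it also fires on that string anywhere in the URI.)
    location ^~ /.well-known/acme-challenge/ {
        # Set correct content type. According to this:
        # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
        # Current specification requires "text/plain" or no content header at all.
        # It seems that "text/plain" is a safe option.
        default_type "text/plain";
        # This directory must be the same as in /etc/letsencrypt/cli.ini
        # as "webroot-path" parameter. Also don't forget to set "authenticator" parameter
        # there to "webroot".
        # Do NOT use alias, use root! With "root" the challenge files are read from:
        # /var/www/letsencrypt/.well-known/acme-challenge/
        root /var/www/letsencrypt;
    }

    # Every other request is redirected to HTTPS on the canonical name (all the
    # server_name aliases are folded onto transfert.parinux.org, path preserved).
    # No proxy directives belong here: "return" runs in the rewrite phase and
    # ends the request before any proxy_pass would be reached.
    location / {
        return 301 https://transfert.parinux.org$request_uri;
    }
}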
====== Port 443 et SSO via Oauth2 Proxy ======
Remarque : les locations /r, /partial et /download ci-dessous sont identiques ; on peut les concaténer en une seule location (partial|r|download).
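server {
    # HTTPS vhost for Lufi (192.168.1.82:8081), fronted by oauth2-proxy
    # (192.168.1.82:4180) through auth_request for the application itself;
    # the public download paths (/r, /partial, /download) and the static
    # assets bypass the SSO on purpose.
    #
    # "ssl on;" is deprecated in favour of the "ssl" parameter of "listen"
    # (and is rejected by current nginx releases), hence the form below.
    listen 192.168.1.60:443 ssl;
    server_name fichiers.parinux.org echanges.parinux.org transfert.parinux.org fichierslourds.parinux.org onenagros.parinux.org ;
    access_log /var/log/nginx/fichiers-access.log;
    error_log /var/log/nginx/fichiers-error.log;
    ssl_certificate /etc/letsencrypt/live/fichiers.parinux.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fichiers.parinux.org/privkey.pem;
    server_tokens off;
    index index index.html index.htm index.nginx-debian.html;

    # NOTE(review): "AES512" is not an OpenSSL cipher keyword as far as I know,
    # so the last two entries most likely match nothing and only the two
    # AESGCM groups are effective — check with `openssl ciphers -v '<string>'`.
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES512+EECDH:AES512+EDH;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # TLSv1.3 is not enabled; add it here once the nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Security headers for every response of this vhost.
    # nginx does NOT inherit add_header into a location that declares its own
    # add_header, so any location below that sets a header repeats this list.
    # NOTE(review): "preload" is only honoured by the HSTS preload list when
    # max-age is at least one year and includeSubDomains is present; with
    # max-age=15552000 (180 days) and no includeSubDomains the token is inert.
    add_header Strict-Transport-Security "max-age=15552000;preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    # X-XSS-Protection is a legacy header (the filter it controls has been
    # removed from current browsers); kept for older clients.
    add_header X-XSS-Protection "1; mode=block";
    # add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # --- Public (unauthenticated) Lufi paths: download links must work for
    # --- recipients who have no SSO account.
    # NOTE(review): these are prefix matches, so "/r" also covers any URI
    # starting with /r (e.g. /robots.txt). If Lufi only serves /r/<id>,
    # /partial/<id> and /download/<id> here, "/r/" "/partial/" "/download/"
    # would be the narrower form — confirm against Lufi's routes first.
    location /r {
        proxy_pass http://192.168.1.82:8081;
        # Really important! Lufi uses WebSocket, it won't work without this
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # If you want to log the remote port of the file senders, you'll need that
        proxy_set_header X-Remote-Port $remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here.
        proxy_redirect off;
    }
    location /partial {
        proxy_pass http://192.168.1.82:8081;
        # Really important! Lufi uses WebSocket, it won't work without this
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # If you want to log the remote port of the file senders, you'll need that
        proxy_set_header X-Remote-Port $remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here.
        proxy_redirect off;
    }
    location /download {
        proxy_pass http://192.168.1.82:8081;
        # Really important! Lufi uses WebSocket, it won't work without this
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # If you want to log the remote port of the file senders, you'll need that
        proxy_set_header X-Remote-Port $remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here.
        proxy_redirect off;
    }

    # --- Static assets: long-lived caching, no SSO.
    location ~* ^/(img|css|font|js)/ {
        proxy_pass http://192.168.1.82:8081;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        add_header Expires "Thu, 31 Dec 2037 23:55:55 GMT";
        add_header Cache-Control "public, max-age=315360000";
        # Repeated here because a local add_header disables inheritance of the
        # server-level headers (HSTS in particular must be on every response).
        add_header Strict-Transport-Security "max-age=15552000;preload";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
    }

    # --- oauth2-proxy endpoints (sign-in, callback, auth sub-request).
    location /oauth2/ {
        proxy_pass http://192.168.1.82:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
        # or, if you are handling multiple domains:
        # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
    }
    location = /oauth2/auth {
        proxy_pass http://192.168.1.82:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    # --- The Lufi application itself, behind the SSO.
    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;
        # # pass information via X-User and X-Email headers to backend,
        # # requires running with --set-xauthrequest flag
        auth_request_set $user $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        proxy_set_header X-User $user;
        proxy_set_header X-Email $email;
        # if you enabled --pass-access-token, this will pass the token to the backend
        auth_request_set $token $upstream_http_x_auth_request_access_token;
        proxy_set_header X-Access-Token $token;
        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;
        # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
        # limit and so the OAuth2 Proxy splits these into multiple parts.
        # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
        # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
        # NOTE(review): "auth_cookie_name_1" looks like the placeholder from the
        # oauth2-proxy example; it has to be the real cookie name followed by
        # "_1" for the split-cookie handling below to do anything — TODO confirm.
        auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;
        # Extract the Cookie attributes from the first Set-Cookie header and append them
        # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
        if ($auth_cookie ~* "(; .*)") {
            set $auth_cookie_name_0 $auth_cookie;
            set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
        }
        # Send both Set-Cookie headers now if there was a second part
        if ($auth_cookie_name_upstream_1) {
            add_header Set-Cookie $auth_cookie_name_0;
            add_header Set-Cookie $auth_cookie_name_1;
        }
        # The add_header calls above disable inheritance of the server-level
        # security headers, so they are repeated here; without this the main
        # application responses carried no HSTS / X-Frame-Options at all.
        add_header Strict-Transport-Security "max-age=15552000;preload";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Adapt this to your configuration (port, subdirectory (see below))
        proxy_pass http://192.168.1.82:8081;
        # Really important! Lufi uses WebSocket, it won't work without this
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # If you want to log the remote port of the file senders, you'll need that
        proxy_set_header X-Remote-Port $remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here.
        proxy_redirect off;
    }
}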