Vhost pour le service Fichiers de Parinux

Port 80 avec Let's Encrypt

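# Port 80: answers the ACME HTTP-01 challenge for Let's Encrypt and redirects
# every other request to HTTPS. No application traffic is served in clear text.
server {
    listen 192.168.1.60:80;
    server_tokens off;

    server_name fichiers.parinux.org echanges.parinux.org transfert.parinux.org onenagros.parinux.org fichierslourds.parinux.org;
    access_log /var/log/nginx/fichiers-access.log;
    error_log /var/log/nginx/fichiers-error.log;

    # ACME HTTP-01 challenge. "^~" is a literal, anchored prefix match; the
    # original "~ /.well-known/acme-challenge/" was an unanchored regex whose
    # unescaped "." matched any character.
    location ^~ /.well-known/acme-challenge/ {
        # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
        # The spec requires "text/plain" or no Content-Type at all; "text/plain" is safe.
        default_type "text/plain";
        # Must be the same directory as "webroot-path" in /etc/letsencrypt/cli.ini
        # (with "authenticator" set to "webroot" there). Use root, not alias:
        # the challenge files are expected under <root>/.well-known/acme-challenge/.
        # NOTE(review): the original comment named /var/www/common/letsencrypt,
        # which does not match this root -- confirm which path certbot writes to.
        root /var/www/letsencrypt;
    }

    location / {
        # Everything else goes to HTTPS. Note that every name listed in
        # server_name is sent to transfert.parinux.org rather than to $host.
        return 301 https://transfert.parinux.org$request_uri;
        # The proxy_pass / proxy_set_header lines that followed the return in
        # the original were unreachable ("return" ends request processing) and
        # have been dropped.
    }
}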

Port 443 et SSO via OAuth2 Proxy

On peut concaténer les locations partial|r|download.

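# Port 443: TLS termination and SSO via OAuth2 Proxy (auth_request) in front
# of Lufi on 192.168.1.82:8081. The public Lufi paths (/r, /partial, /download
# and the static assets) deliberately bypass the SSO so recipients can fetch
# files without an account.
server {
    # "ssl" on the listen line replaces the deprecated "ssl on;" directive.
    listen 192.168.1.60:443 ssl;
    server_name fichiers.parinux.org echanges.parinux.org transfert.parinux.org fichierslourds.parinux.org onenagros.parinux.org;
    access_log /var/log/nginx/fichiers-access.log;
    error_log /var/log/nginx/fichiers-error.log;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/fichiers.parinux.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fichiers.parinux.org/privkey.pem;
    # NOTE(review): one certificate covers all the server_name entries only if
    # it carries them as SANs -- confirm against the issued certificate.

    # TLS 1.2 only, forward-secret AES-GCM suites first. "AES256" replaces the
    # original "AES512": AES512 is not an OpenSSL cipher keyword, so those two
    # entries selected nothing.
    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # Every location below proxies to a backend, so index is effectively unused
    # (the stray bare "index" file name from the original is dropped).
    index index.html index.htm index.nginx-debian.html;

    # Response security headers.
    # nginx does NOT inherit add_header into a location that declares its own
    # add_header, so the same set is repeated below in "location /" (which adds
    # Set-Cookie) and in the static-asset location (which adds Expires and
    # Cache-Control). Without the repetition those responses -- most of the
    # traffic -- carried none of these headers.
    # HSTS: the browser preload list only accepts "preload" together with
    # max-age >= 31536000 and includeSubDomains; 15552000 (180 days) keeps the
    # original policy but will not qualify for preloading.
    add_header Strict-Transport-Security "max-age=15552000;preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
#    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Public Lufi endpoints, reachable without SSO so that recipients can
    # download. The regex is exactly the union of the three former prefix
    # locations "/r", "/partial" and "/download": no trailing slash is
    # required, so any URI starting with one of them (e.g. /robots.txt) is
    # served unauthenticated, as before.
    location ~ ^/(r|partial|download) {
        proxy_pass http://192.168.1.82:8081;
        # Lufi uses WebSocket; the Upgrade/Connection headers are mandatory
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Lets Lufi log the remote port of file senders
        proxy_set_header X-Remote-Port $remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The backend redirects to the right hostname itself; do not rewrite Location
        proxy_redirect off;
    }

    # Static assets: long-lived caching, no SSO.
    location ~* ^/(img|css|font|js)/ {
        proxy_pass http://192.168.1.82:8081;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        add_header Expires "Thu, 31 Dec 2037 23:55:55 GMT";
        add_header Cache-Control "public, max-age=315360000";
        # Repeated here because the add_header lines above cancel inheritance
        # of the server-level security headers.
        add_header Strict-Transport-Security "max-age=15552000;preload";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
    }

    # OAuth2 Proxy itself (sign-in pages, callback, ...)
    location /oauth2/ {
        proxy_pass http://192.168.1.82:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
        # or, if you are handling multiple domains:
        # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
    }

    # Subrequest target for auth_request: headers only, no body.
    location = /oauth2/auth {
        proxy_pass http://192.168.1.82:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        # nginx auth_request forwards headers but not the body
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    # Everything else: SSO-protected Lufi.
    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # Pass X-User / X-Email to the backend (needs --set-xauthrequest)
        auth_request_set $user   $upstream_http_x_auth_request_user;
        auth_request_set $email  $upstream_http_x_auth_request_email;
        proxy_set_header X-User  $user;
        proxy_set_header X-Email $email;

        # With --pass-access-token, forward the token as well
        auth_request_set $token  $upstream_http_x_auth_request_access_token;
        proxy_set_header X-Access-Token $token;

        # Needed for --cookie-refresh to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # Security headers, repeated because the Set-Cookie add_header above
        # stops the server-level ones from being inherited into this location.
        add_header Strict-Transport-Security "max-age=15552000;preload";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;

        # With --set-authorization-header some providers' cookies exceed the
        # 4kb limit and OAuth2 Proxy splits them. nginx only copies the first
        # Set-Cookie header from the auth_request, so the second part is
        # extracted by hand.
        auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

        # Copy the attributes of the first Set-Cookie onto the second part
        # ($upstream_cookie_* variables only hold the raw cookie value)
        if ($auth_cookie ~* "(; .*)") {
            set $auth_cookie_name_0 $auth_cookie;
            set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
        }

        # Send both Set-Cookie headers when there was a second part.
        # NOTE(review): this "if" declares its own add_header, so on that path
        # presumably only these two headers are emitted at this level --
        # confirm whether the security headers are wanted there too.
        if ($auth_cookie_name_upstream_1) {
            add_header Set-Cookie $auth_cookie_name_0;
            add_header Set-Cookie $auth_cookie_name_1;
        }

        # Lufi backend (adapt port / subdirectory to your setup)
        proxy_pass http://192.168.1.82:8081;

        # Lufi uses WebSocket; the Upgrade/Connection headers are mandatory
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Lets Lufi log the remote port of file senders
        proxy_set_header X-Remote-Port $remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The backend redirects to the right hostname itself; do not rewrite Location
        proxy_redirect off;
    }
}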

 