server { listen 192.168.1.60:80; server_tokens off; server_name fichiers.parinux.org echanges.parinux.org transfert.parinux.org onenagros.parinux.org fichierslourds.parinux.org ; access_log /var/log/nginx/fichiers-access.log; error_log /var/log/nginx/fichiers-error.log; location ~ /.well-known/acme-challenge/ { # Set correct content type. According to this: # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29 # Current specification requires "text/plain" or no content header at all. # It seems that "text/plain" is a safe option. default_type "text/plain"; # This directory must be the same as in /etc/letsencrypt/cli.ini # as "webroot-path" parameter. Also don't forget to set "authenticator" parameter # there to "webroot". # Do NOT use alias, use root! Target directory is located here: # /var/www/common/letsencrypt/.well-known/acme-challenge/ root /var/www/letsencrypt; } location / { return 301 https://transfert.parinux.org$request_uri; proxy_pass http://192.168.1.82/; proxy_set_header Host $host; proxy_http_version 1.1; } }
on peut concaténer partial|r|download
server { listen 192.168.1.60:443; server_name fichiers.parinux.org echanges.parinux.org transfert.parinux.org fichierslourds.parinux.org onenagros.parinux.org ; access_log /var/log/nginx/fichiers-access.log; error_log /var/log/nginx/fichiers-error.log; ssl on; ssl_certificate /etc/letsencrypt/live/fichiers.parinux.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/fichiers.parinux.org/privkey.pem; server_tokens off; index index index.html index.htm index.nginx-debian.html; ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES512+EECDH:AES512+EDH; ssl_dhparam /etc/nginx/ssl/dhparam.pem; add_header Strict-Transport-Security "max-age=15552000;preload"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; # add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; location /r { proxy_pass http://192.168.1.82:8081; # Really important! Lufi uses WebSocket, it won't work without this proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # If you want to log the remote port of the file senders, you'll need that proxy_set_header X-Remote-Port $remote_port; proxy_set_header X-Forwarded-Proto $scheme; # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here. proxy_redirect off; } location /partial { proxy_pass http://192.168.1.82:8081; # Really important! Lufi uses WebSocket, it won't work without this proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # If you want to log the remote port of the file senders, you'll need that proxy_set_header X-Remote-Port $remote_port; proxy_set_header X-Forwarded-Proto $scheme; # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here. proxy_redirect off; } location /download { proxy_pass http://192.168.1.82:8081; # Really important! Lufi uses WebSocket, it won't work without this proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # If you want to log the remote port of the file senders, you'll need that proxy_set_header X-Remote-Port $remote_port; proxy_set_header X-Forwarded-Proto $scheme; # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here. proxy_redirect off; } location ~* ^/(img|css|font|js)/ { proxy_pass http://192.168.1.82:8081; proxy_set_header Host $host; proxy_http_version 1.1; add_header Expires "Thu, 31 Dec 2037 23:55:55 GMT"; add_header Cache-Control "public, max-age=315360000"; } location /oauth2/ { proxy_pass http://192.168.1.82:4180; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; proxy_set_header X-Auth-Request-Redirect $request_uri; # or, if you are handling multiple domains: # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri; } location = /oauth2/auth { proxy_pass http://192.168.1.82:4180; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; # nginx auth_request includes headers but not body proxy_set_header Content-Length ""; proxy_pass_request_body off; } location / { auth_request /oauth2/auth; error_page 401 = /oauth2/sign_in; # # pass information via X-User and X-Email headers to backend, # # requires running with --set-xauthrequest flag auth_request_set $user $upstream_http_x_auth_request_user; auth_request_set $email $upstream_http_x_auth_request_email; proxy_set_header X-User $user; proxy_set_header X-Email $email; # if you enabled --pass-access-token, this will pass the token to the backend auth_request_set $token $upstream_http_x_auth_request_access_token; proxy_set_header X-Access-Token $token; # if you enabled --cookie-refresh, this is needed for it to work with auth_request auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb # limit and so the OAuth2 Proxy splits these into multiple parts. # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response, # so if your cookies are larger than 4kb, you will need to extract additional cookies manually. auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1; # Extract the Cookie attributes from the first Set-Cookie header and append them # to the second part ($upstream_cookie_* variables only contain the raw cookie content) if ($auth_cookie ~* "(; .*)") { set $auth_cookie_name_0 $auth_cookie; set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1"; } # Send both Set-Cookie headers now if there was a second part if ($auth_cookie_name_upstream_1) { add_header Set-Cookie $auth_cookie_name_0; add_header Set-Cookie $auth_cookie_name_1; } # HTTPS only header, improves security #add_header Strict-Transport-Security "max-age=15768000"; # Adapt this to your configuration (port, subdirectory (see below)) proxy_pass http://192.168.1.82:8081; # Really important! Lufi uses WebSocket, it won't work without this proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # If you want to log the remote port of the file senders, you'll need that proxy_set_header X-Remote-Port $remote_port; proxy_set_header X-Forwarded-Proto $scheme; # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here. proxy_redirect off; } }