si:lufi


si:lufi [2021/02/22 12:13] – créée dinosi:lufi [2021/02/22 12:14] (Version actuelle) dino
Ligne 1: Ligne 1:
 +====== Vhost pour le service Fichiers de Parinux ======
 +
 +====== Port 80 avec let's encrypt ======
 +
 +<code>
 +
 +server {
 +listen  192.168.1.60:80;
 +server_tokens off;
 +
 +
 +server_name fichiers.parinux.org echanges.parinux.org transfert.parinux.org onenagros.parinux.org fichierslourds.parinux.org ;
 +access_log /var/log/nginx/fichiers-access.log;
 +error_log /var/log/nginx/fichiers-error.log;
 +
 + location ~ /.well-known/acme-challenge/ {
 +# Set correct content type. According to this:
 +# https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
 +# Current specification requires "text/plain" or no content header at all.
 +# It seems that "text/plain" is a safe option.
 + default_type "text/plain";
 +# This directory must be the same as in /etc/letsencrypt/cli.ini
 +# as "webroot-path" parameter. Also don't forget to set "authenticator" parameter
 +# there to "webroot".
 +# Do NOT use alias, use root! Target directory is located here:
 +# /var/www/common/letsencrypt/.well-known/acme-challenge/
 + root /var/www/letsencrypt;
 + }
 + location / {
 + return 301 https://transfert.parinux.org$request_uri;
 +                proxy_pass http://192.168.1.82/;
 +                proxy_set_header Host  $host;
 +                proxy_http_version 1.1;
 + }
 +}
 +</code>
 +
 +
 +
 +====== Port 443 et SSO via Oauth2 Proxy ======
 +
 +on peut concaténer partial|r|download
 +
 +
 +<code>
 +server {
 +    listen 192.168.1.60:443;
 +    server_name fichiers.parinux.org echanges.parinux.org transfert.parinux.org fichierslourds.parinux.org  onenagros.parinux.org ;
 +    access_log /var/log/nginx/fichiers-access.log;
 +    error_log /var/log/nginx/fichiers-error.log;
 +
 +    ssl on;
 +    ssl_certificate /etc/letsencrypt/live/fichiers.parinux.org/fullchain.pem; 
 +    ssl_certificate_key /etc/letsencrypt/live/fichiers.parinux.org/privkey.pem;
 +  server_tokens off;
 +
 +        index index index.html index.htm index.nginx-debian.html;
 +
 +
 + ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES512+EECDH:AES512+EDH;
 + ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 +
 +add_header Strict-Transport-Security "max-age=15552000;preload";
 +
 + ssl_session_cache shared:SSL:1m;
 + ssl_session_timeout  5m;
 + ssl_protocols TLSv1.2;
 +
 + ssl_prefer_server_ciphers on;
 +
 +
 +    add_header X-Content-Type-Options nosniff;
 +    add_header X-Frame-Options "SAMEORIGIN";
 +    add_header X-XSS-Protection "1; mode=block";
 +#    add_header X-Robots-Tag none;
 +    add_header X-Download-Options noopen;
 +    add_header X-Permitted-Cross-Domain-Policies none;
 +
 +location /r {
 +        proxy_pass http://192.168.1.82:8081;
 +        # Really important! Lufi uses WebSocket, it won't work without this
 +        proxy_set_header Upgrade $http_upgrade;
 +        proxy_set_header Connection "upgrade";
 +
 +        proxy_http_version 1.1;
 +        proxy_set_header Host $host;
 +        proxy_set_header X-Real-IP $remote_addr;
 +        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 +
 +        # If you want to log the remote port of the file senders, you'll need that
 +        proxy_set_header X-Remote-Port $remote_port;
 +
 +        proxy_set_header X-Forwarded-Proto $scheme;
 +
 +        # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here.
 +        proxy_redirect     off;
 +
 +        }
 +
 +
 +location /partial {
 +        proxy_pass http://192.168.1.82:8081;
 +        # Really important! Lufi uses WebSocket, it won't work without this
 +        proxy_set_header Upgrade $http_upgrade;
 +        proxy_set_header Connection "upgrade";
 +
 +        proxy_http_version 1.1;
 +        proxy_set_header Host $host;
 +        proxy_set_header X-Real-IP $remote_addr;
 +        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 +
 +        # If you want to log the remote port of the file senders, you'll need that
 +        proxy_set_header X-Remote-Port $remote_port;
 +
 +        proxy_set_header X-Forwarded-Proto $scheme;
 +
 +        # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here.
 +        proxy_redirect     off;
 +
 +
 +        }
 +
 +location /download {
 +        proxy_pass http://192.168.1.82:8081;
 +        # Really important! Lufi uses WebSocket, it won't work without this
 +        proxy_set_header Upgrade $http_upgrade;
 +        proxy_set_header Connection "upgrade";
 +
 +        proxy_http_version 1.1;
 +        proxy_set_header Host $host;
 +        proxy_set_header X-Real-IP $remote_addr;
 +        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 +
 +        # If you want to log the remote port of the file senders, you'll need that
 +        proxy_set_header X-Remote-Port $remote_port;
 +
 +        proxy_set_header X-Forwarded-Proto $scheme;
 +
 +        # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here.
 +        proxy_redirect     off;
 +
 +
 +        }
 +
 +location ~* ^/(img|css|font|js)/ {
 +        proxy_pass http://192.168.1.82:8081;
 +        proxy_set_header Host      $host;
 +        proxy_http_version 1.1;
 +        add_header Expires "Thu, 31 Dec 2037 23:55:55 GMT";
 +        add_header Cache-Control "public, max-age=315360000";
 +}
 +
 +location /oauth2/ {
 + proxy_pass   http://192.168.1.82:4180;
 + proxy_set_header Host $host;
 + proxy_set_header X-Real-IP   $remote_addr;
 + proxy_set_header X-Scheme $scheme;
 + proxy_set_header X-Auth-Request-Redirect $request_uri;
 + # or, if you are handling multiple domains:
 + # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
 + }
 +
 +location = /oauth2/auth {
 + proxy_pass   http://192.168.1.82:4180;
 + proxy_set_header Host $host;
 + proxy_set_header X-Real-IP $remote_addr;
 + proxy_set_header X-Scheme $scheme;
 + # nginx auth_request includes headers but not body
 + proxy_set_header Content-Length   "";
 + proxy_pass_request_body   off;
 + }
 +
 +location   / {
 + auth_request /oauth2/auth;
 + error_page 401 = /oauth2/sign_in;
 +
 + # # pass information via X-User and X-Email headers to backend,
 + # # requires running with --set-xauthrequest flag
 + auth_request_set $user   $upstream_http_x_auth_request_user;
 + auth_request_set $email  $upstream_http_x_auth_request_email;
 + proxy_set_header X-User  $user;
 + proxy_set_header X-Email $email;
 +
 + # if you enabled --pass-access-token, this will pass the token to the backend
 + auth_request_set $token  $upstream_http_x_auth_request_access_token;
 + proxy_set_header X-Access-Token $token;
 +
 + # if you enabled --cookie-refresh, this is needed for it to work with auth_request
 + auth_request_set $auth_cookie $upstream_http_set_cookie;
 + add_header Set-Cookie $auth_cookie;
 +
 + # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
 + # limit and so the OAuth2 Proxy splits these into multiple parts.
 + # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
 + # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
 + auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;
 +
 + # Extract the Cookie attributes from the first Set-Cookie header and append them
 + # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
 + if ($auth_cookie ~* "(; .*)") {
 + set $auth_cookie_name_0 $auth_cookie;
 + set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
 + }
 +
 + # Send both Set-Cookie headers now if there was a second part
 + if ($auth_cookie_name_upstream_1) {
 + add_header Set-Cookie $auth_cookie_name_0;
 + add_header Set-Cookie $auth_cookie_name_1;
 + }
 +
 +         # HTTPS only header, improves security
 +         #add_header Strict-Transport-Security "max-age=15768000";
 +
 +         # Adapt this to your configuration (port, subdirectory (see below))
 +         proxy_pass  http://192.168.1.82:8081;
 +
 +         # Really important! Lufi uses WebSocket, it won't work without this
 +         proxy_set_header Upgrade $http_upgrade;
 +         proxy_set_header Connection "upgrade";
 +         proxy_http_version 1.1;
 +         proxy_set_header Host $host;
 +         proxy_set_header X-Real-IP $remote_addr;
 +         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 +
 +         # If you want to log the remote port of the file senders, you'll need that
 +         proxy_set_header X-Remote-Port $remote_port;
 +         proxy_set_header X-Forwarded-Proto $scheme;
 +
 +         # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here.
 +         proxy_redirect     off;
 +    }
 +}
 +</code>
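Review bot: The hardening headers set at server level in the 443 vhost (the `Strict-Transport-Security` line and the `X-Content-Type-Options` … `X-Permitted-Cross-Domain-Policies` block) are silently dropped for the SSO-protected `location /` and for the static-asset location, because nginx only inherits `add_header` from the enclosing level when the location declares no `add_header` of its own — and `location /` declares `add_header Set-Cookie $auth_cookie;` (plus the two inside the `if`), while `location ~* ^/(img|css|font|js)/` declares `Expires` and `Cache-Control`. Put the six security headers in a snippet and repeat them wherever they are overridden, e.g. `include snippets/security-headers.conf;` in the server block, in `location /` and in the assets location, so the main application pages actually receive HSTS and the framing/sniffing protections. Separately, `Strict-Transport-Security "max-age=15552000;preload"` does not meet the preload-list requirements (they need `includeSubDomains` and a max-age of at least one year), so either drop `preload` or switch to `max-age=31536000; includeSubDomains; preload` once every subdomain is known to serve HTTPS. In the port-80 vhost the `proxy_pass`/`proxy_set_header` lines after `return 301 …` are unreachable and can be deleted, and `ssl on;` is deprecated (removed in recent nginx releases) — use `listen 192.168.1.60:443 ssl;` instead. The `AES512+EECDH:AES512+EDH` tokens in `ssl_ciphers` name a cipher that does not exist and, as far as I can tell, are simply ignored by OpenSSL, leaving the two AES-GCM rules as the effective list — harmless, but worth cleaning up so the intent (`AES256`) is explicit.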