

Vhost pour le service Fichiers de Parinux

Port 80 avec Let's Encrypt

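server {
    # HTTP listener: serves ACME http-01 challenges from disk and redirects
    # everything else to HTTPS.
    listen  192.168.1.60:80;
    server_tokens off;

    server_name fichiers.parinux.org echanges.parinux.org transfert.parinux.org onenagros.parinux.org fichierslourds.parinux.org;
    access_log /var/log/nginx/fichiers-access.log;
    error_log /var/log/nginx/fichiers-error.log;

    # A regex location takes precedence over the "/" prefix location below, so
    # the challenge path is answered locally instead of being redirected.
    location ~ /.well-known/acme-challenge/ {
        # Set correct content type. According to this:
        # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
        # Current specification requires "text/plain" or no content header at all.
        # It seems that "text/plain" is a safe option.
        default_type "text/plain";
        # This directory must be the same as the "webroot-path" parameter in
        # /etc/letsencrypt/cli.ini (and "authenticator" must be set to "webroot"
        # there). Do NOT use alias, use root: with root, the challenge files are
        # looked up under <root>/.well-known/acme-challenge/.
        root /var/www/letsencrypt;
    }

    location / {
        # Permanent redirect to HTTPS. The target host is fixed to
        # transfert.parinux.org, so requests for the other server_name aliases
        # land on that canonical name; use https://$host$request_uri instead if
        # the requested hostname should be preserved.
        return 301 https://transfert.parinux.org$request_uri;
        # The proxy_pass / proxy_set_header / proxy_http_version directives that
        # used to follow here were unreachable ("return" ends request processing
        # in the rewrite phase) and have been removed.
    }
}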

Port 443 et SSO via OAuth2 Proxy

On peut concaténer les locations partial, r et download en une seule.

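<code>
server {
    # HTTPS front end for the Lufi file-sharing service. SSO is enforced with
    # auth_request against oauth2-proxy in "location /"; the public Lufi download
    # paths and the static assets are proxied without authentication.
    #
    # "ssl on;" is deprecated since nginx 1.15.0 in favour of "listen ... ssl",
    # which is what is used here.
    listen 192.168.1.60:443 ssl;
    server_name fichiers.parinux.org echanges.parinux.org transfert.parinux.org fichierslourds.parinux.org onenagros.parinux.org;
    access_log /var/log/nginx/fichiers-access.log;
    error_log /var/log/nginx/fichiers-error.log;
    server_tokens off;

    # The certificate must list every server_name above as a SAN, otherwise
    # clients using the other hostnames get a name-mismatch error.
    ssl_certificate /etc/letsencrypt/live/fichiers.parinux.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fichiers.parinux.org/privkey.pem;

    # Every location below proxies to a backend, so this index list is not
    # consulted in practice; kept as configured.
    index index index.html index.htm index.nginx-debian.html;

    # Forward-secret AEAD suites only. The original list also contained
    # "AES512+EECDH:AES512+EDH"; there is no AES-512 cipher, OpenSSL ignores
    # rules it cannot resolve, so those entries never selected anything.
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # TLSv1.3 can be added here once nginx (>= 1.13.0) is built against
    # OpenSSL 1.1.1 or later.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # HSTS. The original used typographic quotes (“...”), which nginx does not
    # treat as quotes: the ";" inside the value then terminated the directive
    # and the config failed to load. 15552000 s = 180 days. "preload" is only
    # read by the HSTS preload list (which additionally requires
    # includeSubDomains and max-age >= 31536000); browsers ignore the token.
    #
    # "always" (nginx >= 1.7.5) makes nginx send these headers on error
    # responses too (e.g. the 401 from auth_request), not only on 2xx/3xx.
    add_header Strict-Transport-Security "max-age=15552000;preload" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy header: current browsers ignore it and OWASP now recommends the
    # value "0"; kept as configured.
    add_header X-XSS-Protection "1; mode=block" always;
    # add_header X-Robots-Tag none;
    add_header X-Download-Options noopen always;
    add_header X-Permitted-Cross-Domain-Policies none always;

    # NOTE: nginx does not inherit add_header into a location (or an "if" block)
    # that defines its own add_header. The locations below that set headers of
    # their own therefore repeat the security headers explicitly.

    # Public (unauthenticated) Lufi download endpoints: /r/<id>, /partial/<id>
    # and /download/<id>. The anchored regex replaces the former prefix
    # locations "/r", "/partial" and "/download": a prefix location also matched
    # any other path beginning with those characters (e.g. /rXXX, /downloads),
    # which then bypassed the SSO auth_request of "location /".
    location ~ ^/(r|partial|download)/ {
        proxy_pass http://192.168.1.82:8081;
        # Really important! Lufi uses WebSocket, it won't work without this
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # If you want to log the remote port of the file senders, you'll need that
        proxy_set_header X-Remote-Port $remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here.
        proxy_redirect off;
    }

    # Static assets, served without SSO and cached aggressively by clients.
    location ~* ^/(img|css|font|js)/ {
        proxy_pass http://192.168.1.82:8081;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        add_header Expires "Thu, 31 Dec 2037 23:55:55 GMT";
        add_header Cache-Control "public, max-age=315360000";
        # Repeated because this location has add_header of its own (see NOTE above).
        add_header Strict-Transport-Security "max-age=15552000;preload" always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Download-Options noopen always;
        add_header X-Permitted-Cross-Domain-Policies none always;
    }

    # oauth2-proxy endpoints (sign-in, callback, sign-out, ...).
    location /oauth2/ {
        proxy_pass http://192.168.1.82:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
        # or, if you are handling multiple domains:
        # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
    }

    # Subrequest target for auth_request: oauth2-proxy answers 2xx when the
    # session cookie is valid and 401 otherwise.
    location = /oauth2/auth {
        proxy_pass http://192.168.1.82:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    # Everything else: SSO required, then proxied to Lufi.
    location / {
        auth_request /oauth2/auth;
        # A 401 from the subrequest becomes an internal redirect to the sign-in page.
        error_page 401 = /oauth2/sign_in;
        # Pass identity via X-User and X-Email headers to the backend;
        # requires running oauth2-proxy with the --set-xauthrequest flag.
        auth_request_set $user   $upstream_http_x_auth_request_user;
        auth_request_set $email  $upstream_http_x_auth_request_email;
        proxy_set_header X-User  $user;
        proxy_set_header X-Email $email;
        # If you enabled --pass-access-token, this forwards the provider access
        # token to the backend; only keep it if Lufi actually needs the token.
        auth_request_set $token  $upstream_http_x_auth_request_access_token;
        proxy_set_header X-Access-Token $token;
        # If you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;
        # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
        # limit and so the OAuth2 Proxy splits these into multiple parts.
        # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
        # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
        #
        # NOTE: "auth_cookie_name_1" below is the placeholder from the oauth2-proxy
        # example; it must be replaced by the real cookie name configured with
        # --cookie-name (default "_oauth2_proxy") with the "_1" suffix, in both the
        # $upstream_cookie_* variable and the literal in the "set" line.
        auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;
        # Extract the Cookie attributes from the first Set-Cookie header and append them
        # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
        if ($auth_cookie ~* "(; .*)") {
            set $auth_cookie_name_0 $auth_cookie;
            set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
        }
        # Send both Set-Cookie headers now if there was a second part.
        # Because this "if" block has add_header of its own, none of the headers
        # defined at location level (including the security headers below) are
        # sent when it matches; they are repeated here for that reason.
        if ($auth_cookie_name_upstream_1) {
            add_header Set-Cookie $auth_cookie_name_0;
            add_header Set-Cookie $auth_cookie_name_1;
            add_header Strict-Transport-Security "max-age=15552000;preload" always;
            add_header X-Content-Type-Options nosniff always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header X-Download-Options noopen always;
            add_header X-Permitted-Cross-Domain-Policies none always;
        }
        # Security headers repeated here because "add_header Set-Cookie" above
        # disables inheritance of the server-level ones (see NOTE above). This
        # is where the application itself is served, so it must not be missing
        # HSTS and the framing/content-type protections.
        add_header Strict-Transport-Security "max-age=15552000;preload" always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Download-Options noopen always;
        add_header X-Permitted-Cross-Domain-Policies none always;

        # Adapt this to your configuration (port, subdirectory (see below))
        proxy_pass http://192.168.1.82:8081;
        # Really important! Lufi uses WebSocket, it won't work without this
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # If you want to log the remote port of the file senders, you'll need that
        proxy_set_header X-Remote-Port $remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here.
        proxy_redirect off;
    }
}
</code>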

 