nginx conf helpers

nginx/logs.esy.fun

@@ -0,0 +1,44 @@
+# Nginx configuration
+
+## Redirects all HTTP traffic to the HTTPS host
+server {
+  server_name logs.esy.fun; ## YYY
+  ## In case of conflict, either remove "default_server" from the listen line below,
+  ## or delete the /etc/nginx/sites-enabled/default file.
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+  access_log  /var/log/nginx/logs.esy_access.log;
+  error_log   /var/log/nginx/logs.esy_error.log;
+
+  root /var/log;
+  auth_basic "Admin restricted";
+  auth_basic_user_file /etc/nginx/htpasswd; 
+  index index.html;
+  location / { 
+    autoindex on;
+    try_files $uri $uri/ =404; }
+
+  location ~ ^/.*\.log$ {
+    default_type text/plain;
+    add_header Content-Disposition "inline";
+  }
+
+  listen [::]:443 ssl; # managed by Certbot
+  listen 443 ssl; # managed by Certbot
+  ssl_certificate /etc/letsencrypt/live/esy.fun/fullchain.pem; # managed by Certbot
+  ssl_certificate_key /etc/letsencrypt/live/esy.fun/privkey.pem; # managed by Certbot
+
+  ## [Optional] Enable HTTP Strict Transport Security
+  ## HSTS is a feature improving protection against MITM attacks
+  ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+}
+
+server {
+  if ($host = logs.esy.fun) {
+     return 301 https://$host$request_uri;
+  } # managed by Certbot
+  server_name logs.esy.fun;
+  listen 0.0.0.0:80;
+  listen [::]:80;
+  return 404; # managed by Certbot
+}

nginx/new-reverse-proxy.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env zsh
+
+(($#<3)) && {
+  print "usage: $0:t SUB DOMAIN"
+  exit 1
+} >&2
+
+SUB="$1"
+DOMAIN="$2"
+PORT="$3"
+
+m4 -D SUB=$SUB -D DOMAIN=$DOMAIN -D PORT=$PORT reverse-proxy-template.m4 > $SUB.$DOMAIN

nginx/new-static-website.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env zsh
+
+(($#<2)) && {
+  print "usage: $0:t SUB DOMAIN"
+  exit 1
+} >&2
+
+SUB="$1"
+DOMAIN="$2"
+
+m4 -D SUB=$SUB -D DOMAIN=$DOMAIN static-template.m4 > $SUB.$DOMAIN

nginx/reverse-proxy-template.m4

@@ -0,0 +1,57 @@
+# Nginx configuration
+
+server {
+  server_name SUB.DOMAIN;
+  access_log  /var/log/nginx/SUB_ssl_access.log;
+  error_log   /var/log/nginx/SUB_ssl_error.log;
+
+  listen *:443 ssl;
+  listen [::]:443 ssl;
+  server_tokens off;
+
+  ## SSL
+  ssl on;
+  ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; # managed by Certbot
+  ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem; # managed by Certbot
+  ssl_prefer_server_ciphers on;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 5m;
+
+  ## [Optional] Enable HTTP Strict Transport Security
+  ## HSTS is a feature improving protection against MITM attacks
+  ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
+  location / {
+	  proxy_pass http://127.0.0.1:PORT;
+	  gzip off;
+	  proxy_redirect off;
+
+          ## Some requests take more than 30 seconds.
+	  proxy_read_timeout      300;
+	  proxy_connect_timeout   300;
+	  proxy_redirect          off;
+
+	  proxy_http_version 1.1;
+
+	  proxy_set_header    Host                $http_host;
+	  proxy_set_header    X-Real-IP           $remote_addr;
+	  proxy_set_header    X-Forwarded-Ssl     on;
+	  proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+	  proxy_set_header    X-Forwarded-Proto   $scheme;
+  }
+}
+
+## Redirects all HTTP traffic to the HTTPS host
+server {
+  ## In case of conflict, either remove "default_server" from the listen line below,
+  ## or delete the /etc/nginx/sites-enabled/default file.
+  listen 0.0.0.0:80;
+  listen [::]:80;
+  server_name SUB.DOMAIN; ## YYY
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+  return 301 https://$http_host$request_uri;
+  access_log  /var/log/nginx/SUB.DOMAIN()_access.log;
+  error_log   /var/log/nginx/SUB.DOMAIN()_error.log;
+}
+

nginx/static-template.m4

@@ -0,0 +1,49 @@
+# Nginx configuration
+
+## Redirects all HTTP traffic to the HTTPS host
+server {
+  server_name SUB.DOMAIN;
+  root /var/www/SUB.DOMAIN;
+  access_log  /var/log/nginx/SUB.DOMAIN()_access.log;
+  error_log   /var/log/nginx/SUB.DOMAIN()_error.log;
+
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+
+  index index.html;
+  location / { try_files $uri $uri/ =404; }
+
+  # optimise headers
+  # imagine almost never expire
+  location ~* \.(jpg|jpeg|png|gif|ico)$ {
+       expires 30d;
+  }
+
+  listen [::]:443 http2 ssl; # managed by Certbot
+  listen 443 http2 ssl; # managed by Certbot
+  ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; # managed by Certbot
+  ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem; # managed by Certbot
+
+  # WARNING
+  # compression with HTTPS can be used to decrypt
+  # Only for public data !
+  gzip on;
+  gzip_types application/javascript image/* text/css;
+  gunzip on;
+
+  etag on;
+  ## [Optional] Enable HTTP Strict Transport Security
+  ## HSTS is a feature improving protection against MITM attacks
+  ## For more information see:
+  ##   https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+}
+
+server {
+  if ($host = SUB.DOMAIN) {
+     return 301 https://$host$request_uri;
+  } # managed by Certbot
+  server_name SUB.DOMAIN;
+  listen 0.0.0.0:80;
+  listen [::]:80;
+  return 404; # managed by Certbot
+}