
@MKRhere
Last active May 12, 2025 12:37
up
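# Reverse-proxy site template. <DOMAIN.TLD> and <PORT> are placeholders that
# must be substituted before nginx loads this file.
server {
    server_name <DOMAIN.TLD>;

    location / {
        proxy_pass http://localhost:<PORT>;

        # Upgrade (e.g. WebSocket) support. Upgrade and Connection are
        # hop-by-hop headers, so nginx forwards neither unless told to;
        # passing Upgrade alone leaves the upstream with an incomplete
        # handshake, hence the explicit Connection header.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_cache_bypass $http_upgrade;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        # $proxy_add_x_forwarded_for appends the connecting address to the
        # X-Forwarded-For value the client sent. Everything before the last
        # entry is client-supplied, so the upstream should not use it for
        # access control or rate limiting.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    ssl_certificate /etc/nginx/sites/<DOMAIN.TLD>/fullchain.crt;
    ssl_certificate_key /etc/nginx/sites/<DOMAIN.TLD>/cert.key;

    # Shared listen directives and response headers. Note that the shared
    # file sets Content-Security-Policy "default-src 'self';" on proxied
    # responses as well; an application that loads inline or third-party
    # assets needs its own policy.
    include /etc/nginx/ssl/common.conf;
}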
# filename: /etc/nginx/ssl/.conf
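# Catch-all plain-HTTP listener: every request arriving on port 80 is answered
# with a permanent redirect to the same host and URI over HTTPS.
# (The block keyword was misspelled "erver", which nginx rejects as an
# unknown directive.)
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # $host comes from the request itself, so as default_server this redirects
    # to whatever host name the client asked for, not to a fixed site name.
    return 301 https://$host$request_uri;
}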
# Shared TLS settings. They sit outside any server block in this file.

# Session resumption: a 10 MB cache named MozSSL shared between workers, with
# sessions kept for 1440 minutes (24 hours).
# NOTE(review): ssl_session_tickets is not set here, so nginx's default (on)
# applies; confirm whether ticket handling is configured elsewhere.
ssl_session_cache shared:MozSSL:10m;
ssl_session_timeout 1440m;
# Only TLS 1.2 and TLS 1.3 are accepted.
ssl_protocols TLSv1.2 TLSv1.3;
# The server's cipher order wins over the client's.
ssl_prefer_server_ciphers on;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
# Every suite listed is AEAD (AES-GCM or ChaCha20-Poly1305) with an ephemeral
# ECDHE or DHE key exchange. This list governs TLS 1.2; TLS 1.3 suites are not
# selected through ssl_ciphers.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
# Diffie-Hellman parameters for the DHE-RSA suites above. The file must exist
# before nginx starts; how it is generated is not shown here.
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# OCSP stapling with verification of the stapled response.
# NOTE(review): nginx's documentation asks for a `resolver` to look up the
# OCSP responder and an `ssl_trusted_certificate` chain for
# ssl_stapling_verify; neither appears in this file. Confirm they are set
# elsewhere, otherwise stapling may silently not happen.
ssl_stapling on;
ssl_stapling_verify on;
# filename: /etc/nginx/ssl/common.conf
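# Listeners shared by every site that includes this file: QUIC (HTTP/3) and
# TLS (HTTP/1.1 and HTTP/2) on port 443, IPv4 and IPv6.
# QUIC runs over UDP, so UDP/443 must be reachable as well as TCP/443.
listen 443 quic;
listen 443 ssl;
listen [::]:443 quic;
listen [::]:443 ssl;
http2 on;
http3 on;

# Security response headers.
# `always` attaches them to error responses (4xx/5xx) too; without it nginx
# adds them only to success and redirect statuses, so an error page would go
# out with no HSTS, framing or CSP protection.
# add_header is inherited from this level only while the location defines no
# add_header of its own; a location that adds even one header must repeat
# these.

# Two-year HSTS. includeSubDomains and preload commit every subdomain to
# HTTPS and are slow to undo; keep them only if all subdomains serve TLS.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header Content-Security-Policy "default-src 'self';" always;
# Legacy header that current browsers ignore; the CSP above is the effective
# control.
add_header X-XSS-Protection "1; mode=block" always;
# "origin" sends the site origin as referrer to every destination, including
# plain-HTTP ones; "strict-origin" would withhold it on a downgrade.
add_header Referrer-Policy "origin" always;
# Advertise HTTP/3 on port 443 for 86400 seconds.
add_header Alt-Svc 'h3=":443"; ma=86400';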
# Static-site template. <DOMAIN.TLD> and <WEBROOT> are placeholders that must
# be replaced before nginx loads this file.
server {
    server_name <DOMAIN.TLD>;

    # Certificate chain and private key for this domain.
    ssl_certificate /etc/nginx/sites/<DOMAIN.TLD>/fullchain.crt;
    ssl_certificate_key /etc/nginx/sites/<DOMAIN.TLD>/cert.key;

    # Shared listen directives and response headers.
    include /etc/nginx/ssl/common.conf;

    root <WEBROOT>;
    index index.html;

    location / {
        # Lookup order: the exact file, the directory, "<uri>.html", then
        # "<uri>/index.html"; anything else is a 404.
        # NOTE(review): nothing here excludes hidden files, so a .git
        # directory or .env file under <WEBROOT> would be served like any
        # other file. Confirm the web root never contains them.
        try_files $uri $uri/ $uri.html $uri/index.html =404;
    }
}
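#!/bin/bash
#
# up - manage per-domain nginx site configs and their TLS certificates.
#
# Usage:
#   up issue  <domain>            issue a certificate with acme.sh (dns_dgon
#                                 DNS hook) and install it under
#                                 /etc/nginx/sites/<domain>/
#   up proxy  <domain> <port>     install the reverse-proxy template
#   up static <domain> <webroot>  install the static-site template
#   up kill   <domain>            remove the site config and its include line
#
# Environment:
#   DO_API_KEY  DigitalOcean API token consumed by acme.sh's dns_dgon hook.
#               It is taken from the caller's environment and never stored in
#               this file.
#
# NOTE(review): the script writes under /etc/nginx and calls
# /root/.acme.sh/acme.sh, so it is presumably run as root. Every argument is
# therefore validated before it reaches a path or a sed expression.

set -euo pipefail
IFS=$'\n\t'

# Do not hard-code the API token here. This file is shared, and a token that
# has ever been committed or published must be revoked and reissued.
# NOTE(review): acme.sh normally remembers DO_API_KEY in its own account
# config after the first successful issue, so later runs may not need it in
# the environment at all - confirm on the target host.
if [[ -n "${DO_API_KEY:-}" ]]; then
  export DO_API_KEY
fi
export ACME=/root/.acme.sh/acme.sh

readonly SITES_DIR=/etc/nginx/sites
readonly INCLUDES_PATH="$SITES_DIR/includes.conf"
# NOTE(review): the templates live in a user's home directory but end up in
# the nginx configuration; whoever can write them controls what nginx loads.
# Confirm they are not writable by an unprivileged account.
readonly TEMPLATE_DIR=/home/mkr/.mkr/up

# Print a message to stderr and abort.
die() {
  printf 'up: %s\n' "$*" >&2
  exit 1
}

# Print the usage line to stderr and abort with status 2.
usage() {
  printf 'Usage: %s issue <domain> | proxy <domain> <port> | static <domain> <webroot> | kill <domain>\n' \
    "${0##*/}" >&2
  exit 2
}

# Accept only dot-separated host-name labels (letters, digits, inner hyphens).
# This keeps "/", "..", "&", backslashes and whitespace out of the paths and
# sed expressions built from the domain.
validate_domain() {
  local -r domain=$1
  local -r label='[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?'
  local -r domain_re="^${label}(\\.${label})*\$"
  ((${#domain} <= 253)) || die "domain too long: $domain"
  [[ "$domain" =~ $domain_re ]] || die "invalid domain: $domain"
}

# Accept only a decimal TCP port in 1..65535 with no leading zero.
validate_port() {
  local -r port=$1
  local -r port_re='^[1-9][0-9]{0,4}$'
  [[ "$port" =~ $port_re ]] || die "invalid port: $port"
  ((port <= 65535)) || die "port out of range: $port"
}

# Copy a template to the site config and fill in its two placeholders.
# $1 template, $2 destination, $3 domain, $4 second placeholder, $5 its value
# (already validated or escaped for the replacement side of sed's s///).
render_template() {
  local -r template=$1 conf=$2 domain=$3 placeholder=$4 value=$5
  cp -- "$template" "$conf"
  sed -i \
    -e "s/<DOMAIN\.TLD>/${domain}/g" \
    -e "s/${placeholder}/${value}/g" \
    "$conf"
}

# Append the include line to includes.conf unless it is already there.
register_include() {
  local -r line=$1
  if [[ ! -f "$INCLUDES_PATH" ]] || ! grep -Fxq -- "$line" "$INCLUDES_PATH"; then
    printf '%s\n' "$line" >>"$INCLUDES_PATH"
  fi
}

# Validate the whole configuration, then reload. Under `set -e` a failed
# `nginx -t` aborts here, so a broken config is never reloaded.
reload_nginx() {
  nginx -t
  nginx -s reload
}

main() {
  (($# >= 2)) || usage
  local -r cmd=$1 domain=$2

  case "$cmd" in
    issue | kill) ;;
    proxy | static) (($# >= 3)) || usage ;;
    *) usage ;;
  esac

  # A leading "*." is accepted for `issue` only. In an nginx `include` path
  # "*" is a glob, so a wildcard name must never reach includes.conf.
  local name=$domain
  if [[ "$cmd" == issue ]]; then
    name=${domain#\*.}
  fi
  validate_domain "$name"

  local -r site_dir="$SITES_DIR/$domain"
  local -r conf="$site_dir/.conf"
  local -r include_line="include $conf;"

  case "$cmd" in
    issue)
      "$ACME" --issue --dns dns_dgon -d "$domain"
      mkdir -p -- "$site_dir"
      "$ACME" --install-cert -d "$domain" \
        --key-file "$site_dir/cert.key" \
        --fullchain-file "$site_dir/fullchain.crt"
      ;;

    proxy)
      validate_port "$3"
      mkdir -p -- "$site_dir"
      render_template "$TEMPLATE_DIR/proxy.conf" "$conf" "$domain" '<PORT>' "$3"
      register_include "$include_line"
      reload_nginx
      ;;

    static)
      local webroot webroot_esc
      webroot=$(realpath -- "$3")
      # The path is written verbatim into an nginx `root` directive, so
      # reject anything nginx would read as syntax rather than as a path.
      case "$webroot" in
        *[[:space:]]* | *';'* | *'{'* | *'}'* | *'#'* | *'"'* | *"'"* | *'$'* | *'\'*)
          die "webroot contains characters that are unsafe in an nginx directive: $webroot"
          ;;
      esac
      # Escape the two characters still special on the replacement side of
      # s///: the delimiter "/" and "&" (the whole match).
      webroot_esc=$(printf '%s\n' "$webroot" | sed -e 's/[\/&]/\\&/g')
      mkdir -p -- "$site_dir"
      render_template "$TEMPLATE_DIR/static.conf" "$conf" "$domain" '<WEBROOT>' "$webroot_esc"
      register_include "$include_line"
      reload_nginx
      ;;

    kill)
      rm -f -- "$conf"
      if [[ -f "$INCLUDES_PATH" ]]; then
        local include_esc
        # Escape regex metacharacters so the include line matches literally.
        include_esc=$(printf '%s\n' "$include_line" | sed -e 's/[]\/$*.^[]/\\&/g')
        sed -i -e "/^${include_esc}\$/d" "$INCLUDES_PATH"
      fi
      reload_nginx
      ;;
  esac
}

main "$@"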