Last active
June 20, 2020 12:54
-
-
Save zeratax/1881bc237d76409763f19d33fe87a60c to your computer and use it in GitHub Desktop.
dmnd.sh nginx config
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # site-available/blog.dmnd.sh.conf | |
| server { | |
| listen [::]:443 ssl; | |
| listen 443 ssl; | |
| server_name blog.dmnd.sh; | |
| include snippets/ssl-dmnd.sh.conf; | |
| include snippets/robots.conf; | |
| location / { | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| proxy_pass http://localhost:4000; | |
| } | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # sites-available/chat.dmnd.sh.conf | |
| server { | |
| # Simple configuration for serving Riot | |
| server_name chat.dmnd.sh; | |
| listen 443 ssl; | |
| listen [::]:443 ssl; | |
| include snippets/ssl-dmnd.sh.conf; | |
| include snippets/robots.conf; | |
| root /var/www/riot/; | |
| location / { | |
| try_files $uri/index.html $uri $uri/=404; | |
| error_page 404 /404.html; | |
| error_page 500 502 503 504 /500.html; | |
| } | |
| location ~ ^/(static|register) { | |
| proxy_pass http://localhost:5000; | |
| } | |
| location /token { | |
| proxy_pass http://localhost:5000; | |
| } | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # sites-available/deny-all.conf | |
| server { | |
| listen 80 default_server; | |
| listen [::]:80 default_server; | |
| server_name _; | |
| return 444; | |
| } | |
| server { | |
| listen 443 default_server; | |
| listen [::]:443 default_server; | |
| server_name _; | |
| ssl_certificate /etc/letsencrypt/live/dmnd.sh/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/dmnd.sh/privkey.pem; | |
| return 444; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # sites-available/dimension.dmnd.sh.conf | |
| server { | |
| listen [::]:443 ssl; | |
| listen 443 ssl; | |
| server_name dimension.dmnd.sh; | |
| include snippets/ssl-dmnd.sh.conf; | |
| include snippets/robots.conf; | |
| location / { | |
| # f ($request_method = 'OPTIONS') { | |
| # add_header 'Access-Control-Max-Age' 1728000; | |
| # add_header 'Content-Type' 'text/plain charset=UTF-8'; | |
| # add_header 'Content-Length' 0; | |
| # return 204; | |
| # } | |
| # allow all; | |
| # add_header 'Access-Control-Allow-Origin' '*'; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| proxy_pass http://localhost:8184; | |
| } | |
| } | |
| # some clients have port 8448 still cached and to help them we keep this | |
| server { | |
| listen 8448 ssl; | |
| listen [::]:8448 ssl; | |
| server_name dmnd.sh; | |
| include snippets/ssl-dmnd.sh.conf; | |
| include snippets/robots.conf; | |
| location / { | |
| proxy_pass https://dmnd.sh:443; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| # rewrite ^/?(.*) https://dmnd.sh/$1 permanent; | |
| } | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # sites-available/dmnd.sh.conf | |
| map $http_upgrade $connection_upgrade { | |
| default upgrade; | |
| '' close; | |
| } | |
| upstream maubot { | |
| server localhost:29316; | |
| } | |
| include snippets/matrix-workers-loadbalancing.conf; | |
| server { | |
| listen [::]:443 ssl; | |
| listen 443 ssl; | |
| server_name dmnd.sh www.dmnd.sh status.dmnd.sh; | |
| include snippets/ssl-dmnd.sh.conf; | |
| include snippets/robots.conf; | |
| index index.htm index.html; | |
| if ($host != dmnd.sh) { | |
| return 307 https://dmnd.sh$request_uri; | |
| } | |
| # homepage | |
| location / { | |
| root /home/travis/www/dist; | |
| rewrite ^/(.*)\.html(\?.*)?$ /$1$2 permanent; | |
| rewrite ^/(.*)/$ /$1 permanent; | |
| index index.html; | |
| try_files $uri/index.html $uri.html $uri/ $uri =404; | |
| error_page 404 /404.html; | |
| error_page 500 502 503 504 /500.html; | |
| } | |
| location /register { | |
| types {} | |
| default_type text/html; | |
| alias /home/travis/www/dist/register.html; | |
| # if ($request_method = GET) { | |
| # if ($request_uri ~* "^/register\.html(\?.*)?(#.*)?$") { | |
| rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent; | |
| rewrite ^/(.*)/$ /$1 permanent; | |
| # } | |
| # index register.html; | |
| # try_files register.html $uri.html $uri/ $uri =404; | |
| if ($request_method = POST ) { | |
| proxy_pass http://localhost:5000; | |
| } | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Forwarded-Host $server_name; | |
| } | |
| location /files { | |
| autoindex on; | |
| autoindex_exact_size off; | |
| auth_basic "Restricted Content"; | |
| auth_basic_user_file /etc/nginx/.htpasswd; | |
| } | |
| # matrix-registration | |
| location /token { | |
| proxy_pass http://localhost:5000; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| } | |
| location ~ /test-token(.*)$ { | |
| rewrite ^ /token$1?$args break; | |
| proxy_pass http://localhost:5001; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| } | |
| location ~ /test-register(.*)$ { | |
| rewrite ^ /register$1?$args break; | |
| proxy_pass http://localhost:5001; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| } | |
| location /static { | |
| proxy_pass http://localhost:5001; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| } | |
| # matrix | |
| location /_matrix { | |
| proxy_pass http://localhost:8008; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| } | |
| include snippets/matrix-workers.conf; | |
| # matrix-appservices | |
| location /_matrix/appservice-slack { | |
| proxy_pass http://localhost:9899; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| } | |
| location /_matrix/appservice-webhook { | |
| rewrite /_matrix/appservice-webhook/(.*) /$1 break; | |
| proxy_pass http://localhost:9000; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| } | |
| location /_matrix/appservice-telegram { | |
| proxy_pass http://localhost:8123; | |
| proxy_redirect off; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| client_max_body_size 1m; | |
| client_body_buffer_size 128k; | |
| proxy_connect_timeout 90; | |
| proxy_send_timeout 90; | |
| proxy_read_timeout 90; | |
| proxy_buffer_size 4k; | |
| proxy_buffers 4 32k; | |
| proxy_busy_buffers_size 64k; | |
| proxy_temp_file_write_size 64k; | |
| } | |
| location /_matrix/webhook-gitlab { | |
| proxy_pass http://localhost:29313; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| } | |
| location /_matrix/maubot { | |
| proxy_redirect off; | |
| proxy_pass http://maubot; | |
| proxy_http_version 1.1; | |
| proxy_set_header Upgrade $http_upgrade; | |
| proxy_set_header Connection $connection_upgrade; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| } | |
| location = /stickers { | |
| return 301 /stickers/; | |
| } | |
| location /stickers/ { | |
| proxy_pass http://localhost:8082/; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| } | |
| location /lag { | |
| proxy_pass http://localhost:8080; | |
| proxy_redirect off; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| } | |
| # sync stuff | |
| location /radicale/ { # The trailing / is important! | |
| proxy_pass http://localhost:5232/; # The trailing / is important! | |
| proxy_set_header X-Script-Name /radicale; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_pass_header Authorization; | |
| } | |
| # games | |
| location = /minecraft/map { | |
| return 307 /minecraft/map/; | |
| } | |
| location = /minecraft/map/ { | |
| return 307 https://dmnd.sh/minecraft/map/index.html; | |
| } | |
| location /minecraft/map/ { | |
| rewrite /minecraft/map/(.*) /$1 break; | |
| proxy_pass http://localhost:8777; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| proxy_set_header Host $host; | |
| proxy_cache map; | |
| proxy_cache_key "$host$uri"; | |
| proxy_cache_valid 200 302 60m; | |
| proxy_cache_valid 404 10m; | |
| proxy_cache_use_stale error timeout invalid_header updating http_500 http_503 http_504; | |
| proxy_connect_timeout 10; | |
| } | |
| # redirect to services | |
| location ^~ /jitsi { | |
| rewrite ^/jitsi/?(.*) https://jitsi.dmnd.sh/$1 permanent; | |
| } | |
| location ^~ /etherpad { | |
| rewrite ^/etherpad/?(.*) https://docs.dmnd.sh/$1 permanent; | |
| } | |
| location ^~ /dimension { | |
| rewrite ^/dimension/?(.*) https://dimension.dmnd.sh/$1 permanent; | |
| } | |
| } | |
| # some clients have port 8448 still cached and to help them we keep this | |
| server { | |
| listen 8448 ssl; | |
| listen [::]:8448 ssl; | |
| server_name dmnd.sh; | |
| include snippets/ssl-dmnd.sh.conf; | |
| include snippets/robots.conf; | |
| location ^~ / { | |
| rewrite ^/?(.*) https://dmnd.sh/$1 permanent; | |
| } | |
| location /_matrix { | |
| proxy_pass http://localhost:8008; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| } | |
| include snippets/matrix-workers.conf; | |
| } | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # sites-available/docs.dmnd.sh.conf | |
| map $http_upgrade $connection_upgrade { | |
| default upgrade; | |
| '' close; | |
| } | |
| upstream etherpad-lite { | |
| server 127.0.0.1:9001; | |
| } | |
| server { | |
| listen [::]:443 ssl; | |
| listen 443 ssl; | |
| server_name docs.dmnd.sh; | |
| include snippets/ssl-dmnd.sh.conf; | |
| include snippets/robots.conf; | |
| # Allow normal files to pass through | |
| location ~ ^/(locales/|locales.json|admin/|static/|pluginfw/|javascripts/|socket.io/|ep/|minified/|api/|ro/|error/|jserror/|favicon.ico|robots.txt) { | |
| proxy_buffering off; | |
| proxy_pass http://etherpad-lite; | |
| } | |
| # Redirect to force /p/* URLs to the friendly version | |
| location /p/ { | |
| rewrite ^/p/(.*) /$1 redirect; | |
| } | |
| # Match the home page | |
| location ~ ^/$ { | |
| proxy_buffering off; | |
| proxy_pass http://etherpad-lite; | |
| } | |
| # Handle pad URLs here | |
| location / { | |
| proxy_buffering off; | |
| proxy_set_header Host $host; | |
| proxy_pass http://etherpad-lite/p/; | |
| proxy_redirect / /p/; | |
| proxy_pass_header Server; | |
| # headers | |
| proxy_set_header X-Real-IP $remote_addr; # http://wiki.nginx.org/HttpProxyModule | |
| proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP | |
| proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used | |
| proxy_set_header Host $host; # pass the host header | |
| proxy_http_version 1.1; # recommended with keepalive connections | |
| # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html | |
| proxy_set_header Upgrade $http_upgrade; | |
| proxy_set_header Connection $connection_upgrade; | |
| } | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # sites-available/jitsi.dmnd.sh.conf | |
| server { | |
| listen [::]:443 ssl http2; | |
| listen 443 ssl http2; | |
| server_name jitsi.dmnd.sh; | |
| include snippets/ssl-dmnd.sh.conf; | |
| include snippets/robots.conf; | |
| root /usr/share/jitsi-meet; | |
| index index.html index.htm; | |
| error_page 404 /static/404.html; | |
| location /config.js { | |
| alias /etc/jitsi/meet/jitsi.dmnd.sh-config.js; | |
| } | |
| location ~ ^/(?!(http-bind|external_api\.|xmpp-websocket))([a-zA-Z0-9=_äÄöÖüÜß\?\-]+)$ { | |
| rewrite ^/(.*)$ / break; | |
| } | |
| location / { | |
| ssi on; | |
| } | |
| # Backward compatibility | |
| location ~ /external_api.* { | |
| root /usr/share/jitsi-meet/libs; | |
| } | |
| # BOSH | |
| location /http-bind { | |
| proxy_pass http://localhost:5280/http-bind; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| proxy_set_header Host $http_host; | |
| } | |
| # xmpp websockets | |
| location /xmpp-websocket { | |
| proxy_pass http://localhost:5280; | |
| proxy_http_version 1.1; | |
| proxy_set_header Upgrade $http_upgrade; | |
| proxy_set_header Connection "upgrade"; | |
| proxy_set_header Host $host; | |
| tcp_nodelay on; | |
| } | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # sites-available/l10n.dmnd.sh.conf | |
| server { | |
| listen [::]:443 ssl; | |
| listen 443 ssl; | |
| server_name l10n.dmnd.sh; | |
| include snippets/ssl-dmnd.sh.conf; | |
| include snippets/robots.conf; | |
| # Not used | |
| root /var/www/html; | |
| location ~ ^/favicon.ico$ { | |
| # DATA_DIR/static/favicon.ico | |
| alias /opt/weblate/lib/python3.7/site-packages/data/static/favicon.ico; | |
| expires 30d; | |
| } | |
| location /static/ { | |
| # DATA_DIR/static/ | |
| alias /opt/weblate/lib/python3.7/site-packages/data/static/; | |
| expires 30d; | |
| } | |
| location /media/ { | |
| # DATA_DIR/media/ | |
| alias /opt/weblate/lib/python3.7/site-packages/data/media/; | |
| expires 30d; | |
| } | |
| location / { | |
| include uwsgi_params; | |
| # Needed for long running operations in admin interface | |
| uwsgi_read_timeout 3600; | |
| # Adjust based to uwsgi configuration: | |
| # uwsgi_pass unix:///run/uwsgi/app/weblate/socket; | |
| uwsgi_pass 127.0.0.1:8077; | |
| } | |
| } | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # snippets/matrix-workers-loadbalancing.conf | |
| upstream synchrotron { | |
| server localhost:8002; | |
| } | |
| upstream federation_reader { | |
| server localhost:8003; | |
| } | |
| # must only be handled by a single instance. | |
| upstream federation_reader_send { | |
| server localhost:8003; | |
| } | |
| # must only be handled by a single instance. | |
| upstream media_repository { | |
| server localhost:8004; | |
| } | |
| upstream client_reader { | |
| server localhost:8005; | |
| } | |
| # must only be handled by a single instance. | |
| upstream client_reader_register { | |
| server localhost:8005; | |
| } | |
| # all requests with the same path room must be routed to the same instance | |
| upstream client_reader_messages { | |
| hash $request_uri consistent; | |
| server localhost:8005; | |
| } | |
| upstream user_dir { | |
| server localhost:8006; | |
| } | |
| upstream frontend_proxy { | |
| server localhost:8007; | |
| } | |
| upstream event_creator { | |
| server localhost:8009; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # snippets/pre-matrix-workers.conf | |
| # nginx-conf -i pre-matrix-workers.conf -o matrix-workers.conf | |
| # https://dev.yorhel.nl/nginx-confgen | |
| macro m_reverseproxy $location { | |
| proxy_pass http://$location; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| } | |
| # synchrotron | |
| location ^/_matrix/client/(v2_alpha|r0)/sync$ { | |
| m_reverseproxy synchrotron; | |
| } | |
| location ^/_matrix/client/(api/v1|v2_alpha|r0)/events$ { | |
| m_reverseproxy synchrotron; | |
| } | |
| location ^/_matrix/client/(api/v1|r0)/initialSync$ { | |
| m_reverseproxy synchrotron; | |
| } | |
| location ^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$ { | |
| m_reverseproxy synchrotron; | |
| } | |
| # federation_reader | |
| location ^/_matrix/federation/v1/(event|state|state_ids|backfill|get_missing_events|publicRooms|query|make_join|make_leave|send_join|send_leave|invite|query_auth|event|auth|exchange_third_party_invite|user/devices)/ { | |
| m_reverseproxy federation_reader; | |
| } | |
| location ^/_matrix/federation/v2/(send_join|send_leave|invite)/ { | |
| m_reverseproxy federation_reader; | |
| } | |
| location ^/_matrix/key/v2/query { | |
| m_reverseproxy federation_reader; | |
| } | |
| location ^/_matrix/federation/v1/get_groups_publicised$ { | |
| m_reverseproxy federation_reader; | |
| } | |
| location ^/_matrix/federation/v1/send/ { # must only be handled by a single instance. | |
| m_reverseproxy federation_reader_send; | |
| } | |
| location ^/_matrix/federation/v1/groups/ { | |
| m_reverseproxy federation_reader; | |
| } | |
| # media_repository | |
| location /_matrix/media/ { | |
| client_max_body_size 1024M; | |
| m_reverseproxy media_repository; | |
| } | |
| location ^/_synapse/admin/v1/purge_media_cache$ { | |
| m_reverseproxy media_repository; | |
| } | |
| location ^/_synapse/admin/v1/(room|user)/.*/media.*$ { | |
| m_reverseproxy media_repository; | |
| } | |
| location ^/_synapse/admin/v1/(media|quarantine_media)/.*$ { | |
| m_reverseproxy media_repository; | |
| } | |
| # client_reader | |
| location ^/_matrix/client/(api/v1|r0|unstable)/publicRooms$ { | |
| m_reverseproxy client_reader; | |
| } | |
| location ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members$ { | |
| m_reverseproxy client_reader; | |
| } | |
| location ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*$ { | |
| m_reverseproxy client_reader; | |
| } | |
| location ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(members|state)$ { | |
| m_reverseproxy client_reader; | |
| } | |
| location ^/_matrix/client/(api/v1|r0|unstable)/login$ { | |
| m_reverseproxy client_reader; | |
| } | |
| location ^/_matrix/client/(api/v1|r0|unstable)/account/3pid$ { | |
| m_reverseproxy client_reader; | |
| } | |
| location ^/_matrix/client/(api/v1|r0|unstable)/keys/(query|changes)$ { | |
| m_reverseproxy client_reader; | |
| } | |
| location ^/_matrix/client/versions$ { | |
| m_reverseproxy client_reader; | |
| } | |
| location ^/_matrix/client/(api/v1|r0|unstable)/voip/turnServer$ { | |
| m_reverseproxy client_reader; | |
| } | |
| location ^/_matrix/client/(api/v1|r0|unstable)/(joined_groups|publicised_groups)$ { | |
| m_reverseproxy client_reader; | |
| } | |
| location ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups/ { | |
| m_reverseproxy client_reader; | |
| } | |
| location ^/_matrix/client/(api/v1|r0|unstable)/(pushrules|groups)/.*$ { | |
| m_reverseproxy client_reader; | |
| } | |
| location ^/_matrix/client/(api/v1|r0|unstable)/groups/.*$ { | |
| m_reverseproxy client_reader; | |
| } | |
| location ^/_matrix/client/(api/v1|r0|unstable)/user/[^/]*/account_data/ { | |
| m_reverseproxy client_reader; | |
| } | |
| location ^/_matrix/client/(api/v1|r0|unstable)/user/[^/]*/rooms/[^/]*/account_data/ { | |
| m_reverseproxy client_reader; | |
| } | |
| location ^/_matrix/client/(r0|unstable)/register$ { # requests must be routed to the same instance | |
| m_reverseproxy client_reader_register; | |
| } | |
| location ^/_matrix/client/(r0|unstable)/auth/.*/fallback/web$ { # requests must be routed to the same instance | |
| m_reverseproxy client_reader_register; | |
| } | |
| # Pagination requests can also be handled, but all requests with the same path room must be routed to the same instance. | |
| # Additionally, care must be taken to ensure that the purge history admin API is not used while pagination requests for the room are in flight | |
| location ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/messages$ { | |
| m_reverseproxy client_reader_messages; | |
| } | |
| # user_dir | |
| location ^/_matrix/client/(api/v1|r0|unstable)/user_directory/search$ { | |
| m_reverseproxy user_dir; | |
| } | |
| # frontend_proxy | |
| location ^/_matrix/client/(api/v1|r0|unstable)/keys/upload { | |
| m_reverseproxy frontend_proxy; | |
| } | |
| # If use_presence is False in the homeserver config, it can also handle REST endpoints matching the following regular expressions: | |
| # location ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status { | |
| # m_reverseproxy frontend_proxy; | |
| # } | |
| # event_creator | |
| location ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send { | |
| m_reverseproxy event_creator; | |
| } | |
| location ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/ { | |
| m_reverseproxy event_creator; | |
| } | |
| location ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ { | |
| m_reverseproxy event_creator; | |
| } | |
| location ^/_matrix/client/(api/v1|r0|unstable)/join/ { | |
| m_reverseproxy event_creator; | |
| } | |
| location ^/_matrix/client/(api/v1|r0|unstable)/profile/ { | |
| m_reverseproxy event_creator; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # snippets/robots.conf | |
| location ^~ /robots.txt { | |
| alias /usr/share/nginx/html/robots.txt; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # snippets/ssl-dmnd.sh.conf | |
| include snippets/ssl-params.conf; | |
| # include /etc/letsencrypt/options-ssl-nginx.conf; | |
| ssl_certificate /etc/letsencrypt/live/dmnd.sh/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/dmnd.sh/privkey.pem; | |
| ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; | |
| ssl_trusted_certificate /etc/letsencrypt/live/dmnd.sh/chain.pem; | |
| location ~ /.well-known { | |
| root /usr/share/nginx/html/; | |
| allow all; | |
| add_header 'Access-Control-Allow-Origin' '*'; | |
| # location ^~ /.well-known/acme-challenge/ { | |
| # root /usr/share/nginx/html/.well-known/acme-challenge/; | |
| # } | |
| } | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # snippets/ssl-params.conf | |
| # from https://cipherli.st/ | |
| # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_prefer_server_ciphers on; | |
| ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; | |
| ssl_ecdh_curve secp384r1; | |
| ssl_session_cache shared:SSL:10m; | |
| ssl_session_tickets off; | |
| ssl_stapling on; | |
| ssl_stapling_verify on; | |
| resolver 67.207.67.3 67.207.67.2 valid=300s; | |
| resolver_timeout 5s; | |
| # Disable preloading HSTS for now. You can use the commented out header line that includes | |
| # the "preload" directive if you understand the implications. | |
| #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; | |
| add_header Strict-Transport-Security "max-age=63072000; includeSubdomains"; | |
| add_header X-Content-Type-Options nosniff; | |
| #ssl_dhparam /etc/ssl/certs/dhparam.pem; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # sites-available/ssl-redirect.conf | |
| server { | |
| listen 80; | |
| listen [::]:80; | |
| server_name dmnd.sh www.dmnd.sh chat.dmnd.sh status.dmnd.sh docs.dmnd.sh jitsi.dmnd.sh dimension.dmnd.sh blog.dmnd.sh phantom.dmnd.sh l10n.dmnd.sh streaming.dmnd.sh syn.ci www.syn.ci ws.syn.ci; | |
| if ($host = dmnd.sh) { | |
| return 301 https://dmnd.sh$request_uri; | |
| } # managed by Certbot | |
| if ($host = www.dmnd.sh) { | |
| return 301 https://dmnd.sh$request_uri; | |
| } # managed by Certbot | |
| if ($host = jitsi.dmnd.sh) { | |
| return 301 https://jitsi.dmnd.sh$request_uri; | |
| } # managed by Certbot | |
| if ($host = docs.dmnd.sh) { | |
| return 301 https://docs.dmnd.sh$request_uri; | |
| } # managed by Certbot | |
| if ($host = status.dmnd.sh) { | |
| return 301 https://status.dmnd.sh$request_uri; | |
| } # managed by Certbot | |
| if ($host = chat.dmnd.sh) { | |
| return 301 https://chat.dmnd.sh$request_uri; | |
| } # managed by Certbot | |
| if ($host = dimension.dmnd.sh) { | |
| return 301 https://dimension.dmnd.sh$request_uri; | |
| } # managed by Certbot | |
| if ($host = blog.dmnd.sh) { | |
| return 301 https://blog.dmnd.sh$request_uri; | |
| } # managed by Certbot | |
| if ($host = phantom.dmnd.sh) { | |
| return 301 https://phantom.dmnd.sh$request_uri; | |
| } # managed by Certbot | |
| if ($host = l10n.dmnd.sh) { | |
| return 301 https://l10n.dmnd.sh$request_uri; | |
| } # managed by Certbot | |
| if ($host = streaming.dmnd.sh) { | |
| return 301 https://streaming.dmnd.sh$request_uri; | |
| } # managed by Certbot | |
| if ($host = syn.ci) { | |
| return 301 https://syn.ci$request_uri; | |
| } # managed by Certbot | |
| if ($host = www.syn.ci) { | |
| return 301 https://syn.ci$request_uri; | |
| } # managed by Certbot | |
| if ($host = ws.syn.ci) { | |
| return 301 https://ws.syn.ci$request_uri; | |
| } # managed by Certbot | |
| return 403; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| map $http_upgrade $connection_upgrade { | |
| default upgrade; | |
| '' close; | |
| } | |
| upstream streaming { | |
| server localhost:8823; | |
| } | |
| server { | |
| listen [::]:443 ssl; | |
| listen 443 ssl; | |
| server_name streaming.dmnd.sh; | |
| include snippets/ssl-dmnd.sh.conf; | |
| include snippets/robots.conf; | |
| root /var/www/streaming/; | |
| location / { | |
| index player.html; | |
| # try_files $uri/player.html $uri.html $uri/ $uri =404; | |
| } | |
| location ~ /(admin|api|live|static)/* { | |
| proxy_pass http://streaming; | |
| proxy_http_version 1.1; | |
| proxy_set_header Upgrade $http_upgrade; | |
| proxy_set_header Connection $connection_upgrade; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| } | |
| } | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # sites-available/syn.ci.conf | |
| server { | |
| listen [::]:443 ssl; | |
| listen 443 ssl; | |
| server_name www.syn.ci syn.ci; | |
| include snippets/ssl-dmnd.sh.conf; | |
| location / { | |
| proxy_redirect off; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| proxy_pass http://localhost:8096; | |
| } | |
| location /images { | |
| rewrite ^/images/(.*)$ /esm-bundled/images/$1 last; | |
| } | |
| } | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # sites-available/ws.syn.ci.conf | |
| map $http_upgrade $connection_upgrade { | |
| default upgrade; | |
| '' close; | |
| } | |
| upstream synci-backend { | |
| server 127.0.0.1:9090; | |
| } | |
| server { | |
| listen [::]:443 ssl; | |
| listen 443 ssl; | |
| server_name ws.syn.ci; | |
| include snippets/ssl-dmnd.sh.conf; | |
| location / { | |
| proxy_pass https://synci-backend; | |
| proxy_http_version 1.1; | |
| proxy_set_header Upgrade $http_upgrade; | |
| proxy_set_header Connection $connection_upgrade; | |
| } | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment