Added NGinx configuration file to repository.

2024-09-08 04:45:31 +02:00 · 2024-09-08 04:45:31 +02:00 · 790af6138d
commit 790af6138d
parent 78c30f13b3
2 changed files with 156 additions and 0 deletions
--- a/misc/oidc_db_v2.sql
+++ b/misc/oidc_db_v2.sql
--- a/misc/reverse-proxy.conf
+++ b/misc/reverse-proxy.conf
@ -0,0 +1,156 @@
+#stream {
+#map $ssl_preread_server_name $targetBackend {
+#authserver.cacert-phoenix.org 127.0.0.4444;
+#}
+#}
+
+#server {
+	#    if ($host = authserver.cacert-phoenix.org) {
+	#return 301 https://$host$request_uri;
+	#} # managed by Certbot
+
+	#    inet 141.98.154.48/23 brd 141.98.155.255 scope global eth0
+	    #       valid_lft forever preferred_lft forever
+       #    inet6 2a02:c202:3014:5331::1/64 scope global 
+
+	#    listen 141.98.154.48:4444;
+	#    #    ssl on;
+	#    server_name authserver.cacert-phoenix.org;
+    #    return 404; # managed by Certbot
+
+	#    location / {
+	#proxy_pass https://127.0.0.1:4444;
+	#proxy_set_header Host $host;
+	#p#roxy_set_header X-Real-IP $remote_addr;
+	#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	#}
+
+	#}
+server {
+    if ($host = authserver.cacert-phoenix.org) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+    listen 80;
+    server_name authserver.cacert-phoenix.org;
+    return 404; # managed by Certbot
+
+
+}
+server {
+    if ($host = idp.cacert-phoenix.org) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+    listen 80;
+    server_name idp.cacert-phoenix.org;
+    return 404; # managed by Certbot
+
+
+}
+server {
+    if ($host = registration.cacert-phoenix.org) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+    listen 80;
+    server_name registration.cacert-phoenix.org;
+    return 404; # managed by Certbot
+
+
+}
+server {
+    server_name authserver.cacert-phoenix.org;
+ 
+    location / {
+        proxy_pass https://127.0.0.1:4444;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+
+    listen 443 ssl; # managed by Certbot
+    listen 141.98.154.48:4444 ssl;
+
+    ssl_certificate /etc/letsencrypt/live/registration.cacert-phoenix.org/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/registration.cacert-phoenix.org/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+    server_name idp.cacert-phoenix.org;
+ 
+    location / {
+        proxy_pass https://127.0.0.1:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+
+    listen 443 ssl; # managed by Certbot
+    listen 141.98.154.48:3000 ssl;
+    ssl_certificate /etc/letsencrypt/live/registration.cacert-phoenix.org/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/registration.cacert-phoenix.org/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+
+server {
+    server_name registration.cacert-phoenix.org;
+ 
+    root           /var/www/html;
+
+    index index.php;
+
+     ssl_verify_client on;
+        ssl_client_certificate /etc/nginx/certs/cas.pem;
+	#        ssl_verify_depth 1;
+
+	location ~ ^/(.+\.php)$ {
+    	fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+    	if (!-f $document_root$fastcgi_script_name) {
+        	return 404;
+    	}
+	include snippets/fastcgi-php.conf;
+    	include fastcgi_params;
+	# fastcgi_index index.php;
+    	fastcgi_pass unix:/run/php/php8.2-fpm.sock;
+    	fastcgi_read_timeout 600s;
+	#fastcgi_param SCRIPT_FILENAME /srv/www.example.org/html$fastcgi_script_name;
+    	fastcgi_param PATH_INFO $fastcgi_path_info;
+    	fastcgi_intercept_errors on;
+    	fastcgi_param PHP_VALUE "memory_limit = 512M
+		opcache.validate_root = 1
+		post_max_size = 32M
+		max_execution_time = 240
+		max_input_time = 240
+		upload_max_filesize = 16M";
+    client_body_buffer_size 128k;
+    http2_push_preload on;
+     fastcgi_param TLS_SUCCESS $ssl_client_verify;
+                        fastcgi_param TLS_DN      $ssl_client_s_dn;
+                        fastcgi_param TLS_CERT    $ssl_client_cert;
+                        fastcgi_param TLS_FP    $ssl_client_fingerprint;
+                        fastcgi_param TLS_SER   $ssl_client_serial;
+                        fastcgi_param SSL_CLIENT_S_DN   $ssl_client_s_dn;
+  }
+
+
+  # deny access to Apache .htaccess on Nginx with PHP,
+  # if Apache and Nginx document roots concur
+  location ~ /\.ht {
+    deny all;
+  }
+  
+    listen 443 ssl http2; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/registration.cacert-phoenix.org/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/registration.cacert-phoenix.org/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}