fic/server
Archived
1
0
Fork 0
Code Issues Pull requests 10 Releases Wiki Activity

configs: Rework nginx configs

Browse source
This commit is contained in:
nemunaire 2021-09-05 05:23:55 +02:00
commit fb53c9a4f1
13 changed files with 54 additions and 286 deletions
Download patch file Download diff file Expand all files Collapse all files

223
configs/nginx/base/demo.conf Normal file
View file

@ -0,0 +1,223 @@
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;
proxy_connect_timeout 1s;
server_tokens off;
server {
listen 80 default;
rewrite ^ https://$host$request_uri permanent;
}
server {
listen 443 default ssl http2;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /etc/nginx/ssl/dhparams-4096.pem;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
ssl_client_certificate /srv/PKI/shared/ca.pem;
ssl_trusted_certificate /srv/PKI/shared/ca.pem;
ssl_verify_client optional;
root /srv/htdocs-frontend/;
error_page 401 /welcome.html;
error_page 403 404 /e404.html;
error_page 413 /e413.html;
error_page 500 502 504 /e500.html;
add_header Strict-Transport-Security max-age=31536000;
add_header X-Frame-Options deny;
add_header Content-Security-Policy "script-src 'unsafe-inline' 'self' 'unsafe-eval'; img-src 'self' data:; style-src 'unsafe-inline' 'self'; font-src 'self'; default-src 'self'";
add_header X-Xss-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin;
add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'; wake-lock 'none'; xr-spatial-tracking 'none'";
location = / {
include fic-auth.conf;
}
location = /auth {
internal;
proxy_pass https://163.5.55.58/remote.php/webdav/;
proxy_pass_request_body off;
proxy_set_header Host "owncloud.srs.epita.fr";
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
}
location = /index.html {
include fic-auth.conf;
}
location = /welcome.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location = /e404.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location = /e413.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location = /e500.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location ~ ^/[A-Z] {
include fic-auth.conf;
rewrite ^/.*$ /index.html;
}
location /edit {
include fic-auth.conf;
rewrite ^/.*$ /index.html;
}
location /issues {
include fic-auth.conf;
rewrite ^/.*$ /index.html;
}
location /rank {
include fic-auth.conf;
rewrite ^/.*$ /index.html;
}
location /tags/ {
include fic-auth.conf;
rewrite ^/.*$ /index.html;
}
location /register {
include fic-auth.conf;
rewrite ^/.*$ /index.html;
}
location /rules {
include fic-auth.conf;
rewrite ^/.*$ /index.html;
}
location /files/ {
alias /srv/FILES/;
sendfile on;
tcp_nodelay on;
}
location /wait.json {
include fic-auth.conf;
root /srv/TEAMS/$team/;
expires epoch;
add_header Cache-Control no-cache;
}
location /stats.json {
root /srv/TEAMS/;
expires epoch;
add_header Cache-Control no-cache;
}
location /my.json {
include fic-auth.conf;
root /srv/TEAMS/$team/;
expires epoch;
add_header Cache-Control no-cache;
if (!-f /srv/startingblock/started) {
rewrite ^/.* /wait.json;
}
}
location /issues.json {
include fic-auth.conf;
root /srv/TEAMS/$team/;
expires epoch;
add_header Cache-Control no-cache;
}
location = /events.json {
root /srv/TEAMS/;
expires epoch;
add_header Cache-Control no-cache;
}
location = /teams.json {
root /srv/TEAMS/;
expires epoch;
add_header Cache-Control no-cache;
}
location = /themes.json {
root /srv/TEAMS/;
expires epoch;
add_header Cache-Control no-cache;
}
location = /settings.json {
root /srv/SETTINGSDIST/;
expires epoch;
add_header X-FIC-time $msec;
add_header Cache-Control no-cache;
}
location /submit/ {
include fic-auth.conf;
proxy_pass http://frontend:8080/submission;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location /issue {
include fic-auth.conf;
proxy_pass http://frontend:8080;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location /chname {
include fic-auth.conf;
proxy_pass http://frontend:8080;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location /registration {
include fic-auth.conf;
proxy_pass http://frontend:8080;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location /openhint/ {
include fic-auth.conf;
proxy_pass http://frontend:8080;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location /wantchoices/ {
include fic-auth.conf;
proxy_pass http://frontend:8080;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
}

248
configs/nginx/base/docker.conf Normal file
View file

@ -0,0 +1,248 @@
server_tokens off;
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;
proxy_connect_timeout 1s;
server {
listen 80 default;
listen [::]:80 default;
include fic-auth.conf;
root ${PATH_STATIC};
error_page 401 /welcome.html;
error_page 403 404 /e404.html;
error_page 413 404 /e413.html;
error_page 500 502 504 /e500.html;
error_page 401 /welcome.html;
error_page 403 404 /e404.html;
error_page 413 /e413.html;
error_page 500 502 504 /e500.html;
add_header Strict-Transport-Security max-age=31536000;
add_header X-Frame-Options deny;
add_header Content-Security-Policy "script-src 'unsafe-inline' 'self' 'unsafe-eval'; img-src 'self' data:; style-src 'unsafe-inline' 'self'; font-src 'self'; default-src 'self'";
add_header X-Xss-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin;
add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'; wake-lock 'none'; xr-spatial-tracking 'none'";
location = / {
include fic-get-team.conf;
}
location = /index.html {
include fic-get-team.conf;
}
location = /welcome.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location = /e404.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location = /e413.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location = /e500.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location ${FIC_BASEURL2} {
rewrite ^${FIC_BASEURL2}(.*)$ /$1;
}
location ~ ^/[A-Z] {
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /edit {
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /issues {
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /rank {
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /tags/ {
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /register {
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /rules {
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /files/ {
alias ${PATH_FILES}/;
sendfile on;
tcp_nodelay on;
}
location /wait.json {
include fic-get-team.conf;
root ${PATH_TEAMS}/$team/;
expires epoch;
add_header Cache-Control no-cache;
}
location /stats.json {
root ${PATH_TEAMS}/;
expires epoch;
add_header Cache-Control no-cache;
}
location /my.json {
include fic-get-team.conf;
root ${PATH_TEAMS}/$team/;
expires epoch;
add_header Cache-Control no-cache;
if (!-f ${PATH_STARTINGBLOCK}/started) {
rewrite ^/ /wait.json;
}
}
location /issues.json {
include fic-get-team.conf;
root ${PATH_TEAMS}/$team/;
expires epoch;
add_header Cache-Control no-cache;
}
location /teams.json {
root ${PATH_TEAMS};
expires epoch;
add_header Cache-Control no-cache;
}
location /themes.json {
root ${PATH_TEAMS};
expires epoch;
add_header Cache-Control no-cache;
}
location /settings.json {
root ${PATH_SETTINGS}/;
expires epoch;
add_header X-FIC-time $msec;
add_header Cache-Control no-cache;
}
location /submit/ {
include fic-get-team.conf;
proxy_pass http://${HOST_FRONTEND}/submission/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location /issue {
include fic-get-team.conf;
proxy_pass http://${HOST_FRONTEND};
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location /chname {
include fic-get-team.conf;
proxy_pass http://${HOST_FRONTEND};
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location /registration {
include fic-get-team.conf;
proxy_pass http://${HOST_FRONTEND};
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location /openhint/ {
include fic-get-team.conf;
proxy_pass http://${HOST_FRONTEND};
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location /wantchoices/ {
include fic-get-team.conf;
proxy_pass http://${HOST_FRONTEND};
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location /api/ {
include fic-get-team.conf;
proxy_pass http://${HOST_ADMIN}${FIC_BASEURL}admin/api/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location ${FIC_BASEURL}admin/ {
proxy_pass http://${HOST_ADMIN};
proxy_set_header X-Forwarded-For $remote_addr;
proxy_redirect off;
}
location ${FIC_BASEURL}qa/ {
include fic-get-team.conf;
proxy_pass http://${HOST_QA};
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location ${FIC_BASEURL}dashboard/ {
include fic-get-team.conf;
proxy_pass http://${HOST_DASHBOARD};
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location = /events.json {
proxy_pass http://${HOST_ADMIN}/api/events/;
proxy_method GET;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Forwarded-For $remote_addr;
proxy_redirect off;
proxy_cache STATIC;
proxy_cache_valid 3s;
}
}

213
configs/nginx/base/prod.conf Normal file
View file

@ -0,0 +1,213 @@
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;
proxy_connect_timeout 1s;
server_tokens off;
server {
listen 80 default;
rewrite ^ https://$host$request_uri permanent;
}
server {
listen 443 default ssl http2;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /etc/nginx/ssl/dhparams-4096.pem;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
include fic-auth.conf;
root /srv/htdocs-frontend/;
error_page 401 /welcome.html;
error_page 403 404 /e404.html;
error_page 413 /e413.html;
error_page 500 502 504 /e500.html;
add_header Strict-Transport-Security max-age=31536000;
add_header X-Frame-Options deny;
add_header Content-Security-Policy "script-src 'unsafe-inline' 'self' 'unsafe-eval'; img-src 'self' data:; style-src 'unsafe-inline' 'self'; font-src 'self'; default-src 'self'";
add_header X-Xss-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin;
add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'; wake-lock 'none'; xr-spatial-tracking 'none'";
location = / {
include fic-get-team.conf;
}
location = /index.html {
include fic-get-team.conf;
}
location = /welcome.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location = /e404.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location = /e413.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location = /e500.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location ~ ^/[A-Z] {
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /edit {
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /issues {
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /rank {
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /tags/ {
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /register {
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /rules {
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /files/ {
alias /srv/FILES/;
sendfile on;
tcp_nodelay on;
}
location /wait.json {
include fic-get-team.conf;
root /srv/TEAMS/$team/;
expires epoch;
add_header Cache-Control no-cache;
}
location /stats.json {
root /srv/TEAMS/;
expires epoch;
add_header Cache-Control no-cache;
}
location /my.json {
include fic-get-team.conf;
root /srv/TEAMS/$team/;
expires epoch;
add_header Cache-Control no-cache;
if (!-f /srv/startingblock/started) {
rewrite ^/.* /wait.json;
}
}
location /issues.json {
include fic-get-team.conf;
root /srv/TEAMS/$team/;
expires epoch;
add_header Cache-Control no-cache;
}
location = /events.json {
root /srv/TEAMS/;
expires epoch;
add_header Cache-Control no-cache;
}
location = /teams.json {
root /srv/TEAMS/;
expires epoch;
add_header Cache-Control no-cache;
}
location = /themes.json {
root /srv/TEAMS/;
expires epoch;
add_header Cache-Control no-cache;
}
location = /settings.json {
root /srv/SETTINGSDIST/;
expires epoch;
add_header X-FIC-time $msec;
add_header Cache-Control no-cache;
}
location /submit/ {
include fic-get-team.conf;
proxy_pass http://frontend:8080/submission/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location /issue {
include fic-get-team.conf;
proxy_pass http://frontend:8080;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location /chname {
include fic-get-team.conf;
proxy_pass http://frontend:8080;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location /registration {
include fic-get-team.conf;
proxy_pass http://frontend:8080;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location /openhint/ {
include fic-get-team.conf;
proxy_pass http://frontend:8080;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
location /wantchoices/ {
include fic-get-team.conf;
proxy_pass http://frontend:8080;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-FIC-Team $team;
proxy_redirect off;
}
}

63
configs/nginx/base/static.conf Normal file
View file

@ -0,0 +1,63 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name fic.srs.epita.fr;
access_log /var/log/nginx/fic2016.access_log main;
error_log /var/log/nginx/fic2016.error_log info;
root /srv/www/fic2016-static/;
error_page 403 404 /e404.html;
error_page 413 404 /e413.html;
error_page 500 502 504 /e500.html;
location /.htaccess {
return 404;
}
location /chbase.sh {
return 404;
}
location ~ ^/[0-9] {
rewrite ^/.*$ /index.html;
}
location /edit {
rewrite ^/.*$ /index.html;
}
location /rank {
rewrite ^/.*$ /index.html;
}
location /tags/ {
rewrite ^/.*$ /index.html;
}
location = /welcome.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location = /e404.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location = /e413.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location = /e500.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
}