open-fixture-library/server/nginx-site-available at master · OpenLightingProject/open-fixture-library · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://wiki.nginx.org/Pitfalls
# https://wiki.nginx.org/QuickStart
# https://wiki.nginx.org/Configuration
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
#
# Test the configuration with `nginx -t`
# before restarting with `systemctl restart nginx`
##


# requests to https://open-fixture-library.org (without subdomain)
# proxied to http://localhost:5000
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name open-fixture-library.org;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/open-fixture-library.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/open-fixture-library.org/privkey.pem; # managed by Certbot
    # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # from https://github.com/certbot/certbot/blob/v1.5.0/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

    # drop connection for all subdomains (if not handled elsewhere anyway)
    if ($host != open-fixture-library.org) {
        return 444;
    }

    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}


# redirect HTTPS requests from www subdomain to main domain
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name www.open-fixture-library.org;
    server_tokens off;

    return 301 https://open-fixture-library.org$request_uri;
}


# all HTTP requests that don't match another rule
server {
    listen 80 default_server;
    listen [::]:80;

    server_name _;
    server_tokens off;

    # drop connection
    return 444;
}


# redirect requests to http://[www.]open-fixture-library.org to HTTPS version
# No canonicalization steps are taken yet.
# See https://www.sentinelstand.com/article/http-strict-transport-security-hsts-canonical-www-redirects
server {
    listen 80;
    listen [::]:80;

    server_name open-fixture-library.org www.open-fixture-library.org;
    server_tokens off;

    return 301 https://$host$request_uri;
}


# requests to https://webhooks.open-fixture-library.org
# proxied to http://localhost:40010
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;

    server_name webhooks.open-fixture-library.org;
    server_tokens off;

    location / {
        proxy_pass http://localhost:40010;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}


# requests to https://embetty.open-fixture-library.org
# proxied to http://localhost:6977
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;

    server_name embetty.open-fixture-library.org;
    server_tokens off;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;

        # if request does not have an "Origin" HTTP header (only sent from within fetch / XHR requests)
        if ($http_origin = '') {
            set $cors 'allowed';
        }

        # if request comes from one of these allowed domains:
        # - https://open-fixture-library.org
        # - https://*.open-fixture-library.org
        # - localhost on any port, http and https
        # (see https://regex101.com/r/uit4OY/1)
        if ($http_origin ~* (^(?:https:\/\/(?:[a-z0-9_-]+\.)?open-fixture-library\.org|https?:\/\/localhost)(?::\d+)?$)) {
            set $cors 'allowed';
        }

        if ($cors != 'allowed') {
            add_header 'Access-Control-Allow-Origin' 'https://open-fixture-library.org' always;
            add_header 'Vary' 'Origin' always;
            return 403;
        }

        proxy_pass http://localhost:6977;
    }
}