author | Aaron LI <aly@aaronly.me> | 2018-03-04 10:11:32 +0800 |
---|---|---|
committer | Aaron LI <aly@aaronly.me> | 2018-03-14 11:35:08 +0800 |
commit | b9ce06b9729574cd79f494dcd7c01dcc381ac708 (patch) | |
tree | 2527f106c97e2880185bf7347be1e6808d134086 /roles/web | |
parent | f0872a922769fab1abd02e4a066a40cfc477980c (diff) | |
download | ansible-dfly-vps-b9ce06b9729574cd79f494dcd7c01dcc381ac708.tar.bz2 |
web: add nginx sites
Diffstat (limited to 'roles/web')
-rw-r--r-- | roles/web/templates/sites/00-acme-httpredirect.conf.j2 | 26 | ||||
-rw-r--r-- | roles/web/templates/sites/1314233.conf.j2 | 22 | ||||
-rw-r--r-- | roles/web/templates/sites/233233.g.conf.j2 | 164 | ||||
-rw-r--r-- | roles/web/templates/sites/233233.zw.conf.j2 | 102 | ||||
-rw-r--r-- | roles/web/templates/sites/aaronly.conf.j2 | 22 | ||||
-rw-r--r-- | roles/web/templates/sites/liwt.git.conf.j2 | 47 | ||||
-rw-r--r-- | roles/web/templates/sites/liwt.radicale.conf.j2 | 51 | ||||
-rw-r--r-- | roles/web/templates/sites/liwt.www.conf.j2 | 109 |
8 files changed, 543 insertions, 0 deletions
diff --git a/roles/web/templates/sites/00-acme-httpredirect.conf.j2 b/roles/web/templates/sites/00-acme-httpredirect.conf.j2
new file mode 100644
index 0000000..bf6d325
--- /dev/null
+++ b/roles/web/templates/sites/00-acme-httpredirect.conf.j2
@@ -0,0 +1,26 @@
+#
+# Nignx/sites: 00-acme-httpredirect.conf
+# Provide ACME challenges to issue certificate from Let's Encrypt,
+# and redirect HTTP to HTTPs.
+#
+# Aaron LI
+#
+
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+
+ location ^~ /.well-known/acme-challenge/ {
+ default_type text/plain;
+ root /usr/local/www/acme;
+ }
+ location = /.well-known/acme-challenge/ {
+ return 404;
+ }
+
+ # Redirect to HTTPS
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/roles/web/templates/sites/1314233.conf.j2 b/roles/web/templates/sites/1314233.conf.j2
new file mode 100644
index 0000000..57994ee
--- /dev/null
+++ b/roles/web/templates/sites/1314233.conf.j2
@@ -0,0 +1,22 @@
+{% set domain = "1314233.xyz" %}
+{% set domain_new = "233233.xyz" %}
+#
+# Nignx/sites: 1314233.conf
+# Redirect {{ domain }} to {{ domain_new }}
+#
+# Aaron LI
+#
+
+{% if domains_hascert[domain] %}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ domain }} *.{{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ return 301 $scheme://{{ domain_new }}$request_uri;
+}
+{% endif %}
diff --git a/roles/web/templates/sites/233233.g.conf.j2 b/roles/web/templates/sites/233233.g.conf.j2
new file mode 100644
index 0000000..1197b9f
--- /dev/null
+++ b/roles/web/templates/sites/233233.g.conf.j2
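Review bot: The catch-all redirect `return 301 https://$host$request_uri;` echoes whatever Host header the client sent, so this default_server will redirect to any hostname a client names rather than only to the domains this server actually hosts; a fixed target per known domain (or a `map` of allowed hosts falling back to the main site) keeps the redirect closed. The exact-match `location = /.well-known/acme-challenge/` returning 404 is a good touch, but `root /usr/local/www/acme` serves any file present under that challenge path, so a comment stating that the directory must hold only challenge tokens written by the ACME client would help the next maintainer. The header comment misspells nginx as `Nignx` here and in the 1314233 and aaronly redirect files.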
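Review bot: `server_name {{ domain }} *.{{ domain }}` answers for every subdomain, yet the certificate at `/usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem` is presumably issued through the HTTP-01 challenge served by 00-acme-httpredirect.conf, and Let's Encrypt does not issue wildcard certificates over HTTP-01, so any subdomain not listed as a SAN would be served a non-matching certificate. Either restrict the wildcard to the names the certificate covers or document the expected SANs in the header comment; the same applies to the aaronly.conf.j2 hunk. Since this block listens on 443 only, `$scheme` in `return 301 $scheme://{{ domain_new }}$request_uri;` is always https and could be written literally to make that explicit.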
@@ -0,0 +1,164 @@
+{% set domain = "233233.xyz" %}
+#
+# nginx/sites: reverse proxy to Google Search (with images and webcache))
+#
+# Credit:
+# * Nginx rewrite append a parameter at the end of an URL
+# https://serverfault.com/a/311660/387898
+# * https://github.com/tracycool/Reverse-Proxy-for-Google
+# * https://github.com/caiguanhao/nginx-bypass-gfw/blob/master/google.conf
+#
+# References:
+# * Google Custom Search - CSE parameters list
+# https://developers.google.com/custom-search/json-api/v1/reference/cse/list
+#
+#
+# Aaron LI
+# 2017-05-23
+#
+
+{% if domains_hascert[domain] %}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name g.{{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ # Enable caching
+ #proxy_cache CACHE;
+
+ # Tune buffer
+ proxy_buffer_size 64k;
+ proxy_buffers 4 128k;
+ proxy_busy_buffers_size 128k;
+
+ # Replace cookie domain
+ proxy_cookie_domain google.com $host;
+
+ # Hide some upstream headers to avoid duplicates/overrideing
+ proxy_hide_header Strict-Transport-Security;
+ proxy_hide_header Content-Security-Policy;
+ proxy_hide_header X-Frame-Options;
+ proxy_hide_header X-XSS-Protection;
+ proxy_hide_header X-Content-Type-Options;
+ proxy_hide_header Referrer-Policy;
+
+ # Substitute links in contents
+ # NOTE: Require to set Accept-Encoding="" header in order to request
+ # *uncompressed* data from upstream, otherwise won't work!
+ sub_filter_types text/css text/javascript application/json;
+ sub_filter_once off;
+ sub_filter //www.google.com/ //$host/;
+ sub_filter //apis.google.com/ //$host/__gapis/;
+ sub_filter //ajax.googleapis.com/ //$host/__gajax/;
+ sub_filter //fonts.googleapis.com/ //$host/__gfonts/;
+ sub_filter //www.gstatic.com/ //$host/__gstatic/www/;
+ sub_filter //ssl.gstatic.com/ //$host/__gstatic/ssl/;
+ sub_filter //encrypted-tbn0.gstatic.com/ //$host/__gstatic/enc-tbn0/;
+ # Google Images
+ sub_filter //webcache.googleusercontent.com/ //$host/__gwebcache/;
+
+ # WARNING:
+ # The "proxy_set_header" directives are inherited from the previous
+ # level *if and only if* there are *no* such directives defined on
+ # the current level!
+
+ #
+ # Reverse proxy to Google search and its friends :-)
+ #
+ location / {
+ proxy_pass https://www.google.com;
+
+ # These header need set explicitly, otherwise the browser will
+ # be redirected to Google's URL without proxy...
+ proxy_set_header Host www.google.com;
+ proxy_set_header Referer https://www.google.com;
+ # Set other necessary headers
+ # NOTE: Set Accept-Encoding="" to request *uncompressed* data
+ # from upstream, otherwise "sub_filter" doesn't work!
+ # Credit: https://stackoverflow.com/a/36274259
+ {% block proxy_set_header_common %}
+ proxy_set_header User-Agent $http_user_agent;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Cookie "";
+ proxy_set_header Accept-Language "en-US";
+ proxy_set_header Accept-Encoding "";
+ {% endblock %}
+
+ # Append "&gfe_rd=cr&gws_rd=cr" to disable country redirection.
+ # Append "&hl=en" to set interface language to English.
+ #
+ # "rewrite" matches against URL's *path* part only, which means
+ # "$1" will *not* contain the query string. And Nginx appends
+ # original query string to the rewrite replacement by default.
+ #
+ # Credit: https://serverfault.com/a/311660/387898
+ rewrite ^(.*)$ $1?gfe_rd=cr&gws_rd=cr&hl=en break;
+ }
+
+ location ^~ /__gwebcache/ {
+ # ^~ will make location search stop here if matched.
+ proxy_pass https://webcache.googleusercontent.com/;
+ # Note the trailing '/' above, which tells Nginx to strip the
+ # matched URI.
+ # Credit: https://serverfault.com/a/725433/387898
+
+ proxy_set_header Host webcache.googleusercontent.com;
+ proxy_set_header Referer https://webcache.googleusercontent.com;
+ # NOTE: The upper level "proxy_set_header" directives are *not*
+ # inherited since there are such directives on this level!
+ {{ self.proxy_set_header_common() }}
+ }
+ location ^~ /__gstatic/ssl/ {
+ proxy_pass https://ssl.gstatic.com/;
+ proxy_set_header Host ssl.gstatic.com;
+ proxy_set_header Referer https://ssl.gstatic.com;
+ {{ self.proxy_set_header_common() }}
+ }
+ location ^~ /__gstatic/www/ {
+ proxy_pass https://www.gstatic.com/;
+ proxy_set_header Host ssl.gstatic.com;
+ proxy_set_header Referer https://ssl.gstatic.com;
+ {{ self.proxy_set_header_common() }}
+ }
+ location ^~ /__gstatic/enc-tbn0/ {
+ proxy_pass https://encrypted-tbn0.gstatic.com/;
+ proxy_set_header Host encrypted-tbn0.gstatic.com;
+ proxy_set_header Referer https://encrypted-tbn0.gstatic.com;
+ {{ self.proxy_set_header_common() }}
+ }
+ location ^~ /__gapis/ {
+ proxy_pass https://apis.google.com/;
+ proxy_set_header Host apis.google.com;
+ proxy_set_header Referer https://apis.google.com;
+ {{ self.proxy_set_header_common() }}
+ }
+ location ^~ /__gfonts/ {
+ proxy_pass https://fonts.googleapis.com/;
+ proxy_set_header Host fonts.googleapis.com;
+ proxy_set_header Referer https://fonts.googleapis.com;
+ {{ self.proxy_set_header_common() }}
+ }
+ location ^~ /__gajax/ {
+ proxy_pass https://ajax.googleapis.com/;
+ proxy_set_header Host ajax.googleapis.com;
+ proxy_set_header Referer https://ajax.googleapis.com;
+ {{ self.proxy_set_header_common() }}
+ }
+
+ # Forbid spider
+ if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") {
+ return 403;
+ }
+
+ location /robots.txt {
+ default_type text/plain;
+ return 200 "User-agent: *\nDisallow: /\n";
+ }
+}
+{% endif %}
diff --git a/roles/web/templates/sites/233233.zw.conf.j2 b/roles/web/templates/sites/233233.zw.conf.j2
new file mode 100644
index 0000000..a17457e
--- /dev/null
+++ b/roles/web/templates/sites/233233.zw.conf.j2
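Review bot: In `location ^~ /__gstatic/www/` the upstream is `https://www.gstatic.com/` but the headers are `Host ssl.gstatic.com` and `Referer https://ssl.gstatic.com`, evidently copied from the `/__gstatic/ssl/` block above; they should read `proxy_set_header Host www.gstatic.com;` and `proxy_set_header Referer https://www.gstatic.com;`. None of the `proxy_pass https://...` locations turn on upstream certificate verification, and nginx leaves `proxy_ssl_verify` off by default, so the proxy-to-upstream leg accepts any certificate; `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` pointing at the system CA bundle, plus `proxy_ssl_server_name on;`, at server level closes that, and the same applies to the 233233.zw.conf.j2 hunk. The `proxy_hide_header` block strips Content-Security-Policy, X-Frame-Options, X-Content-Type-Options and Referrer-Policy from the upstream response while the server adds no replacements, so the comment "to avoid duplicates/overrideing" should either be backed by matching `add_header` directives or state plainly that the proxied pages are served without those protections (also in the zw hunk).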
@@ -0,0 +1,102 @@
+{% set domain = "233233.xyz" %}
+#
+# nginx/sites: reverse proxy to the Chinese Wikipedia:
+# * zw.{{ domain }} -> zh.wikipedia.org
+# * zw.{{ domain }}/m/ -> zh.m.wikipedia.org
+#
+#
+# Aaron LI
+# 2017-05-23
+#
+
+{% if domains_hascert[domain] %}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name zw.{{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ # Enable caching
+ #proxy_cache CACHE;
+
+ # Replace cookie domain
+ proxy_cookie_domain wikipedia.org $host;
+
+ # Hide some upstream headers to avoid duplicates/overrideing
+ proxy_hide_header Strict-Transport-Security;
+ proxy_hide_header Content-Security-Policy;
+ proxy_hide_header X-Frame-Options;
+ proxy_hide_header X-XSS-Protection;
+ proxy_hide_header X-Content-Type-Options;
+ proxy_hide_header Referrer-Policy;
+
+ # Substitute links in contents
+ # NOTE: Require to set Accept-Encoding="" header in order to request
+ # *uncompressed* data from upstream, otherwise won't work!
+ sub_filter_types text/css text/javascript application/json;
+ sub_filter_once off;
+ {% block sub_filter_common %}
+ sub_filter //zh.wikipedia.org/ //$host/;
+ sub_filter //zh.m.wikipedia.org/ //$host/m/;
+ {% endblock %}
+
+ # Reverse proxy to zh.wikipedia.org
+ location / {
+ proxy_pass https://zh.wikipedia.org;
+
+ # Handle the redirection to the mobile version
+ proxy_redirect default;
+ proxy_redirect https://zh.m.wikipedia.org/ /m/;
+
+ # NOTE: The `Host` header cannot be set to `$host`, otherwise,
+ # we get error "Domain not configured" from Wikipedia.
+ proxy_set_header Host zh.wikipedia.org;
+ proxy_set_header Referer https://zh.wikipedia.org;
+ {% block proxy_set_header_common %}
+ proxy_set_header User-Agent $http_user_agent;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Cookie "";
+ proxy_set_header Accept-Encoding "";
+ proxy_set_header Accept-Language $http_accept_language;
+ {% endblock %}
+ }
+
+ # Reverse proxy to zh.m.wikipedia.org
+ location ^~ /m/ {
+ # NOTE: This `proxy_pass` directive is specified WITH an URI
+ # (i.e., the trailing `/` here), then when a request is
+ # passed to the server, the part of a *normalized*
+ # request URI matching the location is replaced by the
+ # URI specified in the directive.
+ # Reference: http://nginx.org/r/proxy_pass
+ proxy_pass https://zh.m.wikipedia.org/;
+
+ # Handle the redirection to the desktop version
+ proxy_redirect default;
+ proxy_redirect https://zh.wikipedia.org/ /;
+
+ proxy_set_header Host zh.m.wikipedia.org;
+ proxy_set_header Referer https://zh.m.wikipedia.org;
+ {{ self.proxy_set_header_common() }}
+
+ # All "sub_filter" directives from upper level must be copied here!
+ {{ self.sub_filter_common() }}
+ sub_filter /wiki/ /m/wiki/;
+ }
+
+ # Forbid spider
+ if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") {
+ return 403;
+ }
+
+ location /robots.txt {
+ default_type text/plain;
+ return 200 "User-agent: *\nDisallow: /\n";
+ }
+}
+{% endif %}
diff --git a/roles/web/templates/sites/aaronly.conf.j2 b/roles/web/templates/sites/aaronly.conf.j2
new file mode 100644
index 0000000..b1fb481
--- /dev/null
+++ b/roles/web/templates/sites/aaronly.conf.j2
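Review bot: In `location ^~ /m/`, `sub_filter /wiki/ /m/wiki/;` rewrites every occurrence of `/wiki/` in the filtered body, not only the root-relative article links the comment is about; with `sub_filter_once off` this presumably also turns absolute links to sibling projects such as `https://en.wikipedia.org/wiki/...` into a `/m/wiki/` path that does not exist on those hosts. Anchoring the pattern on the attribute, e.g. `sub_filter 'href="/wiki/' 'href="/m/wiki/';`, limits the replacement to the links that actually go through this proxy. The header comment should also record that `Cookie` is dropped while `X-Real-IP`/`X-Forwarded-For` forward the client's address to Wikipedia, since that trade-off is easy to miss inside the proxy_set_header block.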
@@ -0,0 +1,22 @@
+{% set domain = "aaronly.me" %}
+{% set domain_new = "liwt.net" %}
+#
+# Nignx/sites: aaronly.conf
+# Redirect {{ domain }} to {{ domain_new }}
+#
+# Aaron LI
+#
+
+{% if domains_hascert[domain] %}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ domain }} *.{{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ return 301 $scheme://{{ domain_new }}$request_uri;
+}
+{% endif %}
diff --git a/roles/web/templates/sites/liwt.git.conf.j2 b/roles/web/templates/sites/liwt.git.conf.j2
new file mode 100644
index 0000000..363d493
--- /dev/null
+++ b/roles/web/templates/sites/liwt.git.conf.j2
@@ -0,0 +1,47 @@
+{% set domain = "liwt.net" %}
+#
+# nginx/sites: liwt.git.conf
+# Website: git.{{ domain }}
+# Share/publish projects (git repositories) using `cgit`.
+#
+# Refernce:
+# [1] ArchWiki - cgit
+# https://wiki.archlinux.org/index.php/Cgit
+#
+#
+# Aaron LI
+# 2017-06-18
+#
+
+{% if domains_hascert[domain] %}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name git.{{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ # Projects (git repositories) location
+ root /usr/local/www/cgit;
+ try_files $uri @cgit;
+
+ location @cgit {
+ # Require `www/uwsgi` package and configurations in `/etc/rc.conf`.
+ include uwsgi_params;
+ # modifier1: 9 - size of CGI block vars (HTTP request body excluded)
+ uwsgi_modifier1 9;
+ uwsgi_pass unix:/var/run/uwsgi-cgit.sock;
+ }
+
+ location /static/ {
+ root /home/www/git/;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/local/www/nginx-dist;
+ }
+}
+{% endif %}
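Review bot: The comment above `uwsgi_modifier1 9;` in liwt.git.conf.j2 describes modifier1 as the "size of CGI block vars", which does not match the uwsgi packet header: modifier1 selects the request handler (9 is the CGI plugin, as in the ArchWiki cgit setup cited in the header), while the size of the variable block is the separate 16-bit datasize field. Suggest `# modifier1 9: hand the request to uwsgi's CGI plugin (cgit is a CGI program)`. Since `try_files $uri @cgit` serves any existing file under `/usr/local/www/cgit` directly before falling through to cgit, a comment noting that only cgit's static assets belong in that root would help the next maintainer. The `Refernce` typo in the header appears in liwt.www.conf.j2 as well.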
diff --git a/roles/web/templates/sites/liwt.radicale.conf.j2 b/roles/web/templates/sites/liwt.radicale.conf.j2
new file mode 100644
index 0000000..416a872
--- /dev/null
+++ b/roles/web/templates/sites/liwt.radicale.conf.j2
@@ -0,0 +1,51 @@
+{% set domain = "liwt.net" %}
+#
+# nginx/sites: aaronly.radicale.conf
+# CalDAV/CardDAV server: caldav.{{ domain }}, carddav.{{ domain }}
+#
+# Aaron LI
+# 2017-04-27
+#
+
+{% if domains_hascert[domain] %}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name caldav.{{ domain }} carddav.{{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ # Reverse proxy to Radicale
+ location / {
+ # Auth through HTTP
+ auth_basic "Radicale ...";
+ auth_basic_user_file /usr/local/etc/nginx/auth/radicale.passwd;
+
+ # XXX: Hack to support "username@domain"-style logins
+ if ($remote_user ~ ^(?<user_>[^@/]+)(@[^/]+)?$) {
+ set $username $user_;
+ }
+
+ # When a reverse proxy is used, the path at which Radicale is
+ # available must be provided via the "X-Script-Name" header.
+ # The proxy must remove the location from the URL path that is
+ # forwarded to Radicale.
+ # http://radicale.org/proxy/
+ #
+ #proxy_pass http://127.0.0.1:5232/; # Note the trailing "/"
+ #proxy_set_header Host $host;
+ #proxy_set_header X-Real-IP $remote_addr;
+ #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ #proxy_set_header X-Forwarded-Proto $scheme;
+ #proxy_set_header X-Remote-User $username;
+
+ # WSGI interface: http://radicale.org/wsgi/
+ include uwsgi_params;
+ # Require to set 'auth/type' to 'remote_user' in config file
+ uwsgi_param REMOTE_USER $username;
+ uwsgi_pass unix:/var/run/uwsgi-radicale.sock;
+ }
+}
+{% endif %}
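Review bot: `$username` is only assigned inside the `if ($remote_user ~ ...)` block, so for an authenticated `$remote_user` that does not match the pattern (one containing `/`, for instance) `uwsgi_param REMOTE_USER $username;` passes an empty value and nginx emits a "using uninitialized "username" variable" warning; giving it a default first, `set $username $remote_user;` before the `if`, keeps REMOTE_USER populated on every path. With `auth/type` set to `remote_user`, Radicale accepts whatever REMOTE_USER it is handed, so authentication rests entirely on the `auth_basic` directives here and on the permissions of `/var/run/uwsgi-radicale.sock`; a comment stating that the socket must be writable by the nginx user only would make that dependency visible to whoever maintains the uwsgi side. The header names the file `aaronly.radicale.conf` while it is `liwt.radicale.conf.j2`.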
diff --git a/roles/web/templates/sites/liwt.www.conf.j2 b/roles/web/templates/sites/liwt.www.conf.j2
new file mode 100644
index 0000000..f13c475
--- /dev/null
+++ b/roles/web/templates/sites/liwt.www.conf.j2
@@ -0,0 +1,109 @@
+{% set domain = "liwt.net" %}
+#
+# nginx/sites: liwt.www.conf
+# Main website: {{ domain }}
+#
+# Refernce
+# --------
+# * Nginx - Converting rewrite rules
+# https://nginx.org/en/docs/http/converting_rewrite_rules.html
+# * StackOverflow - Nginx no-www to www and www to no-www
+# http://stackoverflow.com/a/7958540
+# * StackOverflow - Remove 'www' and redirect to 'https' with nginx
+# http://stackoverflow.com/a/258424
+# * Nginx Caching | Servers for Hackers
+# https://serversforhackers.com/nginx-caching/
+#
+#
+# Aaron LI
+#
+
+{% if domains_hascert[domain] %}
+# Separate server block to redirect www to no-www
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name www.{{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ return 301 $scheme://{{ domain }}$request_uri;
+}
+
+server {
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl http2;
+ server_name {{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ # Website location
+ root /home/www/www;
+ index index.html;
+
+ location / {
+ try_files $uri $uri/ $uri/index.html $uri.html =404;
+ }
+
+ location = /ip {
+ default_type text/plain;
+ return 200 "$remote_addr\n";
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ error_page 403 /403.html;
+ error_page 404 /404.html;
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/local/www/nginx-dist;
+ }
+
+ ## Expire rules for static content [3]
+ # Feed
+ location ~* \.(?:rss|atom)$ {
+ expires 1h;
+ add_header Cache-Control "public";
+ }
+ # Media: images, icons, video, audio
+ location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp3|mp4|ogg|ogv|webm)$ {
+ expires 30d;
+ access_log off;
+ add_header Cache-Control "public";
+ }
+ # CSS and Javascript
+ location ~* \.(?:css|js)$ {
+ expires 30d;
+ access_log off;
+ add_header Cache-Control "public";
+ }
+
+ ## Block rules
+ # .git
+ location ~ /\.git {
+ deny all;
+ log_not_found off;
+ access_log off;
+ }
+ # All hidden directories and files (begin with .)
+ location ~ /\. {
+ deny all;
+ log_not_found off;
+ access_log off;
+ }
+ # Temporary files (end with ~)
+ location ~ ~$ {
+ deny all;
+ log_not_found off;
+ access_log off;
+ }
+}
+{% endif %}
|
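Review bot: The deny rules `location ~ /\.git`, `location ~ /\.` and `location ~ ~$` are placed after the `expires` regex locations, and nginx uses the first regular-expression location that matches in file order, so a request for a file inside a hidden directory whose name ends in one of the listed extensions (a `.png`, `.css` or `.js` under a dot-directory, say) is answered by the media/CSS block instead of being denied. Moving the three block rules above the `## Expire rules` section, or expressing them as prefix locations that take precedence over regexes (`location ^~ /.git { deny all; }`), makes the denial win regardless of extension; git's own files under `.git` do not use those extensions, so the gap is mainly for other hidden directories. `## Expire rules for static content [3]` cites a `[3]` that the header's bullet list never numbers, so the comment should name the "Servers for Hackers" entry instead.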