aboutsummaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorAaron LI <aly@aaronly.me>2018-03-04 10:11:32 +0800
committerAaron LI <aly@aaronly.me>2018-03-14 11:35:08 +0800
commitb9ce06b9729574cd79f494dcd7c01dcc381ac708 (patch)
tree2527f106c97e2880185bf7347be1e6808d134086 /roles
parentf0872a922769fab1abd02e4a066a40cfc477980c (diff)
downloadansible-dfly-vps-b9ce06b9729574cd79f494dcd7c01dcc381ac708.tar.bz2
web: add nginx sites
Diffstat (limited to 'roles')
-rw-r--r--roles/web/templates/sites/00-acme-httpredirect.conf.j226
-rw-r--r--roles/web/templates/sites/1314233.conf.j222
-rw-r--r--roles/web/templates/sites/233233.g.conf.j2164
-rw-r--r--roles/web/templates/sites/233233.zw.conf.j2102
-rw-r--r--roles/web/templates/sites/aaronly.conf.j222
-rw-r--r--roles/web/templates/sites/liwt.git.conf.j247
-rw-r--r--roles/web/templates/sites/liwt.radicale.conf.j251
-rw-r--r--roles/web/templates/sites/liwt.www.conf.j2109
8 files changed, 543 insertions, 0 deletions
diff --git a/roles/web/templates/sites/00-acme-httpredirect.conf.j2 b/roles/web/templates/sites/00-acme-httpredirect.conf.j2
new file mode 100644
index 0000000..bf6d325
--- /dev/null
+++ b/roles/web/templates/sites/00-acme-httpredirect.conf.j2
@@ -0,0 +1,26 @@
+#
+# Nignx/sites: 00-acme-httpredirect.conf
+# Provide ACME challenges to issue certificate from Let's Encrypt,
+# and redirect HTTP to HTTPs.
+#
+# Aaron LI
+#
+
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+
+ location ^~ /.well-known/acme-challenge/ {
+ default_type text/plain;
+ root /usr/local/www/acme;
+ }
+ location = /.well-known/acme-challenge/ {
+ return 404;
+ }
+
+ # Redirect to HTTPS
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/roles/web/templates/sites/1314233.conf.j2 b/roles/web/templates/sites/1314233.conf.j2
new file mode 100644
index 0000000..57994ee
--- /dev/null
+++ b/roles/web/templates/sites/1314233.conf.j2
@@ -0,0 +1,22 @@
+{% set domain = "1314233.xyz" %}
+{% set domain_new = "233233.xyz" %}
+#
+# Nignx/sites: 1314233.conf
+# Redirect {{ domain }} to {{ domain_new }}
+#
+# Aaron LI
+#
+
+{% if domains_hascert[domain] %}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ domain }} *.{{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ return 301 $scheme://{{ domain_new }}$request_uri;
+}
+{% endif %}
diff --git a/roles/web/templates/sites/233233.g.conf.j2 b/roles/web/templates/sites/233233.g.conf.j2
new file mode 100644
index 0000000..1197b9f
--- /dev/null
+++ b/roles/web/templates/sites/233233.g.conf.j2
@@ -0,0 +1,164 @@
+{% set domain = "233233.xyz" %}
+#
+# nginx/sites: reverse proxy to Google Search (with images and webcache))
+#
+# Credit:
+# * Nginx rewrite append a parameter at the end of an URL
+# https://serverfault.com/a/311660/387898
+# * https://github.com/tracycool/Reverse-Proxy-for-Google
+# * https://github.com/caiguanhao/nginx-bypass-gfw/blob/master/google.conf
+#
+# References:
+# * Google Custom Search - CSE parameters list
+# https://developers.google.com/custom-search/json-api/v1/reference/cse/list
+#
+#
+# Aaron LI
+# 2017-05-23
+#
+
+{% if domains_hascert[domain] %}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name g.{{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ # Enable caching
+ #proxy_cache CACHE;
+
+ # Tune buffer
+ proxy_buffer_size 64k;
+ proxy_buffers 4 128k;
+ proxy_busy_buffers_size 128k;
+
+ # Replace cookie domain
+ proxy_cookie_domain google.com $host;
+
+ # Hide some upstream headers to avoid duplicates/overrideing
+ proxy_hide_header Strict-Transport-Security;
+ proxy_hide_header Content-Security-Policy;
+ proxy_hide_header X-Frame-Options;
+ proxy_hide_header X-XSS-Protection;
+ proxy_hide_header X-Content-Type-Options;
+ proxy_hide_header Referrer-Policy;
+
+ # Substitute links in contents
+ # NOTE: Require to set Accept-Encoding="" header in order to request
+ # *uncompressed* data from upstream, otherwise won't work!
+ sub_filter_types text/css text/javascript application/json;
+ sub_filter_once off;
+ sub_filter //www.google.com/ //$host/;
+ sub_filter //apis.google.com/ //$host/__gapis/;
+ sub_filter //ajax.googleapis.com/ //$host/__gajax/;
+ sub_filter //fonts.googleapis.com/ //$host/__gfonts/;
+ sub_filter //www.gstatic.com/ //$host/__gstatic/www/;
+ sub_filter //ssl.gstatic.com/ //$host/__gstatic/ssl/;
+ sub_filter //encrypted-tbn0.gstatic.com/ //$host/__gstatic/enc-tbn0/;
+ # Google Images
+ sub_filter //webcache.googleusercontent.com/ //$host/__gwebcache/;
+
+ # WARNING:
+ # The "proxy_set_header" directives are inherited from the previous
+ # level *if and only if* there are *no* such directives defined on
+ # the current level!
+
+ #
+ # Reverse proxy to Google search and its friends :-)
+ #
+ location / {
+ proxy_pass https://www.google.com;
+
+ # These header need set explicitly, otherwise the browser will
+ # be redirected to Google's URL without proxy...
+ proxy_set_header Host www.google.com;
+ proxy_set_header Referer https://www.google.com;
+ # Set other necessary headers
+ # NOTE: Set Accept-Encoding="" to request *uncompressed* data
+ # from upstream, otherwise "sub_filter" doesn't work!
+ # Credit: https://stackoverflow.com/a/36274259
+ {% block proxy_set_header_common %}
+ proxy_set_header User-Agent $http_user_agent;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Cookie "";
+ proxy_set_header Accept-Language "en-US";
+ proxy_set_header Accept-Encoding "";
+ {% endblock %}
+
+ # Append "&gfe_rd=cr&gws_rd=cr" to disable country redirection.
+ # Append "&hl=en" to set interface language to English.
+ #
+ # "rewrite" matches against URL's *path* part only, which means
+ # "$1" will *not* contain the query string. And Nginx appends
+ # original query string to the rewrite replacement by default.
+ #
+ # Credit: https://serverfault.com/a/311660/387898
+ rewrite ^(.*)$ $1?gfe_rd=cr&gws_rd=cr&hl=en break;
+ }
+
+ location ^~ /__gwebcache/ {
+ # ^~ will make location search stop here if matched.
+ proxy_pass https://webcache.googleusercontent.com/;
+ # Note the trailing '/' above, which tells Nginx to strip the
+ # matched URI.
+ # Credit: https://serverfault.com/a/725433/387898
+
+ proxy_set_header Host webcache.googleusercontent.com;
+ proxy_set_header Referer https://webcache.googleusercontent.com;
+ # NOTE: The upper level "proxy_set_header" directives are *not*
+ # inherited since there are such directives on this level!
+ {{ self.proxy_set_header_common() }}
+ }
+ location ^~ /__gstatic/ssl/ {
+ proxy_pass https://ssl.gstatic.com/;
+ proxy_set_header Host ssl.gstatic.com;
+ proxy_set_header Referer https://ssl.gstatic.com;
+ {{ self.proxy_set_header_common() }}
+ }
+ location ^~ /__gstatic/www/ {
+ proxy_pass https://www.gstatic.com/;
+ proxy_set_header Host ssl.gstatic.com;
+ proxy_set_header Referer https://ssl.gstatic.com;
+ {{ self.proxy_set_header_common() }}
+ }
+ location ^~ /__gstatic/enc-tbn0/ {
+ proxy_pass https://encrypted-tbn0.gstatic.com/;
+ proxy_set_header Host encrypted-tbn0.gstatic.com;
+ proxy_set_header Referer https://encrypted-tbn0.gstatic.com;
+ {{ self.proxy_set_header_common() }}
+ }
+ location ^~ /__gapis/ {
+ proxy_pass https://apis.google.com/;
+ proxy_set_header Host apis.google.com;
+ proxy_set_header Referer https://apis.google.com;
+ {{ self.proxy_set_header_common() }}
+ }
+ location ^~ /__gfonts/ {
+ proxy_pass https://fonts.googleapis.com/;
+ proxy_set_header Host fonts.googleapis.com;
+ proxy_set_header Referer https://fonts.googleapis.com;
+ {{ self.proxy_set_header_common() }}
+ }
+ location ^~ /__gajax/ {
+ proxy_pass https://ajax.googleapis.com/;
+ proxy_set_header Host ajax.googleapis.com;
+ proxy_set_header Referer https://ajax.googleapis.com;
+ {{ self.proxy_set_header_common() }}
+ }
+
+ # Forbid spider
+ if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") {
+ return 403;
+ }
+
+ location /robots.txt {
+ default_type text/plain;
+ return 200 "User-agent: *\nDisallow: /\n";
+ }
+}
+{% endif %}
diff --git a/roles/web/templates/sites/233233.zw.conf.j2 b/roles/web/templates/sites/233233.zw.conf.j2
new file mode 100644
index 0000000..a17457e
--- /dev/null
+++ b/roles/web/templates/sites/233233.zw.conf.j2
@@ -0,0 +1,102 @@
+{% set domain = "233233.xyz" %}
+#
+# nginx/sites: reverse proxy to the Chinese Wikipedia:
+# * zw.{{ domain }} -> zh.wikipedia.org
+# * zw.{{ domain }}/m/ -> zh.m.wikipedia.org
+#
+#
+# Aaron LI
+# 2017-05-23
+#
+
+{% if domains_hascert[domain] %}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name zw.{{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ # Enable caching
+ #proxy_cache CACHE;
+
+ # Replace cookie domain
+ proxy_cookie_domain wikipedia.org $host;
+
+ # Hide some upstream headers to avoid duplicates/overrideing
+ proxy_hide_header Strict-Transport-Security;
+ proxy_hide_header Content-Security-Policy;
+ proxy_hide_header X-Frame-Options;
+ proxy_hide_header X-XSS-Protection;
+ proxy_hide_header X-Content-Type-Options;
+ proxy_hide_header Referrer-Policy;
+
+ # Substitute links in contents
+ # NOTE: Require to set Accept-Encoding="" header in order to request
+ # *uncompressed* data from upstream, otherwise won't work!
+ sub_filter_types text/css text/javascript application/json;
+ sub_filter_once off;
+ {% block sub_filter_common %}
+ sub_filter //zh.wikipedia.org/ //$host/;
+ sub_filter //zh.m.wikipedia.org/ //$host/m/;
+ {% endblock %}
+
+ # Reverse proxy to zh.wikipedia.org
+ location / {
+ proxy_pass https://zh.wikipedia.org;
+
+ # Handle the redirection to the mobile version
+ proxy_redirect default;
+ proxy_redirect https://zh.m.wikipedia.org/ /m/;
+
+ # NOTE: The `Host` header cannot be set to `$host`, otherwise,
+ # we get error "Domain not configured" from Wikipedia.
+ proxy_set_header Host zh.wikipedia.org;
+ proxy_set_header Referer https://zh.wikipedia.org;
+ {% block proxy_set_header_common %}
+ proxy_set_header User-Agent $http_user_agent;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Cookie "";
+ proxy_set_header Accept-Encoding "";
+ proxy_set_header Accept-Language $http_accept_language;
+ {% endblock %}
+ }
+
+ # Reverse proxy to zh.m.wikipedia.org
+ location ^~ /m/ {
+ # NOTE: This `proxy_pass` directive is specified WITH an URI
+ # (i.e., the trailing `/` here), then when a request is
+ # passed to the server, the part of a *normalized*
+ # request URI matching the location is replaced by the
+ # URI specified in the directive.
+ # Reference: http://nginx.org/r/proxy_pass
+ proxy_pass https://zh.m.wikipedia.org/;
+
+ # Handle the redirection to the desktop version
+ proxy_redirect default;
+ proxy_redirect https://zh.wikipedia.org/ /;
+
+ proxy_set_header Host zh.m.wikipedia.org;
+ proxy_set_header Referer https://zh.m.wikipedia.org;
+ {{ self.proxy_set_header_common() }}
+
+ # All "sub_filter" directives from upper level must be copied here!
+ {{ self.sub_filter_common() }}
+ sub_filter /wiki/ /m/wiki/;
+ }
+
+ # Forbid spider
+ if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") {
+ return 403;
+ }
+
+ location /robots.txt {
+ default_type text/plain;
+ return 200 "User-agent: *\nDisallow: /\n";
+ }
+}
+{% endif %}
diff --git a/roles/web/templates/sites/aaronly.conf.j2 b/roles/web/templates/sites/aaronly.conf.j2
new file mode 100644
index 0000000..b1fb481
--- /dev/null
+++ b/roles/web/templates/sites/aaronly.conf.j2
@@ -0,0 +1,22 @@
+{% set domain = "aaronly.me" %}
+{% set domain_new = "liwt.net" %}
+#
+# Nignx/sites: aaronly.conf
+# Redirect {{ domain }} to {{ domain_new }}
+#
+# Aaron LI
+#
+
+{% if domains_hascert[domain] %}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ domain }} *.{{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ return 301 $scheme://{{ domain_new }}$request_uri;
+}
+{% endif %}
diff --git a/roles/web/templates/sites/liwt.git.conf.j2 b/roles/web/templates/sites/liwt.git.conf.j2
new file mode 100644
index 0000000..363d493
--- /dev/null
+++ b/roles/web/templates/sites/liwt.git.conf.j2
@@ -0,0 +1,47 @@
+{% set domain = "liwt.net" %}
+#
+# nginx/sites: liwt.git.conf
+# Website: git.{{ domain }}
+# Share/publish projects (git repositories) using `cgit`.
+#
+# Refernce:
+# [1] ArchWiki - cgit
+# https://wiki.archlinux.org/index.php/Cgit
+#
+#
+# Aaron LI
+# 2017-06-18
+#
+
+{% if domains_hascert[domain] %}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name git.{{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ # Projects (git repositories) location
+ root /usr/local/www/cgit;
+ try_files $uri @cgit;
+
+ location @cgit {
+ # Require `www/uwsgi` package and configurations in `/etc/rc.conf`.
+ include uwsgi_params;
+ # modifier1: 9 - size of CGI block vars (HTTP request body excluded)
+ uwsgi_modifier1 9;
+ uwsgi_pass unix:/var/run/uwsgi-cgit.sock;
+ }
+
+ location /static/ {
+ root /home/www/git/;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/local/www/nginx-dist;
+ }
+}
+{% endif %}
diff --git a/roles/web/templates/sites/liwt.radicale.conf.j2 b/roles/web/templates/sites/liwt.radicale.conf.j2
new file mode 100644
index 0000000..416a872
--- /dev/null
+++ b/roles/web/templates/sites/liwt.radicale.conf.j2
@@ -0,0 +1,51 @@
+{% set domain = "liwt.net" %}
+#
+# nginx/sites: aaronly.radicale.conf
+# CalDAV/CardDAV server: caldav.{{ domain }}, carddav.{{ domain }}
+#
+# Aaron LI
+# 2017-04-27
+#
+
+{% if domains_hascert[domain] %}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name caldav.{{ domain }} carddav.{{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ # Reverse proxy to Radicale
+ location / {
+ # Auth through HTTP
+ auth_basic "Radicale ...";
+ auth_basic_user_file /usr/local/etc/nginx/auth/radicale.passwd;
+
+ # XXX: Hack to support "username@domain"-style logins
+ if ($remote_user ~ ^(?<user_>[^@/]+)(@[^/]+)?$) {
+ set $username $user_;
+ }
+
+ # When a reverse proxy is used, the path at which Radicale is
+ # available must be provided via the "X-Script-Name" header.
+ # The proxy must remove the location from the URL path that is
+ # forwarded to Radicale.
+ # http://radicale.org/proxy/
+ #
+ #proxy_pass http://127.0.0.1:5232/; # Note the trailing "/"
+ #proxy_set_header Host $host;
+ #proxy_set_header X-Real-IP $remote_addr;
+ #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ #proxy_set_header X-Forwarded-Proto $scheme;
+ #proxy_set_header X-Remote-User $username;
+
+ # WSGI interface: http://radicale.org/wsgi/
+ include uwsgi_params;
+ # Require to set 'auth/type' to 'remote_user' in config file
+ uwsgi_param REMOTE_USER $username;
+ uwsgi_pass unix:/var/run/uwsgi-radicale.sock;
+ }
+}
+{% endif %}
diff --git a/roles/web/templates/sites/liwt.www.conf.j2 b/roles/web/templates/sites/liwt.www.conf.j2
new file mode 100644
index 0000000..f13c475
--- /dev/null
+++ b/roles/web/templates/sites/liwt.www.conf.j2
@@ -0,0 +1,109 @@
+{% set domain = "liwt.net" %}
+#
+# nginx/sites: liwt.www.conf
+# Main website: {{ domain }}
+#
+# Refernce
+# --------
+# * Nginx - Converting rewrite rules
+# https://nginx.org/en/docs/http/converting_rewrite_rules.html
+# * StackOverflow - Nginx no-www to www and www to no-www
+# http://stackoverflow.com/a/7958540
+# * StackOverflow - Remove 'www' and redirect to 'https' with nginx
+# http://stackoverflow.com/a/258424
+# * Nginx Caching | Servers for Hackers
+# https://serversforhackers.com/nginx-caching/
+#
+#
+# Aaron LI
+#
+
+{% if domains_hascert[domain] %}
+# Separate server block to redirect www to no-www
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name www.{{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ return 301 $scheme://{{ domain }}$request_uri;
+}
+
+server {
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl http2;
+ server_name {{ domain }};
+
+ # SSL/TLS Certificate kindly provided by Let's Encrypt
+ ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem;
+
+ # Website location
+ root /home/www/www;
+ index index.html;
+
+ location / {
+ try_files $uri $uri/ $uri/index.html $uri.html =404;
+ }
+
+ location = /ip {
+ default_type text/plain;
+ return 200 "$remote_addr\n";
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ error_page 403 /403.html;
+ error_page 404 /404.html;
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/local/www/nginx-dist;
+ }
+
+ ## Expire rules for static content [3]
+ # Feed
+ location ~* \.(?:rss|atom)$ {
+ expires 1h;
+ add_header Cache-Control "public";
+ }
+ # Media: images, icons, video, audio
+ location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp3|mp4|ogg|ogv|webm)$ {
+ expires 30d;
+ access_log off;
+ add_header Cache-Control "public";
+ }
+ # CSS and Javascript
+ location ~* \.(?:css|js)$ {
+ expires 30d;
+ access_log off;
+ add_header Cache-Control "public";
+ }
+
+ ## Block rules
+ # .git
+ location ~ /\.git {
+ deny all;
+ log_not_found off;
+ access_log off;
+ }
+ # All hidden directories and files (begin with .)
+ location ~ /\. {
+ deny all;
+ log_not_found off;
+ access_log off;
+ }
+ # Temporary files (end with ~)
+ location ~ ~$ {
+ deny all;
+ log_not_found off;
+ access_log off;
+ }
+}
+{% endif %}