diff options
Diffstat (limited to 'roles')
-rw-r--r-- | roles/web/templates/sites/00-acme-httpredirect.conf.j2 | 26 | ||||
-rw-r--r-- | roles/web/templates/sites/1314233.conf.j2 | 22 | ||||
-rw-r--r-- | roles/web/templates/sites/233233.g.conf.j2 | 164 | ||||
-rw-r--r-- | roles/web/templates/sites/233233.zw.conf.j2 | 102 | ||||
-rw-r--r-- | roles/web/templates/sites/aaronly.conf.j2 | 22 | ||||
-rw-r--r-- | roles/web/templates/sites/liwt.git.conf.j2 | 47 | ||||
-rw-r--r-- | roles/web/templates/sites/liwt.radicale.conf.j2 | 51 | ||||
-rw-r--r-- | roles/web/templates/sites/liwt.www.conf.j2 | 109 |
8 files changed, 543 insertions, 0 deletions
diff --git a/roles/web/templates/sites/00-acme-httpredirect.conf.j2 b/roles/web/templates/sites/00-acme-httpredirect.conf.j2 new file mode 100644 index 0000000..bf6d325 --- /dev/null +++ b/roles/web/templates/sites/00-acme-httpredirect.conf.j2 @@ -0,0 +1,26 @@ +# +# Nignx/sites: 00-acme-httpredirect.conf +# Provide ACME challenges to issue certificate from Let's Encrypt, +# and redirect HTTP to HTTPs. +# +# Aaron LI +# + +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + + location ^~ /.well-known/acme-challenge/ { + default_type text/plain; + root /usr/local/www/acme; + } + location = /.well-known/acme-challenge/ { + return 404; + } + + # Redirect to HTTPS + location / { + return 301 https://$host$request_uri; + } +} diff --git a/roles/web/templates/sites/1314233.conf.j2 b/roles/web/templates/sites/1314233.conf.j2 new file mode 100644 index 0000000..57994ee --- /dev/null +++ b/roles/web/templates/sites/1314233.conf.j2 @@ -0,0 +1,22 @@ +{% set domain = "1314233.xyz" %} +{% set domain_new = "233233.xyz" %} +# +# Nignx/sites: 1314233.conf +# Redirect {{ domain }} to {{ domain_new }} +# +# Aaron LI +# + +{% if domains_hascert[domain] %} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name {{ domain }} *.{{ domain }}; + + # SSL/TLS Certificate kindly provided by Let's Encrypt + ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem; + ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem; + + return 301 $scheme://{{ domain_new }}$request_uri; +} +{% endif %} diff --git a/roles/web/templates/sites/233233.g.conf.j2 b/roles/web/templates/sites/233233.g.conf.j2 new file mode 100644 index 0000000..1197b9f --- /dev/null +++ b/roles/web/templates/sites/233233.g.conf.j2 @@ -0,0 +1,164 @@ +{% set domain = "233233.xyz" %} +# +# nginx/sites: reverse proxy to Google Search (with images and webcache)) +# +# Credit: +# * Nginx rewrite append a parameter at the end of an URL +# https://serverfault.com/a/311660/387898 +# * https://github.com/tracycool/Reverse-Proxy-for-Google +# * https://github.com/caiguanhao/nginx-bypass-gfw/blob/master/google.conf +# +# References: +# * Google Custom Search - CSE parameters list +# https://developers.google.com/custom-search/json-api/v1/reference/cse/list +# +# +# Aaron LI +# 2017-05-23 +# + +{% if domains_hascert[domain] %} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name g.{{ domain }}; + + # SSL/TLS Certificate kindly provided by Let's Encrypt + ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem; + ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem; + + # Enable caching + #proxy_cache CACHE; + + # Tune buffer + proxy_buffer_size 64k; + proxy_buffers 4 128k; + proxy_busy_buffers_size 128k; + + # Replace cookie domain + proxy_cookie_domain google.com $host; + + # Hide some upstream headers to avoid duplicates/overrideing + proxy_hide_header Strict-Transport-Security; + proxy_hide_header Content-Security-Policy; + proxy_hide_header X-Frame-Options; + proxy_hide_header X-XSS-Protection; + proxy_hide_header X-Content-Type-Options; + proxy_hide_header Referrer-Policy; + + # Substitute links in contents + # NOTE: Require to set Accept-Encoding="" header in order to request + # *uncompressed* data from upstream, otherwise won't work! + sub_filter_types text/css text/javascript application/json; + sub_filter_once off; + sub_filter //www.google.com/ //$host/; + sub_filter //apis.google.com/ //$host/__gapis/; + sub_filter //ajax.googleapis.com/ //$host/__gajax/; + sub_filter //fonts.googleapis.com/ //$host/__gfonts/; + sub_filter //www.gstatic.com/ //$host/__gstatic/www/; + sub_filter //ssl.gstatic.com/ //$host/__gstatic/ssl/; + sub_filter //encrypted-tbn0.gstatic.com/ //$host/__gstatic/enc-tbn0/; + # Google Images + sub_filter //webcache.googleusercontent.com/ //$host/__gwebcache/; + + # WARNING: + # The "proxy_set_header" directives are inherited from the previous + # level *if and only if* there are *no* such directives defined on + # the current level! + + # + # Reverse proxy to Google search and its friends :-) + # + location / { + proxy_pass https://www.google.com; + + # These header need set explicitly, otherwise the browser will + # be redirected to Google's URL without proxy... + proxy_set_header Host www.google.com; + proxy_set_header Referer https://www.google.com; + # Set other necessary headers + # NOTE: Set Accept-Encoding="" to request *uncompressed* data + # from upstream, otherwise "sub_filter" doesn't work! + # Credit: https://stackoverflow.com/a/36274259 + {% block proxy_set_header_common %} + proxy_set_header User-Agent $http_user_agent; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Cookie ""; + proxy_set_header Accept-Language "en-US"; + proxy_set_header Accept-Encoding ""; + {% endblock %} + + # Append "&gfe_rd=cr&gws_rd=cr" to disable country redirection. + # Append "&hl=en" to set interface language to English. + # + # "rewrite" matches against URL's *path* part only, which means + # "$1" will *not* contain the query string. And Nginx appends + # original query string to the rewrite replacement by default. + # + # Credit: https://serverfault.com/a/311660/387898 + rewrite ^(.*)$ $1?gfe_rd=cr&gws_rd=cr&hl=en break; + } + + location ^~ /__gwebcache/ { + # ^~ will make location search stop here if matched. + proxy_pass https://webcache.googleusercontent.com/; + # Note the trailing '/' above, which tells Nginx to strip the + # matched URI. + # Credit: https://serverfault.com/a/725433/387898 + + proxy_set_header Host webcache.googleusercontent.com; + proxy_set_header Referer https://webcache.googleusercontent.com; + # NOTE: The upper level "proxy_set_header" directives are *not* + # inherited since there are such directives on this level! + {{ self.proxy_set_header_common() }} + } + location ^~ /__gstatic/ssl/ { + proxy_pass https://ssl.gstatic.com/; + proxy_set_header Host ssl.gstatic.com; + proxy_set_header Referer https://ssl.gstatic.com; + {{ self.proxy_set_header_common() }} + } + location ^~ /__gstatic/www/ { + proxy_pass https://www.gstatic.com/; + proxy_set_header Host ssl.gstatic.com; + proxy_set_header Referer https://ssl.gstatic.com; + {{ self.proxy_set_header_common() }} + } + location ^~ /__gstatic/enc-tbn0/ { + proxy_pass https://encrypted-tbn0.gstatic.com/; + proxy_set_header Host encrypted-tbn0.gstatic.com; + proxy_set_header Referer https://encrypted-tbn0.gstatic.com; + {{ self.proxy_set_header_common() }} + } + location ^~ /__gapis/ { + proxy_pass https://apis.google.com/; + proxy_set_header Host apis.google.com; + proxy_set_header Referer https://apis.google.com; + {{ self.proxy_set_header_common() }} + } + location ^~ /__gfonts/ { + proxy_pass https://fonts.googleapis.com/; + proxy_set_header Host fonts.googleapis.com; + proxy_set_header Referer https://fonts.googleapis.com; + {{ self.proxy_set_header_common() }} + } + location ^~ /__gajax/ { + proxy_pass https://ajax.googleapis.com/; + proxy_set_header Host ajax.googleapis.com; + proxy_set_header Referer https://ajax.googleapis.com; + {{ self.proxy_set_header_common() }} + } + + # Forbid spider + if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") { + return 403; + } + + location /robots.txt { + default_type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } +} +{% endif %} diff --git a/roles/web/templates/sites/233233.zw.conf.j2 b/roles/web/templates/sites/233233.zw.conf.j2 new file mode 100644 index 0000000..a17457e --- /dev/null +++ b/roles/web/templates/sites/233233.zw.conf.j2 @@ -0,0 +1,102 @@ +{% set domain = "233233.xyz" %} +# +# nginx/sites: reverse proxy to the Chinese Wikipedia: +# * zw.{{ domain }} -> zh.wikipedia.org +# * zw.{{ domain }}/m/ -> zh.m.wikipedia.org +# +# +# Aaron LI +# 2017-05-23 +# + +{% if domains_hascert[domain] %} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name zw.{{ domain }}; + + # SSL/TLS Certificate kindly provided by Let's Encrypt + ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem; + ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem; + + # Enable caching + #proxy_cache CACHE; + + # Replace cookie domain + proxy_cookie_domain wikipedia.org $host; + + # Hide some upstream headers to avoid duplicates/overrideing + proxy_hide_header Strict-Transport-Security; + proxy_hide_header Content-Security-Policy; + proxy_hide_header X-Frame-Options; + proxy_hide_header X-XSS-Protection; + proxy_hide_header X-Content-Type-Options; + proxy_hide_header Referrer-Policy; + + # Substitute links in contents + # NOTE: Require to set Accept-Encoding="" header in order to request + # *uncompressed* data from upstream, otherwise won't work! + sub_filter_types text/css text/javascript application/json; + sub_filter_once off; + {% block sub_filter_common %} + sub_filter //zh.wikipedia.org/ //$host/; + sub_filter //zh.m.wikipedia.org/ //$host/m/; + {% endblock %} + + # Reverse proxy to zh.wikipedia.org + location / { + proxy_pass https://zh.wikipedia.org; + + # Handle the redirection to the mobile version + proxy_redirect default; + proxy_redirect https://zh.m.wikipedia.org/ /m/; + + # NOTE: The `Host` header cannot be set to `$host`, otherwise, + # we get error "Domain not configured" from Wikipedia. + proxy_set_header Host zh.wikipedia.org; + proxy_set_header Referer https://zh.wikipedia.org; + {% block proxy_set_header_common %} + proxy_set_header User-Agent $http_user_agent; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Cookie ""; + proxy_set_header Accept-Encoding ""; + proxy_set_header Accept-Language $http_accept_language; + {% endblock %} + } + + # Reverse proxy to zh.m.wikipedia.org + location ^~ /m/ { + # NOTE: This `proxy_pass` directive is specified WITH an URI + # (i.e., the trailing `/` here), then when a request is + # passed to the server, the part of a *normalized* + # request URI matching the location is replaced by the + # URI specified in the directive. + # Reference: http://nginx.org/r/proxy_pass + proxy_pass https://zh.m.wikipedia.org/; + + # Handle the redirection to the desktop version + proxy_redirect default; + proxy_redirect https://zh.wikipedia.org/ /; + + proxy_set_header Host zh.m.wikipedia.org; + proxy_set_header Referer https://zh.m.wikipedia.org; + {{ self.proxy_set_header_common() }} + + # All "sub_filter" directives from upper level must be copied here! + {{ self.sub_filter_common() }} + sub_filter /wiki/ /m/wiki/; + } + + # Forbid spider + if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") { + return 403; + } + + location /robots.txt { + default_type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } +} +{% endif %} diff --git a/roles/web/templates/sites/aaronly.conf.j2 b/roles/web/templates/sites/aaronly.conf.j2 new file mode 100644 index 0000000..b1fb481 --- /dev/null +++ b/roles/web/templates/sites/aaronly.conf.j2 @@ -0,0 +1,22 @@ +{% set domain = "aaronly.me" %} +{% set domain_new = "liwt.net" %} +# +# Nignx/sites: aaronly.conf +# Redirect {{ domain }} to {{ domain_new }} +# +# Aaron LI +# + +{% if domains_hascert[domain] %} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name {{ domain }} *.{{ domain }}; + + # SSL/TLS Certificate kindly provided by Let's Encrypt + ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem; + ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem; + + return 301 $scheme://{{ domain_new }}$request_uri; +} +{% endif %} diff --git a/roles/web/templates/sites/liwt.git.conf.j2 b/roles/web/templates/sites/liwt.git.conf.j2 new file mode 100644 index 0000000..363d493 --- /dev/null +++ b/roles/web/templates/sites/liwt.git.conf.j2 @@ -0,0 +1,47 @@ +{% set domain = "liwt.net" %} +# +# nginx/sites: liwt.git.conf +# Website: git.{{ domain }} +# Share/publish projects (git repositories) using `cgit`. +# +# Refernce: +# [1] ArchWiki - cgit +# https://wiki.archlinux.org/index.php/Cgit +# +# +# Aaron LI +# 2017-06-18 +# + +{% if domains_hascert[domain] %} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name git.{{ domain }}; + + # SSL/TLS Certificate kindly provided by Let's Encrypt + ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem; + ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem; + + # Projects (git repositories) location + root /usr/local/www/cgit; + try_files $uri @cgit; + + location @cgit { + # Require `www/uwsgi` package and configurations in `/etc/rc.conf`. + include uwsgi_params; + # modifier1: 9 - size of CGI block vars (HTTP request body excluded) + uwsgi_modifier1 9; + uwsgi_pass unix:/var/run/uwsgi-cgit.sock; + } + + location /static/ { + root /home/www/git/; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/local/www/nginx-dist; + } +} +{% endif %} diff --git a/roles/web/templates/sites/liwt.radicale.conf.j2 b/roles/web/templates/sites/liwt.radicale.conf.j2 new file mode 100644 index 0000000..416a872 --- /dev/null +++ b/roles/web/templates/sites/liwt.radicale.conf.j2 @@ -0,0 +1,51 @@ +{% set domain = "liwt.net" %} +# +# nginx/sites: aaronly.radicale.conf +# CalDAV/CardDAV server: caldav.{{ domain }}, carddav.{{ domain }} +# +# Aaron LI +# 2017-04-27 +# + +{% if domains_hascert[domain] %} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name caldav.{{ domain }} carddav.{{ domain }}; + + # SSL/TLS Certificate kindly provided by Let's Encrypt + ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem; + ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem; + + # Reverse proxy to Radicale + location / { + # Auth through HTTP + auth_basic "Radicale ..."; + auth_basic_user_file /usr/local/etc/nginx/auth/radicale.passwd; + + # XXX: Hack to support "username@domain"-style logins + if ($remote_user ~ ^(?<user_>[^@/]+)(@[^/]+)?$) { + set $username $user_; + } + + # When a reverse proxy is used, the path at which Radicale is + # available must be provided via the "X-Script-Name" header. + # The proxy must remove the location from the URL path that is + # forwarded to Radicale. + # http://radicale.org/proxy/ + # + #proxy_pass http://127.0.0.1:5232/; # Note the trailing "/" + #proxy_set_header Host $host; + #proxy_set_header X-Real-IP $remote_addr; + #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + #proxy_set_header X-Forwarded-Proto $scheme; + #proxy_set_header X-Remote-User $username; + + # WSGI interface: http://radicale.org/wsgi/ + include uwsgi_params; + # Require to set 'auth/type' to 'remote_user' in config file + uwsgi_param REMOTE_USER $username; + uwsgi_pass unix:/var/run/uwsgi-radicale.sock; + } +} +{% endif %} diff --git a/roles/web/templates/sites/liwt.www.conf.j2 b/roles/web/templates/sites/liwt.www.conf.j2 new file mode 100644 index 0000000..f13c475 --- /dev/null +++ b/roles/web/templates/sites/liwt.www.conf.j2 @@ -0,0 +1,109 @@ +{% set domain = "liwt.net" %} +# +# nginx/sites: liwt.www.conf +# Main website: {{ domain }} +# +# Refernce +# -------- +# * Nginx - Converting rewrite rules +# https://nginx.org/en/docs/http/converting_rewrite_rules.html +# * StackOverflow - Nginx no-www to www and www to no-www +# http://stackoverflow.com/a/7958540 +# * StackOverflow - Remove 'www' and redirect to 'https' with nginx +# http://stackoverflow.com/a/258424 +# * Nginx Caching | Servers for Hackers +# https://serversforhackers.com/nginx-caching/ +# +# +# Aaron LI +# + +{% if domains_hascert[domain] %} +# Separate server block to redirect www to no-www +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name www.{{ domain }}; + + # SSL/TLS Certificate kindly provided by Let's Encrypt + ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem; + ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem; + + return 301 $scheme://{{ domain }}$request_uri; +} + +server { + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2; + server_name {{ domain }}; + + # SSL/TLS Certificate kindly provided by Let's Encrypt + ssl_certificate /usr/local/etc/ssl/acme/{{ domain }}/fullchain.pem; + ssl_certificate_key /usr/local/etc/ssl/acme/private/{{ domain }}.pem; + + # Website location + root /home/www/www; + index index.html; + + location / { + try_files $uri $uri/ $uri/index.html $uri.html =404; + } + + location = /ip { + default_type text/plain; + return 200 "$remote_addr\n"; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + error_page 403 /403.html; + error_page 404 /404.html; + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/local/www/nginx-dist; + } + + ## Expire rules for static content [3] + # Feed + location ~* \.(?:rss|atom)$ { + expires 1h; + add_header Cache-Control "public"; + } + # Media: images, icons, video, audio + location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp3|mp4|ogg|ogv|webm)$ { + expires 30d; + access_log off; + add_header Cache-Control "public"; + } + # CSS and Javascript + location ~* \.(?:css|js)$ { + expires 30d; + access_log off; + add_header Cache-Control "public"; + } + + ## Block rules + # .git + location ~ /\.git { + deny all; + log_not_found off; + access_log off; + } + # All hidden directories and files (begin with .) + location ~ /\. { + deny all; + log_not_found off; + access_log off; + } + # Temporary files (end with ~) + location ~ ~$ { + deny all; + log_not_found off; + access_log off; + } +} +{% endif %} |