blob: 4e9fa7dcf3e4024e00f2aaa7f1c09997f1218523 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
|
# <%= domain %> proxy config
# Set the max size for file uploads
client_max_body_size 100M;
# SNI Configuration
server {
listen 443 default;
server_name _;
ssl on;
ssl_certificate /etc/ssl/certs/blank.crt;
ssl_certificate_key /etc/ssl/private/blank.pem;
return 403;
}
server {
# see config tips at
# http://blog.taragana.com/index.php/archive/nginx-hacking-tips/
# Don't log anything
access_log /dev/null;
error_log /dev/null;
# simple reverse-proxy
listen 80;
server_name *.<%= domain %> <%= domain %>
# enable HSTS header
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
# https redirection by default
rewrite ^(.*) https://$host$1 redirect;
# rewrite rules for backups.<%= domain %>
#if ($host ~* ^backups\.<%= domain %>$) {
# rewrite ^(.*) https://$host$1 redirect;
# break;
#}
# rewrite rules for admin.<%= domain %>
#if ($host ~* ^admin\.<%= domain %>$) {
# rewrite ^(.*) https://$host$1 redirect;
# break;
#}
# rewrite rules for munin.<%= domain %>
#if ($host ~* ^munin\.<%= domain %>$) {
# rewrite ^(.*) https://$host$1 redirect;
# break;
#}
# rewrite rules for trac.<%= domain %>
#if ($host ~* ^trac\.<%= domain %>$) {
# rewrite ^(.*) https://$host$1 redirect;
# break;
#}
# rewrite rules for nagios.<%= domain %>
#if ($host ~* ^nagios\.<%= domain %>$) {
# rewrite ^(.*) https://$host$1 redirect;
# break;
#}
# rewrite rules for htpasswd.<%= domain %>
#if ($host ~* ^htpasswd\.<%= domain %>$) {
# rewrite ^(.*) https://$host$1 redirect;
# break;
#}
# rewrite rules for postfixadmin.<%= domain %>
#if ($host ~* ^postfixadmin\.<%= domain %>$) {
# rewrite ^(.*) https://$host$1 redirect;
# break;
#}
# rewrite rules for mail.<%= domain %>
#if ($host ~* ^mail\.<%= domain %>$) {
# rewrite ^(.*) https://$host$1 redirect;
# break;
#}
# rewrite rules for lists.<%= domain %>
#if ($host ~* ^lists\.<%= domain %>$) {
# rewrite ^(.*) https://$host$1 redirect;
# break;
#}
# pass requests for dynamic content
location / {
proxy_set_header Host $http_host;
proxy_pass http://weblocal:80;
}
}
server {
# https reverse proxy
listen 443;
server_name *.<%= domain %> <%= domain %>;
# Don't log anything
access_log /dev/null;
error_log /dev/null;
ssl on;
ssl_certificate /etc/ssl/certs/cert.crt;
ssl_certificate_key /etc/ssl/private/cert.pem;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH;
ssl_prefer_server_ciphers on;
# Set the max size for file uploads
client_max_body_size 100M;
location / {
# preserve http header and set forwarded proto
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 120;
proxy_connect_timeout 120;
# rewrite rules for admin.<%= domain %>
if ($host ~* ^admin\.<%= domain %>$) {
proxy_pass http://admin:80;
break;
}
# rewrite rules for munin.<%= domain %>
if ($host ~* ^munin\.<%= domain %>$) {
proxy_pass http://admin:80;
break;
}
# rewrite rules for trac.<%= domain %>
if ($host ~* ^trac\.<%= domain %>$) {
proxy_pass http://admin:80;
break;
}
# rewrite rules for nagios.<%= domain %>
if ($host ~* ^nagios\.<%= domain %>$) {
proxy_pass http://admin:80;
break;
}
# rewrite rules for postfixadmin.<%= domain %>
if ($host ~* ^postfixadmin\.<%= domain %>$) {
proxy_pass http://mail:80;
break;
}
# rewrite rules for mail.<%= domain %>
if ($host ~* ^mail\.<%= domain %>$) {
proxy_pass http://mail:80;
break;
}
# rewrite rules for lists.<%= domain %>
if ($host ~* ^lists\.<%= domain %>$) {
proxy_pass http://mail:80;
break;
}
# default proxy pass
proxy_pass http://weblocal:80;
}
}
|