worker_processes auto; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; keepalive_timeout 65; set_real_ip_from 10.0.0.0/8; set_real_ip_from 172.16.0.0/12; set_real_ip_from 192.168.0.0/16; real_ip_header X-Real-IP; # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the # scheme used to connect to this server map $http_x_forwarded_proto $proxy_x_forwarded_proto { default $http_x_forwarded_proto; '' $scheme; } # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the # server port the client connected to map $http_x_forwarded_port $proxy_x_forwarded_port { default $http_x_forwarded_port; '' $server_port; } # If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any # Connection header that may have been passed to this server map $http_upgrade $proxy_connection { default upgrade; '' close; } # Set appropriate X-Forwarded-Ssl header map $scheme $proxy_x_forwarded_ssl { default off; https on; } # HTTP 1.1 support proxy_http_version 1.1; proxy_buffering off; proxy_set_header Host $http_host; proxy_set_header Upgrade $http_upgrade; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl; proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port; # Mitigate httpoxy attack (see README for details) proxy_set_header Proxy ""; upstream nextcloud-handler { server nextcloud:9000; } server { listen 443 ssl http2; ssl_certificate /etc/nginx/certs/${DOMAIN}.crt; ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key; server_name tower.${DOMAIN}; ## HSTS ## # Add the 'Strict-Transport-Security' headers to enable HSTS protocol. # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/. # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting # removed from this list could take several months. # #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; add_header Referrer-Policy "no-referrer" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "none" always; add_header X-XSS-Protection "1; mode=block" always; # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; root /var/www/html/nextcloud; location = /robots.txt { allow all; log_not_found off; access_log off; } location = /.well-known/carddav { return 301 $scheme://$host:$server_port/remote.php/dav; } location = /.well-known/caldav { return 301 $scheme://$host:$server_port/remote.php/dav; } # set max upload size client_max_body_size 10G; fastcgi_buffers 64 4K; # Enable gzip but do not remove ETag headers gzip on; gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # Uncomment if your server is build with the ngx_pagespeed module # This module is currently not supported. #pagespeed off; location / { rewrite ^ /index.php; } location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { deny all; } location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; } location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) { fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; set $path_info $fastcgi_path_info; try_files $fastcgi_script_name =404; include fastcgi_params; # Cannot use $document_root as the path to monica on the docker container # is different to the path to the public files in this nginx container. fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; fastcgi_param PATH_INFO $path_info; # fastcgi_param HTTPS on; # Avoid sending the security headers twice fastcgi_param modHeadersAvailable true; # Enable pretty urls fastcgi_param front_controller_active true; fastcgi_pass nextcloud-handler; fastcgi_intercept_errors on; fastcgi_request_buffering off; } location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { try_files $uri/ =404; index index.php; } # Adding the cache control header for js, css and map files # Make sure it is BELOW the PHP block location ~ \.(?:css|js|woff2?|svg|gif|map)$ { try_files $uri /index.php$request_uri; add_header Cache-Control "public, max-age=15778463"; # Add headers to serve security related headers (It is intended to # have those duplicated to the ones above) # Before enabling Strict-Transport-Security headers please read into # this topic first. #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; # # WARNING: Only add the preload option once you read about # the consequences in https://hstspreload.org/. This option # will add the domain to a hardcoded list that is shipped # in all major browsers and getting removed from this list # could take several months. add_header Referrer-Policy "no-referrer" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "none" always; add_header X-XSS-Protection "1; mode=block" always; # Optional: Don't log access to assets access_log off; } location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ { try_files $uri /index.php$request_uri; # Optional: Don't log access to other assets access_log off; } } upstream collabora-handler { server collabora:9980; } server { listen 443 ssl; server_name office.${DOMAIN}; ssl_certificate /etc/nginx/certs/${DOMAIN}.crt; ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key; # static files location ^~ /browser { proxy_pass http://collabora-handler; proxy_set_header Host $http_host; } # WOPI discovery URL location ^~ /hosting/discovery { proxy_pass http://collabora-handler; proxy_set_header Host $http_host; } # Capabilities location ^~ /hosting/capabilities { proxy_pass http://collabora-handler; proxy_set_header Host $http_host; } # main websocket location ~ ^/cool/(.*)/ws$ { proxy_pass http://collabora-handler; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $http_host; proxy_read_timeout 36000s; } # download, presentation and image upload location ~ ^/(c|l)ool { proxy_pass http://collabora-handler; proxy_set_header Host $http_host; } # Admin Console websocket location ^~ /cool/adminws { proxy_pass http://collabora-handler; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $http_host; proxy_read_timeout 36000s; } location / { proxy_pass http://collabora-handler; } } upstream gitea-handler { server gitea:3000; } server { listen 443 ssl http2; ssl_certificate /etc/nginx/certs/${DOMAIN}.crt; ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key; gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; server_name labs.${DOMAIN}; location / { proxy_pass http://gitea-handler; } } upstream tt-rss-handler { server tt-rss:9000; } server { listen 443 ssl http2; ssl_certificate /etc/nginx/certs/${DOMAIN}.crt; ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key; root /var/www/html/tt-rss; server_name intel.${DOMAIN}; location /cache { aio threads; internal; } location /backups { internal; } location ~ \.php$ { # regex to split $uri to $fastcgi_script_name and $fastcgi_path fastcgi_split_path_info ^(.+?\.php)(/.*)$; # Check that the PHP script exists before passing it try_files $fastcgi_script_name =404; # Bypass the fact that try_files resets $fastcgi_path_info # see: http://trac.nginx.org/nginx/ticket/321 set $path_info $fastcgi_path_info; fastcgi_param PATH_INFO $path_info; fastcgi_index index.php; include fastcgi.conf; fastcgi_pass tt-rss-handler; } location / { try_files $uri $uri/ =404; } } upstream foundry-handler { server foundry:30000; } server { listen 443 ssl http2; ssl_certificate /etc/nginx/certs/${DOMAIN}.crt; ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key; server_name rec.${DOMAIN}; client_max_body_size 300M; location /foundry { # Set proxy headers proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # These are important to support WebSockets; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_pass http://foundry-handler; } } upstream pihole-handler { server pihole; } server { listen 443 ssl http2; ssl_certificate /etc/nginx/certs/${DOMAIN}.crt; ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key; server_name net.${DOMAIN}; client_max_body_size 300M; location / { # Set proxy headers proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # These are important to support WebSockets; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_pass http://pihole-handler; } } upstream jitsi-handler { server jitsi:80; } server { listen 443 ssl http2; ssl_certificate /etc/nginx/certs/${DOMAIN}.crt; ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key; gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; server_name comms.${DOMAIN}; location / { proxy_pass http://jitsi-handler; } } server { listen 443 ssl http2; ssl_certificate /etc/nginx/certs/${DOMAIN}.crt; ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key; server_name christmas.${DOMAIN}; gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; root "/var/www/html/christmas"; location / { try_files $uri.html $uri /default.html; } } server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 301 https://$host$request_uri; } }