├── -template └── appname.md ├── .github └── FUNDING.yml ├── LICENSE ├── README.md ├── apps ├── guacamole │ └── guacamole.md ├── nzbget │ └── nzbget.md ├── nzbhydra │ └── nzbhydra.md ├── ombi │ └── ombi.md ├── organizr │ ├── auth │ │ ├── auth_request.md │ │ ├── dir_auth.conf │ │ └── sub_auth.conf │ └── organizr.md ├── plex │ └── plex.md ├── portainer │ └── portainer.md ├── radarr │ └── radarr.md ├── sonarr │ └── sonarr.md ├── tautulli │ └── tautulli.md └── unifi_controller │ └── unifi_controller.md ├── contributing.md └── instructions.md /-template/appname.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # [App Name](https://github.com/1activegeek/nginx-config-collection/blob/master/-template/appname.md) 4 | 5 | ## Application notes 6 | 7 | [Official Proxy Documentation](https://github.com/1activegeek/nginx-config-collection/blob/master/-template/appname.md) 8 | 9 | 10 | There are 2 different versions of the app. Please be aware that there are some differences between the versions. 11 | 12 | 13 | Block Details | Supported | Notes 14 | ------ | ------ | ------ 15 | authentication | Yes/No/Untested | 16 | sub-directory | Yes/No/Untested | Be sure to set baseurl in app 17 | sub-domain | Yes/No/Untested | 18 | base URL | Yes/No/Untested | 19 | iFrame | Yes/No/Untested | 20 | 21 | 22 | ## Location Directive 23 | ```nginx 24 | location // { 25 | proxy_pass http://:/; 26 | 27 | # Basic Proxy Config 28 | proxy_set_header X-Real-IP $remote_addr; 29 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 30 | proxy_set_header X-Forwarded-Proto $scheme; 31 | proxy_http_version 1.1; 32 | proxy_no_cache $cookie_session; 33 | } 34 | ``` 35 | 36 | ## Sub-Directory Configuration 37 | 38 |
39 | 40 | Expand for Code 41 | 42 | ### appname.conf 43 | ```nginx 44 | ## Main server block to redirect traffic from HTTP to HTTPS 45 | server { 46 | listen 80; 47 | server_name ; 48 | return 301 https://$host$request_uri; 49 | } 50 | 51 | ## Main server block for HTTPS 52 | server { 53 | listen 443 ssl; 54 | 55 | root /config/www; 56 | index index.html index.htm index.php; 57 | 58 | server_name ; 59 | 60 | ssl_certificate /config/keys/letsencrypt/fullchain.pem; 61 | ssl_certificate_key /config/keys/letsencrypt/privkey.pem; 62 | 63 | ## Strong Security recommended settings per cipherli.st 64 | ssl_protocols TLSv1.2; 65 | ssl_prefer_server_ciphers on; 66 | ssl_dhparam /config/nginx/dhparams.pem; 67 | ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; 68 | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 69 | ssl_session_timeout 10m; 70 | ssl_session_cache shared:SSL:10m; 71 | ssl_session_tickets off; # Requires nginx >= 1.5.9 72 | ssl_stapling on; # Requires nginx >= 1.3.7 73 | ssl_stapling_verify on; # Requires nginx => 1.3.7 74 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 75 | add_header X-Frame-Options SAMEORIGIN; 76 | add_header X-Content-Type-Options nosniff; 77 | add_header X-XSS-Protection "1; mode=block"; 78 | add_header X-Robots-Tag none; 79 | 80 | client_max_body_size 0; 81 | 82 | location // { 83 | proxy_pass http://:/; 84 | include /config/nginx/proxy.conf; 85 | } 86 | ``` 87 | ### Proxy.conf 88 | ```nginx 89 | client_max_body_size 10m; 90 | client_body_buffer_size 128k; 91 | 92 | #Timeout if the real server is dead 93 | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; 94 | 95 | # Advanced Proxy Config 96 | send_timeout 5m; 97 | proxy_read_timeout 240; 98 | proxy_send_timeout 240; 99 | proxy_connect_timeout 240; 100 | 101 | # Basic Proxy Config 102 | proxy_set_header X-Real-IP 
$remote_addr; 103 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 104 | proxy_set_header X-Forwarded-Proto $scheme; 105 | proxy_redirect http:// $scheme://; 106 | proxy_http_version 1.1; 107 | proxy_no_cache $cookie_session; 108 | proxy_buffers 32 4k; 109 | ``` 110 | 111 |
112 | 113 | 114 | ## Sub-Domain Configuration 115 | 116 |
117 | 118 | Expand for Code 119 | 120 | ### appname.conf 121 | ```nginx 122 | ## Main server block to redirect traffic from HTTP to HTTPS 123 | server { 124 | listen 80; 125 | server_name ; 126 | return 301 https://$host$request_uri; 127 | } 128 | 129 | ## Main server block for HTTPS 130 | server { 131 | listen 443 ssl; 132 | 133 | root /config/www; 134 | index index.html index.htm index.php; 135 | 136 | server_name ; 137 | 138 | ssl_certificate /config/keys/letsencrypt/fullchain.pem; 139 | ssl_certificate_key /config/keys/letsencrypt/privkey.pem; 140 | 141 | ## Strong Security recommended settings per cipherli.st 142 | ssl_protocols TLSv1.2; 143 | ssl_prefer_server_ciphers on; 144 | ssl_dhparam /config/nginx/dhparams.pem; 145 | ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; 146 | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 147 | ssl_session_timeout 10m; 148 | ssl_session_cache shared:SSL:10m; 149 | ssl_session_tickets off; # Requires nginx >= 1.5.9 150 | ssl_stapling on; # Requires nginx >= 1.3.7 151 | ssl_stapling_verify on; # Requires nginx => 1.3.7 152 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 153 | add_header X-Frame-Options SAMEORIGIN; 154 | add_header X-Content-Type-Options nosniff; 155 | add_header X-XSS-Protection "1; mode=block"; 156 | add_header X-Robots-Tag none; 157 | 158 | client_max_body_size 0; 159 | 160 | location / { 161 | proxy_pass http://:/; 162 | include /config/nginx/proxy.conf; 163 | } 164 | ``` 165 | ### proxy.conf 166 | ```nginx 167 | client_max_body_size 10m; 168 | client_body_buffer_size 128k; 169 | 170 | #Timeout if the real server is dead 171 | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; 172 | 173 | # Advanced Proxy Config 174 | send_timeout 5m; 175 | proxy_read_timeout 240; 176 | proxy_send_timeout 240; 177 | proxy_connect_timeout 240; 178 | 179 | # 
Basic Proxy Config 180 | proxy_set_header X-Real-IP $remote_addr; 181 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 182 | proxy_set_header X-Forwarded-Proto $scheme; 183 | proxy_redirect http:// $scheme://; 184 | proxy_http_version 1.1; 185 | proxy_no_cache $cookie_session; 186 | proxy_buffers 32 4k; 187 | ``` 188 | 189 |
190 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] 4 | patreon: # Replace with a single Patreon username 5 | open_collective: # Replace with a single Open Collective username 6 | ko_fi: shawnmix # Replace with a single Ko-fi username 7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel 8 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry 9 | liberapay: # Replace with a single Liberapay username 10 | issuehunt: # Replace with a single IssueHunt username 11 | otechie: # Replace with a single Otechie username 12 | custom: # Replace with a single custom sponsorship URL 13 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | This is free and unencumbered software released into the public domain. 2 | 3 | Anyone is free to copy, modify, publish, use, compile, sell, or 4 | distribute this software, either in source code form or as a compiled 5 | binary, for any purpose, commercial or non-commercial, and by any 6 | means. 7 | 8 | In jurisdictions that recognize copyright laws, the author or authors 9 | of this software dedicate any and all copyright interest in the 10 | software to the public domain. We make this dedication for the benefit 11 | of the public at large and to the detriment of our heirs and 12 | successors. We intend this dedication to be an overt act of 13 | relinquishment in perpetuity of all present and future rights to this 14 | software under copyright law. 
15 | 16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 17 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 18 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 19 | IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR 20 | OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, 21 | ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR 22 | OTHER DEALINGS IN THE SOFTWARE. 23 | 24 | For more information, please refer to 25 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # NGINX Server Block Configuration Collection 2 | 3 | ## [\*\*Instructions\*\*](instructions.md) | [Contribute](/contributing.md) | [Template](/-template/appname.md) 4 | 5 | ======== **PLEASE READ THE INSTRUCTIONS CAREFULLY** ======== 6 | 7 | The goal of this repo is to be a central location for a listing of known-good working NGINX server block configurations. There is a planned format for these configurations so that it can ease the use of ensuring ALL relevant details are noted. This will include mandatory README files for EACH contribution, outlining all relevant details. The format and relevant details are in the contributing section. 8 | 9 | This repository will hopefully grow and flourish from the addition of content from others. Please share this, star it, and contribute! The more folks we have contributing to this, the better off this can become. 
10 | 11 | # Configuration blocks 12 | *Categories will come later* 13 | 14 | - [Guacamole (Apache Guacamole)](/apps/guacamole/guacamole.md) 15 | - [NZBGet](/apps/nzbget/nzbget.md) 16 | - [NZBHydra](/apps/nzbhydra/nzbhydra.md) 17 | - [Ombi](/apps/ombi/ombi.md) 18 | - [Organizr](/apps/organizr/organizr.md) 19 | - [Plex](/apps/plex/plex.md) 20 | - [Portainer](/apps/portainer/portainer.md) 21 | - [Radarr](/apps/radarr/radarr.md) 22 | - [Sonarr](/apps/sonarr/sonarr.md) 23 | - [Tautulli (Formerly PlexPy)](/apps/tautulli/tautulli.md) 24 | - [Unifi Controller](/apps/unifi_controller/unifi_controller.md) 25 | -------------------------------------------------------------------------------- /apps/guacamole/guacamole.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # [Guacamole](https://guacamole.apache.org) 4 | 5 | ## Application notes 6 | 7 | [Official Proxy Documentation](https://guacamole.apache.org/doc/gug/proxying-guacamole.html#nginx) 8 | 9 | 10 | 11 | 12 | Block Details | Supported | Notes 13 | ------ | ------ | ------ 14 | authentication | Yes | It uses it's own authentication, it's suggested to use local (IP) based auth to restrict external access 15 | sub-directory | Yes | 16 | sub-domain | Untested | 17 | base URL | Yes | It has a built in base of guacamole, if using an alternative, you must modify additional parameters in the block. This is referenced in the official documentation. 
18 | iFrame | Yes | 19 | 20 | *NOTE: the port quoted as the default differs between the Location Directive below (8080) and the Sub-Directory block (6789); confirm the port your Guacamole instance actually listens on and use the same value in every block.* 21 | ## Location Directive 22 | ```nginx 23 | location /guacamole/ { 24 | proxy_pass http://:8080/guacamole; ## Default is 8080, adjust if necessary 25 | proxy_buffering off; 26 | proxy_set_header Upgrade $http_upgrade; 27 | proxy_set_header Connection $http_connection; 28 | 29 | # Basic Proxy Config 30 | proxy_set_header X-Real-IP $remote_addr; 31 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 32 | proxy_set_header X-Forwarded-Proto $scheme; 33 | proxy_http_version 1.1; 34 | proxy_no_cache $cookie_session; 35 | } 36 | ``` 37 | 38 | ## Sub-Directory Configuration 39 | 40 |
41 | 42 | Expand for Code 43 | 44 | ### guacamole.conf 45 | ```nginx 46 | ## Main server block to redirect traffic from HTTP to HTTPS 47 | server { 48 | listen 80; 49 | server_name ; 50 | return 301 https://$host$request_uri; 51 | } 52 | 53 | ## Main server block for HTTPS 54 | server { 55 | listen 443 ssl; 56 | server_name ; 57 | 58 | root /config/www; 59 | index index.html index.htm index.php; 60 | include /config/nginx/ssl.conf ## Using a single include for all SSL related items 61 | 62 | location /guacamole/ { 63 | proxy_pass http://:6789/guacamole/; ## Default is 6789, adjust if necessary 64 | proxy_buffering off; 65 | proxy_set_header Upgrade $http_upgrade; 66 | proxy_set_header Connection $http_connection; 67 | include /config/nginx/proxy.conf; ## Using a single include file for commonly used settings 68 | } 69 | ``` 70 | ### proxy.conf 71 | ```nginx 72 | client_max_body_size 10m; 73 | client_body_buffer_size 128k; 74 | 75 | #Timeout if the real server is dead 76 | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; 77 | 78 | # Advanced Proxy Config 79 | send_timeout 5m; 80 | proxy_read_timeout 240; 81 | proxy_send_timeout 240; 82 | proxy_connect_timeout 240; 83 | 84 | # Basic Proxy Config 85 | proxy_set_header Host $host:$server_port; 86 | proxy_set_header X-Real-IP $remote_addr; 87 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 88 | proxy_set_header X-Forwarded-Proto $scheme; 89 | proxy_redirect http:// $scheme://; 90 | proxy_http_version 1.1; 91 | proxy_set_header Connection ""; 92 | proxy_cache_bypass $cookie_session; 93 | proxy_no_cache $cookie_session; 94 | proxy_buffers 32 4k; 95 | ``` 96 | ### ssl.conf 97 | ```nginx 98 | ## Certificates from LE container placement 99 | ssl_certificate /config/keys/letsencrypt/fullchain.pem; 100 | ssl_certificate_key /config/keys/letsencrypt/privkey.pem; 101 | 102 | ## Strong Security recommended settings per cipherli.st 103 | ssl_dhparam /config/nginx/dhparams.pem; 104 | 
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; 105 | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 106 | ssl_session_timeout 10m; 107 | 108 | ## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com) 109 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 110 | add_header X-Content-Type-Options nosniff; 111 | add_header X-XSS-Protection "1; mode=block"; 112 | add_header X-Robots-Tag none; 113 | add_header Content-Security-Policy "frame-ancestors https://*. https://"; ## Use *.domain.com, not *.sub.domain.com 114 | add_header X-Frame-Options "ALLOW-FROM https://*." always; ## Use *.domain.com, not *.sub.domain.com 115 | add_header Referrer-Policy "strict-origin"; 116 | proxy_cookie_path / "/; HTTPOnly; Secure"; 117 | more_set_headers "Server: Classified"; 118 | more_clear_headers 'X-Powered-By'; 119 | ``` 120 | 121 |
122 | 123 | 124 | ## Sub-Domain Configuration 125 | 126 |
127 | 128 | Expand for Code 129 | 130 | ```nginx 131 | N/A 132 | ``` 133 | 134 |
135 | -------------------------------------------------------------------------------- /apps/nzbget/nzbget.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # [NZBGet](https://nzbget.net) 4 | 5 | ## Application notes 6 | 7 | [Official Proxy Documentation](https://nzbget.net/behind-other-web-server#nginx) 8 | 9 | 10 | 11 | 12 | Block Details | Supported | Notes 13 | ------ | ------ | ------ 14 | authentication | Yes | Supports auth, but if you use it, it may be best to turn off NZBGet's built-in auth (or vice versa) so that only one layer prompts for credentials 15 | sub-directory | Yes | Be sure to set the baseurl 16 | sub-domain | Untested | 17 | base URL | Yes | 18 | iFrame | Yes | 19 | 20 | 21 | ## Location Directive 22 | ```nginx 23 | location // { 24 | proxy_pass http://:6789/; ## Default is 6789, adjust if necessary 25 | 26 | # Basic Proxy Config 27 | proxy_set_header X-Real-IP $remote_addr; 28 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 29 | proxy_set_header X-Forwarded-Proto $scheme; 30 | proxy_http_version 1.1; 31 | proxy_no_cache $cookie_session; 32 | } 33 | ``` 34 | 35 | ## Sub-Directory Configuration 36 | 37 |
38 | 39 | Expand for Code 40 | 41 | ### nzbget.conf 42 | ```nginx 43 | ## Main server block to redirect traffic from HTTP to HTTPS 44 | server { 45 | listen 80; 46 | server_name ; 47 | return 301 https://$host$request_uri; 48 | } 49 | 50 | ## Main server block for HTTPS 51 | server { 52 | listen 443 ssl; 53 | server_name ; 54 | 55 | root /config/www; 56 | index index.html index.htm index.php; 57 | include /config/nginx/ssl.conf ## Using a single include for all SSL related items 58 | 59 | location // { 60 | proxy_pass http://:6789/; ## Default is 6789, adjust if necessary 61 | include /config/nginx/proxy.conf; ## Using a single include file for commonly used settings 62 | } 63 | ``` 64 | ### proxy.conf 65 | ```nginx 66 | client_max_body_size 10m; 67 | client_body_buffer_size 128k; 68 | 69 | #Timeout if the real server is dead 70 | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; 71 | 72 | # Advanced Proxy Config 73 | send_timeout 5m; 74 | proxy_read_timeout 240; 75 | proxy_send_timeout 240; 76 | proxy_connect_timeout 240; 77 | 78 | # Basic Proxy Config 79 | proxy_set_header Host $host:$server_port; 80 | proxy_set_header X-Real-IP $remote_addr; 81 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 82 | proxy_set_header X-Forwarded-Proto $scheme; 83 | proxy_redirect http:// $scheme://; 84 | proxy_http_version 1.1; 85 | proxy_set_header Connection ""; 86 | proxy_cache_bypass $cookie_session; 87 | proxy_no_cache $cookie_session; 88 | proxy_buffers 32 4k; 89 | ``` 90 | ### ssl.conf 91 | ```nginx 92 | ## Certificates from LE container placement 93 | ssl_certificate /config/keys/letsencrypt/fullchain.pem; 94 | ssl_certificate_key /config/keys/letsencrypt/privkey.pem; 95 | 96 | ## Strong Security recommended settings per cipherli.st 97 | ssl_dhparam /config/nginx/dhparams.pem; 98 | ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; 99 | 
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 100 | ssl_session_timeout 10m; 101 | 102 | ## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com) 103 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 104 | add_header X-Content-Type-Options nosniff; 105 | add_header X-XSS-Protection "1; mode=block"; 106 | add_header X-Robots-Tag none; 107 | add_header Content-Security-Policy "frame-ancestors https://*. https://"; ## Use *.domain.com, not *.sub.domain.com 108 | add_header X-Frame-Options "ALLOW-FROM https://*." always; ## Use *.domain.com, not *.sub.domain.com 109 | add_header Referrer-Policy "strict-origin"; 110 | proxy_cookie_path / "/; HTTPOnly; Secure"; 111 | more_set_headers "Server: Classified"; 112 | more_clear_headers 'X-Powered-By'; 113 | ``` 114 | 115 |
116 | 117 | 118 | ## Sub-Domain Configuration 119 | 120 |
121 | 122 | Expand for Code 123 | 124 | ```nginx 125 | N/A 126 | ``` 127 | 128 |
129 | -------------------------------------------------------------------------------- /apps/nzbhydra/nzbhydra.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # [NZBHydra](https://github.com/theotherp/nzbhydra) 4 | 5 | ## Application notes 6 | 7 | [Official Proxy Documentation](https://github.com/theotherp/nzbhydra/wiki/Reverse-proxies-and-URLs#nginx) 8 | 9 | 10 | Be sure to set the Base URL inside the app. Additionally, make sure that you use a trailing slash when calling the NZBHydra URL. Lastly, set the "External URL" in the app to match the full FQDN/BaseURL if you want external functionality to work. 11 | 12 | 13 | Block Details | Supported | Notes 14 | ------ | ------ | ------ 15 | authentication | Yes | 16 | sub-directory | Yes | Be sure to set the baseurl 17 | sub-domain | Untested | 18 | base URL | Yes | 19 | iFrame | Yes | 20 | 21 | 22 | ## Location Directive 23 | ```nginx 24 | location // { 25 | proxy_pass http://:5075/; ## Default is 5075, adjust if necessary 26 | 27 | # Basic Proxy Config 28 | proxy_set_header X-Real-IP $remote_addr; 29 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 30 | proxy_set_header X-Forwarded-Proto $scheme; 31 | proxy_http_version 1.1; 32 | proxy_no_cache $cookie_session; 33 | } 34 | ``` 35 | 36 | ## Sub-Directory Configuration 37 | 38 |
39 | 40 | Expand for Code 41 | 42 | ### nzbhydra.conf 43 | ```nginx 44 | ## Main server block to redirect traffic from HTTP to HTTPS 45 | server { 46 | listen 80; 47 | server_name ; 48 | return 301 https://$host$request_uri; 49 | } 50 | 51 | ## Main server block for HTTPS 52 | server { 53 | listen 443 ssl; 54 | server_name ; 55 | 56 | root /config/www; 57 | index index.html index.htm index.php; 58 | include /config/nginx/ssl.conf ## Using a single include for all SSL related items 59 | 60 | location // { 61 | proxy_pass http://:5075/; ## Default is 5075, adjust if necessary 62 | include /config/nginx/proxy.conf; ## Using a single include file for commonly used settings 63 | } 64 | ``` 65 | ### proxy.conf 66 | ```nginx 67 | client_max_body_size 10m; 68 | client_body_buffer_size 128k; 69 | 70 | #Timeout if the real server is dead 71 | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; 72 | 73 | # Advanced Proxy Config 74 | send_timeout 5m; 75 | proxy_read_timeout 240; 76 | proxy_send_timeout 240; 77 | proxy_connect_timeout 240; 78 | 79 | # Basic Proxy Config 80 | proxy_set_header Host $host:$server_port; 81 | proxy_set_header X-Real-IP $remote_addr; 82 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 83 | proxy_set_header X-Forwarded-Proto $scheme; 84 | proxy_redirect http:// $scheme://; 85 | proxy_http_version 1.1; 86 | proxy_set_header Connection ""; 87 | proxy_cache_bypass $cookie_session; 88 | proxy_no_cache $cookie_session; 89 | proxy_buffers 32 4k; 90 | ``` 91 | ### ssl.conf 92 | ```nginx 93 | ## Certificates from LE container placement 94 | ssl_certificate /config/keys/letsencrypt/fullchain.pem; 95 | ssl_certificate_key /config/keys/letsencrypt/privkey.pem; 96 | 97 | ## Strong Security recommended settings per cipherli.st 98 | ssl_dhparam /config/nginx/dhparams.pem; 99 | ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; 100 | 
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 101 | ssl_session_timeout 10m; 102 | 103 | ## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com) 104 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 105 | add_header X-Content-Type-Options nosniff; 106 | add_header X-XSS-Protection "1; mode=block"; 107 | add_header X-Robots-Tag none; 108 | add_header Content-Security-Policy "frame-ancestors https://*. https://"; ## Use *.domain.com, not *.sub.domain.com 109 | add_header X-Frame-Options "ALLOW-FROM https://*." always; ## Use *.domain.com, not *.sub.domain.com 110 | add_header Referrer-Policy "strict-origin"; 111 | proxy_cookie_path / "/; HTTPOnly; Secure"; 112 | more_set_headers "Server: Classified"; 113 | more_clear_headers 'X-Powered-By'; 114 | ``` 115 | 116 |
117 | 118 | 119 | ## Sub-Domain Configuration 120 | 121 |
122 | 123 | Expand for Code 124 | 125 | ```nginx 126 | N/A 127 | ``` 128 | 129 |
130 | -------------------------------------------------------------------------------- /apps/ombi/ombi.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # [Ombi](https://www.ombi.io) 4 | 5 | ## Application notes 6 | 7 | [Official Proxy Documentation](https://github.com/tidusjar/Ombi/wiki/Nginx-and-Apache-Reverse-Proxy-examples-(Linux)) 8 | 9 | 10 | There are 2 different versions of the app. Please be aware that there are some differences between the versions in the configs. Specifically "The url rewrite is required after version 3.0.2517." 11 | 12 | *NOTE: Some users have noticed issues with the rewrite being placed AFTER the location block and have been successful when placing it before the location block. If you experience issues with the rewrite below the location, try switching it.* 13 | 14 | 15 | Block Details | Supported | Notes 16 | ------ | ------ | ------ 17 | authentication | Yes | It is suggested to use the built-in Plex based authentication. 18 | sub-directory | Yes | Using V3, so it does include a rewrite as well. 19 | sub-domain | Yes | Rewrite may not be required. Need validation here. 
20 | base URL | Yes | Be sure to set the Base URL in Ombi 21 | iFrame | Yes | No need for extra headers or plugins to allow iFrame 22 | 23 | 24 | ## Location Directive 25 | ```nginx 26 | location // { 27 | proxy_pass http://:5000/; ## Default is 5000, adjust if necessary 28 | proxy_cache_bypass $http_upgrade; 29 | proxy_set_header Connection keep-alive; 30 | proxy_set_header Upgrade $http_upgrade; 31 | proxy_set_header X-Forwarded-Host $server_name; 32 | proxy_set_header X-Forwarded-Ssl on; 33 | 34 | # Basic Proxy Config 35 | proxy_set_header X-Real-IP $remote_addr; 36 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 37 | proxy_set_header X-Forwarded-Proto $scheme; 38 | proxy_http_version 1.1; 39 | proxy_no_cache $cookie_session; 40 | } 41 | 42 | ## Required for Ombi 3.0.2517+ 43 | if ($http_referer ~* //) { 44 | rewrite ^/dist/([0-9\d*]).js //dist/$1.js last; 45 | } 46 | ``` 47 | 48 | ## Sub-Directory Configuration 49 | 50 |
51 | 52 | Expand for Code 53 | 54 | ### ombi.conf 55 | ```nginx 56 | ## Main server block to redirect traffic from HTTP to HTTPS 57 | server { 58 | listen 80; 59 | server_name ; 60 | return 301 https://$host$request_uri; 61 | } 62 | 63 | ## Main server block for HTTPS 64 | server { 65 | listen 443 ssl; 66 | server_name ; 67 | 68 | root /config/www; 69 | index index.html index.htm index.php; 70 | include /config/nginx/ssl.conf ## Using a single include for all SSL related items 71 | 72 | location // { 73 | proxy_pass http://:5000/; ## Default is 5000, adjust if necessary 74 | include /config/nginx/proxy.conf; ## Using a single include file for commonly used settings 75 | proxy_cache_bypass $http_upgrade; 76 | proxy_set_header Connection keep-alive; 77 | proxy_set_header Upgrade $http_upgrade; 78 | proxy_set_header X-Forwarded-Host $server_name; 79 | proxy_set_header X-Forwarded-Ssl on; 80 | } 81 | ## Required for Ombi 3.0.2517+ 82 | if ($http_referer ~* //) { 83 | rewrite ^/dist/([0-9\d*]).js //dist/$1.js last; 84 | } 85 | ``` 86 | ### proxy.conf 87 | ```nginx 88 | client_max_body_size 10m; 89 | client_body_buffer_size 128k; 90 | 91 | #Timeout if the real server is dead 92 | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; 93 | 94 | # Advanced Proxy Config 95 | send_timeout 5m; 96 | proxy_read_timeout 240; 97 | proxy_send_timeout 240; 98 | proxy_connect_timeout 240; 99 | 100 | # Basic Proxy Config 101 | proxy_set_header Host $host:$server_port; 102 | proxy_set_header X-Real-IP $remote_addr; 103 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 104 | proxy_set_header X-Forwarded-Proto $scheme; 105 | proxy_redirect http:// $scheme://; 106 | proxy_http_version 1.1; 107 | proxy_set_header Connection ""; 108 | proxy_cache_bypass $cookie_session; 109 | proxy_no_cache $cookie_session; 110 | proxy_buffers 32 4k; 111 | ``` 112 | ### ssl.conf 113 | ```nginx 114 | ## Certificates from LE container placement 115 | ssl_certificate 
/config/keys/letsencrypt/fullchain.pem; 116 | ssl_certificate_key /config/keys/letsencrypt/privkey.pem; 117 | 118 | ## Strong Security recommended settings per cipherli.st 119 | ssl_dhparam /config/nginx/dhparams.pem; 120 | ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; 121 | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 122 | ssl_session_timeout 10m; 123 | 124 | ## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com) 125 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 126 | add_header X-Content-Type-Options nosniff; 127 | add_header X-XSS-Protection "1; mode=block"; 128 | add_header X-Robots-Tag none; 129 | add_header Content-Security-Policy "frame-ancestors https://*. https://"; ## Use *.domain.com, not *.sub.domain.com 130 | add_header X-Frame-Options "ALLOW-FROM https://*." always; ## Use *.domain.com, not *.sub.domain.com 131 | add_header Referrer-Policy "strict-origin"; 132 | proxy_cookie_path / "/; HTTPOnly; Secure"; 133 | more_set_headers "Server: Classified"; 134 | more_clear_headers 'X-Powered-By'; 135 | ``` 136 | 137 |
138 | 139 | 140 | ## Sub-Domain Configuration 141 | 142 |
143 | 144 | Expand for Code 145 | 146 | ### ombi.conf 147 | ```nginx 148 | ## Main server block to redirect traffic from HTTP to HTTPS 149 | server { 150 | listen 80; 151 | server_name ; 152 | return 301 https://$host$request_uri; 153 | } 154 | 155 | ## Main server block for HTTPS 156 | server { 157 | listen 443 ssl; 158 | server_name ; 159 | 160 | root /config/www; 161 | index index.html index.htm index.php; 162 | include /config/nginx/ssl.conf ## Using a single include for all SSL related items 163 | 164 | location / { 165 | proxy_pass http://:5000/; ## Default is 5000, adjust if necessary 166 | include /config/nginx/proxy.conf; ## Using a single include file for commonly used settings 167 | proxy_cache_bypass $http_upgrade; 168 | proxy_set_header Connection keep-alive; 169 | proxy_set_header Upgrade $http_upgrade; 170 | proxy_set_header X-Forwarded-Host $server_name; 171 | proxy_set_header X-Forwarded-Ssl on; 172 | } 173 | ## Required for Ombi 3.0.2517+ 174 | if ($http_referer ~* /) { 175 | rewrite ^/dist/([0-9\d*]).js /dist/$1.js last; 176 | } 177 | ``` 178 | ### proxy.conf 179 | ```nginx 180 | client_max_body_size 10m; 181 | client_body_buffer_size 128k; 182 | 183 | #Timeout if the real server is dead 184 | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; 185 | 186 | # Advanced Proxy Config 187 | send_timeout 5m; 188 | proxy_read_timeout 240; 189 | proxy_send_timeout 240; 190 | proxy_connect_timeout 240; 191 | 192 | # Basic Proxy Config 193 | proxy_set_header Host $host:$server_port; 194 | proxy_set_header X-Real-IP $remote_addr; 195 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 196 | proxy_set_header X-Forwarded-Proto $scheme; 197 | proxy_redirect http:// $scheme://; 198 | proxy_http_version 1.1; 199 | proxy_set_header Connection ""; 200 | proxy_cache_bypass $cookie_session; 201 | proxy_no_cache $cookie_session; 202 | proxy_buffers 32 4k; 203 | ``` 204 | ### ssl.conf 205 | ```nginx 206 | ## Certificates from LE 
container placement 207 | ssl_certificate /config/keys/letsencrypt/fullchain.pem; 208 | ssl_certificate_key /config/keys/letsencrypt/privkey.pem; 209 | 210 | ## Strong Security recommended settings per cipherli.st 211 | ssl_dhparam /config/nginx/dhparams.pem; 212 | ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; 213 | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 214 | ssl_session_timeout 10m; 215 | 216 | ## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com) 217 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 218 | add_header X-Content-Type-Options nosniff; 219 | add_header X-XSS-Protection "1; mode=block"; 220 | add_header X-Robots-Tag none; 221 | add_header Content-Security-Policy "frame-ancestors https://*. https://"; ## Use *.domain.com, not *.sub.domain.com 222 | add_header X-Frame-Options "ALLOW-FROM https://*." always; ## Use *.domain.com, not *.sub.domain.com 223 | add_header Referrer-Policy "strict-origin"; 224 | proxy_cookie_path / "/; HTTPOnly; Secure"; 225 | more_set_headers "Server: Classified"; 226 | more_clear_headers 'X-Powered-By'; 227 | ``` 228 | 229 |
230 | -------------------------------------------------------------------------------- /apps/organizr/auth/auth_request.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # [Organizr](https://organizr.us) 4 | 5 | ## Application notes 6 | 7 | [Official Proxy Documentation](https://github.com/causefx/Organizr/wiki/Authentication-%7C-Server-Based#nginx) 8 | 9 | 10 | Enables you to lock down services by using [auth_request](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) to allow users that are logged in to organizr to use the location. 11 | 12 | Does not work great with APIs connecting to your service. Follow this [guide](https://technicalramblings.com/blog/allowing-mobile-apps-work-with-services-using-organizr-server-auth/) for a write up on how to allow `/api`. 13 | 14 | 15 | Block Details | Supported | Notes 16 | ------ | ------ | ------ 17 | authentication | N/A | 18 | sub-directory | Yes | 19 | sub-domain | Yes | 20 | base URL | N/A | 21 | iFrame | N/A | 22 | 23 | 24 | 25 | ## Sub-Directory Configuration 26 | 27 |
28 | 29 | Expand for Code 30 | 31 | ### organizr.conf 32 | ```nginx 33 | location /auth-admin { rewrite ^ /auth.php?admin; } #You can ban users and IP's, check Documentation 34 | location /auth-user { rewrite ^ /auth.php?user; } #You can ban users and IP's, check Documentation 35 | ``` 36 | 37 |
38 | 39 | 40 | ## Sub-Domain Configuration 41 | 42 |
It is easiest to include this file in all your sub-domains.
-------------------------------------------------------------------------------- /apps/organizr/auth/dir_auth.conf: -------------------------------------------------------------------------------- 1 | #AUTHORIZATION BLOCK 2 | location /auth-admin { rewrite ^ /auth.php?admin; } 3 | location /auth-user { rewrite ^ /auth.php?user; } -------------------------------------------------------------------------------- /apps/organizr/auth/sub_auth.conf: -------------------------------------------------------------------------------- 1 | location = /auth-admin { 2 | proxy_pass /auth-admin; 3 | proxy_pass_request_body off; 4 | proxy_set_header Content-Length ""; 5 | } 6 | location = /auth-user { 7 | proxy_pass /auth-user; 8 | proxy_pass_request_body off; 9 | proxy_set_header Content-Length ""; 10 | } -------------------------------------------------------------------------------- /apps/organizr/organizr.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # [Organizr](https://organizr.us) 4 | 5 | ## Application notes 6 | 7 | [Official Proxy Documentation](https://github.com/causefx/Organizr/wiki/Authentication-%7C-Server-Based#nginx) 8 | 9 | 10 | The app supports being used with other authentication mechansisms. This will be configured in the app. It is highly suggested to use this as the authentication mechanism for your other tabs in this app which you may likely be reverse proxying. This can be done using an auth snippet of code. 11 | 12 | 13 | Block Details | Supported | Notes 14 | ------ | ------ | ------ 15 | authentication | Yes | It is suggested to use authentication through Organizr. 
16 | sub-directory | Yes | 17 | sub-domain | Yes | 18 | base URL | Yes | 19 | iFrame | Untested | 20 | 21 | ## Addons 22 | - [Auth](/apps/organizr/auth/auth_request.md) 23 | 24 | 25 | 26 | 27 | ## Location Directive 28 | ```nginx 29 | location // { 30 | proxy_pass http:///; ## Default is 80, so no need to adjust 31 | 32 | # Basic Proxy Config 33 | proxy_set_header X-Real-IP $remote_addr; 34 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 35 | proxy_set_header X-Forwarded-Proto $scheme; 36 | proxy_http_version 1.1; 37 | proxy_no_cache $cookie_session; 38 | } 39 | ``` 40 | 41 | ## Sub-Directory Configuration 42 | 43 |
44 | 45 | Expand for Code 46 | 47 | ### organizr.conf 48 | ```nginx 49 | ## Main server block to redirect traffic from HTTP to HTTPS 50 | server { 51 | listen 80; 52 | server_name ; 53 | return 301 https://$host$request_uri; 54 | } 55 | 56 | ## Main server block for HTTPS 57 | server { 58 | listen 443 ssl; 59 | server_name ; 60 | 61 | root /config/www; 62 | index index.html index.htm index.php; 63 | include /config/nginx/ssl.conf ## Using a single include for all SSL related items 64 | 65 | location // { 66 | proxy_pass http:///; ## Default is 80, so no need to adjust 67 | include /config/nginx/proxy.conf 68 | } 69 | ``` 70 | ### proxy.conf 71 | ```nginx 72 | client_max_body_size 10m; 73 | client_body_buffer_size 128k; 74 | 75 | #Timeout if the real server is dead 76 | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; 77 | 78 | # Advanced Proxy Config 79 | send_timeout 5m; 80 | proxy_read_timeout 240; 81 | proxy_send_timeout 240; 82 | proxy_connect_timeout 240; 83 | 84 | # Basic Proxy Config 85 | proxy_set_header Host $host:$server_port; 86 | proxy_set_header X-Real-IP $remote_addr; 87 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 88 | proxy_set_header X-Forwarded-Proto $scheme; 89 | proxy_redirect http:// $scheme://; 90 | proxy_http_version 1.1; 91 | proxy_set_header Connection ""; 92 | proxy_cache_bypass $cookie_session; 93 | proxy_no_cache $cookie_session; 94 | proxy_buffers 32 4k; 95 | ``` 96 | ### ssl.conf 97 | ```nginx 98 | ## Certificates from LE container placement 99 | ssl_certificate /config/keys/letsencrypt/fullchain.pem; 100 | ssl_certificate_key /config/keys/letsencrypt/privkey.pem; 101 | 102 | ## Strong Security recommended settings per cipherli.st 103 | ssl_dhparam /config/nginx/dhparams.pem; 104 | ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; 105 | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 106 | 
ssl_session_timeout 10m; 107 | 108 | ## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com) 109 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 110 | add_header X-Content-Type-Options nosniff; 111 | add_header X-XSS-Protection "1; mode=block"; 112 | add_header X-Robots-Tag none; 113 | add_header Content-Security-Policy "frame-ancestors https://*. https://"; ## Use *.domain.com, not *.sub.domain.com 114 | add_header X-Frame-Options "ALLOW-FROM https://*." always; ## Use *.domain.com, not *.sub.domain.com 115 | add_header Referrer-Policy "strict-origin"; 116 | proxy_cookie_path / "/; HTTPOnly; Secure"; 117 | more_set_headers "Server: Classified"; 118 | more_clear_headers 'X-Powered-By'; 119 | ``` 120 | 121 |
122 | 123 | 124 | ## Sub-Domain Configuration 125 | 126 |
127 | 128 | Expand for Code 129 | 130 | ### organizr.conf 131 | ```nginx 132 | ## Main server block to redirect traffic from HTTP to HTTPS 133 | server { 134 | listen 80; 135 | server_name ; 136 | return 301 https://$host$request_uri; 137 | } 138 | 139 | ## Main server block for HTTPS 140 | server { 141 | listen 443 ssl; 142 | server_name ; 143 | 144 | root /config/www; 145 | index index.html index.htm index.php; 146 | include /config/nginx/ssl.conf ## Using a single include for all SSL related items 147 | 148 | location / { 149 | proxy_pass http:///; ## Default is 80, so no need to adjust 150 | 151 | # Basic Proxy Config 152 | proxy_set_header X-Real-IP $remote_addr; 153 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 154 | proxy_set_header X-Forwarded-Proto $scheme; 155 | proxy_http_version 1.1; 156 | proxy_no_cache $cookie_session; 157 | } 158 | ``` 159 | ### proxy.conf 160 | ```nginx 161 | client_max_body_size 10m; 162 | client_body_buffer_size 128k; 163 | 164 | #Timeout if the real server is dead 165 | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; 166 | 167 | # Advanced Proxy Config 168 | send_timeout 5m; 169 | proxy_read_timeout 240; 170 | proxy_send_timeout 240; 171 | proxy_connect_timeout 240; 172 | 173 | # Basic Proxy Config 174 | proxy_set_header Host $host:$server_port; 175 | proxy_set_header X-Real-IP $remote_addr; 176 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 177 | proxy_set_header X-Forwarded-Proto $scheme; 178 | proxy_redirect http:// $scheme://; 179 | proxy_http_version 1.1; 180 | proxy_set_header Connection ""; 181 | proxy_cache_bypass $cookie_session; 182 | proxy_no_cache $cookie_session; 183 | proxy_buffers 32 4k; 184 | ``` 185 | ### ssl.conf 186 | ```nginx 187 | ## Certificates from LE container placement 188 | ssl_certificate /config/keys/letsencrypt/fullchain.pem; 189 | ssl_certificate_key /config/keys/letsencrypt/privkey.pem; 190 | 191 | ## Strong Security recommended settings 
per cipherli.st 192 | ssl_dhparam /config/nginx/dhparams.pem; 193 | ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; 194 | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 195 | ssl_session_timeout 10m; 196 | 197 | ## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com) 198 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 199 | add_header X-Content-Type-Options nosniff; 200 | add_header X-XSS-Protection "1; mode=block"; 201 | add_header X-Robots-Tag none; 202 | add_header Content-Security-Policy "frame-ancestors https://*. https://"; ## Use *.domain.com, not *.sub.domain.com 203 | add_header X-Frame-Options "ALLOW-FROM https://*." always; ## Use *.domain.com, not *.sub.domain.com 204 | add_header Referrer-Policy "strict-origin"; 205 | proxy_cookie_path / "/; HTTPOnly; Secure"; 206 | more_set_headers "Server: Classified"; 207 | more_clear_headers 'X-Powered-By'; 208 | ``` 209 | 210 |
211 | -------------------------------------------------------------------------------- /apps/plex/plex.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # [Plex](https://plex.tv) 4 | 5 | ## Application notes 6 | 7 | 8 | It seems this requires use of a sub-directory. It actually has problems if placed on the root of a sub-domain. While it may work, it is not suggested to proxy ALL Plex traffic through this proxy. This would put a large load on the system unnecessarily. 9 | 10 | If you desire to utilize the SSO feature with an app called Organizr, you will have to use this on a sub-directory. Sub domains should likely be supproted if desired, however it will not work with the SSO mechanism properly. 11 | 12 | **EDIT: 2018-03-16 - The old mechanism seems to not be working as properly as it did previously, at least in my setup. I've switched to this which is working. It had something to do with the way the Plex system looks for deviceID or auth Tokens when it's not seen the device previously.** 13 | 14 | Block Details | Supported | Notes 15 | ------ | ------ | ------ 16 | authentication | Untested | Has Plex auth built in, it actually may not function with another auth in front 17 | sub-directory | Yes | 18 | sub-domain | N/A | 19 | base URL | Yes | You must use /plex, it can not be altered 20 | iFrame | Yes | 21 | 22 | 23 | ## Location Directive 24 | ```nginx 25 | location /plex { 26 | return 301 /web; 27 | } 28 | location ~ ^/(\?(?:.*)(X-Plex-Device=)|web|video|photo|library|web|status|system|updater|clients|:|playQueues)(.*) { 29 | proxy_pass http://:32400/; ## Default is 32400, adjust if necessary 30 | proxy_set_header Upgrade $http_upgrade; 31 | proxy_set_header Connection "upgrade"; 32 | 33 | # Basic Proxy Config 34 | proxy_set_header X-Real-IP $remote_addr; 35 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 36 | proxy_set_header X-Forwarded-Proto $scheme; 37 | proxy_http_version 1.1; 38 | 
proxy_no_cache $cookie_session; 39 | } 40 | ``` 41 | 42 | ## Sub-Directory Configuration 43 | 44 |
45 | 46 | Expand for Code 47 | 48 | ### plex.conf 49 | ```nginx 50 | ## Main server block to redirect traffic from HTTP to HTTPS 51 | server { 52 | listen 80; 53 | server_name ; 54 | return 301 https://$host$request_uri; 55 | } 56 | 57 | ## Main server block for HTTPS 58 | server { 59 | listen 443 ssl; 60 | server_name ; 61 | 62 | root /config/www; 63 | index index.html index.htm index.php; 64 | include /config/nginx/ssl.conf ## Using a single include for all SSL related items 65 | 66 | location /plex { 67 | return 301 /web; 68 | } 69 | location ~ ^/(\?(?:.*)(X-Plex-Device=)|web|video|photo|library|web|status|system|updater|clients|:|playQueues)(.*) { 70 | proxy_pass http://:32400/; ## Default is 32400, adjust if necessary 71 | include /config/nginx/proxy.conf; ## Using a single include file for commonly used settings 72 | proxy_set_header Upgrade $http_upgrade; 73 | proxy_set_header Connection "upgrade"; 74 | } 75 | ``` 76 | ### proxy.conf 77 | ```nginx 78 | client_max_body_size 10m; 79 | client_body_buffer_size 128k; 80 | 81 | #Timeout if the real server is dead 82 | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; 83 | 84 | # Advanced Proxy Config 85 | send_timeout 5m; 86 | proxy_read_timeout 240; 87 | proxy_send_timeout 240; 88 | proxy_connect_timeout 240; 89 | 90 | # Basic Proxy Config 91 | proxy_set_header Host $host:$server_port; 92 | proxy_set_header X-Real-IP $remote_addr; 93 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 94 | proxy_set_header X-Forwarded-Proto $scheme; 95 | proxy_redirect http:// $scheme://; 96 | proxy_http_version 1.1; 97 | proxy_set_header Connection ""; 98 | proxy_cache_bypass $cookie_session; 99 | proxy_no_cache $cookie_session; 100 | proxy_buffers 32 4k; 101 | ``` 102 | ### ssl.conf 103 | ```nginx 104 | ## Certificates from LE container placement 105 | ssl_certificate /config/keys/letsencrypt/fullchain.pem; 106 | ssl_certificate_key /config/keys/letsencrypt/privkey.pem; 107 | 108 | ## 
Strong Security recommended settings per cipherli.st 109 | ssl_dhparam /config/nginx/dhparams.pem; 110 | ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; 111 | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 112 | ssl_session_timeout 10m; 113 | 114 | ## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com) 115 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 116 | add_header X-Content-Type-Options nosniff; 117 | add_header X-XSS-Protection "1; mode=block"; 118 | add_header X-Robots-Tag none; 119 | add_header Content-Security-Policy "frame-ancestors https://*. https://"; ## Use *.domain.com, not *.sub.domain.com 120 | add_header X-Frame-Options "ALLOW-FROM https://*." always; ## Use *.domain.com, not *.sub.domain.com 121 | add_header Referrer-Policy "strict-origin"; 122 | proxy_cookie_path / "/; HTTPOnly; Secure"; 123 | more_set_headers "Server: Classified"; 124 | more_clear_headers 'X-Powered-By'; 125 | ``` 126 | 127 |
128 | 129 | 130 | ## Sub-Domain Configuration 131 | 132 |
133 | 134 | Expand for Code 135 | 136 | ``` 137 | N/A 138 | ``` 139 | 140 |
141 | -------------------------------------------------------------------------------- /apps/portainer/portainer.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # [NZBGet](https://portainer.io) 4 | 5 | ## Application notes 6 | 7 | [Official Proxy Documentation](https://portainer.readthedocs.io/en/stable/faq.html#how-can-i-configure-my-reverse-proxy-to-serve-portainer) 8 | 9 | 10 | It's important to note that if you proxy this container, and attempt to restart either the nginx container or this container, you can run into issues. Specifically when restarting the nginx container, you will lose access to the interface until nginx is back online. If you attempt to restart the portainer container, you will effectively end up losing it because the connection to the web console is lost. 11 | 12 | Block Details | Supported | Notes 13 | ------ | ------ | ------ 14 | authentication | Yes | It has it's own built-in authentication, it's best to setup location (IP) based auth to limit access to internal only 15 | sub-directory | Yes | 16 | sub-domain | Untested | 17 | base URL | No | 18 | iFrame | Yes | 19 | 20 | 21 | ## Location Directive 22 | ```nginx 23 | location // { 24 | proxy_pass http://:9000/; ## Default is 9000, adjust if necessary 25 | 26 | # Basic Proxy Config 27 | proxy_set_header X-Real-IP $remote_addr; 28 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 29 | proxy_set_header X-Forwarded-Proto $scheme; 30 | proxy_http_version 1.1; 31 | proxy_no_cache $cookie_session; 32 | } 33 | location //api/websocket/ { 34 | proxy_pass http://:9000/api/websocket/; ## Default is 9000, adjust if necessary 35 | 36 | # Basic Proxy Config 37 | proxy_set_header X-Real-IP $remote_addr; 38 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 39 | proxy_set_header X-Forwarded-Proto $scheme; 40 | proxy_http_version 1.1; 41 | proxy_no_cache $cookie_session; 42 | } 43 | ``` 44 | 45 | ## Sub-Directory Configuration 46 
| 47 |
48 | 49 | Expand for Code 50 | 51 | ### portainer.conf 52 | ```nginx 53 | ## Main server block to redirect traffic from HTTP to HTTPS 54 | server { 55 | listen 80; 56 | server_name ; 57 | return 301 https://$host$request_uri; 58 | } 59 | 60 | ## Main server block for HTTPS 61 | server { 62 | listen 443 ssl; 63 | server_name ; 64 | 65 | root /config/www; 66 | index index.html index.htm index.php; 67 | include /config/nginx/ssl.conf ## Using a single include for all SSL related items 68 | 69 | location // { 70 | proxy_pass http://:9000/; ## Default is 9000, adjust if necessary 71 | include /config/nginx/proxy.conf; ## Using a single include file for commonly used settings 72 | } 73 | location //api/websocket/ { 74 | proxy_pass http://:9000/api/websocket/; ## Default is 9000, adjust if necessary 75 | include /config/nginx/proxy.conf; ## Using a single include file for commonly used settings 76 | } 77 | ``` 78 | ### proxy.conf 79 | ```nginx 80 | client_max_body_size 10m; 81 | client_body_buffer_size 128k; 82 | 83 | #Timeout if the real server is dead 84 | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; 85 | 86 | # Advanced Proxy Config 87 | send_timeout 5m; 88 | proxy_read_timeout 240; 89 | proxy_send_timeout 240; 90 | proxy_connect_timeout 240; 91 | 92 | # Basic Proxy Config 93 | proxy_set_header Host $host:$server_port; 94 | proxy_set_header X-Real-IP $remote_addr; 95 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 96 | proxy_set_header X-Forwarded-Proto $scheme; 97 | proxy_redirect http:// $scheme://; 98 | proxy_http_version 1.1; 99 | proxy_set_header Connection ""; 100 | proxy_cache_bypass $cookie_session; 101 | proxy_no_cache $cookie_session; 102 | proxy_buffers 32 4k; 103 | ``` 104 | ### ssl.conf 105 | ```nginx 106 | ## Certificates from LE container placement 107 | ssl_certificate /config/keys/letsencrypt/fullchain.pem; 108 | ssl_certificate_key /config/keys/letsencrypt/privkey.pem; 109 | 110 | ## Strong Security 
recommended settings per cipherli.st 111 | ssl_dhparam /config/nginx/dhparams.pem; 112 | ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; 113 | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 114 | ssl_session_timeout 10m; 115 | 116 | ## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com) 117 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 118 | add_header X-Content-Type-Options nosniff; 119 | add_header X-XSS-Protection "1; mode=block"; 120 | add_header X-Robots-Tag none; 121 | add_header Content-Security-Policy "frame-ancestors https://*. https://"; ## Use *.domain.com, not *.sub.domain.com 122 | add_header X-Frame-Options "ALLOW-FROM https://*." always; ## Use *.domain.com, not *.sub.domain.com 123 | add_header Referrer-Policy "strict-origin"; 124 | proxy_cookie_path / "/; HTTPOnly; Secure"; 125 | more_set_headers "Server: Classified"; 126 | more_clear_headers 'X-Powered-By'; 127 | ``` 128 | 129 |
130 | 131 | 132 | ## Sub-Domain Configuration 133 | 134 |
135 | 136 | Expand for Code 137 | 138 | ```nginx 139 | N/A 140 | ``` 141 | 142 |
143 | -------------------------------------------------------------------------------- /apps/radarr/radarr.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # [Radarr](https://radarr.video) 4 | 5 | ## Application notes 6 | 7 | [Official Proxy Documentation](https://github.com/Radarr/Radarr/wiki/Reverse-Proxy#nginx) 8 | 9 | 10 | 11 | 12 | Block Details | Supported | Notes 13 | ------ | ------ | ------ 14 | authentication | Yes | 15 | sub-directory | Yes | Be sure to set the baseurl 16 | sub-domain | Untested | 17 | base URL | Yes | 18 | iFrame | Yes | 19 | 20 | 21 | ## Location Directive 22 | ```nginx 23 | location / { 24 | proxy_pass http://:7878; ## Default is 7878, adjust if necessary 25 | 26 | # Basic Proxy Config 27 | proxy_set_header X-Real-IP $remote_addr; 28 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 29 | proxy_set_header X-Forwarded-Proto $scheme; 30 | proxy_http_version 1.1; 31 | proxy_no_cache $cookie_session; 32 | } 33 | ``` 34 | 35 | ## Sub-Directory Configuration 36 | 37 |
38 | 39 | Expand for Code 40 | 41 | ### radarr.conf 42 | ```nginx 43 | ## Main server block to redirect traffic from HTTP to HTTPS 44 | server { 45 | listen 80; 46 | server_name ; 47 | return 301 https://$host$request_uri; 48 | } 49 | 50 | ## Main server block for HTTPS 51 | server { 52 | listen 443 ssl; 53 | server_name ; 54 | 55 | root /config/www; 56 | index index.html index.htm index.php; 57 | include /config/nginx/ssl.conf ## Using a single include for all SSL related items 58 | 59 | location / { 60 | proxy_pass http://:7878; ## Default is 7878, adjust if necessary 61 | include /config/nginx/proxy.conf; ## Using a single include file for commonly used settings 62 | } 63 | ``` 64 | ### proxy.conf 65 | ```nginx 66 | client_max_body_size 10m; 67 | client_body_buffer_size 128k; 68 | 69 | #Timeout if the real server is dead 70 | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; 71 | 72 | # Advanced Proxy Config 73 | send_timeout 5m; 74 | proxy_read_timeout 240; 75 | proxy_send_timeout 240; 76 | proxy_connect_timeout 240; 77 | 78 | # Basic Proxy Config 79 | proxy_set_header Host $host:$server_port; 80 | proxy_set_header X-Real-IP $remote_addr; 81 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 82 | proxy_set_header X-Forwarded-Proto $scheme; 83 | proxy_redirect http:// $scheme://; 84 | proxy_http_version 1.1; 85 | proxy_set_header Connection ""; 86 | proxy_cache_bypass $cookie_session; 87 | proxy_no_cache $cookie_session; 88 | proxy_buffers 32 4k; 89 | ``` 90 | ### ssl.conf 91 | ```nginx 92 | ## Certificates from LE container placement 93 | ssl_certificate /config/keys/letsencrypt/fullchain.pem; 94 | ssl_certificate_key /config/keys/letsencrypt/privkey.pem; 95 | 96 | ## Strong Security recommended settings per cipherli.st 97 | ssl_dhparam /config/nginx/dhparams.pem; 98 | ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; 99 | 
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 100 | ssl_session_timeout 10m; 101 | 102 | ## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com) 103 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 104 | add_header X-Content-Type-Options nosniff; 105 | add_header X-XSS-Protection "1; mode=block"; 106 | add_header X-Robots-Tag none; 107 | add_header Content-Security-Policy "frame-ancestors https://*. https://"; ## Use *.domain.com, not *.sub.domain.com 108 | add_header X-Frame-Options "ALLOW-FROM https://*." always; ## Use *.domain.com, not *.sub.domain.com 109 | add_header Referrer-Policy "strict-origin"; 110 | proxy_cookie_path / "/; HTTPOnly; Secure"; 111 | more_set_headers "Server: Classified"; 112 | more_clear_headers 'X-Powered-By'; 113 | ``` 114 | 115 |
116 | 117 | 118 | ## Sub-Domain Configuration 119 | 120 |
121 | 122 | Expand for Code 123 | 124 | ```nginx 125 | N/A 126 | ``` 127 | 128 |
129 | -------------------------------------------------------------------------------- /apps/sonarr/sonarr.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # [Sonarr](https://sonarr.tv) 4 | 5 | ## Application notes 6 | 7 | [Official Proxy Documentation](https://github.com/Sonarr/Sonarr/wiki/Reverse-Proxy#nginx-conf) 8 | 9 | 10 | 11 | 12 | Block Details | Supported | Notes 13 | ------ | ------ | ------ 14 | authentication | Yes | 15 | sub-directory | Yes | Be sure to set the baseurl 16 | sub-domain | Untested | 17 | base URL | Yes | 18 | iFrame | Yes | 19 | 20 | 21 | ## Location Directive 22 | ```nginx 23 | location / { 24 | proxy_pass http://:8989; ## Default is 8989, adjust if necessary 25 | 26 | # Basic Proxy Config 27 | proxy_set_header X-Real-IP $remote_addr; 28 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 29 | proxy_set_header X-Forwarded-Proto $scheme; 30 | proxy_http_version 1.1; 31 | proxy_no_cache $cookie_session; 32 | } 33 | ``` 34 | 35 | ## Sub-Directory Configuration 36 | 37 |
38 | 39 | Expand for Code 40 | 41 | ### sonarr.conf 42 | ```nginx 43 | ## Main server block to redirect traffic from HTTP to HTTPS 44 | server { 45 | listen 80; 46 | server_name ; 47 | return 301 https://$host$request_uri; 48 | } 49 | 50 | ## Main server block for HTTPS 51 | server { 52 | listen 443 ssl; 53 | server_name ; 54 | 55 | root /config/www; 56 | index index.html index.htm index.php; 57 | include /config/nginx/ssl.conf ## Using a single include for all SSL related items 58 | 59 | location / { 60 | proxy_pass http://:8989; ## Default is 8989, adjust if necessary 61 | include /config/nginx/proxy.conf; ## Using a single include file for commonly used settings 62 | } 63 | ``` 64 | ### proxy.conf 65 | ```nginx 66 | client_max_body_size 10m; 67 | client_body_buffer_size 128k; 68 | 69 | #Timeout if the real server is dead 70 | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; 71 | 72 | # Advanced Proxy Config 73 | send_timeout 5m; 74 | proxy_read_timeout 240; 75 | proxy_send_timeout 240; 76 | proxy_connect_timeout 240; 77 | 78 | # Basic Proxy Config 79 | proxy_set_header Host $host:$server_port; 80 | proxy_set_header X-Real-IP $remote_addr; 81 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 82 | proxy_set_header X-Forwarded-Proto $scheme; 83 | proxy_redirect http:// $scheme://; 84 | proxy_http_version 1.1; 85 | proxy_set_header Connection ""; 86 | proxy_cache_bypass $cookie_session; 87 | proxy_no_cache $cookie_session; 88 | proxy_buffers 32 4k; 89 | ``` 90 | ### ssl.conf 91 | ```nginx 92 | ## Certificates from LE container placement 93 | ssl_certificate /config/keys/letsencrypt/fullchain.pem; 94 | ssl_certificate_key /config/keys/letsencrypt/privkey.pem; 95 | 96 | ## Strong Security recommended settings per cipherli.st 97 | ssl_dhparam /config/nginx/dhparams.pem; 98 | ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; 99 | 
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 100 | ssl_session_timeout 10m; 101 | 102 | ## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com) 103 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 104 | add_header X-Content-Type-Options nosniff; 105 | add_header X-XSS-Protection "1; mode=block"; 106 | add_header X-Robots-Tag none; 107 | add_header Content-Security-Policy "frame-ancestors https://*. https://"; ## Use *.domain.com, not *.sub.domain.com 108 | add_header X-Frame-Options "ALLOW-FROM https://*." always; ## Use *.domain.com, not *.sub.domain.com 109 | add_header Referrer-Policy "strict-origin"; 110 | proxy_cookie_path / "/; HTTPOnly; Secure"; 111 | more_set_headers "Server: Classified"; 112 | more_clear_headers 'X-Powered-By'; 113 | ``` 114 | 115 |
116 | 117 | 118 | ## Sub-Domain Configuration 119 | 120 |
121 | 122 | Expand for Code 123 | 124 | ```nginx 125 | N/A 126 | ``` 127 | 128 |
129 | -------------------------------------------------------------------------------- /apps/tautulli/tautulli.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # [Tautulli](http://tautulli.com) 4 | 5 | ## Application notes 6 | 7 | [Official Proxy Documentation](https://github.com/JonnyWong16/plexpy/wiki/Frequently-Asked-Questions-(FAQ)#q-why-does-plexpy-not-work-with-my-reverse-proxy-setup) 8 | 9 | 10 | This app was once known as PlexPy but now goes by Tautulli. You may see varying mixtures of these names throughout content around this app. It is listed both ways in this collection. 11 | 12 | Block Details | Supported | Notes 13 | ------ | ------ | ------ 14 | authentication | Yes | Supports auth, but if using it may be best to turn off Tautulli auth or vice versa 15 | sub-directory | Yes | Be sure to set the baseurl 16 | sub-domain | Untested | 17 | base URL | Yes | 18 | iFrame | Yes | 19 | 20 | 21 | ## Location Directive 22 | ```nginx 23 | location // { 24 | proxy_pass http://:8181/; ## Default is 8181, adjust if necessary 25 | proxy_set_header X-Forwarded-Host $server_name; 26 | 27 | # Basic Proxy Config 28 | proxy_set_header X-Real-IP $remote_addr; 29 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 30 | proxy_set_header X-Forwarded-Proto $scheme; 31 | proxy_http_version 1.1; 32 | proxy_no_cache $cookie_session; 33 | } 34 | ``` 35 | 36 | ## Sub-Directory Configuration 37 | 38 |
39 | 40 | Expand for Code 41 | 42 | ### tautulli.conf 43 | ```nginx 44 | ## Main server block to redirect traffic from HTTP to HTTPS 45 | server { 46 | listen 80; 47 | server_name ; 48 | return 301 https://$host$request_uri; 49 | } 50 | 51 | ## Main server block for HTTPS 52 | server { 53 | listen 443 ssl; 54 | server_name ; 55 | 56 | root /config/www; 57 | index index.html index.htm index.php; 58 | include /config/nginx/ssl.conf ## Using a single include for all SSL related items 59 | 60 | location // { 61 | proxy_pass http://:8181/; ## Default is 8181, adjust if necessary 62 | proxy_set_header X-Forwarded-Host $server_name; 63 | include /config/nginx/proxy.conf; ## Using a single include file for commonly used settings 64 | } 65 | ``` 66 | ### proxy.conf 67 | ```nginx 68 | client_max_body_size 10m; 69 | client_body_buffer_size 128k; 70 | 71 | #Timeout if the real server is dead 72 | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; 73 | 74 | # Advanced Proxy Config 75 | send_timeout 5m; 76 | proxy_read_timeout 240; 77 | proxy_send_timeout 240; 78 | proxy_connect_timeout 240; 79 | 80 | # Basic Proxy Config 81 | proxy_set_header Host $host:$server_port; 82 | proxy_set_header X-Real-IP $remote_addr; 83 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 84 | proxy_set_header X-Forwarded-Proto $scheme; 85 | proxy_redirect http:// $scheme://; 86 | proxy_http_version 1.1; 87 | proxy_set_header Connection ""; 88 | proxy_cache_bypass $cookie_session; 89 | proxy_no_cache $cookie_session; 90 | proxy_buffers 32 4k; 91 | ``` 92 | ### ssl.conf 93 | ```nginx 94 | ## Certificates from LE container placement 95 | ssl_certificate /config/keys/letsencrypt/fullchain.pem; 96 | ssl_certificate_key /config/keys/letsencrypt/privkey.pem; 97 | 98 | ## Strong Security recommended settings per cipherli.st 99 | ssl_dhparam /config/nginx/dhparams.pem; 100 | ssl_ciphers 
ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; 101 | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 102 | ssl_session_timeout 10m; 103 | 104 | ## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com) 105 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 106 | add_header X-Content-Type-Options nosniff; 107 | add_header X-XSS-Protection "1; mode=block"; 108 | add_header X-Robots-Tag none; 109 | add_header Content-Security-Policy "frame-ancestors https://*. https://"; ## Use *.domain.com, not *.sub.domain.com 110 | add_header X-Frame-Options "ALLOW-FROM https://*." always; ## Use *.domain.com, not *.sub.domain.com 111 | add_header Referrer-Policy "strict-origin"; 112 | proxy_cookie_path / "/; HTTPOnly; Secure"; 113 | more_set_headers "Server: Classified"; 114 | more_clear_headers 'X-Powered-By'; 115 | ``` 116 | 117 |
118 | 119 | 120 | ## Sub-Domain Configuration 121 | 122 |
123 | 124 | Expand for Code 125 | 126 | ```nginx 127 | N/A 128 | ``` 129 | 130 |
131 | -------------------------------------------------------------------------------- /apps/unifi_controller/unifi_controller.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # [Unifi Controller](https://www.ubnt.com/software/) 4 | 5 | ## Application notes 6 | 7 | 8 | 9 | 10 | The controller software is not known to work as a sub-directory. This could be incorrect if someone has a working configuration, but many forum conversations come to the same conclusion that it must reside on a sub-domain rather than a sub-directory. 11 | 12 | 13 | Block Details | Supported | Notes 14 | ------ | ------ | ------ 15 | authentication | Yes | The built-in authentication should be used; if using other authentication you will have to log in twice. 16 | sub-directory | No | 17 | sub-domain | Yes | 18 | base URL | N/A | Because this works on a sub-domain only, no Base URL is needed 19 | iFrame | No | The app by default is not iFrame friendly. You must use a proxy_hide_header directive to remove this issue. Note that hiding X-Frame-Options strips the app's own clickjacking protection, so set a frame policy at the proxy instead (the ssl.conf below does this with Content-Security-Policy frame-ancestors). 
20 | 21 | 22 | ## Location Directive 23 | ```nginx 24 | location / { 25 | proxy_pass http://:8443; ## Default is 8443, adjust if necessary 26 | proxy_buffering off; 27 | proxy_set_header Host $host; 28 | proxy_hide_header X-Frame-Options; 29 | 30 | # Enables use of Websockets communication 31 | proxy_set_header Upgrade $http_upgrade; 32 | proxy_set_header Connection "upgrade"; 33 | 34 | # Basic Proxy Config 35 | proxy_set_header X-Real-IP $remote_addr; 36 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 37 | proxy_set_header X-Forwarded-Proto $scheme; 38 | proxy_http_version 1.1; 39 | proxy_no_cache $cookie_session; 40 | } 41 | location /ws/ { ## Websockets 42 | proxy_pass http://:8443/ws/; ## Default is 8443, adjust if necessary 43 | proxy_set_header Upgrade $http_upgrade; 44 | proxy_set_header Connection "upgrade"; 45 | } 46 | ``` 47 | 48 | ## Sub-Directory Configuration 49 | 50 | **Not supported** 51 | 52 | 53 | ## Sub-Domain Configuration 54 | 55 |
56 | 57 | Expand for Code 58 | 59 | ### unifi_controller.conf 60 | ```nginx 61 | ## Main server block to redirect traffic from HTTP to HTTPS 62 | server { 63 | listen 80; 64 | server_name ; 65 | return 301 https://$host$request_uri; 66 | } 67 | 68 | ## Main server block for HTTPS 69 | server { 70 | listen 443 ssl; 71 | server_name ; 72 | 73 | root /config/www; 74 | index index.html index.htm index.php; 75 | include /config/nginx/ssl.conf ## Using a single include for all SSL related items 76 | 77 | location / { 78 | proxy_pass http://:8443; ## Default is 8443, adjust if necessary 79 | proxy_buffering off; 80 | proxy_set_header Host $host; 81 | proxy_hide_header X-Frame-Options; 82 | include /config/nginx/proxy.conf 83 | 84 | # Enables use of Websockets communication 85 | proxy_set_header Upgrade $http_upgrade; 86 | proxy_set_header Connection "upgrade"; 87 | } 88 | location /ws/ { ## Websockets 89 | proxy_pass http://:8443/ws/; ## Default is 8443, adjust if necessary 90 | proxy_set_header Upgrade $http_upgrade; 91 | proxy_set_header Connection "upgrade"; 92 | } 93 | ``` 94 | ### proxy.conf 95 | ```nginx 96 | client_max_body_size 10m; 97 | client_body_buffer_size 128k; 98 | 99 | #Timeout if the real server is dead 100 | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; 101 | 102 | # Advanced Proxy Config 103 | send_timeout 5m; 104 | proxy_read_timeout 240; 105 | proxy_send_timeout 240; 106 | proxy_connect_timeout 240; 107 | 108 | # Basic Proxy Config 109 | proxy_set_header Host $host:$server_port; 110 | proxy_set_header X-Real-IP $remote_addr; 111 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 112 | proxy_set_header X-Forwarded-Proto $scheme; 113 | proxy_redirect http:// $scheme://; 114 | proxy_http_version 1.1; 115 | proxy_set_header Connection ""; 116 | proxy_cache_bypass $cookie_session; 117 | proxy_no_cache $cookie_session; 118 | proxy_buffers 32 4k; 119 | ``` 120 | ### ssl.conf 121 | ```nginx 122 | ## Certificates from 
LE container placement 123 | ssl_certificate /config/keys/letsencrypt/fullchain.pem; 124 | ssl_certificate_key /config/keys/letsencrypt/privkey.pem; 125 | 126 | ## Strong Security recommended settings per cipherli.st 127 | ssl_dhparam /config/nginx/dhparams.pem; 128 | ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; 129 | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 130 | ssl_session_timeout 10m; 131 | 132 | ## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com) 133 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 134 | add_header X-Content-Type-Options nosniff; 135 | add_header X-XSS-Protection "1; mode=block"; 136 | add_header X-Robots-Tag none; 137 | add_header Content-Security-Policy "frame-ancestors https://*. https://"; ## Use *.domain.com, not *.sub.domain.com 138 | add_header X-Frame-Options "ALLOW-FROM https://*." always; ## Use *.domain.com, not *.sub.domain.com 139 | add_header Referrer-Policy "strict-origin"; 140 | proxy_cookie_path / "/; HTTPOnly; Secure"; 141 | more_set_headers "Server: Classified"; 142 | more_clear_headers 'X-Powered-By'; 143 | ``` 144 | 145 |
146 | -------------------------------------------------------------------------------- /contributing.md: -------------------------------------------------------------------------------- 1 | # Contribution Guidelines 2 | 1. Search for the configuration first and validate it does not exist - if it does, modify the current config with appropriate notes as to why this needs to be altered/updated. 3 | 2. Ensure ALL documentation has been created per the formatting rules. 4 | 3. All Pull Requests must have valuable titles and notes. Leaving defaults and not properly updating will be denied. 5 | 4. Provide proof where available - if you have a working config for a publicly facing site - share that URL in the pull request to validate it's functioning. 6 | 5. Please do not leave ANY FQDN/HOSTNAME/IP in your file. Follow the directions about replacing these entries. 7 | 6. Entries for the main page with the list of configs should be in `[Name of App](/appname/appname.md)` format to link to your addition once the pull request is approved. 8 | 7. Where possible, add notes using `## Your note here` in the configuration files explaining what things are doing. This will help educate everyone in why certain lines may be needed, what they're doing, or how something works. 9 | 10 | ## Format 11 | Each configuration will be placed into a folder under the apps directory of this repo, with the folder name matching the application. This will help to make it easier for everyone to find the specific configuration they are looking for. The short term goal is to add markdown based docs with the details for quick copy/paste and visual browsing. The long term plan is to adjust this repo to also include downloadable config files ready to drop into your configuration. 12 | 13 | Each configuration MUST have the following: 14 | - **appname.md** - This will be your landing page details for the base proxy details. 
You can view the [template](/-template/appname.md) and see all the below details and the formatting required. Please do not deviate from the format. 15 | - **Name of Application** - name of the app with a `[Name of App](https://url.of.app)` format to allow easy clickthrough for discovery. 16 | - **Official Proxy Documentation** - if the app has any details about using a proxy, provide a link to this documentation (wikis, articles, references, etc) in the first line of application notes below. 17 | - *PLEASE NOTE: This should not be some random Reddit post or forum post, but actual solid documentation by the app provider.* 18 | - **Application Notes** - anything of importance that should be noted: partially working, certain resources not loading, cautions about security, implications of use, etc. Also ensure that there is information regarding the version of an app that this has worked with. Variations may happen between versions and can help illustrate reasons why a config may not work. 19 | - **Authentication Support** - if this configuration supports authentication and whether there are any gotchas when trying to use authentication (i.e. 
App has authentication by default, must disable, double auth with app and nginx, etc) 20 | - **Sub-domain Compatible** - whether the app supports being placed in sub-domain (yes / no / untested) - if untested, be sure to mark the code section of the doc with an N/A 21 | - *NOTE: only use NO when you know for sure it will break or the app has acknowledged as such, not just because you couldn't get it to work* 22 | - **Sub-directory Compatible** - whether the app supports being placed in sub-directory blocks (yes / no / untested) - if untested, be sure to mark the code section of the doc with an N/A 23 | - *NOTE: only use NO when you know for sure it will break or the app has acknowledged as such, not just because you couldn't get it to work* 24 | 25 | - **Location Directive** - The most frequent use of nginx is to add multiple sites to a single host. This allows easy access to multiple services/systems on a single host. For this reason, the Location Directive will be outlined at the top of each configuration set. This is because most users will be looking for this information. To keep this uniform, please be sure of the following: 26 | - Do not use INCLUDE files - if there are, be sure to include all relevant details from them (i.e. proxy.conf) 27 | - All information that would be substituted (as seen below in appname.conf explanation - Rule 5 above) is substituted 28 | - If NOT providing detail for a sub-directory entry, simply input `NO LOCATION DIRECTIVE` into the code section 29 | - If there are relevant If blocks, rewrites, etc outside the location - they should be included here as they would be in the server config file 30 | 31 | The following sections should be contained within the `
<details>` blocks below the sub-domain / sub-directory sections. This is intended to allow users an easy way to quickly view the code with proper syntax highlighting. If adding new sections, please be sure to use ` ```nginx` at the top of the section for proper highlighting. In the future, the goal will be to mirror these files into the app folder. This will allow a user to also download the configs directly if needed for quick drag and drop into their nginx config folders. 32 | 33 | - **appname.conf** - This file will have the appropriate configuration details 34 | - All places where an FQDN should be placed, should be replaced with `` 35 | - All places where a hostname/IP should be placed, should be replaced with `` 36 | - All places where a baseURL should be placed, should be replaced with `` 37 | - Please use discretion in the use of Ports - only specify ports that are necessary due to the config or known port for the app to operate on. If any ports are specified, please note this in the **Application Notes** section as to why this port was used. 38 | - **proxy.conf / nginx.conf / other.conf** - If using references like `include`, be sure to link the appropriate files as well. Where possible, it would be best to remove all include lines and just add your relevant content to the core `appname.conf` file. A user should be able to view your addition and see ALL information needed for this to work. 39 | -------------------------------------------------------------------------------- /instructions.md: -------------------------------------------------------------------------------- 1 | # Usage Instructions 2 | 3 | Please be aware that these configurations may be supplied by many different users, across different file structures, versions, and even platforms. For this reason it is important to realize that you may not be able to simply drag/drop these configs into your files and have them work. 
You therefore need to be aware of this and analyze each config for potential differences. The list below highlights some of these and reminds you to validate them before using a configuration. 4 | 5 | - **include** - these are lines that are often used to shorten the config file with commonly used parameters. If there are lines that start with `include` in the configurations, be sure to adjust these accordingly. If you are on a different platform or version than the author, you may very well need to adjust this. 6 | - **root** - this setting is used to indicate the root directory for files/content to be served. Be aware that others may be doing different things on their servers, have relocated error pages, or other various content. For this reason, be sure to validate that your root is correct and that it does not expose files you did not intend to serve. 7 | - **default_server** - if this option is used at the top of a server block, beware. You may have this used in another file already and may not be able to use it in more than one place. Check to ensure this is not used in more than one configuration or more than one place in a configuration. 8 | - **listen** - if you see lines using the listen directive, you may need to adjust this for your own setup. Some users may simply listen on 80, others 443, others both. There are many cases as well where someone may be listening on non-standard ports or perhaps you need to listen on non-standard ports. Be sure to match this with your setup. 9 | --------------------------------------------------------------------------------