├── .gitattributes
├── .gitignore
├── Apps
├── bazarr.conf
├── calibre.conf
├── couchpotato.conf
├── deluge.conf
├── duplicati.conf
├── emby.conf
├── flood.conf
├── jackett.conf
├── lazylibrarian.conf
├── lidarr.conf
├── mediabutler.conf
├── netdata.conf
├── nzbget.conf
├── nzbhydra2.conf
├── ombiv2.conf
├── ombiv3.conf
├── phpapp.conf
├── plex.conf
├── portainer.conf
├── qbittorrent.conf
├── radarr.conf
├── rutorrent.conf
├── sabnzbd.conf
├── sickrage.conf
├── sonarr.conf
├── tautulli.conf
└── transmission.conf
├── Docker
└── default.conf
├── Examples
├── Example A
│ ├── EXAMPLEA-FULL.conf
│ ├── mime-types.conf
│ ├── nginx.conf
│ ├── sites-enabled
│ │ ├── EXAMPLEA.TLD.conf
│ │ └── catchall.conf
│ └── snippets
│ │ ├── ExampleA-Apps.conf
│ │ ├── fastcgi-php.conf
│ │ ├── organizr
│ │ ├── auth-v2.conf
│ │ └── error-v2.conf
│ │ ├── proxy.conf
│ │ ├── snakeoil.conf
│ │ ├── strong-ssl-clients.conf
│ │ └── strong-ssl.conf
└── README.md
├── LICENSE
├── README.md
├── Snippets
├── Organizr
│ ├── Auth Blocks
│ │ ├── authV1.conf
│ │ ├── authV1subdomain.conf
│ │ ├── authV2.conf
│ │ └── authV2subdomain.conf
│ └── Error Pages
│ │ ├── errorV1.conf
│ │ ├── errorV1subdomain.conf
│ │ ├── errorV2.conf
│ │ └── errorV2subdomain.conf
├── PHP
│ └── phpfpm.conf
├── fastcgi-php.conf
├── proxy examples.conf
├── proxy_websocket.conf
├── strong-ssl-noframe.conf
└── strong-ssl.conf
└── Subdomains
├── bitwarden.conf
├── deluge.conf
├── duplicati.conf
├── emby.conf
├── filebrowser.conf
├── goaccess.conf
├── grafana.conf
├── guacamole.conf
├── heimdall.conf
├── homeassistant.conf
├── moodle.conf
├── nexcloud.conf
├── ombi.conf
├── organizr.conf
├── pihole.conf
├── plex.conf
├── qbittorrent.conf
├── radarr.conf
├── rutorrent.conf
├── sonarr.conf
├── syncloungeV2.conf
├── tautulli.conf
├── tautulli.newsletter.conf
└── unifi.controller.conf
/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------

.DS_Store
--------------------------------------------------------------------------------
/Apps/bazarr.conf:
--------------------------------------------------------------------------------
# Bazarr Reverse Proxy
# Be sure to set your Base-URL in Bazarr
# Subfolder snippet: include it inside a server {} block. The headers below pass the
# client address and original scheme through so Bazarr can build correct URLs.
location /bazarr {
    proxy_pass http://127.0.0.1:6767/bazarr;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    # NOTE(review): "Upgrade" is sent on every request, not only on WebSocket upgrades
    # ($http_upgrade is empty otherwise, so nginx drops the Upgrade header but keeps this one).
    # Confirm Bazarr tolerates that; the nginx-documented pattern is a map from $http_upgrade.
    proxy_set_header Connection "Upgrade";
    proxy_redirect off;
    # Allow the Bazarr API through if you enable Auth on the block above
    # NOTE(review): with auth_request off, /bazarr/api is reachable without the proxy-level
    # auth check; only Bazarr's own API key protects it, so keep that key set and private.
    location /bazarr/api {
        auth_request off;
        proxy_pass http://127.0.0.1:6767/bazarr/api;
    }
}
--------------------------------------------------------------------------------
/Apps/calibre.conf:
--------------------------------------------------------------------------------
# Calibre-Web
# X-Script-Name tells Calibre-Web the subfolder it is served under (no Base-URL setting needed).
location /calibre {
    proxy_pass http://127.0.0.1:8083;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Script-Name /calibre;
}
--------------------------------------------------------------------------------
/Apps/couchpotato.conf:
--------------------------------------------------------------------------------
# CouchPotato Reverse Proxy
# Be sure to set your Base-URL in CouchPotato
# NOTE(review): no X-Forwarded-Proto is passed here (unlike most other snippets in Apps/);
# if CouchPotato generates absolute URLs behind an HTTPS front end they may come out as http://.
location /couchpotato {
    proxy_pass http://127.0.0.1:5050;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
--------------------------------------------------------------------------------
/Apps/deluge.conf:
--------------------------------------------------------------------------------
# Deluge Reverse Proxy
# /deluge is redirected to /deluge/ so relative links resolve under the subfolder.
location /deluge {
    return 301 $scheme://$host/deluge/;
}
location /deluge/ {
    proxy_pass http://127.0.0.1:8112/;
    proxy_set_header X-Deluge-Base "/deluge/";
    # NOTE(review): an add_header inside a location replaces, rather than extends, the
    # add_header set inherited from the server {} (nginx inherits add_header only when the
    # current level defines none). Any server-level HSTS / nosniff headers are therefore not
    # emitted for /deluge/ unless repeated here.
    add_header X-Frame-Options SAMEORIGIN;
    # Strip the /deluge prefix before proxying; "break" stops further rewrite processing.
    rewrite /deluge(.*) $1 break;
}
--------------------------------------------------------------------------------
/Apps/duplicati.conf:
--------------------------------------------------------------------------------
# First go into duplicati settings, under "General" set the URL Base to /duplicati and restart the duplicati container

location /duplicati {
    return 301 $scheme://$host/duplicati/;
}
location ^~ /duplicati/ {
    # Enable the next two lines for http auth
    #auth_basic "Restricted";
    #auth_basic_user_file /config/nginx/.htpasswd;
    # Enable the next two lines for ldap auth, also customize and enable ldap.conf in the default conf
    #auth_request /auth;
    #error_page 401 =200 /login;
    #include /config/nginx/proxy.conf;
    # 127.0.0.11 is the Docker embedded DNS; "valid=30s" re-resolves the container name
    # so a restarted container with a new address is picked up without reloading nginx.
    resolver 127.0.0.11 valid=30s;
    # Change duplicati to the correct container name or to the corresponding IP
    # Using a variable in proxy_pass forces runtime resolution via the resolver above.
    set $upstream_duplicati duplicati;
    rewrite /duplicati(.*) $1 break;
    proxy_pass http://$upstream_duplicati:8200;
}
--------------------------------------------------------------------------------
/Apps/emby.conf:
--------------------------------------------------------------------------------
# EMBY Reverse Proxy
# NOTE(review): no X-Forwarded-Proto / X-Forwarded-Host is passed; confirm Emby's
# generated URLs are correct behind HTTPS before relying on this block.
location /emby {
    proxy_pass http://127.0.0.1:8096;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
--------------------------------------------------------------------------------
/Apps/flood.conf:
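--------------------------------------------------------------------------------
#Need to set "/flood/" as baseurl in your flood/config.js
# auth_request /auth-0 requires the Organizr group-0 (Admin) auth subrequest defined in the
# server block (see Docker/default.conf); the upstream address is site-specific.
location /flood/ {
    auth_request /auth-0;
    port_in_redirect off;
    rewrite ^/flood/(.*) /$1 break;
    proxy_pass http://10.0.0.11:3000;
}
--------------------------------------------------------------------------------
/Apps/jackett.conf:
--------------------------------------------------------------------------------
# Reverse Proxy for Jackett
location /jackett/ {
    proxy_pass http://127.0.0.1:9117/jackett/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # NOTE(review): the scheme is hard-coded; correct only when this snippet is included in
    # an HTTPS-only server block. Use $scheme if the server also listens on plain HTTP.
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 32 4k;
}
--------------------------------------------------------------------------------
/Apps/lazylibrarian.conf:
--------------------------------------------------------------------------------
# Reverse Proxy for Lazy Librarian
location /lazylibrarian/ {
    proxy_pass http://127.0.0.1:5299/lazylibrarian/;
    proxy_set_header Host $host:$server_port;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_redirect http:// https://;
}
--------------------------------------------------------------------------------
/Apps/lidarr.conf:
--------------------------------------------------------------------------------
# Lidarr reverse proxy
# Be sure to set your URL-Base in Lidarr
location /lidarr/ {
    proxy_pass http://127.0.0.1:8686/lidarr/;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_no_cache $cookie_session;
    # API path bypasses the proxy-level auth so clients with a Lidarr API key still work;
    # only Lidarr's own API key protects it.
    location /lidarr/api {
        auth_request off;
        proxy_pass http://127.0.0.1:8686/lidarr/api;
    }
}
--------------------------------------------------------------------------------
/Apps/mediabutler.conf:
--------------------------------------------------------------------------------
## Mediabutler Reverse Proxy
location /mediabutler/ {
    proxy_pass http://127.0.0.1:9876/;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    # NOTE: add_header in a location replaces the server-level add_header set (nginx
    # inheritance rule); repeat any server-level security headers here if they matter.
    add_header X-Frame-Options SAMEORIGIN;
    proxy_set_header X-Real-IP $remote_addr;
    # Fixed: this was $remote_addr (a client IP, not a scheme), which sent a bogus
    # X-Forwarded-Proto value upstream. $scheme matches the X-Forwarded-Protocol line below.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Protocol $scheme;
    proxy_redirect off;
}
--------------------------------------------------------------------------------
/Apps/netdata.conf:
--------------------------------------------------------------------------------
# NetData Reverse Proxy
location = /netdata {
    return 301 /netdata/;
}
# Named capture "ndpath" holds everything after /netdata/ and is used in proxy_pass below.
# (The capture name had been lost in transit, leaving the invalid pattern "(?.*)".)
location ~ /netdata/(?<ndpath>.*) {
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_pass_request_headers on;
    proxy_set_header Connection "keep-alive";
    proxy_store off;
    proxy_pass http://127.0.0.1:19999/$ndpath$is_args$args;

    gzip on;
    gzip_proxied any;
    gzip_types *;
}
--------------------------------------------------------------------------------
/Apps/nzbget.conf:
--------------------------------------------------------------------------------
# NZBGet Reverse Proxy
location /nzbget {
    proxy_pass http://127.0.0.1:6789;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_no_cache $cookie_session;
    proxy_set_header Accept-Encoding "";
    proxy_set_header Host $host;
    # USE NZBGET API
    # The three RPC endpoints bypass the proxy-level auth; NZBGet's own credentials
    # (control username/password) are what protects them.
    location /nzbget/xmlrpc {
        auth_request off;
        proxy_pass http://127.0.0.1:6789/nzbget/xmlrpc;
    }
    location /nzbget/jsonrpc {
        auth_request off;
        proxy_pass http://127.0.0.1:6789/nzbget/jsonrpc;
    }
    location /nzbget/jsonprpc {
        auth_request off;
        proxy_pass http://127.0.0.1:6789/nzbget/jsonprpc;
    }
}
--------------------------------------------------------------------------------
/Apps/nzbhydra2.conf:
--------------------------------------------------------------------------------
# Nzbhydra 2 Reverse Proxy
location /nzbhydra {
    proxy_pass http://127.0.0.1:5076/nzbhydra/;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header Scheme $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_redirect off;
}
--------------------------------------------------------------------------------
/Apps/ombiv2.conf:
--------------------------------------------------------------------------------
# Ombi Requests v2
# Be sure to set your Base-URL in Ombi v2
# !! THIS WILL NOT WORK FOR v3 !!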
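location /ombi {
    proxy_pass http://127.0.0.1:3579;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
--------------------------------------------------------------------------------
/Apps/ombiv3.conf:
--------------------------------------------------------------------------------
# Ombi v3 Reverse proxy
# Be sure to set your Base-URL in Ombi v3
location /ombi {
    proxy_pass http://127.0.0.1:5000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    # NOTE(review): "keep-alive" is sent even when the client asks for a WebSocket upgrade;
    # if Ombi needs WebSockets behind this proxy, a Connection value derived from
    # $http_upgrade would be required. Left as-is pending confirmation.
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    # OMBI ALLOW API
    # Bypasses the proxy-level auth; Ombi's own API key is the only protection here.
    location /ombi/api {
        auth_request off;
        proxy_pass http://127.0.0.1:5000/ombi/api;
    }
}
--------------------------------------------------------------------------------
/Apps/phpapp.conf:
--------------------------------------------------------------------------------
# This block is used for a PHP app that is not in your main root
#
# Fixed: the original used "location /yourapp" (no trailing slash) together with
# "alias /var/www/appname/" (trailing slash). With that mismatch nginx maps a request for
# /yourapp../ to /var/www/appname/../, i.e. outside the alias directory. The location prefix
# and the alias path must end the same way, so the prefix is now /yourapp/ and the bare
# /yourapp is redirected to it, matching the pattern used by the other snippets in Apps/.
location = /yourapp {
    return 301 /yourapp/;
}
location /yourapp/ {
    alias /var/www/appname/;
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        include snippets/fastcgi-php.conf;
        # $request_filename is the alias-resolved path, which is what PHP-FPM must execute.
        fastcgi_param SCRIPT_FILENAME $request_filename;
        include fastcgi_params;
    }
}
--------------------------------------------------------------------------------
/Apps/plex.conf:
--------------------------------------------------------------------------------
# Plex Reverse Proxy
# Update the 192.168.1.103 IP to your Plex Server's IP

location /plex {
    return 301 $scheme://$host/plex/;
}
location ^~ /plex/ {
    rewrite /plex(.*) $1 break;
    proxy_pass http://192.168.1.103:32400;
    proxy_intercept_errors off;
    # Forward the X-Plex-* client headers unchanged so Plex can identify the client.
    proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
    proxy_set_header X-Plex-Device $http_x_plex_device;
    proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
    proxy_set_header X-Plex-Platform $http_x_plex_platform;
    proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
    proxy_set_header X-Plex-Product $http_x_plex_product;
    proxy_set_header X-Plex-Token $http_x_plex_token;
    proxy_set_header X-Plex-Version $http_x_plex_version;
    proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
    proxy_set_header X-Plex-Provides $http_x_plex_provides;
    proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
    proxy_set_header X-Plex-Model $http_x_plex_model;
}
# Plex Web requests /web/... relative to the host; send those back under /plex/ when the
# referer shows they came from the Plex UI. (server-level "if"; keep it limited to this rewrite)
if ($http_referer ~* /plex) {
    rewrite ^/web/(.*) /plex/web/$1? redirect;
}
--------------------------------------------------------------------------------
/Apps/portainer.conf:
--------------------------------------------------------------------------------
# Portainer redirect location block
location /portainer {
    return 301 /portainer/;
}

# Portainer location block
location /portainer/ {
    proxy_intercept_errors on;
    proxy_set_header Connection "";
    proxy_pass http://127.0.0.1:9000/;
}

# Portainer websocket location block
location /portainer/api/websocket/ {
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_pass http://127.0.0.1:9000/api/websocket/;
}
--------------------------------------------------------------------------------
/Apps/qbittorrent.conf:
--------------------------------------------------------------------------------
#qBittorrent Reverse Proxy
location /qbt/ {

    #Org Auth
    #auth_request /auth-0; #=Admin

    proxy_pass http://127.0.0.1:8080/;
    #include C:/nginx/conf/proxy.conf;
    proxy_set_header X-Forwarded-Host $server_name:$server_port;
    # NOTE(review): proxy_hide_header acts on response headers from upstream, so the two
    # lines below do nothing for the request; it is the proxy_set_header lines that blank
    # Referer/Origin. Blanking them sidesteps qBittorrent's own Origin/Referer checks, so the
    # WebUI then relies entirely on the proxy-level auth and a strong WebUI password.
    proxy_hide_header Referer;
    proxy_hide_header Origin;
    proxy_set_header Referer '';
    proxy_set_header Origin '';
    #add_header X-Frame-Options "SAMEORIGIN"; #See comment at the end

    #nzb360 Auth off
    # The sub-paths below bypass the proxy-level auth for API clients; note that this
    # includes /qbt/login, so the qBittorrent login endpoint is reachable by anyone who can
    # reach this server.
    location ^~ /qbt/api {
        auth_request off;
        rewrite /qbt(.*) $1 break;
        proxy_pass http://127.0.0.1:8080;
    }

    location ^~ /qbt/command {
        auth_request off;
        rewrite /qbt(.*) $1 break;
        proxy_pass http://127.0.0.1:8080;
    }

    location ^~ /qbt/query {
        auth_request off;
        rewrite /qbt(.*) $1 break;
        proxy_pass http://127.0.0.1:8080;
    }

    location ^~ /qbt/login {
        auth_request off;
        rewrite /qbt(.*) $1 break;
        proxy_pass http://127.0.0.1:8080;
    }

    location ^~ /qbt/sync {
        auth_request off;
        rewrite /qbt(.*) $1 break;
        proxy_pass http://127.0.0.1:8080;
    }
}

## Note: For some users, several windows in the Web UI will still be blank, such as when adding a new torrent from a URL/magnet or local file.
## If so, try adding the following line to the location block:
## add_header X-Frame-Options "SAMEORIGIN";
--------------------------------------------------------------------------------
/Apps/radarr.conf:
--------------------------------------------------------------------------------
# Radarr Reverse Proxy
# Be sure to set your Base-URL in Radarr
location /radarr {
    proxy_pass http://127.0.0.1:7878/radarr;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_no_cache $cookie_session;
    # Allow the Radarr API through if you enable Auth on the block above
    # (only Radarr's own API key protects this path once auth_request is off)
    location /radarr/api {
        auth_request off;
        proxy_pass http://127.0.0.1:7878/radarr/api;
    }
}
--------------------------------------------------------------------------------
/Apps/rutorrent.conf:
--------------------------------------------------------------------------------
### Pointing to a rutorrent docker

location /rutorrent/ {
    auth_request /auth-0;
    proxy_pass http://10.0.0.11:9080;
    include /config/nginx/proxy.conf; #LSIO LE default proxy.conf
    rewrite /rutorrent(.*) $1 break;
}
--------------------------------------------------------------------------------
/Apps/sabnzbd.conf:
--------------------------------------------------------------------------------
# SABNZBD reverse proxy
location /sabnzbd {
    proxy_pass http://127.0.0.1:8085;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect http:// $scheme://;
}
--------------------------------------------------------------------------------
/Apps/sickrage.conf:
--------------------------------------------------------------------------------
# Sickrage Reverse Proxy
# Be sure to set your Base-URL in Sickrage
location /sickrage {
    proxy_pass http://127.0.0.1:8081;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
--------------------------------------------------------------------------------
/Apps/sonarr.conf:
--------------------------------------------------------------------------------
# Sonarr Reverse Proxy
# Be sure to set your Base-URL in Sonarr
location /sonarr {
    proxy_pass http://127.0.0.1:8989/sonarr;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_no_cache $cookie_session;
    # Allow the Sonarr API through if you enable Auth on the block above
    # (only Sonarr's own API key protects this path once auth_request is off)
    location /sonarr/api {
        auth_request off;
        proxy_pass http://127.0.0.1:8989/sonarr/api;
    }
}
--------------------------------------------------------------------------------
/Apps/tautulli.conf: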
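--------------------------------------------------------------------------------
# Tautulli Reverse proxy
# Be sure to set your Base-URL in Tautulli
location /tautulli {
    proxy_pass http://127.0.0.1:8181;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect http:// $scheme://;
    proxy_hide_header X-Frame-Options;
    # The three sub-paths below bypass the proxy-level auth (API key / public newsletter
    # and image links need to work without an Organizr session).
    # TAUTULLI ALLOW API
    location /tautulli/api {
        auth_request off;
        proxy_pass http://127.0.0.1:8181/tautulli/api;
    }
    # TAUTULLI ALLOW SELFHOSTED NEWSLETTER
    location /tautulli/newsletter {
        auth_request off;
        proxy_pass http://127.0.0.1:8181/tautulli/newsletter;
    }
    # TAUTULLI ALLOW SELFHOSTED IMAGES
    location /tautulli/image {
        auth_request off;
        proxy_pass http://127.0.0.1:8181/tautulli/image;
    }
}
--------------------------------------------------------------------------------
/Apps/transmission.conf:
--------------------------------------------------------------------------------
# Transmission Reverse proxy
location /transmission {
    proxy_pass http://127.0.0.1:9091;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
--------------------------------------------------------------------------------
/Docker/default.conf:
--------------------------------------------------------------------------------
# This is a basic, default Nginx file to work with the LetsEncrypt and Organizr v2 Docker containers. LetsEncrypt will be your main
# Nginx Web Server and that is where all config changes should be made.

# Redirect all traffic to https
server {
    listen 80;
    listen [::]:80;
    server_name _; # This will respond to any domain/subdomain that isn't specified in another config
    # NOTE(review): $host comes from the client's Host header, so this catch-all will redirect
    # to whatever host name the client sent. Acceptable for a catch-all; use a fixed host name
    # in server blocks that have one.
    return 301 https://$host$request_uri;
}

# Main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    index index.html index.htm index.php;
    server_name _; # This will respond to any domain/subdomain that isn't specified in another config

    # Enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # All ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # Custom Org v2 error pages
    # Errors are rewritten to 200 + an Organizr error page; 401 also carries the original
    # URI so Organizr can send the user back after login.
    error_page 400 403 404 405 408 500 502 503 504 =200 /?error=$status;
    error_page 401 =200 /?error=$status&return=$request_uri;

    # Proxy origin IP
    proxy_bind $server_addr;

    # Org v2 Server Auth
    # auth_request subrequest target: /auth-<group id> asks Organizr whether the current
    # session belongs to group <group id>. "internal" means it cannot be requested by clients.
    location ~ /auth-([0-9]+) {
        internal;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        # Change organizr to the correct container name or to the corresponding IP
        set $upstream_organizr organizr;
        proxy_pass http://$upstream_organizr:80/api/?v1/auth&group=$1;
        proxy_set_header Content-Length "";

        # Do not uncomment the lines below, these are examples for use in other proxy configs
        #auth_request /auth-0; #=Admin
        #auth_request /auth-1; #=Co-Admin
        #auth_request /auth-2; #=Super User
        #auth_request /auth-3; #=Power User
        #auth_request /auth-4; #=User
        #auth_request /auth-998; #=Logged In
        #auth_request /auth-999; #=Guest
    }

    # Deny access to all .ht files
    location ~ /\.ht {
        deny all;
    }

    # Deny access to Org Dashboard files
    # Dots are escaped so the pattern matches the literal file names (an unescaped "."
    # matched any character).
    location ~ /org\.db|organizrLog\.json|organizrLoginLog\.json {
        deny all;
    }

    # Home location block (Organizr v2)
    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        # Change organizr to the correct container name or to the corresponding IP
        set $upstream_organizr organizr;
        proxy_pass http://$upstream_organizr:80;
    }
}

# Enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
# NOTE(review): the zone is declared here but nothing in this file sets "proxy_cache auth_cache;",
# so auth results are only cached where a location opts in.
proxy_cache_path cache/ keys_zone=auth_cache:10m;
--------------------------------------------------------------------------------
/Examples/Example A/EXAMPLEA-FULL.conf:
--------------------------------------------------------------------------------
## EXAMPLE ##
## This is an example of how everything looks with no includes
## Use this as a reference when trying to learn how nginx works
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    geoip_country /usr/share/GeoIP/GeoIP.dat;


    # GEO IP BLOCK SITE 1 - JUST North America
    # NOTE(review): $allowed_country / $allowed_country2 are defined but not referenced in the
    # visible part of this file; they only take effect where a server block checks them
    # (e.g. "if ($allowed_country = no) { return 403; }").
    map $geoip_country_code $allowed_country {
        default no;
        US yes;
        CA yes;
        MX yes;
    }
    # GEO IP BLOCK SITE 2 - Blacklist
    map $geoip_country_code $allowed_country2 {
        default yes;
        CN no; #China
        RU no; #Russia
        HK no; #Hong Kong
        IN no; #India
        IR no; #Iran
        VN no; #Vietnam
        TR no; #Turkey
        EG no; #Egypt
        JP no; #Japan
        KR no; #South Korea
        KP no; #North Korea :)
        PE no; #Peru
        BR no; #Brazil
        UA no; #Ukraine
        ID no; #Indonesia
        TH no; #Thailand
    }

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Enabled (was commented out): hides the nginx version in the Server header and error
    # pages for every server block, including the catch-alls below that do not set it.
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;


    types {
        text/html html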
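htm shtml;
        text/css css;
        text/xml xml;
        image/gif gif;
        image/jpeg jpeg jpg;
        application/javascript js;
        application/atom+xml atom;
        application/rss+xml rss;

        text/mathml mml;
        text/plain txt;
        text/vnd.sun.j2me.app-descriptor jad;
        text/vnd.wap.wml wml;
        text/x-component htc;

        image/png png;
        image/tiff tif tiff;
        image/vnd.wap.wbmp wbmp;
        image/x-icon ico;
        image/x-jng jng;
        image/x-ms-bmp bmp;
        image/svg+xml svg svgz;
        image/webp webp;

        application/font-woff woff;
        application/java-archive jar war ear;
        application/json json;
        application/mac-binhex40 hqx;
        application/msword doc;
        application/pdf pdf;
        application/postscript ps eps ai;
        application/rtf rtf;
        application/vnd.apple.mpegurl m3u8;
        application/vnd.ms-excel xls;
        application/vnd.ms-fontobject eot;
        application/vnd.ms-powerpoint ppt;
        application/vnd.wap.wmlc wmlc;
        application/vnd.google-earth.kml+xml kml;
        application/vnd.google-earth.kmz kmz;
        application/x-7z-compressed 7z;
        application/x-cocoa cco;
        application/x-java-archive-diff jardiff;
        application/x-java-jnlp-file jnlp;
        application/x-makeself run;
        application/x-perl pl pm;
        application/x-pilot prc pdb;
        application/x-rar-compressed rar;
        application/x-redhat-package-manager rpm;
        application/x-sea sea;
        application/x-shockwave-flash swf;
        application/x-stuffit sit;
        application/x-tcl tcl tk;
        application/x-x509-ca-cert der pem crt;
        application/x-xpinstall xpi;
        application/xhtml+xml xhtml;
        application/xspf+xml xspf;
        application/zip zip;

        application/octet-stream bin exe dll;
        application/octet-stream deb;
        application/octet-stream dmg;
        application/octet-stream iso img;
        application/octet-stream msi msp msm;

        application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
        application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
        application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;

        audio/midi mid midi kar;
        audio/mpeg mp3;
        audio/ogg ogg;
        audio/x-m4a m4a;
        audio/x-realaudio ra;

        video/3gpp 3gpp 3gp;
        video/mp2t ts;
        video/mp4 mp4;
        video/mpeg mpeg mpg;
        video/quicktime mov;
        video/webm webm;
        video/x-flv flv;
        video/x-m4v m4v;
        video/x-mng mng;
        video/x-ms-asf asx asf;
        video/x-ms-wmv wmv;
        video/x-msvideo avi;
    }
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    # TLS 1.0/1.1 dropped (deprecated by RFC 8996); this is the http-level default, the
    # EXAMPLEA.TLD server below overrides it with the same value. TLSv1.3 requires nginx
    # built against OpenSSL 1.1.1 or newer; remove it if your build rejects the value.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    # CATCH ALL CONF FOR ROGUE IP DATA
    # Requests that do not match a named server (raw IP, unknown hosts) land here.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        server_name_in_redirect off;
        log_not_found off;
        return 301 http://geektyper.com/nasa/;
    }
    server {
        listen 443 ssl default_server;
        # Fixed: "ssl" was missing on the IPv6 listener, so TLS handshakes arriving over
        # IPv6 were parsed as plain HTTP instead of being served with the self-signed cert.
        listen [::]:443 ssl default_server;
        server_name _;

        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        server_name_in_redirect off;
        log_not_found off;

        return 301 https://hackertyper.net/;

    }

    ## EXAMPLEA.TLD ##
    # REDIRECT WWW TO https://[domain.com]
    server {
        listen 80;
        listen 443 ssl http2;
        server_name www.EXAMPLEA.TLD;
        # Fixed: the target was "https://EXAMPLEA$request_uri" (TLD missing), which redirected
        # to a non-existent host.
        return 301 https://EXAMPLEA.TLD$request_uri;

        ssl_certificate /etc/letsencrypt/live/EXAMPLEA.TLD/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/EXAMPLEA.TLD/privkey.pem; # managed by Certbot
    }

    server {
        listen 80;
        listen [::]:80;
        server_name EXAMPLEA.TLD;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name EXAMPLEA.TLD;
        # Strong SSL With iFrame Blocking
        # TLS 1.0/1.1 dropped (RFC 8996); see the http-level note on TLSv1.3 support.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        # Cipher list reduced to AEAD suites with forward secrecy. The previous list still
        # allowed 3DES (DES-CBC3-SHA), CAMELLIA, CBC/SHA1 suites and plain RSA key exchange
        # (no forward secrecy). CHACHA20 entries are ignored by OpenSSL builds that lack them.
        ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
        ssl_ecdh_curve secp384r1;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;

        # Set Google's public DNS servers as upstream resolver
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;

        # HSTS
        # NOTE: nginx does not inherit add_header into a location that defines its own
        # add_header; none of the locations in this server do, so these headers apply everywhere.
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";

        # Modify X-Frame-Option from DENY to SAMEORIGIN, required for Deluge Web UI, ownCloud, etc.
        #add_header X-Frame-Options SAMEORIGIN;

        add_header X-Content-Type-Options nosniff; # no sniffing

        # NOTE(review): the XSS auditor this header controls has been removed from current
        # browsers; the header is harmless but no longer provides protection.
        add_header X-XSS-Protection "1; mode=block" always; # force cross site protection if needed

        add_header Referrer-Policy "same-origin"; # no trails
        proxy_cookie_path / "/; HTTPOnly; Secure"; # cookie secure stuff
        add_header X-Robots-Tag none;

        # Use the 2048 bit DH key
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        # Fun Stuff
        # more_set_headers / more_clear_headers need the headers-more module to be loaded.
        server_tokens off; # hide server tokens
        more_set_headers 'Server: Mars'; # Set Server Name
        add_header X-Powered-By "Fusion Power"; # Set Server Engine
        more_clear_headers 'X-Powered-By';
        ssl_certificate /etc/letsencrypt/live/EXAMPLEA.TLD/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/EXAMPLEA.TLD/privkey.pem; # managed by Certbot
        ssl_trusted_certificate /etc/letsencrypt/live/EXAMPLEA.TLD/chain.pem;

        # Home location block (Organizr v2)
        location / {
            proxy_pass http://192.168.1.2:81/;
            client_max_body_size 10m;
            client_body_buffer_size 128k;

            #Timeout if the real server is dead
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

            # Advanced Proxy Config
            send_timeout 5m;
            proxy_read_timeout 240;
            proxy_send_timeout 240;
            proxy_connect_timeout 240;

            # Basic Proxy Config
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Hard-coded scheme is correct here: this server only listens on 443 with ssl.
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_redirect http:// $scheme://;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            #proxy_cookie_path / "/; HTTPOnly; Secure"; # enable at your own risk, may break certain apps
            proxy_cache_bypass $cookie_session;
            proxy_no_cache $cookie_session;
            proxy_buffers 32 4k;
        }
        ## To utilize the block drop "auth_request /auth-x;" within your location block, where x=OrgV2 group_id
        #auth_request /auth-0; #=Admin
        #auth_request /auth-1; #=Co-Admin
        #auth_request /auth-2; #=Super User
        #auth_request /auth-3; #=Power User
        #auth_request /auth-4; #=User
        #auth_request /auth-999; #=Guest

        # Organizr auth subrequest target. Group ids are numeric, so the capture is restricted
        # to digits (was "(.*)"), matching Docker/default.conf; "internal" keeps it unreachable
        # from clients.
        location ~ /auth-([0-9]+) {
            internal;
            proxy_pass http://192.168.1.2:81/api/?v1/auth&group=$1;
            proxy_set_header Content-Length "";
        }
        # NOTE(review): DOMAIN.TLD here vs EXAMPLEA.TLD elsewhere in this server - confirm the
        # intended host for the Organizr error pages.
        error_page 400 401 402 403 404 405 408 500 502 503 504 $scheme://DOMAIN.TLD/?error=$status; #org 2
        #proxy_intercept_errors on; #For custom Organizr error pages
        ### WEB SERVER ### 192.168.1.2
        ## PORTAINER WEBSERVER ###
        location /portainer/ {
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_pass http://192.168.1.2:9000/;
            proxy_hide_header X-Frame-Options;
        }
        location /portainer/api/websocket/ {
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_http_version 1.1;
            proxy_pass http://192.168.1.2:9000/api/websocket/;
            proxy_hide_header X-Frame-Options;
        }

        ###############
        ### PLEX VM ### 192.168.1.3
        ## PLEX ##
        location /plex/ {
            proxy_pass http://192.168.1.3:32400/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            # NOTE(review): the sub_filter arguments appear to have lost their markup in transit
            # (both are effectively empty); restore them from the upstream file before use.
            sub_filter '' ' ';
            sub_filter_once on;
        }
        if ($http_referer ~* /plex/) {
            rewrite ^/web/(.*) /plex/web/$1? redirect;
        }

        ## PLEX WEB TOOLS ##
        location /pwt {
            auth_request /auth-1;
            proxy_pass http://192.168.1.3:33400;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection keep-alive;
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
        ## TAUTULLI ##
        location /tautulli {
            auth_request /auth-1;
            proxy_pass http://192.168.1.3:8181;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Host $server_name;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_http_version 1.1;
            proxy_no_cache $cookie_session;
            # API, newsletter and image paths bypass the Organizr auth on purpose.
            location /tautulli/api {
                auth_request off;
                proxy_pass http://192.168.1.3:8181/tautulli/api;
            }
            location /tautulli/newsletter {
                auth_request off;
                proxy_pass http://192.168.1.3:8181/tautulli/newsletter;
            }
            location /tautulli/image {
                auth_request off;
                proxy_pass http://192.168.1.3:8181/tautulli/image;
            }
        }

        ###############
        ### SEED VM ### 192.168.1.4
        ## Sonarr - Television ##
        location /sonarr {
            auth_request /auth-1;
            proxy_pass http://192.168.1.4:8989/sonarr;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
            proxy_no_cache $cookie_session;
            # proxy_set_header Accept-Encoding "";
            # sub_filter '' '';
            # sub_filter_once on;
            location /sonarr/api {
                auth_request off;
                proxy_pass http://192.168.1.4:8989/sonarr/api;
            }
        }

        ## Sonarr - 4K Television ##
        location /sonarr4k {
            auth_request /auth-1;
            proxy_pass http://192.168.1.4:9898/sonarr4k;
            proxy_set_header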
X-Real-IP $remote_addr; 394 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 395 | proxy_set_header X-Forwarded-Proto $scheme; 396 | proxy_http_version 1.1; 397 | proxy_no_cache $cookie_session; 398 | proxy_set_header Accept-Encoding ""; 399 | sub_filter '' ''; 400 | sub_filter_once on; 401 | location /sonarr4k/api {auth_request off; 402 | proxy_pass http://192.168.1.4:9898/sonarr4k/api; 403 | } 404 | } 405 | 406 | ## Radarr - Movies ## 407 | location /radarr { 408 | auth_request /auth-1; 409 | proxy_pass http://192.168.1.4:7878/radarr; 410 | proxy_set_header X-Real-IP $remote_addr; 411 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 412 | proxy_set_header X-Forwarded-Proto $scheme; 413 | proxy_http_version 1.1; 414 | proxy_no_cache $cookie_session; 415 | # proxy_set_header Accept-Encoding ""; 416 | # sub_filter '' ''; 417 | # sub_filter_once on; 418 | location /radarr/api {auth_request off; 419 | proxy_pass http://192.168.1.4:7878/radarr/api; 420 | } 421 | } 422 | ## Radarr - 4K Movies ## 423 | location /radarr4k { 424 | auth_request /auth-1; 425 | proxy_pass http://192.168.1.4:8787/radarr4k; 426 | proxy_set_header X-Real-IP $remote_addr; 427 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 428 | proxy_set_header X-Forwarded-Proto $scheme; 429 | proxy_http_version 1.1; 430 | proxy_no_cache $cookie_session; 431 | proxy_set_header Accept-Encoding ""; 432 | sub_filter '' ''; 433 | sub_filter_once on; 434 | location /radarr4k/api {auth_request off; 435 | proxy_pass http://192.168.1.4:8787/radarr4k/api; 436 | } 437 | } 438 | ## Radarr - 3D Movies ## 439 | location /radarr3d { 440 | auth_request /auth-1; 441 | proxy_pass http://192.168.1.4:8887/radarr3d; 442 | proxy_set_header X-Real-IP $remote_addr; 443 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 444 | proxy_set_header X-Forwarded-Proto $scheme; 445 | proxy_http_version 1.1; 446 | proxy_no_cache $cookie_session; 447 | # proxy_set_header Accept-Encoding ""; 
448 | # sub_filter '' ''; 449 | # sub_filter_once on; 450 | location /radarr3d/api {auth_request off; 451 | proxy_pass http://192.168.1.4:8887/radarr3d/api; 452 | } 453 | } 454 | 455 | ## Lidarr - Music ## 456 | location /lidarr { 457 | auth_request /auth-1; 458 | proxy_pass http://192.168.1.4:8686/lidarr; 459 | proxy_set_header X-Real-IP $remote_addr; 460 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 461 | proxy_set_header X-Forwarded-Proto $scheme; 462 | proxy_http_version 1.1; 463 | proxy_no_cache $cookie_session; 464 | # proxy_set_header Accept-Encoding ""; 465 | # sub_filter '' ''; 466 | # sub_filter_once on; 467 | location /lidarr/api {auth_request off; 468 | proxy_pass http://192.168.1.4:8686/lidarr/api; 469 | } 470 | } 471 | 472 | ## Bazarr - Subtitles ## 473 | location /bazarr { 474 | auth_request /auth-1; 475 | proxy_pass http://192.168.1.4:6767/bazarr; 476 | proxy_set_header X-Real-IP $remote_addr; 477 | proxy_set_header Host $host; 478 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 479 | proxy_set_header X-Forwarded-Proto $scheme; 480 | proxy_redirect off; 481 | } 482 | 483 | ## Bazarr - Subtitles 4K ## 484 | location /bazarr4k { 485 | auth_request /auth-1; 486 | proxy_pass http://192.168.1.4:7676/bazarr4k; 487 | proxy_set_header X-Real-IP $remote_addr; 488 | proxy_set_header Host $host; 489 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 490 | proxy_set_header X-Forwarded-Proto $scheme; 491 | proxy_redirect off; 492 | } 493 | 494 | ## NZBHydra 2 ## 495 | location /nzbhydra2/ { 496 | proxy_pass http://192.168.1.4:5077/nzbhydra2/; 497 | proxy_set_header Host $host; 498 | proxy_set_header X-Real-IP $remote_addr; 499 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 500 | proxy_hide_header X-Frame-Options; 501 | proxy_hide_header X-XSRF-TOKEN; 502 | } 503 | 504 | ## NZBGET ## 505 | location /nzbget/ { 506 | auth_request /auth-1; 507 | proxy_pass http://192.168.1.4:6789/nzbget/; 508 | 
proxy_set_header X-Real-IP $remote_addr; 509 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 510 | proxy_set_header X-Forwarded-Proto $scheme; 511 | proxy_http_version 1.1; 512 | proxy_no_cache $cookie_session; 513 | proxy_set_header Accept-Encoding ""; 514 | proxy_set_header Host $host; 515 | location /nzbget/xmlrpc {auth_request off; 516 | proxy_pass http://192.168.1.4:6789/nzbget/xmlrpc; 517 | } 518 | location /nzbget/jsonrpc {auth_request off; 519 | proxy_pass http://192.168.1.4:6789/nzbget/jsonrpc; 520 | } 521 | location /nzbget/jsonprpc {auth_request off; 522 | proxy_pass http://192.168.1.4:6789/nzbget/jsonprpc; 523 | } 524 | } 525 | 526 | ## OMBI v3 ## 527 | location /ombi/ { 528 | auth_request /auth-4; 529 | proxy_pass http://192.168.1.4:5000; 530 | proxy_http_version 1.1; 531 | proxy_set_header Upgrade $http_upgrade; 532 | proxy_set_header Connection keep-alive; 533 | proxy_set_header Host $host; 534 | proxy_cache_bypass $http_upgrade; 535 | } 536 | 537 | ## MEDIABUTLER ## 538 | location /mediabutler/ { 539 | proxy_pass http://192.168.1.4:9876/; 540 | proxy_set_header Upgrade $http_upgrade; 541 | proxy_set_header Connection "upgrade"; 542 | proxy_http_version 1.1; 543 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 544 | proxy_set_header Host $host; 545 | add_header X-Frame-Options SAMEORIGIN; 546 | proxy_set_header X-Real-IP $remote_addr; 547 | proxy_set_header X-Forwarded-Proto $remote_addr; 548 | proxy_set_header X-Forwarded-Protocol $scheme; 549 | proxy_redirect off; 550 | } 551 | 552 | if ($allowed_country2 = no) { return 403; } 553 | 554 | 555 | } 556 | 557 | include /etc/nginx/conf.d/*.conf; 558 | include /etc/nginx/sites-enabled/*; 559 | } 560 | 561 | 562 | #mail { 563 | # # See sample authentication script at: 564 | # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript 565 | # 566 | # # auth_http localhost/auth.php; 567 | # # pop3_capabilities "TOP" "USER"; 568 | # # imap_capabilities "IMAP4rev1" "UIDPLUS"; 
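#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}

--------------------------------------------------------------------------------
/Examples/Example A/mime-types.conf:
--------------------------------------------------------------------------------

# Extension -> MIME type table (the stock nginx list). Note that nginx.conf in this example
# includes /etc/nginx/mime.types, so this copy only takes effect if it is installed as that file
# or included explicitly.
types {
    text/html html htm shtml;
    text/css css;
    text/xml xml;
    image/gif gif;
    image/jpeg jpeg jpg;
    application/javascript js;
    application/atom+xml atom;
    application/rss+xml rss;

    text/mathml mml;
    text/plain txt;
    text/vnd.sun.j2me.app-descriptor jad;
    text/vnd.wap.wml wml;
    text/x-component htc;

    image/png png;
    image/tiff tif tiff;
    image/vnd.wap.wbmp wbmp;
    image/x-icon ico;
    image/x-jng jng;
    image/x-ms-bmp bmp;
    image/svg+xml svg svgz;
    image/webp webp;

    application/font-woff woff;
    application/java-archive jar war ear;
    application/json json;
    application/mac-binhex40 hqx;
    application/msword doc;
    application/pdf pdf;
    application/postscript ps eps ai;
    application/rtf rtf;
    application/vnd.apple.mpegurl m3u8;
    application/vnd.ms-excel xls;
    application/vnd.ms-fontobject eot;
    application/vnd.ms-powerpoint ppt;
    application/vnd.wap.wmlc wmlc;
    application/vnd.google-earth.kml+xml kml;
    application/vnd.google-earth.kmz kmz;
    application/x-7z-compressed 7z;
    application/x-cocoa cco;
    application/x-java-archive-diff jardiff;
    application/x-java-jnlp-file jnlp;
    application/x-makeself run;
    application/x-perl pl pm;
    application/x-pilot prc pdb;
    application/x-rar-compressed rar;
    application/x-redhat-package-manager rpm;
    application/x-sea sea;
    application/x-shockwave-flash swf;
    application/x-stuffit sit;
    application/x-tcl tcl tk;
    application/x-x509-ca-cert der pem crt;
    application/x-xpinstall xpi;
    application/xhtml+xml xhtml;
    application/xspf+xml xspf;
    application/zip zip;

    application/octet-stream bin exe dll;
    application/octet-stream deb;
    application/octet-stream dmg;
    application/octet-stream iso img;
    application/octet-stream msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;

    audio/midi mid midi kar;
    audio/mpeg mp3;
    audio/ogg ogg;
    audio/x-m4a m4a;
    audio/x-realaudio ra;

    video/3gpp 3gpp 3gp;
    video/mp2t ts;
    video/mp4 mp4;
    video/mpeg mpeg mpg;
    video/quicktime mov;
    video/webm webm;
    video/x-flv flv;
    video/x-m4v m4v;
    video/x-mng mng;
    video/x-ms-asf asx asf;
    video/x-ms-wmv wmv;
    video/x-msvideo avi;
}

--------------------------------------------------------------------------------
/Examples/Example A/nginx.conf:
--------------------------------------------------------------------------------
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf; # geoip and headers-more are expected to be loaded from here

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    # Legacy GeoIP database for ngx_http_geoip_module; the lookups below are only as good as
    # this file is current, so keep it updated (MaxMind no longer ships the legacy format).
    geoip_country /usr/share/GeoIP/GeoIP.dat;


    # GEO IP BLOCK SITE 1 - JUST North America
    # Allow-list: everything is "no" unless listed. The Example A site configs use
    # $allowed_country2 instead; this map is available for sites that want the stricter policy.
    map $geoip_country_code $allowed_country {
        default no;
        US yes;
        CA yes;
        MX yes;
    }
    # GEO IP BLOCK SITE 2 - Blacklist
    # Block-list: everything is "yes" unless listed. Consumed as
    # "if ($allowed_country2 = no) { return 403; }" in the site configs.
    map $geoip_country_code $allowed_country2 {
        default yes;
        CN no; #China
        RU no; #Russia
        HK no; #Hong Kong
        IN no; #India
        IR no; #Iran
        VN no; #Vietnam
        TR no; #Turkey
        EG no; #Egypt
        JP no; #Japan
        KR no; #South Korea
        KP no; #North Korea :)
        PE no; #Peru
        BR no; #Brazil
        UA no; #Ukraine
        ID no; #Indonesia
        TH no; #Thailand
    }

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off; # left per-server: any server block that does not set it itself still reports the version

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    # FIX: TLS 1.0/1.1 dropped as well (RFC 8996); add TLSv1.3 where the nginx/OpenSSL build supports it.
    # Server blocks with their own ssl_protocols (the Example A site) override this default.
    ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    # NOTE(review): compression over TLS makes responses that reflect attacker-controlled input
    # next to a secret measurable (BREACH); fine for static assets, review for dynamic pages.
    gzip on;

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}


#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}

--------------------------------------------------------------------------------
/Examples/Example A/sites-enabled/EXAMPLEA.TLD.conf:
--------------------------------------------------------------------------------
## EXAMPLEA.TLD ##
# REDIRECT WWW TO https://[domain.com]
# NOTE(review): this server also answers on 443, so the certificate below must cover
# www.EXAMPLEA.TLD (as a SAN), otherwise TLS clients warn before they ever see the redirect.
server {
    listen 80;
    listen 443 ssl http2;
    server_name www.EXAMPLEA.TLD;
    # FIX: the target used to be "https://EXAMPLEA$request_uri", i.e. host "EXAMPLEA" without the TLD
    return 301 https://EXAMPLEA.TLD$request_uri;

    ssl_certificate /etc/letsencrypt/live/EXAMPLEA.TLD/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/EXAMPLEA.TLD/privkey.pem; # managed by Certbot
}

# Plain-HTTP entry point: nothing is served here, every request is bounced to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name EXAMPLEA.TLD;
    return 301 https://$host$request_uri;
}

# The real site. TLS hardening, Organizr auth, error pages and the app proxies live in snippets/
# (relative include paths are resolved against the nginx prefix directory).
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name EXAMPLEA.TLD;
    include snippets/strong-ssl.conf;
    ssl_certificate /etc/letsencrypt/live/EXAMPLEA.TLD/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/EXAMPLEA.TLD/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/EXAMPLEA.TLD/chain.pem; # needed by ssl_stapling_verify in the snippet

    #Home location block (Organizr v2)
    location / {
        proxy_pass http://192.168.1.2:81/;
        include snippets/proxy.conf;
    }
    include snippets/organizr/auth-v2.conf;
    include snippets/organizr/error-v2.conf;
    # FIX: the file in this tree is ExampleA-Apps.conf (capital A); the old lowercase
    # "ExampleA-apps.conf" does not exist on a case-sensitive filesystem and nginx refuses to start.
    include snippets/ExampleA-Apps.conf; # reverse proxies

    # Country blacklist from the $allowed_country2 map in nginx.conf.
    if ($allowed_country2 = no) { return 403; }


}

--------------------------------------------------------------------------------
/Examples/Example A/sites-enabled/catchall.conf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Organizr/Config-Collections-for-Nginx/21a90b4dff86d861a43644b135ddcce26d438568/Examples/Example A/sites-enabled/catchall.conf
--------------------------------------------------------------------------------
/Examples/Example A/snippets/ExampleA-Apps.conf:
--------------------------------------------------------------------------------
# Reverse-proxy locations, included into the 443 server of sites-enabled/EXAMPLEA.TLD.conf.
# The /auth-N subrequest targets used by auth_request come from snippets/organizr/auth-v2.conf.
### WEB SERVER ### 192.168.1.2
## PORTAINER WEBSERVER ###
# No auth_request here: Portainer is reached with its own login. proxy_hide_header strips the
# upstream X-Frame-Options so the UI can be framed (by Organizr); clickjacking protection for
# this path then rests on the headers the including server sets.
location /portainer/ {
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_pass http://192.168.1.2:9000/;
    proxy_hide_header X-Frame-Options;
}
location /portainer/api/websocket/ {
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;
    proxy_pass http://192.168.1.2:9000/api/websocket/;
    proxy_hide_header X-Frame-Options;
}

###############
### PLEX VM ### 192.168.1.3
## PLEX ##
# Plex is not behind auth_request; it authenticates its own clients.
location /plex/ {
    proxy_pass http://192.168.1.3:32400/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    sub_filter '' ' ';
    sub_filter_once on;
}
# Plex's web client requests /web/... absolutely; send those back under /plex/ when they came from it
if ($http_referer ~* /plex/) {rewrite ^/web/(.*) /plex/web/$1? redirect;}

## PLEX WEB TOOLS ##
# NOTE(review): Upgrade is forwarded but Connection is pinned to keep-alive, so a WebSocket
# upgrade cannot complete here; if the app needs WebSockets use Connection "upgrade" (or a map
# on $http_upgrade) as the /portainer/api/websocket/ block does. Same applies to /ombi/.
location /pwt {
    auth_request /auth-1;
    proxy_pass http://192.168.1.3:33400;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
}
## TAUTULLI ##
# The nested /api, /newsletter and /image paths turn the Organizr check off so that API clients
# and mail recipients can reach them; they then rely on the app's own API key/auth.
location /tautulli {
    auth_request /auth-1;
    proxy_pass http://192.168.1.3:8181;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_http_version 1.1;
    proxy_no_cache $cookie_session;
    location /tautulli/api {auth_request off;
        proxy_pass http://192.168.1.3:8181/tautulli/api;
    }
    location /tautulli/newsletter {auth_request off;
        proxy_pass http://192.168.1.3:8181/tautulli/newsletter;
    }
    location /tautulli/image {auth_request off;
        proxy_pass http://192.168.1.3:8181/tautulli/image;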
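}
}

###############
### SEED VM ### 192.168.1.4
## Sonarr - Television ##
# Pattern for the *arr apps: UI behind Organizr group 1, /api unauthenticated at the proxy
# (the app's own API key applies there).
location /sonarr {
    auth_request /auth-1;
    proxy_pass http://192.168.1.4:8989/sonarr;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_no_cache $cookie_session;
    # proxy_set_header Accept-Encoding "";
    # sub_filter '' '';
    # sub_filter_once on;
    location /sonarr/api {auth_request off;
        proxy_pass http://192.168.1.4:8989/sonarr/api;
    }
}

## Sonarr - 4K Television ##
location /sonarr4k {
    auth_request /auth-1;
    proxy_pass http://192.168.1.4:9898/sonarr4k;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_no_cache $cookie_session;
    proxy_set_header Accept-Encoding ""; # sub_filter needs an uncompressed upstream body
    sub_filter '' '';
    sub_filter_once on;
    location /sonarr4k/api {auth_request off;
        proxy_pass http://192.168.1.4:9898/sonarr4k/api;
    }
}

## Radarr - Movies ##
location /radarr {
    auth_request /auth-1;
    proxy_pass http://192.168.1.4:7878/radarr;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_no_cache $cookie_session;
    # proxy_set_header Accept-Encoding "";
    # sub_filter '' '';
    # sub_filter_once on;
    location /radarr/api {auth_request off;
        proxy_pass http://192.168.1.4:7878/radarr/api;
    }
}
## Radarr - 4K Movies ##
location /radarr4k {
    auth_request /auth-1;
    proxy_pass http://192.168.1.4:8787/radarr4k;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_no_cache $cookie_session;
    proxy_set_header Accept-Encoding "";
    sub_filter '' '';
    sub_filter_once on;
    location /radarr4k/api {auth_request off;
        proxy_pass http://192.168.1.4:8787/radarr4k/api;
    }
}
## Radarr - 3D Movies ##
location /radarr3d {
    auth_request /auth-1;
    proxy_pass http://192.168.1.4:8887/radarr3d;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_no_cache $cookie_session;
    # proxy_set_header Accept-Encoding "";
    # sub_filter '' '';
    # sub_filter_once on;
    location /radarr3d/api {auth_request off;
        proxy_pass http://192.168.1.4:8887/radarr3d/api;
    }
}

## Lidarr - Music ##
location /lidarr {
    auth_request /auth-1;
    proxy_pass http://192.168.1.4:8686/lidarr;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_no_cache $cookie_session;
    # proxy_set_header Accept-Encoding "";
    # sub_filter '' '';
    # sub_filter_once on;
    location /lidarr/api {auth_request off;
        proxy_pass http://192.168.1.4:8686/lidarr/api;
    }
}

## Bazarr - Subtitles ##
location /bazarr {
    auth_request /auth-1;
    proxy_pass http://192.168.1.4:6767/bazarr;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_redirect off;
}

## Bazarr - Subtitles 4K ##
location /bazarr4k {
    auth_request /auth-1;
    proxy_pass http://192.168.1.4:7676/bazarr4k;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_redirect off;
}

## NZBHydra 2 ##
# No auth_request: relies on the app's own login. The X-XSRF-TOKEN response header is hidden
# from clients - presumably intentional, confirm the UI does not need it.
location /nzbhydra2/ {
    proxy_pass http://192.168.1.4:5077/nzbhydra2/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_hide_header X-Frame-Options;
    proxy_hide_header X-XSRF-TOKEN;
}

## NZBGET ##
# The three RPC endpoints are exempt from the Organizr check for API clients.
location /nzbget/ {
    auth_request /auth-1;
    proxy_pass http://192.168.1.4:6789/nzbget/;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_no_cache $cookie_session;
    proxy_set_header Accept-Encoding "";
    proxy_set_header Host $host;
    location /nzbget/xmlrpc {auth_request off;
        proxy_pass http://192.168.1.4:6789/nzbget/xmlrpc;
    }
    location /nzbget/jsonrpc {auth_request off;
        proxy_pass http://192.168.1.4:6789/nzbget/jsonrpc;
    }
    location /nzbget/jsonprpc {auth_request off;
        proxy_pass http://192.168.1.4:6789/nzbget/jsonprpc;
    }
}

## OMBI v3 ##
# Group 4 (User) rather than group 1: every Organizr user may request media.
location /ombi/ {
    auth_request /auth-4;
    proxy_pass http://192.168.1.4:5000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
}

## MEDIABUTLER ##
location /mediabutler/ {
    proxy_pass http://192.168.1.4:9876/;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    # NOTE(review): nginx does not merge add_header across levels - this location-level
    # add_header drops every add_header the including server set (HSTS, nosniff,
    # Referrer-Policy, X-Robots-Tag) for /mediabutler/; repeat them here if wanted on this path.
    add_header X-Frame-Options SAMEORIGIN;
    proxy_set_header X-Real-IP $remote_addr;
    # FIX: X-Forwarded-Proto carried the client address ($remote_addr); the scheme is $scheme
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Protocol $scheme;
    proxy_redirect off;
}

--------------------------------------------------------------------------------
/Examples/Example A/snippets/fastcgi-php.conf:
--------------------------------------------------------------------------------
# Included from a "location ~ \.php$"-style block; sets up PATH_INFO and the script check
# before handing the request to PHP-FPM via fastcgi.conf.
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;

# Check that the PHP script exists before passing it
# (also stops requests for a non-existent .php path being executed as something else)
try_files $fastcgi_script_name =404;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

fastcgi_index index.php;
include fastcgi.conf;

--------------------------------------------------------------------------------
/Examples/Example A/snippets/organizr/auth-v2.conf:
--------------------------------------------------------------------------------
## To utilize the block drop "auth_request /auth-x;" within your location block, where x=OrgV2 group_id
#auth_request /auth-0; #=Admin
#auth_request /auth-1; #=Co-Admin
#auth_request /auth-2; #=Super User
#auth_request /auth-3; #=Power User
#auth_request /auth-4; #=User
#auth_request /auth-999; #=Guest

# Subrequest target for auth_request. "internal" keeps it unreachable from the network;
# the pattern is anchored and limited to a numeric group id so that only the configured
# /auth-<id> subrequests are forwarded to Organizr's auth API.
location ~ ^/auth-(\d+)$ {
    internal;
    proxy_pass http://192.168.1.2:81/api/?v1/auth&group=$1;
    proxy_set_header Content-Length "";
}

--------------------------------------------------------------------------------
/Examples/Example A/snippets/organizr/error-v2.conf:
--------------------------------------------------------------------------------
# Hands every listed error status to Organizr's error page as an external redirect.
# FIX: the placeholder was DOMAIN.TLD while the example site it is included into is EXAMPLEA.TLD
error_page 400 401 402 403 404 405 408 500 502 503 504 $scheme://EXAMPLEA.TLD/?error=$status; #org 2
#proxy_intercept_errors on; #For custom Organizr error pages

--------------------------------------------------------------------------------
/Examples/Example A/snippets/proxy.conf:
--------------------------------------------------------------------------------
# Common proxy settings for a location that already has its own proxy_pass.
client_max_body_size 10m;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# NOTE: fixed "https" is only correct when this snippet is included into a TLS-only server
# (as in Example A); use $scheme if it is ever included into a plain-HTTP server.
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
#proxy_cookie_path / "/; HTTPOnly; Secure"; # enable at your own risk, may break certain apps
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

--------------------------------------------------------------------------------
/Examples/Example A/snippets/snakeoil.conf:
--------------------------------------------------------------------------------
# Self signed certificates generated by the ssl-cert package
# Don't use them in a production server!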
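
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

--------------------------------------------------------------------------------
/Examples/Example A/snippets/strong-ssl-clients.conf:
--------------------------------------------------------------------------------
# Strong SSL With iFrame Blocking
# Variant of strong-ssl.conf that keeps X-Frame-Options SAMEORIGIN active, uses a
# stricter Referrer-Policy and opts the host into HSTS preload.
# FIX: TLS 1.0/1.1 are deprecated (RFC 8996) and HTTP/2 already requires TLS 1.2;
# add TLSv1.3 here once the nginx/OpenSSL build in use supports it.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# NOTE(review): this list still admits 3DES (DES-CBC3-SHA) and non-forward-secret AES*-SHA
# suites; trim it once no legacy client depends on them.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # resumption goes through the shared cache only, no ticket keys to rotate
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on; # the including server must set ssl_trusted_certificate for this


# Set Google's public DNS servers as upstream resolver
# (used for the OCSP stapling lookups; this is plain DNS to an external resolver -
# point it at a local resolver where one is available)
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# HSTS - "always" so the header is also sent on error responses, not only on 2xx/3xx.
# NOTE(review): "preload" with includeSubdomains commits every subdomain to HTTPS for two
# years once the host is submitted to the preload list; make sure all of them serve TLS first.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;

# Modify X-Frame-Option from DENY to SAMEORIGIN, required for Deluge Web UI, ownCloud, etc.
add_header X-Frame-Options SAMEORIGIN;

add_header X-Content-Type-Options nosniff; # no sniffing
add_header X-XSS-Protection "1; mode=block" always; # force cross site protection if needed
add_header Referrer-Policy "strict-origin"; # no trails
proxy_cookie_path / "/; HTTPOnly; Secure"; # cookie secure stuff
add_header X-Robots-Tag index;
# NOTE: nginx does not merge add_header across levels - any add_header inside a location of the
# including server replaces this whole set for that location.

# Use the 2048 bit DH key
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

# Fun Stuff
server_tokens off; # hide server tokens
more_set_headers 'Server: Classified'; # Set Server Name (needs the headers-more module)
add_header X-Powered-By "Classified"; # Set Server Engine
more_clear_headers 'X-Powered-By';

--------------------------------------------------------------------------------
/Examples/Example A/snippets/strong-ssl.conf:
--------------------------------------------------------------------------------
# Strong SSL With iFrame Blocking
# Included into the 443 server of sites-enabled/EXAMPLEA.TLD.conf.
# FIX: TLS 1.0/1.1 are deprecated (RFC 8996) and HTTP/2 already requires TLS 1.2;
# add TLSv1.3 here once the nginx/OpenSSL build in use supports it.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# NOTE(review): this list still admits 3DES (DES-CBC3-SHA) and non-forward-secret AES*-SHA
# suites; trim it once no legacy client depends on them.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # resumption goes through the shared cache only, no ticket keys to rotate
ssl_stapling on;
ssl_stapling_verify on; # the including server must set ssl_trusted_certificate for this

# Set Google's public DNS servers as upstream resolver
# (used for the OCSP stapling lookups; this is plain DNS to an external resolver -
# point it at a local resolver where one is available)
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# HSTS - "always" so the header is also sent on error responses, not only on 2xx/3xx
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;

# Modify X-Frame-Option from DENY to SAMEORIGIN, required for Deluge Web UI, ownCloud, etc.
#add_header X-Frame-Options SAMEORIGIN;
# NOTE(review): with the line above commented out nginx itself adds no X-Frame-Options;
# the "iFrame Blocking" in the heading only holds where a location adds it.

add_header X-Content-Type-Options nosniff; # no sniffing

add_header X-XSS-Protection "1; mode=block" always; # force cross site protection if needed

add_header Referrer-Policy "same-origin"; # no trails
proxy_cookie_path / "/; HTTPOnly; Secure"; # cookie secure stuff
add_header X-Robots-Tag none;
# NOTE: nginx does not merge add_header across levels - any add_header inside a location of the
# including server replaces this whole set for that location.

# Use the 2048 bit DH key
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

# Fun Stuff
server_tokens off; # hide server tokens
more_set_headers 'Server: Mars'; # Set Server Name (needs the headers-more module)
add_header X-Powered-By "Fusion Power"; # Set Server Engine
more_clear_headers 'X-Powered-By';

--------------------------------------------------------------------------------
/Examples/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Organizr/Config-Collections-for-Nginx/21a90b4dff86d861a43644b135ddcce26d438568/Examples/README.md
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Copyright (C) 2007 Free Software Foundation, Inc.
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The GNU General Public License is a free, copyleft license for
software and other kinds of works.

The licenses for most software and other practical works are designed
to take away your freedom to share and change the works.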
By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. 
For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 
83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 
117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 
146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 
180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 
216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 
246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. 
If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 
309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 
336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 
360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. 
If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 
428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. 
If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 
486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 
512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. 
If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 
578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 
613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | {one line to give the program's name and a brief idea of what it does.} 635 | Copyright (C) 2018 {name of author} 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see https://www.gnu.org/licenses/. 649 | 650 | Also add information on how to contact you by electronic and paper mail. 
651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Nginx Collections Copyright (C) 2018 jonfinley 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | https://www.gnu.org/licenses/. 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | https://www.gnu.org/licenses/why-not-lgpl.html. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Config Collections for Nginx 2 | A Collection of Functioning Nginx Configurations 3 | 4 | - **Apps** is for typical web application subfolder proxies 5 | - **Docker** is for docker examples 6 | - **Examples** is where we host working site configurations 7 | - **Snippets** is for little things that can help you keep your .confs clean 8 | - **Subdomains** is for typical web application subdomain proxies. 9 | 10 | If we are missing something you wish added, let us know. Thanks! 
11 | 12 | Last Edit: @jonfinley 01.02.2019 13 | -------------------------------------------------------------------------------- /Snippets/Organizr/Auth Blocks/authV1.conf: -------------------------------------------------------------------------------- 1 | ###################### Only for Organizr v1.x 2 | # Organizr Auth v1 # 3 | ###################### 4 | location /auth-admin { 5 | internal; 6 | rewrite ^ /auth.php?admin&whitelist=; #IP or URL separated by ',' 7 | } 8 | location /auth-user { 9 | internal; 10 | rewrite ^ /auth.php?user; 11 | } 12 | -------------------------------------------------------------------------------- /Snippets/Organizr/Auth Blocks/authV1subdomain.conf: -------------------------------------------------------------------------------- 1 | ###################### Only for Organizr v1.x 2 | # Organizr Auth v1 # This helps use auth for a sub.domain.tld 3 | ###################### 4 | location /auth-admin { 5 | internal; 6 | proxy_pass https://ORGDOMAIN/auth.php?admin; 7 | proxy_set_header Content-Length ""; 8 | } 9 | location /auth-user { 10 | internal; 11 | proxy_pass https://ORGDOMAIN/auth.php?user; 12 | proxy_set_header Content-Length ""; 13 | } 14 | -------------------------------------------------------------------------------- /Snippets/Organizr/Auth Blocks/authV2.conf: -------------------------------------------------------------------------------- 1 | ###################### Only for Organizr v2.x 2 | # Organizr Auth v2 # 3 | ###################### 4 | #auth_request /auth-0; #=Admin 5 | #auth_request /auth-1; #=Co-Admin 6 | #auth_request /auth-2; #=Super User 7 | #auth_request /auth-3; #=Power User 8 | #auth_request /auth-4; #=User 9 | #auth_request /auth-998; # logged in 10 | #auth_request /auth-999; #=Guest 11 | 12 | location ~ /auth-(.*) { 13 | internal; 14 | rewrite ^/auth-(.*) /api/?v1/auth&group=$1; 15 | } 16 | -------------------------------------------------------------------------------- /Snippets/Organizr/Auth 
Blocks/authV2subdomain.conf: -------------------------------------------------------------------------------- 1 | ###################### Only for Organizr v2.x 2 | # Organizr Auth v2 # This Helps for auth on sub.domain.tld 3 | ###################### 4 | #auth_request /auth-0; #=Admin 5 | #auth_request /auth-1; #=Co-Admin 6 | #auth_request /auth-2; #=Super User 7 | #auth_request /auth-3; #=Power User 8 | #auth_request /auth-4; #=User 9 | #auth_request /auth-998; # logged in 10 | #auth_request /auth-999; #=Guest 11 | 12 | location ~ /auth-(.*) { 13 | internal; 14 | proxy_pass https://ORGDOMAIN/api/?v1/auth&group=$1; 15 | } 16 | -------------------------------------------------------------------------------- /Snippets/Organizr/Error Pages/errorV1.conf: -------------------------------------------------------------------------------- 1 | error_page 400 401 402 403 404 500 502 503 504 $scheme://$server_name/error.php?error=$status; 2 | 3 | error_log /var/log/nginx/DOMAIN.error.log; 4 | access_log /var/log/nginx/DOMAIN.access.log; 5 | -------------------------------------------------------------------------------- /Snippets/Organizr/Error Pages/errorV1subdomain.conf: -------------------------------------------------------------------------------- 1 | error_page 400 401 402 403 404 500 502 503 504 https://DOMAIN/error.php?error=$status; 2 | 3 | error_log /var/log/nginx/DOMAIN.error.log; 4 | access_log /var/log/nginx/DOMAIN.access.log; 5 | -------------------------------------------------------------------------------- /Snippets/Organizr/Error Pages/errorV2.conf: -------------------------------------------------------------------------------- 1 | error_page 400 401 402 403 404 500 502 503 504 $scheme://$server_name/?error=$status; 2 | 3 | error_log /var/log/nginx/DOMAIN.error.log; 4 | access_log /var/log/nginx/DOMAIN.access.log; 5 | -------------------------------------------------------------------------------- /Snippets/Organizr/Error Pages/errorV2subdomain.conf: 
-------------------------------------------------------------------------------- 1 | error_page 400 401 402 403 404 500 502 503 504 $scheme://ORGDOMAIN/?error=$status; 2 | 3 | error_log /var/log/nginx/DOMAIN.error.log; 4 | access_log /var/log/nginx/DOMAIN.access.log; 5 | -------------------------------------------------------------------------------- /Snippets/PHP/phpfpm.conf: -------------------------------------------------------------------------------- 1 | # PHP EXAMPLE 2 | location ~ \.php$ { 3 | try_files $uri =500; 4 | fastcgi_split_path_info ^(.+\.php)(/.+)$; 5 | fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; 6 | fastcgi_index index.php; 7 | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 8 | include fastcgi_params; 9 | } 10 | -------------------------------------------------------------------------------- /Snippets/fastcgi-php.conf: -------------------------------------------------------------------------------- 1 | # FastCGI for php 2 | # Likely already on your machine. 

# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;

# Check that the PHP script exists before passing it
# (this is the guard against PHP-FPM's cgi.fix_pathinfo walking back to a
# non-PHP file when the requested script does not exist)
try_files $fastcgi_script_name =404;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

fastcgi_index index.php;
include fastcgi.conf;
-------------------------------------------------------------------------------- /Snippets/proxy examples.conf: --------------------------------------------------------------------------------
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

send_timeout 5m;
proxy_send_timeout 240;
proxy_read_timeout 240;
proxy_connect_timeout 240;

proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Hard-coded to "https": only correct when this snippet is included from a
# TLS server block; use $scheme if it is ever shared with a plain-http one.
proxy_set_header X-Forwarded-Proto https;
# Upgrade/Connection are sent unconditionally, so every proxied request
# advertises an upgrade. A `map $http_upgrade $connection_upgrade` in the
# http context is the usual way to send "upgrade" only for WebSocket requests.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

client_max_body_size 10m;
client_body_buffer_size 128k;
# Connect to the upstream from the address the client hit (the server's own).
proxy_bind $server_addr;
# Removes the upstream's clickjacking protection so the app can be framed
# (e.g. by Organizr). Only keep this for apps you really need to embed.
proxy_hide_header X-Frame-Options;
-------------------------------------------------------------------------------- /Snippets/proxy_websocket.conf: --------------------------------------------------------------------------------
# Used if your app has Websockets
# Example wss:// ws:// /ws/
# HTTP/1.1 towards the upstream is required for the Upgrade handshake;
# nginx defaults to 1.0 for proxied requests.

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

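-------------------------------------------------------------------------------- /Snippets/strong-ssl-noframe.conf: --------------------------------------------------------------------------------
# Strong SSL With No iFrame Blocking
#
# Include from a `server { listen 443 ssl; ... }` block.
# NOTE: nginx does not merge `add_header` across levels. If any `location` in
# the including server block declares its own `add_header`, every header set
# here is dropped for that location; re-add them there (or include this file
# inside the location) so HSTS and the other headers keep applying.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# "HIGH" still admits non-forward-secret RSA key exchange and CBC suites;
# tighten to an explicit ECDHE list if all of your clients support it.
ssl_ciphers HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

# Set Google's public DNS servers as upstream resolver
# Used by nginx itself (OCSP stapling lookups, variable upstreams). These
# queries leave the host in plaintext; a local resolver is preferable.
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# HSTS
# `always` sends the header on error responses too; without it nginx only
# adds it to success responses. `preload` is effectively irrevocable once the
# domain is submitted to the browser preload lists, and `includeSubdomains`
# pins every subdomain to HTTPS, so enable both deliberately.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;

# Modify X-Frame-Option from DENY to SAMEORIGIN, required for Deluge Web UI, ownCloud, etc.
#add_header X-Frame-Options SAMEORIGIN;

add_header X-Content-Type-Options nosniff always; # no sniffing

# The legacy browser XSS auditor ("1; mode=block") has been removed from
# current browsers and was itself a source of information leaks; current
# guidance is to disable it explicitly and rely on Content-Security-Policy.
add_header X-Xss-Protection "0" always;

add_header Referrer-Policy "same-origin" always; # no trails
# cookie secure stuff — note this only rewrites Set-Cookie headers that carry
# a Path attribute; cookies set without one keep whatever flags the app gave.
proxy_cookie_path / "/; HTTPOnly; Secure";
# Use the 2048 bit DH key
ssl_dhparam /etc/ssl/certs/dhparam.pem;

# Fun Stuff
server_tokens off; # hide server tokens
# more_set_headers 'Server: Mars'; # Set Server Name
# add_header X-Powered-By "Fusion Power"; # Set Server Engine
-------------------------------------------------------------------------------- /Snippets/strong-ssl.conf: --------------------------------------------------------------------------------
# Strong SSL With iFrame Blocking
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

# Set Google's public DNS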
servers as upstream resolver 12 | resolver 8.8.8.8 8.8.4.4 valid=300s; 13 | resolver_timeout 5s; 14 | 15 | # HSTS 16 | add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; 17 | 18 | # Modify X-Frame-Option from DENY to SAMEORIGIN, required for Deluge Web UI, ownCloud, etc. 19 | add_header X-Frame-Options SAMEORIGIN; 20 | 21 | add_header X-Content-Type-Options nosniff; # no sniffing 22 | 23 | add_header X-Xss-Protection "1; mode=block" always; # force cross site protection if needed 24 | 25 | add_header Referrer-Policy "same-origin"; # no trails 26 | proxy_cookie_path / "/; HTTPOnly; Secure"; # cookie secure stuff 27 | # Use the 2048 bit DH key 28 | ssl_dhparam /etc/ssl/certs/dhparam.pem; 29 | 30 | # Fun Stuff 31 | server_tokens off; # hide server tokens 32 | # more_set_headers 'Server: Mars'; # Set Server Name 33 | # add_header X-Powered-By "Fusion Power"; # Set Server Engine 34 | -------------------------------------------------------------------------------- /Subdomains/bitwarden.conf: -------------------------------------------------------------------------------- 1 | # Bitwarden Subdomain 2 | # Replace DOMAIN.TLD with your domain 3 | # Replace 192.168.1.103 with your Server's IP address 4 | server { 5 | listen 80; 6 | server_name bitwarden.DOMAIN.TLD; 7 | return 301 https://$server_name$request_uri; 8 | } 9 | 10 | server { 11 | listen 443 ssl http2; 12 | 13 | server_name bitwarden.DOMAIN.TLD; 14 | server_tokens off; 15 | 16 | include /config/nginx/proxy.conf; 17 | 18 | ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem; 19 | ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem; 20 | 21 | ssl on; 22 | ssl_session_cache builtin:1000 shared:SSL:10m; 23 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 24 | ssl_prefer_server_ciphers on; 25 | 26 | gzip on; 27 | gzip_vary on; 28 | gzip_min_length 1000; 29 | gzip_proxied any; 30 | gzip_types text/plain text/css text/xml application/xml text/javascript 
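application/x-javascript image/svg+xml;
    gzip_disable "MSIE [1-6]\.";

    location / {
        proxy_pass http://192.168.1.103:8484;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Url-Scheme $scheme;
        # Strips the upstream's Content-Security-Policy so the UI can be
        # embedded. This removes a browser-side control for a password
        # manager; keep it only if you actually need to frame the UI.
        proxy_hide_header Content-Security-Policy;
        # Block sign-up at the proxy by bouncing any URI containing "/register"
        # to the Organizr error page. Keep signups disabled upstream as well;
        # this is defence in depth, not the only control. (`if` with `return`
        # is one of the safe uses of `if` inside a location.)
        if ($request_uri ~ /(.*)/register) {
            return 301 https://DOMAIN.TLD/?error=401;
        }
    }

    location /notifications/hub {
        proxy_pass http://192.168.1.103:3012;
        # WebSocket upgrade needs HTTP/1.1 towards the upstream; nginx
        # defaults to 1.0 for proxied requests, so the handshake failed.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://192.168.1.103:8484;
    }
}
-------------------------------------------------------------------------------- /Subdomains/deluge.conf: --------------------------------------------------------------------------------
# Deluge Subdomain
# Replace DOMAIN.TLD with your domain
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    # `ssl` on the listen line replaces the deprecated (later removed)
    # `ssl on;` directive; behaviour is identical.
    listen 443 ssl;
    server_name deluge.DOMAIN.TLD;

    ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem;

    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLS 1.0/1.1 are deprecated; match the repo's Snippets/strong-ssl.conf.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/deluge.access.log;

    location / {
        proxy_pass http://127.0.0.1:8112;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
-------------------------------------------------------------------------------- /Subdomains/duplicati.conf: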
-------------------------------------------------------------------------------- 1 | # Make sure that your dns has a cname set for duplicati and that your duplicati container is not using a base url 2 | 3 | server { 4 | listen 443 ssl; 5 | server_name duplicati.*; 6 | include /config/nginx/ssl.conf; 7 | client_max_body_size 0; 8 | # Enable for ldap auth, fill in ldap details in ldap.conf 9 | #include /config/nginx/ldap.conf; 10 | 11 | location / { 12 | # Enable the next two lines for http auth 13 | #auth_basic "Restricted"; 14 | #auth_basic_user_file /config/nginx/.htpasswd; 15 | 16 | # Enable the next two lines for ldap auth 17 | #auth_request /auth; 18 | #error_page 401 =200 /login; 19 | 20 | #include /config/nginx/proxy.conf; 21 | resolver 127.0.0.11 valid=30s; 22 | # Change duplicati to the correct container name or to the corresponding IP 23 | set $upstream_duplicati duplicati; 24 | proxy_pass http://$upstream_duplicati:8200; 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /Subdomains/emby.conf: -------------------------------------------------------------------------------- 1 | # Emby Subdomain 2 | # Replace DOMAIN.TLD with your domain 3 | server { 4 | listen 80; 5 | server_name _; 6 | return 301 https://$host$request_uri; 7 | } 8 | 9 | server { 10 | listen 443; 11 | server_name emby.DOMAIN.TLD; 12 | 13 | ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem; 14 | ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem; 15 | 16 | ssl on; 17 | ssl_session_cache builtin:1000 shared:SSL:10m; 18 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 19 | ssl_prefer_server_ciphers on; 20 | 21 | access_log /var/log/nginx/emby.access.log; 22 | 23 | location / { 24 | proxy_pass http://127.0.0.1:8096; 25 | proxy_hide_header X-Powered-By; 26 | proxy_set_header Range $http_range; 27 | proxy_set_header If-Range $http_if_range; 28 | proxy_set_header X-Real-IP $remote_addr; 29 | proxy_set_header Host $host; 30 | 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 31 | 32 | proxy_http_version 1.1; 33 | proxy_set_header Upgrade $http_upgrade; 34 | proxy_set_header Connection "upgrade"; 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /Subdomains/filebrowser.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | server_name filebrowser.domain.com; 4 | return 301 https://$server_name$request_uri; 5 | } 6 | 7 | server { 8 | listen 443 ssl http2; 9 | server_name filebrowser.*; 10 | 11 | include /config/nginx/ssl.conf; 12 | 13 | gzip on; 14 | gzip_vary on; 15 | gzip_min_length 1000; 16 | gzip_proxied any; 17 | gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml; 18 | gzip_disable "MSIE [1-6]\."; 19 | 20 | location / { 21 | proxy_pass http://10.0.0.18:86; 22 | proxy_set_header Host $host; 23 | proxy_set_header X-Real-IP $remote_addr; 24 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 25 | proxy_set_header Upgrade $http_upgrade; 26 | proxy_set_header Connection "upgrade"; 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /Subdomains/goaccess.conf: -------------------------------------------------------------------------------- 1 | # Goaccess Subdomain 2 | # Replace DOMAIN.TLD with your domain 3 | 4 | server { 5 | listen 443 ssl http2; 6 | server_name goaccess.DOMAIN.TLD; 7 | 8 | ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem; 9 | ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem; 10 | 11 | ssl on; 12 | ssl_session_cache builtin:1000 shared:SSL:10m; 13 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 14 | ssl_prefer_server_ciphers on; 15 | 16 | 17 | location / { 18 | proxy_pass http://127.0.0.1:7889/; 19 | proxy_connect_timeout 5m; 20 | proxy_send_timeout 5m; 21 | proxy_read_timeout 5m; 22 | proxy_set_header Upgrade 
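$http_upgrade;
        # A second `proxy_set_header Connection "keep-alive"` used to follow
        # and contradicted the upgrade; only one Connection value can apply.
        # Preferably gate this with `map $http_upgrade $connection_upgrade`
        # in the http context so plain requests do not advertise an upgrade.
        proxy_set_header Connection "upgrade";
        proxy_pass_request_headers on;
        proxy_http_version 1.1;
    }
    location /ws/ {
        proxy_pass http://127.0.0.1:7889/ws/;
        proxy_connect_timeout 5m;
        proxy_send_timeout 5m;
        proxy_read_timeout 5m;
        proxy_set_header Upgrade $http_upgrade;
        # WebSocket endpoint: "upgrade" only (the conflicting "keep-alive"
        # header was dropped).
        proxy_set_header Connection "upgrade";
        proxy_pass_request_headers on;
        proxy_http_version 1.1;
    }
    location /wss/ {
        proxy_pass http://127.0.0.1:7889/wss/;
        proxy_connect_timeout 5m;
        proxy_send_timeout 5m;
        proxy_read_timeout 5m;
        proxy_set_header Upgrade $http_upgrade;
        # WebSocket endpoint: "upgrade" only (the conflicting "keep-alive"
        # header was dropped).
        proxy_set_header Connection "upgrade";
        proxy_pass_request_headers on;
        proxy_http_version 1.1;
    }
}
-------------------------------------------------------------------------------- /Subdomains/grafana.conf: --------------------------------------------------------------------------------
# Grafana Subdomain
# Replace DOMAIN.TLD with your domain
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name grafana.DOMAIN.TLD;

    ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem;

    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLS 1.0/1.1 are deprecated; match the repo's Snippets/strong-ssl.conf.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/grafana.access.log;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
--------------------------------------------------------------------------------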
/Subdomains/guacamole.conf: -------------------------------------------------------------------------------- 1 | # Guacamole Subdomain 2 | # Replace DOMAIN.TLD with your domain 3 | server { 4 | listen 80; 5 | server_name _; 6 | return 301 https://$host$request_uri; 7 | } 8 | 9 | server { 10 | listen 443; 11 | server_name guacamole.DOMAIN.TLD; 12 | 13 | ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem; 14 | ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem; 15 | 16 | ssl on; 17 | ssl_session_cache builtin:1000 shared:SSL:10m; 18 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 19 | ssl_prefer_server_ciphers on; 20 | 21 | access_log /var/log/nginx/guacamole.access.log; 22 | 23 | location / { 24 | proxy_pass http://127.0.0.1:8080; 25 | proxy_buffering off; 26 | proxy_set_header Upgrade $http_upgrade; 27 | proxy_set_header Connection $http_connection; 28 | proxy_set_header X-Real-IP $remote_addr; 29 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 30 | proxy_set_header X-Forwarded-Proto $scheme; 31 | proxy_http_version 1.1; 32 | proxy_no_cache $cookie_session; 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /Subdomains/heimdall.conf: -------------------------------------------------------------------------------- 1 | # Heimdall Subdomain 2 | # Replace DOMAIN.TLD with your domain 3 | server { 4 | listen 80; 5 | server_name _; 6 | return 301 https://$host$request_uri; 7 | } 8 | 9 | server { 10 | listen 443 ssl http2; 11 | server_name heimdall.DOMAIN.TLD; 12 | ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem; 13 | ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem; 14 | 15 | ssl on; 16 | ssl_session_cache builtin:1000 shared:SSL:10m; 17 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 18 | ssl_prefer_server_ciphers on; 19 | 20 | root /var/www/html/Heimdall/public; 21 | index index.php; 22 | 23 | access_log /var/log/nginx/heimdall.access.log; 24 | error_log 
/var/log/nginx/heimdall.error.log; 25 | 26 | location / { try_files $uri $uri/ /index.php?$query_string; } 27 | location ~ /\.ht { deny all; } 28 | location ~ \.php$ { 29 | include snippets/fastcgi-php.conf; 30 | fastcgi_pass unix:/run/php/php7.0-fpm.sock; 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /Subdomains/homeassistant.conf: -------------------------------------------------------------------------------- 1 | #HTTP SERVER BLOCK - Redirect HTTP to HTTPS 2 | 3 | server { 4 | listen 80; 5 | server_name sub.domain.com; 6 | return 301 https://$host$request_uri; 7 | } 8 | 9 | #HTTPS SERVER BLOCK 10 | 11 | server { 12 | listen 443 ssl http2; 13 | 14 | server_name sub.domain.com; 15 | root /config/www; 16 | index index.html index.htm index.php; 17 | 18 | error_page 400 401 402 403 404 500 502 503 504 https:///error.php?error=$status; ## User Organizr error pages 19 | 20 | include /config/nginx/ssl.conf; ## Include SSL parameters from SSL.conf - cert, options, dh, ciphers 21 | include /config/nginx/auth/org2-auth.conf; ## Enable Organizr authentication 22 | 23 | 24 | location / { 25 | proxy_pass http://:8123; 26 | include /config/nginx/auth/auth-local.conf; 27 | include /config/nginx/proxy.conf; 28 | include /config/nginx/websockets.conf; 29 | } 30 | 31 | location /api { 32 | proxy_pass http://:8123; 33 | # include /config/nginx/auth/auth-local.conf; 34 | include /config/nginx/proxy.conf; 35 | include /config/nginx/websockets.conf; 36 | } 37 | 38 | location /api/websocket { 39 | proxy_pass http://:8123; 40 | # include /config/nginx/auth/auth-local.conf; 41 | include /config/nginx/proxy.conf; 42 | include /config/nginx/websockets.conf; 43 | } 44 | 45 | location /auth { 46 | proxy_pass http://:8123; 47 | # include /config/nginx/auth/auth-local.conf; 48 | include /config/nginx/proxy.conf; 49 | include /config/nginx/websockets.conf; 50 | } 51 | } 52 | 
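-------------------------------------------------------------------------------- /Subdomains/moodle.conf: --------------------------------------------------------------------------------
## Moodle Subdomain
# Replace DOMAIN.TLD with your domain
server {
    listen 80;
    # The old block had no server_name and redirected to
    # http://$server_name$request_uri, which yields a broken, plain-http
    # Location; redirect to HTTPS like the other subdomain configs.
    server_name moodle.DOMAIN.TLD;
    return 301 https://$host$request_uri;
}
server {
    # `ssl` on the listen line replaces the deprecated (later removed)
    # `ssl on;` directive; behaviour is identical.
    listen 443 ssl;
    server_name moodle.DOMAIN.TLD;
    ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem;

    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLS 1.0/1.1 are deprecated; match the repo's Snippets/strong-ssl.conf.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    root /var/www/html/moodle;
    index index.php;

    access_log /var/log/nginx/moodle.access.log;
    error_log /var/log/nginx/moodle.error.log;

    location / { try_files $uri $uri/ =404; }
    # Reached only through an internal redirect from Moodle, never directly.
    location /dataroot/ { internal; alias /var/www/DOMAIN.TLD/moodledata/; }
    # Moodle uses "slash arguments" (/file.php/extra/path), hence PATH_INFO.
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # try_files resets $fastcgi_path_info, so capture it first (same
        # approach as Snippets/fastcgi-php.conf).
        set $path_info $fastcgi_path_info;
        # Refuse to hand a non-existent script to PHP-FPM. Without this, with
        # cgi.fix_pathinfo=1, a request for /some-upload.jpg/x.php could get
        # the uploaded file executed as PHP.
        try_files $fastcgi_script_name =404;
        fastcgi_index index.php;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        include fastcgi_params;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

}
-------------------------------------------------------------------------------- /Subdomains/nexcloud.conf: --------------------------------------------------------------------------------
# Nextcloud Subdomain
# Replace DOMAIN.TLD with your domain
server {
    listen 80;
    server_name nextcloud.DOMAIN.TLD;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name nextcloud.DOMAIN.TLD;

    ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem;

    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols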
TLSv1 TLSv1.1 TLSv1.2; 19 | ssl_prefer_server_ciphers on; 20 | 21 | access_log /var/log/nginx/nextcloud.access.log; 22 | 23 | location / { 24 | proxy_pass http://127.0.0.1:7879; 25 | proxy_max_temp_file_size 2048m; 26 | proxy_hide_header X-Frame-Options; 27 | proxy_set_header X-Forwarded-Host $server_name; 28 | proxy_set_header X-Real-IP $remote_addr; 29 | proxy_set_header X-Forwarded-Proto $scheme; 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /Subdomains/ombi.conf: -------------------------------------------------------------------------------- 1 | # Ombi v3 Subdomain 2 | # Replace DOMAIN.TLD with your domain 3 | server { 4 | listen 80; 5 | server_name _; 6 | return 301 https://$host$request_uri; 7 | } 8 | 9 | server { 10 | listen 443; 11 | server_name ombi.DOMAIN.TLD; 12 | 13 | ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem; 14 | ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem; 15 | 16 | ssl on; 17 | ssl_session_cache builtin:1000 shared:SSL:10m; 18 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 19 | ssl_prefer_server_ciphers on; 20 | 21 | access_log /var/log/nginx/ombi.access.log; 22 | 23 | location / { 24 | proxy_pass http://127.0.0.1:5000; 25 | proxy_set_header Host $host; 26 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 27 | proxy_set_header X-Forwarded-Host $server_name; 28 | proxy_set_header X-Real-IP $remote_addr; 29 | proxy_set_header X-Forwarded-Proto $scheme; 30 | } 31 | 32 | } 33 | -------------------------------------------------------------------------------- /Subdomains/organizr.conf: -------------------------------------------------------------------------------- 1 | # Organizr Subdomain 2 | # Replace DOMAIN.TLD with your domain 3 | server { 4 | listen 80; 5 | server_name _; 6 | return 301 https://$host$request_uri; 7 | } 8 | 9 | server { 10 | listen 443 ssl http2; 11 | server_name organizr.DOMAIN.TLD; 12 | ssl_certificate 
/etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem; 13 | ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem; 14 | 15 | ssl on; 16 | ssl_session_cache builtin:1000 shared:SSL:10m; 17 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 18 | ssl_prefer_server_ciphers on; 19 | 20 | root /var/www/html/Organizr; 21 | index index.php; 22 | 23 | access_log /var/log/nginx/organizr.access.log; 24 | error_log /var/log/nginx/organizr.error.log; 25 | 26 | location ~ ^.+?\.php(/.*)?$ { 27 | fastcgi_pass unix:/run/php/php7.0-fpm.sock; 28 | fastcgi_split_path_info ^(.+\.php)(/.*)$; 29 | fastcgi_param PATH_INFO $fastcgi_path_info; 30 | include fastcgi_params; 31 | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /Subdomains/pihole.conf: -------------------------------------------------------------------------------- 1 | # PiHole Admin Console 2 | 3 | server { 4 | listen 80; 5 | server_name pihole.domain.com; 6 | return 301 https://pihole.domain.com; 7 | } 8 | 9 | server { 10 | listen 443 ssl http2; 11 | server_name pihole.domain.com; 12 | include /config/nginx/ssl.conf; 13 | 14 | location = /robots.txt { 15 | add_header Content-Type text/plain; 16 | return 200 "User-agent: *\nDisallow: /\n"; 17 | } 18 | 19 | # Root Directory 20 | location / { 21 | auth_request /auth-1; 22 | proxy_intercept_errors on; 23 | proxy_pass http://192.168.1.7/admin; 24 | try_files $uri $uri/ =404; 25 | proxy_hide_header X-Frame-Options; 26 | include /config/nginx/proxy.conf; 27 | } 28 | # Blocking access to hidden files/folders 29 | location ~ /\. 
{ 30 | return 404; 31 | } 32 | # Sub-Directories 33 | location /*.js { 34 | index pihole/index.js; 35 | } 36 | location /admin { 37 | proxy_pass http://192.168.1.7/admin; 38 | proxy_intercept_errors on; 39 | root /var/www/html; 40 | index index.php index.html index.htm; 41 | proxy_hide_header X-Frame-Options; 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /Subdomains/plex.conf: -------------------------------------------------------------------------------- 1 | # Plex Subdomain 2 | # Replace DOMAIN.TLD with your domain 3 | ssl_session_cache shared:SSL:10m; 4 | ssl_session_timeout 10m; 5 | upstream plex_backend { server 127.0.0.1:32400; keepalive 32; } 6 | 7 | server { 8 | listen 80; 9 | server_name _; 10 | return 301 https://$host$request_uri; 11 | } 12 | 13 | server { 14 | listen 443 ssl http2; #http2 can provide a substantial improvement for streaming: https://blog.cloudflare.com/introducing-http2/ 15 | server_name plex.DOMAIN.TLD; 16 | ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem; 17 | ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem; 18 | 19 | ssl on; 20 | ssl_session_cache builtin:1000 shared:SSL:10m; 21 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 22 | ssl_prefer_server_ciphers on; 23 | ssl_ciphers 
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; 24 | 25 | ssl_session_tickets off; 26 | ssl_dhparam /etc/ssl/certs/dhparam.pem; 27 | ssl_ecdh_curve secp384r1; 28 | resolver 8.8.4.4 8.8.8.8 valid=300s; 29 | resolver_timeout 10s; 30 | 31 | gzip on; 32 | gzip_vary on; 33 | gzip_min_length 1000; 34 | gzip_proxied any; 35 | gzip_types text/plain text/html text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml; 36 | gzip_disable "MSIE [1-6]\."; 37 | 38 | client_max_body_size 100M; 39 | 40 | proxy_set_header Host $host; 41 | proxy_set_header X-Real-IP $remote_addr; 42 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 43 | proxy_set_header X-Forwarded-Proto $scheme; 44 | proxy_http_version 1.1; 45 | proxy_set_header Upgrade $http_upgrade; 46 | proxy_set_header Connection "upgrade"; 47 | proxy_redirect off; 48 | proxy_buffering off; 49 | 50 | location / { proxy_pass http://plex_backend; } 51 | } 52 | -------------------------------------------------------------------------------- /Subdomains/qbittorrent.conf: -------------------------------------------------------------------------------- 1 | #qbittorrent Subdomain 2 | # Replace DOMAIN.TLD with your domain 3 | server { 4 | listen 80; 5 | server_name _; 6 | return 301 
https://$host$request_uri; 7 | } 8 | 9 | server { 10 | listen 443; 11 | server_name qbittorrent.DOMAIN.TLD; 12 | 13 | ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem; 14 | ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem; 15 | 16 | ssl on; 17 | ssl_session_cache builtin:1000 shared:SSL:10m; 18 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 19 | ssl_prefer_server_ciphers on; 20 | 21 | access_log /var/log/nginx/qbittorrent.access.log; 22 | 23 | location / { 24 | proxy_pass http://127.0.0.1:8080; 25 | proxy_set_header X-Forwarded-Host $host:$server_port; 26 | proxy_hide_header Referer; 27 | proxy_hide_header Origin; 28 | proxy_set_header Referer ''; 29 | proxy_set_header Origin ''; 30 | add_header X-Frame-Options "SAMEORIGIN"; 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /Subdomains/radarr.conf: -------------------------------------------------------------------------------- 1 | # Radarr Subdomain 2 | # Replace DOMAIN.TLD with your domain 3 | server { 4 | listen 80; 5 | server_name _; 6 | return 301 https://$host$request_uri; 7 | } 8 | 9 | server { 10 | listen 443; 11 | server_name radarr.DOMAIN.TLD; 12 | 13 | ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem; 14 | ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem; 15 | 16 | ssl on; 17 | ssl_session_cache builtin:1000 shared:SSL:10m; 18 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 19 | ssl_prefer_server_ciphers on; 20 | 21 | access_log /var/log/nginx/radarr.access.log; 22 | 23 | location / { 24 | proxy_pass http://127.0.0.1:7879; 25 | proxy_set_header X-Forwarded-Host $server_name; 26 | proxy_set_header X-Real-IP $remote_addr; 27 | proxy_set_header X-Forwarded-Proto $scheme; 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /Subdomains/rutorrent.conf: -------------------------------------------------------------------------------- 1 | # ruTorrent Subdomain 2 | # Replace 
DOMAIN.TLD with your domain 3 | server { 4 | listen 80; 5 | server_name rutorrent.DOMAIN.TLD; 6 | return 301 https://$http_host$request_uri; 7 | } 8 | 9 | ## HTTPS host 10 | server { 11 | listen 443 ssl http2; 12 | server_name rutorrent.DOMAIN.TLD; 13 | 14 | ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem; 15 | ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem; 16 | 17 | ssl on; 18 | ssl_session_cache builtin:1000 shared:SSL:10m; 19 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 20 | ssl_prefer_server_ciphers on; 21 | 22 | access_log /var/log/nginx/rutorrent.access.log; 23 | 24 | location / { 25 | proxy_set_header X-Real-IP $remote_addr; 26 | proxy_set_header X-Forwarded-Host $server_name; 27 | proxy_set_header X-Forwarded-Proto $scheme; 28 | proxy_pass http://192.168.1.103:9080; 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /Subdomains/sonarr.conf: -------------------------------------------------------------------------------- 1 | # Sonarr Subdomain 2 | # Replace DOMAIN.TLD with your domain 3 | server { 4 | listen 80; 5 | server_name _; 6 | return 301 https://$host$request_uri; 7 | } 8 | 9 | server { 10 | listen 443 ssl; 11 | server_name sonarr.DOMAIN.TLD; 12 | 13 | ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem; 14 | ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem; 15 | 16 | ssl_session_cache builtin:1000 shared:SSL:10m; 17 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 18 | ssl_prefer_server_ciphers on; 19 | 20 | access_log /var/log/nginx/sonarr.access.log; 21 | 22 | location / { 23 | proxy_pass http://127.0.0.1:8989; 24 | proxy_set_header X-Forwarded-Host $server_name; 25 | proxy_set_header X-Real-IP $remote_addr; 26 | proxy_set_header X-Forwarded-Proto $scheme; 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /Subdomains/syncloungeV2.conf: 
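--------------------------------------------------------------------------------
# SyncLounge Subdomain
# Replace DOMAIN.TLD with your domain
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    # "listen ... ssl" replaces the deprecated "ssl on;" (removed in nginx 1.25.1).
    listen 443 ssl;
    server_name pt.DOMAIN.TLD;

    ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem;

    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLS 1.0/1.1 are deprecated (RFC 8996); prefer TLSv1.2 (+TLSv1.3 if supported).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/synclounge.access.log;

    # X-Forwarded-Proto now carries $scheme; the listing sent $remote_addr (the
    # client IP) in that header, which is not a protocol and misleads the
    # backend's HTTPS detection.
    location / {
        add_header Strict-Transport-Security max-age=31536000; #Remove if you are not enforcing secure connections
        add_header X-Frame-Options SAMEORIGIN;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_redirect off;
        # Send websocket data to the backend as well
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://10.0.0.11:8088/;
    }


    location /slweb {
        proxy_pass http://10.0.0.11:8088/slweb;
        add_header Strict-Transport-Security max-age=31536000; #Remove if you are not enforcing secure connections
        add_header X-Frame-Options SAMEORIGIN;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_redirect off;
        # Send websocket data to the backend as well
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location ~ ^/(slserver|socket\.io) {
        proxy_pass http://10.0.0.11:8089;
        add_header Strict-Transport-Security max-age=31536000; #Remove if you are not enforcing secure connections
        add_header X-Frame-Options SAMEORIGIN;
        proxy_set_header X-Real-IP $remote_addr;
        #proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_redirect off;
        # Send websocket data to the backend as well
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

--------------------------------------------------------------------------------
/Subdomains/tautulli.conf:
--------------------------------------------------------------------------------
# Tautulli Subdomain
# Replace DOMAIN.TLD with your domain
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    # "listen ... ssl" replaces the deprecated "ssl on;" (removed in nginx 1.25.1).
    listen 443 ssl;
    server_name tautulli.DOMAIN.TLD;

    ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem;

    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLS 1.0/1.1 are deprecated (RFC 8996); prefer TLSv1.2 (+TLSv1.3 if supported).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/tautulli.access.log;

    location / {
        proxy_pass http://127.0.0.1:8181;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

--------------------------------------------------------------------------------
/Subdomains/tautulli.newsletter.conf: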
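--------------------------------------------------------------------------------
# Tautulli Newsletter Subdomain
# Replace DOMAIN.TLD with your domain
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    # "listen ... ssl" replaces the deprecated "ssl on;" (removed in nginx 1.25.1).
    listen 443 ssl;
    server_name news.DOMAIN.TLD;

    ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem;

    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLS 1.0/1.1 are deprecated (RFC 8996); prefer TLSv1.2 (+TLSv1.3 if supported).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/tautulli.newsletter.access.log;

    # THIS WILL BLOCK REGULAR ACCESS TO TAUTULLI
    # 444 closes the connection without a response, so only the two newsletter
    # paths below are exposed on this hostname.
    location / {
        return 444;
    }

    # TAUTULLI ALLOW SELFHOSTED NEWSLETTER
    location /tautulli/newsletter {
        proxy_pass http://127.0.0.1:8181/tautulli/newsletter;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # SSL proxying headers
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl on;
    }

    # TAUTULLI ALLOW SELFHOSTED IMAGES
    location /tautulli/image {
        proxy_pass http://127.0.0.1:8181/tautulli/image;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # SSL proxying headers
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl on;
    }
}

--------------------------------------------------------------------------------
/Subdomains/unifi.controller.conf:
--------------------------------------------------------------------------------
#UniFi Controller Subdomain
# Replace DOMAIN.TLD with your domain
# Replace 192.168.1.30 with your Unifi Controller's IP address

server {
    listen 80;
    server_name unifi.DOMAIN.TLD;
    # Note: this redirect drops the request path; the other files use
    # https://$host$request_uri.
    return 301 https://unifi.DOMAIN.TLD;
}

server {
    listen 443 ssl http2;
    server_name unifi.DOMAIN.TLD;
    include /config/nginx/ssl.conf;

    location = /robots.txt {
        add_header Content-Type text/plain;
        return 200 "User-agent: *\nDisallow: /\n";
    }

    # /auth-1 is not defined in this file; it is presumably provided by an
    # included Organizr auth snippet - nginx will refuse to start without it.
    location / {
        auth_request /auth-1;
        # nginx does not verify the upstream certificate by default
        # (proxy_ssl_verify off), which is what makes the controller's
        # self-signed cert work; if this hop leaves a trusted LAN, pin it with
        # proxy_ssl_trusted_certificate and proxy_ssl_verify on.
        proxy_pass https://192.168.1.30:8443;
        # Advanced Proxy Config
        send_timeout 5m;
        proxy_read_timeout 300;
        proxy_send_timeout 300;
        proxy_connect_timeout 300;

        # Basic Proxy Config
        proxy_intercept_errors off;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_redirect http:// $scheme://;
        proxy_http_version 1.1;
        # Connection is set twice in this location ("" here, "upgrade" below);
        # keep one, ideally via "map $http_upgrade $connection_upgrade" so only
        # real websocket upgrades send "upgrade".
        proxy_set_header Connection "";

        # Websockets
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_cache_bypass $cookie_session;
        proxy_no_cache $cookie_session;
        proxy_buffers 32 4k;
        proxy_hide_header X-Frame-Options;
        proxy_buffering off;
    }
    # "^~" is a prefix modifier, so this block matches the literal path
    # "(/wss|/manage|..." and never a real request - everything currently falls
    # through to "location /" and its auth_request. Rewriting it as a regex
    # ("location ~ ^/(wss|manage|...)") would make /manage and /api bypass the
    # Organizr gate, since this block has no auth_request; decide that
    # deliberately rather than as a syntax fix.
    location ^~(/wss|/manage|/login|/status|/templates|/src|/services|/directives|/api) {
        proxy_intercept_errors off;
        proxy_pass https://192.168.1.30:8443;
        proxy_buffering off;
    }
}

--------------------------------------------------------------------------------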