diff options
Diffstat (limited to 'images/router')
28 files changed, 854 insertions, 0 deletions
diff --git a/images/router/.gitignore b/images/router/.gitignore new file mode 100644 index 0000000..5224f03 --- /dev/null +++ b/images/router/.gitignore @@ -0,0 +1 @@ +auth/* diff --git a/images/router/Dockerfile b/images/router/Dockerfile new file mode 100644 index 0000000..f7717fe --- /dev/null +++ b/images/router/Dockerfile @@ -0,0 +1,11 @@ +FROM server_runit + +RUN apk add --no-cache nginx nginx-mod-stream bash curl git openssl +RUN git clone --single-branch --depth=1 \ + https://github.com/lukas2511/dehydrated /app/dehydrated + +ADD letsencrypt /app/letsencrypt/ +RUN rm -rf /etc/nginx/conf.d +ADD nginx /etc/nginx/ +ADD auth /app/auth +ADD dhparams.pem /app/ diff --git a/images/router/dhparams.pem b/images/router/dhparams.pem new file mode 100644 index 0000000..3530d79 --- /dev/null +++ b/images/router/dhparams.pem @@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEAj8BEpaKdrasUzeqS1KaWlOBJTaLTHHpVzkjUdPgsgKyf3sI18b5X +r6QF4KOu0oU4V23j3Zbc6qHdIAa+HnYvw/A+ShFTC6CkFlmHE5MDgbyABmtXXqCy +HiiGUalmReOZUhWNXI2+VqZHRjFH58ivoMJvkoyAesNjUGM1qq8oVyhUsmWYmU1A +dwC4hGYpRnf6bOHeI0l5/b2q8jSix2UxYWrqQlg0Yi/RovVlk3SEpKclOQ4zrrxi +BUrOpZ3Oedl4tKeIA50dAnkjh05EnYMhG0SPXY9mPyxAQl0xAByh/15aAT+XZ+Zn +gYqh+frTciPPk5LoRZ3Ym7yRbbY8A3Y9iYe1kySEUiN5KKt0wa1RIH3rp6VYlU0J +nYbzNLuVe9HYb9v4hoWcy4p5qPAXzO9cJHJmo3Y7JpcUY/dQBSiarT12LoPlLCHP +72uwxWA9FQZRpI2MPYOyG1SifojX2GIY03mGL3LTnbjdmAbCDx6FpcddCZPbmOXj +y+NhzLGZCzKGprleoY8rI9wMBbyGjE43ikOr8JkUPXc7IhOE5KmYnI8YHgkAHKhn +c9R2k2tAGYoxCfdhh6RdaRgcT/JqtyljEYVJWzYvfKfGHaGE7u+u4AudBCbjKgXs +Ns2e3CRprxvvK8DhcRwVYNJax6ecJqn+5EESrSJ/8EhjEm056rS3PqMCAQI= +-----END DH PARAMETERS----- diff --git a/images/router/letsencrypt/config b/images/router/letsencrypt/config new file mode 100644 index 0000000..e641f19 --- /dev/null +++ b/images/router/letsencrypt/config @@ -0,0 +1,95 @@ +######################################################## +# This is the main config file for dehydrated # +# # +# This file is looked for in the following locations: # +# $SCRIPTDIR/config (next to this script) # +# /usr/local/etc/dehydrated/config # +# /etc/dehydrated/config # +# ${PWD}/config (in current working-directory) # +# # +# Default values of this config are in comments # +######################################################## + +# Resolve names to addresses of IP version only. (curl) +# supported values: 4, 6 +# default: <unset> +#IP_VERSION= + +# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory) +CA="https://acme-v01.api.letsencrypt.org/directory" + +# Path to certificate authority license terms redirect (default: https://acme-v01.api.letsencrypt.org/terms) +CA_TERMS="https://acme-v01.api.letsencrypt.org/terms" + +#CA="https://acme-staging.api.letsencrypt.org/directory" +#CA_TERMS="https://acme-staging.api.letsencrypt.org/terms" + +# Path to license agreement (default: <unset>) +#LICENSE="" + +# Which challenge should be used? Currently http-01 and dns-01 are supported +CHALLENGETYPE="http-01" + +# Path to a directory containing additional config files, allowing to override +# the defaults found in the main configuration file. Additional config files +# in this directory needs to be named with a '.sh' ending. +# default: <unset> +#CONFIG_D= + +# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined) +#BASEDIR=$SCRIPTDIR + +# File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt) +DOMAINS_TXT="/app/letsencrypt/domains.txt" + +# Output directory for generated certificates +CERTDIR="/data/certs" + +# Directory for account keys and registration information +ACCOUNTDIR="/data/accounts" + +# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated) +WELLKNOWN="/data/wellknown/acme-challenge" + +# Default keysize for private keys (default: 4096) +KEYSIZE="4096" + +# Path to openssl config file (default: <unset> - tries to figure out system default) +#OPENSSL_CNF= + +# Program or function called in certain situations +# +# After generating the challenge-response, or after failed challenge (in this case altname is empty) +# Given arguments: clean_challenge|deploy_challenge altname token-filename token-content +# +# After successfully signing certificate +# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem +# +# BASEDIR and WELLKNOWN variables are exported and can be used in an external program +# default: <unset> +#HOOK= + +# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no) +#HOOK_CHAIN="no" + +# Minimum days before expiration to automatically renew certificate (default: 30) +#RENEW_DAYS="30" + +# Regenerate private keys instead of just signing new certificates on renewal (default: yes) +#PRIVATE_KEY_RENEW="yes" + +# Create an extra private key for rollover (default: no) +#PRIVATE_KEY_ROLLOVER="no" + +# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1 +#KEY_ALGO=rsa + +# E-mail to use during the registration (default: <unset>) +CONTACT_EMAIL=till@hoeppner.ws + +# Lockfile location, to prevent concurrent access (default: $BASEDIR/lock) +LOCKFILE="/app/letsencrypt/lock" + +# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no) +#OCSP_MUST_STAPLE="no" + diff --git a/images/router/letsencrypt/domains.txt b/images/router/letsencrypt/domains.txt new file mode 100644 index 0000000..d062476 --- /dev/null +++ b/images/router/letsencrypt/domains.txt @@ -0,0 +1 @@ +tx0.co m.tx0.co matrix.tx0.co g.tx0.co git.tx0.co z.tx0.co znc.tx0.co p.tx0.co paste.tx0.co diff --git a/images/router/nginx/fastcgi.conf b/images/router/nginx/fastcgi.conf new file mode 100644 index 0000000..091738c --- /dev/null +++ b/images/router/nginx/fastcgi.conf @@ -0,0 +1,26 @@ + +fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; diff --git a/images/router/nginx/http.off/matrix b/images/router/nginx/http.off/matrix new file mode 100644 index 0000000..cedd917 --- /dev/null +++ b/images/router/nginx/http.off/matrix @@ -0,0 +1,14 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name m.tx0.co; + + include snippets/ssl; + include snippets/wellknown; + + location /_matrix { + proxy_pass http://matrix:8008; + proxy_set_header X-Forwarded-For $remote_addr; + } +} diff --git a/images/router/nginx/http.off/pad b/images/router/nginx/http.off/pad new file mode 100644 index 0000000..4aa0e2e --- /dev/null +++ b/images/router/nginx/http.off/pad @@ -0,0 +1,15 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name pad.tx0.co; + + include snippets/ssl; + include snippets/wellknown; + + location / { + auth_basic "pad"; + auth_basic_user_file pad/passwd; + proxy_pass http://etherpad; + } +} diff --git a/images/router/nginx/http.off/redirect b/images/router/nginx/http.off/redirect new file mode 100644 index 0000000..8548646 --- /dev/null +++ b/images/router/nginx/http.off/redirect @@ -0,0 +1,10 @@ +server { + listen 80 default_server deferred; + listen [::]:80 default_server deferred; + + server_name _; + + include snippets/wellknown; + + return 301 https://$server_name$request_uri; +} diff --git a/images/router/nginx/http/git b/images/router/nginx/http/git new file mode 100644 index 0000000..0b14c54 --- /dev/null +++ b/images/router/nginx/http/git @@ -0,0 +1,13 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name g.tx0.co git.tx0.co; + + include snippets/ssl_http; + include snippets/wellknown; + + location / { + proxy_pass http://git; + } +} diff --git a/images/router/nginx/http/paste b/images/router/nginx/http/paste new file mode 100644 index 0000000..4e0c75b --- /dev/null +++ b/images/router/nginx/http/paste @@ -0,0 +1,26 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name tx0.co p.tx0.co paste.tx0.co; + + include snippets/ssl_http; + include snippets/wellknown; + + location / { + limit_except GET HEAD { + auth_basic 'Restricted'; + auth_basic_user_file /app/auth/paste; + } + + include snippets/uwsgi_params; + + uwsgi_pass paste:10002; + + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Fowarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + } +} diff --git a/images/router/nginx/http/znc b/images/router/nginx/http/znc new file mode 100644 index 0000000..6028ca9 --- /dev/null +++ b/images/router/nginx/http/znc @@ -0,0 +1,13 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name z.tx0.co znc.tx0.co; + + include snippets/ssl_http; + include snippets/wellknown; + + location / { + proxy_pass http://znc; + } +} diff --git a/images/router/nginx/koi-utf b/images/router/nginx/koi-utf new file mode 100644 index 0000000..e7974ff --- /dev/null +++ b/images/router/nginx/koi-utf @@ -0,0 +1,109 @@ + +# This map is not a full koi8-r <> utf8 map: it does not contain +# box-drawing and some other characters. Besides this map contains +# several koi8-u and Byelorussian letters which are not in koi8-r. +# If you need a full and standard map, use contrib/unicode2nginx/koi-utf +# map instead. + +charset_map koi8-r utf-8 { + + 80 E282AC ; # euro + + 95 E280A2 ; # bullet + + 9A C2A0 ; # + + 9E C2B7 ; # · + + A3 D191 ; # small yo + A4 D194 ; # small Ukrainian ye + + A6 D196 ; # small Ukrainian i + A7 D197 ; # small Ukrainian yi + + AD D291 ; # small Ukrainian soft g + AE D19E ; # small Byelorussian short u + + B0 C2B0 ; # ° + + B3 D081 ; # capital YO + B4 D084 ; # capital Ukrainian YE + + B6 D086 ; # capital Ukrainian I + B7 D087 ; # capital Ukrainian YI + + B9 E28496 ; # numero sign + + BD D290 ; # capital Ukrainian soft G + BE D18E ; # capital Byelorussian short U + + BF C2A9 ; # (C) + + C0 D18E ; # small yu + C1 D0B0 ; # small a + C2 D0B1 ; # small b + C3 D186 ; # small ts + C4 D0B4 ; # small d + C5 D0B5 ; # small ye + C6 D184 ; # small f + C7 D0B3 ; # small g + C8 D185 ; # small kh + C9 D0B8 ; # small i + CA D0B9 ; # small j + CB D0BA ; # small k + CC D0BB ; # small l + CD D0BC ; # small m + CE D0BD ; # small n + CF D0BE ; # small o + + D0 D0BF ; # small p + D1 D18F ; # small ya + D2 D180 ; # small r + D3 D181 ; # small s + D4 D182 ; # small t + D5 D183 ; # small u + D6 D0B6 ; # small zh + D7 D0B2 ; # small v + D8 D18C ; # small soft sign + D9 D18B ; # small y + DA D0B7 ; # small z + DB D188 ; # small sh + DC D18D ; # small e + DD D189 ; # small shch + DE D187 ; # small ch + DF D18A ; # small hard sign + + E0 D0AE ; # capital YU + E1 D090 ; # capital A + E2 D091 ; # capital B + E3 D0A6 ; # capital TS + E4 D094 ; # capital D + E5 D095 ; # capital YE + E6 D0A4 ; # capital F + E7 D093 ; # capital G + E8 D0A5 ; # capital KH + E9 D098 ; # capital I + EA D099 ; # capital J + EB D09A ; # capital K + EC D09B ; # capital L + ED D09C ; # capital M + EE D09D ; # capital N + EF D09E ; # capital O + + F0 D09F ; # capital P + F1 D0AF ; # capital YA + F2 D0A0 ; # capital R + F3 D0A1 ; # capital S + F4 D0A2 ; # capital T + F5 D0A3 ; # capital U + F6 D096 ; # capital ZH + F7 D092 ; # capital V + F8 D0AC ; # capital soft sign + F9 D0AB ; # capital Y + FA D097 ; # capital Z + FB D0A8 ; # capital SH + FC D0AD ; # capital E + FD D0A9 ; # capital SHCH + FE D0A7 ; # capital CH + FF D0AA ; # capital hard sign +} diff --git a/images/router/nginx/koi-win b/images/router/nginx/koi-win new file mode 100644 index 0000000..72afabe --- /dev/null +++ b/images/router/nginx/koi-win @@ -0,0 +1,103 @@ + +charset_map koi8-r windows-1251 { + + 80 88 ; # euro + + 95 95 ; # bullet + + 9A A0 ; # + + 9E B7 ; # · + + A3 B8 ; # small yo + A4 BA ; # small Ukrainian ye + + A6 B3 ; # small Ukrainian i + A7 BF ; # small Ukrainian yi + + AD B4 ; # small Ukrainian soft g + AE A2 ; # small Byelorussian short u + + B0 B0 ; # ° + + B3 A8 ; # capital YO + B4 AA ; # capital Ukrainian YE + + B6 B2 ; # capital Ukrainian I + B7 AF ; # capital Ukrainian YI + + B9 B9 ; # numero sign + + BD A5 ; # capital Ukrainian soft G + BE A1 ; # capital Byelorussian short U + + BF A9 ; # (C) + + C0 FE ; # small yu + C1 E0 ; # small a + C2 E1 ; # small b + C3 F6 ; # small ts + C4 E4 ; # small d + C5 E5 ; # small ye + C6 F4 ; # small f + C7 E3 ; # small g + C8 F5 ; # small kh + C9 E8 ; # small i + CA E9 ; # small j + CB EA ; # small k + CC EB ; # small l + CD EC ; # small m + CE ED ; # small n + CF EE ; # small o + + D0 EF ; # small p + D1 FF ; # small ya + D2 F0 ; # small r + D3 F1 ; # small s + D4 F2 ; # small t + D5 F3 ; # small u + D6 E6 ; # small zh + D7 E2 ; # small v + D8 FC ; # small soft sign + D9 FB ; # small y + DA E7 ; # small z + DB F8 ; # small sh + DC FD ; # small e + DD F9 ; # small shch + DE F7 ; # small ch + DF FA ; # small hard sign + + E0 DE ; # capital YU + E1 C0 ; # capital A + E2 C1 ; # capital B + E3 D6 ; # capital TS + E4 C4 ; # capital D + E5 C5 ; # capital YE + E6 D4 ; # capital F + E7 C3 ; # capital G + E8 D5 ; # capital KH + E9 C8 ; # capital I + EA C9 ; # capital J + EB CA ; # capital K + EC CB ; # capital L + ED CC ; # capital M + EE CD ; # capital N + EF CE ; # capital O + + F0 CF ; # capital P + F1 DF ; # capital YA + F2 D0 ; # capital R + F3 D1 ; # capital S + F4 D2 ; # capital T + F5 D3 ; # capital U + F6 C6 ; # capital ZH + F7 C2 ; # capital V + F8 DC ; # capital soft sign + F9 DB ; # capital Y + FA C7 ; # capital Z + FB D8 ; # capital SH + FC DD ; # capital E + FD D9 ; # capital SHCH + FE D7 ; # capital CH + FF DA ; # capital hard sign +} diff --git a/images/router/nginx/mime.types b/images/router/nginx/mime.types new file mode 100644 index 0000000..89be9a4 --- /dev/null +++ b/images/router/nginx/mime.types @@ -0,0 +1,89 @@ + +types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/png png; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + image/svg+xml svg svgz; + image/webp webp; + + application/font-woff woff; + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.wap.wmlc wmlc; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xspf+xml xspf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; + application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/ogg ogg; + audio/x-m4a m4a; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; +} diff --git a/images/router/nginx/modules/stream.conf b/images/router/nginx/modules/stream.conf new file mode 100644 index 0000000..9b0cbc3 --- /dev/null +++ b/images/router/nginx/modules/stream.conf @@ -0,0 +1 @@ +load_module "modules/ngx_stream_module.so"; diff --git a/images/router/nginx/nginx.conf b/images/router/nginx/nginx.conf new file mode 100644 index 0000000..cb9b8c8 --- /dev/null +++ b/images/router/nginx/nginx.conf @@ -0,0 +1,67 @@ +worker_processes auto; +pid /run/nginx.pid; + +include modules/stream.conf; + +events { + worker_connections 1024; +} + +http { + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + + #include /etc/nginx/mime.types; + default_type application/octet-stream; + + include snippets/ssl_ciphers; + ssl_session_cache shared:SSL:25m; + ssl_session_timeout 10m; + + # Gzip + gzip on; + gzip_disable "msie6"; + + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javasc$ + + # Logging + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name _; + return 301 https://$host$request_uri; + } + + server { + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + + server_name _; + include snippets/ssl_http; + return 503; + } + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/http/*; +} + +stream { + include snippets/ssl_ciphers; + + ssl_session_cache shared:TCP:25m; + ssl_session_timeout 10m; + + include /etc/nginx/stream/*; +} diff --git a/images/router/nginx/snippets/fastcgi_params b/images/router/nginx/snippets/fastcgi_params new file mode 100644 index 0000000..28decb9 --- /dev/null +++ b/images/router/nginx/snippets/fastcgi_params @@ -0,0 +1,25 @@ + +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; diff --git a/images/router/nginx/snippets/scgi_params b/images/router/nginx/snippets/scgi_params new file mode 100644 index 0000000..6d4ce4f --- /dev/null +++ b/images/router/nginx/snippets/scgi_params @@ -0,0 +1,17 @@ + +scgi_param REQUEST_METHOD $request_method; +scgi_param REQUEST_URI $request_uri; +scgi_param QUERY_STRING $query_string; +scgi_param CONTENT_TYPE $content_type; + +scgi_param DOCUMENT_URI $document_uri; +scgi_param DOCUMENT_ROOT $document_root; +scgi_param SCGI 1; +scgi_param SERVER_PROTOCOL $server_protocol; +scgi_param REQUEST_SCHEME $scheme; +scgi_param HTTPS $https if_not_empty; + +scgi_param REMOTE_ADDR $remote_addr; +scgi_param REMOTE_PORT $remote_port; +scgi_param SERVER_PORT $server_port; +scgi_param SERVER_NAME $server_name; diff --git a/images/router/nginx/snippets/ssl_ciphers b/images/router/nginx/snippets/ssl_ciphers new file mode 100644 index 0000000..6eefe74 --- /dev/null +++ b/images/router/nginx/snippets/ssl_ciphers @@ -0,0 +1,4 @@ + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; + ssl_prefer_server_ciphers on; + diff --git a/images/router/nginx/snippets/ssl_http b/images/router/nginx/snippets/ssl_http new file mode 100644 index 0000000..78d171e --- /dev/null +++ b/images/router/nginx/snippets/ssl_http @@ -0,0 +1,6 @@ +ssl_certificate /data/certs/tx0.co/fullchain.pem; +ssl_certificate_key /data/certs/tx0.co/privkey.pem; + +ssl_dhparam /app/dhparams.pem; + +add_header Strict-Transport-Security "max-age=31536000" always; diff --git a/images/router/nginx/snippets/ssl_tcp b/images/router/nginx/snippets/ssl_tcp new file mode 100644 index 0000000..b59b7bf --- /dev/null +++ b/images/router/nginx/snippets/ssl_tcp @@ -0,0 +1,4 @@ +ssl_certificate /data/certs/tx0.co/fullchain.pem; +ssl_certificate_key /data/certs/tx0.co/privkey.pem; + +ssl_dhparam /app/dhparams.pem; diff --git a/images/router/nginx/snippets/uwsgi_params b/images/router/nginx/snippets/uwsgi_params new file mode 100644 index 0000000..09c732c --- /dev/null +++ b/images/router/nginx/snippets/uwsgi_params @@ -0,0 +1,17 @@ + +uwsgi_param QUERY_STRING $query_string; +uwsgi_param REQUEST_METHOD $request_method; +uwsgi_param CONTENT_TYPE $content_type; +uwsgi_param CONTENT_LENGTH $content_length; + +uwsgi_param REQUEST_URI $request_uri; +uwsgi_param PATH_INFO $document_uri; +uwsgi_param DOCUMENT_ROOT $document_root; +uwsgi_param SERVER_PROTOCOL $server_protocol; +uwsgi_param REQUEST_SCHEME $scheme; +uwsgi_param HTTPS $https if_not_empty; + +uwsgi_param REMOTE_ADDR $remote_addr; +uwsgi_param REMOTE_PORT $remote_port; +uwsgi_param SERVER_PORT $server_port; +uwsgi_param SERVER_NAME $server_name; diff --git a/images/router/nginx/snippets/wellknown b/images/router/nginx/snippets/wellknown new file mode 100644 index 0000000..17aacf7 --- /dev/null +++ b/images/router/nginx/snippets/wellknown @@ -0,0 +1,5 @@ +location ^~ /.well-known/ { + alias /data/wellknown/; + try_files $uri $uri/ =404; + break; +} diff --git a/images/router/nginx/stream/znc b/images/router/nginx/stream/znc new file mode 100644 index 0000000..e496af7 --- /dev/null +++ b/images/router/nginx/stream/znc @@ -0,0 +1,8 @@ +server { + listen 6667 ssl; + listen [::]:6667 ssl; + + include snippets/ssl_tcp; + + proxy_pass znc:6667; +} diff --git a/images/router/nginx/win-utf b/images/router/nginx/win-utf new file mode 100644 index 0000000..ed8bc00 --- /dev/null +++ b/images/router/nginx/win-utf @@ -0,0 +1,126 @@ + +# This map is not a full windows-1251 <> utf8 map: it does not +# contain Serbian and Macedonian letters. If you need a full map, +# use contrib/unicode2nginx/win-utf map instead. + +charset_map windows-1251 utf-8 { + + 82 E2809A ; # single low-9 quotation mark + + 84 E2809E ; # double low-9 quotation mark + 85 E280A6 ; # ellipsis + 86 E280A0 ; # dagger + 87 E280A1 ; # double dagger + 88 E282AC ; # euro + 89 E280B0 ; # per mille + + 91 E28098 ; # left single quotation mark + 92 E28099 ; # right single quotation mark + 93 E2809C ; # left double quotation mark + 94 E2809D ; # right double quotation mark + 95 E280A2 ; # bullet + 96 E28093 ; # en dash + 97 E28094 ; # em dash + + 99 E284A2 ; # trade mark sign + + A0 C2A0 ; # + A1 D18E ; # capital Byelorussian short U + A2 D19E ; # small Byelorussian short u + + A4 C2A4 ; # currency sign + A5 D290 ; # capital Ukrainian soft G + A6 C2A6 ; # borken bar + A7 C2A7 ; # section sign + A8 D081 ; # capital YO + A9 C2A9 ; # (C) + AA D084 ; # capital Ukrainian YE + AB C2AB ; # left-pointing double angle quotation mark + AC C2AC ; # not sign + AD C2AD ; # soft hypen + AE C2AE ; # (R) + AF D087 ; # capital Ukrainian YI + + B0 C2B0 ; # ° + B1 C2B1 ; # plus-minus sign + B2 D086 ; # capital Ukrainian I + B3 D196 ; # small Ukrainian i + B4 D291 ; # small Ukrainian soft g + B5 C2B5 ; # micro sign + B6 C2B6 ; # pilcrow sign + B7 C2B7 ; # · + B8 D191 ; # small yo + B9 E28496 ; # numero sign + BA D194 ; # small Ukrainian ye + BB C2BB ; # right-pointing double angle quotation mark + + BF D197 ; # small Ukrainian yi + + C0 D090 ; # capital A + C1 D091 ; # capital B + C2 D092 ; # capital V + C3 D093 ; # capital G + C4 D094 ; # capital D + C5 D095 ; # capital YE + C6 D096 ; # capital ZH + C7 D097 ; # capital Z + C8 D098 ; # capital I + C9 D099 ; # capital J + CA D09A ; # capital K + CB D09B ; # capital L + CC D09C ; # capital M + CD D09D ; # capital N + CE D09E ; # capital O + CF D09F ; # capital P + + D0 D0A0 ; # capital R + D1 D0A1 ; # capital S + D2 D0A2 ; # capital T + D3 D0A3 ; # capital U + D4 D0A4 ; # capital F + D5 D0A5 ; # capital KH + D6 D0A6 ; # capital TS + D7 D0A7 ; # capital CH + D8 D0A8 ; # capital SH + D9 D0A9 ; # capital SHCH + DA D0AA ; # capital hard sign + DB D0AB ; # capital Y + DC D0AC ; # capital soft sign + DD D0AD ; # capital E + DE D0AE ; # capital YU + DF D0AF ; # capital YA + + E0 D0B0 ; # small a + E1 D0B1 ; # small b + E2 D0B2 ; # small v + E3 D0B3 ; # small g + E4 D0B4 ; # small d + E5 D0B5 ; # small ye + E6 D0B6 ; # small zh + E7 D0B7 ; # small z + E8 D0B8 ; # small i + E9 D0B9 ; # small j + EA D0BA ; # small k + EB D0BB ; # small l + EC D0BC ; # small m + ED D0BD ; # small n + EE D0BE ; # small o + EF D0BF ; # small p + + F0 D180 ; # small r + F1 D181 ; # small s + F2 D182 ; # small t + F3 D183 ; # small u + F4 D184 ; # small f + F5 D185 ; # small kh + F6 D186 ; # small ts + F7 D187 ; # small ch + F8 D188 ; # small sh + F9 D189 ; # small shch + FA D18A ; # small hard sign + FB D18B ; # small y + FC D18C ; # small soft sign + FD D18D ; # small e + FE D18E ; # small yu + FF D18F ; # small ya +} diff --git a/images/router/service/letsencrypt/run b/images/router/service/letsencrypt/run new file mode 100644 index 0000000..7fcc76d --- /dev/null +++ b/images/router/service/letsencrypt/run @@ -0,0 +1,19 @@ +#!/bin/sh + +# wait for nginx to startup, for http challenge +sv start nginx || exit 1 +sleep 10 + +# half a day, 60 * 60 * 12 +INTERVAL=43200 + +mkdir -p /data/wellknown/acme-challenge + +/app/dehydrated/dehydrated --register --accept-terms --config /app/letsencrypt/config + +while true; do + echo "Updating certificates" + /app/dehydrated/dehydrated --cron --config /app/letsencrypt/config + nginx -s reload # certificates might have changed + sleep $INTERVAL +done diff --git a/images/router/service/nginx/run b/images/router/service/nginx/run new file mode 100644 index 0000000..bfc6e24 --- /dev/null +++ b/images/router/service/nginx/run @@ -0,0 +1,16 @@ +#!/bin/sh + +ln -sf /dev/stdout /var/log/nginx/access.log +ln -sf /dev/stderr /var/log/nginx/error.log + +# nginx doesn't start without certificates, +# so generate untrusted ones for startup +if [ ! -d "/data/certs/tx0.co" ]; then + echo "Generating dummy certificates" + mkdir -p /data/certs/tx0.co + openssl req -x509 -nodes -batch -newkey rsa:512 -days 0 \ + -keyout /data/certs/tx0.co/privkey.pem \ + -out /data/certs/tx0.co/fullchain.pem +fi + +exec nginx -g 'daemon off;' |