Updating WebServer deployment
@@ -8,6 +8,8 @@ server {
|
||||
location /
|
||||
{
|
||||
rewrite ^/martialarts(\/*)$ /assets/martialarts/index.html;
|
||||
rewrite /shadowarch /AniNIX/ShadowArch/raw/branch/main/EtcFiles/shadowarch
|
||||
|
||||
location /aninix.xml {
|
||||
proxy_hide_header Content-Type;
|
||||
add_header content-type "application/atom+xml";
|
||||
@@ -39,7 +41,7 @@ server {
|
||||
root /usr/share/webapps/aninix/;
|
||||
try_files $uri /blackpage.html;
|
||||
}
|
||||
|
||||
|
||||
include letsencrypt.conf;
|
||||
|
||||
}
|
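--- a/roles/WebServer/files/conf.d/Core/cyberbrain.conf
+++ b/roles/WebServer/files/conf.d/Core/cyberbrain.conf
@@ -0,0 +1,22 @@
+server {
+listen 443 ssl http2;
+server_name cyberbrain.aninix.net;
+
+include sec.conf;
+include default.csp.conf;
+include letsencrypt.conf;
+
+location /
+{
+auth_basic "Cyberbrain";
+auth_basic_user_file ../passwords/cyberbrain.htpasswd;
+proxy_pass http://127.0.0.1:8822;
+proxy_http_version 1.1;
+proxy_read_timeout 300;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Real-PORT $remote_port;
+}
+}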
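Review bot: `proxy_set_header Host $http_host;` in `location /` forwards whatever Host header the client sent to the backend on 127.0.0.1:8822; `proxy_set_header Host $host;` passes the name nginx itself resolved for the request instead. The client's `Authorization` header checked by `auth_basic` is also proxied to the backend by default, so if the backend does not need it, add `proxy_set_header Authorization "";`. The basic-auth prompt has no throttling in this block; a `limit_req` on this location would slow password guessing. The page lists this file as executable, which a config file does not need.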
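--- a/roles/WebServer/files/conf/default.csp.conf
+++ b/roles/WebServer/files/conf/default.csp.conf
@@ -0,0 +1 @@
+add_header "Content-Security-Policy" "default-src data: 'self' aninix.net foundation.aninix.net; script-src foundation.aninix.net www.gstatic.com www.google.com js.stripe.com unsafe-inline ssl.google-analytics.com 'self' aninix.net foundation.aninix.net data: 'unsafe-inline' 'unsafe-eval'; style-src foundation.aninix.net 'self' aninix.net foundation.aninix.net 'unsafe-inline' fonts.googleapis.com fonts.gstatic.com; img-src foundation.aninix.net 'self' aninix.net foundation.aninix.net upload.wikimedia.org commons.wikimedia.org creativecommons.org www.w3.org stripe.com ssl.google-analytics.com; font-src fonts.gstatic.com data: 'self' aninix.net foundation.aninix.net; connect-src ssl.google-analytics.com js.stripe.com mb3admin.com 'self' aninix.net foundation.aninix.net; media-src blob: 'self' aninix.net foundation.aninix.net ; child-src blob: 'self' js.stripe.com aninix.net foundation.aninix.net www.google.com; form-action 'self' aninix.net foundation.aninix.net; upgrade-insecure-requests;";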
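Review bot: In `script-src` the first `unsafe-inline` is written without quotes, so browsers read it as a host name rather than the keyword; it can be deleted. The quoted `'unsafe-inline' 'unsafe-eval'` and `data:` later in the same directive allow inline and eval'd script, which leaves the policy with little value against XSS; a comment naming the application that needs them, or a nonce/hash-based `script-src`, would be better. `default-src` is not a fallback for `base-uri` or `frame-ancestors`, so consider appending `base-uri 'self'; frame-ancestors 'self';`. The header is set without `always`, so it is not attached to error responses, and any `location` that declares its own `add_header` stops inheriting it.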
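--- a/roles/WebServer/files/conf/letsencrypt.conf
+++ b/roles/WebServer/files/conf/letsencrypt.conf
@@ -0,0 +1,6 @@
+location ~ ^/.well-known/acme-challenge
+{
+allow all;
+root /var/lib/letsencrypt/;
+default_type "text/plain";
+}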
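Review bot: The pattern `^/.well-known/acme-challenge` has an unescaped `.` and no trailing slash, so it matches more than the challenge directory (any path that merely begins with that string), and `allow all` then applies to every such path. A prefix match is tighter and avoids regex evaluation: `location ^~ /.well-known/acme-challenge/ {`. A one-line comment saying that `allow all` is presumably there to override an including server's `deny all` would make the intent clear to the next reader.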
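--- a/roles/WebServer/files/conf/local.conf
+++ b/roles/WebServer/files/conf/local.conf
@@ -0,0 +1,2 @@
+allow 10.0.1.0/24;
+deny all;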
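--- a/roles/WebServer/files/conf/sec.conf
+++ b/roles/WebServer/files/conf/sec.conf
@@ -0,0 +1,22 @@
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ssl_certificate /etc/letsencrypt/live/aninix.net-0001/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/aninix.net-0001/privkey.pem;
+
+ssl_session_cache shared:SSL:1m;
+ssl_session_timeout 5m;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers "!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_prefer_server_ciphers on;
+
+add_header "Strict-Transport-Security" "max-age=63072000; includeSubDomains; preload";
+add_header "X-Content-Type-Options" "nosniff";
+add_header "Public-Key-Pins" "pin-sha256=\"JYR9Zo608E/dQLErawdAxWfafQJDCOtsLJb+QdneIY0=\"; max-age=315360000; includeSubDomains";
+add_header "X-XSS-Protection" "1; mode=block";
+add_header "X-Frame-Options" "SAMEORIGIN";
+
+# Cross-Origin Resource Sharing
+# add_header 'Access-Control-Allow-Origin' '*' always;
+# add_header 'Access-Control-Allow_Credentials' 'true' always;
+# add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
+# add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;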
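Review bot: The `Public-Key-Pins` header should be dropped: HPKP has been removed from current browsers, and this line carries a single pin with a ten-year `max-age` and no backup pin, which leaves no recovery path if the pinned key changes. `X-XSS-Protection "1; mode=block"` is likewise obsolete; `add_header "X-XSS-Protection" "0";` or removing the line is the current recommendation. None of the `add_header` lines use `always`, so HSTS and `nosniff` are not attached to 4xx/5xx responses such as the 401 returned by `auth_basic`; the fix is the trailing keyword, e.g. `add_header "X-Content-Type-Options" "nosniff" always;`. If the commented CORS block is ever enabled, note that `Access-Control-Allow_Credentials` is misspelled (underscore) and that browsers reject a `*` origin combined with credentials.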
1975
roles/WebServer/files/php.ini
Normal file
1975
roles/WebServer/files/php.ini
Normal file
File diff suppressed because it is too large
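--- a/roles/WebServer/files/webserver.service
+++ b/roles/WebServer/files/webserver.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=AniNIX/WebServer | Powered by OpenResty
+After=syslog.target network.target
+
+[Service]
+Type=forking
+PIDFile=/run/openresty.pid
+ExecStartPre=/opt/openresty/nginx/sbin/nginx -t -q -g 'pid /run/openresty.pid; daemon on; master_process on;'
+ExecStart=/opt/openresty/nginx/sbin/nginx -g 'pid /run/openresty.pid; daemon on; master_process on;'
+ExecReload=/opt/openresty/nginx/sbin/nginx -g 'pid /run/openresty.pid; daemon on; master_process on;' -s reload
+ExecStop=/opt/openresty/nginx/sbin/nginx -g 'pid /run/openresty.pid;' -s quit
+
+[Install]
+WantedBy=multi-user.target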
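Review bot: The `[Service]` section sets no sandboxing directives, so the web server runs with whatever filesystem access its user has. `PrivateTmp=true`, `ProtectHome=true` and `ProtectSystem=full` are low-risk additions for a web server, to be checked against where this OpenResty build writes its logs and temp files. `After=syslog.target` is obsolete on current systemd and can be reduced to `After=network.target`.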