From 1b6f0402aa374e4033074480e9bc15b81dd6f239 Mon Sep 17 00:00:00 2001 From: tradewind Date: Tue, 25 Jun 2024 11:44:07 +0800 Subject: [PATCH] #update template --- run.sh | 8 ++++ sites-available/9song-api | 47 ++++++++++++------- sites-available/api | 80 +++++++++++++++++++------------- sites-available/bitwarden | 48 ++++++++++++------- sites-available/chat | 59 ++++++++++++++--------- sites-available/emby | 48 ++++++++++++------- sites-available/gitea | 49 +++++++++++-------- sites-available/img | 47 ++++++++++++------- sites-available/jenkins | 47 ++++++++++++------- sites-available/joplin | 64 +++++++++++-------------- sites-available/leanote | 49 ++++++++++++------- sites-available/mozilla_template | 38 +++++++++++++++ sites-available/music | 42 ----------------- sites-available/nas | 53 ++++++++++++--------- sites-available/rss | 31 ------------- sites-available/send | 31 ------------- sites-available/sync | 29 ------------ sites-available/teamcity | 49 +++++++++++-------- sites-available/tr | 48 ++++++++++++------- sites-available/wiznote | 47 ++++++++++++------- sites-available/www | 12 ++++- sites-enabled | 5 -- 22 files changed, 503 insertions(+), 428 deletions(-) create mode 100644 sites-available/mozilla_template delete mode 100644 sites-available/music delete mode 100644 sites-available/rss delete mode 100644 sites-available/send delete mode 100644 sites-available/sync diff --git a/run.sh b/run.sh index 4e5275c..1b4053c 100644 --- a/run.sh +++ b/run.sh @@ -1,5 +1,13 @@ #!/bin/bash +if [ -f /etc/nginx/nginx.conf ] && [ -d /var/log/nginx ];then + echo 'nginx 已安装' +else + sudo apt-get install -y nginx +fi + +# install docker? + rm -rf /etc/nginx/sites-available/* /etc/nginx/sites-enabled/* cd /home/ubuntu/code/nginx-conf || return 1 diff --git a/sites-available/9song-api b/sites-available/9song-api index 2ef299b..fd019bb 100644 --- a/sites-available/9song-api +++ b/sites-available/9song-api 
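Review bot: A failed `sudo apt-get install -y nginx` in the new install branch is never checked, so the script carries on to `rm -rf /etc/nginx/sites-available/* /etc/nginx/sites-enabled/*` and the later steps on a host that has no nginx at all; change it to `sudo apt-get update && sudo apt-get install -y nginx || exit 1`. The pre-existing `cd … || return 1` on the following context line does not stop an executed (non-sourced) bash script either — `return` outside a function only prints an error and execution continues — so `exit 1` or `set -e` near the shebang is the reliable guard. Note as well that the install step runs under sudo while the `rm -rf` does not, so the script presumably only works when already run as root. The rest of run.sh is outside the hunk.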
@@ -1,4 +1,20 @@ +# generated 2024-06-16, Mozilla Guideline v5.7, nginx 1.18.0, OpenSSL 3.0.2, modern configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=3.0.2&guideline=5.7 server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name 9song-api.tradewind.vip; + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name 9song-api.tradewind.vip; location / { @@ -8,23 +24,20 @@ server { proxy_pass http://127.0.0.1:8000/; } - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + # modern configuration + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + # replace with the IP address of your resolver + resolver 223.5.5.5; } -server { - if ($host = 9song-api.tradewind.vip) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - server_name 9song-api.tradewind.vip; - return 404; # managed by Certbot - - -} diff --git a/sites-available/api b/sites-available/api index 22c3d73..91e1dc5 100644 --- a/sites-available/api +++ b/sites-available/api 
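Review bot: `listen 80 default_server;` / `listen [::]:80 default_server;` in the new port-80 block is repeated verbatim in every other sites-available file of this commit, and nginx allows exactly one default server per address:port (`nginx -t` fails with "a duplicate default server for 0.0.0.0:80"), so as soon as two of these files are symlinked into sites-enabled the whole configuration refuses to load. The `default_server` flag from the Mozilla template only makes sense in a single catch-all vhost; here it should be dropped, leaving `listen 80;` and `listen [::]:80;` with `server_name 9song-api.tradewind.vip;` doing the matching. The same change is needed in every other vhost touched by this patch.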
@@ -1,36 +1,54 @@ +# generated 2024-06-16, Mozilla Guideline v5.7, nginx 1.18.0, OpenSSL 3.0.2, modern configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=3.0.2&guideline=5.7 server { - listen 443; - server_name api.tradewind.vip; + listen 80 default_server; + listen [::]:80 default_server; - ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - - root /var/www/http/tradewind-api/public; - index index.php; - location / { - try_files $uri $uri/ /index.php?$query_string; - } - - location ~ \.php$ { - fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - fastcgi_split_path_info ^((?U).+\.php)(/?.+)$; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; - include fastcgi_params; - } -} - -server { - if ($host = api.tradewind.vip) { - return 301 https://$host$request_uri; - } # managed by Certbot - - listen 80; server_name api.tradewind.vip; - return 404; # managed by Certbot + + location / { + return 301 https://$host$request_uri; + } } +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name api.tradewind.vip; + + root /var/www/http/tradewind-api/public; + + index index.php; + location / { + try_files $uri $uri/ /index.php?$query_string; + } + + location ~ \.php$ { + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + fastcgi_split_path_info ^((?U).+\.php)(/?.+)$; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; + include fastcgi_params; + } + + ssl_certificate 
/etc/letsencrypt/live/tradewind.vip/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + + # modern configuration + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + # replace with the IP address of your resolver + resolver 223.5.5.5; +} + + diff --git a/sites-available/bitwarden b/sites-available/bitwarden index f735cb6..be6728d 100644 --- a/sites-available/bitwarden +++ b/sites-available/bitwarden @@ -1,4 +1,20 @@ +# generated 2024-06-16, Mozilla Guideline v5.7, nginx 1.18.0, OpenSSL 3.0.2, modern configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=3.0.2&guideline=5.7 server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name bitwarden.tradewind.vip; + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name bitwarden.tradewind.vip; # Allow large attachments 
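Review bot: The PHP location `location ~ \.php$` hands `SCRIPT_FILENAME $document_root$fastcgi_script_name` to php-fpm without checking that the file exists; if php-fpm runs with the default `cgi.fix_pathinfo=1`, a request like `/uploads/x.jpg/a.php` makes PHP walk back to `/uploads/x.jpg` and execute it, so any user-writable path under `/var/www/http/tradewind-api/public` becomes a code-execution path. Add `try_files $fastcgi_script_name =404;` as the first line of that location (or set `cgi.fix_pathinfo=0` on the php-fpm side, which is outside this repo). Whether the API accepts uploads cannot be seen from this file, but the guard costs nothing either way. Separately, `resolver 223.5.5.5;` has no effect in this server because `fastcgi_pass 127.0.0.1:9000` is a literal address.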
@@ -14,23 +30,21 @@ server { proxy_pass http://$router:10060; } - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + + # modern configuration + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + # replace with the IP address of your resolver + resolver 223.5.5.5; } -server { - if ($host = bitwarden.tradewind.vip) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - server_name bitwarden.tradewind.vip; - return 404; # managed by Certbot - - -} diff --git a/sites-available/chat b/sites-available/chat index a3380c9..95374b7 100644 --- a/sites-available/chat +++ b/sites-available/chat 
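Review bot: `proxy_pass http://$router:10060;` sends the vault traffic for bitwarden.tradewind.vip in cleartext to whatever `router.tradewind.vip` resolves to, and because the upstream is a variable that name is looked up at request time through `resolver 223.5.5.5;`, a public resolver reached over unauthenticated UDP. A spoofed or poisoned answer therefore redirects the entire password-manager session, headers and bodies included, to an attacker-chosen host. Prefer a resolver on the box itself (the template ships `resolver 127.0.0.1;`) with an explicit `valid=` TTL, or a static address for the router, and if the router is not on the same private network terminate TLS there and use `proxy_pass https://…` with `proxy_ssl_verify on;`. Whether router.tradewind.vip is LAN-only cannot be told from this config.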
@@ -1,26 +1,43 @@ +# generated 2024-06-16, Mozilla Guideline v5.7, nginx 1.18.0, OpenSSL 3.0.2, modern configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=3.0.2&guideline=5.7 server { - listen 443; - server_name chat.tradewind.vip; + listen 80 default_server; + listen [::]:80 default_server; - ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - - root /var/www/html/chatchan; - index index.html; - location / { - try_files $uri $uri/ =404; - } -} - -server { - if ($host = chat.tradewind.vip) { - return 301 https://$host$request_uri; - } # managed by Certbot - - listen 80; server_name chat.tradewind.vip; - return 404; # managed by Certbot + + location / { + return 301 https://$host$request_uri; + } } +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name chat.tradewind.vip; + + root /var/www/html/chatchan; + index index.html; + location / { + try_files $uri $uri/ =404; + } + + ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + + # modern configuration + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + # replace with the IP address of your resolver + resolver 223.5.5.5; +} + + diff --git a/sites-available/emby b/sites-available/emby index bff3741..dd4ca70 100644 --- a/sites-available/emby +++ b/sites-available/emby 
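Review bot: `return 301 https://$host$request_uri;` in the new port-80 block reflects the client's Host header into the redirect target, and because the block is also `default_server` it answers for any name that reaches port 80, so `Host: evil.example` yields `Location: https://evil.example/…`. That is a low-severity open redirect and also sends clients without an HSTS entry to an origin this server never intended; redirect to the fixed name instead: `return 301 https://chat.tradewind.vip$request_uri;`. The same pattern appears in every other vhost of this patch.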
@@ -1,4 +1,20 @@ +# generated 2024-06-16, Mozilla Guideline v5.7, nginx 1.18.0, OpenSSL 3.0.2, modern configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=3.0.2&guideline=5.7 server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name emby.tradewind.vip; + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name emby.tradewind.vip; location / { @@ -10,23 +26,19 @@ server { proxy_pass http://$router:8096; } - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - -} - -server { - if ($host = emby.tradewind.vip) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - server_name emby.tradewind.vip; - return 404; # managed by Certbot - + ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + # modern configuration + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + # replace with the IP address of your resolver + resolver 223.5.5.5; } diff --git a/sites-available/gitea b/sites-available/gitea index e402025..0d839dd 100644 --- a/sites-available/gitea +++ b/sites-available/gitea 
@@ -1,8 +1,23 @@ +# generated 2024-06-16, Mozilla Guideline v5.7, nginx 1.18.0, OpenSSL 3.0.2, modern configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=3.0.2&guideline=5.7 server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name gitea.tradewind.vip; + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name gitea.tradewind.vip; location / { - resolver 223.5.5.5; set $router "router.tradewind.vip"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; @@ -10,23 +25,19 @@ server { proxy_pass http://$router:10010; } - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - -} - -server { - if ($host = gitea.tradewind.vip) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - server_name gitea.tradewind.vip; - return 404; # managed by Certbot - + ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + # modern configuration + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + # replace with the IP address of your resolver + resolver 223.5.5.5; } diff --git a/sites-available/img b/sites-available/img index 429cc2d..bda28f7 100644 --- a/sites-available/img +++ b/sites-available/img 
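Review bot: Moving `resolver 223.5.5.5;` from `location /` to server scope keeps behaviour, but nothing visible in this vhost raises `client_max_body_size`, so a `git push` over HTTPS to `$router:10010` is capped at nginx's 1 MB default and fails with 413 for anything non-trivial — unless the limit is set at http level in nginx.conf, which is not part of this repo. Add `client_max_body_size 0;` (or a deliberate cap) to the `location /` block next to the proxy headers. The proxy header line between the two hunks is not shown, so if a limit already lives there this is moot.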
@@ -1,4 +1,20 @@ +# generated 2024-06-16, Mozilla Guideline v5.7, nginx 1.18.0, OpenSSL 3.0.2, modern configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=3.0.2&guideline=5.7 server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name img.tradewind.vip; + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name img.tradewind.vip; location / { @@ -9,23 +25,20 @@ server { proxy_pass https://txapi.tradewind.vip/release/imgbed/; } - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + # modern configuration + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + # replace with the IP address of your resolver + resolver 223.5.5.5; } -server { - if ($host = img.tradewind.vip) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - server_name img.tradewind.vip; - return 404; # managed by Certbot - - -} diff --git a/sites-available/jenkins b/sites-available/jenkins index 694bd26..eda022c 100644 --- a/sites-available/jenkins +++ b/sites-available/jenkins 
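Review bot: `proxy_pass https://txapi.tradewind.vip/release/imgbed/;` makes nginx a TLS client, but nginx does not verify upstream certificates by default (`proxy_ssl_verify` is off) and does not send SNI unless asked, so the hop to txapi.tradewind.vip accepts any certificate an on-path attacker presents. Add to `location /`: `proxy_ssl_server_name on;`, `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;`. Because the upstream name is a literal it is resolved once at config load, so the new server-level `resolver` does not influence this proxy_pass.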
@@ -1,4 +1,20 @@ +# generated 2024-06-16, Mozilla Guideline v5.7, nginx 1.18.0, OpenSSL 3.0.2, modern configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=3.0.2&guideline=5.7 server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name jenkins.tradewind.vip; + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name jenkins.tradewind.vip; location / { @@ -9,23 +25,20 @@ server { proxy_pass http://tradewind.myqnapcloud.com:10030/; } - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + # modern configuration + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + # replace with the IP address of your resolver + resolver 223.5.5.5; } -server { - if ($host = jenkins.tradewind.vip) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - server_name jenkins.tradewind.vip; - return 404; # managed by Certbot - - -} diff --git a/sites-available/joplin b/sites-available/joplin index 4dbdf22..ae1ac73 100644 --- a/sites-available/joplin +++ b/sites-available/joplin 
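Review bot: `proxy_pass http://tradewind.myqnapcloud.com:10030/;` terminates the modern-TLS front end and then carries Jenkins logins, crumbs and session cookies in cleartext to a dynamic-DNS hostname; unless that name resolves to an address on the same private network, the hardening this patch adds stops at the proxy. Serve Jenkins over TLS on the NAS side (`proxy_pass https://…` with `proxy_ssl_verify on;`) or route the hop through a tunnel. Separately, a literal hostname in proxy_pass is resolved once when the configuration is loaded, so if the myqnapcloud record changes nginx keeps using the stale IP until a reload; if that address moves, use `set $upstream tradewind.myqnapcloud.com; proxy_pass http://$upstream:10030/;` so the new `resolver` is actually consulted.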
@@ -1,8 +1,23 @@ +# generated 2024-06-16, Mozilla Guideline v5.7, nginx 1.18.0, OpenSSL 3.0.2, modern configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=3.0.2&guideline=5.7 server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name joplin.tradewind.vip; + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name joplin.tradewind.vip; location / { - resolver 223.5.5.5; set $router "router.tradewind.vip:22300"; proxy_set_header Host $host; proxy_redirect off; 
@@ -11,43 +26,20 @@ server { proxy_pass http://$router; } - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; -} -server { - server_name joplin.tradewind.vip; + # modern configuration + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; - location / { -resolver 223.5.5.5; -set $router "router.tradewind.vip"; - proxy_set_header Host $host; -# proxy_redirect off; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://$router:8888; - } - - listen 5000 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + # replace with the IP address of your resolver + resolver 223.5.5.5; } -server { - if ($host = joplin.tradewind.vip) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - server_name joplin.tradewind.vip; - return 404; # managed by Certbot - - -} diff --git a/sites-available/leanote b/sites-available/leanote index 0c96385..04d98d0 100644 --- a/sites-available/leanote 
+++ b/sites-available/leanote @@ -1,8 +1,23 @@ +# generated 2024-06-16, Mozilla Guideline v5.7, nginx 1.18.0, OpenSSL 3.0.2, modern configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=3.0.2&guideline=5.7 server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name leanote.tradewind.vip; + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name leanote.tradewind.vip; location / { - resolver 223.5.5.5; set $router "router.tradewind.vip"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; @@ -12,23 +27,21 @@ server { location /demo { deny all; } - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + + # modern configuration + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + # replace with the IP address of your resolver + resolver 223.5.5.5; } -server { - if ($host = leanote.tradewind.vip) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - server_name leanote.tradewind.vip; - return 404; # managed by Certbot - - -} diff --git a/sites-available/mozilla_template b/sites-available/mozilla_template new file mode 100644 index 0000000..4b87fe2 --- /dev/null 
+++ b/sites-available/mozilla_template @@ -0,0 +1,38 @@ +# generated 2024-06-16, Mozilla Guideline v5.7, nginx 1.18.0, OpenSSL 3.0.2, modern configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=3.0.2&guideline=5.7 +server { + listen 80 default_server; + listen [::]:80 default_server; + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + ssl_certificate /path/to/signed_cert_plus_intermediates; + ssl_certificate_key /path/to/private_key; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + + # modern configuration + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + # OCSP stapling + ssl_stapling on; + ssl_stapling_verify on; + + # verify chain of trust of OCSP response using Root CA and Intermediate certs + ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediatemozilla_templates; + + # replace with the IP address of your resolver + resolver 127.0.0.1; +} diff --git a/sites-available/music b/sites-available/music deleted file mode 100644 index 10f7e27..0000000 --- a/sites-available/music +++ /dev/null 
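Review bot: The placeholder on the `ssl_trusted_certificate` line reads `/path/to/root_CA_cert_plus_intermediatemozilla_templates`, which looks like a botched search-and-replace of the generator's `root_CA_cert_plus_intermediates`; anyone copying this template inherits a path that can never be right. Restore `ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;`. Note also that the per-site files derived from this template drop the `ssl_stapling on; ssl_stapling_verify on;` pair and replace `resolver 127.0.0.1;` with `223.5.5.5`, so the template no longer reflects what is deployed; either keep stapling in the sites (pointing `ssl_trusted_certificate` at the Let's Encrypt chain) or remove it here so the two stay in sync.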
@@ -1,42 +0,0 @@ -map $http_upgrade $connection_upgrade { - default upgrade; - '' close; -} - -server { - server_name music.tradewind.vip; - - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_pass http://127.0.0.1:8080/; - } - -# listen 80; - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/music.tradewind.vip/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/music.tradewind.vip/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - -} - -server { - if ($host = music.tradewind.vip) { - return 301 https://$host$request_uri; - } # managed by Certbot - - listen 80; - server_name music.tradewind.vip; - return 404; # managed by Certbot -} - -#server { -# listen 8080; -# server_name tradewind.vip; -# return 301 https://music.tradewind.vip; -#} - diff --git a/sites-available/nas b/sites-available/nas index 62ea056..1b66ac4 100644 --- a/sites-available/nas +++ b/sites-available/nas @@ -1,8 +1,23 @@ +# generated 2024-06-16, Mozilla Guideline v5.7, nginx 1.18.0, OpenSSL 3.0.2, modern configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=3.0.2&guideline=5.7 server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name nas.tradewind.vip; + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name nas.tradewind.vip; location / { - resolver 223.5.5.5; set $router "router.tradewind.vip"; proxy_set_header Host $host; proxy_redirect off; 
@@ -11,28 +26,20 @@ server { proxy_pass http://$router:5000; } - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + # modern configuration + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + # replace with the IP address of your resolver + resolver 223.5.5.5; } -#server { -# listen 80; -# server_name nas.tradewind.vip; -# return 301 https://$host$request_uri; -#} -server { - if ($host = nas.tradewind.vip) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - server_name nas.tradewind.vip; - return 404; # managed by Certbot - - -} diff --git a/sites-available/rss b/sites-available/rss deleted file mode 100644 index e64a391..0000000 --- a/sites-available/rss +++ /dev/null 
@@ -1,31 +0,0 @@ -server { - server_name rss.tradewind.vip; - - location / { - proxy_set_header Host $host; -# proxy_redirect off; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://127.0.0.1:1200/; - } - - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - -} - -server { - if ($host = rss.tradewind.vip) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - server_name rss.tradewind.vip; - return 404; # managed by Certbot - - -} diff --git a/sites-available/send b/sites-available/send deleted file mode 100644 index 10966ea..0000000 --- a/sites-available/send +++ /dev/null @@ -1,31 +0,0 @@ -server { - server_name send.tradewind.vip; - - location / { - proxy_set_header Host $host; -# proxy_redirect off; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass https://airportal.cn/; - } - - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - -} - -server { - if ($host = send.tradewind.vip) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - server_name send.tradewind.vip; - return 404; # managed by Certbot - - -} diff --git a/sites-available/sync b/sites-available/sync deleted file mode 100644 index d2a7ad1..0000000 --- a/sites-available/sync +++ /dev/null 
@@ -1,29 +0,0 @@ -server { - server_name sync.tradewind.vip; - - location / { - proxy_set_header Host $host; -# proxy_redirect off; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://router.tradewind.vip:5007/Sync; - } - - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - -} - -server { - if ($host = sync.tradewind.vip) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - server_name sync.tradewind.vip; - return 404; # managed by Certbot -} diff --git a/sites-available/teamcity b/sites-available/teamcity index e6f2132..b0432de 100644 --- a/sites-available/teamcity +++ b/sites-available/teamcity @@ -1,8 +1,23 @@ +# generated 2024-06-16, Mozilla Guideline v5.7, nginx 1.18.0, OpenSSL 3.0.2, modern configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=3.0.2&guideline=5.7 server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name teamcity.tradewind.vip; + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name teamcity.tradewind.vip; location / { - resolver 223.5.5.5; set $router "router.tradewind.vip"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; 
@@ -10,23 +25,19 @@ server { proxy_pass http://$router:8111; } - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - -} - -server { - if ($host = teamcity.tradewind.vip) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - listen 80; - server_name teamcity.tradewind.vip; - return 404; # managed by Certbot - + ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + # modern configuration + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + # replace with the IP address of your resolver + resolver 223.5.5.5; } diff --git a/sites-available/tr b/sites-available/tr index 28ffbd8..effbde0 100644 --- a/sites-available/tr +++ b/sites-available/tr @@ -1,8 +1,23 @@ +# generated 2024-06-16, Mozilla Guideline v5.7, nginx 1.18.0, OpenSSL 3.0.2, modern configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=3.0.2&guideline=5.7 server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name tr.tradewind.vip; + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name tr.tradewind.vip; location / { - resolver 223.5.5.5; set $router "router.tradewind.vip"; proxy_set_header Host $host; proxy_redirect off; 
@@ -11,23 +26,20 @@ server {
 proxy_pass http://$router:49091;
 }
- listen 443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+ # modern configuration
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # replace with the IP address of your resolver
+ resolver 223.5.5.5;
 }
-server {
- if ($host = tr.tradewind.vip) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- server_name tr.tradewind.vip;
- return 404; # managed by Certbot
-
-
-}
diff --git a/sites-available/wiznote b/sites-available/wiznote
index 549c11a..1701e50 100644
--- a/sites-available/wiznote
+++ b/sites-available/wiznote
@@ -1,4 +1,20 @@
+# generated 2024-06-16, Mozilla Guideline v5.7, nginx 1.18.0, OpenSSL 3.0.2, modern configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=3.0.2&guideline=5.7
 server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ server_name wiznote.tradewind.vip;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
 server_name wiznote.tradewind.vip;
 location / {
@@ -9,23 +25,20 @@ server {
 proxy_pass http://tradewind.myqnapcloud.com:10020/;
 }
- listen 443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+ # modern configuration
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # replace with the IP address of your resolver
+ resolver 223.5.5.5;
 }
-server {
- if ($host = wiznote.tradewind.vip) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- server_name wiznote.tradewind.vip;
- return 404; # managed by Certbot
-
-
-}
diff --git a/sites-available/www b/sites-available/www
index c1ed007..92b6b72 100644
--- a/sites-available/www
+++ b/sites-available/www
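Review bot: The hardened TLS block covers only the client-facing hop, while the context line `proxy_pass http://tradewind.myqnapcloud.com:10020/;` still forwards every request in cleartext to a DDNS hostname that is presumably not on this host, so the HSTS-protected session is re-exposed on the backend leg. If that backend can speak TLS, `proxy_pass https://tradewind.myqnapcloud.com:10020/;` with `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate` and `proxy_ssl_name` closes the gap; if it cannot, the file should say so with a comment such as `# NOTE: upstream is plain HTTP; TLS ends at this proxy`. teamcity and tr proxy to `router.tradewind.vip` in the same way; whether that is a LAN hop is not visible here.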
@@ -29,8 +29,16 @@ server {
 ssl_certificate /etc/letsencrypt/live/tradewind.vip/fullchain.pem; # managed by Certbot
 ssl_certificate_key /etc/letsencrypt/live/tradewind.vip/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ # modern configuration
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
 #
 # Note: You should disable gzip for SSL traffic.
 # See: https://bugs.debian.org/773332
diff --git a/sites-enabled b/sites-enabled
index dfa6e42..73fff2c 100644
--- a/sites-enabled
+++ b/sites-enabled
@@ -1,17 +1,12 @@
-00
-9song-api
 api
 bitwarden
 chat
 emby
 gitea
 img
-jenkins
 joplin
 leanote
 nas
-rss
-sync
 teamcity
 tr
 wiznote
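Review bot: `add_header Strict-Transport-Security "max-age=63072000" always;` is placed at server level, and nginx does not inherit `add_header` into any `location` that declares an `add_header` of its own, so every such location in this www server block silently loses HSTS; the block starts before file line 29 and continues past the hunk, so the rest of the file needs checking and the directive repeated (or moved into an included snippet) wherever a location sets headers. The `# managed by Certbot` tags stay on the two certificate lines while the `include options-ssl-nginx.conf` and `ssl_dhparam` lines certbot installed are removed; a later run of the certbot nginx installer may re-insert its own TLS settings here, so this file should be treated as hand-managed with a comment such as `# TLS settings hand-managed; do not run the certbot nginx installer on this file`. `ssl_protocols TLSv1.3;` alone is the template's intended choice, but since this is the public www site it is worth confirming that the clients that matter negotiate TLS 1.3.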