florent/docker
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

update swag

Browse Source
This commit is contained in:
Florent Guiotte 2024-08-11 22:18:13 +02:00
parent 560f291db9
commit 2636be1184
6 changed files with 148 additions and 121 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docker-compose.yml
View File

@ -148,9 +148,11 @@ services:
<<: *common-environment <<: *common-environment
FILE__DB_PASSWORD: /run/secrets/lychee-db-pw FILE__DB_PASSWORD: /run/secrets/lychee-db-pw
DB_HOST: lychee-db DB_HOST: lychee-db
DB_CONNECTION: mysql
DB_USERNAME: lychee DB_USERNAME: lychee
DB_DATABASE: lychee DB_DATABASE: lychee
DB_PORT: 3306 DB_PORT: 3306
APP_URL: https://photos.guiotte.fr
secrets: secrets:
- lychee-db-pw - lychee-db-pw

103
swag/nginx/nginx.conf
View File

@ -1,4 +1,7 @@
## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf ## Version 2023/04/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/nginx.conf.sample
### Based on alpine defaults
# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.19-stable
user abc; user abc;
@ -14,11 +17,13 @@ error_log /config/log/nginx/error.log;
# Includes files with directives to load dynamic modules. # Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf; include /etc/nginx/modules/*.conf;
# Include files with config snippets into the root context.
include /etc/nginx/conf.d/*.conf;
events { events {
# The maximum number of simultaneous connections that can be opened by # The maximum number of simultaneous connections that can be opened by
# a worker process. # a worker process.
worker_connections 1024; worker_connections 1024;
# multi_accept on;
} }
http { http {
@ -49,101 +54,29 @@ http {
# instead of using partial frames. Default is 'off'. # instead of using partial frames. Default is 'off'.
tcp_nopush on; tcp_nopush on;
# all ssl related config moved to ssl.conf
# included in server blocks where listen 443 is defined
# Enable gzipping of responses.
#gzip on;
# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
gzip_vary on;
# Helper variable for proxying websockets. # Helper variable for proxying websockets.
map $http_upgrade $connection_upgrade { map $http_upgrade $connection_upgrade {
default upgrade; default upgrade;
'' close; '' close;
} }
# Saves unauthorized log messages to a separate log file
map $status $unauthorized {
default 0;
~^401 1;
}
access_log /config/log/nginx/unauthorized.log combined if=$unauthorized;
# Sets the path, format, and configuration for a buffered log write. # Sets the path, format, and configuration for a buffered log write.
access_log /config/log/nginx/access.log; access_log /config/log/nginx/access.log;
# Includes virtual hosts configs. # Includes virtual hosts configs.
#include /etc/nginx/http.d/*.conf; include /etc/nginx/http.d/*.conf;
# WARNING: Don't use this directory for virtual hosts anymore.
# This include will be moved to the root context in Alpine 3.14.
#include /etc/nginx/conf.d/*.conf;
##
# Basic Settings
##
client_body_buffer_size 128k;
keepalive_timeout 65;
large_client_header_buffers 4 16k;
send_timeout 5m;
tcp_nodelay on;
types_hash_max_size 2048;
variables_hash_max_size 2048;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
#include /etc/nginx/naxsi_core.rules;
##
# nginx-passenger config
##
# Uncomment it if you installed nginx-passenger
##
#passenger_root /usr;
#passenger_ruby /usr/bin/ruby;
##
# Virtual Host Configs
##
include /config/nginx/site-confs/*.conf; include /config/nginx/site-confs/*.conf;
#Removed lua. Do not remove this comment
} }
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
daemon off; daemon off;
pid /run/nginx.pid; pid /run/nginx.pid;

26
swag/nginx/proxy-confs/lychee.subdomain.conf
View File

@ -1,9 +1,10 @@
## Version 2021/05/18 ## Version 2023/05/31
# make sure that your lychee container is named lychee
# make sure that your dns has a cname set for lychee # make sure that your dns has a cname set for lychee
server { server {
listen 443 ssl; listen 443 ssl http2;
listen [::]:443 ssl; listen [::]:443 ssl http2;
server_name photos.*; server_name photos.*;
@ -11,24 +12,29 @@ server {
client_max_body_size 0; client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf # enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap.conf; #include /config/nginx/ldap-server.conf;
# enable for Authelia # enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf; #include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
location / { location / {
# enable the next two lines for http auth # enable the next two lines for http auth
#auth_basic "Restricted"; #auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd; #auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth # enable for ldap auth (requires ldap-server.conf in the server block)
#auth_request /auth; #include /config/nginx/ldap-location.conf;
#error_page 401 =200 /ldaplogin;
# enable for Authelia # enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf; #include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf; include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf; include /config/nginx/resolver.conf;
set $upstream_app lychee; set $upstream_app lychee;

13
swag/nginx/proxy.conf
View File

@ -1,4 +1,4 @@
## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf ## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample
# Timeout if the real server is dead # Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
@ -10,7 +10,7 @@ proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024; proxy_headers_hash_max_size 1024;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_read_timeout 240; proxy_read_timeout 240;
proxy_redirect http:// $scheme://; proxy_redirect http:// $scheme://;
proxy_send_timeout 240; proxy_send_timeout 240;
# Proxy Cache and Cookie Settings # Proxy Cache and Cookie Settings
@ -26,6 +26,13 @@ proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;

85
swag/nginx/site-confs/default.conf Normal file
View File

@ -0,0 +1,85 @@
## Version 2024/03/06 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
# redirect all traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
}
# main server block
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
include /config/nginx/ssl.conf;
root /config/www;
index index.html index.htm index.php;
# enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
location / {
# enable for basic auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
}
location ~ ^(.+\.php)(.*)$ {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
fastcgi_split_path_info ^(.+\.php)(.*)$;
if (!-f $document_root$fastcgi_script_name) { return 404; }
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
# deny access to .htaccess/.htpasswd files
location ~ /\.ht {
deny all;
}
}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

40
swag/nginx/ssl.conf
View File

@ -1,46 +1,40 @@
## Version 2021/09/19 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf ## Version 2023/08/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample
### Mozilla Recommendations ### Mozilla Recommendations
# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration # generated 2023-06-25, Mozilla Guideline v5.7, nginx 1.24.0, OpenSSL 3.1.1, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4 # https://ssl-config.mozilla.org/#server=nginx&version=1.24.0&config=intermediate&openssl=3.1.1&guideline=5.7
ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off; ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /config/nginx/dhparams.pem;
# intermediate configuration # intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
#add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling # OCSP stapling
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
### Linuxserver.io Defaults
# Certificates
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs # verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem; ssl_trusted_certificate /config/keys/cert.crt;
# Diffie-Hellman Parameters
ssl_dhparam /config/nginx/dhparams.pem;
# Enable TLS 1.3 early data
ssl_early_data on;
# HSTS, remove # from the line below to enable HSTS
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Optional additional headers # Optional additional headers
#add_header Cache-Control "no-transform" always; #add_header Cache-Control "no-transform" always;
#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'"; #add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
#add_header Permissions-Policy "interest-cohort=()"; #add_header Permissions-Policy "interest-cohort=()" always;
#add_header Referrer-Policy "same-origin" always; #add_header Referrer-Policy "same-origin" always;
#add_header X-Content-Type-Options "nosniff" always; #add_header X-Content-Type-Options "nosniff" always;
#add_header X-Frame-Options "SAMEORIGIN" always; #add_header X-Frame-Options "SAMEORIGIN" always;
#add_header X-UA-Compatible "IE=Edge" always; #add_header X-UA-Compatible "IE=Edge" always;
#add_header X-XSS-Protection "1; mode=block" always; #add_header X-XSS-Protection "1; mode=block" always;