From df1304cb7e82ccb3982e82d72f8cd6c217a3c1b2 Mon Sep 17 00:00:00 2001
From: Florent Guiotte
Date: Mon, 11 Jul 2022 15:28:24 +0200
Subject: [PATCH] Save swag conf
---
 .gitignore | 9 ++
 swag/crontabs/root | 9 ++
 swag/fail2ban/jail.local | 59 +++++++++++
 swag/nginx/authelia-location.conf | 15 +++
 swag/nginx/authelia-server.conf | 52 ++++++++++
 swag/nginx/dhparams.pem | Bin 0 -> 790 bytes
 swag/nginx/ldap.conf | 92 +++++++++++++++++
 swag/nginx/nginx.conf | 149 ++++++++++++++++++++++++++++
 swag/nginx/proxy.conf | 31 ++++++
 swag/nginx/resolver.conf | 3 +
 swag/nginx/site-confs/default | 160 ++++++++++++++++++++++++++++++
 swag/nginx/ssl.conf | 46 +++++++++
 swag/php/php-local.ini | 3 +
 swag/php/www2.conf | 5 +
 swag/www/502.html | 44 ++++++++
 swag/www/index.html | 39 ++++++++
 16 files changed, 716 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 swag/crontabs/root
 create mode 100644 swag/fail2ban/jail.local
 create mode 100644 swag/nginx/authelia-location.conf
 create mode 100644 swag/nginx/authelia-server.conf
 create mode 100644 swag/nginx/dhparams.pem
 create mode 100644 swag/nginx/ldap.conf
 create mode 100644 swag/nginx/nginx.conf
 create mode 100644 swag/nginx/proxy.conf
 create mode 100644 swag/nginx/resolver.conf
 create mode 100644 swag/nginx/site-confs/default
 create mode 100644 swag/nginx/ssl.conf
 create mode 100644 swag/php/php-local.ini
 create mode 100644 swag/php/www2.conf
 create mode 100644 swag/www/502.html
 create mode 100644 swag/www/index.html
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..32ed50e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,9 @@
+swag/nginx/proxy-confs/
+swag/dns-conf/
+swag/keys/
+swag/log/
+swag/etc/
+swag/fail2ban/
+swag/.donoteditthisfile.conf
+swag/nginx/worker_processes.conf
+syncthing/
diff --git a/swag/crontabs/root b/swag/crontabs/root
new file mode 100644
index 0000000..c24fea0
--- /dev/null
+++ b/swag/crontabs/root
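Review bot: `swag/fail2ban/` on the sixth line of the new .gitignore excludes the whole directory while the same commit adds `swag/fail2ban/jail.local`; the already-tracked file keeps being tracked (presumably it was force-added), but anything else placed there later, such as the custom filter files jail.local's own comments invite, will silently stay out of the repository. If the jail configuration is meant to be versioned, narrow the rule to whatever fail2ban generates at runtime instead of ignoring the directory outright. Also note that `swag/nginx/ldap.conf`, which carries inline bind credentials, is not in this list.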
@@ -0,0 +1,9 @@
+# do daily/weekly/monthly maintenance
+# min hour day month weekday command
+*/15 * * * * run-parts /etc/periodic/15min
+0 * * * * run-parts /etc/periodic/hourly
+0 2 * * * run-parts /etc/periodic/daily
+0 3 * * 6 run-parts /etc/periodic/weekly
+0 5 1 * * run-parts /etc/periodic/monthly
+# renew letsencrypt certs
+8 2 * * * /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1
diff --git a/swag/fail2ban/jail.local b/swag/fail2ban/jail.local
new file mode 100644
index 0000000..ebac564
--- /dev/null
+++ b/swag/fail2ban/jail.local
@@ -0,0 +1,59 @@
+## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/jail.local
+# This is the custom version of the jail.conf for fail2ban
+# Feel free to modify this and add additional filters
+# Then you can drop the new filter conf files into the fail2ban-filters
+# folder and restart the container
+
+[DEFAULT]
+# Prevents banning LAN subnets
+ignoreip = 10.0.0.0/8
+ 192.168.0.0/16
+ 172.16.0.0/12
+
+# Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".
+banaction = iptables-allports
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = 600
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = 600
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5
+
+
+[ssh]
+enabled = false
+
+[nginx-http-auth]
+enabled = true
+filter = nginx-http-auth
+port = http,https
+logpath = /config/log/nginx/error.log
+
+[nginx-badbots]
+enabled = true
+port = http,https
+filter = nginx-badbots
+logpath = /config/log/nginx/access.log
+maxretry = 2
+
+[nginx-botsearch]
+enabled = true
+port = http,https
+filter = nginx-botsearch
+logpath = /config/log/nginx/access.log
+
+[nginx-deny]
+enabled = true
+port = http,https
+filter = nginx-deny
+logpath = /config/log/nginx/error.log
+
+[nginx-unauthorized]
+enabled = true
+port = http,https
+filter = nginx-unauthorized
+logpath = /config/log/nginx/unauthorized.log
diff --git a/swag/nginx/authelia-location.conf b/swag/nginx/authelia-location.conf
new file mode 100644
index 0000000..e3c1e98
--- /dev/null
+++ b/swag/nginx/authelia-location.conf
@@ -0,0 +1,15 @@
+## Version 2021/04/21 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-location.conf
+# Make sure that your authelia container is in the same user defined bridge network and is named authelia
+# Make sure that the authelia configuration.yml has 'path: "authelia"' defined
+
+auth_request /authelia/api/verify;
+auth_request_set $target_url $scheme://$http_host$request_uri;
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $groups $upstream_http_remote_groups;
+auth_request_set $name $upstream_http_remote_name;
+auth_request_set $email $upstream_http_remote_email;
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Groups $groups;
+proxy_set_header Remote-Name $name;
+proxy_set_header Remote-Email $email;
+error_page 401 =302 https://$http_host/authelia/?rd=$target_url;
diff --git a/swag/nginx/authelia-server.conf b/swag/nginx/authelia-server.conf
new file mode 100644
index 0000000..8bd63d0
--- /dev/null
+++ b/swag/nginx/authelia-server.conf
@@ -0,0 +1,52 @@
+## Version 2021/05/28 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-server.conf
+# Make sure that your authelia container is in the same user defined bridge network and is named authelia
+
+location ^~ /authelia {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_authelia authelia;
+ proxy_pass http://$upstream_authelia:9091;
+}
+
+location = /authelia/api/verify {
+ internal;
+ if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) {
+ return 401;
+ }
+ include /config/nginx/resolver.conf;
+ set $upstream_authelia authelia;
+ proxy_pass_request_body off;
+ proxy_pass http://$upstream_authelia:9091;
+ proxy_set_header Content-Length "";
+
+ # Timeout if the real server is dead
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+ # [REQUIRED] Needed by Authelia to check authorizations of the resource.
+ # Provide either X-Original-URL and X-Forwarded-Proto or
+ # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
+ # Those headers will be used by Authelia to deduce the target url of the user.
+ # Basic Proxy Config
+ client_body_buffer_size 128k;
+ proxy_set_header Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Method $request_method;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_redirect http:// $scheme://;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_cache_bypass $cookie_session;
+ proxy_no_cache $cookie_session;
+ proxy_buffers 4 32k;
+
+ # Advanced Proxy Config
+ send_timeout 5m;
+ proxy_read_timeout 240;
+ proxy_send_timeout 240;
+ proxy_connect_timeout 240;
+}
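Review bot: In the `if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]])` guard of `location = /authelia/api/verify`, the `+-=` inside the character class is parsed as a range from `+` to `=`, which admits `,`, `<` and every other code point in between, not just the three literal characters. If only `+`, `-` and `=` are intended, move the hyphen to the end of the class and list `/` explicitly, since the range is currently what allows the slash that every URI contains. This line is copied from the upstream default, so it is worth confirming the intended character set before tightening it.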
diff --git a/swag/nginx/dhparams.pem b/swag/nginx/dhparams.pem new file mode 100644 index 0000000000000000000000000000000000000000..f0ae8d354aff9dd65ce757243872b55ab014ddee GIT binary patch literal 790 zcmV+x1L^z#M@dveQdv+`0CkD+zS%+H{P>G9rg~Uxwxzr7uCH#je_F-9i@61rW5;Xn zz;9xr8}z^I;hsqiMR69e?1M{Pmof^e@|X^NQsR{%UI!lVctdDt zd73x*CNr*dLBfKKXL21z>d48dJX%U+KYm9nBBv&Ey@S+pPtHGox~NQN2?AK<0(YJo zf!^Rj@bVdj2#xc{Q@fOG;Cc{c*DDmEj7*iiS`8C~8FExuK(TOUOU;^RJk$4MfoDF*2T5{C=B z_|@?3sQBZr5hL(}!^U085us54Lh?kVcqe(%=r~&`KM%^{YM{Hg0kXpXcGVL&2sdwB zLag^}(~@G0e;YG_FH>r&Z@l1Um&&W|641=+SwRNx#)?G}88s!VZ?kIeiWOh@PaA4~LRan~H8%jRY6+LBR zv(^xWsP|LCLgnNe<{tkV;{Zav<&^iuyD-D*3T;qnhHHa(p^LoAkFos?ag9MGAj|E_ UX;xuSRV;16<67Mo*f{s5-`?_%W&i*H literal 0 HcmV?d00001 diff --git a/swag/nginx/ldap.conf b/swag/nginx/ldap.conf new file mode 100644 index 0000000..90120c7 --- /dev/null +++ b/swag/nginx/ldap.conf 
@@ -0,0 +1,92 @@
+## Version 2020/06/02 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ldap.conf
+## this conf is meant to be used in conjunction with our ldap-auth image: https://github.com/linuxserver/docker-ldap-auth
+## see the heimdall example in the default site config for info on enabling ldap auth
+## for further instructions on this conf, see https://github.com/nginxinc/nginx-ldap-auth
+
+ location /ldaplogin {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_auth_app ldap-auth;
+ set $upstream_auth_port 9000;
+ set $upstream_auth_proto http;
+ proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
+ proxy_set_header X-Target $request_uri;
+ }
+
+ location = /auth {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_auth_app ldap-auth;
+ set $upstream_auth_port 8888;
+ set $upstream_auth_proto http;
+ proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
+
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+
+ #Before enabling the below caching options, make sure you have the line "proxy_cache_path cache/ keys_zone=auth_cache:10m;" at the bottom your default site config
+ #proxy_cache auth_cache;
+ #proxy_cache_valid 200 10m;
+ #proxy_cache_key "$http_authorization$cookie_nginxauth";
+
+ # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
+ # communicates with a LDAP server, passing in the following
+ # parameters to specify which user account to authenticate. To
+ # eliminate the need to modify the Python code, this file contains
+ # 'proxy_set_header' directives that set the values of the
+ # parameters. Set or change them as instructed in the comments.
+ #
+ # Parameter Proxy header
+ # ----------- ----------------
+ # url X-Ldap-URL
+ # starttls X-Ldap-Starttls
+ # basedn X-Ldap-BaseDN
+ # binddn X-Ldap-BindDN
+ # bindpasswd X-Ldap-BindPass
+ # cookiename X-CookieName
+ # realm X-Ldap-Realm
+ # template X-Ldap-Template
+
+ # (Required) Set the URL and port for connecting to the LDAP server,
+ # by replacing 'example.com'.
+ # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
+ proxy_set_header X-Ldap-URL "ldap://example.com";
+
+ # (Optional) Establish a TLS-enabled LDAP session after binding to the
+ # LDAP server.
+ # This is the 'proper' way to establish encrypted TLS connections, see
+ # http://www.openldap.org/faq/data/cache/185.html
+ #proxy_set_header X-Ldap-Starttls "true";
+
+ # (Required) Set the Base DN, by replacing the value enclosed in
+ # double quotes.
+ proxy_set_header X-Ldap-BaseDN "cn=Users,dc=test,dc=local";
+
+ # (Required) Set the Bind DN, by replacing the value enclosed in
+ # double quotes.
+ # If AD, use "root@test.local"
+ proxy_set_header X-Ldap-BindDN "cn=root,dc=test,dc=local";
+
+ # (Required) Set the Bind password, by replacing 'secret'.
+ proxy_set_header X-Ldap-BindPass "secret";
+
+ # (Required) The following directives set the cookie name and pass
+ # it, respectively. They are required for cookie-based
+ # authentication. Comment them out if using HTTP basic
+ # authentication.
+ proxy_set_header X-CookieName "nginxauth";
+ proxy_set_header Cookie nginxauth=$cookie_nginxauth;
+
+ # (Required if using Microsoft Active Directory as the LDAP server)
+ # Set the LDAP template by uncommenting the following directive.
+ #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
+
+ # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
+ # template by uncommenting the following directive and replacing
+ # '(cn=%(username)s)' which is the default set in
+ # nginx-ldap-auth-daemon.py.
+ #proxy_set_header X-Ldap-Template "(cn=%(username)s)";
+
+ # (Optional) Set the realm name, by uncommenting the following
+ # directive and replacing 'Restricted' which is the default set
+ # in nginx-ldap-auth-daemon.py.
+ #proxy_set_header X-Ldap-Realm "Restricted";
+ }
diff --git a/swag/nginx/nginx.conf b/swag/nginx/nginx.conf
new file mode 100644
index 0000000..c6a7504
--- /dev/null
+++ b/swag/nginx/nginx.conf
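Review bot: `proxy_set_header X-Ldap-BindDN "cn=root,dc=test,dc=local";` and `proxy_set_header X-Ldap-BindPass "secret";` keep the LDAP bind credentials inline in a file this commit tracks, and the .gitignore added in the same commit excludes `swag/keys/` and `swag/dns-conf/` but not `swag/nginx/ldap.conf`, so the real bind password would enter git history as soon as the placeholders are filled in. Either ignore `swag/nginx/ldap.conf` and commit a template copy under another name, or move those two directives into an untracked include next to it. Both `location` blocks also reach the auth daemon over plain `http` and `X-Ldap-Starttls` stays commented out, so a comment above `X-Ldap-URL` noting that the daemon-to-LDAP leg is plaintext until `ldaps://` or STARTTLS is enabled would help whoever fills this in.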
@@ -0,0 +1,149 @@
+## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
+
+user abc;
+
+# Set number of worker processes automatically based on number of CPU cores.
+include /config/nginx/worker_processes.conf;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /config/log/nginx/error.log;
+
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+events {
+ # The maximum number of simultaneous connections that can be opened by
+ # a worker process.
+ worker_connections 1024;
+ # multi_accept on;
+}
+
+http {
+ # Includes mapping of file name extensions to MIME types of responses
+ # and defines the default type.
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Name servers used to resolve names of upstream servers into addresses.
+ # It's also needed when using tcpsocket and udpsocket in Lua modules.
+ #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
+ include /config/nginx/resolver.conf;
+
+ # Don't tell nginx version to the clients. Default is 'on'.
+ server_tokens off;
+
+ # Specifies the maximum accepted body size of a client request, as
+ # indicated by the request header Content-Length. If the stated content
+ # length is greater than this size, then the client receives the HTTP
+ # error code 413. Set to 0 to disable. Default is '1m'.
+ client_max_body_size 0;
+
+ # Sendfile copies data between one FD and other from within the kernel,
+ # which is more efficient than read() + write(). Default is off.
+ sendfile on;
+
+ # Causes nginx to attempt to send its HTTP response head in one packet,
+ # instead of using partial frames. Default is 'off'.
+ tcp_nopush on;
+
+ # Helper variable for proxying websockets.
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ # Saves unauthorized log messages to a separate log file
+ map $status $unauthorized {
+ default 0;
+ ~^401 1;
+ }
+ access_log /config/log/nginx/unauthorized.log combined if=$unauthorized;
+
+ # Sets the path, format, and configuration for a buffered log write.
+ access_log /config/log/nginx/access.log;
+
+ # Includes virtual hosts configs.
+ #include /etc/nginx/http.d/*.conf;
+
+ # WARNING: Don't use this directory for virtual hosts anymore.
+ # This include will be moved to the root context in Alpine 3.14.
+ #include /etc/nginx/conf.d/*.conf;
+
+
+ ##
+ # Basic Settings
+ ##
+
+ client_body_buffer_size 128k;
+ keepalive_timeout 65;
+ large_client_header_buffers 4 16k;
+ send_timeout 5m;
+ tcp_nodelay on;
+ types_hash_max_size 2048;
+ variables_hash_max_size 2048;
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # nginx-naxsi config
+ ##
+ # Uncomment it if you installed nginx-naxsi
+ ##
+
+ #include /etc/nginx/naxsi_core.rules;
+
+ ##
+ # nginx-passenger config
+ ##
+ # Uncomment it if you installed nginx-passenger
+ ##
+
+ #passenger_root /usr;
+ #passenger_ruby /usr/bin/ruby;
+
+ ##
+ # Virtual Host Configs
+ ##
+ include /config/nginx/site-confs/*;
+ #Removed lua. Do not remove this comment
+}
+
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
+
+daemon off;
+pid /run/nginx.pid;
diff --git a/swag/nginx/proxy.conf b/swag/nginx/proxy.conf
new file mode 100644
index 0000000..f536be0
--- /dev/null
+++ b/swag/nginx/proxy.conf
@@ -0,0 +1,31 @@
+## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
+
+# Timeout if the real server is dead
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+# Proxy Connection Settings
+proxy_buffers 32 4k;
+proxy_connect_timeout 240;
+proxy_headers_hash_bucket_size 128;
+proxy_headers_hash_max_size 1024;
+proxy_http_version 1.1;
+proxy_read_timeout 240;
+proxy_redirect http:// $scheme://;
+proxy_send_timeout 240;
+
+# Proxy Cache and Cookie Settings
+proxy_cache_bypass $cookie_session;
+#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
+proxy_no_cache $cookie_session;
+
+# Proxy Header Settings
+proxy_set_header Connection $connection_upgrade;
+proxy_set_header Early-Data $ssl_early_data;
+proxy_set_header Host $host;
+proxy_set_header Proxy "";
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Real-IP $remote_addr;
diff --git a/swag/nginx/resolver.conf b/swag/nginx/resolver.conf
new file mode 100644
index 0000000..1ae22e7
--- /dev/null
+++ b/swag/nginx/resolver.conf
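Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in proxy.conf appends the observed client address to whatever X-Forwarded-For the client already sent, so an upstream app that reads the first entry of that header sees a value chosen by the client; only `proxy_set_header X-Real-IP $remote_addr;` on the last line is server-asserted. If no trusted proxy sits in front of SWAG, `proxy_set_header X-Forwarded-For $remote_addr;` makes the header carry only the address nginx saw; otherwise add a comment above the directive stating that apps must trust the last entry, not the first. Either way the choice deserves a line of explanation, since this file is included by every proxied location.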
@@ -0,0 +1,3 @@
+# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.
+
+resolver 127.0.0.11 valid=30s;
diff --git a/swag/nginx/site-confs/default b/swag/nginx/site-confs/default
new file mode 100644
index 0000000..82e19e8
--- /dev/null
+++ b/swag/nginx/site-confs/default
@@ -0,0 +1,160 @@
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default
+
+error_page 502 /502.html;
+
+# redirect all traffic to https
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+ return 301 https://$host$request_uri;
+}
+
+# main server block
+server {
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
+
+ root /config/www;
+ index index.html index.htm index.php;
+
+ server_name _;
+
+ # enable subfolder method reverse proxy confs
+ include /config/nginx/proxy-confs/*.subfolder.conf;
+
+ # all ssl related config moved to ssl.conf
+ include /config/nginx/ssl.conf;
+
+ # enable for ldap auth
+ #include /config/nginx/ldap.conf;
+
+ # enable for Authelia
+ #include /config/nginx/authelia-server.conf;
+
+ client_max_body_size 0;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable the next two lines for ldap auth
+ #auth_request /auth;
+ #error_page 401 =200 /ldaplogin;
+
+ # enable for Authelia
+ #include /config/nginx/authelia-location.conf;
+
+ try_files $uri $uri/ /index.html /index.php?$args =404;
+ }
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ include /etc/nginx/fastcgi_params;
+ }
+
+# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
+# notice this is within the same server block as the base
+# don't forget to generate the .htpasswd file as described on docker hub
+# location ^~ /cp {
+# auth_basic "Restricted";
+# auth_basic_user_file /config/nginx/.htpasswd;
+# include /config/nginx/proxy.conf;
+# proxy_pass http://192.168.1.50:5050/cp;
+# }
+
+}
+
+# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
+# notice this is a new server block, you need a new server block for each subdomain
+#server {
+# listen 443 ssl http2;
+# listen [::]:443 ssl http2;
+#
+# root /config/www;
+# index index.html index.htm index.php;
+#
+# server_name cp.*;
+#
+# include /config/nginx/ssl.conf;
+#
+# client_max_body_size 0;
+#
+# location / {
+# auth_basic "Restricted";
+# auth_basic_user_file /config/nginx/.htpasswd;
+# include /config/nginx/proxy.conf;
+# proxy_pass http://192.168.1.50:5050;
+# }
+#}
+
+# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
+# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
+# notice this is a new server block, you need a new server block for each subdomain
+#server {
+# listen 443 ssl http2;
+# listen [::]:443 ssl http2;
+#
+# root /config/www;
+# index index.html index.htm index.php;
+#
+# server_name heimdall.*;
+#
+# include /config/nginx/ssl.conf;
+#
+# include /config/nginx/ldap.conf;
+#
+# client_max_body_size 0;
+#
+# location / {
+# # the next two lines will enable ldap auth along with the included ldap.conf in the server block
+# auth_request /auth;
+# error_page 401 =200 /ldaplogin;
+#
+# include /config/nginx/proxy.conf;
+# resolver 127.0.0.11 valid=30s;
+# set $upstream_app heimdall;
+# set $upstream_port 443;
+# set $upstream_proto https;
+# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+# }
+#}
+
+# sample reverse proxy config for "heimdall" via subdomain, with Authelia
+# Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml
+# notice this is a new server block, you need a new server block for each subdomain
+#server {
+# listen 443 ssl http2;
+# listen [::]:443 ssl http2;
+#
+# root /config/www;
+# index index.html index.htm index.php;
+#
+# server_name heimdall.*;
+#
+# include /config/nginx/ssl.conf;
+#
+# include /config/nginx/authelia-server.conf;
+#
+# client_max_body_size 0;
+#
+# location / {
+# # the next line will enable Authelia along with the included authelia-server.conf in the server block
+# include /config/nginx/authelia-location.conf;
+#
+# include /config/nginx/proxy.conf;
+# resolver 127.0.0.11 valid=30s;
+# set $upstream_app heimdall;
+# set $upstream_port 443;
+# set $upstream_proto https;
+# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+# }
+#}
+
+# enable subdomain method reverse proxy confs
+include /config/nginx/proxy-confs/*.subdomain.conf;
+# enable proxy cache for auth
+proxy_cache_path cache/ keys_zone=auth_cache:10m;
diff --git a/swag/nginx/ssl.conf b/swag/nginx/ssl.conf
new file mode 100644
index 0000000..204e830
--- /dev/null
+++ b/swag/nginx/ssl.conf
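Review bot: `location ~ \.php$` in the main server block hands every URI ending in .php to `fastcgi_pass 127.0.0.1:9000;` without first checking that the script exists under `root /config/www`; combined with `fastcgi_split_path_info` and php-fpm's default `cgi.fix_pathinfo=1`, php-fpm may resolve the request to a different file on disk than the one nginx matched. Add `try_files $fastcgi_script_name =404;` as the first directive of that location so nginx itself returns 404 for scripts that are not present. This is the only active PHP location in the file; the sample server blocks below it are all commented out.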
@@ -0,0 +1,46 @@
+## Version 2021/09/19 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
+
+### Mozilla Recommendations
+# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+
+### Linuxserver.io Defaults
+
+# Certificates
+ssl_certificate /config/keys/letsencrypt/fullchain.pem;
+ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
+
+# Diffie-Hellman Parameters
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# Enable TLS 1.3 early data
+ssl_early_data on;
+
+# HSTS, remove # from the line below to enable HSTS
+#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+# Optional additional headers
+#add_header Cache-Control "no-transform" always;
+#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
+#add_header Permissions-Policy "interest-cohort=()";
+#add_header Referrer-Policy "same-origin" always;
+#add_header X-Content-Type-Options "nosniff" always;
+#add_header X-Frame-Options "SAMEORIGIN" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+#add_header X-XSS-Protection "1; mode=block" always;
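Review bot: With the port-80 server in site-confs/default unconditionally returning 301 to https, the HSTS line left commented out here (`#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;`) is the main hardening this ssl.conf still lacks; enabling it is low-risk in that setup, though I would start without `preload` and confirm every subdomain is served over TLS before keeping `includeSubDomains`. `ssl_early_data on;` accepts TLS 1.3 0-RTT data, which is replayable; proxy.conf does forward `Early-Data $ssl_early_data`, so a comment under `# Enable TLS 1.3 early data` should say that backends must answer non-idempotent early-data requests with 425, or early data should be turned off for apps that cannot. The remaining `#add_header` lines are defaults and can stay commented.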
diff --git a/swag/php/php-local.ini b/swag/php/php-local.ini
new file mode 100644
index 0000000..3635cdd
--- /dev/null
+++ b/swag/php/php-local.ini
@@ -0,0 +1,3 @@
+; Edit this file to override php.ini directives and restart the container
+
+date.timezone = CEST
diff --git a/swag/php/www2.conf b/swag/php/www2.conf
new file mode 100644
index 0000000..13fc59d
--- /dev/null
+++ b/swag/php/www2.conf
@@ -0,0 +1,5 @@
+; Edit this file to override www.conf and php-fpm.conf directives and restart the container
+
+; Pool name
+[www]
+
diff --git a/swag/www/502.html b/swag/www/502.html
new file mode 100644
index 0000000..6e33c60
--- /dev/null
+++ b/swag/www/502.html
@@ -0,0 +1,44 @@ + + + 502 + + + +
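Review bot: `date.timezone = CEST` in php-local.ini is, as far as I know, not a valid PHP timezone identifier; PHP expects an IANA zone name such as `Europe/Paris`, and an unrecognised value makes it fall back to UTC, so timestamps in any PHP app served by this instance would be off by the local offset. Replace it with the IANA name of the intended zone, e.g. `date.timezone = Europe/Paris` (constructed example; use the zone you actually mean).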
+

502

+

Nginx can not connect to the application

+

Some common reasons are listed here: docs.linuxserver.io

+

For help and support, please visit: linuxserver.io/support

+
+ + diff --git a/swag/www/index.html b/swag/www/index.html new file mode 100644 index 0000000..5bc81ff --- /dev/null +++ b/swag/www/index.html @@ -0,0 +1,39 @@ + + + Welcome to your SWAG instance + + + +
+

Welcome to your SWAG instance

+

A webserver and reverse proxy solution brought to you by linuxserver.io with php support and a built-in Certbot client.

+

We have an article on how to use swag here: docs.linuxserver.io

+

For help and support, please visit: linuxserver.io/support

+
+ +