diff --git a/root/defaults/nginx/location-confs/ldap-location.conf.sample b/root/defaults/nginx/location-confs/ldap-location.conf.sample
new file mode 100644
index 0000000..14babc5
--- /dev/null
+++ b/root/defaults/nginx/location-confs/ldap-location.conf.sample
@@ -0,0 +1,4 @@
+## Version 2021/04/21 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/location-confs/ldap-location.conf.sample
+
+auth_request /auth;
+error_page 401 =200 /ldaplogin;
diff --git a/root/defaults/nginx/location-confs/proxy.conf.sample b/root/defaults/nginx/location-confs/proxy.conf.sample
index b98667e..94517b3 100644
--- a/root/defaults/nginx/location-confs/proxy.conf.sample
+++ b/root/defaults/nginx/location-confs/proxy.conf.sample
@@ -10,7 +10,7 @@ proxy_headers_hash_bucket_size 128;
 proxy_headers_hash_max_size 1024;
 proxy_http_version 1.1;
 proxy_read_timeout 240;
-proxy_redirect http:// $scheme://;
+proxy_redirect http:// $scheme://;
 proxy_send_timeout 240;
 
 # Proxy Cache and Cookie Settings
@@ -25,7 +25,11 @@ proxy_set_header Host $host;
 proxy_set_header Proxy "";
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Host $host;
-proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-Host $host:$server_port;
+proxy_set_header X-Forwarded-Method $request_method;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Server $host;
 proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
 proxy_set_header X-Real-IP $remote_addr;
diff --git a/root/defaults/nginx/server-confs/authelia-server.conf.sample b/root/defaults/nginx/server-confs/authelia-server.conf.sample
index 3690528..d18a544 100644
--- a/root/defaults/nginx/server-confs/authelia-server.conf.sample
+++ b/root/defaults/nginx/server-confs/authelia-server.conf.sample
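Review bot: `proxy_set_header X-Forwarded-Host $host:$server_port;` reports the port nginx itself listens on, not the one the client connected to, so behind a container port mapping any app or auth gateway that rebuilds the public origin from this header will redirect to the wrong port; the Authelia server conf removed in this same commit used `$http_host` for the same header, which preserves the client's host:port as received. Prefer `proxy_set_header X-Forwarded-Host $http_host;`, which also matches the `$http_host` already used for X-Original-URL two lines below. Separately, `X-Forwarded-Proto` is now derived from `$scheme` while `X-Forwarded-Ssl on` stays hard-coded, so on a plain-HTTP listener the two headers contradict each other; `proxy_set_header X-Forwarded-Ssl $https;` keeps them consistent, since `$https` is `on` for TLS connections and empty (header omitted) otherwise.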
@@ -3,9 +3,11 @@ location ^~ /authelia { include /config/nginx/location-confs/*.conf; - include /config/nginx/resolver.conf; - set $upstream_authelia authelia; - proxy_pass http://$upstream_authelia:9091; + + set $upstream_app authelia; + set $upstream_port 9091; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; } location = /authelia/api/verify { 
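Review bot: The rebuilt `location ^~ /authelia` drops `include /config/nginx/resolver.conf;` while keeping a variable-based `proxy_pass`, and nginx only resolves `$upstream_app` at request time when a `resolver` directive is in scope, so unless the location-confs wildcard (contents not shown here) now supplies one, requests will fail with "no resolver defined to resolve authelia". If it does not, re-add `include /config/nginx/resolver.conf;` directly after the wildcard include.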
@@ -13,40 +15,19 @@ location = /authelia/api/verify { if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) { return 401; } - include /config/nginx/resolver.conf; - set $upstream_authelia authelia; - proxy_pass_request_body off; - proxy_pass http://$upstream_authelia:9091; - proxy_set_header Content-Length ""; + include /config/nginx/location-confs/*.conf; + + set $upstream_app authelia; + set $upstream_port 9091; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; # Timeout if the real server is dead proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; - # [REQUIRED] Needed by Authelia to check authorizations of the resource. - # Provide either X-Original-URL and X-Forwarded-Proto or - # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both. - # Those headers will be used by Authelia to deduce the target url of the user. - # Basic Proxy Config client_body_buffer_size 128k; - proxy_set_header Host $host; - proxy_set_header X-Original-URL $scheme://$http_host$request_uri; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Method $request_method; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Uri $request_uri; - proxy_set_header X-Forwarded-Ssl on; - proxy_redirect http:// $scheme://; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_cache_bypass $cookie_session; - proxy_no_cache $cookie_session; proxy_buffers 4 32k; - - # Advanced Proxy Config + proxy_pass_request_body off; + proxy_set_header Content-Length ""; send_timeout 5m; - proxy_read_timeout 240; - proxy_send_timeout 240; - proxy_connect_timeout 240; } diff --git a/root/defaults/nginx/server-confs/geoip2.conf.sample b/root/defaults/nginx/server-confs/geoip2.conf.sample index 35e6bcd..8627f9a 100644 --- a/root/defaults/nginx/server-confs/geoip2.conf.sample 
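Review bot: The verify location now receives `X-Forwarded-For $proxy_add_x_forwarded_for` from proxy.conf through the wildcard include in place of the deleted `proxy_set_header X-Forwarded-For $remote_addr;`; `$proxy_add_x_forwarded_for` appends to whatever X-Forwarded-For the client sent, so if Authelia evaluates network-based access rules against the first address in that header a client can claim a trusted LAN address. As far as I can tell nginx emits both values when the same header is set twice in one block rather than letting the later one win, so the override cannot simply be appended after the include — either restore the explicit header lines this hunk deletes and drop the wildcard here, or keep the wildcard to files meant only for proxied apps. The same wildcard also pulls in any enabled `*-location.conf`, for instance the new ldap-location.conf's `auth_request /auth;`, which would place an auth_request on the auth backend itself. The `if ($request_uri ...)` filter at the top of the hunk is pre-existing and unchanged.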
+++ b/root/defaults/nginx/server-confs/geoip2.conf.sample @@ -5,13 +5,13 @@ geoip2 /config/geoip2db/GeoLite2-City.mmdb { auto_reload 1w; - $geoip2_data_city_name city names en; + $geoip2_data_city_name city names en; $geoip2_data_postal_code postal code; - $geoip2_data_latitude location latitude; - $geoip2_data_longitude location longitude; - $geoip2_data_state_name subdivisions 0 names en; - $geoip2_data_state_code subdivisions 0 iso_code; - $geoip2_data_continent_code continent code; + $geoip2_data_latitude location latitude; + $geoip2_data_longitude location longitude; + $geoip2_data_state_name subdivisions 0 names en; + $geoip2_data_state_code subdivisions 0 iso_code; + $geoip2_data_continent_code continent code; $geoip2_data_country_iso_code country iso_code; } @@ -43,7 +43,7 @@ map $geoip2_data_city_name $allowed_city { # ALLOW LOCAL ACCESS geo $allow_list { - default yes; # Set this to no if $allowed_country or $allowed_city default is no. + default yes; # Set this to no if $allowed_country or $allowed_city default is no. # IP/CIDR yes; # e.g. 192.168.1.0/24 yes; } @@ -58,7 +58,6 @@ geo $allow_list { # return 444; # } ######################################### - # Add the following if statements inside any server context where you want to geo block cities. ######################################## # if ($allow_list = yes) { 
@@ -71,43 +70,35 @@ geo $allow_list { # Example using a config from proxy-confs -#server { -# listen 443 ssl; -# listen [::]:443 ssl; -# -# server_name unifi.*; -# -# include /config/nginx/server-confs/*.conf; -# -# client_max_body_size 0; +# server { +# include /config/nginx/server-confs/*.conf; -# # Allow lan access if default is set to no -# if ($allow_list = yes) { -# set $allowed_country yes; -# } -# # Country geo block -# if ($allowed_country = no) { -# return 444; -# } +# server_name unifi.*; +# client_max_body_size 0; -# -# location / { -# # enable the next two lines for http auth -# #auth_basic "Restricted"; -# #auth_basic_user_file /config/nginx/.htpasswd; -# -# # enable the next two lines for ldap auth -# #auth_request /auth; -# #error_page 401 =200 /ldaplogin; -# -# include /config/nginx/location-confs/*.conf; -# resolver 127.0.0.11 valid=30s; -# set $upstream_app unifi-controller; -# set $upstream_port 8443; -# set $upstream_proto https; -# proxy_pass $upstream_proto://$upstream_app:$upstream_port; -# -# proxy_buffering off; -# } -#} +# # Allow lan access if default is set to no +# if ($allow_list = yes) { +# set $allowed_country yes; +# } +# # Country geo block +# if ($allowed_country = no) { +# return 444; +# } + +# set $htpasswd_file /config/nginx/.htpasswd; +# set $auth_basic "Restricted"; +# if (!-f $htpasswd_file) { +# set $auth_basic off; +# } +# location / { +# include /config/nginx/location-confs/*.conf; + +# set $upstream_app unifi-controller; +# set $upstream_port 8443; +# set $upstream_proto https; +# proxy_pass $upstream_proto://$upstream_app:$upstream_port; + +# proxy_buffering off; +# } +# } diff --git a/root/defaults/nginx/server-confs/ldap-server.conf.sample b/root/defaults/nginx/server-confs/ldap-server.conf.sample new file mode 100644 index 0000000..482ba4c --- /dev/null +++ b/root/defaults/nginx/server-confs/ldap-server.conf.sample 
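Review bot: The rewritten example declares `$htpasswd_file` and `$auth_basic` but its `location /` never references them, so anyone copying it gets no basic auth even though the variables suggest otherwise; the old version at least carried the commented `auth_basic` lines. Add `#        auth_basic $auth_basic;` and `#        auth_basic_user_file $htpasswd_file;` inside the location, as default.conf in this same commit does. This is a commented example, so the change is documentation only.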
@@ -0,0 +1,92 @@
+## Version 2020/06/02 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/server-confs/ldap.conf.sample
+## this conf is meant to be used in conjunction with our ldap-auth image: https://github.com/linuxserver/docker-ldap-auth
+## see the heimdall example in the default site config for info on enabling ldap auth
+## for further instructions on this conf, see https://github.com/nginxinc/nginx-ldap-auth
+
+location /ldaplogin {
+ include /config/nginx/server-confs/*.conf;
+
+ set $upstream_auth_app ldap-auth;
+ set $upstream_auth_port 9000;
+ set $upstream_auth_proto http;
+ proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
+ proxy_set_header X-Target $request_uri;
+}
+
+location = /auth {
+ include /config/nginx/server-confs/*.conf;
+
+ set $upstream_auth_app ldap-auth;
+ set $upstream_auth_port 8888;
+ set $upstream_auth_proto http;
+ proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
+
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+
+ #Before enabling the below caching options, make sure you have the line "proxy_cache_path cache/ keys_zone=auth_cache:10m;" at the bottom your default site config
+ #proxy_cache auth_cache;
+ #proxy_cache_valid 200 10m;
+ #proxy_cache_key "$http_authorization$cookie_nginxauth";
+
+ # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
+ # communicates with a LDAP server, passing in the following
+ # parameters to specify which user account to authenticate. To
+ # eliminate the need to modify the Python code, this file contains
+ # 'proxy_set_header' directives that set the values of the
+ # parameters. Set or change them as instructed in the comments.
+ #
+ # Parameter Proxy header
+ # ----------- ----------------
+ # url X-Ldap-URL
+ # starttls X-Ldap-Starttls
+ # basedn X-Ldap-BaseDN
+ # binddn X-Ldap-BindDN
+ # bindpasswd X-Ldap-BindPass
+ # cookiename X-CookieName
+ # realm X-Ldap-Realm
+ # template X-Ldap-Template
+ # (Required) Set the URL and port for connecting to the LDAP server,
+ # by replacing 'example.com'.
+ # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
+ proxy_set_header X-Ldap-URL "ldap://example.com";
+
+ # (Optional) Establish a TLS-enabled LDAP session after binding to the
+ # LDAP server.
+ # This is the 'proper' way to establish encrypted TLS connections, see
+ # http://www.openldap.org/faq/data/cache/185.html
+ #proxy_set_header X-Ldap-Starttls "true";
+
+ # (Required) Set the Base DN, by replacing the value enclosed in
+ # double quotes.
+ proxy_set_header X-Ldap-BaseDN "cn=Users,dc=test,dc=local";
+
+ # (Required) Set the Bind DN, by replacing the value enclosed in
+ # double quotes.
+ # If AD, use "root@test.local"
+ proxy_set_header X-Ldap-BindDN "cn=root,dc=test,dc=local";
+
+ # (Required) Set the Bind password, by replacing 'secret'.
+ proxy_set_header X-Ldap-BindPass "secret";
+
+ # (Required) The following directives set the cookie name and pass
+ # it, respectively. They are required for cookie-based
+ # authentication. Comment them out if using HTTP basic
+ # authentication.
+ proxy_set_header X-CookieName "nginxauth";
+ proxy_set_header Cookie nginxauth=$cookie_nginxauth;
+
+ # (Required if using Microsoft Active Directory as the LDAP server)
+ # Set the LDAP template by uncommenting the following directive.
+ #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
+
+ # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
+ # template by uncommenting the following directive and replacing
+ # '(cn=%(username)s)' which is the default set in
+ # nginx-ldap-auth-daemon.py.
+ #proxy_set_header X-Ldap-Template "(cn=%(username)s)";
+ # (Optional) Set the realm name, by uncommenting the following
+ # directive and replacing 'Restricted' which is the default set
+ # in nginx-ldap-auth-daemon.py.
+ #proxy_set_header X-Ldap-Realm "Restricted";
+}
diff --git a/root/defaults/nginx/server-confs/ldap.conf.sample b/root/defaults/nginx/server-confs/ldap.conf.sample
deleted file mode 100644
index fd44aa3..0000000
--- a/root/defaults/nginx/server-confs/ldap.conf.sample
+++ /dev/null
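Review bot: Both new locations contain `include /config/nginx/server-confs/*.conf;`, but that directory holds server-context files — the ssl.conf hunk further down shows `listen 443 ssl http2;`, which nginx rejects inside a `location` block — and once this file is renamed from .sample the glob matches the file itself, so `nginx -t` will fail; the Authelia counterpart in this commit uses `include /config/nginx/location-confs/*.conf;`, which is presumably what was intended. Even with that path, `location = /auth` must not pick up an enabled ldap-location.conf, whose `auth_request /auth;` would guard the auth endpoint with itself, so list the needed includes explicitly here rather than using the wildcard. The header still cites the 2020/06/02 version and the old `ldap.conf.sample` changelog path for what is now ldap-server.conf.sample. The `X-Ldap-BindPass` value is sent over `ldap://` in cleartext unless X-Ldap-Starttls or an ldaps URL is configured; a one-line warning next to the BindPass comment would save users from shipping that default.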
@@ -1,92 +0,0 @@
-## Version 2020/06/02 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/server-confs/ldap.conf.sample
-## this conf is meant to be used in conjunction with our ldap-auth image: https://github.com/linuxserver/docker-ldap-auth
-## see the heimdall example in the default site config for info on enabling ldap auth
-## for further instructions on this conf, see https://github.com/nginxinc/nginx-ldap-auth
-
- location /ldaplogin {
- resolver 127.0.0.11 valid=30s;
- set $upstream_auth_app ldap-auth;
- set $upstream_auth_port 9000;
- set $upstream_auth_proto http;
- proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
- proxy_set_header X-Target $request_uri;
- }
-
- location = /auth {
- resolver 127.0.0.11 valid=30s;
- set $upstream_auth_app ldap-auth;
- set $upstream_auth_port 8888;
- set $upstream_auth_proto http;
- proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
-
- proxy_pass_request_body off;
- proxy_set_header Content-Length "";
-
- #Before enabling the below caching options, make sure you have the line "proxy_cache_path cache/ keys_zone=auth_cache:10m;" at the bottom your default site config
- #proxy_cache auth_cache;
- #proxy_cache_valid 200 10m;
- #proxy_cache_key "$http_authorization$cookie_nginxauth";
-
- # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
- # communicates with a LDAP server, passing in the following
- # parameters to specify which user account to authenticate. To
- # eliminate the need to modify the Python code, this file contains
- # 'proxy_set_header' directives that set the values of the
- # parameters. Set or change them as instructed in the comments.
- #
- # Parameter Proxy header
- # ----------- ----------------
- # url X-Ldap-URL
- # starttls X-Ldap-Starttls
- # basedn X-Ldap-BaseDN
- # binddn X-Ldap-BindDN
- # bindpasswd X-Ldap-BindPass
- # cookiename X-CookieName
- # realm X-Ldap-Realm
- # template X-Ldap-Template
-
- # (Required) Set the URL and port for connecting to the LDAP server,
- # by replacing 'example.com'.
- # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
- proxy_set_header X-Ldap-URL "ldap://example.com";
-
- # (Optional) Establish a TLS-enabled LDAP session after binding to the
- # LDAP server.
- # This is the 'proper' way to establish encrypted TLS connections, see
- # http://www.openldap.org/faq/data/cache/185.html
- #proxy_set_header X-Ldap-Starttls "true";
-
- # (Required) Set the Base DN, by replacing the value enclosed in
- # double quotes.
- proxy_set_header X-Ldap-BaseDN "cn=Users,dc=test,dc=local";
-
- # (Required) Set the Bind DN, by replacing the value enclosed in
- # double quotes.
- # If AD, use "root@test.local"
- proxy_set_header X-Ldap-BindDN "cn=root,dc=test,dc=local";
-
- # (Required) Set the Bind password, by replacing 'secret'.
- proxy_set_header X-Ldap-BindPass "secret";
-
- # (Required) The following directives set the cookie name and pass
- # it, respectively. They are required for cookie-based
- # authentication. Comment them out if using HTTP basic
- # authentication.
- proxy_set_header X-CookieName "nginxauth";
- proxy_set_header Cookie nginxauth=$cookie_nginxauth;
-
- # (Required if using Microsoft Active Directory as the LDAP server)
- # Set the LDAP template by uncommenting the following directive.
- #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
-
- # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
- # template by uncommenting the following directive and replacing
- # '(cn=%(username)s)' which is the default set in
- # nginx-ldap-auth-daemon.py.
- #proxy_set_header X-Ldap-Template "(cn=%(username)s)"; - - # (Optional) Set the realm name, by uncommenting the following - # directive and replacing 'Restricted' which is the default set - # in nginx-ldap-auth-daemon.py. - #proxy_set_header X-Ldap-Realm "Restricted"; - } diff --git a/root/defaults/nginx/server-confs/ssl.conf.sample b/root/defaults/nginx/server-confs/ssl.conf.sample index b2b7c74..1c7ac94 100644 --- a/root/defaults/nginx/server-confs/ssl.conf.sample +++ b/root/defaults/nginx/server-confs/ssl.conf.sample @@ -10,7 +10,7 @@ listen [::]:443 ssl http2; ssl_certificate /config/keys/letsencrypt/fullchain.pem; ssl_certificate_key /config/keys/letsencrypt/privkey.pem; ssl_session_timeout 1d; -ssl_session_cache shared:MozSSL:10m; # about 40000 sessions +ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample index f72a9ce..8ea9462 100644 --- a/root/defaults/nginx/site-confs/default.conf.sample +++ b/root/defaults/nginx/site-confs/default.conf.sample @@ -14,13 +14,15 @@ server { # main server block server { + include /config/nginx/server-confs/*.conf; + + server_name _; + root /config/www; index index.html index.htm index.php; # enable subfolder method reverse proxy confs - include /config/nginx/subfolder-confs/*.subfolder.conf; - - include /config/nginx/server-confs/*.conf; + include /config/nginx/subfolder-confs/*.conf; set $htpasswd_file /config/nginx/.htpasswd; set $auth_basic "Restricted"; 
@@ -28,21 +30,16 @@ server { set $auth_basic off; } location / { + include /config/nginx/location-confs/*.conf; + auth_basic $auth_basic; auth_basic_user_file $htpasswd_file; - # enable the next two lines for ldap auth - #auth_request /auth; - #error_page 401 =200 /ldaplogin; - - # enable for Authelia - #include /config/nginx/location-confs/authelia-location.conf; - try_files $uri $uri/ /index.html /index.php?$args =404; } - location ~ \.php$ { - fastcgi_split_path_info ^(.+\.php)(/.+)$; + location ~ ^(.+\.php)(.*)$ { + fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include /etc/nginx/fastcgi_params; @@ -50,11 +47,11 @@ server { # deny access to .htaccess/.htpasswd files location ~ /\.ht { - deny all; + deny all; } } # enable subdomain method reverse proxy confs -include /config/nginx/subdomain-confs/*.subdomain.conf; +include /config/nginx/subdomain-confs/*.conf; # enable proxy cache for auth proxy_cache_path cache/ keys_zone=auth_cache:10m;
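Review bot: `location ~ ^(.+\.php)(.*)$` now matches any URI containing `.php`, not only those ending in it, so `/index.php/foo` (PATH_INFO) and also `/uploads/x.php.jpg` — for which the greedy split yields script `/uploads/x.php` and path info `.jpg` — are handed to php-fpm; the rest of this location is outside the hunk, so if it does not already contain `try_files $fastcgi_script_name =404;` before `fastcgi_pass`, add it so a missing or non-PHP script is refused by nginx rather than left to php-fpm's `cgi.fix_pathinfo` behaviour. The conventional form `location ~ [^/]\.php(/|$) {` with `fastcgi_split_path_info ^(.+?\.php)(/.*)$;` requires path info to begin with `/` and stops at the first `.php`, which keeps `.php.jpg` uploads served as static files exactly as the old `\.php$` pattern did. The third hunk's widening of `*.subdomain.conf` to `*.conf` will also start including any other `.conf` file left in subdomain-confs, which deserves a line in the changelog.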