From 91a14cc63cc8e3514b194075ce915d860c91aa8b Mon Sep 17 00:00:00 2001
From: Jakub W
Date: Sun, 10 Dec 2023 20:30:32 +0100
Subject: [PATCH 01/15] Added wikijs.subdomain.conf.sample nginx subdomain reverse proxy for wikijs docker container
---
wikijs.subdomain.conf.sample | 54 ++++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
create mode 100644 wikijs.subdomain.conf.sample
diff --git a/wikijs.subdomain.conf.sample b/wikijs.subdomain.conf.sample
new file mode 100644
index 0000000..42b9f4d
--- /dev/null
+++ b/wikijs.subdomain.conf.sample
@@ -0,0 +1,54 @@
+## Version 2023/05/31
+# make sure that your wikijs container is named wikijs
+# make sure that your dns has a cname set for wikijs
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name wikijs.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app wikijs;
+ set $upstream_port 3000;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
+
+ location ~ (/wikijs)?/graphql {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app wikijs;
+ set $upstream_port 3000;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
+}
From c53bb112f612caf8e9f8a5d90c1e5cd75921728a Mon Sep 17 00:00:00 2001
From: Jakub W
Date: Sun, 10 Dec 2023 20:37:05 +0100
Subject: [PATCH 02/15] Add trailing newlines
---
wikijs.subdomain.conf.sample | 2 ++
1 file changed, 2 insertions(+)
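Review bot: The `location ~ (/wikijs)?/graphql` block carries none of the auth includes offered in `location /`, and its regex is unanchored, so any URI containing `/graphql` is proxied to Wiki.js without the proxy-level auth an operator may have enabled. If that bypass is intended, say so above the block, e.g. `# GraphQL API bypasses proxy auth; access control relies on Wiki.js itself`, and anchor the pattern as `location ~ ^(/wikijs)?/graphql`. The `/api` block added in patch 09 and the `/info/lfs` block in patch 11 have the same shape and need the same comment; the LFS pattern presumably has to stay unanchored because the repository path precedes it.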
diff --git a/wikijs.subdomain.conf.sample b/wikijs.subdomain.conf.sample index 42b9f4d..ab07313 100644 --- a/wikijs.subdomain.conf.sample +++ b/wikijs.subdomain.conf.sample @@ -41,6 +41,7 @@ server { set $upstream_port 3000; set $upstream_proto http; proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } location ~ (/wikijs)?/graphql { @@ -50,5 +51,6 @@ server { set $upstream_port 3000; set $upstream_proto http; proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } } From 6ec92a19fd384610c326992a3196a081df3e5b9a Mon Sep 17 00:00:00 2001 From: samsepi0l Date: Thu, 14 Dec 2023 14:51:48 +0100 Subject: [PATCH 03/15] Secure cookies The cookies are not secure by default with heimdall, we can force it through nginx. --- heimdall.subdomain.conf.sample | 2 ++ 1 file changed, 2 insertions(+) diff --git a/heimdall.subdomain.conf.sample b/heimdall.subdomain.conf.sample index 8e18aa8..71a2d69 100644 --- a/heimdall.subdomain.conf.sample +++ b/heimdall.subdomain.conf.sample @@ -35,6 +35,8 @@ server { # enable for Authentik (requires authentik-server.conf in the server block) #include /config/nginx/authentik-location.conf; + proxy_cookie_path / "/; Secure; SameSite=strict; HttpOnly"; + include /config/nginx/proxy.conf; include /config/nginx/resolver.conf; set $upstream_app heimdall; From e9f3fd5064bccda8679ceea8be7e17945738c287 Mon Sep 17 00:00:00 2001 From: bri <284789+b-@users.noreply.github.com> Date: Thu, 14 Dec 2023 19:05:14 -0500 Subject: [PATCH 04/15] Create maintainerr.subdomain.conf.sample For [this thing](https://github.com/jorenn92/Maintainerr) --- maintainerr.subdomain.conf.sample | 47 +++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 maintainerr.subdomain.conf.sample diff --git a/maintainerr.subdomain.conf.sample b/maintainerr.subdomain.conf.sample new file mode 100644 index 0000000..ce82dd6 --- /dev/null +++ b/maintainerr.subdomain.conf.sample 
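Review bot: The `proxy_cookie_path / "/; Secure; SameSite=strict; HttpOnly";` line added to the heimdall sample only rewrites cookies whose upstream `Set-Cookie` carries a `Path` attribute starting with `/`, so a cookie sent without `Path` keeps its original flags, and one that already has `Secure` or `HttpOnly` ends up with the attribute twice. On nginx 1.19.3 or newer, `proxy_cookie_flags ~ secure httponly samesite=strict;` sets the flags directly and does not depend on the path. Patches 06 and 07 keep the same directive, commented out, so the point applies there too. The enclosing location block starts and ends outside the hunk.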
@@ -0,0 +1,47 @@
+## Version 2023/05/31
+# make sure that your maintainerr container is named maintainerr
+# make sure that your dns has a cname set for maintainerr
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name maintainerr.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app maintainerr;
+ set $upstream_port 80;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+
+}
From 196f64197f23f9c501a8f03569484c75472f4483 Mon Sep 17 00:00:00 2001
From: bri <284789+b-@users.noreply.github.com>
Date: Thu, 14 Dec 2023 19:07:17 -0500
Subject: [PATCH 05/15] maintainerr.subdomain.conf.sample: bump date
---
maintainerr.subdomain.conf.sample | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/maintainerr.subdomain.conf.sample b/maintainerr.subdomain.conf.sample
index ce82dd6..170e740 100644
--- a/maintainerr.subdomain.conf.sample
+++ b/maintainerr.subdomain.conf.sample
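Review bot: `client_max_body_size 0;` in the maintainerr server block switches off nginx's request-body size check for every request to this host, so the upstream container has to absorb bodies of any size. Nothing in the sample shows that the app needs unbounded bodies; a finite value such as `client_max_body_size 100m;` (a constructed example) or a comment such as `# 0 disables the body size limit; set a cap unless large uploads are required` would make the trade-off visible. The same line is in the wikijs sample (patch 01) and in the speedtest-tracker and stirling-pdf samples (patches 14 and 15).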
@@ -1,4 +1,4 @@ -## Version 2023/05/31 +## Version 2023/12/14 # make sure that your maintainerr container is named maintainerr # make sure that your dns has a cname set for maintainerr From 1f56b97b892d889a8f89741ce3effd98b89ed348 Mon Sep 17 00:00:00 2001 From: samsepi0l Date: Fri, 15 Dec 2023 22:21:16 +0100 Subject: [PATCH 06/15] Update heimdall.subdomain.conf.sample --- heimdall.subdomain.conf.sample | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/heimdall.subdomain.conf.sample b/heimdall.subdomain.conf.sample index 71a2d69..9a716e5 100644 --- a/heimdall.subdomain.conf.sample +++ b/heimdall.subdomain.conf.sample @@ -34,8 +34,6 @@ server { # enable for Authentik (requires authentik-server.conf in the server block) #include /config/nginx/authentik-location.conf; - - proxy_cookie_path / "/; Secure; SameSite=strict; HttpOnly"; include /config/nginx/proxy.conf; include /config/nginx/resolver.conf; @@ -43,6 +41,7 @@ server { set $upstream_port 443; set $upstream_proto https; proxy_pass $upstream_proto://$upstream_app:$upstream_port; + #proxy_cookie_path / "/; Secure; SameSite=strict; HttpOnly"; } } From 09fd8849ea2783105c3d54e7547d3530a7a132c0 Mon Sep 17 00:00:00 2001 From: samsepi0l Date: Fri, 15 Dec 2023 22:26:05 +0100 Subject: [PATCH 07/15] Add description --- heimdall.subdomain.conf.sample | 2 ++ 1 file changed, 2 insertions(+) diff --git a/heimdall.subdomain.conf.sample b/heimdall.subdomain.conf.sample index 9a716e5..d08beca 100644 --- a/heimdall.subdomain.conf.sample +++ b/heimdall.subdomain.conf.sample @@ -41,6 +41,8 @@ server { set $upstream_port 443; set $upstream_proto https; proxy_pass $upstream_proto://$upstream_app:$upstream_port; + + # Enable to secure cookies. Further reading here -> https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies #proxy_cookie_path / "/; Secure; SameSite=strict; HttpOnly"; } From f66e17edeca49cebec71e38cb89a4cf93932117f Mon Sep 17 00:00:00 2001 
From: Eric Nemchik Date: Wed, 20 Dec 2023 09:27:47 -0600 Subject: [PATCH 08/15] Update heimdall.subdomain.conf.sample --- heimdall.subdomain.conf.sample | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/heimdall.subdomain.conf.sample b/heimdall.subdomain.conf.sample index d08beca..a77de5b 100644 --- a/heimdall.subdomain.conf.sample +++ b/heimdall.subdomain.conf.sample @@ -34,7 +34,7 @@ server { # enable for Authentik (requires authentik-server.conf in the server block) #include /config/nginx/authentik-location.conf; - + include /config/nginx/proxy.conf; include /config/nginx/resolver.conf; set $upstream_app heimdall; From 9098730e3025f0d3b4901b8185821d4a5951751e Mon Sep 17 00:00:00 2001 From: Jakub W Date: Thu, 21 Dec 2023 11:42:42 +0100 Subject: [PATCH 09/15] Add location block for API endpoint Add missing location block for influxdb API endpoint --- influxdb.subdomain.conf.sample | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/influxdb.subdomain.conf.sample b/influxdb.subdomain.conf.sample index e772beb..1c2f158 100644 --- a/influxdb.subdomain.conf.sample +++ b/influxdb.subdomain.conf.sample @@ -1,4 +1,4 @@ -## Version 2023/05/31 +## Version 2023/12/21 # make sure that your influxdb container is named influxdb # make sure that your dns has a cname set for influxdb @@ -41,6 +41,17 @@ server { set $upstream_port 8086; set $upstream_proto http; proxy_pass $upstream_proto://$upstream_app:$upstream_port; + + } + + location ~ (/influxdb)?/api { + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app influxdb; + set $upstream_port 8086; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } } From 55520164b48a85983b333c2f36b4f45da78cf669 Mon Sep 17 00:00:00 2001 
From: Jakub W Date: Thu, 21 Dec 2023 11:52:24 +0100 Subject: [PATCH 10/15] Revert "Add location block for API endpoint" This reverts commit 9098730e3025f0d3b4901b8185821d4a5951751e. --- influxdb.subdomain.conf.sample | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/influxdb.subdomain.conf.sample b/influxdb.subdomain.conf.sample index 1c2f158..e772beb 100644 --- a/influxdb.subdomain.conf.sample +++ b/influxdb.subdomain.conf.sample @@ -1,4 +1,4 @@ -## Version 2023/12/21 +## Version 2023/05/31 # make sure that your influxdb container is named influxdb # make sure that your dns has a cname set for influxdb @@ -41,17 +41,6 @@ server { set $upstream_port 8086; set $upstream_proto http; proxy_pass $upstream_proto://$upstream_app:$upstream_port; - - } - - location ~ (/influxdb)?/api { - include /config/nginx/proxy.conf; - include /config/nginx/resolver.conf; - set $upstream_app influxdb; - set $upstream_port 8086; - set $upstream_proto http; - proxy_pass $upstream_proto://$upstream_app:$upstream_port; - } } From 1cd61c9e1a9db9bc7d048423e2cca8c4ed2a0729 Mon Sep 17 00:00:00 2001 From: RagingCub Date: Tue, 26 Dec 2023 16:53:38 -0500 Subject: [PATCH 11/15] Resolve lfs incompatibility with authelia for gitea --- gitea.subdomain.conf.sample | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/gitea.subdomain.conf.sample b/gitea.subdomain.conf.sample index 1d6bdf4..0657314 100644 --- a/gitea.subdomain.conf.sample +++ b/gitea.subdomain.conf.sample @@ -1,4 +1,4 @@ -## Version 2023/05/31 +## Version 2023/12/26 # make sure that your gitea container is named gitea # make sure that your dns has a cname set for gitea # edit the following parameters in /data/gitea/conf/app.ini 
@@ -48,4 +48,14 @@ server { proxy_pass $upstream_proto://$upstream_app:$upstream_port; } + + location ~ (/gitea)?/info/lfs { + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app gitea; + set $upstream_port 3000; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + + } } From c09dc5d795ef354a9e658bcd7201b7e49a6df9a4 Mon Sep 17 00:00:00 2001 From: thelamer Date: Wed, 14 Feb 2024 09:44:35 -0800 Subject: [PATCH 12/15] add webtop subfolder example --- webtop.subfolder.conf.sample | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 webtop.subfolder.conf.sample diff --git a/webtop.subfolder.conf.sample b/webtop.subfolder.conf.sample new file mode 100644 index 0000000..0cb4c1a --- /dev/null +++ b/webtop.subfolder.conf.sample @@ -0,0 +1,29 @@ +## Version 2024/02/05 +# make sure that your webtop container is named webtop +# make sure that webtop is set to work with the base url /webtop/ +# works with any KasmVNC based image + +location ^~ /webtop { + # enable the next two lines for http auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + # enable for ldap auth (requires ldap-server.conf in the server block) + #include /config/nginx/ldap-location.conf; + + # enable for Authelia (requires authelia-server.conf in the server block) + #include /config/nginx/authelia-location.conf; + + # enable for Authentik (requires authentik-server.conf in the server block) + #include /config/nginx/authentik-location.conf; + + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app webtop; + set $upstream_port 3000; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + + proxy_buffering off; + +} From 955db01c7eefbf7d4cbea66f26927539c0503a7e Mon Sep 17 00:00:00 2001 
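Review bot: The prefix in `location ^~ /webtop` has no trailing slash, so it also captures unrelated paths such as `/webtopx`, while the header says the app is served under `/webtop/`. Consider `location /webtop { return 301 $scheme://$host/webtop/; }` followed by `location ^~ /webtop/ {`. Because the header states that this fronts KasmVNC-based desktop images and every auth line ships commented out, a header comment such as `# enable one of the auth options below before exposing this location` would help operators avoid publishing an unauthenticated desktop session.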
From: thelamer Date: Wed, 14 Feb 2024 10:01:08 -0800 Subject: [PATCH 13/15] update date --- webtop.subfolder.conf.sample | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webtop.subfolder.conf.sample b/webtop.subfolder.conf.sample index 0cb4c1a..526525c 100644 --- a/webtop.subfolder.conf.sample +++ b/webtop.subfolder.conf.sample @@ -1,4 +1,4 @@ -## Version 2024/02/05 +## Version 2024/02/14 # make sure that your webtop container is named webtop # make sure that webtop is set to work with the base url /webtop/ # works with any KasmVNC based image From 65870080e16d6b2aeccc9872292d46c6767298a0 Mon Sep 17 00:00:00 2001 From: driz <40674481+drizuid@users.noreply.github.com> Date: Tue, 20 Feb 2024 08:33:32 -0500 Subject: [PATCH 14/15] Create speedtest-tracker.subdomain.conf.sample --- speedtest-tracker.subdomain.conf.sample | 47 +++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 speedtest-tracker.subdomain.conf.sample diff --git a/speedtest-tracker.subdomain.conf.sample b/speedtest-tracker.subdomain.conf.sample new file mode 100644 index 0000000..565e4f2 --- /dev/null +++ b/speedtest-tracker.subdomain.conf.sample 
@@ -0,0 +1,47 @@
+## Version 2024/02/20
+# make sure that your speedtest-tracker container is named speedtest-tracker
+# make sure that your dns has a cname set for speedtest-tracker
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name speedtest-tracker.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app speedtest-tracker;
+ set $upstream_port 80;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+
+}
From 8142019d5b8b85e61f3dc89946a9659c82585e49 Mon Sep 17 00:00:00 2001
From: driz <40674481+drizuid@users.noreply.github.com>
Date: Fri, 23 Feb 2024 09:14:23 -0500
Subject: [PATCH 15/15] Create stirling-pdf.subdomain.conf.sample
---
stirling-pdf.subdomain.conf.sample | 47 ++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
create mode 100644 stirling-pdf.subdomain.conf.sample
diff --git a/stirling-pdf.subdomain.conf.sample b/stirling-pdf.subdomain.conf.sample
new file mode 100644
index 0000000..81d8363
--- /dev/null
+++ b/stirling-pdf.subdomain.conf.sample
@@ -0,0 +1,47 @@
+## Version 2024/02/23
+# make sure that your stirling-pdf container is named stirling-pdf
+# make sure that your dns has a cname set for stirling-pdf
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name stirling-pdf.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app stirling-pdf;
+ set $upstream_port 8080;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+
+}