From 757bc6118b5d03c89f732246bb613ee95c0a5d13 Mon Sep 17 00:00:00 2001
From: aptalca <541623+aptalca@users.noreply.github.com>
Date: Wed, 21 Jun 2023 13:56:51 -0400
Subject: [PATCH 1/7] add frigate subdomain conf
---
 frigate.subdomain.conf.sample | 46 +++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 frigate.subdomain.conf.sample
diff --git a/frigate.subdomain.conf.sample b/frigate.subdomain.conf.sample
new file mode 100644
index 0000000..8136d58
--- /dev/null
+++ b/frigate.subdomain.conf.sample
@@ -0,0 +1,46 @@
+## Version 2023/06/21
+# make sure that your frigate container is named frigate
+# make sure that your dns has a cname set for frigate
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name frigate.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app frigate;
+ set $upstream_port 5000;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
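Review bot: The sample proxies Frigate's port 5000 with every auth option commented out, and as far as I know Frigate's web UI on that port has no login of its own, so a user who copies this file as-is publishes live camera feeds and recordings to anyone who can resolve the name; most other samples in this repo at least front an upstream that has its own login. I would say so in the header comment rather than leaving it to the generic auth boilerplate, e.g. `# frigate's web UI has no built-in authentication; enable http auth, ldap, Authelia or Authentik below before exposing it`. Worth confirming against the Frigate version this sample targets, since a later release may add its own auth.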
From 540c4eec3afd5eecfc12308be093a7126ac9e217 Mon Sep 17 00:00:00 2001
From: aptalca <541623+aptalca@users.noreply.github.com>
Date: Wed, 21 Jun 2023 14:02:16 -0400
Subject: [PATCH 2/7] fix warning for libreddit
---
 libreddit.subdomain.conf.sample | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libreddit.subdomain.conf.sample b/libreddit.subdomain.conf.sample
index 751f3b2..f391bc4 100644
--- a/libreddit.subdomain.conf.sample
+++ b/libreddit.subdomain.conf.sample
@@ -1,10 +1,10 @@
-## Version 2023/02/05
+## Version 2023/06/21
 # make sure that your libreddit container is named libreddit
 # make sure that your dns has a cname set for libreddit
 
 server {
- listen 443 ssl;
- listen [::]:443 ssl;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
 
 server_name libreddit.*;
 
From cc22ea5d0b9775817f406368c909a05d851ff397 Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Sat, 24 Jun 2023 20:35:40 -0500
Subject: [PATCH 3/7] Nextcloud header adjustments
Signed-off-by: Eric Nemchik
---
 nextcloud.subdomain.conf.sample | 9 +++++++--
 nextcloud.subfolder.conf.sample | 15 +++++++++++----
 2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/nextcloud.subdomain.conf.sample b/nextcloud.subdomain.conf.sample
index 3e03083..afb4a00 100644
--- a/nextcloud.subdomain.conf.sample
+++ b/nextcloud.subdomain.conf.sample
@@ -1,4 +1,4 @@
-## Version 2023/06/06
+## Version 2023/06/24
 # make sure that your nextcloud container is named nextcloud
 # make sure that your dns has a cname set for nextcloud
 # assuming this container is called "swag", edit your nextcloud container's config
@@ -32,8 +32,13 @@ server {
 set $upstream_proto https;
 proxy_pass $upstream_proto://$upstream_app:$upstream_port;
 
- # Uncomment X-Frame-Options directive in ssl.conf to pass security checks.
+ # Hide proxy response headers from Nextcloud that conflict with ssl.conf
+ proxy_hide_header Referrer-Policy;
+ proxy_hide_header X-Content-Type-Options;
 proxy_hide_header X-Frame-Options;
+ proxy_hide_header X-XSS-Protection;
+
+ # Disable proxy buffering
 proxy_buffering off;
 }
 }
diff --git a/nextcloud.subfolder.conf.sample b/nextcloud.subfolder.conf.sample
index 44a672b..2ad882e 100644
--- a/nextcloud.subfolder.conf.sample
+++ b/nextcloud.subfolder.conf.sample
@@ -1,4 +1,4 @@
-## Version 2023/06/06
+## Version 2023/06/24
 # make sure that your nextcloud container is named nextcloud
 # make sure that nextcloud is set to work with the base url /nextcloud/
 # Assuming this container is called "swag", edit your nextcloud container's config
@@ -34,10 +34,17 @@ location ^~ /nextcloud/ {
 proxy_pass $upstream_proto://$upstream_app:$upstream_port;
 rewrite /nextcloud(.*) $1 break;
 
- # Uncomment X-Frame-Options directive in ssl.conf to pass security checks.
- proxy_hide_header X-Frame-Options;
- proxy_buffering off;
+
 proxy_set_header Range $http_range;
 proxy_set_header If-Range $http_if_range;
 proxy_ssl_session_reuse off;
+
+ # Hide proxy response headers from Nextcloud that conflict with ssl.conf
+ proxy_hide_header Referrer-Policy;
+ proxy_hide_header X-Content-Type-Options;
+ proxy_hide_header X-Frame-Options;
+ proxy_hide_header X-XSS-Protection;
+
+ # Disable proxy buffering
+ proxy_buffering off;
 }
From f6d6c030801355b1a6264920cce0f6b733f303cc Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Sat, 24 Jun 2023 20:43:42 -0500
Subject: [PATCH 4/7] Re-include comment about NC security scans
Signed-off-by: Eric Nemchik
---
 nextcloud.subdomain.conf.sample | 1 +
 nextcloud.subfolder.conf.sample | 1 +
 2 files changed, 2 insertions(+)
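Review bot: The four `proxy_hide_header` lines strip headers Nextcloud sets itself, but nothing in this server block puts them back: the replacement depends on `add_header` lines in ssl.conf that the removed comment implies are commented out by default, so a user who does not edit ssl.conf now serves Nextcloud with no X-Frame-Options or X-Content-Type-Options at all, where before only X-Frame-Options was dropped. That is a weaker default against clickjacking and MIME sniffing than the previous version, even if it keeps Nextcloud's scan from complaining about duplicate headers. I would state the consequence next to the hide lines, e.g. `# NOTE: these are only re-added if the matching add_header lines in ssl.conf are uncommented; with both off, the browser gets no clickjacking/nosniff protection for Nextcloud`. Also worth checking that the Referrer-Policy value ssl.conf sends is at least as strict as the one Nextcloud sends, since the upstream value is now discarded unconditionally; the same applies to the subfolder hunk below.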
diff --git a/nextcloud.subdomain.conf.sample b/nextcloud.subdomain.conf.sample
index afb4a00..5fb72f8 100644
--- a/nextcloud.subdomain.conf.sample
+++ b/nextcloud.subdomain.conf.sample
@@ -33,6 +33,7 @@ server {
 proxy_pass $upstream_proto://$upstream_app:$upstream_port;
 
 # Hide proxy response headers from Nextcloud that conflict with ssl.conf
+ # Uncomment the Optional additional headers in SWAG's ssl.conf to pass Nextcloud's security scan
 proxy_hide_header Referrer-Policy;
 proxy_hide_header X-Content-Type-Options;
 proxy_hide_header X-Frame-Options;
diff --git a/nextcloud.subfolder.conf.sample b/nextcloud.subfolder.conf.sample
index 2ad882e..ca259da 100644
--- a/nextcloud.subfolder.conf.sample
+++ b/nextcloud.subfolder.conf.sample
@@ -40,6 +40,7 @@ location ^~ /nextcloud/ {
 proxy_ssl_session_reuse off;
 
 # Hide proxy response headers from Nextcloud that conflict with ssl.conf
+ # Uncomment the Optional additional headers in SWAG's ssl.conf to pass Nextcloud's security scan
 proxy_hide_header Referrer-Policy;
 proxy_hide_header X-Content-Type-Options;
 proxy_hide_header X-Frame-Options;
From be68a63b4098a60b3700f7ca603d17af56d69417 Mon Sep 17 00:00:00 2001
From: "J. Scott Elblein"
Date: Tue, 27 Jun 2023 01:30:03 -0500
Subject: [PATCH 5/7] Create linkstack.subdomain.conf.sample
For: https://hub.docker.com/r/linkstackorg/linkstack https://github.com/LinkStackOrg/LinkStack
---
 linkstack.subdomain.conf.sample | 44 +++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 linkstack.subdomain.conf.sample
diff --git a/linkstack.subdomain.conf.sample b/linkstack.subdomain.conf.sample
new file mode 100644
index 0000000..ead34f0
--- /dev/null
+++ b/linkstack.subdomain.conf.sample
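Review bot: The new comment explains the ssl.conf change only as a way "to pass Nextcloud's security scan", which reads as cosmetic; since the `proxy_hide_header` lines directly below it discard the protective headers Nextcloud would otherwise send, uncommenting ssl.conf's headers is what actually restores clickjacking and MIME-sniffing protection, and the comment should say so. Suggest `# Uncomment the Optional additional headers in SWAG's ssl.conf: they replace the protective headers hidden below and are also what Nextcloud's security scan checks for`. The same wording applies to the subfolder hunk.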
@@ -0,0 +1,44 @@
+## Version 2023/06/27
+# make sure that your dns has a cname set for linkstack and that your linkstack container is not using a base url
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name linkstack.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app linkstack;
+ set $upstream_port 443;
+ set $upstream_proto https;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
+}
From 2a4d9139dd9aa2a0891844d46ec7a8a96850303c Mon Sep 17 00:00:00 2001
From: bokkoman
Date: Thu, 27 Jul 2023 09:50:34 +0200
Subject: [PATCH 6/7] Update notifiarr.subdomain.conf.sample
Added proxy_set_header for Authelia authentication with Notifiarr.
---
 notifiarr.subdomain.conf.sample | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/notifiarr.subdomain.conf.sample b/notifiarr.subdomain.conf.sample
index fdfd6f1..244e57d 100644
--- a/notifiarr.subdomain.conf.sample
+++ b/notifiarr.subdomain.conf.sample
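Review bot: `listen 443 ssl;` and `listen [::]:443 ssl;` omit the `http2` parameter that patch 2 of this same series adds to libreddit to silence an nginx warning (presumably the "protocol options redefined" warning nginx emits when listen directives on the same address:port disagree), so the new sample reintroduces the inconsistency; suggest `listen 443 ssl http2;` and `listen [::]:443 ssl http2;` to match the frigate and libreddit samples. Separately, `set $upstream_proto https;` with port 443 proxies to the container over TLS, and unless proxy.conf turns on `proxy_ssl_verify` (nginx's default is off) the container's certificate is never checked, which is acceptable on a private docker network but should be stated, e.g. `# upstream TLS is not verified by default; only safe when linkstack is reachable solely on the internal docker network`. The header comment could also mention why https to 443 is chosen over a plain-HTTP port if the image offers one — I cannot tell from this file.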
@@ -31,6 +31,9 @@ server {
 
 # enable for Authelia (requires authelia-server.conf in the server block)
 #include /config/nginx/authelia-location.conf;
+ # Enable if you use webauth for Notifiarr client website authentication
+ #proxy_set_header X-Forwarded-For $remote_addr;
+ #proxy_set_header X-WebAuth-User $user;
 # enable for Authentik (requires authentik-server.conf in the server block)
 #include /config/nginx/authentik-location.conf;
 
From cff0020c14ee888757270de27673e6892a9e85b2 Mon Sep 17 00:00:00 2001
From: bokkoman
Date: Thu, 27 Jul 2023 20:06:32 +0200
Subject: [PATCH 7/7] Update notifiarr.subdomain.conf.sample
Co-authored-by: Eric Nemchik
---
 notifiarr.subdomain.conf.sample | 1 -
 1 file changed, 1 deletion(-)
diff --git a/notifiarr.subdomain.conf.sample b/notifiarr.subdomain.conf.sample
index 244e57d..dbe77b2 100644
--- a/notifiarr.subdomain.conf.sample
+++ b/notifiarr.subdomain.conf.sample
@@ -32,7 +32,6 @@ server {
 # enable for Authelia (requires authelia-server.conf in the server block)
 #include /config/nginx/authelia-location.conf;
 # Enable if you use webauth for Notifiarr client website authentication
- #proxy_set_header X-Forwarded-For $remote_addr;
 #proxy_set_header X-WebAuth-User $user;
 # enable for Authentik (requires authentik-server.conf in the server block)
 #include /config/nginx/authentik-location.conf;
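Review bot: `proxy_set_header X-WebAuth-User $user;` makes Notifiarr trust an identity asserted by the proxy, so the comment should state what that requires: `$user` has to be populated by an auth_request (presumably the `auth_request_set` in authelia-location.conf, which the commit message ties this to; nginx will refuse to start on an undefined `$user` if only this line is uncommented), and Notifiarr's own port must not be reachable except through SWAG, otherwise anyone can send the header themselves. Suggest `# Enable if you use webauth for Notifiarr client website authentication (requires the Authelia include above, which sets $user; Notifiarr must only be reachable via this proxy)`. Note also that a `proxy_set_header` inside a location block stops inheritance of any `proxy_set_header` defined at server level, so this only behaves as intended if proxy.conf is included in this same location block as the frigate and linkstack samples do; the enclosing block starts and ends outside the hunk so I cannot confirm. Stylistically the three lines sit directly between the Authelia include and the Authentik comment with no separating blank line, unlike every other option group in the template.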