diff --git a/.github/workflows/check_samples.yml b/.github/workflows/check_samples.yml
index ba104b5..00f8489 100644
--- a/.github/workflows/check_samples.yml
+++ b/.github/workflows/check_samples.yml
@@ -12,7 +12,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v3.5.3
+ uses: actions/checkout@v4.0.0
 - name: Check Allowed File Names
 run: |
diff --git a/cadvisor.subdomain.conf.sample b/cadvisor.subdomain.conf.sample
index 26dbf24..1a949b1 100644
--- a/cadvisor.subdomain.conf.sample
+++ b/cadvisor.subdomain.conf.sample
@@ -41,5 +41,16 @@ server {
 set $upstream_port 8080;
 set $upstream_proto http;
 proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+
+ location ~ (/cadvisor)?/api {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app cadvisor;
+ set $upstream_port 8080;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
 }
 }
diff --git a/frigate.subdomain.conf.sample b/frigate.subdomain.conf.sample
new file mode 100644
index 0000000..8136d58
--- /dev/null
+++ b/frigate.subdomain.conf.sample
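Review bot: In cadvisor.subdomain.conf.sample the new `location ~ (/cadvisor)?/api` block has none of the commented auth options (http auth, ldap, Authelia, Authentik) that the location blocks in the other samples carry, so enabling auth on `location /` would still leave every `/api` request proxied straight to cadvisor on port 8080. cAdvisor's API is, as far as I know, unauthenticated by default, so this path would expose container and host metrics; whether `location /` in this file has the auth stanzas is not visible, because the hunk starts at line 41. The regex is also unanchored and matches any URI that contains `/api`, so I would write `location ~ ^(/cadvisor)?/api {`. I would also repeat the commented auth includes inside the block, or add a comment saying the API path is deliberately kept outside the auth flow.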
@@ -0,0 +1,46 @@
+## Version 2023/06/21
+# make sure that your frigate container is named frigate
+# make sure that your dns has a cname set for frigate
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name frigate.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app frigate;
+ set $upstream_port 5000;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/libreddit.subdomain.conf.sample b/libreddit.subdomain.conf.sample
index 751f3b2..f391bc4 100644
--- a/libreddit.subdomain.conf.sample
+++ b/libreddit.subdomain.conf.sample
@@ -1,10 +1,10 @@
-## Version 2023/02/05
+## Version 2023/06/21
 # make sure that your libreddit container is named libreddit
 # make sure that your dns has a cname set for libreddit
 server {
- listen 443 ssl;
- listen [::]:443 ssl;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
 server_name libreddit.*;
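Review bot: frigate.subdomain.conf.sample proxies to port 5000 with every auth option commented out, and to my knowledge Frigate's port 5000 interface has no authentication of its own, so a sample copied as-is would publish the camera UI and API to anyone who can reach the hostname. The header comments only mention the container name and the DNS record. I would add a line above `location /` such as `# frigate on port 5000 has no built-in auth; enable one of the auth options below before exposing this host`.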
diff --git a/linkstack.subdomain.conf.sample b/linkstack.subdomain.conf.sample
new file mode 100644
index 0000000..ead34f0
--- /dev/null
+++ b/linkstack.subdomain.conf.sample
@@ -0,0 +1,44 @@
+## Version 2023/06/27
+# make sure that your dns has a cname set for linkstack and that your linkstack container is not using a base url
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name linkstack.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app linkstack;
+ set $upstream_port 443;
+ set $upstream_proto https;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
+}
diff --git a/nextcloud.subdomain.conf.sample b/nextcloud.subdomain.conf.sample
index 3e03083..5fb72f8 100644
--- a/nextcloud.subdomain.conf.sample
+++ b/nextcloud.subdomain.conf.sample
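Review bot: `client_max_body_size 0;` in linkstack.subdomain.conf.sample removes nginx's request-body limit on a host that would normally be reachable without proxy-level auth, so the backend has to absorb request bodies of any size. The same line is in the new frigate, partdb and shlink samples, while saltrim in this commit uses `client_max_body_size 100M;`. Unless the app needs unlimited uploads I would set an explicit cap such as `client_max_body_size 100M;`, or add a comment saying why the limit is disabled. Separately, the upstream is reached over `https` on port 443; whether nginx verifies that certificate depends on proxy.conf, which is not part of this diff.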
@@ -1,4 +1,4 @@
-## Version 2023/06/06
+## Version 2023/06/24
 # make sure that your nextcloud container is named nextcloud
 # make sure that your dns has a cname set for nextcloud
 # assuming this container is called "swag", edit your nextcloud container's config
@@ -32,8 +32,14 @@ server {
 set $upstream_proto https;
 proxy_pass $upstream_proto://$upstream_app:$upstream_port;
- # Uncomment X-Frame-Options directive in ssl.conf to pass security checks.
+ # Hide proxy response headers from Nextcloud that conflict with ssl.conf
+ # Uncomment the Optional additional headers in SWAG's ssl.conf to pass Nextcloud's security scan
+ proxy_hide_header Referrer-Policy;
+ proxy_hide_header X-Content-Type-Options;
 proxy_hide_header X-Frame-Options;
+ proxy_hide_header X-XSS-Protection;
+
+ # Disable proxy buffering
 proxy_buffering off;
 }
 }
diff --git a/nextcloud.subfolder.conf.sample b/nextcloud.subfolder.conf.sample
index 44a672b..ca259da 100644
--- a/nextcloud.subfolder.conf.sample
+++ b/nextcloud.subfolder.conf.sample
@@ -1,4 +1,4 @@
-## Version 2023/06/06
+## Version 2023/06/24
 # make sure that your nextcloud container is named nextcloud
 # make sure that nextcloud is set to work with the base url /nextcloud/
 # Assuming this container is called "swag", edit your nextcloud container's config
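Review bot: The `proxy_hide_header` lines in the second hunk of nextcloud.subdomain.conf.sample strip Referrer-Policy, X-Content-Type-Options, X-Frame-Options and X-XSS-Protection from Nextcloud's responses, but the replacements live in ssl.conf and, going by the new comment, have to be uncommented by the user. With an untouched ssl.conf (not visible here, so this is inferred from that comment) responses would go out with none of these headers, which is weaker than passing Nextcloud's own values through. The comment presents the uncommenting as a way to pass the security scan; I would state it as a requirement, e.g. `# REQUIRED: uncomment the optional additional headers in SWAG's ssl.conf, otherwise the headers hidden below are not replaced`. The second hunk of nextcloud.subfolder.conf.sample adds the same lines and needs the same wording. The enclosing location block starts outside the hunk.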
@@ -34,10 +34,18 @@ location ^~ /nextcloud/ { proxy_pass $upstream_proto://$upstream_app:$upstream_port; rewrite /nextcloud(.*) $1 break; - # Uncomment X-Frame-Options directive in ssl.conf to pass security checks. - proxy_hide_header X-Frame-Options; - proxy_buffering off; + proxy_set_header Range $http_range; proxy_set_header If-Range $http_if_range; proxy_ssl_session_reuse off; + + # Hide proxy response headers from Nextcloud that conflict with ssl.conf + # Uncomment the Optional additional headers in SWAG's ssl.conf to pass Nextcloud's security scan + proxy_hide_header Referrer-Policy; + proxy_hide_header X-Content-Type-Options; + proxy_hide_header X-Frame-Options; + proxy_hide_header X-XSS-Protection; + + # Disable proxy buffering + proxy_buffering off; }
diff --git a/notifiarr.subdomain.conf.sample b/notifiarr.subdomain.conf.sample
index fdfd6f1..dbe77b2 100644
--- a/notifiarr.subdomain.conf.sample
+++ b/notifiarr.subdomain.conf.sample
@@ -31,6 +31,8 @@ server {
 # enable for Authelia (requires authelia-server.conf in the server block)
 #include /config/nginx/authelia-location.conf;
+ # Enable if you use webauth for Notifiarr client website authentication
+ #proxy_set_header X-WebAuth-User $user;
 # enable for Authentik (requires authentik-server.conf in the server block)
 #include /config/nginx/authentik-location.conf;
diff --git a/partdb.subdomain.conf.sample b/partdb.subdomain.conf.sample
new file mode 100644
index 0000000..d5efd90
--- /dev/null
+++ b/partdb.subdomain.conf.sample
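Review bot: The commented `#proxy_set_header X-WebAuth-User $user;` added to notifiarr.subdomain.conf.sample does not say where `$user` comes from. It is presumably set by authelia-location.conf (not shown in this diff), in which case enabling the line without that include would make nginx reject the config for an unknown variable. I would extend the comment to `# Enable if you use webauth for Notifiarr client website authentication (requires authelia-location.conf above, which defines $user)`. Because the client then trusts this header for login, the comment should also tell users to restrict which upstream addresses the client accepts it from, and to keep the proxy setting it whenever webauth is on so that a client-supplied value is never forwarded. The location block starts and ends outside the hunk.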
@@ -0,0 +1,47 @@
+## Version 2023/05/31
+# make sure that your partdb container is named partdb
+# make sure that your dns has a cname set for partdb
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name partdb.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app partdb;
+ set $upstream_port 80;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+
+}
diff --git a/saltrim.subdomain.conf.sample b/saltrim.subdomain.conf.sample
new file mode 100644
index 0000000..84fea2d
--- /dev/null
+++ b/saltrim.subdomain.conf.sample
@@ -0,0 +1,45 @@
+## Version 2023/08/05
+# make sure that your saltrim webserver container is named bar_assistant-webserver-1 or manually change to match the upstream_app below
+# make sure that your dns has a cname set for saltrim
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name saltrim.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 100M;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app bar_assistant-webserver-1;
+ set $upstream_port 3000;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
+}
diff --git a/shlink.subdomain.conf.sample b/shlink.subdomain.conf.sample
new file mode 100644
index 0000000..5bb67ca
--- /dev/null
+++ b/shlink.subdomain.conf.sample
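Review bot: saltrim.subdomain.conf.sample declares `listen 443 ssl;` and `listen [::]:443 ssl;` without `http2`, while this same commit switches libreddit to `listen 443 ssl http2;` and the new frigate, partdb and shlink samples already use it. linkstack.subdomain.conf.sample has the same omission. Unless HTTP/2 is deliberately left off for these two apps, I would use `listen 443 ssl http2;` and `listen [::]:443 ssl http2;` in both files so the samples stay consistent.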
@@ -0,0 +1,45 @@
+## Version 2023/05/31
+# make sure that your shlink container is named shlink
+# make sure that your dns has a cname set for shlink
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name shlink.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app shlink;
+ set $upstream_port 8080;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
+}