From fddab7224d5bbf54db13fd4c1cfc5f5a44e0e564 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Thu, 13 Apr 2023 12:04:44 -0500 Subject: [PATCH 01/15] Additional cadvisor endpoints --- cadvisor.subdomain.conf.sample | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/cadvisor.subdomain.conf.sample b/cadvisor.subdomain.conf.sample index a3f9474..d9a75ab 100644 --- a/cadvisor.subdomain.conf.sample +++ b/cadvisor.subdomain.conf.sample @@ -41,5 +41,34 @@ server { set $upstream_port 8080; set $upstream_proto http; proxy_pass $upstream_proto://$upstream_app:$upstream_port; + + } + + location ~ (/cadvisor)?/api { + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app cadvisor; + set $upstream_port 8080; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + + } + + location ~ (/cadvisor)?/metrics { + # enable the next two lines for http auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + # block metrics access by default because it is unprotected + # you can comment out the next line to enable remote metrics + deny all; + + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app cadvisor; + set $upstream_port 8080; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } } From 99490181017b4e61ad7e981918aae212bf678f4d Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Fri, 14 Apr 2023 15:24:07 -0500 Subject: [PATCH 02/15] Update cadvisor.subdomain.conf.sample --- cadvisor.subdomain.conf.sample | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/cadvisor.subdomain.conf.sample b/cadvisor.subdomain.conf.sample index d9a75ab..27e5a2a 100644 --- a/cadvisor.subdomain.conf.sample +++ b/cadvisor.subdomain.conf.sample 
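Review bot: The new `location ~ (/cadvisor)?/api` and `location ~ (/cadvisor)?/metrics` regexes are unanchored, so they match any URI that merely contains `/api` or `/metrics` anywhere in the path and, being regex locations, take precedence over the prefix `location /` for those requests; anchoring them as `location ~ ^(/cadvisor)?/api {` (and likewise for metrics) limits them to the intended prefixes. The `/api` block also carries none of the commented auth options (http basic, ldap, Authelia, Authentik) the samples normally offer, so if a user enables auth in the `location /` that starts above this hunk, cAdvisor's container API under `/api` would presumably still be served without it. Mirroring the auth option comments from `location /` into the `/api` block keeps the two locations consistent.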
@@ -53,22 +53,4 @@ server { proxy_pass $upstream_proto://$upstream_app:$upstream_port; } - - location ~ (/cadvisor)?/metrics { - # enable the next two lines for http auth - #auth_basic "Restricted"; - #auth_basic_user_file /config/nginx/.htpasswd; - - # block metrics access by default because it is unprotected - # you can comment out the next line to enable remote metrics - deny all; - - include /config/nginx/proxy.conf; - include /config/nginx/resolver.conf; - set $upstream_app cadvisor; - set $upstream_port 8080; - set $upstream_proto http; - proxy_pass $upstream_proto://$upstream_app:$upstream_port; - - } } From 7a58b9dd32da75579eba5a084a8c20fb6199dd5b Mon Sep 17 00:00:00 2001 From: MG-5 Date: Sun, 4 Jun 2023 13:50:35 +0200 Subject: [PATCH 03/15] Create partdb.subdomain.conf.sample --- partdb.subdomain.conf.sample | 47 ++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 partdb.subdomain.conf.sample diff --git a/partdb.subdomain.conf.sample b/partdb.subdomain.conf.sample new file mode 100644 index 0000000..d5efd90 --- /dev/null +++ b/partdb.subdomain.conf.sample 
@@ -0,0 +1,47 @@ +## Version 2023/05/31 +# make sure that your partdb container is named partdb +# make sure that your dns has a cname set for partdb + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name partdb.*; + + include /config/nginx/ssl.conf; + + client_max_body_size 0; + + # enable for ldap auth (requires ldap-location.conf in the location block) + #include /config/nginx/ldap-server.conf; + + # enable for Authelia (requires authelia-location.conf in the location block) + #include /config/nginx/authelia-server.conf; + + # enable for Authentik (requires authentik-location.conf in the location block) + #include /config/nginx/authentik-server.conf; + + location / { + # enable the next two lines for http auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + # enable for ldap auth (requires ldap-server.conf in the server block) + #include /config/nginx/ldap-location.conf; + + # enable for Authelia (requires authelia-server.conf in the server block) + #include /config/nginx/authelia-location.conf; + + # enable for Authentik (requires authentik-server.conf in the server block) + #include /config/nginx/authentik-location.conf; + + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app partdb; + set $upstream_port 80; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + + } + +} From 908cd9c80078d652cbb3cdf5eee1c87eb424a8f6 Mon Sep 17 00:00:00 2001 From: Gabriel Lando Date: Mon, 19 Jun 2023 12:16:20 -0300 Subject: [PATCH 04/15] Add shlink sample --- shlink.subdomain.conf.sample | 45 ++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 shlink.subdomain.conf.sample diff --git a/shlink.subdomain.conf.sample b/shlink.subdomain.conf.sample new file mode 100644 index 0000000..5bb67ca --- /dev/null +++ b/shlink.subdomain.conf.sample 
@@ -0,0 +1,45 @@ +## Version 2023/05/31 +# make sure that your shlink container is named shlink +# make sure that your dns has a cname set for shlink + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name shlink.*; + + include /config/nginx/ssl.conf; + + client_max_body_size 0; + + # enable for ldap auth (requires ldap-location.conf in the location block) + #include /config/nginx/ldap-server.conf; + + # enable for Authelia (requires authelia-location.conf in the location block) + #include /config/nginx/authelia-server.conf; + + # enable for Authentik (requires authentik-location.conf in the location block) + #include /config/nginx/authentik-server.conf; + + location / { + # enable the next two lines for http auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + # enable for ldap auth (requires ldap-server.conf in the server block) + #include /config/nginx/ldap-location.conf; + + # enable for Authelia (requires authelia-server.conf in the server block) + #include /config/nginx/authelia-location.conf; + + # enable for Authentik (requires authentik-server.conf in the server block) + #include /config/nginx/authentik-location.conf; + + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app shlink; + set $upstream_port 8080; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } +} From 757bc6118b5d03c89f732246bb613ee95c0a5d13 Mon Sep 17 00:00:00 2001 From: aptalca <541623+aptalca@users.noreply.github.com> Date: Wed, 21 Jun 2023 13:56:51 -0400 Subject: [PATCH 05/15] add frigate subdomain conf --- frigate.subdomain.conf.sample | 46 +++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 frigate.subdomain.conf.sample diff --git a/frigate.subdomain.conf.sample b/frigate.subdomain.conf.sample new file mode 100644 index 0000000..8136d58 --- /dev/null +++ b/frigate.subdomain.conf.sample 
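Review bot: The optional auth includes sit in `location /`, which for Shlink also serves the public short-URL redirects and the REST endpoints that use Shlink's own API keys, so enabling http auth, LDAP, Authelia or Authentik here would presumably break anyone following a short link rather than only protecting an admin surface — confirm against Shlink's routing. A line under the header comment such as `# note: enabling auth below also gates the public short link redirects; shlink's REST API uses its own API keys` would spare users that surprise.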
@@ -0,0 +1,46 @@ +## Version 2023/06/21 +# make sure that your frigate container is named frigate +# make sure that your dns has a cname set for frigate + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name frigate.*; + + include /config/nginx/ssl.conf; + + client_max_body_size 0; + + # enable for ldap auth (requires ldap-location.conf in the location block) + #include /config/nginx/ldap-server.conf; + + # enable for Authelia (requires authelia-location.conf in the location block) + #include /config/nginx/authelia-server.conf; + + # enable for Authentik (requires authentik-location.conf in the location block) + #include /config/nginx/authentik-server.conf; + + location / { + # enable the next two lines for http auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + # enable for ldap auth (requires ldap-server.conf in the server block) + #include /config/nginx/ldap-location.conf; + + # enable for Authelia (requires authelia-server.conf in the server block) + #include /config/nginx/authelia-location.conf; + + # enable for Authentik (requires authentik-server.conf in the server block) + #include /config/nginx/authentik-location.conf; + + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app frigate; + set $upstream_port 5000; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + + } +} From 540c4eec3afd5eecfc12308be093a7126ac9e217 Mon Sep 17 00:00:00 2001 From: aptalca <541623+aptalca@users.noreply.github.com> Date: Wed, 21 Jun 2023 14:02:16 -0400 Subject: [PATCH 06/15] fix warning for libreddit --- libreddit.subdomain.conf.sample | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libreddit.subdomain.conf.sample b/libreddit.subdomain.conf.sample index 751f3b2..f391bc4 100644 --- a/libreddit.subdomain.conf.sample +++ b/libreddit.subdomain.conf.sample 
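Review bot: The `location /` proxies straight to Frigate's port 5000 with every auth option commented out, and the Frigate UI/API on that port does not authenticate requests itself (true of the Frigate releases current at this sample's date — confirm for the version targeted), so the default sample publishes the camera streams and configuration API to anyone who can reach the hostname. A comment above the auth options, e.g. `# frigate has no built-in authentication on port 5000; enable one of the auth options below before exposing it`, would make that explicit, and the other new samples in this series would benefit from the same convention where the upstream has no auth of its own.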
@@ -1,10 +1,10 @@ -## Version 2023/02/05 +## Version 2023/06/21 # make sure that your libreddit container is named libreddit # make sure that your dns has a cname set for libreddit server { - listen 443 ssl; - listen [::]:443 ssl; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name libreddit.*; From cc22ea5d0b9775817f406368c909a05d851ff397 Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sat, 24 Jun 2023 20:35:40 -0500 Subject: [PATCH 07/15] Nextcloud header adjustments Signed-off-by: Eric Nemchik --- nextcloud.subdomain.conf.sample | 9 +++++++-- nextcloud.subfolder.conf.sample | 15 +++++++++++---- 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/nextcloud.subdomain.conf.sample b/nextcloud.subdomain.conf.sample index 3e03083..afb4a00 100644 --- a/nextcloud.subdomain.conf.sample +++ b/nextcloud.subdomain.conf.sample @@ -1,4 +1,4 @@ -## Version 2023/06/06 +## Version 2023/06/24 # make sure that your nextcloud container is named nextcloud # make sure that your dns has a cname set for nextcloud # assuming this container is called "swag", edit your nextcloud container's config @@ -32,8 +32,13 @@ server { set $upstream_proto https; proxy_pass $upstream_proto://$upstream_app:$upstream_port; - # Uncomment X-Frame-Options directive in ssl.conf to pass security checks. + # Hide proxy response headers from Nextcloud that conflict with ssl.conf + proxy_hide_header Referrer-Policy; + proxy_hide_header X-Content-Type-Options; proxy_hide_header X-Frame-Options; + proxy_hide_header X-XSS-Protection; + + # Disable proxy buffering proxy_buffering off; } } diff --git a/nextcloud.subfolder.conf.sample b/nextcloud.subfolder.conf.sample index 44a672b..2ad882e 100644 --- a/nextcloud.subfolder.conf.sample +++ b/nextcloud.subfolder.conf.sample 
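Review bot: The four `proxy_hide_header` directives strip Referrer-Policy, X-Content-Type-Options, X-Frame-Options and X-XSS-Protection from every Nextcloud response unconditionally, yet the corresponding headers in SWAG's ssl.conf are the optional, commented-out ones (as the follow-up commit's own comment says), so a user who does not edit ssl.conf now receives none of these headers instead of Nextcloud's. If the goal is only to avoid duplicates once the ssl.conf set is enabled, the hide lines should ship commented out with that instruction, or ssl.conf's enabled-by-default set should cover them. The same applies to the matching hunk in nextcloud.subfolder.conf.sample. Dropping X-XSS-Protection alone is harmless since current browsers ignore it.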
@@ -1,4 +1,4 @@ -## Version 2023/06/06 +## Version 2023/06/24 # make sure that your nextcloud container is named nextcloud # make sure that nextcloud is set to work with the base url /nextcloud/ # Assuming this container is called "swag", edit your nextcloud container's config @@ -34,10 +34,17 @@ location ^~ /nextcloud/ { proxy_pass $upstream_proto://$upstream_app:$upstream_port; rewrite /nextcloud(.*) $1 break; - # Uncomment X-Frame-Options directive in ssl.conf to pass security checks. - proxy_hide_header X-Frame-Options; - proxy_buffering off; + proxy_set_header Range $http_range; proxy_set_header If-Range $http_if_range; proxy_ssl_session_reuse off; + + # Hide proxy response headers from Nextcloud that conflict with ssl.conf + proxy_hide_header Referrer-Policy; + proxy_hide_header X-Content-Type-Options; + proxy_hide_header X-Frame-Options; + proxy_hide_header X-XSS-Protection; + + # Disable proxy buffering + proxy_buffering off; } From f6d6c030801355b1a6264920cce0f6b733f303cc Mon Sep 17 00:00:00 2001 From: Eric Nemchik Date: Sat, 24 Jun 2023 20:43:42 -0500 Subject: [PATCH 08/15] Re-include comment about NC security scans Signed-off-by: Eric Nemchik --- nextcloud.subdomain.conf.sample | 1 + nextcloud.subfolder.conf.sample | 1 + 2 files changed, 2 insertions(+) diff --git a/nextcloud.subdomain.conf.sample b/nextcloud.subdomain.conf.sample index afb4a00..5fb72f8 100644 --- a/nextcloud.subdomain.conf.sample +++ b/nextcloud.subdomain.conf.sample @@ -33,6 +33,7 @@ server { proxy_pass $upstream_proto://$upstream_app:$upstream_port; # Hide proxy response headers from Nextcloud that conflict with ssl.conf + # Uncomment the Optional additional headers in SWAG's ssl.conf to pass Nextcloud's security scan proxy_hide_header Referrer-Policy; proxy_hide_header X-Content-Type-Options; proxy_hide_header X-Frame-Options; diff --git a/nextcloud.subfolder.conf.sample b/nextcloud.subfolder.conf.sample index 2ad882e..ca259da 100644 --- a/nextcloud.subfolder.conf.sample 
+++ b/nextcloud.subfolder.conf.sample @@ -40,6 +40,7 @@ location ^~ /nextcloud/ { proxy_ssl_session_reuse off; # Hide proxy response headers from Nextcloud that conflict with ssl.conf + # Uncomment the Optional additional headers in SWAG's ssl.conf to pass Nextcloud's security scan proxy_hide_header Referrer-Policy; proxy_hide_header X-Content-Type-Options; proxy_hide_header X-Frame-Options; From be68a63b4098a60b3700f7ca603d17af56d69417 Mon Sep 17 00:00:00 2001 From: "J. Scott Elblein" Date: Tue, 27 Jun 2023 01:30:03 -0500 Subject: [PATCH 09/15] Create linkstack.subdomain.conf.sample For: https://hub.docker.com/r/linkstackorg/linkstack https://github.com/LinkStackOrg/LinkStack --- linkstack.subdomain.conf.sample | 44 +++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 linkstack.subdomain.conf.sample diff --git a/linkstack.subdomain.conf.sample b/linkstack.subdomain.conf.sample new file mode 100644 index 0000000..ead34f0 --- /dev/null +++ b/linkstack.subdomain.conf.sample 
@@ -0,0 +1,44 @@ +## Version 2023/06/27 +# make sure that your dns has a cname set for linkstack and that your linkstack container is not using a base url + +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name linkstack.*; + + include /config/nginx/ssl.conf; + + client_max_body_size 0; + + # enable for ldap auth (requires ldap-location.conf in the location block) + #include /config/nginx/ldap-server.conf; + + # enable for Authelia (requires authelia-location.conf in the location block) + #include /config/nginx/authelia-server.conf; + + # enable for Authentik (requires authentik-location.conf in the location block) + #include /config/nginx/authentik-server.conf; + + location / { + # enable the next two lines for http auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + # enable for ldap auth (requires ldap-server.conf in the server block) + #include /config/nginx/ldap-location.conf; + + # enable for Authelia (requires authelia-server.conf in the server block) + #include /config/nginx/authelia-location.conf; + + # enable for Authentik (requires authentik-server.conf in the server block) + #include /config/nginx/authentik-location.conf; + + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app linkstack; + set $upstream_port 443; + set $upstream_proto https; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } +} From 2a4d9139dd9aa2a0891844d46ec7a8a96850303c Mon Sep 17 00:00:00 2001 From: bokkoman Date: Thu, 27 Jul 2023 09:50:34 +0200 Subject: [PATCH 10/15] Update notifiarr.subdomain.conf.sample Added proxy_set_header for Authelia authentication with Notifiarr. --- notifiarr.subdomain.conf.sample | 3 +++ 1 file changed, 3 insertions(+) diff --git a/notifiarr.subdomain.conf.sample b/notifiarr.subdomain.conf.sample index fdfd6f1..244e57d 100644 --- a/notifiarr.subdomain.conf.sample +++ b/notifiarr.subdomain.conf.sample 
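Review bot: The `listen 443 ssl;` / `listen [::]:443 ssl;` pair diverges from the other new samples in this series and from the libreddit change a few commits earlier, which moved to `listen 443 ssl http2;` and `listen [::]:443 ssl http2;` precisely to silence a warning; saltrim.subdomain.conf.sample later in the series has the same form. The upstream is reached over `https` on 443, and nginx does not verify the upstream certificate unless `proxy_ssl_verify on;` is configured, which is normally acceptable on a private container network but deserves a comment such as `# upstream TLS is not verified by default; set proxy_ssl_verify if the container is not on a trusted network`.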
@@ -31,6 +31,9 @@ server { # enable for Authelia (requires authelia-server.conf in the server block) #include /config/nginx/authelia-location.conf; + # Enable if you use webauth for Notifiarr client website authentication + #proxy_set_header X-Forwarded-For $remote_addr; + #proxy_set_header X-WebAuth-User $user; # enable for Authentik (requires authentik-server.conf in the server block) #include /config/nginx/authentik-location.conf; From cff0020c14ee888757270de27673e6892a9e85b2 Mon Sep 17 00:00:00 2001 From: bokkoman Date: Thu, 27 Jul 2023 20:06:32 +0200 Subject: [PATCH 11/15] Update notifiarr.subdomain.conf.sample Co-authored-by: Eric Nemchik --- notifiarr.subdomain.conf.sample | 1 - 1 file changed, 1 deletion(-) diff --git a/notifiarr.subdomain.conf.sample b/notifiarr.subdomain.conf.sample index 244e57d..dbe77b2 100644 --- a/notifiarr.subdomain.conf.sample +++ b/notifiarr.subdomain.conf.sample @@ -32,7 +32,6 @@ server { # enable for Authelia (requires authelia-server.conf in the server block) #include /config/nginx/authelia-location.conf; # Enable if you use webauth for Notifiarr client website authentication - #proxy_set_header X-Forwarded-For $remote_addr; #proxy_set_header X-WebAuth-User $user; # enable for Authentik (requires authentik-server.conf in the server block) From 2319943669be9944ca36e6d207946d79c9118b27 Mon Sep 17 00:00:00 2001 From: beasthouse-au <78465928+beasthouse-au@users.noreply.github.com> Date: Sat, 5 Aug 2023 23:53:20 +1000 Subject: [PATCH 12/15] Add SaltRim Config Sample --- saltrim.subdomain.conf.sample | 45 +++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 saltrim.subdomain.conf.sample diff --git a/saltrim.subdomain.conf.sample b/saltrim.subdomain.conf.sample new file mode 100644 index 0000000..2a539de --- /dev/null +++ b/saltrim.subdomain.conf.sample 
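Review bot: `$user` is not a built-in nginx variable; in these samples it is presumably populated by the Authelia location include (`auth_request_set` in authelia-location.conf — confirm), so uncommenting `proxy_set_header X-WebAuth-User $user;` without also enabling that include will make nginx fail its configuration test with an unknown-variable error. The comment should name the dependency, e.g. `# Enable if you use Authelia for Notifiarr client website authentication ($user is set by authelia-location.conf)`, and the two lines would read better placed directly under the Authelia include rather than between the Authelia and Authentik option pairs.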
@@ -0,0 +1,45 @@ +## Version 2023/08/05 +# make sure that your saltrim webserver container is named bar_assistant-webserver-1 or manually change to match the upstream_app below +# make sure that your dns has a cname set for bar_assistant-webserver-1 + +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name saltrim.*; + + include /config/nginx/ssl.conf; + + client_max_body_size 100M; + + # enable for ldap auth (requires ldap-location.conf in the location block) + #include /config/nginx/ldap-server.conf; + + # enable for Authelia (requires authelia-location.conf in the location block) + #include /config/nginx/authelia-server.conf; + + # enable for Authentik (requires authentik-location.conf in the location block) + #include /config/nginx/authentik-server.conf; + + location / { + # enable the next two lines for http auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + # enable for ldap auth (requires ldap-server.conf in the server block) + #include /config/nginx/ldap-location.conf; + + # enable for Authelia (requires authelia-server.conf in the server block) + #include /config/nginx/authelia-location.conf; + + # enable for Authentik (requires authentik-server.conf in the server block) + #include /config/nginx/authentik-location.conf; + + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app bar_assistant-webserver-1; + set $upstream_port 3000; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } +} From 7c1909201caaf5cb9f8b9930d79cd9b1e6cbe174 Mon Sep 17 00:00:00 2001 From: beasthouse-au <78465928+beasthouse-au@users.noreply.github.com> Date: Sun, 6 Aug 2023 00:11:46 +1000 Subject: [PATCH 13/15] Update saltrim.subdomain.conf.sample --- saltrim.subdomain.conf.sample | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/saltrim.subdomain.conf.sample b/saltrim.subdomain.conf.sample index 2a539de..84fea2d 100644 
--- a/saltrim.subdomain.conf.sample +++ b/saltrim.subdomain.conf.sample @@ -1,6 +1,6 @@ ## Version 2023/08/05 # make sure that your saltrim webserver container is named bar_assistant-webserver-1 or manually change to match the upstream_app below -# make sure that your dns has a cname set for bar_assistant-webserver-1 +# make sure that your dns has a cname set for saltrim server { listen 443 ssl; From 46dff674de0a673f87c60a5525dec79158f9c47d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Aug 2023 20:16:26 +0000 Subject: [PATCH 14/15] Bump actions/checkout from 3.5.3 to 3.6.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.3 to 3.6.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3.5.3...v3.6.0) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/check_samples.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/check_samples.yml b/.github/workflows/check_samples.yml index ba104b5..ddf6407 100644 --- a/.github/workflows/check_samples.yml +++ b/.github/workflows/check_samples.yml @@ -12,7 +12,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3.5.3 + uses: actions/checkout@v3.6.0 - name: Check Allowed File Names run: | From 8474c746a3f9629d489902a2c9a7f72964aa7df6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Sep 2023 20:19:33 +0000 Subject: [PATCH 15/15] Bump actions/checkout from 3.6.0 to 4.0.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3.6.0...v4.0.0) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/check_samples.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/check_samples.yml b/.github/workflows/check_samples.yml index ddf6407..00f8489 100644 --- a/.github/workflows/check_samples.yml +++ b/.github/workflows/check_samples.yml @@ -12,7 +12,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3.6.0 + uses: actions/checkout@v4.0.0 - name: Check Allowed File Names run: |