update folder

nginx/conf.d/default_and_acme.conf

@@ -0,0 +1,24 @@
+server {
+    listen 80 default_server;
+
+    location /.well-known/acme-challenge {
+        root /usr/share/nginx/html;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl default_server;
+
+    ssl_certificate /etc/nginx/ssl/selfsigned.pem;
+    ssl_certificate_key /etc/nginx/ssl/selfsigned.key;
+
+    server_tokens off;
+
+    location / {
+        return 444;
+    }
+}

nginx/conf.d/docker_web.conf

@@ -0,0 +1,31 @@
+map $http_upgrade $proxy_connection {
+  default upgrade;
+  "" close;
+}
+
+server {
+    listen 443 ssl;
+    server_name docker.grenu4.ru;
+
+    ssl_certificate /etc/letsencrypt/live/docker.grenu4.ru/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/docker.grenu4.ru/privkey.pem;
+
+    access_log /var/log/nginx/docker.grenu4.ru_access.log main;
+    error_log /var/log/nginx/mail.grenu4.ru_error.log notice;
+
+    location / {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_pass http://195.122.225.17:9443;
+
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $proxy_connection;
+    }
+
+    location = /robots.txt {
+        add_header Content-Type text/plain;
+        return 200 "User-agent: *\nDisallow: /\n";
+    }
+}

nginx/conf.d/docker_web.conf.save

@@ -0,0 +1 @@
+

nginx/conf.d/mail_web.conf

@@ -0,0 +1,31 @@
+map $http_upgrade $proxy_connection {
+  default upgrade;
+  "" close;
+}
+
+server {
+    listen 443 ssl;
+    server_name mail.grenu4.ru;
+
+    ssl_certificate /etc/letsencrypt/live/mail.grenu4.ru/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/mail.grenu4.ru/privkey.pem;
+
+    access_log /var/log/nginx/mail.grenu4.ru_access.log main;
+    error_log /var/log/nginx/mail.grenu4.ru_error.log notice;
+
+    location / {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_pass http://127.0.0.1:8087;
+
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $proxy_connection;
+    }
+
+    location = /robots.txt {
+        add_header Content-Type text/plain;
+        return 200 "User-agent: *\nDisallow: /\n";
+    }
+}

nginx/conf.d/nextcloud.conf

@@ -0,0 +1,85 @@
+
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
+server {
+    listen 443 ssl;      # for nginx v1.25.1+
+
+    access_log /var/log/nginx/ns.grenu4.ru_access.log main;
+    error_log /var/log/nginx/ns.grenu4.ru_error.log notice;
+
+    http2 on;                                 # uncomment to enable HTTP/2        - supported on nginx v1.25.1+
+    http3 on;                                 # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
+    quic_retry on;                            # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
+    add_header Alt-Svc 'h3=":443"; ma=86400'; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
+    listen 443 quic reuseport;       # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport
+    # listen [::]:443 quic reuseport;  # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport - keep comment to disable IPv6
+
+    server_name ns.grenu4.ru;
+
+    location / {
+        proxy_pass http://127.0.0.1:11000$request_uri;
+
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header X-Forwarded-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Accept-Encoding "";
+        # proxy_set_header Host $host;
+    
+        client_body_buffer_size 512k;
+        proxy_read_timeout 86400s;
+        client_max_body_size 0;
+
+        # Websocket
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+    }
+
+    ssl_certificate /etc/letsencrypt/live/ns.grenu4.ru/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/ns.grenu4.ru/privkey.pem;
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+    ssl_session_tickets off;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+    ssl_prefer_server_ciphers on;
+
+}
+
+server {
+    listen 18443 ssl;
+    server_name ns.grenu4.ru;
+
+    access_log /var/log/nginx/aio_ns.grenu4.ru_access.log main;
+    error_log /var/log/nginx/aio_ns.grenu4.ru_error.log notice;
+
+    ssl_certificate /etc/letsencrypt/live/ns.grenu4.ru/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/ns.grenu4.ru/privkey.pem;
+
+    allow 77.91.87.36; # vpn
+    allow 37.18.26.66; # mrakomaks kwork
+    allow 212.124.20.138; # mrakomaks kwork
+    deny all;
+
+    proxy_read_timeout 300;
+    proxy_connect_timeout 300;
+    proxy_send_timeout 300;
+
+    location / {
+        proxy_pass https://127.0.0.1:18080;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Forwarded-Protocol $scheme;
+    }
+
+}

nginx/conf.d/onlyoffice.conf

@@ -0,0 +1,55 @@
+upstream docservice {
+    server 127.0.0.1:3333;
+}
+
+map $http_host $this_host {
+    "" $host;
+    default $http_host;
+}
+
+map $http_x_forwarded_proto $the_scheme {
+    default $http_x_forwarded_proto;
+    "" $scheme;
+}
+
+map $http_x_forwarded_host $the_host {
+    default $http_x_forwarded_host;
+    "" $this_host;
+}
+
+map $http_upgrade $proxy_connection {
+    default upgrade;
+    "" close;
+}
+
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Forwarded-Host $the_host;
+proxy_set_header X-Forwarded-Proto $the_scheme;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+server {
+    listen 0.0.0.0:443 ssl;
+    server_name office.grenu4.ru;
+    server_tokens off;
+    root /var/www/html;
+
+    ssl_certificate /etc/letsencrypt/live/office.grenu4.ru/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/office.grenu4.ru/privkey.pem;
+    ssl_verify_client off;
+
+    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_session_cache builtin:1000 shared:OnSSL:10m;
+
+    ssl_prefer_server_ciphers on;
+
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Content-Type-Options nosniff;
+
+    location / {
+        proxy_pass http://docservice;
+        proxy_http_version 1.1;
+    }
+}