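########## APACHE #############
# TLS virtual host for the Nextcloud backend. It serves /var/www/nextcloud
# directly and reverse-proxies the LibreOffice Online (loolwsd) paths to the
# daemon listening on 192.168.4.111:9980.
<VirtualHost 192.168.4.111:443>
    # "always" attaches the headers to error responses as well.
    # includeSubDomains + preload extend the HSTS policy beyond this one host
    # name, so every subdomain has to be reachable over HTTPS.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Content-Type-Options nosniff
    SSLEngine on

    ### YOUR SERVER ADDRESS ###
    ServerAdmin daniel@techandme.se
    ServerName cloud.techandme.se

    ### SETTINGS ###
    DocumentRoot /var/www/nextcloud
    <Directory /var/www/nextcloud>
        # Indexes is left out: a directory without an index file must not be
        # rendered as a browsable listing.
        Options FollowSymLinks
        # Nextcloud ships its own .htaccess; AllowOverride All lets it apply.
        AllowOverride All
        # Apache 2.4 authorization syntax only. The 2.2-era "Satisfy Any" is
        # not mixed in: it depends on mod_access_compat and adds nothing to
        # "Require all granted".
        Require all granted
    </Directory>

    <IfModule mod_dav.c>
        Dav off
    </IfModule>

    <Directory "/var/ncdata">
        # just in case if .htaccess gets disabled
        Require all denied
    </Directory>

    ### SSL CONFIG ###
    # NOTE(review): the file names suggest a wildcard certificate. Its private
    # key covers every name the certificate does, so keep the key file readable
    # by root only.
    SSLCertificateFile /etc/ssl/techandme/techandme_wild.pem
    SSLCertificateKeyFile /etc/ssl/techandme/techandme_wild.key

    ### OFFICE ###
    # Encoded slashes need to be allowed
    # NOTE(review): "On" decodes %2F into "/" like any other escape, while
    # "NoDecode" accepts such URLs but leaves the sequence encoded. Confirm
    # which one the deployed Collabora/loolwsd version expects and prefer
    # NoDecode if it works.
    AllowEncodedSlashes On

    # Container uses a unique non-signed certificate
    # SSLProxyEngine is required in this scope for the https:// and wss://
    # proxy targets below, unless it is inherited from the main server config.
    SSLProxyEngine On
    # Backend certificate verification is switched off because the container
    # certificate is self-signed. Apache therefore cannot tell the real loolwsd
    # from another endpoint answering on that address. That is acceptable only
    # while the backend stays on this host or a trusted segment. To verify it
    # instead, trust the container certificate with SSLProxyCACertificateFile
    # and re-enable the checks.
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off

    # keep the host
    ProxyPreserveHost On

    # static html, js, images, etc. served from loolwsd
    # loleaflet is the client part of LibreOffice Online
    ProxyPass /loleaflet https://192.168.4.111:9980/loleaflet retry=0
    ProxyPassReverse /loleaflet https://192.168.4.111:9980/loleaflet

    # WOPI discovery URL
    ProxyPass /hosting/discovery https://192.168.4.111:9980/hosting/discovery retry=0
    ProxyPassReverse /hosting/discovery https://192.168.4.111:9980/hosting/discovery

    # Main websocket
    ProxyPassMatch "/lool/(.*)/ws$" wss://192.168.4.111:9980/lool/$1/ws

    # Admin Console websocket
    # NOTE(review): this publishes the loolwsd admin endpoint through the same
    # public vhost. If the console is only used from the LAN, wrap the path in
    # a <Location> with a restrictive Require.
    ProxyPass /lool/adminws wss://192.168.4.111:9980/lool/adminws

    # Download as, Fullscreen presentation and Image upload operations
    # Kept last: ProxyPass rules are matched in order, so the more specific
    # /lool rules above must come before this catch-all.
    ProxyPass /lool https://192.168.4.111:9980/lool
    ProxyPassReverse /lool https://192.168.4.111:9980/lool
</VirtualHost>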
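########## NGINX #############
# TLS front end for cloud.techandme.se. It terminates the connection arriving
# from Cloudflare, restores the client address from X-Forwarded-For and proxies
# to the Apache/Nextcloud backend and the Collabora daemon on 192.168.4.111.
server {
    listen 192.168.4.201:443 ssl http2;
    server_name cloud.techandme.se;

    error_page 404 500 502 503 504 /cloud-error.html;
    location = /cloud-error.html {
        root /usr/share/nginx/html;
        internal;
    }

    # Cloudflare addresses whose X-Forwarded-For is trusted by
    # ngx_http_realip_module. Only peers inside these ranges may set the client
    # address that ends up in $remote_addr, logs and the headers sent upstream.
    # NOTE(review): the list is hard-coded and has to follow the ranges
    # Cloudflare publishes. At least 199.27.128.0/21 and the 104.16.0.0/12
    # entry look different from the current list; verify before deploying.
    # An entry wider than Cloudflare's own space lets unrelated hosts in it
    # spoof the client IP. Restricting port 443 on the origin to the same
    # ranges at the firewall closes the direct-to-origin path as well.
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 199.27.128.0/21;
    real_ip_header X-Forwarded-For;
    # Walk X-Forwarded-For from the right and stop at the first address that is
    # not in a trusted range.
    real_ip_recursive on;

    # TLS is enabled by the "ssl" flag on listen. The separate "ssl on;"
    # directive is deprecated and rejected by current nginx releases.
    ssl_certificate /etc/nginx/ssl/techandme/techandme_wild.pem;
    ssl_certificate_key /etc/nginx/ssl/techandme/techandme_wild.key;
    # ssl_certificate /etc/letsencrypt/live/cloud.techandme.se/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/cloud.techandme.se/privkey.pem;
    ssl_dhparam /etc/nginx/sites-available/cloudflare_ip/cloud.techandme/cloud-dhparams.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer offered.
    # Add TLSv1.3 where the installed nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    # NOTE(review): OCSP stapling needs a "resolver" to look up the responder.
    # None is visible in this block; confirm one is set at http level.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Only use safe ciphers: forward-secret key exchange with AEAD (GCM).
    # 3DES, CBC-mode, static-RSA and CAMELLIA suites are not offered.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    # Add secure headers
    # "always" also sends the header on error responses generated here.
    # NOTE(review): the Apache backend sets the same header, so proxied
    # responses may carry it twice. proxy_hide_header can drop the upstream copy.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Backend addresses. The Collabora daemon gets its own variable: appending
    # ":9980" to a value that already ends in ":443" yields
    # "192.168.4.111:443:9980", which is not a valid host:port.
    # The proxy_pass targets below use https, but nginx does not verify the
    # upstream certificate unless proxy_ssl_verify is enabled. That is
    # acceptable only on a trusted segment. Otherwise pin the backend
    # certificate with proxy_ssl_trusted_certificate and turn verification on.
    set $upstream 192.168.4.111:443;
    set $collabora 192.168.4.111:9980;

    ## Collabora ##
    location ^~ /loleaflet {
        proxy_pass https://$collabora;
        proxy_set_header Host $http_host;
    }

    location ^~ /hosting/discovery {
        proxy_pass https://$collabora;
        proxy_set_header Host $http_host;
    }

    location ^~ /lool {
        proxy_pass https://$collabora;
        # nginx talks HTTP/1.0 to upstreams by default. The WebSocket Upgrade
        # handshake is an HTTP/1.1 mechanism.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }

    ## Spreed ME ##
    location /webrtc/ws {
        proxy_pass https://$upstream;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        # $remote_addr is the address restored by the realip settings above.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffering on;
        proxy_ignore_client_abort off;
        proxy_redirect off;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }

    ## Nextcloud ##
    location / {
        # proxy_pass_header acts on response headers coming back from the
        # backend. The client's Authorization request header is forwarded
        # without it.
        proxy_pass_header Authorization;
        proxy_pass https://$upstream;
        # $host is the normalized host name, not the raw client-sent header.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        # Stream large uploads and downloads instead of spooling them here.
        proxy_buffering off;
        proxy_request_buffering off;
        # 0 disables the request body size check in nginx. Any upload limit
        # has to be enforced by the backend.
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
        proxy_ssl_session_reuse off;
    }
}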
## Redirect ##
# Plain-HTTP listener: every request is answered with a permanent redirect to
# the HTTPS site. The target host is written out as a literal, so the Location
# header never depends on the Host header the client sent.
server {
    server_name cloud.techandme.se;
    listen 192.168.4.201:80;

    return 301 https://cloud.techandme.se$request_uri;
}