From 70ef42bf98c64d82f149bf8d5f7ee57d36f9209b Mon Sep 17 00:00:00 2001 From: James Ketrenos Date: Fri, 6 Oct 2023 14:15:42 -0700 Subject: [PATCH] webserver, webmail, and letsencrypt all seeem to be working 
Signed-off-by: James Ketrenos --- .dockerignore | 2 + .gitignore | 4 + Dockerfile | 20 + Dockerfile.cron | 20 + README.md | 14 + config/apache2/envvars | 47 ++ config/apache2/ports.conf | 15 + .../apache2/sites-available/000-default.conf | 41 ++ config/apache2/sites-available/ApacheAmpache | 51 ++ .../apache2/sites-available/default-ssl.conf | 172 +++++ .../default-ssl.conf.dpkg-dist | 134 ++++ config/apache2/sites-available/ketrenos.com | 11 + .../sites-available/ketrenos.com-le-ssl.conf | 34 + .../apache2/sites-available/ketrenos.com-ssl | 98 +++ .../apache2/sites-available/kiaoramassage.com | 43 ++ .../sites-available/misty-dog.ketrenos.com | 31 + .../apache2/sites-available/sketchitect.com | 43 ++ .../sites-enabled/ketrenos.com-ssl.conf | 1 + .../apache2/sites-enabled/ketrenos.com.conf | 1 + .../sites-enabled/kiaoramassage.com.conf | 1 + .../sites-enabled/sketchitect.com.conf | 1 + config/cron.d/letsencrypt | 10 + config/letsencrypt/.gitignore | 5 + ...updated-options-ssl-apache-conf-digest.txt | 1 + ....updated-options-ssl-nginx-conf-digest.txt | 1 + .../.updated-ssl-dhparams-pem-digest.txt | 1 + .../meta.json | 1 + .../private_key.json | 1 + .../regr.json | 1 + .../meta.json | 1 + .../private_key.json | 1 + .../regr.json | 1 + .../acme-v02.api.letsencrypt.org/directory | 1 + config/letsencrypt/cli.ini | 3 + config/letsencrypt/options-ssl-apache.conf | 26 + config/letsencrypt/options-ssl-nginx.conf | 13 + config/letsencrypt/ssl-dhparams.pem | 8 + config/nginx/sites-available/default | 662 ++++++++++++++++++ config/nginx/sites-enabled/default | 1 + docker-compose.yml | 53 ++ ketreweb.sh | 27 + 41 files changed, 1602 insertions(+) create mode 100644 .dockerignore create mode 100644 .gitignore create mode 100644 Dockerfile create mode 100644 Dockerfile.cron create mode 100644 README.md create mode 100644 config/apache2/envvars create mode 100644 config/apache2/ports.conf create mode 100644 config/apache2/sites-available/000-default.conf create mode 100644 
config/apache2/sites-available/ApacheAmpache create mode 100644 config/apache2/sites-available/default-ssl.conf create mode 100644 config/apache2/sites-available/default-ssl.conf.dpkg-dist create mode 100644 config/apache2/sites-available/ketrenos.com create mode 100644 config/apache2/sites-available/ketrenos.com-le-ssl.conf create mode 100644 config/apache2/sites-available/ketrenos.com-ssl create mode 100644 config/apache2/sites-available/kiaoramassage.com create mode 100644 config/apache2/sites-available/misty-dog.ketrenos.com create mode 100644 config/apache2/sites-available/sketchitect.com create mode 120000 config/apache2/sites-enabled/ketrenos.com-ssl.conf create mode 120000 config/apache2/sites-enabled/ketrenos.com.conf create mode 120000 config/apache2/sites-enabled/kiaoramassage.com.conf create mode 120000 config/apache2/sites-enabled/sketchitect.com.conf create mode 100644 config/cron.d/letsencrypt create mode 100644 config/letsencrypt/.gitignore create mode 100644 config/letsencrypt/.updated-options-ssl-apache-conf-digest.txt create mode 100644 config/letsencrypt/.updated-options-ssl-nginx-conf-digest.txt create mode 100644 config/letsencrypt/.updated-ssl-dhparams-pem-digest.txt create mode 100644 config/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/d519585e86c9d382b1cdee04e5e79080/meta.json create mode 100644 config/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/d519585e86c9d382b1cdee04e5e79080/private_key.json create mode 100644 config/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/d519585e86c9d382b1cdee04e5e79080/regr.json create mode 100644 config/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/25cdd460c4f828fec6b44768359c1e13/meta.json create mode 100644 config/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/25cdd460c4f828fec6b44768359c1e13/private_key.json create mode 100644 
config/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/25cdd460c4f828fec6b44768359c1e13/regr.json
create mode 120000 config/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
create mode 100644 config/letsencrypt/cli.ini
create mode 100644 config/letsencrypt/options-ssl-apache.conf
create mode 100644 config/letsencrypt/options-ssl-nginx.conf
create mode 100644 config/letsencrypt/ssl-dhparams.pem
create mode 100644 config/nginx/sites-available/default
create mode 120000 config/nginx/sites-enabled/default
create mode 100644 docker-compose.yml
create mode 100755 ketreweb.sh
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..d0813a0
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,2 @@
+www
+
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f614237
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+log
+www
+data
+keys
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..0448c29
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,20 @@
+FROM ubuntu:jammy
+
+RUN apt-get -q update \
+ && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
+ nginx \
+ apache2 \
+ nano \
+ php8.1 libapache2-mod-php \
+ net-tools \
+ inotify-tools \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log}
+
+RUN a2enmod php8.1 \
+ && a2enmod rewrite
+
+COPY /Dockerfile /Dockerfile
+COPY /ketreweb.sh /ketreweb.sh
+
+ENTRYPOINT [ "/ketreweb.sh" ]
diff --git a/Dockerfile.cron b/Dockerfile.cron
new file mode 100644
index 0000000..41c43b1
--- /dev/null
+++ b/Dockerfile.cron
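Review bot: The apt-list cleanup at the end of the first RUN is a no-op: `rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log}` runs under the default `/bin/sh` (dash on Ubuntu), which does no brace expansion, so it removes one literal path and the package lists stay in the layer; the loop in Dockerfile.cron ends the same way because `[[ -e … ]]` is a bash builtin that fails under dash and always falls into the `else true` branch. Both should simply read `&& rm -rf /var/lib/apt/lists/*`. Separately, the image ends with no `USER` and installs `nano` and `net-tools`, which add interactive tooling to a production web image, and a digest-pinned `FROM ubuntu:jammy@sha256:<digest-placeholder>` would make rebuilds reproducible.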
@@ -0,0 +1,20 @@
+FROM ubuntu:jammy
+
+RUN apt-get -q update \
+ && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
+ cron vim ssh rsync \
+ letsencrypt \
+ python3-certbot-apache \
+ python3-certbot-nginx \
+ && apt-get clean \
+ && for dir in apt dpkg cache log; do \
+ if [[ -e /var/lib/apt/lists/${dir} ]]; then \
+ rm -rf /var/lib/apt/lists/${dir}; \
+ else \
+ true ; \
+ fi ; \
+ done
+
+COPY /Dockerfile.cron /Dockerfile
+
+ENTRYPOINT [ "cron", "-f" ]
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3ec17ef
--- /dev/null
+++ b/README.md
@@ -0,0 +1,14 @@
+# ketreweb containers
+
+## ketreweb
+
+nginx and apache2
+monitors keys from ./config/letsencrypt and restarts nginx and apache if changed
+
+## ketreweb-roundcube
+
+default container for roundcube
+
+## ketreweb-cron
+
+Runs letsencrypt via cron
diff --git a/config/apache2/envvars b/config/apache2/envvars
new file mode 100644
index 0000000..91328ac
--- /dev/null
+++ b/config/apache2/envvars
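Review bot: `ssh` in the package list is the Debian/Ubuntu metapackage that depends on both openssh-client and openssh-server, while the cron jobs in config/cron.d/letsencrypt only need the client for their `scp`/`ssh` steps; installing the daemon into the cron image adds an unused network service and its PAM/setuid surface, so `openssh-client` is the narrower choice (and `vim` is a debugging convenience rather than a runtime need). `letsencrypt` is the transitional package name whose dependency actually provides `/usr/bin/certbot`; naming `certbot` directly makes the intent clear. The two certbot plugins (`python3-certbot-apache`, `python3-certbot-nginx`) are installed although the visible cron line renews with `--webroot`, which uses neither — if renewal configs under the ignored `renewal/` directory rely on them that is fine, but it is not evident from this commit.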
@@ -0,0 +1,47 @@
+# envvars - default environment variables for apache2ctl
+
+# this won't be correct after changing uid
+unset HOME
+
+# for supporting multiple apache2 instances
+if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then
+ SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}"
+else
+ SUFFIX=
+fi
+
+# Since there is no sane way to get the parsed apache2 config in scripts, some
+# settings are defined via environment variables and then used in apache2ctl,
+# /etc/init.d/apache2, /etc/logrotate.d/apache2, etc.
+export APACHE_RUN_USER=www-data
+export APACHE_RUN_GROUP=www-data
+# temporary state file location. This might be changed to /run in Wheezy+1
+export APACHE_PID_FILE=/var/run/apache2/apache2$SUFFIX.pid
+export APACHE_RUN_DIR=/var/run/apache2$SUFFIX
+export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX
+# Only /var/log/apache2 is handled by /etc/logrotate.d/apache2.
+export APACHE_LOG_DIR=/var/log/apache2$SUFFIX
+
+## The locale used by some modules like mod_dav
+export LANG=C
+## Uncomment the following line to use the system default locale instead:
+#. /etc/default/locale
+
+export LANG
+
+## The command to get the status for 'apache2ctl status'.
+## Some packages providing 'www-browser' need '--dump' instead of '-dump'.
+#export APACHE_LYNX='www-browser -dump'
+
+## If you need a higher file descriptor limit, uncomment and adjust the
+## following line (default is 8192):
+#APACHE_ULIMIT_MAX_FILES='ulimit -n 65536'
+
+## If you would like to pass arguments to the web server, add them below
+## to the APACHE_ARGUMENTS environment.
+#export APACHE_ARGUMENTS=''
+
+## Enable the debug mode for maintainer scripts.
+## This will produce a verbose output on package installations of web server modules and web application
+## installations which interact with Apache
+#export APACHE2_MAINTSCRIPT_DEBUG=1
diff --git a/config/apache2/ports.conf b/config/apache2/ports.conf
new file mode 100644
index 0000000..a4095cc
--- /dev/null
+++ b/config/apache2/ports.conf @@ -0,0 +1,15 @@ +# If you just change the port or add more ports here, you will likely also +# have to change the VirtualHost statement in +# /etc/apache2/sites-enabled/000-default.conf + +Listen 8000 + + + Listen 4430 + + + + Listen 4430 + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/config/apache2/sites-available/000-default.conf b/config/apache2/sites-available/000-default.conf new file mode 100644 index 0000000..38a6a39 --- /dev/null +++ b/config/apache2/sites-available/000-default.conf @@ -0,0 +1,41 @@ + + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/default + + Options FollowSymLinks + AllowOverride None + + + Options Indexes FollowSymLinks MultiViews + AllowOverride None + Order allow,deny + allow from all + + + ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + + AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Order allow,deny + Allow from all + + + ErrorLog ${APACHE_LOG_DIR}/error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + CustomLog ${APACHE_LOG_DIR}/access.log combined + + Alias /doc/ "/usr/share/doc/" + + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + Allow from 127.0.0.0/255.0.0.0 ::1/128 + + + diff --git a/config/apache2/sites-available/ApacheAmpache b/config/apache2/sites-available/ApacheAmpache new file mode 100644 index 0000000..6914e1b --- /dev/null +++ b/config/apache2/sites-available/ApacheAmpache 
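Review bot: `Options Indexes FollowSymLinks MultiViews` in the second Directory block of 000-default.conf enables automatic directory listings for any path under the DocumentRoot that lacks an index file, exposing file names (backups, uploads, editor leftovers) to any visitor; the `<Directory>` tags are stripped in this rendering, so the exact path is inferred from the stock Debian layout. Unless listings are wanted, drop the flag: `Options FollowSymLinks MultiViews`. The same line recurs in ApacheAmpache, default-ssl.conf, ketrenos.com-ssl, kiaoramassage.com and sketchitect.com. The `Order allow,deny` / `allow from all` pairs are Apache 2.2 syntax that on jammy's apache2 2.4 only work through mod_access_compat; `Require all granted` is the native 2.4 form. Only four sites-enabled links appear in the diffstat and 000-default.conf is not among them, so whether this vhost is actually active depends on how config/apache2 is mounted into the container.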
@@ -0,0 +1,51 @@ + + ServerAdmin webmaster@localhost + + DocumentRoot /var/www + + Options FollowSymLinks + AllowOverride None + + + Options Indexes FollowSymLinks MultiViews + AllowOverride None + Order allow,deny + allow from all + + + ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + + AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Order allow,deny + Allow from all + + + ErrorLog ${APACHE_LOG_DIR}/error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + CustomLog ${APACHE_LOG_DIR}/access.log combined + + Alias /doc/ "/usr/share/doc/" + + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + Allow from 127.0.0.0/255.0.0.0 ::1/128 + + + Alias /ampache /usr/share/ampache/www + + Options FollowSymLinks + AllowOverride All + + +RewriteEngine on +RewriteCond %{SERVER_NAME} =ketrenos.com [OR] +RewriteCond %{SERVER_NAME} =www.ketrenos.com +RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent] + diff --git a/config/apache2/sites-available/default-ssl.conf b/config/apache2/sites-available/default-ssl.conf new file mode 100644 index 0000000..17e5af7 --- /dev/null +++ b/config/apache2/sites-available/default-ssl.conf 
@@ -0,0 +1,172 @@ + + + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/default + + Options FollowSymLinks + AllowOverride None + + + Options Indexes FollowSymLinks MultiViews + AllowOverride None + Order allow,deny + allow from all + + + ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + + AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Order allow,deny + Allow from all + + + ErrorLog ${APACHE_LOG_DIR}/error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined + + Alias /doc/ "/usr/share/doc/" + + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + Allow from 127.0.0.0/255.0.0.0 ::1/128 + + + # SSL Engine Switch: + # Enable/Disable SSL for this virtual host. + SSLEngine on + + # A self-signed (snakeoil) certificate can be created by installing + # the ssl-cert package. See + # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. + # If both key and certificate are stored in the same file, only the + # SSLCertificateFile directive is needed. + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + + # Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the + # concatenation of PEM encoded CA certificates which form the + # certificate chain for the server certificate. Alternatively + # the referenced file can be the same as SSLCertificateFile + # when the CA certificates are directly appended to the server + # certificate for convinience. 
+ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt + + # Certificate Authority (CA): + # Set the CA certificate verification path where to find CA + # certificates for client authentication or alternatively one + # huge file containing all of them (file must be PEM encoded) + # Note: Inside SSLCACertificatePath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCACertificatePath /etc/ssl/certs/ + #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt + + # Certificate Revocation Lists (CRL): + # Set the CA revocation path where to find CA CRLs for client + # authentication or alternatively one huge file containing all + # of them (file must be PEM encoded) + # Note: Inside SSLCARevocationPath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCARevocationPath /etc/apache2/ssl.crl/ + #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl + + # Client Authentication (Type): + # Client certificate verification type and depth. Types are + # none, optional, require and optional_no_ca. Depth is a + # number which specifies how deeply to verify the certificate + # issuer chain before deciding the certificate is not valid. + #SSLVerifyClient require + #SSLVerifyDepth 10 + + # Access Control: + # With SSLRequire you can do per-directory access control based + # on arbitrary complex boolean expressions containing server + # variable checks and other lookup directives. The syntax is a + # mixture between C and Perl. See the mod_ssl documentation + # for more details. + # + #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ + # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." 
\ + # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ + # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ + # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ + # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ + # + + # SSL Engine Options: + # Set various options for the SSL engine. + # o FakeBasicAuth: + # Translate the client X.509 into a Basic Authorisation. This means that + # the standard Auth/DBMAuth methods can be used for access control. The + # user name is the `one line' version of the client's X.509 certificate. + # Note that no password is obtained from the user. Every entry in the user + # file needs this password: `xxj31ZMTZzkVA'. + # o ExportCertData: + # This exports two additional environment variables: SSL_CLIENT_CERT and + # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the + # server (always existing) and the client (only existing when client + # authentication is used). This can be used to import the certificates + # into CGI scripts. + # o StdEnvVars: + # This exports the standard SSL/TLS related `SSL_*' environment variables. + # Per default this exportation is switched off for performance reasons, + # because the extraction step is an expensive operation and is usually + # useless for serving static content. So one usually enables the + # exportation for CGI and SSI requests only. + # o StrictRequire: + # This denies access when "SSLRequireSSL" or "SSLRequire" applied even + # under a "Satisfy any" situation, i.e. when it applies access is denied + # and no other module can change it. + # o OptRenegotiate: + # This enables optimized SSL connection renegotiation handling when SSL + # directives are used in per-directory context. 
+ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + # SSL Protocol Adjustments: + # The safe and default but still SSL/TLS standard compliant shutdown + # approach is that mod_ssl sends the close notify alert but doesn't wait for + # the close notify alert from client. When you need a different shutdown + # approach you can use one of the following variables: + # o ssl-unclean-shutdown: + # This forces an unclean shutdown when the connection is closed, i.e. no + # SSL close notify alert is send or allowed to received. This violates + # the SSL/TLS standard but is needed for some brain-dead browsers. Use + # this when you receive I/O errors because of the standard approach where + # mod_ssl sends the close notify alert. + # o ssl-accurate-shutdown: + # This forces an accurate shutdown when the connection is closed, i.e. a + # SSL close notify alert is send and mod_ssl waits for the close notify + # alert of the client. This is 100% SSL/TLS standard compliant, but in + # practice often causes hanging connections with brain-dead browsers. Use + # this only for browsers where you know that their SSL implementation + # works correctly. + # Notice: Most problems of broken clients are also related to the HTTP + # keep-alive facility, so you usually additionally want to disable + # keep-alive for those clients, too. Use variable "nokeepalive" for this. + # Similarly, one has to force some clients to use HTTP/1.0 to workaround + # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and + # "force-response-1.0" for this. + BrowserMatch "MSIE [2-6]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + # MSIE 7 and newer should be able to use keepalive + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + + + 
diff --git a/config/apache2/sites-available/default-ssl.conf.dpkg-dist b/config/apache2/sites-available/default-ssl.conf.dpkg-dist new file mode 100644 index 0000000..7e37a9c --- /dev/null +++ b/config/apache2/sites-available/default-ssl.conf.dpkg-dist 
@@ -0,0 +1,134 @@ + + + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/html + + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + # For most configuration files from conf-available/, which are + # enabled or disabled at a global level, it is possible to + # include a line for only one particular virtual host. For example the + # following line enables the CGI configuration for this host only + # after it has been globally disabled with "a2disconf". + #Include conf-available/serve-cgi-bin.conf + + # SSL Engine Switch: + # Enable/Disable SSL for this virtual host. + SSLEngine on + + # A self-signed (snakeoil) certificate can be created by installing + # the ssl-cert package. See + # /usr/share/doc/apache2/README.Debian.gz for more info. + # If both key and certificate are stored in the same file, only the + # SSLCertificateFile directive is needed. + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + + # Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the + # concatenation of PEM encoded CA certificates which form the + # certificate chain for the server certificate. Alternatively + # the referenced file can be the same as SSLCertificateFile + # when the CA certificates are directly appended to the server + # certificate for convinience. 
+ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt + + # Certificate Authority (CA): + # Set the CA certificate verification path where to find CA + # certificates for client authentication or alternatively one + # huge file containing all of them (file must be PEM encoded) + # Note: Inside SSLCACertificatePath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCACertificatePath /etc/ssl/certs/ + #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt + + # Certificate Revocation Lists (CRL): + # Set the CA revocation path where to find CA CRLs for client + # authentication or alternatively one huge file containing all + # of them (file must be PEM encoded) + # Note: Inside SSLCARevocationPath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCARevocationPath /etc/apache2/ssl.crl/ + #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl + + # Client Authentication (Type): + # Client certificate verification type and depth. Types are + # none, optional, require and optional_no_ca. Depth is a + # number which specifies how deeply to verify the certificate + # issuer chain before deciding the certificate is not valid. + #SSLVerifyClient require + #SSLVerifyDepth 10 + + # SSL Engine Options: + # Set various options for the SSL engine. + # o FakeBasicAuth: + # Translate the client X.509 into a Basic Authorisation. This means that + # the standard Auth/DBMAuth methods can be used for access control. The + # user name is the `one line' version of the client's X.509 certificate. + # Note that no password is obtained from the user. Every entry in the user + # file needs this password: `xxj31ZMTZzkVA'. + # o ExportCertData: + # This exports two additional environment variables: SSL_CLIENT_CERT and + # SSL_SERVER_CERT. 
These contain the PEM-encoded certificates of the + # server (always existing) and the client (only existing when client + # authentication is used). This can be used to import the certificates + # into CGI scripts. + # o StdEnvVars: + # This exports the standard SSL/TLS related `SSL_*' environment variables. + # Per default this exportation is switched off for performance reasons, + # because the extraction step is an expensive operation and is usually + # useless for serving static content. So one usually enables the + # exportation for CGI and SSI requests only. + # o OptRenegotiate: + # This enables optimized SSL connection renegotiation handling when SSL + # directives are used in per-directory context. + #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + # SSL Protocol Adjustments: + # The safe and default but still SSL/TLS standard compliant shutdown + # approach is that mod_ssl sends the close notify alert but doesn't wait for + # the close notify alert from client. When you need a different shutdown + # approach you can use one of the following variables: + # o ssl-unclean-shutdown: + # This forces an unclean shutdown when the connection is closed, i.e. no + # SSL close notify alert is send or allowed to received. This violates + # the SSL/TLS standard but is needed for some brain-dead browsers. Use + # this when you receive I/O errors because of the standard approach where + # mod_ssl sends the close notify alert. + # o ssl-accurate-shutdown: + # This forces an accurate shutdown when the connection is closed, i.e. a + # SSL close notify alert is send and mod_ssl waits for the close notify + # alert of the client. This is 100% SSL/TLS standard compliant, but in + # practice often causes hanging connections with brain-dead browsers. Use + # this only for browsers where you know that their SSL implementation + # works correctly. 
+ # Notice: Most problems of broken clients are also related to the HTTP + # keep-alive facility, so you usually additionally want to disable + # keep-alive for those clients, too. Use variable "nokeepalive" for this. + # Similarly, one has to force some clients to use HTTP/1.0 to workaround + # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and + # "force-response-1.0" for this. + # BrowserMatch "MSIE [2-6]" \ + # nokeepalive ssl-unclean-shutdown \ + # downgrade-1.0 force-response-1.0 + + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/config/apache2/sites-available/ketrenos.com b/config/apache2/sites-available/ketrenos.com new file mode 100644 index 0000000..a7a0285 --- /dev/null +++ b/config/apache2/sites-available/ketrenos.com @@ -0,0 +1,11 @@ + + ServerName ketrenos.com + ServerAlias *.ketrenos.com + Redirect permanent / https://ketrenos.com/ + RewriteEngine On + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} +RewriteCond %{SERVER_NAME} =ketrenos.com [OR] +RewriteCond %{SERVER_NAME} =*.ketrenos.com +RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent] + diff --git a/config/apache2/sites-available/ketrenos.com-le-ssl.conf b/config/apache2/sites-available/ketrenos.com-le-ssl.conf new file mode 100644 index 0000000..ef372f8 --- /dev/null +++ b/config/apache2/sites-available/ketrenos.com-le-ssl.conf 
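Review bot: The ketrenos.com vhost stacks three overlapping redirect mechanisms — `Redirect permanent / https://ketrenos.com/`, a `RewriteCond %{HTTPS} off` rule, and a second RewriteCond/RewriteRule pair — and, as far as I can tell from mod_rewrite's hook ordering, the rewrite wins: an absolute URL in the substitution forces an external redirect, so clients receive a 302 whose Location echoes the request's Host header (`%{HTTP_HOST}`) instead of the intended permanent redirect to a fixed host. `RewriteCond %{SERVER_NAME} =*.ketrenos.com` is also a literal string comparison (`=`), so the `*` never matches a real hostname and that pair is dead. Keeping only `Redirect permanent / https://ketrenos.com/` and deleting the RewriteEngine/RewriteCond/RewriteRule lines yields a 301 to a fixed target and stops reflecting arbitrary Host values when this vhost is the default for port 80. The `<VirtualHost>` tags are stripped in this view.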
@@ -0,0 +1,34 @@ + +NameVirtualHost *:80 + + + ServerName ketrenos.com + ServerAlias *.ketrenos.com +# Redirect permanent / https://ketrenos.com/ +# RewriteEngine On +# Some rewrite rules in this file were disabled on your HTTPS site, +# because they have the potential to create redirection loops. +# RewriteCond %{HTTPS} off +# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} +Include /etc/letsencrypt/options-ssl-apache.conf +SSLCertificateFile /etc/letsencrypt/live/ketrenos.com/fullchain.pem +SSLCertificateKeyFile /etc/letsencrypt/live/ketrenos.com/privkey.pem +Include /etc/letsencrypt/options-ssl-apache.conf + + + + + ServerName ketrenos.com + ServerAlias *.ketrenos.com + Redirect permanent / https://ketrenos.com/ + RewriteEngine On +# Some rewrite rules in this file were disabled on your HTTPS site, +# because they have the potential to create redirection loops. + +# RewriteCond %{HTTPS} off +# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} +# RewriteCond %{SERVER_NAME} =ketrenos.com [OR] +# RewriteCond %{SERVER_NAME} =*.ketrenos.com +# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent] + + diff --git a/config/apache2/sites-available/ketrenos.com-ssl b/config/apache2/sites-available/ketrenos.com-ssl new file mode 100644 index 0000000..672b785 --- /dev/null +++ b/config/apache2/sites-available/ketrenos.com-ssl 
@@ -0,0 +1,98 @@ + + SSLPassPhraseDialog exec:/etc/apache2/ssl/passphrase + + ServerAdmin james_webmaster@ketrenos.com + ServerName ketrenos.com + ServerAlias www.ketrenos.com + + DocumentRoot /var/www/ketrenos.com + + Options FollowSymLinks + AllowOverride None + + + Options Indexes FollowSymLinks MultiViews + AllowOverride all + Order allow,deny + allow from all + + +# ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ +# +# AllowOverride None +# Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch +# Order allow,deny +# Allow from all +# + + ErrorLog ${APACHE_LOG_DIR}/error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined + + Alias /doc/ "/usr/share/doc/" + + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + Allow from 127.0.0.0/255.0.0.0 ::1/128 + + + # SSL Engine Switch: + # Enable/Disable SSL for this virtual host. + SSLEngine on + + SSLProtocol all -SSLv2 -SSLv3 + SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL + + + Include /etc/letsencrypt/options-ssl-apache.conf + + + CustomLog /var/log/apache2/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + # SSL Protocol Adjustments: + # The safe and default but still SSL/TLS standard compliant shutdown + # approach is that mod_ssl sends the close notify alert but doesn't wait for + # the close notify alert from client. When you need a different shutdown + # approach you can use one of the following variables: + # o ssl-unclean-shutdown: + # This forces an unclean shutdown when the connection is closed, i.e. no + # SSL close notify alert is send or allowed to received. This violates + # the SSL/TLS standard but is needed for some brain-dead browsers. 
Use + # this when you receive I/O errors because of the standard approach where + # mod_ssl sends the close notify alert. + # o ssl-accurate-shutdown: + # This forces an accurate shutdown when the connection is closed, i.e. a + # SSL close notify alert is send and mod_ssl waits for the close notify + # alert of the client. This is 100% SSL/TLS standard compliant, but in + # practice often causes hanging connections with brain-dead browsers. Use + # this only for browsers where you know that their SSL implementation + # works correctly. + # Notice: Most problems of broken clients are also related to the HTTP + # keep-alive facility, so you usually additionally want to disable + # keep-alive for those clients, too. Use variable "nokeepalive" for this. + # Similarly, one has to force some clients to use HTTP/1.0 to workaround + # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and + # "force-response-1.0" for this. + BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 + # MSIE 7 and newer should be able to use keepalive + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + + Include /etc/letsencrypt/options-ssl-apache.conf + SSLCertificateFile /etc/letsencrypt/live/ketrenos.com/fullchain.pem +SSLCertificateKeyFile /etc/letsencrypt/live/ketrenos.com/privkey.pem +Include /etc/letsencrypt/options-ssl-apache.conf + + diff --git a/config/apache2/sites-available/kiaoramassage.com b/config/apache2/sites-available/kiaoramassage.com new file mode 100644 index 0000000..a47d69e --- /dev/null +++ b/config/apache2/sites-available/kiaoramassage.com 
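Review bot: The TLS policy in ketrenos.com-ssl is set twice: a local `SSLProtocol all -SSLv2 -SSLv3` plus `SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL` (which still admits TLS 1.0/1.1 and MEDIUM ciphers), followed by `Include /etc/letsencrypt/options-ssl-apache.conf` three times. Because the later directive wins, certbot's include currently overrides the weaker local lines, but only while an Include stays last; removing the two local directives and keeping a single Include makes the effective policy explicit rather than accidental. `SSLPassPhraseDialog exec:/etc/apache2/ssl/passphrase` references a script that is not part of this commit, and certbot-issued privkey.pem files are not passphrase-protected, so the directive appears unused and should be deleted rather than shipped as a dangling reference. `AllowOverride all` on the DocumentRoot lets any .htaccess under /var/www/ketrenos.com re-enable options the vhost turns off — acceptable if the PHP app needs it, but worth confirming.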
@@ -0,0 +1,43 @@ + + ServerName kiaoramassage.com + ServerAdmin george_webmaster@kiaoramassage.com + ServerAlias *.kiaoramassage.com + + DocumentRoot /var/www/kiaoramassage.com + + Options FollowSymLinks + AllowOverride None + + + Options Indexes FollowSymLinks MultiViews + AllowOverride None + Order allow,deny + allow from all + + +# ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ +# +# AllowOverride None +# Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch +# Order allow,deny +# Allow from all +# + + ErrorLog ${APACHE_LOG_DIR}/error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + CustomLog ${APACHE_LOG_DIR}/access.log combined + + Alias /doc/ "/usr/share/doc/" + + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + Allow from 127.0.0.0/255.0.0.0 ::1/128 + + + diff --git a/config/apache2/sites-available/misty-dog.ketrenos.com b/config/apache2/sites-available/misty-dog.ketrenos.com new file mode 100644 index 0000000..58293a6 --- /dev/null +++ b/config/apache2/sites-available/misty-dog.ketrenos.com 
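Review bot: This kiaoramassage.com vhost carries no `SSLEngine` or certificate directives and no redirect, and no companion TLS vhost for the domain appears anywhere in the diffstat, so as far as the commit shows the site is served over plain HTTP only; sketchitect.com is configured identically. If that is deliberate for now, a one-line comment at the top saying so (`# plain HTTP until a certificate is issued for this domain`) would stop the next reader from assuming an omission. Otherwise the ketrenos.com pair — a :80 vhost that only redirects, plus a :443 vhost that includes `/etc/letsencrypt/options-ssl-apache.conf` — is the template to follow once the cron renewal also covers these names. The `<VirtualHost>` tags are stripped in this rendering, so the listening port is inferred.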
@@ -0,0 +1,31 @@ + + ServerAdmin james_webmaster@ketrenos.com + ServerName misty-dog.ketrenos.com + ServerAlias misty-dog.ketrenos.com + + DocumentRoot /home/marina/misty-dog/ + + + ProxyPass http://192.168.1.78:11011/ + ProxyPassReverse http://192.168.1.78:11011/ + + + ErrorLog ${APACHE_LOG_DIR}/error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + SSLEngine on + SSLProtocol all -SSLv2 -SSLv3 + SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL + + CustomLog /var/log/apache2/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 + # MSIE 7 and newer should be able to use keepalive + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + + SSLCertificateFile /etc/letsencrypt/live/ketrenos.com/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/ketrenos.com/privkey.pem + Include /etc/letsencrypt/options-ssl-apache.conf + diff --git a/config/apache2/sites-available/sketchitect.com b/config/apache2/sites-available/sketchitect.com new file mode 100644 index 0000000..9d72450 --- /dev/null +++ b/config/apache2/sites-available/sketchitect.com 
@@ -0,0 +1,43 @@ + + ServerName sketchitect.com + ServerAdmin christopher_webmaster@sketchitect.com + ServerAlias *.sketchitect.com + + DocumentRoot /var/www/sketchitect.com + + Options FollowSymLinks + AllowOverride None + + + Options Indexes FollowSymLinks MultiViews + AllowOverride None + Order allow,deny + allow from all + + +# ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ +# +# AllowOverride None +# Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch +# Order allow,deny +# Allow from all +# + + ErrorLog ${APACHE_LOG_DIR}/error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + CustomLog ${APACHE_LOG_DIR}/access.log combined + + Alias /doc/ "/usr/share/doc/" + + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + Allow from 127.0.0.0/255.0.0.0 ::1/128 + + + diff --git a/config/apache2/sites-enabled/ketrenos.com-ssl.conf b/config/apache2/sites-enabled/ketrenos.com-ssl.conf new file mode 120000 index 0000000..7e617de --- /dev/null +++ b/config/apache2/sites-enabled/ketrenos.com-ssl.conf @@ -0,0 +1 @@ +../sites-available/ketrenos.com-ssl \ No newline at end of file diff --git a/config/apache2/sites-enabled/ketrenos.com.conf b/config/apache2/sites-enabled/ketrenos.com.conf new file mode 120000 index 0000000..ed74cb9 --- /dev/null +++ b/config/apache2/sites-enabled/ketrenos.com.conf @@ -0,0 +1 @@ +../sites-available/ketrenos.com \ No newline at end of file diff --git a/config/apache2/sites-enabled/kiaoramassage.com.conf b/config/apache2/sites-enabled/kiaoramassage.com.conf new file mode 120000 index 0000000..e16f916 --- /dev/null +++ b/config/apache2/sites-enabled/kiaoramassage.com.conf @@ -0,0 +1 @@ +../sites-available/kiaoramassage.com \ No newline at end of file diff --git a/config/apache2/sites-enabled/sketchitect.com.conf b/config/apache2/sites-enabled/sketchitect.com.conf new file mode 120000 index 0000000..2493d51 --- /dev/null 
+++ b/config/apache2/sites-enabled/sketchitect.com.conf
@@ -0,0 +1 @@
+../sites-available/sketchitect.com
\ No newline at end of file
diff --git a/config/cron.d/letsencrypt b/config/cron.d/letsencrypt
new file mode 100644
index 0000000..30e63b9
--- /dev/null
+++ b/config/cron.d/letsencrypt
@@ -0,0 +1,10 @@
+# at 1:45am, and keeps it open for 10 minutes
+47 6 * * * /usr/bin/certbot renew --quiet --no-self-upgrade --webroot -w /var/www/ketrenos.com
+#50 6 * * * /usr/bin/rsync -aprl --delete /etc/letsencrypt/ /home/jketreno/letsencrypt/ > /dev/null
+#50 7 * * * /usr/bin/rsync -aprl --delete /etc/letsencrypt/ media:/home/jketreno/letsencrypt/ > /dev/null
+#51 6 * * * /bin/chown -R jketreno: /home/jketreno/letsencrypt
+#52 6 * * * /usr/sbin/service nginx restart
+#53 6 * * * /usr/sbin/service apache2 restart
+54 6 * * * /usr/bin/scp -q -i /keys/opnsense-letsencrypt /etc/letsencrypt/live/ketrenos.com/{fullchain,privkey}.pem letsencrypt@opnsense.ketrenos.com:.
+55 6 * * * /usr/bin/ssh -i /keys/opnsense-letsencrypt letsencrypt@opnsense.ketrenos.com sudo ./update-cert.sh fullchain.pem privkey.pem
+
diff --git a/config/letsencrypt/.gitignore b/config/letsencrypt/.gitignore
new file mode 100644
index 0000000..78bf160
--- /dev/null
+++ b/config/letsencrypt/.gitignore
@@ -0,0 +1,5 @@
+archive
+live
+keys
+csr
+renewal
diff --git a/config/letsencrypt/.updated-options-ssl-apache-conf-digest.txt b/config/letsencrypt/.updated-options-ssl-apache-conf-digest.txt
new file mode 100644
index 0000000..5e65f80
--- /dev/null
+++ b/config/letsencrypt/.updated-options-ssl-apache-conf-digest.txt
@@ -0,0 +1 @@
+c0c022ea6b8a51ecc8f1003d0a04af6c3f2bc1c3ce506b3c2dfc1f11ef931082
\ No newline at end of file
diff --git a/config/letsencrypt/.updated-options-ssl-nginx-conf-digest.txt b/config/letsencrypt/.updated-options-ssl-nginx-conf-digest.txt
new file mode 100644
index 0000000..1ca9f28
--- /dev/null
+++ b/config/letsencrypt/.updated-options-ssl-nginx-conf-digest.txt
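Review bot: The `54 6` and `55 6` jobs copy the live private key to opnsense.ketrenos.com and then run `sudo ./update-cert.sh` over SSH with no host-key pinning visible, so a first connection or a DNS change for that name would deliver privkey.pem to whatever host answers; add `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/keys/known_hosts` (path is a placeholder) to both commands, and on the receiving side restrict the deployed key with a forced `command=` entry and a sudoers rule scoped to that script. The leading comment `# at 1:45am, and keeps it open for 10 minutes` matches neither the `47 6` schedule nor anything else in the file; replace it with something like `# 06:47 daily: renew via the ketrenos.com webroot, then push the new certificate to the firewall`. Whether `--no-self-upgrade` is still accepted depends on the certbot version installed by Dockerfile.cron, which is outside this hunk. Consider moving the push into a `--deploy-hook` so it runs only when a certificate actually changed.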
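Review bot: The ignore list omits `accounts`, which is why the ACME account directories, including their private_key.json files, are committed later in this same change; add a sixth entry so the file reads `archive`, `live`, `keys`, `csr`, `renewal`, `accounts`. Ignoring the directory does not remove what is already committed, so the accounts hunks below still need to be purged from history. The `.updated-*-digest.txt` files are rewritten by certbot and could be ignored as well, though keeping them is harmless.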
@@ -0,0 +1 @@
+4b16fec2bcbcd8a2f3296d886f17f9953ffdcc0af54582452ca1e52f5f776f16
\ No newline at end of file
diff --git a/config/letsencrypt/.updated-ssl-dhparams-pem-digest.txt b/config/letsencrypt/.updated-ssl-dhparams-pem-digest.txt
new file mode 100644
index 0000000..42a8ee2
--- /dev/null
+++ b/config/letsencrypt/.updated-ssl-dhparams-pem-digest.txt
@@ -0,0 +1 @@
+9ba6429597aeed2d8617a7705b56e96d044f64b07971659382e426675105654b
\ No newline at end of file
diff --git a/config/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/d519585e86c9d382b1cdee04e5e79080/meta.json b/config/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/d519585e86c9d382b1cdee04e5e79080/meta.json
new file mode 100644
index 0000000..62b3e2e
--- /dev/null
+++ b/config/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/d519585e86c9d382b1cdee04e5e79080/meta.json
@@ -0,0 +1 @@
+{"creation_host": "webserver.ketrenos.net", "creation_dt": "2017-02-19T01:37:32Z"}
\ No newline at end of file
diff --git a/config/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/d519585e86c9d382b1cdee04e5e79080/private_key.json b/config/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/d519585e86c9d382b1cdee04e5e79080/private_key.json
new file mode 100644
index 0000000..29efb6b
--- /dev/null
+++ b/config/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/d519585e86c9d382b1cdee04e5e79080/private_key.json
@@ -0,0 +1 @@ +{"e": "AQAB", "d": "iXql6y2p6w9My0NnJ1irdCHWGdJNSZjHMPuOQmyKGgdil3_hM1t_N9zhdeZSJ1_Z454yV6ZouSbNZZqkxhP6k3Ps8UwupQXsJ7WVCBWMlPfWt8uS5pHiv_0rnbZK26lv6sQ9iEzv1zjwjjx5R25I8GuyPkEdU7k4q9cnQMHunVnwmfw6Kwc1IAG81LXRa3GNjqEHqpXs1pBfZ9XWGc6TtJL4Q2jvIeroTvZOn_Y0a-jgMxtWbzAFoiyYWN4xLGHGK4VTJD_Mg_RnZOhYIAVwmQ8UyWgtkmg9pYV4uyeN1-1OJWWnBhwYJh0HMMMW27c0mAcwokUVCrKmAUsvbSuSEQ", "n": "owFqGNKgO9ghsSLeHp9aqP_HXWGxML3uWl0NUezYvwu9MMMnq267Xi1DzvFDTZrffm4p_PvXuQGwOrotfAGrnKhBA1SioDbqi5nCUQaSDR5Hc-F7WJXOc7GdeWGWd5FE0LtfSli4nHkohYVWfNgM9k384M8GXhYVriIe2F6NoIt-sMawJBhTlyYPea_CsUHwph-IVv75DE7D5791vtmIMgCsPUvjiery7yznHnUzl3Zi1oy7ant3kJe-1vqeXeeWi6XkgCM03dZ9cJU15reHwSJCM3P9fqSUNVSduYJ1RojmWZr0Eal_bEyboKhCRJxRrwXvZGg2KLPXWsUeFvugPw", "q": "wv5O29wzQhTN7SFk3EyEzv_CaGlNpWHRm16juMIqE-fjYQBw1EAlz_mLlX8rxifA74QhRiZtT1UNv-r0y7xsi_n3oyQ4azV0RJihQJAMp9ZAr9nTtEYCumNIfCBKF6MApuTMee4ZFta6iw15xXkjTYgabuHAWpPq-3_KIL7ThKM", "p": "1gEWju7ASNciHjiG5T0zNfjPfjCjS88I7VNsgIxJIPbIJ3_gd34Kab9dbsDAACuOKBRCHqLn3p55ukbaSWgoOl5--WNQWjUHKTq79YWpEMb4XlYeyRfs9r2SM7IGZ_XKhh66GL_aQsM__TBFRE4_JjAJIY71TJSz4l4VJ3O6U7U", "kty": "RSA", "qi": "bbh-F64j-Xs4AHfETb9hG_koXWsf40AqcIdqvA3-FunRl6hBVPpTtJPkdaj78ZlcEIP-1FGme10mNxKYucbeNZci7gyuDbfWPojjTXjUzomjXjs8CqCycnBU6CYmnZikJvIfHNdmmHjxYFmmNcsEI6gKlkh1ZUPd3vevMg8a-18", "dp": "EIeI_IVIaNflFLx8_tvZRsPvEuoi0sotAFe_O7aaN2eYUiS4a8Jaf4x-ZP2SVvEGS-Y0rTUb_7_x2wd5-M2IvelqmUyoei86XF7jAbXPNzKHIJI6UoH8lZpS3pdTk1gSyoU5DoxTCXEXUjEWSI5aplJzghoOrFmYA1YNAD0aGTk", "dq": "hWeBQjALrYkYPcTcAVAkiI44TkDFC4G56sc70bqdGRNL3-ByUPQ2Kmx7D-N6ak5mVDecoCbIID97cbLomb6msLlqr-Wm58ohapDVuZsT3Xvas7SefzZqxWQJgkqBBlzRpFzifATmi1aLN3kXt3-iJHgaRYQTmqSaXkhWXELR6Ws"} \ No newline at end of file diff --git a/config/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/d519585e86c9d382b1cdee04e5e79080/regr.json b/config/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/d519585e86c9d382b1cdee04e5e79080/regr.json new file mode 100644 index 0000000..22f35ac --- /dev/null 
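Review bot: This file is the full private key of a Let's Encrypt ACME account (the JWK carries `d`, `p`, `q`, `dp`, `dq` and `qi`, not just the public `n`/`e`), and the production account key in the acme-v01 private_key.json hunk two hunks below is committed the same way. Treat both as compromised: deactivate each account with `certbot unregister --server <ACME-directory-URL>` (placeholder URL) and register fresh ones, then rewrite git history to drop the files, since deleting them in a later commit leaves them in every clone. The acme-v02 `directory` symlink later in this commit points the v2 endpoint at the same acme-v01 account directory, so the production rotation covers current renewals as well. Mount `accounts/` from a volume or secret at runtime rather than shipping it in the repository.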
+++ b/config/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/d519585e86c9d382b1cdee04e5e79080/regr.json @@ -0,0 +1 @@ +{"body": {"agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf", "key": {"e": "AQAB", "kty": "RSA", "n": "owFqGNKgO9ghsSLeHp9aqP_HXWGxML3uWl0NUezYvwu9MMMnq267Xi1DzvFDTZrffm4p_PvXuQGwOrotfAGrnKhBA1SioDbqi5nCUQaSDR5Hc-F7WJXOc7GdeWGWd5FE0LtfSli4nHkohYVWfNgM9k384M8GXhYVriIe2F6NoIt-sMawJBhTlyYPea_CsUHwph-IVv75DE7D5791vtmIMgCsPUvjiery7yznHnUzl3Zi1oy7ant3kJe-1vqeXeeWi6XkgCM03dZ9cJU15reHwSJCM3P9fqSUNVSduYJ1RojmWZr0Eal_bEyboKhCRJxRrwXvZGg2KLPXWsUeFvugPw"}}, "uri": "https://acme-staging.api.letsencrypt.org/acme/reg/925336", "new_authzr_uri": "https://acme-staging.api.letsencrypt.org/acme/new-authz", "terms_of_service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"} \ No newline at end of file diff --git a/config/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/25cdd460c4f828fec6b44768359c1e13/meta.json b/config/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/25cdd460c4f828fec6b44768359c1e13/meta.json new file mode 100644 index 0000000..a86c30f --- /dev/null +++ b/config/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/25cdd460c4f828fec6b44768359c1e13/meta.json @@ -0,0 +1 @@ +{"creation_host": "webserver.ketrenos.net", "creation_dt": "2017-02-19T01:35:29Z"} \ No newline at end of file diff --git a/config/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/25cdd460c4f828fec6b44768359c1e13/private_key.json b/config/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/25cdd460c4f828fec6b44768359c1e13/private_key.json new file mode 100644 index 0000000..096e2d4 --- /dev/null +++ b/config/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/25cdd460c4f828fec6b44768359c1e13/private_key.json 
@@ -0,0 +1 @@ +{"e": "AQAB", "d": "tj1Z63cSgC7JJEBbtPQh8rb5j6h1rLbzNc_iVWYtZFRHXOxrX4p5cqLnAaAypiqCME27o_Ow-CHajojB32xrtWUdp5PH423wrk66qk7mWHbm-j6KPXv5EySWurk_j2XDef-paIzwV_3N3NoxoOp3PHwSqpqAJ6vTfIO8Z_daIy37f5r1bQ6BU7R-OpLXqAtCnakmyfBeFOnBKh-IfNK5eKS8UbraVp86o4CPLm1jxX2WBO753GbM08gSCgIjUEA_5Wlu2sSuO6MUxzSYkfICdStRXe5_ppgrUDngZudJtPgWLgEqmI5X4V3NzqrPIRirwHjtGGx4RuyNjnNhDc738Q", "n": "5vcVs9XKhSC0iItysmOH-OAvFU_5Nq6vqR9fY67DxMeG7y6INdoNvQpAO0jKNrChAdONplJaSbpwDbg6dRzVOJWaJmTcVkSlO23N0OhnXXz5kynwWKqH46vKMY4oWbsmyWVKhbUP-GMATiPxlFhMq2fk0xlV_2BKLmw7_-tqfCOeGGPHPf8FH5Sx7DXbOPBDcTPLNGZn57Y7tm8v2nRiMf8LZxY2qNPQfmiNVtTE6O6aYrhM9o7nhDHdlHGw8BMZcM-VgZwdBekNYZCcDxwNeo0Q21wvzNaWPGiJoBNX1BS2K5xSgHEt5LLczGidwN6gkz3OJMDQ97VYL-SAGU4baw", "q": "63JY7idodcSXI0Lqs3FE-H58RMDtEmxBv4YWsZuISFAy1g7ZyCnDHJ7YeO4G69BYatc_tokOEsFBou51quWjzvPX6ANYSiQxE9IV0Z5ozSRAObso11XrIgMy2-RXUQFv24UpawT9iu_EPHWL6u_Zf5JRooUWEHH7VMgUgNbLl8k", "p": "-yCWR_8J23rItwm5zMnltNtDHB3sCfv-M0Rqt9vnikdGHKYZHSBHRtKwtzCY4rh4G71oXZQHybvPX3cs_kV3vauXLK2H0K6ctbsjFlSCN_rI3qoPcimfQomSWcCqs5ZXgqIYdr-uWTB_y-1K62HlJhthTbOrZuy0ZuM7JSul25M", "kty": "RSA", "qi": "RHbb1Koh0wCo8S9aQ-uGBm2spj8HGy7LrRmQHnZzYZijItNo4aMiDsdwLHr_ZSHOLt-TQX9LFFPF66QGHmBAcQWsmyCCSriWjunM0ksNH6IhUz_vqDjuPAlAg6Q5xEMcPCcSFUzTuwoBjlCLscPiZw75NTMLNfdlKxkeIknofJo", "dp": "gLE9cl3XfltY2rwoNDNO_TTUGmeXG7LAnSM1kU0nReyqmGniOtPc0wWLvAUyhBVGr-iLwFDpAM-3QNQBAbk12MRDb4jqLd4dvt_M5leed_OT1s_NpJKB5AY-MrKSh__GjtJkuQ4X2esJwsay-xcq6DFl1vz5HIC3HnbaS30nvPM", "dq": "ld1D89sLp6KJnT0zzSI1B4LjMJQokohr1S_RdB2OwpChuxTa1IiYk7gcC-VebG1CSkdWW6ajWZa_Y6krJqti-BDIBftTEGY3Aum_T5zoEmOXqeeSmHYs44prrgGK_pnOjEkXUvJrPCtfmigr9k_S_luxMKRLpg4XLyDnxBZ0otk"} \ No newline at end of file diff --git a/config/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/25cdd460c4f828fec6b44768359c1e13/regr.json b/config/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/25cdd460c4f828fec6b44768359c1e13/regr.json new file mode 100644 index 0000000..f5549d5 --- /dev/null 
+++ b/config/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/25cdd460c4f828fec6b44768359c1e13/regr.json @@ -0,0 +1 @@ +{"body": {"contact": ["mailto:james_letsencrypt@ketrenos.com"], "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf", "key": {"e": "AQAB", "kty": "RSA", "n": "5vcVs9XKhSC0iItysmOH-OAvFU_5Nq6vqR9fY67DxMeG7y6INdoNvQpAO0jKNrChAdONplJaSbpwDbg6dRzVOJWaJmTcVkSlO23N0OhnXXz5kynwWKqH46vKMY4oWbsmyWVKhbUP-GMATiPxlFhMq2fk0xlV_2BKLmw7_-tqfCOeGGPHPf8FH5Sx7DXbOPBDcTPLNGZn57Y7tm8v2nRiMf8LZxY2qNPQfmiNVtTE6O6aYrhM9o7nhDHdlHGw8BMZcM-VgZwdBekNYZCcDxwNeo0Q21wvzNaWPGiJoBNX1BS2K5xSgHEt5LLczGidwN6gkz3OJMDQ97VYL-SAGU4baw"}}, "uri": "https://acme-v01.api.letsencrypt.org/acme/reg/9766723", "new_authzr_uri": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "terms_of_service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"} \ No newline at end of file diff --git a/config/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory b/config/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory new file mode 120000 index 0000000..3608227 --- /dev/null +++ b/config/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory @@ -0,0 +1 @@ +/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory \ No newline at end of file diff --git a/config/letsencrypt/cli.ini b/config/letsencrypt/cli.ini new file mode 100644 index 0000000..05a8e4f --- /dev/null +++ b/config/letsencrypt/cli.ini @@ -0,0 +1,3 @@ +# Because we are using logrotate for greater flexibility, disable the +# internal certbot logrotation. +max-log-backups = 0 \ No newline at end of file diff --git a/config/letsencrypt/options-ssl-apache.conf b/config/letsencrypt/options-ssl-apache.conf new file mode 100644 index 0000000..8113ee8 --- /dev/null +++ b/config/letsencrypt/options-ssl-apache.conf 
@@ -0,0 +1,26 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+SSLEngine on
+
+# Intermediate configuration, tweak to your needs
+SSLProtocol all -SSLv2 -SSLv3
+SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+SSLHonorCipherOrder on
+SSLCompression off
+
+SSLOptions +StrictRequire
+
+# Add vhost name to log entries:
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
+LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
+
+#CustomLog /var/log/apache2/access.log vhost_combined
+#LogLevel warn
+#ErrorLog /var/log/apache2/error.log
+
+# Always ensure Cookies have "Secure" set (JAH 2012/1)
+#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
diff --git a/config/letsencrypt/options-ssl-nginx.conf b/config/letsencrypt/options-ssl-nginx.conf
new file mode 100644
index 0000000..292d429
--- /dev/null
+++ b/config/letsencrypt/options-ssl-nginx.conf
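Review bot: The TLS parameters in this certbot-managed file are stale — `SSLProtocol all -SSLv2 -SSLv3` still permits TLS 1.0 and 1.1, and the cipher list carries the 3DES suites `ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA` and `DES-CBC3-SHA` — while the local additions below `SSLOptions +StrictRequire` (the two `LogFormat` lines and the commented `Header edit Set-Cookie`) appear to be hand edits that, as the file's own header says, stop certbot from refreshing it. Move the `LogFormat` lines into a conf.d snippet or the vhost files and let certbot regenerate this file; if it must stay hand-managed, change the protocol line to `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` and drop the four 3DES suites. The `.updated-options-ssl-apache-conf-digest.txt` committed earlier is how certbot detects such edits, so it has to stay in step with this content.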
@@ -0,0 +1,13 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_session_cache shared:le_nginx_SSL:1m;
+ssl_session_timeout 1440m;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
diff --git a/config/letsencrypt/ssl-dhparams.pem b/config/letsencrypt/ssl-dhparams.pem
new file mode 100644
index 0000000..9b182b7
--- /dev/null
+++ b/config/letsencrypt/ssl-dhparams.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
diff --git a/config/nginx/sites-available/default b/config/nginx/sites-available/default
new file mode 100644
index 0000000..e6f256d
--- /dev/null
+++ b/config/nginx/sites-available/default
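Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps the deprecated TLS 1.0 and 1.1 enabled and omits TLS 1.3; change it to `ssl_protocols TLSv1.2 TLSv1.3;` and remove the `DES-CBC3-SHA` entries from `ssl_ciphers`, or let certbot regenerate the file, which also refreshes the digest committed earlier. Note that the nginx site configuration later in this commit never includes this file, so unless some configuration outside the diff does, these settings have no effect and the `listen 443 ssl` blocks run on nginx's compiled-in defaults. The ssl-dhparams.pem hunk below appears to be the standard 2048-bit group certbot ships and is fine to keep, but it is likewise not referenced by any `ssl_dhparam` directive in the nginx config.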
@@ -0,0 +1,662 @@ +# Default server configuration +# +server { + listen 80 default_server; + listen [::]:80 default_server; + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl; + root /var/www/html; + + client_max_body_size 5g; + server_name ketrenos.com; + + ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem; + + location /keys { + auth_basic "Restricted"; + auth_basic_user_file /var/www/ketrenos.com/keys/.htpasswd; + } + + location /fsm { + alias /var/www/ketrenos.com/fsm; + autoindex on; + } + + location /files { + alias /var/www/ketrenos.com/files; + autoindex on; + } + + location /funeral { + alias /var/www/ketrenos.com/funeral; + autoindex on; + } + + location /tfm/ { + proxy_pass http://192.168.1.78:4205/; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + + location /shell/ { + proxy_pass https://192.168.1.78:4200/shell/; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + + location /opnsense/ { + proxy_pass https://192.168.1.10/; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header 
Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + + + location /valheim { + alias /var/www/ketrenos.com/valheim; + index index.html; + } + + location ~* ^(/.well-known) { + root /var/www/ketrenos.com; + } + + rewrite ^/ketr.ketran/games/(.*)$ /ketr.ketran/$1 permanent; + + location /ketr.ketran { + root /var/www/ketrenos.com; + index unresolvable-file-html.html; + try_files $uri @index; + } + + # This seperate location is so the no cache policy only applies to the index and nothing else. + location @index { + root /var/www/ketrenos.com/ketr.ketran; + add_header Cache-Control no-cache; + expires 0; + try_files /index.html =404; + } + + rewrite ^/ketr.test/games/(.*)$ /ketr.test/$1 permanent; + + location /ketr.test { + root /var/www/ketrenos.com; + index unresolvable-file-html.html; + try_files $uri @indextest; + } + + + # This seperate location is so the no cache policy only applies to the index and nothing else. 
+ location @indextest { + root /var/www/ketrenos.com/ketr.test; + add_header Cache-Control no-cache; + expires 0; + try_files /index.html =404; + } + + location /splodice { + index index.html; + root /var/www/ketrenos.com; + add_header Last-Modified $date_gmt; + add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + if_modified_since off; + expires off; + etag off; + } + + location /airsonic { + proxy_pass http://azurite.ketrenos.com:4040; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + + location /fallriver { + proxy_pass http://192.168.1.78:8766; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + + location /chalk { + proxy_pass http://192.168.1.78:8765; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + + location /ketr.test/api { + proxy_pass http://192.168.1.78:8931; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header 
X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + + location /ketr.ketran/api { + proxy_pass http://192.168.1.78:8930; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + + location /roundcube { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_pass http://192.168.1.78:8124/; + } + + location ~* ^(/webmail(/.*)?|/mail(/.*)?)$ { + root /var/www/ketrenos.com; + try_files /horde-deprecated.html =404; + } + + location ~* ^(/mailman) { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_pass https://localhost:4430; + proxy_redirect https://localhost:4430 https://ketrenos.com; + } + + location ~* ^(/site|/recipes|/~jketreno/.*|/~christopher) { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_pass https://localhost:4430; + proxy_redirect https://localhost:4430 https://ketrenos.com; + } + + location /dad { + proxy_pass http://192.168.1.78:8134; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + + location / { + proxy_ssl_verify off; + proxy_pass https://192.168.1.78:8123; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } +} + +server { + server_name goodtime.ketrenos.com; + listen 443 ssl; + ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem; + location ~* ^(/.well-known) { + root /var/www/ketrenos.com; + } + return 301 https://goodtimes.ketrenos.com$request_uri; +} + +server { + server_name vnc.ketrenos.com; + listen 443 ssl; + ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem; + location ~* ^(/.well-known) { + root /var/www/ketrenos.com; + } + location / { + proxy_pass 
http://192.168.1.152:6081/; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } +} + +server { + server_name goodtimes.ketrenos.com; + listen 443 ssl; + ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem; + + location ~* ^(/.well-known) { + root /var/www/ketrenos.com; + } + + location / { + root /var/www/goodtimes.ketrenos.com; + index unresolvable-file-html.html; + try_files $uri @index; + } + + # This seperate location is so the no cache policy only applies to the index + # and nothing else. + + location @index { + root /var/www/goodtimes.ketrenos.com/; + add_header Cache-Control no-cache; + expires 0; + try_files /index.html =404; + } + + location /api { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_pass http://192.168.1.69:11141; + } +} + +server { + server_name git.ketrenos.com; + listen 443 ssl; + ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem; + + location ~* ^(/.well-known) { + root /var/www/ketrenos.com; + } + + location / { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host 
$http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_pass http://192.168.1.78:8300; + } +} + +server { + server_name media.ketrenos.com; + listen 443 ssl; + ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem; + + location ~* ^(/.well-known) { + root /var/www/ketrenos.com; + } + + location /deluge/ { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_pass http://192.168.1.69:8112/; + } + + location / { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_pass http://192.168.1.69:8096; + } +} + +server { + server_name fallriver.ketrenos.com; + listen 443 ssl; + ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem; + + location ~* ^(/.well-known) { + root /var/www/ketrenos.com; + } + + # make sure there is a trailing slash at the browser + # or the URLs will be wrong + location = /netdata { + return 301 /netdata/; + } + + location ~ /netdata/(?.*) { + proxy_redirect off; + proxy_set_header Host $host; + + proxy_set_header X-Forwarded-Host $host; + 
proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_pass_request_headers on; + proxy_set_header Connection "keep-alive"; + proxy_store off; + proxy_pass http://192.168.1.78:19999/$ndpath$is_args$args; + + gzip on; + gzip_proxied any; + gzip_types *; + } + + location / { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_pass http://192.168.1.78:8767; + } +} + +server { + server_name budget.ketrenos.com; + listen 443 ssl; + ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem; + + location ~* ^(/.well-known) { + root /var/www/ketrenos.com; + } + + location / { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_pass http://192.168.1.78:9876; + } +} + +server { + server_name mail.ketrenos.com; + listen 443 ssl; + ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem; + + location ~* ^(/.well-known) { + root /var/www/ketrenos.com; + } + + location / { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; 
+ proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_pass http://192.168.1.78:8124; + } +} + +server { + server_name commento.ketrenos.com; + listen 443 ssl; + ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem; + + location ~* ^(/.well-known) { + root /var/www/ketrenos.com; + } + + location / { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_pass http://192.168.1.78:2080; + } +} + +server { + server_name misty-dog.ketrenos.com; + listen 443 ssl; + ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem; + + location ~* ^(/.well-known) { + root /var/www/ketrenos.com; + } + + location / { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_pass http://192.168.1.78:11011; + } +} + +server { + server_name mastodon.ketrenos.com; + listen 443 ssl; + ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem; + + client_max_body_size 100M; + + location ~* ^(/.well-known) { + root 
/var/www/ketrenos.com;
+ }
+
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_pass_header Set-Cookie;
+ proxy_pass_header P3P;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_pass http://192.168.1.78:3500;
+ }
+}
+
+server {
+ server_name portland-werewolf.com;
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+ location ~* ^(/.well-known) {
+ root /var/www/ketrenos.com;
+ }
+
+ location / {
+ root /var/www/portland-werewolf.com/client;
+ index unresolvable-file-html.html;
+ try_files $uri @index;
+ }
+
+ # This seperate location is so the no cache policy only applies to the index
+ # and nothing else.
+
+ location @index {
+ root /var/www/portland-werewolf.com/client;
+ add_header Cache-Control no-cache;
+ expires 0;
+ try_files /index.html =404;
+ }
+
+ location /api {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_pass_header Set-Cookie;
+ proxy_pass_header P3P;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_pass http://192.168.1.69:11142;
+ }
+}
+
+
+server {
+ server_name opnsense.ketrenos.com;
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+ location ~* ^(/.well-known) {
+ root /var/www/ketrenos.com;
+ }
+
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_pass_header Set-Cookie;
+ proxy_pass_header P3P;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_pass https://192.168.1.10;
+ }
+}
+
diff --git a/config/nginx/sites-enabled/default b/config/nginx/sites-enabled/default
new file mode 120000
index 0000000..6d9ba33
--- /dev/null
+++ b/config/nginx/sites-enabled/default
@@ -0,0 +1 @@
+../sites-available/default
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..c9a7666
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,53 @@
+version: "3.1"
+services:
+ webserver:
+ image: ketreweb
+ container_name: ketreweb
+ build:
+ context: .
+ dockerfile: Dockerfile
+ restart: always
+ volumes:
+ - ./config/nginx/sites-enabled:/etc/nginx/sites-enabled:ro
+ - ./config/nginx/sites-available:/etc/nginx/sites-available:ro
+ - ./config/apache2/envvars:/etc/apache2/envvars:ro
+ - ./config/apache2/ports.conf:/etc/apache2/ports.conf:ro
+ - ./config/apache2/sites-enabled:/etc/apache2/sites-enabled:ro
+ - ./config/apache2/sites-available:/etc/apache2/sites-available:ro
+ - ./config/letsencrypt/live:/etc/letsencrypt/live:ro
+ - ./config/letsencrypt/archive:/etc/letsencrypt/archive:ro
+ - ./run.sh:/run.sh:ro
+ - ./data/log:/var/log:rw
+ - ./www:/var/www:ro
+ ports:
+ - 80:80
+ - 443:443
+ roundcube:
+ image: roundcube/roundcubemail
+ container_name: ketreweb-roundcube
+ user: root
+ environment:
+ - ROUNDCUBEMAIL_DEFAULT_HOST=tls://ketrenos.com
+ - ROUNDCUBEMAIL_SMTP_SERVER=tls://ketrenos.com
+ - ROUNDCUBEMAIL_SMTP_PORT=587
+ ports:
+ - 8124:80
+ restart: always
+ volumes:
+ - ./config/roundcube:/var/roundcube/config:ro
+ - ./data/roundcube/db:/var/roundcube/db:rw
+ - ./data/roundcube/html:/var/www/html:rw
+ cron:
+ image: ketre-cron
+ container_name: ketreweb-cron
+ build:
+ context: .
+ dockerfile: Dockerfile.cron
+ restart: always
+ volumes:
+ - ./config/letsencrypt:/etc/letsencrypt:rw
+ - ./config/cron.d:/etc/cron.d:ro
+ - ./data/log:/var/log:rw
+ - ./keys:/keys:ro
+ - ./www:/var/www:rw
+
diff --git a/ketreweb.sh b/ketreweb.sh
new file mode 100755
index 0000000..caf05db
--- /dev/null
+++ b/ketreweb.sh
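Review bot: The `roundcube` service publishes `8124:80` on every host interface and runs with `user: root`, so the webmail that nginx wraps in TLS for mail.ketrenos.com is also reachable over plain HTTP on port 8124 by anything that can reach the host's LAN address (the nginx config in this commit proxies to 192.168.1.78:8124, which suggests that address is the Docker host). Since `webserver` and `roundcube` are in the same compose project, the plaintext hop can stay on the compose network by removing the `ports` entry and pointing nginx at `http://roundcube:80`; if a host port is really needed, `- 127.0.0.1:8124:80` keeps it off the LAN. The `user: root` override deserves a comment stating why it is required, or should go — the image's default user is not visible here, but running webmail as root is only justified if the `./data/roundcube` bind mounts are otherwise unwritable. The `./run.sh:/run.sh:ro` mount does not match the script this commit adds (`ketreweb.sh`); when the host file is absent Docker creates an empty directory at `/run.sh` rather than failing, so the mismatch may only surface at container start.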
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+if [[ -d /var/run/apache2 ]]; then
+ mkdir -p /var/run/apache2
+fi
+
+while true; do
+ echo "Starting apache2"
+ . /etc/apache2/envvars
+ /usr/sbin/apache2 -D FOREGROUND
+ echo "apache2 died: $?"
+ sleep 5
+done &
+
+while true; do
+ echo "Starging nginx"
+ /usr/sbin/nginx -g 'daemon off;'
+ echo "nginx died: $?"
+ sleep 5
+done &
+
+#
+# Watch for letsencrypt changes and if they occur, restart nginx and apache2
+#
+while inotifywait -e modify /etc/letsencrypt/archive; do
+ kill -9 "$(cat /var/run/nginx.pid)" "$(cat /var/run/apache2.pid)"
+done
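Review bot: The certificate-reload loop at the end watches `/etc/letsencrypt/archive` with `inotifywait -e modify`, which only reports events for direct entries of that directory; certbot writes renewed certificates into a per-domain subdirectory (`archive/ketrenos.com/`, judging by the `live/ketrenos.com` paths used elsewhere in this commit), so the watch will most likely never fire and the servers would keep presenting an expired certificate. When it does fire, `kill -9` gives neither server a chance to finish in-flight requests and relies on the restart loops' 5-second sleep to bring them back; watching recursively for created/closed files and asking each server to reload (`nginx -s reload`, SIGUSR1 for apache2's graceful restart) avoids the outage. The directory test at the top is inverted — `if [[ -d /var/run/apache2 ]]` only creates the directory when it already exists, so `[[ ! -d … ]]` (or an unconditional `mkdir -p`) was intended. The apache2 pid path should be checked against `APACHE_PID_FILE` in the `config/apache2/envvars` file this commit adds, and the nginx loop's message reads `Starging nginx`.
```shell
if [[ ! -d /var/run/apache2 ]]; then
    mkdir -p /var/run/apache2
fi

# … unchanged: apache2 and nginx restart loops …

# Reload (rather than kill) when certbot drops new files anywhere under archive/.
# The apache2 pid path must match APACHE_PID_FILE from /etc/apache2/envvars.
while inotifywait -r -e create,close_write,moved_to /etc/letsencrypt/archive; do
    /usr/sbin/nginx -s reload
    kill -USR1 "$(cat /var/run/apache2.pid)"
done
```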