init

iamnut · Feb 11, 2020 · 89a5f59 · 89a5f59
commit 89a5f59
Show file tree

Hide file tree

Showing 7 changed files with 180 additions and 0 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,34 @@
+version: "3.5"
+
+x-logging:
+  &default-logging
+    driver: "json-file"
+    options:
+      max-size: "10m"
+      max-file: "2"
+
+networks:
+  backbone-net:
+    name: backbone-net
+
+services:
+  nginx-controller:
+    container_name: nginx-controller
+    image: nginx:1.17.8
+    logging: *default-logging
+    restart: always
+    environment:
+      - TZ=Asia/Bangkok
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./nginx/conf.d:/etc/nginx/conf.d:ro
+      - ./nginx/ssl.d:/ssl.d:ro
+      - ./webroot.d:/webroot.d:ro
+      - certs:/etc/letsencrypt:ro
+      - certs-data:/data/letsencrypt:ro
+    networks:
+      - backbone-net
+    ports:
+      - 80:80
+      - 443:443
+
diff --git a/nginx/conf.d/00-default.conf b/nginx/conf.d/00-default.conf
@@ -0,0 +1,10 @@
+server {
+  listen 80 default_server;
+  root /usr/share/nginx/html;
+  index index.html index.htm;
+  server_name localhost;
+
+  location / {
+    try_files $uri $uri/ =404;
+  }
+}
diff --git a/nginx/conf.d/05-example.tld.conf.disable b/nginx/conf.d/05-example.tld.conf.disable
@@ -0,0 +1,59 @@
+server {
+  listen 80;
+  server_name example.ltd www.example.ltd;
+
+  ## uncomment when using letsencrypt SSL
+  # location ^~ /.well-known {
+  #   allow all;
+  #   root /data/letsencrypt/;
+  # }
+
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443 ssl http2;
+  server_name example.ltd;
+
+  ssl_session_cache shared:SSL:20m;
+  ssl_session_timeout 10m;
+
+  ## non-letsencrypt SSL
+  ssl_certificate /ssl.d/$server_name/server.crt;
+  ssl_certificate_key /ssl.d/$server_name/server.key;
+
+  ## uncomment when using letsencrypt SSL
+  # ssl_stapling on;
+  # ssl_stapling_verify on;
+  # ssl_certificate /etc/letsencrypt/live/$server_name/fullchain.pem;
+  # ssl_certificate_key /etc/letsencrypt/live/$server_name/privkey.pem;
+  # ssl_trusted_certificate /etc/letsencrypt/live/$server_name/chain.pem;
+
+  add_header Strict-Transport-Security "max-age=31536000; always";
+  add_header X-Frame-Options DENY;
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+
+  resolver 127.0.0.1 valid=30s;
+
+  proxy_set_header Host $host:$server_port;
+  proxy_set_header X-Forwarded-Host $http_host;
+  proxy_set_header X-Forwarded-Port $server_port;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto $scheme;
+
+  proxy_max_temp_file_size 0;
+  proxy_buffering off;
+  proxy_request_buffering off;
+  proxy_set_header Connection "";
+
+  location / {
+    proxy_pass http://backend.service:10180;
+  }
+
+  location /phpmyadmin/ {
+    rewrite ^/phpmyadmin(/.*)$ /$1 break;
+    proxy_pass http://phpmyadmin.service:10181;
+  }
+}
diff --git a/nginx/conf.d/06-dl.example.tld.conf.disable b/nginx/conf.d/06-dl.example.tld.conf.disable
@@ -0,0 +1,41 @@
+server {
+  listen 80;
+  server_name dl.example.ltd;
+
+  ## uncomment when using letsencrypt SSL
+  # location ^~ /.well-known {
+  #   allow all;
+  #   root /data/letsencrypt/;
+  # }
+
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443 ssl http2;
+  server_name dl.example.ltd;
+
+  ssl_session_cache shared:SSL:20m;
+  ssl_session_timeout 10m;
+
+  # non-letsencrypt SSL
+  ssl_certificate /ssl.d/$server_name/server.crt;
+  ssl_certificate_key /ssl.d/$server_name/server.key;
+
+  ## uncomment when using letsencrypt SSL
+  # ssl_stapling on;
+  # ssl_stapling_verify on;
+  # ssl_certificate /etc/letsencrypt/live/$server_name/fullchain.pem;
+  # ssl_certificate_key /etc/letsencrypt/live/$server_name/privkey.pem;
+  # ssl_trusted_certificate /etc/letsencrypt/live/$server_name/chain.pem;
+
+  add_header Strict-Transport-Security "max-age=31536000; always";
+  add_header X-Frame-Options DENY;
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+
+  location / {
+    autoindex on;
+    root /webroot.d/$server_name;
+  }
+}
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -0,0 +1,36 @@
+user root;
+worker_processes auto;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+events {
+  worker_connections  4095;
+}
+
+http {
+  include /etc/nginx/mime.types;
+  default_type application/octet-stream;
+
+  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+  access_log /var/log/nginx/access.log main;
+
+  sendfile on;
+  tcp_nopush on;
+  keepalive_timeout 30;
+
+  server_tokens off;
+  server_names_hash_bucket_size 512;
+  client_max_body_size 250m;
+  types_hash_max_size 2048;
+
+  # SSL Global Setting
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_prefer_server_ciphers on;
+  ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
+
+  include /etc/nginx/conf.d/*.conf;
+}
diff --git a/nginx/ssl.d/.gitkeep b/nginx/ssl.d/.gitkeep
diff --git a/webroot.d/.gitkeep b/webroot.d/.gitkeep