Change gitea domain, switch to let's encrypt and allow port 80
This commit is contained in:
parent
c866a0c324
commit
fe001456b4
9
base.yml
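--- a/base.yml
+++ b/base.yml
@@ -12,10 +12,8 @@ networks:
 encrypted: "true"
 
 secrets:
-cf_op:
-file: certificates/cloudflare-op.crt
 ssl_master:
-file: certificates/master.pem
+file: certificates/rxmaster.pem
 
 volumes:
 haproxysock:
@@ -41,9 +39,6 @@ services:
 image: localhost:5000/haproxy-rx
 deploy: *gt2 ## HAProxy really dislikes if it's overlapped
 logging: *json-log
-secrets:
-- ssl_master
-- cf_op
 volumes:
 - 'haproxysock:/haproxy:rw' ## Telegraf monitoring
 networks:
@@ -63,7 +58,7 @@ services:
 deploy: *gt2
 logging: *json-log
 secrets:
-- source: ssl_master
+- ssl_master
 environment:
 HITCH_PEM: '/run/secrets/ssl_master'
 HITCH_PARAMS: '--backend=[varnish]:80 --frontend=[*]:443'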
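Review bot: `certificates/rxmaster.pem` behind `ssl_master` is now a Let's Encrypt certificate per the commit title, but a file-backed Compose/Swarm secret is fixed at deploy time, so the 90-day renewal will not reach hitch unless the secret is re-created and the stack redeployed; nothing in this file shows how that rotation happens (it may live elsewhere). A short comment above `ssl_master:` would save the next maintainer that question, e.g. `# Let's Encrypt key+chain read by hitch via HITCH_PEM; renewal means re-creating this secret and redeploying`. Because the file feeds `HITCH_PEM`, it presumably contains the private key alongside the chain, so it must stay out of version control; the `cf_op` origin certificate dropped here can be retired once nothing else references it. After this change the haproxy service holds no TLS material at all, which suggests it only sees plaintext behind hitch — confirm that is intended.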
|
@ -43,16 +43,14 @@ frontend https
|
||||||
acl public_cache res.hdr(content-type) -i -m str text/css -i -m str application/javascript -i -m beg font/
|
acl public_cache res.hdr(content-type) -i -m str text/css -i -m str application/javascript -i -m beg font/
|
||||||
acl private_cache res.hdr(content-type) -i -m beg image/ -i -m beg audio/ -i -m beg video/ -i -m beg text/ -i -m beg application/
|
acl private_cache res.hdr(content-type) -i -m beg image/ -i -m beg audio/ -i -m beg video/ -i -m beg text/ -i -m beg application/
|
||||||
|
|
||||||
acl yagpdb req.hdr(host) -i yagpdb.redxen.eu or -i yagpdb.redxen.eu:443
|
acl yagpdb req.hdr(host) -i yagpdb.redxen.eu or -i yagpdb.redxen.eu:443 or -i yagpdb.redxen.eu:80
|
||||||
acl grafana req.hdr(host) -i stats.redxen.eu or -i stats.redxen.eu:443
|
acl grafana req.hdr(host) -i stats.redxen.eu or -i stats.redxen.eu:443 or -i stats.redxen.eu:80
|
||||||
acl nextcloud req.hdr(host) -i cloud.redxen.eu or -i cloud.redxen.eu:443
|
acl nextcloud req.hdr(host) -i cloud.redxen.eu or -i cloud.redxen.eu:443 or -i cloud.redxen.eu:80
|
||||||
acl webgit req.hdr(host) -i webgit.redxen.eu or -i webgit.redxen.eu:443
|
acl git req.hdr(host) -i git.redxen.eu or -i git.redxen.eu:443 or -i git.redxen.eu:80
|
||||||
acl transmission req.hdr(host) -i seed.redxen.eu or -i seed.redxen.eu:443
|
acl transmission req.hdr(host) -i seed.redxen.eu or -i seed.redxen.eu:443 or -i seed.redxen.eu:80
|
||||||
acl onlyoffice req.hdr(host) -i office.redxen.eu or -i office.redxen.eu:443
|
acl onlyoffice req.hdr(host) -i office.redxen.eu or -i office.redxen.eu:443 or -i office.redxen.eu
|
||||||
acl seedown req.hdr(host) -i sd.redxen.eu or -i sd.redxen.eu:443
|
acl seedown req.hdr(host) -i sd.redxen.eu or -i sd.redxen.eu:443 or -i sd.redxen.eu:80
|
||||||
acl homepage req.hdr(host) -i redxen.eu or -i www.redxen.eu or -i redxen.eu:443 or -i www.redxen.eu:443 or -i redxen.eu:2096
|
acl homepage req.hdr(host) -i redxen.eu or -i www.redxen.eu or -i redxen.eu:443 or -i www.redxen.eu:443 or -i redxen.eu:80 or -i www.redxen.eu:80
|
||||||
|
|
||||||
acl homepage-res res.hdr(host) -i redxen.eu or -i redxen.eu:443
|
|
||||||
|
|
||||||
http-request set-header X-Client-IP %[req.hdr_ip(x-forwarded-for)] if is_cf
|
http-request set-header X-Client-IP %[req.hdr_ip(x-forwarded-for)] if is_cf
|
||||||
redirect location /remote.php/dav code 301 if dav nextcloud
|
redirect location /remote.php/dav code 301 if dav nextcloud
|
||||||
|
@ -63,7 +61,7 @@ frontend https
|
||||||
http-response replace-header Set-Cookie (.*) \1;\ Secure
|
http-response replace-header Set-Cookie (.*) \1;\ Secure
|
||||||
http-response add-header X-Forwarded-Proto https
|
http-response add-header X-Forwarded-Proto https
|
||||||
|
|
||||||
http-response set-header Cache-Control public\ max-age=31536000 if public_cache ! private_cache or homepage-res
|
http-response set-header Cache-Control public\ max-age=31536000 if public_cache ! private_cache
|
||||||
http-response set-header Cache-Control private\ max-age=86400\ must-revalidate if private_cache
|
http-response set-header Cache-Control private\ max-age=86400\ must-revalidate if private_cache
|
||||||
|
|
||||||
http-response set-header X-XSS-Protection 1;\ mode=block
|
http-response set-header X-XSS-Protection 1;\ mode=block
|
||||||
|
@ -74,7 +72,7 @@ frontend https
|
||||||
use_backend yagpdb if yagpdb
|
use_backend yagpdb if yagpdb
|
||||||
use_backend nextcloud if nextcloud
|
use_backend nextcloud if nextcloud
|
||||||
use_backend grafana if grafana
|
use_backend grafana if grafana
|
||||||
use_backend webgit if webgit
|
use_backend git if git
|
||||||
use_backend transmission if transmission
|
use_backend transmission if transmission
|
||||||
use_backend onlyoffice if onlyoffice
|
use_backend onlyoffice if onlyoffice
|
||||||
use_backend homepage if homepage
|
use_backend homepage if homepage
|
||||||
|
@ -103,9 +101,9 @@ backend grafana
|
||||||
option httpchk HEAD / HTTP/1.1\r\nHost:\ stats.redxen.eu
|
option httpchk HEAD / HTTP/1.1\r\nHost:\ stats.redxen.eu
|
||||||
http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
|
http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
|
||||||
|
|
||||||
backend webgit
|
backend git
|
||||||
server webgit-docker git_gitea:3000 check
|
server git-docker git_gitea:3000 check
|
||||||
option httpchk HEAD / HTTP/1.1\r\nHost:\ webgit.redxen.eu
|
option httpchk HEAD / HTTP/1.1\r\nHost:\ git.redxen.eu
|
||||||
http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ https:\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
|
http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ https:\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
|
||||||
|
|
||||||
backend transmission
|
backend transmission
|
||||||
|
|
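Review bot: The `onlyoffice` ACL in the `frontend https` hunk ends with `or -i office.redxen.eu` rather than `office.redxen.eu:80`, so it merely repeats the bare host and, unlike every other ACL in that hunk, will not match a `Host: office.redxen.eu:80` request; change it to `acl onlyoffice req.hdr(host) -i office.redxen.eu or -i office.redxen.eu:443 or -i office.redxen.eu:80`. More broadly, adding the `:80` variants routes plaintext requests to the same application backends as HTTPS with no redirect anywhere in the hunk, and the `Secure` cookie and `X-Forwarded-Proto https` rewrites in the following hunk would then also be applied to plaintext responses. If port 80 is only being opened for ACME HTTP-01 validation, the usual shape is a separate port-80 frontend that serves `/.well-known/acme-challenge/` and otherwise issues `http-request redirect scheme https code 301`. How port 80 actually reaches this frontend is not visible here (TLS appears to be terminated by hitch ahead of HAProxy per base.yml), so check the bind lines before relying on any `ssl_fc`-based test. The `frontend https` block begins outside the hunk.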