RedXen/frontend-docker
RedXen
/
frontend-docker
Archived
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Change gitea domain, switch to let's encrypt and allow port 80

This commit is contained in:
caskd 2019-12-11 19:32:47 +01:00
parent c866a0c324
commit fe001456b4
No known key found for this signature in database
GPG Key ID: 79DB21404E300A27
2 changed files with 25 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
base.yml
View File

@ -5,17 +5,15 @@ networks:
driver: overlay
attachable: true
driver_opts:
encrypted: "true"
encrypted: "true"
cache:
driver: overlay
driver_opts:
encrypted: "true"
secrets:
cf_op:
file: certificates/cloudflare-op.crt
ssl_master:
file: certificates/master.pem
file: certificates/rxmaster.pem
volumes:
haproxysock:
@ -41,9 +39,6 @@ services:
image: localhost:5000/haproxy-rx
deploy: *gt2 ## HAProxy really dislikes if it's overlapped
logging: *json-log
secrets:
- ssl_master
- cf_op
volumes:
- 'haproxysock:/haproxy:rw' ## Telegraf monitoring
networks:
@ -63,7 +58,7 @@ services:
deploy: *gt2
logging: *json-log
secrets:
- source: ssl_master
- ssl_master
environment:
HITCH_PEM: '/run/secrets/ssl_master'
HITCH_PARAMS: '--backend=[varnish]:80 --frontend=[*]:443'

46
build/HAProxy/haproxy.conf
View File

@ -3,7 +3,7 @@ global
maxconn 2048
maxconnrate 40
stats socket /haproxy/haproxy.sock mode 660 level admin
defaults
mode http
retries 3
@ -34,47 +34,45 @@ resolvers dockerdns
frontend https
mode http
bind *:80
acl is_cf req.hdr_ip(x-forwarded-for) -m found
acl dav url_beg /.well-known/carddav /.well-known/caldav
acl root url /
acl discord-redirect url /discord
acl public_cache res.hdr(content-type) -i -m str text/css -i -m str application/javascript -i -m beg font/
acl private_cache res.hdr(content-type) -i -m beg image/ -i -m beg audio/ -i -m beg video/ -i -m beg text/ -i -m beg application/
acl yagpdb req.hdr(host) -i yagpdb.redxen.eu or -i yagpdb.redxen.eu:443
acl grafana req.hdr(host) -i stats.redxen.eu or -i stats.redxen.eu:443
acl nextcloud req.hdr(host) -i cloud.redxen.eu or -i cloud.redxen.eu:443
acl webgit req.hdr(host) -i webgit.redxen.eu or -i webgit.redxen.eu:443
acl transmission req.hdr(host) -i seed.redxen.eu or -i seed.redxen.eu:443
acl onlyoffice req.hdr(host) -i office.redxen.eu or -i office.redxen.eu:443
acl seedown req.hdr(host) -i sd.redxen.eu or -i sd.redxen.eu:443
acl homepage req.hdr(host) -i redxen.eu or -i www.redxen.eu or -i redxen.eu:443 or -i www.redxen.eu:443 or -i redxen.eu:2096
acl homepage-res res.hdr(host) -i redxen.eu or -i redxen.eu:443
acl yagpdb req.hdr(host) -i yagpdb.redxen.eu or -i yagpdb.redxen.eu:443 or -i yagpdb.redxen.eu:80
acl grafana req.hdr(host) -i stats.redxen.eu or -i stats.redxen.eu:443 or -i stats.redxen.eu:80
acl nextcloud req.hdr(host) -i cloud.redxen.eu or -i cloud.redxen.eu:443 or -i cloud.redxen.eu:80
acl git req.hdr(host) -i git.redxen.eu or -i git.redxen.eu:443 or -i git.redxen.eu:80
acl transmission req.hdr(host) -i seed.redxen.eu or -i seed.redxen.eu:443 or -i seed.redxen.eu:80
acl onlyoffice req.hdr(host) -i office.redxen.eu or -i office.redxen.eu:443 or -i office.redxen.eu
acl seedown req.hdr(host) -i sd.redxen.eu or -i sd.redxen.eu:443 or -i sd.redxen.eu:80
acl homepage req.hdr(host) -i redxen.eu or -i www.redxen.eu or -i redxen.eu:443 or -i www.redxen.eu:443 or -i redxen.eu:80 or -i www.redxen.eu:80
http-request set-header X-Client-IP %[req.hdr_ip(x-forwarded-for)] if is_cf
redirect location /remote.php/dav code 301 if dav nextcloud
redirect location /index.html code 301 if homepage root
redirect location /web/ code 301 if transmission root
redirect location https://discord.gg/CTFMzde code 301 if discord-redirect homepage
http-response replace-header Set-Cookie (.*) \1;\ Secure
http-response add-header X-Forwarded-Proto https
http-response set-header Cache-Control public\ max-age=31536000 if public_cache ! private_cache or homepage-res
http-response set-header Cache-Control public\ max-age=31536000 if public_cache ! private_cache
http-response set-header Cache-Control private\ max-age=86400\ must-revalidate if private_cache
http-response set-header X-XSS-Protection 1;\ mode=block
http-response set-header X-Content-Type-Options nosniff
http-response set-header Referrer-Policy no-referrer-when-downgrade
http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
use_backend yagpdb if yagpdb
use_backend nextcloud if nextcloud
use_backend grafana if grafana
use_backend webgit if webgit
use_backend git if git
use_backend transmission if transmission
use_backend onlyoffice if onlyoffice
use_backend homepage if homepage
@ -103,9 +101,9 @@ backend grafana
option httpchk HEAD / HTTP/1.1\r\nHost:\ stats.redxen.eu
http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
backend webgit
server webgit-docker git_gitea:3000 check
option httpchk HEAD / HTTP/1.1\r\nHost:\ webgit.redxen.eu
backend git
server git-docker git_gitea:3000 check
option httpchk HEAD / HTTP/1.1\r\nHost:\ git.redxen.eu
http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ https:\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
backend transmission