From fe001456b49d79cb24ac15ffaec0c62e3af2677d Mon Sep 17 00:00:00 2001
From: caskd
Date: Wed, 11 Dec 2019 19:32:47 +0100
Subject: [PATCH] Change gitea domain, switch to let's encrypt and allow port 80
---
 base.yml | 11 +++------
 build/HAProxy/haproxy.conf | 46 ++++++++++++++++++--------------------
 2 files changed, 25 insertions(+), 32 deletions(-)
diff --git a/base.yml b/base.yml
index 493469c..20f2771 100644
--- a/base.yml
+++ b/base.yml
@@ -5,17 +5,15 @@ networks: driver: overlay attachable: true driver_opts: - encrypted: "true" + encrypted: "true" cache: driver: overlay driver_opts: encrypted: "true" secrets: - cf_op: - file: certificates/cloudflare-op.crt ssl_master: - file: certificates/master.pem + file: certificates/rxmaster.pem volumes: haproxysock:
@@ -41,9 +39,6 @@ services: image: localhost:5000/haproxy-rx deploy: *gt2 ## HAProxy really dislikes if it's overlapped logging: *json-log - secrets: - - ssl_master - - cf_op volumes: - 'haproxysock:/haproxy:rw' ## Telegraf monitoring networks:
@@ -63,7 +58,7 @@ services: deploy: *gt2 logging: *json-log secrets: - - source: ssl_master + - ssl_master environment: HITCH_PEM: '/run/secrets/ssl_master' HITCH_PARAMS: '--backend=[varnish]:80 --frontend=[*]:443'
diff --git a/build/HAProxy/haproxy.conf b/build/HAProxy/haproxy.conf
index 245272c..6e31e5c 100644
--- a/build/HAProxy/haproxy.conf
+++ b/build/HAProxy/haproxy.conf
@@ -3,7 +3,7 @@ global
 maxconn 2048
 maxconnrate 40
 stats socket /haproxy/haproxy.sock mode 660 level admin
-
+
 defaults
 mode http
 retries 3
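Review bot: In the first base.yml hunk the `ssl_master` secret is still a static file (`certificates/rxmaster.pem`) although the subject calls this the switch to Let's Encrypt; a Swarm file secret cannot be updated in place, so a short-lived certificate will need a new secret (for example a versioned name) and a hitch redeploy at every renewal, and nothing in this patch sets that up. If renewal is handled outside this repository, a comment above `ssl_master:` such as `# rxmaster.pem is refreshed by <renewal job>; recreate the secret and redeploy hitch after each renewal` would make the operational dependency visible. The hunk also removes the `cf_op` secret; if that means Cloudflare is no longer fronting the stack (inferred from the subject, not visible here), the `is_cf` acl in haproxy.conf that trusts `x-forwarded-for` for `X-Client-IP` should be revisited in the same change.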
@@ -34,47 +34,45 @@ resolvers dockerdns
 frontend https
 mode http
 bind *:80
-
+
 acl is_cf req.hdr_ip(x-forwarded-for) -m found
 acl dav url_beg /.well-known/carddav /.well-known/caldav
 acl root url /
 acl discord-redirect url /discord
-
+
 acl public_cache res.hdr(content-type) -i -m str text/css -i -m str application/javascript -i -m beg font/
 acl private_cache res.hdr(content-type) -i -m beg image/ -i -m beg audio/ -i -m beg video/ -i -m beg text/ -i -m beg application/
-
- acl yagpdb req.hdr(host) -i yagpdb.redxen.eu or -i yagpdb.redxen.eu:443
- acl grafana req.hdr(host) -i stats.redxen.eu or -i stats.redxen.eu:443
- acl nextcloud req.hdr(host) -i cloud.redxen.eu or -i cloud.redxen.eu:443
- acl webgit req.hdr(host) -i webgit.redxen.eu or -i webgit.redxen.eu:443
- acl transmission req.hdr(host) -i seed.redxen.eu or -i seed.redxen.eu:443
- acl onlyoffice req.hdr(host) -i office.redxen.eu or -i office.redxen.eu:443
- acl seedown req.hdr(host) -i sd.redxen.eu or -i sd.redxen.eu:443
- acl homepage req.hdr(host) -i redxen.eu or -i www.redxen.eu or -i redxen.eu:443 or -i www.redxen.eu:443 or -i redxen.eu:2096
-
- acl homepage-res res.hdr(host) -i redxen.eu or -i redxen.eu:443
-
+
+ acl yagpdb req.hdr(host) -i yagpdb.redxen.eu or -i yagpdb.redxen.eu:443 or -i yagpdb.redxen.eu:80
+ acl grafana req.hdr(host) -i stats.redxen.eu or -i stats.redxen.eu:443 or -i stats.redxen.eu:80
+ acl nextcloud req.hdr(host) -i cloud.redxen.eu or -i cloud.redxen.eu:443 or -i cloud.redxen.eu:80
+ acl git req.hdr(host) -i git.redxen.eu or -i git.redxen.eu:443 or -i git.redxen.eu:80
+ acl transmission req.hdr(host) -i seed.redxen.eu or -i seed.redxen.eu:443 or -i seed.redxen.eu:80
+ acl onlyoffice req.hdr(host) -i office.redxen.eu or -i office.redxen.eu:443 or -i office.redxen.eu
+ acl seedown req.hdr(host) -i sd.redxen.eu or -i sd.redxen.eu:443 or -i sd.redxen.eu:80
+ acl homepage req.hdr(host) -i redxen.eu or -i www.redxen.eu or -i redxen.eu:443 or -i www.redxen.eu:443 or -i redxen.eu:80 or -i 
www.redxen.eu:80
+
 http-request set-header X-Client-IP %[req.hdr_ip(x-forwarded-for)] if is_cf
 redirect location /remote.php/dav code 301 if dav nextcloud
 redirect location /index.html code 301 if homepage root
 redirect location /web/ code 301 if transmission root
 redirect location https://discord.gg/CTFMzde code 301 if discord-redirect homepage
-
+
 http-response replace-header Set-Cookie (.*) \1;\ Secure
 http-response add-header X-Forwarded-Proto https
-
- http-response set-header Cache-Control public\ max-age=31536000 if public_cache ! private_cache or homepage-res
+
+ http-response set-header Cache-Control public\ max-age=31536000 if public_cache ! private_cache
 http-response set-header Cache-Control private\ max-age=86400\ must-revalidate if private_cache
-
+
 http-response set-header X-XSS-Protection 1;\ mode=block
 http-response set-header X-Content-Type-Options nosniff
 http-response set-header Referrer-Policy no-referrer-when-downgrade
 http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
-
+
 use_backend yagpdb if yagpdb
 use_backend nextcloud if nextcloud
 use_backend grafana if grafana
- use_backend webgit if webgit
+ use_backend git if git
 use_backend transmission if transmission
 use_backend onlyoffice if onlyoffice
 use_backend homepage if homepage
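Review bot: The new `onlyoffice` acl's third alternative repeats the bare host instead of the `:80` form every sibling line gets, so a request with `Host: office.redxen.eu:80` will not match it and falls through to the default backend; it should read `acl onlyoffice req.hdr(host) -i office.redxen.eu or -i office.redxen.eu:443 or -i office.redxen.eu:80`. The added `:80` host variants imply that clients now reach this `bind *:80` frontend over plain HTTP, yet the unchanged response rules still append `Secure` to every `Set-Cookie`, add `X-Forwarded-Proto https` and send HSTS unconditionally — on a cleartext request the browser discards a `Secure` cookie and ignores the HSTS header, and an application seeing `X-Forwarded-Proto https` will build https links it cannot verify. Unless every path into this frontend is TLS-terminated upstream (hitch on 443 is visible in base.yml, but how it marks its forwarded requests is not), an `http-request redirect scheme https code 301` guarded by whatever signal the TLS terminator provides belongs before these rules, or the cookie/HSTS rules should be conditioned on that same signal.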
@@ -103,9 +101,9 @@ backend grafana
 option httpchk HEAD / HTTP/1.1\r\nHost:\ stats.redxen.eu
 http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
-backend webgit
- server webgit-docker git_gitea:3000 check
- option httpchk HEAD / HTTP/1.1\r\nHost:\ webgit.redxen.eu
+backend git
+ server git-docker git_gitea:3000 check
+ option httpchk HEAD / HTTP/1.1\r\nHost:\ git.redxen.eu
 http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ https:\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
 backend transmission