Nginx
Reverse Proxy (rough)
Below is a very rough outline of an nginx reverse proxy setup. The file contents are pasted as-is (several files are collapsed onto a single line), so recreate each file, then run `nginx -t` before reloading.
# Open the top-level nginx configuration for editing (run as root).
cd /etc/nginx
nano ./nginx.conf
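## Global Settings
# globals.conf is expected to hold the main-context directives nginx cannot run
# without (user, worker_processes, pid, events { ... }); it is not shown on this page.
include /etc/nginx/conf/globals.conf;
http {
    ## United States only
    # requires apt-get install geoip-database (and an nginx built with ngx_http_geoip_module)
    # NOTE: the original map used "default yes", which allows every country and
    # makes the filter a no-op. Deny by default, allow only US, and act on
    # $allowed_country inside the server blocks you actually want restricted.
    # geoip_country /usr/share/GeoIP/GeoIP.dat;
    # map $geoip_country_code $allowed_country { default no; US yes; }
    # ...then in each public server block:
    # if ($allowed_country = no) { return 403; }

    ## Settings
    include /etc/nginx/conf/settings.conf;
    ## Security stuff
    include /etc/nginx/conf/securitystuff.conf;

    ### Default port 80 when accessed by external IP / unknown Host
    # 444 is nginx's "close the connection without a response". The original
    # returned 401, which is malformed without a WWW-Authenticate challenge and
    # still advertises that a web server is present.
    server { listen 80 default_server; server_name ""; return 444; }
    ### There is no default_server for 443, so an unknown Host on 443 is served by
    # the first ssl server loaded from my-domains/*. On nginx >= 1.19.4 a catch-all
    # can refuse the TLS handshake instead of leaking the first vhost:
    # server { listen 443 ssl default_server; server_name ""; ssl_reject_handshake on; }

    ## local site
    include /etc/nginx/conf/localsite.conf;
    ## domains
    # Prefer "my-domains/*.conf" so editor backup files (foo~, .foo.swp) are not loaded.
    include /etc/nginx/conf/my-domains/*;
}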
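# Create the include tree that nginx.conf refers to. -p creates parents in one
# go and makes this safe to re-run. globals.conf (included first by nginx.conf)
# is not described on this page; it must exist and hold the main-context
# directives (user, worker_processes, events { ... }) before nginx -t will pass.
mkdir -p conf/my-domains conf/htpc
cd conf
nano settings.conf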
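## Basics
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_names_hash_bucket_size 64;
include /etc/nginx/mime.types;
default_type application/octet-stream;

## ssl
# TLS 1.0 and 1.1 are deprecated (RFC 8996); the original line still enabled them.
# Add TLSv1.3 to this list if your nginx/OpenSSL build supports it.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# Without an explicit cipher list nginx inherits OpenSSL's default, so
# "prefer server ciphers" had nothing sensible to prefer. Forward-secret AEAD only.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
# Session resumption via a server-side cache; tickets off so a long-lived
# ticket key does not undermine forward secrecy.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;

## Logging
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

## Gzip
gzip on;
gzip_disable "msie6";
# Compressing responses that mix a secret (CSRF token, session id) with
# attacker-influenced content is what BREACH exploits; leave gzip off for
# such dynamic responses, it is fine for static assets.

## Perfect Forward Secrecy
# requires openssl dhparam -out dh4096.pem 4096
# (only used by DHE_* ciphers; the ECDHE-only list above does not need it)
# include /etc/nginx/perfect-forward-secrecy.conf;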
# Shared security-header include; nginx.conf pulls it into the http context.
nano securitystuff.conf
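# don't send the nginx version number in error pages and Server header
server_tokens off;

# NOTE on add_header: nginx does NOT merge add_header across levels. Any server
# or location block that declares its own add_header (for any header at all)
# drops every add_header inherited from here, so re-include this file or repeat
# the headers in such blocks. "always" makes the headers go out on 4xx/5xx
# responses too, which matters because proxysettings.conf intercepts backend
# errors and the custom error pages would otherwise ship without them.

# config to not allow the browser to render the page inside a frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, use SAMEORIGIN; ALLOW-FROM is no longer
# honoured by browsers, use the CSP frame-ancestors directive instead
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN always;

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing in browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-Content-Type-Options nosniff always;

# X-XSS-Protection is deprecated: current browsers ignore it and the legacy
# filter it toggled was itself abused for cross-site leaks. The replacement is a
# Content-Security-Policy. If you send it at all, current OWASP guidance is "0"
# (explicitly off) rather than the original "1; mode=block".
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "0" always;

# with Content Security Policy (CSP) enabled (and a browser that supports it, http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it may only load content from the origins you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# The application code needs changing before 'unsafe-inline' 'unsafe-eval' can be
# dropped for css and js (if you have inline css or js, you will need to keep them).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
# The example policy on the original page was truncated mid-directive; the visible
# part allowed 'self' plus google-analytics, zendesk and facebook for scripts.
# Roll it out with Content-Security-Policy-Report-Only first, then enforce:
#add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com; frame-ancestors 'self'" always;

## Referrer
add_header Referrer-Policy "no-referrer" always;

## HSTS
# Uncomment only once every subdomain is served over TLS; browsers cache it for
# max-age and a plain-http host under the domain becomes unreachable meanwhile.
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;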
# LAN-facing server block (port 85); included by nginx.conf after the security headers.
nano localsite.conf
server {
# Plain-HTTP listener on a non-standard port. Nothing here requires TLS or
# authentication, and the htpc/*.conf include below exposes the Deluge/Jackett/
# Lidarr/NZBHydra/Ombi admin UIs through it. Keep it LAN-only, e.g.
# "listen 192.168.2.X:85;" or "allow 192.168.2.0/24; deny all;" (every backend
# on this page lives in 192.168.2.0/24), and never port-forward :85 from the router.
listen 85;
# localsite location
root /var/www/deathbybandaid/;
index index.html index.php;
# if you have htpc configs like /radarr
# NOTE: an htpc location that sets any proxy_set_header of its own does NOT
# inherit the headers from proxysettings.conf (nginx does not merge them);
# such locations need to include proxysettings.conf themselves.
include /etc/nginx/conf/htpc/*.conf;
# custom error pages
# include /etc/nginx/conf/errorpages.conf;
# proxy settings
include /etc/nginx/conf/proxysettings.conf;
# php
# /etc/nginx/include/php is not shown on this page; presumably the fastcgi
# snippet for .php files -- confirm it exists or nginx -t fails on the include.
include /etc/nginx/include/php;
}
# Common proxy headers/timeouts; included per server (or per location, see the file).
nano proxysettings.conf
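## Proxy Settings
# Include this file INSIDE any location that declares its own proxy_set_header:
# nginx only inherits proxy_set_header from the enclosing level when the current
# level sets none, so a location adding a single header silently drops all of these.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the
# client sent; only the LAST (rightmost) value is trustworthy on the backend.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Tell the backend whether the client leg was TLS so it emits https links and
# Secure cookies when fronted by the 443 server (the original never sent this).
proxy_set_header X-Forwarded-Proto $scheme;
# 1s is tight; raise it if backends on sleeping/containerised hosts give spurious 504s.
proxy_connect_timeout 1;
# Retrying on http_404 only matters with several upstreams; with a single
# backend it just turns the 404 into an error after the one attempt.
proxy_next_upstream error timeout http_500 http_502 http_503 http_504 http_404;
# Replace backend error bodies with the error_page definitions of the server
# block, so backend stack traces/version banners never reach the client.
proxy_intercept_errors on;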
Domains stuff
letsencrypt
Learn how to use it (the paths below are certbot's /etc/letsencrypt/live layout), then point ssl_certificate and ssl_certificate_key at the issued chain and private key for each domain you serve.
basic subdomain layout
This is an example subdomain file (one file per subdomain, dropped into conf/my-domains/).
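## 80
# Plain-HTTP listener: only the ACME HTTP-01 challenge is served here, everything
# else is redirected to https. In the original the "return 301" sat at server
# level, and server-level rewrite-module directives run BEFORE location matching,
# so the challenge was redirected too (breaking certbot --webroot renewals). The
# .well-known location also had no root, and the "alias /var/deathbybandaid/" in
# location / pointed at a different directory than the root directive.
server {
    listen 80;
    server_name chat.spicebot.net;

    # certbot --webroot -w /var/www/deathbybandaid writes the challenge files here
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/deathbybandaid;
        default_type text/plain;
        allow all;
    }

    location / {
        # $server_name rather than $host, so the Location header never reflects
        # a client-supplied Host value.
        return 301 https://$server_name$request_uri;
    }
}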
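## 443
server {
    listen 443 ssl;
    server_name chat.spicebot.net;

    ## ssl
    # NOTE: this certificate path is the one issued for deathbybandaid.net. Unless
    # its SANs include chat.spicebot.net, browsers will reject it for this host;
    # issue a certificate for this name (certbot puts it under
    # /etc/letsencrypt/live/chat.spicebot.net/) and point both lines at it.
    ssl_certificate /etc/letsencrypt/live/deathbybandaid.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/deathbybandaid.net/privkey.pem;
    # ssl_protocols / ssl_ciphers are inherited from settings.conf

    ## location
    # root only backs the ACME path and the error pages; the app itself is
    # proxied, so the original "index" line was dead and has been dropped.
    root /var/www/deathbybandaid;

    # ACME HTTP-01 arrives on :80; kept reachable here too for manual checks.
    location ^~ /.well-known/acme-challenge/ {
        default_type text/plain;
        allow all;
    }

    location / {
        # 8065 is presumably a Mattermost instance (its default port) -- confirm.
        proxy_pass http://192.168.2.219:8065;
        # WebSocket pass-through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # Hard-coding "upgrade" works for this backend; the canonical form is a
        # "map $http_upgrade $connection_upgrade" in the http context.
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # Fixed: the original sent "X-Forward-For" (typo) and a hard-coded
        # "X-Forward-Proto http", so the backend never saw the client IP and
        # believed the connection was plaintext (http:// links, non-Secure cookies).
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }

    ## error
    # error_page definitions; backend errors are only intercepted where
    # proxysettings.conf (proxy_intercept_errors on) is included, which this
    # server block does not do.
    include /etc/nginx/conf/errorpages.conf;

    ## htpc configs
    # Including these here publishes the Deluge/Jackett/... admin UIs on the
    # public host with no authentication in front of them. Leave commented
    # unless each location is protected (auth_basic, allow/deny, or app auth).
    # include /etc/nginx/conf/htpc/*.conf;
    ### End of Subdomain
}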
HTPC stuff
Each of these is a file in the htpc folder
Deluge
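## deluge
# Deluge's web UI lives at "/" on its host; X-Deluge-Base tells it the public
# prefix so generated links work. The trailing slash on proxy_pass strips the
# prefix, and the location gets a trailing slash as well: with the original
# "location /deluge" + "proxy_pass .../", "/deluge/foo" became "//foo" on the
# backend and "/delugefoo" matched too.
# Because this location sets a proxy_set_header of its own, the server-level
# Host/X-Real-IP/X-Forwarded-For headers from proxysettings.conf are NOT
# inherited (nginx does not merge them) -- the file is included here explicitly.
location = /deluge { return 301 /deluge/; }
location /deluge/ {
    proxy_pass http://192.168.2.181:8112/;
    include /etc/nginx/conf/proxysettings.conf;
    proxy_set_header X-Deluge-Base "/deluge/";
}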
Jackett
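## Jackett
# The full "/jackett/..." URI is passed through (no trailing slash on proxy_pass),
# so Jackett must be configured to serve under the /jackett base path itself.
# The "X-Deluge-Base" header that was copy-pasted here from the Deluge block is
# Deluge-specific and meaningless to Jackett, so it is removed; with no
# proxy_set_header of its own this location now inherits the server-level
# headers from proxysettings.conf. Jackett exposes an API key in its UI --
# do not publish this location without authentication in front of it.
location /jackett {
    proxy_pass http://192.168.2.173:9117;
}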
Sonarr / Radarr / Lidarr (only the Lidarr block is shown; Sonarr and Radarr use the same shape with their own host:port, and each app has to be told its URL base in its own settings)
## Lidarr
# Passed through with the /lidarr prefix intact (no trailing slash on
# proxy_pass), so Lidarr is presumably configured with a URL base of /lidarr.
# No proxy_set_header here, so the server-level proxysettings.conf headers apply.
location /lidarr { proxy_pass http://192.168.2.192:8686; }
nzbhydra
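## nzbhydra
# Prefix passed through unchanged, so NZBHydra presumably needs /nzbhydra set as
# its URL base. The snippet on the original page was missing the closing brace,
# which makes nginx -t reject the whole include.
location /nzbhydra {
    proxy_pass http://192.168.2.170:5075;
}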
Ombi
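## Ombi
# Old (pre-v3) layout, kept for reference:
#location /ombi {
#proxy_pass http://192.168.2.161:5000;
#include /etc/nginx/conf/proxy.conf;
#}

#OMBIV3 CONTAINER
# Normalise /ombi to /ombi/ so relative links resolve under the prefix. $host is
# the client-supplied Host header and is reflected into Location; "return 301
# /ombi/;" would be the equivalent without the explicit scheme/host.
location /ombi {
    return 301 $scheme://$host/ombi/;
}
# This file assumes it is included in the 443 server: X-Forwarded-Ssl and the
# https:// in proxy_redirect are hard-coded, so under the plain :85 server the
# backend would be told the connection was TLS when it was not.
location /ombi/ {
    proxy_pass http://192.168.2.161:5000;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 90;
    # Rewrites Location headers the backend emits with its own address back to
    # the public host. Fixed: the original matched 192.168.1.161, a different
    # subnet from the proxy_pass target above, so it never rewrote anything.
    proxy_redirect http://192.168.2.161:5000 https://$host;
}
# The below is required after version 3.0.2517. This basically rewrites the requests to /dist/1.js to
# /ombi/dist/1.js where the number 1 could be any number.
# Referer is client-controlled, so this is a convenience rewrite only, never an
# access-control decision. The target reuses the request's own path ($1), not
# the Referer, so it cannot be steered to another host.
if ($http_referer ~* /ombi/) {rewrite ^/dist/(.*) $scheme://$host/ombi/dist/$1 permanent;}
# If you use a custom URL base remember to change it on the rewrite.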
nzbhydra (this block is a repeat of the one above; keep only one nzbhydra file in the htpc folder)
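## nzbhydra
# Duplicate of the earlier nzbhydra block on this page; a second file with the
# same "location /nzbhydra" in the same server makes nginx -t fail with a
# duplicate location error. The closing brace was also missing here.
location /nzbhydra {
    proxy_pass http://192.168.2.170:5075;
}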
Custom error pages
# Per-vhost logs plus error_page mappings; included inside server blocks.
nano errorpages.conf
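# Error & Access logs
# Per-vhost logs. The original wrote them to /var/www/deathbybandaid/logs/, i.e.
# INSIDE the document root that localsite.conf serves static files from, so
# /logs/access.log (client IPs, paths, anything in query strings) could be
# fetched by anyone who guessed the path. Logs belong under /var/log/nginx.
error_log /var/log/nginx/deathbybandaid.error.log error;
access_log /var/log/nginx/deathbybandaid.access.log;

## Error Pages
# These replace nginx-generated errors; backend errors are replaced too only
# where proxysettings.conf (proxy_intercept_errors on) is in effect.
error_page 400 /400.html;
error_page 401 /401.html;
error_page 403 /403.html;
error_page 404 /404.html;
error_page 408 /408.html;
error_page 410 /410.html;
error_page 500 /500.html;
error_page 502 /502.html;
error_page 503 /503.html;
error_page 504 /504.html;

# One location for all custom pages instead of ten identical "location =" blocks.
# "internal" makes them reachable only through error_page, so a direct request
# for /404.html gets a real 404 rather than a 200 carrying the custom body.
location ~ ^/(400|401|403|404|408|410|500|502|503|504)\.html$ {
    root /var/www/deathbybandaid/errorpages/nginx;
    internal;
}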