init

Signed-off-by: Zoey <zoey@z0ey.de>

backend/templates/_assets.conf

@@ -1,4 +0,0 @@
-{% if caching_enabled == 1 or caching_enabled == true -%}
-  # Asset Caching
-  include conf.d/include/assets.conf;
-{% endif %}

backend/templates/_certificates.conf

@@ -1,14 +1,19 @@
 {% if certificate and certificate_id > 0 -%}
 {% if certificate.provider == "letsencrypt" %}
   # Let's Encrypt SSL
-  include conf.d/include/letsencrypt-acme-challenge.conf;
   include conf.d/include/ssl-ciphers.conf;
-  ssl_certificate /etc/letsencrypt/live/npm-{{ certificate_id }}/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/npm-{{ certificate_id }}/privkey.pem;
+  ssl_certificate /data/letsencrypt/live/npm-{{ certificate_id }}/fullchain.pem;
+  ssl_certificate_key /data/letsencrypt/live/npm-{{ certificate_id }}/privkey.pem;
+  ssl_trusted_certificate /data/letsencrypt/live/npm-{{ certificate_id }}/chain.pem;
+  ssl_stapling on;
+  ssl_stapling_verify on;
 {% else %}
   # Custom SSL
+  include conf.d/include/ssl-ciphers.conf;
   ssl_certificate /data/custom_ssl/npm-{{ certificate_id }}/fullchain.pem;
   ssl_certificate_key /data/custom_ssl/npm-{{ certificate_id }}/privkey.pem;
+  ssl_trusted_certificate /data/custom_ssl/npm-{{ certificate_id }}/chain.pem;
+  ssl_stapling on;
+  ssl_stapling_verify on;
 {% endif %}
 {% endif %}
-

backend/templates/_hsts.conf

@@ -1,8 +1,7 @@
 {% if certificate and certificate_id > 0 -%}
 {% if ssl_forced == 1 or ssl_forced == true %}
 {% if hsts_enabled == 1 or hsts_enabled == true %}
-  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
-  add_header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
+  security_headers on;
 {% endif %}
 {% endif %}
 {% endif %}

backend/templates/_listen.conf

@@ -1,15 +1,14 @@
   listen 80;
-{% if ipv6 -%}
   listen [::]:80;
-{% else -%}
-  #listen [::]:80;
-{% endif %}
+
 {% if certificate -%}
   listen 443 ssl{% if http2_support %} http2{% endif %};
-{% if ipv6 -%}
   listen [::]:443 ssl{% if http2_support %} http2{% endif %};
-{% else -%}
-  #listen [::]:443;
+{% if http2_support -%}
+  listen 443 http3;
+  listen [::]:443 http3;
+
+  add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
 {% endif %}
 {% endif %}
   server_name {{ domain_names | join: " " }};

backend/templates/_location.conf

@@ -1,9 +1,11 @@
   location {{ path }} {
+    proxy_set_header Accept-Encoding "";
     proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header X-Forwarded-Scheme $scheme;
-    proxy_set_header X-Forwarded-Proto  $scheme;
-    proxy_set_header X-Forwarded-For    $remote_addr;
-    proxy_set_header X-Real-IP		$remote_addr;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_http_version 1.1;
     proxy_pass       {{ forward_scheme }}://{{ forward_host }}:{{ forward_port }}{{ forward_path }};
 
     {% if access_list_id > 0 %}
@@ -27,19 +29,10 @@
  
     {% endif %}
 
-    {% include "_assets.conf" %}
-    {% include "_exploits.conf" %}
-
-    {% include "_forced_ssl.conf" %}
-    {% include "_hsts.conf" %}
-
     {% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection $http_connection;
-    proxy_http_version 1.1;
+    proxy_set_header Upgrade    $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
     {% endif %}
 
-
     {{ advanced_config }}
   }
-

backend/templates/dead_host.conf

@@ -7,14 +7,11 @@ server {
 {% include "_hsts.conf" %}
 {% include "_forced_ssl.conf" %}
 
-  access_log /data/logs/dead-host-{{ id }}_access.log standard;
-  error_log /data/logs/dead-host-{{ id }}_error.log warn;
-
 {{ advanced_config }}
-
+  include conf.d/include/letsencrypt-acme-challenge.conf;
 {% if use_default_location %}
   location / {
-{% include "_hsts.conf" %}
+    include conf.d/include/letsencrypt-acme-challenge.conf;
     return 404;
   }
 {% endif %}

backend/templates/default.conf

@@ -5,36 +5,73 @@
 # Skipping output, congratulations page configration is baked in.
 {%- else %}
 server {
-  listen 80 default;
-{% if ipv6 -%}
-  listen [::]:80 default;
-{% else -%}
-  #listen [::]:80 default;
-{% endif %}
-  server_name default-host.localhost;
-  access_log /data/logs/default-host_access.log combined;
-  error_log /data/logs/default-host_error.log warn;
-{% include "_exploits.conf" %}
-
+  listen 80 default_server;
+  listen [::]:80 default_server;
+  
+  listen 443 ssl http2 default_server;
+  listen [::]:443 ssl http2 default_server;
+  
+  listen 443 http3 default_server;
+  listen [::]:443 http3 default_server;
+  
+  server_name default-host;
+  
+  include conf.d/include/force-ssl.conf;
+  include conf.d/include/ssl-ciphers.conf;
   include conf.d/include/letsencrypt-acme-challenge.conf;
+  include conf.d/include/block-exploits.conf;
+  add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
+  
+  ssl_certificate /data/nginx/dummycert.pem;
+  ssl_certificate_key /data/nginx/dummykey.pem;
 
 {%- if value == "404" %}
   location / {
+    include conf.d/include/letsencrypt-acme-challenge.conf;
     return 404;
   }
 {% endif %}
 
 {%- if value == "redirect" %}
   location / {
-    return 301 {{ meta.redirect }};
+    include conf.d/include/letsencrypt-acme-challenge.conf;
+    return 307 {{ meta.redirect }};
   }
 {%- endif %}
 
 {%- if value == "html" %}
   root /data/nginx/default_www;
   location / {
+    include conf.d/include/letsencrypt-acme-challenge.conf;
     try_files $uri /index.html;
   }
 {%- endif %}
 }
 {% endif %}
+
+# ------------------------------------------------------------
+# prevent processing requests with undefined server names
+# ------------------------------------------------------------
+
+server {
+  listen 80;
+  listen [::]:80;
+  
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  
+  listen 443 http3;
+  listen [::]:443 http3;
+  
+  server_name "";
+  return 444;
+  
+  include conf.d/include/force-ssl.conf;
+  include conf.d/include/ssl-ciphers.conf;
+  include conf.d/include/letsencrypt-acme-challenge.conf;
+  include conf.d/include/block-exploits.conf;
+  add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
+  
+  ssl_certificate /data/nginx/dummycert.pem;
+  ssl_certificate_key /data/nginx/dummykey.pem;
+}

backend/templates/letsencrypt-request.conf

@@ -2,18 +2,14 @@
 
 server {
   listen 80;
-{% if ipv6 -%}
   listen [::]:80;
-{% endif %}
 
   server_name {{ domain_names | join: " " }};
 
-  access_log /data/logs/letsencrypt-requests_access.log standard;
-  error_log /data/logs/letsencrypt-requests_error.log warn;
-
   include conf.d/include/letsencrypt-acme-challenge.conf;
 
   location / {
+    include conf.d/include/letsencrypt-acme-challenge.conf;
     return 404;
   }
 }

backend/templates/proxy_host.conf

@@ -8,28 +8,23 @@ server {
 
 {% include "_listen.conf" %}
 {% include "_certificates.conf" %}
-{% include "_assets.conf" %}
 {% include "_exploits.conf" %}
 {% include "_hsts.conf" %}
 {% include "_forced_ssl.conf" %}
 
 {% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}
-proxy_set_header Upgrade $http_upgrade;
-proxy_set_header Connection $http_connection;
-proxy_http_version 1.1;
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection $http_connection;
 {% endif %}
 
-  access_log /data/logs/proxy-host-{{ id }}_access.log proxy;
-  error_log /data/logs/proxy-host-{{ id }}_error.log warn;
-
 {{ advanced_config }}
 
 {{ locations }}
-
+  include conf.d/include/letsencrypt-acme-challenge.conf;
 {% if use_default_location %}
 
   location / {
-
+    include conf.d/include/letsencrypt-acme-challenge.conf;
     {% if access_list_id > 0 %}
     {% if access_list.items.length > 0 %}
     # Authorization
@@ -51,12 +46,9 @@ proxy_http_version 1.1;
 
     {% endif %}
 
-{% include "_hsts.conf" %}
-
     {% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection $http_connection;
-    proxy_http_version 1.1;
+    proxy_set_header Upgrade            $http_upgrade;
+    proxy_set_header Connection         $connection_upgrade;
     {% endif %}
 
     # Proxy!
@@ -65,6 +57,6 @@ proxy_http_version 1.1;
 {% endif %}
 
   # Custom
-  include /data/nginx/custom/server_proxy[.]conf;
+  include /data/nginx/custom/server_proxy.conf;
 }
 {% endif %}

backend/templates/redirection_host.conf

@@ -4,20 +4,15 @@
 server {
 {% include "_listen.conf" %}
 {% include "_certificates.conf" %}
-{% include "_assets.conf" %}
 {% include "_exploits.conf" %}
 {% include "_hsts.conf" %}
 {% include "_forced_ssl.conf" %}
 
-  access_log /data/logs/redirection-host-{{ id }}_access.log standard;
-  error_log /data/logs/redirection-host-{{ id }}_error.log warn;
-
 {{ advanced_config }}
-
+  include conf.d/include/letsencrypt-acme-challenge.conf;
 {% if use_default_location %}
   location / {
-{% include "_hsts.conf" %}
-
+    include conf.d/include/letsencrypt-acme-challenge.conf;
     {% if preserve_path == 1 or preserve_path == true %}
         return {{ forward_http_code }} {{ forward_scheme }}://{{ forward_domain_name }}$request_uri;
     {% else %}
@@ -27,6 +22,6 @@ server {
 {% endif %}
 
   # Custom
-  include /data/nginx/custom/server_redirect[.]conf;
+  include /data/nginx/custom/server_redirect.conf;
 }
 {% endif %}

backend/templates/stream.conf

@@ -6,32 +6,24 @@
 {% if tcp_forwarding == 1 or tcp_forwarding == true -%}
 server {
   listen {{ incoming_port }};
-{% if ipv6 -%}
   listen [::]:{{ incoming_port }};
-{% else -%}
-  #listen [::]:{{ incoming_port }};
-{% endif %}
 
   proxy_pass {{ forwarding_host }}:{{ forwarding_port }};
 
   # Custom
-  include /data/nginx/custom/server_stream[.]conf;
-  include /data/nginx/custom/server_stream_tcp[.]conf;
+  include /data/nginx/custom/server_stream.conf;
+  include /data/nginx/custom/server_stream_tcp.conf;
 }
 {% endif %}
 {% if udp_forwarding == 1 or udp_forwarding == true %}
 server {
   listen {{ incoming_port }} udp;
-{% if ipv6 -%}
   listen [::]:{{ incoming_port }} udp;
-{% else -%}
-  #listen [::]:{{ incoming_port }} udp;
-{% endif %}
   proxy_pass {{ forwarding_host }}:{{ forwarding_port }};
 
   # Custom
-  include /data/nginx/custom/server_stream[.]conf;
-  include /data/nginx/custom/server_stream_udp[.]conf;
+  include /data/nginx/custom/server_stream.conf;
+  include /data/nginx/custom/server_stream_udp.conf;
 }
 {% endif %}
-{% endif %}
+{% endif %}