Updated default TLS and ecdh curve; (#69)

Added TLS 1.3 to the defaults and added prime256 to ecdh curve selection

Reviewed-on: #69
Reviewed-by: meaz <meaz@no-reply@disroot.org>
Co-authored-by: muppeth <muppeth@disroot.org>
Co-committed-by: muppeth <muppeth@disroot.org>

defaults/main.yml

@@ -62,9 +62,9 @@ nginx_selfsigned_deps:
 nginx_gen_dh: 'false'
 nginx_dh_path: '{{ nginx_ssl_dir }}/dhparam.pem'
 nginx_dh_length: 4096
-nginx_ssl_protocols: 'TLSv1.2'
+nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
 nginx_ssl_ciphers: 'EECDH+AESGCM:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'
-nginx_ssl_ecdh_curve: 'secp384r1'
+nginx_ssl_ecdh_curve: 'prime256v1:secp384r1'
 
 letsencrypt_webroot_path: ''
 install_letsencrypt: 'false'

tasks/main.yml

@@ -7,10 +7,10 @@
   include_tasks: config.yml
 
 - name: "[NGINX] - Set SSL configuration"
-  include: ssl.yml
+  include_tasks: ssl.yml
 
 - name: '[NGINX] - Deploy TOR for onion hidden services'
-  include: tor.yml
+  include_tasks: tor.yml
   when: enable_tor == 'true'
 
 - name: '[NGINX] - Create onion addresses'

tasks/onion_vhost.yml

@@ -1,12 +1,12 @@
 ---
 
-- name: '[ONION] - register onion address'
+- name: '[ONION] - register onion address for {{ item.name }}'
   slurp:
     src: "/var/lib/tor/{{ item.name }}/hostname"
   register: "onion_address"
   when: item.state is defined and item.onion is defined and item.onion == 'true'
 
-- name: "[ONION] - Create vhosts"
+- name: "[ONION] - Create vhosts for {{ item.name }}"
   template:
     src: etc/nginx/sites-available/{{ item.template }}.j2
     dest: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}.onion"
@@ -14,7 +14,7 @@
       - reload nginx
   when: item.state is defined and item.onion is defined and item.onion == 'true'
 
-- name: "[ONION] - Delete vhosts"
+- name: "[ONION] - Delete vhosts for {{ item.name }}"
   file:
     path: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}.onion"
     state: absent
@@ -23,7 +23,7 @@
   when: item.state is defined and item.state == 'delete' and item.onion is defined and item.onion == 'true'
 
 
-- name: "[ONION] - Enable vhosts"
+- name: "[ONION] - Enable vhosts for {{ item.name }}"
   file:
     src: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}.onion"
     dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item.name }}.onion"
@@ -33,7 +33,7 @@
   when: item.state is defined and item.state == 'enable' and item.onion is defined and item.onion == 'true'
 
 
-- name: "[ONION] - Disable vhosts"
+- name: "[ONION] - Disable vhosts for {{ item.name }}"
   file:
     path: "{{ nginx_etc_dir}}/sites-enabled/{{ item.name }}.onion"
     state: absent

tasks/ssl.yml

@@ -22,7 +22,7 @@
   notify:
     - reload nginx
 
-- name: "[NGINX] - Create SSL keys subfolder"
+- name: "[NGINX] - Create SSL keys subfolder for {{ item.name }}"
   file:
     path: "{{ nginx_ssl_dir }}/{{ item.ssl_name }}"
     state: directory
@@ -31,7 +31,7 @@
   when: item.copy_ssl is defined
   notify: reload nginx
 
-- name: "[NGINX] - Deploy SSL keys"
+- name: "[NGINX] - Deploy SSL keys for {{ item.name }}"
   copy:
     src: "{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem"
     dest: "{{ nginx_ssl_dir}}/{{ item.ssl_name }}/privkey.pem"
@@ -40,7 +40,7 @@
   when: item.copy_ssl is defined
   notify: reload nginx
 
-- name: "[NGINX] - Deploy SSL certs"
+- name: "[NGINX] - Deploy SSL certs for {{ item.name }}"
   copy:
     src: "{{ ssl_src_path }}/{{ item.ssl_name }}/fullchain.pem"
     dest: "{{ nginx_ssl_dir}}/{{ item.ssl_name }}/fullchain.pem"
@@ -70,7 +70,7 @@
   with_items: "{{ nginx_vhosts }}"
   when: item.selfsigned is defined and item.selfsigned == 'true' and ansible_python.executable == '/usr/bin/python3'
 
-- name: "[SELFSIGNED] - Create Key folder"
+- name: "[SELFSIGNED] - Create Key folder for {{ item.name }}"
   file:
     path: "{{ nginx_ssl_dir }}/{{ item.ssl_name }}"
     state: directory
@@ -79,7 +79,7 @@
   when: item.selfsigned is defined and item.selfsigned == 'true'
   notify: reload nginx
 
-- name: '[SELFSIGNED] - Create a self-signed key'
+- name: '[SELFSIGNED] - Create a self-signed key for {{ item.name }}'
   openssl_privatekey:
     path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'
     size: 2048
@@ -88,7 +88,7 @@
   when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
   notify: reload nginx
 
-- name: '[SELFSIGNED] - Generate OpenSSL Certificate Signing Request (CSR)'
+- name: '[SELFSIGNED] - Generate OpenSSL Certificate Signing Request (CSR) for {{ item.name }}'
   openssl_csr:
     path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.crs'
     privatekey_path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'
@@ -96,7 +96,7 @@
   when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
   notify: reload nginx
 
-- name: '[SELFSIGNED] - Create a self-signed certificate'
+- name: '[SELFSIGNED] - Create a self-signed certificate for {{ item.name }}'
   openssl_certificate:
     path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/fullchain.pem'
     privatekey_path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'

tasks/vhost.yml

@@ -1,46 +1,92 @@
 ---
-- name: '[ONION] - register onion address'
+- name: '[ONION] - register onion address for {{ item.name }}'
   slurp:
     src: "/var/lib/tor/{{ item.name }}/hostname"
   register: "onion_address"
-  when:  item.onion is defined and item.onion == 'true'
+  when:  
+    - item.onion is defined 
+    - item.onion == 'true'
 
 - name: "[NGINX] - Set fact"
   set_fact:
     enable_tor: 'false'
     
-- name: "[NGINX] - Create vhosts"
+- name: "[NGINX] - Check if the certificate for the vhost exists for {{ item.name }}"
+  stat:
+    path: '{{ nginx_ssl_dir }}/{{ item.ssl_name }}/privkey.pem'
+  register: cert_exists
+  when:
+    - item.ssl_name is defined
+
+- name: "[NGINX] - Create HTTPS vhosts for {{ item.name }}"
   template:
     src: etc/nginx/sites-available/{{ item.template }}.j2
     dest: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
   notify:
       - reload nginx
-  when: item.state is defined and item.state != 'delete'
+  when: 
+    - item.ssl_name is defined
+    - cert_exists is defined
+    - cert_exists.stat.exists 
+    - item.state is defined 
+    - item.state != 'delete'
 
-- name: "[NGINX] - Delete vhosts"
+- name: "[NGINX] - Create HTTP vhosts for {{ item.name }}"
+  template:
+    src: etc/nginx/sites-available/{{ item.template }}.j2
+    dest: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
+  notify:
+      - reload nginx
+  when: 
+    - item.ssl_name is not defined
+    - item.state is defined 
+    - item.state != 'delete'
+
+- name: "[NGINX] - Delete vhosts for {{ item.name }}"
   file:
     path: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
     state: absent
   notify:
       - reload nginx
-  when: item.state is defined and item.state == 'delete'
+  when: 
+    - item.state is defined
+    - item.state == 'delete'
 
-- name: "[NGINX] - Enable vhosts"
+- name: "[NGINX] - Enable HTTPS vhosts for {{ item.name }}"
   file:
     src: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
     dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item.name }}"
     state: link
   notify:
       - reload nginx
-  when: item.state is defined and item.state == 'enable'
+  when:
+    - item.ssl_name is defined
+    - cert_exists is defined
+    - cert_exists.stat.exists
+    - item.state is defined
+    - item.state == 'enable'
 
-- name: "[NGINX] - Disable vhosts"
+- name: "[NGINX] - Enable HTTP vhosts for {{ item.name }}"
+  file:
+    src: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
+    dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item.name }}"
+    state: link
+  notify:
+      - reload nginx
+  when:
+    - item.ssl_name is not defined 
+    - item.state is defined
+    - item.state == 'enable'
+
+- name: "[NGINX] - Disable vhosts for {{ item.name }}"
   file:
     path: "{{ nginx_etc_dir}}/sites-enabled/{{ item.name }}"
     state: absent
   notify:
       - reload nginx
-  when: item.state is defined and (item.state == 'disable' or item.state == 'delete')
+  when: 
+    - item.state is defined
+    - item.state == 'disable' or item.state == 'delete'
 
 - name: "[NGINX] - Delete default vhost when explicitely defined"
   file:
@@ -50,10 +96,30 @@
     - reload nginx
   when: nginx_default_vhost is not none
 
-- name: "[NGINX] - Create maintenance vhosts"
+- name: "[NGINX] - Create HTTPS maintenance vhosts for {{ item.name }}"
   template:
     src: etc/nginx/sites-available/maintenance.j2
     dest: "{{ nginx_etc_dir }}/sites-available/maintenance-{{ item.name }}"
   notify:
       - reload nginx
-  when: (item.state is defined) and (item.state != 'delete') and (item.maintenance is defined) and (item.maintenance == 'true') 
+  when: 
+    - item.ssl_name is defined
+    - cert_exists is defined
+    - cert_exists.stat.exists
+    - item.state is defined
+    - item.state != 'delete'
+    - item.maintenance is defined
+    - item.maintenance == 'true' 
+
+- name: "[NGINX] - Create HTTP maintenance vhosts for {{ item.name }}"
+  template:
+    src: etc/nginx/sites-available/maintenance.j2
+    dest: "{{ nginx_etc_dir }}/sites-available/maintenance-{{ item.name }}"
+  notify:
+      - reload nginx
+  when: 
+    - item.ssl_name is not defined
+    - item.state is defined
+    - item.state != 'delete'
+    - item.maintenance is defined
+    - item.maintenance == 'true' 

templates/etc/nginx/sites-available/basephp.j2

@@ -10,14 +10,6 @@
     try_files {{ item.override_try_files | default('$uri $uri/ =404') }};
   }
 {% endblock %}
-{% block app_root_location %}
-{% endblock %}
-
-{% block extra_locations %}
-{% endblock %}
-
-{% block custom_locations %}
-{% endblock %}
 
 {% block local_content %}
 {% if item.manage_local_content is not defined %}

templates/etc/nginx/sites-available/core.j2

@@ -94,6 +94,9 @@ server {
 {% else %}
   add_header X-Robots-Tag "{{ item.header_robots | default('none') }}";
 {% endif %}
+{% if item.header_frame_ancestors is defined and item.header_frame_ancestors == 'true' %}
+  add_header Content-Security-Policy "frame-ancestors 'self';";
+{% endif %}
 {% endif %}
 {% endblock %}
 

templates/etc/nginx/sites-available/cryptpad.j2

@@ -1,6 +1,14 @@
+# SPDX-FileCopyrightText: 2023 XWiki CryptPad Team <contact@cryptpad.org> and contributors
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
 {% extends "core.j2" %}
 
 {% block app_specific %}
+
+    # Include mime.types to be able to support .mjs files (see "types" below)
+    include mime.types;
+
     # CryptPad serves static assets over these two domains.
     # `main_domain` is what users will enter in their address bar.
     # Privileged computation such as key management is handled in this scope
@@ -13,15 +21,12 @@
     set $main_domain "{{ item.ssl_name }}";
     set $sandbox_domain "sandbox.{{ item.ssl_name }}";
 
-  # By default CryptPad allows remote domains to embed CryptPad documents in iframes.
-  # This behaviour can be blocked by changing $allowed_origins from "*" to the
-  # sandbox domain, which must be permitted to load content from the main domain
-  # in order for CryptPad to work as expected.
-  #
-  # An example is given below which can be uncommented if you want to block
-  # remote sites from including content from your server
-  set $allowed_origins "*";
-  # set $allowed_origins "https://${sandbox_domain}";
+    # By default CryptPad forbids remote domains from embedding CryptPad documents in iframes.
+    # The sandbox domain must always be permitted in order for the platform to function.
+    # If you wish to enable remote embedding you may change the value below to "*"
+    # as per the commented value.
+    set $allowed_origins "https://${sandbox_domain}";
+    #set $allowed_origins "*";
 
     # CryptPad's dynamic content (websocket traffic and encrypted blobs)
     # can be served over separate domains. Using dedicated domains (or subdomains)
@@ -29,14 +34,13 @@
     # if you find that a single machine cannot handle all of your users.
     # If you don't use dedicated domains, this can be the same as $main_domain
     # If you do, they can be added as exceptions to any rules which block connections to remote domains.
-  # You can find these variables referenced below in the relevant places.
+    # You can find these variables referenced below in the relevant places
     set $api_domain "{{ item.ssl_name }}";
     set $files_domain "{{ item.ssl_name }}";
 
     add_header Access-Control-Allow-Origin "${allowed_origins}";
-
-  #set $coop '';
- #if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
+    add_header Access-Control-Allow-Credentials true;
+    # add_header X-Frame-Options "SAMEORIGIN";
 
     # Opt out of Google's FLoC Network
     add_header Permissions-Policy interest-cohort=();
@@ -45,6 +49,10 @@
     add_header Cross-Origin-Resource-Policy cross-origin;
     add_header Cross-Origin-Embedder-Policy require-corp;
 
+    # any static assets loaded with "ver=" in their URL will be cached for a year
+    if ($args ~ ver=) {
+        set $cacheControl max-age=31536000;
+    }
     # This rule overrides the above caching directive and makes things somewhat less efficient.
     # We had inverted them as an optimization, but Safari 16 introduced a bug that interpreted
     # some important headers incorrectly when loading these files from cache.
@@ -52,9 +60,6 @@
     if ($uri ~ ^(\/|.*\/|.*\.html)$) {
         set $cacheControl no-cache;
     }
-  if ($args ~ ver=) {
-    set $cacheControl max-age=31536000;
-  }
 
     # Will not set any header if it is emptystring
     add_header Cache-Control $cacheControl;
@@ -119,6 +124,12 @@
 
     # Finally, set all the rules you composed above.
     add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
+
+    # Add support for .mjs files used by pdfjs
+    types {
+        application/javascript mjs;
+    }
+
 {% endblock %}
 
 {% block root %}
@@ -127,15 +138,18 @@
     index index.html;
     error_page 404 /customize.dist/404.html;
 
-    # Finally, serve anything the above exceptions don't govern.
-    try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri;
 {% endblock %}
 {% block location%}
     # The nodejs process can handle all traffic whether accessed over websocket or as static assets
     # We prefer to serve static content from nginx directly and to leave the API server to handle
     # the dynamic content that only it can manage. This is primarily an optimization
     location ^~ /cryptpad_websocket {
-    proxy_pass http://{{ item.proxy_pass }}:3000;
+        # XXX
+        # static assets like blobs and blocks are served by clustered workers in the API server
+        # Websocket traffic still needs to be handled by the main process, which means it needs
+        # to be hosted on a different port. By default 3003 will be used, though this is configurable
+        # via config.websocketPort
+        proxy_pass http://{{ item.proxy_pass }}:3003;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -149,7 +163,6 @@
     location ^~ /customize.dist/ {
         # This is needed in order to prevent infinite recursion between /customize/ and the root
     }
-
     # try to load customizeable content via /customize/ and fall back to the default content
     # located at /customize.dist/
     # This is what allows you to override behaviour.
@@ -175,10 +188,15 @@
         add_header Cross-Origin-Embedder-Policy require-corp;
     }
 
-  # encrypted blobs are immutable and are thus cached for a year
-  location ^~ /blob/ {
+    # Requests for blobs and blocks are now proxied to the API server
+    # This simplifies NGINX path configuration in the event they are being hosted in a non-standard location
+    # or with odd unexpected permissions. Serving blobs in this manner also means that it will be possible to
+    # enforce access control for them, though this is not yet implemented.
+    # Access control (via TOTP 2FA) has been added to blocks, so they can be handled with the same directives.
+    location ~ ^/(blob|block)/.*$ {
         if ($request_method = 'OPTIONS') {
             add_header 'Access-Control-Allow-Origin' "${allowed_origins}";
+            add_header 'Access-Control-Allow-Credentials' true;
             add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
             add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
             add_header 'Access-Control-Max-Age' 1728000;
@@ -186,38 +204,24 @@
             add_header 'Content-Length' 0;
             return 204;
         }
-    add_header X-Content-Type-Options nosniff;
-    add_header Cache-Control max-age=31536000;
-    add_header 'Access-Control-Allow-Origin' "${allowed_origins}";
-    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length';
-    add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length';
-    try_files $uri =404;
+        # Since we are proxying to the API server these headers can get duplicated
+        # so we hide them
+        proxy_hide_header 'X-Content-Type-Options';
+        proxy_hide_header 'Access-Control-Allow-Origin';
+        proxy_hide_header 'Permissions-Policy';
+        proxy_hide_header 'X-XSS-Protection';
+        proxy_hide_header 'Cross-Origin-Resource-Policy';
+        proxy_hide_header 'Cross-Origin-Embedder-Policy';
+        proxy_pass http://{{ item.proxy_pass }}:3000;
     }
 
-  # the "block-store" serves encrypted payloads containing users' drive keys
-  # these payloads are unlocked via login credentials. They are mutable
-  # and are thus never cached. They're small enough that it doesn't matter, in any case.
-  location ^~ /block/ {
-    add_header X-Content-Type-Options nosniff;
-    add_header Cache-Control max-age=0;
-    try_files $uri =404;
-  }
-
-{% if item.debug is defined and item.debug == 'true' %}
-  # This block provides an alternative means of loading content
-  # otherwise only served via websocket. This is solely for debugging purposes,
-  # and is thus not allowed by default.
-  location ^~ /datastore/ {
-    add_header Cache-Control max-age=0;
-    try_files $uri =404;
-  }
-{% endif %}
-
     # The nodejs server has some built-in forwarding rules to prevent
     # URLs like /pad from resulting in a 404. This simply adds a trailing slash
     # to a variety of applications.
-  location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ {
+    location ~ ^/(register|login|recovery|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup|diagram)$ {
         rewrite ^(.*)$ $1/ redirect;
     }
+
+    # Finally, serve anything the above exceptions don't govern.
+    try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri;
 {% endblock %}

templates/etc/nginx/sites-available/etesync.j2

@@ -0,0 +1,35 @@
+# the upstream component nginx needs to connect to
+upstream etebase {
+    server unix:///tmp/etebase_server.sock; # for a file socket
+    # server {{ item.upstream_name }}:{{ item.upstream_port }}; # for a web port socket (we'll use this first)
+}
+
+# configuration of the server
+{% extends "core.j2" %}
+
+{% block location %}
+
+    charset     utf-8;
+    # max upload size
+    client_max_body_size 75M;   # adjust to taste
+
+    location /static/ {
+        alias {{ item.static_root }}/; # Project's static files
+    }
+
+    location / {
+        proxy_pass http://etebase;
+
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        proxy_redirect off;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host $server_name;
+    }
+{% endblock %}
+
+}

templates/etc/nginx/sites-available/lemmy.j2

@@ -1,25 +1,42 @@
 limit_req_zone $binary_remote_addr zone={{ item.name }}_ratelimit:10m rate=1r/s;
 
 {% extends "core.j2" %}
+{% block extra_upstreams %}
+upstream lemmy {
+  server "{{ item.upstream_name }}:{{ item.lemmy_port }}";
+}
+upstream lemmy-ui {
+  server "{{ item.upstream_name }}:{{ item.lemmy_ui_port }}";
+}
+{% endblock %}
+{% block headers %}
+
+# Various content security headers
+  add_header Referrer-Policy "same-origin";
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-Frame-Options "DENY";
+  add_header X-XSS-Protection "1; mode=block";
+
+{% endblock %}
 
 {% block location %}
+
 # frontend
 location / {
   # The default ports:
   # lemmy_ui_port: 1235
   # lemmy_port: 8536
 
-  set $proxpass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_ui_port }};
-  if ($http_accept = "application/activity+json") {
-    set $proxpass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_port }};
+  set $proxpass "{{ item.upstream_proto }}://lemmy-ui";
+
+  if ($http_accept ~ "application/activity+json") {
+    set $proxpass "{{ item.upstream_proto }}://lemmy";
   }
-  if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
-     set $proxpass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_port }};
-  }
-  if ($request_method = POST) {
-    set $proxpass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_port }};
+  if ($request_method = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
+    set $proxpass "{{ item.upstream_proto }}://lemmy";
   }
   proxy_pass $proxpass;
+
   rewrite ^(.+)/+$ $1 permanent;
 
   # Send actual client IP upstream
@@ -29,57 +46,20 @@ location / {
   }
 
 # backend
-location ~ ^/(api|feeds|nodeinfo|.well-known) {
-  proxy_pass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_port }};
+location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
+  proxy_pass {{ item.upstream_proto }}://lemmy;
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "upgrade";
 
   # Rate limit
-  limit_req zone={{ item.name }}_ratelimit burst=30 nodelay;
+  #limit_req zone={{ item.name }}_ratelimit burst=30 nodelay;
 
   # Add IP forwarding headers
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header Host $host;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   }
-{% if lemmy_pictrs_deploy == true %}
-  # pictrs only - for adding browser cache control.
-  location ~ ^/(pictrs) {
-      # allow browser cache, images never update, we can apply long term cache
-      expires 120d;
-      add_header Pragma "public";
-      add_header Cache-Control "public";
-
-      proxy_pass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_port }};
-      proxy_http_version 1.1;
-      proxy_set_header Upgrade $http_upgrade;
-      proxy_set_header Connection "upgrade";
-
-      # Rate limit
-      limit_req zone={{ item.name }}_ratelimit burst=30 nodelay;
-
-      # Add IP forwarding headers
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header Host $host;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    }
-
-  # Redirect pictshare images to pictrs
-  location ~ /pictshare/(.*)$ {
-    return 301 /pictrs/image/$1;
-  }
-{% endif %}
-
 {% endblock %}
 
-# Anonymize IP addresses
-# https://www.supertechcrew.com/anonymizing-logs-nginx-apache/
-map $remote_addr $remote_addr_anon {
-  ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
-  ~(?P<ip>[^:]+:[^:]+):       $ip::;
-  127.0.0.1                   $remote_addr;
-  ::1                         $remote_addr;
-  default                     {{ item.upstream_name }};
-}
 

templates/etc/nginx/sites-available/movim.j2

@@ -0,0 +1,81 @@
+
+{% if item.pic_cache is defined and item.pic_cache == 'true' %}
+fastcgi_cache_path /tmp/nginx_cache levels=1:2 keys_zone=nginx_cache:100m inactive=60m;
+fastcgi_cache_key "$scheme$request_method$host$request_uri";
+{% endif %}
+{% extends "core.j2" %}
+
+{% block root %}
+  root {{ nginx_www_dir }}{{ item.root }};
+  index index.php;
+{% endblock %}
+
+
+{% block location %}
+## LOCATIONS
+
+{% if item.proxy == 'true' %}
+  location / {
+    proxy_pass  {{ item.proto }}://{{ item.upstream_name }}:{{ item.listen }};
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_redirect off;
+  }
+
+{% else %}
+  location / {
+    set $no_cache 1;
+    try_files $uri $uri/ /index.php$is_args$args;
+  }
+{% endif %}
+
+  location ~ /\. {
+    deny all;
+  }
+
+  location = /favicon.ico {
+	  expires 30d;
+	  access_log off;
+	  log_not_found off;
+  }
+
+  location ~ ^/(config|temp|log)/ {
+    deny all;
+  }
+
+  location ~ \.php$ {
+    fastcgi_pass {{ item.fastcgi_pass }};
+    fastcgi_index index.php;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    include fastcgi_params;
+    add_header X-Cache $upstream_cache_status;
+    fastcgi_ignore_headers "Cache-Control" "Expires" "Set-Cookie";
+    fastcgi_cache nginx_cache;
+    fastcgi_cache_valid any 7d;
+    fastcgi_cache_bypass $no_cache;
+    fastcgi_no_cache $no_cache;
+  }
+
+{% if item.ws is defined and item.ws == 'true' %}
+  location /ws/ {
+    proxy_pass {{ item.upstream_schema }}://{{ item.upstream_name }}:{{ item.upstream_port }};
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_redirect off;
+    }
+{% endif %}
+{% if item.pic_cache is defined and item.pic_cache == 'true' %}
+  location /picture {
+    set $no_cache 0; 
+    try_files $uri $uri/ /index.php$is_args$args;
+  }
+{% endif %}
+
+{% endblock %}

templates/etc/nginx/sites-available/mumble-web.j2

@@ -15,7 +15,7 @@ map $http_upgrade $connection_upgrade {
   }
 
   location /server {
-    proxy_pass {{ item.proto }}://{{ item.server }}:{{ item.port }};
+    proxy_pass http://{{ item.server }}:{{ item.port }};
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";

templates/etc/nginx/sites-available/nextcloud.j2

@@ -2,131 +2,127 @@
 
 {% block extra_upstreams %}
 upstream php-handler {
-  server {{ item.fastcgi_pass }};
+  server {{ item.php_handler }};
+}
+
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+map $arg_v $asset_immutable {
+  "" "";
+  default ", immutable";
 }
 {% endblock %}
 
 {% block root %}
   root {{ nginx_www_dir }}{{ item.root }};
-  index {{ item.index | default('index.html index.htm') }};
 
-  error_page 403 /core/templates/403.php;
-  error_page 404 /core/templates/404.php;
 {% endblock %}
 
 {% block headers %}
-
-## HEADERS 
-  add_header Permissions-Policy "geolocation=(),interest-cohort=()";
-  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+  # HTTP response headers borrowed from Nextcloud `.htaccess`
   add_header Referrer-Policy                   "no-referrer"       always;
   add_header X-Content-Type-Options            "nosniff"           always;
-  add_header X-Download-Options                   "noopen"        always;
   add_header X-Frame-Options                   "SAMEORIGIN"        always;
   add_header X-Permitted-Cross-Domain-Policies "none"              always;
-  add_header X-Robots-Tag                         "none"          always;
+  add_header X-Robots-Tag                      "noindex, nofollow" always;
   add_header X-XSS-Protection                  "1; mode=block"     always;
-
-  # Remove X-Powered-By, which is an information leak
-  fastcgi_hide_header X-Powered-By;
 {% endblock %}
 
 {% block location %}
-  # Path to the root of your installation
+  # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+  location = / {
+    if ( $http_user_agent ~ ^DavClnt ) {
+      return 302 /remote.php/webdav/$is_args$args;
+    }
+  }
+
   location = /robots.txt {
-  {% if item.robot_txt is defined %}  
     allow all;
     log_not_found off;
     access_log off;
-  {% else %}
-    deny all;
-    log_not_found off;
-    access_log off;
-  {% endif %}
-  }
-{% for app in nc_apps %}
-{% if app.name == 'user_webfinger' and app.state == 'enabled' %}
-  # The following 2 rules are only needed for the user_webfinger app.
-  rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-  rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-{% endif %}
-{% if app.name == 'social' and app.state == 'enabled'%}
-  # The following rule is only needed for the Social app.
-  rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
-{% endif %}
-{% endfor %}
-
-  location = /.well-known/carddav {
-    return 301 $scheme://$host:$server_port/remote.php/dav;
-  }
-  location = /.well-known/caldav {
-    return 301 $scheme://$host:$server_port/remote.php/dav;
   }
 
-  location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
-    deny all;
-  }
-  location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
-    deny all;
+  # Make a regex exception for `/.well-known` so that clients can still
+  # access it despite the existence of the regex rule
+  # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+  # for `/.well-known`.
+  location ^~ /.well-known {
+    # The rules in this block are an adaptation of the rules
+    # in `.htaccess` that concern `/.well-known`.
+    location = /.well-known/carddav { return 301 /remote.php/dav/; }
+    location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+    location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+    location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+    # Let Nextcloud's API for `/.well-known` URIs handle all other
+    # requests by passing them to the front-end controller.
+    return 301 /index.php$request_uri;
   }
 
-  location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
-    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+  # Rules borrowed from `.htaccess` to hide certain paths from clients
+  location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+  # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+  # which handle static assets (as seen below). If this block is not declared first,
+  # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+  # to the URI, resulting in a HTTP 500 error response.
+  location ~ \.php(?:$|/) {
+    # Required for legacy support
+    rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
+
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+    set $path_info $fastcgi_path_info;
+
     try_files $fastcgi_script_name =404;
+
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-    fastcgi_param PATH_INFO $fastcgi_path_info;
+    fastcgi_param PATH_INFO $path_info;
     fastcgi_param HTTPS on;
-    # Avoid sending the security headers twice
-    fastcgi_param modHeadersAvailable true;
-    # Enable pretty urls
-    fastcgi_param front_controller_active true;
+
+    fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+    fastcgi_param front_controller_active true;     # Enable pretty urls
     fastcgi_pass php-handler;
+
     fastcgi_intercept_errors on;
     fastcgi_request_buffering off;
+    fastcgi_max_temp_file_size 0;
   }
 
-  location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
-    try_files $uri/ =404;
-    index index.php;
-  }
-
-  # Adding the cache control header for js, css and map files
-  # Make sure it is BELOW the PHP block
-  location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+  # Serve static files
+  location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
     try_files $uri /index.php$request_uri;
-    add_header Cache-Control "public, max-age=15778463";
-    # Add headers to serve security related headers (It is intended to
-    # have those duplicated to the ones above)
-    # Before enabling Strict-Transport-Security headers please read into
-    # this topic first.
-    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-    #
-    # WARNING: Only add the preload option once you read about
-    # the consequences in https://hstspreload.org/. This option
-    # will add the domain to a hardcoded list that is shipped
-    # in all major browsers and getting removed from this list
-    # could take several months.
+    # HTTP response headers borrowed from Nextcloud `.htaccess`
+    add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
     add_header Referrer-Policy                   "no-referrer"       always;
     add_header X-Content-Type-Options            "nosniff"           always;
-    add_header X-Download-Options "noopen" always;
     add_header X-Frame-Options                   "SAMEORIGIN"        always;
     add_header X-Permitted-Cross-Domain-Policies "none"              always;
-    add_header X-Robots-Tag "none" always;
+    add_header X-Robots-Tag                      "noindex, nofollow" always;
     add_header X-XSS-Protection                  "1; mode=block"     always;
-
-    # Optional: Don't log access to assets
-    access_log off;
+    access_log off;     # Optional: Don't log access to assets
   }
 
-  location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+  location ~ \.woff2?$ {
     try_files $uri /index.php$request_uri;
-    # Optional: Don't log access to other assets
-    access_log off;
+    expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+    access_log off;     # Optional: Don't log access to assets
+  }
+
+  # Rule borrowed from `.htaccess`
+  location /remote {
+    return 301 /remote.php$request_uri;
+  }
+
+  location / {
+    try_files $uri $uri/ /index.php$request_uri;
   }
 {% endblock %}
 
 {% block app_specific %}
+  # set max upload size and increase upload timeout:
+  client_body_timeout 300s;
   fastcgi_buffers 64 4K;
 
   # Enable gzip but do not remove ETag headers
@@ -135,6 +131,40 @@ upstream php-handler {
   gzip_comp_level 4;
   gzip_min_length 256;
   gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-  gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+  gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+  # Pagespeed is not supported by Nextcloud, so if your server is built
+  # with the `ngx_pagespeed` module, uncomment this line to disable it.
+  #pagespeed off;
+
+  # The settings allows you to optimize the HTTP2 bandwidth.
+  # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+  # for tuning hints
+  client_body_buffer_size 512k;
+
+  # Remove X-Powered-By, which is an information leak
+  fastcgi_hide_header X-Powered-By;
+
+  # Set .mjs and .wasm MIME types
+  # Either include it in the default mime.types list
+  # and include that list explicitly or add the file extension
+  # only for Nextcloud like below:
+  include mime.types;
+  types {
+    text/javascript js mjs;
+    application/wasm wasm;
+  }
+
+  # Specify how to handle directories -- specifying `/index.php$request_uri`
+  # here as the fallback means that Nginx always exhibits the desired behaviour
+  # when a client requests a path that corresponds to a directory that exists
+  # on the server. In particular, if that directory contains an index.php file,
+  # that file is correctly served; if it doesn't, then the request is passed to
+  # the front-end controller. This consistent behaviour means that we don't need
+  # to specify custom rules for certain paths (e.g. images and other assets,
+  # `/updater`, `/ocs-provider`), and thus
+  # `try_files $uri $uri/ /index.php$request_uri`
+  # always provides the desired behaviour.
+  index index.php index.html /index.php$request_uri;
 
 {% endblock %}

templates/etc/nginx/sites-available/pleroma.j2

@@ -2,19 +2,28 @@
 
 {% block extra_upstreams %}
 
+{% if item.mainsite is defined and item.mainsite == 'true' %}
 proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;
 
 upstream phoenix {
   server {{ item.upstream_name }}:4000 max_fails=5 fail_timeout=60s;
 }
+{% endif %}
 {% endblock %}
 
 {% block location %}
 
+{% if item.mainsite is defined and item.mainsite == 'true' %}
   location / {
     proxy_pass http://phoenix;
+{% if item.mangane is defined and item.mangane == 'true' %}
+    proxy_hide_header Content-Security-Policy;
+    add_header Content-Security-Policy "upgrade-insecure-requests;script-src 'self';connect-src 'self' blob:     https://{{ item.name }} wss://{{ item.name }};media-src 'self' https:;img-src 'self' data: blob: https:;default-   src 'none';base-uri 'self';frame-ancestors 'none';style-src 'self' 'unsafe-inline';font-src 'self';manifest-src  'self';" always;
+{% endif %}
   }
+{% endif %}
 
+{% if item.mediasite == 'true' %}
   location ~ ^/(media|proxy) {
     proxy_cache        pleroma_media_cache;
     slice              1m;
@@ -27,7 +36,12 @@ upstream phoenix {
     chunked_transfer_encoding on;
     proxy_pass         http://phoenix;
   }
-
+{% endif %}
+{% if item.mediasite is defined and item.mediasite == 'false' %}
+  location ~ ^/(media) {
+    rewrite ^/(.*)$ https://{{ item.mediasiteurl }}$1 permanent;
+  }
+{% endif %}
 {% endblock %}
 {% block app_specific %}
 

templates/etc/nginx/sites-available/proxy.j2

@@ -9,11 +9,17 @@
     proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
     proxy_redirect off;
 {% if item.secure_cookie is defined %}
     proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
 {% endif %}
+{% if item.location_extra_options is defined %}
+{% for option in item.location_extra_options %}
+    {{ option }}
+{% endfor %}
+{% endif %}
 {% if item.root_custom_headers is defined %}
     #headers
 {% if header.permission_policy is defined and header.permission_policy == 'none' %}

templates/etc/nginx/sites-available/searx.j2

@@ -2,6 +2,9 @@
 
 {%block root %}
   root {{ searx_app_dir }}/searx;
+{% if item.real_ip_from is defined %}
+set_real_ip_from {{ item.real_ip_from }};
+{% endif %}
 {% endblock %}
 
 {% block location %}

templates/etc/nginx/sites-available/zabbix_check.j2

@@ -1,10 +1,23 @@
 server {
-  listen 10061;
+  listen {{ item.port }};
   
-  location /nginx_status {
-    stub_status on;
+  location /basic_status {
+    stub_status;
     access_log off;
     allow 127.0.0.1;
     deny all;
   }
+{% if item.php_check is defined and item.php_check == 'true' %}
+   location ~ ^/(status|ping)$ {
+     access_log off;
+     allow 127.0.0.1;
+     deny all;
+ 
+     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+     fastcgi_index index.php;
+     include fastcgi_params;
+     fastcgi_pass unix:{{ pool_listen }};
+  }
+{% endif %}
+
 }