Nueva configuraciónd de nginx para el servidor principal

fs/principal/etc/letsencrypt/options-ssl-nginx.conf

@@ -0,0 +1,16 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_protocols TLSv1.3;
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1d;
+ssl_session_tickets off;
+ssl_ecdh_curve secp384r1;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 208.67.222.222 208.67.220.220 valid=300s;
+resolver_timeout 5s;
+ssl_trusted_certificate /etc/letsencrypt/live/wupp.dev/chain.pem;

fs/principal/etc/nginx/conf.d/amp.wupp.dev.conf

@@ -0,0 +1,30 @@
+server {
+    server_name amp.wupp.dev;
+
+    access_log /var/log/nginx/amp.wupp.dev-access.log;
+    error_log /var/log/nginx/amp.wupp.dev-error.log;
+
+    add_header X-Permitted-Cross-Domain-Policies "none" always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+    location / {
+        proxy_pass https://192.168.1.157;
+        proxy_ssl_session_reuse on;
+        proxy_ssl_verify off;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/amp.wupp.dev/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/amp.wupp.dev/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}

fs/principal/etc/nginx/conf.d/cloud.wupp.dev.conf

@@ -1,5 +1,5 @@
 upstream nextcloud {
-    server 127.0.0.1:9000;
+    server 127.0.0.1:26848;
 }
 
 # Set the `immutable` cache control options only for assets with a cache busting `v` argument
@@ -9,9 +9,12 @@ map $arg_v $asset_immutable {
 }
 
 server {
-    server_name cloud.wupp.dev;
+    server_name  cloud.wupp.dev;
     http2 on;
 
+    access_log /var/log/nginx/cloud.wupp.dev-access.log;
+    error_log /var/log/nginx/cloud.wupp.dev-error.log;
+
     # set max upload size
     client_max_body_size 50G;
     # unlimited download speed
@@ -40,7 +43,7 @@ server {
     add_header X-XSS-Protection "1; mode=block" always;
     add_header Referrer-Policy "no-referrer" always;
     add_header X-Permitted-Cross-Domain-Policies "none" always;
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 
     # Add .mjs as a file extension for javascript
     # Either include it in the default mime.types list

fs/principal/etc/nginx/conf.d/mc.wupp.dev.conf

@@ -0,0 +1,33 @@
+server {
+    server_name mc.wupp.dev;
+    http2 on;
+
+    access_log /var/log/nginx/mc.wupp.dev-access.log;
+    error_log /var/log/nginx/mc.wupp.dev-error.log;
+
+    add_header Allow "GET, POST, OPTIONS";
+    add_header X-Permitted-Cross-Domain-Policies "none" always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+    #add_header Content-Security-Policy "default-src 'self' blob:https://mc.wupp.dev https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'";
+    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+    location / {
+        proxy_pass https://192.168.1.157;
+        proxy_ssl_session_reuse on;
+        proxy_ssl_verify off;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/mc.wupp.dev/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/mc.wupp.dev/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}

fs/principal/etc/nginx/conf.d/mcminio.wupp.dev.conf

@@ -0,0 +1,40 @@
+server {
+    server_name mcminio.wupp.dev;
+
+    # Allow special characters in headers
+    ignore_invalid_headers off;
+    # Allow any size file to be uploaded.
+    # Set to a value such as 1000m; to restrict file size to a specific value
+    client_max_body_size 0;
+    # Disable buffering
+    proxy_buffering off;
+    proxy_request_buffering off;
+
+    add_header X-Permitted-Cross-Domain-Policies "none" always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+    location / {
+        proxy_pass https://192.168.1.157;
+        proxy_ssl_session_reuse on;
+        proxy_ssl_verify off;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        chunked_transfer_encoding off;
+	proxy_connect_timeout 300;
+    }
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/mcminio.wupp.dev/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/mcminio.wupp.dev/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}

fs/principal/etc/nginx/conf.d/web.mcminio.wupp.dev.conf

@@ -0,0 +1,41 @@
+server {
+    server_name web.mcminio.wupp.dev;
+
+    # Allow special characters in headers
+    ignore_invalid_headers off;
+    # Allow any size file to be uploaded.
+    # Set to a value such as 1000m; to restrict file size to a specific value
+    client_max_body_size 0;
+    # Disable buffering
+    proxy_buffering off;
+    proxy_request_buffering off;
+
+    add_header X-Permitted-Cross-Domain-Policies "none" always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+    location / {
+        proxy_pass https://192.168.1.157;
+        proxy_ssl_session_reuse on;
+        proxy_ssl_verify off;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+	proxy_connect_timeout 300;	
+    }
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/web.mcminio.wupp.dev/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/web.mcminio.wupp.dev/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}

fs/principal/etc/nginx/conf.d/www.wupp.dev.conf

@@ -2,11 +2,22 @@ server {
     server_name wupp.dev www.wupp.dev;
     http2 on;
 
-    #access_log  /var/log/nginx/host.access.log  main;
+    add_header Allow "GET, POST, OPTIONS";
+    add_header X-Permitted-Cross-Domain-Policies "none" always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'";
+    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'";
+    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+    root /var/www/html;
+    index landing.html;
 
     location / {
-        root   /usr/share/nginx/html;
-        index  index.html index.htm;
+	try_files $uri /landing.html;
     }
 
     #error_page  404              /404.html;
@@ -18,7 +29,7 @@ server {
         root   /usr/share/nginx/html;
     }
 
-    listen 443 ssl; # managed by Certbot
+    listen 443 ssl default_server; # managed by Certbot
     ssl_certificate /etc/letsencrypt/live/wupp.dev/fullchain.pem; # managed by Certbot
     ssl_certificate_key /etc/letsencrypt/live/wupp.dev/privkey.pem; # managed by Certbot
     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot