2023-04-01

home/nginx/applications/filebrowser.conf

@@ -0,0 +1,14 @@
+client_max_body_size                    2048m;
+proxy_read_timeout                      86400s;
+proxy_send_timeout                      86400s;
+proxy_set_header                        X-Forwarded-Host $host;
+proxy_set_header                        X-Forwarded-Server $host;
+proxy_set_header                        X-Real-IP $remote_addr;
+proxy_set_header                        Host $host;
+proxy_set_header                        X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_http_version                      1.1;
+proxy_redirect                          off;
+proxy_set_header                        Upgrade $http_upgrade;
+proxy_set_header                        Connection "upgrade";
+
+proxy_pass http://filebrowser/filebrowser/;

home/nginx/applications/foundry.conf

@@ -0,0 +1,17 @@
+location ~ ^/foundry/$ {
+		return 301 /foundry/game/;
+	}
+
+# Set proxy headers
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+
+# These are important to support WebSockets
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "Upgrade";
+#  may need to set
+#    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
+#  in this bock as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810
+# set user header (usually an email)
+proxy_pass http://foundry/foundry/; 

home/nginx/applications/podcast.conf

@@ -0,0 +1,57 @@
+location ~ ^/podcast/feed.xml$ {
+			return 301 /podcast/01sw;
+		}
+		
+		#/podcast/media/2022-03-09-ep42.mp3
+location ~* /podcast/media/(?:.*)-(?<season_2>s02)?(?<episode_label>ep\d+)(\.mp3) {
+			if ($season_2 = "s02") {
+				return 301 /dir2cast/02ram/$season_2$episode_label.mp3;
+			}
+			
+			return 301 /dir2cast/01sw/$episode_label.mp3;
+		}
+		
+#location /podcast/dir2cast.php {
+#	rewrite /podcast/(dir2cast.php) /dir2cast/$1;
+#}	
+
+
+location /podcast/ {
+			alias /var/www/dir2cast/;
+			autoindex on;
+				
+			if ( $arg_name) { 
+				return 301 /podcast/media/$arg_name;
+			}
+			
+			location ~* /podcast/(?<dir>.*)/feed {
+#				return 501;
+				rewrite /podcast/ /dir2cast/dir2cast.php?dir=$dir;
+			}
+
+			location ~ (\.php|\.ini)$ {
+				return 403;
+			}
+		}
+
+location /dir2cast/ {
+	root /var/www;
+	
+	
+	
+	location ~ ^/dir2cast/dir2cast.php {
+#		return 501;
+		include fastcgi_params;
+		fastcgi_pass php:9000;
+		add_header x-test "$args" always;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+	}
+	
+	location ~ (\.php|\.ini)$ {
+		return 403;
+	}
+	
+	
+	
+	}
+

home/nginx/applications/vouch.conf

@@ -0,0 +1,22 @@
+# https://github.com/vouch/vouch-proxy#vouch-proxy-in-a-path
+
+location /vouch {
+      proxy_pass http://vouch; # must not! have a slash at the end
+      proxy_set_header Host $http_host;
+      proxy_pass_request_body off;
+      proxy_set_header Content-Length "";
+      
+      # optionally add X-Vouch-User as returned by Vouch Proxy along with the request
+      auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
+
+      # these return values are used by the @error401 call
+      auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
+      auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
+      auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
+}
+
+
+location @error401 {
+        # redirect to Vouch Proxy for login
+        return 302 https://$host/vouch/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
+    }

home/nginx/applications/yacht.conf

@@ -0,0 +1,4 @@
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "Upgrade";
+proxy_pass http://yacht/; 

home/nginx/certs/certs.conf

@@ -0,0 +1,9 @@
+ssl_certificate /etc/nginx/ssl/live/rpg.ascorrea.com/fullchain.pem;
+ssl_certificate_key /etc/nginx/ssl/live/rpg.ascorrea.com/privkey.pem;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/nginx/ssl/live/rpg.ascorrea.com/fullchain.pem;
+
+ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_ciphers         HIGH:!aNULL:!MD5;

home/nginx/conf.d/default.conf

@@ -1,97 +1,47 @@
 server {
-    listen       80;
-    listen  [::]:80;
-    server_name  localhost;
+ 	server_name _;
+ 	# you can serve any number of redirects from here...
+ 	listen 80;
+ 	return 301 https://$host$request_uri;
+}
 
-    #access_log  /var/log/nginx/host.access.log  main;
-	location / {
-        return 301 https://$host$request_uri; 
-    } 
-        
+server {
+    listen 443 ssl http2;
+    server_name rpg.ascorrea.com;
+	include certs/certs.conf;
+	include applications/vouch.conf;
+
+    root /var/www/html/;
 	
-	location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
+	error_page 401 = @error401;
 
-    #error_page  404              /404.html;
-
-    # redirect server error pages to the static page /50x.html
-    #
-    error_page   500 502 503 504  /50x.html;
-    location = /50x.html {
-        root   /usr/share/nginx/html;
-    }
-
-    # deny access to .htaccess files, if Apache's document root
-    # concurs with nginx's one
-    #
-    #location ~ /\.ht {
-    #    deny  all;
-    #}
-}
-
-server {
-    listen 443 default_server ssl http2;
-    listen [::]:443 ssl http2;
-
-    server_name example.org;
-
-    ssl_certificate /etc/nginx/ssl/live/rpg.ascorrea.com/fullchain.pem;
-    ssl_certificate_key /etc/nginx/ssl/live/rpg.ascorrea.com/privkey.pem;
-    
-    location / {
-        root   /var/www/html;
-        index  index.html index.htm;
-    } 
-    
-     # pass the PHP scripts to FastCGI server listening on php:9000
-    #
-    location ~ \.php$ {
-         fastcgi_pass   php:9000;
-         fastcgi_index  index.php;
-         include        fastcgi_params;
-         fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
-     }
-     
-	location /podcast/eps {
-         root   /var/www/html;
-   		 autoindex on;
+	location / {
+		# This application is simply proxy-passed without any authentication
+		index  index.html index.htm;
+		
 	}
-     
-     location /foundry/ {
-        
-                # Set proxy headers
-                proxy_set_header Host $host;
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Proto $scheme;
-        
-                # These are important to support WebSockets
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection "Upgrade";
-        
-                # Make sure to set your Foundry VTT port number
-                proxy_pass http://foundry:30000/foundry/;
-            }
-    location /filebrowser/ {
-        client_max_body_size                    2048m;
-        proxy_read_timeout                      86400s;
-        proxy_send_timeout                      86400s;
-        proxy_set_header                        X-Forwarded-Host $host;
-        proxy_set_header                        X-Forwarded-Server $host;
-        proxy_set_header                        X-Real-IP $remote_addr;
-        proxy_set_header                        Host $host;
-        proxy_set_header                        X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_http_version                      1.1;
-        proxy_redirect                          off;
-        proxy_set_header                        Upgrade $http_upgrade;
-        proxy_set_header                        Connection "upgrade";
-        proxy_pass                              http://filebrowser:80/filebrowser/;
-    }
-    location /yacht/ {
-        proxy_http_version 1.1;
-		proxy_set_header Upgrade $http_upgrade;
-		proxy_set_header Connection "Upgrade";
-        proxy_pass                              http://yacht:8000/;
-    }
+	
+	location /foundry/ {
+		auth_request /vouch/validate;
+		auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
+		proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
+		include applications/foundry.conf;
+	}
+	
+	location /filebrowser/ {
+		auth_request /vouch/validate;
+		auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
+		proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
+		include applications/filebrowser.conf;
+	}
+	
+	location /yacht/ {
+		auth_request /vouch/validate;
+		auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
+		proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
+		include applications/yacht.conf;
+	}
+	
+	include applications/podcast.conf;
+	    
 }
-

home/nginx/conf.d/swrpg.ascorrea.com.conf

@@ -0,0 +1,15 @@
+server {
+server_name swrpg.ascorrea.com;    # you can serve any number of redirects from here...
+listen 80;
+return 301 https://rpg.ascorrea.com$request_uri;
+}
+
+server {
+server_name swrpg.ascorrea.com;    # you can serve any number of redirects from here...
+listen 443;
+
+ssl_certificate /etc/nginx/ssl/live/swrpg.ascorrea.com/fullchain.pem;
+ssl_certificate_key /etc/nginx/ssl/live/swrpg.ascorrea.com/privkey.pem;
+
+return 301 https://rpg.ascorrea.com$request_uri;
+}

home/nginx/conf.d/upstreams.conf

@@ -0,0 +1,17 @@
+upstream foundry {
+	# set this to location of foundry
+	server foundry:30000;
+}
+
+upstream vouch {
+	# set this to location of the vouch proxy
+	server vouch:9090;
+}
+
+upstream filebrowser{
+	server filebrowser:80;
+}
+
+upstream yacht {
+	server yacht:8000;
+}