From d756226c47a9f8abb3d05116257d94c03d5646cb Mon Sep 17 00:00:00 2001
From: Marwolf <cleako@gmail.com>
Date: Fri, 27 Jul 2018 13:04:08 -0400
Subject: [PATCH] Organized Nginx conf with added HTTPS version

---
 etc/nginx/HTTPS_default.template.conf | 204 ++++++++++++++++++++++++++
 etc/nginx/default.template.conf       | 127 ++++++----------
 2 files changed, 245 insertions(+), 86 deletions(-)
 create mode 100755 etc/nginx/HTTPS_default.template.conf

diff --git a/etc/nginx/HTTPS_default.template.conf b/etc/nginx/HTTPS_default.template.conf
new file mode 100755
index 0000000..4a590e4
--- /dev/null
+++ b/etc/nginx/HTTPS_default.template.conf
@@ -0,0 +1,204 @@
+# Nginx configuration for HTTPS only
+
+server_tokens off;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Content-Type-Options nosniff;
+
+upstream dev_tomcat_1 {
+    server tomcat;
+}
+
+# HTTP
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+		gzip on;
+		gzip_static on;
+		gzip_vary on;
+		gzip_http_version 1.1;
+		gzip_min_length 700;
+		gzip_comp_level 6;
+    server_name ${NGINX_HOST};
+    error_log  /var/log/nginx/error.log;
+    access_log /var/log/nginx/access.log;
+    root /var/www/html/public;
+		index index.php index.html index.htm index.jsp;
+
+    # Redirect all requests to HTTPS on :443
+    location / {
+        rewrite ^ https://$host$request_uri? permanent;
+    }
+
+    ####### Proxies #######
+    # PHP proxy
+    location ~ \.php$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass php:9000;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+    }
+
+    # Tomcat proxy
+    location ~ \.(do|jspa|obr|jsp) {
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass http://tomcat:8082;
+    }
+
+    ####### Protections and efficiencies #######
+    # Deny access to files beginning with .ht, such as .htaccess and .htpasswd
+    location ~ /\.ht {
+    		deny all;
+    }
+
+    # Block accidental directory listing
+    location / {
+        try_files $uri $uri/ =404;
+     }
+
+    # Instructs visitor browser to cache files for 1 month
+    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
+        expires 1M;
+    }
+
+    # Deny access to version control system directories.
+    location ~ /\.svn|/\.git {
+        deny all;
+        internal;
+    }
+
+    # Certbot for HTTPS cert renewal
+    location ^~ /.well-known {
+        allow all;
+        root  /data/letsencrypt/;
+    }
+
+    ####### PHPBB Forum #######
+    # PHPBB forum
+		location /board {
+				index index.php index.html index.htm;
+        try_files $uri $uri/ @rewriteapp;
+    }
+
+    # PHPBB installer rewrite
+    location /install/ {
+        try_files $uri $uri/ @rewrite_installapp;
+		}
+
+    location @rewriteapp {
+    		rewrite ^(.*)$ /app.php/$1 last;
+    }
+
+    # Deny access to internal phpbb files.
+    location ~ /board(config\.php|common\.php|files|images/avatars/upload|includes|(?<!ext/)phpbb|store|vendor) {
+    		deny all;
+        internal;
+		}
+
+    location @rewrite_installapp {
+        rewrite ^(.*)$ /board/install/app.php/$1 last;
+    }
+}
+
+# HTTPS
+server {
+    listen      443           ssl http2;
+    listen [::]:443           ssl http2;
+    server_name               ${NGINX_HOST};
+    ssl                       on;
+    add_header                Strict-Transport-Security "max-age=31536000" always;
+    ssl_session_cache         shared:SSL:20m;
+    ssl_session_timeout       10m;
+    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers               "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
+    ssl_stapling              on;
+    ssl_stapling_verify       on;
+    resolver                  8.8.8.8 1.1.1.1;
+    ssl_certificate           /etc/letsencrypt/live/openrsc.com/fullchain.pem;
+    ssl_certificate_key       /etc/letsencrypt/live/openrsc.com/privkey.pem;
+    ssl_trusted_certificate   /etc/letsencrypt/live/openrsc.com/chain.pem;
+    index index.php index.html index.jsp;
+    error_log  /var/log/nginx/error.log;
+    access_log /var/log/nginx/access.log;
+    root /var/www/html/public;
+
+    ####### Proxies #######
+    # PHP proxy
+    location ~ \.php$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass php:9000;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+    }
+
+    # Tomcat proxy
+    location ~ \.(do|jspa|obr|jsp) {
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass http://tomcat:8082;
+    }
+
+    ####### Protections and efficiencies #######
+    # Deny access to files beginning with .ht, such as .htaccess and .htpasswd
+    location ~ /\.ht {
+    		deny all;
+    }
+
+    # Block accidental directory listing
+    location / {
+        try_files $uri $uri/ =404;
+     }
+
+    # Instructs visitor browser to cache files for 1 month
+    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
+        expires 1M;
+    }
+
+    # Deny access to version control system directories.
+    location ~ /\.svn|/\.git {
+        deny all;
+        internal;
+    }
+
+    # Certbot for HTTPS cert renewal
+    location ^~ /.well-known {
+        allow all;
+        root  /data/letsencrypt/;
+    }
+
+    ####### PHPBB Forum #######
+    # PHPBB forum
+		location /board {
+				index index.php index.html index.htm;
+        try_files $uri $uri/ @rewriteapp;
+    }
+
+    # PHPBB installer rewrite
+    location /install/ {
+        try_files $uri $uri/ @rewrite_installapp;
+		}
+
+    location @rewriteapp {
+    		rewrite ^(.*)$ /app.php/$1 last;
+    }
+
+    # Deny access to internal phpbb files.
+    location ~ /board(config\.php|common\.php|files|images/avatars/upload|includes|(?<!ext/)phpbb|store|vendor) {
+    		deny all;
+        internal;
+		}
+
+    location @rewrite_installapp {
+        rewrite ^(.*)$ /board/install/app.php/$1 last;
+    }
+
+}
diff --git a/etc/nginx/default.template.conf b/etc/nginx/default.template.conf
index a308d2e..48be825 100755
--- a/etc/nginx/default.template.conf
+++ b/etc/nginx/default.template.conf
@@ -1,4 +1,4 @@
-# Nginx configuration
+# Nginx configuration for HTTP only
 
 server_tokens off;
 add_header X-XSS-Protection "1; mode=block";
@@ -8,7 +8,7 @@ upstream dev_tomcat_1 {
     server tomcat;
 }
 
-# Website and PHPBB forum over HTTP
+# HTTP
 server {
     listen 80 default_server;
     listen [::]:80 default_server;
@@ -24,11 +24,33 @@ server {
     root /var/www/html/public;
 		index index.php index.html index.htm index.jsp;
 
+    ####### Proxies #######
+    # PHP proxy
+    location ~ \.php$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass php:9000;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+    }
+
+    # Tomcat proxy
+    location ~ \.(do|jspa|obr|jsp) {
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass http://tomcat:8082;
+    }
+
+    ####### Protections and efficiencies #######
+    # Deny access to files beginning with .ht, such as .htaccess and .htpasswd
     location ~ /\.ht {
     		deny all;
     }
 
-    # Block empty folder access
+    # Block accidental directory listing
     location / {
         try_files $uri $uri/ =404;
      }
@@ -38,20 +60,30 @@ server {
         expires 1M;
     }
 
-    # Tomcat
-    location ~ \.(do|jspa|obr|jsp) {
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Server $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_pass http://tomcat:8082;
+    # Deny access to version control system directories.
+    location ~ /\.svn|/\.git {
+        deny all;
+        internal;
     }
 
+    # Certbot for HTTPS cert renewal
+    location ^~ /.well-known {
+        allow all;
+        root  /data/letsencrypt/;
+    }
+
+    ####### PHPBB Forum #######
     # PHPBB forum
 		location /board {
 				index index.php index.html index.htm;
         try_files $uri $uri/ @rewriteapp;
     }
 
+    # PHPBB installer rewrite
+    location /install/ {
+        try_files $uri $uri/ @rewrite_installapp;
+		}
+
     location @rewriteapp {
     		rewrite ^(.*)$ /app.php/$1 last;
     }
@@ -62,84 +94,7 @@ server {
         internal;
 		}
 
-		# Pass the php scripts to fastcgi server specified in upstream declaration.
-    location ~ \.php(/|$) {
-        try_files $uri =404;
-        fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        fastcgi_pass php:9000;
-        fastcgi_index index.php;
-        include fastcgi_params;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_param PATH_INFO $fastcgi_path_info;
-    }
-
-    # Correctly pass scripts for PHPBB installer usage
-    location /install/ {
-        try_files $uri $uri/ @rewrite_installapp;
-
-				location ~ \.php(/|$) {
-            try_files $uri =404;
-            fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            fastcgi_pass php:9000;
-            fastcgi_index index.php;
-            include fastcgi_params;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $fastcgi_path_info;
-        }
-		}
-
     location @rewrite_installapp {
         rewrite ^(.*)$ /board/install/app.php/$1 last;
     }
-
-    # Deny access to version control system directories.
-    location ~ /\.svn|/\.git {
-        deny all;
-        internal;
-    }
-
-#    # Redirect to HTTPS
-#    location / {
-#        rewrite ^ https://$host$request_uri? permanent;
-#    }
-
-    # Certbot for HTTPS cert renewal
-    location ^~ /.well-known {
-        allow all;
-        root  /data/letsencrypt/;
-    }
 }
-
-#HTTPS
-#server {
-#    listen      443           ssl http2;
-#    listen [::]:443           ssl http2;
-#    server_name               ${NGINX_HOST};
-#    ssl                       on;
-#    add_header                Strict-Transport-Security "max-age=31536000" always;
-#    ssl_session_cache         shared:SSL:20m;
-#    ssl_session_timeout       10m;
-#    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
-#    ssl_prefer_server_ciphers on;
-#    ssl_ciphers               "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
-#    ssl_stapling              on;
-#    ssl_stapling_verify       on;
-#    resolver                  8.8.8.8 1.1.1.1;
-#    ssl_certificate           /etc/letsencrypt/live/openrsc.com/fullchain.pem;
-#    ssl_certificate_key       /etc/letsencrypt/live/openrsc.com/privkey.pem;
-#    ssl_trusted_certificate   /etc/letsencrypt/live/openrsc.com/chain.pem;
-#    index index.php index.html index.jsp;
-#    error_log  /var/log/nginx/error.log;
-#    access_log /var/log/nginx/access.log;
-#    root /var/www/html/public;
-
-#    location ~ \.php$ {
-#        try_files $uri =404;
-#        fastcgi_split_path_info ^(.+\.php)(/.+)$;
-#        fastcgi_pass php:9000;
-#        fastcgi_index index.php;
-#        include fastcgi_params;
-#        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-#        fastcgi_param PATH_INFO $fastcgi_path_info;
-#    }
-#}