Nginx config
# Shared access-control snippet. The server config includes
# /etc/nginx/include.d/auth.conf in its protected locations; this appears to
# be that file.
#
# "satisfy any" admits a request when EITHER check below passes:
#   1. the client address is on the local network, or
#   2. the client presents valid HTTP Basic credentials.
satisfy any;

# Check 2: HTTP Basic authentication for clients outside the LAN.
# Basic credentials are only base64-encoded, so this snippet should only be
# used in server blocks that are reachable over TLS.
auth_basic "Restricted Area";
auth_basic_user_file /etc/nginx/passwd/host.htpasswd;

# Check 1: address-based access. Rules are evaluated in order and the first
# match wins, so "allow" has to stay ahead of "deny all".
# The address tested is the TCP peer: if another proxy or NAT device on
# 192.168.1.0/24 forwards outside traffic to nginx, those requests pass this
# check without a password.
allow 192.168.1.0/24;
deny all;
# Plain-HTTP catch-all: every request on port 80 (IPv4 and IPv6) is answered
# with a permanent redirect to the HTTPS site.
#
# NOTE(review): the iptables rules published with this config accept only
# ports 22, 443 and 32400 on INPUT, so over IPv4 this listener is reachable
# only via loopback unless port 80 is opened. Those rules are IPv4-only; the
# [::]:80 listener is governed by ip6tables, which is not shown.
server {
    server_name homeserver.com;

    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    # The redirect target is built from the configured server_name rather than
    # the client-supplied Host header, so a forged Host cannot steer the
    # redirect to another site.
    return 301 https://$server_name$request_uri;
}
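# HTTPS front end: terminates TLS and reverse-proxies a set of services that
# listen on loopback ports. Access control is applied per location by
# including auth.conf; nothing is enforced at server level, so any location
# without that include is open to every client that can reach port 443.
server {
    listen 443 ssl;
    root /usr/share/nginx/html;
    server_name homeserver.com;

    # NOTE(review): ssl_certificate must contain the server certificate first,
    # followed by the intermediates. Confirm the ".ca-bundle" file is laid out
    # that way and is not the CA chain alone.
    ssl_certificate /etc/nginx/ssl/homeserver.ca-bundle;
    # The private key should be readable by root only.
    ssl_certificate_key /etc/nginx/ssl/homeserver.key;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
    # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL 1.1.1 or later;
    # on an older build keep only TLSv1.2.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD suites only. The previous list still offered 3DES
    # (DES-CBC3-SHA, which "!DES" does not exclude), CBC/SHA-1 suites and
    # static-RSA key exchange. DHE suites are left out because no ssl_dhparam
    # is configured here. Names unknown to the local OpenSSL are ignored.
    # This directive does not affect the TLS 1.3 suites.
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305";
    ssl_prefer_server_ciphers on;

    # Optional hardening: a Strict-Transport-Security response header once
    # the certificate setup is stable.

    # NOTE(review): index.php is listed but no PHP handler is configured in
    # this block, so a .php file under root would be returned as-is.
    index index.html index.php;

    # Static content: LAN address or Basic auth (see auth.conf).
    location / {
        include /etc/nginx/include.d/auth.conf;
    }

    location /sickbeard {
        proxy_pass http://127.0.0.1:8001/sickbeard;
        include /etc/nginx/include.d/auth.conf;
        include /etc/nginx/include.d/proxy.conf;
    }

    # API locations (this one and the /sabnzbd, /headphones and /sonarr ones
    # below) are siblings of the UI locations and do not include auth.conf, so
    # they are reachable from any address without Basic auth; "auth_basic off"
    # and "allow all" only make that explicit. The only protection left is
    # whatever the backend itself enforces (presumably an API key - verify it
    # is set and not a default). These are prefix matches, so every URI that
    # begins with the given string is covered, not just the exact path.
    location /sickbeard/api {
        proxy_pass http://127.0.0.1:8001/sickbeard/api;
        include /etc/nginx/include.d/proxy.conf;
        auth_basic off;
        allow all;
    }

    # NOTE(review): no auth.conf here, unlike the other UI locations, so this
    # service is exposed without nginx-level authentication. Confirm that is
    # intended and that the application's own login is enabled.
    # NOTE(review): proxy.conf already sets "Host $host" and
    # "proxy_redirect off"; confirm which Host value the backend receives and
    # that the two proxy_redirect directives combine as intended.
    location /couchpotato {
        proxy_pass http://127.0.0.1:8002;
        include /etc/nginx/include.d/proxy.conf;
        proxy_set_header Host localhost:8002;
        proxy_redirect default;
    }

    location /sabnzbd {
        proxy_pass http://127.0.0.1:8003;
        include /etc/nginx/include.d/auth.conf;
        include /etc/nginx/include.d/proxy.conf;
    }

    # Unauthenticated at the nginx level (see the API note above).
    # NOTE(review): unlike the other API locations this one does not include
    # proxy.conf, so the backend receives no X-Forwarded-* headers and the
    # client's Authorization header is passed through unchanged.
    location /sabnzbd/api {
        proxy_pass http://127.0.0.1:8003/api/;
        auth_basic off;
        allow all;
    }

    location /deluge {
        proxy_pass http://127.0.0.1:8005/;
        proxy_set_header X-Deluge-Base "/deluge/";
        include /etc/nginx/include.d/auth.conf;
        include /etc/nginx/include.d/proxy.conf;
    }

    location /headphones {
        proxy_pass http://127.0.0.1:8006/headphones;
        include /etc/nginx/include.d/auth.conf;
        include /etc/nginx/include.d/proxy.conf;
    }

    # Unauthenticated at the nginx level (see the API note above).
    location /headphones/api {
        proxy_pass http://127.0.0.1:8006/headphones/api;
        include /etc/nginx/include.d/proxy.conf;
        auth_basic off;
        allow all;
    }

    # NOTE(review): no auth.conf here either; access depends entirely on the
    # backend's own login. The upstream is reached over HTTPS; nginx does not
    # verify upstream certificates unless proxy_ssl_verify is enabled, which
    # matters little on loopback but would if the backend moved off-host.
    location /subsonic {
        proxy_pass https://127.0.0.1:8007;
        include /etc/nginx/include.d/proxy.conf;
    }

    location /sonarr {
        proxy_pass http://127.0.0.1:8008/sonarr;
        include /etc/nginx/include.d/auth.conf;
        include /etc/nginx/include.d/proxy.conf;
    }

    # Calendar feed: unauthenticated at the nginx level (see the API note
    # above).
    location /sonarr/feed/calendar {
        proxy_pass http://127.0.0.1:8008/sonarr/feed/calendar;
        include /etc/nginx/include.d/proxy.conf;
        auth_basic off;
        allow all;
    }
}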
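# Generated by iptables-save v1.4.21 on Wed Mar 18 10:32:38 2015
# IPv4 filter table: inbound traffic is limited to loopback, replies to
# existing connections, and TCP ports 22, 443 and 32400.
# These rules cover IPv4 only; IPv6 needs an equivalent ip6tables rule set.
*filter
# INPUT defaults to DROP so the host fails closed if the rules below are ever
# flushed or the final DROP rule is removed. iptables-restore applies the
# policy and the rules together at COMMIT.
:INPUT DROP [0:0]
# NOTE(review): FORWARD is left at ACCEPT as published. If this host does not
# route traffic for other machines, DROP is the safer policy.
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [327:247830]
# Local services talking to each other (nginx -> backends on 127.0.0.1).
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, plus related ICMP errors.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# SSH, open to any source address. Consider key-only authentication and a
# source restriction or rate limit.
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# HTTPS (nginx). Port 80 is not opened, so the HTTP->HTTPS redirect server is
# not reachable from other hosts over IPv4.
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# NOTE(review): 32400 is presumably Plex Media Server (its default port). It
# is exposed directly, so none of the nginx access rules apply to it.
-A INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
# Explicit final drop; redundant with the DROP policy but keeps a counter.
-A INPUT -j DROP
COMMIT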
# Shared reverse-proxy settings. The server config includes
# /etc/nginx/include.d/proxy.conf in its proxied locations; this appears to be
# that file. The hard-coded 443/https values below assume it is only ever
# included from the TLS server block.

# --- Timeouts ---------------------------------------------------------------
proxy_connect_timeout 59s;
proxy_send_timeout 600;
# 36000s = 10 hours. A backend that stalls keeps the client connection and an
# nginx worker connection open for that long.
proxy_read_timeout 36000s;

# --- Buffering --------------------------------------------------------------
# Responses are streamed to the client as they arrive. With buffering off,
# proxy_buffer_size still bounds the read of the response header; the other
# buffer settings only take effect if buffering is turned back on.
proxy_buffering off;
proxy_buffer_size 64k;
proxy_buffers 16 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;

# --- Response header handling -----------------------------------------------
# Set-Cookie is not among the headers nginx hides by default, so this is
# presumably a no-op kept for explicitness.
proxy_pass_header Set-Cookie;
proxy_hide_header Vary;
# Only relevant to nginx's proxy cache, which is not configured here.
proxy_ignore_headers Cache-Control Expires;
# Location/Refresh headers from the backend are passed through unmodified.
proxy_redirect off;

# --- Request headers sent to the backend ------------------------------------
# An empty value removes the header: the backend is asked for uncompressed
# responses.
proxy_set_header Accept-Encoding '';
proxy_set_header Referer $http_referer;
proxy_set_header Host $host;
proxy_set_header Cookie $http_cookie;
# X-Real-IP is the TCP peer address as seen by nginx.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
# Appends the peer address to whatever X-Forwarded-For the client sent; only
# the last entry is set by nginx, earlier entries are client-controlled and
# must not be trusted by the backend.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port '443';
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Proto https;
# Strips the Authorization header so the Basic-auth credentials checked by
# nginx are never forwarded to the backends. A backend that needs its own
# Authorization header will not receive one through this snippet.
proxy_set_header Authorization '';