Merge branch 'master' into cadvisor-endpoints

aptalca · web-flow · commit 9c275135af2e · 2023-08-21T15:45:09.000-04:00
diff --git a/frigate.subdomain.conf.sample b/frigate.subdomain.conf.sample
@@ -0,0 +1,46 @@
+## Version 2023/06/21
+# make sure that your frigate container is named frigate
+# make sure that your dns has a cname set for frigate
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name frigate.*;
+
+    include /config/nginx/ssl.conf;
+
+    client_max_body_size 0;
+
+    # enable for ldap auth (requires ldap-location.conf in the location block)
+    #include /config/nginx/ldap-server.conf;
+
+    # enable for Authelia (requires authelia-location.conf in the location block)
+    #include /config/nginx/authelia-server.conf;
+
+    # enable for Authentik (requires authentik-location.conf in the location block)
+    #include /config/nginx/authentik-server.conf;
+
+    location / {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
+        include /config/nginx/proxy.conf;
+        include /config/nginx/resolver.conf;
+        set $upstream_app frigate;
+        set $upstream_port 5000;
+        set $upstream_proto http;
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+    }
+}
diff --git a/libreddit.subdomain.conf.sample b/libreddit.subdomain.conf.sample
@@ -1,10 +1,10 @@
-## Version 2023/02/05
+## Version 2023/06/21
 # make sure that your libreddit container is named libreddit
 # make sure that your dns has a cname set for libreddit
 
 server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
 
     server_name libreddit.*;
 
diff --git a/linkstack.subdomain.conf.sample b/linkstack.subdomain.conf.sample
@@ -0,0 +1,44 @@
+## Version 2023/06/27
+# make sure that your dns has a cname set for linkstack and that your linkstack container is not using a base url
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name linkstack.*;
+
+    include /config/nginx/ssl.conf;
+
+    client_max_body_size 0;
+
+    # enable for ldap auth (requires ldap-location.conf in the location block)
+    #include /config/nginx/ldap-server.conf;
+
+    # enable for Authelia (requires authelia-location.conf in the location block)
+    #include /config/nginx/authelia-server.conf;
+
+    # enable for Authentik (requires authentik-location.conf in the location block)
+    #include /config/nginx/authentik-server.conf;
+
+    location / {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
+        include /config/nginx/proxy.conf;
+        include /config/nginx/resolver.conf;
+        set $upstream_app linkstack;
+        set $upstream_port 443;
+        set $upstream_proto https;
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+    }
+}
diff --git a/nextcloud.subdomain.conf.sample b/nextcloud.subdomain.conf.sample
@@ -1,4 +1,4 @@
-## Version 2023/06/06
+## Version 2023/06/24
 # make sure that your nextcloud container is named nextcloud
 # make sure that your dns has a cname set for nextcloud
 # assuming this container is called "swag", edit your nextcloud container's config
@@ -32,8 +32,14 @@ server {
         set $upstream_proto https;
         proxy_pass $upstream_proto://$upstream_app:$upstream_port;
 
-        # Uncomment X-Frame-Options directive in ssl.conf to pass security checks.
+        # Hide proxy response headers from Nextcloud that conflict with ssl.conf
+        # Uncomment the Optional additional headers in SWAG's ssl.conf to pass Nextcloud's security scan
+        proxy_hide_header Referrer-Policy;
+        proxy_hide_header X-Content-Type-Options;
         proxy_hide_header X-Frame-Options;
+        proxy_hide_header X-XSS-Protection;
+
+        # Disable proxy buffering
         proxy_buffering off;
     }
 }
diff --git a/nextcloud.subfolder.conf.sample b/nextcloud.subfolder.conf.sample
@@ -1,4 +1,4 @@
-## Version 2023/06/06
+## Version 2023/06/24
 # make sure that your nextcloud container is named nextcloud
 # make sure that nextcloud is set to work with the base url /nextcloud/
 # Assuming this container is called "swag", edit your nextcloud container's config
@@ -34,10 +34,18 @@ location ^~ /nextcloud/ {
     proxy_pass $upstream_proto://$upstream_app:$upstream_port;
 
     rewrite /nextcloud(.*) $1 break;
-    # Uncomment X-Frame-Options directive in ssl.conf to pass security checks.
-    proxy_hide_header X-Frame-Options;
-    proxy_buffering off;
+
     proxy_set_header Range $http_range;
     proxy_set_header If-Range $http_if_range;
     proxy_ssl_session_reuse off;
+
+    # Hide proxy response headers from Nextcloud that conflict with ssl.conf
+    # Uncomment the Optional additional headers in SWAG's ssl.conf to pass Nextcloud's security scan
+    proxy_hide_header Referrer-Policy;
+    proxy_hide_header X-Content-Type-Options;
+    proxy_hide_header X-Frame-Options;
+    proxy_hide_header X-XSS-Protection;
+
+    # Disable proxy buffering
+    proxy_buffering off;
 }
diff --git a/notifiarr.subdomain.conf.sample b/notifiarr.subdomain.conf.sample
@@ -31,6 +31,8 @@ server {
 
         # enable for Authelia (requires authelia-server.conf in the server block)
         #include /config/nginx/authelia-location.conf;
+        # Enable if you use webauth for Notifiarr client website authentication
+        #proxy_set_header X-WebAuth-User $user;
 
         # enable for Authentik (requires authentik-server.conf in the server block)
         #include /config/nginx/authentik-location.conf;
