nginx sent Host/X-Real-IP/X-Forwarded-For/X-Forwarded-Proto twice (explicit proxy_set_header plus the included recommended-proxy-headers file), which Apache rejected as a malformed request due to the duplicate Host header. Removed the redundant explicit headers. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
{
|
|
lib,
|
|
pkgs,
|
|
config,
|
|
...
|
|
}: {
|
|
services.nginx = {
|
|
enable = true;
|
|
|
|
virtualHosts = let
|
|
pdxDestinyRoot = pkgs.runCommand "pdxdestiny-web" {} ''
|
|
mkdir -p $out
|
|
cp ${./pdxdestiny/index.html} $out/index.html
|
|
cp ${pkgs.copyPathToStore ./pdxdestiny/gold.jpg} $out/gold.jpg
|
|
'';
|
|
withWww = domain: config: {
|
|
"${domain}" = config;
|
|
"www.${domain}" = {
|
|
enableACME = true;
|
|
addSSL = config.addSSL or true;
|
|
forceSSL = config.forceSSL or false;
|
|
locations."/" = {
|
|
extraConfig = ''
|
|
return 301 https://${domain}$request_uri;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
in
|
|
{
|
|
"_default" = {
|
|
listen = [
|
|
{ addr = "0.0.0.0"; port = 80; }
|
|
{ addr = "[::]"; port = 80; }
|
|
];
|
|
serverName = "_";
|
|
extraConfig = ''
|
|
deny all;
|
|
return 444;
|
|
'';
|
|
};
|
|
|
|
|
|
|
|
"blog.quineglobal.com" = {
|
|
enableACME = false;
|
|
forceSSL = false;
|
|
addSSL = false;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:3010/"; # pass through to docker container
|
|
};
|
|
};
|
|
|
|
"claw.quineglobal.com" = {
|
|
enableACME = true;
|
|
forceSSL = false;
|
|
addSSL = true;
|
|
basicAuthFile = "/var/openclaw/htpasswd";
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:18789/";
|
|
extraConfig = ''
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_read_timeout 86400;
|
|
'';
|
|
};
|
|
};
|
|
|
|
"hyper.quineglobal.com" = {
|
|
enableACME = true;
|
|
forceSSL = false;
|
|
addSSL = true;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:3013/";
|
|
};
|
|
};
|
|
"riverside.coldairnetworks.com" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:3011/";
|
|
};
|
|
};
|
|
|
|
"atitraining.coldairnetworks.com" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:3015/";
|
|
};
|
|
};
|
|
|
|
"db.coldairnetworks.com" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
basicAuthFile = "/var/coldairnetworks-db/htpasswd";
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:5050/";
|
|
extraConfig = ''
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_read_timeout 86400;
|
|
client_max_body_size 100M;
|
|
'';
|
|
};
|
|
};
|
|
"quineglobal.com" = {
|
|
enableACME = false;
|
|
forceSSL = false;
|
|
addSSL = false;
|
|
|
|
locations."/" = {
|
|
extraConfig = ''
|
|
index index.html index.htm;
|
|
root /etc/pullomatic/com_quineglobal;
|
|
'';
|
|
};
|
|
};
|
|
|
|
"webdav.philippeterson.com" = {
|
|
serverName = "webdav.philippeterson.com";
|
|
enableACME = true;
|
|
onlySSL = true;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:8082/"; # pass through to webdav
|
|
extraConfig = ''
|
|
# Pass required headers for WebDAV
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# Pass Authorization header if required
|
|
proxy_set_header Authorization $http_authorization;
|
|
|
|
# Set timeouts for large file uploads or long WebDAV operations
|
|
proxy_read_timeout 300;
|
|
proxy_connect_timeout 300;
|
|
proxy_send_timeout 300;
|
|
|
|
# Increase client body size for large uploads
|
|
client_max_body_size 100M;
|
|
|
|
# Optional: Disable caching for WebDAV operations
|
|
proxy_buffering off;
|
|
proxy_cache off;
|
|
'';
|
|
};
|
|
};
|
|
|
|
"paperless.philippeterson.com" = {
|
|
useACMEHost = "paperless.philippeterson.com";
|
|
onlySSL = true;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:8000/";
|
|
extraConfig = ''
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_read_timeout 86400;
|
|
client_max_body_size 100M;
|
|
'';
|
|
};
|
|
};
|
|
|
|
"pluto.philippeterson.com" = {
|
|
useACMEHost = "pluto.philippeterson.com";
|
|
onlySSL = true;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:1234/";
|
|
extraConfig = ''
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
proxy_read_timeout 86400;
|
|
'';
|
|
};
|
|
};
|
|
|
|
"vnc.quinefoundation.com" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
basicAuthFile = config.age.secrets.vnc-htpasswd.path;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:6080/";
|
|
extraConfig = ''
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
proxy_read_timeout 86400;
|
|
'';
|
|
};
|
|
};
|
|
|
|
"forge.quinefoundation.com-https" = {
|
|
serverName = "forge.quinefoundation.com";
|
|
enableACME = true;
|
|
onlySSL = true;
|
|
|
|
extraConfig = ''
|
|
client_max_body_size 0;
|
|
'';
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:3000/"; # pass through to Forgejo
|
|
};
|
|
};
|
|
|
|
"forge.quinefoundation.com-http" = {
|
|
serverName = "forge.quinefoundation.com";
|
|
|
|
listen = [
|
|
{ addr = "0.0.0.0"; port = 80; }
|
|
{ addr = "[::]"; port = 80; }
|
|
];
|
|
|
|
locations."/" = {
|
|
# TODO: forgejo does not support HTTP+HTTPS. But it would be nice if it did.
|
|
#proxyPass = "https://forge.quinefoundation.com/"; # pass through to HTTPS
|
|
|
|
# Instead, temporarily redirect to HTTPS
|
|
extraConfig = ''
|
|
return 302 https://$host$request_uri;
|
|
'';
|
|
};
|
|
};
|
|
} // (withWww "pdxdestiny.com" {
|
|
enableACME = true;
|
|
forceSSL = false;
|
|
addSSL = true;
|
|
root = pdxDestinyRoot;
|
|
}) // (withWww "philippeterson.com" {
|
|
enableACME = true;
|
|
forceSSL = false;
|
|
addSSL = true;
|
|
root = "/etc/pullomatic/com_philippeterson";
|
|
locations."~ /.git(/.*)$ " = {
|
|
extraConfig = ''
|
|
deny all;
|
|
return 404;
|
|
'';
|
|
};
|
|
locations."/games/atcsim" = {
|
|
extraConfig = ''
|
|
return 301 /games/atcsim/;
|
|
'';
|
|
};
|
|
locations."~ ^/games/atcsim(/[^/\\s]*)*$" = {
|
|
extraConfig = ''
|
|
index index.html index.htm;
|
|
rewrite ^/games/atcsim/?$ "/index.html" break;
|
|
rewrite ^/games/atcsim(?<query>(/[^/\\s]*)*)$ "$query" break;
|
|
root /etc/pullomatic/atcsim;
|
|
'';
|
|
};
|
|
locations."/portfolio" = {
|
|
extraConfig = ''
|
|
return 301 /portfolio/;
|
|
'';
|
|
};
|
|
locations."~ ^/portfolio/" = {
|
|
extraConfig = ''
|
|
index index.html index.htm;
|
|
rewrite ^/portfolio/?$ "/index.html" break;
|
|
rewrite ^/portfolio(?<query>(/[^/\\s]*)*)$ "$query" break;
|
|
root /etc/pullomatic/my-portfolio;
|
|
'';
|
|
};
|
|
locations."~ ^/echo(?<query>((/[^/\\s]*)*))$" = {
|
|
extraConfig = ''
|
|
add_header Content-Type text/plain;
|
|
return 200 "$query";
|
|
'';
|
|
};
|
|
locations."/" = {
|
|
extraConfig = ''
|
|
try_files $uri $uri.php $uri/ =404;
|
|
index index.php index.html index.htm;
|
|
rewrite ^/contact$ /contact.php last;
|
|
rewrite ^/resume$ /resume.php last;
|
|
'';
|
|
};
|
|
locations."~ \.php$" = {
|
|
extraConfig = ''
|
|
include ${pkgs.nginx}/conf/fastcgi.conf;
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
fastcgi_pass unix:${config.services.phpfpm.pools.main.socket};
|
|
'';
|
|
};
|
|
}) // (withWww "coldairnetworks.com" {
|
|
enableACME = true;
|
|
forceSSL = false;
|
|
addSSL = true;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:3012/";
|
|
};
|
|
});
|
|
|
|
# Optionally configure additional options
|
|
recommendedGzipSettings = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
};
|
|
|
|
services.phpfpm.pools = {
|
|
main = {
|
|
phpEnv."PATH" = lib.makeBinPath [pkgs.php];
|
|
user = "nginx";
|
|
group = "nginx";
|
|
settings = {
|
|
# listen = /run/phpfpm.sock
|
|
# "listen.mode = 0660
|
|
"listen.owner" = "nginx";
|
|
"listen.group" = "nginx";
|
|
"pm" = "dynamic";
|
|
"pm.max_children" = 75;
|
|
"pm.start_servers" = 10;
|
|
"pm.min_spare_servers" = 5;
|
|
"pm.max_spare_servers" = 20;
|
|
"pm.max_requests" = 500;
|
|
|
|
"php_admin_value[error_log]" = "stderr";
|
|
"php_admin_flag[log_errors]" = true;
|
|
"catch_workers_output" = true;
|
|
};
|
|
};
|
|
};
|
|
}
|
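Review bot: The duplication the message describes still exists in the other proxied vhosts: claw.quineglobal.com (Host, X-Forwarded-Proto, X-Forwarded-For), db.coldairnetworks.com and webdav.philippeterson.com (Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto), and pluto.philippeterson.com and vnc.quinefoundation.com (Host) all keep these proxy_set_header lines in their location extraConfig while `recommendedProxySettings = true;` stays set for the whole server. If the recommended-proxy-headers file is included at location level as the message implies, nginx emits both directives and those upstreams receive the same doubled headers; they may tolerate it where Apache did not, but a doubled Host or X-Forwarded-For is the kind of ambiguous request that different upstream parsers resolve differently, so the fix is best applied uniformly. Dropping `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` from those five blocks leaves only the Upgrade/Connection, timeout and body-size settings, which the recommended file does not cover. The explicit `proxy_set_header Authorization $http_authorization;` on webdav is likewise redundant, since nginx forwards client request headers by default, but it is harmless.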