Fix small issues with nextcloud

- HSTS header was not working
- Disable log files
- Specify trusted proxies
This commit is contained in:
Ivan R. 2024-11-02 14:03:24 +05:00
parent 562311375d
commit c788582950
Signed by: lumin
GPG key ID: E0937DC7CD6D3817
2 changed files with 31 additions and 13 deletions


@ -25,24 +25,39 @@ defaults
errorfile 503 /usr/local/etc/haproxy/errors/503.http errorfile 503 /usr/local/etc/haproxy/errors/503.http
errorfile 504 /usr/local/etc/haproxy/errors/504.http errorfile 504 /usr/local/etc/haproxy/errors/504.http
frontend www
frontend http
mode http mode http
bind :80 bind :80
bind :443 ssl crt /usr/local/etc/haproxy/certs
acl has_domain hdr_sub(host) -i comfycamp.space acl has_domain hdr_sub(host) -i comfycamp.space
http-request redirect scheme https if !{ ssl_fc } has_domain http-request redirect scheme https if !{ ssl_fc } has_domain
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;" if { ssl_fc } has_domain
acl host_mastodon hdr(host) -i m.comfycamp.space http-request set-header X-Forwarded-Proto http
acl host_mastodon_tor hdr(host) -i mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion acl host_mastodon_tor hdr(host) -i mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion
acl path_streaming_api path_beg /api/v1/streaming acl path_streaming_api path_beg /api/v1/streaming
use_backend mastodon_streaming if host_mastodon path_streaming_api
use_backend mastodon_streaming if host_mastodon_tor path_streaming_api use_backend mastodon_streaming if host_mastodon_tor path_streaming_api
use_backend mastodon if host_mastodon || host_mastodon_tor use_backend mastodon if host_mastodon_tor
acl host_peertube_tor hdr(host) -i vcomfyooxdbibyusen75qbzaunrjykw2cxkc6txm6qykkdv4z2danpid.onion
use_backend peertube if host_peertube_tor
acl host_comfycamp_tor hdr(host) -i comfycgmgfvowbbw2ckkobuvk4cejo2e56uxrhznravxnrl7itftpkad.onion
use_backend comfycamp if host_comfycamp_tor
frontend https
mode http
bind :443 ssl crt /usr/local/etc/haproxy/certs
http-request set-header X-Forwarded-Proto https
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
acl host_mastodon hdr(host) -i m.comfycamp.space
acl path_streaming_api path_beg /api/v1/streaming
use_backend mastodon_streaming if host_mastodon path_streaming_api
use_backend mastodon if host_mastodon
acl host_xmpp hdr(host) -i xmpp.comfycamp.space acl host_xmpp hdr(host) -i xmpp.comfycamp.space
acl host_xmpp_uploads hdr(host) -i upload.comfycamp.space acl host_xmpp_uploads hdr(host) -i upload.comfycamp.space
@ -57,8 +72,7 @@ frontend www
use_backend minio if host_s3 use_backend minio if host_s3
acl host_peertube hdr(host) -i v.comfycamp.space acl host_peertube hdr(host) -i v.comfycamp.space
acl host_peertube_tor hdr(host) -i vcomfyooxdbibyusen75qbzaunrjykw2cxkc6txm6qykkdv4z2danpid.onion use_backend peertube if host_peertube
use_backend peertube if host_peertube || host_peertube_tor
acl host_authentik hdr(host) -i auth.comfycamp.space acl host_authentik hdr(host) -i auth.comfycamp.space
use_backend authentik if host_authentik use_backend authentik if host_authentik
@ -74,8 +88,7 @@ frontend www
use_backend immich if host_immich use_backend immich if host_immich
acl host_comfycamp hdr(host) -i comfycamp.space acl host_comfycamp hdr(host) -i comfycamp.space
acl host_comfycamp_tor hdr(host) -i comfycgmgfvowbbw2ckkobuvk4cejo2e56uxrhznravxnrl7itftpkad.onion use_backend comfycamp if host_comfycamp
use_backend comfycamp if host_comfycamp || host_comfycamp_tor
acl host_vaultwarden hdr(host) -i vault.comfycamp.space acl host_vaultwarden hdr(host) -i vault.comfycamp.space
use_backend vaultwarden if host_vaultwarden use_backend vaultwarden if host_vaultwarden
@ -95,6 +108,7 @@ frontend www
acl host_mta_sts hdr(host) -i mta-sts.comfycamp.space acl host_mta_sts hdr(host) -i mta-sts.comfycamp.space
use_backend mta_sts if host_mta_sts use_backend mta_sts if host_mta_sts
frontend matrix-federation frontend matrix-federation
bind :8448 ssl crt /usr/local/etc/haproxy/certs bind :8448 ssl crt /usr/local/etc/haproxy/certs
http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Proto https if { ssl_fc }
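Review bot: The Strict-Transport-Security value `"max-age=16000000; includeSubDomains; preload;"` in the new `frontend https` combines `preload` with a max-age of roughly 185 days, but the HSTS preload list only accepts a max-age of at least 31536000 (one year), so either raise it, `http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`, or drop `preload` if preloading is not actually intended. That header is now sent for every host bound on :443 rather than only when `has_domain` matched, which looks deliberate after the frontend split but should be confirmed for any non-comfycamp.space name the certificate set covers. In the plain `frontend http` the retained `http-request redirect scheme https if !{ ssl_fc } has_domain` has an always-true `!{ ssl_fc }` term, so `if has_domain` would express the same rule; using `set-header` for X-Forwarded-Proto there is correct since it overwrites any client-supplied value. The +/- markers are lost in this rendering, so which single-printed lines belong to the old and new side is inferred from the frontend split.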


@ -24,6 +24,7 @@ $CONFIG = array (
'mail_smtppassword' => '{{ smtp_password }}', 'mail_smtppassword' => '{{ smtp_password }}',
'maintenance' => false, 'maintenance' => false,
'loglevel' => 2, 'loglevel' => 2,
'log_type' => 'errorlog',
'memcache.local' => '\\OC\\Memcache\\APCu', 'memcache.local' => '\\OC\\Memcache\\APCu',
'memcache.distributed' => '\\OC\\Memcache\\Redis', 'memcache.distributed' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis', 'memcache.locking' => '\\OC\\Memcache\\Redis',
@ -39,6 +40,9 @@ $CONFIG = array (
'{{ domain }}', '{{ domain }}',
{% endfor %} {% endfor %}
], ],
'trusted_proxies' => [
'172.24.0.0/16',
],
'config_is_read_only' => true, 'config_is_read_only' => true,
'ldapUserCleanupInterval' => 0, 'ldapUserCleanupInterval' => 0,
'auth.storeCryptedPassword' => false, 'auth.storeCryptedPassword' => false,
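Review bot: `'trusted_proxies' => ['172.24.0.0/16']` trusts an entire /16, so any host in that range, not only HAProxy, can supply an X-Forwarded-For header that Nextcloud will believe as the client address used for brute-force throttling and in its logs. Unless the proxy is the only thing on that network, narrow it to the proxy's address, e.g. `'trusted_proxies' => ['<haproxy-address>/32'],` (placeholder for the real address). The added `'log_type' => 'errorlog'` redirects logging to the web server's error log rather than disabling it as the commit message suggests, so the existing `'loglevel' => 2` still governs what is emitted there; a comment such as `// logs go to the web server error log, not data/nextcloud.log` would make that intent explicit. The `$CONFIG = array (` that encloses both hunks begins outside the section.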