From c46ca01a557d57a9a7e3c5d5144d8fadda45873b Mon Sep 17 00:00:00 2001 From: Andreas Stephanides Date: Sat, 4 Dec 2021 11:05:01 +0100 Subject: [PATCH] snippets added --- Dockerfile | 1 + README.md | 2 +- snippets/auto_ssl.conf | 5 +++++ snippets/default_proxy.conf | 6 ++++++ snippets/internal_proxy.conf | 6 ++++++ snippets/internal_sub_proxy.conf | 9 +++++++++ snippets/ldap.conf | 2 ++ snippets/secure.conf | 10 ++++++++++ snippets/ssl.conf | 16 ++++++++++++++++ 9 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 snippets/auto_ssl.conf create mode 100644 snippets/default_proxy.conf create mode 100644 snippets/internal_proxy.conf create mode 100644 snippets/internal_sub_proxy.conf create mode 100644 snippets/ldap.conf create mode 100644 snippets/secure.conf create mode 100644 snippets/ssl.conf diff --git a/Dockerfile b/Dockerfile index b192846..da31e38 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,3 +1,4 @@ FROM docker.triton2.fet.at/openrestyfet COPY ./conf.d/* /etc/nginx/conf.d/ +copy ./snippets/* /usr/local/openresty/nginx/conf/ ENV PATH "$PATH:/usr/local/openresty/bin" \ No newline at end of file diff --git a/README.md b/README.md index 6fc169c..66a3c2f 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # Anleitung für Proxy Server in der FET - +## Installation location / { include proxy.conf; diff --git a/snippets/auto_ssl.conf b/snippets/auto_ssl.conf new file mode 100644 index 0000000..5f7753c --- /dev/null +++ b/snippets/auto_ssl.conf @@ -0,0 +1,5 @@ +location /.well-known/acme-challenge/ { + content_by_lua_block { + auto_ssl:challenge_server() + } + } \ No newline at end of file diff --git a/snippets/default_proxy.conf b/snippets/default_proxy.conf new file mode 100644 index 0000000..29ce06c --- /dev/null +++ b/snippets/default_proxy.conf @@ -0,0 +1,6 @@ +location / { + include proxy.conf; + include secure.conf; + proxy_buffering off; + proxy_pass http://$proxy_host:$proxy_port; +} \ No newline at end of file 
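Review bot: The added line spells the instruction as lowercase `copy` while the line above uses `COPY`; Docker accepts either, but the inconsistency trips linters and reads as a typo — `COPY ./snippets/* /usr/local/openresty/nginx/conf/`. The destination is the OpenResty prefix conf directory, which is presumably what makes the bare `include proxy.conf;` lines in the snippets resolve; a one-line comment stating that would save the next reader a lookup. The file still ends without a trailing newline, which the diff flags on both sides.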
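Review bot: The snippet calls the global `auto_ssl` object, which lua-resty-auto-ssl expects to be created in an http-level `init_by_lua_block` and started in `init_worker_by_lua_block`; neither is part of this commit, so a header comment naming where that setup lives (presumably in conf.d) would make the snippet self-explanatory. The closing `}` is indented one level deeper than the opening `location`, which suggests the block was pasted out of a nested context; align it with `location`. The ACME challenge location also has to be reachable over plain HTTP for HTTP-01 validation, which is worth stating in the same comment so it is not included only in the TLS server.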
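Review bot: `proxy_pass http://$proxy_host:$proxy_port;` uses variables, so nginx resolves the host at request time, and that requires a `resolver` directive in scope whenever `$proxy_host` is a DNS name rather than an IP or an upstream name; nothing in this commit sets one. `$proxy_host` and `$proxy_port` are also the names of built-in ngx_http_proxy_module variables, so whatever sets them in the including server block is shadowing built-ins — if that is intentional, say so in a comment, and if the values are instead substituted by a template step before nginx reads the file, document that in the README. The same applies to the `proxy_pass` lines in internal_proxy.conf and internal_sub_proxy.conf in this commit.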
diff --git a/snippets/internal_proxy.conf b/snippets/internal_proxy.conf
new file mode 100644
index 0000000..29406ad
--- /dev/null
+++ b/snippets/internal_proxy.conf
@@ -0,0 +1,6 @@
+location / {
+ include proxy.conf;
+ include ldap.conf;
+ proxy_buffering off;
+ proxy_pass http://$proxy_host:$proxy_port;
+}
\ No newline at end of file
diff --git a/snippets/internal_sub_proxy.conf b/snippets/internal_sub_proxy.conf
new file mode 100644
index 0000000..e32cc8c
--- /dev/null
+++ b/snippets/internal_sub_proxy.conf
@@ -0,0 +1,9 @@
+location /$proxy_location {
+ include ldap.conf;
+ rewrite_log on;
+ rewrite /$proxy_location/(.*) /$1 break;
+ rewrite ^/$proxy_location$ /$proxy_location/ permanent;
+ include proxy.conf;
+ proxy_buffering off;
+ proxy_pass http://$proxy_host:$proxy_port;
+}
\ No newline at end of file
diff --git a/snippets/ldap.conf b/snippets/ldap.conf
new file mode 100644
index 0000000..95e7143
--- /dev/null
+++ b/snippets/ldap.conf
@@ -0,0 +1,2 @@
+auth_ldap "FET Login";
+auth_ldap_servers fet;
\ No newline at end of file
diff --git a/snippets/secure.conf b/snippets/secure.conf
new file mode 100644
index 0000000..2800c86
--- /dev/null
+++ b/snippets/secure.conf
@@ -0,0 +1,10 @@
+
+add_header Content-Security-Policy "default-src 'none'; img-src 'self'; \
+ script-src 'self'; style-src 'self' 'unsafe-inline'; \
+ font-src 'self'; base-uri 'self'; form-action 'self';\
+ connect-src 'self'; frame-ancestors 'none'";
+add_header X-Content-Type-Options nosniff;
+add_header X-Frame-Options DENY;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header Referrer-Policy "strict-origin";
+add_header Strict-Transport-Security "max-age=31536000" always;
\ No newline at end of file
diff --git a/snippets/ssl.conf b/snippets/ssl.conf
new file mode 100644
index 0000000..9bf28f1
--- /dev/null
+++ b/snippets/ssl.conf
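Review bot: This location includes ldap.conf but not secure.conf, so services behind LDAP auth are served without X-Frame-Options, X-Content-Type-Options, Referrer-Policy or the location-level HSTS header that default_proxy.conf adds; the asymmetry looks unintentional. If the CSP in secure.conf is too strict for the internal applications, split the header-only `add_header` directives into a separate snippet and include that here alongside ldap.conf. A comment explaining why secure.conf is deliberately omitted would otherwise be needed.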
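Review bot: nginx does not expand variables in `location` prefixes or in the regex argument of `rewrite`, so `location /$proxy_location {` matches the literal path `/$proxy_location` and `rewrite /$proxy_location/(.*) /$1 break;` compiles `$` as an end-of-string anchor; as written the snippet cannot route anything. If these snippets are passed through a templating step (envsubst or similar) before nginx loads them, that is what makes this work and the README should say so; otherwise the location and both rewrites need literal paths. `rewrite_log on;` writes every rewrite to the error log at notice level and is usually left off outside debugging.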
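Review bot: `auth_ldap_servers fet;` refers to an `ldap_server fet { ... }` block that has to exist at http level and is not part of this commit; a comment naming where it is defined (presumably in conf.d) would help the next reader. auth_ldap uses HTTP Basic authentication, so the Authorization header carries the user's password on every request; the snippet should only be included in server blocks that also include ssl.conf, which is worth stating in the same comment.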
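Review bot: Only X-XSS-Protection and Strict-Transport-Security carry `always`; without it nginx adds `add_header` values only on 2xx/3xx responses, so error pages proxied from upstream are served without the CSP, `nosniff`, `DENY` and Referrer-Policy headers — add `always` to all six. The CSP value is split with backslash-newline inside a quoted string; as far as I know nginx does not treat that as line continuation and keeps the backslash and newline bytes in the header value, so verify the emitted header with `curl -sI` or put the policy on one line. Because `add_header` directives at location level replace those inherited from the server, including this snippet in a location drops any server-level headers, which is presumably why HSTS is repeated here — a comment saying so would stop someone from deleting the duplicate. `X-XSS-Protection` is deprecated and current guidance is to set it to `0` or omit it.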
@@ -0,0 +1,16 @@
+ssl_certificate_by_lua_block {
+ auto_ssl:ssl_certificate()
+}
+
+ # You must still define a static ssl_certificate file for nginx to start.
+ #
+ # You may generate a self-signed fallback with:
+ #
+ # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+ # -subj '/CN=sni-support-required-for-valid-ssl' \
+ # -keyout /etc/ssl/resty-auto-ssl-fallback.key \
+ # -out /etc/ssl/resty-auto-ssl-fallback.crt
+ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
+ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
+ssl_protocols TLSv1.2 TLSv1.3;
+add_header Strict-Transport-Security "max-age=31536000" always;
\ No newline at end of file
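Review bot: The comment says a static fallback certificate is required for nginx to start, but nothing in this commit (including the Dockerfile hunk) generates or copies `/etc/ssl/resty-auto-ssl-fallback.crt` and `.key`, so an image that includes this snippet fails at startup unless the files are mounted in; either generate them during the image build with the openssl command quoted in the comment or document the mount in the README. `ssl_protocols TLSv1.2 TLSv1.3;` is fine, but no `ssl_ciphers` or `ssl_prefer_server_ciphers` is set, so the cipher list is whatever the OpenResty build's OpenSSL defaults to — state a policy explicitly if one is intended. The HSTS `add_header` here sits at server level and is silently discarded in any location that has its own `add_header` (such as locations including secure.conf); a comment noting that interaction would help. The comment block is indented while the directives around it are not; align them.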