ungleich-k8s/apps/zammad/nginx/default.conf

upstream php-handler {
    server localhost:9000;
}

server {
    listen 443      ssl http2;
    listen [::]:443 ssl http2;
    server_name {{ tpl .Values.fqdn . }};

    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ssl_certificate      /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem;

    # Increase timeouts -- mainly for initial setup
    proxy_read_timeout 300;
    proxy_send_timeout 300;
    proxy_connect_timeout 300;

    # HSTS settings
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    # location ^~ /.well-known {
    #     # The rules in this block are an adaptation of the rules
    #     # in `.htaccess` that concern `/.well-known`.

    #     location = /.well-known/carddav { return 301 /remote.php/dav/; }
    #     location = /.well-known/caldav  { return 301 /remote.php/dav/; }

    #     location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
    #     location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

    #     # Let Nextcloud's API for `/.well-known` URIs handle all other
    #     # requests by passing them to the front-end controller.
    #     return 301 /index.php$request_uri;
    # }

    location / {
        #try_files $uri $uri/ /index.php$request_uri;

        proxy_pass http://localhost:8080;

        # Forward original host name to be seen in unicorn
        proxy_set_header Host $host;

        # Server name and address like being available in PHP
        proxy_set_header SERVER_NAME $server_name;
        proxy_set_header SERVER_ADDR $server_addr;

        # Forward client ip address to rack/rails so logging
        proxy_set_header X-Forwarded-For $remote_addr;

    }
}
++zammad and more 2021-10-09 10:53:13 +00:00			`upstream php-handler {`
			`server localhost:9000;`
			`}`

			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`
			`server_name {{ tpl .Values.fqdn . }};`

			`# Use Mozilla's guidelines for SSL/TLS settings`
			`# https://mozilla.github.io/server-side-tls/ssl-config-generator/`
			`ssl_certificate /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem;`

			`# Increase timeouts -- mainly for initial setup`
			`proxy_read_timeout 300;`
			`proxy_send_timeout 300;`
			`proxy_connect_timeout 300;`

			`# HSTS settings`
			`# WARNING: Only add the preload option once you read about`
			`# the consequences in https://hstspreload.org/. This option`
			`# will add the domain to a hardcoded list that is shipped`
			`# in all major browsers and getting removed from this list`
			`# could take several months.`
			`#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;`

			`# set max upload size`
			`client_max_body_size 512M;`
			`fastcgi_buffers 64 4K;`

			`# Enable gzip but do not remove ETag headers`
			`gzip on;`
			`gzip_vary on;`
			`gzip_comp_level 4;`
			`gzip_min_length 256;`
			`gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;`
			`gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;`

			`location = /robots.txt {`
			`allow all;`
			`log_not_found off;`
			`access_log off;`
			`}`

			# Make a regex exception for `/.well-known` so that clients can still
			`# access it despite the existence of the regex rule`
			# `location ~ /(\.\|autotest\|...)` which would otherwise handle requests
			# for `/.well-known`.
++zammad updates 2021-10-09 12:34:16 +00:00			`# location ^~ /.well-known {`
			`# # The rules in this block are an adaptation of the rules`
			# # in `.htaccess` that concern `/.well-known`.
++zammad and more 2021-10-09 10:53:13 +00:00
++zammad updates 2021-10-09 12:34:16 +00:00			`# location = /.well-known/carddav { return 301 /remote.php/dav/; }`
			`# location = /.well-known/caldav { return 301 /remote.php/dav/; }`
++zammad and more 2021-10-09 10:53:13 +00:00
++zammad updates 2021-10-09 12:34:16 +00:00			`# location /.well-known/acme-challenge { try_files $uri $uri/ =404; }`
			`# location /.well-known/pki-validation { try_files $uri $uri/ =404; }`
++zammad and more 2021-10-09 10:53:13 +00:00
++zammad updates 2021-10-09 12:34:16 +00:00			# # Let Nextcloud's API for `/.well-known` URIs handle all other
			`# # requests by passing them to the front-end controller.`
			`# return 301 /index.php$request_uri;`
			`# }`
++zammad and more 2021-10-09 10:53:13 +00:00
++zammad updates 2021-10-09 12:34:16 +00:00			`location / {`
			`#try_files $uri $uri/ /index.php$request_uri;`
++zammad and more 2021-10-09 10:53:13 +00:00
++zammad updates 2021-10-09 12:34:16 +00:00			`proxy_pass http://localhost:8080;`
++zammad and more 2021-10-09 10:53:13 +00:00
++zammad updates 2021-10-09 12:34:16 +00:00			`# Forward original host name to be seen in unicorn`
			`proxy_set_header Host $host;`
++zammad and more 2021-10-09 10:53:13 +00:00
++zammad updates 2021-10-09 12:34:16 +00:00			`# Server name and address like being available in PHP`
			`proxy_set_header SERVER_NAME $server_name;`
			`proxy_set_header SERVER_ADDR $server_addr;`
++zammad and more 2021-10-09 10:53:13 +00:00
++zammad updates 2021-10-09 12:34:16 +00:00			`# Forward client ip address to rack/rails so logging`
			`proxy_set_header X-Forwarded-For $remote_addr;`
++zammad and more 2021-10-09 10:53:13 +00:00
			`}`
			`}`