up and rename snippets

time spent: 0.67h

Author: Friz-zy

README.md

@@ -36,7 +36,7 @@ Official nginx docker image and docs.
 So here I'm trying to put together all (my) good patterns and knowledge, and organize it as simply as possible in comparison with complex examples above. So anyone will be able to copy this configs and get a good nginx setup out of the box :)
 
 Time track:
-- [Filipp Frizzy](https://github.com/Friz-zy/) 45.56h
+- [Filipp Frizzy](https://github.com/Friz-zy/) 46.23h
 
 ### Support
 
@@ -73,25 +73,25 @@ SSL best practice from [mozilla](https://ssl-config.mozilla.org/#server=nginx&ve
 #### Snippets
 Templates and includes. You can also use [config generator](https://www.digitalocean.com/community/tools/nginx) from digitalocean :)
 
-* `corps.conf.j2`  
+* `corps.include.template`  
 Template of corps politic for multiple subdomains setup
 * `default.conf`  
 Example of default config with nginx_status, let's encrypt check and redirect to https
-* `fastcgi.conf`  
+* `fastcgi.include`  
 Include for php locations: fastcgi parameters, timeouts and cache example
-* `headers.conf`  
+* `headers.include`  
 Include with all headers, see known traps
-* `protected_locations.conf`  
+* `protected_locations.include`  
 Include with protected locations with 'deny all'
-* `proxy.conf`  
+* `proxy.include`  
 Include for proxy locations: proxy headers, parameters, timeouts and cache example
-* `referer.conf.j2`  
+* `referer.include.template`  
 Template of referer protection for cases when you concurents use your fail2ban protection against you, see known traps
-* `resolver.conf`  
+* `resolver.conf.template`  
 Include for dynamic dns resolving, see known traps
-* `site.conf.j2`  
+* `site.conf.template`  
 Template of common site configuration
-* `static_location.conf`  
+* `static_location.include`  
 Include with location for static files
 
 # Dockerfile
@@ -220,7 +220,7 @@ After all produce only `Name2` header in response.
 So use add_header.conf include or copy all headers manually 
 into sections under HTTP one.
 ```
-include /etc/nginx/snippets/headers.conf
+include /etc/nginx/snippets/headers.include
 ```
 
 #### DNS resolving and cache in Docker, Kubernetes and other dynamic environments
@@ -267,7 +267,7 @@ can be used for attack to you. For example, you competitors can add to their sit
 ```
 
 Then valid user after visit to the their site will be automatically blocked on your site 😆
-You can fight with this practice using `http_referer`, see `snippets/referer.conf.j2` template ;)
+You can fight with this practice using `http_referer`, see `snippets/referer.include.template` template ;)
 Warning: I have not tested this code yet
 
 #### Default templating engine in official docker image can't proceed variables with default values like `${var:-$DEFAULT}`

conf.d/0-basic.conf

@@ -15,6 +15,8 @@ reset_timedout_connection on; # default is on
 
 client_max_body_size 15m; # default is 1m
 
+# Fail fast, your pages should load in a seconds, not minutes!
+# for heavy pages you can configure this defaults per location or domain
 client_body_timeout 15;  # default is 60s
 client_header_timeout 15;  # default is 60s
 # keepalive_timeout 15; # default is 75s

snippets/corps.conf.j2 renamed to snippets/corps.include.template

@@ -1,8 +1,8 @@
-set $corps_origin https://{{ item.site }};
-if ($http_origin ~* "^https?://(?:.+\.)?{{ item.domain }}(?::\d{1,5})?$") {
+set $corps_origin https://${SERVER_NAME};
+if ($http_origin ~* "^https?://(?:.+\.)?${SERVER_DOMAIN}(?::\d{1,5})?$") {
     set $corps_origin "$http_origin";
 }
 add_header "Access-Control-Allow-Origin" "$corps_origin";
 
 # add_header will override all previous directives from parent sections
-include snippets/headers.conf;
+include snippets/headers.include;

snippets/fastcgi.conf renamed to snippets/fastcgi.include

@@ -11,6 +11,8 @@ fastcgi_param REQUEST_SCHEME $proxy_scheme;
 fastcgi_keep_conn on;
 # fastcgi_socket_keepalive on; # nginx >= 1.15.6
 
+# Fail fast, your pages should load in a seconds, not minutes!
+# for heavy pages you can configure this defaults per location or domain
 fastcgi_read_timeout 15s; # default is 60s
 fastcgi_send_timeout 15s; # default is 60s
 fastcgi_connect_timeout 15s; # default is 60s

snippets/headers.conf renamed to snippets/headers.include

@@ -12,6 +12,8 @@ proxy_http_version 1.1;
 
 # proxy_socket_keepalive on; # nginx >= 1.15.6
 
+# Fail fast, your pages should load in a seconds, not minutes!
+# for heavy pages you can configure this defaults per location or domain
 proxy_read_timeout 15s; # default is 60s
 proxy_send_timeout 15s; # default is 60s
 proxy_connect_timeout 15s; # default is 60s

snippets/protected_locations.conf renamed to snippets/protected_locations.include

@@ -1,6 +1,6 @@
 # http://nginx.org/en/docs/http/ngx_http_referer_module.html
 
-valid_referers none blocked server_names *.{{ item.domain }};
+valid_referers none blocked server_names *.${SERVER_DOMAIN};
 
 if ($invalid_referer) {
     return 307 $http_referer;

snippets/proxy.conf renamed to snippets/proxy.include

@@ -24,7 +24,9 @@
 # kube-dns.kube-system.svc.cluster.local - k8s resolver
 # 172.16.0.23 - aws default resolver
 
-resolver 127.0.0.11 valid=30s ipv6=off;
+# This default valuse will work only with modified envsubst
+# see known traps
+resolver ${RESOLVER_URL:-127.0.0.11} valid=${RESOLVER_TTL:-30s} ipv6=off;
 
 # A timeout for name resolution
 resolver_timeout 30s; # default is 30s

snippets/referer.conf.j2 renamed to snippets/referer.include.template

@@ -0,0 +1,69 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name ${SERVER_NAME};
+
+    # for non docker setup
+    # access_log      /var/log/nginx/${SERVER_NAME}-access.log main buffer=512k flush=1s;
+    # error_log       /var/log/nginx/${SERVER_NAME}-error.log error;
+
+    location /.well-known/acme-challenge {
+        root /var/www/letsencrypt;
+        try_files $uri $uri/ =404;
+    }
+
+    location / {
+        return 301 https://${SERVER_NAME}$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${SERVER_NAME};
+
+    # for non docker setup
+    # access_log      /var/log/nginx/${SERVER_NAME}-access.log main buffer=512k flush=1s;
+    # error_log       /var/log/nginx/${SERVER_NAME}-error.log error;
+
+    root /var/www/${SERVER_NAME}/public;
+
+    # let's encrypt cert
+    ssl_certificate         /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
+    ssl_certificate_key     /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
+
+    # ssl_certificate         /etc/ssl/certs/${SERVER_DOMAIN}.crt;
+    # ssl_certificate_key     /etc/ssl/private/${SERVER_DOMAIN}.key;
+
+    # corps hack
+    # it should be configured per site with templating
+    # include corps.include;
+
+    # referer protection
+    # it should be configured per site with templating
+    # include referer.include;
+
+    # location ~* \.(js|css|png|jpg|jpeg|gif|ico|swf|eot|ttf|otf|woff|woff2)$
+    include snippets/static_location.include;
+
+    location /backend {
+        proxy_pass http://127.0.0.1:8080;
+        include snippets/proxy.include;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+
+    location ~ \.php$ {
+        fastcgi_pass 127.0.0.1:9000;
+        include snippets/fastcgi.include;
+    }
+
+    # location ~ (/\.|^/protected)
+    include snippets/protected_locations.include;
+
+}

snippets/resolver.conf renamed to snippets/resolver.conf.template

@@ -7,5 +7,5 @@ location ~* \.(js|css|png|jpg|jpeg|gif|ico|swf|eot|ttf|otf|woff|woff2)$ {
     expires 30d;
 
     # add_header will override all previous directives from parent sections
-    include snippets/headers.conf;
+    include snippets/headers.include;
 }