m

volumes/conf.d/4netplayers.zinomedia.de.conf

@@ -14,13 +14,8 @@ server {
     ssl_certificate /etc/letsencrypt/live/4netplayers.zinomedia.de/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/4netplayers.zinomedia.de/privkey.pem;
 
-    # SSL Optimizations
+    include "snippets/ssl-optimizations.conf";
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
-    ssl_prefer_server_ciphers on;
 
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
     add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:;" always;
 
     location ~ /(\.user\.ini|debug\.log) {

volumes/conf.d/dl.zinomedia.de.conf

@@ -12,19 +12,13 @@ server {
     ssl_certificate /etc/letsencrypt/live/dl.zinomedia.de/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/dl.zinomedia.de/privkey.pem;
 
-    # SSL Optimizations
+    include "snippets/ssl-optimizations.conf";
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
-    ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
 
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
     add_header Content-Security-Policy "default-src 'self';" always;
     add_header X-Content-Type-Options nosniff;
     add_header X-Frame-Options SAMEORIGIN;
     add_header X-Content-Type-Options "nosniff";
-    
+
     gzip on;
     gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
 }

volumes/conf.d/git.zinomedia.de.conf

@@ -9,12 +9,7 @@ server {
     ssl_certificate /etc/letsencrypt/live/git.zinomedia.de/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/git.zinomedia.de/privkey.pem;
 
-    # SSL Optimizations
+    include "snippets/ssl-optimizations.conf";
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
-
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
     # Gzip Compression
     gzip on;

volumes/conf.d/joplin.zinomedia.de.conf

@@ -9,12 +9,7 @@ server {
     ssl_certificate /etc/letsencrypt/live/joplin.zinomedia.de/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/joplin.zinomedia.de/privkey.pem;
 
-    # SSL Optimizations
+    include "snippets/ssl-optimizations.conf";
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
-
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
     # Gzip Compression
     gzip on;

volumes/conf.d/pkrstarsbot.zinomedia.de.conf

@@ -13,12 +13,8 @@ server {
     ssl_certificate /etc/letsencrypt/live/pkrstarsbot.zinomedia.de/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/pkrstarsbot.zinomedia.de/privkey.pem;
 
-    # SSL Optimizations
+    include "snippets/ssl-optimizations.conf";
-    ssl_protocols TLSv1.2 TLSv1.3;
+    
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
-
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
     add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self'; font-src 'self' data:;" always;
 
     location / {

volumes/conf.d/portainer.armos.zinomedia.de.conf

@@ -9,19 +9,13 @@ server {
     ssl_certificate /etc/letsencrypt/live/portainer.armos.zinomedia.de/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/portainer.armos.zinomedia.de/privkey.pem;
 
-    # SSL optimizations
+    include "snippets/ssl-optimizations.conf";
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
-    ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
-
     include "snippets/enable-vouch.conf";
 
     location / {
         resolver 127.0.0.11;
         set $upstream "portainer:9000";
-        
+
         add_header Content-Security-Policy "font-src * data: blob: 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';" always;
         proxy_set_header X-Forwarded-Host $host:$server_port;
         proxy_set_header X-Forwarded-Server $host;

volumes/conf.d/seafile.zinomedia.de.conf

@@ -11,12 +11,8 @@ server {
     ssl_certificate /etc/letsencrypt/live/seafile.zinomedia.de/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/seafile.zinomedia.de/privkey.pem;
 
-    # SSL Optimizations
+    include "snippets/ssl-optimizations.conf";
-    ssl_protocols TLSv1.2 TLSv1.3;
+    
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
-
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
     add_header Content-Security-Policy "default-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: http://seafile.zinomedia.de; style-src 'self' 'unsafe-inline'; font-src 'self' data:;" always;
 
     location / {

volumes/conf.d/validate.vouch.armos.zinomedia.de.conf

@@ -12,12 +12,7 @@ server {
     ssl_certificate /etc/letsencrypt/live/validate.vouch.armos.zinomedia.de/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/validate.vouch.armos.zinomedia.de/privkey.pem;
 
-    # SSL Optimizations
+    include "snippets/ssl-optimizations.conf";
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
-
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
     location = /validate {
         # forward the /validate request to Vouch Proxy

volumes/conf.d/vouch.armos.zinomedia.de.conf

@@ -1,4 +1,4 @@
-log_format vouch '[$time_iso8601] VOUCH | request_uri: $request_uri | status: $status | http_host: $http_host | auth_resp_x_vouch_user: $auth_resp_x_vouch_user | upstream_http_x_vouch_user: $upstream_http_x_vouch_user | auth_resp_jwt: $auth_resp_jwt | upstream_http_x_vouch_jwt: $upstream_http_x_vouch_jwt | auth_resp_err: $auth_resp_err | upstream_http_x_vouch_err: $upstream_http_x_vouch_err | auth_resp_failcount: $auth_resp_failcount | upstream_http_x_vouch_failcount: $upstream_http_x_vouch_failcount';
+#log_format vouch '[$time_iso8601] VOUCH | request_uri: $request_uri | status: $status | http_host: $http_host | auth_resp_x_vouch_user: $auth_resp_x_vouch_user | upstream_http_x_vouch_user: $upstream_http_x_vouch_user | auth_resp_jwt: $auth_resp_jwt | upstream_http_x_vouch_jwt: $upstream_http_x_vouch_jwt | auth_resp_err: $auth_resp_err | upstream_http_x_vouch_err: $upstream_http_x_vouch_err | auth_resp_failcount: $auth_resp_failcount | upstream_http_x_vouch_failcount: $upstream_http_x_vouch_failcount';
 
 
 server {
@@ -6,18 +6,14 @@ server {
     listen [::]:443 ssl;
     server_name vouch.armos.zinomedia.de;
 
-    access_log /var/log/nginx/access.log vouch;
+    #access_log /var/log/nginx/access.log vouch;
+    access_log off;
     error_log /var/log/nginx/error.log debug;
 
     ssl_certificate /etc/letsencrypt/live/vouch.armos.zinomedia.de/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/vouch.armos.zinomedia.de/privkey.pem;
 
-    # SSL Optimizations
+    include "snippets/ssl-optimizations.conf";
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
-
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
     location / {
         resolver 127.0.0.11;