kenjim/appa-net
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7c4c786e7b7bbc9353fc31701f1c058b69b38211
appa-net/zet.home.arpa/nginx/kenjim.conf
Kenji M 7c4c786e7b zet.home.arpa: document all services and SSL/nginx setup 
- Server overview (README.md) with services, storage, and network summary
- Storage layout with disk/fstab/mount details (storage.md)
- Service docs: Samba, NFS, Squid, Pi-hole (with DHCP/split-DNS notes)
- Let's Encrypt cert via acme.sh + GoDaddy DNS-01 (ssl/)
- nginx SSL reverse proxy config and virtual host guide (nginx/)
- Pi-hole moved to port 8081; split DNS overrides documented for both
  Pi-hole and pfSense Unbound to avoid hairpin NAT issues

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19 14:37:04 +00:00

100 lines
3.0 KiB
Plaintext
Raw Blame History

# /etc/nginx/sites-available/kenjim.conf
#
# SSL reverse proxy for kenjim.com subdomains.
# Certificate managed by acme.sh (DNS-01 via GoDaddy).
# Cert path: /etc/nginx/ssl/kenjim.com/
# Redirect all HTTP to HTTPS
server {
listen 80 default_server;
listen [::]:80 default_server;
return 301 https://$host$request_uri;
}
# Drop requests for unknown hostnames at SSL level (no response)
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/nginx/ssl/kenjim.com/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/kenjim.com/key.pem;
return 444;
}
# Gitea — git.kenjim.com
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name git.kenjim.com;
ssl_certificate /etc/nginx/ssl/kenjim.com/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/kenjim.com/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
# Gitea runs directly on the host (systemd), not in Docker
location / {
proxy_pass http://127.0.0.1:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# www.kenjim.com — update proxy_pass when container is running
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name www.kenjim.com;
ssl_certificate /etc/nginx/ssl/kenjim.com/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/kenjim.com/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
proxy_pass http://127.0.0.1:8080; # update port to match container
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# kenji.kenjim.com — update proxy_pass when container is running
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name kenji.kenjim.com;
ssl_certificate /etc/nginx/ssl/kenjim.com/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/kenjim.com/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
proxy_pass http://127.0.0.1:8082; # update port to match container
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# gt.kenjim.com — CNAME pointing elsewhere; reject cleanly if it lands here
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name gt.kenjim.com;
ssl_certificate /etc/nginx/ssl/kenjim.com/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/kenjim.com/key.pem;
return 444;
}
Reference in New Issue View Git Blame Copy Permalink