First commit

http_upgrade

@@ -0,0 +1,27 @@
+# Security
+server_tokens off;
+add_header X-Frame-Options                   "SAMEORIGIN"               always;
+add_header X-Content-Type-Options            "nosniff"                  always;
+add_header X-XSS-Protection                  "1; mode=block"            always;
+add_header Referrer-Policy                   "no-referrer"              always;
+add_header X-Permitted-Cross-Domain-Policies "none"                     always;
+add_header X-Robots-Tag                      "noindex, nofollow"        always;
+# CSP breaks some webapps
+# add_header Content-Security-Policy         "default-src 'self';"      always;
+
+# http2
+http2 on;
+
+# http3
+# Open port 443/udp to use http3
+# Add reuseport to ONLY ONE virtual host: listen 443 quic reuseport;
+listen 443 quic;
+add_header Alt-Svc 'h3=":443"; ma=86400';
+quic_retry on;
+http3 on;
+
+# Certbot defaults
+listen 443 ssl;
+include /etc/letsencrypt/options-ssl-nginx.conf;
+ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+add_header Strict-Transport-Security "max-age=31536000" always;

nginx.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Fill in the following variables
+appname=
+url=
+domain=
+port=
+eff_email_address=
+
+# .conf installation
+{
+
+# Exit if variables are null
+if [ -z ${appname} ] || [ -z ${url} ] || [ -z ${domain} ] || [ -z ${port} ] || [ -z ${eff_email_address} ]
+then
+    exit 1
+fi
+
+sudo tee /etc/nginx/sites-available/${appname}.conf >/dev/null <<conf
+server {
+    server_name ${url};
+    include local/http_upgrade;
+
+    location / {
+        proxy_pass http://${domain}:${port};
+        include local/proxy_params;
+
+        error_log  /var/log/nginx/${appname}_error.log;
+        access_log /var/log/nginx/${appname}_access.log;
+    }
+}
+conf
+
+sudo ln -s -f /etc/nginx/sites-available/${appname}.conf /etc/nginx/sites-enabled/
+
+if sudo nginx -t
+then
+    sudo systemctl reload nginx.service
+    sudo certbot --nginx --non-interactive --agree-tos --no-eff-email -m ${eff_email_address} -d ${url} \
+        --staple-ocsp --hsts --no-redirect
+fi
+
+}

proxy_params

@@ -0,0 +1,18 @@
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-Scheme $scheme;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Accept-Encoding "";
+proxy_set_header Host $host;
+
+client_body_buffer_size 512k;
+proxy_read_timeout 86400s;
+client_max_body_size 0;
+
+# Websocket
+proxy_http_version 1.1;
+proxy_cache_bypass  $http_upgrade;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";