diff --git a/Dockerfile b/Dockerfile
index 94caa75..93e4f19 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,6 +11,7 @@ CMD ["/bin/sh", "/entrypoint.sh"]
 RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
 tini nginx supervisor gettext-base libjs-bootstrap4 libjs-jquery \
+ && rm /etc/nginx/sites-enabled/default \
 && rm -rf /var/lib/apt/lists/* \
 && apt-get autoremove -y \
 && rm -rf /var/cache/*
diff --git a/cert-monitor.sh b/cert-monitor.sh
index 6d6797e..2aebd50 100755
--- a/cert-monitor.sh
+++ b/cert-monitor.sh
@@ -4,6 +4,9 @@ CERT_PATH="/snikket/letsencrypt/live/$SNIKKET_DOMAIN/cert.pem"
 while sleep 10; do
 if test -f "$CERT_PATH"; then
+ if test -f /etc/nginx/sites-enabled/startup; then
+ rm /etc/nginx/sites-enabled/startup;
+ fi
 /usr/local/bin/render-template.sh "/etc/nginx/templates/snikket-common" "/etc/nginx/snippets/snikket-common.conf"
 for proto in http https; do
 /usr/local/bin/render-template.sh "/etc/nginx/templates/$proto" "/etc/nginx/sites-enabled/$proto";
diff --git a/entrypoint.sh b/entrypoint.sh
index fba80da..5e938f7 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -8,6 +8,8 @@ if test -f "$CERT_PATH"; then
 for proto in http https; do
 /usr/local/bin/render-template.sh "/etc/nginx/templates/$proto" "/etc/nginx/sites-enabled/$proto";
 done
+else
+ /usr/local/bin/render-template.sh "/etc/nginx/templates/startup.template" "/etc/nginx/sites-enabled/startup";
 fi
 exec supervisord -c /etc/supervisord/supervisord.conf
diff --git a/error-pages/404.html b/error-pages/404.html
new file mode 100644
index 0000000..ab99fda
--- /dev/null
+++ b/error-pages/404.html
@@ -0,0 +1,28 @@
+ + + + + + Snikket | Page not found + + + + + + + + + + + + + + +
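Review bot: The three lines added at the top of the `if test -f "$CERT_PATH"` branch in cert-monitor.sh can be a single `rm -f /etc/nginx/sites-enabled/startup`, which also stays quiet if the file is gone between the test and the removal. The loop body continues past the end of the hunk, so whether nginx is reloaded after the startup site is removed is not visible here; if it is not, the placeholder server keeps answering until the next reload.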
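Review bot: The added `else` branch in entrypoint.sh reads its template from `/etc/nginx/templates/startup.template`, while the calls just above it read `/etc/nginx/templates/$proto` with no `.template` suffix, so one of the two naming schemes is probably not what the image installs. The Dockerfile hunk in this commit only adds an `rm`, so the step that places `startup.template` and the new error-pages/ files in the image is not visible here and should be checked. Nothing in the hunk tests the exit status of render-template.sh before `exec supervisord`; unless the script sets `-e` above the hunk, a missing template would leave nginx starting with no site at all now that the packaged default is removed.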
+ Snikket +

Oops! We couldn't find what you were looking for.

+

Check the address you entered, perhaps?

+ 404 Not Found +
+ +
diff --git a/error-pages/404_site.html b/error-pages/404_site.html
new file mode 100644
index 0000000..02f09e5
--- /dev/null
+++ b/error-pages/404_site.html
@@ -0,0 +1,29 @@
+ + + + + + Snikket | Unknown domain + + + + + + + + + + + + + + +
+ Snikket +

Oops! Site not found.

+

The web address you entered does not seem to match the domain of your Snikket installation.

+

If this is unexpected, check your DNS settings and your Snikket configuration are both correct.

+ 404 Not Found +
+ +
diff --git a/error-pages/504.html b/error-pages/504.html
new file mode 100644
index 0000000..7612795
--- /dev/null
+++ b/error-pages/504.html
@@ -0,0 +1,30 @@
+ + + + + + Snikket | Temporarily unavailable + + + + + + + + + + + + + + +
+ Snikket +

Oops! A technical glitch.

+

There was a problem connecting to the Snikket service of this site.

+

If you just started this service, please wait a moment and reload the page.

+

If the problem continues, please check your Snikket configuration for problems.

+ 504 Gateway Timeout +
+ +
diff --git a/nginx/http.template b/nginx/http.template
index 4ecc479..a2172f0 100644
--- a/nginx/http.template
+++ b/nginx/http.template
@@ -14,3 +14,13 @@ server {
 return 301 https://$host$request_uri;
 }
 }
+
+# Fail requests to unknown domains
+server {
+ listen ${SNIKKET_TWEAK_HTTP_PORT};
+ listen [::]:${SNIKKET_TWEAK_HTTP_PORT};
+
+ error_page 404 /_errors/404_site.html;
+
+ return 404;
+}
diff --git a/nginx/https.template b/nginx/https.template
index 6e71e47..7af50e0 100644
--- a/nginx/https.template
+++ b/nginx/https.template
@@ -32,6 +32,8 @@ server {
 server_name share.${SNIKKET_DOMAIN};
+ root /var/www/html;
+
 location /upload/ {
 proxy_pass http://localhost:${SNIKKET_TWEAK_INTERNAL_HTTP_PORT};
 proxy_set_header Host $host;
@@ -39,3 +41,22 @@ server {
 proxy_set_header X-Forwarded-Proto https;
 }
 }
+
+# Fail requests to unknown domains
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ ssl_certificate /snikket/letsencrypt/live/snikket.chat/fullchain.pem;
+ ssl_certificate_key /snikket/letsencrypt/live/snikket.chat/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:1m;
+ ssl_session_timeout 1440m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+
+ error_page 404 /_errors/404_site.html;
+
+ return 404;
+}
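Review bot: The catch-all block appended to nginx/http.template has no `server_name` and no `default_server` on its `listen` lines, so nginx only uses it for unmatched hosts if it is the first server defined for that port; it follows the existing block in this file, so unknown domains would most likely still land on that one. The HTTPS counterpart in nginx/https.template does say `default_server`; here I would write `listen ${SNIKKET_TWEAK_HTTP_PORT} default_server;` and `listen [::]:${SNIKKET_TWEAK_HTTP_PORT} default_server;`. The second block of nginx/startup.template has the same gap, and there the first block visibly carries three `server_name` lines. This block also sets `error_page` without a `root`, unlike the startup.template catch-all, so unless a root is inherited from outside the hunk the error page will not be looked up under `/var/www/html`. The existing server block starts above the hunk, so its `server_name` is not visible.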
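Review bot: The `ssl_certificate` and `ssl_certificate_key` lines in the new `default_server` block of nginx/https.template hard-code `/snikket/letsencrypt/live/snikket.chat/`, whereas cert-monitor.sh builds the same path from `$SNIKKET_DOMAIN`; on any other domain those files presumably do not exist, and nginx refuses to load a configuration whose certificate file is missing. I would write `ssl_certificate /snikket/letsencrypt/live/${SNIKKET_DOMAIN}/fullchain.pem;` and `ssl_certificate_key /snikket/letsencrypt/live/${SNIKKET_DOMAIN}/privkey.pem;`. Separately, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps two protocol versions that RFC 8996 deprecates, and the cipher string still offers 3DES (`DES-CBC3-SHA`) and static-RSA suites; `ssl_protocols TLSv1.2 TLSv1.3;` with the CBC3 entries dropped would be the tighter choice if the installed nginx and OpenSSL support TLS 1.3. If the named server blocks above this hunk carry the same TLS lines, a shared snippet would keep them from drifting apart.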
diff --git a/nginx/startup.template b/nginx/startup.template
new file mode 100644
index 0000000..f55091a
--- /dev/null
+++ b/nginx/startup.template
@@ -0,0 +1,28 @@
+server {
+ listen ${SNIKKET_TWEAK_HTTP_PORT};
+ listen [::]:${SNIKKET_TWEAK_HTTP_PORT};
+
+ server_name ${SNIKKET_DOMAIN};
+ server_name groups.${SNIKKET_DOMAIN};
+ server_name share.${SNIKKET_DOMAIN};
+
+ location /.well-known/acme-challenge {
+ alias /var/www/html/.well-known/acme-challenge;
+ }
+
+ root /var/www/html;
+
+ error_page 404 /_errors/404.html;
+}
+
+# Fail requests to unknown domains
+server {
+ listen ${SNIKKET_TWEAK_HTTP_PORT};
+ listen [::]:${SNIKKET_TWEAK_HTTP_PORT};
+
+ root /var/www/html;
+
+ error_page 404 /_errors/404_site.html;
+
+ return 404;
+}
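Review bot: The `location /.well-known/acme-challenge` block in the first server is a no-op next to `root /var/www/html;`, because the `alias` resolves to exactly the path the root already gives. Either drop the block or, if it is kept as a marker, add a comment such as `# served for Let's Encrypt HTTP-01 validation` above it. In that case give both the location prefix and the alias a trailing slash so the prefix does not also match names like `/.well-known/acme-challengeX`.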