mixed additions

nginx/btcpayserver_forward.conf

@@ -0,0 +1,158 @@
+## fill in the DOMAIN_NAME
+## fill in the PREFIX_BTCPAY_PORT
+
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+    default                       $http_x_forwarded_proto;
+    ''                            $scheme;
+}
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+    default                       $http_x_forwarded_port;
+    ''                            $server_port;
+}
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+    default                       upgrade;
+    ''                            close;
+}
+# Apply fix for very long server names
+#server_names_hash_bucket_size 128;
+# Prevent Nginx Information Disclosure
+#server_tokens off;
+# Default dhparam
+# Set appropriate X-Forwarded-Ssl header
+map $scheme $proxy_x_forwarded_ssl {
+    default                       off;
+    https                         on;
+}
+
+#gzip on;
+ gzip_min_length                  1000;
+ gzip_types                       image/svg+xml text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+ log_format                       vhost '$host $remote_addr - $remote_user [$time_local
+ ]                                '
+ '"$request"                      $status $body_bytes_sent '
+'"$http_referer""$http_user_agent"';
+ access_log                       off;
+# HTTP 1.1 support
+ proxy_http_version               1.1;
+ proxy_buffering                  off;
+ proxy_set_header                 Host $http_host;
+ proxy_set_header                 Upgrade $http_upgrade;
+ proxy_set_header                 Connection $proxy_connection;
+ proxy_set_header                 X-Real-IP $remote_addr;
+ proxy_set_header                 X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header                 X-Forwarded-Proto $proxy_x_forwarded_proto;
+ proxy_set_header                 X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+ proxy_set_header                 X-Forwarded-Port $proxy_x_forwarded_port;
+ proxy_buffer_size                128k;
+ proxy_buffers                    4 256k;
+ proxy_busy_buffers_size          256k;
+ client_header_buffer_size        500k;
+ large_client_header_buffers      4 500k;
+# Mitigate httpoxy attack (see README for details)
+ proxy_set_header                 Proxy "";
+
+server {
+    listen                        80 http2;
+    listen                        443 ssl http2;
+    server_name                   pay.diynodes.com;
+
+    #                             add_header 'Access-Control-Allow-Origin' '*';
+
+    ssl_certificate               /etc/letsencrypt/live/$DOMAIN_NAME/fullchain.pem;
+    ssl_certificate_key           /etc/letsencrypt/live/$DOMAIN_NAME/privkey.pem;
+    ssl_session_timeout           1d;
+    ssl_session_cache             shared:SSL: 50m;
+    ssl_session_tickets           off;
+    ssl_protocols                 TLSv1.2 TLSv1.3;
+    ssl_ciphers                   'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+    ssl_prefer_server_ciphers     on;
+    ssl_stapling                  on;
+    ssl_stapling_verify           on;
+    ssl_trusted_certificate       /etc/letsencrypt/live/$DOMAIN_NAME/chain.pem;
+
+    location / {
+        #                         add_header 'Access-Control-Allow-Origin' '*';
+
+        proxy_pass                $PREFIX_BTCPAY_PORT;
+
+        #                         For websockets
+        #proxy_set_header         Upgrade $http_upgrade;
+        #proxy_set_header         Connection $http_connection;
+
+        proxy_redirect            off;
+
+        proxy_set_header          X-Forwarded-Host $http_host;
+        proxy_set_header          Host $http_host;
+        proxy_set_header          Upgrade $http_upgrade;
+        proxy_set_header          Connection $proxy_connection;
+        proxy_set_header          X-Real-IP $remote_addr;
+        proxy_set_header          X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header          X-Forwarded-Proto $proxy_x_forwarded_proto;
+        proxy_set_header          X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+        proxy_set_header          X-Forwarded-Port $proxy_x_forwarded_port;
+        client_max_body_size      100M;
+
+
+        #proxy_set_header         Host $http_host;
+        #proxy_set_header         X-Real-IP $remote_addr;
+        #proxy_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;
+        #proxy_set_header         X-Forwarded-Proto https;
+        #proxy_read_timeout       600;
+        #proxy_connect_timeout    600;
+        #proxy_send_timeout       600;
+    }
+
+
+    #location = /.well-known/nostr.json {
+    #                             return 301 https: //nostr.diynodes.com$request_uri;
+    #
+}
+
+location /.well-known/nostr.json {
+    add_header                    'Access-Control-Allow-Origin' '*';
+    alias                         /var/www/html/.well-known/nostr.json;
+}
+
+
+#  location /.well-known/lnurlp/openoms {
+#   add_header 'Access-Control-Allow-Origin' '*';
+#   proxy_pass      https: //100.106.178.118:23001;
+#proxy_redirect off;
+#proxy_set_header Host $http_host;
+#proxy_set_header X-Real-IP $remote_addr;
+#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#proxy_set_header X-Forwarded-Proto https;
+#
+#proxy_read_timeout 600;
+#proxy_connect_timeout 600;
+#proxy_send_timeout 600;
+#
+## remove if not needed
+## proxy_set_header X-Forwarded-Host $server_name;
+#
+}
+#
+#
+location /BTC/UILNURL/pay/i {
+    add_header                    'Access-Control-Allow-Origin' '*';
+    proxy_pass                    $PREFIX_BTCPAY_PORT;
+    proxy_redirect                off;
+    proxy_set_header              Host $http_host;
+    proxy_set_header              X-Real-IP $remote_addr;
+    proxy_set_header              X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header              X-Forwarded-Proto https;
+
+    proxy_read_timeout            600;
+    proxy_connect_timeout         600;
+    proxy_send_timeout            600;
+
+    #                             remove if not needed
+    #                             proxy_set_header X-Forwarded-Host $server_name;
+}
+}

nginx/btcpayserver_subdomain.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 
-# WOWRK IN PROGRESS
+# WORK IN PROGRESS
+# see https://gist.github.com/NicolasDorier/1a7fce6836ee55a7fa2c7f65417b88b5
 
 echo "
 Input your email:
@@ -31,7 +32,7 @@ sudo certbot certonly -a standalone -m $EMAIL --agree-tos \
 cat EOF | sudo tee /etc/nginx/sites-available/${SUBDOMAIN}
 # sudo cat /etc/nginx/sites-enabled/${SUBDOMAIN}
 server {
-  listen 80;
+  listen 80 http2;
   listen 443 ssl http2;
   server_name ${SUBDOMAIN};